Slave KDCs provide an additional source of Kerberos ticket-granting services in the event that the master KDC becomes inaccessible. It is recommended that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as krb for the master KDC and kdc1, kdc2, ... for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry rather than having to change hostnames.
Master (Primary) Kerberos Server
- Add the new slave (kdc2.dev.local) to /etc/krb5.conf on the master and on any other slaves:
[realms]
DEV.LOCAL = {
kdc = kdc1.dev.local
kdc = kdc2.dev.local
admin_server = krb.dev.local
}
Alternatively (and preferably), consider setting up DNS discovery; read here how.
- Add the slave's host principal and extract its key into the keytab:
kadmin.local -q "addprinc -randkey host/kdc2.dev.local"
kadmin.local -q "ktadd host/kdc2.dev.local"
- Create the database propagation host list (file /etc/krb5kdc/kpropd.acl); only the principals listed here are allowed to push a database to a slave:
host/kdc1.dev.local@DEV.LOCAL
host/kdc2.dev.local@DEV.LOCAL
- Create a dump of the Kerberos database (this is the default path used by the kprop utility):
kdb5_util dump /var/lib/krb5kdc/slave_datatrans
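Before copying these files to the slaves it is worth checking that kpropd.acl and the [realms] section of krb5.conf agree, since kpropd will accept a database push from any principal named in the ACL. The following script is an added example, not part of the original post; it assumes the file layout used above ("kdc = <fqdn>" lines under [realms] and host/<fqdn>@REALM entries in kpropd.acl) and takes the paths as arguments so it can be run against copies as well as /etc.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check the propagation
# configuration before the files are copied to the slaves. It assumes the
# layout used above (a krb5.conf [realms] section with "kdc = <fqdn>" lines
# and a kpropd.acl listing host/<fqdn>@REALM principals). The paths are
# arguments so it can run against copies as well as /etc.

# Print the realm name of the first "NAME = {" entry in the [realms] section.
krb5_realm() {
    awk '/^\[realms\]/ { inr = 1; next }
         /^\[/         { inr = 0 }
         inr && /^[ \t]*[A-Za-z0-9.-]+[ \t]*=[ \t]*[{]/ {
             sub(/^[ \t]*/, ""); sub(/[ \t]*=.*/, ""); print; exit
         }' "$1"
}

# Print every "kdc = <host>" value of the [realms] section, one per line.
krb5_kdcs() {
    awk '/^\[realms\]/ { inr = 1; next }
         /^\[/         { inr = 0 }
         inr && $1 == "kdc" && $2 == "=" { print $3 }' "$1"
}

# Check that kpropd.acl ($1) names host/<kdc>@REALM for every KDC listed in
# krb5.conf ($2) and contains nothing else: kpropd accepts a database push
# from any principal in this file, so a stray entry widens who may overwrite
# the slave's database. Returns 0 if consistent, 1 otherwise.
check_kprop_acl() {
    acl="$1"; conf="$2"; rc=0
    realm=$(krb5_realm "$conf")
    [ -n "$realm" ] || { echo "no realm found in $conf"; return 1; }
    for kdc in $(krb5_kdcs "$conf"); do
        grep -qxF "host/$kdc@$realm" "$acl" ||
            { echo "missing ACL entry: host/$kdc@$realm"; rc=1; }
    done
    while IFS= read -r line; do
        case "$line" in
            '' | '#'*)       ;;   # blank line or comment
            host/*@"$realm") ;;   # host principal of our realm: fine
            *) echo "unexpected ACL entry: $line"; rc=1 ;;
        esac
    done < "$acl"
    return $rc
}

# Constructed sample files (not real /etc contents) for a stand-alone run.
demo_setup() {
    d=$(mktemp -d)
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DEV.LOCAL
[realms]
    DEV.LOCAL = {
        kdc = kdc1.dev.local
        kdc = kdc2.dev.local
        admin_server = krb.dev.local
    }
EOF
    printf '%s\n' host/kdc1.dev.local@DEV.LOCAL host/kdc2.dev.local@DEV.LOCAL \
        > "$d/kpropd.acl"
    # broken variant: kdc2 missing and a user principal slipped in
    printf '%s\n' host/kdc1.dev.local@DEV.LOCAL user1@DEV.LOCAL \
        > "$d/kpropd-bad.acl"
    echo "$d"
}

# Usage on a KDC: sh check-kprop.sh /etc/krb5kdc/kpropd.acl /etc/krb5.conf
if [ $# -eq 2 ]; then
    check_kprop_acl "$1" "$2"
fi
```

Run it on the master with the two real paths; a non-zero exit with one line per problem tells you which host principal is missing from the ACL or which entry should not be there.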
Secondary (Slave, Read-Only) Kerberos Server
- Install the Kerberos server and xinetd (used to run the database propagation daemon):
apt-get install krb5-kdc xinetd
- Copy (a) the realm configuration (file /etc/krb5.conf), (b) the database propagation list (file /etc/krb5kdc/kpropd.acl), (c) the keytab (file /etc/krb5.keytab) and (d) the logrotate settings from the master, e.g. using scp, and create the log directory:
scp kdc1:/etc/krb5.conf /etc
scp kdc1:/etc/krb5kdc/kpropd.acl /etc/krb5kdc
scp kdc1:/etc/krb5.keytab /etc
scp kdc1:/etc/logrotate.d/krb5 /etc/logrotate.d
mkdir /var/log/krb5
- Set up the database propagation service (file /etc/xinetd.d/krb_prop):
service krb_prop
{
disable = no
socket_type = stream
protocol = tcp
user = root
wait = no
server = /usr/sbin/kpropd
}
Restart the xinetd service:
/etc/init.d/xinetd restart
Propagate database
- Propagate the database from the master to the slave:
kdc1:~# kprop kdc2.dev.local
Database propagation to kdc2.dev.local: SUCCEEDED
- Create the database stash key on the slave:
kdb5_util stash
- Start the Kerberos service on the slave:
/etc/init.d/krb5-kdc start
Automate database propagation
- Here is a script that propagates the master database to all slaves (run on the master; file /usr/local/sbin/krb5-prop):
#!/bin/sh
# Space-separated list of slave KDCs to push the database to
#slaves="kdc2.dev.local kdc3.dev.local"
slaves="kdc2.dev.local"

# Dump the database to the path kprop reads by default
/usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans
error=$?
if [ $error -ne 0 ]; then
    echo "Kerberos database dump failed."
    exit 1
fi

# Push the dump to every slave; a failing slave is reported but does not stop the loop
for slave in $slaves; do
    /usr/sbin/kprop $slave > /dev/null
    error=$?
    if [ $error -ne 0 ]; then
        echo "Kerberos propagation to host $slave failed."
    fi
done
exit 0
Ensure the file is executable:
chmod +x /usr/local/sbin/krb5-prop
- Schedule a cron job (/usr/local/sbin/cron-krb5-prop):
#
# Regular cron job for Kerberos database propagation
#
PATH=/usr/local/sbin
HOME=/
LOG=/dev/null
# Every 53 minutes
53 * * * * root test -x /usr/local/sbin/krb5-prop && krb5-prop >> $LOG
... and let cron know about it (note that with LOG=/dev/null the script's failure messages are discarded; point LOG at a file if you want to keep them):
ln -s /usr/local/sbin/cron-krb5-prop /etc/cron.d/cron-krb5-prop
Finally, here is how to test that it is working:
- Stop the master Kerberos server:
/etc/init.d/krb5-kdc stop
- Open the log file on the slave:
tail -f /var/log/krb5/kdc.log
- Log in to a Kerberos client:
ssh user1@deby01
- Watch the log on the slave; you should see authentication messages (AS_REQ and TGS_REQ lines ending in ISSUE) now coming from the slave.
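Rather than eyeballing the tail, you can summarize what the slave logged: issued AS/TGS tickets confirm that it is serving clients, and a tally of PREAUTH_FAILED lines per client address and principal shows failed password attempts that you would want to notice on any KDC. This script is an added example, not part of the original post; the log lines below are constructed for the demo and the parser assumes the MIT krb5kdc line format they follow (request type, then "<client ip>: <STATUS>: <principal> for <service>").

```sh
#!/bin/sh
# Added example, not part of the original post: summarize krb5kdc log lines
# so you can confirm the slave is issuing tickets and spot failed
# pre-authentication attempts. Assumes the MIT krb5kdc syslog-style format
# used in the constructed sample below.

# Summarize krb5kdc log lines from the given files: count issued AS and TGS
# tickets and tally PREAUTH_FAILED per client address and principal.
kdc_log_summary() {
    awk '
        / AS_REQ .*: ISSUE: /  { as++ }
        / TGS_REQ .*: ISSUE: / { tgs++ }
        /: PREAUTH_FAILED: / {
            # split on ": " so the fields around the status are
            # "<...> <client ip>" and "<principal> for <service>, <reason>"
            n = split($0, f, ": ")
            for (i = 1; i < n; i++)
                if (f[i + 1] == "PREAUTH_FAILED") {
                    ip = f[i]; sub(/.* /, "", ip)
                    split(f[i + 2], p, " ")
                    fail[ip " " p[1]]++
                }
        }
        END {
            printf "as_issued=%d tgs_issued=%d\n", as, tgs
            for (k in fail) printf "preauth_failed %s x%d\n", k, fail[k]
        }' "$@"
}

# Constructed sample lines (not a real log) in the krb5kdc format: one login
# from user1 (pre-auth round trip, then AS and TGS tickets) and two failed
# password attempts for user2 from another address.
SAMPLE_LOG='Jan 10 12:00:01 kdc2 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.20: NEEDED_PREAUTH: user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Additional pre-authentication required
Jan 10 12:00:01 kdc2 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.20: ISSUE: authtime 1578657601, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL
Jan 10 12:00:02 kdc2 krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.1.20: ISSUE: authtime 1578657601, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL
Jan 10 12:00:05 kdc2 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.30: PREAUTH_FAILED: user2@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Decrypt integrity check failed
Jan 10 12:00:06 kdc2 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.30: PREAUTH_FAILED: user2@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Decrypt integrity check failed'

# Run the summary over the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | kdc_log_summary
}

# Usage on the slave: sh kdc-log-summary.sh /var/log/krb5/kdc.log
if [ $# -gt 0 ]; then
    kdc_log_summary "$@"
fi
```

On the constructed sample it reports one AS and one TGS ticket issued and two failed pre-authentications for user2 from 192.168.1.30; on a real kdc.log the same counts tell you whether the slave took over while the master was stopped.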
Read more about Kerberos here.