I've just spent the last $num hours trying to get this set up, finally
figured it out, with no thanks to any of the related docs, so i thought
i'd post here in case it's useful to other people.
To have a (or multiple) slave kdc(s) for my kerberos domain so that if
the master kdc is down, people can still log on.
All the docs i could find go into wonderful detail on how to setup the
master server, but all gloss completely over the setup of the slave(s).
So, here goes. First, we need to install the heimdal-kdc package on the
apt-get install heimdal-kdc
Fairly simple. Except, there's a gotcha. Debian (sarge/testing at least)
assumes that if you don't have the package installed already, that
you're doing a green-field installation, and does setup stuff without
informing you. Even if you have debconf set to 'low'. Special.
Specifically, it generates a random master password for the kerberos
database, and then populates the database with the basic principals that
a new realm would need.
Needless to say, this causes massive confusion when you try to propagate
the database from the master kdc to the slave. You'll know if this has
happened if when you run
kadmin> list *
on the slave, you get:
kadmin: get username at REALM: Decrypt integrity check failed
Of course, this is bad. And it'll take hours before you see this error,
causing lots of stress. But enough moaning.
So, the problem is two-fold. 1) The master password for the kerberos db
is wrong, and 2) The principals in the db are invalid. The solution is
kadmin> del *
which removes all the invalid principals, and then run
which prompts you for the master password for the db. If you don't know
the master password for the db on the master kdc (because either debian
automagically generated it and you never saw it, or just because you
forgot it ,-), the simplest solution is to copy over the
/var/lib/heimdal-kdc/m-key by hand from the master to the slave.
Warning: long rambly email ,-)
Now, in order to propagate changes from master to slave, you'll want to
use either hprop/hpropd (old, reliable, ineffecient, not supported by
debian) or iprop-master/iprop-slave (new, experimental, effecient,
supported by debian). In my (limited) experience, the iprop method works
In order to use this, edit /etc/default/heimdal-kdc on both master and
slave servers. On the master, you do the obvious and set
'MASTER_ENABLED' to yes. On the slave, you similarly set 'SLAVE_ENABLED'
to no. But there's a gotcha. You'll need to add a new line:
where 'master-kdc' is the name of your master kdc, surprising eh? Make
sure to use the fqdn of the master kdc, it simplifies things.
Right, you're now pretty much as far as the assumed starting point in
the docs. Oh yeah, the ones on the heimdal home page are out of date, so
either install heimdal-docs and use info (*shudder*. pinfo makes it less
bad), or use this:
The salient points are:
1) Add an entry for every slave to /var/lib/heimdal-kdc/slaves
2) Create an iprop/hostname principal for every slave, and
export it to the slave's keytab.
Keeping an eye on /var/log/heimdal-kdc.log is useful for debugging. If
anyone here actually cares about this, and notices i've left out
important stuff, poke me.
P.s. for other fun places where the docs suck, the dns conf section is
also well misleading. http://houghi.org/admin/ch18s04.html is much more
informative, even helpful.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!