Right,
I've just spent the last $num hours trying to get this set up, finally
figured it out, with no thanks to any of the related docs, so I thought
I'd post here in case it's useful to other people.
The Goal:
To have a (or multiple) slave kdc(s) for my kerberos domain so that if
the master kdc is down, people can still log on.
The issue:
All the docs I could find go into wonderful detail on how to set up the
master server, but all gloss completely over the setup of the slave(s).
So, here goes. First, we need to install the heimdal-kdc package on the
slave server:
apt-get install heimdal-kdc
Fairly simple. Except, there's a gotcha. Debian (sarge/testing at least)
assumes that if you don't have the package installed already, that
you're doing a green-field installation, and does setup stuff without
informing you. Even if you have debconf set to 'low'. Special.
Specifically, it generates a random master password for the kerberos
database, and then populates the database with the basic principals that
a new realm would need.
Needless to say, this causes massive confusion when you try to propagate
the database from the master kdc to the slave. You'll know this has
happened if, when you run
kadmin -l
kadmin> list *
on the slave, you get:
kadmin: get username at REALM: Decrypt integrity check failed
Of course, this is bad. And it'll take hours before you see this error,
causing lots of stress. But enough moaning.
So, the problem is two-fold. 1) The master password for the kerberos db
is wrong, and 2) The principals in the db are invalid. The solution is
to do:
kadmin -l
kadmin> del *
which removes all the invalid principals, and then run
kstash
which prompts you for the master password for the db. If you don't know
the master password for the db on the master kdc (because either debian
automagically generated it and you never saw it, or just because you
forgot it ,-), the simplest solution is to copy over the
/var/lib/heimdal-kdc/m-key by hand from the master to the slave.
Warning: long rambly email ,-)
Now, in order to propagate changes from master to slave, you'll want to
use either hprop/hpropd (old, reliable, inefficient, not supported by
debian) or iprop-master/iprop-slave (new, experimental, efficient,
supported by debian). In my (limited) experience, the iprop method works
nicely.
In order to use this, edit /etc/default/heimdal-kdc on both master and
slave servers. On the master, you do the obvious and set
'MASTER_ENABLED' to yes. On the slave, you similarly set 'SLAVE_ENABLED'
to no. But there's a gotcha. You'll need to add a new line:
SLAVE_PARAMS=master-kdc.example.com
where 'master-kdc' is the name of your master kdc, surprising eh? Make
sure to use the fqdn of the master kdc, it simplifies things.
Right, you're now pretty much as far as the assumed starting point in
the docs. Oh yeah, the ones on the heimdal home page are out of date, so
either install heimdal-docs and use info (*shudder*. pinfo makes it less
bad), or use this:
http://orgs.man.ac.uk/documentation/heimdal/heimdal_20.html#SEC29
The salient points are:
1) Add an entry for every slave to /var/lib/heimdal-kdc/slaves
2) Create an iprop/hostname principal for every slave, and
export it to the slave's keytab.
Keeping an eye on /var/log/heimdal-kdc.log is useful for debugging. If
anyone here actually cares about this, and notices I've left out
important stuff, poke me.
Steve
P.S. for other fun places where the docs suck, the dns conf section is
also well misleading. http://houghi.org/admin/ch18s04.html is much more
informative, even helpful.