Node:Set Up the Slave KDCs for Database Propagation, Previous:Extract Host Keytabs for the KDCs, Up:Install the Slave KDCs
The database is propagated from the master KDC to the slave KDCs via the
kpropd daemon. To set up propagation, create a file on each KDC,
named /usr/local/var/krb5kdc/kpropd.acl, containing the
principals for each of the KDCs.
For example, if the master KDC were
kerberos.mit.edu, the slave KDCs were
kerberos-1.mit.edu and
kerberos-2.mit.edu, and the realm were
ATHENA.MIT.EDU, then the file's contents would be:
host/kerberos.mit.edu@ATHENA.MIT.EDU
host/kerberos-1.mit.edu@ATHENA.MIT.EDU
host/kerberos-2.mit.edu@ATHENA.MIT.EDU
Then, add the following lines to /etc/inetd.conf file on each KDC
(the line beginnng with => is a continuation of the previous
line):
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
The first line sets up the kpropd database propagation daemon.
The second line sets up the eklogin daemon, allowing
Kerberos-authenticated, encrypted rlogin to the KDC.
You also need to add the following lines to /etc/services on each
KDC:
kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
eklogin 2105/tcp # Kerberos encrypted rlogin