Node:Set Up the Slave KDCs for Database Propagation, Previous:Extract Host Keytabs for the KDCs, Up:Install the Slave KDCs



Set Up the Slave KDCs for Database Propagation

The database is propagated from the master KDC to the slave KDCs via the kpropd daemon. To set up propagation, create a file on each KDC, named /usr/local/var/krb5kdc/kpropd.acl, containing the principals for each of the KDCs. For example, if the master KDC were kerberos.mit.edu, the slave KDCs were kerberos-1.mit.edu and kerberos-2.mit.edu, and the realm were ATHENA.MIT.EDU, then the file's contents would be:

     host/kerberos.mit.edu@ATHENA.MIT.EDU
     host/kerberos-1.mit.edu@ATHENA.MIT.EDU
     host/kerberos-2.mit.edu@ATHENA.MIT.EDU
     

Then, add the following lines to /etc/inetd.conf file on each KDC (the line beginnng with => is a continuation of the previous line):

     krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
     eklogin   stream tcp nowait root /usr/local/sbin/klogind
     => klogind -k -c -e
     

The first line sets up the kpropd database propagation daemon. The second line sets up the eklogin daemon, allowing Kerberos-authenticated, encrypted rlogin to the KDC.

You also need to add the following lines to /etc/services on each KDC:

     kerberos        88/udp      kdc       # Kerberos authentication (udp)
     kerberos        88/tcp      kdc       # Kerberos authentication (tcp)
     krb5_prop       754/tcp               # Kerberos slave propagation
     kerberos-adm    749/tcp               # Kerberos 5 admin/changepw (tcp)
     kerberos-adm    749/udp               # Kerberos 5 admin/changepw (udp)
     eklogin         2105/tcp              # Kerberos encrypted rlogin