The database is propagated from the master KDC to the slave KDCs via the kpropd daemon. To set up propagation, create a file on each KDC, named /usr/local/var/krb5kdc/kpropd.acl, containing the principals for each of the KDCs.
For example, if the master KDC were kerberos.mit.edu, the slave KDCs were kerberos-1.mit.edu and kerberos-2.mit.edu, and the realm were ATHENA.MIT.EDU, then the file's contents would be:

    host/kerberos.mit.edu@ATHENA.MIT.EDU
    host/kerberos-1.mit.edu@ATHENA.MIT.EDU
    host/kerberos-2.mit.edu@ATHENA.MIT.EDU

Then, add the following lines to the /etc/inetd.conf file on each KDC (the line beginning with => is a continuation of the previous line):

    krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
    eklogin stream tcp nowait root /usr/local/sbin/klogind
    => klogind -k -c -e

The first line sets up the kpropd database propagation daemon. The second line sets up the eklogin daemon, allowing Kerberos-authenticated, encrypted rlogin to the KDC.
You also need to add the following lines to /etc/services on each KDC:

    kerberos      88/udp    kdc    # Kerberos authentication (udp)
    kerberos      88/tcp    kdc    # Kerberos authentication (tcp)
    krb5_prop     754/tcp          # Kerberos slave propagation
    kerberos-adm  749/tcp          # Kerberos 5 admin/changepw (tcp)
    kerberos-adm  749/udp          # Kerberos 5 admin/changepw (udp)
    eklogin       2105/tcp         # Kerberos encrypted rlogin
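
An added example, not part of the original guide: because kpropd.acl is the list of principals kpropd accepts a propagation from, the shell function below compares a kpropd.acl file with the KDC hosts you expect and reports every entry that is extra or missing. The helper name audit_kpropd_acl, the stray.example.com entry and the temporary sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). audit_kpropd_acl is a
# hypothetical helper that compares a kpropd.acl with the expected KDC list.
# Usage: audit_kpropd_acl ACL_FILE REALM KDC_HOST...
# Prints one finding per line; returns 0 only when the two sets are identical.
audit_kpropd_acl() {
    acl=$1; realm=$2; shift 2
    [ -r "$acl" ] || { echo "UNREADABLE: $acl"; return 2; }
    # Expected entries, one per line: host/<fqdn>@<REALM>
    expected=$(for h in "$@"; do printf 'host/%s@%s\n' "$h" "$realm"; done)
    # Entries actually present: trim whitespace, drop empty lines
    actual=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$acl")
    # -F fixed strings, -x whole line, -v invert: lines of one set absent from the other
    unexpected=$(printf '%s\n' "$actual" | grep -Fvx -e "$expected" || true)
    missing=$(printf '%s\n' "$expected" | grep -Fvx -e "$actual" || true)
    [ -z "$unexpected" ] || printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED: /'
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/MISSING: /'
    [ -z "$unexpected" ] && [ -z "$missing" ]
}

# Constructed sample: the three principals from the text plus one stray entry.
sample=$(mktemp)
cat > "$sample" <<'EOF'
host/kerberos.mit.edu@ATHENA.MIT.EDU
host/kerberos-1.mit.edu@ATHENA.MIT.EDU
host/kerberos-2.mit.edu@ATHENA.MIT.EDU
host/stray.example.com@ATHENA.MIT.EDU
EOF
audit_kpropd_acl "$sample" ATHENA.MIT.EDU kerberos.mit.edu \
    kerberos-1.mit.edu kerberos-2.mit.edu || echo "kpropd.acl needs review"
rm -f "$sample"
```

On a real KDC, pass /usr/local/var/krb5kdc/kpropd.acl as the first argument and run the same check on every KDC, since the file exists on each of them.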