Kerberos High Availability Functionality Testing

Contributor

Is there a way to test MIT Kerberos high availability functionality? Any approaches?

Thanks in advance.



@Shelton Thank you so much

Contributor

Hi @Geoffrey Shelton Okot

I created a principal for my LDAP id in the fashion below.

kadmin.local: addprinc myid

WARNING: no policy specified for id@RXPERF.HDP.XX.COM; defaulting to no policy

Enter password for principal "id@RXPERF.HDP.XX.COM":

Re-enter password for principal "id@RXPERF.HDP.XX.COM":

Principal "id@RXPERF.HDP.XX.COM" created.

I haven't created any keytab for my id as of now.

Regarding the sync, I will update that.

Thanks.

Master Mentor

@harish

Create the test user principal

Let's try this out. As root, create the user at the OS level:

# useradd test 

Set password

# passwd test

Invoke the KDC admin CLI and run these commands from /etc/security/keytabs:

# kadmin.local
kadmin.local: addprinc test@RXPERF.HDP.XX.COM
Quit kadmin
kadmin.local: q

Extract/Generate the keytab

Extracting the keytab is done in the ktutil shell, as a continuation of the previous step. The keytab name and principal are explicit inputs; it is usually good if the keytab name matches the user, for easy identification.

This will write the keytab in the current directory, i.e. /etc/security/keytabs/. You can later move it to the user's home directory or the /tmp directory.

# sudo ktutil
ktutil:  addent -password -p test@RXPERF.HDP.XX.COM -k 1 -e RC4-HMAC
Password for test@RXPERF.HDP.XX.COM:
ktutil:  wkt test.keytab
ktutil:  q

Now to validate the above steps run as the user test

$ klist -kt  /etc/security/keytabs/test.keytab

The output should look like

Keytab name: FILE:/etc/security/keytabs/test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des3-cbc-sha1)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes128-cts-hmac-sha1-96)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (arcfour-hmac)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des-cbc-md5)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes256-cts-hmac-sha1-96)

Now, as the test user, grab a ticket using the format kinit -kt $keytab $principal

$ kinit -kt  /etc/security/keytabs/test.keytab test@RXPERF.HDP.XX.COM

Check for ticket

$ klist

Let me know if that works
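The steps above end with eyeballing the `klist -kt` listing before running `kinit -kt`. The script below is an added example, not part of the reply or of MIT Kerberos itself: it checks a `klist -kt` listing for the test principal, reports the KVNOs present (a keytab whose KVNO no longer matches the KDC's key version is the usual cause of a failing `kinit -kt`), and flags the single-DES, 3DES and RC4/arcfour enctypes that appear in the listing above and are deprecated in current MIT Kerberos releases. `SAMPLE_KLIST` is constructed to mirror the listing shown in the reply so the functions can run offline; in real use, feed them the live `klist -kt` output as shown in the last comment.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a `klist -kt` listing for the
# test principal before trying `kinit -kt`. SAMPLE_KLIST is constructed to mirror
# the listing shown in the reply above so the functions can run offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des3-cbc-sha1)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes128-cts-hmac-sha1-96)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (arcfour-hmac)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des-cbc-md5)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes256-cts-hmac-sha1-96)'

# Number of keytab entries for a principal. $1 = klist -kt output, $2 = principal.
# Entry lines are "KVNO date time principal (enctype)", so the principal is field 4.
keytab_entry_count() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { n++ } END { print n + 0 }'
}

# Print the distinct KVNOs found for a principal, one per line.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -u
}

# Print the weak enctypes (single DES, 3DES, RC4/arcfour) present for a principal.
keytab_weak_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p {
        e = $5; gsub(/[()]/, "", e)
        if (e ~ /^(des|des3|arcfour|rc4)/) print e
    }'
}

# Return 0 when the principal has at least one entry and only AES enctypes.
keytab_ok() {
    [ "$(keytab_entry_count "$1" "$2")" -gt 0 ] || return 1
    [ -z "$(keytab_weak_enctypes "$1" "$2")" ]
}

# Real usage (not executed here): feed the live listing instead of the sample.
#   keytab_ok "$(klist -kt /etc/security/keytabs/test.keytab)" test@RXPERF.HDP.XX.COM
```

Against the sample listing `keytab_ok` fails because of the DES and arcfour entries; re-running `ktutil` with only `-e aes256-cts-hmac-sha1-96` (and the matching KVNO from `kadmin.local: getprinc`) gives a keytab that passes.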

New Contributor

kadmin can't restart on the slave KDC or the master KDC. The log message is:

oct 01 15:49:48 kdc01.test.local _kadmind[24364]: Error. This appears to be a slave server, found kpropd.acl
Oct 01 15:49:48 kdc01.test.local systemd[1]: kadmin.service: control process exited, code=exited status=6
Oct 01 15:49:48 kdc01.test.local systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.

When I removed kpropd.acl from /var/kerberos/krb5kdc/ on the slave and master nodes, kadmin worked fine. How do I solve this problem?