
Kerberos High Availability Functionality Testing


Is there a way to test MIT Kerberos high availability functionality? Any approaches?

Thanks in advance.


Master Mentor




@Shelton Thank you so much


Hi @Geoffrey Shelton Okot

I created a principal for my LDAP id in the fashion below.

kadmin.local: addprinc myid

WARNING: no policy specified for id@RXPERF.HDP.XX.COM; defaulting to no policy

Enter password for principal "id@RXPERF.HDP.XX.COM":

Re-enter password for principal "id@RXPERF.HDP.XX.COM":

Principal "id@RXPERF.HDP.XX.COM" created.

I haven't created any keytab for my id as of now.

Regarding the sync, will update that.


Master Mentor


Create the test user principal

Let's try this out. As root, create the user at OS level

# useradd test 

Set password

# passwd test

Invoke the KDC admin CLI; run these commands from /etc/security/keytabs

# kadmin.local .. 
kadmin.local: addprinc test@RXPERF.HDP.XX.COM 

Quit kadmin

kadmin.local: q

Extract/Generate the keytab

Extracting the keytab is done in the ktutil shell, as a continuation from the previous step. The keytab name and principal are explicit inputs; it's usually good if the name matches the user for easy identification.

This will extract the keytab in the current directory, i.e. /etc/security/keytabs/. You can later move it to the user's home directory or the /tmp directory.

# sudo ktutil 
ktutil : addent -password -p test@RXPERF.HDP.XX.COM -k 1 -e RC4-HMAC 
Password for test@RXPERF.HDP.XX.COM : 
ktutil : wkt test.keytab 
ktutil : q

Now, to validate the above steps, run as the user test

$ klist -kt  /etc/security/keytabs/test.keytab

The output should look like

Keytab name: FILE:/etc/security/keytabs/test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des3-cbc-sha1)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes128-cts-hmac-sha1-96)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (arcfour-hmac)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des-cbc-md5)
   1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes256-cts-hmac-sha1-96)

Now grab a ticket as the test user, using the format kinit -kt $keytab $principal

$ kinit -kt  /etc/security/keytabs/test.keytab test@RXPERF.HDP.XX.COM

Check for ticket


Let me know if that works
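Added example, not part of the thread or any poster's own code: once the test principal and keytab above work, one way to approach the original question is to request a ticket from each KDC in isolation by pointing a throwaway krb5.conf at a single server. The KDC host names and the function names are placeholders; `KRB5_CONFIG`, `KRB5CCNAME` and `dns_lookup_kdc` are standard MIT Kerberos settings.

```shell
#!/bin/sh
# Added example (not from the thread): confirm each KDC can issue a TGT on its own.
# Realm, principal and keytab path are the thread's; KDC host names are placeholders.
REALM="${REALM:-RXPERF.HDP.XX.COM}"
PRINCIPAL="${PRINCIPAL:-test@$REALM}"
KEYTAB="${KEYTAB:-/etc/security/keytabs/test.keytab}"
KINIT="${KINIT:-kinit}"   # overridable so the logic can be exercised without a KDC

# Print a krb5.conf that lists exactly one KDC, with DNS discovery disabled so
# the client cannot silently fall back to a different server.
single_kdc_conf() {
  cat <<EOF
[libdefaults]
  default_realm = $1
  dns_lookup_kdc = false
  dns_lookup_realm = false

[realms]
  $1 = {
    kdc = $2
  }
EOF
}

# Request a TGT from one KDC with a private config and credential cache, so the
# caller's real ticket cache is untouched. The ( ) body keeps dir and rc local.
probe_kdc() (
  dir=$(mktemp -d) || exit 2
  single_kdc_conf "$REALM" "$1" > "$dir/krb5.conf"
  rc=0
  KRB5_CONFIG="$dir/krb5.conf" KRB5CCNAME="FILE:$dir/cc" \
    "$KINIT" -kt "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1 || rc=$?
  rm -rf "$dir"
  exit "$rc"
)

# Probe every KDC named in the arguments; print "host OK" or "host FAIL"
# per KDC and return the number that failed.
check_kdcs() (
  failed=0
  for kdc in "$@"; do
    if probe_kdc "$kdc"; then echo "$kdc OK"
    else echo "$kdc FAIL"; failed=$((failed + 1)); fi
  done
  exit "$failed"
)

# Usage: sh check_kdcs.sh kdc1.example.com kdc2.example.com
if [ "$#" -gt 0 ]; then check_kdcs "$@"; fi
```

Run it once with every KDC up, then again with krb5kdc stopped on the master; the remaining KDCs should still report OK. This exercises ticket issuance only, not kadmin or database propagation.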

New Contributor

kadmin can't restart on the slave KDC and master KDC. The log message is:

oct 01 15:49:48 kdc01.test.local _kadmind[24364]: Error. This appears to be a slave server, found kpropd.acl
Oct 01 15:49:48 kdc01.test.local systemd[1]: kadmin.service: control process exited, code=exited status=6
Oct 01 15:49:48 kdc01.test.local systemd[1]: Failed to start Kerberos 5 Password-changing and Administration.

When I removed kpropd.acl from /var/kerberos/krb5kdc/ on the slave & master nodes, kadmin is working fine. How do I solve this problem?