Need Guidance on Setting Up Kerberos with High Availability

Hi Everyone,

I'm configuring Kerberos for our environment and aiming to ensure high availability. I've set up a master KDC and a slave KDC on EC2 instances, but I am getting the error message below while propagating.

Here is my setup on the EC2 instances for the master KDC and slave KDC to propagate.

Install the Kerberos server on both KDCs using:

sudo apt install krb5-{admin-server,kdc}

Edited the files below.

1. sudo cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false

[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log

2. sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88

[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
#master_key_type = aes256-cts
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}

3. sudo cat /etc/krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited, run "service krb5-admin-server restart" to activate it.
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
# */admin *
*/admin@EXAMPLE.COM *

Here are the principals I created:

kadmin.local: listprincs
K/M@EXAMPLE.COM
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
ubuntu/admin@EXAMPLE.COM
ubuntu@EXAMPLE.COM

Extract the keytab file for the kdc02 principal:

sudo kadmin -p ubuntu/admin -q "ktadd host/kdc02.example.com"

Create /etc/krb5kdc/kpropd.acl:

host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM

Now install kpropd daemon, which listens for connections from the kprop utility from the primary KDC:

$ sudo apt install krb5-kpropd

From a terminal on the primary KDC, create a dump file of the principal database:

sudo kdb5_util dump /var/lib/krb5kdc/dump

Still on the Primary KDC, extract its key:

sudo kadmin.local -q "ktadd host/kdc01.example.com"

On the primary KDC, run the kprop utility to push the database dump made before to the secondary KDC:

sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
kprop: Key table entry not found while getting initial credentials.

This is the error I am getting. Please help if anyone has already done it.
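
As an added check (example code, not from the post or from MIT Kerberos), the script below tests the precondition that the error message points at: kprop on the primary authenticates as host/<canonical hostname of the primary>@REALM using the keytab it reads (/etc/krb5.keytab unless -s is given), so that entry must be present. The klist -k listing, host names and realm are constructed from the values in the post.

```shell
#!/bin/sh
# Check that the keytab kprop reads on the primary KDC contains the
# principal kprop will authenticate as (host/<canonical FQDN>@REALM).
# "Key table entry not found while getting initial credentials" means
# that entry is missing from the keytab kprop opened.

# expected_kprop_principal HOSTNAME REALM -> prints host/HOSTNAME@REALM
expected_kprop_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_has_principal PRINCIPAL KLIST_OUTPUT
# Returns 0 if PRINCIPAL appears in the output of `klist -k`, 1 otherwise.
# Entry lines start with a numeric KVNO; the header lines do not.
keytab_has_principal() {
    printf '%s\n' "$2" \
      | awk '$1 ~ /^[0-9]+$/ { print $2 }' \
      | grep -Fxq -- "$1"
}

# check_kprop_ready HOSTNAME REALM KLIST_OUTPUT
# Returns 0 when kprop would find its credentials, 1 otherwise.
check_kprop_ready() {
    _p=$(expected_kprop_principal "$1" "$2")
    if keytab_has_principal "$_p" "$3"; then
        echo "ok: $_p is in the keytab"
        return 0
    fi
    echo "missing: $_p is not in the keytab (ktadd it on this host)" >&2
    return 1
}

# Constructed sample of `sudo klist -k /etc/krb5.keytab` on a host whose
# keytab only holds the kdc02 entry (one line per enctype, as klist prints).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc02.example.com@EXAMPLE.COM
   2 host/kdc02.example.com@EXAMPLE.COM'

# Live usage on the primary KDC (needs klist installed):
#   check_kprop_ready "$(hostname -f)" EXAMPLE.COM "$(sudo klist -k /etc/krb5.keytab)"
```

Note that kprop derives the host part from the machine's canonical hostname, so if that name on the EC2 instance is not kdc01.example.com, the entry kprop looks for differs from the one the ktadd above created.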

1 REPLY


Hi,

Re: Configure two Kerberos KDCs as a Master/Slave

@bilsch12 @TerryP

Can you please suggest.