Member since 09-12-2024 · 4 Posts · 2 Kudos Received · 0 Solutions
09-20-2024 01:09 AM · 1 Kudo
Hi, Re: Configure two Kerberos KDCs as a Master/Slave. @bilsch12 @TerryP, can you please suggest?
09-16-2024 05:24 AM
Hi Everyone,

I'm configuring Kerberos for our environment and aiming to ensure high availability. I've set up a master KDC and a slave KDC on EC2 instances but I'm getting the below error message while propagating. Here is my setup on the EC2 instances for the master KDC and slave KDC to propagate.

Install the Kerberos server on both of the KDCs using:

    sudo apt install krb5-{admin-server,kdc}

Edited the below files.

1. sudo cat /etc/krb5.conf

    [libdefaults]
        default_realm = EXAMPLE.COM
        # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false

    [realms]
        EXAMPLE.COM = {
            kdc = kdc01.example.com
            kdc = kdc02.example.com
            admin_server = kdc01.example.com
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

    [logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

2. sudo cat /etc/krb5kdc/kdc.conf

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        EXAMPLE.COM = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            #master_key_type = aes256-cts
            #supported_enctypes = aes256-cts:normal aes128-cts:normal
            default_principal_flags = +preauth
        }

3. sudo cat /etc/krb5kdc/kadm5.acl

    # This file Is the access control list for krb5 administration.
    # When this file is edited run service krb5-admin-server restart to activate
    # One common way to set up Kerberos administration is to allow any principal
    # ending in /admin is given full administrative rights.
    # To enable this, uncomment the following line:
    # */admin *
    */admin@EXAMPLE.COM *

Here are the principals which I had created:

    kadmin.local: listprincs
    K/M@EXAMPLE.COM
    host/kdc01.example.com@EXAMPLE.COM
    host/kdc02.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    kadmin/changepw@EXAMPLE.COM
    kadmin/kdc01.example.com@EXAMPLE.COM
    krbtgt/EXAMPLE.COM@EXAMPLE.COM
    root/admin@EXAMPLE.COM
    ubuntu/admin@EXAMPLE.COM
    ubuntu@EXAMPLE.COM

Extract the keytab file for the kdc02 principal:

    sudo kadmin -p ubuntu/admin -q "ktadd host/kdc02.example.com"

Create /etc/krb5kdc/kpropd.acl:

    host/kdc01.example.com@EXAMPLE.COM
    host/kdc02.example.com@EXAMPLE.COM

Now install the kpropd daemon, which listens for connections from the kprop utility from the primary KDC:

    $ sudo apt install krb5-kpropd

From a terminal on the primary KDC, create a dump file of the principal database:

    sudo kdb5_util dump /var/lib/krb5kdc/dump

Still on the primary KDC, extract its key:

    sudo kadmin.local -q "ktadd host/kdc01.example.com"

On the primary KDC, run the kprop utility to push the database dump made before to the secondary KDC:

    sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
    kprop: Key table entry not found while getting initial credentials.

This is the error I am getting. Please help if anyone has already done it.
09-12-2024 01:32 AM · 1 Kudo
Hi @All, can anyone suggest how to set up Kerberos with high availability? Here are my setup steps:

1. sudo cat /etc/krb5.conf

    [libdefaults]
        default_realm = EXAMPLE.COM
        # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        rdns = false

    [realms]
        EXAMPLE.COM = {
            kdc = kdc01.example.com
            kdc = kdc02.example.com
            admin_server = kdc01.example.com
        }

    [domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

    [logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

2. sudo cat /etc/krb5kdc/kdc.conf

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        EXAMPLE.COM = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
            acl_file = /etc/krb5kdc/kadm5.acl
            key_stash_file = /etc/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            #master_key_type = aes256-cts
            #supported_enctypes = aes256-cts:normal aes128-cts:normal
            default_principal_flags = +preauth
        }

3. sudo cat /etc/krb5kdc/kadm5.acl

    # This file Is the access control list for krb5 administration.
    # When this file is edited run service krb5-admin-server restart to activate
    # One common way to set up Kerberos administration is to allow any principal
    # ending in /admin is given full administrative rights.
    # To enable this, uncomment the following line:
    # */admin *
    */admin@EXAMPLE.COM *

    kadmin.local: listprincs
    K/M@EXAMPLE.COM
    host/kdc01.example.com@EXAMPLE.COM
    host/kdc02.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    kadmin/changepw@EXAMPLE.COM
    kadmin/kdc01.example.com@EXAMPLE.COM
    krbtgt/EXAMPLE.COM@EXAMPLE.COM
    root/admin@EXAMPLE.COM
    ubuntu/admin@EXAMPLE.COM
    ubuntu@EXAMPLE.COM

Extract the key file for the kdc02 principal, which is the server we are on:

    $ sudo kadmin -p ubuntu/admin -q "ktadd host/kdc02.example.com"

Create /etc/krb5kdc/kpropd.acl:

    host/kdc01.example.com@EXAMPLE.COM
    host/kdc02.example.com@EXAMPLE.COM

Now install the kpropd daemon, which listens for connections from the kprop utility from the primary KDC:

    $ sudo apt install krb5-kpropd

From a terminal on the primary KDC, create a dump file of the principal database:

    $ sudo kdb5_util dump /var/lib/krb5kdc/dump

Still on the primary KDC, extract its key:

    $ sudo kadmin.local -q "ktadd host/kdc01.example.com"

On the primary KDC, run the kprop utility to push the database dump made before to the secondary KDC:

    $ sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
    kprop: Key table entry not found while getting initial credentials

This is the error I am getting. Please help if anyone has already done it. I am not using Ambari or anything else; I am setting it up normally on EC2 instances.