Jan 12 2013

In this post, I will describe how to set up incremental database propagation as described in the MIT documentation. Unfortunately, the instructions at the preceding link are incomplete (as of this writing). The aim of this post is to describe completely how to set up incremental propagation.

For the purposes of this tutorial, I will assume you have 2 KDCs (referred to here as kdc1.example.com and kdc2.example.com). Installing the KDCs is out of the scope of this post. In this post, I will use the default filesystem paths as they exist on Debian for illustration purposes.

First, you need to add kiprop principals for kdc1 and kdc2.

kdc1 # kadmin.local 
Authenticating as principal solj/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc -policy service -randkey kiprop/kdc1.example.com
Principal "kiprop/kdc1.example.com@EXAMPLE.COM" created.
kadmin.local:  addprinc -policy service -randkey kiprop/kdc2.example.com
Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.

Once you have done this, you will need to dump the database on kdc1 and load it on kdc2.

kdc1 # kdb5_util dump principal

Use a secure method (e.g. scp) to transfer the principal database to kdc2 and load the database there.

kdc2 # kdb5_util load principal

Add the following options in the appropriate [realms] section of /etc/krb5kdc/kdc.conf on both KDCs.

iprop_enable = true
iprop_port = 2121

The actual port you use is up to you. Note that there are other iprop_ options you can use and they are already documented on the MIT page.

Next, you need to allow the kiprop principals the access they need to propagate the database. On kdc1, add the following to /etc/krb5kdc/kadm5.acl.

kiprop/kdc1.example.com p
kiprop/kdc2.example.com p

Extract kdc1’s kiprop keytab to /etc/krb5kdc/kadm5.keytab.

kdc1 # kadmin.local 
Authenticating as principal solj/admin@EXAMPLE.COM with password.
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kiprop/kdc1.example.com
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.

You also need to extract kdc2’s kiprop keytab; however, it should go to the default keytab file (DEFKTNAME, which is /etc/krb5.keytab here).

kdc2 # kadmin -p solj/admin
Authenticating as principal solj/admin with password.
Password for solj/admin@EXAMPLE.COM: 
kadmin: addprinc -policy service -randkey kiprop/kdc2.example.com
Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.
kadmin:  ktadd kiprop/kdc2.example.com
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.

You should now be able to restart kadmind on kdc1 and run kpropd on kdc2 to successfully propagate the database. Note that you can debug this process by watching the kadmind logs as well as running kpropd in the foreground (kpropd -S -d).
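As an added example that is not part of the original post, here is a POSIX shell pre-flight script that checks the configuration written in the steps above before kadmind and kpropd are restarted: that iprop_enable is true inside the realm stanza of both kdc.conf files, that iprop_port matches, that the master's kadm5.acl grants "p" to the replica's kiprop principal, and that the keytab holding the kiprop key is not group- or world-readable. Every path, realm and hostname is an argument you supply (the demo uses constructed files with the post's values); it assumes the "KEY = value" spacing used in the post's kdc.conf snippet, and it never calls kadmin, kadmind or kpropd.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the iprop
# settings described above. Every path, hostname and realm is an argument you
# supply; nothing here calls kadmin, kadmind or kpropd.

# Print the value of <key> inside <REALM>'s stanza of the [realms] section.
# Assumes the "KEY = value" spacing used in the post's kdc.conf snippet.
# Usage: iprop_conf_value <kdc.conf> <REALM> <key>
iprop_conf_value() {
    [ -r "$1" ] || return 1
    awk -v realm="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); inrealm = 0; next }
        insec && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0; next }
        inrealm && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Succeed if kadm5.acl grants the "p" (propagation) right, or "*", to
# kiprop/<host>, written with or without an explicit @REALM. Wildcard
# principal entries are not expanded; lowercase letters grant, uppercase deny.
# Usage: acl_grants_iprop <kadm5.acl> <kdc-host> [REALM]
acl_grants_iprop() {
    [ -r "$1" ] || return 1
    awk -v princ="kiprop/$2" -v realm="${3:-}" '
        /^[[:space:]]*#/ || NF < 2 { next }
        ($1 == princ || (realm != "" && $1 == (princ "@" realm))) &&
            ($2 ~ /p/ || $2 == "*") { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeed if the keytab is a regular file with no group/other permission bits,
# which is how kadm5.keytab (now holding the kiprop key) should be kept.
# Usage: keytab_is_private <keytab>
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Check master and replica kdc.conf for iprop_enable = true and a matching
# iprop_port, and the master's kadm5.acl for the replica's kiprop entry.
# Prints each problem found; returns non-zero if there was any.
# Usage: iprop_preflight <master kdc.conf> <replica kdc.conf> <master kadm5.acl> <REALM> <replica-host>
iprop_preflight() {
    m_conf=$1 r_conf=$2 acl=$3 realm=$4 replica=$5 rc=0
    for f in "$m_conf" "$r_conf"; do
        if [ "$(iprop_conf_value "$f" "$realm" iprop_enable)" != "true" ]; then
            echo "$f: iprop_enable is not true in [realms] $realm"; rc=1
        fi
    done
    mp=$(iprop_conf_value "$m_conf" "$realm" iprop_port) || mp=
    rp=$(iprop_conf_value "$r_conf" "$realm" iprop_port) || rp=
    if [ -z "$mp" ] || [ "$mp" != "$rp" ]; then
        echo "iprop_port missing or different (master='$mp', replica='$rp')"; rc=1
    fi
    if ! acl_grants_iprop "$acl" "$replica" "$realm"; then
        echo "$acl: no 'p' entry for kiprop/$replica"; rc=1
    fi
    return $rc
}

# Demo on constructed files using the post's values (not real configuration):
#   sh iprop_preflight.sh demo
iprop_demo() {
    d=$(mktemp -d) || return 1
    cat >"$d/kdc.conf" <<'EOF'
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        iprop_enable = true
        iprop_port = 2121
    }
EOF
    printf '%s\n' '*/admin@EXAMPLE.COM *' \
        'kiprop/kdc1.example.com p' 'kiprop/kdc2.example.com p' >"$d/kadm5.acl"
    if iprop_preflight "$d/kdc.conf" "$d/kdc.conf" "$d/kadm5.acl" EXAMPLE.COM kdc2.example.com; then
        echo "preflight OK"; rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = demo ]; then iprop_demo; fi
```

Run it with "sh iprop_preflight.sh demo" to see the checks pass on the constructed files, then point the functions at the real paths on each KDC before restarting kadmind. It only inspects configuration and file modes; confirming that the right kiprop key is actually in a keytab is still a job for klist -k.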

 Posted by at 16:25

  2 Responses to “MIT incremental database propagation”

  1. Thanks, great guide. Got everything up and working in a few minutes.

    Question though, the extra “addprinc -policy service -randkey kiprop/kdc2.example.com” in the last step seems superfluous since you’ve already copied the database in earlier steps? (I skipped it and everything seems to be working)

    • The earlier steps involved manually copying over the database from kdc1 -> kdc2. The kiprop configuration allows for incremental database propagation as changes are made to kdc1 (after the initial copy).
