# MIT incremental database propagation

Published 2013-01-12 at https://www.soljerome.com/blog/2013/01/12/mit-incremental-database-propagation/

In this post, I will describe how to set up incremental database propagation as described in the [MIT documentation](http://web.mit.edu/kerberos/krb5-current/doc/admin/database.html#incr-db-prop). Unfortunately, the instructions at the preceding link are incomplete (as of this writing). The aim of this post is to completely describe how to set up incremental propagation.

For the purposes of this tutorial, I will assume you have two KDCs (referred to here as kdc1.example.com and kdc2.example.com). Installing the KDCs is out of the scope of this post. I will use the default filesystem paths as they exist on Debian for illustration purposes.

First, you need to add **kiprop** principals for kdc1 and kdc2.

```
kdc1 # kadmin.local
Authenticating as principal solj/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc -policy service -randkey kiprop/kdc1.example.com
Principal "kiprop/kdc1.example.com@EXAMPLE.COM" created.
kadmin.local:  addprinc -policy service -randkey kiprop/kdc2.example.com
Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.
```

Once you have done this, you need to dump the database on kdc1 and load it on kdc2.

```
kdc1 # kdb5_util dump principal
```

Use a secure method (e.g. scp) to transfer the `principal` dump file to kdc2 and load the database there.

```
kdc2 # kdb5_util load principal
```

Add the following options to the appropriate *[realms]* section of `/etc/krb5kdc/kdc.conf` on both KDCs.

```
iprop_enable = true
iprop_port = 2121
```

The actual port you use is up to you. Note that there are other *iprop_* options you can use; they are already documented on the [MIT page](http://web.mit.edu/kerberos/krb5-current/doc/admin/database.html#incr-db-prop).

Next, you need to grant the kiprop principals the access they need to propagate the database. On kdc1, add the following to `/etc/krb5kdc/kadm5.acl` (the principal names must match the ones created above).

```
kiprop/kdc1.example.com p
kiprop/kdc2.example.com p
```

Extract kdc1's *kiprop* keytab to `/etc/krb5kdc/kadm5.keytab`.

```
kdc1 # kadmin.local
Authenticating as principal solj/admin@EXAMPLE.COM with password.
kadmin.local:  ktadd -k /etc/krb5kdc/kadm5.keytab kiprop/kdc1.example.com
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kiprop/kdc1.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
```

You also need to extract kdc2's *kiprop* keytab; however, it should go to the default keytab file ([DEFKTNAME](http://web.mit.edu/kerberos/krb5-current/doc/mitK5defaults.html#paths)). The principal was already created on kdc1 in the first step, so only the `ktadd` is needed here.

```
kdc2 # kadmin -p solj/admin
Authenticating as principal solj/admin with password.
Password for solj/admin@EXAMPLE.COM:
kadmin:  ktadd kiprop/kdc2.example.com
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal kiprop/kdc2.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
```

You should now be able to restart kadmind on kdc1 and run kpropd on kdc2 to successfully propagate the database. Note that you can debug this process by watching the kadmind logs as well as running kpropd in the foreground (`kpropd -S -d`).