Documentation< Previous | Contents | Next >
3.3. Secondary KDC
Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable. Also, if you have Kerberos clients that are in different networks (possibly separated by routers using NAT), it is wise to place a secondary KDC in each of those networks.
1. First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:
sudo apt install krb5-kdc krb5-admin-server
2. Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:
kadmin -q "addprinc -randkey host/kdc02.example.com"
After, issuing any kadmin commands you will be prompted for your username/ [email protected] principal password.
3. Extract the keytab file:
kadmin -q "ktadd -norandkey -k keytab.kdc02 host/kdc02.example.com"
4. There should now be a keytab.kdc02 in the current directory, move the file to /etc/krb5.keytab:
sudo mv keytab.kdc02 /etc/krb5.keytab
If the path to the keytab.kdc02 file is different adjust accordingly.
Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the klist utility:
sudo klist -k /etc/krb5.keytab
The -k option indicates the file is a keytab file.
5. Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:
host/[email protected] host/[email protected]
6. Create an empty database on the Secondary KDC:
sudo kdb5_util -s create
7. Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used to transfer dump files:
sudo kpropd -S
8. From a terminal on the Primary KDC, create a dump file of the principal database:
sudo kdb5_util dump /var/lib/krb5kdc/dump
9. Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:
kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com" sudo mv keytab.kdc01 /etc/krb5.keytab
Make sure there is a host for kdc01.example.com before extracting the Keytab.
10. Using the kprop utility push the database to the Secondary KDC:
sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
There should be a SUCCEEDED message if the propagation worked. If there is an error message check /var/log/syslog on the secondary KDC for more information.
You may also want to create a cron job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour (note the long line has been split to fit the format of this document):
# m h dom mon dow command
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump &&
/usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
11. Back on the Secondary KDC, create a stash file to hold the Kerberos master key:
sudo kdb5_util stash
12. Finally, start the krb5-kdc daemon on the Secondary KDC:
sudo systemctl start krb5-kdc.service
The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping the krb5-kdc daemon on the Primary KDC, then by using kinit to request a ticket. If all goes well you should
receive a ticket from the Secondary KDC. Otherwise, check /var/log/syslog and /var/log/auth.log in the Secondary KDC.