Wednesday, December 22, 2010

Debian Kerberos Slave

Slave KDCs provide an additional source of Kerberos ticket-granting services in the event of inaccessibility of the master KDC. A slave holds a read-only copy of the database: it answers AS and TGS requests, but password changes and kadmin operations still go to the master (the admin_server). It is recommended that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as krb for the admin server and kdc1, kdc2, ... for the KDCs (in this setup kdc1 is the master and kdc2 the slave). This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames.

Master (Primary) Kerberos Server

  1. Add the new slave (kdc2.dev.local) to the realm section of /etc/krb5.conf. The same file is needed on the master, on every slave and on every client, since a client only fails over to a KDC it knows about:
    [realms]
            DEV.LOCAL = {
                    kdc = kdc1.dev.local
                    kdc = kdc2.dev.local
                    admin_server = krb.dev.local
            }
    
    Alternatively (and preferably), set up DNS discovery, i.e. _kerberos._udp and _kerberos._tcp SRV records for the realm that list all KDCs; then clients need no per-KDC entries at all.
  2. Add the slave's host principal and extract its key into the master's keytab (the master's own host/kdc1.dev.local principal is what kprop authenticates with, so it must already exist there):
    kadmin.local -q "addprinc -randkey host/kdc2.dev.local"
    
    kadmin.local -q "ktadd host/kdc2.dev.local"
    
  3. Create the database propagation ACL (file /etc/krb5kdc/kpropd.acl). kpropd on the slave reads it and accepts pushes only from the principals listed, so the master's host principal must be in it:
    host/kdc1.dev.local@DEV.LOCAL
    host/kdc2.dev.local@DEV.LOCAL
    
  4. Create a dump of the Kerberos database; /var/lib/krb5kdc/slave_datatrans is the file kprop sends by default on Debian, and kdb5_util writes a slave_datatrans.dump_ok marker next to it that kprop checks before sending:
    kdb5_util dump /var/lib/krb5kdc/slave_datatrans
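
Steps 2 and 3 above can be done in one go. The following is an added example script, not part of the original post, that enrols a slave on the master with two differences from the manual steps: the slave's key is extracted into a keytab of its own (so the master's /etc/krb5.keytab, which also holds host/kdc1's key, never has to leave the master), and the kpropd.acl update is idempotent, so the script can be rerun safely. The realm, the hostnames, the keytab directory and the KADMIN/ACL paths are assumptions and are overridable through the environment:

```shell
#!/bin/sh
# Added example (not the post's own script): enrol a new slave KDC on the master.
# Creates host/<slave>@REALM with a random key, extracts it into a per-slave
# keytab, and makes sure both the master's and the slave's host principals are
# listed in the kpropd ACL. Realm, hostnames and paths below are assumptions.

KADMIN=${KADMIN:-/usr/sbin/kadmin.local}
ACL=${ACL:-/etc/krb5kdc/kpropd.acl}
KEYTAB_DIR=${KEYTAB_DIR:-/var/lib/krb5kdc/slave-keytabs}
REALM=${REALM:-DEV.LOCAL}
MASTER=${MASTER:-kdc1.dev.local}   # kprop authenticates as host/$MASTER@$REALM

# Host principal name for a KDC host: host_princ kdc2.dev.local DEV.LOCAL
host_princ() {
    echo "host/$1@$2"
}

# Append principal $1 to the ACL unless it is already listed.
# Returns 0 when added, 1 when it was already there.
acl_add() {
    touch "$ACL"
    grep -qxF "$1" "$ACL" && return 1
    echo "$1" >> "$ACL"
}

# Create the slave's host principal with a random key and extract it into
# a keytab of its own (mode 600); prints the keytab path on success.
make_slave_keytab() {
    princ=$(host_princ "$1" "$REALM")
    kt="$KEYTAB_DIR/$1.keytab"
    mkdir -p "$KEYTAB_DIR" && chmod 700 "$KEYTAB_DIR" || return 1
    "$KADMIN" -q "addprinc -randkey $princ" >/dev/null || return 1
    "$KADMIN" -q "ktadd -k $kt $princ" >/dev/null || return 1
    chmod 600 "$kt" && echo "$kt"
}

# Full enrolment: the master's own principal must be in the ACL for kpropd
# to accept its pushes; then the slave is added and its keytab produced.
enrol_slave() {
    acl_add "$(host_princ "$MASTER" "$REALM")" || :
    acl_add "$(host_princ "$1" "$REALM")" || :
    make_slave_keytab "$1"
}

# Usage, as root on the master:
#   kt=$(enrol_slave kdc2.dev.local)
#   scp "$kt"  kdc2.dev.local:/etc/krb5.keytab
#   scp "$ACL" kdc2.dev.local:/etc/krb5kdc/kpropd.acl
```

The per-slave keytab is what gets copied to /etc/krb5.keytab on the slave in place of the master's keytab; everything else in the slave setup below stays the same.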
    

Secondary (Slave, Read-Only) Kerberos Server

  1. Install Kerberos Server and xinetd (to be used for database propagation):
    apt-get install krb5-kdc xinetd
    
  2. Copy from the master (a) the realm configuration (file /etc/krb5.conf), (b) the database propagation ACL (file /etc/krb5kdc/kpropd.acl), (c) the keytab (file /etc/krb5.keytab) and (d) the logrotate settings, e.g. with scp, then create the log directory and make sure the keytab is readable by root only:
    scp kdc1:/etc/krb5.conf /etc
    scp kdc1:/etc/krb5kdc/kpropd.acl /etc/krb5kdc
    scp kdc1:/etc/krb5.keytab /etc
    scp kdc1:/etc/logrotate.d/krb5 /etc/logrotate.d
    mkdir /var/log/krb5
    chmod 600 /etc/krb5.keytab
    
    Note that the master's /etc/krb5.keytab also contains the master's own host key (and any other keys ever extracted into it). If you prefer the slave to hold only its own key, extract it on the master into a separate file with ktadd -k /path/to/kdc2.keytab host/kdc2.dev.local and copy that file to /etc/krb5.keytab on the slave instead.
    
  3. Set up the database propagation service (file /etc/xinetd.d/krb_prop). The service name krb_prop resolves to 754/tcp via /etc/services; kpropd authenticates the master with Kerberos and accepts only the principals listed in kpropd.acl:
    # kpropd, started on demand by xinetd on krb_prop (754/tcp)
    service krb_prop
    {
            disable         = no
            socket_type     = stream
            protocol        = tcp
            user            = root
            wait            = no
            server          = /usr/sbin/kpropd
    }
    
    Restart xinetd service:
    /etc/init.d/xinetd restart
    

Propagate database

  1. Propagate the database from the master to the slave (kprop authenticates as host/kdc1.dev.local with the master's /etc/krb5.keytab and connects to kpropd on the slave, port 754/tcp):
    kdc1:~# kprop kdc2.dev.local
    Database propagation to kdc2.dev.local: SUCCEEDED
    
  2. Create the master key stash file on the slave. You are prompted for the master password; it must be the one chosen on the master, as the keys in the propagated database are encrypted under that master key:
    kdb5_util stash
    
  3. Start Kerberos Slave service:
    /etc/init.d/krb5-kdc start
    

Automate database propagation

  1. Here is a script that propagates the master database to all slaves (run on the master, file /usr/local/sbin/krb5-prop). Messages go to stderr so that cron still mails them when stdout is redirected:
    #!/bin/sh
    # Dump the master's database and push it to every slave listed in $slaves.
    
    #slaves="kdc2.dev.local kdc3.dev.local"
    slaves="kdc2.dev.local"
    
    # kprop sends this file by default; kdb5_util also writes slave_datatrans.dump_ok
    if ! /usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans; then
      echo "Kerberos database dump failed." >&2
      exit 1
    fi
    
    for slave in $slaves; do
      if ! /usr/sbin/kprop $slave > /dev/null; then
        echo "Kerberos propagation to host $slave failed." >&2
      fi
    done
    exit 0
    
    Ensure the file is executable:
    chmod +x /usr/local/sbin/krb5-prop
    
  2. Schedule a cron job (file /usr/local/sbin/cron-krb5-prop, in /etc/cron.d format):
    #
    # Regular cron job for Kerberos database propagation
    #
    PATH=/usr/local/sbin
    HOME=/
    LOG=/dev/null
    
    # At minute 53 of every hour (not every 53 minutes). Only stdout goes to $LOG;
    # anything the job writes to stderr is mailed to root by cron.
    53 * * * * root test -x /usr/local/sbin/krb5-prop && krb5-prop >> $LOG
    
    ... and let cron know about it by linking it into /etc/cron.d:
    ln -s /usr/local/sbin/cron-krb5-prop /etc/cron.d/cron-krb5-prop
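
The script above reports failures but always exits 0, and with LOG=/dev/null a failed push to a slave is easy to miss. As an added example that is not part of the original post, here is a stricter replacement for /usr/local/sbin/krb5-prop doing the same job: it refuses to run while a previous run is still going, verifies the dump (including the slave_datatrans.dump_ok marker that kprop insists on) before sending anything, logs each slave's outcome on stderr, and exits non-zero when any slave failed so that cron mails the result. The lock directory, the SLAVES list and the binary paths are assumptions; they are variables so the functions can be exercised with stand-ins for kdb5_util and kprop:

```shell
#!/bin/sh
# Added example (not the post's own script): cron-driven propagation of the
# master KDC database to all slaves, with locking, dump validation and
# per-slave failure reporting. Paths, hostnames and the lock dir are assumptions.

KDB5_UTIL=${KDB5_UTIL:-/usr/sbin/kdb5_util}
KPROP=${KPROP:-/usr/sbin/kprop}
DUMP=${DUMP:-/var/lib/krb5kdc/slave_datatrans}
LOCKDIR=${LOCKDIR:-/var/run/krb5-prop.lock}
SLAVES=${SLAVES:-kdc2.dev.local}   # space-separated list of slave KDCs

log() { echo "$(date '+%b %d %H:%M:%S') krb5-prop: $*" >&2; }

# Dump the database. kdb5_util also writes $DUMP.dump_ok, and kprop refuses a
# dump without that marker, so both files are checked before anything is sent.
dump_db() {
    "$KDB5_UTIL" dump "$DUMP" || return 1
    [ -s "$DUMP" ] && [ -f "$DUMP.dump_ok" ]
}

# Push $DUMP to every slave. Sets FAILED to the number of slaves that did not
# accept it and returns non-zero if that number is not 0.
propagate_all() {
    FAILED=0
    for slave in $SLAVES; do
        # keep kprop's own error text for the log, drop its normal output
        if err=$("$KPROP" -f "$DUMP" "$slave" 2>&1 >/dev/null); then
            log "propagated to $slave"
        else
            log "propagation to $slave FAILED: $err"
            FAILED=$((FAILED + 1))
        fi
    done
    [ "$FAILED" -eq 0 ]
}

main() {
    # mkdir is atomic, so it serves as a lock without needing flock(1)
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        log "another run holds $LOCKDIR, skipping"
        return 2
    fi
    trap 'rmdir "$LOCKDIR"' EXIT INT TERM
    dump_db || { log "database dump failed"; return 1; }
    propagate_all
}

# Run only when installed and invoked as krb5-prop (as the cron job above does);
# sourcing the file merely defines the functions.
case "$0" in
    */krb5-prop) main; exit $? ;;
esac
```

With this in place the cron line from the previous step needs no change: stderr is not redirected, so each failed slave and each skipped run produces a mail to root, while a clean run stays silent.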
    
Finally, here is how to test that it is working:
  1. Stop the master Kerberos server:
    /etc/init.d/krb5-kdc stop
    
  2. Open the log file on the slave:
    tail -f /var/log/krb5/kdc.log
    
  3. Log in to a Kerberos client (it must list kdc2 in its krb5.conf or find it via DNS, otherwise it cannot fail over):
    ssh user1@deby01
    
  4. Watch the log on the slave: the AS_REQ/TGS_REQ lines for user1@DEV.LOCAL should now be issued there. Start the master again afterwards; while it is down, password changes and kadmin do not work.
Read more about kerberos here.
