Kerberos KDC
The heart of Kerberos is the MIT Kerberos KDC (``Key Distribution Center'').
The KDC is a daemon, krb5kdc. It runs on two hosts (at this time niven01 and
niven02, both of which happen to be HP/UX). The Kerberos clients find these
hosts because they're listed in /etc/krb5.conf.
Niven01 is the master server: 1) it's listed first, so clients try it first
and it gets essentially all the ticket requests, and 2) it's also the host
listed under admin_server, so it's where kadmin sends the updates.
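Here, as an added example rather than anything from this site's files, is a constructed krb5.conf laid out the way the paragraph describes, plus a small check that reads back which host is named by the first kdc line and by admin_server. The realm name U.WASHINGTON.EDU and the fully qualified KDC names are assumptions; the page gives only the short hostnames. The [logging] stanza matches what the Logging section below says about LOCAL3.

```shell
#!/bin/sh
# Added example, not a file from the site. A constructed /etc/krb5.conf laid
# out as the text describes (niven01 first and as admin_server, niven02 second)
# and a check that reads back which host is the master.
# ASSUMPTIONS: the realm name U.WASHINGTON.EDU and the fully qualified KDC
# names; the page gives only the short hostnames.

# Constructed sample. Clients try the kdc lines in the order listed, so
# niven01 takes the ticket traffic and niven02 answers only when it does not.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = U.WASHINGTON.EDU

[realms]
    U.WASHINGTON.EDU = {
        kdc = niven01.u.washington.edu
        kdc = niven02.u.washington.edu
        admin_server = niven01.u.washington.edu
    }

[domain_realm]
    .u.washington.edu = U.WASHINGTON.EDU

[logging]
    # ticket transactions go to syslog facility local3; syslog.conf needs a
    # matching line such as:  local3.*  /var/log/krb5kdc.log
    kdc = SYSLOG:INFO:LOCAL3
    admin_server = SYSLOG:INFO:LOCAL3
EOF
}

# Print the value of the first "KEY = value" line inside REALM's stanza of the
# [realms] section of FILE (nothing if absent).  Usage: realm_setting FILE REALM KEY
realm_setting() {
    awk -v realm="$2" -v key="$3" '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section) }
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[ \t]*}/ { inrealm = 0 }
        inrealm && $1 == key && $2 == "=" && !found { print $3; found = 1 }
    ' "$1"
}

# Report the first kdc and the admin_server for REALM in FILE. Succeeds only
# when they name the same host: that host is the master as the text defines it,
# and a mismatch (e.g. after a master/slave switch) means kadmin updates go to
# a KDC that clients do not try first.
check_master() {
    first_kdc=$(realm_setting "$1" "$2" kdc)
    admin=$(realm_setting "$1" "$2" admin_server)
    echo "first kdc: ${first_kdc:-NONE}   admin_server: ${admin:-NONE}"
    [ -n "$first_kdc" ] && [ "$first_kdc" = "$admin" ]
}

# Stand-alone demonstration on the constructed file.
demo_conf=$(mktemp)
sample_krb5_conf >"$demo_conf"
check_master "$demo_conf" U.WASHINGTON.EDU
rm -f "$demo_conf"
```

Run check_master against a real /etc/krb5.conf to confirm a client is pointed at the host that actually runs kadmind.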
Niven02 is the slave server. It runs roughly an hour behind niven01, being
refreshed by a complete copy of the database once an hour, and it sees service
only in an emergency, when niven01 fails to respond to queries; any password
changes made since the last copy are missing from it during such an outage.
The hourly database propagation is initiated by niven01, which runs
/krb5/sbin/propagate from cron.
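The propagate script itself isn't on this page. What follows is an added example, not the site's script, of the standard MIT procedure such a job wraps: a full kdb5_util dump of the principal database followed by kprop to the slave, with the checks a cron job wants so a failure gets logged instead of leaving niven02 silently stale. The slave's full name, the dump file location and the KDC directory are assumptions, and kpropd has to already be running on the slave (normally from inetd).

```shell
#!/bin/sh
# Added example, not the site's /krb5/sbin/propagate (which the page does not
# show): the standard MIT krb5 master-to-slave propagation, a full kdb5_util
# dump followed by kprop to the slave, with the checks a cron job needs so a
# failure is logged instead of leaving niven02 silently stale.
# ASSUMPTIONS: the slave's full name, the dump file location, the KDC
# directory, and that kpropd is already running on the slave (from inetd).

SLAVE=${SLAVE:-niven02.u.washington.edu}
KDC_DIR=${KDC_DIR:-/krb5/var/krb5kdc}
DUMP=${DUMP:-$KDC_DIR/slave_datatrans}
# The commands are variables only so the logic can be exercised with stand-ins.
KDB5_UTIL=${KDB5_UTIL:-kdb5_util}
KPROP=${KPROP:-kprop}

# Log to the same facility the KDC uses (local3) and to stderr for cron mail.
note() {
    logger -p local3.info -t propagate "$*" 2>/dev/null || true
    echo "propagate: $*" >&2
}

# Dump the whole principal database to $DUMP. Fails if the dump is missing or
# empty: loading an empty dump on the slave would wipe its copy.
dump_database() {
    "$KDB5_UTIL" dump "$DUMP" || { note "kdb5_util dump failed"; return 1; }
    [ -s "$DUMP" ] || { note "$DUMP is empty, refusing to propagate"; return 1; }
}

# Ship the dump; kpropd on the slave loads it with kdb5_util load. kprop
# authenticates as the master's host principal, using /etc/krb5.keytab.
push_to_slave() {
    "$KPROP" -f "$DUMP" "$SLAVE" || { note "kprop to $SLAVE failed"; return 1; }
    note "propagated $(wc -c <"$DUMP" | tr -d ' ') bytes to $SLAVE"
}

propagate() {
    dump_database && push_to_slave
}

# When run directly (e.g. from cron as propagate.sh) rather than sourced, do it.
if [ "${0##*/}" = propagate.sh ]; then
    propagate || exit 1
fi
```

The one-hour lag in the text is simply how often cron runs this; the kpropd side has to list the master's host principal in its ACL or kprop is refused.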
Managing accounts
The kadmin program is the general-purpose administrative tool. It should work
from any host, but it has to be used through an admin principal, and we don't
have those set up.
I use kadmin.local,
which works only on the master service host and (I think) uses kadm5.keytab.
The interfaces are identical, and they have a little bit of online help.
kpasswd is used like kadmin, but its one function, changing your own password,
requires no special principal.
The Kerberos version of populate also works on the local host, via the keytab
ucsktab (that's what adds those thousands of users and keeps their passwords
up to date).
Host principals
Each host that wants to run Kerberized services like telnetd needs a file
/etc/krb5.keytab with an entry for a host principal instance named after the
host; for melville, that principal looks like ``host/melville.u.washington.edu''
(with the realm appended).
/krb5/sbin/newtabs makes new keytabs for the hostnames you specify and saves
them in /var/krb5/krb5kdc/keytabs/new. Don't delete the keytabs on niven01
unless you know what you're doing, and likewise don't make a new keytab for a
host unless you're sure none has been created: extracting the key again gives
the principal a new key and key version number, which invalidates the copy of
the old keytab already sitting on that host. The script /ux01/tools/keytabdist
may help get them where they need to go, if you have .rhosts access there.
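newtabs isn't reproduced on this page. What follows is an added example, not the site's script, of the same job done with kadmin.local on the master: create the host principal with a random key and extract it to a per-host keytab in the "new" directory, refusing to touch a host that already has a keytab there or a principal in the KDC, since re-extracting would bump the key version and break the keytab already installed on that host. The domain suffix and keytab directory are taken from the text as assumptions; kadmin.local must be on the PATH.

```shell
#!/bin/sh
# Added example, not the site's /krb5/sbin/newtabs (not shown on the page):
# create host/FQDN for each hostname given and write its key into a per-host
# keytab under the "new" directory, using kadmin.local on the master.
# The checks before creating are the point: ktadd generates a fresh key and
# bumps the key version number, so running it again for a principal whose
# keytab is already deployed invalidates that keytab.
# ASSUMPTIONS: the domain suffix, the keytab directory, and kadmin.local on PATH.

DOMAIN=${DOMAIN:-u.washington.edu}
KEYTAB_DIR=${KEYTAB_DIR:-/var/krb5/krb5kdc/keytabs/new}
KADMIN=${KADMIN:-kadmin.local}   # a variable so the logic can be run with a stand-in

# True if the KDC already has a principal of this name: getprinc prints a
# "Principal: ..." line only when it exists.
principal_exists() {
    "$KADMIN" -q "getprinc $1" 2>/dev/null | grep -q '^Principal:'
}

# Create host/HOST.DOMAIN with a random key and extract it to KEYTAB_DIR/HOST.keytab.
# Returns 0 when created, 2 when skipped because a keytab or principal already
# exists, 1 on a kadmin error.
make_host_keytab() {
    host=$1
    princ="host/$host.$DOMAIN"
    keytab="$KEYTAB_DIR/$host.keytab"
    if [ -e "$keytab" ]; then
        echo "$host: $keytab already exists, not touching it" >&2
        return 2
    fi
    if principal_exists "$princ"; then
        echo "$host: $princ is already in the KDC; re-keying it would break the keytab already on the host" >&2
        return 2
    fi
    "$KADMIN" -q "addprinc -randkey $princ" >/dev/null || return 1
    "$KADMIN" -q "ktadd -k $keytab $princ" >/dev/null || return 1
    echo "$host: wrote $keytab for $princ"
}

# When run directly as newtabs.sh: one keytab per hostname argument, worst
# status wins so cron or a caller notices skips and failures.
if [ "${0##*/}" = newtabs.sh ]; then
    rc=0
    for h in "$@"; do
        make_host_keytab "$h" || rc=$?
    done
    exit $rc
fi
```

After a run, klist -k on the new file shows the principal and its key version number, which is what to compare against a keytab already on the host before replacing it.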
Master/Slave management
To switch the slave in as master: stop kadmind on the master and start it on
the slave, then move niven01's name over to niven02 in DNS or some such trick,
so that the admin_server entry in the existing krb5.confs reaches the new
master (the alternative is to edit every krb5.conf, which is probably not the
way to go). Since both hosts are already listed as KDCs, ticket service
continues either way; it's only kadmind and the admin_server name that have
to move.
The files specific to the KDC are in /krb5/var/krb5kdc.
Logging
Ticket transaction logging is going to LOG_LOCAL3, because that's what I
put in krb5.conf.
kpropd's syslog output goes to LOG_DAEMON, and other servers may do the same;
we don't normally have a log defined for that facility, so those messages
aren't being captured anywhere.
Documentation
The docs are mainly a couple of PostScript (.ps) files in
/tulsa/src/krb5-1.0/doc. The installation guide has most of the useful
material; the administrator's guide is good for cross-reference while going
through the installation guide. Man pages are also available, currently in
/krb5/man.