How to install a Kerberos server

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

I struggled with the Secondary KDC instructions, and ended up referring to the Red Hat Guide to supplement my understanding. Here were things that weren’t clear to me:

  1. Why the use of the ‘extract-keys’ privilege? This privilege was unnecessary for me on Ubuntu 20.04, and I don’t see it documented in MIT’s documentation.
  2. Why the use of ‘-norandkey’ when generating the keytab?
  3. Why add kdc02 to the kpropd.acl on the secondary KDC?

Places where I got stuck:

  1. I tried to initialize a new realm on the secondary KDC. This is wrong; you want to create the stash file that’s overwritten on the first realm sync. According to Red Hat’s documentation, the master key of the stash file must match the master key of the primary KDC’s stash file.
  2. I kept getting a ‘Service key not available’ during the manual sync. It took me a long time to notice the result of hostname -f didn’t match the secondary KDC’s Kerberos principal name. Maybe we could add a warning about that?

Also, this page was a useful reference for many failure modes; might be good for the References section: http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml
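A pre-flight check for the second sticking point above, added here as an example and not part of the post or the Ubuntu documentation: it confirms that the host principal kpropd derives from the local hostname, host/<hostname -f>@REALM, is actually present in the keytab before you attempt the sync. The keytab listing, the realm EXAMPLE.COM and the FQDN kdc02.example.com are constructed sample values; on a real secondary KDC you would feed it `hostname -f` and `klist -k /etc/krb5.keytab`.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not from a real host).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc02.example.com@EXAMPLE.COM
   2 host/kdc02.example.com@EXAMPLE.COM
   2 kadmin/changepw@EXAMPLE.COM'

# keytab_has_host_principal FQDN REALM LISTING
# Returns 0 if host/FQDN@REALM appears in the listing, 1 otherwise.
keytab_has_host_principal() {
    fqdn=$1; realm=$2; listing=$3
    # Skip the three header lines; the principal is the second column.
    printf '%s\n' "$listing" | awk -v want="host/${fqdn}@${realm}" '
        NR > 3 && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_kprop_hostname FQDN REALM LISTING
# Prints a diagnosis and returns 0 on a match, 1 on the mismatch that
# produces "Service key not available" from kpropd.
check_kprop_hostname() {
    fqdn=$1; realm=$2; listing=$3
    if keytab_has_host_principal "$fqdn" "$realm" "$listing"; then
        echo "OK: keytab contains host/${fqdn}@${realm}"
        return 0
    fi
    echo "MISMATCH: no host/${fqdn}@${realm} in keytab (hostname -f vs. principal?)"
    echo "Principals present:"
    printf '%s\n' "$listing" | awk 'NR > 3 { print "  " $2 }' | sort -u
    return 1
}

# Demo against the constructed listing: the FQDN matches; a short hostname,
# as returned when hostname -f is not fully qualified, does not.
check_kprop_hostname kdc02.example.com EXAMPLE.COM "$SAMPLE_KEYTAB_LISTING" || :
check_kprop_hostname kdc02 EXAMPLE.COM "$SAMPLE_KEYTAB_LISTING" || :

# Real use on the secondary KDC:
# check_kprop_hostname "$(hostname -f)" EXAMPLE.COM "$(klist -k /etc/krb5.keytab)"
```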

Thanks for the feedback. It’s good to know how well folks are getting along with the documentation and ways we can make it better. We’ll see how we can incorporate your feedback to make it better.


Thanks for your comments. I also thought it was weird to need this new extract privilege, but it only worked with that. I’ll revise this.