4.3. Secondary KDC Configuration
Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.
1. First, install the necessary packages. In a terminal enter:
sudo apt install krb5-kdc krb5-admin-server krb5-kdc-ldap
2. Next, edit /etc/krb5.conf to use the LDAP backend:
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
    kdc = kdc01.example.com
    kdc = kdc02.example.com
    admin_server = kdc01.example.com
    admin_server = kdc02.example.com
    default_domain = example.com
    database_module = openldap_ldapconf
}
...
[domain_realm]
.example.com = EXAMPLE.COM
...
[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read rights on
    # the realm container, principal container and realm sub-trees
    ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
    # this object needs to have read and write rights on
    # the realm container, principal container and realm sub-trees
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
    ldap_conns_per_server = 5
}
3. Create the stash for the LDAP bind password:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com
4. Now, on the Primary KDC, copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media, since anyone holding this file holds the realm's master key. Then, on the Secondary KDC, move it into /etc/krb5kdc/:
sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/
Again, replace EXAMPLE.COM with your actual realm.
5. Back on the Secondary KDC, (re)start only the LDAP server:
sudo systemctl restart slapd.service
6. Finally, start the krb5-kdc daemon:
sudo systemctl start krb5-kdc.service
7. Verify that the two LDAP servers (and, by extension, Kerberos) are in sync.
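Two things in the steps above are worth checking before you trust the secondary: every entry in ldap_servers uses ldaps:// (the bind password from service.keyfile is sent to the directory on each connection), and the two stash files are not readable by anyone but root. The following audit script is an added example, not part of this guide or of the krb5 packages; it parses the [dbmodules] entry from krb5.conf text and inspects file modes. The sample configuration and the temporary stash files it creates are constructed for the demonstration, with one ldap:// URI and one 0644 file deliberately left weak so there is something to report.

```python
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the [dbmodules] block above; the second
# URI is intentionally plain ldap:// so the audit has something to flag.
SAMPLE_KRB5_CONF = """\
[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=admin,dc=example,dc=com"
    ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldaps://ldap01.example.com ldap://ldap02.example.com
    ldap_conns_per_server = 5
}
"""

def parse_dbmodule(conf_text, module="openldap_ldapconf"):
    """Return the key/value settings of one [dbmodules] entry, unquoted."""
    block = re.search(r"^\s*" + re.escape(module) + r"\s*=\s*\{(.*?)^\s*\}",
                      conf_text, re.S | re.M)
    if not block:
        raise ValueError(f"no dbmodule named {module}")
    settings = {}
    for line in block.group(1).splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip().strip('"')
    return settings

def insecure_ldap_uris(settings):
    """ldap_servers entries that would carry the bind password in clear."""
    return [u for u in settings.get("ldap_servers", "").split()
            if not u.startswith("ldaps://")]

def loose_stash_files(paths):
    """Stash files with any group/other permission bits set."""
    bad = []
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & 0o077:
            bad.append((p, oct(mode)))
    return bad

def build_demo_stash():
    """Constructed fixture: one stash file left 0644, one correctly 0600."""
    d = tempfile.mkdtemp()
    loose = os.path.join(d, "service.keyfile")
    tight = os.path.join(d, ".k5.EXAMPLE.COM")
    for p, mode in ((loose, 0o644), (tight, 0o600)):
        open(p, "w").close()
        os.chmod(p, mode)
    return loose, tight

if __name__ == "__main__":
    cfg = parse_dbmodule(SAMPLE_KRB5_CONF)
    print("cleartext LDAP URIs:", insecure_ldap_uris(cfg))
    print("loose stash files:", loose_stash_files(build_demo_stash()))
```

On a real KDC, point parse_dbmodule at the contents of /etc/krb5.conf and loose_stash_files at the ldap_service_password_file path plus the .k5.REALM stash copied in step 4.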
You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.