On Fri, Nov 16, 2001 at 04:22:01PM +0100, Turbo Fredriksson wrote:
> >>>>> "Nicolas" == Nicolas Williams <[EMAIL PROTECTED]> writes:
>
>     Nicolas> You'll need to decide whether you want to back up the
>     Nicolas> "stash" file containing the KDC's master key, if you're
>     Nicolas> using a stash file... I suggest that you save a
>     Nicolas> (several?) printed copy of the KDC master database
>     Nicolas> pass-phrase and don't back up the stash file. Restoring is
>     Nicolas> easy: use "kdb5_util load ..." to reload the KDC db and
>     Nicolas> "kdb5_util stash ..." to re-create the stash file.
>
> The 'KDC master database pass-phrase'... Would that be the K/M principal
> pass phrase/password?
Yes, but the KDC needs it to be typed in to it when it starts, or to be
stored in a "stash" file.

> Oki, 'kdb5_util dump <filename> [principals]'...
>
> So if not specifying principals, it backs up everything, I gather... But
> filename? What filename? I haven't dug that deep :)

If you don't specify which principals to dump it dumps all of them. RTFM.

> I know where the stash file is, but the actual database? Could these be
> it?
>
> ----- s n i p -----
> [papadoc.root]# pwd
> /var/lib/krb5kdc
> [papadoc.root]# ll
> total 1068
> -rw------- 1 root root 40960 Nov 14 12:37 principal
                                            ^^^^ This is the database.
> -rw------- 1 root root 1049088 Nov 14 12:40 principal.kadm5
> -rw------- 1 root root 0 Oct 30 22:53 principal.kadm5.lock
> -rw------- 1 root root 0 Nov 14 12:37 principal.ok
> ----- s n i p -----
>
> Can I just use tar to back up these, or must I use the 'kdb5_util dump'
> command line?

Use 'kdb5_util dump' to get a dump and back up everything except the
database, and possibly the stash.

>     Nicolas> With any sort of database that dynamically changes, such
>     Nicolas> as the KDC's, or OpenLDAP's, you'll need to have a way to
>     Nicolas> lock out changes or dump/copy a snapshot of the database
>     Nicolas> before you back it up; there's really no other way to
>     Nicolas> backup active databases reliably (if there's a journal,
>     Nicolas> back that up too, if you can).
>
> So I should shut down the KDC while doing a dump? Can I solve that problem
> by running a slave KDC on localhost, in the same way as I'm running a slave
> LDAP server on localhost (on a different port)?

No need to shut down the KDC in order to dump. The KDC, kadmind and the
dump/load utility are smart enough to lock around each other.

Cheers,

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow.
By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
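A backup script that follows the advice in this exchange, added here as an example and not part of the original message: it takes a dump with kdb5_util while the KDC keeps running, archives the dump together with the KDC directory minus the live database files and the stash, and leaves the stash to be re-created at restore time from the pass-phrase kept on paper. The directory paths and the stash file name patterns (.k5.REALM, stash) are assumptions; the thread names neither.

```shell
#!/bin/sh
# Added example: back up an MIT Kerberos KDC the way the thread describes.
# Take a consistent dump with kdb5_util, archive the dump together with the
# KDC directory, but leave out the live database files and the stash file.
# Paths are assumptions: /var/lib/krb5kdc as in the thread's listing, and a
# backup directory chosen for this example.
KDC_DIR="${KDC_DIR:-/var/lib/krb5kdc}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/krb5kdc}"

# Decide whether a file in the KDC directory belongs in the backup.
# Excluded: principal, principal.kadm5, *.lock, *.ok (the live DB; the dump
# replaces them) and the stash file. The stash names are assumptions:
# MIT's default .k5.REALM and the plain "stash" some packages use.
backup_wants() {
    case "$(basename "$1")" in
        principal|principal.*) return 1 ;;
        .k5.*|stash)           return 1 ;;
        *)                     return 0 ;;
    esac
}

# Print the regular files under "$1" that pass backup_wants, one per line.
select_backup_files() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue        # skip unmatched globs and subdirs
        backup_wants "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Dump and archive. No need to stop the KDC: krb5kdc, kadmind and kdb5_util
# lock around each other, as the reply says.
kdc_backup() {
    umask 077                          # the dump holds key material
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="$BACKUP_DIR/principal-$stamp.dump"
    mkdir -p "$BACKUP_DIR"
    kdb5_util dump "$dump"
    # Unquoted expansion is deliberate: KDC file names contain no whitespace.
    tar -czf "$BACKUP_DIR/krb5kdc-$stamp.tar.gz" "$dump" \
        $(select_backup_files "$KDC_DIR")
    # Restore, per the thread: kdb5_util load "$dump", then kdb5_util stash,
    # typing the master pass-phrase kept on paper. The stash is re-created,
    # never restored from backup.
}

case "${1:-}" in
    run) kdc_backup ;;                 # "sh kdc-backup.sh run" does the backup
esac
```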