> You do BOTH ktadd's on the master, then copy (SAFELY) that keytab to the slave.
That's bad advice, IMHO. One common problem people run into when setting up their second KDC is that at that point, they don't really understand what the host secret is _for_, and they're not aware of the subtle fact that ktadd generates a new key. So many people end up doing "ktadd" of BOTH principals on BOTH KDCs, and of course that screws things up royally, because the principals in one keytab don't match what's stored in the database.

To reinforce the idea that you really want one principal per host/keytab, I always tell people to run kadmin/ktadd on the destination host ... e.g., make sure "ktadd host/kerberos-2" ONLY happens on kerberos-2.

Yes, you can ktadd everything on the master and copy the keytab over, but that has two problems:

- You're UNNECESSARILY exposing the other host's key on each host. Admittedly, since it's the KDC and has a copy of the whole freaking database, then it's probably moot, but still ... and maybe you're one of the few people in the world who doesn't use a stash file :-)

- It's not clear at that point that you really really need to copy the keytab securely. If you make sure you use kadmin, then it does it for you.

--Ken

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
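As an added illustration (not part of Ken's post), the following shell script shows the per-host check an admin would run after bringing up the second KDC: it flags a keytab that carries another host's key, and a keytab whose kvno no longer matches the KDC database, which is exactly what running ktadd for the same principal on both KDCs produces. Hostnames, realm and the two listings are constructed sample data; the `klist`, `kadmin`, `ktadd` and `getprinc` commands named in the comments are the standard MIT krb5 ones.

```shell
# Added example, not from the original post. On a real KDC, replace the
# constructed listings with the output of:
#   klist -k /etc/krb5.keytab
#   kadmin -p admin/admin -q "getprinc host/$(hostname -f)"
# The entry itself should be created on the destination host, e.g. on
# kerberos-2:  kadmin -p admin/admin -q "ktadd host/kerberos-2.example.com"
# (kadmin talks to kadmind over the network, so no keytab copy is needed).

# Constructed `klist -k` listing: this keytab (wrongly) also holds the
# other KDC's key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/kerberos-2.example.com@EXAMPLE.COM
   2 host/kerberos-1.example.com@EXAMPLE.COM'

# Constructed `getprinc` output: the database is already at kvno 4, i.e.
# ktadd for this principal was run again somewhere else.
SAMPLE_GETPRINC='Principal: host/kerberos-2.example.com@EXAMPLE.COM
Number of keys: 1
Key: vno 4, aes256-cts-hmac-sha1-96'

# Print principals in a klist -k listing (stdin) that are not host/$1.
# Any output means another host's key is sitting in this keytab.
foreign_principals() {
    awk -v me="host/$1@" 'NR > 3 && index($2, me) != 1 { print $2 }'
}

# Print the kvno the keytab listing (stdin) records for principal $1.
keytab_kvno() {
    awk -v p="$1" 'NR > 3 && $2 == p { print $1; exit }'
}

# Print the current kvno held by the KDC database (getprinc output on stdin).
db_kvno() {
    awk '/^Key: vno/ { v = $3; sub(/,/, "", v); print v; exit }'
}

# Succeed only when keytab listing $2 and getprinc output $3 agree on the
# key version of principal $1; a mismatch means tickets for this host fail.
kvno_in_sync() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    db=$(printf '%s\n' "$3" | db_kvno)
    [ -n "$kt" ] && [ "$kt" = "$db" ]
}

me=kerberos-2.example.com
printf '%s\n' "$SAMPLE_KLIST" | foreign_principals "$me"
kvno_in_sync "host/$me@EXAMPLE.COM" "$SAMPLE_KLIST" "$SAMPLE_GETPRINC" \
    && echo "kvno in sync" || echo "kvno MISMATCH: re-run ktadd on $me"
```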
