Hello Benjamin,

On 24-07-14 03:58, Benjamin Kaduk wrote:
> On Wed, 23 Jul 2014, Paul van der Vlis wrote:
>
>> Hello,
>>
>> I am the administrator of a Kerberos system. The backend of Kerberos is
>> LDAP. I use it for NFS home directories and shares. Now there is a
>> second location of the organisation; they would like to have the same
>> system there.
>>
>> What I did is a replication of the LDAP to the new location, so the LDAP
>> there is read-only. And I've installed Kerberos with that LDAP as the backend.
>> It seems to work. I create accounts at the old location and they are
>> replicated to the new location. And I can use Kerberos at the new location.
>>
>> My question is: is this a good setup?
>>
>> A goal is that we want to be able to work even when there is no
>> internet connection between both locations.
>
> That should be a fine setup. The only thing that seems worth noting is
> that the "old" Kerberos server (KDC) is the master KDC, so administrative
> actions must be done against that site (and will not be possible from the
> new location if there is no connection between the two locations).
Thanks for your help!

Is it important to study the docs for a slave KDC, or is that setup for when you don't have a replicated LDAP backend?

I am wondering a bit why this does not work on a client at the new location:

-------
root@client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
Authenticating as principal paul/admin with password.
Password for paul/[email protected]:
kadmin: Kerberos database constraints violated while changing nfs/client.domain.nl's key
--------

Maybe kadmin tries to write something to the LDAP? Or is it not related? At the old location this works fine.

With regards,
Paul van der Vlis.

--
Paul van der Vlis   Linux system administration, Groningen
http://www.vandervlis.nl

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
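As an added illustration of Benjamin's point (not configuration from the thread itself): with a read-only LDAP replica at the new site, the KDC there can issue tickets on its own, but anything that writes to the database has to reach the master. The kadmin "ktadd" command is such a write, because it randomizes the principal's key before exporting it (the "-norandkey" alternative is only available in kadmin.local). A krb5.conf for clients at the new site can therefore list the local KDC first for ticket requests while sending kadmin and password changes to the old site. Hostnames, the realm name DOMAIN.NL and the ports below are assumptions; substitute the real ones.

```ini
# /etc/krb5.conf for hosts at the new location (example; hostnames, realm
# and ports are assumptions, not taken from the thread)
[libdefaults]
    default_realm = DOMAIN.NL
    # use the explicit list below rather than DNS SRV lookups
    dns_lookup_kdc = false

[realms]
    DOMAIN.NL = {
        # local KDC first: ticket requests keep working without the WAN link
        kdc = kdc2.newsite.domain.nl:88
        # old-site KDC as fallback
        kdc = kdc1.oldsite.domain.nl:88
        # all writes (kadmin, kpasswd) must reach the master at the old site
        master_kdc = kdc1.oldsite.domain.nl:88
        admin_server = kdc1.oldsite.domain.nl:749
    }
```

With this in place, "kadmin -p paul/admin -q ..." run on the new-site client talks to kadmind on the master; the same thing can be forced for a single invocation with "kadmin -s kdc1.oldsite.domain.nl". The consequence is the one Benjamin described: keytab extraction and other administrative actions at the new site only work while the link to the old site is up, whereas authentication against the local KDC does not depend on it.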
