ktadd generates a new random key and stores this new key in the keytab, so this too has to be done on the master.
Tomas

-------- Original message --------
From: Paul van der Vlis <[email protected]>
Date: 25/07/2014 00:45 (GMT+01:00)
To: Robert Wehn <[email protected]>,[email protected]
Subject: Re: Replicated LDAP as backend

On 24-07-14 19:16, Robert Wehn wrote:
>
> On 24.07.2014 11:44, Paul van der Vlis wrote:
>> I am wondering a bit why this does not work on a client on the new
>> location:
>> -------
>> root@client:~# kadmin -p paul/admin -q "ktadd nfs/$(hostname --fqdn)"
>> Authenticating as principal paul/admin with password.
>> Password for paul/[email protected]:
>> kadmin: Kerberos database constraints violated while changing
>> nfs/client.domain.nl's key
>> --------
>> Maybe kadmin tries to write something to the LDAP?
>> Or is it not-related?
>> On the old location this works fine.
> as Benjamin pointed out, if your LDAP Backend is master/slave, then on
> the slave location the Kerberos Server is also a slave, as changes can't
> be done there (not replicated back).
>
> So your kadmin server can only be on the "Master Site", no "kadmin" to
> the slave server is possible. If your Master Server is not reachable
> kadmin (and password changes) cannot be done until the connection is
> online again.

The command I give is to download a key, not to change anything. But maybe it tries to write something too, no idea.

Does it make sense to run krb5-admin-server at the slave-kdc server on the new location or is it better to stop this service?

I think it's a good idea to change the "admin_server" setting in /etc/krb5.conf on the new location to the server at the old location. Correct?

With regards,
Paul van der Vlis.

--
Paul van der Vlis Linux systeembeheer, Groningen
http://www.vandervlis.nl
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
