> 3) anyway the best would be to pull old key from backups (either from
> kdc or server backup) and put it back to KDC under correct kvno
>
> depending on your skills and other factors of your environment,
> restoring whole KDC db might be easier than to mess with single entry ...
btw, just
I'm definitely not an expert on the field, but I'd guess you'd have to:
1) wait until client tickets expires and clients requests new ones for
current kvno
2) due to linux NFS credential storage burried deep in the kernel,
reboot all clients (sometimes just restarting services helps,
I'm not an expert but I'd try:
1) check if the keys for service are in sync in KDB and service keytab.
if client reboot does not help, i'd guess keys are not in proper sync
2) pull old keytab from NFS server backup and merge it with current
keytab
client with not-yet expired tickets
Specifically I'd like to see a Nagios plugin that can be
directed to talk to a *specific* KDC (not just the first one that
answers from the list in krb5.conf) to check that the KDC service
is running.
we have done this ourselves by checking running processes (bin/ps |
grep) in a custom NRPE
