YANG ChengFu <youngs...@gmail.com> writes:

> thanks for your quick reply, finally I figured what happened, I used the
> following cron job to create keyring files
>
> sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
> sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring gc -60d
> apache2ctl graceful
> for host in bulger.mdc; do
>     rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
>     ssh $host apache2ctl graceful
> done
>
> but it does not work. So I have to enable WebKdcKeyringAutoUpdate, then
> apache creates the keyring, then it works.
> the two ways to create the keyring are in the same place, I am not sure what
> I should do?

Well, note that the first command creates a key that won't be valid for two
days (to give you time to distribute the key to the other systems). Then the
second command removes everything older than 60 days. *If* you run the
command every day, this should be okay. Basically, you'll have a rotating set
of 60 keys. That's what we do at Stanford.

However, you can't use it to create the *initial* keyring, since it won't
create a key that's immediately valid. For that, you need to do a

    wa_keyring -f /var/lib/webkdc/keyring add 0d

The other place where it won't work is if for some reason the job doesn't run
for longer than 60 days (not adding new keys) and then you run it, since it
will add a new postdated key and then delete all the current keys.

We use pretty much exactly that job on our WebKDCs, so I know it does work if
it runs daily. I suspect one of the above things happened: either there
wasn't an existing keyring with a full set of keys, or something prevented it
from running for an extended period.

-- 
Russ Allbery <ea...@windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
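The rotation described in the reply, as an added model written for this thread (not code from WebAuth or from either poster): it simulates the daily "add 2d / gc -60d" job on a keyring of day-stamped keys and reports the days on which no key is yet valid, reproducing the two failure modes Russ names (no initial "add 0d", and a gap of more than 60 days between runs). The gc rule is modelled on each key's valid-after stamp, an assumption of the model.

```python
from dataclasses import dataclass

@dataclass
class Key:
    valid_after: int  # day number from which the key can be used

def run_cron_job(keyring, today, add_offset=2, gc_age=60):
    """One run of the cron job: 'wa_keyring add 2d' then 'wa_keyring gc -60d'."""
    # add 2d: the new key is postdated so it can be rsync'd out before use
    keyring.append(Key(valid_after=today + add_offset))
    # gc -60d: drop everything older than 60 days (assumed: judged by valid_after)
    keyring[:] = [k for k in keyring if k.valid_after >= today - gc_age]
    return keyring

def usable_keys(keyring, today):
    """Keys the WebKDC could actually use on the given day."""
    return [k for k in keyring if k.valid_after <= today]

def simulate(run_days, last_day, bootstrap=True, add_offset=2, gc_age=60):
    """Run the job on the given days; return the keyring and the days with no usable key.

    bootstrap=True models the one-off 'wa_keyring add 0d' that creates an
    immediately valid key before the daily job is ever run.
    """
    keyring = []
    if bootstrap:
        keyring.append(Key(valid_after=run_days[0]))  # the 'add 0d' step
    runs = set(run_days)
    gap_days = []
    for day in range(run_days[0], last_day + 1):
        if day in runs:
            run_cron_job(keyring, day, add_offset, gc_age)
        if not usable_keys(keyring, day):
            gap_days.append(day)
    return keyring, gap_days

if __name__ == "__main__":
    daily = list(range(0, 201))
    # Healthy case: bootstrapped keyring, job runs every day -> never a gap
    print("daily, bootstrapped:", simulate(daily, 200)[1])
    # Failure 1: daily job used to create the initial keyring -> two days with no key
    print("daily, no add 0d:", simulate(daily, 200, bootstrap=False)[1])
    # Failure 2: job stops after day 5 and runs again on day 70 -> gc wipes every usable key
    print("70-day gap:", simulate(list(range(0, 6)) + [70], 75)[1])
```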