Hello Russ, thanks a lot, I appreciate your suggestion. I will make the cron job run daily!
--
Yang
Orange Key: 35745318S1

On Tue, Jan 1, 2013 at 12:38 AM, Russ Allbery <ea...@windlord.stanford.edu> wrote:
> YANG ChengFu <youngs...@gmail.com> writes:
>
> > thanks for your quick reply, finally I figured out what happened, I used the
> > following cron job to create keyring files
>
> > sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring add 2d
> > sudo -u www-data wa_keyring -f /var/lib/webkdc/keyring gc -60d
> > apache2ctl graceful
> > for host in bulger.mdc; do
> >   rsync -av -e 'ssh' /var/lib/webkdc/keyring $host:/var/lib/webkdc/keyring
> >   ssh $host apache2ctl graceful
> > done
>
> > but it does not work. So I have to enable WebKdcKeyringAutoUpdate, then
> > apache creates the keyring, then it works
>
> > the two ways to create the keyring are in the same place, I am not sure what
> > I should do?
>
> Well, note that the first command creates a key that won't be valid for
> two days (to give you time to distribute the key to the other systems).
> Then the second command removes everything older than 60 days.
>
> *If* you run the command every day, this should be okay. Basically,
> you'll have a rotating set of 60 keys. That's what we do at Stanford.
>
> However, you can't use it to create the *initial* keyring, since it won't
> create a key that's immediately valid. For that, you need to do a
> wa_keyring -f /var/lib/webkdc/keyring add 0d. The other place where it
> won't work is if for some reason the job doesn't run for longer than 60 days
> (not adding new keys) and then you run it, since it will add a new
> postdated key and then delete all the current keys.
>
> We use pretty much exactly that job on our WebKDCs, so I know it does work
> if it runs daily. I suspect one of the above things happened: either
> there wasn't an existing keyring with a full set of keys, or something
> prevented it from running for an extended period.
>
> --
> Russ Allbery <ea...@windlord.stanford.edu>
> Technical Lead, ITS Infrastructure Delivery Group, Stanford University
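Editor's note: the rotation job in the thread, with guards for the two failure modes Russ describes (no initial immediately-valid key, and a gap of more than 60 days between runs after which `gc -60d` would strip every live key). This is an added example, not the Stanford job nor Yang's script; it assumes a stamp file (`/var/lib/webkdc/.last-rotation`, path chosen here) recording the last successful run, a safety margin of 58 days, that `wa_keyring` takes only the `-f`, `add` and `gc` arguments shown in the thread, and that cron runs the script as root so `apache2ctl graceful` and the `rsync` to peers work while `wa_keyring` is run as the keyring owner.

```bash
#!/bin/bash
# Daily WebKDC keyring rotation with bootstrap and long-gap protection.
# Added example; paths, MAX_GAP_DAYS and the stamp file are assumptions.
set -euo pipefail

KEYRING="${KEYRING:-/var/lib/webkdc/keyring}"
KEYRING_OWNER="${KEYRING_OWNER:-www-data}"       # user that owns the keyring
STAMP="${STAMP:-/var/lib/webkdc/.last-rotation}"  # assumed: touched after a good run
WA_KEYRING="${WA_KEYRING:-wa_keyring}"
APACHECTL="${APACHECTL:-apache2ctl}"
PEERS="${PEERS:-}"                                # space-separated hosts to sync to
MAX_GAP_DAYS=58   # beyond this, "add 2d; gc -60d" could leave no currently valid key

# Run a command as the keyring owner (via sudo unless we already are that user).
run_as_owner() {
    if [ "$(id -un)" = "$KEYRING_OWNER" ]; then
        "$@"
    else
        sudo -u "$KEYRING_OWNER" "$@"
    fi
}

# Whole days since the stamp was last touched; a missing stamp means "never ran".
days_since_stamp() {
    local stamp="$1" now mtime
    if [ ! -f "$stamp" ]; then
        echo 9999
        return
    fi
    now=$(date +%s)
    mtime=$(stat -c %Y "$stamp" 2>/dev/null || stat -f %m "$stamp")
    echo $(( (now - mtime) / 86400 ))
}

# Pick the validity delay for the new key: 2d on a healthy daily rotation,
# 0d when we must guarantee a key that is valid right now (fresh or empty
# keyring, or the job has not run for so long that gc would remove every
# live key after adding only a postdated one).
choose_add_delay() {
    local keyring="$1" gap_days="$2"
    if [ ! -s "$keyring" ] || [ "$gap_days" -gt "$MAX_GAP_DAYS" ]; then
        echo 0d
    else
        echo 2d
    fi
}

# One rotation: add a key, garbage-collect old keys, reload Apache locally,
# push the keyring to peers and reload them, then record the successful run.
rotate() {
    local gap delay host
    gap=$(days_since_stamp "$STAMP")
    delay=$(choose_add_delay "$KEYRING" "$gap")
    run_as_owner "$WA_KEYRING" -f "$KEYRING" add "$delay"
    run_as_owner "$WA_KEYRING" -f "$KEYRING" gc -60d
    "$APACHECTL" graceful
    for host in $PEERS; do
        rsync -a -e ssh "$KEYRING" "$host:$KEYRING"
        ssh "$host" "$APACHECTL" graceful
    done
    touch "$STAMP"
}

# Invoke as "rotate-keyring.sh --run" from root's crontab; functions only
# when sourced, so the logic can be exercised without the real binaries.
if [ "${1:-}" = "--run" ]; then
    rotate
fi
```

The recovery path trades the two-day distribution window for an immediately valid key, so after a long outage the peers are briefly out of sync until the `rsync` in the same run lands; that is the same state the thread describes for the very first `add 0d`, and is far better than a keyring with no currently valid key at all.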