[28890] in Kerberos

Re: Moving kerberos infrastructure

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Dec 12 01:49:29 2007

To: kerberos@mit.edu
In-Reply-To: <ufawsrkigzc.fsf@epithumia.math.uh.edu> (Jason L. Tibbitts,
	III's message of "12 Dec 2007 00\:07\:03 -0600")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 11 Dec 2007 22:48:36 -0800
Message-ID: <87zlwgflx7.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Jason L Tibbitts III <tibbs@math.uh.edu> writes:

> What I need to do is move both my primary and secondary KDCs to
> different machines.  Not necessarily both at the same time, mind you,
> but everything does need to move eventually.  I'm pretty sure I can
> move the secondary without totally hosing everything but I'm not at
> all sure how to move the primary.  Does anyone have any handy pointers
> to documentation on doing this, or any tips?

It's basically like moving a secondary.  Set up a new KDC on the new
system, set up kpropd, and then when you're ready to do the move, turn off
kadmind on the master, dump a new database with kdb5_util, and push it to
the new master with kprop.  Then do whatever DNS changes you need to do
and start the KDC and kadmind on the new master.  Then set up your
periodic kprop job on the new master to push to the slaves (and make sure
that you update the kpropd.acl where needed).

That's all there is to it.  It's really surprisingly easy.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
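
Added example, not part of the original message: the cut-over order described above as POSIX shell functions, plus a check that a receiving KDC's kpropd.acl lists the host principal of the KDC pushing to it. Host names, realm, dump path and the kadmind stop command are placeholders (assumptions); with DRY_RUN=1 each command is printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the original message. Host names, realm, paths and
# the kadmind stop command are placeholders (assumptions) for your site.
NEW_MASTER="${NEW_MASTER:-kdc-new.example.com}"
REALM="${REALM:-EXAMPLE.COM}"
DUMP="${DUMP:-/var/tmp/kdc-move.dump}"
KADMIND_STOP="${KADMIND_STOP:-systemctl stop kadmin}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print each command, 0 = execute it

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Run on a receiving KDC: succeeds only if its kpropd.acl lists the host
# principal of the KDC that will push to it. Returns 2 if the file is unreadable.
acl_allows() {   # usage: acl_allows ACL_FILE PUSHER_FQDN
    [ -r "$1" ] || return 2
    awk -v p="host/$2@$REALM" '$1 == p { ok = 1 } END { exit !ok }' "$1"
}

# Run on the old master at cut-over time, in the order the message gives.
# The body is a subshell so the umask change does not leak to the caller.
cutover_from_old_master() (
    umask 077                    # the dump contains every principal's keys
    run $KADMIND_STOP            # freeze changes before the final dump
    run kdb5_util dump "$DUMP"
    run kprop -f "$DUMP" "$NEW_MASTER"
)

# Run on the new master afterwards, and from its periodic kprop job.
push_to_slaves() (               # usage: push_to_slaves SLAVE_FQDN...
    umask 077
    run kdb5_util dump "$DUMP"
    for slave in "$@"; do
        run kprop -f "$DUMP" "$slave"
    done
)
```

Before the cut-over, acl_allows on the new master should succeed for the old master's name; after it, the same check on each slave should succeed for the new master's name.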
