[28895] in Kerberos
Re: Moving kerberos infrastructure
daemon@ATHENA.MIT.EDU (John Washington)
Wed Dec 12 08:44:04 2007
Date: Wed, 12 Dec 2007 07:43:07 -0600
From: John Washington <jawashin@uiuc.edu>
To: kerberos@mit.edu
Message-ID: <20071212134307.GB15139@localhost>
In-Reply-To: <87zlwgflx7.fsf@windlord.stanford.edu>

Also remember to manually push the ovsec dump across to the new master
and pull it in (this cannot be done via kprop IIRC).

Another useful way to think of this is to add the new master as a slave
of your current master, and set up propagation from that to the new
slave. Then all you will need to do is repoint your DNS entries and
bring up kadmin on the new master.

* Russ Allbery <rra@stanford.edu> [2007-12-12 00:57]:
> Jason L Tibbitts III <tibbs@math.uh.edu> writes:
>
> > What I need to do is move both my primary and secondary KDCs to
> > different machines. Not necessarily both at the same time, mind you,
> > but everything does need to move eventually. I'm pretty sure I can
> > move the secondary without totally hosing everything but I'm not at
> > all sure how to move the primary. Does anyone have any handy pointers
> > to documentation on doing this, or any tips?
>
> It's basically like moving a secondary. Set up a new KDC on the new
> system, set up kpropd, and then when you're ready to do the move, turn off
> kadmind on the master, dump a new database with kdb5_util, and push it to
> the new master with kprop. Then do whatever DNS changes you need to do
> and start the KDC and kadmind on the new master. Then set up your
> periodic kprop job on the new master to push to the slaves (and make sure
> that you update the kpropd.acl where needed).
>
> That's all there is to it. It's really surprisingly easy.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
John Washington Security Officer,
University of Illinois Urbana-Champaign
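
The kpropd.acl update mentioned in the quoted reply decides which hosts may push a database to a KDC, so it is worth checking on every slave before and after the cutover. The following is an added example, not code from either poster or from the Kerberos distribution; it assumes kprop authenticates as `host/<fqdn>@REALM`, and the host names, realm and sample ACL are constructed placeholders.

```python
# Added example: audit one slave's kpropd.acl around a master KDC move.
# Assumption: kprop authenticates as host/<fqdn>@REALM (lower-case fqdn).

def host_principal(fqdn, realm):
    """Build the host principal expected for a KDC's fully qualified name."""
    return "host/%s@%s" % (fqdn.lower(), realm)

def parse_acl(text):
    """kpropd.acl holds one principal name per line; skip blank lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def audit_kpropd_acl(text, realm, old_master, new_master, cutover_done):
    """Return a list of (severity, message) findings for this ACL."""
    entries = parse_acl(text)
    old_p = host_principal(old_master, realm)
    new_p = host_principal(new_master, realm)
    findings = []
    if new_p not in entries:
        findings.append(("ERROR", new_p + " missing: pushes from the "
                         "new master will be refused"))
    if not cutover_done and old_p not in entries:
        findings.append(("ERROR", old_p + " missing: propagation "
                         "breaks before the cutover"))
    if cutover_done and old_p in entries:
        findings.append(("WARN", old_p + " still listed: the retired "
                         "master is still allowed to push a database"))
    for entry in entries:
        # Anything that is not a host principal in this realm needs review.
        if not (entry.startswith("host/") and entry.endswith("@" + realm)):
            findings.append(("WARN", repr(entry) + " is not a host "
                             "principal in " + realm + ": review it"))
    return findings

# Constructed sample ACL from a slave that has not been updated yet.
SAMPLE_ACL = """\
host/kdc-old.example.com@EXAMPLE.COM

kadmin/admin@EXAMPLE.COM
"""

if __name__ == "__main__":
    for done in (False, True):
        print("cutover_done =", done)
        for severity, message in audit_kpropd_acl(
                SAMPLE_ACL, "EXAMPLE.COM", "kdc-old.example.com",
                "kdc-new.example.com", cutover_done=done):
            print("  %-5s %s" % (severity, message))
```

Run it against each slave's ACL with `cutover_done=False` while both masters must be able to propagate, and again with `cutover_done=True` once the old master is retired.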