Jump to content

Fundraising/techops/procedures/services-kerberos new replica setup

From Wikitech

Services: Kerberos New KDC Replica Setup

Here are the steps to add a new Kerberos host into the replication chain.

First, create a host key for new Kerberos replica host

  • On Origin:
    bash# kadmin.local
    kadmin.local: addprinc -randkey host/frauth1002.frack.eqiad.wmnet@WMF-FUNDRAISING

The next step is to extract these keys to the keytab file.

The keytab file is a keyring which contains the cryptographic keys needed to authenticate with the KDC. Extraction of keys to the keytab is done with the ktadd sub command:

  • On Origin:
    kadmin.local: ktadd host/frauth1002.frack.eqiad.wmnet@WMF-FUNDRAISING
    kadmin.local: exit

Next we need to copy the keytab to the new host that is being set up.

  • On Replica:
    cd /etc/
    nc -l -p 88 | tar xvBpf -
    sha256sum krb5.keytab
  • On Origin:
    cd /etc/
    sha256sum krb5.keytab
    tar cvBpf - krb5.keytab | nc -q 100 frauth1002 88

Then we can run the krb5_propagate script to do the regular propagation.

  • On Origin:
    /usr/local/bin/krb5_propagate

Not done yet. For the service to start on the replica, there are a few more files that need to be copied across.

The stash file:

  • On Replica:
    cd /etc/krb5kdc/
    nc -l -p 88 | tar xvBpf -
    sha256sum /etc/krb5kdc/stash
  • On Origin:
    cd /etc/krb5kdc/
    sha256sum /etc/krb5kdc/stash
    tar cvBpf - stash | nc -q 100 frauth1002 88

The principal file:

  • On Replica:
    cd /var/lib/krb5kdc/
    nc -l -p 88 | tar xvBpf -
    sha256sum /var/lib/krb5kdc/principal
  • On Origin:
    cd /var/lib/krb5kdc/
    sha256sum /var/lib/krb5kdc/principal
    tar cvBpf - principal | nc -q 100 frauth1002 88

You should now be able to start the kdc admin processes on the replica.

  • On Replica:
    sudo systemctl restart krb5-kdc.service
    kadmin.local
    kadmin.local: list_principals