Fundraising/techops/procedures/services-kerberos new replica setup
Services: Kerberos New KDC Replica Setup
Here are the steps to add a new Kerberos host into the replication chain. In the examples below the new replica is frauth1002; substitute the real hostname.
First, create a host principal for the new Kerberos replica host with a random key:
- On Origin:
bash# kadmin.local
kadmin.local: addprinc -randkey host/frauth1002.frack.eqiad.wmnet@WMF-FUNDRAISING
The next step is to extract this key into the keytab file.
The keytab file holds the long-term keys of one or more principals, so that a host or service can authenticate to the KDC without a password. Anyone who can read it can impersonate those principals, so it must stay root-owned and mode 0600. Keys are written to the keytab with the ktadd sub command, which writes to /etc/krb5.keytab by default. Note that ktadd randomizes the principal's key each time it is run, so running it again later invalidates any keytab copied previously:
- On Origin:
kadmin.local: ktadd host/frauth1002.frack.eqiad.wmnet@WMF-FUNDRAISING
kadmin.local: exit
Next we need to copy the keytab to the new host that is being set up. Start the listener on the replica first, then send from the origin. The tar -p flag preserves the file's ownership and mode. Compare the two sha256sum outputs: they must match. nc provides neither encryption nor authentication, and the checksum only catches a truncated or corrupted transfer, so only do this over the internal network.
- On Replica:
cd /etc/
nc -l -p 88 | tar xvBpf -
sha256sum krb5.keytab
- On Origin:
cd /etc/
sha256sum krb5.keytab
tar cvBpf - krb5.keytab | nc -q 100 frauth1002 88
Then we can run the krb5_propagate script to do a regular propagation of the principal database to the replicas.
- On Origin:
/usr/local/bin/krb5_propagate
Not done yet. For the service to start on the replica, there are a few more files that need to be copied across, using the same listen-then-send pattern and checksum comparison as for the keytab.
The stash file. This holds the KDC master key that encrypts the principal database, so it needs the same protection as the keytab (root-owned, mode 0600):
- On Replica:
cd /etc/krb5kdc/
nc -l -p 88 | tar xvBpf -
sha256sum /etc/krb5kdc/stash
- On Origin:
cd /etc/krb5kdc/
sha256sum /etc/krb5kdc/stash
tar cvBpf - stash | nc -q 100 frauth1002 88
The principal file (the KDC database):
- On Replica:
cd /var/lib/krb5kdc/
nc -l -p 88 | tar xvBpf -
sha256sum /var/lib/krb5kdc/principal
- On Origin:
cd /var/lib/krb5kdc/
sha256sum /var/lib/krb5kdc/principal
tar cvBpf - principal | nc -q 100 frauth1002 88
You should now be able to start the KDC on the replica and confirm that it can open the copied database by listing the principals:
- On Replica:
sudo systemctl restart krb5-kdc.service
kadmin.local
kadmin.local: list_principals
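The three copy steps above are the same "tar | nc" recipe repeated by hand, with the checksums left for the operator to compare by eye. The script below is an added example (not part of the original page or of the fundraising tooling) that wraps that recipe in shell functions which verify the digest automatically. The function names, the copy_local helper (which pipes the tar stream locally instead of over nc so the packing and verification can be exercised offline) and the constructed sample file are all assumptions of this example; the nc and tar flags are the ones the page uses.

```shell
#!/bin/sh
# Added example: wrap the page's "tar | nc" copy step with sha256 verification.
# Function names, copy_local and the sample data are assumptions of this example.
set -eu

# Files that must be identical on origin and replica before krb5-kdc starts
# (paths taken from the procedure above). One per line for POSIX sh.
REPLICA_FILES='/etc/krb5.keytab
/etc/krb5kdc/stash
/var/lib/krb5kdc/principal'

# digest_of FILE -> prints only the sha256 hex digest of FILE
digest_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# pack FILE -> tar stream of FILE, relative to its directory, on stdout.
# Mirrors "cd DIR && tar cvBpf - NAME" (-p keeps owner/mode; -B only
# matters when the stream is read from a socket, so it is left to the nc side).
pack() {
  _dir=$(dirname "$1"); _base=$(basename "$1")
  tar -c -p -f - -C "$_dir" "$_base"
}

# unpack DIR <stream -> extract the stream into DIR, preserving permissions
unpack() {
  tar -x -p -f - -C "$1"
}

# send_to_replica FILE HOST PORT : origin side of the page's recipe.
# Prints the digest first so the operator can compare it on the replica.
send_to_replica() {
  digest_of "$1"
  pack "$1" | nc -q 100 "$2" "$3"
}

# receive_from_origin DIR PORT : replica side; run this BEFORE send_to_replica.
receive_from_origin() {
  nc -l -p "$2" | tar -x -p -B -f - -C "$1"
}

# verify_copy EXPECTED_DIGEST FILE -> 0 if FILE hashes to EXPECTED_DIGEST, 1 otherwise
verify_copy() {
  _got=$(digest_of "$2")
  if [ "$_got" != "$1" ]; then
    echo "checksum mismatch for $2: expected $1 got $_got" >&2
    return 1
  fi
  return 0
}

# copy_local SRC DSTDIR : same tar stream as the network path, piped locally,
# then verified against the source digest. Used to test the recipe offline.
copy_local() {
  _expected=$(digest_of "$1")
  pack "$1" | unpack "$2"
  verify_copy "$_expected" "$2/$(basename "$1")"
}

# Offline demonstration with a constructed (fake) keytab.
demo() {
  _tmp=$(mktemp -d)
  mkdir -p "$_tmp/src" "$_tmp/dst"
  printf 'constructed keytab bytes, not a real keytab\n' > "$_tmp/src/krb5.keytab"
  chmod 600 "$_tmp/src/krb5.keytab"
  copy_local "$_tmp/src/krb5.keytab" "$_tmp/dst" && echo "copy verified: $_tmp/dst/krb5.keytab"
  rm -rf "$_tmp"
}
```

On the real hosts the replica operator runs receive_from_origin /etc 88 first, the origin operator then runs send_to_replica /etc/krb5.keytab frauth1002 88 and reads out the digest it prints, and the replica operator finishes with verify_copy DIGEST /etc/krb5.keytab; the same three calls are repeated for each path in REPLICA_FILES. The digest check detects a truncated or corrupted transfer only; it does not make the cleartext nc transport any safer.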