Next: , Previous: Testing clients and servers, Up: Setting up a realm

4.9 Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm

It is desirable to have at least one backup (slave) server in case the master server fails. It is possible to have any number of such slave servers but more than three usually doesn't buy much more redundancy.

All Kerberos servers for a realm must have the same database so that they present the same service to the users. The hprop program, running on the master, will propagate the database to the slaves, running hpropd processes.

Every slave needs a database directory, the master key (if it was used for the database) and a keytab with the principal `hprop/hostname'. Add the principal with the ktutil command and start hpropd, as follows:

     slave# ktutil get -p foo/admin hprop/`hostname`
     slave# mkdir /var/heimdal
     slave# hpropd

The master will use the principal `kadmin/hprop' to authenticate to the slaves. This principal should be added when running kadmin -l init but if you do not have it in your database for whatever reason, please add it with kadmin -l add.

Then run hprop on the master:

     master# hprop slave

This was just an hands-on example to make sure that everything was working properly. Doing it manually is of course the wrong way, and to automate this you will want to start hpropd from inetd on the slave(s) and regularly run hprop on the master to regularly propagate the database. Starting the propagation once an hour from cron is probably a good idea.