moving kerberos master to new server

Hello,
Currently using Kerberos 5.
Soon I plan to migrate this server onto other hardware that will
have a new hostname and IP, but the same O/S level (AIX).

My first thoughts on doing this were to:
Stop the master server; all clients will then go to the slave for
authentication.
Install the krb5 binaries, without configuring the new master.
Tar up the /var/krb5 and /etc/krb5 directories, then untar them onto the
new host.
Change the kdc and krb5 conf files with the new hostname. Start the
new master up.

Would that work, or is there another sequence I should follow?

Thanks
Pete.
10/23/2009 12:03:48 PM
comp.protocols.kerberos

Pete,

Ideally it should work. But I would suggest you take a dump of the KDC database
and then move on to the new hardware.

- Sachin.

On Fri, Oct 23, 2009 at 5:33 PM, peter sands <peter_sands@techemail.com>wrote:

> [...]
10/23/2009 2:10:17 PM
Quoting "peter sands" <peter_sands@techemail.com>:

> [...]

I have done this three times and this is how I do it.
Build the new server and Kerberos software. Harden it.
Grab a tar file of the principal db off of a slave server, get the
krb5.conf file and requisite keytabs, and put them in place.

Start it up - you should be able to kinit locally to it and do some
kadmin functions. This will not have any effect on your production
realm (as long as you are not propagating to slaves from it) - make
certain you are kinit'ing to the new machine by inspecting logs.

Once you are satisfied with the tests - schedule your downtime, bring
the main server down and move the princs over. Make sure your local
files (krb5.conf) are pointing to the right host and you should be ok.
I usually don't start kadmin right away so no one can reset their
passwords until I am sure that I am going to leave it up.
Actual downtime is usually 30 minutes or less.
/sd
Steve Devine
Email & Storage
Academic Technology Services
Michigan State University

313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Everything that can be counted does not necessarily count;
everything that counts cannot necessarily be counted.
Albert Einstein
10/23/2009 5:31:45 PM
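Steve's pre-cutover test (kinit against the new box, then confirm from the logs that it, not the production master, answered) can be scripted. The following is an added example, not code from the thread or from any Kerberos distribution; it assumes MIT-style krb5kdc.log lines (the sample is constructed; hostnames, realm, addresses and the test client set are placeholders) and also flags any request the new host answered for a client outside the test set, which would mean production clients are already finding it before cutover.

```python
"""Confirm from KDC logs that a test kinit was answered by the NEW KDC host
and that no production client reached that host before cutover.
Added example; assumes MIT-style krb5kdc.log lines. The sample below is
constructed: hostnames, realm, IPs and the test client set are placeholders."""
import re
from collections import defaultdict

# Constructed sample log: kdc-old is the production master, kdc-new the
# freshly built host under test; 10.0.0.50 is the only sanctioned test client.
SAMPLE_LOG = """\
Oct 23 12:03:48 kdc-old krb5kdc[2211](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1256313828, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct 23 12:04:10 kdc-new krb5kdc[1042](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: NEEDED_PREAUTH: pete@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Oct 23 12:04:11 kdc-new krb5kdc[1042](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: ISSUE: authtime 1256313851, etypes {rep=18 tkt=18 ses=18}, pete@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Oct 23 12:05:02 kdc-new krb5kdc[1042](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: ISSUE: authtime 1256313700, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/fs1.example.com@EXAMPLE.COM
Oct 23 12:05:30 kdc-new krb5kdc[1042](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: PREAUTH_FAILED: pete@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Oct 23 12:06:00 kdc-new krb5kdc[1042](info): closing down fd 8
"""

# One request line: timestamp, logging host, request type, client address,
# status code, optional ticket details, client principal, server principal.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.a-fA-F:]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+)(?:, (?P<msg>.*))?$"
)

def parse_kdc_log(text):
    """Yield one dict per request line; lines that are not requests are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def requests_by_kdc(text):
    """Map logging KDC host -> [(client ip, client principal, status)], so you
    can see at a glance which host answered whom."""
    out = defaultdict(list)
    for r in parse_kdc_log(text):
        out[r["kdc"]].append((r["ip"], r["client"], r["status"]))
    return dict(out)

def check_test_kdc(text, new_kdc, test_principal, test_ips):
    """Return (test_issued, stray).
    test_issued: the test principal obtained a ticket (ISSUE) from new_kdc.
    stray: requests new_kdc answered for addresses outside test_ips, i.e.
    production clients already locating the new host before cutover."""
    test_issued = False
    stray = []
    for r in parse_kdc_log(text):
        if r["kdc"] != new_kdc:
            continue
        if r["client"] == test_principal and r["status"] == "ISSUE":
            test_issued = True
        if r["ip"] not in test_ips:
            stray.append((r["ip"], r["client"], r["req"], r["server"]))
    return test_issued, stray

if __name__ == "__main__":
    for host, reqs in requests_by_kdc(SAMPLE_LOG).items():
        print(f"{host}: {len(reqs)} request(s)")
    ok, stray = check_test_kdc(SAMPLE_LOG, "kdc-new", "pete@EXAMPLE.COM", {"10.0.0.50"})
    print("test kinit answered by kdc-new:", ok)
    for ip, client, req, server in stray:
        print(f"STRAY {req} from {ip}: {client} for {server}")
```

Feed it the real krb5kdc.log from the new host (and the old master's, for comparison) in place of the constructed sample; a non-empty stray list before cutover means clients are already resolving the new host and the test is not isolated.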
