The Daily Insight

Is it possible to install Kerberos on a KDC?

Written by Charlotte Adams

If your KDC is also a file server, FTP server, web server, or even just a client machine, anyone who gains root access through a security hole in one of those services could potentially gain access to the Kerberos database, which is why the KDC host should not carry other roles. Install Kerberos either from the OS-provided packages or from source (see Building within a single tree).
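A check for the co-hosting risk described above, as an added example that is not part of the original article: it reads `ss -H -tlnp` output and reports every TCP listener that is not a Kerberos daemon. The allow-list (`krb5kdc`, `kadmind`, `kpropd`, plus `sshd` for administration) and the sample output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: flag TCP listeners on a KDC host that are not Kerberos services.
# ALLOWED is an assumption of this example: MIT krb5 daemons plus sshd for admin access.
ALLOWED="krb5kdc kadmind kpropd sshd"

# Reads `ss -H -tlnp` output on stdin; prints "process port" per unexpected listener.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # local addr:port -> port
            proc = "unknown"                      # process column is absent without root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (!(proc in ok)) print proc, port
        }' | sort -u
}

# Constructed sample of `ss -H -tlnp` output from a KDC that also serves HTTP and FTP.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 5    0.0.0.0:88   0.0.0.0:* users:(("krb5kdc",pid=812,fd=9))
LISTEN 0 5    0.0.0.0:749  0.0.0.0:* users:(("kadmind",pid=820,fd=8))
LISTEN 0 128  0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=701,fd=3))
LISTEN 0 511  0.0.0.0:80   0.0.0.0:* users:(("nginx",pid=955,fd=6),("nginx",pid=954,fd=6))
LISTEN 0 32   *:21         *:*       users:(("vsftpd",pid=990,fd=3))
EOF
}

# Audit the sample; on a real KDC run: ss -H -tlnp | unexpected_listeners
sample_ss_output | unexpected_listeners
```

An empty result means only the allow-listed daemons are listening on TCP; a listener whose owner cannot be read (run without root) is reported as `unknown` rather than silently passed.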

Do you need to install all KDCs in MIT?

MIT recommends that you install all of your KDCs to be able to function as either the primary or one of the replicas. This will enable you to easily switch your primary KDC with one of the replicas if necessary (see Switching primary and replica KDCs).

Why do you need a host key for a KDC?

Each KDC needs a host key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump file from the master KDC to the secondary KDC servers. On the master KDC, connect to the administrative interface and create the host principal for each KDC's host service.

Can a replica KDC be used as a primary KDC?

All database changes (such as password changes) are made on the primary KDC. Replica KDCs provide Kerberos ticket-granting services, but not database administration, when the primary KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the primary or one of the replicas.
