Propagating the Kerberos Server
Configuring Multirealm Enterprises
Database Propagation for Multirealm Databases
If you plan to support more than one realm in a single principal database on a primary security server and to propagate only selected realms to certain secondary security servers, you must perform additional steps when you configure propagation.

HP assumes that you are familiar with the propagation setup procedure as specified in “Propagation Hierarchy” on page 243.

You can follow the standard propagation configuration if you have configured a multirealm environment that has only one realm for every primary security server. In other words, if you have multiple primary security servers or if you want to propagate all realms from the primary security server to each secondary security server, complete the following steps:
Step 1. Edit the Kerberos configuration file, krb.conf, on the primary security server to contain one entry for each secondary security server that supports a given realm. If a secondary security server supports more than one realm, you must add multiple entries to the file for that server, one for each supported realm. Ensure that you also add one primary security server entry for each realm that the primary security server supports. After you add all the entries, save and close the file.

Step 2. Run the mkpropcf utility to create an initial version of the kpropd.ini file or registry key.

Step 3. You must edit the file/registry key to contain the correct information for your propagation design. For instance, if you want to propagate only certain realms to a selected secondary security server, you must edit the entry/key for the parent of that server to indicate only the required realms. For more information on indicating only select realms to propagate, type man 4 kpropd.ini at the

Step 4. After configuring the kpropd.ini file of the primary security server, follow the propagation configuration steps.
On each Kerberos security server, you need to extract only the host/key for the default realm of the primary security server, and not for each realm supported by the secondary security server. Even if the secondary security server does not support the default realm of the primary security server, you must still create a host/principal for the secondary security server and extract the key to the key table file of the secondary security server.
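
Step 1 requires one krb.conf entry per realm for every server, which is easy to miss when a secondary supports several realms. The following is an added example, not HP's code, that compares a krb.conf against a propagation design. It assumes a krb.conf layout of a default-realm first line followed by `REALM host [admin server]` lines, and every realm and host name in it is constructed.

```python
# Added example (not HP's code): check a krb.conf against a propagation design.
# ASSUMPTION: line 1 is the default realm; each later line is
# "REALM host [admin server]", where "admin server" marks the primary.

# Constructed sample; every realm and host name here is hypothetical.
SAMPLE_KRB_CONF = """\
CORP.EXAMPLE
CORP.EXAMPLE kdc1.example.com admin server
CORP.EXAMPLE kdc2.example.com
LAB.EXAMPLE kdc1.example.com admin server
LAB.EXAMPLE kdc3.example.com
"""

# Constructed design: the realms each security server must support.
DESIGN = {
    "primary": ("kdc1.example.com", ["CORP.EXAMPLE", "LAB.EXAMPLE"]),
    "secondaries": {
        "kdc2.example.com": ["CORP.EXAMPLE", "LAB.EXAMPLE"],
        "kdc3.example.com": ["LAB.EXAMPLE"],
    },
}

def parse_krb_conf(text):
    """Return (default_realm, {(realm, host, is_primary), ...})."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    if not rows or len(rows[0]) != 1:
        raise ValueError("first line must contain only the default realm")
    entries = set()
    for fields in rows[1:]:
        if len(fields) < 2:
            raise ValueError("malformed entry: " + " ".join(fields))
        is_primary = [f.lower() for f in fields[2:4]] == ["admin", "server"]
        entries.add((fields[0], fields[1].lower(), is_primary))
    return rows[0][0], entries

def missing_entries(text, design):
    """List (realm, host, is_primary) entries Step 1 requires but krb.conf lacks."""
    _, entries = parse_krb_conf(text)
    host, realms = design["primary"]
    required = [(realm, host.lower(), True) for realm in realms]
    for sec_host, sec_realms in design["secondaries"].items():
        required += [(realm, sec_host.lower(), False) for realm in sec_realms]
    return [entry for entry in required if entry not in entries]

if __name__ == "__main__":
    for realm, host, is_primary in missing_entries(SAMPLE_KRB_CONF, DESIGN):
        print("missing:", realm, host, "admin server" if is_primary else "")
```

On the constructed sample it reports the missing LAB.EXAMPLE entry for kdc2.example.com, the case where a secondary supports more than one realm.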