
Since we've put in place a Master/Slave for our Kerberos, we've noticed that our fields don't get updated (information-wise):

Last password change: Fri Aug 02 10:18:08 GMT 2019
Last modified: Fri Aug 02 10:18:08 GMT 2019 (root/admin@EXAMPLE.COM)
Last successful authentication: Sat Aug 03 12:35:41 GMT 2019
Last failed authentication: Wed Jul 10 12:59:28 GMT 2019

This only happens when our clients are configured as follows:

[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
    dns_lookup_kdc = no
    dns_lookup_realm = no
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kerberos-slave.EXAMPLE.COM
        admin_server = kerberos.EXAMPLE.COM
        kpasswd_server = kerberos.EXAMPLE.COM
        master_kdc = kerberos.EXAMPLE.COM
        default_domain = EXAMPLE.COM
        default_lifetime = 7d
        ticket_lifetime = 7d
    }

[domain_realm]
    .EXAMPLE.COM = EXAMPLE.COM
     EXAMPLE.COM = EXAMPLE.COM

If our clients directly use the master kerberos, our fields do get updated nicely. Would there be a way to update the fields on the Master, while querying directly from the slave?

Directly using kdc = master kerberos does update the KDC DB fields.

[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    proxiable = true
    dns_lookup_kdc = no
    dns_lookup_realm = no
    allow_weak_crypto = true

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.EXAMPLE.COM
        admin_server = kerberos.EXAMPLE.COM
        kpasswd_server = kerberos.EXAMPLE.COM
        master_kdc = kerberos.EXAMPLE.COM
        default_domain = EXAMPLE.COM
        default_lifetime = 7d
        ticket_lifetime = 7d
    }

[domain_realm]
    .EXAMPLE.COM = EXAMPLE.COM
     EXAMPLE.COM = EXAMPLE.COM

Tolsadus

0 Answers