HP (Hewlett-Packard) E0905 Server User Manual


 
Propagating the Kerberos Server
Monitoring Propagation
incremental database propagation. To ensure accurate results, dump
the databases simultaneously when administrative activity is at a
minimum. Under these conditions, consider a discrepancy of more
than five principal entries to be significant.

Authentication test to the primary security server succeeds, but fails on the secondary security server

The last step to confirm the out-of-sync problem is to force
authentication tests to go to the primary security server. You only
need to do this on one or two machines. Ensure that the test
principal is not locked and that you know its password. Edit the
krb.conf file and comment out the secondary security server entries by
placing a hash symbol (#) in the first column of each secondary
security server entry.

The following krb.conf file has the secondary security server
entries commented out:

    #FINANCE.BAMBI.COM fnc01.bambi.com
    #IT.BAMBI.COM it02.bambi.com
    NETWORK.BAMBI.COM netwrk05.bambi.com admin server

Authenticate from the machine that has the edited configuration
file. If authentication succeeds every time, you have your final
clue that the out-of-sync condition exists.

The kdb_dump Utility

To view details of any discrepancy between a primary and a secondary
principal database and to look for out-of-sync conditions, export each
database to a text file and compare the text files. To dump a
database, stop the daemons or services and then run the kdb_dump
utility. You must stop the daemons before using kdb_dump.

To identify the differences between the primary and secondary security
server databases, complete the following steps:

Step 1. On a secondary security server, stop the daemons and execute the
following command at the HP-UX prompt:

    # /opt/krb5/admin/kdb_dump -f /tmp/secondary.db

Step 2. From the primary security server, stop the daemons and execute the
following command at the HP-UX prompt:

    # /opt/krb5/admin/kdb_dump -f /tmp/primary.db
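
The comparison these dumps are taken for, as an added example that is not part of the HP manual: a POSIX shell script that lists principals missing from, extra on, or differing on the secondary, and applies the five-entry threshold stated earlier. The one-record-per-line layout, the FIELD and THRESHOLD variables, the function names and the sample records are assumptions; check the layout against real kdb_dump output before relying on it.

```shell
#!/bin/sh
# Compare two kdb_dump text exports (primary vs. secondary) by principal.
# ASSUMPTION: one principal record per line, with the principal name in
# whitespace-delimited field $FIELD; verify against your actual dump files.
FIELD=${FIELD:-1}
THRESHOLD=${THRESHOLD:-5}   # manual: more than five entries is significant

# compare_dumps PRIMARY SECONDARY: one "KIND principal" line per discrepancy
compare_dumps() {
    awk -v f="$FIELD" '
        NF < f { next }                              # skip blank or short lines
        FILENAME == ARGV[1] { pri[$f] = $0; next }   # index the primary records
        {
            sec[$f] = 1
            if (!($f in pri))       print "ONLY_SECONDARY", $f
            else if (pri[$f] != $0) print "DIFFERS", $f
        }
        END { for (p in pri) if (!(p in sec)) print "ONLY_PRIMARY", p }
    ' "$1" "$2" | sort
}

# discrepancy_count PRIMARY SECONDARY: number of discrepant principals
discrepancy_count() {
    compare_dumps "$1" "$2" | wc -l | tr -d ' '
}

# is_out_of_sync PRIMARY SECONDARY: exit status 0 if count exceeds THRESHOLD
is_out_of_sync() {
    [ "$(discrepancy_count "$1" "$2")" -gt "$THRESHOLD" ]
}

# demo: runs the comparison on constructed records (not real kdb_dump output)
demo() {
    d="${TMPDIR:-/tmp}/kdbcmp.$$"
    mkdir -m 700 "$d" || return 1
    printf '%s\n' 'alice@NETWORK.BAMBI.COM kvno=2' 'bob@NETWORK.BAMBI.COM kvno=4' \
        'carol@NETWORK.BAMBI.COM kvno=1' > "$d/primary.db"
    printf '%s\n' 'alice@NETWORK.BAMBI.COM kvno=2' 'bob@NETWORK.BAMBI.COM kvno=3' \
        > "$d/secondary.db"
    compare_dumps "$d/primary.db" "$d/secondary.db"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then
    compare_dumps "$1" "$2"
    if is_out_of_sync "$1" "$2"; then echo "out of sync: more than $THRESHOLD entries differ"; fi
else
    demo
fi
```

The dump files hold the contents of the principal database, so restrict them to root and remove them once the comparison is done.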