
Propagating the Kerberos Server
Configuring Multirealm Enterprises
Chapter 9, page 274
Database Propagation for Multirealm Databases
If you plan to support more than one realm in a single principal database
on a primary security server and to propagate only selected realms to
certain secondary security servers, you must perform additional steps
when you configure propagation.
HP assumes that you are familiar with the propagation setup procedure
as specified in “Propagation Hierarchy” on page 243.
You can follow the standard propagation configuration if you have
configured a multirealm environment that has only one realm for every
primary security server. In other words, if you have multiple primary
security servers or if you want to propagate all realms from the primary
security server to each secondary security server, complete the following
steps:
Step 1. Edit the Kerberos configuration file, krb.conf, on the primary security
server to contain one entry for each secondary security server that
supports a given realm. If a secondary security server supports more
than one realm, you must add multiple entries to the file for that server,
one for each supported realm. Ensure that you also add one primary
security server entry for each realm that the primary security server
supports. After you add all the entries, save and close the file.
Step 2. Run the mkpropcf utility to create an initial version of the kpropd.ini
file or registry key.
Step 3. You must edit the file/registry key to contain the correct information
for your propagation design. For instance, if you want to propagate only
certain realms to a selected secondary security server, you must edit the
entry/key for the parent of that server to indicate only the required
realms. For more information on indicating only select realms to
propagate, type man 4 kpropd.ini at the HP-UX prompt.
Step 4. After configuring the kpropd.ini file of the primary security server,
follow the propagation configuration steps.
On each Kerberos security server, you need to extract only the host/key
for the default realm of the primary security server, and not for each
realm supported by the secondary security server. Even if the secondary
security server does not support the default realm of the primary
security server, you must still create a host/principal for the
secondary security server and extract the key to the key table file of the
secondary security server.
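
The Step 1 rule (one krb.conf entry per realm for each secondary security server, plus one primary entry per realm) can be checked mechanically before running mkpropcf. The following is an added example, not HP code or part of the original manual. It assumes a krb.conf layout the page does not show: a line with a single field names the default realm, and every other line begins with a realm name followed by a host name, with any further fields ignored. The host names, realm names and function names are constructed for illustration.

```python
# Added example: lint krb.conf against a multirealm propagation plan.
# Assumed layout (not shown on the page): a line with one field names the
# default realm; every other line starts with "REALM hostname".

def parse_krb_conf(text):
    """Return (default_realm, set of (realm, host) entries)."""
    default_realm, entries = None, set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 1:
            default_realm = default_realm or fields[0]
        else:
            entries.add((fields[0], fields[1].lower()))
    return default_realm, entries


def missing_entries(conf_text, primary, primary_realms, secondaries):
    """List entries that Step 1 requires but krb.conf lacks.

    secondaries maps each secondary server's host name to the realms it supports.
    """
    _, entries = parse_krb_conf(conf_text)
    problems = []
    for realm in primary_realms:
        if (realm, primary.lower()) not in entries:
            problems.append(f"{realm}: no primary entry for {primary}")
    for host in sorted(secondaries):
        for realm in secondaries[host]:
            if realm not in primary_realms:
                problems.append(f"{realm}: {host} lists a realm the primary does not support")
            elif (realm, host.lower()) not in entries:
                problems.append(f"{realm}: no entry for secondary {host}")
    return problems


# Constructed sample: kdc2 supports two realms but has only one entry.
SAMPLE_KRB_CONF = """\
CORP.EXAMPLE
CORP.EXAMPLE kdc1.example.com
LAB.EXAMPLE  kdc1.example.com
CORP.EXAMPLE kdc2.example.com
CORP.EXAMPLE kdc3.example.com
"""
SAMPLE_PLAN = {"kdc2.example.com": ["CORP.EXAMPLE", "LAB.EXAMPLE"],
               "kdc3.example.com": ["CORP.EXAMPLE"]}

if __name__ == "__main__":
    for problem in missing_entries(SAMPLE_KRB_CONF, "kdc1.example.com",
                                   ["CORP.EXAMPLE", "LAB.EXAMPLE"], SAMPLE_PLAN):
        print(problem)
```

An empty result means every realm in the plan has its primary entry and every secondary has one entry per supported realm; it says nothing about the kpropd.ini contents edited in Step 3.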