Hi everyone. I'm currently struggling to make krb5kdc start without a stash file - and with no prompt.

As I understood it [1], the stash file stores the encrypted master key. This file is used to automate the start-up of the KDC by decrypting the local (as in on-disk) krb database. However, the definition is not really that [2] - the stash is used to authenticate the KDC to itself.

However, I'm currently using the LDAP backend and I have no local (on-disk) database on my master. I'm not using (and don't plan to use) Kerberos' built-in replication - I'm relying on LDAP replicas to provide data to the slave KDCs, thus taking advantage of LDAP's built-in replication.

That said, what is the role of the stash file in this scenario? To decrypt the krbPrincipalKey LDAP attribute? If so, all KDCs, regardless of whether they are slaves or not, must have the same stash file - and then comes the question: what is the best practice when spawning new KDCs for retrieving the one shared stash? I think I may have the answer already - use a wallet file object, for example - but any ideas or experience in this area would help.

Thanks in advance.

[1] https://books.google.com/books?id=dGMd-uay-lkC&printsec=frontcover&redir_esc=y#v=onepage&q&f=false - page 57
[2] http://web.mit.edu/Kerberos/krb5-1.13/doc/basic/stash_file_def.html

--
Dio
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
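The "no prompt" part of the question above can be handled by creating the stash on each new KDC non-interactively, using kdb5_util's global -P option to supply the master password instead of typing it. The script below is an added example, not code from the post or from MIT krb5's own tooling; it assumes a hypothetical secret-store client (wallet, vault agent, or similar) has already placed the master password in the environment variable KRB5_MASTER_PASSWORD, and that the realm and KDC directory are passed as parameters. It also checks that the resulting stash file is mode 0600, since the stash is the master key and anyone who can read it can decrypt every krbPrincipalKey that master key protects.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap the master-key stash
# on a freshly provisioned KDC without an interactive prompt, then verify the
# stash file's permissions.
#
# Hypothetical assumptions: the master password has been exported as
# KRB5_MASTER_PASSWORD by the site's secret-store client before this script
# runs; realm and KDC directory are positional parameters.
set -eu

# Path MIT krb5 uses for the default stash file: <kdcdir>/.k5.<REALM>
stash_path() {
  realm=$1
  kdcdir=$2
  printf '%s/.k5.%s\n' "$kdcdir" "$realm"
}

# Return 0 if the stash exists, is a regular file and is exactly mode 0600,
# non-zero otherwise. find -perm with an explicit mode matches only an
# exact permission set, which is what we want here.
check_stash_perms() {
  f=$1
  [ -f "$f" ] || return 1
  [ -n "$(find "$f" -maxdepth 0 -perm 0600 2>/dev/null)" ] || return 1
  return 0
}

# Create the stash without a prompt. With the LDAP backend, kdb5_util reads
# the encrypted master key from the realm container in LDAP, decrypts it with
# the password given via -P, and writes the stash file named by -f.
# Caveat: -P exposes the password on the command line to other local users
# via the process list, so only use it on a KDC host with no untrusted logins.
create_stash() {
  realm=$1
  kdcdir=$2
  : "${KRB5_MASTER_PASSWORD:?master password not supplied by secret store}"
  stash=$(stash_path "$realm" "$kdcdir")
  umask 077
  kdb5_util -r "$realm" -P "$KRB5_MASTER_PASSWORD" stash -f "$stash"
  # Belt and braces: umask should already have produced 0600, but enforce it.
  check_stash_perms "$stash" || chmod 0600 "$stash"
  check_stash_perms "$stash"
}

# Usage: ./bootstrap-stash.sh EXAMPLE.COM [/var/kerberos/krb5kdc]
# Runs only when a realm is given, so the functions can also be sourced.
if [ -n "${1-}" ]; then
  create_stash "$1" "${2:-/var/kerberos/krb5kdc}"
fi
```

Note that this only covers the master-key stash. The password the KDC uses to bind to LDAP is a separate secret, stored with `kdb5_ldap_util stashsrvpw`, which prompts for it; that file needs the same 0600 treatment and the same distribution mechanism as the master-key stash.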