Kerberos is used by the Club to authenticate users across various club machines.
KDCs
In order to provide maximum availability, the Club operates several redundant Key Distribution Centers:
Generally, when performing maintenance on the Kerberos infrastructure, you should update each of these machines in series. This way, if something goes wrong, the other machines can continue to service our users.
Account Management Tasks
There are several tasks which are commonly performed to manage Club accounts:
Binary Log Explosion
Sometimes the KDCs will suddenly fill up all of their disk with /var/lib/heimdal-kdc/log. Predictably, this causes Kerberos to go haywire. This is how to fix it:
- On slave KDCs: stop the KDC and kill ipropd-slave.
- On the master KDC: kill ipropd-master.
- Remove the logs and rename the old databases on the slave KDCs:
    rm /var/heimdal/log
    mv /var/heimdal/heimdal.db /tmp
- Restart ipropd-master on the master KDC.
- Restart ipropd-slave on the slave KDCs.
- Wait for ipropd to synchronize. On the master KDC, the file /var/heimdal/slave-stats will show when the slaves have synced.
- Restart the slave KDCs.
Notice that it is not necessary to stop or restart the master KDC. This should permit other users to log in to club services normally while you are fixing the problem.
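To catch the log growth before the disk fills, a small check can be run periodically on each KDC. This is an added example, not part of the Club's own tooling: the function names, exit codes and thresholds are assumptions, and the log path is passed as an argument so you can give it the path your KDC actually uses.

```shell
#!/bin/sh
# Added example: early warning for KDC log growth (not the Club's own script).
# Function names, thresholds and exit codes below are assumptions.

# log_size_bytes FILE: print the size of FILE in bytes, 0 if it is missing.
log_size_bytes() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# fs_used_percent PATH: print the used percentage of PATH's filesystem.
fs_used_percent() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# check_kdc_log FILE MAX_BYTES MAX_FS_PERCENT
# Returns 0 ok, 1 log over MAX_BYTES, 2 filesystem at or over
# MAX_FS_PERCENT, 3 log directory missing.
check_kdc_log() {
    file=$1; max_bytes=$2; max_pct=$3
    dir=$(dirname "$file")
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir does not exist"
        return 3
    fi
    size=$(log_size_bytes "$file")
    pct=$(fs_used_percent "$dir")
    # Treat an unparsable df value (e.g. "-") as 0 rather than failing.
    case "$pct" in ''|*[!0-9]*) pct=0 ;; esac
    if [ "$pct" -ge "$max_pct" ]; then
        echo "CRITICAL: filesystem for $file is ${pct}% full (log: $size bytes)"
        return 2
    fi
    if [ "$size" -gt "$max_bytes" ]; then
        echo "WARNING: $file is $size bytes, limit $max_bytes"
        return 1
    fi
    echo "OK: $file is $size bytes, filesystem ${pct}% full"
    return 0
}
```

Call it from cron or a monitoring agent, for example with a 512 MiB size limit and a 90 percent filesystem limit, and alert on any non-zero exit status.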