Kerberos database propagation

The Kerberos security server supports two types of security registries: SAF and NDBM. The SAF registry stores Kerberos information in the z/OS system security database and uses SAF services to interface with the external security manager. The external security manager is responsible for database propagation between systems in the same sysplex and between systems in different sysplexes. Kerberos database propagation is not used in this environment and does not need to be configured.

The NDBM registry uses the POSIX database support provided by Unix System Services. The database files are located in the /var/skrb/krb5kdc directory. Kerberos database propagation is used to synchronize these files between systems in the same sysplex and between systems in different sysplexes. The file system containing the /var/skrb/krb5kdc directory must be large enough to contain two copies of the registry database files plus a complete database dump file.

The Kerberos security server supports two database propagation protocols: full replacement and individual updates. The full replacement protocol sends the entire Kerberos database to each secondary Kerberos security server. This is the only propagation protocol supported by MIT Kerberos. The propagation occurs at timed intervals specified by the SKDC_KPROP_INTERVAL environment variable. A propagation does not occur if there have been no changes to the database since the last database propagation.

The individual update protocol sends just the database updates to each secondary Kerberos security server. The propagation occurs as each change is made to the database. The primary security server keeps track of the update level of each secondary security server and holds pending updates for an unavailable secondary server until the server becomes available. The individual update protocol should be used if it is supported by the primary KDC and the secondary KDC, since it performs much better than the full replacement protocol for large databases.

The /etc/skrb/home/kdc/kpropd.acl configuration file contains an entry for each Kerberos security server in the realm, and it specifies the role assigned to each of the servers. Each line consists of three fields; blank lines are ignored, comment lines are indicated by a semi-colon in the first position, and the file is assumed to be in the code page specified by the LANG environment variable. The maximum line length is 255 characters. The first field specifies the host name and optional port, separated by a colon, of a Kerberos security server. Port 754 is used for database propagation if a port is not specified either in kpropd.acl or for the krb5_prop service. The host name is used as the name of the Kerberos security server in the propagation status database and is converted to lowercase. The second field specifies the role assigned to that security server. The third field specifies the encryption type for the session key in the service ticket. The encryption type field is optional; the default encryption type list obtained from the Kerberos configuration file is used if the field is omitted.

The roles are:
  • Primary - This is the primary security server for the realm. It owns the Kerberos registry database and sends updates to the other security servers in the realm.
  • Replace - This is a secondary security server that receives updates by replacing the entire registry database as part of each propagation cycle. The database propagation contains principal policy and password history information. The secondary KDC must be at the MIT Kerberos 1.2.2 level or later.
  • Compat - This is a secondary security server that receives updates by replacing the entire registry database as part of each propagation cycle. The database propagation does not contain principal policy or password history information. This propagation format is supported by MIT Kerberos 1.2.1 and earlier. Note that the principal policy and password history information is lost if a database created using this propagation method is later used by the primary KDC for the realm.
  • Update - This is a secondary security server that receives individual database updates.
  • Manual - This is a secondary security server that receives updates manually when the security server PROP command is issued.

The /etc/skrb/home/kdc/kpropd.acl configuration file must exist on the primary system and on each secondary system if database propagation is going to be used. The KDC assumes it is the only KDC in the realm if this file is not found. The host names specified in the kpropd.acl file must be valid DNS names and each must be the primary name assigned to its host system. The KDC locates its own entry by using DNS services to translate the host name returned by the gethostname() function and then by searching for the translated name in the configuration file.

The kpropd.acl file on the primary system must contain an entry for each KDC in the realm, including the primary KDC. These entries define the secondary servers to receive database propagations from the primary KDC.

The kpropd.acl file on the secondary systems requires only the entry for the primary KDC, although other entries can be specified. A secondary KDC accepts updates only from servers identified in its kpropd.acl configuration file. The secondary KDC checks for an authorized server by using DNS services to translate the remote IP address for a connection to a host name and then searching for the host name in the configuration file.

The KDC identified as the primary KDC provides Kerberos administration services by listening for requests on the administration and password change ports. The primary KDC does not listen for requests on the propagation port.

A KDC identified as a secondary KDC does not provide Kerberos administration services. It does not listen for requests on the administration or password change ports. A secondary KDC listens for propagation requests on the propagation port.

The Kerberos registry must contain a service principal for each system with a KDC, including the primary KDC. The principal name is host/primary-host-name where primary-host-name is the primary DNS name for the system. For example, if a KDC is running on system dcesec4.krb390.ibm.com, the Kerberos registry must contain the principal host/dcesec4.krb390.ibm.com.

Each system running a secondary KDC must have a /var/skrb/krb5kdc/kpropd.ktf key table file. This key table contains the host key for that system and is created using the kadmin ktadd subcommand. For example, if a secondary KDC is running on system dcesec7.krb390.ibm.com, the following kadmin commands should be issued on the dcesec7.krb390.ibm.com system:
addprinc host/dcesec7.krb390.ibm.com
ktadd -k /var/skrb/krb5kdc/kpropd.ktf host/dcesec7.krb390.ibm.com
The following is a sample kpropd.acl for a Kerberos realm containing three Kerberos security servers. Systems dcesec4.krb390.ibm.com and dcesec7.krb390.ibm.com are z/OS systems in the same sysplex, while system dcecpt.mitkrb.ibm.com is an AIX® system running MIT Kerberos. The KDC on dcesec4.krb390.ibm.com is the primary KDC for the realm. This sample configuration file can be found in /usr/lpp/skrb/examples/kpropd.acl:
; Sample kpropd.acl configuration file
;
; Host                            Role        Encryption type
; ----                            ----        ---------------
  dcesec4.krb390.ibm.com:754      Primary
  dcesec7.krb390.ibm.com:754      Update
  dcecpt.mitkrb.ibm.com:754       Replace     des-cbc-crc
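As an added example (not part of the z/OS Kerberos product), the following Python validator parses a kpropd.acl file using the field rules described above and mirrors the secondary KDC's authorization check, which accepts a propagation only from a host listed in the file. The requirement that exactly one Primary entry be present, the hypothetical function names, and the embedded sample file are this example's assumptions.

```python
# Added example, not IBM's kpropd code. Field rules follow the page:
# ';' in column one is a comment, blank lines are ignored, max line length
# is 255, fields are host[:port] role [enctype], default port 754, and host
# names are lowercased. Exactly-one-Primary is this example's own check.
ROLES = {"primary", "replace", "compat", "update", "manual"}
DEFAULT_PROP_PORT = 754


def parse_kpropd_acl(text):
    """Return a list of (host, port, role, enctype); raise ValueError on bad input."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > 255:
            raise ValueError(f"line {lineno}: exceeds 255 characters")
        if raw.startswith(";") or not raw.strip():
            continue  # comment or blank line
        fields = raw.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        host, _, port = fields[0].partition(":")
        port = int(port) if port else DEFAULT_PROP_PORT
        role = fields[1].lower()
        if role not in ROLES:
            raise ValueError(f"line {lineno}: unknown role {fields[1]!r}")
        enctype = fields[2] if len(fields) == 3 else None
        entries.append((host.lower(), port, role, enctype))
    primaries = [e for e in entries if e[2] == "primary"]
    if len(primaries) != 1:
        raise ValueError(f"expected exactly one Primary entry, found {len(primaries)}")
    return entries


def is_authorized_sender(entries, peer_hostname):
    """Secondary-side check: the reverse-resolved peer name must appear in the ACL."""
    return any(e[0] == peer_hostname.lower() for e in entries)


# Constructed sample mirroring the page's example; the third entry omits the port.
SAMPLE_ACL = """; constructed sample kpropd.acl
  dcesec4.krb390.ibm.com:754      Primary
  dcesec7.krb390.ibm.com:754      Update
  dcecpt.mitkrb.ibm.com           Replace     des-cbc-crc
"""

if __name__ == "__main__":
    for entry in parse_kpropd_acl(SAMPLE_ACL):
        print(entry)
```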

The kpropd.acl file may be changed while the Kerberos security server is running and the changes will be picked up at the next propagation interval. However, the role of a security server may not be changed from primary to secondary or from secondary to primary while the security server is running.