How to quickly get a snapshot of the Heimdal DB file

Adam Lewenberg
I am looking for a quick way to get a snapshot of the Kerberos database
file.

The most obvious way to do this would be to shut down the Kerberos
service, copy the file, and restart the service. This could be done on
one of the replicas, perhaps one that does not get actual authentication
requests.

Is there a faster way? For example, some database systems (e.g., MS SQL)
have the ability to go into and out of a "quiescent" state faster than a
full service stop/start to facilitate this sort of thing. Does Heimdal
have something like this? Or is the full service restart the only/best
option?

Thanks, Adam Lewenberg


Re: How to quickly get a snapshot of the Heimdal DB file

Jeffrey Hutzelman
On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:

> I am looking for a quick way to get a snapshot of the Kerberos database
> file.
>
> The most obvious way to do this would be to shut down the Kerberos
> service, copy the file, and restart the service. This could be done on
> one of the replicas, perhaps one that does not get actual authentication
> requests.
>
> Is there a faster way? For example, some database systems (e.g., MS SQL)
> have the ability to go into and out of a "quiescent" state faster than a
> full service stop/start to facilitate this sort of thing. Does Heimdal
> have something like this? Or is the full service restart the only/best
> option?


hprop --stdout

will produce a database dump that you can reload later if needed.


kadmin -l list -l '*'

will produce a verbose human-readable list of all the principals in the
database and their attributes. Note that this is not particularly
machine-readable and does not include keys, so it's not a backup.


-- Jeff

Re: How to quickly get a snapshot of the Heimdal DB file

Nico Williams
In reply to this post by Adam Lewenberg
On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
> I am looking for a quick way to get a snapshot of the Kerberos database
> file.
>
> The most obvious way to do this would be to shut down the Kerberos service,
> copy the file, and restart the service. This could be done on one of the
> replicas, perhaps one that does not get actual authentication requests.

You can use the lock sub-command of kadmin -l, copy the HDB, and then
unlock.

You could also set up a hidden slave on the same host as the master, then
stop that ipropd-slave to take a snapshot of its HDB.

Nico
--
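
The two no-downtime approaches suggested above (Jeff's "hprop --stdout" dump and Nico's lock, copy, unlock), written out as an added example. This is not code from the thread or from Heimdal itself. It assumes kadmin and hprop are on PATH (override with the KADMIN and HPROP variables, e.g. KADMIN=true for a dry run), that the installed Heimdal has the "kadmin -l lock" / "unlock" sub-commands, and that the paths in the usage comment are placeholders for wherever your kdc configuration keeps the database.

```shell
#!/bin/sh
# Added example (not Heimdal's own code): snapshot a Heimdal KDC database
# without stopping the KDC, following the two methods from the thread:
#   snapshot_hdb SRC DEST - "kadmin -l lock", copy the raw HDB file, verify, unlock
#   dump_hdb DEST         - logical dump via "hprop --stdout", reloadable with "hpropd --stdin"
# Assumptions: kadmin/hprop are on PATH (override with KADMIN / HPROP) and the
# build has the lock/unlock sub-commands (the thread notes 1.5.x does not).
set -eu

KADMIN=${KADMIN:-kadmin}
HPROP=${HPROP:-hprop}

# Release the HDB lock and drop the traps that would release it again.
unlock_hdb() {
    "$KADMIN" -l unlock
    trap - EXIT INT TERM
}

# snapshot_hdb SRC DEST
# Copies the raw database file while the HDB is locked, compares the copy with
# the source byte for byte while the lock is still held, and only then renames
# it into place. The lock is released on every exit path (error, Ctrl-C).
snapshot_hdb() {
    src=$1
    dest=$2
    if [ ! -r "$src" ]; then
        echo "snapshot_hdb: cannot read $src" >&2
        return 1
    fi
    umask 077                       # the copy holds every principal's keys: owner-only
    "$KADMIN" -l lock
    trap unlock_hdb EXIT
    trap 'unlock_hdb; exit 130' INT TERM
    cp "$src" "$dest.tmp"
    chmod 600 "$dest.tmp"
    if ! cmp -s "$src" "$dest.tmp"; then
        rm -f "$dest.tmp"
        echo "snapshot_hdb: copy does not match $src" >&2
        return 1                    # lock is still released by the EXIT trap
    fi
    mv "$dest.tmp" "$dest"
    unlock_hdb
}

# dump_hdb DEST
# Logical dump of the whole database; no lock needed. The output reloads with
# "hpropd --stdin" (point hpropd at a scratch database, never the live one).
dump_hdb() {
    dest=$1
    umask 077
    "$HPROP" --stdout > "$dest.tmp"
    if [ ! -s "$dest.tmp" ]; then
        rm -f "$dest.tmp"
        echo "dump_hdb: hprop produced no output" >&2
        return 1
    fi
    mv "$dest.tmp" "$dest"
}

# Usage (paths are placeholders; use the database path from your kdc config):
#   sh snapshot.sh /var/heimdal/heimdal.db /var/backups/heimdal.db.$(date +%Y%m%d%H%M%S)
if [ "$#" -eq 2 ]; then
    snapshot_hdb "$1" "$2"
fi
```

The byte-for-byte compare runs before the unlock so that a copy torn by a concurrent write can never be mistaken for a good snapshot, and the result is created with mode 0600 because it carries the same key material as the live database. A raw file copy is only reloadable on the same Heimdal version and database backend; the hprop dump is the portable form.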

Re: How to quickly get a snapshot of the Heimdal DB file

Nico Williams
In reply to this post by Jeffrey Hutzelman
On Sat, Apr 01, 2017 at 08:22:32PM -0400, Jeffrey Hutzelman wrote:
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

Ah, yes, that's nice.  Forgot about that one.

Nico
--

Re: How to quickly get a snapshot of the Heimdal DB file

Adam Lewenberg
In reply to this post by Jeffrey Hutzelman


On 4/1/2017 5:22 PM, Jeffrey Hutzelman wrote:

> On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos database
>> file.
>>
>> The most obvious way to do this would be to shut down the Kerberos
>> service, copy the file, and restart the service. This could be done on
>> one of the replicas, perhaps one that does not get actual authentication
>> requests.
>>
>> Is there a faster way? For example, some database systems (e.g., MS SQL)
>> have the ability to go into and out of a "quiescent" state faster than a
>> full service stop/start to facilitate this sort of thing. Does Heimdal
>> have something like this? Or is the full service restart the only/best
>> option?
>
>
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

This looks to be a simple way to get a consistent snapshot with no
service downtime. Thanks!

Adam Lewenberg


>
>
> kadmin -l list -l '*'
>
> will produce a verbose human-readable list of all the principals in the
> database and their attributes. Note that this is not particularly
> machine-readable and does not include keys, so it's not a backup.
>
>
> -- Jeff
>

Re: How to quickly get a snapshot of the Heimdal DB file

Adam Lewenberg
In reply to this post by Nico Williams


On 4/1/2017 5:52 PM, Nico Williams wrote:

> On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos database
>> file.
>>
>> The most obvious way to do this would be to shut down the Kerberos service,
>> copy the file, and restart the service. This could be done on one of the
>> replicas, perhaps one that does not get actual authentication requests.
>
> You can use the lock sub-command of kadmin -l, copy the HDB, and then
> unlock.

I don't see that command in the man page. Is that a new command (we are
still running Heimdal 1.5.2)?

Adam Lewenberg

>
> You could also set up a hidden slave on the same host as the master, then
> stop that ipropd-slave to take a snapshot of its HDB.
>
> Nico
>

Re: How to quickly get a snapshot of the Heimdal DB file

Jeffrey Altman-2
On 4/2/2017 10:37 AM, Adam Lewenberg wrote:
> I don't see that command in the man page. Is that a new command (we are
> still running Heimdal 1.5.2)?

kadmin lock was added to the master branch in July 2011.  It is not
present on the 1.5 branch.

Jeffrey Altman




Re: How to quickly get a snapshot of the Heimdal DB file

Roland C. Dowdeswell-2
In reply to this post by Adam Lewenberg
On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
> I am looking for a quick way to get a snapshot of the Kerberos
> database file.

In addition to the other methods suggested already, you could just:

        $ kadmin -l dump <file>

which can be later loaded with:

        $ kadmin -l load <file>

Or one could even grep the entries out that you wish to restore and pass
them to:

        $ kadmin -l merge <file>

if, say, you wanted to revert some entries to the dump file that you
created using the cronjob that we all generally have in place.

--
    Roland C. Dowdeswell

Re: How to quickly get a snapshot of the Heimdal DB file

Henry B (Hank) Hotz, CISSP-2
This is the one I’ve always used.

You can grep out specific entries and hand-edit them if you need to make changes not otherwise supported by the admin interface. Also you can use this method to move full-strength cross-realm keys between installations.

It’s also a great way to undo an otherwise-dangerous experiment. ;-)


> On Apr 2, 2017, at 10:44 AM, Roland C. Dowdeswell <[hidden email]> wrote:
>
> On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos
>> database file.
>
> In addition to the other methods suggested already, you could just:
>
> $ kadmin -l dump <file>
>
> which can be later loaded with:
>
> $ kadmin -l load <file>
>
> Or one could even grep the entries out that you wish to restore and pass
> them to:
>
> $ kadmin -l merge <file>
>
> if, say, you wanted to revert some entries to the dump file that you
> created using the cronjob that we all generally have in place.
>
> --
>    Roland C. Dowdeswell

Personal email.  [hidden email]




Re: How to quickly get a snapshot of the Heimdal DB file

Adam Lewenberg
In reply to this post by Jeffrey Hutzelman


On 4/1/2017 5:22 PM, Jeffrey Hutzelman wrote:

> On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos database
>> file.
>>
>> The most obvious way to do this would be to shut down the Kerberos
>> service, copy the file, and restart the service. This could be done on
>> one of the replicas, perhaps one that does not get actual authentication
>> requests.
>>
>> Is there a faster way? For example, some database systems (e.g., MS SQL)
>> have the ability to go into and out of a "quiescent" state faster than a
>> full service stop/start to facilitate this sort of thing. Does Heimdal
>> have something like this? Or is the full service restart the only/best
>> option?
>
>
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

I did a round trip (hprop --stdout | hpropd --stdin) and the resulting
heimdal.db has the same size as the original but a _different_ checksum.

Doing a "kadmin -l dump" on both database files I see that the output is
almost the same, except each entry has some sort of counter that gets
incremented. What is that counter for?

Adam Lewenberg



>
>
> kadmin -l list -l '*'
>
> will produce a verbose human-readable list of all the principals in the
> database and their attributes. Note that this is not particularly
> machine-readable and does not include keys, so it's not a backup.
>
>
> -- Jeff
>
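
An added example covering two things discussed in the thread: Roland's suggestion of grepping selected entries out of a "kadmin -l dump" file to feed to "kadmin -l merge", and Adam's comparison of the dumps of the original and round-tripped databases, where every entry differed in one counter field. This is not code from the thread or from Heimdal. It assumes only that a dump has one entry per line, whitespace-separated, with the principal name in the first field; the sample dump lines are constructed placeholders and do not reproduce Heimdal's real field layout.

```shell
#!/bin/sh
# Added example (not Heimdal's own code): working with "kadmin -l dump" output.
# Assumed layout: one entry per line, whitespace-separated fields, principal
# name first. Nothing about the order of the remaining fields is assumed.
#   select_entries PATTERN DUMP - pull the entries to feed to "kadmin -l merge"
#   diff_dumps OLD NEW          - show which principals and which fields changed
set -eu

# Keep only entries whose principal (field 1) matches the awk regex PATTERN, so
# the output is itself a valid dump, e.g. select_entries '^host/' full.dump > hosts.dump
# The pattern is read from ARGV rather than -v so backslashes survive intact.
select_entries() {
    awk 'BEGIN { pat = ARGV[1]; ARGV[1] = "" } $1 ~ pat' "$1" "$2"
}

# Entry-by-entry comparison. For a principal present in both files whose lines
# differ, print the 1-based field numbers that differ; a round trip that only
# bumps one per-entry counter shows the same single field number on every line.
# FILENAME is tested instead of the NR==FNR idiom so an empty OLD is handled.
diff_dumps() {
    awk '
        FILENAME == ARGV[1] { old[$1] = $0; next }
        {
            if (!($1 in old)) { print "only-in-new " $1; next }
            seen[$1] = 1
            if (old[$1] == $0) next
            n = split(old[$1], a); m = split($0, b)
            max = (n > m) ? n : m
            out = ""
            for (i = 1; i <= max; i++) if (a[i] != b[i]) out = out " " i
            print "differs " $1 " fields:" out
        }
        END { for (p in old) if (!(p in seen)) print "only-in-old " p }
    ' "$1" "$2"
}

# Constructed sample dumps for the demo. Only the principal is meaningful; the
# other fields are placeholders, not Heimdal's real field layout. The second
# dump bumps a counter on every surviving entry, drops one principal and adds one.
write_sample_dumps() {
    cat > "$1/before.dump" <<'EOF'
alice@EXAMPLE.COM keys:aaa 20170401T235959Z gen:1
host/kdc1.example.com@EXAMPLE.COM keys:bbb 20170401T235959Z gen:1
krbtgt/EXAMPLE.COM@EXAMPLE.COM keys:ccc 20170401T235959Z gen:1
EOF
    cat > "$1/after.dump" <<'EOF'
alice@EXAMPLE.COM keys:aaa 20170401T235959Z gen:2
host/kdc1.example.com@EXAMPLE.COM keys:bbb 20170401T235959Z gen:2
bob@EXAMPLE.COM keys:ddd 20170402T000000Z gen:1
EOF
}

# Run "sh dumptools.sh demo" to see both functions on the constructed data.
case ${1:-} in
    demo)
        d=$(mktemp -d)
        umask 077                   # dumps contain key material
        write_sample_dumps "$d"
        echo "== host/ entries (candidate input for: kadmin -l merge FILE)"
        select_entries '^host/' "$d/before.dump"
        echo "== changes between the two dumps"
        diff_dumps "$d/before.dump" "$d/after.dump"
        rm -rf "$d"
        ;;
esac
```

Because the dump is plain text with one principal per line, the merge subset is produced by line selection alone and needs no knowledge of the other fields; the comparison likewise reports only field positions, so it works on any Heimdal version, and a restore candidate can be checked against the live dump before anything is merged. Treat the dump files like the database: same ownership and 0600 permissions, since they carry every key.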
