On Wed, Apr 02, 2014 at 09:19:00PM +0200, Wang Shouhua wrote:
> Is there such a utility which can issue a "ping" (null command) to
> the kdc to see if it is still responding?
>

The last time I was responsible for such a thing, I wrote a script
that did the following:

- Using a keytab, change the password of a test principal to a known
  random string.
- Wait some minimally acceptable replication delay interval.
- Using a specially crafted krb5.conf file for each kdc (disable dns
  lookups, the only kdc listed in each conf file was the kdc I was
  testing), try to get a ticket for the test principal using that
  known random string.

This verified that enough of the master KDC was working to change
passwords, that the changed password was making it to each KDC, and
that each KDC could deliver at least a TGT.

I believe I used one of the Perl Kerberos libraries --- Perl isn't my
first choice of scripting languages, but it had all the things I
needed and wasn't C. For all I know, this may still be running at my
last job. It used to be in a publicly accessible CVSweb repo, but
apparently that's no longer working....

I did run into a problem at some point, either rolling over the KVNO
on the test principal, or it getting large enough that something
making a stupid assumption broke; I don't remember which. Deleting
and re-creating the principal fixed that.

-- 
Thomas L. Kula | [email protected] | http://kula.tproa.net/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
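The three steps from the message above, sketched as a shell script (an added example, not the author's Perl script). It assumes MIT Kerberos `kadmin` and `kinit`; the function names, environment variables, realm, hosts and principals are placeholders.

```shell
#!/bin/sh
# Added example: per-KDC health check. All names and paths are placeholders.

# Write a krb5.conf that lists exactly one KDC and never consults DNS,
# so a successful kinit proves that this specific KDC answered.
write_kdc_conf() {  # usage: write_kdc_conf REALM KDC_HOST OUTFILE
    cat > "$3" <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $1 = {
        kdc = $2
    }
EOF
}

# Step 1: set the test principal's password to a fresh random string,
# authenticating to kadmin with a keytab. The password is visible in
# kadmin's argv, so use this only for a throwaway test principal.
rotate_test_password() {  # usage: rotate_test_password KEYTAB ADMIN_PRINC TEST_PRINC
    pw=$(head -c 18 /dev/urandom | od -An -tx1 | tr -d ' \n')
    kadmin -k -t "$1" -p "$2" -q "cpw -pw $pw $3" >/dev/null || return 1
    printf '%s' "$pw"
}

# Step 3: request a TGT from one KDC only, into a throwaway credential cache.
check_kdc() {  # usage: check_kdc CONF TEST_PRINC PASSWORD
    cc=$(mktemp) || return 1
    printf '%s\n' "$3" | KRB5_CONFIG="$1" kinit -c "FILE:$cc" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$cc"
    return $rc
}

# Driver: runs only when KDC_HOSTS (space-separated list) is set.
if [ -n "${KDC_HOSTS:-}" ]; then
    newpw=$(rotate_test_password "$KEYTAB" "$ADMIN_PRINC" "$TEST_PRINC") || exit 2
    sleep "${REPL_DELAY:-300}"   # step 2: allow for replication
    for kdc in $KDC_HOSTS; do
        conf=$(mktemp) && write_kdc_conf "$REALM" "$kdc" "$conf"
        if check_kdc "$conf" "$TEST_PRINC" "$newpw"; then echo "OK $kdc"; else echo "FAIL $kdc"; fi
        rm -f "$conf"
    done
fi
```

A `FAIL` line for every KDC points at the password change or replication; a `FAIL` for a single host points at that KDC.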
