Configure a Kerberos KDC server All KDC servers (primary and replicas) should be in a common ``kerberos-kdc`` group that defines ``kerberos_kdc_realm`` and ``kerberos_kdc_master_key``. The ``kerberos-kdc-primary`` group should have a single primary KDC host. It will be configured to replicate its database to hosts in the ``kerberos-kdc-replica`` group. Hosts in the ``kerberos-kdc-replica`` group will be configured to receive updates from the ``kerberos-kdc-primary`` host. The role should be run twice; once limited to the primary group and then a second time limited to the secondary group. **Role Variables** .. zuul:rolevar:: kerberos_kdc_relam The realm for all KDC servers. .. zuul:rolevar:: kerberos_kdc_master_key The master key written into the *stash* file for each KDC, which allows them to auth.