KPROPD(8)                   System Manager's Manual                  KPROPD(8)

NAME

       kpropd - Kerberos V5 slave KDC update server

SYNOPSIS

       kpropd [ -r realm ] [ -f slave_dumpfile ] [ -F principal_database ]
       [ -p kdb5_util_prog ] [ -d ] [ -S ] [ -P port ]

DESCRIPTION

       The kpropd command runs on the slave KDC server.  It listens for update
       requests made by the kprop(8) program, and periodically requests
       incremental updates from the master KDC.

       When the slave receives a kprop request from the master, kpropd accepts
       the dumped KDC database and places it in a file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is used by krb5kdc(8).  Thus, the master Kerberos server can use
       kprop(8) to propagate its database to the slave servers.  Upon a
       successful download of the KDC database file, the slave Kerberos server
       will have an up-to-date KDC database.

       Normally, kpropd is invoked out of inetd(8).  This is done by adding a
       line to the inetd.conf file which looks like this:

       kprop     stream    tcp  nowait    root /usr/sbin/kpropd    kpropd

       However, kpropd can also run as a standalone daemon, if the -S option
       is turned on.  This is done for debugging purposes, or if for some
       reason the system administrator just doesn't want to run it out of
       inetd(8).

       When the slave periodically requests incremental updates, kpropd
       updates its principal.ulog file with any updates from the master.
       kproplog(8) can be used to view a summary of the update entry log on
       the slave KDC.  Incremental propagation is not enabled by default; it
       can be enabled using the iprop_enable and iprop_slave_poll settings in
       kdc.conf(5).  The principal "kiprop/slavehostname@REALM" (where
       "slavehostname" is the name of the slave KDC host, and "REALM" is the
       name of the Kerberos realm) must be present in the slave's keytab file.

OPTIONS

       -r realm
              specifies the realm of the master server; by default the realm
              returned by krb5_default_local_realm(3) is used.

       -f file
              specifies the filename where the dumped principal database file
              is to be stored; by default the dumped database file is
              KPROPD_DEFAULT_FILE (normally
              /var/kerberos/krb5kdc/from_master).

       -p     allows the user to specify the pathname to the kdb5_util(8)
              program; by default the pathname used is
              KPROPD_DEFAULT_KDB5_UTIL (normally /usr/sbin/kdb5_util).

       -S     turn on standalone mode.  Normally, kpropd is invoked out of
              inetd(8) so it expects a network connection to be passed to it
              from inetd(8).  If the -S option is specified, kpropd will put
              itself into the background, and wait for connections to the
              KPROP_SERVICE port (normally krb5_prop).

       -d     turn on debug mode.  In this mode, if the -S option is selected,
              kpropd will not detach itself from the current job and run in
              the background.  Instead, it will run in the foreground and
              print out debugging messages during the database propagation.

       -P     allow for an alternate port number for kpropd to listen on.  This
              is only useful if the program is run in standalone mode.

       -a     allows the user to specify the path to the kpropd.acl file; by
              default the path used is KPROPD_ACL_FILE (normally
              /var/kerberos/krb5kdc/kpropd.acl).

FILES

       kpropd.acl  Access file for kpropd; the default location is
                   KPROPD_ACL_FILE (normally
                   /var/kerberos/krb5kdc/kpropd.acl).  Each entry is a line
                   containing the principal of a host from which the local
                   machine will allow Kerberos database propagation via kprop.
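
       The following is an added example, not part of this manual page or of
       the Kerberos distribution: a Python review of kpropd.acl that reports
       entries which would let an unexpected host propagate a database to
       this slave.  The host/ primary, the root-ownership check, the function
       names, and the sample realm and hostnames are assumptions of the
       example.

```python
import re
import stat

# Assumed entry shape: primary/host@REALM. The manual says only "the principal
# of a host"; requiring the host/ primary is this example's assumption.
ENTRY_RE = re.compile(r"^([^/@\s]+)/([^/@\s]+)@([^/@\s]+)$")

def audit_acl(text, realm, expected_masters):
    """Return (line_no, entry, problem) tuples for the body of a kpropd.acl."""
    findings, seen = [], set()
    expected = {h.lower() for h in expected_masters}
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if m is None:
            findings.append((no, entry, "not of the form primary/host@REALM"))
            continue
        primary, host, entry_realm = m.groups()
        if primary != "host":
            findings.append((no, entry, "primary is not 'host'"))
        if entry_realm != realm:
            findings.append((no, entry, "realm differs from " + realm))
        if host.lower() not in expected:
            findings.append((no, entry, "host is not a known master KDC"))
        if entry in seen:
            findings.append((no, entry, "duplicate entry"))
        seen.add(entry)
    return findings

def mode_problems(st_mode, st_uid):
    """Flag ownership or permissions that let a non-root user edit the ACL."""
    checks = [(st_uid != 0, "not owned by root"),
              (bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH)), "group- or world-writable")]
    return [msg for bad, msg in checks if bad]

# Constructed sample ACL (not from a real deployment).
SAMPLE_ACL = """\
host/kdc1.example.com@EXAMPLE.COM
host/kdc1.example.com@EXAMPLE.COM
host/build7.example.com@EXAMPLE.COM
host/kdc1.example.com@OTHER.EXAMPLE
kiprop
"""

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL, "EXAMPLE.COM", ["kdc1.example.com"]):
        print("line %d: %s: %s" % finding)
```

       To check the file on disk, pass its contents to audit_acl() and the
       st_mode and st_uid fields of os.stat() to mode_problems().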

SEE ALSO

       kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)