KPROPD(8)                        MIT Kerberos                        KPROPD(8)

NAME

       kpropd - Kerberos V5 slave KDC update server

SYNOPSIS

       kpropd [-r realm] [-A admin_server] [-a acl_file] [-f slave_dumpfile]
       [-F principal_database] [-p kdb5_util_prog] [-P port] [-d] [-t]

DESCRIPTION

       The kpropd command runs on the slave KDC server.  It listens for update
       requests made by the kprop(8) program.  If incremental propagation is
       enabled, it periodically requests incremental updates from the master
       KDC.

       When the slave receives a kprop request from the master, kpropd accepts
       the dumped KDC database and places it in a file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is used by krb5kdc(8).  This allows the master Kerberos server to use
       kprop(8) to propagate its database to the slave servers.  Upon a
       successful download of the KDC database file, the slave Kerberos server
       will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is commonly invoked
       out of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

          kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon, backgrounding itself and
       waiting for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental
       propagation.  Starting in release 1.11, kpropd automatically detects
       whether it was run from inetd and runs in standalone mode if it is not.
       Prior to release 1.11, the -S option is required to run kpropd in
       standalone mode; this option is now accepted for backward compatibility
       but does nothing.

       Incremental propagation may be enabled with the iprop_enable variable
       in kdc.conf(5).  If incremental propagation is enabled, the slave
       periodically polls the master KDC for updates, at an interval
       determined by the iprop_slave_poll variable.  If the slave receives
       updates, kpropd updates its log file with any updates from the master.
       kproplog(8) can be used to view a summary of the update entry log on
       the slave KDC.  If incremental propagation is enabled, the principal
       kiprop/slavehostname@REALM (where slavehostname is the name of the
       slave KDC host, and REALM is the name of the Kerberos realm) must be
       present in the slave's keytab file.

       kproplog(8) can be used to force full replication when iprop is
       enabled.

OPTIONS

       -r realm
              Specifies the realm of the master server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the master admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database file
              is to be stored; by default the dumped database file is
              /var/kerberos/krb5kdc/from_master.

       -p     Allows the user to specify the pathname to the kdb5_util(8)
              program; by default the pathname used is /usr/sbin/kdb5_util.

       -d     Turn on debug mode.  In this mode, kpropd will not detach itself
              from the current job and run in the background.  Instead, it
              will run in the foreground and print out debugging messages
              during the database propagation.

       -t     In standalone mode without incremental propagation, exit after
              one dump file is received.  In incremental propagation mode,
              exit as soon as the database is up to date, or if the master
              returns an error.

       -P     Allow for an alternate port number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl file; by
              default the path used is /var/kerberos/krb5kdc/kpropd.acl.

ENVIRONMENT

       kpropd uses the following environment variables:

       · KRB5_CONFIG

       · KRB5_KDC_PROFILE

FILES

       kpropd.acl
              Access file for kpropd; the default location is
              /usr/local/var/krb5kdc/kpropd.acl.  Each entry is a line
              containing the principal of a host from which the local machine
              will allow Kerberos database propagation via kprop(8).

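
       Every principal listed in kpropd.acl may replace this slave's entire
       KDC database, so the file is worth auditing.  The Python below is an
       added example, not part of the MIT Kerberos distribution.  It assumes
       host principals take the form host/<fqdn>@REALM and skips blank lines;
       audit_kpropd_acl, SAMPLE_ACL and KNOWN_KDCS are hypothetical names and
       constructed sample data.

```python
import re

# Assumption: a host principal is written host/<fqdn>@<REALM>.
HOST_PRINCIPAL = re.compile(r"^host/(?P<fqdn>[A-Za-z0-9.-]+)@(?P<realm>[^@\s]+)$")

# Constructed sample kpropd.acl contents (not taken from a real system).
SAMPLE_ACL = """\
host/kdc1.example.com@EXAMPLE.COM
host/kdc2.example.com@EXAMPLE.COM
alice/admin@EXAMPLE.COM
host/build7.example.com@EXAMPLE.COM
host/kdc1.example.com@TEST.EXAMPLE.COM
"""

# Constructed inventory of hosts that are expected to run kprop(8).
KNOWN_KDCS = {"kdc1.example.com", "kdc2.example.com"}


def audit_kpropd_acl(text, expected_realm, known_kdcs):
    """Return (line_number, entry, finding) tuples for suspicious ACL lines.

    text           -- contents of a kpropd.acl file
    expected_realm -- realm this slave KDC serves
    known_kdcs     -- lowercase FQDNs allowed to propagate to this slave
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # assumption: blank lines carry no entry
        match = HOST_PRINCIPAL.match(entry)
        if match is None:
            # User or service principals should never be able to push a database.
            findings.append((lineno, entry, "not a host/<fqdn>@REALM principal"))
            continue
        if match["realm"] != expected_realm:
            findings.append((lineno, entry, "realm differs from " + expected_realm))
        if match["fqdn"].lower() not in known_kdcs:
            findings.append((lineno, entry, "host is not a known KDC"))
    return findings


if __name__ == "__main__":
    for lineno, entry, finding in audit_kpropd_acl(SAMPLE_ACL, "EXAMPLE.COM", KNOWN_KDCS):
        print(f"kpropd.acl:{lineno}: {entry}: {finding}")
```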

SEE ALSO

       kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)

AUTHOR

       MIT

       1985-2017, MIT

1.15.1                                                               KPROPD(8)