KPROPD(8)                        MIT Kerberos                        KPROPD(8)

NAME

       kpropd - Kerberos V5 slave KDC update server

SYNOPSIS

       kpropd [-r realm] [-A admin_server] [-a acl_file] [-f slave_dumpfile]
       [-F principal_database] [-p kdb5_util_prog] [-P port]
       [--pid-file=pid_file] [-d] [-t]

DESCRIPTION

       The kpropd command runs on the slave KDC server.  It listens for update
       requests made by the kprop(8) program.  If incremental propagation is
       enabled, it periodically requests incremental updates from the master
       KDC.

       When the slave receives a kprop request from the master, kpropd accepts
       the dumped KDC database and places it in a file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is used by krb5kdc(8).  This allows the master Kerberos server to use
       kprop(8) to propagate its database to the slave servers.  Upon a
       successful download of the KDC database file, the slave Kerberos server
       will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is commonly invoked
       out of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

          kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon, backgrounding itself and
       waiting for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental
       propagation.  Starting in release 1.11, kpropd automatically detects
       whether it was run from inetd and runs in standalone mode if it is not.
       Prior to release 1.11, the -S option is required to run kpropd in
       standalone mode; this option is now accepted for backward compatibility
       but does nothing.

       Incremental propagation may be enabled with the iprop_enable variable
       in kdc.conf(5).  If incremental propagation is enabled, the slave
       periodically polls the master KDC for updates, at an interval
       determined by the iprop_slave_poll variable.  If the slave receives
       updates, kpropd updates its log file with any updates from the master.
       kproplog(8) can be used to view a summary of the update entry log on
       the slave KDC.  If incremental propagation is enabled, the principal
       kiprop/slavehostname@REALM (where slavehostname is the name of the
       slave KDC host, and REALM is the name of the Kerberos realm) must be
       present in the slave's keytab file.

       kproplog(8) can be used to force full replication when iprop is
       enabled.

OPTIONS

       -r realm
              Specifies the realm of the master server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the master admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database file
              is to be stored; by default the dumped database file is
              /var/kerberos/krb5kdc/from_master.

       -p kdb5_util_prog
              Allows the user to specify the pathname to the kdb5_util(8)
              program; by default the pathname used is /usr/sbin/kdb5_util.

       -d     Turn on debug mode.  In this mode, kpropd will not detach itself
              from the current job and run in the background.  Instead, it
              will run in the foreground and print out debugging messages
              during the database propagation.

       -t     In standalone mode without incremental propagation, exit after
              one dump file is received.  In incremental propagation mode,
              exit as soon as the database is up to date, or if the master
              returns an error.

       -P port
              Allow for an alternate port number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl file; by
              default the path used is /var/kerberos/krb5kdc/kpropd.acl.

       --pid-file=pid_file
              In standalone mode, write the process ID of the daemon into
              pid_file.

ENVIRONMENT

       kpropd uses the following environment variables:

       · KRB5_CONFIG

       · KRB5_KDC_PROFILE

FILES

       kpropd.acl
              Access file for kpropd; the default location is
              /usr/local/var/krb5kdc/kpropd.acl.  Each entry is a line
              containing the principal of a host from which the local machine
              will allow Kerberos database propagation via kprop(8).
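
       Added example (not part of the man page or of MIT's code): a Python
       audit of kpropd.acl contents that flags every entry other than the
       expected master KDC host principal.  The host/<fqdn>@REALM form, the
       first-token parsing, the function name and the sample ACL are
       assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed convention: a KDC host principal looks like host/<fqdn>@<REALM>.
HOST_PRINCIPAL = re.compile(
    r"^host/([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)@([A-Za-z0-9.-]+)$")

# Constructed sample; only line 1 names the (hypothetical) master KDC.
SAMPLE_ACL = """\
host/kdc1.example.com@EXAMPLE.COM
host/build7.example.com@EXAMPLE.COM

admin/admin@EXAMPLE.COM
host/kdc1.example.com@TEST.EXAMPLE.COM
host/kdc1.example.com@EXAMPLE.COM
"""

def audit_kpropd_acl(text, realm, master_hosts):
    """Return (lineno, principal, finding) for each entry that widens the
    set of hosts allowed to push a database to this slave KDC."""
    findings = []
    seen = Counter()
    masters = {h.lower() for h in master_hosts}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:                      # skip blank lines
            continue
        principal = fields[0]               # assumption: principal is the first token
        seen[principal] += 1
        if seen[principal] > 1:
            findings.append((lineno, principal, "duplicate entry"))
            continue
        m = HOST_PRINCIPAL.match(principal)
        if not m:
            findings.append((lineno, principal, "not a host/<fqdn>@REALM principal"))
            continue
        host, entry_realm = m.group(1).lower(), m.group(2)
        if entry_realm != realm:            # realm names are case-sensitive
            findings.append((lineno, principal, "realm differs from " + realm))
        elif host not in masters:
            findings.append((lineno, principal, "host is not a known master KDC"))
    return findings

if __name__ == "__main__":
    for lineno, principal, finding in audit_kpropd_acl(
            SAMPLE_ACL, "EXAMPLE.COM", ["kdc1.example.com"]):
        print(f"line {lineno}: {principal}: {finding}")
```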

SEE ALSO

       kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)

AUTHOR

       MIT

       1985-2018, MIT

1.16.1                                                               KPROPD(8)