KPROPD(8)                        MIT Kerberos                        KPROPD(8)

NAME

       kpropd - Kerberos V5 replica KDC update server


SYNOPSIS

       kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile]
       [-F principal_database] [-p kdb5_util_prog] [-P port]
       [--pid-file=pid_file] [-D] [-d] [-s keytab_file]


DESCRIPTION

       The kpropd command runs on the replica KDC server.  It listens for
       update requests made by the kprop program.  If incremental propagation
       is enabled, it periodically requests incremental updates from the
       primary KDC.

       When the replica receives a kprop request from the primary, kpropd
       accepts the dumped KDC database and places it in a file, and then runs
       kdb5_util to load the dumped database into the active database which
       is used by krb5kdc.  This allows the primary Kerberos server to use
       kprop to propagate its database to the replica servers.  Upon a
       successful download of the KDC database file, the replica Kerberos
       server will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is commonly invoked
       out of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

          kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon, backgrounding itself and
       waiting for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental
       propagation.  Starting in release 1.11, kpropd automatically detects
       whether it was run from inetd and runs in standalone mode if it is
       not.  Prior to release 1.11, the -S option is required to run kpropd
       in standalone mode; this option is now accepted for backward
       compatibility but does nothing.

       Incremental propagation may be enabled with the iprop_enable variable
       in kdc.conf.  If incremental propagation is enabled, the replica
       periodically polls the primary KDC for updates, at an interval
       determined by the iprop_replica_poll variable.  If the replica
       receives updates, kpropd updates its log file with any updates from
       the primary.  kproplog can be used to view a summary of the update
       entry log on the replica KDC.  If incremental propagation is enabled,
       the principal kiprop/replicahostname@REALM (where replicahostname is
       the name of the replica KDC host, and REALM is the name of the
       Kerberos realm) must be present in the replica's keytab file.

       kproplog can be used to force full replication when iprop is enabled.


OPTIONS

       -r realm
              Specifies the realm of the primary server.

       -A admin_server
              Specifies the server to be contacted for incremental updates;
              by default, the primary admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database
              file is to be stored; by default the dumped database file is
              /var/kerberos/krb5kdc/from_master.

       -F kerberos_db
              Path to the Kerberos database file, if not the default.

       -p     Allows the user to specify the pathname to the kdb5_util
              program; by default the pathname used is /usr/sbin/kdb5_util.

       -D     In this mode, kpropd will not detach itself from the current
              job and run in the background.  Instead, it will run in the
              foreground.

       -d     Turn on debug mode.  kpropd will print out debugging messages
              during the database propagation and will run in the foreground
              (implies -D).

       -P     Allow for an alternate port number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl file; by
              default the path used is /var/kerberos/krb5kdc/kpropd.acl.

       --pid-file=pid_file
              In standalone mode, write the process ID of the daemon into
              pid_file.

       -s keytab_file
              Path to a keytab to use for acquiring acceptor credentials.

       -x db_args
              Database-specific arguments.  See Database Options in kadmin
              for supported arguments.


FILES

       kpropd.acl
              Access file for kpropd; the default location is
              /usr/local/var/krb5kdc/kpropd.acl.  Each entry is a line
              containing the principal of a host from which the local
              machine will allow Kerberos database propagation via kprop.


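       The following is an added example and is not part of the MIT Kerberos
       sources or of this manual page.  It is a POSIX sh pre-flight check a
       replica administrator could run before starting kpropd, covering the
       three requirements stated above: kpropd.acl must list the primary's
       host principal, kdc.conf must set iprop_enable and iprop_replica_poll
       for incremental propagation, and in that case the replica keytab must
       hold kiprop/replicahostname@REALM.  The host names kdc1.example.com
       and kdc2.example.com, the realm EXAMPLE.COM, and the embedded
       kpropd.acl, kdc.conf and keytab-listing texts are constructed
       assumptions so the script runs offline; on a real replica the strings
       would be replaced by the contents of kpropd.acl and kdc.conf and by
       the output of klist -k.

```shell
#!/bin/sh
# Added example, not part of MIT Kerberos: pre-flight check for a replica KDC
# before kpropd is started.  All hosts, the realm and the file contents below
# are constructed assumptions so that the script runs offline.

REALM="EXAMPLE.COM"                 # assumption
PRIMARY_HOST="kdc1.example.com"     # assumption: primary KDC running kprop
REPLICA_HOST="kdc2.example.com"     # assumption: this replica KDC

# Constructed kpropd.acl: one principal per line.  The second entry lacks a
# realm, a misconfiguration this script is meant to flag.
ACL_CONTENT="host/kdc1.example.com@EXAMPLE.COM
host/kdc-old.example.com"

# Constructed listing in the shape printed by 'klist -k /etc/krb5.keytab'.
KEYTAB_LISTING="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------
   2 host/kdc2.example.com@EXAMPLE.COM
   2 kiprop/kdc2.example.com@EXAMPLE.COM"

# Constructed kdc.conf realm stanza with the two iprop settings named above.
KDC_CONF="[realms]
    EXAMPLE.COM = {
        iprop_enable = true
        iprop_replica_poll = 2m
    }"

# Succeeds when the ACL contains the primary's host principal on a line of
# its own (whole-line match, so a prefix or a different realm does not pass).
acl_allows_primary() {
    printf '%s\n' "$ACL_CONTENT" | grep -qx "host/${PRIMARY_HOST}@${REALM}"
}

# Prints ACL lines that are not of the form name/instance@REALM; such lines
# can never match the principal kprop authenticates as.
acl_unqualified_entries() {
    printf '%s\n' "$ACL_CONTENT" \
        | grep -v -E '^[^/@[:space:]]+/[^/@[:space:]]+@[^/@[:space:]]+$' || true
}

# Succeeds when kdc.conf sets iprop_enable = true.
iprop_enabled() {
    printf '%s\n' "$KDC_CONF" \
        | grep -q -E '^[[:space:]]*iprop_enable[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# Prints the configured iprop_replica_poll value (empty when unset).
iprop_poll_interval() {
    printf '%s\n' "$KDC_CONF" \
        | sed -n 's/^[[:space:]]*iprop_replica_poll[[:space:]]*=[[:space:]]*//p'
}

# Succeeds when the keytab listing carries the kiprop principal for this host.
keytab_has_kiprop() {
    printf '%s\n' "$KEYTAB_LISTING" \
        | grep -q "[[:space:]]kiprop/${REPLICA_HOST}@${REALM}\$"
}

# Runs every check, prints findings, and returns 1 on a hard failure.
check_replica() {
    status=0
    if acl_allows_primary; then
        echo "ok: kpropd.acl allows host/${PRIMARY_HOST}@${REALM}"
    else
        echo "FAIL: kpropd.acl does not list host/${PRIMARY_HOST}@${REALM}"
        status=1
    fi
    bad=$(acl_unqualified_entries)
    [ -n "$bad" ] && echo "warn: unqualified kpropd.acl entries: $bad"
    if iprop_enabled; then
        echo "ok: iprop enabled, poll interval $(iprop_poll_interval)"
        if keytab_has_kiprop; then
            echo "ok: keytab holds kiprop/${REPLICA_HOST}@${REALM}"
        else
            echo "FAIL: kiprop/${REPLICA_HOST}@${REALM} missing from keytab"
            status=1
        fi
    else
        echo "info: iprop disabled; kpropd only accepts full dumps from kprop"
    fi
    return $status
}

check_replica
```

       The ACL check uses a whole-line match on purpose: kpropd compares the
       authenticated principal of the connecting kprop against each entry,
       so an entry without a realm or with a stray suffix silently admits
       nothing, which the unqualified-entry warning makes visible before the
       first propagation attempt fails.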
ENVIRONMENT

       See kerberos for a description of Kerberos environment variables.


SEE ALSO

       kprop, kdb5_util, krb5kdc, kerberos, inetd(8)


AUTHOR

       MIT

COPYRIGHT

       1985-2022, MIT

1.19.2                                                               KPROPD(8)