.. _kpropd(8):

kpropd
======

SYNOPSIS
--------

**kpropd**
[**-r** *realm*]
[**-A** *admin_server*]
[**-a** *acl_file*]
[**-f** *replica_dumpfile*]
[**-F** *principal_database*]
[**-p** *kdb5_util_prog*]
[**-P** *port*]
[**--pid-file**\ =\ *pid_file*]
[**-D**]
[**-d**]
[**-s** *keytab_file*]

DESCRIPTION
-----------

The *kpropd* command runs on the replica KDC server.  It listens for
update requests made by the :ref:`kprop(8)` program.  If incremental
propagation is enabled, it periodically requests incremental updates
from the primary KDC.

When the replica receives a kprop request from the primary, kpropd
accepts the dumped KDC database and places it in a file, and then runs
:ref:`kdb5_util(8)` to load the dumped database into the active
database which is used by :ref:`krb5kdc(8)`.  This allows the primary
Kerberos server to use :ref:`kprop(8)` to propagate its database to
the replica servers.  Upon a successful download of the KDC database
file, the replica Kerberos server will have an up-to-date KDC
database.

Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service.  This is done by adding a line to
the ``/etc/inetd.conf`` file which looks like this::

    kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd

kpropd can also run as a standalone daemon, backgrounding itself and
waiting for connections on port 754 (or the port specified with the
**-P** option if given).  Standalone mode is required for incremental
propagation.  Starting in release 1.11, kpropd automatically detects
whether it was run from inetd and runs in standalone mode if it is
not.  Prior to release 1.11, the **-S** option is required to run
kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.

Incremental propagation may be enabled with the **iprop_enable**
variable in :ref:`kdc.conf(5)`.
If incremental propagation is
enabled, the replica periodically polls the primary KDC for updates, at
an interval determined by the **iprop_replica_poll** variable.  If the
replica receives updates, kpropd updates its log file with any updates
from the primary.  :ref:`kproplog(8)` can be used to view a summary of
the update entry log on the replica KDC.  If incremental propagation
is enabled, the principal ``kiprop/replicahostname@REALM`` (where
*replicahostname* is the name of the replica KDC host, and *REALM* is
the name of the Kerberos realm) must be present in the replica's
keytab file.

:ref:`kproplog(8)` can be used to force full replication when iprop is
enabled.


OPTIONS
--------

**-r** *realm*
    Specifies the realm of the primary server.

**-A** *admin_server*
    Specifies the server to be contacted for incremental updates; by
    default, the primary admin server is contacted.

**-f** *file*
    Specifies the filename where the dumped principal database file is
    to be stored; by default the dumped database file is |kdcdir|\
    ``/from_master``.

**-F** *kerberos_db*
    Path to the Kerberos database file, if not the default.

**-p**
    Allows the user to specify the pathname to the :ref:`kdb5_util(8)`
    program; by default the pathname used is |sbindir|\
    ``/kdb5_util``.

**-D**
    In this mode, kpropd will not detach itself from the current job
    and run in the background.  Instead, it will run in the
    foreground.

**-d**
    Turn on debug mode.  kpropd will print out debugging messages
    during the database propagation and will run in the foreground
    (implies **-D**).

**-P**
    Allow for an alternate port number for kpropd to listen on.  This
    is only useful in combination with the **-S** option.

**-a** *acl_file*
    Allows the user to specify the path to the kpropd.acl file; by
    default the path used is |kdcdir|\ ``/kpropd.acl``.

**--pid-file**\ =\ *pid_file*
    In standalone mode, write the process ID of the daemon into
    *pid_file*.

**-s** *keytab_file*
    Path to a keytab to use for acquiring acceptor credentials.

**-x** *db_args*
    Database-specific arguments.  See :ref:`Database Options
    <dboptions>` in :ref:`kadmin(1)` for supported arguments.


FILES
-----

kpropd.acl
    Access file for kpropd; the default location is
    ``/usr/local/var/krb5kdc/kpropd.acl``.  Each entry is a line
    containing the principal of a host from which the local machine
    will allow Kerberos database propagation via :ref:`kprop(8)`.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
:ref:`kerberos(7)`, inetd(8)
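
The kpropd.acl file described under FILES decides which hosts may push a database to this replica. The shell check below is an added example, not part of MIT krb5: it flags entries that are not host principals in the expected realm, and a file that is writable by group or others. The ``host/<fqdn>@REALM`` entry form, the function names, and the sample hostnames and realm are assumptions of this example.

```shell
# Added example, not part of MIT krb5: audit a kpropd.acl file.
# Assumption: every entry should be host/<fqdn>@<REALM> for the realm
# passed as $2; anything else is reported for manual review.
audit_kpropd_acl() {
    acl_file=$1 realm=$2 findings=0 lineno=0
    [ -r "$acl_file" ] || { echo "cannot read $acl_file" >&2; return 2; }

    # Any principal listed here may push a full database to this replica,
    # so the file must not be writable by group or others.
    if [ -n "$(find "$acl_file" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$acl_file: writable by group or others"
        findings=$((findings + 1))
    fi

    while IFS= read -r entry || [ -n "$entry" ]; do
        lineno=$((lineno + 1))
        [ -n "$entry" ] || continue   # skip blank lines
        ok=no
        case $entry in
            host/*@"$realm")
                host=${entry#host/}
                host=${host%"@$realm"}
                # Require a non-empty hostname of DNS characters only.
                case $host in
                    ''|*[!A-Za-z0-9.-]*) ;;
                    *) ok=yes ;;
                esac ;;
        esac
        if [ "$ok" = no ]; then
            echo "line $lineno: unexpected entry: $entry"
            findings=$((findings + 1))
        fi
    done < "$acl_file"
    [ "$findings" -eq 0 ]   # status 0 only when nothing was flagged
}

# Constructed sample ACL; hostnames and realm are placeholders.
write_sample_acl() {
    cat > "$1" <<'EOF'
host/kdc1.example.com@EXAMPLE.COM
host/kdc2.example.com@OTHER.EXAMPLE
alice/admin@EXAMPLE.COM
host/@EXAMPLE.COM
EOF
}

sample=$(mktemp) && write_sample_acl "$sample"
audit_kpropd_acl "$sample" EXAMPLE.COM || echo "review the entries above"
rm -f "$sample"
```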