.. _kpropd(8):

kpropd
======

SYNOPSIS
--------

**kpropd**
[**-r** *realm*]
[**-A** *admin_server*]
[**-a** *acl_file*]
[**-f** *replica_dumpfile*]
[**-F** *principal_database*]
[**-p** *kdb5_util_prog*]
[**-P** *port*]
[**--pid-file**\ =\ *pid_file*]
[**-D**]
[**-d**]
[**-s** *keytab_file*]

DESCRIPTION
-----------

The *kpropd* command runs on the replica KDC server. It listens for
update requests made by the :ref:`kprop(8)` program. If incremental
propagation is enabled, it periodically requests incremental updates
from the primary KDC.

When the replica receives a kprop request from the primary, kpropd
accepts the dumped KDC database and places it in a file, and then runs
:ref:`kdb5_util(8)` to load the dumped database into the active
database which is used by :ref:`krb5kdc(8)`. This allows the primary
Kerberos server to use :ref:`kprop(8)` to propagate its database to
the replica servers. Upon a successful download of the KDC database
file, the replica Kerberos server will have an up-to-date KDC
database.

Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service. This is done by adding a line to
the ``/etc/inetd.conf`` file which looks like this::

    kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

kpropd can also run as a standalone daemon, backgrounding itself and
waiting for connections on port 754 (or the port specified with the
**-P** option if given). Standalone mode is required for incremental
propagation. Starting in release 1.11, kpropd automatically detects
whether it was run from inetd and runs in standalone mode if it is
not. Prior to release 1.11, the **-S** option is required to run
kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.

Incremental propagation may be enabled with the **iprop_enable**
variable in :ref:`kdc.conf(5)`. If incremental propagation is
enabled, the replica periodically polls the primary KDC for updates, at
an interval determined by the **iprop_replica_poll** variable. If the
replica receives updates, kpropd updates its log file with any updates
from the primary. :ref:`kproplog(8)` can be used to view a summary of
the update entry log on the replica KDC. If incremental propagation
is enabled, the principal ``kiprop/replicahostname@REALM`` (where
*replicahostname* is the name of the replica KDC host, and *REALM* is
the name of the Kerberos realm) must be present in the replica's
keytab file.

:ref:`kproplog(8)` can be used to force full replication when iprop is
enabled.


OPTIONS
--------

**-r** *realm*
    Specifies the realm of the primary server.

**-A** *admin_server*
    Specifies the server to be contacted for incremental updates; by
    default, the primary admin server is contacted.

**-f** *file*
    Specifies the filename where the dumped principal database file is
    to be stored; by default the dumped database file is |kdcdir|\
    ``/from_master``.

**-F** *kerberos_db*
    Path to the Kerberos database file, if not the default.

**-p**
    Allows the user to specify the pathname to the :ref:`kdb5_util(8)`
    program; by default the pathname used is |sbindir|\
    ``/kdb5_util``.

**-D**
    In this mode, kpropd will not detach itself from the current job
    and run in the background. Instead, it will run in the
    foreground.

**-d**
    Turn on debug mode. kpropd will print out debugging messages
    during the database propagation and will run in the foreground
    (implies **-D**).

**-P**
    Allow for an alternate port number for kpropd to listen on. This
    is only useful in combination with the **-S** option.

**-a** *acl_file*
    Allows the user to specify the path to the kpropd.acl file; by
    default the path used is |kdcdir|\ ``/kpropd.acl``.

**--pid-file**\ =\ *pid_file*
    In standalone mode, write the process ID of the daemon into
    *pid_file*.

**-s** *keytab_file*
    Path to a keytab to use for acquiring acceptor credentials.

**-x** *db_args*
    Database-specific arguments. See :ref:`Database Options
    <dboptions>` in :ref:`kadmin(1)` for supported arguments.


FILES
-----

kpropd.acl
    Access file for kpropd; the default location is
    ``/usr/local/var/krb5kdc/kpropd.acl``. Each entry is a line
    containing the principal of a host from which the local machine
    will allow Kerberos database propagation via :ref:`kprop(8)`.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
:ref:`kerberos(7)`, inetd(8)
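
The following is an added example, not part of the original manual page or the krb5 project's code: a small Python audit of the kpropd.acl file described under FILES, flagging entries that would let a principal other than an expected primary KDC propagate a database to this replica. The ``host/<fqdn>@REALM`` entry shape, the sample ACL contents, and the host and realm names are assumptions constructed for illustration.

```python
import re

# Assumed entry shape for this example: host/<fqdn>@<REALM>, one per line.
ENTRY_RE = re.compile(r"^host/(?P<host>[A-Za-z0-9.-]+)@(?P<realm>[A-Za-z0-9.-]+)$")

# Constructed sample ACL; hostnames and realms are illustrative only.
SAMPLE_ACL = """\
host/kdc1.example.com@EXAMPLE.COM
host/kdc1.example.com@EXAMPLE.COM
host/build7.example.com@EXAMPLE.COM
host/kdc1.example.com@TEST.EXAMPLE.COM
admin/admin@EXAMPLE.COM
"""


def audit_acl(acl_text, realm, expected_hosts):
    """Audit kpropd.acl text; return (findings, missing).

    findings: (line_number, entry, reason) for each entry to review.
    missing:  expected primary hosts that have no valid entry.
    """
    expected = {h.lower() for h in expected_hosts}
    seen = set()
    findings = []
    for lineno, raw in enumerate(acl_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if m is None:
            findings.append((lineno, entry, "not a host principal"))
            continue
        host = m.group("host").lower()
        if m.group("realm") != realm:
            findings.append((lineno, entry, "unexpected realm"))
        elif host not in expected:
            findings.append((lineno, entry, "host is not an expected primary"))
        elif host in seen:
            findings.append((lineno, entry, "duplicate entry"))
        else:
            seen.add(host)
    return findings, sorted(expected - seen)


if __name__ == "__main__":
    found, missing = audit_acl(
        SAMPLE_ACL, "EXAMPLE.COM", ["kdc1.example.com", "kdc2.example.com"])
    for lineno, entry, reason in found:
        print(f"line {lineno}: {entry}: {reason}")
    print("expected primaries with no entry:", missing)
```

Run it against the real file by passing its contents as ``acl_text`` together with the realm and the list of hosts that are supposed to act as primary.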