kpropd(8) [osx man page]
KPROPD(8) System Manager's Manual KPROPD(8) NAME
kpropd - Kerberos V5 slave KDC update server SYNOPSIS
kpropd [ -r realm ] [ -f slave_dumpfile ] [ -F principal_database ] [ -p kdb5_util_prog ] [ -d ] [ -S ] [ -P port ] DESCRIPTION
The kpropd command runs on the slave KDC server. It listens for update requests made by the kprop(8) program, and periodically requests incremental updates from the master KDC. When the slave receives a kprop request from the master, kpropd accepts the dumped KDC database and places it in a file, and then runs kdb5_util(8) to load the dumped database into the active database which is used by krb5kdc(8). Thus, the master Kerberos server can use kprop(8) to propagate its database to the slave slavers. Upon a successful download of the KDC database file, the slave Kerberos server will have an up-to-date KDC database. Normally, kpropd is invoked out of inetd(8). This is done by adding a line to the inetd.conf file which looks like this: kprop stream tcp nowait root /usr/sbin/kpropd kpropd However, kpropd can also run as a standalone deamon, if the -S option is turned on. This is done for debugging purposes, or if for some reason the system administrator just doesn't want to run it out of inetd(8). When the slave periodically requests incremental updates, kpropd updates its principal.ulog file with any updates from the master. kpro- plog(8) can be used to view a summary of the update entry log on the slave KDC. Incremental propagation is not enabled by default; it can be enabled using the iprop_enable and iprop_slave_poll settings in kdc.conf(5). The principal "kiprop/slavehostname@REALM" (where "slave- hostname" is the name of the slave KDC host, and "REALM" is the name of the Kerberos realm) must be present in the slave's keytab file. OPTIONS
-r realm specifies the realm of the master server; by default the realm returned by krb5_default_local_realm(3) is used. -f file specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is KPROPD_DEFAULT_FILE (normally /var/db/krb5kdc/from_master). -p allows the user to specify the pathname to the kdb5_util(8) program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL (nor- mally /usr/sbin/kdb5_util). -S turn on standalone mode. Normally, kpropd is invoked out of inetd(8) so it expects a network connection to be passed to it from inetd (8). If the -S option is specified, kpropd will put itself into the background, and wait for connections to the KPROP_SERVICE port (normally krb5_prop). -d turn on debug mode. In this mode, if the -S option is selected, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground and print out debugging messages during the database propagation. -P allow for an alternate port number for kpropd to listen on. This is only useful if the program is run in standalone mode. -a allows the user to specify the path to the kpropd.acl file; by default the path used is KPROPD_ACL_FILE (normally /var/db/krb5kdc/kpropd.acl). FILES
kpropd.acl Access file for kpropd; the default location is KPROPD_ACL_FILE (normally /var/db/krb5kdc/kpropd.acl). Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via kprop. SEE ALSO
kprop(8), kdb5_util(8), krb5kdc(8), inetd(8) KPROPD(8)
Check Out this Related Man Page
kpropd(1M) kpropd(1M) NAME
kpropd - Kerberos propagation daemon for slave KDCs SYNOPSIS
/usr/lib/krb5/kpropd [-d] [-f temp_dbfile] [-F dbfile] [-p kdb_util] [-P port_number] [-r realm] [-s srv_tabfile] [-S] [-a acl_file] The kpropd command runs on the slave KDC server. It listens for update requests made by kprop(1M) from the master KDC and periodically requests incremental updates from the master KDC. When the slave receives a kprop request from the master, kpropd copies principal data to a temporary text file. Next, kpropd invokes kdb5_util(1M) (unless a different database utility is selected) to load the text file in database format. When the slave periodically requests incremental updates, kpropd update its principal.ulog file with any updates from the master. kpro- plog(1M) can be used to view a summary of the update entry log on the slave KDC. kpropd is not configured for incremental database propagation by default. These settings can be changed in the kdc.conf(4) file: sunw_dbprop_enable = [true | false] Enables or disables incremental database propagation. Default is false. sunw_dbprop_slave_poll = N[s, m, h] Specifies how often the slave KDC polls for any updates that the master might have. Default is 2m (two minutes). The kiprop/<hostname>@<REALM> principal must exist in the slave's keytab file to enable the master to authenticate incremental propagation requests from the slave. In this syntax, <hostname> is the slave KDC's host name and <REALM> is the realm in which the slave KDC resides. The following options are supported: -d Enable debug mode. Default is debug mode disabled. -f temp_dbfile The location of the slave's temporary principal database file. Default is /var/krb5/from_master. -F dbfile The location of the slave's principal database file. Default is /var/krb5/principal. -p kdb_util The location of the Kerberos database utility used for loading principal databases. Default is /usr/sbin/kdb5_util. -P port_number Specifies the port number on which kpropd will listen. Default is 754 (service name: krb5_prop). -r realm Specifies from which Kerberos realm kpropd will receive information. Default is specified in /etc/krb5/krb5.conf. -s srv_tabfile The location of the service table file used to authenticate the kpropd daemon. -S Run the daemon in standalone mode, instead of having inetd listen for requests. Default is non-standalone mode. -a acl_file The location of the kpropd's access control list to verify if this server can run the kpropd daemon. The file contains a list of prin- cipal name(s) that will be receiving updates. Default is /etc/krb5/kpropd.acl. /var/krb5/principal Kerberos principal database. /var/krb5/principal.ulog The update log file. /etc/krb5/kdc.conf KDC configuration information. /etc/krb5/kpropd.acl List of principals of all the KDCs; resides on each slave KDC. /var/krb5/from_master Temporary file used by kpropd before loading this to the principal database. See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWkdcu | +-----------------------------+-----------------------------+ |Interface Stability |Evolving | +-----------------------------+-----------------------------+ kdb5_util(1M), kprop(1M), kproplog(1M), kdc.conf(4), krb5.conf(4), attributes(5), SEAM(5) The kprop service is managed by the service management facility, smf(5), under the service identifier: svc:/network/security/krb5_prop:default Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(1M). Responsibil- ity for initiating and restarting this service is delegated to inetd(1M). Use inetadm(1M) to make configuration changes and to view config- uration information for this service. The service's status can be queried using the svcs(1) command. 11 Jul 2005 kpropd(1M)