Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019

kpropd (8)


kpropd - Kerberos V5 slave KDC update server


kpropd  [-r  realm] [-A admin_server] [-a acl_file] [-f slave_dumpfile]
[-F    principal_database]    [-p     kdb5_util_prog]     [-P     port]
[--pid-file=pid_file] [-d] [-t]


KPROPD(8)                        MIT Kerberos                        KPROPD(8)

       kpropd - Kerberos V5 slave KDC update server

       kpropd  [-r  realm] [-A admin_server] [-a acl_file] [-f slave_dumpfile]
       [-F    principal_database]    [-p     kdb5_util_prog]     [-P     port]
       [--pid-file=pid_file] [-d] [-t]

       The kpropd command runs on the slave KDC server.  It listens for update
       requests made by the kprop(8) program.  If incremental  propagation  is
       enabled,  it  periodically requests incremental updates from the master

       When the slave receives a kprop request from the master, kpropd accepts
       the  dumped  KDC  database  and  places  it  in  a  file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is  used  by krb5kdc(8).  This allows the master Kerberos server to use
       kprop(8) to propagate its database to the slave servers.  Upon  a  suc-
       cessful  download  of  the KDC database file, the slave Kerberos server
       will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is  commonly  invoked
       out  of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

          kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon,  backgrounding  itself  and
       waiting  for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental propaga-
       tion.   Starting  in release 1.11, kpropd automatically detects whether
       it was run from inetd and runs in standalone mode if it is not.   Prior
       to  release 1.11, the -S option is required to run kpropd in standalone
       mode; this option is now accepted for backward compatibility  but  does

       Incremental  propagation  may be enabled with the iprop_enable variable
       in kdc.conf(5).  If incremental propagation is enabled, the slave peri-
       odically polls the master KDC for updates, at an interval determined by
       the iprop_slave_poll variable.  If the slave receives  updates,  kpropd
       updates its log file with any updates from the master.  kproplog(8) can
       be used to view a summary of the update entry log on the slave KDC.  If
       incremental  propagation  is  enabled,  the principal kiprop/slavehost-
       name@REALM (where slavehostname is the name of the slave KDC host,  and
       REALM is the name of the Kerberos realm) must be present in the slave's
       keytab file.

       kproplog(8) can be  used  to  force  full  replication  when  iprop  is

       -r realm
              Specifies the realm of the master server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the master admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database  file
              is  to  be  stored;  by  default  the  dumped  database  file is

       -p     Allows the user to specify the pathname to the kdb5_util(8) pro-
              gram; by default the pathname used is /usr/sbin/kdb5_util.

       -d     Turn on debug mode.  In this mode, kpropd will not detach itself
              from the current job and run in  the  background.   Instead,  it
              will run in the foreground and print out debugging messages dur-
              ing the database propagation.

       -t     In standalone mode without incremental propagation,  exit  after
              one  dump  file  is  received.  In incremental propagation mode,
              exit as soon as the database is up to date,  or  if  the  master
              returns an error.

       -P     Allow  for  an  alternate  port  number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl  file;  by
              default the path used is /var/krb5/kpropd.acl.

              In  standalone  mode,  write  the  process ID of the daemon into

       kpropd uses the following environment variables:

       o KRB5_CONFIG


              Access   file   for   kpropd;   the    default    location    is
              /usr/local/var/krb5kdc/kpropd.acl.   Each  entry  is a line con-
              taining the principal of a host from  which  the  local  machine
              will allow Kerberos database propagation via kprop(8).

       See attributes(7) for descriptions of the following attributes:

       |Availability   | security/kerberos-5/kdc |
       |Stability      | Pass-through committed  |
       kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)


       1985-2018, MIT

       The  kprop  service  is  managed  by  the  service management facility,
       smf(5), under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting  restart,  can  be performed using svcadm(1M). The service's
       status can be queried using the svcs(1) command.

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source     was      downloaded      from       https://web.mit.edu/ker-

       Further information about this software can be found on the open source
       community website at https://web.mit.edu/kerberos/.

1.16.1                                                               KPROPD(8)