Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022

kpropd (8)


kpropd - Kerberos V5 replica KDC update server


kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile]
[-F    principal_database]    [-p     kdb5_util_prog]     [-P     port]
[--pid-file=pid_file] [-d] [-t]


KPROPD(8)                        MIT Kerberos                        KPROPD(8)

       kpropd - Kerberos V5 replica KDC update server

       kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile]
       [-F    principal_database]    [-p     kdb5_util_prog]     [-P     port]
       [--pid-file=pid_file] [-d] [-t]

       The  kpropd  command  runs  on  the replica KDC server.  It listens for
       update requests made by the kprop(8) program.  If incremental  propaga-
       tion  is enabled, it periodically requests incremental updates from the
       master KDC.

       When the replica receives a  kprop  request  from  the  master,  kpropd
       accepts  the dumped KDC database and places it in a file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is  used  by krb5kdc(8).  This allows the master Kerberos server to use
       kprop(8) to propagate its database to the replica servers.  Upon a suc-
       cessful  download of the KDC database file, the replica Kerberos server
       will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is  commonly  invoked
       out  of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

          kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon,  backgrounding  itself  and
       waiting  for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental propaga-
       tion.   Starting  in release 1.11, kpropd automatically detects whether
       it was run from inetd and runs in standalone mode if it is not.   Prior
       to  release 1.11, the -S option is required to run kpropd in standalone
       mode; this option is now accepted for backward compatibility  but  does

       Incremental  propagation  may be enabled with the iprop_enable variable
       in kdc.conf(5).  If incremental propagation  is  enabled,  the  replica
       periodically  polls  the  master KDC for updates, at an interval deter-
       mined by the iprop_replica_poll  variable.   If  the  replica  receives
       updates,  kpropd updates its log file with any updates from the master.
       kproplog(8) can be used to view a summary of the update  entry  log  on
       the  replica KDC.  If incremental propagation is enabled, the principal
       kiprop/replicahostname@REALM (where replicahostname is the name of  the
       replica  KDC host, and REALM is the name of the Kerberos realm) must be
       present in the replica's keytab file.

       kproplog(8) can be  used  to  force  full  replication  when  iprop  is

       -r realm
              Specifies the realm of the master server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the master admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database  file
              is  to  be  stored;  by  default  the  dumped  database  file is

       -p     Allows the user to specify the pathname to the kdb5_util(8) pro-
              gram; by default the pathname used is /usr/sbin/kdb5_util.

       -d     Turn on debug mode.  In this mode, kpropd will not detach itself
              from the current job and run in  the  background.   Instead,  it
              will run in the foreground and print out debugging messages dur-
              ing the database propagation.

       -t     In standalone mode without incremental propagation,  exit  after
              one  dump  file  is  received.  In incremental propagation mode,
              exit as soon as the database is up to date,  or  if  the  master
              returns an error.

       -P     Allow  for  an  alternate  port  number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl  file;  by
              default the path used is /var/krb5/kpropd.acl.

              In  standalone  mode,  write  the  process ID of the daemon into

       kpropd uses the following environment variables:

       o KRB5_CONFIG


              Access   file   for   kpropd;   the    default    location    is
              /usr/local/var/krb5kdc/kpropd.acl.   Each  entry  is a line con-
              taining the principal of a host from  which  the  local  machine
              will allow Kerberos database propagation via kprop(8).

       See kerberos(7) for a description of Kerberos environment variables.

       See attributes(7) for descriptions of the following attributes:

       |Availability   | security/kerberos-5/kdc |
       |Stability      | Pass-through committed  |

       kprop(8), kdb5_util(8), krb5kdc(8), kerberos(7), inetd(8)


       1985-2021, MIT

       The  kprop  service  is  managed  by  the  service management facility,
       smf(7), under the service identifier:


       Administrative actions on this service, such as enabling, disabling, or
       requesting  restart,  can  be  performed using svcadm(8). The service's
       status can be queried using the svcs(1) command.

       Source code for open source software components in Oracle  Solaris  can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source      was      downloaded      from       http://web.mit.edu/ker-

       Further information about this software can be found on the open source
       community website at http://web.mit.edu/kerberos/.

1.18.4                                                               KPROPD(8)