kpropd - Kerberos V5 replica KDC update server
kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile] [-F principal_database] [-p kdb5_util_prog] [-P port] [--pid-file=pid_file] [-d] [-t]
KPROPD(8) MIT Kerberos KPROPD(8) NAME kpropd - Kerberos V5 replica KDC update server SYNOPSIS kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile] [-F principal_database] [-p kdb5_util_prog] [-P port] [--pid-file=pid_file] [-d] [-t] DESCRIPTION The kpropd command runs on the replica KDC server. It listens for update requests made by the kprop(8) program. If incremental propaga- tion is enabled, it periodically requests incremental updates from the master KDC. When the replica receives a kprop request from the master, kpropd accepts the dumped KDC database and places it in a file, and then runs kdb5_util(8) to load the dumped database into the active database which is used by krb5kdc(8). This allows the master Kerberos server to use kprop(8) to propagate its database to the replica servers. Upon a suc- cessful download of the KDC database file, the replica Kerberos server will have an up-to-date KDC database. Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to the /etc/inetd.conf file which looks like this: kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd kpropd can also run as a standalone daemon, backgrounding itself and waiting for connections on port 754 (or the port specified with the -P option if given). Standalone mode is required for incremental propaga- tion. Starting in release 1.11, kpropd automatically detects whether it was run from inetd and runs in standalone mode if it is not. Prior to release 1.11, the -S option is required to run kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. Incremental propagation may be enabled with the iprop_enable variable in kdc.conf(5). If incremental propagation is enabled, the replica periodically polls the master KDC for updates, at an interval deter- mined by the iprop_replica_poll variable. If the replica receives updates, kpropd updates its log file with any updates from the master. kproplog(8) can be used to view a summary of the update entry log on the replica KDC. If incremental propagation is enabled, the principal kiprop/replicahostname@REALM (where replicahostname is the name of the replica KDC host, and REALM is the name of the Kerberos realm) must be present in the replica's keytab file. kproplog(8) can be used to force full replication when iprop is enabled. OPTIONS -r realm Specifies the realm of the master server. -A admin_server Specifies the server to be contacted for incremental updates; by default, the master admin server is contacted. -f file Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is /var/krb5/from_master. -p Allows the user to specify the pathname to the kdb5_util(8) pro- gram; by default the pathname used is /usr/sbin/kdb5_util. -d Turn on debug mode. In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground and print out debugging messages dur- ing the database propagation. -t In standalone mode without incremental propagation, exit after one dump file is received. In incremental propagation mode, exit as soon as the database is up to date, or if the master returns an error. -P Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the -S option. -a acl_file Allows the user to specify the path to the kpropd.acl file; by default the path used is /var/krb5/kpropd.acl. --pid-file=pid_file In standalone mode, write the process ID of the daemon into pid_file. ENVIRONMENT kpropd uses the following environment variables: o KRB5_CONFIG o KRB5_KDC_PROFILE FILES kpropd.acl Access file for kpropd; the default location is /usr/local/var/krb5kdc/kpropd.acl. Each entry is a line con- taining the principal of a host from which the local machine will allow Kerberos database propagation via kprop(8). ENVIRONMENT See kerberos(7) for a description of Kerberos environment variables. ATTRIBUTES See attributes(7) for descriptions of the following attributes: +---------------+-------------------------+ |ATTRIBUTE TYPE | ATTRIBUTE VALUE | +---------------+-------------------------+ |Availability | security/kerberos-5/kdc | +---------------+-------------------------+ |Stability | Pass-through committed | +---------------+-------------------------+ SEE ALSO kprop(8), kdb5_util(8), krb5kdc(8), kerberos(7), inetd(8) AUTHOR MIT COPYRIGHT 1985-2021, MIT NOTES The kprop service is managed by the service management facility, smf(7), under the service identifier: svc:/network/security/krb5_prop:default Administrative actions on this service, such as enabling, disabling, or requesting restart, can be performed using svcadm(8). The service's status can be queried using the svcs(1) command. Source code for open source software components in Oracle Solaris can be found at https://www.oracle.com/downloads/opensource/solaris-source- code-downloads.html. This software was built from source available at https://github.com/oracle/solaris-userland. The original community source was downloaded from http://web.mit.edu/ker- beros/dist/krb5/1.18/krb5-1.18.4.tar.gz. Further information about this software can be found on the open source community website at http://web.mit.edu/kerberos/. 1.18.4 KPROPD(8)