
FreeBSD Manual Pages


KPROPD(8)			 MIT Kerberos			     KPROPD(8)

       kpropd - Kerberos V5 replica KDC update server

       kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile]
       [-F principal_database] [-p kdb5_util_prog] [-P port]
       [--pid-file=pid_file] [-d] [-t]

       The kpropd command runs on the replica KDC server.  It listens for
       update requests made by the kprop(8) program.  If incremental
       propagation is enabled, it periodically requests incremental updates
       from the master KDC.

       When the replica receives a kprop request from the master, kpropd
       accepts the dumped KDC database and places it in a file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is used by krb5kdc(8).  This allows the master Kerberos server to use
       kprop(8) to propagate its database to the replica servers.  Upon a
       successful download of the KDC database file, the replica Kerberos
       server will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is commonly invoked
       out of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

	  kprop	 stream	 tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon, backgrounding itself and
       waiting for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental
       propagation.  Starting in release 1.11, kpropd automatically detects
       whether it was run from inetd and runs in standalone mode if it is not.
       Prior to release 1.11, the -S option is required to run kpropd in
       standalone mode; this option is now accepted for backward compatibility
       but does

       Incremental propagation may be enabled with the iprop_enable variable
       in kdc.conf(5).  If incremental propagation is enabled, the replica
       periodically polls the master KDC for updates, at an interval
       determined by the iprop_replica_poll variable.  If the replica receives
       updates, kpropd updates its log file with any updates from the master.
       kproplog(8) can be used to view a summary of the update entry log on
       the replica KDC.  If incremental propagation is enabled, the principal
       kiprop/replicahostname@REALM (where replicahostname is the name of the
       replica KDC host, and REALM is the name of the Kerberos realm) must be
       present in the replica's keytab file.

       kproplog(8) can be used to force full replication when iprop is en-

       -r realm
              Specifies the realm of the master server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the master admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database file
              is to be stored; by default the dumped database file is /usr/lo-

       -p     Allows the user to specify the pathname to the kdb5_util(8)
              program; by default the pathname used is
              /usr/local/sbin/kdb5_util.

       -d     Turn on debug mode.  In this mode, kpropd will not detach itself
              from the current job and run in the background.  Instead, it
              will run in the foreground and print out debugging messages
              during the database propagation.

       -t     In standalone mode without incremental propagation, exit after
              one dump file is received.  In incremental propagation mode,
              exit as soon as the database is up to date, or if the master
              returns an error.

       -P     Allow for an alternate port number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl file; by
              default the path used is /usr/local/var/krb5kdc/kpropd.acl.

              In standalone mode, write the process ID of the daemon into

       kpropd uses the following environment variables:

       o KRB5_CONFIG


              Access file for kpropd; the default location is
              /usr/local/var/krb5kdc/kpropd.acl.  Each entry is a line
              containing the principal of a host from which the local machine
              will allow Kerberos database propagation via kprop(8).
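
       Because every line in kpropd.acl names a host that may overwrite the
       replica's database, the file is worth auditing.  The script below is an
       added example, not part of MIT Kerberos or of this manual page; the
       function name audit_kpropd_acl, the host/<fqdn>@<realm> policy it
       enforces, and the example.com names are assumptions.

```sh
#!/bin/sh
# Added example: audit kpropd.acl entries against an ASSUMED site policy that
# every entry is host/<fqdn>@<expected realm>. Not part of MIT Kerberos.

audit_kpropd_acl() {
    acl=$1 realm=$2 findings=0 n=0
    tab=$(printf '\t')
    # A world-writable ACL lets any local user add a propagation source.
    if [ -n "$(find "$acl" -prune -perm -002 2>/dev/null)" ]; then
        echo "file: world-writable: $acl"; findings=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '') continue ;;
            *" "*|*"$tab"*) msg="whitespace in entry" ;;
            host/*@"$realm")
                # Isolate the hostname between "host/" and "@REALM".
                h=${line#host/}; h=${h%@"$realm"}
                case $h in
                    ''|*[!A-Za-z0-9.-]*) msg="malformed hostname" ;;
                    *.*) continue ;;
                    *) msg="hostname not fully qualified" ;;
                esac ;;
            host/*) msg="unexpected realm" ;;
            *) msg="not a host principal" ;;
        esac
        echo "line $n: $msg: $line"; findings=1
    done < "$acl"
    # Exit status 0 means no findings, 1 means at least one.
    return "$findings"
}

# Constructed sample file (example.com names are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
host/kdc-master.example.com@EXAMPLE.COM
admin/admin@EXAMPLE.COM
host/kdc-old@EXAMPLE.COM
host/kdc-master.example.com@TEST.EXAMPLE.COM
EOF
audit_kpropd_acl "$sample" EXAMPLE.COM || echo "kpropd.acl needs review"
rm -f "$sample"
```

       On a replica, pass the path given with -a (or the default location
       above) and the realm of the master server.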

       See kerberos(7) for a description of Kerberos environment variables.

       kprop(8), kdb5_util(8), krb5kdc(8), kerberos(7), inetd(8)


       1985-2020, MIT

1.19								     KPROPD(8)

