.\"
.\"
.\"
.TH KPROP 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kprop \- network utility for Kerberos database propagation
.SH SYNOPSIS
.B kprop database slaves_file [-force] [-safe | -clear] [-realm realm]
.SH DESCRIPTION
The
.I kprop
daemon runs on a Kerberos master and propagates the Kerberos
database to the Kerberos slaves, where it is received by the waiting kpropd
daemon.
The first parameter,
.IR database ,
is the name of the file out of which data is
extracted. This file is not the db-formatted Kerberos database,
.IR /etc/kerberosIV/principal.db .
See the
.I db(3)
reference page for more
information. The database is a file created by the
.B kdb_util slave dump
command. It is an ASCII representation of the Kerberos database.
The second parameter that must be supplied is
.IR slaves_file ,
the name of the
file on the Kerberos master that lists the Kerberos slaves to which kprop
propagates the Kerberos master database. The slaves file contains one
line for each host running a secondary server, consisting of just the hostname
of the machine.
The Kerberos utility first determines whether the ASCII Kerberos database,
database, was correctly dumped by
.BR kdb_util .
It accomplishes this by
determining if database is older than the
.B database.dump.ok
file created by
.I kdb_util
during the slave dump operation. If it is older, the dump did not
succeed or is not yet finished. If the dump did not complete successfully
or has not yet completed, the master database is not transferred to any
Kerberos slave. Otherwise,
.I kprop
determines, for each slave server listed
in the slaves file, whether or not the database has changed since the last
successful transfer to the slave. It determines this for slave server
.I cactus
by comparing the modification time of the
.I cactus-last-prop
file, which is stored in the same directory as the slaves file,
with the modification time of database. If the
.I /etc/cactus-last-prop
file
is newer, then the database need not be transferred to
.IR cactus .
Finally,
.I kprop
propagates the database to those servers which need a new
copy of the database and updates the modification time of the
.I /etc/server-last-prop
file for these slave servers.
.PP
If the
.B \-safe
option is specified, the data sent over the network is guaranteed to be
authenticated at the destination and protected against modifications
in transit. That is, kprop and kpropd, which are Kerberos principals,
become Kerberos-authenticated to each other and send messages
formatted by krb_mk_safe.
.PP
If the
.B \-clear
option is specified, all of the data will be sent in cleartext (unencrypted).
This switch is useful when first setting up the Kerberos environment.
.PP
If the
.B \-realm
option is specified, its argument is used as the current realm name rather
than the default specified in the
.B krb.conf(5)
file.
.PP
If the
.B \-force
option is specified,
.B kprop
is forced to propagate the Kerberos database to the slaves, even if there are
no recent changes to the database. Without the force flag, the Kerberos
database is not propagated if the database file has not changed since the last
successful transfer.
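.PP
The per-slave timestamp check and the effect of the force flag described above can be reproduced offline to list the slaves that are still serving an older copy of the database.
The following is an added example, not part of kprop or of the original page; the function names stale_slaves and demo and the hostnames agave and yucca are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the slaves kprop would consider out of date.
# Implements only the per-slave check from the DESCRIPTION; it contacts no host.
# Usage: stale_slaves DATABASE SLAVES_FILE [force]
stale_slaves() {
    db=$1 slaves=$2 force=${3:-}
    [ -r "$db" ] && [ -r "$slaves" ] || return 2
    dir=$(dirname "$slaves")    # HOST-last-prop files live beside the slaves file
    while IFS= read -r host || [ -n "$host" ]; do
        [ -n "$host" ] || continue          # skip blank lines
        case $host in
            */*) continue ;;                # never build a path outside $dir
        esac
        stamp="$dir/$host-last-prop"
        # A stamp newer than the dump means the slave already has this copy.
        # A missing or older stamp, or the force flag, means it needs a transfer.
        if [ "$force" = force ] || ! [ "$stamp" -nt "$db" ]; then
            echo "$host"
        fi
    done < "$slaves"
}

# Constructed sample data: cactus is up to date, agave is stale,
# yucca has never received the database.
demo() {
    d=$(mktemp -d) || return 1
    { echo cactus; echo agave; echo yucca; } > "$d/slaves"
    touch -t 202401010000 "$d/slave_dump"
    touch -t 202401020000 "$d/cactus-last-prop"
    touch -t 202312310000 "$d/agave-last-prop"
    stale_slaves "$d/slave_dump" "$d/slaves" "${1:-}"
    rm -rf "$d"
}
```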
.SH BUGS
This utility does not support the transfer of encrypted data.
The
.B \-clear
and
.B \-safe
options are not implemented.
.SH "SEE ALSO"
kerberos(1), kpropd(8)
.br
``A Subsystem Utilities Package for UNIX'' by Ken Raeburn