KPROPD(8)			 MIT Kerberos			     KPROPD(8)

NAME
       kpropd - Kerberos V5 replica KDC update server

SYNOPSIS
       kpropd [-r realm] [-A admin_server] [-a acl_file] [-f replica_dumpfile]
       [-F principal_database] [-p kdb5_util_prog] [-P port]
       [--pid-file=pid_file] [-D] [-d] [-s keytab_file]

DESCRIPTION
       The kpropd command runs on the replica KDC server.  It listens for
       update requests made by the kprop(8) program.  If incremental
       propagation is enabled, it periodically requests incremental updates
       from the primary KDC.

       When the replica receives a kprop request from the primary, kpropd
       accepts the dumped KDC database and places it in a file, and then runs
       kdb5_util(8) to load the dumped database into the active database which
       is used by krb5kdc(8).  This allows the primary Kerberos server to use
       kprop(8) to propagate its database to the replica servers.  Upon a
       successful download of the KDC database file, the replica Kerberos
       server will have an up-to-date KDC database.

       Where incremental propagation is not used, kpropd is commonly invoked
       out of inetd(8) as a nowait service.  This is done by adding a line to
       the /etc/inetd.conf file which looks like this:

	  kprop	 stream	 tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd can also run as a standalone daemon, backgrounding itself and
       waiting for connections on port 754 (or the port specified with the -P
       option if given).  Standalone mode is required for incremental
       propagation.  Starting in release 1.11, kpropd automatically detects
       whether it was run from inetd and runs in standalone mode if it is not.
       Prior to release 1.11, the -S option is required to run kpropd in
       standalone mode; this option is now accepted for backward compatibility
       but does nothing.

       Incremental propagation may be enabled with the iprop_enable variable
       in kdc.conf(5).  If incremental propagation is enabled, the replica
       periodically polls the primary KDC for updates, at an interval
       determined by the iprop_replica_poll variable.  If the replica receives
       updates, kpropd updates its log file with any updates from the primary.
       kproplog(8) can be used to view a summary of the update entry log on
       the replica KDC.  If incremental propagation is enabled, the principal
       kiprop/replicahostname@REALM (where replicahostname is the name of the
       replica KDC host, and REALM is the name of the Kerberos realm) must be
       present in the replica's keytab file.

       kproplog(8) can be used to force full replication when iprop is
       enabled.

OPTIONS
       -r realm
              Specifies the realm of the primary server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the primary admin server is contacted.

       -f file
              Specifies the filename where the dumped principal database file
              is to be stored; by default the dumped database file is
              /usr/local/var/krb5kdc/from_master.

       -F kerberos_db
              Path to the Kerberos database file, if not the default.

       -p     Allows the user to specify the pathname to the kdb5_util(8)
              program; by default the pathname used is
              /usr/local/sbin/kdb5_util.

       -D     In this mode, kpropd will not detach itself from the current job
              and run in the background.  Instead, it will run in the
              foreground.

       -d     Turn on debug mode.  kpropd will print out debugging messages
              during the database propagation and will run in the foreground
              (implies -D).

       -P     Allow for an alternate port number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl file; by
              default the path used is /usr/local/var/krb5kdc/kpropd.acl.

       --pid-file=pid_file
              In standalone mode, write the process ID of the daemon into
              pid_file.

       -s keytab_file
              Path to a keytab to use for acquiring acceptor credentials.

       -x db_args
              Database-specific arguments.  See Database Options in kadmin(1)
              for supported arguments.

FILES
       kpropd.acl
              Access file for kpropd; the default location is
              /usr/local/var/krb5kdc/kpropd.acl.  Each entry is a line
              containing the principal of a host from which the local machine
              will allow Kerberos database propagation via kprop(8).
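
An added example, not part of this manual page or of MIT Kerberos: a POSIX shell function that audits a kpropd.acl file, since every entry names a host allowed to replace the replica's KDC database. The function name audit_kpropd_acl, the expectation that entries take the form host/<fqdn>@REALM, and the example.com names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of MIT Kerberos): audit a kpropd.acl file.
# Assumption: every entry should be host/<fqdn>@<REALM> in the realm given.

# audit_kpropd_acl FILE REALM
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if unreadable.
audit_kpropd_acl() {
    acl=$1; realm=$2; rc=0; n=0; entries=0
    tab=$(printf '\t')
    [ -r "$acl" ] || { echo "ERROR: cannot read $acl"; return 2; }

    # Whoever can edit this file can authorize a host to replace the KDC
    # database, so it must not be writable by group or other.
    if [ -n "$(find "$acl" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "PERM: $acl is group- or world-writable"; rc=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue          # ignore blank lines
        entries=$((entries + 1))
        case $line in
            *" "*|*"$tab"*)
                echo "line $n: whitespace in entry: '$line'"; rc=1 ;;
            host/?*@"$realm")
                ;;                          # expected form
            *@"$realm")
                echo "line $n: not a host principal: $line"; rc=1 ;;
            *@*)
                echo "line $n: principal from another realm: $line"; rc=1 ;;
            *)
                echo "line $n: no realm component: $line"; rc=1 ;;
        esac
    done < "$acl"

    [ "$entries" -gt 0 ] || echo "NOTE: no entries found in $acl"
    return "$rc"
}

# Constructed sample ACL; hostnames and realm are placeholders.
demo_acl=$(mktemp)
cat > "$demo_acl" <<'EOF'
host/kdc1.example.com@EXAMPLE.COM
alice/admin@EXAMPLE.COM
host/kdc1.example.org@EXAMPLE.ORG
EOF
audit_kpropd_acl "$demo_acl" EXAMPLE.COM || true
rm -f "$demo_acl"
```

Run it against the file named by -a (or the default path above) with the replica's realm as the second argument; a non-zero exit status means at least one entry or the file mode needs review.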

ENVIRONMENT
       See kerberos(7) for a description of Kerberos environment variables.

SEE ALSO
       kprop(8), kdb5_util(8), krb5kdc(8), kerberos(7), inetd(8)

AUTHOR
       MIT

COPYRIGHT
       1985-2024, MIT

1.22								     KPROPD(8)
