NAME
iprop,
ipropd-master,
ipropd-slave —
propagate transactions
from a Heimdal Kerberos master KDC to slave KDCs
SYNOPSIS
ipropd-master |
[-c string |
--config-file=string]
[-r string |
--realm=string]
[-k kspec |
--keytab=kspec]
[-d file |
--database=file]
[--slave-stats-file=file]
[--time-missing=time]
[--time-gone=time]
[--detach]
[--version]
[--help] |
ipropd-slave |
[-c string |
--config-file=string]
[-r string |
--realm=string]
[-k kspec |
--keytab=kspec]
[--time-lost=time]
[--detach]
[--version]
[--help]
master |
DESCRIPTION
ipropd-master is used to propagate changes to a Heimdal
Kerberos database from the master Kerberos server on which it runs to slave
Kerberos servers running
ipropd-slave.
The slaves are specified by the contents of the
slaves file in
the KDC's database directory, e.g.
/var/heimdal/slaves. This
has principals one per-line of the form
iprop/slave@REALM
where
slave is the hostname of the slave server in the
given
REALM, e.g.
iprop/kerberos-1.example.com@EXAMPLE.COM
On a slave, the argument
master specifies the hostname of
the master server from which to receive updates.
In contrast to
hprop(8), which
sends the whole database to the slaves regularly,
iprop
normally sends only the changes as they happen on the master. The master keeps
track of all the changes by assigning a version number to every transaction to
the database. The slaves know which was the latest version they saw, and in
this way it can be determined if they are in sync or not. A log of all the
transactions is kept on the master. When a slave is at an older version than
the oldest one in the log, the whole database has to be sent.
The log of transactions is also used to implement a two-phase commit (with
roll-forward for recovery) method of updating the HDB. Transactions are first
recorded in the log, then in the HDB, then the log is updated to mark the
transaction as committed.
The changes are propagated over a secure channel (on port 2121 by default). This
should normally be defined as “iprop/tcp” in
/etc/services or another source of the services database.
The master and slaves must each have access to a keytab with keys for the
iprop service principal on the local host.
There is a keep-alive feature logged in the master's
slave-stats file (e.g.
/var/heimdal/slave-stats).
Supported options for
ipropd-master:
-
-
- -c
string,
--config-file=string
-
- -r
string,
--realm=string
-
- -k
kspec,
--keytab=kspec
- keytab to get authentication from
-
-
- -d
file,
--database=file
- Database (default per KDC)
-
-
- --slave-stats-file=file
- file for slave status information
-
-
- --time-missing=time
- time before slave is polled for presence (default 2
min)
-
-
- --time-gone=time
- time of inactivity after which a slave is considered gone
(default 5 min)
-
-
- --detach
- detach from console
-
-
- --version
-
- --help
-
Supported options for
ipropd-slave:
-
-
- -c
string,
--config-file=string
-
- -r
string,
--realm=string
-
- -k
kspec,
--keytab=kspec
- keytab to get authentication from
-
-
- --time-lost=time
- time before server is considered lost (default 5 min)
-
-
- --detach
- detach from console
-
-
- --version
-
- --help
-
Time arguments for the relevant options above may be specified in forms like 5
min, 300 s, or simply a number of seconds.
FILES
slaves,
slave-stats in the database
directory.
ipropd-master.pid,
ipropd-slave.pid in the database directory, or in the
directory named by the
HEIM_PIDFILE_DIR
environment
variable.
SEE ALSO
krb5.conf(5),
hprop(8),
hpropd(8),
iprop-log(8),
kdc(8).