Problems with kprop and incremental propagation

Matej Zagiba zagiba at fmph.uniba.sk
Wed Nov 10 05:04:15 EST 2010


Hello,

  I have two problems with kprop/kpropd. At our site we are using (trying to use) two KDCs, both version 1.8.3 (1.8.3-dfsg-2 from the Debian repositories). One of them is the production server with over 85k principals, the second should be the slave server.
I followed the install manual http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5-install.html#Install%20the%20Slave%20KDCs.
Exact configuration details are at the end of the post.


First problem with kprop is that it does not recognize the default realm:

root at kdc1:~# /usr/sbin/kprop -f /var/lib/krb5kdc/slave_datatrans kdc2.my.domain
/usr/sbin/kprop: Cannot resolve network address for KDC in requested realm while getting initial ticket

If I force the realm with the -r option, everything goes as expected:

root at kdc1:~# time /usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans
real	0m11.119s
user	0m10.685s
sys	0m0.404s
root at kdc1:~# /usr/sbin/kprop.orig -r KRB.MY.DOMAIN -f /var/lib/krb5kdc/slave_datatrans kdc2.my.domain
Database propagation to kdc2.my.domain: SUCCEEDED

While in usual cron synchronization it is not a big deal, in incremental propagation it means that a full resync never
succeeds. I wrote a little wrapper around kprop, so full resync now works, but I wonder if there is anything wrong in my configuration, or if it is a bug.


Second problem is that kpropd always asks for a full resync. In the kadmin logs it looks like this:
=== start of kpropd on slave ===
Nov 10 10:43:34 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:38 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14944, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:44:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=208; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:21 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=208; Outgoing SerialNo=209, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14968, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:46:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:47:27 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:47:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:48:27 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:48:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:01 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:09 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=210; Outgoing SerialNo=212, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:39 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:39 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 15002, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:50:45 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=213; Outgoing SerialNo=214, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip


Please help me solve this problem, because this way incremental propagation has no meaning, and conventional use of kprop takes too long.

  thanks

    Matej Zagiba


configuration:
/etc/krb5.conf (both master and slave):

[libdefaults]
	default_realm = KRB.MY.DOMAIN
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true


[realms]
	KRB.MY.DOMAIN = {
		kdc = kdc1.my.domain
		kdc = kdc2.my.domain
		admin_server = kdc1.my.domain
		iprop_enable = true
		iprop_master_ulogsize = 2048
		iprop_slave_poll = 30
		iprop_port = 755
	}

[domain_realm]
	.my.domain. = KRB.MY.DOMAIN
	my.domain. = KRB.MY.DOMAIN

[logging]
	kdc = FILE:/var/log/kdc5.log
	admin_server = FILE:/var/log/kadm5.log
	default = FILE:/var/log/krb5.log
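
The kadmind log excerpt above shows the pattern a monitoring check would want to catch: the slave reports Incoming SerialNo=0 again shortly after a successful full resync, so every few polls end in iprop_full_resync_1. The following is an added example (not code from the post or from MIT krb5) that parses kadmind iprop request lines, tracks each slave's reported serial number, and flags serial regressions and repeated full resyncs; the log sample is constructed to mirror the format quoted above, with "@" in place of the list archive's "at".

```python
import re
from datetime import datetime

# Constructed sample, modelled on the kadmind iprop log format quoted in the post
# (the kdc2 slave reports serial 0 again shortly after a successful full resync).
SAMPLE_LOG = """\
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14944, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:44:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=208; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:21 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=208; Outgoing SerialNo=209, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:46:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
"""

# Only iprop_get_updates_1 lines carry the slave's Incoming SerialNo.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kadmind\[\d+\]\(\w+\): Request: "
    r"iprop_get_updates_1, (?P<status>UPDATE_\w+); Incoming SerialNo=(?P<serial>\d+);"
    r".*?client=(?P<client>[^,]+),")

def analyze_iprop_log(text, window_seconds=3600):
    """Per slave (client principal): count full resyncs, flag serial regressions.
    A drop in Incoming SerialNo (e.g. back to 0 after 208) means the slave has
    lost its ulog position and will request another full dump."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # iprop_full_resync_1 and unrelated lines carry no serial
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps have no year
        serial = int(m["serial"])
        rec = state.setdefault(m["client"], {"resyncs": [], "regressions": [], "last_serial": None})
        if m["status"] == "UPDATE_FULL_RESYNC_NEEDED":
            rec["resyncs"].append(ts)
        if rec["last_serial"] is not None and serial < rec["last_serial"]:
            rec["regressions"].append((m["ts"], rec["last_serial"], serial))
        rec["last_serial"] = serial
    report = {}
    for client, rec in state.items():
        ts = rec["resyncs"]
        # Two or more full resyncs inside the window: iprop is effectively not incremental.
        flapping = len(ts) >= 2 and (ts[-1] - ts[0]).total_seconds() <= window_seconds
        report[client] = {"full_resyncs": len(ts), "regressions": rec["regressions"],
                          "flapping": flapping, "last_serial": rec["last_serial"]}
    return report

if __name__ == "__main__":
    for client, r in analyze_iprop_log(SAMPLE_LOG).items():
        print(client, r)
```

Run it against /var/log/kadm5.log on the master; a slave that keeps appearing with "flapping" set is the one to investigate, since each full resync re-dumps the whole database.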
