Problems with kprop and incremental propagation
Matej Zagiba
zagiba at fmph.uniba.sk
Wed Nov 10 05:04:15 EST 2010
Hello,
I have two problems with kprop/kpropd. At our site we are using (trying to use) two KDCs, both version 1.8.3 (1.8.3-dfsg-2 from the Debian repositories). One of them is a production server with over 85k principals, the second should be a slave server.
I followed the install manual http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5-install.html#Install%20the%20Slave%20KDCs.
Exact configuration details are at the end of the post.
The first problem with kprop is that it does not recognize the default realm:
root at kdc1:~# /usr/sbin/kprop -f /var/lib/krb5kdc/slave_datatrans kdc2.my.domain
/usr/sbin/kprop: Cannot resolve network address for KDC in requested realm while getting initial ticket
If I force the realm with the -r option, everything goes as expected:
root at kdc1:~# time /usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans
real 0m11.119s
user 0m10.685s
sys 0m0.404s
root at kdc1:~# /usr/sbin/kprop.orig -r KRB.MY.DOMAIN -f /var/lib/krb5kdc/slave_datatrans kdc2.my.domain
Database propagation to kdc2.my.domain: SUCCEEDED
While in the usual cron synchronization it is not a big deal, in incremental propagation it means that a full resync never succeeds. I wrote a little wrapper around kprop, so full resync now works, but I wonder if there is anything wrong in my configuration, or if it is a bug.
The second problem is that kpropd always asks for a full resync. In the kadmin logs it looks like this:
=== start of kpropd on slave ===
Nov 10 10:43:34 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:38 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14944, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:44:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=208; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:21 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=208; Outgoing SerialNo=209, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14968, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:46:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:47:27 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:47:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:48:27 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:48:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:01 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:09 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=210; Outgoing SerialNo=212, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:39 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:49:39 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 15002, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:50:45 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=213; Outgoing SerialNo=214, success, client=kiprop/kdc2.my.domain at KRB.MY.DOMAIN,service=kiprop/kdc1.my.domain at KRB.MY.DOMAIN, addr=kdc2_ip
Please help me solve this problem, because this way incremental propagation has no meaning, and conventional use of kprop takes too long.
thanks
Matej Zagiba
configuration:
/etc/krb5.conf (both master and slave):
[libdefaults]
default_realm = KRB.MY.DOMAIN
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
KRB.MY.DOMAIN = {
kdc = kdc1.my.domain
kdc = kdc2.my.domain
admin_server = kdc1.my.domain
iprop_enable = true
iprop_master_ulogsize = 2048
iprop_slave_poll = 30
iprop_port = 755
}
[domain_realm]
.my.domain. = KRB.MY.DOMAIN
my.domain. = KRB.MY.DOMAIN
[logging]
kdc = FILE:/var/log/kdc5.log
admin_server = FILE:/var/log/kadm5.log
default = FILE:/var/log/krb5.log
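Added example (not from the thread or the MIT Kerberos project): a small Python parser for kadmind iprop log lines of the kind shown above that flags when a slave's reported serial number drops back to 0 with UPDATE_FULL_RESYNC_NEEDED after it had already caught up, i.e. the repeated full-resync loop. The sample lines are constructed in the same format as the post's log, with the same kdc2_ip placeholder.

```python
import re
from collections import Counter

# Constructed sample in the format kadmind logs iprop requests (not the poster's full log).
SAMPLE_LOG = """\
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14944, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:44:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=208; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:21 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=208; Outgoing SerialNo=209, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/kdc2.my.domain@KRB.MY.DOMAIN, service=kiprop/kdc1.my.domain@KRB.MY.DOMAIN, addr=kdc2_ip
"""

# Only iprop_get_updates_1 lines carry the serial numbers; resync-spawn lines are skipped.
UPDATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kadmind\[\d+\]\(\w+\): "
    r"Request: iprop_get_updates_1, (?P<status>UPDATE_[A-Z_]+); "
    r"Incoming SerialNo=(?P<incoming>\d+); Outgoing SerialNo=(?P<outgoing>N/A|\d+),"
    r".*client=(?P<client>\S+?),"
)

def parse_updates(text):
    """Return one dict per iprop_get_updates_1 line, with serials converted to ints."""
    events = []
    for line in text.splitlines():
        m = UPDATE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["incoming"] = int(ev["incoming"])
        ev["outgoing"] = None if ev["outgoing"] == "N/A" else int(ev["outgoing"])
        events.append(ev)
    return events

def resync_regressions(events):
    """(timestamp, client, previous serial) for each slave that asks for a full resync
    with SerialNo=0 after having already reported a non-zero serial: that is a full
    database dump being pushed again, the loop described in the post."""
    last_serial = {}
    hits = []
    for ev in events:
        prev = last_serial.get(ev["client"], 0)
        if ev["status"] == "UPDATE_FULL_RESYNC_NEEDED" and ev["incoming"] == 0 and prev > 0:
            hits.append((ev["ts"], ev["client"], prev))
        last_serial[ev["client"]] = ev["incoming"]
    return hits

def status_counts(events):
    """How often each UPDATE_* status was returned; many FULL_RESYNC_NEEDED is the red flag."""
    return Counter(ev["status"] for ev in events)
```

Run it over /var/log/kadm5.log instead of SAMPLE_LOG to see how often the slave restarts from serial 0 and how far it had got before each restart.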