incremental propagation gets stuck with UPDATE_FULL_RESYNC_NEEDED
Nico Williams
nico at cryptonector.com
Mon Apr 29 19:34:01 EDT 2013
On Mon, Apr 29, 2013 at 4:09 PM, Dave Steiner <steiner at oit.rutgers.edu> wrote:
> I've turned on incremental propagation for my two test Kerberos machines but
> continually tries to do a full sync but doesn't.
What version of MIT krb5 are you using?
> Before starting this (as I had worked with iprop a few months back) did a full
> kprop and deleted the principal.ulog files to start fresh.
BTW, there's a kproplog -R option to reset the ulog now. You should use that.
> One odd thing about our setup is we have multiple realms. As far as I can tell
> from previously playing with iprop is that it doesn't work on multiple realms.
> But at this time, I just want to iprop my default realm.
Multiple realms in one KDB principal file? Or just multiple realms on a host?
IIUC krb5kdc supports multiple realms in a single KDB just fine, but
kadmind doesn't, and kadmind plays a big role in iprop.
> Any ideas why (1) it thinks it needs to do a full resync (kproplog shows one new
> update on the master), and (2) why it's not doing the full resync? What can I
> check to see why it's not working.
Can you truss/strace the kadmind (and follow fork and exec) and see
what's happening? It's probably a misconfiguration that will be come
evident as soon as you see open(2) return some ENOENT in the
truss/strace output.
Nico
--
More information about the Kerberos
mailing list