incremental propagation gets stuck with UPDATE_FULL_RESYNC_NEEDED

Dave Steiner steiner at oit.rutgers.edu
Mon Apr 29 19:40:37 EDT 2013


On 4/29/2013 7:34 PM, Nico Williams wrote:
> On Mon, Apr 29, 2013 at 4:09 PM, Dave Steiner <steiner at oit.rutgers.edu> wrote:
>> I've turned on incremental propagation for my two test Kerberos machines but
>> continually tries to do a full sync but doesn't.
> What version of MIT krb5 are you using?

Just upgraded to 1.11.2 (from 1.9.2)
>
>> Before starting this (as I had worked with iprop a few months back) did a full
>> kprop and deleted the principal.ulog files to start fresh.
> BTW, there's a kproplog -R option to reset the ulog now.  You should use that.

Thanks!

>
>> One odd thing about our setup is we have multiple realms.  As far as I can tell
>> from previously playing with iprop is that it doesn't work on multiple realms.
>> But at this time, I just want to iprop my default realm.
> Multiple realms in one KDB principal file?  Or just multiple realms on a host?
>
> IIUC krb5kdc supports multiple realms in a single KDB just fine, but
> kadmind doesn't, and kadmind plays a big role in iprop.

Multiple realms in a single kdc.conf.  Running multiple kadmind's on 
different ports.  That has worked fine for normal propagation.

>
>> Any ideas why (1) it thinks it needs to do a full resync (kproplog shows one new
>> update on the master), and (2) why it's not doing the full resync?  What can I
>> check to see why it's not working.
> Can you truss/strace the kadmind (and follow fork and exec) and see
> what's happening?  It's probably a misconfiguration that will become
> evident as soon as you see open(2) return some ENOENT in the
> truss/strace output.

I will try this tomorrow and let you know.  Thanks!

-ds

>
> Nico
> --


