Functional test of KDC for monitoring?
John Devitofranceschi
jdvf at optonline.net
Thu Feb 14 07:05:06 EST 2013
On Feb 13, 2013, at 11:21 AM, Nico Williams <nico at cryptonector.com> wrote:
> On Wed, Feb 13, 2013 at 6:12 AM, John Devitofranceschi
> <jdvf at optonline.net> wrote:
>> One thing that we do is monitor propagation. Something like:
>>
>> lpc=$(get_last_princ_changed)
>>
>> master_lpc_kvno=$(get_kvno "$master_kdc" "$lpc")
>>
>> init_error_state
>> for kdc in "${slave_kdc_list[@]}"; do
>>     slave_lpc_kvno=$(get_kvno "$kdc" "$lpc")
>>     if [ "$master_lpc_kvno" != "$slave_lpc_kvno" ]
>>     then
>>         set_error_state
>>     fi
>> done
>>
>> report_error_state
>
> Note that this will fail to detect failures to iprop other principals.
Yes, I know. The intention is to ensure that the slave kpropd services are running and not obviously blocked, rather than making certain that every update occurs.
I recall that in the old NetInfo system, you could say "niutil -statistics -t <host-tagged-domain-spec>" and get lots of information about the state of the database on a specified host, including a database checksum.
Being able to query the KDCs for that kind of thing would be most useful to efficiently ensure that propagation is working properly from a remote monitoring system.
jd
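As an added example (not from this thread), the kvno comparison above written as a parser over the output of a `getprinc` query, so a monitoring host can run it against text collected from each KDC; the sample output, host names and the "Key: vno N" line format are assumptions, and a slave that returns no kvno at all is reported alongside a lagging one.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "kadmin.local -q 'getprinc <princ>'" style output for the
# last-changed principal; only the "Key: vno N" lines are parsed (format assumed).
MASTER_GETPRINC = """Principal: host/app1.example.com@EXAMPLE.COM
Last modified: Wed Feb 13 06:00:12 EST 2013 (admin/admin@EXAMPLE.COM)
Number of keys: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, aes128-cts-hmac-sha1-96
"""

# Constructed per-slave output: kdc2 has not received the update, kdc3 gave nothing.
SLAVE_GETPRINC = {
    "kdc1.example.com": MASTER_GETPRINC,
    "kdc2.example.com": MASTER_GETPRINC.replace("vno 5", "vno 4"),
    "kdc3.example.com": "",
}

VNO_RE = re.compile(r"^Key: vno (\d+),", re.MULTILINE)


def highest_kvno(getprinc_output: str) -> Optional[int]:
    """Highest key version number found in getprinc output, or None if absent."""
    vnos = [int(m) for m in VNO_RE.findall(getprinc_output)]
    return max(vnos) if vnos else None


def check_propagation(master_output: str, slave_outputs: Dict[str, str]) -> List[str]:
    """Names of slave KDCs whose kvno for the probe principal differs from the
    master's. A slave with no kvno (failed query) counts as an error too, so a
    blocked kpropd and an unreachable KDC both set the error state."""
    master_kvno = highest_kvno(master_output)
    if master_kvno is None:
        raise ValueError("master KDC returned no key versions for the probe principal")
    return [kdc for kdc, out in slave_outputs.items() if highest_kvno(out) != master_kvno]


if __name__ == "__main__":
    bad = check_propagation(MASTER_GETPRINC, SLAVE_GETPRINC)
    print("propagation OK" if not bad else "propagation lag on: " + ", ".join(bad))
```

As noted in the thread, this only proves the one probed principal reached each slave; a broader check would run the same comparison over a sample of recently modified principals.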