Incremental Propagation and kpropd

vs_krb@aol.com vs_krb at aol.com
Wed Feb 20 18:37:49 EST 2013


Hi There

I am trying to set up our Kerberos to work with incremental propagation. Currently it's turned off and we push updates from master to slaves. I am able to get iprop to work, but it looks like we need to change the kpropd slave setup. We at present run it out of inetd, but it looks like we need to take it out of inetd and run kpropd on the slaves in standalone daemon mode. If this sounds not right, please let me know.

From the MIT documentation for iprop I see: "The normal kprop mechanism is disabled by the incremental propagation support. However, if the slave has been unable to fetch changes from the master KDC for too long (network problems, perhaps), the log on the master may wrap around and overwrite some of the updates that the slave has not yet retrieved. In this case, the slave will instruct the master KDC to dump the current database out to a file and invoke a one-time kprop propagation, with special options to also convey the point in the update log at which the slave should resume fetching incremental updates. Thus, all the keytab and ACL setup previously described for kprop propagation is still needed."

So this raises a few questions for me.

1) With incremental propagation I believe I can turn off kpropd on the master and run it only on the slave in standalone mode. So, as stated above, in case of issues will the slave be requesting a full propagation and pulling the full copy, or does it have to be initiated by the master via kprop? If the master has to initiate a kprop, the kpropd on the slave is not going to be listening on the same port; I think this would be a problem.
2) How can we manage the size of the iprop log specified using iprop_logfile? What is the best way to rotate it?
3) Is the update log the same as the one specified with iprop_logfile? It seems that way from the documentation.

Any other info on best practices for switching to iprop pull configuration would be appreciated.

Thanks,
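As an added illustration (not part of the original post or of the MIT documentation quoted in it), here is the kdc.conf realm stanza and kpropd.acl a site would typically use for the iprop setup the question describes. The realm name, hostnames and file paths are assumptions; the parameter names (iprop_enable, iprop_logfile, iprop_master_ulogsize, iprop_slave_poll) are the MIT krb5 ones.

```ini
# kdc.conf on the master and on each slave (path and realm are assumptions)
[realms]
    EXAMPLE.COM = {
        # Turn on incremental propagation; kadmind on the master then serves
        # the update log and kpropd on each slave polls it.
        iprop_enable = true

        # The update log (ulog). This is the file the question calls iprop_logfile;
        # it is the same file the MIT text calls "the update log".
        iprop_logfile = /var/kerberos/krb5kdc/principal.ulog

        # Master only: number of entries the ulog holds before it wraps.
        # Size it larger than the number of principal changes that can happen
        # during the longest expected slave outage, so a slave that reconnects
        # can resume from the log instead of forcing a full kprop dump.
        iprop_master_ulogsize = 10000

        # Slave only: how often kpropd asks the master for new entries.
        iprop_slave_poll = 2m
    }
```

On the slaves, kpropd.acl still needs the master's host principal, because the fallback full dump described in the quoted text is delivered over ordinary kprop and is authorized by that file, for example a single line `host/kdc-master.example.com@EXAMPLE.COM` (hostname assumed). The ulog is a fixed-size circular file bounded by iprop_master_ulogsize, so it is managed by sizing rather than by log rotation; rotating or truncating it out from under kadmind would invalidate the serial numbers the slaves track and trigger full resyncs. Keeping the slave's kpropd running as a persistent daemon (the standalone mode the question mentions, `kpropd -S` on older releases) is what lets it both poll for increments and accept the one-time kprop push.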
