Provided by: krb5-kdc_1.13.2+dfsg-5_i386 bug


       kpropd - Kerberos V5 slave KDC update server


       kpropd  [-r  realm] [-A admin_server] [-a acl_file] [-f slave_dumpfile]
       [-F principal_database] [-p kdb5_util_prog] [-P port] [-d]


       The kpropd command runs on the slave KDC server.  It listens for update
       requests  made  by the kprop(8) program.  If incremental propagation is
       enabled, it periodically requests incremental updates from  the  master

       When the slave receives a kprop request from the master, kpropd accepts
       the dumped KDC database  and  places  it  in  a  file,  and  then  runs
       kdb5_util(8) to load the dumped database into the active database which
       is used by krb5kdc(8).  This allows the master Kerberos server  to  use
       kprop(8)  to  propagate  its  database  to  the  slave servers.  Upon a
       successful download of the KDC database file, the slave Kerberos server
       will have an up-to-date KDC database.

       Where  incremental  propagation is not used, kpropd is commonly invoked
       out of inetd(8) as a nowait service.  This is done by adding a line  to
       the /etc/inetd.conf file which looks like this:

          kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

       kpropd  can  also  run as a standalone daemon, backgrounding itself and
       waiting for connections on port 754 (or the port specified with the  -P
       option   if  given).   Standalone  mode  is  required  for  incremental
       propagation.  Starting in release 1.11,  kpropd  automatically  detects
       whether it was run from inetd and runs in standalone mode if it is not.
       Prior to release 1.11, the -S option  is  required  to  run  kpropd  in
       standalone mode; this option is now accepted for backward compatibility
       but does nothing.

       Incremental propagation may be enabled with the  iprop_enable  variable
       in  kdc.conf(5).   If  incremental  propagation  is  enabled, the slave
       periodically  polls  the  master  KDC  for  updates,  at  an   interval
       determined  by  the  iprop_slave_poll  variable.  If the slave receives
       updates, kpropd updates its log file with any updates from the  master.
       kproplog(8)  can  be  used to view a summary of the update entry log on
       the slave KDC.  If incremental propagation is  enabled,  the  principal
       kiprop/slavehostname@REALM  (where  slavehostname  is  the  name of the
       slave KDC host, and REALM is the name of the Kerberos  realm)  must  be
       present in the slave's keytab file.

       kproplog(8)  can  be  used  to  force  full  replication  when iprop is


       -r realm
              Specifies the realm of the master server.

       -A admin_server
              Specifies the server to be contacted for incremental updates; by
              default, the master admin server is contacted.

       -f file
              Specifies  the filename where the dumped principal database file
              is to  be  stored;  by  default  the  dumped  database  file  is

       -p     Allows  the  user  to  specify  the pathname to the kdb5_util(8)
              program; by default the pathname used is /usr/sbin/kdb5_util.

       -d     Turn on debug mode.  In this mode, kpropd will not detach itself
              from  the  current  job  and run in the background.  Instead, it
              will run in the foreground  and  print  out  debugging  messages
              during the database propagation.

       -P     Allow  for  an  alternate  port  number for kpropd to listen on.
              This is only useful in combination with the -S option.

       -a acl_file
              Allows the user to specify the path to the kpropd.acl  file;  by
              default the path used is /etc/krb5kdc/kpropd.acl.


       kpropd uses the following environment variables:

       · KRB5_CONFIG



              Access    file    for    kpropd;   the   default   location   is
              /usr/local/var/krb5kdc/kpropd.acl.   Each  entry   is   a   line
              containing  the principal of a host from which the local machine
              will allow Kerberos database propagation via kprop(8).


       kprop(8), kdb5_util(8), krb5kdc(8), inetd(8)




       1985-2015, MIT