| 1 |
|
|---|
| 2 | IPROP(8) BSD System Manager's Manual IPROP(8)
|
|---|
| 3 |
|
|---|
| 4 | NNAAMMEE
|
|---|
| 5 | iipprroopp, iipprrooppdd--mmaasstteerr, iipprrooppdd--ssllaavvee -- propagate changes to a Heimdal Ker-
|
|---|
| 6 | beros master KDC to slave KDCs
|
|---|
| 7 |
|
|---|
| 8 | SSYYNNOOPPSSIISS
|
|---|
| 9 | iipprrooppdd--mmaasstteerr [--cc _s_t_r_i_n_g | ----ccoonnffiigg--ffiillee==_s_t_r_i_n_g] [--rr _s_t_r_i_n_g |
|
|---|
| 10 | ----rreeaallmm==_s_t_r_i_n_g] [--kk _k_s_p_e_c | ----kkeeyyttaabb==_k_s_p_e_c] [--dd _f_i_l_e |
|
|---|
| 11 | ----ddaattaabbaassee==_f_i_l_e] [----ssllaavvee--ssttaattss--ffiillee==_f_i_l_e]
|
|---|
| 12 | [----ttiimmee--mmiissssiinngg==_t_i_m_e] [----ttiimmee--ggoonnee==_t_i_m_e] [----ddeettaacchh]
|
|---|
| 13 | [----vveerrssiioonn] [----hheellpp]
|
|---|
| 14 | iipprrooppdd--ssllaavvee [--cc _s_t_r_i_n_g | ----ccoonnffiigg--ffiillee==_s_t_r_i_n_g] [--rr _s_t_r_i_n_g |
|
|---|
| 15 | ----rreeaallmm==_s_t_r_i_n_g] [--kk _k_s_p_e_c | ----kkeeyyttaabb==_k_s_p_e_c]
|
|---|
| 16 | [----ttiimmee--lloosstt==_t_i_m_e] [----ddeettaacchh] [----vveerrssiioonn] [----hheellpp] _m_a_s_t_e_r
|
|---|
| 17 |
|
|---|
| 18 | DDEESSCCRRIIPPTTIIOONN
|
|---|
| 19 | iipprrooppdd--mmaasstteerr is used to propagate changes to a Heimdal Kerberos database
|
|---|
| 20 | from the master Kerberos server on which it runs to slave Kerberos
|
|---|
| 21 | servers running iipprrooppdd--ssllaavvee.
|
|---|
| 22 |
|
|---|
| 23 | The slaves are specified by the contents of the _s_l_a_v_e_s file in the KDC's
|
|---|
| 24 | database directory, e.g. _/_v_a_r_/_h_e_i_m_d_a_l_/_s_l_a_v_e_s. This has principals one
|
|---|
| 25 | per-line of the form
|
|---|
| 26 | iprop/_s_l_a_v_e@_R_E_A_L_M
|
|---|
| 27 | where _s_l_a_v_e is the hostname of the slave server in the given _R_E_A_L_M, e.g.
|
|---|
| 28 | iprop/kerberos-1.example.com@EXAMPLE.COM
|
|---|
| 29 | On a slave, the argument _m_a_s_t_e_r specifies the hostname of the master
|
|---|
| 30 | server from which to receive updates.
|
|---|
| 31 |
|
|---|
| 32 | In contrast to hprop(8), which sends the whole database to the slaves
|
|---|
| 33 | regularly, iipprroopp normally sends only the changes as they happen on the
|
|---|
| 34 | master. The master keeps track of all the changes by assigning a version
|
|---|
| 35 | number to every change to the database. The slaves know which was the
|
|---|
| 36 | latest version they saw, and in this way it can be determined if they are
|
|---|
| 37 | in sync or not. A log of all the changes is kept on the master. When a
|
|---|
| 38 | slave is at an older version than the oldest one in the log, the whole
|
|---|
| 39 | database has to be sent.
|
|---|
| 40 |
|
|---|
| 41 | The changes are propagated over a secure channel (on port 2121 by
|
|---|
| 42 | default). This should normally be defined as ``iprop/tcp'' in
|
|---|
| 43 | _/_e_t_c_/_s_e_r_v_i_c_e_s or another source of the services database. The master and
|
|---|
| 44 | slaves must each have access to a keytab with keys for the iipprroopp service
|
|---|
| 45 | principal on the local host.
|
|---|
| 46 |
|
|---|
| 47 | There is a keep-alive feature logged in the master's _s_l_a_v_e_-_s_t_a_t_s file
|
|---|
| 48 | (e.g. _/_v_a_r_/_h_e_i_m_d_a_l_/_s_l_a_v_e_-_s_t_a_t_s).
|
|---|
| 49 |
|
|---|
| 50 | Supported options for iipprrooppdd--mmaasstteerr:
|
|---|
| 51 |
|
|---|
| 52 | --cc _s_t_r_i_n_g, ----ccoonnffiigg--ffiillee==_s_t_r_i_n_g
|
|---|
| 53 |
|
|---|
| 54 | --rr _s_t_r_i_n_g, ----rreeaallmm==_s_t_r_i_n_g
|
|---|
| 55 |
|
|---|
| 56 | --kk _k_s_p_e_c, ----kkeeyyttaabb==_k_s_p_e_c
|
|---|
| 57 | keytab to get authentication from
|
|---|
| 58 |
|
|---|
| 59 | --dd _f_i_l_e, ----ddaattaabbaassee==_f_i_l_e
|
|---|
| 60 | Database (default per KDC)
|
|---|
| 61 |
|
|---|
| 62 | ----ssllaavvee--ssttaattss--ffiillee==_f_i_l_e
|
|---|
| 63 | file for slave status information
|
|---|
| 64 |
|
|---|
| 65 | ----ttiimmee--mmiissssiinngg==_t_i_m_e
|
|---|
| 66 | time before slave is polled for presence (default 2 min)
|
|---|
| 67 |
|
|---|
| 68 | ----ttiimmee--ggoonnee==_t_i_m_e
|
|---|
| 69 | time of inactivity after which a slave is considered gone
|
|---|
| 70 | (default 5 min)
|
|---|
| 71 |
|
|---|
| 72 | ----ddeettaacchh
|
|---|
| 73 | detach from console
|
|---|
| 74 |
|
|---|
| 75 | ----vveerrssiioonn
|
|---|
| 76 |
|
|---|
| 77 | ----hheellpp
|
|---|
| 78 |
|
|---|
| 79 | Supported options for iipprrooppdd--ssllaavvee:
|
|---|
| 80 |
|
|---|
| 81 | --cc _s_t_r_i_n_g, ----ccoonnffiigg--ffiillee==_s_t_r_i_n_g
|
|---|
| 82 |
|
|---|
| 83 | --rr _s_t_r_i_n_g, ----rreeaallmm==_s_t_r_i_n_g
|
|---|
| 84 |
|
|---|
| 85 | --kk _k_s_p_e_c, ----kkeeyyttaabb==_k_s_p_e_c
|
|---|
| 86 | keytab to get authentication from
|
|---|
| 87 |
|
|---|
| 88 | ----ttiimmee--lloosstt==_t_i_m_e
|
|---|
| 89 | time before server is considered lost (default 5 min)
|
|---|
| 90 |
|
|---|
| 91 | ----ddeettaacchh
|
|---|
| 92 | detach from console
|
|---|
| 93 |
|
|---|
| 94 | ----vveerrssiioonn
|
|---|
| 95 |
|
|---|
| 96 | ----hheellpp
|
|---|
| 97 | Time arguments for the relevant options above may be specified in forms
|
|---|
| 98 | like 5 min, 300 s, or simply a number of seconds.
|
|---|
| 99 |
|
|---|
| 100 | FFIILLEESS
|
|---|
| 101 | _s_l_a_v_e_s, _s_l_a_v_e_-_s_t_a_t_s in the database directory.
|
|---|
| 102 |
|
|---|
| 103 | SSEEEE AALLSSOO
|
|---|
| 104 | krb5.conf(5), hprop(8), hpropd(8), iprop-log(8), kdc(8).
|
|---|
| 105 |
|
|---|
| 106 | Heimdal May 24, 2005 Heimdal
|
|---|
