Re: Kerberos propagation, kpropd

Nalin Dahyabhai (nalin redhat com) wrote:
> On Tue, Oct 26, 2004 at 03:07:14PM -0600, Ryan Thomson wrote:
> > I'm wondering why the kadmin daemon isn't allowed to run when a kpropd ACL
> > file is located on the machine? In the MIT Kerberos documentation it says that
> > the kpropd.acl file must exist on all KDCs that will be a part of database
> > propagation including the master. It seems illogical that kadmin is not
> > allowed to run on any servers which are a part of database propagation...
> I couldn't find where that requirement's listed in the administrator's
> guide, but AFAIK kpropd.acl is only accessed by kpropd, which you'd only
> run on the receiving end of propagation.  A host which is receiving
> updates via kpropd shouldn't run kadmind because changes made through
> kadmind will be wiped out by kpropd.
> HTH,
> Nalin

From the MIT Kerberos install guide:

"The database is propagated from the master KDC to the slave KDCs via the
kpropd daemon. To set up propagation, create a file on each KDC, named
/usr/local/var/krb5kdc/kpropd.acl, containing the principals for each of the

I assumed that "create a file on each KDC, named <file>" meant that without
the file on each KDC it won't work but that might be an incorrect assumption
since your logic does seem sound to me (kadmind on master, only one kadmind
per realm).

The install guide also seems to mandate running kpropd on both master and
slave but that sounds fishy to me since one uses 'kprop' on the master to
"send" the slave the database...

I suppose I could test it your way by deleting the kpropd.acl file on the
master but it's really not a big deal right now since it seems to work well.

Thanks for the insight,

Ryan Thomson, Systems Administrator
University Of Calgary, Biocomputing
Phone: (403) 220-2264
Email: thomsonr ucalgary ca
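As an added illustration of the role split discussed above (not part of this thread or of MIT Kerberos), the following POSIX shell functions classify a KDC from which daemons it runs and whether a kpropd.acl is present, and flag the combination Nalin warns about: kadmind on a host whose database is overwritten by kpropd. Daemon names, the ACL path and the sample principal are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a KDC's propagation role.
# Assumes MIT daemon names (kadmind, kpropd) and that the ACL path is passed in.

# kdc_role ACL_PATH DAEMON...
# Prints one of: master, slave, conflict, unconfigured.
kdc_role() {
    acl="$1"; shift
    has_kadmind=0; has_kpropd=0
    for d in "$@"; do
        case "$d" in
            kadmind) has_kadmind=1 ;;
            kpropd)  has_kpropd=1 ;;
        esac
    done
    if [ "$has_kadmind" -eq 1 ] && [ "$has_kpropd" -eq 1 ]; then
        # Host receives kprop updates but also accepts admin changes:
        # the next propagation silently discards whatever kadmind wrote.
        echo conflict
    elif [ "$has_kpropd" -eq 1 ]; then
        # Receiving end: kpropd needs the ACL to know who may push a database.
        if [ -r "$acl" ]; then echo slave; else echo unconfigured; fi
    elif [ "$has_kadmind" -eq 1 ]; then
        echo master
    else
        echo unconfigured
    fi
}

# check_acl_entries ACL_PATH
# Returns 1 if any non-blank, non-comment line is not of the form
# host/<fqdn>@<REALM> (the host principal of a KDC allowed to propagate;
# the sample value used in the test is constructed).
check_acl_entries() {
    grep -v '^[[:space:]]*$' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -Ev '^host/[^@/[:space:]]+@[^@[:space:]]+$' >/dev/null && return 1
    return 0
}
```

Run on a live KDC by passing the output of a process listing as the DAEMON arguments; a result of "conflict" is the situation the reply describes.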

