Propagating the Kerberos Server

The kpropd Daemon

The kpropd Daemon

The /opt/krb5/sbin/kpropd daemon propagates the principal database from one server to another and starts running when the security server starts up. It propagates principal records from a given security server to kpropd on the receiving security server or to the propagation plug-in on the receiving security server, if kpropd is not running on this security system.

Propagation generally occurs downward through the propagation hierarchy from parent server to child server as configured in the kpropd.ini file.

During downward incremental propagation, kpropd refers to the prop_q.wrk file for changes to principal records and propagates only those records that have changed during the current propagation cycle.

When the failed authentication count of the principal increments, kpropd initiates upward propagation. During an upward incremental propagation, kpropd updates those principals on the primary security server whose failed authentication count values are incremented during the current propagation cycle. If propagation to a particular server fails, kpropd writes the unpropagated principal records to a prop_hostname file on the host name server.

At the end of a successful propagation, each security server has an up-to-date principal database, and each server above or below the propagating server in the hierarchy has an empty prop_hostname file, where hostname is the receiving server.

For a detailed description of propagation configuration, see “Setting Up Propagation” on page 258.

248

Chapter 9

Page 248
Image 248
HP UX Kerberos Data Security Software manual Kpropd Daemon