Propagating the Kerberos Server

The kpropd.ini File

The /opt/krb5/kpropd.ini file is the propagation configuration file created by the mkpropcf tool using the information from the local krb.conf file.

Ensure that only authorized users have access to this file. Unauthorized access to kpropd.ini can jeopardize the integrity of your realm. Intruders who modify or replace entries can also modify your principal database.

If you add or remove servers from the propagation hierarchy, that is, if you modify the kpropd.ini file, stop and restart the kpropd daemon on each security server. Stopping and restarting the kpropd daemon ensures that the servers correctly propagate to any new server added and do not propagate to the servers removed from the kpropd.ini file.

The general syntax for the kpropd.ini file is as follows:

    [default_values]
    interval=n[smhd]
    key_exp=n[smhd]
    max_cache=n[KM]
    max_retry_delay=n[smhd]
    net_timeout=n[smhd]
    port=port_name
    primay_realm=DEFAULT_REALM
    realms=[allrealm1[realm2][,...]]
    service_name=service_principal_name

    [secsrv1_name]
    child=secsrv2_name

    [secsrv2_name]
    child1=secsrv3_name
    child2=secsrv4_name
    parent=secsrv1_name

When adding entries in the kpropd.ini file, consider the following:

Specify values with a statement of the following type: key_phrase = value

Any characters following a pound sign (#) on a line are treated as a comment and ignored. Blank lines are ignored.

Use a backslash (\) at the end of a line to continue the statement on the next line.
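The following added example (not part of the HP documentation or the kpropd tool itself) parses a file in the kpropd.ini syntax described above, honouring the comment, blank-line and backslash-continuation rules, and then checks that the propagation hierarchy is consistent: every child entry must name a server that has its own section and that lists the referring server as its parent. The server names and values are constructed for illustration.

```python
import re
# Constructed sample (hypothetical server names); keys follow the syntax above.
SAMPLE_KPROPD_INI = """\
[default_values]
interval=5m            # propagate every 5 minutes
realms=EXAMPLE.COM,\\
       SUB.EXAMPLE.COM
[sec1.example.com]
child=sec2.example.com
[sec2.example.com]
child1=sec3.example.com
parent=sec1.example.com
[sec3.example.com]
parent=sec2.example.com
"""

def parse_kpropd_ini(text):
    """Return {section: {key: value}} honouring '#' comments, blank lines
    and backslash line continuation, as the page describes."""
    text = re.sub(r"\\\n\s*", "", text)      # join continued lines first
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comment and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
        else:
            raise ValueError("malformed kpropd.ini line: %r" % raw)
    return sections

def hierarchy_errors(sections):
    """Every child*= must name a defined server whose parent= points back;
    returns the list of problems found (empty when the tree is consistent)."""
    errors = []
    for name, keys in sections.items():
        for key, child in keys.items():
            if key.startswith("child") and child not in sections:
                errors.append("%s: child %s has no section" % (name, child))
            elif key.startswith("child") and sections[child].get("parent") != name:
                errors.append("%s: child %s does not name it as parent" % (name, child))
    return errors
```

Running hierarchy_errors over the parsed file before restarting kpropd catches a server that was added to one section but not the other, which is exactly the kind of inconsistency that leaves a server propagating to the wrong place.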

Chapter 9

251