Propagation
Monitoring Propagation
Log Files Indicate Problems
If an examination of the logs for the primary server and the secondary servers suggests propagation problems, then your set of clues is nearly complete. If kpropd is not running on the primary server and each secondary server, then you can be certain that an
Number of Principals Does Not Match
The number of principals on both machines should be identical or close. A few discrepancies are not unusual, especially if the databases were dumped during a propagation cycle. Incremental database propagation can also leave the counts off by a few principals, but rarely by more than a few. To ensure accurate results, dump the databases simultaneously and after hours, at a time when administrative activity is at a minimum. Under these conditions, consider a discrepancy of more than five principal entries to be significant.
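The comparison described above can be scripted. The following is an added example, not part of the original text or of any Kerberos distribution. It goes one step beyond comparing counts by comparing principal names, so an addition and a deletion that cancel out in the totals are still reported. It assumes each dump has already been reduced to one principal name per line (the dump format is not shown on this page); the sample names are constructed.

```python
"""Compare principal lists taken from a primary and a secondary KDC dump."""

# Threshold from the text: more than five differing entries is significant.
SIGNIFICANT = 5

# Constructed sample input: one principal name per line (assumed format).
SAMPLE_PRIMARY = ["# constructed sample", "alice", "bob", "carol", "dave",
                  "erin", "frank", "grace", "heidi"]
SAMPLE_SECONDARY = ["alice", "bob", "", "mallory-old"]


def load_principals(lines):
    """Return the set of principal names, skipping blanks and # comments.

    Assumption: the name is the first whitespace-separated field on a line.
    """
    names = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split()[0])
    return names


def compare(primary_lines, secondary_lines, threshold=SIGNIFICANT):
    """Report which principals differ and whether the gap is significant."""
    primary = load_principals(primary_lines)
    secondary = load_principals(secondary_lines)
    missing = sorted(primary - secondary)  # created on primary, not propagated
    stale = sorted(secondary - primary)    # removed on primary, still present
    discrepancy = len(missing) + len(stale)
    return {
        "primary_count": len(primary),
        "secondary_count": len(secondary),
        "missing_on_secondary": missing,
        "only_on_secondary": stale,
        "discrepancy": discrepancy,
        "significant": discrepancy > threshold,
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_PRIMARY, SAMPLE_SECONDARY).items():
        print(f"{key}: {value}")
```

A name-level comparison does not detect a principal whose key changed on the primary but kept the same name; that case still needs the authentication test described in the next section.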
Authentication Tests Succeed
The last step in confirming this problem is to force authentication tests to go to the primary server. You only need to do this for one or two machines. Ensure that the test principal is not locked and that you know its password. Edit the krb.conf file and comment out the secondary servers by placing a # in the first column of each secondary server entry. The file will look similar to the following:
#FINANCE.BAMBI.COM fnc01.bambi.com
#IT.BAMBI.COM it02.bambi.com
NETWORK.BAMBI.COM netwrk05.bambi.com admin server
Attempt to authenticate from the machine with the new configuration file. If authentication succeeds continuously you have your final clue that the
kdb_dump
To view details of any discrepancy between a primary and secondary principal database and look for