Hello,

I have two problems with kprop/kpropd. At our site we are using (trying to use) two KDCs; both are version 1.8.3 (1.8.3-dfsg-2 from the Debian repositories). One of them is a production server with over 85k principals; the second should be a slave server. I followed the install manual http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.3/doc/krb5-install.html#Install%20the%20Slave%20KDCs. The exact configuration details are at the end of the post.

The first problem with kprop is that it does not recognize the default realm:

r...@kdc1:~# /usr/sbin/kprop -f /var/lib/krb5kdc/slave_datatrans kdc2.my.domain
/usr/sbin/kprop: Cannot resolve network address for KDC in requested realm while getting initial ticket

If I force the realm with the -r option, everything goes as expected:

r...@kdc1:~# time /usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans

real 0m11.119s
user 0m10.685s
sys 0m0.404s
r...@kdc1:~# /usr/sbin/kprop.orig -r KRB.MY.DOMAIN -f /var/lib/krb5kdc/slave_datatrans kdc2.my.domain
Database propagation to kdc2.my.domain: SUCCEEDED

While in the usual cron synchronization it is not a big deal, in incremental propagation it means that a full resync never succeeds. I wrote a little wrapper around kprop, so full resync now works, but I wonder whether there is anything wrong in my configuration, or whether it is a bug.

The second problem is that kpropd always asks for a full resync. In the kadmin logs it looks like this:

=== start of kpropd on slave ===
Nov 10 10:43:34 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:43:38 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:43:46 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14944, client=kiprop/[email protected], service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:44:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=208; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:45:21 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=208; Outgoing SerialNo=209, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:45:51 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 14968, client=kiprop/[email protected], service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:46:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:47:27 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:47:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:48:27 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:48:57 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:49:01 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_BUSY; Incoming SerialNo=210; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:49:09 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=210; Outgoing SerialNo=212, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:49:39 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:49:39 kdc1 kadmind[9394](Notice): Request: iprop_full_resync_1, spawned resync process 15002, client=kiprop/[email protected], service=kiprop/[email protected], addr=kdc2_ip
Nov 10 10:50:45 kdc1 kadmind[9394](Notice): Request: iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=213; Outgoing SerialNo=214, success, client=kiprop/[email protected],service=kiprop/[email protected], addr=kdc2_ip

Please help me solve this problem, because this way incremental propagation has no meaning, and conventional use of kprop takes too long.

Thanks,
Matej Zagiba

Configuration:

/etc/krb5.conf (both master and slave):

[libdefaults]
    default_realm = KRB.MY.DOMAIN
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    KRB.MY.DOMAIN = {
        kdc = kdc1.my.domain
        kdc = kdc2.my.domain
        admin_server = kdc1.my.domain
        iprop_enable = true
        iprop_master_ulogsize = 2048
        iprop_slave_poll = 30
        iprop_port = 755
    }

[domain_realm]
    .my.domain. = KRB.MY.DOMAIN
    my.domain. = KRB.MY.DOMAIN

[logging]
    kdc = FILE:/var/log/kdc5.log
    admin_server = FILE:/var/log/kadm5.log
    default = FILE:/var/log/krb5.log
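
The following is an added example, not part of the original post: a Python script that parses kadmind `iprop_get_updates_1` entries in the log format quoted above and reports every poll where a slave that had already reached a non-zero serial number reports `Incoming SerialNo=0` again, which is the pattern visible in the log before each full resync. The sample lines, principal names and address in it are constructed placeholders.

```python
import re

# Matches kadmind iprop_get_updates_1 entries in the format quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kadmind\[\d+\]\(\w+\):\s+"
    r"Request: iprop_get_updates_1, (?P<status>UPDATE_\w+); "
    r"Incoming SerialNo=(?P<incoming>\d+); "
    r"Outgoing SerialNo=(?P<outgoing>\d+|N/A),.*?"
    r"client=(?P<client>[^,\s]+)"
)

def parse(lines):
    """Yield one dict per iprop_get_updates_1 entry; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["incoming"] = int(rec["incoming"])
            yield rec

def serial_resets(lines):
    """Return (timestamp, client, last_serial) for each poll where a slave that
    had a non-zero serial reports SerialNo=0 again."""
    last = {}    # client -> last non-zero serial it reported or was sent
    resets = []
    for rec in parse(lines):
        client, incoming = rec["client"], rec["incoming"]
        if incoming == 0 and last.get(client, 0) > 0:
            resets.append((rec["ts"], client, last[client]))
            last[client] = 0
        elif incoming > 0:
            last[client] = incoming
        if rec["status"] == "UPDATE_OK" and rec["outgoing"] != "N/A":
            last[client] = int(rec["outgoing"])
    return resets

# Constructed sample in the post's log format (placeholder principals/address).
_T = ("success, client=kiprop/kdc2.example.test@EXAMPLE.TEST,"
      "service=kiprop/kdc1.example.test@EXAMPLE.TEST, addr=192.0.2.20")
_H = "kdc1 kadmind[9394](Notice): Request:"
SAMPLE = [
    f"Nov 10 10:43:46 {_H} iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, {_T}",
    f"Nov 10 10:43:46 {_H} iprop_full_resync_1, spawned resync process 14944, {_T}",
    f"Nov 10 10:44:51 {_H} iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=208; Outgoing SerialNo=N/A, {_T}",
    f"Nov 10 10:45:21 {_H} iprop_get_updates_1, UPDATE_OK; Incoming SerialNo=208; Outgoing SerialNo=209, {_T}",
    f"Nov 10 10:45:51 {_H} iprop_get_updates_1, UPDATE_FULL_RESYNC_NEEDED; Incoming SerialNo=0; Outgoing SerialNo=N/A, {_T}",
    f"Nov 10 10:46:57 {_H} iprop_get_updates_1, UPDATE_NIL; Incoming SerialNo=210; Outgoing SerialNo=N/A, {_T}",
]
if __name__ == "__main__":
    print(serial_resets(SAMPLE))
```

To run it against a real log, pass the lines of the admin_server log file to `serial_resets()`; the first poll after kpropd starts is not counted, because no earlier non-zero serial is known for that client.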
