.\" $NetBSD: iprop.8,v 1.3 2011/04/28 14:07:13 wiz Exp $
.\"
.\" Id
.\"
.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 24, 2005
.Dt IPROP 8
.Os
.Sh NAME
.Nm iprop ,
.Nm ipropd-master ,
.Nm ipropd-slave
.Nd propagate changes to a Heimdal Kerberos master KDC to slave KDCs
.Sh SYNOPSIS
.Nm ipropd-master
.Oo Fl c Ar string \*(Ba Xo
.Fl Fl config-file= Ns Ar string
.Xc
.Oc
.Oo Fl r Ar string \*(Ba Xo
.Fl Fl realm= Ns Ar string
.Xc
.Oc
.Oo Fl k Ar kspec \*(Ba Xo
.Fl Fl keytab= Ns Ar kspec
.Xc
.Oc
.Oo Fl d Ar file \*(Ba Xo
.Fl Fl database= Ns Ar file
.Xc
.Oc
.Op Fl Fl slave-stats-file= Ns Ar file
.Op Fl Fl time-missing= Ns Ar time
.Op Fl Fl time-gone= Ns Ar time
.Op Fl Fl detach
.Op Fl Fl version
.Op Fl Fl help
.Nm ipropd-slave
.Oo Fl c Ar string \*(Ba Xo
.Fl Fl config-file= Ns Ar string
.Xc
.Oc
.Oo Fl r Ar string \*(Ba Xo
.Fl Fl realm= Ns Ar string
.Xc
.Oc
.Oo Fl k Ar kspec \*(Ba Xo
.Fl Fl keytab= Ns Ar kspec
.Xc
.Oc
.Op Fl Fl time-lost= Ns Ar time
.Op Fl Fl detach
.Op Fl Fl version
.Op Fl Fl help
.Ar master
.Sh DESCRIPTION
.Nm ipropd-master
is used to propagate changes to a Heimdal Kerberos database from the
master Kerberos server on which it runs to slave Kerberos servers
running
.Nm ipropd-slave .
.Pp
The slaves are specified by the contents of the
.Pa slaves
file in the KDC's database directory, e.g.\&
.Pa /var/heimdal/slaves .
This file lists principals, one per line, of the form
.Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM
where
.Ar slave
is the hostname of the slave server in the given
.Ar REALM ,
e.g.\&
.Dl iprop/kerberos-1.example.com@EXAMPLE.COM
On a slave, the argument
.Fa master
specifies the hostname of the master server from which to receive updates.
.Pp
In contrast to
.Xr hprop 8 ,
which sends the whole database to the slaves regularly,
.Nm
normally sends only the changes as they happen on the master.
The master keeps track of all the changes by assigning a version
number to every change to the database.
The slaves know which was the latest version they saw, and in this
way it can be determined if they are in sync or not.
A log of all the changes is kept on the master.
When a slave is at an older version than the oldest one in the log,
the whole database has to be sent.
.Pp
The changes are propagated over a secure channel (on port 2121 by
default).
This should normally be defined as
.Dq iprop/tcp
in
.Pa /etc/services
or another source of the services database.
The master and slaves
must each have access to a keytab with keys for the
.Nm iprop
service principal on the local host.
.Pp
There is a keep-alive feature logged in the master's
.Pa slave-stats
file (e.g.\&
.Pa /var/heimdal/slave-stats ) .
.Pp
Supported options for
.Nm ipropd-master :
.Bl -tag -width Ds
.It Fl c Ar string , Fl Fl config-file= Ns Ar string
.It Fl r Ar string , Fl Fl realm= Ns Ar string
.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
keytab to get authentication from
.It Fl d Ar file , Fl Fl database= Ns Ar file
Database (default per KDC)
.It Fl Fl slave-stats-file= Ns Ar file
file for slave status information
.It Fl Fl time-missing= Ns Ar time
time before slave is polled for presence (default 2 min)
.It Fl Fl time-gone= Ns Ar time
time of inactivity after which a slave is considered gone (default 5 min)
.It Fl Fl detach
detach from console
.It Fl Fl version
.It Fl Fl help
.El
.Pp
Supported options for
.Nm ipropd-slave :
.Bl -tag -width Ds
.It Fl c Ar string , Fl Fl config-file= Ns Ar string
.It Fl r Ar string , Fl Fl realm= Ns Ar string
.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
keytab to get authentication from
.It Fl Fl time-lost= Ns Ar time
time before server is considered lost (default 5 min)
.It Fl Fl detach
detach from console
.It Fl Fl version
.It Fl Fl help
.El
Time arguments for the relevant options above may be specified in forms
like 5 min, 300 s, or simply a number of seconds.
.Sh FILES
.Pa slaves ,
.Pa slave-stats
in the database directory.
.Sh SEE ALSO
.Xr krb5.conf 5 ,
.Xr hprop 8 ,
.Xr hpropd 8 ,
.Xr iprop-log 8 ,
.Xr kdc 8 .
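
Because the slaves file described under DESCRIPTION specifies which iprop principals count as slaves, it is worth auditing before the master is started. The shell function below is an added example, not part of the Heimdal or NetBSD sources; the name audit_slaves, its findings, the hostname character set and the skipping of blank lines are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a Heimdal iprop "slaves" file.
# Usage: audit_slaves FILE REALM
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
audit_slaves() {
    file=$1 realm=$2 findings=0 n=0 seen=
    [ -r "$file" ] || { echo "$file: cannot read"; return 1; }

    # The file lists the slave principals, so only its owner should
    # be able to change it.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$file: writable by group or others"
        findings=$((findings + 1))
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue      # assumption: blank lines are ignored
        case $line in
            iprop/*@*) ;;
            *)  echo "$file:$n: not of the form iprop/slave@REALM: $line"
                findings=$((findings + 1)); continue ;;
        esac
        host=${line#iprop/}; host=${host%@*}
        lrealm=${line##*@}
        case $host in                   # letters, digits, dots, hyphens
            ''|*[!A-Za-z0-9.-]*)
                echo "$file:$n: bad slave hostname: $line"
                findings=$((findings + 1)); continue ;;
        esac
        if [ "$lrealm" != "$realm" ]; then
            echo "$file:$n: realm $lrealm is not $realm"
            findings=$((findings + 1)); continue
        fi
        case " $seen " in
            *" $line "*)
                echo "$file:$n: duplicate entry: $line"
                findings=$((findings + 1)) ;;
        esac
        seen="$seen $line"
    done < "$file"
    [ "$findings" -eq 0 ]
}
```

For the example paths in this page it would be called as audit_slaves /var/heimdal/slaves EXAMPLE.COM.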