The /opt/krb5/sbin/kpropd daemon propagates the principal database from
one security server to another. It starts running when the security
server starts up. It propagates principal records from a given security
server to kpropd on the receiving security server or, if kpropd is not
running on that system, to the propagation plug-in on the receiving
security server.
Propagation generally occurs downward through the propagation hierarchy
from parent server to child server as configured in the kpropd.ini file.
During downward incremental propagation, kpropd refers to the prop_q.wrk file for changes to principal records and propagates
only those records that have changed during the current propagation
cycle.
When the failed authentication count of a principal increments, kpropd
initiates upward propagation. During an upward incremental propagation,
kpropd updates those principals on the primary security server whose
failed authentication count values were incremented during the current
propagation cycle.
If propagation to a particular server fails, kpropd writes the
unpropagated principal records to a prop_hostname file on the host name server.
At the end of a successful propagation, each security server
has an up-to-date principal database, and each server above or below
the propagating server in the hierarchy has an empty prop_hostname file, where hostname is the receiving server.
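A check that follows from the description above, as an added example that is not part of the original documentation: it reports every non-empty prop_hostname file in a directory, which indicates records that have not yet reached that server. The directory argument, the host names and the sample file contents are assumptions, since the page does not state where these files are stored or how records are encoded.

```shell
#!/bin/sh
# prop_backlog DIR
# Prints "<hostname> <bytes>" for every non-empty prop_<hostname> file in DIR.
# Returns 1 if any backlog was found, 0 if every per-host file is empty.
# DIR is supplied by the caller (assumption: the page does not name the location).
prop_backlog() {
    dir=$1
    pending=0
    for f in "$dir"/prop_*; do
        # Skip an unmatched glob and anything that is not a regular file.
        [ -f "$f" ] || continue
        name=${f##*/}
        # prop_q.wrk is the incremental work queue, not a per-host file.
        [ "$name" = "prop_q.wrk" ] && continue
        # An empty file means propagation to that host completed.
        [ -s "$f" ] || continue
        host=${name#prop_}
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s\n' "$host" "$bytes"
        pending=1
    done
    return "$pending"
}

# Constructed sample data: two receiving servers, one with unpropagated records.
# The file contents are placeholders, not the real record format.
demo_dir=$(mktemp -d)
: > "$demo_dir/prop_kdc2.example.com"
printf 'record-a\nrecord-b\n' > "$demo_dir/prop_kdc3.example.com"
prop_backlog "$demo_dir" || echo "propagation backlog present"
rm -rf "$demo_dir"
```

A file that stays non-empty across several propagation cycles points to a receiving server that kpropd cannot reach.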
For a detailed description of propagation configuration, see “Setting
Up Propagation”.