The /opt/krb5/kpropd.ini file is the propagation configuration file that the
mkpropcf tool creates from the information in the local krb.conf file. Ensure
that only authorized users have access to this file. Unauthorized access to
kpropd.ini can jeopardize the integrity of your realm: an intruder who can
modify or replace entries in it can alter the propagation hierarchy and, through
it, your principal database.

If you add or remove servers from the propagation hierarchy, that is, if you
modify the kpropd.ini file, stop and restart the kpropd daemon on each security
server. Restarting kpropd ensures that the servers propagate to any newly added
server and stop propagating to servers removed from the kpropd.ini file.

The general syntax for the kpropd.ini file is as follows:

    [default_values]
    interval=n[s|m|h|d]
    key_exp=n[s|m|h|d]
    max_cache=n[K|M]
    max_retry_delay=n[s|m|h|d]
    net_timeout=n[s|m|h|d]
    port=port_name
    primary_realm=DEFAULT_REALM
    realms=[all|realm1[,realm2][,...]]
    service_name=service_principal_name

    [secsrv1_name]
    child=secsrv2_name

    [secsrv2_name]
    child1=secsrv3_name
    child2=secsrv4_name
    parent=secsrv1_name
When adding entries to the kpropd.ini file, consider the following:

- Specify each value with a statement of the form name=value, one per line.
- Any character following a pound sign (#) on a given line is ignored as a comment.
- Blank lines are ignored.
- Use a backslash (\) at the end of a line to continue the statement on the next line.
Sections
The kpropd.ini file stores the configuration parameters required for
propagation. It contains the following sections:

- The [default_values] section controls the global propagation properties.
  The listed values apply to all security servers unless you override a
  default by specifying a different value in the [secsrv_name] section for a
  given security server.
- The [secsrv_name] section lists each security server in accordance with your
  propagation hierarchy, where secsrv_name is the fully qualified domain name
  (FQDN) of the security server. The listed values apply only to that server.
  You must configure a [secsrv_name] section for each security server in your
  realm in order to identify its parent-child relationships in the propagation
  hierarchy; overriding one or more default values for a given server in that
  section is optional.
Following is a brief description of the kpropd.ini file sections.

The [default_values] Section

You cannot override the interval, service_name, or primary_realm values that
you set in the [default_values] section. In other words, the values you set for
these parameters in the [default_values] section take precedence over any value
you assign to them in the subsequent [secsrv_name] sections. Following are the
options in the [default_values] section:

- interval=n[s|m|h|d]
  Specifies how often to propagate database changes to the other security
  servers, where n indicates the number of seconds, minutes, hours, or days.
  The default value is 15 seconds.

  NOTE: Intervals of less than 15 seconds may generate a lot of network
  traffic during peak authentication.

- key_exp=n[s|m|h|d]
  Specifies the length of time for which a session key is valid, where n
  indicates the number of seconds, minutes, hours, or days. The default value
  is 6 hours.

- max_cache=n[K|M]
  Specifies the maximum size that each cache file of the security server
  (prop_hostname) can reach before it is deleted, where n indicates the number
  of bytes, kilobytes, or megabytes. A deleted cache file initiates a full
  database propagation when the connection is re-established. The default
  value is 1024 kilobytes.

- max_retry_delay=n[s|m|h|d]
  When kpropd attempts to establish a connection with a secondary security
  server and the attempt fails, kpropd waits for a period of time called the
  retry delay, initially set to 1 minute. With each subsequent timeout, the
  retry delay doubles. max_retry_delay is the largest retry delay kpropd
  waits through; once the delay reaches this value, kpropd terminates its
  attempts to establish a connection with the secondary security server and
  logs the failure to the system log.

- net_timeout=n[s|m|h|d]
  Specifies the length of time the propagation system waits for a response
  from any security server before terminating the connection, where n
  indicates the number of seconds, minutes, hours, or days. When a timeout
  occurs, all records awaiting propagation are cached in the prop_hostname
  file associated with the target server. When a connection to the server is
  re-established, the records in the cache file are propagated. The default
  value is 30 seconds.

- port=port_name
  Specifies the communication port over which the database is propagated. The
  value can be a well-known service name or a numeric value, but it must be
  listed in the /etc/services file. The default port is kerberos-adm.

- primary_realm=DEFAULT_REALM
  Specifies the default realm of the primary security server. If the krb.conf
  file does not exist, DEFAULT_REALM is assigned the uppercase equivalent of
  the domain name.

- realms=[all|realm1[,realm2][,...]]
  Specifies the realms whose records are propagated to the secondary security
  servers. The default value, all, propagates principal records from all
  realms to all security servers.

- service_name=service_principal_name
  Specifies the name of the service principal with access to the propagation
  system on the local security server. The default value is host/fqdn@REALM,
  where fqdn is the FQDN of the host and REALM is the realm name of the host.
The [secsrv_name] Section

The secsrv_name of each section is the FQDN of the security server that the
section describes. Following are the options in a [secsrv_name] section:

- child=secsrv_name, or childN=secsrv_name (child1, child2, ...) when the
  server has more than one child
  Names a secondary security server to which this server propagates records.

- parent=secsrv_name
  Names the security server from which this server receives propagated
  records. The primary security server, at the top of the hierarchy, has no
  parent entry.

- Any [default_values] option other than interval, service_name, and
  primary_realm (for example, realms)
  Overrides the default value for this server only.

Following is a sample krb.conf realm listing from which mkpropcf derives the
[secsrv_name] sections shown below:

    REALM1
    REALM1 secsrv1.company.com admin server
    REALM2 secsrv1.company.com admin server
    REALM1 secsrv2.company.com
    REALM2 secsrv2.company.com
    REALM1 secsrv3.company.com
    REALM2 secsrv4.company.com
The [secsrv_name] sections in the following sample denote a propagation
hierarchy in which secsrv1 is the primary security server and the parent of the
secondary security server secsrv2. In addition, secsrv2 is the parent of the
secondary security servers secsrv3 and secsrv4. The security servers secsrv1
and secsrv2 support the realms REALM1 and REALM2. The secondary security server
secsrv3 supports only REALM1, while secsrv4 supports only REALM2. All servers
have a host/fqdn principal in REALM1.

Following is a sample [default_values] section together with the [secsrv_name]
sections for this hierarchy:

    [default_values]
    interval=15s
    key_exp=6h
    max_cache=1024K
    max_retry_delay=1h
    net_timeout=30s
    port=kerberos-adm
    primary_realm=REALM1
    realms=all
    service_name=host

    [secsrv1]
    child=secsrv2

    [secsrv2]
    child1=secsrv3
    child2=secsrv4
    parent=secsrv1

    [secsrv3]
    parent=secsrv2
    realms=REALM1

    [secsrv4]
    parent=secsrv2
    realms=REALM2
The [default_values] section lists the default values that mkpropcf may create
from the krb.conf file on a primary security server whose default realm is
REALM1. The propagation hierarchy written to kpropd.ini is derived from the
security servers that support the default realm. Because the krb.conf file
cannot describe a propagation hierarchy in which secondary security servers
themselves have secondary security servers, edit the kpropd.ini file by hand to
support such relationships.
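The checks this page asks an administrator to make by hand (restrict access to kpropd.ini, keep every parent and child entry consistent across sections, and never override interval, service_name or primary_realm in a [secsrv_name] section) can be automated before kpropd is restarted. The following Python linter is an added example, not part of the HP Kerberos Server documentation or its mkpropcf/kpropd tools. It reads the file format exactly as described above (name=value lines, # comments, backslash continuation, n[s|m|h|d] and n[K|M] quantities); the INI text embedded in it is constructed to mirror the sample hierarchy above with FQDN section names, and all function names are the example's own.

```python
# Lint a kpropd.ini file against the rules on this page.  Added example; not code
# from the HP Kerberos Server product or its mkpropcf/kpropd tools.
import re
import stat

TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}   # n[s|m|h|d]
SIZE_UNITS = {"": 1, "K": 1024, "M": 1024 * 1024}               # n[K|M]
GLOBAL_ONLY = {"interval", "service_name", "primary_realm"}     # not overridable per server

def parse_ini(text):
    """Return {section: {key: value}}; '#' starts a comment, a trailing '\\' joins the next line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = (pending + line).strip(), ""
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def parse_quantity(value, units):
    """Decode n[unit] with a unit table: parse_quantity('6h', TIME_UNITS) -> 21600."""
    m = re.fullmatch(r"(\d+)([A-Za-z]?)", value)
    if not m or m.group(2) not in units:
        raise ValueError(f"bad quantity: {value!r}")
    return int(m.group(1)) * units[m.group(2)]

def mode_is_private(st_mode):
    """True when the file mode grants group and other no access, e.g. 0600."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def lint_hierarchy(sections):
    """Return the problems found in the [secsrv_name] sections (empty if consistent)."""
    servers = {n: o for n, o in sections.items() if n != "default_values"}
    problems = []
    for name, opts in servers.items():
        problems += [f"[{name}]: {k} may only be set in [default_values]"
                     for k in sorted(opts.keys() & GLOBAL_ONLY)]
        parent = opts.get("parent")
        if parent is not None and parent not in servers:
            problems.append(f"[{name}]: parent {parent} has no section")
        elif parent is not None and name not in {
                v for k, v in servers[parent].items() if k.startswith("child")}:
            problems.append(f"[{name}]: parent {parent} does not list it as a child")
        for key, child in opts.items():
            if key.startswith("child") and child not in servers:
                problems.append(f"[{name}]: child {child} has no section")
            elif key.startswith("child") and servers[child].get("parent") != name:
                problems.append(f"[{name}]: child {child} names a different parent")
    roots = [n for n, o in servers.items() if "parent" not in o]
    if len(roots) != 1:
        problems.append(f"expected exactly one primary (no parent), found {roots}")
    else:  # every server must be reachable from the primary by following child links
        reached, todo = set(), [roots[0]]
        while todo:
            cur = todo.pop()
            if cur in servers and cur not in reached:
                reached.add(cur)
                todo += [v for k, v in servers[cur].items() if k.startswith("child")]
        problems += [f"[{n}]: not reachable from primary {roots[0]}"
                     for n in sorted(set(servers) - reached)]
    return problems

# Constructed sample mirroring the page's hierarchy, with FQDN section names.
SAMPLE_OK = """\
[default_values]
interval=15s
max_cache=1024K
primary_realm=REALM1
realms=all
service_name=host/secsrv1.company.com@REALM1

[secsrv1.company.com]
child=secsrv2.company.com
[secsrv2.company.com]
child1=secsrv3.company.com
child2=secsrv4.company.com
parent=secsrv1.company.com
realms=REALM1,\\
REALM2
[secsrv3.company.com]
parent=secsrv2.company.com
realms=REALM1
[secsrv4.company.com]
parent=secsrv2.company.com   # only REALM2 records are propagated here
realms=REALM2
"""
# The same file with two defects: a misspelled section header and a per-server interval.
SAMPLE_BAD = (SAMPLE_OK.replace("[secsrv1.company.com]", "[sersrv1.company.com]")
              .replace("realms=REALM1\n", "realms=REALM1\ninterval=5s\n", 1))
```

On a real server, run lint_hierarchy(parse_ini(open("/opt/krb5/kpropd.ini").read())) on each security server before restarting kpropd, and check mode_is_private(os.stat("/opt/krb5/kpropd.ini").st_mode) to enforce the access restriction the page asks for. The misspelled [sersrv1.company.com] header in SAMPLE_BAD is the kind of mistake the parent/child cross-check is there to catch: secsrv2 names a parent that has no section, and the misspelled section's child names a different parent.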