The kpropd.ini file

The kpropd.ini file is the propagation configuration file that mkpropcf creates using the information in the local krb.conf file. This file is generally located at:

Ensure that only authorized users have access to this file. Unauthorized access to kpropd.ini could jeopardize the integrity of your realm: intruders who modify or replace entries could also modify your principal database. If you add or remove servers from the propagation hierarchy, that is, if you modify the kpropd.ini file, you must stop and restart the kpropd daemon on each security server. Stopping and restarting kpropd ensures that the servers propagate to any newly added servers and stop propagating to the servers removed from kpropd.ini.

The general syntax of this file is:

    [default_values]
        interval=n[s|m|h|d]
        key_exp=n[s|m|h|d]
        max_cache=n[K|M]
        max_retry_delay=n[s|m|h|d]
        net_timeout=n[s|m|h|d]
        port=port_name
        primary_realm=DEFAULT_REALM
        realms=[all|realm1[,realm2][,...]]
        service_name=service_principal_name

    [secsrv1_name]
        child=secsrv2_name

    [secsrv2_name]
        child1=secsrv3_name
        child2=secsrv4_name
        parent=secsrv1_name
Format

When adding entries to the kpropd.ini file, consider the following:

- Specify values with a statement of the form name=value.
- Any character following a pound sign (#) on a given line is ignored as a comment.
- Blank lines are ignored.
- Use a backslash (\) to extend a statement onto the next line.
Sections
kpropd.ini stores the configuration parameters important to propagation. This file contains the following sections:

- The [default_values] section controls the global propagation properties. The listed values apply to all security servers unless you override the defaults by specifying different values in the [secsrv_name] section for a given security server.
- The [secsrv_name] section lists each security server according to your propagation hierarchy, where secsrv_name is the fully qualified domain name of the security server. The listed values apply only to that server.

You must configure a [secsrv_name] section for each security server in your realm in order to:

- Identify its parent-child relationships in the propagation hierarchy.
- Override one or more default values for that server (optional).

A brief description of the kpropd.ini parameters follows. You cannot override the interval, service_name, or primary_realm values that you set in the [default_values] section: the values you set for these parameters there override any different values you assign to them in the subsequent [secsrv_name] sections.

- interval=n[s|m|h|d]
  Specifies how often to propagate database changes to the other security servers, where n is the number of seconds, minutes, hours, or days. The default value is 15 seconds (15s). The default unit is seconds.
  NOTE: Intervals of less than 15s could generate too much network traffic during peak authentication times.
- key_exp=n[s|m|h|d]
  Specifies the length of time a session key is valid, where n is the number of seconds, minutes, hours, or days. The default value is six hours (6h). The default unit is hours.
- max_cache=n[K|M]
  Specifies the maximum size that each security server's cache file (prop_hostname) can reach before it is deleted, where n is the number of bytes, kilobytes, or megabytes. A deleted cache file triggers a full database propagation when the connection is re-established. The default value is 1024K. The default unit is bytes.
- max_retry_delay=n[s|m|h|d]
  When kpropd attempts to establish a connection with a secondary server and the attempt fails, kpropd waits for a period of time called the retry delay, initially set to one minute. With each subsequent timeout, the retry delay doubles. max_retry_delay is the maximum interval between retries that kpropd waits before it terminates its attempt to establish a connection with the secondary server and logs the failure to the system log.
- net_timeout=n[s|m|h|d]
  Specifies the length of time the propagation system waits for a response from any security server before terminating the connection, where n is the number of seconds, minutes, hours, or days. When a timeout occurs, all records awaiting propagation are cached in the prop_hostname file associated with the target server; when a connection to the server is re-established, the records in the cache file are propagated. The default value is 30 seconds (30s). The default unit is seconds.
- port=port_name
  Specifies the communication port over which to propagate the database. The value can be a well-known service name or a numeric value, but must be listed in the Services file. The default port is kerberos-adm.
- primary_realm=DEFAULT_REALM
  Specifies the default realm of the primary security server. If the krb.conf file does not exist, DEFAULT_REALM is set to the uppercase equivalent of the domain name.
- realms=[all|realm1[,realm2][,...]]
  Specifies the realms whose records are propagated to the secondary servers. The default value, all, propagates principal records from all realms to all security servers.
- service_name=service_principal_name
  Specifies the name of the service principal with access to the propagation system on the local security server, where service_principal_name is the name of that service principal. The default value is host/fqdn@REALM, where fqdn is the host's fully qualified domain name and REALM is the host's realm name.
- [secsrv_name]
  secsrv_name is the fully qualified domain name of the security server specific to this section.

The sample [default_values] section below lists the default values mkpropcf might create using the information from the krb.conf file on a primary security server that supports REALM1 as its default realm. The propagation hierarchy that kpropd creates is derived from the security servers that support the default realm.

The sample [secsrv_name] sections below illustrate a propagation hierarchy where secsrv1 is the primary security server and the parent of one secondary server, secsrv2. In addition, secsrv2 is the parent of the secsrv3 and secsrv4 secondary servers. secsrv1 and secsrv2 support two realms, REALM1 and REALM2. secsrv3 supports only REALM1, while secsrv4 supports only REALM2. All servers have a host/fqdn principal in REALM1. The Kerberos configuration files on all servers contain the following entries:

    REALM1
    REALM1 secsrv1.company.com admin server
    REALM2 secsrv1.company.com admin server
    REALM1 secsrv1.company.com
    REALM2 secsrv2.company.com
    REALM2 secsrv2.company.com
    REALM1 secsrv3.company.com
    REALM2 secsrv4.company.com
Because the krb.conf file cannot describe a propagation hierarchy in which secondary servers themselves have secondary servers, you must edit the kpropd.ini file to express such relationships:

    [default_values]
        interval=15s
        key_exp=6h
        max_cache=1024K
        max_retry_delay=1h
        net_timeout=30s
        port=kerberos-adm
        primary_realm=REALM1
        realms=all
        service_name=host

    [secsrv1]
        child = secsrv2

    [secsrv2]
        child1 = secsrv3
        child2 = secsrv4
        parent = secsrv1

    [secsrv3]
        parent = secsrv2
        realms = REALM1

    [secsrv4]
        parent = secsrv2
        realms = REALM2
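The Format rules, the override rule for interval, service_name and primary_realm, and the parent/child hierarchy above are easy to get wrong by hand, and a mistake is only noticed after kpropd has been restarted on every server. The following is an added example, not code from the original page or from the NAS product: it parses a kpropd.ini file by the stated rules (pound-sign comments, blank lines ignored, backslash line extension, one [secsrv_name] section per server), computes each server's effective settings, and checks that every child's section names the right parent, that there is exactly one root, and that no parent chain loops. The SAMPLE text is constructed from the hierarchy described on this page (its service_name value is an assumed full principal in the page's host/fqdn@REALM form, written over a continuation line); the function names, the matching of child, child1, child2 keys by a child\d* pattern, and the mode_problems check for a group- or world-writable file are this example's own assumptions, not the product's API.

```python
# Added example, not code from the original page or from the NAS product: a
# parser and sanity checker for kpropd.ini that applies the format rules above
# and the rule that some defaults cannot be overridden per server.
import re
import stat

DURATION_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Keys that a [secsrv_name] section cannot override once set in [default_values].
GLOBAL_ONLY = {"interval", "service_name", "primary_realm"}


def parse_duration(value, default_unit="s"):
    """n[s|m|h|d] -> seconds; a bare number is taken in default_unit."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration {value!r}")
    return int(m.group(1)) * DURATION_UNITS[m.group(2) or default_unit]


def parse_kpropd_ini(text):
    """Return {section: {key: value}}; a key repeated in a section keeps its last value."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0]      # '#' to end of line is a comment
        if line.rstrip().endswith("\\"):           # backslash extends onto the next line
            pending = line.rstrip()[:-1]
            continue
        pending, line = "", line.strip()
        if not line:                               # blank lines are ignored
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"not a section header or name=value: {raw!r}")
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections


def effective(sections, server):
    """Defaults merged with one server's overrides; global-only keys keep the default."""
    cfg = dict(sections.get("default_values", {}))
    for key, value in sections[server].items():
        if not (key in GLOBAL_ONLY and key in cfg):
            cfg[key] = value
    return cfg


def check_hierarchy(sections):
    """List ignored overrides, inconsistent parent/child links, extra roots and cycles."""
    servers = {n: c for n, c in sections.items() if n != "default_values"}
    problems = []
    for name, cfg in servers.items():
        for key, value in cfg.items():
            if key in GLOBAL_ONLY:
                problems.append(f"[{name}] {key} cannot be overridden; default_values wins")
            elif re.fullmatch(r"child\d*", key):   # child, child1, child2, ... (assumed pattern)
                if value not in servers:
                    problems.append(f"[{name}] child {value} has no section")
                elif servers[value].get("parent") != name:
                    problems.append(f"[{value}] parent should be {name}")
        seen, cur = set(), name                    # walk the parent chain up to the root
        while cur in servers and "parent" in servers[cur]:
            if cur in seen:
                problems.append(f"parent cycle through {cur}")
                break
            seen.add(cur)
            cur = servers[cur]["parent"]
    roots = [n for n, c in servers.items() if "parent" not in c]
    if len(roots) != 1:
        problems.append(f"expected one root (the primary server), found {roots}")
    return list(dict.fromkeys(problems))


def mode_problems(st_mode):
    """st_mode bits of kpropd.ini: anyone but the owner writing it can reshape propagation."""
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return ["kpropd.ini is writable by group or other"]
    return []


# Constructed input: the hierarchy described on this page, plus a comment, a
# continuation line and one override that the rules say is ignored.
SAMPLE = """\
[default_values]
    interval=15s
    primary_realm=REALM1
    realms=all
    service_name = \\
        host/secsrv1.company.com@REALM1
[secsrv1]
    child = secsrv2
[secsrv2]
    child1 = secsrv3
    child2 = secsrv4
    parent = secsrv1
[secsrv3]
    parent = secsrv2
    realms = REALM1
[secsrv4]
    parent = secsrv2        # every other value comes from default_values
    realms = REALM2
    interval = 5s           # ignored: interval is global-only
"""
```

check_hierarchy(parse_kpropd_ini(SAMPLE)) returns a single finding, that the interval override in [secsrv4] is ignored; everything else in the sample is consistent. Before restarting kpropd on every server after an edit, run the checker over the real file and pass os.stat(path).st_mode to mode_problems, since a group- or world-writable kpropd.ini is exactly the exposure the warning at the top of this page describes.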