On 4/29/2013 7:34 PM, Nico Williams wrote:
> On Mon, Apr 29, 2013 at 4:09 PM, Dave Steiner <[email protected]> wrote:
>> I've turned on incremental propagation for my two test Kerberos machines but
>> continually tries to do a full sync but doesn't.
> What version of MIT krb5 are you using?

Just upgraded to 1.11.2 (from 1.9.2)

>> Before starting this (as I had worked with iprop a few months back) did a full
>> kprop and deleted the principal.ulog files to start fresh.
> BTW, there's a kproplog -R option to reset the ulog now. You should use that.

Thanks!

>> One odd thing about our setup is we have multiple realms. As far as I can tell
>> from previously playing with iprop is that it doesn't work on multiple realms.
>> But at this time, I just want to iprop my default realm.
> Multiple realms in one KDB principal file? Or just multiple realms on a host?
>
> IIUC krb5kdc supports multiple realms in a single KDB just fine, but
> kadmind doesn't, and kadmind plays a big role in iprop.

Multiple realms in a single kdc.conf. Running multiple kadmind's on different
ports. That has worked fine for normal propagation.

>> Any ideas why (1) it thinks it needs to do a full resync (kproplog shows one new
>> update on the master), and (2) why it's not doing the full resync? What can I
>> check to see why it's not working.
> Can you truss/strace the kadmind (and follow fork and exec) and see
> what's happening? It's probably a misconfiguration that will become
> evident as soon as you see open(2) return some ENOENT in the
> truss/strace output.

I will try this tomorrow and let you know. Thanks!

-ds

> Nico
> --

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
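
The check suggested in the thread (look for open(2) returning ENOENT in the strace output), as an added example that is not part of the original messages: a small parser for `strace -f` text output that lists failed open/openat calls per process, including calls split across `<unfinished ...>` / `<... resumed>` lines. The sample trace, its /example/ paths and the function name `failed_opens` are constructed for illustration.

```python
import re

# Constructed sample of "strace -f" output; paths are placeholders, not real krb5 paths.
SAMPLE = """\
4242 open("/example/etc/present.conf", O_RDONLY) = 3
4242 open("/example/var/missing-one", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 openat(AT_FDCWD, "/example/var/missing-two", O_RDONLY <unfinished ...>
4242 close(3) = 0
4243 <... openat resumed>) = -1 ENOENT (No such file or directory)
[pid 4244] open("/example/var/no-permission", O_RDWR) = -1 EACCES (Permission denied)
"""

# With -f, strace prefixes lines with "[pid N] " (terminal) or "N " (-o file).
PREFIX = r'^(?:\[pid\s+(?P<pid1>\d+)\]\s+|(?P<pid2>\d+)\s+)?'
CALL = re.compile(PREFIX + r'(?P<sys>open|openat)\((?:[^",]+, )?"(?P<path>[^"]*)"'
                  r'(?P<rest>.*)$')
RESUMED = re.compile(PREFIX + r'<\.\.\. (?P<sys>open|openat) resumed>(?P<rest>.*)$')
RESULT = re.compile(r'=\s+-1\s+(?P<errno>E[A-Z]+)')

def failed_opens(trace_text, errnos=("ENOENT",)):
    """Return (pid, syscall, path, errno) for open/openat calls that failed."""
    pending = {}   # (pid, syscall) -> path of a call interrupted by "<unfinished ...>"
    hits = []
    for line in trace_text.splitlines():
        m = CALL.match(line)
        if m:
            pid = m.group("pid1") or m.group("pid2") or "-"
            if "<unfinished ...>" in m.group("rest"):
                pending[(pid, m.group("sys"))] = m.group("path")
                continue
            path = m.group("path")
        else:
            m = RESUMED.match(line)
            if not m:
                continue
            pid = m.group("pid1") or m.group("pid2") or "-"
            path = pending.pop((pid, m.group("sys")), None)
            if path is None:      # resumed line without a matching start
                continue
        r = RESULT.search(m.group("rest"))
        if r and r.group("errno") in errnos:
            hits.append((pid, m.group("sys"), path, r.group("errno")))
    return hits

if __name__ == "__main__":
    for hit in failed_opens(SAMPLE, errnos=("ENOENT", "EACCES")):
        print(*hit)
```

Passing `errnos=("ENOENT", "EACCES")` also surfaces permission failures, which show up the same way in a trace.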
