On 4/1/2017 5:22 PM, Jeffrey Hutzelman wrote:
On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
I am looking for a quick way to get a snapshot of the Kerberos database file.

The most obvious way to do this would be to shut down the Kerberos service, copy the file, and restart the service. This could be done on one of the replicas, perhaps one that does not get actual authentication requests.

Is there a faster way? For example, some database systems (e.g., MS SQL) have the ability to go into and out of a "quiescent" state faster than a full service stop/start to facilitate this sort of thing. Does Heimdal have something like this? Or is the full service restart the only/best option?


hprop --stdout

will produce a database dump that you can reload later if needed.

I did a round trip (hprop --stdout | hpropd --stdin) and the resulting heimdal.db has the same size as the original but a _different_ checksum.

Doing a "kadmin -l dump" on both database files I see that the output is almost the same, except each entry has some sort of counter that gets incremented. What is that counter for?

Adam Lewenberg





kadmin -l list -l '*'

will produce a verbose human-readable list of all the principals in the
database and their attributes. Note that this is not particularly
machine-readable and does not include keys, so it's not a backup.


-- Jeff

