Re: How to quickly get a snapshot of the Heimdal DB file
On 4/1/2017 5:22 PM, Jeffrey Hutzelman wrote:
> On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos
>> database file.
>>
>> The most obvious way to do this would be to shutdown the kerberos
>> service, copy the file, and restart the service. This could be done on
>> one of the replicas, perhaps one that does not get actual
>> authentication requests.
>>
>> Is there a faster way? For example, some database systems (e.g., MS
>> SQL) have the ability to go into and out of a "quiescent" state faster
>> than a full service stop/start to facilitate this sort of thing. Does
>> Heimdal have something like this? Or is the full service restart the
>> only/best option?
>
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

I did a round trip (hprop --stdout | hpropd --stdin) and the resulting heimdal.db has the same size as the original but a _different_ checksum. Doing a "kadmin -l dump" on both database files I see that the output is almost the same, except each entry has some sort of counter that gets incremented. What is that counter for?

Adam Lewenberg

> kadmin -l list -l '*'
>
> will produce a verbose human-readable list of all the principals in the
> database and their attributes. Note that this is not particularly
> machine-readable and does not include keys, so it's not a backup.
>
> -- Jeff
Re: How to quickly get a snapshot of the Heimdal DB file
This is the one I’ve always used. You can grep out specific entries and hand-edit them if you need to make changes not otherwise supported by the admin interface.

Also you can use this method to move full-strength cross-realm keys between installations.

It’s also a great way to undo an otherwise-dangerous experiment. ;-)

> On Apr 2, 2017, at 10:44 AM, Roland C. Dowdeswell wrote:
>
> On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
>>
>> I am looking for a quick way to get a snapshot of the Kerberos
>> database file.
>
> In addition to the other methods suggested already, you could just:
>
>     $ kadmin -l dump
>
> which can be later loaded with:
>
>     $ kadmin -l load
>
> Or one could even grep the entries out that you wish to restore and pass
> them to:
>
>     $ kadmin -l merge
>
> if, say, you wanted to revert some entries to the dump file that you
> created using the cronjob that we all generally have in place.
>
> --
> Roland C. Dowdeswell

Personal email. hbh...@oxy.edu
Re: How to quickly get a snapshot of the Heimdal DB file
On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
>
> I am looking for a quick way to get a snapshot of the Kerberos
> database file.

In addition to the other methods suggested already, you could just:

    $ kadmin -l dump

which can be later loaded with:

    $ kadmin -l load

Or one could even grep the entries out that you wish to restore and pass them to:

    $ kadmin -l merge

if, say, you wanted to revert some entries to the dump file that you created using the cronjob that we all generally have in place.

--
Roland C. Dowdeswell
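Added example, not part of any message in this thread: the "grep the entries out and pass them to kadmin -l merge" step, done with an exact match on the principal name so that selecting alice@EXAMPLE.ORG does not also pick up malice@EXAMPLE.ORG. The function names, realm and sample lines are constructed, and the script assumes one dump entry per line with the principal name as the first whitespace-delimited field.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one entry per line with the
# principal name as the first whitespace-delimited field.
umask 077   # dump entries carry long-term keys: keep every copy owner-only

# extract_principals DUMP OUT PRINCIPAL...
# Copies the entries for exactly the named principals from DUMP to OUT.
# Returns non-zero if any requested principal has no entry in DUMP.
extract_principals() {
    [ "$#" -ge 3 ] || return 2
    dump=$1; out=$2; shift 2
    printf '%s\n' "$@" | awk '
        NR == FNR    { want[$0] = 1; next }      # first input: wanted names
        ($1 in want) { print; seen[$1] = 1 }     # second input: the dump
        END {
            for (p in want) if (!(p in seen)) {
                print "no entry for " p > "/dev/stderr"; rc = 1
            }
            exit rc + 0
        }' - "$dump" > "$out"
}

# Constructed sample: real dump lines carry keys and attributes where
# FIELDS appears below.
make_sample_dump() {
    cat > "$1" <<'EOF'
alice@EXAMPLE.ORG FIELDS
malice@EXAMPLE.ORG FIELDS
alice/admin@EXAMPLE.ORG FIELDS
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG FIELDS
EOF
}

# Typical use on a KDC, with the commands named in the thread
# (paths are placeholders):
#   kadmin -l dump /path/to/dump
#   extract_principals /path/to/dump /path/to/restore alice@EXAMPLE.ORG
#   kadmin -l merge /path/to/restore
```

A plain grep for alice@EXAMPLE.ORG on the sample matches two lines; the exact first-field match returns one.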
Re: How to quickly get a snapshot of the Heimdal DB file
On 4/1/2017 5:52 PM, Nico Williams wrote:
> On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos
>> database file.
>>
>> The most obvious way to do this would be to shutdown the kerberos
>> service, copy the file, and restart the service. This could be done on
>> one of the replicas, perhaps one that does not get actual
>> authentication requests.
>
> You can use the lock sub-command of kadmin -l, copy the HDB, and then
> unlock.

I don't see that command in the man page. Is that a new command (we are still running Heimdal 1.5.2)?

Adam Lewenberg

> You could also setup a hidden slave on the same host as the master, then
> stop that ipropd-slave to take a snapshot of its HDB.
>
> Nico
Re: How to quickly get a snapshot of the Heimdal DB file
On 4/2/2017 10:37 AM, Adam Lewenberg wrote:
> I don't see that command in the man page. Is that a new command (we are
> still running Heimdal 1.5.2)?

kadmin lock was added to the master branch in July 2011. It is not present on the 1.5 branch.

Jeffrey Altman
Re: How to quickly get a snapshot of the Heimdal DB file
On 4/1/2017 5:22 PM, Jeffrey Hutzelman wrote:
> On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos
>> database file.
>>
>> The most obvious way to do this would be to shutdown the kerberos
>> service, copy the file, and restart the service. This could be done on
>> one of the replicas, perhaps one that does not get actual
>> authentication requests.
>>
>> Is there a faster way? For example, some database systems (e.g., MS
>> SQL) have the ability to go into and out of a "quiescent" state faster
>> than a full service stop/start to facilitate this sort of thing. Does
>> Heimdal have something like this? Or is the full service restart the
>> only/best option?
>
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

This looks to be a simple way to get a consistent snapshot with no service downtime. Thanks!

Adam Lewenberg

> kadmin -l list -l '*'
>
> will produce a verbose human-readable list of all the principals in the
> database and their attributes. Note that this is not particularly
> machine-readable and does not include keys, so it's not a backup.
>
> -- Jeff
Re: How to quickly get a snapshot of the Heimdal DB file
On Sat, Apr 01, 2017 at 08:22:32PM -0400, Jeffrey Hutzelman wrote:
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

Ah, yes, that's nice. Forgot about that one.

Nico
--
Re: How to quickly get a snapshot of the Heimdal DB file
On Sat, Apr 01, 2017 at 04:59:56PM -0700, Adam Lewenberg wrote:
> I am looking for a quick way to get a snapshot of the Kerberos database
> file.
>
> The most obvious way to do this would be to shutdown the kerberos service,
> copy the file, and restart the service. This could be done on one of the
> replicas, perhaps one that does not get actual authentication requests.

You can use the lock sub-command of kadmin -l, copy the HDB, and then unlock.

You could also setup a hidden slave on the same host as the master, then stop that ipropd-slave to take a snapshot of its HDB.

Nico
--
Re: How to quickly get a snapshot of the Heimdal DB file
On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
> I am looking for a quick way to get a snapshot of the Kerberos
> database file.
>
> The most obvious way to do this would be to shutdown the kerberos
> service, copy the file, and restart the service. This could be done on
> one of the replicas, perhaps one that does not get actual
> authentication requests.
>
> Is there a faster way? For example, some database systems (e.g., MS
> SQL) have the ability to go into and out of a "quiescent" state faster
> than a full service stop/start to facilitate this sort of thing. Does
> Heimdal have something like this? Or is the full service restart the
> only/best option?

hprop --stdout

will produce a database dump that you can reload later if needed.

kadmin -l list -l '*'

will produce a verbose human-readable list of all the principals in the database and their attributes. Note that this is not particularly machine-readable and does not include keys, so it's not a backup.

-- Jeff
How to quickly get a snapshot of the Heimdal DB file
I am looking for a quick way to get a snapshot of the Kerberos database file.

The most obvious way to do this would be to shutdown the kerberos service, copy the file, and restart the service. This could be done on one of the replicas, perhaps one that does not get actual authentication requests.

Is there a faster way? For example, some database systems (e.g., MS SQL) have the ability to go into and out of a "quiescent" state faster than a full service stop/start to facilitate this sort of thing. Does Heimdal have something like this? Or is the full service restart the only/best option?

Thanks,

Adam Lewenberg