Re: kprop with multiple or NATted IP address
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Jan 27 18:45:14 2016
From: Russ Allbery <eagle@eyrie.org>
To: Jerry Shipman <jes59@cornell.edu>
In-Reply-To: <57DC3AD8-EDF0-44F1-B726-C8D7AEDA7AA2@cornell.edu> (Jerry
	Shipman's message of "Wed, 27 Jan 2016 21:07:26 +0000")
Date: Wed, 27 Jan 2016 15:43:43 -0800
Message-ID: <87d1sm4mhc.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Jerry Shipman <jes59@cornell.edu> writes:
> It’s me again, who was trying to kprop through a NAT a month ago.
> Hypothetically speaking… how bad of an idea would it be to make a cron
> job that `scp`s the database file to the slave KDC, or something like
> that? Does the slave KDC daemon need to restart after the file is
> updated, maybe? Or is this significantly less safe than using kprop? I
> think I would be relying on ssh instead of kerberos for the
> confidentiality and integrity. But I do that whenever I log into the
> machine anyway. I think I may risk getting the file in the middle of a
> write (so some records could be corrupted in the copy). It seems like
> this would be a bad idea; just checking.
If you're going to use scp, I strongly recommend generating a dump with
kdb5_util dump, scping that, and then loading it with kdb5_util load.
That's effectively what kprop/kpropd do.
Just copying the database file runs the risk of copying a corrupt database
because you happened to catch it in the middle of a write, as you note.
-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
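A cron-friendly script for the dump, scp, load sequence Russ recommends, added here as an example; it is not code from the thread or from MIT Kerberos. The slave host, remote user and dump path are assumed names, and the digest comparison before loading is an extra check not mentioned in the reply.

```shell
#!/bin/sh
# Added example: propagate a consistent KDC snapshot to a slave KDC
# with kdb5_util dump -> scp -> kdb5_util load, instead of copying the
# live database file (which can be caught mid-write).
set -eu
umask 077   # the dump contains principal keys; create it mode 0600

SLAVE_HOST="${SLAVE_HOST:-slave-kdc.example.com}"       # assumed name
REMOTE_USER="${REMOTE_USER:-root}"                      # assumed user
DUMP_FILE="${DUMP_FILE:-/var/tmp/kdc-propagate.dump}"   # assumed path
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# run_cmd echoes the command in dry-run mode, otherwise executes it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# propagate performs the three steps the reply describes, plus a
# SHA-256 comparison so a truncated or altered copy is never loaded.
propagate() {
    run_cmd kdb5_util dump "$DUMP_FILE"
    run_cmd scp -q "$DUMP_FILE" "$REMOTE_USER@$SLAVE_HOST:$DUMP_FILE"
    if [ "$DRY_RUN" != "1" ]; then
        local_sum=$(sha256sum "$DUMP_FILE" | cut -d' ' -f1)
        remote_sum=$(ssh "$REMOTE_USER@$SLAVE_HOST" sha256sum "$DUMP_FILE" \
                     | cut -d' ' -f1)
        if [ "$local_sum" != "$remote_sum" ]; then
            echo "digest mismatch after scp; not loading" >&2
            return 1
        fi
    fi
    run_cmd ssh "$REMOTE_USER@$SLAVE_HOST" kdb5_util load "$DUMP_FILE"
    # Remove the key-bearing dump on both ends once it has been loaded.
    run_cmd rm -f "$DUMP_FILE"
    run_cmd ssh "$REMOTE_USER@$SLAVE_HOST" rm -f "$DUMP_FILE"
}

# Run the propagation only when invoked as: ./kdc-propagate.sh run
if [ "${1:-}" = "run" ]; then
    propagate
fi
```

Run it with `DRY_RUN=1 ./kdc-propagate.sh run` first to see the exact commands it would execute against the assumed host.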
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos