Manualshelf

Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

ManualsBrandsHP ManualsSoftwareHP-UX Kerberos Data Security Software
231232233234235236237238239240
Propagation
Monitoring Propagation
Chapter 7 233
Log Files Indicate Problems
If an examination of the logs for the primary server and the secondary
servers suggests propagation problems, then your set of clues is nearly
complete. If kpropd is not running on the primary server and each
secondary server, then you can be certain that an out-of-sync condition
exists.
Number of Principals Does Not Match
The number of principals on both machines should be identical or close.
It is not unusual to see a few discrepancies, especially if the databases
were dumped during a propagation cycle. It can be off by a few principals
due to incremental database propagation, but rarely will be off by more
than a few principals. To ensure accurate results, dump the databases
simultaneously and after hours, at a time when administrative activity
is at a minimum. Under these conditions, consider a discrepancy of more
than five principal entries to be significant.
Authentication Tests Succeed
The last step to confirm this problem is to force authentication tests to go
to the primary server. You only need to do this for one or two machines.
Ensure that the test principal is not locked and you know the password.
Edit the krb.conf file and comment out the secondary servers by placing
a # in the first column on each secondary server entry. The file will look
similar to the following:
#FINANCE.BAMBI.COM fnc01.bambi.com
#IT.BAMBI.COM it02.bambi.com
NETWORK.BAMBI.COM netwrk05.bambi.com admin server
Attempt to authenticate from the machine with the new configuration
file. If authentication succeeds continuously you have your final clue that
the out-of-sync condition exists.
kdb_dump
To view details of any discrepancy between a primary and secondary
principal database and look for out-of-sync conditions, export each
database to a text file and compare them. You can dump the databases by
stopping the daemons or services and then using the kdb_dump utility.
You must stop the daemons before using kdb_dump.