(I thought about that about 5 minutes after I sent the email — oops.) I guess my question is: does kprop do anything other than: secrecy of the data in transmission, integrity of the transmission, kdb5_util dump/load ? Or can I really do the same thing in a cron job (or maybe 2, one on each end) without missing anything important? I guess I would lose out on the possibility of doing incremental propagation.
Thanks again, Jerry > On Jan 27, 2016, at 6:43 PM, Russ Allbery <ea...@eyrie.org> wrote: > > Jerry Shipman <je...@cornell.edu> writes: > >> It’s me again, who was trying to kprop through a NAT a month ago. > >> Hypothetically speaking… how bad of an idea would it be to make a cron >> job that `scp`s the database file to the slave KDC, or something like >> that? Does the slave KDC daemon need to restart after the file is >> updated, maybe? Or is this significantly less safe than using kprop? I >> think I would be relying on ssh instead of kerberos for the >> confidentiality and integrity. But I do that whenever I log into the >> machine anyway. I think I may risk getting the file in the middle of a >> write (so some records could be corrupted in the copy). It seems like >> this would be a bad idea; just checking. > > If you're going to use scp, I strongly recommend generating a dump with > kdb5_util dump, scping that, and then loading it with kdb5_util load. > That's effectively what kprop/kpropd do. > > Just copying the database file runs the risk of copying a corrupt database > because you happened to catch it in the middle of a write, as you note. > > -- > Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
