The -proponly option causes kadmind to only service the iprop service,
not the kpasswd or kadmin services. An intermediate slave in a
hierarchical iprop setup runs kadmind -proponly in order to provide
incremental updates to downstream slaves.
Based on code submitted by Richard Basch.
ticket: 7855
[**-r** *realm*]
[**-m**]
[**-nofork**]
[**-r** *realm*]
[**-m**]
[**-nofork**]
[**-port** *port-number*]
[**-P** *pid_file*]
[**-p** *kdb5_util_path*]
[**-port** *port-number*]
[**-P** *pid_file*]
[**-p** *kdb5_util_path*]
associated to the terminal. In normal operation, you should allow
the server to place itself in the background.
associated to the terminal. In normal operation, you should allow
the server to place itself in the background.
+**-proponly**
+ causes the server to only listen and respond to Kerberos slave
+ incremental propagation polling requests. This option can be used
+ to set up a hierarchical propagation topology where a slave KDC
+ provides incremental updates to other Kerberos slaves.
+
**-port** *port-number*
specifies the port on which the administration server listens for
connections. The default port is determined by the
**-port** *port-number*
specifies the port on which the administration server listens for
connections. The default port is determined by the
{
fprintf(stderr, _("Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] "
"[-port port-number]\n"
{
fprintf(stderr, _("Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] "
"[-port port-number]\n"
- "\t\t[-p path-to-kdb5_util] [-F dump-file]\n"
+ "\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n"
"\t\t[-K path-to-kprop] [-P pid_file]\n"
"\nwhere,\n\t[-x db_args]* - any number of database "
"specific arguments.\n"
"\t\t[-K path-to-kprop] [-P pid_file]\n"
"\nwhere,\n\t[-x db_args]* - any number of database "
"specific arguments.\n"
return st1 ? st1 : st2;
}
return st1 ? st1 : st2;
}
-/* Set up the main loop. May set *ctx_out even on error. */
+/* Set up the main loop. If proponly is set, don't set up ports for kpasswd or
+ * kadmin. May set *ctx_out even on error. */
-setup_loop(verto_ctx **ctx_out)
+setup_loop(int proponly, verto_ctx **ctx_out)
{
krb5_error_code ret;
verto_ctx *ctx;
{
krb5_error_code ret;
verto_ctx *ctx;
ret = loop_setup_signals(ctx, global_server_handle, NULL);
if (ret)
return ret;
ret = loop_setup_signals(ctx, global_server_handle, NULL);
if (ret)
return ret;
- ret = loop_add_udp_port(handle->params.kpasswd_port);
- if (ret)
- return ret;
- ret = loop_add_tcp_port(handle->params.kpasswd_port);
- if (ret)
- return ret;
- ret = loop_add_rpc_service(handle->params.kadmind_port, KADM, KADMVERS,
- kadm_1);
- if (ret)
- return ret;
+ if (!proponly) {
+ ret = loop_add_udp_port(handle->params.kpasswd_port);
+ if (ret)
+ return ret;
+ ret = loop_add_tcp_port(handle->params.kpasswd_port);
+ if (ret)
+ return ret;
+ ret = loop_add_rpc_service(handle->params.kadmind_port, KADM, KADMVERS,
+ kadm_1);
+ if (ret)
+ return ret;
+ }
#ifndef DISABLE_IPROP
if (handle->params.iprop_enabled) {
ret = loop_add_rpc_service(handle->params.iprop_port, KRB5_IPROP_PROG,
#ifndef DISABLE_IPROP
if (handle->params.iprop_enabled) {
ret = loop_add_rpc_service(handle->params.iprop_port, KRB5_IPROP_PROG,
verto_ctx *vctx;
const char *pid_file = NULL;
char **db_args = NULL, **tmpargs;
verto_ctx *vctx;
const char *pid_file = NULL;
char **db_args = NULL, **tmpargs;
- int ret, i, db_args_size = 0, strong_random = 1;
+ int ret, i, db_args_size = 0, strong_random = 1, proponly = 0;
setlocale(LC_ALL, "");
setvbuf(stderr, NULL, _IONBF, 0);
setlocale(LC_ALL, "");
setvbuf(stderr, NULL, _IONBF, 0);
#ifdef USE_PASSWORD_SERVER
} else if (strcmp(*argv, "-passwordserver") == 0) {
kadm5_set_use_password_server();
#ifdef USE_PASSWORD_SERVER
} else if (strcmp(*argv, "-passwordserver") == 0) {
kadm5_set_use_password_server();
+#endif
+#ifndef DISABLE_IPROP
+ } else if (strcmp(*argv, "-proponly") == 0) {
+ proponly = 1;
#endif
} else if (strcmp(*argv, "-port") == 0) {
argc--, argv++;
#endif
} else if (strcmp(*argv, "-port") == 0) {
argc--, argv++;
if (!(params.mask & KADM5_CONFIG_ACL_FILE))
fail_to_start(0, _("Missing required ACL file configuration"));
if (!(params.mask & KADM5_CONFIG_ACL_FILE))
fail_to_start(0, _("Missing required ACL file configuration"));
- ret = setup_loop(&vctx);
+ ret = setup_loop(proponly, &vctx);
if (ret)
fail_to_start(ret, _("initializing network"));
if (ret)
fail_to_start(ret, _("initializing network"));
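Review bot: With `-proponly` set and iprop not enabled in the realm configuration, the new `if (!proponly)` guard in setup_loop() skips the kpasswd and kadmin listeners, and the existing `if (handle->params.iprop_enabled)` branch registers nothing either, so kadmind would appear to start successfully without serving any protocol. Reject that combination in main() before the `setup_loop(proponly, &vctx)` call, for example `if (proponly && !params.iprop_enabled) fail_to_start(0, _("-proponly requires iprop to be enabled"));`. This assumes `params` at that point carries the same iprop setting as `handle->params`, which the visible lines do not confirm. The usage text also advertises `[-proponly]` unconditionally although the option is only parsed under `#ifndef DISABLE_IPROP`, so a short comment beside the parser branch should say that the flag is unavailable in such builds. Both setup_loop() and main() continue outside the lines shown.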