# Proper heimdal kerberos KDC replication setup (hprop/hpropd)



## romanr (Apr 7, 2013)

*9.1-RELEASE* i386

The general question is: how to properly set up the Kerberos KDC replication system?

The database is in DBM format with a master key, stored in /var/heimdal (the generic setup). I can't find any system /etc/rc.d scripts to launch the hpropd replication server. I tried to launch the hpropd daemon via inetd; the config is:

```
krb5_prop stream tcp wait root /usr/libexec/hpropd hpropd
```
but hpropd fails to determine that it's launched via inetd and opens the listening socket too; the sending process

```
[root@h01 /etc]# /usr/libexec/hprop h02
... zzz
```
hangs and does nothing. Specifying the -n parameter to hpropd

```
krb5_prop stream tcp wait root /usr/libexec/hpropd hpropd -n
```
introduces another problem:

```
...
Apr  7 16:59:50 h02 hpropd[2178]: krb5_read_message: Socket is not connected
Apr  7 16:59:50 h02 inetd[1914]: /usr/libexec/hpropd[2178]: exited, status 1
Apr  7 16:59:50 h02 hpropd[2179]: krb5_read_message: Socket is not connected
Apr  7 16:59:50 h02 inetd[1914]: /usr/libexec/hpropd[2179]: exited, status 1
Apr  7 16:59:50 h02 hpropd[2180]: krb5_read_message: Socket is not connected
Apr  7 16:59:50 h02 inetd[1914]: /usr/libexec/hpropd[2180]: exited, status 1
Apr  7 16:59:50 h02 inetd[1914]: krb5_prop/tcp server failing (looping), service terminated
```
hprop terminates with error too:

```
[root@h01 /etc]# /usr/libexec/hprop h02
hprop: krb5_sendauth (h02): read: Connection reset by peer
[root@h01 /etc]#
```

The only way hpropd works fine is when it's launched as a daemon, but it terminates each time the replication session finishes, so it needs to be wrapped in some restarting loop. Do I need to craft some scripts myself, or are there already some made somewhere? The same question for hprop (the client side). Should I launch the hprop tool via cron or via a shell script? Perhaps something like this:

```
while true; do /usr/libexec/hprop h02 h03 h15; sleep 3600; done &
echo $! > /var/run/hprop.pid
```


----------



## romanr (Apr 9, 2013)

The problem is solved.

The cause was in the *wait*/*nowait* inetd configuration parameter. When the service is started with the *wait* clause, it will share sequential connections and will not be presented with an actual socket (but a pipe); that's why hpropd failed to determine that it's launched via inetd and opened another socket.

The server-side /etc/inetd.conf:

```
krb5_prop stream tcp nowait root /usr/libexec/hpropd hpropd
```
The client-side /etc/crontab:

```
*/15 * * * * root /usr/libexec/hprop h02 h03 h15
```
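Two small helpers for the setup described in this thread, added here as an example and not part of the original posts or of Heimdal: one audits an inetd.conf for the *wait*/*nowait* mistake above, the other runs hprop per slave so a single unreachable KDC does not hide the status of the rest. The hprop path is assumed to be /usr/libexec/hprop as in the post (override with HPROP); the sample inetd.conf line is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes hprop lives at
# /usr/libexec/hprop (override via HPROP); sample config is constructed.

# Return 0 if the krb5_prop entry in the given inetd.conf uses "nowait"
# (hpropd is handed a connected socket), 1 if it uses "wait" (the failure
# mode described in the first post), 2 if there is no active entry at all.
check_krb5_prop_entry() {
    mode=$(awk '$1 == "krb5_prop" && $2 == "stream" { print $4; exit }' "$1")
    case "$mode" in
        nowait) return 0 ;;
        wait)   echo "$1: krb5_prop uses 'wait'; hpropd will not see a connected socket" >&2
                return 1 ;;
        *)      echo "$1: no usable krb5_prop entry" >&2
                return 2 ;;
    esac
}

# Run hprop against each slave KDC separately so one unreachable slave does
# not mask the result for the others; the exit status is the number of
# slaves that failed. Intended as the command in the crontab line above.
propagate_to_slaves() {
    failed=0
    for host in "$@"; do
        if ! "${HPROP:-/usr/libexec/hprop}" "$host"; then
            echo "hprop to $host failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Stand-alone demo on a constructed inetd.conf with the broken "wait" entry.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf 'krb5_prop stream tcp wait root /usr/libexec/hpropd hpropd\n' > "$tmp"
    check_krb5_prop_entry "$tmp"; echo "exit status: $?"
    rm -f "$tmp"
fi
```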


----------

