1.14 Replication Enhancements - rbasch/krb5 GitHub Wiki

I have been providing replication enhancements for MIT Kerberos iprop since Kerberos 1.8. Most of the functionality represented in the enhancements over the years have eventually found their way into the mainstream releases. However, a few enhancements developed against more recent releases have yet to find their way into the standard distribution, but are provided here for anyone to adopt.

Replication enhancements:

Notify downstream slaves of pending ulog updates. This was first proposed and developed against Kerberos 1.12.

• When kpropd contacts an upstream kadmind for an iprop retrieval, kadmind will remember the slave to notify it of future ulog updates.
• After kpropd applies iprop updates, it will contact the local kadmind (iprop service) using the NULLPROC procedure to initiate a notification to downstream slaves. On the master, after a write operation, downstream slaves will be notified.
• kadmind will notify downstream slaves by calling kprop (new option -N) to notify each downstream slave of pending updates. Notification will use the error protocol (sending a generic error instead of a dump).
• kpropd, upon receiving an error notification via the full resync thread, will notify the iprop thread by sending a USR1 signal, which will cancel the timer until the next iprop retrieval.

Possible improvements:

• If kadmind had the combined functionality of kadmind, kpropd, and kprop, the inter-process communication would be simplified.
• The notify function currently uses KRB5KRB_ERR_GENERIC to the remote kpropd instead of a new error code dedicated for ulog update notifications. Older kpropd versions would not otherwise be able to display a meaningful error. However, other "generic errors" may result in excessive iprop polling from the slave (however, I have never seen a "generic error" in regular operations).

Commit: https://github.com/rbasch/krb5/commit/2dfa83a40e8283013a122011e986a2d39b7b11bb