How to quickly get a snapshot of the Heimdal DB file

Jeffrey Hutzelman jhutz at
Sun Apr 2 02:22:32 CEST 2017

On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
> I am looking for a quick way to get a snapshot of the Kerberos database
> file.
> The most obvious way to do this would be to shut down the Kerberos
> service, copy the file, and restart the service. This could be done on
> one of the replicas, perhaps one that does not get actual authentication
> requests.
> Is there a faster way? For example, some database systems (e.g., MS SQL)
> have the ability to go into and out of a "quiescent" state faster than a
> full service stop/start to facilitate this sort of thing. Does Heimdal
> have something like this? Or is the full service restart the only/best
> option?

hprop --stdout

will produce a database dump that you can reload later if needed.

kadmin -l list -l '*'

will produce a verbose human-readable list of all the principals in the
database and their attributes. Note that this is not particularly
machine-readable and does not include keys, so it's not a backup.

-- Jeff
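
Added example, not part of the original message: a POSIX shell wrapper around the `hprop --stdout` command from the reply above. It writes the dump owner-only and atomically, because unlike the `kadmin -l list` output the dump carries the principals' keys. The function name `snapshot_kdb`, the `HPROP` override variable, the file naming and the directory in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: snapshot a running Heimdal KDC database with `hprop --stdout`.
# snapshot_kdb, HPROP and the file naming are hypothetical names for this example.

# Path to hprop; overridable so the function can be exercised with a stub.
HPROP="${HPROP:-hprop}"

# snapshot_kdb DIR
#   Writes DIR/heimdal-<UTC timestamp>.hprop and prints its path.
#   Returns non-zero, leaving no partial file, if the dump fails or is empty.
snapshot_kdb() {
    (   # subshell: the umask change and the early exits stay local
        dir=$1
        umask 077                      # dump contains keys: owner-only access
        mkdir -p "$dir" || exit 1
        tmp=$(mktemp "$dir/.kdb.XXXXXX") || exit 1

        # Dump to a temporary file first so a failed run never looks like
        # a valid snapshot.
        if ! "$HPROP" --stdout > "$tmp"; then
            rm -f "$tmp"
            echo "snapshot_kdb: hprop failed" >&2
            exit 1
        fi
        if [ ! -s "$tmp" ]; then
            rm -f "$tmp"
            echo "snapshot_kdb: hprop produced an empty dump" >&2
            exit 1
        fi

        out="$dir/heimdal-$(date -u +%Y%m%dT%H%M%SZ).hprop"
        mv "$tmp" "$out" || { rm -f "$tmp"; exit 1; }
        printf '%s\n' "$out"
    )
}

# Usage (the directory is an assumed example path):
#   snapshot_kdb /var/backups/heimdal
```

A snapshot written this way can be fed back with `hpropd --stdin`; store the files with the same access restrictions as the live database.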

