How to quickly get a snapshot of the Heimdal DB file

Adam Lewenberg adamhl at stanford.edu
Mon Apr 3 19:55:24 CEST 2017



On 4/1/2017 5:22 PM, Jeffrey Hutzelman wrote:
> On Sat, 2017-04-01 at 16:59 -0700, Adam Lewenberg wrote:
>> I am looking for a quick way to get a snapshot of the Kerberos
>> database
>> file.
>>
>> The most obvious way to do this would be to shutdown the kerberos
>> service, copy the file, and restart the service. This could be done
>> on
>> one of the replicas, perhaps one that does not get actual
>> authentication
>> requests.
>>
>> Is there a faster way? For example, some database systems (e.g., MS
>> SQL)
>> have the ability to go into and out of a "quiescent" state faster
>> than a
>> full service stop/start to facilitate this sort of thing. Does
>> Heimdal
>> have something like this? Or is the full service restart the
>> only/best
>> option?
>
>
> hprop --stdout
>
> will produce a database dump that you can reload later if needed.

I did a round trip (hprop --stdout | hpropd --stdin) and the resulting 
heimdal.db has the same size as the original but a _different_ checksum.

Doing a "kadmin -l dump" on both database files I see that the output is 
almost the same, except each entry has some sort of counter that gets 
incremented. What is that counter for?

Adam Lewenberg



>
>
> kadmin -l list -l '*'
>
> will produce a verbose human-readable list of all the principals in the
> database and their attributes. Note that this is not particularly
> machine-readable and does not include keys, so it's not a backup.
>
>
> -- Jeff
>



More information about the Heimdal-discuss mailing list