From e2175df4a3393c9bd6f76a24ba1b95740bdfdf1c Mon Sep 17 00:00:00 2001 From: Assar Westerlund Date: Fri, 21 Jul 2000 03:54:47 +0000 Subject: [PATCH] add some text on slaves and new extension of kadmind.acl git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8730 ec53bebd-3082-4978-b11e-865c3cabbd6b --- doc/setup.texi | 47 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/doc/setup.texi b/doc/setup.texi index cf9f600cb..12fe101ec 100644 --- a/doc/setup.texi +++ b/doc/setup.texi @@ -1,4 +1,5 @@ @node Setting up a realm, Things in search for a better place, Building and Installing, Top + @chapter Setting up a realm A @@ -186,7 +187,7 @@ Access to the admin server is controlled by an acl-file, (default @file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the following syntax: @smallexample -principal [priv1,priv2,...] +principal [priv1,priv2,...] [glob-pattern] @end smallexample The privileges you can assign to a principal are: @samp{add}, @@ -195,6 +196,11 @@ The privileges you can assign to a principal are: @samp{add}, @samp{all}. All of these roughly corresponds to the different commands in @samp{kadmin}. +If a @var{glob-pattern} is given on a line, it restricts the right for +the principal to only apply for the subjects that match the pattern. +The patters are of the same type as those used in shell globbing, see +@url{none,,fnmatch(3)}. + @section Password changing To allow users to change their passwords, you should run @samp{kpasswdd}. 
@@ -245,3 +251,42 @@ verified that it is at least six characters of length. Now you should be able to run all the clients and servers. Refer to the appropriate man pages for information on how to use them. + +@section Slave servers + +It is desirable to have at least one backup (slave) server in case the +master server fails. It is possible to have any number of such slave +servers but more than three usually doesn't buy much more redundancy. + +All Kerberos servers for a realm shall have the same database so that +they present the same service to all the users. The +@pindex hprop +@code{hprop} program, running on the master, will propagate the database +to the slaves, running +@pindex hpropd +@code{hpropd} processes. + +Every slave needs a keytab with a principal, +@samp{hprop/@var{hostname}}. Add that with the +@pindex ktutil +@code{ktutil} command and start +@pindex hpropd +@code{propd}, as follows: + +@example +slave# ktutil get -p foo/admin host/slave +slave# hpropd +@end example + +The master will use the principal @samp{kadmin/hprop} to authenticate to +the slaves. This principal should be added when running @kbd{kadmin -l +init} but if you do not have it in your database for whatever reason, +please add it with @kbd{kadmin -l add}. + +Then run +@pindex hprop +@code{hprop} on the master: + +@example +master# hprop slave +@end example
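Review bot: The @smallexample line in the `@@ -186,7 +187,7 @@` hunk writes the new argument as plain `[glob-pattern]` while the prose that refers to it uses `@var{glob-pattern}`; use `@var{}` in the example too so the two agree and the brackets are read as "optional" in the same way as `[priv1,priv2,...]`. It would also help to say in the surrounding sentence that a line without a pattern keeps the previous behaviour (the privileges apply to every principal), since that is the default a reader of the old file will assume.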
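Review bot: In the `@@ -195,6 +196,11 @@` hunk, "The patters are of the same type" should read "The patterns are of the same type", and `@url{none,,fnmatch(3)}` is not a valid use of `@url` (its first argument must be the URL itself); `@code{fnmatch(3)}` or a plain "see fnmatch(3)" reads correctly. More importantly for an access-control file, the paragraph should state what the pattern is matched against: the full principal name including the realm, or only the name part. An administrator writing a rule for a `foo/*` pattern needs to know whether the realm component is part of the match, otherwise the rule may be broader or narrower than intended.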
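Review bot: In the `@@ -245,3 +251,42 @@` hunk, "`@code{propd}`, as follows" is a typo for `@code{hpropd}`, and the example contradicts the text: the paragraph says every slave needs a keytab with `hprop/@var{hostname}`, but the command shown is `slave# ktutil get -p foo/admin host/slave`, which fetches `host/slave`. Make the two agree (for example by fetching `hprop/slave` in the example, or by fixing the prose if `host/@var{hostname}` is what `hpropd` actually uses), since a reader following the example verbatim would otherwise end up with the wrong key on the slave. Also "All Kerberos servers for a realm shall have the same database" reads better as "must have the same database". Finally, since this section describes transferring the whole realm database to another host, it is worth one sentence saying that `hpropd` only accepts propagation from a peer that authenticates as `kadmin/hprop`, so the reader understands why that principal has to exist before the first `hprop` run.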