3 files changed, 265 insertions, 2 deletions
diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo
index 5d239b5..cc6b577 100644
--- a/doc/copyright.texinfo
+++ b/doc/copyright.texinfo
@@ -1,4 +1,4 @@
-Copyright @copyright{} 1985-2007 by the Massachusetts Institute of Technology.
+Copyright @copyright{} 1985-2008 by the Massachusetts Institute of Technology.
 
 @quotation
 Export of software employing encryption from the United States of
@@ -309,6 +309,21 @@ lib/gssapi/spnego/gssapiP_spnego.h
 lib/gssapi/spnego/spnego_mech.c
 @end smallexample
 
+and the initial implementation of incremental propagation, including
+the following new or changed files:
+
+@smallexample
+  include/iprop_hdr.h
+  kadmin/server/ipropd_svc.c
+  lib/kdb/iprop.x
+  lib/kdb/kdb_convert.c
+  lib/kdb/kdb_log.c
+  lib/kdb/kdb_log.h
+  lib/krb5/error_tables/kdb5_err.et
+  slave/kpropd_rpc.c
+  slave/kproplog.c
+@end smallexample
+
 are subject to the following license:
 
 @quotation
diff --git a/doc/install.texinfo b/doc/install.texinfo
index 64cdac7..54f183d 100644
--- a/doc/install.texinfo
+++ b/doc/install.texinfo
@@ -363,6 +363,7 @@ procedure is based on that recommendation.
 * Add Kerberos Principals to the Database::  
 * Limit Access to the KDCs::    
 * Switching Master and Slave KDCs::  
+* Incremental Database Propagation::  
 @end menu
 
 @node Install the Master KDC, Install the Slave KDCs, Installing KDCs, Installing KDCs
@@ -950,7 +951,7 @@ eklogin   stream tcp nowait root @value{ROOTDIR}/sbin/klogind
 @end group
 @end smallexample
 
-@node Switching Master and Slave KDCs,  , Limit Access to the KDCs, Installing KDCs
+@node Switching Master and Slave KDCs, Incremental Database Propagation, Limit Access to the KDCs, Installing KDCs
 @subsection Switching Master and Slave KDCs
 
 You may occasionally want to use one of your slave KDCs as the master.
@@ -1001,6 +1002,133 @@ machine in your Kerberos realm.)
 
 @end enumerate
 
+@node Incremental Database Propagation,  , Switching Master and Slave KDCs, Installing KDCs
+@subsection Incremental Database Propagation
+
+At some very large sites, dumping and transmitting the database can
+take more time than is desirable for changes to propagate from the
+master KDC to the slave KDCs.  The incremental propagation support
+added in the 1.7 release is intended to address this.
+
+With incremental propagation enabled, all programs on the master KDC
+that change the database also write information about the changes to
+an ``update log'' file, maintained as a circular buffer of a certain
+size.  A process on each slave KDC connects to a service on the master
+KDC (currently implmented in the @code{kadmind} server) and
+periodically requests the changes that have been made since the last
+check.  By default, this check is done every two minutes.  If the
+database has just been modified in the previous several seconds
+(currently the threshold is hard-coded at 10 seconds), the slave will
+not retrieve updates, but instead will pause and try again soon after.
+This reduces the likelihood that incremental update queries will cause
+delays for an administrator trying to make a bunch of changes to the
+database at the same time.
+
+Incremental propagation uses the following entries in the per-realm
+data in the KDC config file:
+
+@table @asis
+@item @code{iprop_enable} (boolean)
+If this is set to @code{true}, then incremental propagation is
+enabled, and (as noted below) normal @code{kprop} propagation is
+disabled.  The default is @code{false}.
+
+@item @code{iprop_master_ulogsize} (integer)
+This indicates the number of entries that should be retained in the
+update log.  The default is 1000; the maximum number is 2500.
+
+@item @code{iprop_slave_poll} (time interval)
+This indicates how often the slave should poll the master KDC for
+changes to the database.  The default is two minutes.
+
+@item @code{iprop_port} (integer)
+This specifies the port number to be used for incremental
+propagation.  This is required in both master and slave configuration
+files.
+
+@item @code{iprop_logfile} (file name)
+This specifies where the update log file for the realm database is to
+be stored.  The default is to use the @code{database_name} entry from
+the @code{realms} section of the config file, with @file{.ulog} appended.
+(NOTE: If @code{database_name} isn't specified in the @code{realms}
+section, perhaps because the LDAP database back end is being used, or
+the file name is specified in the @code{dbmodules} section, then the
+hard-coded default for @code{database_name} is used.  Determination of
+the @code{iprop_logfile} default value will not use values from the
+@code{dbmodules} section.)
+@end table
+
+Both master and slave sides must have principals named
+@code{kiprop/@var{hostname}} (where @var{hostname} is, as usual, the
+lower-case, fully-qualified, canonical name for the host) registered
+and keys stored in the default keytab file (@file{/etc/krb5.keytab}).
+@c XXX: I think the master side, at least, might be able to read the
+@c key out of the database.  Test and document this.
+
+On the master KDC side, the @code{kiprop/@var{hostname}} principal
+must be listed in the @code{kadmind} ACL file @code{kadm5.acl}, and
+given the @code{p} privilege.
+
+On the slave KDC side, @code{kpropd} should be run.  When incremental
+propagation is enabled, it will connect to the @code{kadmind} on the
+master KDC and start requesting updates.
+
+The normal @code{kprop} mechanism is disabled by the incremental
+propagation support.  However, if the slave has been unable to fetch
+changes from the master KDC for too long (network problems, perhaps),
+the log on the master may wrap around and overwrite some of the
+updates that the slave has not yet retrieved.  In this case, the slave
+will instruct the master KDC to dump the current database out to a
+file and invoke a one-time @code{kprop} propagation, with special
+options to also convey the point in the update log at which the slave
+should resume fetching incremental updates.  Thus, all the keytab and
+ACL setup previously described for @code{kprop} propagation is still
+needed.
+
+There are several known bugs and restrictions in the current
+implementation:
+@itemize
+@item
+The ``call out to @code{kprop}'' mechanism is a bit fragile; if the
+@code{kprop} propagation fails to connect for some reason, the process
+on the slave may hang waiting for it, and will need to be restarted.
+@item
+The master and slave must be able to initiate TCP connections in
+both directions, without an intervening NAT.  They must also be able
+to communicate over IPv4, since MIT's RPC code does not currently
+support IPv6.
+@end itemize
+
+@menu
+* Sun/MIT Incremental Propagation Differences::  
+@end menu
+
+@node Sun/MIT Incremental Propagation Differences,  , Incremental Database Propagation, Incremental Database Propagation
+@subsubsection Sun/MIT Incremental Propagation Differences
+
+Sun donated the original code for supporting incremental database
+propagation to MIT.  Some changes have been made in the MIT source
+tree that will be visible to administrators.  (These notes are based
+on Sun's patches.  Changes to Sun's implementation since then may not
+be reflected here.)
+
+The Sun config file support looks for @code{sunw_dbprop_enable},
+@code{sunw_dbprop_master_ulogsize}, and @code{sunw_dbprop_slave_poll}.
+
+The incremental propagation service is implemented as an ONC RPC
+service.  In the Sun implementation, the service is registered with
+@code{rpcbind} (also known as @code{portmapper}) and the client looks
+up the port number to contact.  In the MIT implementation, where
+interaction with some modern versions of @code{rpcbind} doesn't always
+work well, the port number must be specified in the config file on
+both the master and slave sides.
+
+The Sun implementation hard-codes pathnames in @file{/var/krb5} for
+the update log and the per-slave @code{kprop} dump files.  In the MIT
+implementation, the pathname for the update log is specified in the
+config file, and the per-slave dump files are stored in
+@code{@value{ROOTDIR}/var/krb5kdc/slave_datatrans_@var{hostname}}.
+
 @node Installing and Configuring UNIX Client Machines, UNIX Application Servers, Installing KDCs, Installing Kerberos V5
 @section Installing and Configuring UNIX Client Machines
 
diff --git a/doc/iprop-notes.txt b/doc/iprop-notes.txt
new file mode 100644
index 0000000..2b1ee43
--- /dev/null
+++ b/doc/iprop-notes.txt
@@ -0,0 +1,120 @@
+Some (intentional) changes from Sun's submission are noted in the
+install guide.
+
+Bugs or issues:
+
+The "full resync" part of the protocol involves the master side firing
+off a normal kprop (and going back to servicing requests), and the
+slave side stopping all the incremental propagation stuff and waiting
+for the kprop.  If the connection from the master never comes in for
+some reason, the slave side just blocks forever, and never resumes
+incremental propagation.
+
+Shawn had a good suggestion after I started the integration work, and
+which I haven't had a chance to implement: Make the update-log code
+fit in as a sort of pseudo-database layer via the DAL, being called
+through the standard DAL methods, and doing its work around calls
+through to the real database back end again through the DAL methods.
+So for example, creating a "iprop+db2" database would create an update
+log and the real db2 database; storing a principal entry would update
+the update log as well; etc.  At least initially, we wouldn't treat it
+as a differently-named database; the installation of the hooks would
+be done by explicitly checking if iprop is enabled, etc.
+
+The "iprop role" is assumed to be either master or slave.  The master
+writes a log, and the slave fetches it.  But what about a cascade
+propagation model where A sends to B which sends to C, perhaps because
+A's bandwidth is highly limited, or B and C are co-located?  In such a
+case, B would want to operate in both modes.  Granted, with iprop the
+bandwidth issues should be less important, but there may still be
+reasons one may wish to run in such a configuration.
+
+The propagation of changes does not happen in real time.  It's not a
+"push" protocol; the slaves poll periodically for changes.  Perhaps a
+future revision of the protocol could address that.
+
+kadmin/cli/kadmin.c call to kadm5_init_iprop - is this needed in
+client-side program? Should it be done in libkadm5srv instead as part
+of the existing kadm5_init* so that database-accessing applications
+that don't get updated at the source level will automatically start
+changing the update log as needed?
+
+Locking: Currently DAL exports the DB locking interface to the caller;
+we want to slip the iprop code in between -- run it plus the DB update
+operation with the DB lock held, whether or not the caller grabbed the
+lock.  (Does the caller always grab the lock before making changes?)
+Currently we're using a file lock on the update log itself; this will
+be independent of whether the DB back end implements locking (which
+may be a good thing or a bad thing, depending).
+
+Various logging calls with odd format strings like "<null>" should be
+fixed.
+
+Why are different principal names used, when incremental propagation
+requires that normal kprop (which uses host principals) be possible
+anyways?
+
+Why is this tied to kadmind, aside from (a) wanting to prevent other
+db changes, which locking protocols should deal with anyways, (b)
+existing acl code, (c) existing server process?
+
+The incremental propagation protocol requires an ACL entry on the
+master, listing the slave.  Since the full-resync part uses normal
+kprop, the slave also has to have an ACL entry for the master.  If
+this is missing, I suspect the behavior will be that every two
+minutes, the master side will (at the prompting of the slave) dump out
+the database and attempt a full propagation.
+
+Possible optimizations: If an existing dump file has a recent enough
+serial number, just send it, without dumping again?  Use just one dump
+file instead of one per slave?
+
+Requiring normal kprop means the slave still can't be behind a NAT or
+firewall without special configuration.  The incremental parts can
+work in such a configuration, so long as outgoing TCP connections are
+allowed.
+
+Still limited to IPv4 because of limitations in MIT's version of the
+RPC code.  (This could be fixed for kprop, if IPv6 sites want to do
+full propagation only.  Doing incremental propagation over IPv6 will
+take work on the RPC library, and probably introduce
+backwards-incompatible ABI changes.)
+
+Overflow checks for ulogentries times block size?
+
+If file can't be made the size indicated by ulogentries, shoud we
+truncate or error out?  If we error out, this could blow out when
+resizing the log because of a too-large log entry.
+
+The kprop invocation doesn't specify a realm name, so it'll only work
+for the default realm.  No clean way to specify a port number, either.
+Would it be overkill to come up with a way to configure host+port for
+kpropd on the master?  Preferably in a way that'd support cascading
+propagations.
+
+The kadmind process, when it needs to run kprop, extracts the slave
+host name from the client principal name.  It assumes that the
+principal name will be of the form foo/hostname@REALM, and looks
+specifically for the "/" and "@" to chop up the string form of the
+name.  If looking up that name won't give a working IPv4 address for
+the slave, kprop will fail (and kpropd will keep waiting, incremental
+updates will stop, etc).
+
+Mapping between file offsets and structure addresses, we should be
+careful about alignment.  We're probably okay on current platforms,
+but if we break log-format compatibility with Sun at some point, use
+the chance to make the kdb_ent_header_t offsets be more strictly
+aligned in the file.  (16 or 32 bytes?)
+
+Not thread safe!  The kdb5.c code will get a lock on the update log
+file while making changes, but the lock is per-process.  Currently
+there are no processes I know of that use multiple threads and change
+the database.  (There's the Novell patch to make the KDC
+multithreaded, but the kdc-kdb-update option doesn't currently
+compile.)
+
+Logging in kpropd is poor to useless.  If there are any problems, run
+it in debug mode ("-d").  You'll still lose all output from the
+invocation of kdb5_util dump and kprop run out of kadmind.
+
+Other man page updates needed: Anything with new -x options.