Node:Set Up the Slave KDCs for Database Propagation, Previous:Extract Host Keytabs for the KDCs, Up:Install the Slave KDCs
The database is propagated from the master KDC to the slave KDCs via the
kpropd daemon.  To set up propagation, create a file on each KDC,
named /usr/local/var/krb5kdc/kpropd.acl, containing the
principals for each of the KDCs. 
For example, if the master KDC were
kerberos.mit.edu, the slave KDCs were
kerberos-1.mit.edu and
kerberos-2.mit.edu, and the realm were
ATHENA.MIT.EDU, then the file's contents would be:
     host/kerberos.mit.edu@ATHENA.MIT.EDU
     host/kerberos-1.mit.edu@ATHENA.MIT.EDU
     host/kerberos-2.mit.edu@ATHENA.MIT.EDU
     
Then, add the following lines to /etc/inetd.conf file on each KDC
(the line beginnng with => is a continuation of the previous
line):
     krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
     eklogin   stream tcp nowait root /usr/local/sbin/klogind
     => klogind -k -c -e
     
The first line sets up the kpropd database propagation daemon. 
The second line sets up the eklogin daemon, allowing
Kerberos-authenticated, encrypted rlogin to the KDC.
You also need to add the following lines to /etc/services on each
KDC:
     kerberos        88/udp      kdc       # Kerberos authentication (udp)
     kerberos        88/tcp      kdc       # Kerberos authentication (tcp)
     krb5_prop       754/tcp               # Kerberos slave propagation
     kerberos-adm    749/tcp               # Kerberos 5 admin/changepw (tcp)
     kerberos-adm    749/udp               # Kerberos 5 admin/changepw (udp)
     eklogin         2105/tcp              # Kerberos encrypted rlogin