From bbe00be17ce30e83975e1ecbb70da14c04e52095 Mon Sep 17 00:00:00 2001
From: Ken Raeburn <raeburn@mit.edu>
Date: Thu, 31 Jul 2008 13:42:49 +0000
Subject: [PATCH] note lack of policy propagation

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@20592 dc483132-0cff-0310-8789-dd5450dbe970
---
 doc/iprop-notes.txt | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/doc/iprop-notes.txt b/doc/iprop-notes.txt
index 2b1ee43c2..890efdc1e 100644
--- a/doc/iprop-notes.txt
+++ b/doc/iprop-notes.txt
@@ -10,6 +10,14 @@ for the kprop.  If the connection from the master never comes in for
 some reason, the slave side just blocks forever, and never resumes
 incremental propagation.
 
+The protocol does not currently pass policy database changes; this was
+an intentional decision on Sun's part.  The policy database is only
+relevant to the master KDC, and is usually fairly static (aside from
+refcount updates), but not propagating it does mean that a slave
+maintained via iprop can't simply be promoted to a master in disaster
+recovery or other cases without doing a full propagation or restoring
+a database from backups.
+
 Shawn had a good suggestion after I started the integration work, and
 which I haven't had a chance to implement: Make the update-log code
 fit in as a sort of pseudo-database layer via the DAL, being called
-- 
2.26.2