Benutzeranleitung / Produktwartung E0905 des Produzenten HP (Hewlett-Packard)
Zur Seite of 327
Kerberos Server V ersion 3.1 Administrator’ s Guide HP-UX 11i v2 Edition 5 Manufacturing P art Number: T1417-90009 E0905 United States © Copyright 2005 Hewlett-P ackard Development Company , L.
2 Legal Notices The information contained herein is subject to change without notice. Hewlett-P ackard makes no warranty of any kind with regard to this manual, including , but not limited to , the implied warranties of merchantability and fitness f or a particular purpose.
3 This software is based in part on the F ourth Berkeley Software Distribution under license from the Regents of the University of California. © Copyright 1983-2005 Hewlett-P ackard Co., All Rights Reserved © Copyright 1979, 1980,1983, 1985-1993 The Regents of the Univ .
4.
5 Contents 1. Overview Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 How the Kerberos Server W orks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contents 6 Configuration Files for the Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 The krb.conf F ile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7 Contents Starting the Security Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Configuring the Secondary Security Servers with C-Tree . . . . . . . . . . . . . . . . . . . . . . 103 Creating the Principal Database .
Contents 8 General T ab (Principal Information Window) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Adding Principals to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Adding Multiple Principals with Similar Settings .
9 Contents Adding a New Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Adding a Random Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Specifying a New P assword .
Contents 10 Maintenance T asks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Protecting Security Server Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 host/fqdn@REALM .
11 Contents Propagation F ailure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Converting a secondary security server to a primary security server . . . . . . . . . . . 270 Restarting Services .
Contents 12 Locking and Unlocking Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 Clock Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 User Error Messages .
13 T ables T able 1. HP-UX 11i Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 T able 2. Publishing History Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 T able 4-1.
T ables 14 T able A-2. Configuration W orksheet Explanation . . . . . . . . . . . . . . . . . . . . . . . . . . 312.
15 F igures Authentication Process 28 Integrating a Kerberos Principal in to the LDAP Directory 34 Principals Tab 137 Principal Information Window 139 Change Password Window 144 Administrative Permiss.
F igures 16.
17 About This Manual This manual describes how to install, configure, administer , and troubleshoot the Kerberos server on HP Integrity servers running the HP-UX 11i v2 operating system.
18 • Chapter 4, “Interoperability with Windows 2000, ” on page 51 : Contains information specific to establishing interoperability with Windows 2000 Kerberos implementations .
19 • Index Typographic Conventions The following conventions are used throughout this manual: T ext Conventions Syntax Conventions italic Identifies book titles. bold Identifies options , command buttons, and menu items . fixed width Identifies file names, system prompts , operating system commands , and UNIX error and system messages .
20 HP-UX Release Name and Release Identifier Each HP-UX 11i release has an associated release name and release identifier . The uname (1) command with the -r option returns the release identifier . T able 1 lists the releases available for HP-UX 11i.
21 • KRB5 Client Software on HP-UX 11i v2, delivered as part of the core operating system. • GSS-API on HP-UX 11i v2, delivered as part of the core operating system.
22 • RFC 1510 - The Kerberos Networ k Authentication Service (V5) • RFC 1964 - The Kerberos v5 GSS-API Mec hanism • RFC 2743 - Generic Security Service Application Program Interface • RFC 2744 - Generic Security Service API Y ou can access these RFCs at the following W eb site: http://www.
Chapter 1 23 1 Overview This chapter provides an introduction to the Kerberos server v3.1, available on the HP-UX 11i v2 operating system..
Overview Chapter 1 24 This chapter discusses the following topics: • “How the Kerberos Server W orks” on page 26 • “ Authentication Process” on page 27 • “DES V ersus 3DES Key Type Settings” on page 31 • “Introduction to LDAP” on page 32 — “Integrating Kerberos Server v3.
Overview Introduction Chapter 1 25 Introduction The term Kerberos was derived from the Greek mythology . Cerberus is the latin variant of Kerberos, who guarded the entrance of Hades , the Greek hell. The Kerberos security system, on the other hand, guards electronic transmissions that are sent across a network.
Overview How the K erberos Server W orks Chapter 1 26 How the Kerberos Server W orks The basic currency of Kerberos is the ticket, which the user presents to use a specific service. Each service , be it a login service or an FTP service, requires a different kind of ticket.
Overview A uthentication Process Chapter 1 27 Authentication Process The Kerberos server grants tickets to your user principal to access secured network services.
Overview A uthentication Process Chapter 1 28 Figure 1-1 illustrates the actions of the components and the Kerberos protocol in a secured environment. Figure 1-1 Authentication Process The following is a description of how a client and server authenticate each other using Kerberos: Step 1.
Overview A uthentication Process Chapter 1 29 • Client-indicates the user name, also referred to as the principal name • Server -indicates the Application Server • Time stamp • Nonce Step 2. If the AS decrypts the message successfully , it authenticates the requesting user and issues a TGT .
Overview A uthentication Process Chapter 1 30 also verifies that the user’ s service ticket has not expired. If the user does not have a valid service ticket, then the server will return an appropriate error code to the client.
Overview DES V ersus 3DES Ke y T ype Settings Chapter 1 31 DES V ersus 3DES Key Type Settings In the processes outlined in the section “ Authentication Process” on page 27, if the user principal and the service principal do not use the same key type, the process continues as described.
Overview Introduction to LD AP Chapter 1 32 Introduction to LDAP The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services. LDAP defines a message protocol used by directory clients and directory servers .
Overview Introduction to LD AP Chapter 1 33 Integrating Kerberos Server v3.1 with LDAP Y ou can configure K erberos server v3.1 with LDAP as the backend database. By integrating the Kerberos principals with the corresponding users in the LDAP directory , you store data for mechanisms, such as UNIX and Kerberos in a common repository .
Overview Introduction to LD AP Chapter 1 34 How is the Kerberos Principal Integrated in to the LDAP Directory? A directory contains a collection of objects organized in a tree structure. Y ou can arrange entries within the DIT based on their Distinguished Names (DNs).
Chapter 2 35 2 Installing the Kerberos Server v3.1 This chapter describes how to install the Kerberos server v3.1 on the HP-UX 11i v2 operating system.
Installing the K erberos Ser ver v3.1 Chapter 2 36 This chapter contains the following sections: • “Prerequisites” on page 37 • “System Requirements” on page 38 • “Installing the Serve.
Installing the K erberos Ser ver v3.1 Prerequisites Chapter 2 37 Prerequisites Before you install the server , ensure that: • Y ou have installed the HP-UX 11i v2 operating system on your system. T o check the version of the HP-UX operating system, run the uname -r command at the HP-UX prompt.
Installing the K erberos Ser ver v3.1 System Requirements Chapter 2 38 System Requirements This section describes the hardware and softw are requirements for the Kerberos server software for HP-UX server systems . Hardware Requirements The hardware requirement for installing the Kerberos server is 12 MB of free disk space.
Installing the K erberos Ser ver v3.1 Installing the Server Chapter 2 39 Installing the Server T o install the Kerberos server , complete the following steps: Step 1. Insert the software media (tape or disk) in the appropriate drive. Step 2. Type the swinstall command at the HP-UX prompt.
Installing the K erberos Ser ver v3.1 Installing the Server Chapter 2 40.
Chapter 3 41 3 Migrating to a Newer V ersion of the Kerberos Server This chapter describes how to migrate from the Kerberos server v1.0 to v3.0, from the Kerberos server v2.
Migrating to a Ne wer V ersion of the K erberos Ser ver Chapter 3 42 v3.0 to v3.1. The Kerberos database formats of v2.0 and v3.0 are compatible with each other , but the database formats of Kerberos server v1.0 and v3.0 are not compatible with each other .
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 43 Migrating from Kerberos Server V ersion 1.0 to 3.0 If you want to use the Kerberos server with C-tree as the backend database, migrate your existing Kerberos server to Kerberos server v3.
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 44 # kdb5_util dump /opt/krb5/dumpfilev1.0 Step 2. Copy the dump file to the new system where you are installing the Kerberos server v3.
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 45 Y ou can configure K erberos server manually or by using the krbsetup tool.
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 46 The policy applicable to the principal that is migrated from v1.0 to v3.0 is based on the instance name of the principals. T o modify the policy , edit the principal to change the policy name field to the new policy .
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 2.0 to V ersion 3.0 Chapter 3 47 Migrating from Kerberos Server V ersion 2.0 to V ersion 3.0 If you want to use the Kerberos server with C-tree as the backend database, migrate your existing Kerberos server to Kerberos server v3.
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 2.0 to V ersion 3.0 Chapter 3 48 # kdb_dump -f /opt/krb5/dumpfilev2.0 Step 2. Copy the dump file to the system on which you are installing the v3.0 Kerberos server Step 3.
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 3.0 to V ersion 3.1 Chapter 3 49 Migrating from Kerberos Server V ersion 3.0 to V ersion 3.1 If you want to use the Kerberos server with LDAP as the backend database, migrate your existing Kerberos server to Kerberos server v3.
Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 3.0 to V ersion 3.1 Chapter 3 50.
Chapter 4 51 4 Interoperability with W indows 2000 When you configure interoperability between the Kerberos server and the Windows 2000 operating system, you must set certain configuration.
Interoperability with Windows 2000 Chapter 4 52 parameters. This c hapter discusses what you need to know about configuring such an environment. This chapter contains information specific to establishing interoperability with Windows 2000 Kerberos implementations.
Interoperability with Windows 2000 Understanding the T erminology Chapter 4 53 Understanding the T erminology Both the Kerberos server and Microsoft provide Kerberos security for your network. While the technology is the same, the terminology varies .
Interoperability with Windows 2000 Understanding the T erminology Chapter 4 54 systems and the Microsoft implementation uses a DNS lookup to resolve host names.
Interoperability with Windows 2000 Kerber os Ser ver and Windows 2000 Inter operability Chapter 4 55 Kerberos Server and W indows 2000 Interoperability F ollowing are the possible interrealm interoperability scenarios between the Kerberos server software and W indows 2000, each with its own configuration requirements.
Interoperability with Windows 2000 Establishing T rust Between Kerber os Server and Windows 2000 Chapter 4 56 Establishing T rust Between Kerberos Server and W indows 2000 T o establish trust between Kerberos server KRB.REALM and Windows 2000 W2K.DOMAIN , complete the following steps: Step 1.
Interoperability with Windows 2000 Establishing T rust Between Kerber os Server and Windows 2000 Chapter 4 57 NO TE The fqdn qualifier specifies the fully qualified domain name of the Kerberos KDC . Step 4. Reboot the Windows 2000 domain controller .
Interoperability with Windows 2000 Single Realm (Domain) A uthentication Chapter 4 58 Single Realm (Domain) Authentication Single realm interoperability scenarios involve one or more client systems in a given realm or domain that authenticate to a single KDC .
Interoperability with Windows 2000 Interrealm (Interdomain) A uthentication Chapter 4 59 Interrealm (Interdomain) Authentication If two distinct realms share common keys, the realms trust one another . With that trust in place , principals can securely access services in their native realm as well as those in the trusted realm.
Interoperability with Windows 2000 Special Considerations for Inter operability Chapter 4 60 Special Considerations for Interoperability Y ou must consider the following issues related to interoperability with Windows 2000 implementations .
Interoperability with Windows 2000 Special Considerations for Inter operability Chapter 4 61.
Interoperability with Windows 2000 Special Considerations for Inter operability Chapter 4 62.
Chapter 5 63 5 Configuring the Kerberos Server W ith C-Tree Backend This chapter describes the configuration files and procedures used to configure the Kerberos Server with C-tree backend.
Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 64 Configuration F iles for the Kerberos Server Y ou must install all the critical K erberos server files on the system before you start configuring the Kerberos Server .
Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 65 The krb.conf File The krb.conf configuration file contains information about the default realm of the host, the administration server , and security servers for known realms .
Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 66 NO TE Realm names are case sensitive; you must type the realm name correctly if your site does not follow the uppercase convention. The subsequent lines require fields that identify the security server host names .
Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 67 The krb.realms file must contain sufficient entries to define the realm used by every service a client computer must access . Y ou can create a krb.
Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 68 T o create comments , use the hash sign (#) . Any characters after a # sign are ignored. Blank lines and any leading or trailing white spaces in a line are also ignored.
Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 69 Autoconfiguring the Kerberos Server An automated tool named krbsetup is provided to autoconfigure your Kerberos server . Use this tool to: • Configure the Kerberos Server with either LDAP or C-Tree as the backend database .
Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 70 • Specify the encryption type. • Specify a different location for the log messages if you do not want to store the log messages in the default syslog file.
Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 71 • T o configure your Kerberos Server with C-Tree, select option 1 . See “Configuring the Kerberos Server with C-Tree” on page 71 to continue configuring your Kerberos Server with C-Tree.
Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 72 Step 5. T o remove the existing Kerberos server configuration, press y and press n to retain the existing database. Step 6. Configure your Kerberos server as either a primary security server or a secondary security server: 1.
Chapter 6 73 6 Configuring the Kerberos Server with LDAP This chapter describes the configuration files and procedures used to configure the Kerberos Server with LDAP backend.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 74 Configuration F iles for LDAP Integration Y ou must configure the LDAP configuration files listed in T able 6-1, before setting up your Kerberos server .
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 75 This file is generated automatically based on the input provided by you while autoconfiguring the Kerberos server . Alternatively , a sample file is available in the /opt/krb5/examples directory .
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 76 directory_server This line indicates a space separated list of LDAP Servers.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 77 The krb5_schema.conf File A schema is a collection of object and attribute definitions that defines the structure of the entries in a database. The krb5_schema.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 78 • Type of object classes • Attributes of the object classes • Optional attributes • Syntax of each attribute F or example, a sc hema can define a person object class.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 79 ticket’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( hpKrbAccountExpires-oid NAME ’hpKrbAccountExpires’ DESC ’Value used to compute date and time when account will expire’ SYNTAX 1.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 80 attributetypes: ( hpKrbModifyTimestamp-oid NAME ’hpKrbModifyTimestamp’ DESC ’The date and time when the identity specified in the hpKrbModifiersName attribute made the last modification’ SYNTAX 1.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 81 objectClasses: ( hpKrbKey-oid NAME ’hpKrbKey’ DESC ’An structural object class used for configuring the principal name of an associated principal entry.
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 82 hpKrbAuthzData = hpKrbAuthzData hpKrbKeyVersion = hpKrbKeyVersion hpKrbKeyData = hpKrbKeyData.
Configuring the Kerberos Server with LD AP Planning Y our LDAP Configuration Chapter 6 83 Planning Y our LDAP Configuration The following sections of this chapter describe how to plan and configure your Kerberos Server to work with the Directory server .
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 84 Setting up Y our LDAP Configuration Plan how to set up and verify your LDAP directory and your Kerberos server environment, before you put them into production.
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 85 you can access the information in the directory . Hence, you need to choose an authentication method. Currently , the supported mechanisms are P assword and SSL.
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 86 • What is the name of your default principal subtree DN ? Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry .
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 87 This line specifies the mandatory attributes of the default object class .The object class attribute determines the attributes the entry must have and can have .
Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 88 Autoconfiguring the Kerberos Server W ith LDAP Integration An automated tool named krbsetup is provided to autoconfigure your Kerberos server .
Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 89 Step 7. Enter the host name of the directory server . The default value is displayed. T o use the default, press Return ; otherwise, enter your fully qualified host name or the IP address.
Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 90 2. hpKrbKey T o remap the attributes of the object class hpKrbPrincipal , select option 1 . T o remap the attributes of the object class hpKrbKey , select option 2 .
Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 91 Step 20. Enter the realm name. The default value is displayed. T o use the default, press Return ; otherwise, enter your realm name .
Configuring the Kerberos Server with LD AP Manually Configuring the K erberos Server with LD AP Chapter 6 92 Manually Configuring the Kerberos Server with LDAP This section describes how to manually configure your Kerberos server with LDAP .
Configuring the Kerberos Server with LD AP Manually Configuring the K erberos Server with LD AP Chapter 6 93 • Never delete any element of your Kerberos schema as this affects the compatibility of your schema to other LDAP services (servers and clients).
Configuring the Kerberos Server with LD AP Manually Configuring the K erberos Server with LD AP Chapter 6 94.
Chapter 7 95 7 Configuring the Primary and Secondary Security Server This chapter describes the procedure to configure the primary and secondary security server .
Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Primary Security Server Chapter 7 96 Configuring the Primary Security Server The following sections describe the initial configuration tasks you need to perform to get your primary and secondary security server up and running .
Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Primary Security Server Chapter 7 97 If you are using Kerberos server v2.0 or v3.0, and want to migrate the principal database to Kerberos server v3.1, see Chapter 3, “Migrating to a Newer V ersion of the Kerberos Server , ” on page 41.
Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Primary Security Server Chapter 7 98 Step 4. Use the Edit>Edit Administrative P ermissions menu to assign ALL administrative permissions to the principal.
Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Primary Security Server Chapter 7 99 The host/<fqdn> principal is not automatically added to the principal database during security server software installation; you must manually add the host/<fqdn> principal using the kadminl_ui or kadminl command.
Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Primary Security Server Chapter 7 100 Alternatively , you can use the following command to start the K erberos daemons kdcd and kadmind : /sbin/init.
Configuring the Pr imar y and Secondary Secur ity Ser v er Security P olicies Chapter 7 101 Security P olicies The following files are directly related to the security of the network in your organiz.
Configuring the Pr imary and Secondar y Secur ity Ser v er Starting the Security Ser ver Chapter 7 102 Starting the Security Server After creating the Kerberos database and setting up the administrative principals , you can start the Kerberos daemons on the primary security server .
Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Secondary Security Servers with C-T ree Chapter 7 103 Configuring the Secondary Security Servers with C-T ree Y ou can now configure the secondary security servers.
Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Secondary Security Servers with C-T ree Chapter 7 104 Creating a host/<fqdn> Principal and Extracting the Key T o allow principal database propagation, each secondary security server must contain a host/<fqdn> principal.
Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Secondary Security Servers with LD AP Chapter 7 105 Configuring the Secondary Security Servers with LDAP Y ou can now configure the secondary security servers.
Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Secondary Security Servers with LD AP Chapter 7 106 key type and master password that was specified when the database w as created.If you run the kdb_create utility with the -s option, a stash file is created automatically .
Configuring the Pr imar y and Secondary Secur ity Ser v er Using Indexes to Impr ove Database P erformance Chapter 7 107 Using Indexes to Improve Database P erformance Most LDAP servers use indexes to improve search performance . Indexes are files stored in your directory databases.
Configuring the Pr imary and Secondar y Secur ity Ser v er Using Indexes to Impr ove Database P erformance Chapter 7 108.
Chapter 8 109 8 Administering the Kerberos Server This chapter explains how to administer and maintain the Kerberos database and how to manage principals using the HP Kerberos.
Administering the Kerberos Server Chapter 8 110 Administrator , a graphical user interface, or the command-line administrator . This chapter discusses the following topics: • “ Administering the K.
Administering the Kerberos Server Administering the Kerber os Database Chapter 8 111 Administering the Kerberos Database After you have installed and configured the Kerberos server v3, the Kerberos database contains the default Kerberos principals, their keys , and other administrative information about each of these principals for your realm.
Administering the Kerberos Server The kadmind Command Chapter 8 112 The kadmind Command The kadmind command starts the administrative server . This administrative server runs on the Kerberos server that stores the Kerberos principal database.
Administering the Kerberos Server The admin_acl_file File Chapter 8 113 The admin_acl_file F ile The /opt/krb5/admin_acl_file file located only on the primary security server , lists authorized principals with their respective administrative permissions.
Administering the Kerberos Server The admin_acl_file File Chapter 8 114 Assigning Administrative P ermissions Administrative principals may have varying levels of trust assigned to them, depending on the policies of your organization.
Administering the Kerberos Server The admin_acl_file File Chapter 8 115 P ermissions designated with a lowercase letter apply only to those realms to which the administrative principal belongs . Permissions designated with an uppercase letter apply to all realms.
Administering the Kerberos Server The admin_acl_file File Chapter 8 116 T o grant the principal rabbit@FINANCE.BAMBI.COM the permission to add, list, and inquire about any principal in the database, add the following entry to admin_acl_file : rabbit@FINANCE.
Administering the Kerberos Server The admin_acl_file File Chapter 8 117 Creating Administrative Accounts Y ou can set administrative permissions in admin_acl_file using one of the following methods: • Using the HP Kerberos Administrator to set administrative permissions .
Administering the Kerberos Server The admin_acl_file File Chapter 8 118 NO TE IRDid is equivalent to the IRD permissions because the uppercase permissions (excluding the r and R modifiers) apply to all realms.
Administering the Kerberos Server P asswor d Policy File Chapter 8 119 P assword P olicy File The password policy file controls password rules, suc h as password length, number of character types , and the lifetime of a password. The password.policy file located on each of the primary and secondary security servers in the /opt/krb5 directory .
Administering the Kerberos Server P asswor d Polic y File Chapter 8 120 If you modify the MaxfailAuthCnt parameter , you must copy the password policy file to the secondary security server and restart kdcd on both the secondary and primary secondary security servers.
Administering the Kerberos Server Principals Chapter 8 121 Principals A principal is a specific entity to which you can assign a set of credentials . Principals are users and network services that are included in your security network.
Administering the Kerberos Server Principals Chapter 8 122 • Is case sensitive. • Cannot be longer than 767 characters . • Must be uniquely defined in the first 255 characters . • Cannot contain a space, tab , pound symbol ( # ), bac kward slash ( )o r colon ( : ).
Administering the Kerberos Server Principals Chapter 8 123 Adding User Principals The Kerberos server enables you to add user principals to the principal database. The only limit on the number of principals in the database is the disk space available on the primary security server and on each of the secondary security servers.
Administering the Kerberos Server Principals Chapter 8 124 The instance portion of the service principal name must be the fully qualified domain name (FQDN) of the host on which the service resides. Although the FQDN in your network can use mixed-case characters , the instance portion of the principal name must be in lowercase.
Administering the Kerberos Server Principals Chapter 8 125 the database secret key . All records in the principal database are encrypted using this key . The key for this principal is stored on each Kerberos server in the .k5.realm file. IMPORT ANT Do not remove, modify , or change the key type for this principal.
Administering the Kerberos Server Principals Chapter 8 126 kadmin/REALM@REALM: The Kerberos administrative graphical user interface and command-line interface utilities use the kadmin/REALM@REALM principal name. This principal is required in each realm.
Administering the Kerberos Server Principals Chapter 8 127 Y ou must enter the fqdn in lowercase letters, and the fqdn instance must be the fully qualified domain name of the host system for the server or service. These principals are not automatically added to the principal database when you install the Kerberos servers or application services.
Administering the Kerberos Server Principals Chapter 8 128 Protecting a Secret Key A user principal must provide its password during authentication to create the secret key of the user principal. F or best security , all users must periodically change their passwords .
Administering the Kerberos Server Principals Chapter 8 129 Deleting a service principal using one of the Kerberos administrative utilities removes the principal name, attributes , and properties from the database.
Administering the Kerberos Server The kadmin and kadminl Utilities Chapter 8 130 The kadmin and kadminl Utilities The kadmin and kadminl Kerberos command-line administrative utilities provide a unified administration interface for the Kerberos database.
Administering the Kerberos Server The kadmin and kadminl Utilities Chapter 8 131 Administration Utilities T able 8-4 describes the administrative utilities that you can use to administer the Kerberos database.
Administering the Kerberos Server HP Kerber os Administrator Chapter 8 132 HP Kerberos Administrator HP Kerberos Administrator is a graphical user interface that you can use to administer the principal database. Y ou can use the HP K erberos Administrator to perform the following functions: • Creating , modifying , and deleting principals.
Administering the Kerberos Server HP Kerber os Administrator Chapter 8 133 the * permissions in admin_acl_file . The account must have at least inquire privileges . F or more information, see “The admin_acl_file File” on page 113. Both the local and remote administrators are discussed in detail in this chapter .
Administering the Kerberos Server Local Administrator – kadminl_ui Chapter 8 134 Local Administrator – kadminl_ui The local administrator , kadminl_ui, is the GUI-based database administrator that runs on the primary security server .
Administering the Kerberos Server Local Administrator – kadminl_ui Chapter 8 135 This chapter contains a detailed description of the Principals tab and the Realms tab.
Administering the Kerberos Server Principals T ab Chapter 8 136 Principals T ab Y ou can use the Principals tab (Figure 8-1) in the HP Kerberos Administrator window to manage principal entries in your database by adding , editing , or deleting principals.
Administering the Kerberos Server Principals T ab Chapter 8 137 T able 8-6 describes the components of the Principals tab. Figure 8-1 Principals T ab T able 8-6 Principals T ab Components Component Name Description Realm Select the realm where the principal that you want to add, c hange, or delete resides.
Administering the Kerberos Server Principals T ab Chapter 8 138 List All Click this button to list all the principals associated with the realm. NO TE: If you have selected LDAP as the backend database , then information about all realms under the same base DN is displayed when you click this button.
Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 139 General T ab (Principal Information Window) Y ou can use the Principal Information window to add principals or to modify existing principals and ticket information.
Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 140 T able 8-8 describes the components of the General tab. LDAP DN Displays the LDAP DN .
Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 141 Principal Expiration Displays the principal expiration time, whic h indicates when the current logon privileges of the principal expire. Enter one of the following options in the Principal Expiration box: • A date and time in the format HH:MM MM/DD/YYY.
Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 142 P assword P olicy Specifies the password policy name in this field. If you do not specify the password policy name, the default policy is applied. NO TE: Do not change the password policy name for reserved service principals .
Administering the Kerberos Server Adding Principals to the Database Chapter 8 143 Adding Principals to the Database When you add a principal, you must specify the following information: • Principal and ticket information, located in the General tab.
Administering the Kerberos Server Adding Principals to the Database Chapter 8 144 Figure 8-3 Change P assword Window Step 5. Enter the new password in the Change Password window and c lick OK . Step 6. In the Password tab , enter the P assword Information and the K ey and Salt Types .
Administering the Kerberos Server Adding Principals to the Database Chapter 8 145 Adding Multiple Principals with Similar Settings T o simultaneously add multiple principals with the same setting , complete the following steps: Step 1. In the HP Kerberos Administrator window , select the Realm in which you want to add multiple principals .
Administering the Kerberos Server Creating an Administrative Principal Chapter 8 146 Creating an Administrative Principal Y ou can use the HP K erberos Administrator window to create an administrative principal.
Administering the Kerberos Server Creating an Administrative Principal Chapter 8 147 Step 6. Enter the password information and click OK in the Change P assword window . Do not select the Generate Random K ey option. Step 7. In the Attributes tab, select the attributes for the administrative principal.
Administering the Kerberos Server Creating an Administrative Principal Chapter 8 148 Step 11. Click OK to save all the values to the database and to close the Principal Information window , or click Cancel to close the Principal Information window without saving the values to the database .
Administering the Kerberos Server Searc hing for a Principal Chapter 8 149 Searching for a Principal F ollowing are the methods to search for a principal: • Click List All in the Principals tab to display a list of principals in the current realm in the List of Principals list box, which displays up to 1,000 principals.
Administering the Kerberos Server Searc hing for a Principal Chapter 8 150 [...] Represents any one character from the set except / (slash). F or example, [abc]* searc hes for all principal names starting with a , b ,o r c . The following characters have a special meaning with the [.
Administering the Kerberos Server Deleting a Principal Chapter 8 151 Deleting a Principal When you delete a principal using one of the Kerberos administrative utilities , all references to the principal are automatically removed from both the principal database and admin_acl_file .
Administering the Kerberos Server Loading Default V alues for a Principal Chapter 8 152 Loading Default V alues for a Principal When you add or edit a principal in the Principal Information window , you can quickly restore any changed values to the default values that are specified in the default group.
Administering the Kerberos Server Restoring Previousl y Saved V alues for a Principal Chapter 8 153 Restoring Previously Saved V alues for a Principal Y ou can restore any value for a principal that you have changed but not yet saved to the values that were previously saved for that principal.
Administering the Kerberos Server Changing Ticket Inf ormation Chapter 8 154 Changing T icket Information Y ou can change the ticket information used for a principal, including the principal expiration date, ticket lifetime , and ticket renewal time .
Administering the Kerberos Server Rules for Setting Maxim um Ticket Lifetime Chapter 8 155 Rules for Setting Maximum T icket Lifetime Maximum ticket lifetime indicates the maximum lifetime for which a ticket can be issued to the principal. Y ou can specify the maximum ticket lifetime value in the General>Maximum Ticket Lifetime text box.
Administering the Kerberos Server Rules for Setting Maxim um Renew Time Chapter 8 156 Rules for Setting Maximum Renew T ime Maximum renew time indicates the maximum amount of time for which a ticket can be renewed. Y ou can specify the maximum renew time value in the Principal Information>General>Maximum Renew Time text box.
Administering the Kerberos Server Rules for Setting Maxim um Renew Time Chapter 8 157 You have entered an invalid time.
Administering the Kerberos Server Changing P asswor d Information Chapter 8 158 Changing P assword Information Y ou can change the following password information used by a principal: • P assword expiration date Indicates when the password of the current principal is due to expire.
Administering the Kerberos Server Changing P asswor d Information Chapter 8 159 IMPORT ANT If you change the key or salt type, you must change the password of the principal. Y ou must inform the principal of the required temporary password. The principal must change the password during next logon.
Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 160 P assword T ab (Principal Information W indow) Y ou can use the Password tab (F igure 8-5) on the Principal Information window to specify the password parameters for the principal.
Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 161 P assword Expiration/Date Indicates when the current principal password expires. Select P assword Expiration/Date to activate password expiration for the current principal.
Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 162 Change P assword Window (P assword T ab) When you create a new principal using the Principal Information window>Password tab, HP Kerberos Administrator automatically displays the Change P assword window (Figure 8-6).
Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 163 Generate Random Key only for service principals. If you select the Generate Random Key option, a unique encrypted key is created without entering a password.
Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 164 New P assword Specifies the new password information. This is a temporary password because the principal is required to change the password of the user during next logon.
Administering the Kerberos Server Changing a Ke y T ype Chapter 8 165 Changing a Key Type F or a strong enterprise wide security between the Kerberos servers and clients , all principals must have 3DES keys using Normal (V5) salt.
Administering the Kerberos Server Changing a Ke y T ype Chapter 8 166 • If the principal is a service principal with an extracted key , select the Generate Random Key check box to generate a random key . Step 8. Click OK to close the Change P assword window .
Administering the Kerberos Server Changing Principal Attributes Chapter 8 167 Changing Principal Attributes Y ou can change the attributes of a principal in the Principal Information window (Figure 8-5). These attributes are the characteristics and properties assigned to a user or a service principal.
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 168 Attributes T ab (Principal Information W indow) Attributes are the characteristics and properties assigned to a principal that control the behavior of the principal.
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 169 LDAP DN Displays the LDAP DN that you are editing . Allow P ostdated Specifies whether a principal is allowed for ticket postdating .
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 170 LDAP DN Displays the LDAP DN that you are editing . Allow P ostdated Specifies whether a principal is allowed for ticket postdating .
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 171 Allow F orwardable Specifies if a principal is allowed ticket forwarding . F orwarding is a process that sends a ticket-granting ticket (TGT) from one network host to another host.
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 172 Require Preauthentication Specifies if a principal is required to use preauthentication in the TGT request.
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 173 Lock Principal Specifies if a principal is active. A locked principal still exists in the principal database, but it is unable to use or provide Kerberos services.
Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 174 Require Initial Authentication Specifies if the server is allowed to issue service to the service principal on behalf of a user principal using a previously obtained TGT .
Administering the Kerberos Server LD AP Attributes T ab (Prinicpal Information Windo w) Chapter 8 175 LDAP Attributes T ab (Prinicpal Information W indow) The LDAP Attributes tab displays the mandatory LDAP attributes that need to be specified while creating a Kerberos principal.
Administering the Kerberos Server LD AP Attributes T ab (Prinicpal Information Windo w) Chapter 8 176 Y ou can use the LDAP Attributes tab in the Principal Information window to assign LDAP attributes for a principal, as shown in Figure 8-8.
Administering the Kerberos Server Deleting a Service Principal Chapter 8 177 Deleting a Service Principal The Kerberos server requires several specific principals. If you accidentally delete these principals, you must restore the principal database from a backup tape.
Administering the Kerberos Server Extracting Service Keys Chapter 8 178 Extracting Service Keys Unlike users who type their password using a keyboard, a service principal needs to have its secret key automatically available during authentication.
Administering the Kerberos Server Extracting Service Keys Chapter 8 179 If you change the default name and location to a different name and location than the programs of the Kerberos server , you must edit the settings to indicate the new location of the service key table file.
Administering the Kerberos Server Extracting a Service Key T able Chapter 8 180 Extracting a Service Key T able Y ou can extract the key for a service principal to the service key table ( v5srvtab ) by using the Extract Principal Key to Service Key T able window .
Administering the Kerberos Server Extracting a Service Key T able Chapter 8 181 T able 8-13 Extract Service Key T able Components Component Description Principal Displays the name of the principal for which you are extracting a key . Service Key T able Type Identifies the type of key table into which the principal name and keys are extracted.
Administering the Kerberos Server Using Groups to Contr ol Settings Chapter 8 182 Using Groups to Control Settings Y ou can modify the default values used for new principals using the Principal Information window (Figure 8-2). Each realm has a default group, and the default group for the realm contains default values .
Administering the Kerberos Server Using Groups to Contr ol Settings Chapter 8 183 Y ou can also edit the default group by selecting the default@REALM principal from the List of Principals list box in the Principals tab.
Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 184 Group Information W indow (Principal Information W indow) Y ou can view or modify the default group settings of a realm using the Group Information window .
Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 185 T o open the Group Information window , choose Principal Information>Edit>Edit Default Group to display the Group Information window (Figure 8-10).
Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 186 Principal Attributes Y ou must assign attributes to each principal to control the usage and rights of the account. This section describes the possible attributes and the default settings.
Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 187 T o edit the default group, use the HP Kerberos Administrator or the command-line administrator , discussed as follows: • In the HP Kerberos Administrator window , complete the following steps to edit the default group: 1.
Administering the Kerberos Server Setting Administrative P ermissions Chapter 8 188 Setting Administrative P ermissions Use the HP Kerberos Administrator window to assign administrative permissions to users.
Administering the Kerberos Server Administrative P ermissions Chapter 8 189 Administrative P ermissions Y ou can assign administrative permissions using the Administrative P ermissions window .
Administering the Kerberos Server Administrative P ermissions Chapter 8 190 the Add Principals , Delete Principals, Change Principal P assword, Inquire About Principals, Modify Principals , and Extract Keys permissions. T able 8-15 describes the components of the Group Information window .
Administering the Kerberos Server Administrative P ermissions Chapter 8 191 Restricted Administrator Select this option in addition to the Add Principals, Delete Principals , Modify Principals, Inquir.
Administering the Kerberos Server Administrative P ermissions Chapter 8 192 Modify Administrative P ermissions Modifies administrative permissions for others users. Y ou can modify the administrative permission using the Principal Information>Edit>Edit Administrative P ermissions>Administrative P ermissions window .
Administering the Kerberos Server Realms T ab Chapter 8 193 Realms T ab A realm is a collection of principals that reside in the same administrative domain. Y our network-naming scheme, network topology , security policy , and company organization determine which principals and services you put in a relam.
Administering the Kerberos Server Realms T ab Chapter 8 194 Figure 8-12 Realms T ab T able 8-16 describes the components in the Realms tab. T able 8-16 Realms T ab Components Component Description List of Realms Displays a list of all the available realms .
Administering the Kerberos Server Realms T ab Chapter 8 195 Realm Information Window Y ou can use the Realm Information window to add realms. Click New in the HP Kerberos Administrator window>Realms tab to display the Realm Information window as shown in Figure 8-13.
Administering the Kerberos Server Adding a Realm Chapter 8 196 Adding a Realm When you add a realm, HP Kerberos Administrator automatically creates some reserved principals, whic h remain in the database. T o add a realm, complete the following steps: Step 1.
Administering the Kerberos Server Deleting a Realm Chapter 8 197 Deleting a Realm When you delete a realm, all the principals for that realm are not deleted from the database. T o delete the principals from the database, you can use the HP Kerberos Administrator window or the command-line administrator .
Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 198 Remote Administrator – kadmin_ui The kadmin_ui utility is the GUI-based Kerberos remote administrative utility that runs on the secondary security servers and clients.
Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 199 Step 1. Execute the following command at the HP-UX prompt: # /opt/krb5/kadmin_ui The logon screen displays as shown in Figure 8-14. Figure 8-14 Logon Screen Step 2. Enter your principal name and password in the logon screen.
Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 200 Step 4. Enter a new password in the change password screen to change your password, and click OK . Figure 8-15 Change P assword Screen NO TE This screen is displayed only when you first log on using the remote administrator .
Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 201 The graphical user interface for the remote administrator is similar to that for the local administrator .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 202 Manual Administration Using kadmin Y ou can use the command-line administrator to administer the principal database. It enables principals with administrative privileges to maintain the principal database.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 203 Only a user with root permission can invoke the local command-line administrator , kadminl . T o log on to the remote administrator , kadmin , use a principal account that has an entry in admin_acl_file and an account that has at least inquire privileges.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 204 HP recommends that you use the graphical user interface administrative utility , kadminl_ui , to administer these parameters. Adding a New Principal Y ou must specify the add administrative privilege in admin_acl_file to add a principal to the database.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 205 F or example, to add a new principal admin , type kadmin at the HP-UX prompt, and specify the add command, the principal name, and the policy name.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 206 command: cpw Name of Principal: admin Enter password: password Re-enter password for verification: password Principal.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 207 Extracting a Principal The ext command securely extracts the key of the principal into a local service key table file. By default, the host/fqdn@REALM principal is extracted into the v5srvtab file, where fqdn is the fully qualified domain name of the host system.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 208 [principal] Specifies an alternate principal to extract other than the default host/fqdn@REALM principal, for example, ext finance@BAMBI.COM After ext executes , it prompts you for the service key table file name.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 209 policy Specifies the new policy name. If you do not specify a policy name, the default policy is applied. dn Specifies the LDAP DN name. If you do not specify an LDAP DN name, the default policy is applied.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 210 Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit ):fcnt Failure Count (or quit): <enter count> Principal modified.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 211 F ollowing is a sample output for the mod command with the dn parameter: Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :dn Enter LDAP DN name or quit: <enter LDAP DN name> Principal modified.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 212 The Allow Postdated attribute applies to both user and service principals specified as follows: • Y ou can issue either a postdated or postdatable ticket for user principals .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 213 NO TE Before the server issues a renewable service ticket, the requesting user must possess a renewable TGT .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 214 Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :attr Attribute (or quit): {forward|noforward} Principal modified.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 215 Allow Duplicate Session Key Attribute The Allow Duplicate Session Key attribute determines whether a principal is allowed to use a duplicate session key .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 216 Require Preauthentication Attribute The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting a TGT .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 217 When a new principal is added to the database or when a password of the principal is changed, this attribute is controlled by the NoReqChangePwd setting in the password policy file of the principle.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 218 T o modify the type of the parameter attr for the principal admin and to set the Lock Principal attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 219 Require Initial Authentication Attribute The Require Initial Authentication attribute specifies if the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT .
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 220 Y ou can use the kadmin inq command to view the attribute of the principal. With Require Initial Authentication selected ( tgt ), the inquire command shows TGT_BASED in the attributes field.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 221 F ollowing is a sample output of the Password Change Service attribute: Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr, fcnt, vno, policy,dn or q ui) :attr Attribute (or quit): {cpwsrv|nocpwsrv} Principal modified.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 222 Because the expiration time is calculated from the time you add a new principal to the database, the password change load on the server is distributed over time.
Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 223 Y ou cannot set this attribute using the command-line administrator . Maximum Renew Time Attribute The Maximum Renew Time attribute controls the renew time limit for renewable tic kets.
Administering the Kerberos Server Principal Database Utilities Chapter 8 224 Principal Database Utilities Principal database utilities are tools that help you to globally manage the principal database.
Administering the Kerberos Server Kerber os Database Utilities Chapter 8 225 Kerberos Database Utilities The primary security server contains a database of all principals that are trusted in each of the supported realms . Y ou can also create the database during installation.
Administering the Kerberos Server Kerber os Database Utilities Chapter 8 226 • DES-CRC or 1 : DES-CBC-CRC NO TE The default, DES3-CBC-MD5 , will be set as the encryption type if you do not specify any of the encryption types previously mentioned. -f keyfile Specifies an alternate name for the stash file when used with the -s switch.
Administering the Kerberos Server Kerber os Database Utilities Chapter 8 227 Adding principals to database... Cleaning up.... shell% The kdb_create command creates the following principals: • K/M@<REALM NAME> This is the default key name. However , you can configure this key name.
Administering the Kerberos Server Kerber os Database Utilities Chapter 8 228 • DES-MD5 • DES-CRC The encryption type selected during database creation determines the encryption type applied to the master password, which in turn is used to create the key that secures all records stored in the principal database.
Administering the Kerberos Server Destro ying the Kerberos Database Chapter 8 229 Destroying the Kerberos Database The kdb_destroy utility securely removes the principal database.
Administering the Kerberos Server Destro ying the Kerberos Database Chapter 8 230 sure? (type ‘yes’ to confirm)? Database destroyed!.
Administering the Kerberos Server Dumping the Kerber os Database Chapter 8 231 Dumping the Kerberos Database The kdb_dump utility copies the contents of the principal database to stdout or to a text file. By default, the output is displa yed on the terminal using the stdout command.
Administering the Kerberos Server Loading the Kerber os Database Chapter 8 232 Loading the Kerberos Database The kdb_load utility loads the database with the principal entries from a database dump text file. This utility overrides the existing database entries with the corresponding entries present in the dump file.
Administering the Kerberos Server Stashing the Master Ke y Chapter 8 233 Stashing the Master Key The kdb_stash utility stores the master key , the encrypted master password, to a stash file. This utility runs on the primary and secondary security servers .
Administering the Kerberos Server Stashing the Master Key Chapter 8 234 F ollowing is an example of using kdb_stash : shell% kdb_stash -f <filename> Enter password: <password> Re-enter pas.
Administering the Kerberos Server Starting and Stopping Daemons Chapter 8 235 Starting and Stopping Daemons If you change the configuration of the Kerberos server , you must stop and restart the services and daemons for the changes to take effect. T able 8-8 briefly describes the related services and daemons that you must stop and restart.
Administering the Kerberos Server Maintenance T asks Chapter 8 236 Maintenance T asks F ollowing are the maintenance tasks associated with the Kerberos server: • “Protecting Security Server Secret.
Administering the Kerberos Server Maintenance T asks Chapter 8 237 Backing Up primary security server Data Save the copied information to a CD or tape — whatever your preferred archive method is .
Administering the Kerberos Server Maintenance T asks Chapter 8 238 • Run the following command as a root user: # /sbin/init.d/krbsrv stop Step 2. Copy the principal.dat , principal.idx , and principal.ok files from one of the propagation servers to your desired destination, for example, CD-ROM or tape.
Administering the Kerberos Server Removing Un used Space from the Database Chapter 8 239 Removing Unused Space from the Database After long and continued use, the principal database on the primary security server can grow large due to unused space. When you delete a principal, the space that the record had occupied is not removed.
Administering the Kerberos Server Removing Un used Space from the Database Chapter 8 240 Step 8. Remove the /tmp/filename file after you have verified that the new database is functioning without problems.
Chapter 9 241 9 Propagating the Kerberos Server This chapter describes how to propagate the Kerberos database from the primary security server to the secondary security server .
Propagating the K erberos Ser ver Chapter 9 242 This chapter discusses the following topics: • “Propagation Hierarchy” on page 243 • “Service Key T able” on page 244 • “Propagation T ools” on page 246 • “The kpropd Daemon” on page 248 • “The mkpropcf T ool” on page 249 • “The kpropd.
Propagating the K erberos Ser ver Propa gation Hierarchy Chapter 9 243 Propagation Hierarchy T o authenticate users on the network, each secondary security server must contain the latest copy of the principal database, at all times .
Propagating the K erberos Ser ver Service Key T able Chapter 9 244 Service Key T able The /krb5/v5srvtab file is the service key table file that contains service principal names with their corresponding secret keys. Y ou must store this file on the system that hosts the service or application, which requires an extracted key .
Propagating the K erberos Ser ver Service Key T able Chapter 9 245 T o extract the principal <principal_name> to a local service key table file, SrvTab , type kadmin at the HP-UX prompt and specify the ext command, the principal name, and the service key table file name .
Propagating the K erberos Ser ver Propa gation T ools Chapter 9 246 Propagation T ools The kpropd daemon manages and performs propagation of the principal database on each server in the propagation hierarchy .
Propagating the K erberos Ser ver Propa gation T ools Chapter 9 247 F or more information on the process for configuring propagation, see “Setting Up Propagation” on page 258. This chapter contains a detailed discussion of these tools . Manually control propagation on one or more servers once propagation is configured and started.
Propagating the K erberos Ser ver The kpropd Daemon Chapter 9 248 The kpropd Daemon The /opt/krb5/sbin/kpropd daemon propagates the principal database from one server to another and starts running when the security server starts up.
Propagating the K erberos Ser ver The mkpropcf T ool Chapter 9 249 The mkpropcf T ool The /opt/krb5/install/mkpropcf tool creates the kpropd.ini file, which is the default propagation configuration file in a propagation hierarchy . The mkpropcf tool exports the kpropd.
Propagating the K erberos Ser ver The mkpropcf T ool Chapter 9 250 -f Overwrites the kpropd.ini file. Y ou can use this option with the -i option to explicitly overwrite the kpropd.ini file. T o synchronize the kpropd configuration, HP recommends that you export the original configuration, kpropd.
Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 251 The kpropd.ini F ile The /opt/krb5/kpropd.ini file is the propagation configuration file created by the mkpropcf tool using the information from the local krb.conf file. Ensure that only authorized users have access to this file .
Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 252 Sections The kpropd.ini file stores configuration parameters required for propagation. This file contains the following sections: • The [ default_values ] section controls the various global propagation properties .
Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 253 Specifies the length of time for which a session key is valid, where n indicates the number of seconds, minutes , hours, or da ys.
Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 254 primary_realm=DEFAULT_REALM Specifies the default realm of the primary security server . If the krb.conf file does not exist, the DEFAULT REALM is assigned the uppercase equivalent of the domain name.
Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 255 child[n]=fqdn Specifies the child security server of the secsrv_name in the propagation hierarchy , where fqdn is the FQDN of the child server . A security server can have zero or more child servers .
Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 256 [default_values] interval=15s key_exp=6h max_cache=1024K max_retry_delay=1h net_timeout=30s port=kerberos-adm primary_realm=REALM1 r.
Propagating the K erberos Ser ver The prpadmin Administrative Application Chapter 9 257 The prpadmin Administrative Application The /opt/krb5/adm/prpadmin administrative application runs on all security servers and helps you manage the propagation system.
Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 258 Setting Up Propagation After installing and configuring your primary and secondary security servers , you must propagate principal database information from the primary security server to all secondary security servers.
Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 259 T able 9-2 lists the daemons , and briefly describes their functions. T o avoid confusion and redundancy in this section regarding names , T able 9-2 also indicates the generic names used in this document to discuss the daemon.
Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 260 3. From the primary security server /opt/krb5/install directory , run the following command: # mkpropcf This creates the kpropd.ini file, which defines your propagation hierarchy .
Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 261 NO TE The <admin/principal> is the same as the one added on the primary security server in step 2. Step 5. Start the admin daemon on the secondary security server by using the following command: # /opt/krb5/sbin/kadmind Step 6.
Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 262 V erify that propagation has occurred on the secondary security server by using the kdb_dump utility to view the contents of the principal database on the secondary security server .
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 263 Monitoring Propagation Y ou must regularly monitor database propagation between servers.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 264 [hostname of peer] Can’t connect to subscriber to propagate principal database information [hostname of peer] could not get se.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 265 F or example, a prop_ hostname file that is older than 48 hours or is unusually large indicates a propagation problem between the primary and secondary security servers as specified in hostname .
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 266 attempt is sent to the primary security server . However , if the principal fails on one server as many times as specified by the MaxFailAuthCnt parameter in the password policy file, that principal is locked out.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 267 incremental database propagation. T o ensure accurate results , dump the databases simultaneously when administrative activity is at a minimum. Under these conditions, consider a discrepancy of more than five principal entries to be significant.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 268 Step 3. Restart the daemons on both the primary and secondary security servers . Step 4. T o compare the files for discrepancies, copy the files to a common location and execute the following command at the HP-UX prompt: # diff primary.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 269 # rm -r -f /opt/krb5/prop/* Step 3. Restart the propagation daemon by using the following command: # /opt/krb5/sbin/kpropd Step 4.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 270 If you encounter the following error message after installing a new secondary security server and attempting propagation, restar.
Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 271 Step 4. Remove the Kerberos server software on the secondary security server . Step 5. Install the Kerberos server software on the previous secondary security server . Do not create the database during installation.
Propagating the K erberos Ser ver Configuring Multirealm Enterprises Chapter 9 272 Configuring Multirealm Enterprises When you support multiple realms, additional configuration steps are required for both the security servers and clients . This section discusses the servers requirements.
Propagating the K erberos Ser ver Configuring Multirealm Enterprises Chapter 9 273 Multiple primary security servers Supporting a Single Realm Y ou must have one primary security server for each realm if you have distributed administrative groups in which each group maintains its own realm information.
Propagating the K erberos Ser ver Configuring Multirealm Enterprises Chapter 9 274 Database Propagation for Multirealm Databases If you plan to support more than one realm in a single principal datab.
Chapter 10 275 10 Managing Multiple Realms This chapter describes how to set up and configure interrealm authentication between Kerberos servers, and how to manage multiple realms . Y ou must establish trust between the two realms before a principal in one realm can access a service in another realm.
Managing Multiple Realms Chapter 10 276 This chapter discusses the following topics: • “Considering a Trust Relationship” on page 277 • “Configuring Direct Trust Relationships” on page 27.
Managing Multiple Realms Considering a T rust Relationship Chapter 10 277 Considering a T rust Relationship Y ou can establish a multiple realm environment within your enterprise.
Managing Multiple Realms Considering a T rust Relationship Chapter 10 278 Hierarchical Trust In interrealm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms .
Managing Multiple Realms Configuring Direct T rust Relationships Chapter 10 279 Configuring Direct T rust Relationships If the Kerberos security servers manage all the realms in a multirealm environment, you must add interrealm principals to the principal databases for each realm.
Managing Multiple Realms Configuring Direct T rust Relationships Chapter 10 280 • The Kerberos server does not recognize the realm listed in the interrealm ticket, that is , when a proper trust relationship between the realms is not established.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 281 Hierarchical Interrealm T rust Y ou need to use hierarchical interrealm authentication when a realm does not have a direct path to its destination realm, but has a path to an intermediate realm.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 282 interrealm ticket from VIBGYOR.INDIGO.COM , and can use this interrealm ticket to contact GREEN.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 283 These actions are described in detail in the following sections. The example configuration in this section uses the interrealm authentication principals shown in Figure 10-1.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 284 F or interrealm authentication in the other direction, two-wa y hierarchical interrealm authentication, you must also add these principals: • krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in FINANCE.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 285 Configuring the Intermediate Realm T o configure the intermediate realm, consider the local realm as FINANCE.JUNGLE.COM , the intermediate realm as BAMBI.COM , the target realm as IT.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 286 Step 7. Enable the same settings for this principal as for the first krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, with the same settings enabled as used for the principal in the local realm.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 287.
Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 288.
Chapter 11 289 11 T roubleshooting This chapter describes how to troubleshoot the Kerberos server , and also includes the strategies and tools to use while investigating the software and hardware components of the Kerberos server .
T roubleshooting Chapter 11 290 When you encounter a problem, you may need to investigate many hardware and softw are components. Y ou can identify and resolve some problems quickly , such as invalid .
T roubleshooting Characterizing a Prob lem Chapter 11 291 Characterizing a Problem Y ou need to consider many questions while trying to characterize a problem.
T roubleshooting Characterizing a Prob lem Chapter 11 292 • Data corruption. • Logging messages at the syslog. Knowing what has recently changed on your network can also help you understand whether the problem is software-related or hardware-related.
T roubleshooting Diagnostic T ools Summary Chapter 11 293 Diagnostic T ools Summary T able 11-1 describes the most frequently used diagnostic tools , which are documented in the link installation manuals.
T roubleshooting T roub leshooting Kerberos Chapter 11 294 T roubleshooting Kerberos When troubleshooting problems with Kerberos, you need a reference point from which to work.
T roubleshooting T roub leshooting Kerberos Chapter 11 295 UNIX Syslog File The security server daemons, kadmind , kpropd , and kdcd , write error messages to the system log ( /var/adm/syslog/syslog.log ) file. Y ou can also configure the daemons to log the messages in a different file.
T roubleshooting T roub leshooting Kerberos Chapter 11 296 Services Checklist While troubleshooting ensure, that you ha ve answered all the questions in the troubleshooting checklist in the section “Characterizing a Problem” on page 291.
T roubleshooting T roub leshooting Kerberos Chapter 11 297 Clock skew too great in KDC reply while getting initial credentials . This problem generally occurs because the clock of the system deviates too much from the time on the authenticating KDC . A clock skew time of up to 5 minutes is allowed.
T roubleshooting T roub leshooting Kerberos Chapter 11 298 Required parameters in krb.realms missing while initializing the Kerberos context. This problem occurs when the parameters are missing or incorrect in the krb.realms file. Ensure that the krb.
T roubleshooting T roub leshooting Kerberos Chapter 11 299 Cannot find/read stored master key while getting master key . This problem occurs when the stash file is not found. Provide the master key as a command-line option. Y ou can also create the stash file.
T roubleshooting T roub leshooting Kerberos Chapter 11 300 Connection to the LDAP server was lost. Connection to the LDAP server was lost. V erify that the Directory server is accessible, else restart the Directory server . Y ou can also restart the Kerberos server , if needed.
T roubleshooting T roub leshooting Kerberos Chapter 11 301 LDAP authentication failed The Kerberos server was unable to connect to the Directory server with the information provided in the /opt/krb5/krb5_ld ap.conf configuration file. V erify that the values of the proxy_user and proxy_user_password are correct.
T roubleshooting T roub leshooting Kerberos Chapter 11 302 LDAP database is read-only An attempt to modify the Kerberos entry failed as the Directory server entry is read-only .
T roubleshooting General Error s Chapter 11 303 General Errors F ollowing are the general errors that you may encounter while setting up your Kerberos server: • Ensure that the Domain Name Server (DNS) is working properly . Several aspects of Kerberos rely on this name service.
T roubleshooting General Error s Chapter 11 304 Locking and Unlocking Accounts If a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal is not issued a ticket.
T roubleshooting User Error Messa g es Chapter 11 305 User Error Messages Users may see error messages while using the Kerberos server . The following sections describe user error messages, explain their causes , and suggest corrective actions.
T roubleshooting Administrative Error Messa g es Chapter 11 306 Administrative Error Messages F ollowing are some messages that administrative principals may see when using their accounts .
T roubleshooting Administrative Error Messages Chapter 11 307 key during authentication. If the principal does not have a 3DES key , the tools attempt to negotiate a supported key type. If the tools cannot negotiate a supported key type, the error message Service key not available while getting initial ticket is returned.
T roubleshooting Reporting Problems to Y our HP Suppor t Contact Chapter 11 308 Reporting Problems to Y our HP Support Contact If you do not have a service contract with HP , you may follow the procedure described below but you will be billed accordingly for time and materials .
T roubleshooting Reporting Problems to Y our HP Suppor t Contact Chapter 11 309 • Prepare a listing of the HP-UX I/O configuration you are using for your HP support contact to further analyze. • Try to determine the general area within the software where you think the problem exists.
T roubleshooting Reporting Problems to Y our HP Suppor t Contact Chapter 11 310.
Appendix A 311 A Configuration W orksheet The following worksheet helps you configure your Kerberos server with LDAP as the backend database..
Configuration W or ksheet Appendix A 312 F ollowing is an explanation and sample table. T able A-1 Configuration W orksheet Configuration W orksheet for LDAP database Directory administrator DN Dir.
Configuration W or ksheet Appendix A 313 Base DN for search The default base DN for search is the root of the directory tree on the Directory server , where the Kerberos server searches for kerberos principals.
Configuration W or ksheet Appendix A 314.
Appendix B 315 B Sample krb.conf F ile The sample krb.conf file named krb.conf.sample is available in the /opt/krb5/examples directory . Copy this sample file to /opt/krb5/krb.conf file and modify it to reflect the host names and realm name for your realm.
Sample krb .conf File Appendix B 316 NO TE If you have configured your Kerberos server with C-Tree as the backend then the realm names are case sensitive. If you ha ve configured your Kerberos server with LDAP as the backend then the realm names are not case sensitive.
Sample krb .conf File The services File Appendix B 317 The services F ile The services file contains entries that allow client applications to establish socket connections to the KDC or to the applications servers .
Sample krb .conf File The services File Appendix B 318.
Appendix C 319 C Sample krb.realms F ile The sample krb.realms file named krb.realms.sample is available in the /opt/krb5/examples directory . Y ou can copy this sample file to the /opt/krb5 directory , and modify it to reflect your realm name.
Sample krb .realms File Appendix C 320 NO TE The realm names are case sensitive. Replace the underlined Your_Realm_Name , Your_Primary_Security_Server , Your_Secondary_Server_Server , and Your_Domain_Name with the name of your Kerberos REALM and host names of the primary security server and secondary security servers.
Glossary 321 Glossary A-B admin_acl_file (administrator access control list) T ext file that lists the administrators and their respective permissions. HP Kerberos Administrator The graphical user interface that is used to administer the principal database of the Kerberos server .
Glossar y kpropd.ini Glossary 322 kpropd.ini Propagation configuration file mkpropcf creates using information in the local krb.conf file. krb.conf File that contains configuration information that describes the default realm of the host, the administration server , and security servers for known realms.
Glossar y v5srvtab Glossary 323 Ticket-granting ticket See TGT . V v5srvtab Binary file that contains service principal names and their corresponding secret keys .
Glossar y Ticket-granting tic ket Glossary 324.
325 Index Symbols # , 68 /etc/rc.config .d/krbsrv , 102 /opt/krb5/sbin , 69 /sbin/init.d/krbsrv start , 102 /var/adm/krb5/krb5kdc , 315 A access control list See ACL ACL , 112 adding a realm , 273 AD.
Index 326 initial ticket , 26 intermediate realm , 285 intermittent error , 291 Internet Engineering T ask F orce See IETF interrealm authentication , 275 issuing a ticket , 322 K /krb5/admin_acl_fil.
Index 327 R remote administrator , 111 remote request , 112 reporting level , 295 LOG_ERR , 295 LOG_NOTICE , 295 LOG_W ARNING , 295 RFC 1510 , 22 , 25 , 54 RFC 1964 , 22 , 54 RFC 2743 , 22 RFC 2744 , 22 S sample kdc.conf , 319 sample krb.conf , 315 Sample krb.
Ein wichtiger Punkt beim Kauf des Geräts HP (Hewlett-Packard) E0905 (oder sogar vor seinem Kauf) ist das durchlesen seiner Bedienungsanleitung. Dies sollten wir wegen ein paar einfacher Gründe machen:
Wenn Sie HP (Hewlett-Packard) E0905 noch nicht gekauft haben, ist jetzt ein guter Moment, um sich mit den grundliegenden Daten des Produkts bekannt zu machen. Schauen Sie zuerst die ersten Seiten der Anleitung durch, die Sie oben finden. Dort finden Sie die wichtigsten technischen Daten für HP (Hewlett-Packard) E0905 - auf diese Weise prüfen Sie, ob das Gerät Ihren Wünschen entspricht. Wenn Sie tiefer in die Benutzeranleitung von HP (Hewlett-Packard) E0905 reinschauen, lernen Sie alle zugänglichen Produktfunktionen kennen, sowie erhalten Informationen über die Nutzung. Die Informationen, die Sie über HP (Hewlett-Packard) E0905 erhalten, werden Ihnen bestimmt bei der Kaufentscheidung helfen.
Wenn Sie aber schon HP (Hewlett-Packard) E0905 besitzen, und noch keine Gelegenheit dazu hatten, die Bedienungsanleitung zu lesen, sollten Sie es aufgrund der oben beschriebenen Gründe machen. Sie erfahren dann, ob Sie die zugänglichen Funktionen richtig genutzt haben, aber auch, ob Sie keine Fehler begangen haben, die den Nutzungszeitraum von HP (Hewlett-Packard) E0905 verkürzen könnten.
Jedoch ist die eine der wichtigsten Rollen, die eine Bedienungsanleitung für den Nutzer spielt, die Hilfe bei der Lösung von Problemen mit HP (Hewlett-Packard) E0905. Sie finden dort fast immer Troubleshooting, also die am häufigsten auftauchenden Störungen und Mängel bei HP (Hewlett-Packard) E0905 gemeinsam mit Hinweisen bezüglich der Arten ihrer Lösung. Sogar wenn es Ihnen nicht gelingen sollte das Problem alleine zu bewältigen, die Anleitung zeigt Ihnen die weitere Vorgehensweise – den Kontakt zur Kundenberatung oder dem naheliegenden Service.