HP (Hewlett-Packard) E0905 Bedienungsanleitung

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

Zur Seite of

Richtige Gebrauchsanleitung

Die Vorschriften verpflichten den Verkäufer zur Übertragung der Gebrauchsanleitung HP (Hewlett-Packard) E0905 an den Erwerber, zusammen mit der Ware. Eine fehlende Anleitung oder falsche Informationen, die dem Verbraucher übertragen werden, bilden eine Grundlage für eine Reklamation aufgrund Unstimmigkeit des Geräts mit dem Vertrag. Rechtsmäßig lässt man das Anfügen einer Gebrauchsanleitung in anderer Form als Papierform zu, was letztens sehr oft genutzt wird, indem man eine grafische oder elektronische Anleitung von HP (Hewlett-Packard) E0905, sowie Anleitungsvideos für Nutzer beifügt. Die Bedingung ist, dass ihre Form leserlich und verständlich ist.

Was ist eine Gebrauchsanleitung?

Das Wort kommt vom lateinischen „instructio”, d.h. ordnen. Demnach kann man in der Anleitung HP (Hewlett-Packard) E0905 die Beschreibung der Etappen der Vorgehensweisen finden. Das Ziel der Anleitung ist die Belehrung, Vereinfachung des Starts, der Nutzung des Geräts oder auch der Ausführung bestimmter Tätigkeiten. Die Anleitung ist eine Sammlung von Informationen über ein Gegenstand/eine Dienstleistung, ein Hinweis.

Leider widmen nicht viele Nutzer ihre Zeit der Gebrauchsanleitung HP (Hewlett-Packard) E0905. Eine gute Gebrauchsanleitung erlaubt nicht nur eine Reihe zusätzlicher Funktionen des gekauften Geräts kennenzulernen, sondern hilft dabei viele Fehler zu vermeiden.

Was sollte also eine ideale Gebrauchsanleitung beinhalten?

Die Gebrauchsanleitung HP (Hewlett-Packard) E0905 sollte vor allem folgendes enthalten:
- Informationen über technische Daten des Geräts HP (Hewlett-Packard) E0905
- Den Namen des Produzenten und das Produktionsjahr des Geräts HP (Hewlett-Packard) E0905
- Grundsätze der Bedienung, Regulierung und Wartung des Geräts HP (Hewlett-Packard) E0905
- Sicherheitszeichen und Zertifikate, die die Übereinstimmung mit entsprechenden Normen bestätigen

Warum lesen wir keine Gebrauchsanleitungen?

Der Grund dafür ist die fehlende Zeit und die Sicherheit, was die bestimmten Funktionen der gekauften Geräte angeht. Leider ist das Anschließen und Starten von HP (Hewlett-Packard) E0905 zu wenig. Eine Anleitung beinhaltet eine Reihe von Hinweisen bezüglich bestimmter Funktionen, Sicherheitsgrundsätze, Wartungsarten (sogar das, welche Mittel man benutzen sollte), eventueller Fehler von HP (Hewlett-Packard) E0905 und Lösungsarten für Probleme, die während der Nutzung auftreten könnten. Immerhin kann man in der Gebrauchsanleitung die Kontaktnummer zum Service HP (Hewlett-Packard) finden, wenn die vorgeschlagenen Lösungen nicht wirksam sind. Aktuell erfreuen sich Anleitungen in Form von interessanten Animationen oder Videoanleitungen an Popularität, die den Nutzer besser ansprechen als eine Broschüre. Diese Art von Anleitung gibt garantiert, dass der Nutzer sich das ganze Video anschaut, ohne die spezifizierten und komplizierten technischen Beschreibungen von HP (Hewlett-Packard) E0905 zu überspringen, wie es bei der Papierform passiert.

Warum sollte man Gebrauchsanleitungen lesen?

In der Gebrauchsanleitung finden wir vor allem die Antwort über den Bau sowie die Möglichkeiten des Geräts HP (Hewlett-Packard) E0905, über die Nutzung bestimmter Accessoires und eine Reihe von Informationen, die erlauben, jegliche Funktionen und Bequemlichkeiten zu nutzen.

Nach dem gelungenen Kauf des Geräts, sollte man einige Zeit für das Kennenlernen jedes Teils der Anleitung von HP (Hewlett-Packard) E0905 widmen. Aktuell sind sie genau vorbereitet oder übersetzt, damit sie nicht nur verständlich für die Nutzer sind, aber auch ihre grundliegende Hilfs-Informations-Funktion erfüllen.

Inhaltsverzeichnis der Gebrauchsanleitungen

  • Seite 1

    Kerberos Server V ersion 3.1 Administrator’ s Guide HP-UX 11i v2 Edition 5 Manufacturing P art Number: T1417-90009 E0905 United States © Copyright 2005 Hewlett-P ackard Development Company , L.P.[...]

  • Seite 2

    2 Legal Notices The information contained herein is subject to change without notice. Hewlett-P ackard makes no warranty of any kind with regard to this manual, including , but not limited to , the implied warranties of merchantability and fitness f or a particular purpose. Hewlett-P ackard shall not be held liable for errors contained herein or d[...]

  • Seite 3

    3 This software is based in part on the F ourth Berkeley Software Distribution under license from the Regents of the University of California. © Copyright 1983-2005 Hewlett-P ackard Co., All Rights Reserved © Copyright 1979, 1980,1983, 1985-1993 The Regents of the Univ . of California © Copyright 1980, 1984, 1986 Novell, Inc. © Copyright 1986-1[...]

  • Seite 4

    4[...]

  • Seite 5

    5 Contents 1. Overview Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 How the Kerberos Server W orks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Seite 6

    Contents 6 Configuration Files for the Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 The krb.conf F ile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 The krb.conf F ile F ormat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Seite 7

    7 Contents Starting the Security Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Configuring the Secondary Security Servers with C-Tree . . . . . . . . . . . . . . . . . . . . . . 103 Creating the Principal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Seite 8

    Contents 8 General T ab (Principal Information Window) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Adding Principals to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Adding Multiple Principals with Similar Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Creati[...]

  • Seite 9

    9 Contents Adding a New Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Adding a Random Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Specifying a New P assword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Seite 10

    Contents 10 Maintenance T asks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 Protecting Security Server Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 host/fqdn@REALM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Seite 11

    11 Contents Propagation F ailure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Converting a secondary security server to a primary security server . . . . . . . . . . . 270 Restarting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Seite 12

    Contents 12 Locking and Unlocking Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 Clock Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 User Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .[...]

  • Seite 13

    13 T ables T able 1. HP-UX 11i Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 T able 2. Publishing History Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 T able 4-1. T able of Analogous T erms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [...]

  • Seite 14

    T ables 14 T able A-2. Configuration W orksheet Explanation . . . . . . . . . . . . . . . . . . . . . . . . . . 312[...]

  • Seite 15

    15 F igures Authentication Process 28 Integrating a Kerberos Principal in to the LDAP Directory 34 Principals Tab 137 Principal Information Window 139 Change Password Window 144 Administrative Permissions Window 147 Password Tab 160 Change Password Window 163 Attributes Tab 168 LDAP Attributes Tab 176 Extract Service Key Table Window 180 Group Info[...]

  • Seite 16

    F igures 16[...]

  • Seite 17

    17 About This Manual This manual describes how to install, configure, administer , and troubleshoot the Kerberos server on HP Integrity servers running the HP-UX 11i v2 operating system. Intended Audience HP intends this manual for system managers or administrators responsible for configuring and maintaining the Kerberos server running HP-UX 11i [...]

  • Seite 18

    18 • Chapter 4, “Interoperability with Windows 2000, ” on page 51 : Contains information specific to establishing interoperability with Windows 2000  Kerberos implementations . • Chapter 5, “Configuring the Kerberos Server With C-T ree Backend, ” on page 63 : Provides information on the configuration files required to configure [...]

  • Seite 19

    19 • Index Typographic Conventions The following conventions are used throughout this manual: T ext Conventions Syntax Conventions italic Identifies book titles. bold Identifies options , command buttons, and menu items . fixed width Identifies file names, system prompts , operating system commands , and UNIX error and system messages . itali[...]

  • Seite 20

    20 HP-UX Release Name and Release Identifier Each HP-UX 11i release has an associated release name and release identifier . The uname (1) command with the -r option returns the release identifier . T able 1 lists the releases available for HP-UX 11i. Publishing History T able 2 provides , for a particular document, the manufacturing part number [...]

  • Seite 21

    21 • KRB5 Client Software on HP-UX 11i v2, delivered as part of the core operating system. • GSS-API on HP-UX 11i v2, delivered as part of the core operating system. Related Documentation F or more information on the Kerberos server , see the following manuals: • Configuration Guide for Kerberos Client Products on HP-UX (T1417-90006) • P A[...]

  • Seite 22

    22 • RFC 1510 - The Kerberos Networ k Authentication Service (V5) • RFC 1964 - The Kerberos v5 GSS-API Mec hanism • RFC 2743 - Generic Security Service Application Program Interface • RFC 2744 - Generic Security Service API Y ou can access these RFCs at the following W eb site: http://www.ietf.org/rfc.html HP Encourages Y our Comments HP we[...]

  • Seite 23

    Chapter 1 23 1 Overview This chapter provides an introduction to the Kerberos server v3.1, available on the HP-UX 11i v2 operating system.[...]

  • Seite 24

    Overview Chapter 1 24 This chapter discusses the following topics: • “How the Kerberos Server W orks” on page 26 • “ Authentication Process” on page 27 • “DES V ersus 3DES Key Type Settings” on page 31 • “Introduction to LDAP” on page 32 — “Integrating Kerberos Server v3.1 with LDAP” on page 33[...]

  • Seite 25

    Overview Introduction Chapter 1 25 Introduction The term Kerberos was derived from the Greek mythology . Cerberus is the latin variant of Kerberos, who guarded the entrance of Hades , the Greek hell. The Kerberos security system, on the other hand, guards electronic transmissions that are sent across a network. Kerberos is a mature network authenti[...]

  • Seite 26

    Overview How the K erberos Server W orks Chapter 1 26 How the Kerberos Server W orks The basic currency of Kerberos is the ticket, which the user presents to use a specific service. Each service , be it a login service or an FTP service, requires a different kind of ticket. The applications on the Kerberos server keep track of all the various kind[...]

  • Seite 27

    Overview A uthentication Process Chapter 1 27 Authentication Process The Kerberos server grants tickets to your user principal to access secured network services. Y ou must log on to the server by providing your user name and password. When the server authenticates you, it returns a set of initial credentials for you, including a TGT and a session [...]

  • Seite 28

    Overview A uthentication Process Chapter 1 28 Figure 1-1 illustrates the actions of the components and the Kerberos protocol in a secured environment. Figure 1-1 Authentication Process The following is a description of how a client and server authenticate each other using Kerberos: Step 1. Y ou can begin to use a Kerberos-secured application by ent[...]

  • Seite 29

    Overview A uthentication Process Chapter 1 29 • Client-indicates the user name, also referred to as the principal name • Server -indicates the Application Server • Time stamp • Nonce Step 2. If the AS decrypts the message successfully , it authenticates the requesting user and issues a TGT . The TGT contains the user name, a session key for[...]

  • Seite 30

    Overview A uthentication Process Chapter 1 30 also verifies that the user’ s service ticket has not expired. If the user does not have a valid service ticket, then the server will return an appropriate error code to the client. Step 7. (Optional) At the client’s request, the application server can also return the timestamp sent by the client, [...]

  • Seite 31

    Overview DES V ersus 3DES Ke y T ype Settings Chapter 1 31 DES V ersus 3DES Key Type Settings In the processes outlined in the section “ Authentication Process” on page 27, if the user principal and the service principal do not use the same key type, the process continues as described. The Kerberos server acts as the only trusted party , and th[...]

  • Seite 32

    Overview Introduction to LD AP Chapter 1 32 Introduction to LDAP The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services. LDAP defines a message protocol used by directory clients and directory servers . It is a fast-growing technology for accessing common directory information. LDAP has been emb[...]

  • Seite 33

    Overview Introduction to LD AP Chapter 1 33 Integrating Kerberos Server v3.1 with LDAP Y ou can configure K erberos server v3.1 with LDAP as the backend database. By integrating the Kerberos principals with the corresponding users in the LDAP directory , you store data for mechanisms, such as UNIX and Kerberos in a common repository . Also, you ca[...]

  • Seite 34

    Overview Introduction to LD AP Chapter 1 34 How is the Kerberos Principal Integrated in to the LDAP Directory? A directory contains a collection of objects organized in a tree structure. Y ou can arrange entries within the DIT based on their Distinguished Names (DNs). A DN is composed of a sequence of RDNs separated by commas, suc h as cn=alex,ou=R[...]

  • Seite 35

    Chapter 2 35 2 Installing the Kerberos Server v3.1 This chapter describes how to install the Kerberos server v3.1 on the HP-UX 11i v2 operating system.[...]

  • Seite 36

    Installing the K erberos Ser ver v3.1 Chapter 2 36 This chapter contains the following sections: • “Prerequisites” on page 37 • “System Requirements” on page 38 • “Installing the Server” on page 39[...]

  • Seite 37

    Installing the K erberos Ser ver v3.1 Prerequisites Chapter 2 37 Prerequisites Before you install the server , ensure that: • Y ou have installed the HP-UX 11i v2 operating system on your system. T o check the version of the HP-UX operating system, run the uname -r command at the HP-UX prompt. • The Kerberos server is installed on a system that[...]

  • Seite 38

    Installing the K erberos Ser ver v3.1 System Requirements Chapter 2 38 System Requirements This section describes the hardware and softw are requirements for the Kerberos server software for HP-UX server systems . Hardware Requirements The hardware requirement for installing the Kerberos server is 12 MB of free disk space. Y ou can install the K er[...]

  • Seite 39

    Installing the K erberos Ser ver v3.1 Installing the Server Chapter 2 39 Installing the Server T o install the Kerberos server , complete the following steps: Step 1. Insert the software media (tape or disk) in the appropriate drive. Step 2. Type the swinstall command at the HP-UX prompt. F or more information on the swinstall command, type man 1M [...]

  • Seite 40

    Installing the K erberos Ser ver v3.1 Installing the Server Chapter 2 40[...]

  • Seite 41

    Chapter 3 41 3 Migrating to a Newer V ersion of the Kerberos Server This chapter describes how to migrate from the Kerberos server v1.0 to v3.0, from the Kerberos server v2.0 to v3.0, and from the Kerberos server[...]

  • Seite 42

    Migrating to a Ne wer V ersion of the K erberos Ser ver Chapter 3 42 v3.0 to v3.1. The Kerberos database formats of v2.0 and v3.0 are compatible with each other , but the database formats of Kerberos server v1.0 and v3.0 are not compatible with each other . Therefore, migrate the database format from v1.0 to v3.0. The Kerberos server v1.0 database [...]

  • Seite 43

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 43 Migrating from Kerberos Server V ersion 1.0 to 3.0 If you want to use the Kerberos server with C-tree as the backend database, migrate your existing Kerberos server to Kerberos server v3.0. In the Kerberos server v1.0, you can cr[...]

  • Seite 44

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 44 # kdb5_util dump /opt/krb5/dumpfilev1.0 Step 2. Copy the dump file to the new system where you are installing the Kerberos server v3.0. Step 3. Install the v3.0 Kerberos daemons on the new system. Step 4. Migrate the v1.0 dump ?[...]

  • Seite 45

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 45 Y ou can configure K erberos server manually or by using the krbsetup tool. Ensure that the following values are the same in both versions of the Kerberos server: • Realm name • Master key name The master key password must b[...]

  • Seite 46

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 1.0 to 3.0 Chapter 3 46 The policy applicable to the principal that is migrated from v1.0 to v3.0 is based on the instance name of the principals. T o modify the policy , edit the principal to change the policy name field to the new policy . • Y ou c[...]

  • Seite 47

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 2.0 to V ersion 3.0 Chapter 3 47 Migrating from Kerberos Server V ersion 2.0 to V ersion 3.0 If you want to use the Kerberos server with C-tree as the backend database, migrate your existing Kerberos server to Kerberos server v3.0. In the Kerberos serve[...]

  • Seite 48

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 2.0 to V ersion 3.0 Chapter 3 48 # kdb_dump -f /opt/krb5/dumpfilev2.0 Step 2. Copy the dump file to the system on which you are installing the v3.0 Kerberos server Step 3. Install the v3.0 Kerberos daemons on the new system. Step 4. Configure the Kerb[...]

  • Seite 49

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 3.0 to V ersion 3.1 Chapter 3 49 Migrating from Kerberos Server V ersion 3.0 to V ersion 3.1 If you want to use the Kerberos server with LDAP as the backend database, migrate your existing Kerberos server to Kerberos server v3.0. Use the krb_2_ldap util[...]

  • Seite 50

    Migrating to a Ne wer V ersion of the K erberos Ser ver Migrating from K erberos Server V ersion 3.0 to V ersion 3.1 Chapter 3 50[...]

  • Seite 51

    Chapter 4 51 4 Interoperability with W indows 2000 When you configure interoperability between the Kerberos server and the Windows 2000 operating system, you must set certain configuration[...]

  • Seite 52

    Interoperability with Windows 2000 Chapter 4 52 parameters. This c hapter discusses what you need to know about configuring such an environment. This chapter contains information specific to establishing interoperability with Windows 2000 Kerberos implementations. Before reading this c hapter , ensure that you are familiar with the concepts in Ch[...]

  • Seite 53

    Interoperability with Windows 2000 Understanding the T erminology Chapter 4 53 Understanding the T erminology Both the Kerberos server and Microsoft  provide Kerberos security for your network. While the technology is the same, the terminology varies . Kerberos authentication depends upon establishing trust between users and services through a t[...]

  • Seite 54

    Interoperability with Windows 2000 Understanding the T erminology Chapter 4 54 systems and the Microsoft implementation uses a DNS lookup to resolve host names. But both implementations are written to RFC 1510 ( Th e Kerberos Network A uthentication Service (V5) ) and RFC 1964 ( Th e Kerberos V ersion 5 GSS-API Mechanism ), and hence they can inter[...]

  • Seite 55

    Interoperability with Windows 2000 Kerber os Ser ver and Windows 2000 Inter operability Chapter 4 55 Kerberos Server and W indows 2000 Interoperability F ollowing are the possible interrealm interoperability scenarios between the Kerberos server software and W indows 2000, each with its own configuration requirements. Scenario 1 A Windows 2000 use[...]

  • Seite 56

    Interoperability with Windows 2000 Establishing T rust Between Kerber os Server and Windows 2000 Chapter 4 56 Establishing T rust Between Kerberos Server and W indows 2000 T o establish trust between Kerberos server KRB.REALM and Windows 2000 W2K.DOMAIN , complete the following steps: Step 1. Add interrealm service principals to the K erberos serve[...]

  • Seite 57

    Interoperability with Windows 2000 Establishing T rust Between Kerber os Server and Windows 2000 Chapter 4 57 NO TE The fqdn qualifier specifies the fully qualified domain name of the Kerberos KDC . Step 4. Reboot the Windows 2000 domain controller . Y ou need not reboot the Kerberos server or client.[...]

  • Seite 58

    Interoperability with Windows 2000 Single Realm (Domain) A uthentication Chapter 4 58 Single Realm (Domain) Authentication Single realm interoperability scenarios involve one or more client systems in a given realm or domain that authenticate to a single KDC . F ollowing are the interoperability scenarios that do not require interrealm authenticati[...]

  • Seite 59

    Interoperability with Windows 2000 Interrealm (Interdomain) A uthentication Chapter 4 59 Interrealm (Interdomain) Authentication If two distinct realms share common keys, the realms trust one another . With that trust in place , principals can securely access services in their native realm as well as those in the trusted realm. HP calls such an acc[...]

  • Seite 60

    Interoperability with Windows 2000 Special Considerations for Inter operability Chapter 4 60 Special Considerations for Interoperability Y ou must consider the following issues related to interoperability with Windows 2000 implementations . Database Considerations Y our network can contain more than one server , but only one master copy of the data[...]

  • Seite 61

    Interoperability with Windows 2000 Special Considerations for Inter operability Chapter 4 61[...]

  • Seite 62

    Interoperability with Windows 2000 Special Considerations for Inter operability Chapter 4 62[...]

  • Seite 63

    Chapter 5 63 5 Configuring the Kerberos Server W ith C-Tree Backend This chapter describes the configuration files and procedures used to configure the Kerberos Server with C-tree backend.[...]

  • Seite 64

    Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 64 Configuration F iles for the Kerberos Server Y ou must install all the critical K erberos server files on the system before you start configuring the Kerberos Server . Y ou must configure these files on the primary security server a[...]

  • Seite 65

    Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 65 The krb.conf File The krb.conf configuration file contains information about the default realm of the host, the administration server , and security servers for known realms . HP recommends that you copy the krb.conf.sample file from [...]

  • Seite 66

    Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 66 NO TE Realm names are case sensitive; you must type the realm name correctly if your site does not follow the uppercase convention. The subsequent lines require fields that identify the security server host names . Each field in the li[...]

  • Seite 67

    Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 67 The krb.realms file must contain sufficient entries to define the realm used by every service a client computer must access . Y ou can create a krb.realms file that contains all the required entries for your enterprise. If you suppor[...]

  • Seite 68

    Configuring the Kerberos Server With C-T ree Backend Configuration Files for the K erberos Server Chapter 5 68 T o create comments , use the hash sign (#) . Any characters after a # sign are ignored. Blank lines and any leading or trailing white spaces in a line are also ignored. T o identify multiple hosts that belong to the same realm in a sing[...]

  • Seite 69

    Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 69 Autoconfiguring the Kerberos Server An automated tool named krbsetup is provided to autoconfigure your Kerberos server . Use this tool to: • Configure the Kerberos Server with either LDAP or C-Tree as the backend database . • Unconfigure[...]

  • Seite 70

    Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 70 • Specify the encryption type. • Specify a different location for the log messages if you do not want to store the log messages in the default syslog file. • Specify the security mechanism for your LDAP-based Kerberos server . • Specify[...]

  • Seite 71

    Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 71 • T o configure your Kerberos Server with C-Tree, select option 1 . See “Configuring the Kerberos Server with C-Tree” on page 71 to continue configuring your Kerberos Server with C-Tree. • T o configure your Kerberos Server with LDAP[...]

  • Seite 72

    Configuring the Kerberos Server With C-T ree Backend A utoconfiguring the Kerberos Server Chapter 5 72 Step 5. T o remove the existing Kerberos server configuration, press y and press n to retain the existing database. Step 6. Configure your Kerberos server as either a primary security server or a secondary security server: 1. T o configure yo[...]

  • Seite 73

    Chapter 6 73 6 Configuring the Kerberos Server with LDAP This chapter describes the configuration files and procedures used to configure the Kerberos Server with LDAP backend.[...]

  • Seite 74

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 74 Configuration F iles for LDAP Integration Y ou must configure the LDAP configuration files listed in T able 6-1, before setting up your Kerberos server . This chapter contains detailed descriptions of these configuration files. The krbsetup aut[...]

  • Seite 75

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 75 This file is generated automatically based on the input provided by you while autoconfiguring the Kerberos server . Alternatively , a sample file is available in the /opt/krb5/examples directory . Y ou can copy this file to the /opt/krb5 director[...]

  • Seite 76

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 76 directory_server This line indicates a space separated list of LDAP Servers. Example: fox.bambi.com:389 deer.bambi.com base_dn_for_search This line indicates the default base DN for search is the root of the directory tree on the Directory server , w[...]

  • Seite 77

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 77 The krb5_schema.conf File A schema is a collection of object and attribute definitions that defines the structure of the entries in a database. The krb5_schema.conf file is the kerberos schema file that contains the object and attribute definiti[...]

  • Seite 78

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 78 • Type of object classes • Attributes of the object classes • Optional attributes • Syntax of each attribute F or example, a sc hema can define a person object class. The person schema might require that a person have a surname attribute tha[...]

  • Seite 79

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 79 ticket’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( hpKrbAccountExpires-oid NAME ’hpKrbAccountExpires’ DESC ’Value used to compute date and time when account will expire’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE[...]

  • Seite 80

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 80 attributetypes: ( hpKrbModifyTimestamp-oid NAME ’hpKrbModifyTimestamp’ DESC ’The date and time when the identity specified in the hpKrbModifiersName attribute made the last modification’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) att[...]

  • Seite 81

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 81 objectClasses: ( hpKrbKey-oid NAME ’hpKrbKey’ DESC ’An structural object class used for configuring the principal name of an associated principal entry.’ SUP top STRUCTURAL MUST ( hpKrbPrincipalName ) MAY ( hpKrbKeyVersion $ hpKrbKeyData ) ) [...]

  • Seite 82

    Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 82 hpKrbAuthzData = hpKrbAuthzData hpKrbKeyVersion = hpKrbKeyVersion hpKrbKeyData = hpKrbKeyData[...]

  • Seite 83

    Configuring the Kerberos Server with LD AP Planning Y our LDAP Configuration Chapter 6 83 Planning Y our LDAP Configuration The following sections of this chapter describe how to plan and configure your Kerberos Server to work with the Directory server . Before Y ou Begin Remember the following points when you plan your LDAP setup: • Use the [...]

  • Seite 84

    Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 84 Setting up Y our LDAP Configuration Plan how to set up and verify your LDAP directory and your Kerberos server environment, before you put them into production. Consider the following questions and record your decisions and other information that you will[...]

  • Seite 85

    Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 85 you can access the information in the directory . Hence, you need to choose an authentication method. Currently , the supported mechanisms are P assword and SSL. The SSL protocol was devised to provide both authentication and data security . SSL encapsulat[...]

  • Seite 86

    Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 86 • What is the name of your default principal subtree DN ? Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry . The search base node subtree designates all the containers for the various information[...]

  • Seite 87

    Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 87 This line specifies the mandatory attributes of the default object class .The object class attribute determines the attributes the entry must have and can have . When the Kerberos server creates a default object it uses the first attribute specified in [...]

  • Seite 88

    Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 88 Autoconfiguring the Kerberos Server W ith LDAP Integration An automated tool named krbsetup is provided to autoconfigure your Kerberos server . F or more information on the krbsetup tool, see “ Autoconfiguring the Kerberos Serv[...]

  • Seite 89

    Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 89 Step 7. Enter the host name of the directory server . The default value is displayed. T o use the default, press Return ; otherwise, enter your fully qualified host name or the IP address. Step 8. Enter the port number of the direc[...]

  • Seite 90

    Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 90 2. hpKrbKey T o remap the attributes of the object class hpKrbPrincipal , select option 1 . T o remap the attributes of the object class hpKrbKey , select option 2 . NO TE HP recommends that you use the default attributes of the hpK[...]

  • Seite 91

    Configuring the Kerberos Server with LD AP A utoconfiguring the Kerberos Server With LD AP Integration Chapter 6 91 Step 20. Enter the realm name. The default value is displayed. T o use the default, press Return ; otherwise, enter your realm name . Step 21. Enter the location where you want to store log messages . By default, log messages are st[...]

  • Seite 92

    Configuring the Kerberos Server with LD AP Manually Configuring the K erberos Server with LD AP Chapter 6 92 Manually Configuring the Kerberos Server with LDAP This section describes how to manually configure your Kerberos server with LDAP . HP recommends that you use the autoconfiguration tool to set up your basic Kerberos security server wit[...]

  • Seite 93

    Configuring the Kerberos Server with LD AP Manually Configuring the K erberos Server with LD AP Chapter 6 93 • Never delete any element of your Kerberos schema as this affects the compatibility of your schema to other LDAP services (servers and clients). • Never change the Kerberos schema of your directory by modifying the existing elements a[...]

  • Seite 94

    Configuring the Kerberos Server with LD AP Manually Configuring the K erberos Server with LD AP Chapter 6 94[...]

  • Seite 95

    Chapter 7 95 7 Configuring the Primary and Secondary Security Server This chapter describes the procedure to configure the primary and secondary security server .[...]

  • Seite 96

    Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Primary Security Server Chapter 7 96 Configuring the Primary Security Server The following sections describe the initial configuration tasks you need to perform to get your primary and secondary security server up and running . The primary security server requires the fo[...]

  • Seite 97

    Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Primary Security Server Chapter 7 97 If you are using Kerberos server v2.0 or v3.0, and want to migrate the principal database to Kerberos server v3.1, see Chapter 3, “Migrating to a Newer V ersion of the Kerberos Server , ” on page 41. Add an Administrative Principal [...]

  • Seite 98

    Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Primary Security Server Chapter 7 98 Step 4. Use the Edit>Edit Administrative P ermissions menu to assign ALL administrative permissions to the principal. Step 5. On the Attributes tab, clear the Require P assword Change checkbox to disable the password change requireme[...]

  • Seite 99

    Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Primary Security Server Chapter 7 99 The host/<fqdn> principal is not automatically added to the principal database during security server software installation; you must manually add the host/<fqdn> principal using the kadminl_ui or kadminl command. NO TE Y ou[...]

  • Seite 100

    Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Primary Security Server Chapter 7 100 Alternatively , you can use the following command to start the K erberos daemons kdcd and kadmind : /sbin/init.d/krbsrv start T o start the kpropd daemon, use the following command: /opt/krb5/sbin/krpopd NO TE Propagation is disabled i[...]

  • Seite 101

    Configuring the Pr imar y and Secondary Secur ity Ser v er Security P olicies Chapter 7 101 Security P olicies The following files are directly related to the security of the network in your organization: • password policy • admin_acl_file P assword P olicy File The password policy file controls password rules, suc h as password length, numb[...]

  • Seite 102

    Configuring the Pr imary and Secondar y Secur ity Ser v er Starting the Security Ser ver Chapter 7 102 Starting the Security Server After creating the Kerberos database and setting up the administrative principals , you can start the Kerberos daemons on the primary security server . T o do this, edit the /etc/rc.config.d/krbsrv file to reflect t[...]

  • Seite 103

    Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Secondary Security Servers with C-T ree Chapter 7 103 Configuring the Secondary Security Servers with C-T ree Y ou can now configure the secondary security servers. Assuming that you are setting up the primary security server so that you can easily switch the primary sec[...]

  • Seite 104

    Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Secondary Security Servers with C-T ree Chapter 7 104 Creating a host/<fqdn> Principal and Extracting the Key T o allow principal database propagation, each secondary security server must contain a host/<fqdn> principal. Y ou must also extract the key for the h[...]

  • Seite 105

    Configuring the Pr imar y and Secondary Secur ity Ser v er Configuring the Secondary Security Servers with LD AP Chapter 7 105 Configuring the Secondary Security Servers with LDAP Y ou can now configure the secondary security servers. Assuming that you are setting up the primary security server so that you can easily switch the primary security[...]

  • Seite 106

    Configuring the Pr imary and Secondar y Secur ity Ser v er Configuring the Secondary Security Servers with LD AP Chapter 7 106 key type and master password that was specified when the database w as created.If you run the kdb_create utility with the -s option, a stash file is created automatically . NO TE The kdb_stash utility requires super use[...]

  • Seite 107

    Configuring the Pr imar y and Secondary Secur ity Ser v er Using Indexes to Impr ove Database P erformance Chapter 7 107 Using Indexes to Improve Database P erformance Most LDAP servers use indexes to improve search performance . Indexes are files stored in your directory databases. Separate index files are maintained for each database in your d[...]

  • Seite 108

    Configuring the Pr imary and Secondar y Secur ity Ser v er Using Indexes to Impr ove Database P erformance Chapter 7 108[...]

  • Seite 109

    Chapter 8 109 8 Administering the Kerberos Server This chapter explains how to administer and maintain the Kerberos database and how to manage principals using the HP Kerberos[...]

  • Seite 110

    Administering the Kerberos Server Chapter 8 110 Administrator , a graphical user interface, or the command-line administrator . This chapter discusses the following topics: • “ Administering the Kerberos Database” on page 111 • “The kadmind Command” on page 112 • “The admin_acl_file File” on page 113 • “P assword Policy F ile[...]

  • Seite 111

    Administering the Kerberos Server Administering the Kerber os Database Chapter 8 111 Administering the Kerberos Database After you have installed and configured the Kerberos server v3, the Kerberos database contains the default Kerberos principals, their keys , and other administrative information about each of these principals for your realm. F o[...]

  • Seite 112

    Administering the Kerberos Server The kadmind Command Chapter 8 112 The kadmind Command The kadmind command starts the administrative server . This administrative server runs on the Kerberos server that stores the Kerberos principal database. The kadmind command accepts password change requests and remote requests to administer the information in t[...]

  • Seite 113

    Administering the Kerberos Server The admin_acl_file File Chapter 8 113 The admin_acl_file F ile The /opt/krb5/admin_acl_file file located only on the primary security server , lists authorized principals with their respective administrative permissions. It also lists principals that you cannot modify without explicit privileges. NO TE Protect a[...]

  • Seite 114

    Administering the Kerberos Server The admin_acl_file File Chapter 8 114 Assigning Administrative P ermissions Administrative principals may have varying levels of trust assigned to them, depending on the policies of your organization. T able 8-2 lists the possible administrative permission settings and the letter designator used in admin_acl_file [...]

  • Seite 115

    Administering the Kerberos Server The admin_acl_file File Chapter 8 115 P ermissions designated with a lowercase letter apply only to those realms to which the administrative principal belongs . Permissions designated with an uppercase letter apply to all realms. [ permissions ] is an optional string containing one or more options listed in T able[...]

  • Seite 116

    Administering the Kerberos Server The admin_acl_file File Chapter 8 116 T o grant the principal rabbit@FINANCE.BAMBI.COM the permission to add, list, and inquire about any principal in the database, add the following entry to admin_acl_file : rabbit@FINANCE.BAMBI.COM ali Adding Entries to admin_acl_file Y ou can add any principal name to admin_ac[...]

  • Seite 117

    Administering the Kerberos Server The admin_acl_file File Chapter 8 117 Creating Administrative Accounts Y ou can set administrative permissions in admin_acl_file using one of the following methods: • Using the HP Kerberos Administrator to set administrative permissions . When you change the administrative permissions of the principal, admin_acl[...]

  • Seite 118

    Administering the Kerberos Server The admin_acl_file File Chapter 8 118 NO TE IRDid is equivalent to the IRD permissions because the uppercase permissions (excluding the r and R modifiers) apply to all realms. In either case, administrative principals can delete any principal from their own realm, but they have restricted delete privileges in rea[...]

  • Seite 119

    Administering the Kerberos Server P asswor d Policy File Chapter 8 119 P assword P olicy File The password policy file controls password rules, suc h as password length, number of character types , and the lifetime of a password. The password.policy file located on each of the primary and secondary security servers in the /opt/krb5 directory . Ed[...]

  • Seite 120

    Administering the Kerberos Server P asswor d Polic y File Chapter 8 120 If you modify the MaxfailAuthCnt parameter , you must copy the password policy file to the secondary security server and restart kdcd on both the secondary and primary secondary security servers. NO TE MaxFailAuthCnt is the only parameter that the secondary security servers re[...]

  • Seite 121

    Administering the Kerberos Server Principals Chapter 8 121 Principals A principal is a specific entity to which you can assign a set of credentials . Principals are users and network services that are included in your security network. The general syntax for a principal is as follows: identifier/instance@REALM where: identifier Specifies the name[...]

  • Seite 122

    Administering the Kerberos Server Principals Chapter 8 122 • Is case sensitive. • Cannot be longer than 767 characters . • Must be uniquely defined in the first 255 characters . • Cannot contain a space, tab , pound symbol ( # ), bac kward slash ( )o r colon ( : ). • Does not subscribe to a NULL policy . If you subscribe to a policy t[...]

  • Seite 123

    Administering the Kerberos Server Principals Chapter 8 123 Adding User Principals The Kerberos server enables you to add user principals to the principal database. The only limit on the number of principals in the database is the disk space available on the primary security server and on each of the secondary security servers. When adding a user pr[...]

  • Seite 124

    Administering the Kerberos Server Principals Chapter 8 124 The instance portion of the service principal name must be the fully qualified domain name (FQDN) of the host on which the service resides. Although the FQDN in your network can use mixed-case characters , the instance portion of the principal name must be in lowercase. F or example, if th[...]

  • Seite 125

    Administering the Kerberos Server Principals Chapter 8 125 the database secret key . All records in the principal database are encrypted using this key . The key for this principal is stored on each Kerberos server in the .k5.realm file. IMPORT ANT Do not remove, modify , or change the key type for this principal. Do not generate a new key for thi[...]

  • Seite 126

    Administering the Kerberos Server Principals Chapter 8 126 kadmin/REALM@REALM: The Kerberos administrative graphical user interface and command-line interface utilities use the kadmin/REALM@REALM principal name. This principal is required in each realm. It automatically adds the principal name when you add a realm to the database. This principal us[...]

  • Seite 127

    Administering the Kerberos Server Principals Chapter 8 127 Y ou must enter the fqdn in lowercase letters, and the fqdn instance must be the fully qualified domain name of the host system for the server or service. These principals are not automatically added to the principal database when you install the Kerberos servers or application services. R[...]

  • Seite 128

    Administering the Kerberos Server Principals Chapter 8 128 Protecting a Secret Key A user principal must provide its password during authentication to create the secret key of the user principal. F or best security , all users must periodically change their passwords . This version of Kerberos contains the following methods to enforce user principa[...]

  • Seite 129

    Administering the Kerberos Server Principals Chapter 8 129 Deleting a service principal using one of the Kerberos administrative utilities removes the principal name, attributes , and properties from the database. F or a service principal, you need to perform an additional step of removing its secret key , which is stored in the service key table ?[...]

  • Seite 130

    Administering the Kerberos Server The kadmin and kadminl Utilities Chapter 8 130 The kadmin and kadminl Utilities The kadmin and kadminl Kerberos command-line administrative utilities provide a unified administration interface for the Kerberos database. Kerberos administrators use these utilities to create new users and services for the primary da[...]

  • Seite 131

    Administering the Kerberos Server The kadmin and kadminl Utilities Chapter 8 131 Administration Utilities T able 8-4 describes the administrative utilities that you can use to administer the Kerberos database. NO TE Y ou cannot use the command-line administrator to control administrative permissions, maximum tic ket lifetimes and renew times or the[...]

  • Seite 132

    Administering the Kerberos Server HP Kerber os Administrator Chapter 8 132 HP Kerberos Administrator HP Kerberos Administrator is a graphical user interface that you can use to administer the principal database. Y ou can use the HP K erberos Administrator to perform the following functions: • Creating , modifying , and deleting principals. • Al[...]

  • Seite 133

    Administering the Kerberos Server HP Kerber os Administrator Chapter 8 133 the * permissions in admin_acl_file . The account must have at least inquire privileges . F or more information, see “The admin_acl_file File” on page 113. Both the local and remote administrators are discussed in detail in this chapter . Standard Functionality of the A[...]

  • Seite 134

    Administering the Kerberos Server Local Administrator – kadminl_ui Chapter 8 134 Local Administrator – kadminl_ui The local administrator , kadminl_ui, is the GUI-based database administrator that runs on the primary security server . It allows principals with administrative privileges to administer and maintain the principal database on an ong[...]

  • Seite 135

    Administering the Kerberos Server Local Administrator – kadminl_ui Chapter 8 135 This chapter contains a detailed description of the Principals tab and the Realms tab.[...]

  • Seite 136

    Administering the Kerberos Server Principals T ab Chapter 8 136 Principals T ab Y ou can use the Principals tab (Figure 8-1) in the HP Kerberos Administrator window to manage principal entries in your database by adding , editing , or deleting principals.[...]

  • Seite 137

    Administering the Kerberos Server Principals T ab Chapter 8 137 T able 8-6 describes the components of the Principals tab. Figure 8-1 Principals T ab T able 8-6 Principals T ab Components Component Name Description Realm Select the realm where the principal that you want to add, c hange, or delete resides.[...]

  • Seite 138

    Administering the Kerberos Server Principals T ab Chapter 8 138 List All Click this button to list all the principals associated with the realm. NO TE: If you have selected LDAP as the backend database , then information about all realms under the same base DN is displayed when you click this button. Search String Enter characters for locating the [...]

  • Seite 139

    Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 139 General T ab (Principal Information Window) Y ou can use the Principal Information window to add principals or to modify existing principals and ticket information. T o add a new principal, select the realm in the HP Kerberos Administrator window and click [...]

  • Seite 140

    Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 140 T able 8-8 describes the components of the General tab. LDAP DN Displays the LDAP DN . General T ab Y ou can use the General tab on the Principal Information window to specify the ticket information, the password policy file, and values for Last Modified [...]

  • Seite 141

    Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 141 Principal Expiration Displays the principal expiration time, whic h indicates when the current logon privileges of the principal expire. Enter one of the following options in the Principal Expiration box: • A date and time in the format HH:MM MM/DD/YYY. ?[...]

  • Seite 142

    Administering the Kerberos Server General T ab (Principal Information Windo w) Chapter 8 142 P assword P olicy Specifies the password policy name in this field. If you do not specify the password policy name, the default policy is applied. NO TE: Do not change the password policy name for reserved service principals . Last Modified Specifies th[...]

  • Seite 143

    Administering the Kerberos Server Adding Principals to the Database Chapter 8 143 Adding Principals to the Database When you add a principal, you must specify the following information: • Principal and ticket information, located in the General tab. • P assword and password expiration information, located in the P assword tab. • Other princip[...]

  • Seite 144

    Administering the Kerberos Server Adding Principals to the Database Chapter 8 144 Figure 8-3 Change P assword Window Step 5. Enter the new password in the Change Password window and c lick OK . Step 6. In the Password tab , enter the P assword Information and the K ey and Salt Types . Y ou cannot use the Change Password button in the P assword tab [...]

  • Seite 145

    Administering the Kerberos Server Adding Principals to the Database Chapter 8 145 Adding Multiple Principals with Similar Settings T o simultaneously add multiple principals with the same setting , complete the following steps: Step 1. In the HP Kerberos Administrator window , select the Realm in which you want to add multiple principals . Step 2. [...]

  • Seite 146

    Administering the Kerberos Server Creating an Administrative Principal Chapter 8 146 Creating an Administrative Principal Y ou can use the HP K erberos Administrator window to create an administrative principal. When you create a principal and assign the administrative permissions to it, the principal is stored in admin_acl_file located on the prim[...]

  • Seite 147

    Administering the Kerberos Server Creating an Administrative Principal Chapter 8 147 Step 6. Enter the password information and click OK in the Change P assword window . Do not select the Generate Random K ey option. Step 7. In the Attributes tab, select the attributes for the administrative principal. Select the Require Preauthentication attribute[...]

  • Seite 148

    Administering the Kerberos Server Creating an Administrative Principal Chapter 8 148 Step 11. Click OK to save all the values to the database and to close the Principal Information window , or click Cancel to close the Principal Information window without saving the values to the database .[...]

  • Seite 149

    Administering the Kerberos Server Searc hing for a Principal Chapter 8 149 Searching for a Principal F ollowing are the methods to search for a principal: • Click List All in the Principals tab to display a list of principals in the current realm in the List of Principals list box, which displays up to 1,000 principals. • Click Search to displa[...]

  • Seite 150

    Administering the Kerberos Server Searc hing for a Principal Chapter 8 150 [...] Represents any one character from the set except / (slash). F or example, [abc]* searc hes for all principal names starting with a , b ,o r c . The following characters have a special meaning with the [...] construct: ! Represents an exclusion when used immediately aft[...]

  • Seite 151

    Administering the Kerberos Server Deleting a Principal Chapter 8 151 Deleting a Principal When you delete a principal using one of the Kerberos administrative utilities , all references to the principal are automatically removed from both the principal database and admin_acl_file . T o delete a user principal, complete the following steps: Step 1. [...]

  • Seite 152

    Administering the Kerberos Server Loading Default V alues for a Principal Chapter 8 152 Loading Default V alues for a Principal When you add or edit a principal in the Principal Information window , you can quickly restore any changed values to the default values that are specified in the default group. When you reload the default values , all fi[...]

  • Seite 153

    Administering the Kerberos Server Restoring Previousl y Saved V alues for a Principal Chapter 8 153 Restoring Previously Saved V alues for a Principal Y ou can restore any value for a principal that you have changed but not yet saved to the values that were previously saved for that principal. T o retain the previously saved values for a principal [...]

  • Seite 154

    Administering the Kerberos Server Changing Ticket Inf ormation Chapter 8 154 Changing T icket Information Y ou can change the ticket information used for a principal, including the principal expiration date, ticket lifetime , and ticket renewal time . T o change the ticket information, complete the following steps: Step 1. In the Principals tab, se[...]

  • Seite 155

    Administering the Kerberos Server Rules for Setting Maxim um Ticket Lifetime Chapter 8 155 Rules for Setting Maximum T icket Lifetime Maximum ticket lifetime indicates the maximum lifetime for which a ticket can be issued to the principal. Y ou can specify the maximum ticket lifetime value in the General>Maximum Ticket Lifetime text box. The for[...]

  • Seite 156

    Administering the Kerberos Server Rules for Setting Maxim um Renew Time Chapter 8 156 Rules for Setting Maximum Renew T ime Maximum renew time indicates the maximum amount of time for which a ticket can be renewed. Y ou can specify the maximum renew time value in the Principal Information>General>Maximum Renew Time text box. The format for th[...]

  • Seite 157

    Administering the Kerberos Server Rules for Setting Maxim um Renew Time Chapter 8 157 You have entered an invalid time[...]

  • Seite 158

    Administering the Kerberos Server Changing P asswor d Information Chapter 8 158 Changing P assword Information Y ou can change the following password information used by a principal: • P assword expiration date Indicates when the password of the current principal is due to expire. Check the P assword Expiration Date box to activate password expir[...]

  • Seite 159

    Administering the Kerberos Server Changing P asswor d Information Chapter 8 159 IMPORT ANT If you change the key or salt type, you must change the password of the principal. Y ou must inform the principal of the required temporary password. The principal must change the password during next logon. Y ou can use the Principal Information>Edit menu[...]

  • Seite 160

    Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 160 P assword T ab (Principal Information W indow) Y ou can use the Password tab (F igure 8-5) on the Principal Information window to specify the password parameters for the principal. Figure 8-5 P assword T ab T able 8-10 describes the components of the P as[...]

  • Seite 161

    Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 161 P assword Expiration/Date Indicates when the current principal password expires. Select P assword Expiration/Date to activate password expiration for the current principal. If you do not enable this function, the password of the current principal never ex[...]

  • Seite 162

    Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 162 Change P assword Window (P assword T ab) When you create a new principal using the Principal Information window>Password tab, HP Kerberos Administrator automatically displays the Change P assword window (Figure 8-6). Enter a new password and verify the[...]

  • Seite 163

    Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 163 Generate Random Key only for service principals. If you select the Generate Random Key option, a unique encrypted key is created without entering a password. Figure 8-6 Change P assword Window T able 8-11 describes the components of the Change P assword w[...]

  • Seite 164

    Administering the Kerberos Server P asswor d T ab (Principal Information Window) Chapter 8 164 New P assword Specifies the new password information. This is a temporary password because the principal is required to change the password of the user during next logon. The assumption is that the NoChangeReqPwd setting in the password policy file of t[...]

  • Seite 165

    Administering the Kerberos Server Changing a Ke y T ype Chapter 8 165 Changing a Key Type F or a strong enterprise wide security between the Kerberos servers and clients , all principals must have 3DES keys using Normal (V5) salt. Changing a DES-CRC or DES-MD5 Principal Key Type to 3DES If you are changing the key type for a service principal that [...]

  • Seite 166

    Administering the Kerberos Server Changing a Ke y T ype Chapter 8 166 • If the principal is a service principal with an extracted key , select the Generate Random Key check box to generate a random key . Step 8. Click OK to close the Change P assword window . Step 9. Click OK to close the Principal Information window . If the principal is a user [...]

  • Seite 167

    Administering the Kerberos Server Changing Principal Attributes Chapter 8 167 Changing Principal Attributes Y ou can change the attributes of a principal in the Principal Information window (Figure 8-5). These attributes are the characteristics and properties assigned to a user or a service principal. Attributes control how a principal behaves and [...]

  • Seite 168

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 168 Attributes T ab (Principal Information W indow) Attributes are the characteristics and properties assigned to a principal that control the behavior of the principal. Y ou can use the Attributes tab in the Principal Information window to assign attributes [...]

  • Seite 169

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 169 LDAP DN Displays the LDAP DN that you are editing . Allow P ostdated Specifies whether a principal is allowed for ticket postdating . Postdating is a mechanism that allows a principal to obtain a ticket that is initially invalid, but that can become vali[...]

  • Seite 170

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 170 LDAP DN Displays the LDAP DN that you are editing . Allow P ostdated Specifies whether a principal is allowed for ticket postdating . Postdating is a mechanism that allows a principal to obtain a ticket that is initially invalid, but that can become vali[...]

  • Seite 171

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 171 Allow F orwardable Specifies if a principal is allowed ticket forwarding . F orwarding is a process that sends a ticket-granting ticket (TGT) from one network host to another host. The second host system can use the forwarded TGT to generate a new servic[...]

  • Seite 172

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 172 Require Preauthentication Specifies if a principal is required to use preauthentication in the TGT request. Preauthentication means that additional known encrypted data is sent with the ticket request, providing additional security when the TGT is presen[...]

  • Seite 173

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 173 Lock Principal Specifies if a principal is active. A locked principal still exists in the principal database, but it is unable to use or provide Kerberos services. The Lock Principal attribute applies to both user and service principals. If you set this [...]

  • Seite 174

    Administering the Kerberos Server Attributes T ab (Principal Information Window) Chapter 8 174 Require Initial Authentication Specifies if the server is allowed to issue service to the service principal on behalf of a user principal using a previously obtained TGT . If you set this attribute for the service principal, a user principal must authent[...]

  • Seite 175

    Administering the Kerberos Server LD AP Attributes T ab (Prinicpal Information Windo w) Chapter 8 175 LDAP Attributes T ab (Prinicpal Information W indow) The LDAP Attributes tab displays the mandatory LDAP attributes that need to be specified while creating a Kerberos principal. These attributes need to be specified only if the LDAP DN does not [...]

  • Seite 176

    Administering the Kerberos Server LD AP Attributes T ab (Prinicpal Information Windo w) Chapter 8 176 Y ou can use the LDAP Attributes tab in the Principal Information window to assign LDAP attributes for a principal, as shown in Figure 8-8. Figure 8-8 LDAP Attributes T ab Figure 8-8 describes the components of the LDAP Attributes tab , if you have[...]

  • Seite 177

    Administering the Kerberos Server Deleting a Service Principal Chapter 8 177 Deleting a Service Principal The Kerberos server requires several specific principals. If you accidentally delete these principals, you must restore the principal database from a backup tape. T o delete a service principal that has a random key extracted to the service ke[...]

  • Seite 178

    Administering the Kerberos Server Extracting Service Keys Chapter 8 178 Extracting Service Keys Unlike users who type their password using a keyboard, a service principal needs to have its secret key automatically available during authentication. Therefore, store the secret key for the service principals on the host where the service is located, in[...]

  • Seite 179

    Administering the Kerberos Server Extracting Service Keys Chapter 8 179 If you change the default name and location to a different name and location than the programs of the Kerberos server , you must edit the settings to indicate the new location of the service key table file. Step 8. Select the Generate New Random Key before Extracting option. H[...]

  • Seite 180

    Administering the Kerberos Server Extracting a Service Key T able Chapter 8 180 Extracting a Service Key T able Y ou can extract the key for a service principal to the service key table ( v5srvtab ) by using the Extract Principal Key to Service Key T able window . Because a service does not enter the password using the keyboard, you must store its [...]

  • Seite 181

    Administering the Kerberos Server Extracting a Service Key T able Chapter 8 181 T able 8-13 Extract Service Key T able Components Component Description Principal Displays the name of the principal for which you are extracting a key . Service Key T able Type Identifies the type of key table into which the principal name and keys are extracted. Serv[...]

  • Seite 182

    Administering the Kerberos Server Using Groups to Contr ol Settings Chapter 8 182 Using Groups to Control Settings Y ou can modify the default values used for new principals using the Principal Information window (Figure 8-2). Each realm has a default group, and the default group for the realm contains default values . The values that you specify f[...]

  • Seite 183

    Administering the Kerberos Server Using Groups to Contr ol Settings Chapter 8 183 Y ou can also edit the default group by selecting the default@REALM principal from the List of Principals list box in the Principals tab. In the Principals tab, clic k Edit to open the Principal Information window , and enter the value for all the fields in the Gener[...]

  • Seite 184

    Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 184 Group Information W indow (Principal Information W indow) Y ou can view or modify the default group settings of a realm using the Group Information window . The default group is similar to a template used to control the settings for new princip[...]

  • Seite 185

    Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 185 T o open the Group Information window , choose Principal Information>Edit>Edit Default Group to display the Group Information window (Figure 8-10). Figure 8-10 Group Information Window T able 8-14 describes the components of the Group Inf[...]

  • Seite 186

    Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 186 Principal Attributes Y ou must assign attributes to each principal to control the usage and rights of the account. This section describes the possible attributes and the default settings. Setting the Default Group Principal Attributes Before ad[...]

  • Seite 187

    Administering the Kerberos Server Group Inf ormation Window (Principal Information Windo w) Chapter 8 187 T o edit the default group, use the HP Kerberos Administrator or the command-line administrator , discussed as follows: • In the HP Kerberos Administrator window , complete the following steps to edit the default group: 1. Select a principal [...]

  • Seite 188

    Administering the Kerberos Server Setting Administrative P ermissions Chapter 8 188 Setting Administrative P ermissions Use the HP Kerberos Administrator window to assign administrative permissions to users. When you assign administrative permissions to a principal, the principal and its permissions are saved to admin_acl_file located on the primar[...]

  • Seite 189

    Administering the Kerberos Server Administrative P ermissions Chapter 8 189 Administrative P ermissions Y ou can assign administrative permissions using the Administrative P ermissions window . Choose Principal Information>Edit , and select the Edit Administrative P ermissions option to display the Administrative P ermissions window (Figure 8-11[...]

  • Seite 190

    Administering the Kerberos Server Administrative P ermissions Chapter 8 190 the Add Principals , Delete Principals, Change Principal P assword, Inquire About Principals, Modify Principals , and Extract Keys permissions. T able 8-15 describes the components of the Group Information window . T able 8-15 Group Information Window Components Component D[...]

  • Seite 191

    Administering the Kerberos Server Administrative P ermissions Chapter 8 191 Restricted Administrator Select this option in addition to the Add Principals, Delete Principals , Modify Principals, Inquire about Principals , Extract Keys, Change Principal P assword attributes in the realm of the administrative principal or all realms to permit administ[...]

  • Seite 192

    Administering the Kerberos Server Administrative P ermissions Chapter 8 192 Modify Administrative P ermissions Modifies administrative permissions for others users. Y ou can modify the administrative permission using the Principal Information>Edit>Edit Administrative P ermissions>Administrative P ermissions window . All* The Administrativ[...]

  • Seite 193

    Administering the Kerberos Server Realms T ab Chapter 8 193 Realms T ab A realm is a collection of principals that reside in the same administrative domain. Y our network-naming scheme, network topology , security policy , and company organization determine which principals and services you put in a relam. Within a realm, all principals share the s[...]

  • Seite 194

    Administering the Kerberos Server Realms T ab Chapter 8 194 Figure 8-12 Realms T ab T able 8-16 describes the components in the Realms tab. T able 8-16 Realms T ab Components Component Description List of Realms Displays a list of all the available realms . New Creates a new realm. Delete Deletes a realm. Y ou must select an entry to enable this bu[...]

  • Seite 195

    Administering the Kerberos Server Realms T ab Chapter 8 195 Realm Information Window Y ou can use the Realm Information window to add realms. Click New in the HP Kerberos Administrator window>Realms tab to display the Realm Information window as shown in Figure 8-13. Figure 8-13 Realm Information Window T able 8-17 describes the components of th[...]

  • Seite 196

    Administering the Kerberos Server Adding a Realm Chapter 8 196 Adding a Realm When you add a realm, HP Kerberos Administrator automatically creates some reserved principals, whic h remain in the database. T o add a realm, complete the following steps: Step 1. In the HP Kerberos Adminsitrator window , select the Realms tab (Figure 8-12). Step 2. In [...]

  • Seite 197

    Administering the Kerberos Server Deleting a Realm Chapter 8 197 Deleting a Realm When you delete a realm, all the principals for that realm are not deleted from the database. T o delete the principals from the database, you can use the HP Kerberos Administrator window or the command-line administrator . F or more information, see “Deleting a Pri[...]

  • Seite 198

    Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 198 Remote Administrator – kadmin_ui The kadmin_ui utility is the GUI-based Kerberos remote administrative utility that runs on the secondary security servers and clients. Principals with administrative privileges use the remote administrator to maintain the database o[...]

  • Seite 199

    Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 199 Step 1. Execute the following command at the HP-UX prompt: # /opt/krb5/kadmin_ui The logon screen displays as shown in Figure 8-14. Figure 8-14 Logon Screen Step 2. Enter your principal name and password in the logon screen. Step 3. Click OK to display the change pas[...]

  • Seite 200

    Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 200 Step 4. Enter a new password in the change password screen to change your password, and click OK . Figure 8-15 Change P assword Screen NO TE This screen is displayed only when you first log on using the remote administrator . T o access the database using the remote[...]

  • Seite 201

    Administering the Kerberos Server Remote Administrator – kadmin_ui Chapter 8 201 The graphical user interface for the remote administrator is similar to that for the local administrator . F or more information on using the remote administrator , kadmin_ui , and administering your K erberos server , see “Local Administrator – kadminl_ui” on [...]

  • Seite 202

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 202 Manual Administration Using kadmin Y ou can use the command-line administrator to administer the principal database. It enables principals with administrative privileges to maintain the principal database. Y ou must include all the users , clients, and services authe[...]

  • Seite 203

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 203 Only a user with root permission can invoke the local command-line administrator , kadminl . T o log on to the remote administrator , kadmin , use a principal account that has an entry in admin_acl_file and an account that has at least inquire privileges. F or comple[...]

  • Seite 204

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 204 HP recommends that you use the graphical user interface administrative utility , kadminl_ui , to administer these parameters. Adding a New Principal Y ou must specify the add administrative privilege in admin_acl_file to add a principal to the database. T o add a new[...]

  • Seite 205

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 205 F or example, to add a new principal admin , type kadmin at the HP-UX prompt, and specify the add command, the principal name, and the policy name. F ollowing is a sample output of the add command: command: add Name of Principal to add: admin Enter password: <pass[...]

  • Seite 206

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 206 command: cpw Name of Principal: admin Enter password: password Re-enter password for verification: password Principal modified Changing P assword to a New Randomly Generated P assword The cpwrnd command changes the password of a principal to a new randomly generated [...]

  • Seite 207

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 207 Extracting a Principal The ext command securely extracts the key of the principal into a local service key table file. By default, the host/fqdn@REALM principal is extracted into the v5srvtab file, where fqdn is the fully qualified domain name of the host system. [...]

  • Seite 208

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 208 [principal] Specifies an alternate principal to extract other than the default host/fqdn@REALM principal, for example, ext finance@BAMBI.COM After ext executes , it prompts you for the service key table file name. The default file name is /krb5/v5srvtab . Listing [...]

  • Seite 209

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 209 policy Specifies the new policy name. If you do not specify a policy name, the default policy is applied. dn Specifies the LDAP DN name. If you do not specify an LDAP DN name, the default policy is applied. The general syntax for modifying an existing principal is [...]

  • Seite 210

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 210 Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit ):fcnt Failure Count (or quit): <enter count> Principal modified. Key V ersion Number Attribute Every principal password has an associated version num[...]

  • Seite 211

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 211 F ollowing is a sample output for the mod command with the dn parameter: Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :dn Enter LDAP DN name or quit: <enter LDAP DN name> Principal modified. P[...]

  • Seite 212

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 212 The Allow Postdated attribute applies to both user and service principals specified as follows: • Y ou can issue either a postdated or postdatable ticket for user principals . • The server can issue postdated service tickets for the service. NO TE Before the ser[...]

  • Seite 213

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 213 NO TE Before the server issues a renewable service ticket, the requesting user must possess a renewable TGT . T o modify the type of the parameter attr for the principal admin and to set the Allow Renewable attribute, type kadmin at the HP-UX prompt and specify the m[...]

  • Seite 214

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 214 Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :attr Attribute (or quit): {forward|noforward} Principal modified. Allow Proxy Attribute The Allow Proxy attribute determines whether a principal is allo[...]

  • Seite 215

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 215 Allow Duplicate Session Key Attribute The Allow Duplicate Session Key attribute determines whether a principal is allowed to use a duplicate session key . A duplicate session key applies to user -to-user authentication and determines which key is used to encrypt the [...]

  • Seite 216

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 216 Require Preauthentication Attribute The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting a TGT . Preauthentication implies that the client logon program attaches known encrypted data to a ticket request[...]

  • Seite 217

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 217 When a new principal is added to the database or when a password of the principal is changed, this attribute is controlled by the NoReqChangePwd setting in the password policy file of the principle. By default, NoReqChangePwd is set to 0 (zero), that is, the user mu[...]

  • Seite 218

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 218 T o modify the type of the parameter attr for the principal admin and to set the Lock Principal attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute . F ollowing is a sample output of t[...]

  • Seite 219

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 219 Require Initial Authentication Attribute The Require Initial Authentication attribute specifies if the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT . The Require Initial Authentication attribut[...]

  • Seite 220

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 220 Y ou can use the kadmin inq command to view the attribute of the principal. With Require Initial Authentication selected ( tgt ), the inquire command shows TGT_BASED in the attributes field. Without the Require Initial Authentication setting ( notgt ), the text does[...]

  • Seite 221

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 221 F ollowing is a sample output of the Password Change Service attribute: Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr, fcnt, vno, policy,dn or q ui) :attr Attribute (or quit): {cpwsrv|nocpwsrv} Principal modified. P assword Expir[...]

  • Seite 222

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 222 Because the expiration time is calculated from the time you add a new principal to the database, the password change load on the server is distributed over time. Therefore , you can select a password expiration in the default group principal template without affectin[...]

  • Seite 223

    Administering the Kerberos Server Manual Administration Using kadmin Chapter 8 223 Y ou cannot set this attribute using the command-line administrator . Maximum Renew Time Attribute The Maximum Renew Time attribute controls the renew time limit for renewable tic kets. If you set the renew time longer than the renew time assigned to the krbtgt/REALM[...]

  • Seite 224

    Administering the Kerberos Server Principal Database Utilities Chapter 8 224 Principal Database Utilities Principal database utilities are tools that help you to globally manage the principal database. Use these tools only if the database w as not properly created or configured during installation, or if you are debugging or upgrading your Kerbero[...]

  • Seite 225

    Administering the Kerberos Server Kerber os Database Utilities Chapter 8 225 Kerberos Database Utilities The primary security server contains a database of all principals that are trusted in each of the supported realms . Y ou can also create the database during installation. See “ Auto-Configuration of the Kerberos Server” on page 63 for more[...]

  • Seite 226

    Administering the Kerberos Server Kerber os Database Utilities Chapter 8 226 • DES-CRC or 1 : DES-CBC-CRC NO TE The default, DES3-CBC-MD5 , will be set as the encryption type if you do not specify any of the encryption types previously mentioned. -f keyfile Specifies an alternate name for the stash file when used with the -s switch. If you do n[...]

  • Seite 227

    Administering the Kerberos Server Kerber os Database Utilities Chapter 8 227 Adding principals to database... Cleaning up.... shell% The kdb_create command creates the following principals: • K/M@<REALM NAME> This is the default key name. However , you can configure this key name. • default@<REALM NAME> • kadmin/<REALM NAME>[...]

  • Seite 228

    Administering the Kerberos Server Kerber os Database Utilities Chapter 8 228 • DES-MD5 • DES-CRC The encryption type selected during database creation determines the encryption type applied to the master password, which in turn is used to create the key that secures all records stored in the principal database. Encrypt the database using DES en[...]

  • Seite 229

    Administering the Kerberos Server Destro ying the Kerberos Database Chapter 8 229 Destroying the Kerberos Database The kdb_destroy utility securely removes the principal database. This utility runs on the primary and secondary security servers. If you run this utility using command-line options, it prompts you with a confirmation message and then [...]

  • Seite 230

    Administering the Kerberos Server Destro ying the Kerberos Database Chapter 8 230 sure? (type ‘yes’ to confirm)? Database destroyed![...]

  • Seite 231

    Administering the Kerberos Server Dumping the Kerber os Database Chapter 8 231 Dumping the Kerberos Database The kdb_dump utility copies the contents of the principal database to stdout or to a text file. By default, the output is displa yed on the terminal using the stdout command. NO TE Y ou must be a root user to run the kdb_dump program. The g[...]

  • Seite 232

    Administering the Kerberos Server Loading the Kerber os Database Chapter 8 232 Loading the Kerberos Database The kdb_load utility loads the database with the principal entries from a database dump text file. This utility overrides the existing database entries with the corresponding entries present in the dump file. Principals in the existing dat[...]

  • Seite 233

    Administering the Kerberos Server Stashing the Master Ke y Chapter 8 233 Stashing the Master Key The kdb_stash utility stores the master key , the encrypted master password, to a stash file. This utility runs on the primary and secondary security servers . Use the kdb_stash utility to store the master key in a stash file. Y ou must specify the sa[...]

  • Seite 234

    Administering the Kerberos Server Stashing the Master Key Chapter 8 234 F ollowing is an example of using kdb_stash : shell% kdb_stash -f <filename> Enter password: <password> Re-enter password for verification: <password>[...]

  • Seite 235

    Administering the Kerberos Server Starting and Stopping Daemons Chapter 8 235 Starting and Stopping Daemons If you change the configuration of the Kerberos server , you must stop and restart the services and daemons for the changes to take effect. T able 8-8 briefly describes the related services and daemons that you must stop and restart. Y ou c[...]

  • Seite 236

    Administering the Kerberos Server Maintenance T asks Chapter 8 236 Maintenance T asks F ollowing are the maintenance tasks associated with the Kerberos server: • “Protecting Security Server Secrets” on page 236 • “Backing Up primary security server Data” on page 237 Protecting Security Server Secrets The Kerberos server stores the follo[...]

  • Seite 237

    Administering the Kerberos Server Maintenance T asks Chapter 8 237 Backing Up primary security server Data Save the copied information to a CD or tape — whatever your preferred archive method is . Be aw are that primary security server files contain sensitive information; therefore, do not copy files unless you intend to properly secure the bac[...]

  • Seite 238

    Administering the Kerberos Server Maintenance T asks Chapter 8 238 • Run the following command as a root user: # /sbin/init.d/krbsrv stop Step 2. Copy the principal.dat , principal.idx , and principal.ok files from one of the propagation servers to your desired destination, for example, CD-ROM or tape. The files are located at /opt/krb5 . Step [...]

  • Seite 239

    Administering the Kerberos Server Removing Un used Space from the Database Chapter 8 239 Removing Unused Space from the Database After long and continued use, the principal database on the primary security server can grow large due to unused space. When you delete a principal, the space that the record had occupied is not removed. Instead, the spac[...]

  • Seite 240

    Administering the Kerberos Server Removing Un used Space from the Database Chapter 8 240 Step 8. Remove the /tmp/filename file after you have verified that the new database is functioning without problems.[...]

  • Seite 241

    Chapter 9 241 9 Propagating the Kerberos Server This chapter describes how to propagate the Kerberos database from the primary security server to the secondary security server .[...]

  • Seite 242

    Propagating the K erberos Ser ver Chapter 9 242 This chapter discusses the following topics: • “Propagation Hierarchy” on page 243 • “Service Key T able” on page 244 • “Propagation T ools” on page 246 • “The kpropd Daemon” on page 248 • “The mkpropcf T ool” on page 249 • “The kpropd.ini File” on page 251 • “T[...]

  • Seite 243

    Propagating the K erberos Ser ver Propa gation Hierarchy Chapter 9 243 Propagation Hierarchy T o authenticate users on the network, each secondary security server must contain the latest copy of the principal database, at all times . secondary security servers obtain the copy of the principal database from the primary security server using the data[...]

  • Seite 244

    Propagating the K erberos Ser ver Service Key T able Chapter 9 244 Service Key T able The /krb5/v5srvtab file is the service key table file that contains service principal names with their corresponding secret keys. Y ou must store this file on the system that hosts the service or application, which requires an extracted key . Secured applicatio[...]

  • Seite 245

    Propagating the K erberos Ser ver Service Key T able Chapter 9 245 T o extract the principal <principal_name> to a local service key table file, SrvTab , type kadmin at the HP-UX prompt and specify the ext command, the principal name, and the service key table file name . F ollowing is a sample output for the ext command: command: ext Name [...]

  • Seite 246

    Propagating the K erberos Ser ver Propa gation T ools Chapter 9 246 Propagation T ools The kpropd daemon manages and performs propagation of the principal database on each server in the propagation hierarchy . It uses the following local files: • prop_q A default propagation input queue file that contains the names of every principal whose reco[...]

  • Seite 247

    Propagating the K erberos Ser ver Propa gation T ools Chapter 9 247 F or more information on the process for configuring propagation, see “Setting Up Propagation” on page 258. This chapter contains a detailed discussion of these tools . Manually control propagation on one or more servers once propagation is configured and started. prpadmin T [...]

  • Seite 248

    Propagating the K erberos Ser ver The kpropd Daemon Chapter 9 248 The kpropd Daemon The /opt/krb5/sbin/kpropd daemon propagates the principal database from one server to another and starts running when the security server starts up. It propagates principal records from a given security server to kpropd on the receiving security server or to the pro[...]

  • Seite 249

    Propagating the K erberos Ser ver The mkpropcf T ool Chapter 9 249 The mkpropcf T ool The /opt/krb5/install/mkpropcf tool creates the kpropd.ini file, which is the default propagation configuration file in a propagation hierarchy . The mkpropcf tool exports the kpropd.ini file to the secondary security servers. When you execute mkpropcf on the [...]

  • Seite 250

    Propagating the K erberos Ser ver The mkpropcf T ool Chapter 9 250 -f Overwrites the kpropd.ini file. Y ou can use this option with the -i option to explicitly overwrite the kpropd.ini file. T o synchronize the kpropd configuration, HP recommends that you export the original configuration, kpropd.ini , on the primary security server to export.i[...]

  • Seite 251

    Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 251 The kpropd.ini F ile The /opt/krb5/kpropd.ini file is the propagation configuration file created by the mkpropcf tool using the information from the local krb.conf file. Ensure that only authorized users have access to this file . Unauthorized access to kpropd.ini can jeopardi[...]

  • Seite 252

    Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 252 Sections The kpropd.ini file stores configuration parameters required for propagation. This file contains the following sections: • The [ default_values ] section controls the various global propagation properties . The listed values apply to all security servers unless you ov[...]

  • Seite 253

    Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 253 Specifies the length of time for which a session key is valid, where n indicates the number of seconds, minutes , hours, or da ys. The default is value 6 hours. max_cache=n[K|M] Specifies the maximum size that each cache file of the security server ( prop_hostname ) can reach be[...]

  • Seite 254

    Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 254 primary_realm=DEFAULT_REALM Specifies the default realm of the primary security server . If the krb.conf file does not exist, the DEFAULT REALM is assigned the uppercase equivalent of the domain name. realms=[all|realm1[, realm2][,...]] Specifies the realms whose records are pro[...]

  • Seite 255

    Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 255 child[n]=fqdn Specifies the child security server of the secsrv_name in the propagation hierarchy , where fqdn is the FQDN of the child server . A security server can have zero or more child servers . If more than one child server receives propagated records from secsrv_name , inc[...]

  • Seite 256

    Propagating the K erberos Ser ver The kpropd.ini File Chapter 9 256 [default_values] interval=15s key_exp=6h max_cache=1024K max_retry_delay=1h net_timeout=30s port=kerberos-adm primary_realm=REALM1 realms=all service_name=host [sersrv1] child = secsrv2 [secsrv2] child1 = secsrv3 child = secsrv4 parent = secsrv1 [secsrv3] parent = secsrv2, realms =[...]

  • Seite 257

    Propagating the K erberos Ser ver The prpadmin Administrative Application Chapter 9 257 The prpadmin Administrative Application The /opt/krb5/adm/prpadmin administrative application runs on all security servers and helps you manage the propagation system. F or example, to propagate all the contents of the primary principal database to all the secon[...]

  • Seite 258

    Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 258 Setting Up Propagation After installing and configuring your primary and secondary security servers , you must propagate principal database information from the primary security server to all secondary security servers. Before you can configure propagation, each secondary sec[...]

  • Seite 259

    Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 259 T able 9-2 lists the daemons , and briefly describes their functions. T o avoid confusion and redundancy in this section regarding names , T able 9-2 also indicates the generic names used in this document to discuss the daemon. T o propagate the principal database entries on t[...]

  • Seite 260

    Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 260 3. From the primary security server /opt/krb5/install directory , run the following command: # mkpropcf This creates the kpropd.ini file, which defines your propagation hierarchy . NO TE If you do not want to use the default hierarchy structure (a two-tier system), you must e[...]

  • Seite 261

    Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 261 NO TE The <admin/principal> is the same as the one added on the primary security server in step 2. Step 5. Start the admin daemon on the secondary security server by using the following command: # /opt/krb5/sbin/kadmind Step 6. Start the propagation daemon on the primary [...]

  • Seite 262

    Propagating the K erberos Ser ver Setting Up Propa gation Chapter 9 262 V erify that propagation has occurred on the secondary security server by using the kdb_dump utility to view the contents of the principal database on the secondary security server . The existence of recently added principal accounts indicates a successful propagation. F or inf[...]

  • Seite 263

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 263 Monitoring Propagation Y ou must regularly monitor database propagation between servers. Monitoring helps you to identify the following problems: • Primary-secondary link failure • Stalled propagation T o monitor the propagation, you need to examine the log file and the pr[...]

  • Seite 264

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 264 [hostname of peer] Can’t connect to subscriber to propagate principal database information [hostname of peer] could not get service ticket [hostname of peer] full_dump failed [hostname of peer] not enough memory to allocate work buffer Not enough free system resources to run [...]

  • Seite 265

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 265 F or example, a prop_ hostname file that is older than 48 hours or is unusually large indicates a propagation problem between the primary and secondary security servers as specified in hostname . Updating the principal.ok Time Stamp Y ou may notice that, by default, the time [...]

  • Seite 266

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 266 attempt is sent to the primary security server . However , if the principal fails on one server as many times as specified by the MaxFailAuthCnt parameter in the password policy file, that principal is locked out. NO TE HP authentication servers do not issue different message[...]

  • Seite 267

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 267 incremental database propagation. T o ensure accurate results , dump the databases simultaneously when administrative activity is at a minimum. Under these conditions, consider a discrepancy of more than five principal entries to be significant. • Authentication test to the[...]

  • Seite 268

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 268 Step 3. Restart the daemons on both the primary and secondary security servers . Step 4. T o compare the files for discrepancies, copy the files to a common location and execute the following command at the HP-UX prompt: # diff primary.db secondary.db > diffs_p.db The diff[...]

  • Seite 269

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 269 # rm -r -f /opt/krb5/prop/* Step 3. Restart the propagation daemon by using the following command: # /opt/krb5/sbin/kpropd Step 4. Perform a full dump to all secondary security servers by using the following command: # /opt/krb5/admin/prpadmin full_dump This process may take a [...]

  • Seite 270

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 270 If you encounter the following error message after installing a new secondary security server and attempting propagation, restart the daemons on the secondary security server after the full dump is complete: TGS: Error processing request from host Converting a secondary securit[...]

  • Seite 271

    Propagating the K erberos Ser ver Monitoring Propa gation Chapter 9 271 Step 4. Remove the Kerberos server software on the secondary security server . Step 5. Install the Kerberos server software on the previous secondary security server . Do not create the database during installation. Step 6. Restore the principal.* database files archived in st[...]

  • Seite 272

    Propagating the K erberos Ser ver Configuring Multirealm Enterprises Chapter 9 272 Configuring Multirealm Enterprises When you support multiple realms, additional configuration steps are required for both the security servers and clients . This section discusses the servers requirements. Number of Realms per Database A single primary security se[...]

  • Seite 273

    Propagating the K erberos Ser ver Configuring Multirealm Enterprises Chapter 9 273 Multiple primary security servers Supporting a Single Realm Y ou must have one primary security server for each realm if you have distributed administrative groups in which each group maintains its own realm information. Y ou cannot propagate changes from one primar[...]

  • Seite 274

    Propagating the K erberos Ser ver Configuring Multirealm Enterprises Chapter 9 274 Database Propagation for Multirealm Databases If you plan to support more than one realm in a single principal database on a primary security server and to propagate only selected realms to certain secondary security servers, you must perform additional steps when y[...]

  • Seite 275

    Chapter 10 275 10 Managing Multiple Realms This chapter describes how to set up and configure interrealm authentication between Kerberos servers, and how to manage multiple realms . Y ou must establish trust between the two realms before a principal in one realm can access a service in another realm.[...]

  • Seite 276

    Managing Multiple Realms Chapter 10 276 This chapter discusses the following topics: • “Considering a Trust Relationship” on page 277 • “Configuring Direct Trust Relationships” on page 279 • “Hierarchical Interrealm Trust” on page 281[...]

  • Seite 277

    Managing Multiple Realms Considering a T rust Relationship Chapter 10 277 Considering a T rust Relationship Y ou can establish a multiple realm environment within your enterprise. Regardless of the reason, if principals in one realm need access to secured services supported in a different realm, you must establish a trust relationship between the r[...]

  • Seite 278

    Managing Multiple Realms Considering a T rust Relationship Chapter 10 278 Hierarchical Trust In interrealm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms . The chain relies on a hierarchical realm naming scheme . F or example, IT.BAMB[...]

  • Seite 279

    Managing Multiple Realms Configuring Direct T rust Relationships Chapter 10 279 Configuring Direct T rust Relationships If the Kerberos security servers manage all the realms in a multirealm environment, you must add interrealm principals to the principal databases for each realm. Interrealm principals are special-case krbtgt/REALM1@REALM2 princi[...]

  • Seite 280

    Managing Multiple Realms Configuring Direct T rust Relationships Chapter 10 280 • The Kerberos server does not recognize the realm listed in the interrealm ticket, that is , when a proper trust relationship between the realms is not established. • The Kerberos server does not recognize the requested service principal, and has no further trust [...]

  • Seite 281

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 281 Hierarchical Interrealm T rust Y ou need to use hierarchical interrealm authentication when a realm does not have a direct path to its destination realm, but has a path to an intermediate realm. Hierarchical Chain of Trust Interrealm trust can be transitive, for example , if re[...]

  • Seite 282

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 282 interrealm ticket from VIBGYOR.INDIGO.COM , and can use this interrealm ticket to contact GREEN.YELLOW.COM for a ticket to use a service in its realm. Hierarchical Interrealm Configuration T o configure realms to perform hierarchical interrealm authentication, complete the fo[...]

  • Seite 283

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 283 These actions are described in detail in the following sections. The example configuration in this section uses the interrealm authentication principals shown in Figure 10-1. Figure 10-1 Hierarchical Interrealm Configuration The relationships are defined as follows: • krbt[...]

  • Seite 284

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 284 F or interrealm authentication in the other direction, two-wa y hierarchical interrealm authentication, you must also add these principals: • krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in FINANCE.JUNGLE.COM to accept tickets from BAMBI.COM . • krbtgt/BAMBI.COM@IT[...]

  • Seite 285

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 285 Configuring the Intermediate Realm T o configure the intermediate realm, consider the local realm as FINANCE.JUNGLE.COM , the intermediate realm as BAMBI.COM , the target realm as IT.JUNGLE.COM , and complete the following steps in the BAMBI.COM realm: Step 1. Use the Kerbero[...]

  • Seite 286

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 286 Step 7. Enable the same settings for this principal as for the first krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, with the same settings enabled as used for the principal in the local realm. Refer to step 2 in “Configuring the T arget Realm” on page 286. Configuring the T a[...]

  • Seite 287

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 287[...]

  • Seite 288

    Managing Multiple Realms Hierarc hical Interrealm T rust Chapter 10 288[...]

  • Seite 289

    Chapter 11 289 11 T roubleshooting This chapter describes how to troubleshoot the Kerberos server , and also includes the strategies and tools to use while investigating the software and hardware components of the Kerberos server .[...]

  • Seite 290

    T roubleshooting Chapter 11 290 When you encounter a problem, you may need to investigate many hardware and softw are components. Y ou can identify and resolve some problems quickly , such as invalid software installation, version incompatibilities , insufficient HP-UX resources, corrupt configuration shell scripts , and programming or command er[...]

  • Seite 291

    T roubleshooting Characterizing a Prob lem Chapter 11 291 Characterizing a Problem Y ou need to consider many questions while trying to characterize a problem. Start with global questions and gradually get more specific. Depending on the response, ask another series of questions until you have enough information to understand exactly what has happ[...]

  • Seite 292

    T roubleshooting Characterizing a Prob lem Chapter 11 292 • Data corruption. • Logging messages at the syslog. Knowing what has recently changed on your network can also help you understand whether the problem is software-related or hardware-related.[...]

  • Seite 293

    T roubleshooting Diagnostic T ools Summary Chapter 11 293 Diagnostic T ools Summary T able 11-1 describes the most frequently used diagnostic tools , which are documented in the link installation manuals. T able 11-1 Diagnostic T ools T ool Name Description netstat A nodal management command that returns statistical information regarding your netwo[...]

  • Seite 294

    T roubleshooting T roub leshooting Kerberos Chapter 11 294 T roubleshooting Kerberos When troubleshooting problems with Kerberos, you need a reference point from which to work. F or example, is the problem on the remote system or on the local system? However , the terms “local” and “remote” are limited in their description of complex commun[...]

  • Seite 295

    T roubleshooting T roub leshooting Kerberos Chapter 11 295 UNIX Syslog File The security server daemons, kadmind , kpropd , and kdcd , write error messages to the system log ( /var/adm/syslog/syslog.log ) file. Y ou can also configure the daemons to log the messages in a different file. Use the following command while starting the daemon, to spe[...]

  • Seite 296

    T roubleshooting T roub leshooting Kerberos Chapter 11 296 Services Checklist While troubleshooting ensure, that you ha ve answered all the questions in the troubleshooting checklist in the section “Characterizing a Problem” on page 291. Ensure that your node name and the Internet address exists in the /etc/hosts file, and run the service on y[...]

  • Seite 297

    T roubleshooting T roub leshooting Kerberos Chapter 11 297 Clock skew too great in KDC reply while getting initial credentials . This problem generally occurs because the clock of the system deviates too much from the time on the authenticating KDC . A clock skew time of up to 5 minutes is allowed. Y ou must run NTP or a similar service to keep you[...]

  • Seite 298

    T roubleshooting T roub leshooting Kerberos Chapter 11 298 Required parameters in krb.realms missing while initializing the Kerberos context. This problem occurs when the parameters are missing or incorrect in the krb.realms file. Ensure that the krb.realms file has the appropriate information. Stored master key is corrupted while initializing ka[...]

  • Seite 299

    T roubleshooting T roub leshooting Kerberos Chapter 11 299 Cannot find/read stored master key while getting master key . This problem occurs when the stash file is not found. Provide the master key as a command-line option. Y ou can also create the stash file. Error verifying pre-authentication data type 2. This problem occurs due to an incorrec[...]

  • Seite 300

    T roubleshooting T roub leshooting Kerberos Chapter 11 300 Connection to the LDAP server was lost. Connection to the LDAP server was lost. V erify that the Directory server is accessible, else restart the Directory server . Y ou can also restart the Kerberos server , if needed. LDAP server timeout The directory server timed out a request. Y ou may [...]

  • Seite 301

    T roubleshooting T roub leshooting Kerberos Chapter 11 301 LDAP authentication failed The Kerberos server was unable to connect to the Directory server with the information provided in the /opt/krb5/krb5_ld ap.conf configuration file. V erify that the values of the proxy_user and proxy_user_password are correct. Ensure that you change the value o[...]

  • Seite 302

    T roubleshooting T roub leshooting Kerberos Chapter 11 302 LDAP database is read-only An attempt to modify the Kerberos entry failed as the Directory server entry is read-only . Edit the Kerberos configuration file, krb5_ldap.conf , to specify a directory server that can be updated and restart all Kerberos server applications Insufficient access[...]

  • Seite 303

    T roubleshooting General Error s Chapter 11 303 General Errors F ollowing are the general errors that you may encounter while setting up your Kerberos server: • Ensure that the Domain Name Server (DNS) is working properly . Several aspects of Kerberos rely on this name service. It is important that your DNS entries and your hosts have the correct[...]

  • Seite 304

    T roubleshooting General Error s Chapter 11 304 Locking and Unlocking Accounts If a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal is not issued a ticket. Alternatively , a security administrator may have purposefully loc ked a pr[...]

  • Seite 305

    T roubleshooting User Error Messa g es Chapter 11 305 User Error Messages Users may see error messages while using the Kerberos server . The following sections describe user error messages, explain their causes , and suggest corrective actions. Decrypt Integrity Check F ailed Explanation: This message is displayed if a user requests a ticket from t[...]

  • Seite 306

    T roubleshooting Administrative Error Messa g es Chapter 11 306 Administrative Error Messages F ollowing are some messages that administrative principals may see when using their accounts . This section also contains some recommended solutions . P assword Has Expired While Getting Initial Ticket Explanation: This message may appear when a user trie[...]

  • Seite 307

    T roubleshooting Administrative Error Messages Chapter 11 307 key during authentication. If the principal does not have a 3DES key , the tools attempt to negotiate a supported key type. If the tools cannot negotiate a supported key type, the error message Service key not available while getting initial ticket is returned. Action If the user is usin[...]

  • Seite 308

    T roubleshooting Reporting Problems to Y our HP Suppor t Contact Chapter 11 308 Reporting Problems to Y our HP Support Contact If you do not have a service contract with HP , you may follow the procedure described below but you will be billed accordingly for time and materials . If you have a service contract with HP , document the problem as a Ser[...]

  • Seite 309

    T roubleshooting Reporting Problems to Y our HP Suppor t Contact Chapter 11 309 • Prepare a listing of the HP-UX I/O configuration you are using for your HP support contact to further analyze. • Try to determine the general area within the software where you think the problem exists. Refer to the appropriate reference manual and follow the gui[...]

  • Seite 310

    T roubleshooting Reporting Problems to Y our HP Suppor t Contact Chapter 11 310[...]

  • Seite 311

    Appendix A 311 A Configuration W orksheet The following worksheet helps you configure your Kerberos server with LDAP as the backend database.[...]

  • Seite 312

    Configuration W or ksheet Appendix A 312 F ollowing is an explanation and sample table. T able A-1 Configuration W orksheet Configuration W orksheet for LDAP database Directory administrator DN Directory server host Directory server port Base DN for search Subtree DN Proxy user DN Certificate db path NO TE: Enter the Certificate db path only i[...]

  • Seite 313

    Configuration W or ksheet Appendix A 313 Base DN for search The default base DN for search is the root of the directory tree on the Directory server , where the Kerberos server searches for kerberos principals. Example: ou=people , o=bambi.com Default Principal Subtree DN The default principal subtree DN is where all Kerberos principals are added [...]

  • Seite 314

    Configuration W or ksheet Appendix A 314[...]

  • Seite 315

    Appendix B 315 B Sample krb.conf F ile The sample krb.conf file named krb.conf.sample is available in the /opt/krb5/examples directory . Copy this sample file to /opt/krb5/krb.conf file and modify it to reflect the host names and realm name for your realm.[...]

  • Seite 316

    Sample krb .conf File Appendix B 316 NO TE If you have configured your Kerberos server with C-Tree as the backend then the realm names are case sensitive. If you ha ve configured your Kerberos server with LDAP as the backend then the realm names are not case sensitive. Replace the underlined Your_Realm_Name , Your_Secondary_Server1 , Your_Seconda[...]

  • Seite 317

    Sample krb .conf File The services File Appendix B 317 The services F ile The services file contains entries that allow client applications to establish socket connections to the KDC or to the applications servers . A KDC client requires the following entries in the /etc/services file: # # Kerberos services # kerberos5 88/udp kdc # Kerberos V5 kd[...]

  • Seite 318

    Sample krb .conf File The services File Appendix B 318[...]

  • Seite 319

    Appendix C 319 C Sample krb.realms F ile The sample krb.realms file named krb.realms.sample is available in the /opt/krb5/examples directory . Y ou can copy this sample file to the /opt/krb5 directory , and modify it to reflect your realm name.[...]

  • Seite 320

    Sample krb .realms File Appendix C 320 NO TE The realm names are case sensitive. Replace the underlined Your_Realm_Name , Your_Primary_Security_Server , Your_Secondary_Server_Server , and Your_Domain_Name with the name of your Kerberos REALM and host names of the primary security server and secondary security servers. Your_Primary_Security_Server Y[...]

  • Seite 321

    Glossary 321 Glossary A-B admin_acl_file (administrator access control list) T ext file that lists the administrators and their respective permissions. HP Kerberos Administrator The graphical user interface that is used to administer the principal database of the Kerberos server . Authentication Service (AS) Authentication is a verification of a[...]

  • Seite 322

    Glossar y kpropd.ini Glossary 322 kpropd.ini Propagation configuration file mkpropcf creates using information in the local krb.conf file. krb.conf File that contains configuration information that describes the default realm of the host, the administration server , and security servers for known realms. krb.realms The realms file defines hos[...]

  • Seite 323

    Glossar y v5srvtab Glossary 323 Ticket-granting ticket See TGT . V v5srvtab Binary file that contains service principal names and their corresponding secret keys .[...]

  • Seite 324

    Glossar y Ticket-granting tic ket Glossary 324[...]

  • Seite 325

    325 Index Symbols # , 68 /etc/rc.config .d/krbsrv , 102 /opt/krb5/sbin , 69 /sbin/init.d/krbsrv start , 102 /var/adm/krb5/krb5kdc , 315 A access control list See ACL ACL , 112 adding a realm , 273 ADMD = 1 , 102 admin_acl_file , 64 , 101 # comment , 113 format , 113 identifier , 113 instance , 113 perms_list , 113 using wildcards , 113 administr[...]

  • Seite 326

    Index 326 initial ticket , 26 intermediate realm , 285 intermittent error , 291 Internet Engineering T ask F orce See IETF interrealm authentication , 275 issuing a ticket , 322 K /krb5/admin_acl_file , 112 K/M key name , 44 K/M@REALM principal , 124 kadmin/changepw@REALM principal , 126 kadmin/REALM@REALM principal , 126 kadmind daemon , 104 , 22[...]

  • Seite 327

    Index 327 R remote administrator , 111 remote request , 112 reporting level , 295 LOG_ERR , 295 LOG_NOTICE , 295 LOG_W ARNING , 295 RFC 1510 , 22 , 25 , 54 RFC 1964 , 22 , 54 RFC 2743 , 22 RFC 2744 , 22 S sample kdc.conf , 319 sample krb.conf , 315 Sample krb.realms , 319 sample krb5.conf , 315 secsrv_name , 252 server , 294 service contract , 308 [...]