A good user manual
The rules oblige the retailer to supply the buyer, together with the goods, with the HP (Hewlett-Packard) E0905 user manual. A missing user manual, or incorrect information given to the consumer, is grounds for a complaint in the event that the device does not conform to the contract. By law, supplying the user manual in a form other than paper is permitted and has often been used recently, including a graphic or electronic HP (Hewlett-Packard) E0905 manual or instructional videos for users. The condition is that it be legible and understandable.
What is a user manual?
The word derives from the Latin "instructio", meaning to arrange. Thus, the HP (Hewlett-Packard) E0905 user manual describes the stages of a procedure. The purpose of a user manual is to instruct: to make it easier to start up and use equipment, or to carry out certain actions. The manual is a collection of information about the object or service, a set of hints.
Unfortunately, few users take the time to read the user manual, and a good manual not only lets you discover a number of additional features of the device you bought, but also helps you avoid most faults.
So what should the perfect manual contain?
First of all, the HP (Hewlett-Packard) E0905 user manual should contain:
- information on the technical data of the HP (Hewlett-Packard) E0905 device
- the manufacturer's name and the year of manufacture of the HP (Hewlett-Packard) E0905
- instructions for the use, adjustment and maintenance of the HP (Hewlett-Packard) E0905 equipment
- safety markings and certificates confirming compliance with the relevant standards
Why don't we read user manuals?
Generally this is due to a lack of time and of confidence about the specific functionality of the purchased equipment. Unfortunately, connecting and starting the HP (Hewlett-Packard) E0905 is not enough. This manual contains a series of guidelines on specific functionality, safety, maintenance methods (including the products that should be used), possible HP (Hewlett-Packard) E0905 defects, and ways to solve the most common problems encountered during use. Finally, the manual contains the contact details of HP (Hewlett-Packard) service in case the proposed solutions prove ineffective. Currently, user manuals in the form of engaging animations and instructional videos, which are better than a brochure, attract considerable interest. This type of manual lets the user watch the whole instructional video without skipping the specific and complicated technical descriptions of the HP (Hewlett-Packard) E0905, as happens with the paper version.
Why read the user manual?
First of all, it contains the answers about the structure and capabilities of the HP (Hewlett-Packard) E0905 device, the use of various accessories, and a range of information for taking full advantage of all its features and services.
After successfully purchasing the equipment or device, take a moment to familiarize yourself with all parts of the HP (Hewlett-Packard) E0905 user manual. Today these manuals are carefully prepared and translated so that they are understandable not only to users, but also fulfil their basic function of providing information and help.
Contents of the user manual
-
Page 1
Kerberos Server Version 3.1 Administrator's Guide HP-UX 11i v2 Edition 5 Manufacturing Part Number: T1417-90009 E0905 United States © Copyright 2005 Hewlett-Packard Development Company, L.P.[...]
-
Page 2
2 Legal Notices The information contained herein is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or d[...]
-
Page 3
3 This software is based in part on the Fourth Berkeley Software Distribution under license from the Regents of the University of California. © Copyright 1983-2005 Hewlett-Packard Co., All Rights Reserved © Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California © Copyright 1980, 1984, 1986 Novell, Inc. © Copyright 1986-1[...]
-
Page 4
4[...]
-
Page 5
5 Contents 1. Overview Introduction ... 25 How the Kerberos Server Works ... 26 Authentication Process ...[...]
-
Page 6
Contents 6 Configuration Files for the Kerberos Server ... 64 The krb.conf File ... 65 The krb.conf File Format ...[...]
-
Page 7
7 Contents Starting the Security Server ... 102 Configuring the Secondary Security Servers with C-Tree ... 103 Creating the Principal Database ...[...]
-
Page 8
Contents 8 General Tab (Principal Information Window) ... 139 Adding Principals to the Database ... 143 Adding Multiple Principals with Similar Settings ... 145 Creati[...]
-
Page 9
9 Contents Adding a New Principal ... 204 Adding a Random Key ... 205 Specifying a New Password ...[...]
-
Page 10
Contents 10 Maintenance Tasks ... 236 Protecting Security Server Secrets ... 236 host/fqdn@REALM ...[...]
-
Page 11
11 Contents Propagation Failure ... 269 Converting a secondary security server to a primary security server ... 270 Restarting Services ...[...]
-
Page 12
Contents 12 Locking and Unlocking Accounts ... 304 Clock Synchronization ... 304 User Error Messages ...[...]
-
Page 13
13 Tables Table 1. HP-UX 11i Releases ... 20 Table 2. Publishing History Details ... 20 Table 4-1. Table of Analogous Terms ...[...]
-
Page 14
Tables 14 Table A-2. Configuration Worksheet Explanation ... 312[...]
-
Page 15
15 Figures Authentication Process 28 Integrating a Kerberos Principal into the LDAP Directory 34 Principals Tab 137 Principal Information Window 139 Change Password Window 144 Administrative Permissions Window 147 Password Tab 160 Change Password Window 163 Attributes Tab 168 LDAP Attributes Tab 176 Extract Service Key Table Window 180 Group Info[...]
-
Page 16
Figures 16[...]
-
Page 17
17 About This Manual This manual describes how to install, configure, administer, and troubleshoot the Kerberos server on HP Integrity servers running the HP-UX 11i v2 operating system. Intended Audience HP intends this manual for system managers or administrators responsible for configuring and maintaining the Kerberos server running HP-UX 11i[...]
-
Page 18
18 • Chapter 4, "Interoperability with Windows 2000," on page 51: Contains information specific to establishing interoperability with Windows 2000 Kerberos implementations. • Chapter 5, "Configuring the Kerberos Server With C-Tree Backend," on page 63: Provides information on the configuration files required to configure[...]
-
Page 19
19 • Index Typographic Conventions The following conventions are used throughout this manual: Text Conventions Syntax Conventions italic Identifies book titles. bold Identifies options, command buttons, and menu items. fixed width Identifies file names, system prompts, operating system commands, and UNIX error and system messages. itali[...]
-
Page 20
20 HP-UX Release Name and Release Identifier Each HP-UX 11i release has an associated release name and release identifier. The uname(1) command with the -r option returns the release identifier. Table 1 lists the releases available for HP-UX 11i. Publishing History Table 2 provides, for a particular document, the manufacturing part number[...]
-
Page 21
21 • KRB5 Client Software on HP-UX 11i v2, delivered as part of the core operating system. • GSS-API on HP-UX 11i v2, delivered as part of the core operating system. Related Documentation For more information on the Kerberos server, see the following manuals: • Configuration Guide for Kerberos Client Products on HP-UX (T1417-90006) • PA[...]
-
Page 22
22 • RFC 1510 - The Kerberos Network Authentication Service (V5) • RFC 1964 - The Kerberos v5 GSS-API Mechanism • RFC 2743 - Generic Security Service Application Program Interface • RFC 2744 - Generic Security Service API You can access these RFCs at the following Web site: http://www.ietf.org/rfc.html HP Encourages Your Comments HP we[...]
-
Page 23
Chapter 1 23 1 Overview This chapter provides an introduction to the Kerberos server v3.1, available on the HP-UX 11i v2 operating system.[...]
-
Page 24
Overview Chapter 1 24 This chapter discusses the following topics: • "How the Kerberos Server Works" on page 26 • "Authentication Process" on page 27 • "DES Versus 3DES Key Type Settings" on page 31 • "Introduction to LDAP" on page 32 — "Integrating Kerberos Server v3.1 with LDAP" on page 33[...]
-
Page 25
Overview Introduction Chapter 1 25 Introduction The term Kerberos was derived from Greek mythology. Cerberus is the Latin variant of Kerberos, who guarded the entrance of Hades, the Greek hell. The Kerberos security system, on the other hand, guards electronic transmissions that are sent across a network. Kerberos is a mature network authenti[...]
-
Page 26
Overview How the Kerberos Server Works Chapter 1 26 How the Kerberos Server Works The basic currency of Kerberos is the ticket, which the user presents to use a specific service. Each service, be it a login service or an FTP service, requires a different kind of ticket. The applications on the Kerberos server keep track of all the various kind[...]
-
Page 27
Overview Authentication Process Chapter 1 27 Authentication Process The Kerberos server grants tickets to your user principal to access secured network services. You must log on to the server by providing your user name and password. When the server authenticates you, it returns a set of initial credentials for you, including a TGT and a session[...]
-
Page 28
Overview Authentication Process Chapter 1 28 Figure 1-1 illustrates the actions of the components and the Kerberos protocol in a secured environment. Figure 1-1 Authentication Process The following is a description of how a client and server authenticate each other using Kerberos: Step 1. You can begin to use a Kerberos-secured application by ent[...]
-
Page 29
Overview Authentication Process Chapter 1 29 • Client - indicates the user name, also referred to as the principal name • Server - indicates the Application Server • Time stamp • Nonce Step 2. If the AS decrypts the message successfully, it authenticates the requesting user and issues a TGT. The TGT contains the user name, a session key for[...]
-
Page 30
Overview Authentication Process Chapter 1 30 also verifies that the user's service ticket has not expired. If the user does not have a valid service ticket, then the server will return an appropriate error code to the client. Step 7. (Optional) At the client's request, the application server can also return the timestamp sent by the client,[...]
-
Page 31
Overview DES Versus 3DES Key Type Settings Chapter 1 31 DES Versus 3DES Key Type Settings In the processes outlined in the section "Authentication Process" on page 27, if the user principal and the service principal do not use the same key type, the process continues as described. The Kerberos server acts as the only trusted party, and th[...]
-
Page 32
Overview Introduction to LDAP Chapter 1 32 Introduction to LDAP The Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services. LDAP defines a message protocol used by directory clients and directory servers. It is a fast-growing technology for accessing common directory information. LDAP has been emb[...]
-
Page 33
Overview Introduction to LDAP Chapter 1 33 Integrating Kerberos Server v3.1 with LDAP You can configure Kerberos server v3.1 with LDAP as the backend database. By integrating the Kerberos principals with the corresponding users in the LDAP directory, you store data for mechanisms such as UNIX and Kerberos in a common repository. Also, you ca[...]
-
Page 34
Overview Introduction to LDAP Chapter 1 34 How is the Kerberos Principal Integrated into the LDAP Directory? A directory contains a collection of objects organized in a tree structure. You can arrange entries within the DIT based on their Distinguished Names (DNs). A DN is composed of a sequence of RDNs separated by commas, such as cn=alex,ou=R[...]
-
Page 35
Chapter 2 35 2 Installing the Kerberos Server v3.1 This chapter describes how to install the Kerberos server v3.1 on the HP-UX 11i v2 operating system.[...]
-
Page 36
Installing the Kerberos Server v3.1 Chapter 2 36 This chapter contains the following sections: • "Prerequisites" on page 37 • "System Requirements" on page 38 • "Installing the Server" on page 39[...]
-
Page 37
Installing the Kerberos Server v3.1 Prerequisites Chapter 2 37 Prerequisites Before you install the server, ensure that: • You have installed the HP-UX 11i v2 operating system on your system. To check the version of the HP-UX operating system, run the uname -r command at the HP-UX prompt. • The Kerberos server is installed on a system that[...]
-
Page 38
Installing the Kerberos Server v3.1 System Requirements Chapter 2 38 System Requirements This section describes the hardware and software requirements for the Kerberos server software for HP-UX server systems. Hardware Requirements The hardware requirement for installing the Kerberos server is 12 MB of free disk space. You can install the Ker[...]
-
Page 39
Installing the Kerberos Server v3.1 Installing the Server Chapter 2 39 Installing the Server To install the Kerberos server, complete the following steps: Step 1. Insert the software media (tape or disk) in the appropriate drive. Step 2. Type the swinstall command at the HP-UX prompt. For more information on the swinstall command, type man 1M[...]
-
Page 40
Installing the Kerberos Server v3.1 Installing the Server Chapter 2 40[...]
-
Page 41
Chapter 3 41 3 Migrating to a Newer Version of the Kerberos Server This chapter describes how to migrate from the Kerberos server v1.0 to v3.0, from the Kerberos server v2.0 to v3.0, and from the Kerberos server[...]
-
Page 42
Migrating to a Newer Version of the Kerberos Server Chapter 3 42 v3.0 to v3.1. The Kerberos database formats of v2.0 and v3.0 are compatible with each other, but the database formats of Kerberos server v1.0 and v3.0 are not compatible with each other. Therefore, migrate the database format from v1.0 to v3.0. The Kerberos server v1.0 database[...]
-
Page 43
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to 3.0 Chapter 3 43 Migrating from Kerberos Server Version 1.0 to 3.0 If you want to use the Kerberos server with C-tree as the backend database, migrate your existing Kerberos server to Kerberos server v3.0. In the Kerberos server v1.0, you can cr[...]
-
Page 44
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to 3.0 Chapter 3 44 # kdb5_util dump /opt/krb5/dumpfilev1.0 Step 2. Copy the dump file to the new system where you are installing the Kerberos server v3.0. Step 3. Install the v3.0 Kerberos daemons on the new system. Step 4. Migrate the v1.0 dump[...]
-
Page 45
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to 3.0 Chapter 3 45 You can configure the Kerberos server manually or by using the krbsetup tool. Ensure that the following values are the same in both versions of the Kerberos server: • Realm name • Master key name The master key password must b[...]
-
Page 46
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to 3.0 Chapter 3 46 The policy applicable to the principal that is migrated from v1.0 to v3.0 is based on the instance name of the principals. To modify the policy, edit the principal to change the policy name field to the new policy. • You c[...]
-
Page 47
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 2.0 to Version 3.0 Chapter 3 47 Migrating from Kerberos Server Version 2.0 to Version 3.0 If you want to use the Kerberos server with C-tree as the backend database, migrate your existing Kerberos server to Kerberos server v3.0. In the Kerberos serve[...]
-
Page 48
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 2.0 to Version 3.0 Chapter 3 48 # kdb_dump -f /opt/krb5/dumpfilev2.0 Step 2. Copy the dump file to the system on which you are installing the v3.0 Kerberos server. Step 3. Install the v3.0 Kerberos daemons on the new system. Step 4. Configure the Kerb[...]
-
Page 49
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 3.0 to Version 3.1 Chapter 3 49 Migrating from Kerberos Server Version 3.0 to Version 3.1 If you want to use the Kerberos server with LDAP as the backend database, migrate your existing Kerberos server to Kerberos server v3.0. Use the krb_2_ldap util[...]
-
Page 50
Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 3.0 to Version 3.1 Chapter 3 50[...]
-
Page 51
Chapter 4 51 4 Interoperability with Windows 2000 When you configure interoperability between the Kerberos server and the Windows 2000 operating system, you must set certain configuration[...]
-
Page 52
Interoperability with Windows 2000 Chapter 4 52 parameters. This chapter discusses what you need to know about configuring such an environment. This chapter contains information specific to establishing interoperability with Windows 2000 Kerberos implementations. Before reading this chapter, ensure that you are familiar with the concepts in Ch[...]
-
Page 53
Interoperability with Windows 2000 Understanding the Terminology Chapter 4 53 Understanding the Terminology Both the Kerberos server and Microsoft provide Kerberos security for your network. While the technology is the same, the terminology varies. Kerberos authentication depends upon establishing trust between users and services through a t[...]
-
Page 54
Interoperability with Windows 2000 Understanding the Terminology Chapter 4 54 systems and the Microsoft implementation uses a DNS lookup to resolve host names. But both implementations are written to RFC 1510 (The Kerberos Network Authentication Service (V5)) and RFC 1964 (The Kerberos Version 5 GSS-API Mechanism), and hence they can inter[...]
-
Page 55
Interoperability with Windows 2000 Kerberos Server and Windows 2000 Interoperability Chapter 4 55 Kerberos Server and Windows 2000 Interoperability Following are the possible interrealm interoperability scenarios between the Kerberos server software and Windows 2000, each with its own configuration requirements. Scenario 1 A Windows 2000 use[...]
-
Page 56
Interoperability with Windows 2000 Establishing Trust Between Kerberos Server and Windows 2000 Chapter 4 56 Establishing Trust Between Kerberos Server and Windows 2000 To establish trust between Kerberos server KRB.REALM and Windows 2000 W2K.DOMAIN, complete the following steps: Step 1. Add interrealm service principals to the Kerberos serve[...]
-
Page 57
Interoperability with Windows 2000 Establishing Trust Between Kerberos Server and Windows 2000 Chapter 4 57 NOTE The fqdn qualifier specifies the fully qualified domain name of the Kerberos KDC. Step 4. Reboot the Windows 2000 domain controller. You need not reboot the Kerberos server or client.[...]
-
Page 58
Interoperability with Windows 2000 Single Realm (Domain) Authentication Chapter 4 58 Single Realm (Domain) Authentication Single realm interoperability scenarios involve one or more client systems in a given realm or domain that authenticate to a single KDC. Following are the interoperability scenarios that do not require interrealm authenticati[...]
-
Page 59
Interoperability with Windows 2000 Interrealm (Interdomain) Authentication Chapter 4 59 Interrealm (Interdomain) Authentication If two distinct realms share common keys, the realms trust one another. With that trust in place, principals can securely access services in their native realm as well as those in the trusted realm. HP calls such an acc[...]
-
Page 60
Interoperability with Windows 2000 Special Considerations for Interoperability Chapter 4 60 Special Considerations for Interoperability You must consider the following issues related to interoperability with Windows 2000 implementations. Database Considerations Your network can contain more than one server, but only one master copy of the data[...]
-
Page 61
Interoperability with Windows 2000 Special Considerations for Interoperability Chapter 4 61[...]
-
Page 62
Interoperability with Windows 2000 Special Considerations for Interoperability Chapter 4 62[...]
-
Page 63
Chapter 5 63 5 Configuring the Kerberos Server With C-Tree Backend This chapter describes the configuration files and procedures used to configure the Kerberos Server with C-tree backend.[...]
-
Page 64
Configuring the Kerberos Server With C-Tree Backend Configuration Files for the Kerberos Server Chapter 5 64 Configuration Files for the Kerberos Server You must install all the critical Kerberos server files on the system before you start configuring the Kerberos Server. You must configure these files on the primary security server a[...]
-
Page 65
Configuring the Kerberos Server With C-Tree Backend Configuration Files for the Kerberos Server Chapter 5 65 The krb.conf File The krb.conf configuration file contains information about the default realm of the host, the administration server, and security servers for known realms. HP recommends that you copy the krb.conf.sample file from[...]
-
Page 66
Configuring the Kerberos Server With C-Tree Backend Configuration Files for the Kerberos Server Chapter 5 66 NOTE Realm names are case sensitive; you must type the realm name correctly if your site does not follow the uppercase convention. The subsequent lines require fields that identify the security server host names. Each field in the li[...]
-
Page 67
Configuring the Kerberos Server With C-Tree Backend Configuration Files for the Kerberos Server Chapter 5 67 The krb.realms file must contain sufficient entries to define the realm used by every service a client computer must access. You can create a krb.realms file that contains all the required entries for your enterprise. If you suppor[...]
-
Page 68
Configuring the Kerberos Server With C-Tree Backend Configuration Files for the Kerberos Server Chapter 5 68 To create comments, use the hash sign (#). Any characters after a # sign are ignored. Blank lines and any leading or trailing white spaces in a line are also ignored. To identify multiple hosts that belong to the same realm in a sing[...]
-
Page 69
Configuring the Kerberos Server With C-Tree Backend Autoconfiguring the Kerberos Server Chapter 5 69 Autoconfiguring the Kerberos Server An automated tool named krbsetup is provided to autoconfigure your Kerberos server. Use this tool to: • Configure the Kerberos Server with either LDAP or C-Tree as the backend database. • Unconfigure[...]
-
Page 70
Configuring the Kerberos Server With C-Tree Backend Autoconfiguring the Kerberos Server Chapter 5 70 • Specify the encryption type. • Specify a different location for the log messages if you do not want to store the log messages in the default syslog file. • Specify the security mechanism for your LDAP-based Kerberos server. • Specify[...]
-
Page 71
Configuring the Kerberos Server With C-Tree Backend Autoconfiguring the Kerberos Server Chapter 5 71 • To configure your Kerberos Server with C-Tree, select option 1. See "Configuring the Kerberos Server with C-Tree" on page 71 to continue configuring your Kerberos Server with C-Tree. • To configure your Kerberos Server with LDAP[...]
-
Page 72
Configuring the Kerberos Server With C-Tree Backend Autoconfiguring the Kerberos Server Chapter 5 72 Step 5. To remove the existing Kerberos server configuration, press y, and press n to retain the existing database. Step 6. Configure your Kerberos server as either a primary security server or a secondary security server: 1. To configure yo[...]
-
Pagina 73
Chapter 6 73 6 Configuring the Kerberos Server with LDAP This chapter describes the configuration files and procedures used to configure the Kerberos Server with LDAP backend.[...]
-
Pagina 74
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 74 Configuration F iles for LDAP Integration Y ou must configure the LDAP configuration files listed in T able 6-1, before setting up your Kerberos server . This chapter contains detailed descriptions of these configuration files. The krbsetup aut[...]
-
Pagina 75
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 75 This file is generated automatically based on the input provided by you while autoconfiguring the Kerberos server . Alternatively , a sample file is available in the /opt/krb5/examples directory . Y ou can copy this file to the /opt/krb5 director[...]
-
Pagina 76
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 76 directory_server This line indicates a space separated list of LDAP Servers. Example: fox.bambi.com:389 deer.bambi.com base_dn_for_search This line indicates the default base DN for search is the root of the directory tree on the Directory server , w[...]
-
Pagina 77
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 77 The krb5_schema.conf File A schema is a collection of object and attribute definitions that defines the structure of the entries in a database. The krb5_schema.conf file is the kerberos schema file that contains the object and attribute definiti[...]
-
Pagina 78
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 78 • Type of object classes • Attributes of the object classes • Optional attributes • Syntax of each attribute F or example, a sc hema can define a person object class. The person schema might require that a person have a surname attribute tha[...]
-
Pagina 79
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 79 ticket’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( hpKrbAccountExpires-oid NAME ’hpKrbAccountExpires’ DESC ’Value used to compute date and time when account will expire’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE[...]
-
Pagina 80
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 80 attributetypes: ( hpKrbModifyTimestamp-oid NAME ’hpKrbModifyTimestamp’ DESC ’The date and time when the identity specified in the hpKrbModifiersName attribute made the last modification’ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) att[...]
-
Pagina 81
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 81 objectClasses: ( hpKrbKey-oid NAME ’hpKrbKey’ DESC ’An structural object class used for configuring the principal name of an associated principal entry.’ SUP top STRUCTURAL MUST ( hpKrbPrincipalName ) MAY ( hpKrbKeyVersion $ hpKrbKeyData ) ) [...]
-
Pagina 82
Configuring the Kerberos Server with LD AP Configuration Files for LD AP Integration Chapter 6 82 hpKrbAuthzData = hpKrbAuthzData hpKrbKeyVersion = hpKrbKeyVersion hpKrbKeyData = hpKrbKeyData[...]
-
Pagina 83
Configuring the Kerberos Server with LD AP Planning Y our LDAP Configuration Chapter 6 83 Planning Y our LDAP Configuration The following sections of this chapter describe how to plan and configure your Kerberos Server to work with the Directory server . Before Y ou Begin Remember the following points when you plan your LDAP setup: • Use the [...]
-
Pagina 84
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 84 Setting up Y our LDAP Configuration Plan how to set up and verify your LDAP directory and your Kerberos server environment, before you put them into production. Consider the following questions and record your decisions and other information that you will[...]
-
Pagina 85
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 85 you can access the information in the directory . Hence, you need to choose an authentication method. Currently , the supported mechanisms are P assword and SSL. The SSL protocol was devised to provide both authentication and data security . SSL encapsulat[...]
-
Pagina 86
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 86 • What is the name of your default principal subtree DN ? Each RDN in a DN corresponds to a branch in the DIT leading from the root of the DIT to the directory entry . The search base node subtree designates all the containers for the various information[...]
-
Pagina 87
Configuring the Kerberos Server with LD AP Setting up Y our LDAP Configuration Chapter 6 87 This line specifies the mandatory attributes of the default object class .The object class attribute determines the attributes the entry must have and can have . When the Kerberos server creates a default object it uses the first attribute specified in [...]
- Page 88: Configuring the Kerberos Server with LDAP / Autoconfiguring the Kerberos Server With LDAP Integration (Chapter 6): Autoconfiguring the Kerberos Server With LDAP Integration. An automated tool named krbsetup is provided to autoconfigure your Kerberos server. For more information on the krbsetup tool, see “Autoconfiguring the Kerberos Serv[...]
- Page 89: Configuring the Kerberos Server with LDAP / Autoconfiguring the Kerberos Server With LDAP Integration (Chapter 6): Step 7. Enter the host name of the directory server. The default value is displayed. To use the default, press Return; otherwise, enter your fully qualified host name or the IP address. Step 8. Enter the port number of the direc[...]
- Page 90: Configuring the Kerberos Server with LDAP / Autoconfiguring the Kerberos Server With LDAP Integration (Chapter 6): 2. hpKrbKey. To remap the attributes of the object class hpKrbPrincipal, select option 1. To remap the attributes of the object class hpKrbKey, select option 2. NOTE HP recommends that you use the default attributes of the hpK[...]
- Page 91: Configuring the Kerberos Server with LDAP / Autoconfiguring the Kerberos Server With LDAP Integration (Chapter 6): Step 20. Enter the realm name. The default value is displayed. To use the default, press Return; otherwise, enter your realm name. Step 21. Enter the location where you want to store log messages. By default, log messages are st[...]
- Page 92: Configuring the Kerberos Server with LDAP / Manually Configuring the Kerberos Server with LDAP (Chapter 6): Manually Configuring the Kerberos Server with LDAP. This section describes how to manually configure your Kerberos server with LDAP. HP recommends that you use the autoconfiguration tool to set up your basic Kerberos security server wit[...]
- Page 93: Configuring the Kerberos Server with LDAP / Manually Configuring the Kerberos Server with LDAP (Chapter 6): • Never delete any element of your Kerberos schema, as this affects the compatibility of your schema with other LDAP services (servers and clients). • Never change the Kerberos schema of your directory by modifying the existing elements a[...]
- Page 94: Configuring the Kerberos Server with LDAP / Manually Configuring the Kerberos Server with LDAP (Chapter 6)[...]
- Page 95: Chapter 7, Configuring the Primary and Secondary Security Server: This chapter describes the procedure to configure the primary and secondary security server.[...]
- Page 96: Configuring the Primary and Secondary Security Server / Configuring the Primary Security Server (Chapter 7): Configuring the Primary Security Server. The following sections describe the initial configuration tasks you need to perform to get your primary and secondary security server up and running. The primary security server requires the fo[...]
- Page 97: Configuring the Primary and Secondary Security Server / Configuring the Primary Security Server (Chapter 7): If you are using Kerberos server v2.0 or v3.0, and want to migrate the principal database to Kerberos server v3.1, see Chapter 3, “Migrating to a Newer Version of the Kerberos Server,” on page 41. Add an Administrative Principal [...]
- Page 98: Configuring the Primary and Secondary Security Server / Configuring the Primary Security Server (Chapter 7): Step 4. Use the Edit>Edit Administrative Permissions menu to assign ALL administrative permissions to the principal. Step 5. On the Attributes tab, clear the Require Password Change checkbox to disable the password change requireme[...]
- Page 99: Configuring the Primary and Secondary Security Server / Configuring the Primary Security Server (Chapter 7): The host/<fqdn> principal is not automatically added to the principal database during security server software installation; you must manually add the host/<fqdn> principal using the kadminl_ui or kadminl command. NOTE You[...]
- Page 100: Configuring the Primary and Secondary Security Server / Configuring the Primary Security Server (Chapter 7): Alternatively, you can use the following command to start the Kerberos daemons kdcd and kadmind: /sbin/init.d/krbsrv start. To start the kpropd daemon, use the following command: /opt/krb5/sbin/kpropd. NOTE Propagation is disabled i[...]
- Page 101: Configuring the Primary and Secondary Security Server / Security Policies (Chapter 7): Security Policies. The following files are directly related to the security of the network in your organization: • password policy • admin_acl_file. Password Policy File. The password policy file controls password rules, such as password length, numb[...]
- Page 102: Configuring the Primary and Secondary Security Server / Starting the Security Server (Chapter 7): Starting the Security Server. After creating the Kerberos database and setting up the administrative principals, you can start the Kerberos daemons on the primary security server. To do this, edit the /etc/rc.config.d/krbsrv file to reflect t[...]
- Page 103: Configuring the Primary and Secondary Security Server / Configuring the Secondary Security Servers with C-Tree (Chapter 7): Configuring the Secondary Security Servers with C-Tree. You can now configure the secondary security servers. Assuming that you are setting up the primary security server so that you can easily switch the primary sec[...]
- Page 104: Configuring the Primary and Secondary Security Server / Configuring the Secondary Security Servers with C-Tree (Chapter 7): Creating a host/<fqdn> Principal and Extracting the Key. To allow principal database propagation, each secondary security server must contain a host/<fqdn> principal. You must also extract the key for the h[...]
- Page 105: Configuring the Primary and Secondary Security Server / Configuring the Secondary Security Servers with LDAP (Chapter 7): Configuring the Secondary Security Servers with LDAP. You can now configure the secondary security servers. Assuming that you are setting up the primary security server so that you can easily switch the primary security[...]
- Page 106: Configuring the Primary and Secondary Security Server / Configuring the Secondary Security Servers with LDAP (Chapter 7): key type and master password that was specified when the database was created. If you run the kdb_create utility with the -s option, a stash file is created automatically. NOTE The kdb_stash utility requires super use[...]
- Page 107: Configuring the Primary and Secondary Security Server / Using Indexes to Improve Database Performance (Chapter 7): Using Indexes to Improve Database Performance. Most LDAP servers use indexes to improve search performance. Indexes are files stored in your directory databases. Separate index files are maintained for each database in your d[...]
- Page 108: Configuring the Primary and Secondary Security Server / Using Indexes to Improve Database Performance (Chapter 7)[...]
- Page 109: Chapter 8, Administering the Kerberos Server: This chapter explains how to administer and maintain the Kerberos database and how to manage principals using the HP Kerberos[...]
- Page 110: Administering the Kerberos Server (Chapter 8): Administrator, a graphical user interface, or the command-line administrator. This chapter discusses the following topics: • “Administering the Kerberos Database” on page 111 • “The kadmind Command” on page 112 • “The admin_acl_file File” on page 113 • “Password Policy File[...]
- Page 111: Administering the Kerberos Server / Administering the Kerberos Database (Chapter 8): Administering the Kerberos Database. After you have installed and configured the Kerberos server v3, the Kerberos database contains the default Kerberos principals, their keys, and other administrative information about each of these principals for your realm. Fo[...]
- Page 112: Administering the Kerberos Server / The kadmind Command (Chapter 8): The kadmind Command. The kadmind command starts the administrative server. This administrative server runs on the Kerberos server that stores the Kerberos principal database. The kadmind command accepts password change requests and remote requests to administer the information in t[...]
- Page 113: Administering the Kerberos Server / The admin_acl_file File (Chapter 8): The admin_acl_file File. The /opt/krb5/admin_acl_file file, located only on the primary security server, lists authorized principals with their respective administrative permissions. It also lists principals that you cannot modify without explicit privileges. NOTE Protect a[...]
- Page 114: Administering the Kerberos Server / The admin_acl_file File (Chapter 8): Assigning Administrative Permissions. Administrative principals may have varying levels of trust assigned to them, depending on the policies of your organization. Table 8-2 lists the possible administrative permission settings and the letter designator used in admin_acl_file [...]
- Page 115: Administering the Kerberos Server / The admin_acl_file File (Chapter 8): Permissions designated with a lowercase letter apply only to those realms to which the administrative principal belongs. Permissions designated with an uppercase letter apply to all realms. [permissions] is an optional string containing one or more options listed in Table[...]
- Page 116: Administering the Kerberos Server / The admin_acl_file File (Chapter 8): To grant the principal rabbit@FINANCE.BAMBI.COM the permission to add, list, and inquire about any principal in the database, add the following entry to admin_acl_file: rabbit@FINANCE.BAMBI.COM ali. Adding Entries to admin_acl_file. You can add any principal name to admin_ac[...]
- Page 117: Administering the Kerberos Server / The admin_acl_file File (Chapter 8): Creating Administrative Accounts. You can set administrative permissions in admin_acl_file using one of the following methods: • Using the HP Kerberos Administrator to set administrative permissions. When you change the administrative permissions of the principal, admin_acl[...]
- Page 118: Administering the Kerberos Server / The admin_acl_file File (Chapter 8): NOTE IRDid is equivalent to the IRD permissions because the uppercase permissions (excluding the r and R modifiers) apply to all realms. In either case, administrative principals can delete any principal from their own realm, but they have restricted delete privileges in rea[...]
- Page 119: Administering the Kerberos Server / Password Policy File (Chapter 8): Password Policy File. The password policy file controls password rules, such as password length, number of character types, and the lifetime of a password. The password.policy file is located on each of the primary and secondary security servers in the /opt/krb5 directory. Ed[...]
- Page 120: Administering the Kerberos Server / Password Policy File (Chapter 8): If you modify the MaxfailAuthCnt parameter, you must copy the password policy file to the secondary security server and restart kdcd on both the secondary and primary security servers. NOTE MaxFailAuthCnt is the only parameter that the secondary security servers re[...]
- Page 121: Administering the Kerberos Server / Principals (Chapter 8): Principals. A principal is a specific entity to which you can assign a set of credentials. Principals are users and network services that are included in your security network. The general syntax for a principal is as follows: identifier/instance@REALM where: identifier Specifies the name[...]
- Page 122: Administering the Kerberos Server / Principals (Chapter 8): • Is case sensitive. • Cannot be longer than 767 characters. • Must be uniquely defined in the first 255 characters. • Cannot contain a space, tab, pound symbol (#), backward slash (\) or colon (:). • Does not subscribe to a NULL policy. If you subscribe to a policy t[...]
- Page 123: Administering the Kerberos Server / Principals (Chapter 8): Adding User Principals. The Kerberos server enables you to add user principals to the principal database. The only limit on the number of principals in the database is the disk space available on the primary security server and on each of the secondary security servers. When adding a user pr[...]
- Page 124: Administering the Kerberos Server / Principals (Chapter 8): The instance portion of the service principal name must be the fully qualified domain name (FQDN) of the host on which the service resides. Although the FQDN in your network can use mixed-case characters, the instance portion of the principal name must be in lowercase. For example, if th[...]
- Page 125: Administering the Kerberos Server / Principals (Chapter 8): the database secret key. All records in the principal database are encrypted using this key. The key for this principal is stored on each Kerberos server in the .k5.realm file. IMPORTANT Do not remove, modify, or change the key type for this principal. Do not generate a new key for thi[...]
- Page 126: Administering the Kerberos Server / Principals (Chapter 8): kadmin/REALM@REALM: The Kerberos administrative graphical user interface and command-line interface utilities use the kadmin/REALM@REALM principal name. This principal is required in each realm. The principal name is added automatically when you add a realm to the database. This principal us[...]
- Page 127: Administering the Kerberos Server / Principals (Chapter 8): You must enter the fqdn in lowercase letters, and the fqdn instance must be the fully qualified domain name of the host system for the server or service. These principals are not automatically added to the principal database when you install the Kerberos servers or application services. R[...]
- Page 128: Administering the Kerberos Server / Principals (Chapter 8): Protecting a Secret Key. A user principal must provide its password during authentication to create the secret key of the user principal. For best security, all users must periodically change their passwords. This version of Kerberos contains the following methods to enforce user principa[...]
- Page 129: Administering the Kerberos Server / Principals (Chapter 8): Deleting a service principal using one of the Kerberos administrative utilities removes the principal name, attributes, and properties from the database. For a service principal, you need to perform an additional step of removing its secret key, which is stored in the service key table [...]
- Page 130: Administering the Kerberos Server / The kadmin and kadminl Utilities (Chapter 8): The kadmin and kadminl Utilities. The kadmin and kadminl Kerberos command-line administrative utilities provide a unified administration interface for the Kerberos database. Kerberos administrators use these utilities to create new users and services for the primary da[...]
- Page 131: Administering the Kerberos Server / The kadmin and kadminl Utilities (Chapter 8): Administration Utilities. Table 8-4 describes the administrative utilities that you can use to administer the Kerberos database. NOTE You cannot use the command-line administrator to control administrative permissions, maximum ticket lifetimes and renew times, or the[...]
- Page 132: Administering the Kerberos Server / HP Kerberos Administrator (Chapter 8): HP Kerberos Administrator. HP Kerberos Administrator is a graphical user interface that you can use to administer the principal database. You can use the HP Kerberos Administrator to perform the following functions: • Creating, modifying, and deleting principals. • Al[...]
- Page 133: Administering the Kerberos Server / HP Kerberos Administrator (Chapter 8): the * permissions in admin_acl_file. The account must have at least inquire privileges. For more information, see “The admin_acl_file File” on page 113. Both the local and remote administrators are discussed in detail in this chapter. Standard Functionality of the A[...]
- Page 134: Administering the Kerberos Server / Local Administrator – kadminl_ui (Chapter 8): Local Administrator – kadminl_ui. The local administrator, kadminl_ui, is the GUI-based database administrator that runs on the primary security server. It allows principals with administrative privileges to administer and maintain the principal database on an ong[...]
- Page 135: Administering the Kerberos Server / Local Administrator – kadminl_ui (Chapter 8): This chapter contains a detailed description of the Principals tab and the Realms tab.[...]
- Page 136: Administering the Kerberos Server / Principals Tab (Chapter 8): Principals Tab. You can use the Principals tab (Figure 8-1) in the HP Kerberos Administrator window to manage principal entries in your database by adding, editing, or deleting principals.[...]
- Page 137: Administering the Kerberos Server / Principals Tab (Chapter 8): Table 8-6 describes the components of the Principals tab. Figure 8-1 Principals Tab. Table 8-6 Principals Tab Components (Component Name, Description): Realm: Select the realm where the principal that you want to add, change, or delete resides.[...]
- Page 138: Administering the Kerberos Server / Principals Tab (Chapter 8): List All: Click this button to list all the principals associated with the realm. NOTE: If you have selected LDAP as the backend database, then information about all realms under the same base DN is displayed when you click this button. Search String: Enter characters for locating the [...]
- Page 139: Administering the Kerberos Server / General Tab (Principal Information Window) (Chapter 8): General Tab (Principal Information Window). You can use the Principal Information window to add principals or to modify existing principals and ticket information. To add a new principal, select the realm in the HP Kerberos Administrator window and click [...]
- Page 140: Administering the Kerberos Server / General Tab (Principal Information Window) (Chapter 8): Table 8-8 describes the components of the General tab. LDAP DN: Displays the LDAP DN. General Tab. You can use the General tab on the Principal Information window to specify the ticket information, the password policy file, and values for Last Modified [...]
- Page 141: Administering the Kerberos Server / General Tab (Principal Information Window) (Chapter 8): Principal Expiration: Displays the principal expiration time, which indicates when the current logon privileges of the principal expire. Enter one of the following options in the Principal Expiration box: • A date and time in the format HH:MM MM/DD/YYY. [...]
- Page 142: Administering the Kerberos Server / General Tab (Principal Information Window) (Chapter 8): Password Policy: Specifies the password policy name in this field. If you do not specify the password policy name, the default policy is applied. NOTE: Do not change the password policy name for reserved service principals. Last Modified: Specifies th[...]
- Page 143: Administering the Kerberos Server / Adding Principals to the Database (Chapter 8): Adding Principals to the Database. When you add a principal, you must specify the following information: • Principal and ticket information, located in the General tab. • Password and password expiration information, located in the Password tab. • Other princip[...]
- Page 144: Administering the Kerberos Server / Adding Principals to the Database (Chapter 8): Figure 8-3 Change Password Window. Step 5. Enter the new password in the Change Password window and click OK. Step 6. In the Password tab, enter the Password Information and the Key and Salt Types. You cannot use the Change Password button in the Password tab [...]
- Page 145: Administering the Kerberos Server / Adding Principals to the Database (Chapter 8): Adding Multiple Principals with Similar Settings. To simultaneously add multiple principals with the same settings, complete the following steps: Step 1. In the HP Kerberos Administrator window, select the Realm in which you want to add multiple principals. Step 2. [...]
- Page 146: Administering the Kerberos Server / Creating an Administrative Principal (Chapter 8): Creating an Administrative Principal. You can use the HP Kerberos Administrator window to create an administrative principal. When you create a principal and assign the administrative permissions to it, the principal is stored in admin_acl_file located on the prim[...]
- Page 147: Administering the Kerberos Server / Creating an Administrative Principal (Chapter 8): Step 6. Enter the password information and click OK in the Change Password window. Do not select the Generate Random Key option. Step 7. In the Attributes tab, select the attributes for the administrative principal. Select the Require Preauthentication attribute[...]
- Page 148: Administering the Kerberos Server / Creating an Administrative Principal (Chapter 8): Step 11. Click OK to save all the values to the database and to close the Principal Information window, or click Cancel to close the Principal Information window without saving the values to the database.[...]
- Page 149: Administering the Kerberos Server / Searching for a Principal (Chapter 8): Searching for a Principal. Following are the methods to search for a principal: • Click List All in the Principals tab to display a list of principals in the current realm in the List of Principals list box, which displays up to 1,000 principals. • Click Search to displa[...]
- Page 150: Administering the Kerberos Server / Searching for a Principal (Chapter 8): [...] Represents any one character from the set except / (slash). For example, [abc]* searches for all principal names starting with a, b, or c. The following characters have a special meaning with the [...] construct: ! Represents an exclusion when used immediately aft[...]
- Page 151: Administering the Kerberos Server / Deleting a Principal (Chapter 8): Deleting a Principal. When you delete a principal using one of the Kerberos administrative utilities, all references to the principal are automatically removed from both the principal database and admin_acl_file. To delete a user principal, complete the following steps: Step 1. [...]
- Page 152: Administering the Kerberos Server / Loading Default Values for a Principal (Chapter 8): Loading Default Values for a Principal. When you add or edit a principal in the Principal Information window, you can quickly restore any changed values to the default values that are specified in the default group. When you reload the default values, all fi[...]
- Page 153: Administering the Kerberos Server / Restoring Previously Saved Values for a Principal (Chapter 8): Restoring Previously Saved Values for a Principal. You can restore any value for a principal that you have changed but not yet saved to the values that were previously saved for that principal. To retain the previously saved values for a principal [...]
- Page 154: Administering the Kerberos Server / Changing Ticket Information (Chapter 8): Changing Ticket Information. You can change the ticket information used for a principal, including the principal expiration date, ticket lifetime, and ticket renewal time. To change the ticket information, complete the following steps: Step 1. In the Principals tab, se[...]
- Page 155: Administering the Kerberos Server / Rules for Setting Maximum Ticket Lifetime (Chapter 8): Rules for Setting Maximum Ticket Lifetime. Maximum ticket lifetime indicates the maximum lifetime for which a ticket can be issued to the principal. You can specify the maximum ticket lifetime value in the General>Maximum Ticket Lifetime text box. The for[...]
- Page 156: Administering the Kerberos Server / Rules for Setting Maximum Renew Time (Chapter 8): Rules for Setting Maximum Renew Time. Maximum renew time indicates the maximum amount of time for which a ticket can be renewed. You can specify the maximum renew time value in the Principal Information>General>Maximum Renew Time text box. The format for th[...]
- Page 157: Administering the Kerberos Server / Rules for Setting Maximum Renew Time (Chapter 8): You have entered an invalid time[...]
- Page 158: Administering the Kerberos Server / Changing Password Information (Chapter 8): Changing Password Information. You can change the following password information used by a principal: • Password expiration date: Indicates when the password of the current principal is due to expire. Check the Password Expiration Date box to activate password expir[...]
- Page 159: Administering the Kerberos Server / Changing Password Information (Chapter 8): IMPORTANT If you change the key or salt type, you must change the password of the principal. You must inform the principal of the required temporary password. The principal must change the password during the next logon. You can use the Principal Information>Edit menu[...]
- Page 160: Administering the Kerberos Server / Password Tab (Principal Information Window) (Chapter 8): Password Tab (Principal Information Window). You can use the Password tab (Figure 8-5) on the Principal Information window to specify the password parameters for the principal. Figure 8-5 Password Tab. Table 8-10 describes the components of the Pas[...]
- Page 161: Administering the Kerberos Server / Password Tab (Principal Information Window) (Chapter 8): Password Expiration/Date: Indicates when the current principal password expires. Select Password Expiration/Date to activate password expiration for the current principal. If you do not enable this function, the password of the current principal never ex[...]
- Page 162: Administering the Kerberos Server / Password Tab (Principal Information Window) (Chapter 8): Change Password Window (Password Tab). When you create a new principal using the Principal Information window>Password tab, HP Kerberos Administrator automatically displays the Change Password window (Figure 8-6). Enter a new password and verify the[...]
- Page 163: Administering the Kerberos Server / Password Tab (Principal Information Window) (Chapter 8): Generate Random Key only for service principals. If you select the Generate Random Key option, a unique encrypted key is created without entering a password. Figure 8-6 Change Password Window. Table 8-11 describes the components of the Change Password w[...]
- Page 164: Administering the Kerberos Server / Password Tab (Principal Information Window) (Chapter 8): New Password: Specifies the new password information. This is a temporary password because the principal is required to change the password of the user during the next logon. The assumption is that the NoChangeReqPwd setting in the password policy file of t[...]
- Page 165: Administering the Kerberos Server / Changing a Key Type (Chapter 8): Changing a Key Type. For strong enterprise-wide security between the Kerberos servers and clients, all principals must have 3DES keys using Normal (V5) salt. Changing a DES-CRC or DES-MD5 Principal Key Type to 3DES. If you are changing the key type for a service principal that [...]
- Page 166: Administering the Kerberos Server / Changing a Key Type (Chapter 8): • If the principal is a service principal with an extracted key, select the Generate Random Key check box to generate a random key. Step 8. Click OK to close the Change Password window. Step 9. Click OK to close the Principal Information window. If the principal is a user [...]
- Page 167: Administering the Kerberos Server / Changing Principal Attributes (Chapter 8): Changing Principal Attributes. You can change the attributes of a principal in the Principal Information window (Figure 8-5). These attributes are the characteristics and properties assigned to a user or a service principal. Attributes control how a principal behaves and [...]
- Page 168: Administering the Kerberos Server / Attributes Tab (Principal Information Window) (Chapter 8): Attributes Tab (Principal Information Window). Attributes are the characteristics and properties assigned to a principal that control the behavior of the principal. You can use the Attributes tab in the Principal Information window to assign attributes [...]
- Page 169: Administering the Kerberos Server / Attributes Tab (Principal Information Window) (Chapter 8): LDAP DN: Displays the LDAP DN that you are editing. Allow Postdated: Specifies whether a principal is allowed ticket postdating. Postdating is a mechanism that allows a principal to obtain a ticket that is initially invalid, but that can become vali[...]
- Page 171: Administering the Kerberos Server / Attributes Tab (Principal Information Window) (Chapter 8): Allow Forwardable: Specifies if a principal is allowed ticket forwarding. Forwarding is a process that sends a ticket-granting ticket (TGT) from one network host to another host. The second host system can use the forwarded TGT to generate a new servic[...]
- Page 172: Administering the Kerberos Server / Attributes Tab (Principal Information Window) (Chapter 8): Require Preauthentication: Specifies if a principal is required to use preauthentication in the TGT request. Preauthentication means that additional known encrypted data is sent with the ticket request, providing additional security when the TGT is presen[...]
- Page 173: Administering the Kerberos Server / Attributes Tab (Principal Information Window) (Chapter 8): Lock Principal: Specifies if a principal is active. A locked principal still exists in the principal database, but it is unable to use or provide Kerberos services. The Lock Principal attribute applies to both user and service principals. If you set this [...]
- Page 174: Administering the Kerberos Server / Attributes Tab (Principal Information Window) (Chapter 8): Require Initial Authentication: Specifies if the server is allowed to issue service to the service principal on behalf of a user principal using a previously obtained TGT. If you set this attribute for the service principal, a user principal must authent[...]
- Page 175: Administering the Kerberos Server / LDAP Attributes Tab (Principal Information Window) (Chapter 8): LDAP Attributes Tab (Principal Information Window). The LDAP Attributes tab displays the mandatory LDAP attributes that need to be specified while creating a Kerberos principal. These attributes need to be specified only if the LDAP DN does not [...]
- Page 176: Administering the Kerberos Server / LDAP Attributes Tab (Principal Information Window) (Chapter 8): You can use the LDAP Attributes tab in the Principal Information window to assign LDAP attributes for a principal, as shown in Figure 8-8. Figure 8-8 LDAP Attributes Tab. Figure 8-8 describes the components of the LDAP Attributes tab, if you have[...]
- Page 177: Administering the Kerberos Server / Deleting a Service Principal (Chapter 8): Deleting a Service Principal. The Kerberos server requires several specific principals. If you accidentally delete these principals, you must restore the principal database from a backup tape. To delete a service principal that has a random key extracted to the service ke[...]
- Page 178: Administering the Kerberos Server / Extracting Service Keys (Chapter 8): Extracting Service Keys. Unlike users, who type their password using a keyboard, a service principal needs to have its secret key automatically available during authentication. Therefore, store the secret key for the service principals on the host where the service is located, in[...]
- Page 179: Administering the Kerberos Server / Extracting Service Keys (Chapter 8): If you change the default name and location to a different name and location than the programs of the Kerberos server use, you must edit the settings to indicate the new location of the service key table file. Step 8. Select the Generate New Random Key before Extracting option. H[...]
-
Page 180
Extracting a Service Key Table You can extract the key for a service principal to the service key table (v5srvtab) by using the Extract Principal Key to Service Key Table window. Because a service does not enter the password using the keyboard, you must store its [...]
-
Page 181
Table 8-13 Extract Service Key Table Components
Principal: Displays the name of the principal for which you are extracting a key.
Service Key Table Type: Identifies the type of key table into which the principal name and keys are extracted.
Serv[...]
-
Page 182
Using Groups to Control Settings You can modify the default values used for new principals using the Principal Information window (Figure 8-2). Each realm has a default group, and the default group for the realm contains default values. The values that you specify f[...]
-
Page 183
You can also edit the default group by selecting the default@REALM principal from the List of Principals list box in the Principals tab. In the Principals tab, click Edit to open the Principal Information window, and enter the value for all the fields in the Gener[...]
-
Page 184
Group Information Window (Principal Information Window) You can view or modify the default group settings of a realm using the Group Information window. The default group is similar to a template used to control the settings for new princip[...]
-
Page 185
To open the Group Information window, choose Principal Information>Edit>Edit Default Group to display the Group Information window (Figure 8-10). Figure 8-10 Group Information Window. Table 8-14 describes the components of the Group Inf[...]
-
Page 186
Principal Attributes You must assign attributes to each principal to control the usage and rights of the account. This section describes the possible attributes and the default settings. Setting the Default Group Principal Attributes Before ad[...]
-
Page 187
To edit the default group, use the HP Kerberos Administrator or the command-line administrator, discussed as follows: • In the HP Kerberos Administrator window, complete the following steps to edit the default group: 1. Select a principal [...]
-
Page 188
Setting Administrative Permissions Use the HP Kerberos Administrator window to assign administrative permissions to users. When you assign administrative permissions to a principal, the principal and its permissions are saved to admin_acl_file located on the primar[...]
-
Page 189
Administrative Permissions You can assign administrative permissions using the Administrative Permissions window. Choose Principal Information>Edit, and select the Edit Administrative Permissions option to display the Administrative Permissions window (Figure 8-11[...]
-
Page 190
the Add Principals, Delete Principals, Change Principal Password, Inquire About Principals, Modify Principals, and Extract Keys permissions. Table 8-15 describes the components of the Group Information window. Table 8-15 Group Information Window Components Component D[...]
-
Page 191
Restricted Administrator Select this option in addition to the Add Principals, Delete Principals, Modify Principals, Inquire about Principals, Extract Keys, and Change Principal Password attributes in the realm of the administrative principal or all realms to permit administ[...]
-
Page 192
Modify Administrative Permissions Modifies administrative permissions for other users. You can modify the administrative permission using the Principal Information>Edit>Edit Administrative Permissions>Administrative Permissions window. All* The Administrativ[...]
-
Page 193
Realms Tab A realm is a collection of principals that reside in the same administrative domain. Your network-naming scheme, network topology, security policy, and company organization determine which principals and services you put in a realm. Within a realm, all principals share the s[...]
-
Page 194
Figure 8-12 Realms Tab. Table 8-16 describes the components in the Realms tab.
Table 8-16 Realms Tab Components
List of Realms: Displays a list of all the available realms.
New: Creates a new realm.
Delete: Deletes a realm. You must select an entry to enable this bu[...]
-
Page 195
Realm Information Window You can use the Realm Information window to add realms. Click New in the HP Kerberos Administrator window>Realms tab to display the Realm Information window as shown in Figure 8-13. Figure 8-13 Realm Information Window. Table 8-17 describes the components of th[...]
-
Page 196
Adding a Realm When you add a realm, HP Kerberos Administrator automatically creates some reserved principals, which remain in the database. To add a realm, complete the following steps: Step 1. In the HP Kerberos Administrator window, select the Realms tab (Figure 8-12). Step 2. In [...]
-
Page 197
Deleting a Realm When you delete a realm, the principals for that realm are not deleted from the database. To delete the principals from the database, you can use the HP Kerberos Administrator window or the command-line administrator. For more information, see “Deleting a Pri[...]
-
Page 198
Remote Administrator – kadmin_ui The kadmin_ui utility is the GUI-based Kerberos remote administrative utility that runs on the secondary security servers and clients. Principals with administrative privileges use the remote administrator to maintain the database o[...]
-
Page 199
Step 1. Execute the following command at the HP-UX prompt: # /opt/krb5/kadmin_ui The logon screen displays as shown in Figure 8-14. Figure 8-14 Logon Screen. Step 2. Enter your principal name and password in the logon screen. Step 3. Click OK to display the change pas[...]
-
Page 200
Step 4. Enter a new password in the change password screen to change your password, and click OK. Figure 8-15 Change Password Screen. NOTE This screen is displayed only when you first log on using the remote administrator. To access the database using the remote[...]
-
Page 201
The graphical user interface for the remote administrator is similar to that for the local administrator. For more information on using the remote administrator, kadmin_ui, and administering your Kerberos server, see “Local Administrator – kadminl_ui” on [...]
-
Page 202
Manual Administration Using kadmin You can use the command-line administrator to administer the principal database. It enables principals with administrative privileges to maintain the principal database. You must include all the users, clients, and services authe[...]
-
Page 203
Only a user with root permission can invoke the local command-line administrator, kadminl. To log on to the remote administrator, kadmin, use a principal account that has an entry in admin_acl_file and that has at least inquire privileges. For comple[...]
-
Page 204
HP recommends that you use the graphical user interface administrative utility, kadminl_ui, to administer these parameters. Adding a New Principal You must specify the add administrative privilege in admin_acl_file to add a principal to the database. To add a new[...]
-
Page 205
For example, to add a new principal admin, type kadmin at the HP-UX prompt, and specify the add command, the principal name, and the policy name. Following is a sample output of the add command:
command: add
Name of Principal to add: admin
Enter password: <pass[...]
-
Page 206
command: cpw
Name of Principal: admin
Enter password: password
Re-enter password for verification: password
Principal modified
Changing Password to a New Randomly Generated Password The cpwrnd command changes the password of a principal to a new randomly generated [...]
-
Page 207
Extracting a Principal The ext command securely extracts the key of the principal into a local service key table file. By default, the host/fqdn@REALM principal is extracted into the v5srvtab file, where fqdn is the fully qualified domain name of the host system. [...]
-
Page 208
[principal] Specifies an alternate principal to extract other than the default host/fqdn@REALM principal, for example, ext finance@BAMBI.COM. After ext executes, it prompts you for the service key table file name. The default file name is /krb5/v5srvtab. Listing [...]
-
Page 209
policy Specifies the new policy name. If you do not specify a policy name, the default policy is applied. dn Specifies the LDAP DN name. If you do not specify an LDAP DN name, the default policy is applied. The general syntax for modifying an existing principal is [...]
-
Page 210
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit): fcnt
Failure Count (or quit): <enter count>
Principal modified.
Key Version Number Attribute Every principal password has an associated version num[...]
-
Page 211
Following is a sample output for the mod command with the dn parameter:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit): dn
Enter LDAP DN name or quit: <enter LDAP DN name>
Principal modified.
P[...]
-
Page 212
The Allow Postdated attribute applies to both user and service principals, as follows: • You can issue either a postdated or postdatable ticket for user principals. • The server can issue postdated service tickets for the service. NOTE Before the ser[...]
-
Page 213
NOTE Before the server issues a renewable service ticket, the requesting user must possess a renewable TGT. To modify the type of the parameter attr for the principal admin and to set the Allow Renewable attribute, type kadmin at the HP-UX prompt and specify the m[...]
-
Page 214
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit): attr
Attribute (or quit): {forward|noforward}
Principal modified.
Allow Proxy Attribute The Allow Proxy attribute determines whether a principal is allo[...]
-
Page 215
Allow Duplicate Session Key Attribute The Allow Duplicate Session Key attribute determines whether a principal is allowed to use a duplicate session key. A duplicate session key applies to user-to-user authentication and determines which key is used to encrypt the [...]
-
Page 216
Require Preauthentication Attribute The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting a TGT. Preauthentication implies that the client logon program attaches known encrypted data to a ticket request[...]
-
Page 217
When a new principal is added to the database or when the password of the principal is changed, this attribute is controlled by the NoReqChangePwd setting in the password policy file of the principal. By default, NoReqChangePwd is set to 0 (zero), that is, the user mu[...]
-
Page 218
To modify the type of the parameter attr for the principal admin and to set the Lock Principal attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute. Following is a sample output of t[...]
-
Page 219
Require Initial Authentication Attribute The Require Initial Authentication attribute specifies if the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT. The Require Initial Authentication attribut[...]
-
Page 220
You can use the kadmin inq command to view the attribute of the principal. With Require Initial Authentication selected (tgt), the inquire command shows TGT_BASED in the attributes field. Without the Require Initial Authentication setting (notgt), the text does[...]
-
Page 221
Following is a sample output of the Password Change Service attribute:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno,policy,dn or quit): attr
Attribute (or quit): {cpwsrv|nocpwsrv}
Principal modified.
Password Expir[...]
-
Page 222
Because the expiration time is calculated from the time you add a new principal to the database, the password change load on the server is distributed over time. Therefore, you can select a password expiration in the default group principal template without affectin[...]
-
Page 223
You cannot set this attribute using the command-line administrator. Maximum Renew Time Attribute The Maximum Renew Time attribute controls the renew time limit for renewable tickets. If you set the renew time longer than the renew time assigned to the krbtgt/REALM[...]
-
Page 224
Principal Database Utilities Principal database utilities are tools that help you to globally manage the principal database. Use these tools only if the database was not properly created or configured during installation, or if you are debugging or upgrading your Kerbero[...]
-
Page 225
Kerberos Database Utilities The primary security server contains a database of all principals that are trusted in each of the supported realms. You can also create the database during installation. See “Auto-Configuration of the Kerberos Server” on page 63 for more[...]
-
Page 226
• DES-CRC or 1: DES-CBC-CRC NOTE The default, DES3-CBC-MD5, will be set as the encryption type if you do not specify any of the encryption types previously mentioned. -f keyfile Specifies an alternate name for the stash file when used with the -s switch. If you do n[...]
-
Page 227
Adding principals to database...
Cleaning up....
shell%
The kdb_create command creates the following principals: • K/M@<REALM NAME> This is the default key name. However, you can configure this key name. • default@<REALM NAME> • kadmin/<REALM NAME>[...]
-
Page 228
• DES-MD5 • DES-CRC The encryption type selected during database creation determines the encryption type applied to the master password, which in turn is used to create the key that secures all records stored in the principal database. Encrypt the database using DES en[...]
-
Page 229
Destroying the Kerberos Database The kdb_destroy utility securely removes the principal database. This utility runs on the primary and secondary security servers. If you run this utility using command-line options, it prompts you with a confirmation message and then [...]
-
Page 230
sure? (type ‘yes’ to confirm)? Database destroyed![...]
-
Page 231
Dumping the Kerberos Database The kdb_dump utility copies the contents of the principal database to stdout or to a text file. By default, the output is displayed on the terminal (stdout). NOTE You must be a root user to run the kdb_dump program. The g[...]
-
Page 232
Loading the Kerberos Database The kdb_load utility loads the database with the principal entries from a database dump text file. This utility overwrites the existing database entries with the corresponding entries present in the dump file. Principals in the existing dat[...]
-
Page 233
Stashing the Master Key The kdb_stash utility stores the master key, the encrypted master password, in a stash file. This utility runs on the primary and secondary security servers. You must specify the sa[...]
-
Page 234
Following is an example of using kdb_stash:
shell% kdb_stash -f <filename>
Enter password: <password>
Re-enter password for verification: <password>[...]
-
Page 235
Starting and Stopping Daemons If you change the configuration of the Kerberos server, you must stop and restart the services and daemons for the changes to take effect. Table 8-8 briefly describes the related services and daemons that you must stop and restart. You c[...]
-
Page 236
Maintenance Tasks Following are the maintenance tasks associated with the Kerberos server: • “Protecting Security Server Secrets” on page 236 • “Backing Up Primary Security Server Data” on page 237 Protecting Security Server Secrets The Kerberos server stores the follo[...]
-
Page 237
Backing Up Primary Security Server Data Save the copied information to a CD or tape, whichever archive method you prefer. Be aware that primary security server files contain sensitive information; therefore, do not copy files unless you intend to properly secure the bac[...]
-
Page 238
• Run the following command as a root user: # /sbin/init.d/krbsrv stop Step 2. Copy the principal.dat, principal.idx, and principal.ok files from one of the propagation servers to your desired destination, for example, CD-ROM or tape. The files are located at /opt/krb5. Step [...]
-
Page 239
Removing Unused Space from the Database After long and continued use, the principal database on the primary security server can grow large due to unused space. When you delete a principal, the space that the record occupied is not removed. Instead, the spac[...]
-
Page 240
Step 8. Remove the /tmp/filename file after you have verified that the new database is functioning without problems.[...]
-
Page 241
Chapter 9 241 9 Propagating the Kerberos Server This chapter describes how to propagate the Kerberos database from the primary security server to the secondary security server .[...]
-
Page 242
Propagating the Kerberos Server Chapter 9 242 This chapter discusses the following topics:
• “Propagation Hierarchy” on page 243
• “Service Key Table” on page 244
• “Propagation Tools” on page 246
• “The kpropd Daemon” on page 248
• “The mkpropcf Tool” on page 249
• “The kpropd.ini File” on page 251
• “T[...]
-
Page 243
Propagation Hierarchy To authenticate users on the network, each secondary security server must contain the latest copy of the principal database at all times. Secondary security servers obtain the copy of the principal database from the primary security server using the data[...]
-
Page 244
Service Key Table The /krb5/v5srvtab file is the service key table file that contains service principal names with their corresponding secret keys. You must store this file on the system that hosts the service or application, which requires an extracted key. Secured applicatio[...]
-
Page 245
To extract the principal <principal_name> to a local service key table file, SrvTab, type kadmin at the HP-UX prompt and specify the ext command, the principal name, and the service key table file name. Following is a sample output for the ext command:
command: ext
Name [...]
-
Page 246
Propagation Tools The kpropd daemon manages and performs propagation of the principal database on each server in the propagation hierarchy. It uses the following local files: • prop_q A default propagation input queue file that contains the names of every principal whose reco[...]
-
Page 247
For more information on the process for configuring propagation, see “Setting Up Propagation” on page 258. This chapter contains a detailed discussion of these tools. Manually control propagation on one or more servers once propagation is configured and started. prpadmin T[...]
-
Page 248
The kpropd Daemon The /opt/krb5/sbin/kpropd daemon propagates the principal database from one server to another and starts running when the security server starts up. It propagates principal records from a given security server to kpropd on the receiving security server or to the pro[...]
-
Page 249
The mkpropcf Tool The /opt/krb5/install/mkpropcf tool creates the kpropd.ini file, which is the default propagation configuration file in a propagation hierarchy. The mkpropcf tool exports the kpropd.ini file to the secondary security servers. When you execute mkpropcf on the [...]
-
Page 250
-f Overwrites the kpropd.ini file. You can use this option with the -i option to explicitly overwrite the kpropd.ini file. To synchronize the kpropd configuration, HP recommends that you export the original configuration, kpropd.ini, on the primary security server to export.i[...]
-
Page 251
The kpropd.ini File The /opt/krb5/kpropd.ini file is the propagation configuration file created by the mkpropcf tool using the information from the local krb.conf file. Ensure that only authorized users have access to this file. Unauthorized access to kpropd.ini can jeopardi[...]
-
Page 252
Sections The kpropd.ini file stores configuration parameters required for propagation. This file contains the following sections: • The [default_values] section controls the various global propagation properties. The listed values apply to all security servers unless you ov[...]
-
Page 253
Specifies the length of time for which a session key is valid, where n indicates the number of seconds, minutes, hours, or days. The default value is 6 hours. max_cache=n[K|M] Specifies the maximum size that each cache file of the security server (prop_hostname) can reach be[...]
-
Page 254
primary_realm=DEFAULT_REALM Specifies the default realm of the primary security server. If the krb.conf file does not exist, the DEFAULT_REALM is assigned the uppercase equivalent of the domain name. realms=[all|realm1[,realm2][,...]] Specifies the realms whose records are pro[...]
-
Page 255
child[n]=fqdn Specifies the child security server of the secsrv_name in the propagation hierarchy, where fqdn is the FQDN of the child server. A security server can have zero or more child servers. If more than one child server receives propagated records from secsrv_name, inc[...]
-
Page 256
[default_values]
interval=15s
key_exp=6h
max_cache=1024K
max_retry_delay=1h
net_timeout=30s
port=kerberos-adm
primary_realm=REALM1
realms=all
service_name=host
[secsrv1]
child = secsrv2
[secsrv2]
child1 = secsrv3
child = secsrv4
parent = secsrv1
[secsrv3]
parent = secsrv2, realms =[...]
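To make the [secsrv_name] section rules concrete, here is an added Python example (not part of the manual and not HP's mkpropcf or kpropd code) that parses a kpropd.ini modelled on the sample above into a propagation tree, converts the n[s|m|h|d] and n[K|M] values, and checks that every parent/child link is declared on both sides, that exactly one server is the root, and that the parent links contain no cycle. The sample text is constructed, and the child-key numbering (child, child1, child2, ...) is an assumption drawn from the child[n] description.

```python
"""Parse a kpropd.ini propagation hierarchy and check its parent/child links.
Added example; not HP's mkpropcf or kpropd code."""
import configparser
import re

# Constructed sample modelled on the kpropd.ini excerpt in the manual (not the real file).
# Child keys: 'child' for a single child, 'child1', 'child2', ... for several (assumed).
SAMPLE_INI = """\
[default_values]
interval=15s
key_exp=6h
max_cache=1024K
max_retry_delay=1h
net_timeout=30s
port=kerberos-adm
primary_realm=REALM1
realms=all
service_name=host
[secsrv1]
child = secsrv2
[secsrv2]
child1 = secsrv3
child2 = secsrv4
parent = secsrv1
[secsrv3]
parent = secsrv2
realms = REALM1
[secsrv4]
parent = secsrv2
"""

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_UNIT_BYTES = {"K": 1024, "M": 1024 * 1024}
_CHILD_KEY = re.compile(r"^child\d*$")


def parse_duration(value):
    """'6h' -> 21600: the n[s|m|h|d] form used by interval, key_exp, and similar keys."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if m is None:
        raise ValueError(f"bad duration {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_size(value):
    """'1024K' -> 1048576: the n[K|M] form used by max_cache."""
    m = re.fullmatch(r"(\d+)([KM])", value.strip())
    if m is None:
        raise ValueError(f"bad size {value!r}")
    return int(m.group(1)) * _UNIT_BYTES[m.group(2)]


def load_hierarchy(text):
    """Return (defaults, servers); servers maps name -> {'parent', 'children', 'realms'}.
    A server without a 'realms' key inherits the [default_values] setting."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defaults = dict(cp["default_values"])
    servers = {}
    for name in cp.sections():
        if name == "default_values":
            continue
        section = cp[name]
        realms = section.get("realms", defaults.get("realms", "all"))
        servers[name] = {
            "parent": section.get("parent"),
            "children": [v.strip() for k, v in section.items() if _CHILD_KEY.match(k)],
            "realms": [r.strip() for r in realms.split(",")],
        }
    return defaults, servers


def check_hierarchy(servers):
    """Return the problems found; an empty list means the tree is consistent.
    Rules: exactly one root (the primary), every link declared on both sides,
    every referenced server has a section, and no cycle through parent links."""
    problems = []
    roots = [n for n, s in servers.items() if s["parent"] is None]
    if len(roots) != 1:
        problems.append(f"expected exactly one root, found {roots}")
    for name, s in servers.items():
        for child in s["children"]:
            if child not in servers:
                problems.append(f"{name}: child {child} has no section")
            elif servers[child]["parent"] != name:
                problems.append(f"{child}: parent is {servers[child]['parent']}, expected {name}")
        parent = s["parent"]
        if parent is not None and parent not in servers:
            problems.append(f"{name}: parent {parent} has no section")
        elif parent is not None and name not in servers[parent]["children"]:
            problems.append(f"{parent}: does not list {name} as a child")
        seen, cur = set(), name        # walk up the parent links; a revisit is a cycle
        while cur in servers and cur not in seen:
            seen.add(cur)
            cur = servers[cur]["parent"]
        if cur in servers:
            problems.append(f"cycle through {cur}")
    return problems


if __name__ == "__main__":
    defaults, servers = load_hierarchy(SAMPLE_INI)
    print("interval seconds:", parse_duration(defaults["interval"]))
    print("max_cache bytes:", parse_size(defaults["max_cache"]))
    print("problems:", check_hierarchy(servers) or "none")
```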
-
Page 257
The prpadmin Administrative Application The /opt/krb5/adm/prpadmin administrative application runs on all security servers and helps you manage the propagation system. For example, to propagate all the contents of the primary principal database to all the secon[...]
-
Page 258
Setting Up Propagation After installing and configuring your primary and secondary security servers, you must propagate principal database information from the primary security server to all secondary security servers. Before you can configure propagation, each secondary sec[...]
-
Page 259
Table 9-2 lists the daemons and briefly describes their functions. To avoid confusion and redundancy in this section regarding names, Table 9-2 also indicates the generic names used in this document to discuss the daemon. To propagate the principal database entries on t[...]
-
Page 260
3. From the primary security server /opt/krb5/install directory, run the following command: # mkpropcf This creates the kpropd.ini file, which defines your propagation hierarchy. NOTE If you do not want to use the default hierarchy structure (a two-tier system), you must e[...]
-
Page 261
NOTE The <admin/principal> is the same as the one added on the primary security server in step 2. Step 5. Start the admin daemon on the secondary security server by using the following command: # /opt/krb5/sbin/kadmind Step 6. Start the propagation daemon on the primary [...]
-
Page 262
Verify that propagation has occurred on the secondary security server by using the kdb_dump utility to view the contents of the principal database on the secondary security server. The existence of recently added principal accounts indicates a successful propagation. For inf[...]
-
Page 263
Monitoring Propagation You must regularly monitor database propagation between servers. Monitoring helps you to identify the following problems: • Primary-secondary link failure • Stalled propagation To monitor the propagation, you need to examine the log file and the pr[...]
-
Page 264
[hostname of peer] Can’t connect to subscriber to propagate principal database information
[hostname of peer] could not get service ticket
[hostname of peer] full_dump failed
[hostname of peer] not enough memory to allocate work buffer
Not enough free system resources to run [...]
-
Page 265
For example, a prop_hostname file that is older than 48 hours or is unusually large indicates a propagation problem between the primary and secondary security servers as specified in hostname. Updating the principal.ok Time Stamp You may notice that, by default, the time [...]
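As an added example of the monitoring described here (not a tool shipped with the product), the following Python script scans constructed propagation log lines for the peer error messages listed above and applies the prop_hostname rules: a file older than 48 hours, or one that has grown to the max_cache limit, is flagged. The log lines, the host names, and the 1024K limit used as the "unusually large" threshold are assumptions made for the example.

```python
"""Check kpropd propagation health from the listed log messages and the
prop_<hostname> file rules.  Added example; not part of the HP Kerberos server."""
import re

# Error texts the manual lists for the propagation log; "[hostname of peer]" prefixes them.
PEER_ERRORS = (
    "Can't connect to subscriber to propagate principal database information",
    "could not get service ticket",
    "full_dump failed",
    "not enough memory to allocate work buffer",
)
PEER_LINE = re.compile(r"^\[(?P<peer>[^\]]+)\]\s+(?P<msg>.+)$")
STALE_AFTER = 48 * 3600          # seconds: the 48-hour guideline for prop_<hostname>
MAX_CACHE_BYTES = 1024 * 1024    # assumed max_cache=1024K, the sample kpropd.ini value

# Constructed log lines for the demo, not real kpropd output.
SAMPLE_LOG = [
    "kpropd: propagation daemon started",
    "[secsrv2.example.com] could not get service ticket",
    "[secsrv3.example.com] full_dump failed",
    "[secsrv2.example.com] Can't connect to subscriber to propagate principal database information",
    "[secsrv4.example.com] incremental propagation complete",
]


def scan_log(lines):
    """Return {peer: [error messages]} for lines that carry one of the listed errors."""
    found = {}
    for line in lines:
        # Normalise a typographic apostrophe so "Can’t" and "Can't" both match.
        m = PEER_LINE.match(line.strip().replace("\u2019", "'"))
        if m is None:
            continue
        msg = m.group("msg")
        if any(msg.startswith(err) for err in PEER_ERRORS):
            found.setdefault(m.group("peer"), []).append(msg)
    return found


def check_prop_file(filename, mtime, size, now, max_bytes=MAX_CACHE_BYTES):
    """Flag a prop_<hostname> cache file that is stale or has reached the cache limit.
    mtime and now are epoch seconds and size is in bytes (os.stat values in practice)."""
    host = filename[len("prop_"):] if filename.startswith("prop_") else filename
    problems = []
    age_hours = (now - mtime) // 3600
    if now - mtime > STALE_AFTER:
        problems.append(f"{host}: cache file not updated for {age_hours} h")
    if size >= max_bytes:
        problems.append(f"{host}: cache file is {size} bytes, max_cache reached")
    return problems


def main():
    now = 1_700_000_000            # fixed 'current time' so the demo is deterministic
    for peer, msgs in scan_log(SAMPLE_LOG).items():
        for msg in msgs:
            print(f"log: {peer}: {msg}")
    constructed_files = [          # (name, mtime, size) triples made up for the demo
        ("prop_secsrv3.example.com", now - 50 * 3600, 4096),
        ("prop_secsrv4.example.com", now - 600, 2 * 1024 * 1024),
        ("prop_secsrv2.example.com", now - 600, 512),
    ]
    for name, mtime, size in constructed_files:
        for problem in check_prop_file(name, mtime, size, now):
            print(f"file: {problem}")


if __name__ == "__main__":
    main()
```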
-
Page 266
attempt is sent to the primary security server. However, if the principal fails on one server as many times as specified by the MaxFailAuthCnt parameter in the password policy file, that principal is locked out. NOTE HP authentication servers do not issue different message[...]
-
Page 267
incremental database propagation. To ensure accurate results, dump the databases simultaneously when administrative activity is at a minimum. Under these conditions, consider a discrepancy of more than five principal entries to be significant. • Authentication test to the[...]
-
Page 268
Step 3. Restart the daemons on both the primary and secondary security servers. Step 4. To compare the files for discrepancies, copy the files to a common location and execute the following command at the HP-UX prompt: # diff primary.db secondary.db > diffs_p.db The diff[...]
-
Page 269
# rm -r -f /opt/krb5/prop/* Step 3. Restart the propagation daemon by using the following command: # /opt/krb5/sbin/kpropd Step 4. Perform a full dump to all secondary security servers by using the following command: # /opt/krb5/admin/prpadmin full_dump This process may take a [...]
Page 270
If you encounter the following error message after installing a new secondary security server and attempting propagation, restart the daemons on the secondary security server after the full dump is complete:
TGS: Error processing request from host
Converting a secondary securit[...]
Page 271
Step 4. Remove the Kerberos server software on the secondary security server.
Step 5. Install the Kerberos server software on the previous secondary security server. Do not create the database during installation.
Step 6. Restore the principal.* database files archived in st[...]
Page 272
Propagating the Kerberos Server, Configuring Multirealm Enterprises, Chapter 9, page 272
Configuring Multirealm Enterprises
When you support multiple realms, additional configuration steps are required for both the security servers and clients. This section discusses the server requirements.
Number of Realms per Database
A single primary security se[...]
Page 273
Multiple Primary Security Servers Supporting a Single Realm
You must have one primary security server for each realm if you have distributed administrative groups in which each group maintains its own realm information. You cannot propagate changes from one primar[...]
Page 274
Database Propagation for Multirealm Databases
If you plan to support more than one realm in a single principal database on a primary security server and to propagate only selected realms to certain secondary security servers, you must perform additional steps when y[...]
Page 275
Chapter 10, page 275
10 Managing Multiple Realms
This chapter describes how to set up and configure interrealm authentication between Kerberos servers, and how to manage multiple realms. You must establish trust between the two realms before a principal in one realm can access a service in another realm.[...]
Page 276
Managing Multiple Realms, Chapter 10, page 276
This chapter discusses the following topics:
• "Considering a Trust Relationship" on page 277
• "Configuring Direct Trust Relationships" on page 279
• "Hierarchical Interrealm Trust" on page 281[...]
Page 277
Managing Multiple Realms, Considering a Trust Relationship, Chapter 10, page 277
Considering a Trust Relationship
You can establish a multiple realm environment within your enterprise. Regardless of the reason, if principals in one realm need access to secured services supported in a different realm, you must establish a trust relationship between the r[...]
Page 278
Hierarchical Trust
In interrealm authentication, hierarchical trust allows principals in one realm to access resources in another realm if there is a chain of trust established between the realms. The chain relies on a hierarchical realm naming scheme. For example, IT.BAMB[...]
Page 279
Managing Multiple Realms, Configuring Direct Trust Relationships, Chapter 10, page 279
Configuring Direct Trust Relationships
If the Kerberos security servers manage all the realms in a multirealm environment, you must add interrealm principals to the principal databases for each realm. Interrealm principals are special-case krbtgt/REALM1@REALM2 princi[...]
Page 280
• The Kerberos server does not recognize the realm listed in the interrealm ticket, that is, when a proper trust relationship between the realms is not established.
• The Kerberos server does not recognize the requested service principal, and has no further trust [...]
Page 281
Managing Multiple Realms, Hierarchical Interrealm Trust, Chapter 10, page 281
Hierarchical Interrealm Trust
You need to use hierarchical interrealm authentication when a realm does not have a direct path to its destination realm, but has a path to an intermediate realm.
Hierarchical Chain of Trust
Interrealm trust can be transitive, for example, if re[...]
Page 282
interrealm ticket from VIBGYOR.INDIGO.COM, and can use this interrealm ticket to contact GREEN.YELLOW.COM for a ticket to use a service in its realm.
Hierarchical Interrealm Configuration
To configure realms to perform hierarchical interrealm authentication, complete the fo[...]
Page 283
These actions are described in detail in the following sections. The example configuration in this section uses the interrealm authentication principals shown in Figure 10-1.
Figure 10-1 Hierarchical Interrealm Configuration
The relationships are defined as follows:
• krbt[...]
Page 284
For interrealm authentication in the other direction, two-way hierarchical interrealm authentication, you must also add these principals:
• krbtgt/FINANCE.JUNGLE.COM@BAMBI.COM allows the server in FINANCE.JUNGLE.COM to accept tickets from BAMBI.COM.
• krbtgt/BAMBI.COM@IT[...]
Page 285
Configuring the Intermediate Realm
To configure the intermediate realm, consider the local realm as FINANCE.JUNGLE.COM, the intermediate realm as BAMBI.COM, the target realm as IT.JUNGLE.COM, and complete the following steps in the BAMBI.COM realm:
Step 1. Use the Kerbero[...]
Page 286
Step 7. Enable the same settings for this principal as for the first krbtgt/BAMBI.COM@IT.JUNGLE.COM principal, with the same settings enabled as used for the principal in the local realm. Refer to step 2 in "Configuring the Target Realm" on page 286.
Configuring the Ta[...]
Page 287
[...]
Page 288
[...]
Page 289
Chapter 11, page 289
11 Troubleshooting
This chapter describes how to troubleshoot the Kerberos server, and also includes the strategies and tools to use while investigating the software and hardware components of the Kerberos server.[...]
Page 290
Troubleshooting, Chapter 11, page 290
When you encounter a problem, you may need to investigate many hardware and software components. You can identify and resolve some problems quickly, such as invalid software installation, version incompatibilities, insufficient HP-UX resources, corrupt configuration shell scripts, and programming or command er[...]
Page 291
Troubleshooting, Characterizing a Problem, Chapter 11, page 291
Characterizing a Problem
You need to consider many questions while trying to characterize a problem. Start with global questions and gradually get more specific. Depending on the response, ask another series of questions until you have enough information to understand exactly what has happ[...]
Page 292
• Data corruption.
• Logging messages at the syslog.
Knowing what has recently changed on your network can also help you understand whether the problem is software-related or hardware-related.[...]
Page 293
Troubleshooting, Diagnostic Tools Summary, Chapter 11, page 293
Diagnostic Tools Summary
Table 11-1 describes the most frequently used diagnostic tools, which are documented in the link installation manuals.
Table 11-1 Diagnostic Tools
Tool Name    Description
netstat      A nodal management command that returns statistical information regarding your netwo[...]
Page 294
Troubleshooting, Troubleshooting Kerberos, Chapter 11, page 294
Troubleshooting Kerberos
When troubleshooting problems with Kerberos, you need a reference point from which to work. For example, is the problem on the remote system or on the local system? However, the terms "local" and "remote" are limited in their description of complex commun[...]
Page 295
UNIX Syslog File
The security server daemons, kadmind, kpropd, and kdcd, write error messages to the system log (/var/adm/syslog/syslog.log) file. You can also configure the daemons to log the messages in a different file. Use the following command while starting the daemon, to spe[...]
Page 296
Services Checklist
While troubleshooting, ensure that you have answered all the questions in the troubleshooting checklist in the section "Characterizing a Problem" on page 291. Ensure that your node name and the Internet address exist in the /etc/hosts file, and run the service on y[...]
Page 297
Clock skew too great in KDC reply while getting initial credentials.
This problem generally occurs because the clock of the system deviates too much from the time on the authenticating KDC. A clock skew time of up to 5 minutes is allowed. You must run NTP or a similar service to keep you[...]
Page 298
Required parameters in krb.realms missing while initializing the Kerberos context.
This problem occurs when the parameters are missing or incorrect in the krb.realms file. Ensure that the krb.realms file has the appropriate information.
Stored master key is corrupted while initializing ka[...]
Page 299
Cannot find/read stored master key while getting master key.
This problem occurs when the stash file is not found. Provide the master key as a command-line option. You can also create the stash file.
Error verifying pre-authentication data type 2.
This problem occurs due to an incorrec[...]
Page 300
Connection to the LDAP server was lost.
Connection to the LDAP server was lost. Verify that the Directory server is accessible, else restart the Directory server. You can also restart the Kerberos server, if needed.
LDAP server timeout
The directory server timed out a request. You may [...]
Page 301
LDAP authentication failed
The Kerberos server was unable to connect to the Directory server with the information provided in the /opt/krb5/krb5_ldap.conf configuration file. Verify that the values of the proxy_user and proxy_user_password are correct. Ensure that you change the value o[...]
Page 302
LDAP database is read-only
An attempt to modify the Kerberos entry failed as the Directory server entry is read-only. Edit the Kerberos configuration file, krb5_ldap.conf, to specify a directory server that can be updated and restart all Kerberos server applications.
Insufficient access[...]
Page 303
Troubleshooting, General Errors, Chapter 11, page 303
General Errors
Following are the general errors that you may encounter while setting up your Kerberos server:
• Ensure that the Domain Name Server (DNS) is working properly. Several aspects of Kerberos rely on this name service. It is important that your DNS entries and your hosts have the correct[...]
Page 304
Locking and Unlocking Accounts
If a user or a service principal exceeds the maximum number of failed authentication attempts allowed by the password policy file, the account is locked and the principal is not issued a ticket. Alternatively, a security administrator may have purposefully locked a pr[...]
Page 305
Troubleshooting, User Error Messages, Chapter 11, page 305
User Error Messages
Users may see error messages while using the Kerberos server. The following sections describe user error messages, explain their causes, and suggest corrective actions.
Decrypt Integrity Check Failed
Explanation: This message is displayed if a user requests a ticket from t[...]
Page 306
Troubleshooting, Administrative Error Messages, Chapter 11, page 306
Administrative Error Messages
Following are some messages that administrative principals may see when using their accounts. This section also contains some recommended solutions.
Password Has Expired While Getting Initial Ticket
Explanation: This message may appear when a user trie[...]
Page 307
key during authentication. If the principal does not have a 3DES key, the tools attempt to negotiate a supported key type. If the tools cannot negotiate a supported key type, the error message Service key not available while getting initial ticket is returned.
Action: If the user is usin[...]
Page 308
Troubleshooting, Reporting Problems to Your HP Support Contact, Chapter 11, page 308
Reporting Problems to Your HP Support Contact
If you do not have a service contract with HP, you may follow the procedure described below, but you will be billed accordingly for time and materials. If you have a service contract with HP, document the problem as a Ser[...]
Page 309
• Prepare a listing of the HP-UX I/O configuration you are using for your HP support contact to further analyze.
• Try to determine the general area within the software where you think the problem exists. Refer to the appropriate reference manual and follow the gui[...]
Page 310
[...]
Page 311
Appendix A, page 311
A Configuration Worksheet
The following worksheet helps you configure your Kerberos server with LDAP as the backend database.[...]
Page 312
Configuration Worksheet, Appendix A, page 312
Following is an explanation and sample table.
Table A-1 Configuration Worksheet
Configuration Worksheet for LDAP database
Directory administrator DN
Directory server host
Directory server port
Base DN for search
Subtree DN
Proxy user DN
Certificate db path
NOTE: Enter the Certificate db path only i[...]
Page 313
Base DN for search
The default base DN for search is the root of the directory tree on the Directory server, where the Kerberos server searches for Kerberos principals. Example: ou=people, o=bambi.com
Default Principal Subtree DN
The default principal subtree DN is where all Kerberos principals are added [...]
Page 314
[...]
Page 315
Appendix B, page 315
B Sample krb.conf File
The sample krb.conf file named krb.conf.sample is available in the /opt/krb5/examples directory. Copy this sample file to the /opt/krb5/krb.conf file and modify it to reflect the host names and realm name for your realm.[...]
Page 316
Sample krb.conf File, Appendix B, page 316
NOTE: If you have configured your Kerberos server with C-Tree as the backend, then the realm names are case sensitive. If you have configured your Kerberos server with LDAP as the backend, then the realm names are not case sensitive. Replace the underlined Your_Realm_Name, Your_Secondary_Server1, Your_Seconda[...]
Page 317
Sample krb.conf File, The services File, Appendix B, page 317
The services File
The services file contains entries that allow client applications to establish socket connections to the KDC or to the application servers. A KDC client requires the following entries in the /etc/services file:
#
# Kerberos services
#
kerberos5 88/udp kdc # Kerberos V5 kd[...]
Page 318
[...]
Page 319
Appendix C, page 319
C Sample krb.realms File
The sample krb.realms file named krb.realms.sample is available in the /opt/krb5/examples directory. You can copy this sample file to the /opt/krb5 directory, and modify it to reflect your realm name.[...]
Page 320
Sample krb.realms File, Appendix C, page 320
NOTE: The realm names are case sensitive. Replace the underlined Your_Realm_Name, Your_Primary_Security_Server, Your_Secondary_Server_Server, and Your_Domain_Name with the name of your Kerberos REALM and host names of the primary security server and secondary security servers.
Your_Primary_Security_Server Y[...]
Page 321
Glossary, page 321
Glossary
A-B
admin_acl_file (administrator access control list): Text file that lists the administrators and their respective permissions.
HP Kerberos Administrator: The graphical user interface that is used to administer the principal database of the Kerberos server.
Authentication Service (AS): Authentication is a verification of a[...]
Page 322
Glossary, kpropd.ini, page 322
kpropd.ini: Propagation configuration file that mkpropcf creates using information in the local krb.conf file.
krb.conf: File that contains configuration information that describes the default realm of the host, the administration server, and security servers for known realms.
krb.realms: The realms file defines hos[...]
Page 323
Glossary, v5srvtab, page 323
Ticket-granting ticket: See TGT.
V
v5srvtab: Binary file that contains service principal names and their corresponding secret keys.[...]
Page 324
Glossary, Ticket-granting ticket, page 324[...]
Page 325
Index, page 325
Symbols
#, 68
/etc/rc.config.d/krbsrv, 102
/opt/krb5/sbin, 69
/sbin/init.d/krbsrv start, 102
/var/adm/krb5/krb5kdc, 315
A
access control list, See ACL
ACL, 112
adding a realm, 273
ADMD = 1, 102
admin_acl_file, 64, 101
    # comment, 113
    format, 113
    identifier, 113
    instance, 113
    perms_list, 113
    using wildcards, 113
administr[...]
Page 326
Index, page 326
initial ticket, 26
intermediate realm, 285
intermittent error, 291
Internet Engineering Task Force, See IETF
interrealm authentication, 275
issuing a ticket, 322
K
/krb5/admin_acl_file, 112
K/M key name, 44
K/M@REALM principal, 124
kadmin/changepw@REALM principal, 126
kadmin/REALM@REALM principal, 126
kadmind daemon, 104, 22[...]
Page 327
Index, page 327
R
remote administrator, 111
remote request, 112
reporting level, 295
    LOG_ERR, 295
    LOG_NOTICE, 295
    LOG_WARNING, 295
RFC 1510, 22, 25, 54
RFC 1964, 22, 54
RFC 2743, 22
RFC 2744, 22
S
sample kdc.conf, 319
sample krb.conf, 315
Sample krb.realms, 319
sample krb5.conf, 315
secsrv_name, 252
server, 294
service contract, 308 [...]