<title>Kerberos V5 Installation Guide</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="Kerberos V5 Installation Guide">
<meta name="generator" content="makeinfo 4.13">
<link title="Top" rel="top" href="#Top">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.-->
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
pre.display { font-family:inherit }
pre.format { font-family:inherit }
pre.smalldisplay { font-family:inherit; font-size:smaller }
pre.smallformat { font-family:inherit; font-size:smaller }
pre.smallexample { font-size:smaller }
pre.smalllisp { font-size:smaller }
span.sc { font-variant:small-caps }
span.roman { font-family:serif; font-weight:normal; }
span.sansserif { font-family:sans-serif; font-weight:normal; }
<h1 class="settitle">Kerberos V5 Installation Guide</h1>
Next: <a rel="next" accesskey="n" href="#Introduction">Introduction</a>,
Previous: <a rel="previous" accesskey="p" href="#dir">(dir)</a>,
Up: <a rel="up" accesskey="u" href="#dir">(dir)</a>
<!-- node-name, next, previous, up -->
<!-- The master menu is updated using emacs19's M-x texinfo-all-menus-update -->
<!-- function. Don't forget to run M-x texinfo-every-node-update after -->
<!-- you add a new section or subsection, or after you've rearranged the -->
<!-- order of sections or subsections. Also, don't forget to add an @node -->
<!-- command before each @section or @subsection! All you need to enter -->
<!-- @node New Section Name -->
<!-- @section New Section Name -->
<!-- M-x texinfo-every-node-update will take care of calculating the -->
<!-- node's forward and back pointers. -->
<li><a accesskey="1" href="#Introduction">Introduction</a>
<li><a accesskey="2" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<li><a accesskey="3" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<li><a accesskey="4" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
<li><a accesskey="5" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>
<li><a accesskey="6" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>
<li><a accesskey="7" href="#Copyright">Copyright</a>
<a name="Introduction"></a>
Next: <a rel="next" accesskey="n" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Previous: <a rel="previous" accesskey="p" href="#Top">Top</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">1 Introduction</h2>
<li><a accesskey="1" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>
<li><a accesskey="2" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>
<li><a accesskey="3" href="#Please-Read-the-Documentation">Please Read the Documentation</a>
<li><a accesskey="4" href="#Overview-of-This-Guide">Overview of This Guide</a>
<a name="What-is-Kerberos-and-How-Does-it-Work%3f"></a>
<a name="What-is-Kerberos-and-How-Does-it-Work_003f"></a>
Next: <a rel="next" accesskey="n" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
<h3 class="section">1.1 What is Kerberos and How Does it Work?</h3>
<p>Kerberos V5 is based on the Kerberos authentication system developed
at MIT. Under Kerberos, a client (generally either a user or a service)
sends a request for a ticket to the Key Distribution Center (KDC). The
KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client,
encrypts it using the client's password as the key, and sends the
encrypted TGT back to the client. The client then attempts to decrypt
the TGT, using its password. If the client successfully decrypts the
TGT (<i>i.e.</i>, if the client gave the correct password), it keeps the
decrypted TGT, which indicates proof of the client's identity.
<p>The TGT, which expires at a specified time, permits the client to obtain
additional tickets, which give permission for specific services. The
requesting and granting of these additional tickets is user-transparent.
<a name="Why-Should-I-use-Kerberos%3f"></a>
<a name="Why-Should-I-use-Kerberos_003f"></a>
Next: <a rel="next" accesskey="n" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,
Previous: <a rel="previous" accesskey="p" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>,
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
<h3 class="section">1.2 Why Should I use Kerberos?</h3>
<p>Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the Internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on. Since studies have shown that half of the computer
security breaches in industry happen from <i>inside</i> firewalls,
Kerberos V5 from MIT will play a vital role in the
security of your network.
<a name="Please-Read-the-Documentation"></a>
Next: <a rel="next" accesskey="n" href="#Overview-of-This-Guide">Overview of This Guide</a>,
Previous: <a rel="previous" accesskey="p" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
<h3 class="section">1.3 Please Read the Documentation</h3>
<p>As with any software package that uses a centralized database, the
installation procedure is somewhat involved, and requires forethought
and planning. MIT has attempted to make this
Kerberos V5 Installation Guide as concise as possible, rather than
making it an exhaustive description of the details of Kerberos.
Consequently, everything in this guide appears because MIT
believes that it is important. Please read and follow these
instructions carefully.
<p>This document is one piece of the document set for Kerberos V5. The
documents, and their intended audiences, are:
<li><b>Kerberos V5 Installation Guide</b>: a concise guide for installing
Kerberos V5. Kerberos administrators (particularly whoever will be
making site-wide decisions about the installation) and the system
administrators who will be installing the software should read this
<li><b>Kerberos V5 System Administrator's Guide</b>: a sysadmin's guide to
administering a Kerberos installation. The System Administrator's Guide
describes the administration software and suggests policies and
procedures for administering a Kerberos installation. Anyone who will
have administrative access to your Kerberos database should read this
<li><b>Kerberos V5 UNIX User's Guide</b>: a guide to using the Kerberos
UNIX client programs. All users on UNIX systems should read this guide,
particularly the “Tutorial” section.
<a name="Overview-of-This-Guide"></a>
Previous: <a rel="previous" accesskey="p" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
<h3 class="section">1.4 Overview of This Guide</h3>
<p class="noindent">The next chapter describes the decisions you need to make before
installing Kerberos V5.
<p class="noindent">Chapter three provides instructions for building the Kerberos sources.
<p class="noindent">Chapter four describes installation procedures for each class of
<li>Key Distribution Centers (KDCs).
<li>UNIX client machines
<li>UNIX application server machines
<p class="noindent">Note that a machine can be both a client machine and an application
<p class="noindent">Chapter five describes procedures for updating previous installations of
<p class="noindent">Chapter six describes our problem reporting system.
<a name="Realm-Configuration-Decisions"></a>
Next: <a rel="next" accesskey="n" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">2 Realm Configuration Decisions</h2>
<p>Before installing Kerberos V5, it is necessary to consider the
<li>The name of your Kerberos realm (or the name of each realm, if you need
<li>How you will map your hostnames onto Kerberos realms.
<li>Which ports your KDC and kadmin (database access) services will use.
<li>How many slave KDCs you need and where they should be located.
<li>The hostnames of your master and slave KDCs.
<li>How frequently you will propagate the database from the master KDC to
<li><a accesskey="1" href="#Kerberos-Realms">Kerberos Realms</a>
<li><a accesskey="2" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>
<li><a accesskey="3" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>
<li><a accesskey="4" href="#Slave-KDCs">Slave KDCs</a>
<li><a accesskey="5" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>
<li><a accesskey="6" href="#Database-Propagation">Database Propagation</a>
<a name="Kerberos-Realms"></a>
Next: <a rel="next" accesskey="n" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.1 Kerberos Realms</h3>
<p>Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters. For
example, hosts in the domain example.com would be in the
Kerberos realm EXAMPLE.COM.
<p>If you need multiple Kerberos realms, MIT recommends that
you use descriptive names which end with your domain name, such as
BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM.
<a name="Mapping-Hostnames-onto-Kerberos-Realms"></a>
Next: <a rel="next" accesskey="n" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
Previous: <a rel="previous" accesskey="p" href="#Kerberos-Realms">Kerberos Realms</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.2 Mapping Hostnames onto Kerberos Realms</h3>
<p>Mapping hostnames onto Kerberos realms is done in one of two ways.
<p>The first mechanism, which has been in use for years in MIT-based
Kerberos distributions, works through a set of rules in
the <code>krb5.conf</code> configuration file. (See <a href="#krb5_002econf">krb5.conf</a>.) You can
specify mappings for an entire domain or subdomain, and/or on a
hostname-by-hostname basis. Since greater specificity takes precedence,
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.
<p>The second mechanism works by looking up the information in special
<code>TXT</code> records in the Domain Name Service. This is currently not
used by default because security holes could result if the DNS TXT
records were spoofed. If this mechanism is enabled on the client,
it will try to look up a <code>TXT</code> record for the DNS name formed by
putting the prefix <code>_kerberos</code> in front of the hostname in question.
If that record is not found, it will try using <code>_kerberos</code> and the
host's domain name, then its parent domain, and so forth. So for the
hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
<pre class="smallexample"> _kerberos.boston.engineering.foobar.com
_kerberos.engineering.foobar.com
<p>The value of the first TXT record found is taken as the realm name.
(Obviously, this doesn't work all that well if a host and a subdomain
have the same name, and different realms. For example, if all the hosts
in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
another realm. In that case, you would set up TXT records for all
hosts, rather than relying on the fallback to the domain name.)
<p>Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other sites.
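<p>The following is an added example, not code from the MIT distribution: it models both mapping mechanisms described above, the <code>krb5.conf</code>-style rules with most-specific-match precedence and the DNS <code>TXT</code> walk, and it reproduces the host-versus-subdomain collision the guide warns about. The rule table and the two TXT tables are constructed for the example, and the walk is carried up to the last DNS label, which is an assumption of this model.

```python
"""Model of the two hostname-to-realm mappings the guide describes.

Mechanism 1 mirrors krb5.conf [domain_realm] rules: a key starting with
"." maps a whole domain or subdomain, a key without one maps a single
host, and greater specificity wins.  Mechanism 2 is the DNS TXT walk:
_kerberos.<host>, then _kerberos.<parent domain>, and so on.  DNS is
replaced by constructed dictionaries so the code runs offline.
"""

# Constructed [domain_realm]-style rules (not a real site's krb5.conf).
DOMAIN_REALM_RULES = {
    ".foobar.com": "FOOBAR.COM",
    ".engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    # A single host listed as the exception to its subdomain's rule.
    "legacy.engineering.foobar.com": "FOOBAR.COM",
}

# Constructed TXT records keyed by owner name, domain-level only.  This is
# the layout the guide warns about: the host named engineering.foobar.com
# and every host under that subdomain resolve through the same record.
DNS_TXT_DOMAIN_ONLY = {
    "_kerberos.foobar.com": "FOOBAR.COM",
    "_kerberos.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
}

# Constructed fix from the guide: a record for every host, so the host
# engineering.foobar.com can sit in a different realm from its subdomain.
DNS_TXT_PER_HOST = {
    "_kerberos.foobar.com": "FOOBAR.COM",
    "_kerberos.engineering.foobar.com": "FOOBAR.COM",
    "_kerberos.boston.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    "_kerberos.houston.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
}


def _normalize(hostname):
    return hostname.lower().rstrip(".")


def config_realm(hostname, rules=DOMAIN_REALM_RULES):
    """Mechanism 1: exact host entry first, then the longest matching
    domain rule; None if nothing matches."""
    host = _normalize(hostname)
    if host in rules:
        return rules[host]
    best_pattern, best_realm = None, None
    for pattern, realm in rules.items():
        if pattern.startswith(".") and host.endswith(pattern):
            if best_pattern is None or len(pattern) > len(best_pattern):
                best_pattern, best_realm = pattern, realm
    return best_realm


def txt_lookup_names(hostname):
    """Mechanism 2: the names a client would query, most specific first.
    The walk is carried up to the last label (an assumption of this model)."""
    labels = _normalize(hostname).split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def dns_realm(hostname, txt):
    """Mechanism 2: the value of the first TXT record found wins."""
    for name in txt_lookup_names(hostname):
        if name in txt:
            return txt[name]
    return None


def realm_for_host(hostname, txt=None, use_dns=False):
    """Config rules first; the DNS walk only when explicitly enabled,
    since TXT answers are unauthenticated (the guide's reason for leaving
    the DNS mechanism off by default)."""
    realm = config_realm(hostname)
    if realm is None and use_dns and txt is not None:
        realm = dns_realm(hostname, txt)
    return realm
```

With the domain-only table, the host engineering.foobar.com and every host beneath it land in the same realm; with the per-host table, each host that lacks its own record falls through to the record that now belongs to the host, which is why the guide says to create records for all hosts.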
<a name="Ports-for-the-KDC-and-Admin-Services"></a>
Next: <a rel="next" accesskey="n" href="#Slave-KDCs">Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.3 Ports for the KDC and Admin Services</h3>
<p>The default ports used by Kerberos are port 88 for the
KDC<a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a> and
port 749 for the admin server. You can, however,
choose to run on other ports, as long as they are specified in each
host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the
<code>kdc.conf</code> file on each KDC. For a more thorough treatment of
port numbers used by the Kerberos V5 programs, refer to the
“Configuring Your Firewall to Work With Kerberos V5” section of
the <cite>Kerberos V5 System Administrator's Guide</cite>.
<a name="Slave-KDCs"></a>
Next: <a rel="next" accesskey="n" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.4 Slave KDCs</h3>
<p>Slave KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the master KDC. The number
of slave KDCs you need and the decision of where to place them, both
physically and logically, depends on the specifics of your network.
<p>All of the Kerberos authentication on your network requires that each
client be able to contact a KDC. Therefore, you need to anticipate any
likely reason a KDC might be unavailable and have a slave KDC to take up
<p>Some considerations include:
<li>Have at least one slave KDC as a backup, for when the master KDC is
down, is being upgraded, or is otherwise unavailable.
<li>If your network is split such that a network outage is likely to cause a
network partition (some segment or segments of the network to become cut
off or isolated from other segments), have a slave KDC accessible to
<li>If possible, have at least one slave KDC in a different building from
the master, in case of power outages, fires, or other localized
<a name="Hostnames-for-the-Master-and-Slave-KDCs"></a>
Next: <a rel="next" accesskey="n" href="#Database-Propagation">Database Propagation</a>,
Previous: <a rel="previous" accesskey="p" href="#Slave-KDCs">Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.5 Hostnames for the Master and Slave KDCs</h3>
<p>MIT recommends that your KDCs have a predefined set of
CNAME records (DNS hostname aliases), such as <code>kerberos</code>
for the master KDC and
<code>kerberos-1</code>, <code>kerberos-2</code>, <small class="dots">...</small> for the
slave KDCs. This way, if you need to swap a machine, you only need to
change a DNS entry, rather than having to change hostnames.
<p>A new mechanism for locating KDCs of a realm through DNS has been added
to the MIT Kerberos V5 distribution. A relatively new
record type called <code>SRV</code> has been added to DNS. Looked up by a
service name and a domain name, these records indicate the hostname and
port number to contact for that service, optionally with weighting and
prioritization. (See RFC 2782 if you want more information. You can
follow the example below for straightforward cases.)
<p>The use with Kerberos is fairly straightforward. The domain name used
in the SRV record name is the domain-style Kerberos realm name. (It is
possible to have Kerberos realm names that are not DNS-style names, but
we don't recommend it for Internet use, and our code does not support it
well.) Several different Kerberos-related service names are used:
<dt><code>_kerberos._udp</code><dd>This is for contacting any KDC by UDP. This entry will be used the most
often. Normally you should list port 88 on each of your KDCs.
<!-- Don't encourage continued use of port 750 for krb5. -->
<!-- It should be only for backwards compatibility with krb4. -->
<!-- Do the Mac/Windows krb4 libraries use this DNS entry? -->
<!-- The UNIX code does not. -->
<br><dt><code>_kerberos._tcp</code><dd>This is for contacting any KDC by TCP. The MIT KDC by default will not
listen on any TCP ports, so unless you've changed the configuration or
you're running another KDC implementation, you should leave this
unspecified. If you do enable TCP support, normally you should use
<br><dt><code>_kerberos-master._udp</code><dd>This entry should refer to those KDCs, if any, that will immediately see
password changes to the Kerberos database. This entry is used only in
one case, when the user is logging in and the password appears to be
incorrect; the master KDC is then contacted, and the same password used
to try to decrypt the response, in case the user's password had recently
been changed and the first KDC contacted hadn't been updated. Only if
that fails is an “incorrect password” error given.
<p>If you have only one KDC, or for whatever reason there is no accessible
KDC that would get database changes faster than the others, you do not
need to define this entry.
<br><dt><code>_kerberos-adm._tcp</code><dd>This should list port 749 on your master KDC.
Support for it is not complete at this time, but it will eventually be
used by the <code>kadmin</code> program and related utilities. For now, you
will also need the <code>admin_server</code> entry in <code>krb5.conf</code>.
(See <a href="#krb5_002econf">krb5.conf</a>.)
<br><dt><code>_kpasswd._udp</code><dd>This should list port 464 on your master KDC.
It is used when a user changes her password.
<p>Be aware, however, that the DNS SRV specification requires that the
hostnames listed be the canonical names, not aliases. So, for example,
you might include the following records in your (BIND-style) zone file:
<pre class="smallexample"> $ORIGIN foobar.com.
_kerberos TXT "FOOBAR.COM"
kerberos-1 CNAME use-the-force-luke
kerberos-2 CNAME bunny-rabbit
_kerberos._udp SRV 0 0 88 daisy
               SRV 0 0 88 use-the-force-luke
               SRV 0 0 88 bunny-rabbit
_kerberos-master._udp SRV 0 0 88 daisy
_kerberos-adm._tcp SRV 0 0 749 daisy
_kpasswd._udp SRV 0 0 464 daisy
<p>As with the DNS-based mechanism for determining the Kerberos realm of a
host, we recommend distributing the information this way for use by
other sites that may want to interact with yours using Kerberos, even if
you don't immediately make use of it within your own site. If you
anticipate installing a very large number of machines on which it will
be hard to update the Kerberos configuration files, you may wish to do
all of your Kerberos service lookups via DNS and not put the information
(except for <code>admin_server</code> as noted above) in future versions of
your <code>krb5.conf</code> files at all. Eventually, we hope to phase out
the listing of server hostnames in the client-side configuration files;
making preparations now will make the transition easier in the future.
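<p>An added example, not part of the guide or the MIT distribution: a small checker for a BIND-style zone fragment like the one above. It parses <code>$ORIGIN</code>, owner-less continuation lines, and <code>TXT</code>/<code>CNAME</code>/<code>SRV</code> records, then flags any SRV target that is a CNAME alias rather than a canonical hostname (the requirement the text states) and any Kerberos service name whose port differs from the one the guide gives. The zone text is constructed for the example: the guide's records plus one deliberately wrong SRV record that points at the alias <code>kerberos-1</code>.

```python
"""Lint a BIND-style zone fragment like the one in the guide.

Two checks the text calls for: SRV targets must be canonical hostnames
rather than CNAME aliases, and each Kerberos service name should carry
the port the guide describes for it.  The zone text is constructed for
this example and is not a real site's data.
"""

# Constructed: the guide's records plus one deliberately bad SRV that
# points at the alias kerberos-1 instead of the host behind it.
ZONE = """\
$ORIGIN foobar.com.
_kerberos              TXT   "FOOBAR.COM"
kerberos               CNAME daisy
kerberos-1             CNAME use-the-force-luke
kerberos-2             CNAME bunny-rabbit
_kerberos._udp         SRV   0 0 88  daisy
                       SRV   0 0 88  use-the-force-luke
                       SRV   0 0 88  bunny-rabbit
_kerberos-master._udp  SRV   0 0 88  daisy
_kerberos-adm._tcp     SRV   0 0 749 daisy
_kpasswd._udp          SRV   0 0 464 daisy
_kerberos._tcp         SRV   0 0 88  kerberos-1
"""

# Ports the guide gives for each service name.
EXPECTED_PORTS = {
    "_kerberos._udp": 88,
    "_kerberos._tcp": 88,
    "_kerberos-master._udp": 88,
    "_kerberos-adm._tcp": 749,
    "_kpasswd._udp": 464,
}


def fqdn(name, origin):
    """Qualify a relative owner or target name against $ORIGIN."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, cnames, srvs, txts) from a minimal zone fragment.

    A line that starts with whitespace has no owner field and inherits
    the previous owner, which is how the guide's SRV lines are written.
    """
    origin, owner = ".", None
    cnames, srvs, txts = {}, [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not raw[0].isspace():
            owner = fqdn(tokens.pop(0), origin)
        rtype = tokens.pop(0)
        if rtype == "CNAME":
            cnames[owner] = fqdn(tokens[0], origin)
        elif rtype == "SRV":
            prio, weight, port = (int(t) for t in tokens[:3])
            srvs.append((owner, prio, weight, port, fqdn(tokens[3], origin)))
        elif rtype == "TXT":
            txts[owner] = " ".join(tokens).strip('"')
    return origin, cnames, srvs, txts


def check_zone(text):
    """Return ({service: [(host, port), ...]}, [problem strings])."""
    origin, cnames, srvs, _txts = parse_zone(text)
    services, problems = {}, []
    suffix = "." + origin
    for owner, _prio, _weight, port, target in srvs:
        service = owner[: -len(suffix)] if owner.endswith(suffix) else owner
        services.setdefault(service, []).append((target, port))
        if target in cnames:
            problems.append(
                f"{service}: SRV target {target} is a CNAME alias; "
                f"use the canonical name {cnames[target]}"
            )
        expected = EXPECTED_PORTS.get(service)
        if expected is not None and port != expected:
            problems.append(f"{service}: port {port}, expected {expected}")
    return services, problems


if __name__ == "__main__":
    found, issues = check_zone(ZONE)
    for svc, hosts in found.items():
        print(svc, hosts)
    for issue in issues:
        print("PROBLEM:", issue)
```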
<a name="Database-Propagation"></a>
Previous: <a rel="previous" accesskey="p" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.6 Database Propagation</h3>
<p>The Kerberos database resides on the master KDC, and must be propagated
regularly (usually by a cron job) to the slave KDCs. In deciding how
frequently the propagation should happen, you will need to balance the
amount of time the propagation takes against the maximum reasonable
amount of time a user should have to wait for a password change to take
<p>If the propagation time is longer than this maximum reasonable time
(<i>e.g.,</i> you have a particularly large database, you have a lot of
slaves, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel. To do this, have the master KDC propagate the database to one
set of slaves, and then have each of these slaves propagate the database
to additional slaves.
<a name="Building-Kerberos-V5"></a>
Next: <a rel="next" accesskey="n" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">3 Building Kerberos V5</h2>
<p>Kerberos V5 uses a configuration system built using the Free
Software Foundation's ‘<samp><span class="samp">autoconf</span></samp>’ program. This system makes
Kerberos V5 much simpler to build and reduces the amount of effort
required in porting Kerberos V5 to a new platform.
<li><a accesskey="1" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>: Description of the source tree.
<li><a accesskey="2" href="#Build-Requirements">Build Requirements</a>: How much disk space, etc. you need to
<li><a accesskey="3" href="#Unpacking-the-Sources">Unpacking the Sources</a>: Preparing the source tree.
<li><a accesskey="4" href="#Doing-the-Build">Doing the Build</a>: Compiling Kerberos.
<li><a accesskey="5" href="#Installing-the-Binaries">Installing the Binaries</a>: Installing the compiled binaries.
<li><a accesskey="6" href="#Testing-the-Build">Testing the Build</a>: Making sure Kerberos built correctly.
<li><a accesskey="7" href="#Options-to-Configure">Options to Configure</a>: Command-line options to Configure
<li><a accesskey="8" href="#osconf_002eh">osconf.h</a>: Header file-specific configurations
<li><a accesskey="9" href="#Shared-Library-Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5
<li><a href="#OS-Incompatibilities">OS Incompatibilities</a>: Special cases to watch for.
<li><a href="#Using-Autoconf">Using Autoconf</a>: Modifying Kerberos V5's
configuration scripts.
<a name="Organization-of-the-Source-Directory"></a>
Next: <a rel="next" accesskey="n" href="#Build-Requirements">Build Requirements</a>,
Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.1 Organization of the Source Directory</h3>
<p>Below is a brief overview of the organization of the complete source
directory. More detailed descriptions follow.
<dt><b>appl</b><dd>applications with Kerberos V5 extensions
<dt><b>clients</b><dd>Kerberos V5 user programs
<dt><b>gen-manpages</b><dd>manpages for Kerberos V5 and the Kerberos V5 login program
<dt><b>include</b><dd>include files
<dt><b>kadmin</b><dd>administrative interface to the Kerberos master database
<dt><b>kdc</b><dd>the Kerberos V5 Authentication Service and Key Distribution Center
<dt><b>krb524</b><dd>utilities for converting between Kerberos 4 and Kerberos 5
<dt><b>lib</b><dd>libraries for use with/by Kerberos V5
<dt><b>mac</b><dd>source code for building Kerberos V5 on MacOS
<dt><b>prototype</b><dd>templates for source code files
<dt><b>slave</b><dd>utilities for propagating the database to slave KDCs
<dt><b>tests</b><dd>test suite
<dt><b>util</b><dd>various utilities for building/configuring the code, sending bug reports, etc.
<dt><b>windows</b><dd>source code for building Kerberos V5 on Windows (see windows/README)
<li><a accesskey="1" href="#The-appl-Directory">The appl Directory</a>
<li><a accesskey="2" href="#The-clients-Directory">The clients Directory</a>
<li><a accesskey="3" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>
<li><a accesskey="4" href="#The-include-Directory">The include Directory</a>
<li><a accesskey="5" href="#The-kadmin-Directory">The kadmin Directory</a>
<li><a accesskey="6" href="#The-kdc-Directory">The kdc Directory</a>
<li><a accesskey="7" href="#The-krb524-Directory">The krb524 Directory</a>
<li><a accesskey="8" href="#The-lib-Directory">The lib Directory</a>
<li><a accesskey="9" href="#The-prototype-Directory">The prototype Directory</a>
<li><a href="#The-slave-Directory">The slave Directory</a>
<li><a href="#The-util-Directory">The util Directory</a>
<a name="The-appl-Directory"></a>
Next: <a rel="next" accesskey="n" href="#The-clients-Directory">The clients Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.1 The appl Directory</h4>
<p>The <i>appl</i> directory contains sample Kerberos application client and
server programs. In previous releases, it contained Kerberized versions
of remote access daemons, but those have now been moved to a separate
<a name="The-clients-Directory"></a>
Next: <a rel="next" accesskey="n" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-appl-Directory">The appl Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.2 The clients Directory</h4>
<p>This directory contains the code for several user-oriented programs.
<dt><b>kdestroy</b><dd>This program destroys the user's active Kerberos authorization tickets.
MIT recommends that users <code>kdestroy</code> before logging out.
<dt><b>kinit</b><dd>This program prompts users for their Kerberos principal name and password,
and attempts to get an initial ticket-granting-ticket for that principal.
<dt><b>klist</b><dd>This program lists the Kerberos principal and Kerberos tickets held in
a credentials cache, or the keys held in a keytab file.
<dt><b>kpasswd</b><dd>This program changes a user's Kerberos password.
<dt><b>ksu</b><dd>This program is a Kerberized version of the <code>su</code> program that is
meant to securely change the real and effective user ID to that of the
target user and to create a new security context.
<dt><b>kvno</b><dd>This program acquires a service ticket for the specified Kerberos
principals and prints out the key version numbers of each.
<a name="The-gen-manpages-Directory"></a>
617
<a name="The-gen_002dmanpages-Directory"></a>
619
Next: <a rel="next" accesskey="n" href="#The-include-Directory">The include Directory</a>,
620
Previous: <a rel="previous" accesskey="p" href="#The-clients-Directory">The clients Directory</a>,
621
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
625
<h4 class="subsection">3.1.3 The gen-manpages Directory</h4>
627
<p>There are two manual pages in this directory. One is an introduction
628
to the Kerberos system. The other describes the <code>.k5login</code> file
629
which allows users to give access with their UID to other users
630
authenticated by the Kerberos system.
633
<a name="The-include-Directory"></a>
635
Next: <a rel="next" accesskey="n" href="#The-kadmin-Directory">The kadmin Directory</a>,
636
Previous: <a rel="previous" accesskey="p" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
637
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
641
<h4 class="subsection">3.1.4 The include Directory</h4>
643
<p>This directory contains the <i>include</i> files needed to build the
647
<a name="The-kadmin-Directory"></a>
649
Next: <a rel="next" accesskey="n" href="#The-kdc-Directory">The kdc Directory</a>,
650
Previous: <a rel="previous" accesskey="p" href="#The-include-Directory">The include Directory</a>,
651
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
655
<h4 class="subsection">3.1.5 The kadmin Directory</h4>
657
<p>In this directory is the code for the utilities <code>kadmin</code>,
658
<code>kadmin.local</code>, <code>kdb5_util</code>, and <code>ktutil</code>.
659
<code>ktutil</code> is the Kerberos keytab file maintenance utility from
660
which a Kerberos administrator can read, write, or edit entries in a
661
Kerberos V5 keytab or Kerberos V4 srvtab. <code>kadmin</code> and
662
<code>kadmin.local</code> are command-line interfaces to the Kerberos V5 KADM5
663
administration system. <code>kadmin.local</code> runs on the master KDC and
664
does not use Kerberos to authenticate to the database, while
665
<code>kadmin</code> uses Kerberos authentication and an encrypted RPC. The
666
two provide identical functionalities, which allow administrators to
667
modify the database of Kerberos principals. <code>kdb5_util</code> allows
668
administrators to perform low-level maintenance procedures on Kerberos
669
and the KADM5 database. With this utility, databases can be created,
670
destroyed, or dumped to and loaded from ASCII files. It can also be
671
used to create master key stash files.
674
<a name="The-kdc-Directory"></a>
676
Next: <a rel="next" accesskey="n" href="#The-krb524-Directory">The krb524 Directory</a>,
677
Previous: <a rel="previous" accesskey="p" href="#The-kadmin-Directory">The kadmin Directory</a>,
678
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
682
<h4 class="subsection">3.1.6 The kdc Directory</h4>
684
<p>This directory contains the code for the <code>krb5kdc</code> daemon, the
685
Kerberos Authentication Service and Key Distribution Center.
<a name="The-krb524-Directory"></a>
Next: <a rel="next" accesskey="n" href="#The-lib-Directory">The lib Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-kdc-Directory">The kdc Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.7 The krb524 Directory</h4>
<p>This directory contains the code for <code>krb524</code>, a service that
converts Kerberos V5 credentials into Kerberos V4 credentials suitable
for use with applications that for whatever reason do not use V5
<a name="The-lib-Directory"></a>
Next: <a rel="next" accesskey="n" href="#The-prototype-Directory">The prototype Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-krb524-Directory">The krb524 Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.8 The lib Directory</h4>
<p>The <i>lib</i> directory contains 10 subdirectories as well as some
definition and glue files. The <i>crypto</i> subdirectory contains the
Kerberos V5 encryption library. The <i>des425</i> subdirectory exports
the Kerberos V4 encryption API, and translates these functions into
calls to the Kerberos V5 encryption API. The <i>gssapi</i> library
contains the Generic Security Services API, a library of routines
used for secure client-server communication. The
<i>kadm5</i> directory contains the libraries for the KADM5 administration
utilities. The Kerberos 5 database libraries are contained in
<i>kdb</i>. The directories <i>krb4</i> and <i>krb5</i> contain the Kerberos 4
and Kerberos 5 APIs, respectively. The <i>rpc</i> directory contains the
API for the Kerberos Remote Procedure Call protocol.
<a name="The-prototype-Directory"></a>
Next: <a rel="next" accesskey="n" href="#The-slave-Directory">The slave Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-lib-Directory">The lib Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.9 The prototype Directory</h4>
<p>This directory contains several template files. The <code>prototype.h</code>
and <code>prototype.c</code> files contain the MIT copyright message and a
placeholder for the title and description of the file.
<code>prototype.h</code> also has a short template for writing <code>ifdef</code>
and <code>ifndef</code> preprocessor statements. The <code>getopt.c</code> file
provides a template for writing code that will parse the options with
which a program was called.
<a name="The-slave-Directory"></a>
Next: <a rel="next" accesskey="n" href="#The-util-Directory">The util Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-prototype-Directory">The prototype Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.10 The slave Directory</h4>
<p>This directory contains code which allows for the propagation of the
Kerberos principal database from the master KDC to slave KDCs over an
encrypted, secure channel. <code>kprop</code> is the program which actually
propagates the database dump file. <code>kpropd</code> is the Kerberos V5
slave KDC update server which accepts connections from the <code>kprop</code>
program. <code>kslave_update</code> is a script that takes the name of a
slave server, and propagates the database to that server if the
database has been modified since the last dump or if the database has
been dumped since the last propagation.
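<p>As an added illustration of the rule just described, the following shell
script (written for this page; it is not MIT's <code>kslave_update</code>, whose
internals the text does not show) decides whether a given slave needs a
propagation by comparing the modification times of the principal database,
the dump file, and a per-slave timestamp recorded after each successful
<code>kprop</code>. The database and dump paths, the timestamp-file convention,
and the host name in the usage line are assumptions of the example.

```shell
#!/bin/sh
# Added example (not MIT's kslave_update): decide whether a slave KDC needs
# a fresh propagation, following the rule described in the text:
#   propagate if the database changed since the last dump, or if the dump
#   is newer than the last successful propagation to that slave.
# The paths below are assumptions for the illustration.
KDB_FILE=${KDB_FILE:-/usr/local/var/krb5kdc/principal}
DUMP_FILE=${DUMP_FILE:-/usr/local/var/krb5kdc/slave_datatrans}
STAMP_DIR=${STAMP_DIR:-/usr/local/var/krb5kdc}

# needs_propagation DB DUMP STAMP
# Returns 0 (true) if DB is newer than DUMP, if DUMP is newer than STAMP,
# or if DUMP or STAMP is missing; returns 1 (false) otherwise.
needs_propagation() {
    db=$1; dump=$2; stamp=$3
    [ -f "$dump" ] || return 0            # never dumped: must dump and propagate
    [ -f "$stamp" ] || return 0           # never propagated to this slave
    [ "$db" -nt "$dump" ] && return 0     # database modified since last dump
    [ "$dump" -nt "$stamp" ] && return 0  # dumped since last propagation
    return 1
}

# propagate_to SLAVE: re-dump if the database is newer than the dump, push
# the dump with kprop, and record the time of success for that slave.
propagate_to() {
    slave=$1
    stamp="$STAMP_DIR/last_prop.$slave"
    if needs_propagation "$KDB_FILE" "$DUMP_FILE" "$stamp"; then
        if [ ! -f "$DUMP_FILE" ] || [ "$KDB_FILE" -nt "$DUMP_FILE" ]; then
            kdb5_util dump "$DUMP_FILE" || return 1
        fi
        # The stamp is only written after kprop succeeds, so a failed push
        # leaves the slave marked stale and it is retried on the next run.
        kprop -f "$DUMP_FILE" "$slave" || return 1
        touch "$stamp"
        echo "propagated to $slave"
    else
        echo "$slave is up to date"
    fi
}

# Usage (host name is a placeholder): ./propagate.sh kerberos-1.example.com
if [ "$#" -gt 0 ]; then
    for s in "$@"; do propagate_to "$s" || exit 1; done
fi
```

The decision function is kept separate from the commands that act on it, so
the rule can be checked on any host without a KDC present.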
<a name="The-util-Directory"></a>
Previous: <a rel="previous" accesskey="p" href="#The-slave-Directory">The slave Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.11 The util Directory</h4>
<p>This directory contains several utility programs and libraries. The
programs used to configure and build the code, such as <code>autoconf</code>,
<code>lndir</code>, <code>kbuild</code>, <code>reconf</code>, and <code>makedepend</code>,
are in this directory. The <i>profile</i> directory contains most of the
functions which parse the Kerberos configuration files (<code>krb5.conf</code>
and <code>kdc.conf</code>). Also in this directory are the Kerberos error table
library and utilities (<i>et</i>), the Sub-system library and utilities
(<i>ss</i>), database utilities (<i>db2</i>), pseudo-terminal utilities
(<i>pty</i>), the bug-reporting program <code>send-pr</code>, and a generic
support library (<i>support</i>) used by several of our other libraries.
<a name="Build-Requirements"></a>
Next: <a rel="next" accesskey="n" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.2 Build Requirements</h3>
<p>In order to build Kerberos V5, you will need approximately 60-70
megabytes of disk space. The exact amount will vary depending on the
platform and whether the distribution is compiled with debugging symbol
<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”).
Some operating systems do not have an ANSI C compiler, or their
default compiler requires extra command-line options to enable ANSI C
<p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled
<samp><span class="file">*.o</span></samp> files and executables, separate from your source tree, you
will need a ‘<samp><span class="samp">make</span></samp>’ program which supports ‘<samp><span class="samp">VPATH</span></samp>’, or
you will need to use a tool such as ‘<samp><span class="samp">lndir</span></samp>’ to produce a symbolic
link tree for your build tree.
<!-- Library support... -->
<a name="Unpacking-the-Sources"></a>
Next: <a rel="next" accesskey="n" href="#Doing-the-Build">Doing the Build</a>,
Previous: <a rel="previous" accesskey="p" href="#Build-Requirements">Build Requirements</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.3 Unpacking the Sources</h3>
<p>The first step in each of these build procedures is to unpack the
source distribution. The Kerberos V5 distribution comes in a tar file,
generally named <samp><span class="file">krb5-1.10.tar</span></samp>, which contains a
compressed tar file consisting of the sources for all of Kerberos
(generally <samp><span class="file">krb5-1.10.tar.gz</span></samp>) and a PGP signature for
this source tree (generally <samp><span class="file">krb5-1.10.tar.gz.asc</span></samp>).
MIT highly recommends that you verify the integrity of the
source code using this signature. Do so before unpacking, and check the
signature against a copy of MIT's release-signing key obtained
independently of the download itself.
<p>Unpack the compressed tar file in some directory, such as
<samp><span class="file">/u1/krb5-1.10</span></samp>. (In the rest of this document, we
will assume that you have chosen to unpack the Kerberos V5 source
distribution in this directory. Note that the tarfiles will by default
all unpack into the <samp><span class="file">./krb5-1.10</span></samp> directory, so that if
your current directory is <samp><span class="file">/u1</span></samp> when you unpack the tarfiles, you
will get <samp><span class="file">/u1/krb5-1.10/src</span></samp>, etc.)
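<p>Acting on that recommendation, here is an added shell example (not part of
the MIT distribution) that verifies the detached signature and unpacks the
sources only when the check passes. Because <code>gpg</code> reports a good
signature for any key present in the local keyring, the script also pins the
fingerprint of the key that made the signature; that fingerprint must come
from MIT's published release-signing key, which this page does not give, and
is supplied by the caller. The <code>GPG</code> override, the
<code>KRB5_SIGNING_FPR</code> variable name, and the <samp>/u1</samp> destination
are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the MIT distribution): verify the detached PGP
# signature shipped with a krb5 release before unpacking it. gpg's exit
# status alone is not enough, since any key in the keyring yields a "good"
# signature; the signing key's fingerprint is therefore pinned as well.
# GPG may be overridden so the logic can be exercised against a stub.
GPG=${GPG:-gpg}

# verify_release TARBALL SIGNATURE EXPECTED_FPR
# Returns 0 only if gpg reports a VALIDSIG made by the pinned fingerprint.
verify_release() {
    tarball=$1; sig=$2; expected=$3
    [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
    [ -f "$sig" ]     || { echo "missing $sig" >&2; return 1; }
    # --status-fd 1 puts machine-readable "[GNUPG:] ..." lines on stdout;
    # a non-zero exit (BADSIG, missing key, ...) fails closed here.
    status=$("$GPG" --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "signature check failed for $tarball" >&2; return 1; }
    # Field 3 of the VALIDSIG line is the fingerprint of the key that signed.
    got=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}')
    if [ -z "$got" ]; then
        echo "no VALIDSIG status for $tarball" >&2; return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "signed by $got, expected $expected" >&2; return 1
    fi
    return 0
}

# unpack_release VERSION DESTDIR FPR: verify krb5-VERSION.tar.gz against its
# .asc and unpack it into DESTDIR only when the check passes.
unpack_release() {
    ver=$1; dest=$2; fpr=$3
    verify_release "krb5-$ver.tar.gz" "krb5-$ver.tar.gz.asc" "$fpr" || return 1
    mkdir -p "$dest" && tar -xzf "krb5-$ver.tar.gz" -C "$dest"
}

# Usage (the variable name is an assumption; the value must be MIT's key):
#   KRB5_SIGNING_FPR=<40 hex digits> ./unpack.sh 1.10 /u1
if [ "$#" -eq 2 ]; then
    unpack_release "$1" "$2" \
        "${KRB5_SIGNING_FPR:?set to the release-signing key fingerprint}"
fi
```

The status lines are read via <code>--status-fd</code> rather than by scraping
the human-readable output, which changes between gpg versions and locales. To
pin the primary key rather than a signing subkey, compare against the last
field of the VALIDSIG line instead of the third.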
<a name="Doing-the-Build"></a>
Next: <a rel="next" accesskey="n" href="#Installing-the-Binaries">Installing the Binaries</a>,
Previous: <a rel="previous" accesskey="p" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.4 Doing the Build</h3>
<p>You have a number of different options in how to build Kerberos. If you
only need to build Kerberos for one platform, using a single directory
tree which contains both the source files and the object files is the
simplest. However, if you need to maintain Kerberos for a large number
of platforms, you will probably want to use separate build trees for
each platform. We recommend that you look at <a href="#OS-Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating
<li><a accesskey="1" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>
<li><a accesskey="2" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>
<li><a accesskey="3" href="#Building-using-lndir">Building using lndir</a>
<a name="Building-Within-a-Single-Tree"></a>
Next: <a rel="next" accesskey="n" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
<h4 class="subsection">3.4.1 Building Within a Single Tree</h4>
<p>If you don't want separate build trees for each architecture, then
use the following abbreviated procedure.
<li> <code>cd /u1/krb5-1.10/src</code>
<li> <code>./configure</code>
<li> <code>make</code>
<a name="Building-with-Separate-Build-Directories"></a>
Next: <a rel="next" accesskey="n" href="#Building-using-lndir">Building using lndir</a>,
Previous: <a rel="previous" accesskey="p" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>,
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
<h4 class="subsection">3.4.2 Building with Separate Build Directories</h4>
<p>If you wish to keep separate build directories for each platform, you
can do so using the following procedure. (Note, this requires that your
‘<samp><span class="samp">make</span></samp>’ program support ‘<samp><span class="samp">VPATH</span></samp>’. GNU's make will provide this
functionality, for example.) If your ‘<samp><span class="samp">make</span></samp>’ program does not
support this, see the next section.
<p>For example, if you wish to create a build directory for <code>pmax</code> binaries
you might use the following procedure:
<li> <code>mkdir /u1/krb5-1.10/pmax</code>
<li> <code>cd /u1/krb5-1.10/pmax</code>
<li> <code>../src/configure</code>
<li> <code>make</code>
<a name="Building-using-lndir"></a>
Previous: <a rel="previous" accesskey="p" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
<h4 class="subsection">3.4.3 Building Using ‘<samp><span class="samp">lndir</span></samp>’</h4>
<p>If you wish to keep separate build directories for each platform, and
you do not have access to a ‘<samp><span class="samp">make</span></samp>’ program which supports ‘<samp><span class="samp">VPATH</span></samp>’,
all is not lost. You can use the ‘<samp><span class="samp">lndir</span></samp>’ program to create
symbolic link trees in your build directory.
<p>For example, if you wish to create a build directory for Solaris binaries
you might use the following procedure:
<li> <code>mkdir /u1/krb5-1.10/solaris</code>
<li> <code>cd /u1/krb5-1.10/solaris</code>
<li> <code>/u1/krb5-1.10/src/util/lndir `pwd`/../src</code>
<li> <code>./configure</code>
<li> <code>make</code>
<p>You must give an absolute pathname to ‘<samp><span class="samp">lndir</span></samp>’ because it has a bug that
makes it fail for relative pathnames. Note that this version differs
from the latest version as distributed and installed by the X Consortium
with X11R6. Either version should be acceptable.
<a name="Installing-the-Binaries"></a>
Next: <a rel="next" accesskey="n" href="#Testing-the-Build">Testing the Build</a>,
Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.5 Installing the Binaries</h3>
<p>Once you have built Kerberos, you should install the binaries. You
can do this by running:
<pre class="example"> % make install
</pre>
<p>If you want to install the binaries into a destination directory that
is not their final destination, which may be convenient if you want to
build a binary distribution to be deployed on multiple hosts, you may
<pre class="example"> % make install DESTDIR=/path/to/destdir
</pre>
<p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the
user programs will install into <code>DESTDIR/PREFIX/bin</code>, the
libraries into <code>DESTDIR/PREFIX/lib</code>, etc.
<p>Note that if you want to test the build (see <a href="#Testing-the-Build">Testing the Build</a>),
you usually do not need to do a <code>make install</code> first.
<p>Some implementations of ‘<samp><span class="samp">make</span></samp>’ allow multiple commands to be run in
parallel, for faster builds. We test our Makefiles in parallel builds with
GNU ‘<samp><span class="samp">make</span></samp>’ only; they may not be compatible with other parallel build
<a name="Testing-the-Build"></a>
Next: <a rel="next" accesskey="n" href="#Options-to-Configure">Options to Configure</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-the-Binaries">Installing the Binaries</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.6 Testing the Build</h3>
<p>The Kerberos V5 distribution comes with built-in regression tests. To
run them, simply type the following command while in the top-level build
directory (i.e., the directory where you typed ‘<samp><span class="samp">make</span></samp>’ to start
building Kerberos; see <a href="#Doing-the-Build">Doing the Build</a>):
<pre class="example"> % make check
</pre>
<p>However, there are several prerequisites that must be satisfied first:
<li>Configure and build Kerberos with Tcl support. Tcl is used to drive the
test suite. This often means passing <code>--with-tcl</code> to configure to
tell it the location of the Tcl configuration script. (See
<a href="#Options-to-Configure">Options to Configure</a>.)
<li>On some operating systems, you have to run ‘<samp><span class="samp">make install</span></samp>’ before
running ‘<samp><span class="samp">make check</span></samp>’, or the test suite will pick up installed
versions of Kerberos libraries rather than the newly built ones. You
can install into a prefix that isn't in the system library search path,
though. Alternatively, you can configure with <code>--disable-rpath</code>,
which renders the build tree less suitable for installation, but allows
testing without interference from previously installed libraries.
<li>In order to test the RPC layer, the local system has to be running the
<samp><span class="command">portmap</span></samp> daemon and it has to be listening on the regular
network interface (not just localhost).
<li><a accesskey="1" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>
<li><a accesskey="2" href="#The-KADM5-Tests">The KADM5 Tests</a>
<a name="The-DejaGnu-Tests"></a>
Next: <a rel="next" accesskey="n" href="#The-KADM5-Tests">The KADM5 Tests</a>,
Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>
<h4 class="subsection">3.6.1 The DejaGnu Tests</h4>
<p>Some of the built-in regression tests are set up to use the DejaGnu
framework for running tests. These tests tend to be more comprehensive
than the normal built-in tests, as they set up test servers and exercise
client/server activities.
<p>DejaGnu may be found wherever GNU software is archived.
<a name="The-KADM5-Tests"></a>
Previous: <a rel="previous" accesskey="p" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>,
Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>
<h4 class="subsection">3.6.2 The KADM5 Tests</h4>
<p>Regression tests for the KADM5 system, including the GSS-RPC, KADM5
client and server libraries, and kpasswd, are also included in this
release. Each set of KADM5 tests is contained in a sub-directory called
<code>unit-test</code> directly below the system being tested. For example,
lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all
based on DejaGnu, although they are not considered part of "The DejaGnu
Tests", a name which predates the inclusion of the KADM5 system. In
addition, they require the Tool Command Language (Tcl) header files and
libraries to be available during compilation, and some of the tests also
require Perl in order to operate. If any of these resources is
unavailable during configuration, the KADM5 tests will not run. The Tcl
installation directory can be specified with the <code>--with-tcl</code>
configure option. (See <a href="#Options-to-Configure">Options to Configure</a>.) The runtest and
perl programs must be in the current execution path.
<p>If you install DejaGnu, Tcl, or Perl after configuring and building
Kerberos and then want to run the KADM5 tests, you will need to
re-configure the tree and run <code>make</code> at the top level again to make
sure all the proper programs are built. To save time, you actually only
need to reconfigure and build in the directories src/kadmin/testing,
src/lib/rpc, and src/lib/kadm5.
<a name="Options-to-Configure"></a>
Next: <a rel="next" accesskey="n" href="#osconf_002eh">osconf.h</a>,
Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.7 Options to Configure</h3>
<p>There are a number of options to ‘<samp><span class="samp">configure</span></samp>’ which you can use to
control how the Kerberos distribution is built. The following table
lists the most commonly used options to Kerberos V5's ‘<samp><span class="samp">configure</span></samp>’
<dt><code>--help</code><dd>
Provides help to configure. This will list the set of commonly used
options for building Kerberos.
<br><dt><code>--prefix=PREFIX</code><dd>
By default, Kerberos will install the package's files rooted at
`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
desire a different location, use this option.
<br><dt><code>--exec-prefix=EXECPREFIX</code><dd>
This option allows one to separate the architecture-dependent programs
and libraries from the architecture-independent configuration files and
manual pages.
<br><dt><code>--localstatedir=LOCALSTATEDIR</code><dd>
This option sets the directory for locally modifiable single-machine
data. In Kerberos, this mostly is useful for setting a location for the
KDC data files, as they will be installed in
<code>LOCALSTATEDIR/krb5kdc</code>, which is by default
<code>PREFIX/var/krb5kdc</code>.
<br><dt><code>CC=COMPILER</code><dd>
Use <code>COMPILER</code> as the C compiler.
<br><dt><code>CFLAGS=FLAGS</code><dd>
Use <code>FLAGS</code> as the default set of C compiler flags.
<p>Note that if you use the native Ultrix compiler on a
DECstation you are likely to lose if you pass no flags to cc; md4.c
takes an estimated 3,469 billion years to compile if you provide neither
the ‘<samp><span class="samp">-g</span></samp>’ flag nor the ‘<samp><span class="samp">-O</span></samp>’ flag to ‘<samp><span class="samp">cc</span></samp>’.
<br><dt><code>CPPFLAGS=CPPOPTS</code><dd>
Use <code>CPPOPTS</code> as the default set of C preprocessor flags. The most
common use of this option is to select certain <code>#define</code>'s for use
with the operating system's include files.
<br><dt><code>LD=LINKER</code><dd>
Use <code>LINKER</code> as the default loader if it should be different from the C
compiler as specified above.
<br><dt><code>LDFLAGS=LDOPTS</code><dd>
This option allows one to specify optional arguments to be passed to the
linker. This might be used to specify optional library paths.
<br><dt><code>--with-krb4</code><dd>
This option enables Kerberos V4 backwards compatibility using the
builtin Kerberos V4 library.
<br><dt><code>--with-krb4=KRB4DIR</code><dd>
This option enables Kerberos V4 backwards compatibility using a
pre-existing Kerberos V4 installation. The directory specified by
<code>KRB4DIR</code> specifies where the V4 header files should be found
(<samp><span class="file">KRB4DIR/include</span></samp>) as well as where the V4 Kerberos library should
be found (<samp><span class="file">KRB4DIR/lib</span></samp>).
<br><dt><code>--without-krb4</code><dd>
Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
clients from using the V5 services including the KDC. This would be
useful if you know you will never install or need to interact with V4
<br><dt><code>--with-netlib[=libs]</code><dd>
Allows the network libraries to be suppressed or replaced. By
default, Kerberos V5 configuration will look for <code>-lnsl</code> and
<code>-lsocket</code>. If your operating system has a broken resolver library
(see <a href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in
<samp><span class="file">src/tests/resolv</span></samp> you will need to use this option.
<br><dt><code>--with-tcl=TCLPATH</code><dd>
Some of the unit tests in the build tree rely on Tcl. The directory
specified by <code>TCLPATH</code> specifies where the Tcl header file
(<samp><span class="file">TCLPATH/include/tcl.h</span></samp>) as well as the Tcl library
(<samp><span class="file">TCLPATH/lib</span></samp>) should be found.
<br><dt><code>--enable-shared</code><dd>
This option will turn on the building and use of shared library objects
in the Kerberos build. This option is only supported on certain
<br><dt><code>--enable-dns</code><br><dt><code>--enable-dns-for-kdc</code><br><dt><code>--enable-dns-for-realm</code><dd>
Enable the use of DNS to look up a host's Kerberos realm, or a realm's
KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to
locate the KDCs, and <a href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a> for
information about using DNS to determine the default realm. By default,
DNS lookups are enabled for the former but not for the latter; realm
lookup is left off because DNS replies are not authenticated, so a
spoofed record could map a host onto a realm of the attacker's choosing.
<br><dt><code>--disable-kdc-lookaside-cache</code><dd>
Disables the cache in the KDC which detects retransmitted client
requests and resends the previous responses to them.
<br><dt><code>--with-system-et</code><dd>
Use an installed version of the error-table support software, the
‘<samp><span class="samp">compile_et</span></samp>’ program, the <samp><span class="file">com_err.h</span></samp> header file and the
<samp><span class="file">com_err</span></samp> library. If these are not in the default locations,
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
<p>If this option is not given, a version supplied with the Kerberos
sources will be built and installed along with the rest of the
Kerberos tree, for Kerberos applications to link against.
<br><dt><code>--with-system-ss</code><dd>
Use an installed version of the subsystem command-line interface
software, the ‘<samp><span class="samp">mk_cmds</span></samp>’ program, the <samp><span class="file">ss/ss.h</span></samp> header file
and the <samp><span class="file">ss</span></samp> library. If these are not in the default locations,
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
well. See also the ‘<samp><span class="samp">SS_LIB</span></samp>’ option.
<p>If this option is not given, the <samp><span class="file">ss</span></samp> library supplied with the
Kerberos sources will be compiled and linked into those programs that
need it; it will not be installed separately.
<br><dt><code>SS_LIB=libs...</code><dd>
If ‘<samp><span class="samp">-lss</span></samp>’ is not the correct way to link in your installed
<samp><span class="file">ss</span></samp> library, for example if additional support libraries are
needed, specify the correct link options here. Some variants of this
library are around which allow for Emacs-like line editing, but
different versions require different support libraries to be
explicitly specified.
<p>This option is ignored if ‘<samp><span class="samp">--with-system-ss</span></samp>’ is not specified.
<br><dt><code>--with-system-db</code><dd>
Use an installed version of the Berkeley DB package, which must
provide an API compatible with version 1.85. This option is
<em>unsupported</em> and untested. In particular, we do not know if the
database-rename code used in the dumpfile load operation will behave
<p>If this option is not given, a version supplied with the Kerberos
sources will be built and installed. (We are not updating this
version at this time because of licensing issues with newer versions
that we haven't investigated sufficiently yet.)
<br><dt><code>DB_HEADER=headername.h</code><dd>
If ‘<samp><span class="samp">db.h</span></samp>’ is not the correct header file to include to compile
against the Berkeley DB 1.85 API, specify the correct header file name
with this option. For example, ‘<samp><span class="samp">DB_HEADER=db3/db_185.h</span></samp>’.
<br><dt><code>DB_LIB=libs...</code><dd>
If ‘<samp><span class="samp">-ldb</span></samp>’ is not the correct library specification for the
Berkeley DB library version to be used, override it with this option.
For example, ‘<samp><span class="samp">DB_LIB=-ldb-3.3</span></samp>’.
<br><dt><code>--with-crypto-impl=IMPL</code><dd>
Use the specified crypto implementation instead of the built-in default.
Currently the only alternative is <code>openssl</code>, which requires
OpenSSL version 1.0.0 or later.
<p>For example, in order to configure Kerberos on a Solaris machine using
the ‘<samp><span class="samp">suncc</span></samp>’ compiler with the optimizer turned on, run the configure
script with the following options:
<pre class="example"> % ./configure CC=suncc CFLAGS=-O
</pre>
<p>For a slightly more complicated example, consider a system where
several packages to be used by Kerberos are installed in
‘<samp><span class="samp">/usr/foobar</span></samp>’, including Berkeley DB 3.3, and an ‘<samp><span class="samp">ss</span></samp>’
library that needs to link against the ‘<samp><span class="samp">curses</span></samp>’ library. The
configuration of Kerberos might be done thus:
<pre class="example"> % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
     --with-system-et --with-system-ss --with-system-db \
     SS_LIB='-lss -lcurses' \
     DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
</pre>
<p>In previous releases, <code>--with-</code> options were used to specify the
compiler and linker and their options.
<a name="osconf.h"></a>
<a name="osconf_002eh"></a>
Next: <a rel="next" accesskey="n" href="#Shared-Library-Support">Shared Library Support</a>,
Previous: <a rel="previous" accesskey="p" href="#Options-to-Configure">Options to Configure</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.8 <samp><span class="file">osconf.h</span></samp></h3>
<p>There is one configuration file which you may wish to edit to control
various compile-time parameters in the Kerberos distribution:
<samp><span class="file">include/stock/osconf.h</span></samp>. The list that follows is by no means
complete, just some of the more interesting variables.
<p>Please note: The former configuration file <samp><span class="file">config.h</span></samp> no longer
exists as its functionality has been merged into the auto-configuration
process. See <a href="#Options-to-Configure">Options to Configure</a>.
<dt><code>DEFAULT_PROFILE_PATH</code><dd>
The pathname to the file which contains the profiles for the known realms,
their KDCs, etc. The default value is /etc/krb5.conf.
<p>The profile file format is no longer the same format as Kerberos V4's
<samp><span class="file">krb.conf</span></samp> file.
<br><dt><code>DEFAULT_KEYTAB_NAME</code><dd>
The type and pathname to the default server keytab file (the
equivalent of Kerberos V4's <samp><span class="file">/etc/srvtab</span></samp>). The default is
<br><dt><code>DEFAULT_KDC_ENCTYPE</code><dd>
The default encryption type for the KDC. The default value is
<br><dt><code>KDCRCACHE</code><dd>
The name of the replay cache used by the KDC. The default value is
<br><dt><code>RCTMPDIR</code><dd>
The directory which stores replay caches. The default is to try
/var/tmp, /usr/tmp, /var/usr/tmp, and /tmp.
<br><dt><code>DEFAULT_KDB_FILE</code><dd>
The location of the default database. The default value is
/usr/local/var/krb5kdc/principal.
<a name="Shared-Library-Support"></a>
Next: <a rel="next" accesskey="n" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Previous: <a rel="previous" accesskey="p" href="#osconf_002eh">osconf.h</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.9 Shared Library Support</h3>
<p>Shared library support is provided for a few operating systems. There
are restrictions as to which compiler to use when using shared
libraries. In all cases, executables linked with the shared libraries in
this build process have the location of the libraries built in, which
removes the need for LD_LIBRARY_PATH and similar environment
variables when using the programs. Except where noted, multiple versions
of the libraries may be installed on the same system and continue to
<p>Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS
5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows
<p>Shared library support has been tested on the following platforms but
not exhaustively (they have been built but not necessarily tested in an
installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and
<p>Platforms for which there is shared library support but not significant
testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x
<p>To enable shared libraries on the above platforms, run the configure
script with the option ‘<samp><span class="samp">--enable-shared</span></samp>’.
<a name="OS-Incompatibilities"></a>
<h3 class="section">3.10 Operating System Incompatibilities</h3>
<p>This section details operating system incompatibilities with Kerberos V5
which have been reported to the developers at MIT. If you find
additional incompatibilities, and/or discover workarounds to such
problems, please send a report via the <code>krb5-send-pr</code> program.
<ul>
<li><a accesskey="1" href="#AIX">AIX</a>
<li><a accesskey="2" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>
<li><a accesskey="3" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>
<li><a accesskey="4" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>
<li><a accesskey="5" href="#BSDI">BSDI</a>
<li><a accesskey="6" href="#HPUX">HPUX</a>
<li><a accesskey="7" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>
<li><a accesskey="8" href="#Solaris-2_002eX">Solaris 2.X</a>
<li><a accesskey="9" href="#Solaris-9">Solaris 9</a>
<li><a href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>
<li><a href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>
</ul>
<h4 class="subsection">3.10.1 AIX</h4>
<p>The AIX 3.2.5 linker dumps core trying to build a shared
‘<samp><span class="samp">libkrb5.a</span></samp>’ produced with the GNU C compiler. The native AIX
compiler works fine. This problem is fixed by using the AIX 4.1 linker.
<a name="Alpha-OSF%2f1-V1.3"></a>
<a name="Alpha-OSF_002f1-V1_002e3"></a>
<h4 class="subsection">3.10.2 Alpha OSF/1 V1.3</h4>
<p>Using the native compiler, compiling with the ‘<samp><span class="samp">-O</span></samp>’ compiler flag
causes the <code>asn.1</code> library to be compiled incorrectly.
<p>Using GCC version 2.6.3 or later instead of the native compiler also works
fine, with or without optimization.
<a name="Alpha-OSF%2f1-V2.0"></a>
<a name="Alpha-OSF_002f1-V2_002e0"></a>
<h4 class="subsection">3.10.3 Alpha OSF/1 V2.0</h4>
<p>There used to be a bug when the native compiler compiled
<samp><span class="file">md4.c</span></samp> without either the ‘<samp><span class="samp">-O</span></samp>’ or ‘<samp><span class="samp">-g</span></samp>’
compiler option. We have changed the code and there is no problem
under V2.1, but we do not have access to V2.0 to test whether the
problem would exist there. (We welcome feedback on this issue.) There
was never a problem when using GCC version 2.6.3.
<p>In version 3.2 and beyond of the operating system, we have not seen
this sort of problem with the native compiler.
<a name="Alpha-OSF%2f1-V4.0"></a>
<a name="Alpha-OSF_002f1-V4_002e0"></a>
<h4 class="subsection">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</h4>
<p>The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)
defaults to an extended K&R C mode, not ANSI C. You need to provide
the ‘<samp><span class="samp">-std</span></samp>’ argument to the compiler (i.e., ‘<samp><span class="samp">./configure
CC='cc -std'</span></samp>’) to enable extended ANSI C mode. More recent versions
of the operating system, such as 5.0, seem to have C compilers which
default to ‘<samp><span class="samp">-std</span></samp>’.
<!-- @node Alpha Tru64 UNIX 5.0 -->
<!-- @subsection Alpha Tru64 UNIX 5.0 -->
<!-- ... login.krb5 problems -->
<h4 class="subsection">3.10.5 BSDI</h4>
<p>BSDI versions 1.0 and 1.1 reportedly have a bad ‘<samp><span class="samp">sed</span></samp>’ which causes
it to go into an infinite loop during the build. The workaround is
to use a ‘<samp><span class="samp">sed</span></samp>’ from somewhere else, such as GNU. (This may be
true for some versions of other systems derived from BSD 4.4, such as
NetBSD and FreeBSD.)
<h4 class="subsection">3.10.6 HPUX</h4>
<p>The native (bundled) compiler for HPUX currently will not work,
because it is not a full ANSI C compiler. The optional ANSI C
compiler should work as long as you give it the ‘<samp><span class="samp">-Ae</span></samp>’ flag
(i.e. ‘<samp><span class="samp">./configure CC='cc -Ae'</span></samp>’). This is equivalent to
‘<samp><span class="samp">./configure CC='c89 -D_HPUX_SOURCE'</span></samp>’, which was the previous
recommendation. This has only been tested recently for HPUX 10.20.
<p>You will need to configure with ‘<samp><span class="samp">--disable-shared
--enable-static</span></samp>’, because as of 1.4 we don't have support for HPUX
shared library finalization routines, nor (yet) the option to ignore
that lack of support (which means repeated
<code>dlopen</code>/<code>dlclose</code> cycles on the Kerberos libraries may not
be safe) and build the shared libraries anyway.
<p>You will also need to configure the build tree with
‘<samp><span class="samp">--disable-thread-support</span></samp>’ if you are on HPUX 10 and do not have
the DCE development package installed, because that's where the
<code>pthread.h</code> header file is found. (We don't know if our code
will work with such a package installed, because according to some HP
documentation, their <code>pthread.h</code> has to be included before any
other header files, and our code doesn't do that.)
<p>If you use GCC, it may work, but some versions of GCC have omitted
certain important preprocessor defines, like <code>__STDC_EXT__</code> and
<code>__hpux</code>.
<a name="Solaris-versions-2.0-through-2.3"></a>
<a name="Solaris-versions-2_002e0-through-2_002e3"></a>
<h4 class="subsection">3.10.7 Solaris versions 2.0 through 2.3</h4>
<p>The <code>gethostbyname()</code> routine is broken; it does not return a fully
qualified domain name, even if you are using the Domain Name Service
routines. Since Kerberos V5 uses the fully qualified domain name as the
second component of a service principal (e.g.,
‘<samp><span class="samp">host/tsx-11.mit.edu@ATHENA.MIT.EDU</span></samp>’), this causes problems for servers
that try to figure out their own fully qualified domain name.
<ul>
<li> Supply your own resolver library. (such as bind-4.9.3pl1 available
<li> Upgrade to Solaris 2.4
<li> Make sure your /etc/nsswitch.conf has `files' before `dns' like:
<pre class="example"> hosts: files dns
</pre>
<p>and then in /etc/hosts, make sure there is a line with your
workstation's IP address and hostname, with the fully qualified domain
name first. Example:
<pre class="example"> 18.172.1.4 dcl.mit.edu dcl
</pre>
<p>Note that making this change may cause other programs in your
environment to break or behave differently.
</ul>
<a name="Solaris-2.X"></a>
<a name="Solaris-2_002eX"></a>
<h4 class="subsection">3.10.8 Solaris 2.X</h4>
<p>You <b>must</b> compile Kerberos V5 without the UCB compatibility
libraries. This means that <samp><span class="file">/usr/ucblib</span></samp> must not be in the
LD_LIBRARY_PATH environment variable when you compile it. Alternatively
you can use the <code>-i</code> option to ‘<samp><span class="samp">cc</span></samp>’, by specifying the
<code>CFLAGS=-i</code> option to ‘<samp><span class="samp">configure</span></samp>’.
<p>If you are compiling for a 64-bit execution environment, you may need
to configure with the option <code>CFLAGS="-D_XOPEN_SOURCE=500
-D__EXTENSIONS__"</code>. This is not well tested; at MIT we work primarily
with the 32-bit execution environment.
<a name="Solaris-9"></a>
<h4 class="subsection">3.10.9 Solaris 9</h4>
<p>Solaris 9 has a kernel race condition which causes the final output
written to the slave side of a pty to be lost upon the final close()
of the slave device. This causes the dejagnu-based tests to fail
intermittently. A workaround exists, but requires some help from the
scheduler, and “make check” must be executed from a shell with
elevated priority limits.
<p>Run something like
<p><code>priocntl -s -c FX -m 30 -p 30 -i pid nnnn</code>
<p>as root, where <code>nnnn</code> is the pid of the shell whose priority
limit you wish to raise.
<p>Sun has released kernel patches for this race condition. Apply patch
117171-11 for sparc, or patch 117172-11 for x86. Later revisions of
the patches should also work. It is not necessary to run “make
check” from a shell with elevated priority limits once the patch has
<a name="SGI-Irix-5.X"></a>
<a name="SGI-Irix-5_002eX"></a>
<h4 class="subsection">3.10.10 SGI Irix 5.X</h4>
<p>If you are building in a tree separate from the source tree, the vendor's
version of make does not work properly with regard to
‘<samp><span class="samp">VPATH</span></samp>’. It also has problems with standard inference rules in 5.2
(not tested yet in 5.3), so one needs to use GNU make.
<p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code>
library in which the routine <code>gethostbyname()</code> is broken. The
system-supplied version in <code>-lc</code> appears to work, though, so one may
simply specify the <code>--with-netlib</code> option to ‘<samp><span class="samp">configure</span></samp>’.
<p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and
is no longer an issue.
<a name="Ultrix-4.2%2f3"></a>
<a name="Ultrix-4_002e2_002f3"></a>
<h4 class="subsection">3.10.11 Ultrix 4.2/3</h4>
<p>The DEC MIPS platform currently will not support the native compiler,
since the Ultrix compiler is not a full ANSI C compiler. You should use
<a name="Using-Autoconf"></a>
<h3 class="section">3.11 Using ‘<samp><span class="samp">Autoconf</span></samp>’</h3>
<p>(If you are not a developer, you can skip this section.)
<p>In most of the Kerberos V5 source directories, there is a
<samp><span class="file">configure</span></samp> script which automatically determines the compilation
environment and creates the proper Makefiles for a particular
platform. These <samp><span class="file">configure</span></samp> files are generated using
‘<samp><span class="samp">autoconf</span></samp>’, which can be found in the <samp><span class="file">src/util/autoconf</span></samp>
directory in the distribution.
<p>Normal users will not need to worry about running ‘<samp><span class="samp">autoconf</span></samp>’; the
distribution comes with the <samp><span class="file">configure</span></samp> files already prebuilt.
Developers who wish to modify the <samp><span class="file">configure.in</span></samp> files should see
<a href="autoconf.html#Top">Overview</a>.
<p>Note that in order to run ‘<samp><span class="samp">autoconf</span></samp>’, you must have GNU ‘<samp><span class="samp">m4</span></samp>’
in your path. Before you use the ‘<samp><span class="samp">autoconf</span></samp>’ in the Kerberos V5
source tree, you may also need to run ‘<samp><span class="samp">configure</span></samp>’, and then run
‘<samp><span class="samp">make</span></samp>’ in the <samp><span class="file">src/util/autoconf</span></samp> directory in order to
properly set up ‘<samp><span class="samp">autoconf</span></samp>’.
<p>One tool which is provided for the convenience of developers can be
found in <samp><span class="file">src/util/reconf</span></samp>. This program should be run while the
current directory is the top source directory. It will automatically
rebuild any <samp><span class="file">configure</span></samp> files which need rebuilding. If you know
that you have made a change that will require all the
<samp><span class="file">configure</span></samp> files to be rebuilt from scratch, specify the
<code>--force</code> option:
<pre class="example"> % cd /u1/krb5-1.10/src
% ./util/reconf --force
</pre>
<p>The development sources are a raw source tree (before it has been packaged
for public release), without the pre-built <samp><span class="file">configure</span></samp> files.
In order to build from such a source tree, you must do:
<pre class="example"> % cd krb5/util/autoconf
</pre>
<p>Then follow the instructions for building packaged source trees (above).
To install the binaries into a binary tree, do:
<pre class="example"> % cd /u1/krb5-1.10/src
% make install DESTDIR=somewhere-else
</pre>
<a name="Installing-Kerberos-V5"></a>
<h2 class="chapter">4 Installing Kerberos V5</h2>
<p>The sections of this chapter describe procedures for installing
<ul>
<li>UNIX client machines
<li>UNIX Application Servers
</ul>
<ul>
<li><a accesskey="1" href="#Installing-KDCs">Installing KDCs</a>
<li><a accesskey="2" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>
<li><a accesskey="3" href="#UNIX-Application-Servers">UNIX Application Servers</a>
</ul>
<a name="Installing-KDCs"></a>
<h3 class="section">4.1 Installing KDCs</h3>
<p>The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC
contains a copy of the Kerberos database. The master KDC contains the
master copy of the database, which it propagates to the slave KDCs at
regular intervals. All database changes (such as password changes) are
made on the master KDC.
<p>Slave KDCs provide Kerberos ticket-granting services, but not database
administration. This allows clients to continue to obtain tickets when
the master KDC is unavailable.
<p>MIT recommends that you install all of your KDCs to be able
to function as either the master or one of the slaves. This will enable
you to easily switch your master KDC with one of the slaves if
necessary. (See <a href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>.) This installation
procedure is based on that recommendation.
<ul>
<li><a accesskey="1" href="#Install-the-Master-KDC">Install the Master KDC</a>
<li><a accesskey="2" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
<li><a accesskey="3" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>
<li><a accesskey="4" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
<li><a accesskey="5" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>
<li><a accesskey="6" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>
<li><a accesskey="7" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>
<li><a accesskey="8" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>
</ul>
<a name="Install-the-Master-KDC"></a>
<h4 class="subsection">4.1.1 Install the Master KDC</h4>
<p>This installation procedure will require you to go back and forth a
couple of times between the master KDC and each of the slave KDCs. The
first few steps must be done on the master KDC.
<ul>
<li><a accesskey="1" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>
<li><a accesskey="2" href="#krb5_002econf">krb5.conf</a>
<li><a accesskey="3" href="#kdc_002econf">kdc.conf</a>
<li><a accesskey="4" href="#Create-the-Database">Create the Database</a>
<li><a accesskey="5" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>
<li><a accesskey="6" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>
<li><a accesskey="7" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>
<li><a accesskey="8" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>
</ul>
<a name="Edit-the-Configuration-Files"></a>
<h5 class="subsubsection">4.1.1.1 Edit the Configuration Files</h5>
<p>Modify the configuration files, <code>/etc/krb5.conf</code> and
<code>/usr/local/var/krb5kdc/kdc.conf</code>, to reflect the correct
information (such as the hostnames and realm name) for your realm.
MIT recommends that you keep <code>krb5.conf</code> in <code>/etc</code>.
<p>Most of the tags in the configuration have default values that will
work well for most sites. There are some tags in the <code>krb5.conf</code>
file whose values must be specified, and this section will explain
those as well as give an overview of all of the sections in both
configuration files. For more information on changing defaults with
the configuration files, see the Kerberos V5 System Administrator's
Guide sections on configuration files.
<a name="krb5.conf"></a>
<a name="krb5_002econf"></a>
<h5 class="subsubsection">4.1.1.2 krb5.conf</h5>
<p>The <code>krb5.conf</code> file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms. Normally,
you should install your <code>krb5.conf</code> file in the directory
<code>/etc</code>. You can override the default location by setting the
environment variable ‘<samp><span class="samp">KRB5_CONFIG</span></samp>’.
<p>The <code>krb5.conf</code> file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
section may contain zero or more relations, of the form:
<pre class="smallexample"> foo = bar
</pre>
<p class="noindent">or
<pre class="smallexample"> fubar = {
</pre>
<p>Placing a `*' at the end of a line indicates that this is the
<dfn>final</dfn> value for the tag. This means that neither the remainder
of this configuration file nor any other configuration file will be
checked for any other values for this tag.
<p>For example, if you have the following lines:
<pre class="smallexample"> foo = bar*
foo = baz
</pre>
<p>then the second value of foo (baz) would never be read.
<p>The <code>krb5.conf</code> file can include other files using either of the
following directives at the beginning of a line:
<pre class="smallexample"> include <var>FILENAME</var>
includedir <var>DIRNAME</var>
</pre>
<p><var>FILENAME</var> or <var>DIRNAME</var> should be an absolute path. The named
file or directory must exist and be readable. Including a directory
includes all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores. Included profile files
are syntactically independent of their parents, so each included file
must begin with a section header.
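<p>As an added illustration (not code from this guide or from the MIT Kerberos profile library), the following Python parser implements the relation syntax described above: bracketed sections, nested <code>{ }</code> subsections, multi-valued tags, the <code>*</code> final-value marker, and the file-name rule for <code>includedir</code>. The configuration text it parses is constructed for the example.

```python
import re

# Constructed krb5.conf-style text (not from the original page).  The second
# default_realm must be ignored: the first one carries the "*" final marker.
SAMPLE_PROFILE = """\
[libdefaults]
    default_realm = EXAMPLE.COM*
    default_realm = OTHER.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
"""

SECTION_HEADER = re.compile(r"\[([^\]]+)\]")
# includedir reads only names made solely of alphanumerics, dashes, underscores
INCLUDEDIR_NAME = re.compile(r"[A-Za-z0-9_-]+")


def includedir_eligible(name):
    """True if a file of this name inside an includedir directory would be read."""
    return INCLUDEDIR_NAME.fullmatch(name) is not None


def parse_profile(text):
    """Parse profile text into {section: {tag: [values...]}}.

    A value of "{" opens a nested subsection (stored as a dict in the value
    list) and a lone "}" closes it.  A value ending in "*" is final: it is
    stored without the marker and any later value for that tag in the same
    scope is dropped, as the text above describes.
    """
    root = {}
    stack = []      # dicts for the currently open "{" groups; stack[0] = section
    final = set()   # (id(scope), tag) pairs whose value has been marked final

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_HEADER.fullmatch(line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation before any section header: %r" % line)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unmatched '}'")
            stack.pop()
            continue
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed relation: %r" % line)
        tag, value = tag.strip(), value.strip()
        scope = stack[-1]
        if value == "{":
            sub = {}
            scope.setdefault(tag, []).append(sub)
            stack.append(sub)
            continue
        if (id(scope), tag) in final:
            continue                    # an earlier value was final; ignore this one
        if value.endswith("*"):
            value = value[:-1].rstrip()
            final.add((id(scope), tag))
        scope.setdefault(tag, []).append(value)

    if len(stack) > 1:
        raise ValueError("unterminated '{' group")
    return root


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    print(profile["libdefaults"]["default_realm"])          # ['EXAMPLE.COM']
    print(profile["realms"]["EXAMPLE.COM"][0]["kdc"])        # both kdc values
    print(includedir_eligible("kdc-defaults_1"), includedir_eligible("kdc.conf.bak"))
```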
<p>The <code>krb5.conf</code> file may contain any or all of the following
<dl>
<dt><b>libdefaults</b><dd>Contains default values used by the Kerberos V5 library.
<dt><b>login</b><dd>Contains default values used by the Kerberos V5 login program.
<dt><b>appdefaults</b><dd>Contains default values that can be used by Kerberos V5 applications.
<dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection
describes realm-specific information, including where to find the
Kerberos servers for that realm.
<dt><b>domain_realm</b><dd>Contains relations which map domain names and subdomains onto Kerberos
realm names. This is used by programs to determine what realm a host
should be in, given its fully qualified domain name.
<dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
<dt><b>capaths</b><dd>Contains the authentication paths used with direct (nonhierarchical)
cross-realm authentication. Entries in this section are used by the
client to determine the intermediate realms which may be used in
cross-realm authentication. It is also used by the end-service when
checking the transited field for trusted intermediate realms.
<dt><b>plugins</b><dd>Contains tags to register dynamic plugin modules and to turn modules on
</dl>
<p>If you are not using DNS TXT records, you must specify the
<code>default_realm</code> in the <code>libdefaults</code> section. If you are not
using DNS SRV records, you must include the <code>kdc</code> tag for each
realm in the <code>realms</code> section. To communicate with the kadmin
server in each realm, the <code>admin_server</code> tag must be set in the
<code>realms</code> section. If your domain name and realm name are not the
same, you must provide a translation in <code>domain_realm</code>. It is
also highly recommended that you create a <code>[logging]</code> stanza if
the computer will be functioning as a KDC so that the KDC and kadmind
will generate logging output.
<p>An example <code>krb5.conf</code> file:
<pre class="smallexample"> [libdefaults]
default_realm = ATHENA.MIT.EDU

[realms]
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu
admin_server = kerberos.mit.edu
}

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
</pre>
<a name="kdc.conf"></a>
<a name="kdc_002econf"></a>
<h5 class="subsubsection">4.1.1.3 kdc.conf</h5>
<p>The <code>kdc.conf</code> file contains KDC configuration information,
including defaults used when issuing Kerberos tickets. Normally, you
should install your <code>kdc.conf</code> file in the directory
<code>/usr/local/var/krb5kdc</code>. You can override the default
location by setting the environment variable ‘<samp><span class="samp">KRB5_KDC_PROFILE</span></samp>’.
<p>The <code>kdc.conf</code> file is set up in the same format as the
<code>krb5.conf</code> file. (See <a href="#krb5_002econf">krb5.conf</a>.) The <code>kdc.conf</code> file
may contain any or all of the following three sections:
<dl>
<dt><b>kdcdefaults</b><dd>Contains default values for overall behavior of the KDC.
<br><dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection
describes realm-specific information, including where to find the
Kerberos servers for that realm.
<br><dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
</dl>
<a name="Create-the-Database"></a>
<h5 class="subsubsection">4.1.1.4 Create the Database</h5>
<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to
create the Kerberos database and the optional stash file. The
<dfn>stash file</dfn> is a local copy of the master key that resides in
encrypted form on the KDC's local disk. The stash file is used to
authenticate the KDC to itself automatically before starting the
<code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the
machine's boot sequence). The stash file, like the keytab file
(see <a href="#The-Keytab-File">The Keytab File</a> for more information), is a potential
point of entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk. The file
should not be part of any backup of the machine, unless access to the
backup data is secured as tightly as access to the master password
<p>If you choose not to install a stash file, the KDC will prompt you for
the master key each time it starts up. This means that the KDC will
not be able to start automatically, such as after a system reboot.
<p>Note that <code>kdb5_util</code> will prompt you for the master key for the
Kerberos database. This key can be any string. A good key is one you
can remember, but that no one else can guess. Examples of bad keys are
words that can be found in a dictionary, any common or popular name,
especially a famous person (or cartoon character), your username in any
form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of
the sample keys that appear in this manual. One example of a key which
might be good if it did not appear in this manual is “MITiys4K5!”,
which represents the sentence “MIT is your source for Kerberos 5!”
(It's the first letter of each word, substituting the numeral “4” for
the word “for”, and includes the punctuation mark at the end.)
<p>The following is an example of how to create a Kerberos database and
stash file on the master KDC, using the <code>kdb5_util</code> command. (The
line that begins with ⇒ is a continuation of the previous line.)
Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
<b>Initializing database '/usr/local/var/krb5kdc/principal' for
⇒ realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.</b>
<b>Enter KDC database master key:</b> <i><= Type the master password.</i>
<b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i>
</pre>
<p>This will create five files in the directory specified in your
<code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>
and <code>principal.ok</code>; the Kerberos administrative database file,
<code>principal.kadm5</code>; the administrative database lock file,
<code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>. (The
default directory is <code>/usr/local/var/krb5kdc</code>.) If you do not
want a stash file, run the above command without the <code>-s</code> option.
<a name="Add-Administrators-to-the-Acl-File"></a>
<h5 class="subsubsection">4.1.1.5 Add Administrators to the Acl File</h5>
2058
<p>Next, you need to create an Access Control List (acl) file, and put the
Kerberos principal of at least one of the administrators into it. This
file is used by the <code>kadmind</code> daemon to control which principals
may view and make privileged modifications to the Kerberos database
files. The filename should match the value you have set for
“acl_file” in your <code>kdc.conf</code> file. The default file name is
‘<samp><span class="samp">/usr/local/var/krb5kdc/kadm5.acl</span></samp>’.
<p>The format of the file is:

<pre class="smallexample"> Kerberos_principal permissions [target_principal] [restrictions]
</pre>
<p>The Kerberos principal (and optional target principal) can include the
“<b>*</b>” wildcard, so if you want any principal with the instance
“admin” to have full permissions on the database, you could use the
principal “<code>*/admin@REALM</code>” where “REALM” is your Kerberos
realm. <code>target_principal</code> can also include backreferences to
<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i>" matches the
component <i>number</i> in the <code>Kerberos_principal</code>.

<p>Note: a common use of an <i>admin</i> instance is so you can grant
separate permissions (such as administrator access to the Kerberos
database) to a separate Kerberos principal. For example, the user
<code>joeadmin</code> might have a principal for his administrative
use, called <code>joeadmin/admin</code>. This way,
<code>joeadmin</code> would obtain <code>joeadmin/admin</code>
tickets only when he actually needs to use those permissions.
<p>The permissions are represented by single letters; UPPER-CASE letters
represent negative permissions. The permissions are:

<dl>
<dt><b>a</b><dd>allows the addition of principals or policies in the database.
<dt><b>A</b><dd>disallows the addition of principals or policies in the database.
<dt><b>d</b><dd>allows the deletion of principals or policies in the database.
<dt><b>D</b><dd>disallows the deletion of principals or policies in the database.
<dt><b>m</b><dd>allows the modification of principals or policies in the database.
<dt><b>M</b><dd>disallows the modification of principals or policies in the database.
<dt><b>c</b><dd>allows the changing of passwords for principals in the database.
<dt><b>C</b><dd>disallows the changing of passwords for principals in the database.
<dt><b>i</b><dd>allows inquiries to the database.
<dt><b>I</b><dd>disallows inquiries to the database.
<dt><b>l</b><dd>allows the listing of principals or policies in the database.
<dt><b>L</b><dd>disallows the listing of principals or policies in the database.
<dt><b>s</b><dd>allows the explicit setting of the key for a principal
<dt><b>S</b><dd>disallows the explicit setting of the key for a principal
<dt><b>*</b><dd>All privileges (admcil).
<dt><b>x</b><dd>All privileges (admcil); identical to “*”.
</dl>
<p>The restrictions are a string of flags. Allowed restrictions are:

<dl>
<dt><b>[+ -]</b><i>flagname</i><dd>flag is forced to indicated value. The permissible flags are the same
as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and
<code>modprinc</code> commands.
<dt><b>-clearpolicy</b><dd>policy is forced to clear
<dt><b>-policy </b><i>pol</i><dd>policy is forced to be <i>pol</i>
<dt><b>expire </b><i>time</i><dt><b>pwexpire </b><i>time</i><dt><b>maxlife </b><i>time</i><dt><b>maxrenewlife </b><i>time</i><dd>associated value will be forced to MIN(<i>time</i>, requested value)
</dl>

<p>The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.
<p>Here is an example of a <code>kadm5.acl</code> file. Note that order is
important; permissions are determined by the first matching entry.

<pre class="smallexample"> */admin@ATHENA.MIT.EDU *
joeadmin@ATHENA.MIT.EDU ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
*/*@ATHENA.MIT.EDU i
*/admin@EXAMPLE.COM * -maxlife 9h -postdateable
</pre>

<p class="noindent">In the above file, any principal in the
ATHENA.MIT.EDU realm with an <code>admin</code> instance has all
administrative privileges. The user <code>joeadmin</code>
has all permissions with his <code>admin</code> instance,
<code>joeadmin/admin@ATHENA.MIT.EDU</code> (matches the first
line). He has no permissions at all with his <code>null</code> instance,
<code>joeadmin@ATHENA.MIT.EDU</code> (matches the second line).
His root instance has <i>inquire</i> and <i>list</i> permissions with any
other principal that has the instance <code>root</code>. Any principal
in ATHENA.MIT.EDU can inquire, list, or change the password of
their <code>admin</code> instance, but not any other <code>admin</code> instance.
Any principal in the realm <code>ATHENA.MIT.EDU</code> (except for
<code>joeadmin@ATHENA.MIT.EDU</code>, as mentioned above) has
<i>inquire</i> privileges. Finally, any principal with an admin instance
in EXAMPLE.COM has all permissions, but any principal that they
create or modify will not be able to get postdateable tickets or tickets
with a life of longer than 9 hours.
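<p>To make the first-match, wildcard, backreference and restriction rules concrete, here is a small evaluator for files in the format above. It is an added example written against this guide's description, not code from MIT Kerberos or <code>kadmind</code>; the function names (<code>parse_acl</code>, <code>check</code>, <code>apply_restrictions</code>), the duration suffixes it accepts, and its one-for-one matching of principal components (so a two-component pattern such as <code>*/*</code> matches only two-component names) are assumptions of the example. The sample ACL embedded in it is the one shown above.

```python
import re

ALL_PRIVS = frozenset("admcil")   # what "*" and "x" stand for in the table above
TIME_KEYWORDS = {"expire", "pwexpire", "maxlife", "maxrenewlife"}

# The example kadm5.acl from the text, embedded here as sample input.
SAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU *
joeadmin@ATHENA.MIT.EDU ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
*/*@ATHENA.MIT.EDU i
*/admin@EXAMPLE.COM * -maxlife 9h -postdateable
"""

def split_principal(name):
    """'joeadmin/admin@ATHENA.MIT.EDU' -> (['joeadmin', 'admin'], 'ATHENA.MIT.EDU')."""
    comps, realm = name.rsplit("@", 1)          # ValueError if the realm is missing
    return comps.split("/"), realm

def match_principal(pattern, name, backrefs=None):
    """Component-wise match: '*' is any one component; '*N' (target patterns only,
    BACKREFS = the requester's components) must equal requester component N."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if prealm not in ("*", nrealm) or len(pcomps) != len(ncomps):
        return False                             # assumption: components match one-for-one
    for pc, nc in zip(pcomps, ncomps):
        if pc == "*":
            continue
        ref = re.fullmatch(r"\*(\d+)", pc)
        if ref and backrefs is not None:
            idx = int(ref.group(1)) - 1         # "*1" is the first component
            if idx >= len(backrefs) or backrefs[idx] != nc:
                return False
        elif pc != nc:
            return False
    return True

def parse_acl(text):
    """Parse ACL lines into (who, granted, denied, target, restrictions) tuples."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()    # tolerate trailing comments
        if not fields:
            continue
        who, perms, rest = fields[0], fields[1], fields[2:]
        target = None
        # A third field that is not a restriction is the optional target principal.
        if rest and not rest[0].startswith(("+", "-")) and rest[0] not in TIME_KEYWORDS:
            target = rest.pop(0)
        granted, denied = set(), set()
        for ch in perms:
            if ch in "*x":
                granted |= ALL_PRIVS
            elif ch.isupper():
                denied.add(ch.lower())           # upper case = negative permission
            else:
                granted.add(ch)
        rules.append((who, granted, denied, target, rest))
    return rules

def check(rules, requester, priv, target=None):
    """First matching line decides PRIV for REQUESTER; returns (allowed, restrictions)."""
    req_comps, _ = split_principal(requester)
    for who, granted, denied, tpat, restrictions in rules:
        if not match_principal(who, requester):
            continue
        if tpat is not None and (target is None or
                                 not match_principal(tpat, target, req_comps)):
            continue
        if priv in denied:
            return False, []
        return priv in granted, list(restrictions)
    return False, []                             # nothing matched: deny

def parse_duration(text):
    """'9h' -> 32400 seconds; d/h/m/s suffixes, a bare number is seconds (assumed)."""
    num, unit = re.fullmatch(r"(\d+)([dhms]?)", text).groups()
    return int(num) * {"d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}[unit]

def apply_restrictions(restrictions, requested):
    """Force a matched line's restrictions onto an add/modify request (a dict):
    time limits become MIN(limit, requested); +flag/-flag force the flag."""
    result, toks = dict(requested), list(restrictions)
    while toks:
        tok = toks.pop(0)
        key = tok.lstrip("+-")
        if key in TIME_KEYWORDS:
            limit = parse_duration(toks.pop(0))
            result[key] = min(limit, result.get(key, limit))
        elif key == "policy":
            result["policy"] = toks.pop(0)
        elif key == "clearpolicy":
            result["policy"] = None
        else:
            result[key] = tok.startswith("+")
    return result
```

<p>Running <code>check</code> over the sample file reproduces the outcomes described above: <code>joeadmin@ATHENA.MIT.EDU</code> is denied everything by the second line even though the fifth line would grant inquire, <code>joe@ATHENA.MIT.EDU</code> may change the password of <code>joe/admin</code> but not of <code>bob/admin</code>, and the EXAMPLE.COM line returns its restrictions so that <code>apply_restrictions</code> clamps <code>maxlife</code> to nine hours and forces <code>postdateable</code> off.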
<a name="Add-Administrators-to-the-Kerberos-Database"></a>

<h5 class="subsubsection">4.1.1.6 Add Administrators to the Kerberos Database</h5>
<p>Next you need to add administrative principals to the Kerberos database.
(You must add at least one now.) To do this, use <code>kadmin.local</code>
<em>on the master KDC</em>. The administrative principals you create
should be the ones you added to the ACL file. (See <a href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>.) In the following example, the
administration principal <code>admin/admin</code> is created:

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local
<b>kadmin.local:</b> addprinc admin/admin@ATHENA.MIT.EDU
<b>NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU";
assigning "default".</b>
<b>Enter password for principal admin/admin@ATHENA.MIT.EDU:</b> <i><= Enter a password.</i>
<b>Re-enter password for principal admin/admin@ATHENA.MIT.EDU:</b> <i><= Type it again.</i>
<b>Principal "admin/admin@ATHENA.MIT.EDU" created.</b>
</pre>
<a name="Create-a-kadmind-Keytab-(optional)"></a>
<a name="Create-a-kadmind-Keytab-_0028optional_0029"></a>

<h5 class="subsubsection">4.1.1.7 Create a kadmind Keytab (optional)</h5>
<p>The kadmind keytab is the key that the legacy administration daemons
<code>kadmind4</code> and <code>v5passwdd</code> will use to decrypt
administrators' or clients' Kerberos tickets to determine whether or
not they should have access to the database. You need to create the
kadmin keytab with entries for the principals <code>kadmin/admin</code> and
<code>kadmin/changepw</code>. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
keytab, run <code>kadmin.local</code> and use the <code>ktadd</code> command, as
in the following example. (The line beginning with ⇒ is a
continuation of the previous line.):
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local
<b>kadmin.local:</b> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
⇒ kadmin/admin kadmin/changepw
<b> Entry for principal kadmin/admin with kvno 5, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode
with CRC-32 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5,
encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
kadmin.local:</b> quit
</pre>

<p class="noindent">As specified in the ‘<samp><span class="samp">-k</span></samp>’ argument, <code>ktadd</code> will save the
extracted keytab as <code>/usr/local/var/krb5kdc/kadm5.keytab</code>.
The filename you use must be the one specified in your <code>kdc.conf</code>
<a name="Start-the-Kerberos-Daemons"></a>

<h5 class="subsubsection">4.1.1.8 Start the Kerberos Daemons on the Master KDC</h5>
<p>At this point, you are ready to start the Kerberos daemons on the Master
KDC. To do so, type:

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc
<b>shell%</b> /usr/local/sbin/kadmind
</pre>

<p class="noindent">Each daemon will fork and run in the background. Assuming you want
these daemons to start up automatically at boot time, you can add them
to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file. You need to
have a stash file in order to do this.
<p>You can verify that they started properly by checking for their startup
messages in the logging locations you defined in <code>/etc/krb5.conf</code>.
(See <a href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>.) For example:

<pre class="smallexample"> <b>shell%</b> tail /var/log/krb5kdc.log
Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
<b>shell%</b> tail /var/log/kadmin.log
Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
</pre>

<p>Any errors the daemons encounter while starting will also be listed in
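<p>Checking the logs by eye does not scale once there are several KDCs, so here is an added example (not part of this guide) that reads lines in the format shown above and reports, per daemon, whether its start-up message appeared, which PID logged it, and any message logged at a level other than info, notice or debug, which is where start-up errors show up. The two healthy lines are the ones from the <code>tail</code> output above; the failing line is constructed for the example, and the function names are assumptions.

```python
import re

# Layout of the krb5kdc/kadmind log lines shown above, e.g.
# "Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation"
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$")

# The message each daemon writes once it is up, as in the tail output above.
STARTUP_MSG = {"krb5kdc": "commencing operation", "kadmind": "starting"}
INFO_LEVELS = {"info", "notice", "debug"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec

def startup_status(lines):
    """For each daemon in STARTUP_MSG: did it start, which PID, and any
    non-informational messages (the place start-up errors are reported)."""
    status = {d: {"started": False, "pid": None, "errors": []} for d in STARTUP_MSG}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["daemon"] not in status:
            continue
        entry = status[rec["daemon"]]
        if rec["level"].lower() not in INFO_LEVELS:
            entry["errors"].append(rec["msg"])
        elif rec["msg"] == STARTUP_MSG[rec["daemon"]]:
            entry["started"] = True
            entry["pid"] = rec["pid"]
    return status

# Sample input: the two lines from the text, and a constructed failure in
# which the KDC could not read its stash file and never reached "commencing".
HEALTHY_LOG = [
    "Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation",
    "Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting",
]
FAILED_LOG = [  # constructed for this example
    "Dec 02 12:40:01 beeblebrox krb5kdc[3201](Error): while initializing, cannot find/read stored master key",
    "Dec 02 12:40:05 beeblebrox kadmind[3203](info): starting",
]
```

<p>Feed it the output of <code>tail</code> on each log file; a daemon that is neither <code>started</code> nor has an entry in <code>errors</code> most likely logs somewhere other than the location you expected in <code>krb5.conf</code>.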
<a name="Install-the-Slave-KDCs"></a>

<h4 class="subsection">4.1.2 Install the Slave KDCs</h4>
<p>You are now ready to start configuring the slave KDCs. Assuming you are
setting the KDCs up so that you can easily switch the master KDC with
one of the slaves, you should perform each of these steps on the master
KDC as well as the slave KDCs, unless these instructions specify

<ul>
<li><a accesskey="1" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>
<li><a accesskey="2" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>
<li><a accesskey="3" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>
</ul>
<a name="Create-Host-Keys-for-the-Slave-KDCs"></a>

<h5 class="subsubsection">4.1.2.1 Create Host Keys for the Slave KDCs</h5>
<p>Each KDC needs a host principal in the Kerberos database. You can enter
these from any host, once the <code>kadmind</code> daemon is running. For
example, if your master KDC were called
kerberos.mit.edu, and you had two KDC slaves
named kerberos-1.mit.edu and
kerberos-2.mit.edu, you would type the following:

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin
<b>kadmin:</b> addprinc -randkey host/kerberos.mit.edu
<b>NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU";
assigning "default".
Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
kadmin:</b> addprinc -randkey host/kerberos-1.mit.edu
<b>NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU";
assigning "default".
Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</b>
<b>kadmin:</b> addprinc -randkey host/kerberos-2.mit.edu
<b>NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU";
assigning "default".
Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created.</b>
</pre>
<p class="noindent">It is not actually necessary to have the master KDC server in the
Kerberos database, but it can be handy if:

<ul>
<li>anyone will be logging into the machine as something other than root
<li>you want to be able to swap the master KDC with one of the slaves if
</ul>
<a name="Extract-Host-Keytabs-for-the-KDCs"></a>

<h5 class="subsubsection">4.1.2.2 Extract Host Keytabs for the KDCs</h5>
<p>Each KDC (including the master) needs a keytab to decrypt tickets.
Ideally, you should extract each keytab locally on its own KDC. If this
is not feasible, you should use an encrypted session to send them across
the network. To extract a keytab on a KDC called
kerberos.mit.edu, you would execute the following

<pre class="smallexample"> <b>kadmin:</b> ktadd host/kerberos.mit.edu
<b>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with
kvno 1, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.</b>
</pre>

<p class="noindent">Note that the principal must exist in the Kerberos database in order to
<a name="Set-Up-the-Slave-KDCs-for-Database-Propagation"></a>

<h5 class="subsubsection">4.1.2.3 Set Up the Slave KDCs for Database Propagation</h5>
<p>The database is propagated from the master KDC to the slave KDCs via the
<code>kpropd</code> daemon. To set up propagation, create a file on each KDC,
named <code>/usr/local/var/krb5kdc/kpropd.acl</code>, containing the
principals for each of the KDCs.
For example, if the master KDC were
<code>kerberos.mit.edu</code>, the slave KDCs were
<code>kerberos-1.mit.edu</code> and
<code>kerberos-2.mit.edu</code>, and the realm were
<code>ATHENA.MIT.EDU</code>, then the file's contents would be:

<pre class="smallexample"> host/kerberos.mit.edu@ATHENA.MIT.EDU
host/kerberos-1.mit.edu@ATHENA.MIT.EDU
host/kerberos-2.mit.edu@ATHENA.MIT.EDU
</pre>

<p>Then, add the following line to the <code>/etc/inetd.conf</code> file on each KDC:

<pre class="smallexample"> krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
</pre>

<p class="noindent">You also need to add the following lines to <code>/etc/services</code> on each

<pre class="smallexample"> kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
</pre>
<a name="Back-on-the-Master-KDC"></a>

<h4 class="subsection">4.1.3 Back on the Master KDC</h4>
<p>Now that the slave KDCs are able to accept database propagation, you'll
need to propagate the database to each of them.

<ul>
<li><a accesskey="1" href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>
</ul>
<a name="Propagate-the-Database-to-Each-Slave-KDC"></a>

<h5 class="subsubsection">4.1.3.1 Propagate the Database to Each Slave KDC</h5>
<p>First, create a dump of the database on the master KDC, as follows:

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
</pre>

<p>Next, you need to manually propagate the database to each slave KDC, as
in the following example. (The lines beginning with ⇒ are
continuations of the previous line.):

<pre class="smallexample"> /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
⇒ kerberos-1.mit.edu
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
⇒ kerberos-2.mit.edu
</pre>
<p>You will need a script to dump and propagate the database. The
following is an example of a Bourne shell script that will do this.
(Note that the line that begins with ⇒ is a continuation of the
previous line. Remember that you need to replace /usr/local with
the name of the directory in which you installed Kerberos V5.)

<pre class="smallexample"> #!/bin/sh
kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"   # no spaces around "=" in sh
# Dump first; if the dump fails, stop rather than propagate a stale file.
/usr/local/sbin/kdb5_util dump
⇒ /usr/local/var/krb5kdc/slave_datatrans || exit 1
for kdc in $kdclist
do
    /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
done
</pre>

<p class="noindent">You will need to set up a cron job to run this script at the intervals
you decided on earlier (See <a href="#Database-Propagation">Database Propagation</a>.)
<a name="Finish-Installing-the-Slave-KDCs"></a>

<h4 class="subsection">4.1.4 Finish Installing the Slave KDCs</h4>
<p>Now that the slave KDCs have copies of the Kerberos database, you can
create stash files for them and start the <code>krb5kdc</code> daemon.

<ul>
<li><a accesskey="1" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>
<li><a accesskey="2" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>
</ul>
<a name="Create-Stash-Files-on-the-Slave-KDCs"></a>

<h5 class="subsubsection">4.1.4.1 Create Stash Files on the Slave KDCs</h5>
<p>Create stash files, by issuing the following commands on each slave KDC:

<pre class="smallexample"> <b>shell%</b> kdb5_util stash
<b>kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key</b>
<b>Enter KDC database master key:</b> <i><= Enter the database master key.</i>
</pre>

<p>As mentioned above, the stash file is necessary for your KDCs to be able
to authenticate to themselves, such as when they reboot. You could run
your KDCs without stash files, but you would then need to type in the
Kerberos database master key by hand every time you start a KDC daemon.
<a name="Start-the-krb5kdc-Daemon-on-Each-KDC"></a>

<h5 class="subsubsection">4.1.4.2 Start the krb5kdc Daemon on Each KDC</h5>
<p>The final step in configuring your slave KDCs is to run the KDC daemon:

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc
</pre>

<p>As with the master KDC, you will probably want to add this command to
the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will
start the krb5kdc daemon automatically at boot time.
<a name="Add-Kerberos-Principals-to-the-Database"></a>

<h4 class="subsection">4.1.5 Add Kerberos Principals to the Database</h4>
<p>Once your KDCs are set up and running, you are ready to use
<code>kadmin</code> to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described fully in the
“Adding or Modifying Principals” section of the Kerberos V5 System
Administrator's Guide. (See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a
brief description.) The keytab is generated by running <code>kadmin</code>
and issuing the <code>ktadd</code> command.
<a name="Limit-Access-to-the-KDCs"></a>

<h4 class="subsection">4.1.6 Limit Access to the KDCs</h4>
<p>To limit the possibility that your Kerberos database could be
compromised, MIT recommends that each KDC be a dedicated
host, with limited access. If your KDC is also a file server, FTP
server, Web server, or even just a client machine, someone who obtained
root access through a security hole in any of those areas could gain
access to the Kerberos database.
<a name="Switching-Master-and-Slave-KDCs"></a>

<h4 class="subsection">4.1.7 Switching Master and Slave KDCs</h4>
<p>You may occasionally want to use one of your slave KDCs as the master.
This might happen if you are upgrading the master KDC, or if your master
KDC has a disk crash.

<p>Assuming you have configured all of your KDCs to be able to function as
either the master KDC or a slave KDC (as this document recommends), all
you need to do to make the changeover is:

<p>If the master KDC is still running, do the following on the <em>old</em>

<ol>
<li>Kill the <code>kadmind</code> process.
<li>Disable the cron job that propagates the database.
<li>Run your database propagation script manually, to ensure that the slaves
all have the latest copy of the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.) If there is a need to preserve per-principal
policy information from the database, you should do a “kdb5_util dump
-ov” in order to preserve that information and propagate that dump file
securely by some means to the slave so that its database has the correct
state of the per-principal policy information.
</ol>

<p>On the <em>new</em> master KDC:

<ol>
<li>Create a database keytab. (See <a href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>.)
<li>Start the <code>kadmind</code> daemon. (See <a href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>.)
<li>Set up the cron job to propagate the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.)
<li>Switch the CNAMEs of the old and new master KDCs. (If you don't do
this, you'll need to change the <code>krb5.conf</code> file on every client
machine in your Kerberos realm.)
</ol>
<a name="Incremental-Database-Propagation"></a>

<h4 class="subsection">4.1.8 Incremental Database Propagation</h4>
<p>At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
master KDC to the slave KDCs. The incremental propagation support
added in the 1.7 release is intended to address this.

<p>With incremental propagation enabled, all programs on the master KDC
that change the database also write information about the changes to
an “update log” file, maintained as a circular buffer of a certain
size. A process on each slave KDC connects to a service on the master
KDC (currently implemented in the <code>kadmind</code> server) and
periodically requests the changes that have been made since the last
check. By default, this check is done every two minutes. If the
database has just been modified in the previous several seconds
(currently the threshold is hard-coded at 10 seconds), the slave will
not retrieve updates, but instead will pause and try again soon after.
This reduces the likelihood that incremental update queries will cause
delays for an administrator trying to make a bunch of changes to the
database at the same time.
<p>Incremental propagation uses the following entries in the per-realm
data in the KDC config file:

<dl>
<dt><code>iprop_enable</code> (boolean)<dd>If this is set to <code>true</code>, then incremental propagation is
enabled, and (as noted below) normal <code>kprop</code> propagation is
disabled. The default is <code>false</code>.
<br><dt><code>iprop_master_ulogsize</code> (integer)<dd>This indicates the number of entries that should be retained in the
update log. The default is 1000; the maximum number is 2500.
<br><dt><code>iprop_slave_poll</code> (time interval)<dd>This indicates how often the slave should poll the master KDC for
changes to the database. The default is two minutes.
<br><dt><code>iprop_port</code> (integer)<dd>This specifies the port number to be used for incremental
propagation. This is required in both master and slave configuration
<br><dt><code>iprop_logfile</code> (file name)<dd>This specifies where the update log file for the realm database is to
be stored. The default is to use the <code>database_name</code> entry from
the <code>realms</code> section of the config file, with <samp><span class="file">.ulog</span></samp> appended.
(NOTE: If <code>database_name</code> isn't specified in the <code>realms</code>
section, perhaps because the LDAP database back end is being used, or
the file name is specified in the <code>dbmodules</code> section, then the
hard-coded default for <code>database_name</code> is used. Determination of
the <code>iprop_logfile</code> default value will not use values from the
<code>dbmodules</code> section.)
</dl>
<p>Both master and slave sides must have principals named
<code>kiprop/</code><var>hostname</var> (where <var>hostname</var> is, as usual, the
lower-case, fully-qualified, canonical name for the host) registered
and keys stored in the default keytab file (<samp><span class="file">/etc/krb5.keytab</span></samp>).

<p>On the master KDC side, the <code>kiprop/</code><var>hostname</var> principal
must be listed in the <code>kadmind</code> ACL file <code>kadm5.acl</code>, and
given the <code>p</code> privilege.

<p>On the slave KDC side, <code>kpropd</code> should be run. When incremental
propagation is enabled, it will connect to the <code>kadmind</code> on the
master KDC and start requesting updates.

<p>The normal <code>kprop</code> mechanism is disabled by the incremental
propagation support. However, if the slave has been unable to fetch
changes from the master KDC for too long (network problems, perhaps),
the log on the master may wrap around and overwrite some of the
updates that the slave has not yet retrieved. In this case, the slave
will instruct the master KDC to dump the current database out to a
file and invoke a one-time <code>kprop</code> propagation, with special
options to also convey the point in the update log at which the slave
should resume fetching incremental updates. Thus, all the keytab and
ACL setup previously described for <code>kprop</code> propagation is still
<p>There are several restrictions in the current implementation:

<ul>
<li>Changes to password policy objects are not propagated incrementally.
Changes to which policy applies to a principal are propagated.
<li>The master and slave must be able to initiate TCP connections in both
directions, without an intervening NAT.
<li>If the slave has an IPv6 interface address but needs to accept
connections over IPv4, the operating system needs “dual stack” support
(i.e. the ability to accept IPv6 and IPv4 connections on a single IPv6
listener socket). At this time, all modern Unix-like operating systems
have dual stack support except OpenBSD.
</ul>
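<p>The interplay between the update log's size, the 10-second quiet period and the wrap-around fallback described above is easiest to see in a simulation. The following Python is an added example, not code from the MIT or Sun implementation: it models the master's update log as a circular buffer of <code>iprop_master_ulogsize</code> entries numbered by serial, and a slave that polls it, backs off while the database was changed within the last 10 seconds, fetches incrementally while its last serial is still in the log, and falls back to a full dump (the one-time <code>kprop</code> path) once the log has wrapped past it. The class and method names and the in-memory "database" are assumptions of the example.

```python
from collections import deque

class UpdateLog:
    """Master-side update log: a circular buffer of iprop_master_ulogsize entries.
    Every change gets the next serial; a full buffer drops its oldest entry."""

    def __init__(self, ulogsize=1000):
        if not 1 <= ulogsize <= 2500:              # default and maximum stated above
            raise ValueError("ulogsize must be between 1 and 2500")
        self.entries = deque(maxlen=ulogsize)      # (serial, change), oldest first
        self.last_serial = 0
        self.last_change_at = None                 # time of the most recent change
        self.database = []                         # every change ever applied (stand-in DB)

    def record(self, change, now):
        """Apply a change on the master and append it to the log."""
        self.last_serial += 1
        self.entries.append((self.last_serial, change))
        self.database.append(change)
        self.last_change_at = now

    def first_serial(self):
        """Oldest serial still in the log (last_serial + 1 when it is empty)."""
        return self.entries[0][0] if self.entries else self.last_serial + 1

class SlaveKDC:
    """Slave-side poller following the behaviour described in the text."""

    QUIET_SECONDS = 10                             # hard-coded threshold mentioned above

    def __init__(self):
        self.last_serial = 0                       # last update applied locally
        self.database = []
        self.full_resyncs = 0                      # how often the dump+kprop path ran

    def poll(self, master, now):
        """One poll; returns 'busy', 'up-to-date', 'incremental' or 'full-resync'."""
        if master.last_change_at is not None and now - master.last_change_at < self.QUIET_SECONDS:
            return "busy"                          # master was just modified: back off
        if self.last_serial == master.last_serial:
            return "up-to-date"
        if self.last_serial + 1 < master.first_serial():
            # The log wrapped past updates this slave never saw; only a full
            # dump can catch up, and it also conveys the new resume point.
            self.database = list(master.database)
            self.last_serial = master.last_serial
            self.full_resyncs += 1
            return "full-resync"
        for serial, change in master.entries:      # replay only what is newer
            if serial > self.last_serial:
                self.database.append(change)
                self.last_serial = serial
        return "incremental"
```

<p>The boundary worth noting is the last condition: a slave that is exactly <code>ulogsize</code> updates behind can still catch up incrementally, whereas one more update forces the full dump, so a log sized well below the number of changes that can accumulate during a realistic outage turns every outage into a full propagation.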
<ul>
<li><a accesskey="1" href="#Sun_002fMIT-Incremental-Propagation-Differences">Sun/MIT Incremental Propagation Differences</a>
</ul>
<a name="Sun%2fMIT-Incremental-Propagation-Differences"></a>
<a name="Sun_002fMIT-Incremental-Propagation-Differences"></a>

<h5 class="subsubsection">4.1.8.1 Sun/MIT Incremental Propagation Differences</h5>
<p>Sun donated the original code for supporting incremental database
2711
propagation to MIT. Some changes have been made in the MIT source
2712
tree that will be visible to administrators. (These notes are based
2713
on Sun's patches. Changes to Sun's implementation since then may not
<p>The Sun config file support looks for <code>sunw_dbprop_enable</code>,
<code>sunw_dbprop_master_ulogsize</code>, and <code>sunw_dbprop_slave_poll</code>.

<p>The incremental propagation service is implemented as an ONC RPC
service. In the Sun implementation, the service is registered with
<code>rpcbind</code> (also known as <code>portmapper</code>) and the client looks
up the port number to contact. In the MIT implementation, where
interaction with some modern versions of <code>rpcbind</code> doesn't always
work well, the port number must be specified in the config file on
both the master and slave sides.

<p>The Sun implementation hard-codes pathnames in <samp><span class="file">/var/krb5</span></samp> for
the update log and the per-slave <code>kprop</code> dump files. In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per-slave dump files are stored in
<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var>.
<a name="Installing-and-Configuring-UNIX-Client-Machines"></a>
<h3 class="section">4.2 Installing and Configuring UNIX Client Machines</h3>

<p>Client machine installation is much more straightforward than
installation of the KDCs.
<a name="Client-Programs"></a>
<h4 class="subsection">4.2.1 Client Programs</h4>

<p>The Kerberized client programs are <code>kinit</code>, <code>klist</code>,
<code>kdestroy</code>, <code>kpasswd</code>, and <code>ksu</code>. All of these programs
are in the directory <code>/usr/local/bin</code>.

<p>MIT recommends that you use <code>login.krb5</code> in place of
<code>/bin/login</code> to give your users a single-sign-on system. You will
need to make sure your users know to use their Kerberos passwords when

<p>You will also need to educate your users to use the ticket management
programs <code>kinit</code>, <code>klist</code>, <code>kdestroy</code>, and to use the
Kerberos programs <code>ksu</code> and <code>kpasswd</code> in place of their
non-Kerberos counterparts <code>su</code> and <code>passwd</code>.
<a name="Client-Machine-Configuration-Files"></a>
<h4 class="subsection">4.2.2 Client Machine Configuration Files</h4>

<p>Each machine running Kerberos must have a <code>/etc/krb5.conf</code> file.
(See <a href="#krb5_002econf">krb5.conf</a>.)

<p>Also, for most UNIX systems, you must add the appropriate Kerberos
services to each client machine's <code>/etc/services</code> file. If you are
using the default configuration for Kerberos V5, you should be able
to just insert the following lines:

<pre class="smallexample"> kerberos      88/udp     kdc    # Kerberos V5 KDC
 kerberos      88/tcp     kdc    # Kerberos V5 KDC
 kerberos-adm  749/tcp           # Kerberos 5 admin/changepw
 kerberos-adm  749/udp           # Kerberos 5 admin/changepw
 krb5_prop     754/tcp           # Kerberos slave propagation
 krb524        4444/tcp          # Kerberos 5 to 4 ticket translator
</pre>
<a name="Mac-OS-X-Configuration"></a>
<h5 class="subsubsection">4.2.2.1 Mac OS X Configuration</h5>

<p>To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the
directions for generic Unix-based OS's, except for the
<code>/etc/services</code> updates described above.

<p>Mac OS X and Mac OS X Server use a database called NetInfo to store
the contents of files normally found in <code>/etc</code>. Instead of
modifying <code>/etc/services</code>, you should run the following commands
to add the Kerberos service entries to NetInfo:

<pre class="smallexample"> $ niutil -create . /services/kerberos
 $ niutil -createprop . /services/kerberos name kerberos kdc
 $ niutil -createprop . /services/kerberos port 750
 $ niutil -createprop . /services/kerberos protocol tcp udp
 $ niutil -create . /services/krbupdate
 $ niutil -createprop . /services/krbupdate name krbupdate kreg
 $ niutil -createprop . /services/krbupdate port 760
 $ niutil -createprop . /services/krbupdate protocol tcp
 $ niutil -create . /services/kpasswd
 $ niutil -createprop . /services/kpasswd name kpasswd kpwd
 $ niutil -createprop . /services/kpasswd port 761
 $ niutil -createprop . /services/kpasswd protocol tcp
 $ niutil -create . /services/klogin
 $ niutil -createprop . /services/klogin port 543
 $ niutil -createprop . /services/klogin protocol tcp
 $ niutil -create . /services/eklogin
 $ niutil -createprop . /services/eklogin port 2105
 $ niutil -createprop . /services/eklogin protocol tcp
 $ niutil -create . /services/kshell
 $ niutil -createprop . /services/kshell name kshell krcmd
 $ niutil -createprop . /services/kshell port 544
 $ niutil -createprop . /services/kshell protocol tcp
</pre>
<p>In addition to adding services to NetInfo, you must also modify the
resolver configuration in NetInfo so that the machine resolves its own
hostname as a FQDN (fully qualified domain name). By default, Mac OS X
and Mac OS X Server machines query NetInfo to resolve hostnames before
falling back to DNS. Because NetInfo has an unqualified name for all
the machines in the NetInfo database, the machine's own hostname will
resolve to an unqualified name. Kerberos needs a FQDN to look up keys
in the machine's keytab file.

<p>Fortunately, you can change the <code>lookupd</code> caching order to query
DNS first. Run the following NetInfo commands and reboot the machine:

<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts
 $ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
</pre>

<p>Once you have rebooted, you can verify that the resolver now behaves
correctly. Compile the Kerberos 5 distribution and run:

<pre class="smallexample"> $ cd .../src/tests/resolve
</pre>

<p>This will tell you whether or not your machine returns FQDNs on name
lookups. If the test still fails, you can also try turning off DNS
caching. Run the following commands and reboot:

<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts
 $ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent CacheAgent NIAgent NILAgent
</pre>

<p>The remainder of the setup of a Mac OS X client machine or application
server should be the same as for other UNIX-based systems.
<a name="UNIX-Application-Servers"></a>
<h3 class="section">4.3 UNIX Application Servers</h3>

<p>An application server is a host that provides one or more services over
the network. Application servers can be “secure” or “insecure.” A
“secure” host is set up to require authentication from every client
connecting to it. An “insecure” host will still provide Kerberos
authentication, but will also allow unauthenticated clients to connect.

<p>If you have Kerberos V5 installed on all of your client machines,
MIT recommends that you make your hosts secure, to take
advantage of the security that Kerberos authentication affords.
However, if you have some clients that do not have Kerberos V5
installed, you can run an insecure server, and still take advantage of
Kerberos V5's single sign-on capability.
<a name="The-Keytab-File"></a>
<h4 class="subsection">4.3.1 The Keytab File</h4>

<p>All Kerberos server machines need a <dfn>keytab</dfn> file, called
<code>/etc/krb5.keytab</code>, to authenticate to the KDC. The keytab file is
an encrypted, local, on-disk copy of the host's key. The keytab file,
like the stash file (<a href="#Create-the-Database">Create the Database</a>), is a potential
point-of-entry for a break-in, and if compromised, would allow
unrestricted access to its host. The keytab file should be readable
only by root, and should exist only on the machine's local disk. The
file should not be part of any backup of the machine, unless access to
the backup data is secured as tightly as access to the machine's root

<p>In order to generate a keytab for a host, the host must have a principal
in the Kerberos database. The procedure for adding hosts to the
database is described fully in the “Adding or Modifying Principals”
section of the <cite>Kerberos V5 System Administrator's Guide</cite>.
(See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a brief description.)
The keytab is generated by running <code>kadmin</code> and issuing the
<code>ktadd</code> command.

<p>For example, to generate a keytab file to allow the host
trillium.mit.edu to authenticate for the services
<code>host</code>, <code>ftp</code>, and <code>pop</code>, the administrator
<code>joeadmin</code> would issue the command (on

<pre class="smallexample"> <b>trillium%</b> /usr/local/sbin/kadmin
 <b>kadmin5:</b> ktadd host/trillium.mit.edu ftp/trillium.mit.edu
 ⇒ pop/trillium.mit.edu
 <b>kadmin:</b> Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
 kvno 3, encryption type DES-CBC-CRC added to keytab
 WRFILE:/etc/krb5.keytab.
 <b>kadmin:</b> Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
 kvno 3, encryption type DES-CBC-CRC added to keytab
 WRFILE:/etc/krb5.keytab.
 <b>kadmin:</b> Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
 kvno 3, encryption type DES-CBC-CRC added to keytab
 WRFILE:/etc/krb5.keytab.
</pre>

<p>If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (<code>trillium</code>, in the
above example) without sending it unencrypted over the network.
<a name="Some-Advice-about-Secure-Hosts"></a>
<h4 class="subsection">4.3.2 Some Advice about Secure Hosts</h4>

<p>Kerberos V5 can protect your host from certain types of break-ins,
but it is possible to install Kerberos V5 and still leave your host
vulnerable to attack. Obviously an installation guide is not the place
to try to include an exhaustive list of countermeasures for every
possible attack, but it is worth noting some of the larger holes and how

<p>We recommend that backups of secure machines exclude the keytab file
(<code>/etc/krb5.keytab</code>). If this is not possible, the backups should
at least be done locally, rather than over a network, and the backup
tapes should be physically secured.

<p>The keytab file and any programs run by root, including the
Kerberos V5 binaries, should be kept on local disk. The keytab file
should be readable only by root.
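<p>The keytab advice in The Keytab File and in the paragraph above (root-owned, readable only by root, kept as a real file on local disk) can be turned into a routine check. The following POSIX shell functions are an added example written for this guide, not part of the MIT distribution; the keytab path is a parameter, and the <code>stat</code> fallbacks are there so the same script runs on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example, not from the MIT Kerberos V5 Installation Guide.
# Audits the on-disk protection of a keytab file against the guide's
# advice: owned by root, readable only by root, a real local file.

# Print the octal permission bits of a file (GNU stat first, BSD stat second).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print the numeric owner uid of a file (GNU stat first, BSD stat second).
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null
}

# keytab_mode_ok PATH: succeeds when no group or other permission bits are
# set, i.e. the mode ends in "00" (0600, 0400, 0700 pass; 0640, 0644 fail).
keytab_mode_ok() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# keytab_owner_ok PATH: succeeds when the file is owned by uid 0 (root).
keytab_owner_ok() {
    [ "$(file_uid "$1")" = 0 ]
}

# keytab_is_regular PATH: succeeds when PATH is a regular file and not a
# symlink (a symlink could quietly point the keytab at a network mount or
# at a directory that is swept up by backups).
keytab_is_regular() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# keytab_audit [PATH]: report every problem found on stdout; the exit
# status is the number of problems, so 0 means all three checks passed.
keytab_audit() {
    kt=${1:-/etc/krb5.keytab}
    problems=0
    if ! keytab_is_regular "$kt"; then
        echo "$kt: not a regular file (missing, or a symlink)"
        problems=$((problems + 1))
    fi
    if ! keytab_owner_ok "$kt"; then
        echo "$kt: not owned by root (uid '$(file_uid "$kt")')"
        problems=$((problems + 1))
    fi
    if ! keytab_mode_ok "$kt"; then
        echo "$kt: group/other bits set (mode $(file_mode "$kt")), expected 0600"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Running <code>keytab_audit</code> from a cron job on each application server gives a non-zero exit status, and a line per finding, whenever the keytab drifts from the recommended protection.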
<a name="Upgrading-Existing-Kerberos-V5-Installations"></a>
<h2 class="chapter">5 Upgrading Existing Kerberos V5 Installations</h2>

<p>If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
current release with the <code>kdb5_util</code> command. It is only
necessary to perform this dump/undump procedure if you were running a
krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you
were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer
KDC. The process for upgrading a Master KDC involves the following

<ol>
<li>Stop your current KDC and administration
server processes, if any.

<li>Dump your existing Kerberos database to an ASCII file with
<code>kdb5_util</code>'s “dump” command:

<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc
 <b>shell%</b> kdb5_util dump old-kdb-dump
 <b>shell%</b> kdb5_util dump -ov old-kdb-dump.ov
</pre>

<li>Create a new Master KDC installation (see <a href="#Install-the-Master-KDC">Install the Master KDC</a>). If you have a stash file for your current database, choose any
new master password but then copy your existing stash file to the
location specified by your kdc.conf; if you do not have a stash file for
your current database, you must choose the same master password.

<li>Load your old Kerberos database into the new system with
<code>kdb5_util</code>'s “load” command:

<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc
 <b>shell%</b> kdb5_util load old-kdb-dump
 <b>shell%</b> kdb5_util load -update old-kdb-dump.ov
</pre>
</ol>

<p>The “dump -ov” and “load -update” commands are necessary in order to
preserve per-principal policy information, since the default dump format
filters out that information. If you omit those steps, the loaded
database will lose the policy information for each principal

<p>To update a Slave KDC, you must stop the old server processes on the
Slave KDC, install the new server binaries, reload the most recent slave
dump file, and re-start the server processes.
<a name="Upgrading-to-Triple-DES-and-RC4-Encryption-Keys"></a>
<a name="Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys"></a>
<h3 class="section">5.1 Upgrading to Triple-DES Encryption Keys</h3>

<p>Beginning with the 1.2 release from MIT, Kerberos includes
a stronger encryption algorithm called “triple DES” – essentially,
three applications of the basic DES encryption algorithm, greatly
increasing the resistance to a brute-force search for the key by an
attacker. This algorithm is more secure, but encryption is much

<p>Release 1.1 had some support for triple-DES service keys, but with
release 1.2 we have added support for user keys and session keys as
well. Release 1.0 had very little support for multiple cryptosystems,
and some of that software may not function properly in an environment
using triple-DES as well as plain DES.

<p>In the 1.3 release from MIT, Kerberos also includes the RC4
encryption algorithm, a stream cipher symmetric key algorithm
developed in 1987 by Ronald Rivest at RSA Data Security. Please note
that RC4 is not part of the IETF standard.

<p>Because of the way the MIT Kerberos database is structured, the KDC
will assume that a service supports only those encryption types for
which keys are found in the database. Thus, if a service has only a
single-DES key in the database, the KDC will not issue tickets for that
service that use triple-DES or RC4 session keys; it will instead issue
only single-DES session keys, even if other services are already
capable of using triple-DES or RC4. So if you make sure your
application server software is updated before adding a triple-DES or
RC4 key for the service, clients should be able to talk to services at
all times during the updating process.

<p>Normally, the listed <code>supported_enctypes</code> in <code>kdc.conf</code> are
all used when a new key is generated. You can control this with
command-line flags to <code>kadmin</code> and <code>kadmin.local</code>. You may
want to exclude triple-DES and RC4 by default until you have updated a
lot of your application servers, and then change the default to include
triple-DES and RC4. We recommend that you always include
<code>des-cbc-crc</code> in the default list.
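<p>Because the KDC only issues session keys of types for which the service has a key, the rollout described above needs an inventory of which services still hold nothing but single-DES keys. The following shell function is an added example, not part of the MIT distribution: it reads <code>klist -ke</code> output and prints the principals whose every key is single-DES. The sample output it runs on is constructed here (the principal names reuse the guide's trillium.mit.edu example), and the <code>klist_single_des_only</code> wrapper is a hypothetical convenience for a live host.

```shell
#!/bin/sh
# Added example, not from the MIT Kerberos V5 Installation Guide.
# Lists the service principals in a keytab that still hold only single-DES
# keys: exactly the services for which the KDC would keep issuing single-DES
# session keys until a stronger key is added after the server is updated.

# Constructed sample of `klist -ke` output (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/trillium.mit.edu@ATHENA.MIT.EDU (des-cbc-crc)
   4 ftp/trillium.mit.edu@ATHENA.MIT.EDU (des-cbc-crc)
   4 ftp/trillium.mit.edu@ATHENA.MIT.EDU (des3-cbc-sha1)
   2 pop/trillium.mit.edu@ATHENA.MIT.EDU (DEPRECATED:des-cbc-md5)
   5 imap/trillium.mit.edu@ATHENA.MIT.EDU (arcfour-hmac)
'

# single_des_only: read klist -ke output on stdin and print, one per line
# and sorted, every principal whose keys are all single-DES (des-cbc-crc,
# des-cbc-md5, des-cbc-md4, des-cbc-raw).  A principal with at least one
# triple-DES, RC4 or AES key is skipped.  Newer klist versions prefix old
# enctypes with "DEPRECATED:", which is stripped before classifying.
single_des_only() {
    awk '
        # key lines look like: "   3 host/h.example@REALM (des-cbc-crc)"
        /^ *[0-9]+ [^ ]+ \(/ {
            princ = $2
            enc = $3
            gsub(/[()]/, "", enc)
            sub(/^DEPRECATED:/, "", enc)
            seen[princ] = 1
            if (enc !~ /^des-cbc-/) strong[princ] = 1
        }
        END {
            for (p in seen)
                if (!(p in strong)) print p
        }
    ' | sort
}

# klist_single_des_only [KEYTAB]: hypothetical wrapper for a live system;
# requires the krb5 klist binary on PATH and read access to the keytab.
klist_single_des_only() {
    klist -ke "${1:-/etc/krb5.keytab}" | single_des_only
}

# Demo on the constructed sample: prints host/... and pop/... only, since
# ftp/ already has a triple-DES key and imap/ has an RC4 key.
printf '%s' "$SAMPLE_KLIST" | single_des_only
```

Run the inventory on every application server before changing <code>supported_enctypes</code>; a service that still appears in the list has not yet had a stronger key added and will keep working with single-DES clients in the meantime.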
<a name="Bug-Reports-for-Kerberos-V5"></a>
<h2 class="chapter">6 Bug Reports for Kerberos V5</h2>

<p>In any complex software, there will be bugs. If you have successfully
built and installed Kerberos V5, please use the <code>krb5-send-pr</code>
program to fill out a Problem Report should you encounter any errors in

<p>Bug reports that include proposed fixes are especially welcome. If you
do include fixes, please send them using either context diffs or unified
diffs (using ‘<samp><span class="samp">diff -c</span></samp>’ or ‘<samp><span class="samp">diff -u</span></samp>’, respectively). Please be
careful when using “cut and paste” or other such means to copy a patch
into a bug report; depending on the system being used, that can result
in converting TAB characters into spaces, which makes applying the
patches more difficult.

<p>The <code>krb5-send-pr</code> program is installed in the directory
<code>/usr/local/sbin</code>.

<p>The <code>krb5-send-pr</code> program enters the problem report into our
Problem Report Management System (PRMS), which automatically assigns it
to the engineer best able to help you with problems in the assigned

<p>The <code>krb5-send-pr</code> program will try to intelligently fill in as
many fields as it can. You need to choose the <dfn>category</dfn>,
<dfn>class</dfn>, <dfn>severity</dfn>, and <dfn>priority</dfn> of the problem, as well
as giving us as much information as you can about its exact nature.

<p>The PR <b>category</b> will be one of:
<pre class="smallexample"> krb5-admin   krb5-appl   krb5-build   krb5-clients
 krb5-doc     krb5-kdc    krb5-libs    krb5-misc
</pre>

<p class="noindent">Choose the category that best describes the area under which your
<p>The <b>class</b> can be <dfn>sw-bug</dfn>, <dfn>doc-bug</dfn>, <dfn>change-request</dfn>,
or <dfn>support</dfn>. The first two are exactly as their names imply. Use
<i>change-request</i> when the software is behaving according to
specifications, but you want to request changes in some feature or
behavior. The <i>support</i> class is intended for more general questions
about building or using Kerberos V5.

<p>The <b>severity</b> of the problem indicates the problem's impact on the
usability of Kerberos V5. If a problem is <dfn>critical</dfn>, that
means the product, component or concept is completely non-operational,
or some essential functionality is missing, and no workaround is known.
A <dfn>serious</dfn> problem is one in which the product, component or
concept is not working properly or significant functionality is missing.
Problems that would otherwise be considered <i>critical</i> are rated
<i>serious</i> when a workaround is known. A <dfn>non-critical</dfn> problem is
one that is indeed a problem, but one that is having a minimal effect on
your ability to use Kerberos V5. <i>E.g.</i>, the product, component
or concept is working in general, but lacks features, has irritating
behavior, does something wrong, or doesn't match its documentation. The
default severity is <i>serious</i>.

<p>The <b>priority</b> indicates how urgent this particular problem is in
relation to your work. Note that low priority does not imply low
A priority of <dfn>high</dfn> means a solution is needed as soon as possible.
A priority of <dfn>medium</dfn> means the problem should be solved no later
than the next release. A priority of <dfn>low</dfn> means the problem should
be solved in a future release, but it is not important to your work how
soon this happens. The default priority is <i>medium</i>.

<p>Note that a given severity does not necessarily imply a given priority.
For example, a non-critical problem might still have a high priority if
you are faced with a hard deadline. Conversely, a serious problem might
have a low priority if the feature it is disabling is one that you do

<p>It is important that you fill in the <i>release</i> field and tell us
what changes you have made, if any.

<p>A sample filled-out form from a company named “Toasters, Inc.” might
<pre class="smallexample"> To: krb5-bugs@mit.edu
 Subject: misspelled "Kerberos" in title of installation guide
 X-send-pr-version: 3.99
 &gt;Submitter-Id: mit
 &gt;Originator: Jeffrey C. Gilman Bigler
 &gt;Confidential: no
 &gt;Synopsis: Misspelled "Kerberos" in title of installation guide
 &gt;Severity: non-critical
 &gt;Category: krb5-doc
 &gt;Release: 1.0-development
 &lt;machine, os, target, libraries (multiple lines)&gt;
 System: ULTRIX imbrium 4.2 0 RISC
 Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"
 Correct the spelling.
</pre>

<p>If the <code>krb5-send-pr</code> program does not work for you, or if you did
not get far enough in the process to have an installed and working
<code>krb5-send-pr</code>, you can generate your own form, using the above as
<a name="Copyright"></a>
<h2 class="appendix">Appendix A Copyright</h2>

<p>Copyright © 1985-2012 by the Massachusetts Institute of Technology.

<p>All rights reserved.

<p>Export of software employing encryption from the United States of
America may require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software for any purpose and without fee is hereby
granted, provided that the above copyright notice appear in all copies
and that both that copyright notice and this permission notice appear
in supporting documentation, and that the name of M.I.T. not be used
in advertising or publicity pertaining to distribution of the software
without specific, written prior permission. Furthermore if you modify
this software you must label your software as modified software and
not distribute it in such a fashion that it might be confused with the
original MIT software. M.I.T. makes no representations about the
suitability of this software for any purpose. It is provided “as
is” without express or implied warranty.
<p>Documentation components of this software distribution are licensed
under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
(<a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>)

<p>Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.

<p>Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.

<p>“Commercial use” means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
<p>The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in
<code>kadmin/create</code>, <code>kadmin/dbutil</code>, <code>kadmin/passwd</code>,
<code>kadmin/server</code>, <code>lib/kadm5</code>, and portions of
<code>lib/rpc</code>:

<p>Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved

<p>WARNING: Retrieving the OpenVision Kerberos Administration system source
code, as described below, indicates your acceptance of the following
terms. If you do not agree to the following terms, do not retrieve the
OpenVision Kerberos administration system.

<p>You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source Code is
provided to you “AS IS” EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT
LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,
LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR
FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS
AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE
OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR

<p>OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
donated Source Code.

<p>OpenVision Technologies, Inc. has donated this Kerberos Administration
system to MIT for inclusion in the standard Kerberos 5 distribution.
This donation underscores our commitment to continuing Kerberos
technology development and our gratitude for the valuable work which has
been performed by MIT and the Kerberos community.
<p>Portions contributed by Matt Crawford <code>&lt;crawdad@fnal.gov&gt;</code> were work
performed at Fermi National Accelerator Laboratory, which is operated
by Universities Research Association, Inc., under contract
DE-AC02-76CHO3000 with the U.S. Department of Energy.

<p>Portions of <code>src/lib/crypto</code> have the following copyright:

<p>Copyright © 1998 by the FundsXpress, INC.

<p>All rights reserved.

<p>Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of FundsXpress. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. FundsXpress makes no representations about the suitability of
this software for any purpose. It is provided “as is” without express
or implied warranty.

<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
<p>The implementation of the AES encryption algorithm in
<code>src/lib/crypto/builtin/aes</code> has the following copyright:

<p>Copyright © 2001, Dr Brian Gladman <code>&lt;brg@gladman.uk.net&gt;</code>,
All rights reserved.

<p>The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:

<ul>
<li>distributions of this source code include the above copyright
notice, this list of conditions and the following disclaimer;
<li>distributions in binary form include the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other associated materials;
<li>the copyright holder's name is not used to endorse products
built using this software without specific written permission.
</ul>

<p>This software is provided 'as is' with no explcit or implied warranties
in respect of any properties, including, but not limited to, correctness
and fitness for purpose.
<p>Portions contributed by Red Hat, including the pre-authentication
plug-in framework and the NSS crypto implementation, contain the
following copyright:

<p>Copyright © 2006 Red Hat, Inc.<br>
Portions copyright © 2006 Massachusetts Institute of Technology<br>
All Rights Reserved.<br>

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are

<ul>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>Neither the name of Red Hat, Inc., nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
</ul>

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS
IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>The bundled verto source code is subject to the following license:
Copyright 2011 Red Hat, Inc.
<p>Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
<p>The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
<p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
<p>The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
<code>src/lib/gssapi</code>, including the following files:
<pre class="smallexample"> lib/gssapi/generic/gssapi_err_generic.et
lib/gssapi/mechglue/g_accept_sec_context.c
lib/gssapi/mechglue/g_acquire_cred.c
lib/gssapi/mechglue/g_canon_name.c
lib/gssapi/mechglue/g_compare_name.c
lib/gssapi/mechglue/g_context_time.c
lib/gssapi/mechglue/g_delete_sec_context.c
lib/gssapi/mechglue/g_dsp_name.c
lib/gssapi/mechglue/g_dsp_status.c
lib/gssapi/mechglue/g_dup_name.c
lib/gssapi/mechglue/g_exp_sec_context.c
lib/gssapi/mechglue/g_export_name.c
lib/gssapi/mechglue/g_glue.c
lib/gssapi/mechglue/g_imp_name.c
lib/gssapi/mechglue/g_imp_sec_context.c
lib/gssapi/mechglue/g_init_sec_context.c
lib/gssapi/mechglue/g_initialize.c
lib/gssapi/mechglue/g_inquire_context.c
lib/gssapi/mechglue/g_inquire_cred.c
lib/gssapi/mechglue/g_inquire_names.c
lib/gssapi/mechglue/g_process_context.c
lib/gssapi/mechglue/g_rel_buffer.c
lib/gssapi/mechglue/g_rel_cred.c
lib/gssapi/mechglue/g_rel_name.c
lib/gssapi/mechglue/g_rel_oid_set.c
lib/gssapi/mechglue/g_seal.c
lib/gssapi/mechglue/g_sign.c
lib/gssapi/mechglue/g_store_cred.c
lib/gssapi/mechglue/g_unseal.c
lib/gssapi/mechglue/g_userok.c
lib/gssapi/mechglue/g_utils.c
lib/gssapi/mechglue/g_verify.c
lib/gssapi/mechglue/gssd_pname_to_uid.c
lib/gssapi/mechglue/mglueP.h
lib/gssapi/mechglue/oid_ops.c
lib/gssapi/spnego/gssapiP_spnego.h
lib/gssapi/spnego/spnego_mech.c
</pre>
<p>and the initial implementation of incremental propagation, including
the following new or changed files:
<pre class="smallexample"> include/iprop_hdr.h
kadmin/server/ipropd_svc.c
lib/kdb/kdb_convert.c
lib/krb5/error_tables/kdb5_err.et
</pre>
<p>are subject to the following license:
Copyright © 2004 Sun Microsystems, Inc.
<p>Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
“Software”), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
<p>The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
<p>Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
Copyright © 1983 Regents of the University of California.<br>
All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
<p>Portions contributed by Novell, Inc., including the LDAP database
backend, are subject to the following license:
Copyright © 2004-2005, Novell, Inc.<br>
All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
<li>Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>The copyright holder's name is not used to endorse or promote products
derived from this software without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
<p>Portions funded by Sandia National Laboratory
and developed by the University of Michigan's
Center for Information Technology Integration,
including the PKINIT implementation, are subject
to the following license:
COPYRIGHT © 2006-2007<br>
THE REGENTS OF THE UNIVERSITY OF MICHIGAN<br>
<p>Permission is granted to use, copy, create derivative works
and redistribute this software and such derivative works
for any purpose, so long as the name of The University of
Michigan is not used in any advertising or publicity
pertaining to the use of distribution of this software
without specific, written prior authorization. If the
above copyright notice or any other identification of the
University of Michigan is included in any copy of any
portion of this software, then the disclaimer below must
<p>THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
<p>The pkcs11.h file included in the PKINIT code has the
Copyright 2006 g10 Code GmbH<br>
Copyright 2006 Andreas Jellinghaus
<p>This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
<p>This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
<p>Portions contributed by Apple Inc. are subject to the following license:
Copyright 2004-2008 Apple Inc. All Rights Reserved.
Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Apple Inc. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Apple Inc. makes no representations about the suitability of
this software for any purpose. It is provided “as is” without express
or implied warranty.
<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
<p>The implementations of UTF-8 string handling in src/util/support and
src/lib/krb5/unicode are subject to the following copyright and
The OpenLDAP Public License<br>
Version 2.8, 17 August 2003
<p>Redistribution and use of this software and associated documentation
(“Software”), with or without modification, are permitted provided
that the following conditions are met:
<li>Redistributions in source form must retain copyright statements
<li>Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following
disclaimer in the documentation and/or other materials provided
with the distribution, and
<li>Redistributions must contain a verbatim copy of this document.
<p>The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number. You may use
this Software under terms of this license revision or under the
terms of any subsequent revision of the license.
<p>THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
<p>The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing
in this Software without specific, written prior permission. Title
to copyright in this Software shall at all times remain with copyright
<p>OpenLDAP is a registered trademark of the OpenLDAP Foundation.
<p>Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.
<p>Marked test programs in src/lib/krb5/krb have the following copyright:
Copyright © 2006 Kungliga Tekniska Högskolan<br>
(Royal Institute of Technology, Stockholm, Sweden).<br>
All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>Neither the name of KTH nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS “AS IS” AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc
have the following copyright and permission notice:
Copyright © 2010, Oracle America, Inc.
<p>All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
<li>Neither the name of the “Oracle America, Inc.” nor the names of
its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS
IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright © 2006,2007,2009
NTT (Nippon Telegraph and Telephone Corporation). All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer as
the first lines of this file unmodified.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<p>THIS SOFTWARE IS PROVIDED BY NTT “AS IS” AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright 2000 by Carnegie Mellon University
<p>All Rights Reserved
<p>Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Carnegie Mellon
University not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
<p>CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Copyright © 2002 Naval Research Laboratory (NRL/CCS)
<p>Permission to use, copy, modify and distribute this software and its
documentation is hereby granted, provided that both the copyright
notice and this permission notice appear in all copies of the software,
derivative works or modified versions, and any portions thereof.
<p>NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS “AS IS” CONDITION AND
DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER
RESULTING FROM THE USE OF THIS SOFTWARE.
<p>Portions extracted from Internet RFCs have the following copyright
Copyright © The Internet Society (2006).
<p>This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
<p>This document and the information contained herein are provided on an
“AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright © 1991, 1992, 1994 by Cygnus Support.
<p>Permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation.
Cygnus Support makes no representations about the suitability of
this software for any purpose. It is provided “as is” without express
or implied warranty.
Copyright © 2006 Secure Endpoints Inc.
<p>Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the “Software”), to deal in the Software without
restriction, including without limitation the rights to use, copy,
modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
<p>The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
<p>Portions of the implementation of the Fortuna-like PRNG are subject to
the following notice:
Copyright © 2005 Marko Kreen<br>
All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<p>THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS “AS IS” AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
Copyright © 1994 by the University of Southern California
EXPORT OF THIS SOFTWARE from the United States of America may
require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
this software and its documentation in source and binary forms is
hereby granted, provided that any documentation or other materials
related to such distribution or use acknowledge that the software
was developed by the University of Southern California.
<p>DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED “AS IS”. The
University of Southern California MAKES NO REPRESENTATIONS OR
WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
limitation, the University of Southern California MAKES NO
REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
PARTICULAR PURPOSE. The University of Southern
California shall not be held liable for any liability nor for any
direct, indirect, or consequential damages with respect to any
claim by the user or distributor of the ksu software.
Copyright © 1995<br>
The President and Fellows of Harvard University
<p>This code is derived from software contributed to Harvard by
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by the University of
California, Berkeley and its contributors.
<li>Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
Copyright © 2008 by the Massachusetts Institute of Technology.<br>
Copyright 1995 by Richard P. Basch. All Rights Reserved.<br>
Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.<br>
Export of this software from the United States of America may
require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used
in advertising or publicity pertaining to distribution of the software
without specific, written prior permission. Richard P. Basch,
Lehman Brothers and M.I.T. make no representations about the suitability
of this software for any purpose. It is provided “as is” without
express or implied warranty.
<p>The following notice applies to <code>src/lib/krb5/krb/strptime.c</code>:
Copyright © 1997, 1998 The NetBSD Foundation, Inc.<br>
All rights reserved.
<p>This code was contributed to The NetBSD Foundation by Klaus Klein.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by the NetBSD
Foundation, Inc. and its contributors.
<li>Neither the name of The NetBSD Foundation nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
<p>The following notice applies to Unicode library files in
<code>src/lib/krb5/unicode</code>:
Copyright 1997, 1998, 1999 Computing Research Labs,<br>
New Mexico State University
<p>Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the “Software”),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
<p>The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE.
<p>The following notice applies to <code>src/util/support/strlcpy.c</code>:
Copyright © 1998 Todd C. Miller &lt;Todd.Miller@courtesan.com&gt;
<p>Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
<p>THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
<p>The following notice applies to <code>src/util/profile/argv_parse.c</code> and
<code>src/util/profile/argv_parse.h</code>:
Copyright 1999 by Theodore Ts'o.
<p>Permission to use, copy, modify, and distribute this software for
any purpose with or without fee is hereby granted, provided that
the above copyright notice and this permission notice appear in all
copies. THE SOFTWARE IS PROVIDED “AS IS” AND THEODORE TS'O (THE
AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't
it sick that the U.S. culture of lawsuit-happy lawyers requires
this kind of disclaimer?)
<p>The following notice applies to SWIG-generated code in
<code>src/util/profile/profile_tcl.c</code>:
Copyright © 1999-2000, The University of Chicago
<p>This file may be freely redistributed without license or fee provided
this copyright message remains intact.
<p>The following notice applies to portions of <code>src/lib/rpc</code> and
<code>src/include/gssrpc</code>:
Copyright © 2000 The Regents of the University of Michigan.
All rights reserved.
<p>Copyright © 2000 Dug Song &lt;dugsong@UMICH.EDU&gt;.
All rights reserved, all wrongs reversed.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>Neither the name of the University nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>Implementations of the MD4 algorithm are subject to the following
Copyright © 1990, RSA Data Security, Inc. All rights reserved.
<p>License to copy and use this software is granted provided that
it is identified as the “RSA Data Security, Inc. MD4 Message
Digest Algorithm” in all material mentioning or referencing this
software or this function.
<p>License is also granted to make and use derivative works
provided that such works are identified as “derived from the RSA
Data Security, Inc. MD4 Message Digest Algorithm” in all
material mentioning or referencing the derived work.
<p>RSA Data Security, Inc. makes no representations concerning
either the merchantability of this software or the suitability
of this software for any particular purpose. It is provided “as
is” without express or implied warranty of any kind.
<p>These notices must be retained in any copies of any part of this
documentation and/or software.
<p>Implementations of the MD5 algorithm are subject to the following
Copyright © 1990, RSA Data Security, Inc. All rights reserved.
<p>License to copy and use this software is granted provided that
it is identified as the “RSA Data Security, Inc. MD5 Message-
Digest Algorithm” in all material mentioning or referencing this
software or this function.
<p>License is also granted to make and use derivative works
provided that such works are identified as “derived from the RSA
Data Security, Inc. MD5 Message-Digest Algorithm” in all
material mentioning or referencing the derived work.
<p>RSA Data Security, Inc. makes no representations concerning
either the merchantability of this software or the suitability
of this software for any particular purpose. It is provided “as
is” without express or implied warranty of any kind.
<p>These notices must be retained in any copies of any part of this
documentation and/or software.
<p>The following notice applies to <code>src/lib/crypto/crypto_tests/t_mddriver.c</code>:
Copyright © 1990-2, RSA Data Security, Inc. Created 1990. All
rights reserved.
<p>RSA Data Security, Inc. makes no representations concerning either
the merchantability of this software or the suitability of this
software for any particular purpose. It is provided “as is”
without express or implied warranty of any kind.
<p>These notices must be retained in any copies of any part of this
documentation and/or software.
<p>Portions of <code>src/lib/krb5</code> are subject to the following notice:
Copyright © 1994 CyberSAFE Corporation.<br>
Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.<br>
All Rights Reserved.
Export of this software from the United States of America may
require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software.
Neither M.I.T., the Open Computing Security Group, nor
CyberSAFE Corporation make any representations about the suitability of
this software for any purpose. It is provided “as is” without express
or implied warranty.
<p>Portions contributed by PADL Software are subject to the following
Copyright (c) 2011, PADL Software Pty Ltd.
All rights reserved.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<p>1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<p>2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<p>3. Neither the name of PADL Software nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS “AS IS” AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
<p>The bundled libev source code is subject to the following license:
All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>Alternatively, the contents of this package may be used under the terms
of the GNU General Public License ("GPL") version 2 or any later version,
in which case the provisions of the GPL are applicable instead of the
above. If you wish to allow the use of your version of this package only
under the terms of the GPL and not to allow others to use your version of
this file under the BSD license, indicate your decision by deleting the
provisions above and replace them with the notice and other provisions
required by the GPL in this and the other files of this package. If you do
not delete the provisions above, a recipient may use your version of this
file under either the BSD or the GPL.
<div class="contents">
<h2>Table of Contents</h2>
<li><a name="toc_Introduction" href="#Introduction">1 Introduction</a>
<li><a href="#What-is-Kerberos-and-How-Does-it-Work_003f">1.1 What is Kerberos and How Does it Work?</a>
<li><a href="#Why-Should-I-use-Kerberos_003f">1.2 Why Should I use Kerberos?</a>
<li><a href="#Please-Read-the-Documentation">1.3 Please Read the Documentation</a>
<li><a href="#Overview-of-This-Guide">1.4 Overview of This Guide</a>
<li><a name="toc_Realm-Configuration-Decisions" href="#Realm-Configuration-Decisions">2 Realm Configuration Decisions</a>
<li><a href="#Kerberos-Realms">2.1 Kerberos Realms</a>
<li><a href="#Mapping-Hostnames-onto-Kerberos-Realms">2.2 Mapping Hostnames onto Kerberos Realms</a>
<li><a href="#Ports-for-the-KDC-and-Admin-Services">2.3 Ports for the KDC and Admin Services</a>
<li><a href="#Slave-KDCs">2.4 Slave KDCs</a>
<li><a href="#Hostnames-for-the-Master-and-Slave-KDCs">2.5 Hostnames for the Master and Slave KDCs</a>
<li><a href="#Database-Propagation">2.6 Database Propagation</a>
<li><a name="toc_Building-Kerberos-V5" href="#Building-Kerberos-V5">3 Building Kerberos V5</a>
<li><a href="#Organization-of-the-Source-Directory">3.1 Organization of the Source Directory</a>
<li><a href="#The-appl-Directory">3.1.1 The appl Directory</a>
<li><a href="#The-clients-Directory">3.1.2 The clients Directory</a>
<li><a href="#The-gen_002dmanpages-Directory">3.1.3 The gen-manpages Directory</a>
<li><a href="#The-include-Directory">3.1.4 The include Directory</a>
<li><a href="#The-kadmin-Directory">3.1.5 The kadmin Directory</a>
<li><a href="#The-kdc-Directory">3.1.6 The kdc Directory</a>
<li><a href="#The-krb524-Directory">3.1.7 The krb524 Directory</a>
<li><a href="#The-lib-Directory">3.1.8 The lib Directory</a>
<li><a href="#The-prototype-Directory">3.1.9 The prototype Directory</a>
<li><a href="#The-slave-Directory">3.1.10 The slave Directory</a>
<li><a href="#The-util-Directory">3.1.11 The util Directory</a>
<li><a href="#Build-Requirements">3.2 Build Requirements</a>
<li><a href="#Unpacking-the-Sources">3.3 Unpacking the Sources</a>
<li><a href="#Doing-the-Build">3.4 Doing the Build</a>
<li><a href="#Building-Within-a-Single-Tree">3.4.1 Building Within a Single Tree</a>
<li><a href="#Building-with-Separate-Build-Directories">3.4.2 Building with Separate Build Directories</a>
<li><a href="#Building-using-lndir">3.4.3 Building Using ‘<samp><span class="samp">lndir</span></samp>’</a>
<li><a href="#Installing-the-Binaries">3.5 Installing the Binaries</a>
<li><a href="#Testing-the-Build">3.6 Testing the Build</a>
<li><a href="#The-DejaGnu-Tests">3.6.1 The DejaGnu Tests</a>
<li><a href="#The-KADM5-Tests">3.6.2 The KADM5 Tests</a>
<li><a href="#Options-to-Configure">3.7 Options to Configure</a>
<li><a href="#osconf_002eh">3.8 <samp><span class="file">osconf.h</span></samp></a>
<li><a href="#Shared-Library-Support">3.9 Shared Library Support</a>
<li><a href="#OS-Incompatibilities">3.10 Operating System Incompatibilities</a>
<li><a href="#AIX">3.10.1 AIX</a>
<li><a href="#Alpha-OSF_002f1-V1_002e3">3.10.2 Alpha OSF/1 V1.3</a>
<li><a href="#Alpha-OSF_002f1-V2_002e0">3.10.3 Alpha OSF/1 V2.0</a>
<li><a href="#Alpha-OSF_002f1-V4_002e0">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</a>
<li><a href="#BSDI">3.10.5 BSDI</a>
<li><a href="#HPUX">3.10.6 HPUX</a>
<li><a href="#Solaris-versions-2_002e0-through-2_002e3">3.10.7 Solaris versions 2.0 through 2.3</a>
<li><a href="#Solaris-2_002eX">3.10.8 Solaris 2.X</a>
<li><a href="#Solaris-9">3.10.9 Solaris 9</a>
<li><a href="#SGI-Irix-5_002eX">3.10.10 SGI Irix 5.X</a>
<li><a href="#Ultrix-4_002e2_002f3">3.10.11 Ultrix 4.2/3</a>
<li><a href="#Using-Autoconf">3.11 Using ‘<samp><span class="samp">Autoconf</span></samp>’</a>
<li><a name="toc_Installing-Kerberos-V5" href="#Installing-Kerberos-V5">4 Installing Kerberos V5</a>
<li><a href="#Installing-KDCs">4.1 Installing KDCs</a>
<li><a href="#Install-the-Master-KDC">4.1.1 Install the Master KDC</a>
<li><a href="#Edit-the-Configuration-Files">4.1.1.1 Edit the Configuration Files</a>
<li><a href="#krb5_002econf">4.1.1.2 krb5.conf</a>
<li><a href="#kdc_002econf">4.1.1.3 kdc.conf</a>
<li><a href="#Create-the-Database">4.1.1.4 Create the Database</a>
<li><a href="#Add-Administrators-to-the-Acl-File">4.1.1.5 Add Administrators to the Acl File</a>
<li><a href="#Add-Administrators-to-the-Kerberos-Database">4.1.1.6 Add Administrators to the Kerberos Database</a>
<li><a href="#Create-a-kadmind-Keytab-_0028optional_0029">4.1.1.7 Create a kadmind Keytab (optional)</a>
<li><a href="#Start-the-Kerberos-Daemons">4.1.1.8 Start the Kerberos Daemons on the Master KDC</a>
<li><a href="#Install-the-Slave-KDCs">4.1.2 Install the Slave KDCs</a>
<li><a href="#Create-Host-Keys-for-the-Slave-KDCs">4.1.2.1 Create Host Keys for the Slave KDCs</a>
<li><a href="#Extract-Host-Keytabs-for-the-KDCs">4.1.2.2 Extract Host Keytabs for the KDCs</a>
<li><a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">4.1.2.3 Set Up the Slave KDCs for Database Propagation</a>
<li><a href="#Back-on-the-Master-KDC">4.1.3 Back on the Master KDC</a>
<li><a href="#Propagate-the-Database-to-Each-Slave-KDC">4.1.3.1 Propagate the Database to Each Slave KDC</a>
<li><a href="#Finish-Installing-the-Slave-KDCs">4.1.4 Finish Installing the Slave KDCs</a>
<li><a href="#Create-Stash-Files-on-the-Slave-KDCs">4.1.4.1 Create Stash Files on the Slave KDCs</a>
<li><a href="#Start-the-krb5kdc-Daemon-on-Each-KDC">4.1.4.2 Start the krb5kdc Daemon on Each KDC</a>
<li><a href="#Add-Kerberos-Principals-to-the-Database">4.1.5 Add Kerberos Principals to the Database</a>
<li><a href="#Limit-Access-to-the-KDCs">4.1.6 Limit Access to the KDCs</a>
<li><a href="#Switching-Master-and-Slave-KDCs">4.1.7 Switching Master and Slave KDCs</a>
<li><a href="#Incremental-Database-Propagation">4.1.8 Incremental Database Propagation</a>
<li><a href="#Sun_002fMIT-Incremental-Propagation-Differences">4.1.8.1 Sun/MIT Incremental Propagation Differences</a>
<li><a href="#Installing-and-Configuring-UNIX-Client-Machines">4.2 Installing and Configuring UNIX Client Machines</a>
<li><a href="#Client-Programs">4.2.1 Client Programs</a>
<li><a href="#Client-Machine-Configuration-Files">4.2.2 Client Machine Configuration Files</a>
<li><a href="#Mac-OS-X-Configuration">4.2.2.1 Mac OS X Configuration</a>
<li><a href="#UNIX-Application-Servers">4.3 UNIX Application Servers</a>
<li><a href="#The-Keytab-File">4.3.1 The Keytab File</a>
<li><a href="#Some-Advice-about-Secure-Hosts">4.3.2 Some Advice about Secure Hosts</a>
<li><a name="toc_Upgrading-Existing-Kerberos-V5-Installations" href="#Upgrading-Existing-Kerberos-V5-Installations">5 Upgrading Existing Kerberos V5 Installations</a>
<li><a href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">5.1 Upgrading to Triple-DES Encryption Keys</a>
<li><a name="toc_Bug-Reports-for-Kerberos-V5" href="#Bug-Reports-for-Kerberos-V5">6 Bug Reports for Kerberos V5</a>
<li><a name="toc_Copyright" href="#Copyright">Appendix A Copyright</a>
<div class="footnote">
<a name="texinfo-footnotes-in-document"></a><h4>Footnotes</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Kerberos V4 used port 750. If
necessary, you can run on both ports for backward compatibility.</p>