~hartmans/kerberos/trunk-packaging : revision 16824

1

2

<head>

3

<title>Kerberos V5 Installation Guide</title>

4

5

6

7

8

9

<!--

10

11

12

13

pre.display { font-family:inherit }

14

pre.format { font-family:inherit }

15

pre.smalldisplay { font-family:inherit; font-size:smaller }

16

pre.smallformat { font-family:inherit; font-size:smaller }

17

pre.smallexample { font-size:smaller }

18

pre.smalllisp { font-size:smaller }

19

span.sc { font-variant:small-caps }

20

span.roman { font-family:serif; font-weight:normal; }

21

span.sansserif { font-family:sans-serif; font-weight:normal; }

22

--></style>

23

</head>

24

<body>

25

<h1 class="settitle">Kerberos V5 Installation Guide</h1>

26

27

28

<p><hr>

29

Next: <a rel="next" accesskey="n" href="#Introduction">Introduction</a>,

30

Previous: <a rel="previous" accesskey="p" href="#dir">(dir)</a>,

31

Up: <a rel="up" accesskey="u" href="#dir">(dir)</a>

32

33

</div>

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

<li><a accesskey="1" href="#Introduction">Introduction</a>

49

<li><a accesskey="2" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

50

<li><a accesskey="3" href="#Building-Kerberos-V5">Building Kerberos V5</a>

51

<li><a accesskey="4" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

52

<li><a accesskey="5" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>

53

<li><a accesskey="6" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>

54

<li><a accesskey="7" href="#Copyright">Copyright</a>

55

</ul>

56

57

58

59

<p><hr>

60

Next: <a rel="next" accesskey="n" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,

61

Previous: <a rel="previous" accesskey="p" href="#Top">Top</a>,

62

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

63

64

</div>

65

66

<h2 class="chapter">1 Introduction</h2>

67

68

69

<li><a accesskey="1" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>

70

<li><a accesskey="2" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>

71

<li><a accesskey="3" href="#Please-Read-the-Documentation">Please Read the Documentation</a>

72

<li><a accesskey="4" href="#Overview-of-This-Guide">Overview of This Guide</a>

73

</ul>

74

75

76

77

78

<p><hr>

79

Next: <a rel="next" accesskey="n" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,

80

Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,

81

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

82

83

</div>

84

85

<h3 class="section">1.1 What is Kerberos and How Does it Work?</h3>

86

87

<p>Kerberos V5 is based on the Kerberos authentication system developed

88

at MIT. Under Kerberos, a client (generally either a user or a service)

89

sends a request for a ticket to the Key Distribution Center (KDC). The

90

KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client,

91

encrypts it using the client's password as the key, and sends the

92

encrypted TGT back to the client. The client then attempts to decrypt

93

the TGT, using its password. If the client successfully decrypts the

94

TGT (<i>i.e.</i>, if the client gave the correct password), it keeps the

95

decrypted TGT, which indicates proof of the client's identity.

96

97

<p>The TGT, which expires at a specified time, permits the client to obtain

98

additional tickets, which give permission for specific services. The

99

requesting and granting of these additional tickets is user-transparent.

100

101

102

103

104

<p><hr>

105

Next: <a rel="next" accesskey="n" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,

106

Previous: <a rel="previous" accesskey="p" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>,

107

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

108

109

</div>

110

111

<h3 class="section">1.2 Why Should I use Kerberos?</h3>

112

113

<p>Since Kerberos negotiates authenticated, and optionally encrypted,

114

communications between two points anywhere on the Internet, it provides

115

a layer of security that is not dependent on which side of a firewall

116

either client is on. Since studies have shown that half of the computer

117

security breaches in industry happen from <i>inside</i> firewalls,

118

Kerberos V5 from MIT will play a vital role in the

119

security of your network.

120

121

122

123

<p><hr>

124

Next: <a rel="next" accesskey="n" href="#Overview-of-This-Guide">Overview of This Guide</a>,

125

Previous: <a rel="previous" accesskey="p" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,

126

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

127

128

</div>

129

130

<h3 class="section">1.3 Please Read the Documentation</h3>

131

132

<p>As with any software package that uses a centrallized database, the

133

installation procedure is somewhat involved, and requires forethought

134

and planning. MIT has attempted to make this

135

Kerberos V5 Installation Guide as concise as possible, rather than

136

making it an exhaustive description of the details of Kerberos.

137

Consequently, everything in this guide appears because MIT

138

believes that it is important. Please read and follow these

139

instructions carefully.

140

141

<p>This document is one piece of the document set for Kerberos V5. The

142

documents, and their intended audiences, are:

143

144

<ul>

145

<li><b>Kerberos V5 Installation Guide</b>: a concise guide for installing

146

Kerberos V5. Kerberos administrators (particularly whoever will be

147

making site-wide decisions about the installation) and the system

148

administrators who will be installing the software should read this

149

guide.

150

151

<li><b>Kerberos V5 System Administrator's Guide</b>: a sysadmin's guide to

152

administering a Kerberos installation. The System Administrator's Guide

153

describes the administration software and suggests policies and

154

procedures for administering a Kerberos installation. Anyone who will

155

have administrative access to your Kerberos database should read this

156

guide.

157

158

<li><b>Kerberos V5 UNIX User's Guide</b>: a guide to using the Kerberos

159

UNIX client programs. All users on UNIX systems should read this guide,

160

particularly the “Tutorial” section.

161

</ul>

162

163

164

165

<p><hr>

166

Previous: <a rel="previous" accesskey="p" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,

167

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

168

169

</div>

170

171

<h3 class="section">1.4 Overview of This Guide</h3>

172

173

<p class="noindent">The next chapter describes the decisions you need to make before

174

installing Kerberos V5.

175

176

<p class="noindent">Chapter three provided instructions for building the Kerberos sources.

177

178

<p class="noindent">Chapter four describes installation procedures for each class of

179

Kerberos machines:

180

181

182

<li>Key Distribution Centers (KDCs).

183

184

185

<li>The Master KDC.

186

187

<li>Slave KDCs.

188

</ol>

189

190

<li>UNIX client machines

191

192

<li>UNIX application server machines

193

</ol>

194

195

<p class="noindent">Note that a machine can be both a client machine and an application

196

server.

197

198

<p class="noindent">Chapter five describes procedure for updating previous installations of

199

Kerberos V5.

200

201

<p class="noindent">Chapter six describes our problem reporting system.

202

203

204

205

<p><hr>

206

Next: <a rel="next" accesskey="n" href="#Building-Kerberos-V5">Building Kerberos V5</a>,

207

Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,

208

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

209

210

</div>

211

212

<h2 class="chapter">2 Realm Configuration Decisions</h2>

213

214

<p>Before installing Kerberos V5, it is necessary to consider the

215

following issues:

216

217

<ul>

218

<li>The name of your Kerberos realm (or the name of each realm, if you need

219

more than one).

220

221

<li>How you will map your hostnames onto Kerberos realms.

222

223

<li>Which ports your KDC and and kadmin (database access) services will use.

224

225

<li>How many slave KDCs you need and where they should be located.

226

227

<li>The hostnames of your master and slave KDCs.

228

229

<li>How frequently you will propagate the database from the master KDC to

230

the slave KDCs.

231

</ul>

232

233

234

<li><a accesskey="1" href="#Kerberos-Realms">Kerberos Realms</a>

235

<li><a accesskey="2" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>

236

<li><a accesskey="3" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>

237

<li><a accesskey="4" href="#Slave-KDCs">Slave KDCs</a>

238

<li><a accesskey="5" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>

239

<li><a accesskey="6" href="#Database-Propagation">Database Propagation</a>

240

</ul>

241

242

243

244

<p><hr>

245

Next: <a rel="next" accesskey="n" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,

246

Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,

247

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

248

249

</div>

250

251

<h3 class="section">2.1 Kerberos Realms</h3>

252

253

<p>Although your Kerberos realm can be any ASCII string, convention is to

254

make it the same as your domain name, in upper-case letters. For

255

example, hosts in the domain example.com would be in the

256

Kerberos realm EXAMPLE.COM.

257

258

<p>If you need multiple Kerberos realms, MIT recommends that

259

you use descriptive names which end with your domain name, such as

260

BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM.

261

262

263

264

<p><hr>

265

Next: <a rel="next" accesskey="n" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,

266

Previous: <a rel="previous" accesskey="p" href="#Kerberos-Realms">Kerberos Realms</a>,

267

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

268

269

</div>

270

271

<h3 class="section">2.2 Mapping Hostnames onto Kerberos Realms</h3>

272

273

<p>Mapping hostnames onto Kerberos realms is done in one of two ways.

274

275

<p>The first mechanism, which has been in use for years in MIT-based

276

Kerberos distributions, works through a set of rules in

277

the <code>krb5.conf</code> configuration file. (See <a href="#krb5_002econf">krb5.conf</a>.) You can

278

specify mappings for an entire domain or subdomain, and/or on a

279

hostname-by-hostname basis. Since greater specificity takes precedence,

280

you would do this by specifying the mappings for a given domain or

281

subdomain and listing the exceptions.

282

283

<p>The second mechanism works by looking up the information in special

284

<code>TXT</code> records in the Domain Name Service. This is currently not

285

used by default because security holes could result if the DNS TXT

286

records were spoofed. If this mechanism is enabled on the client,

287

it will try to look up a <code>TXT</code> record for the DNS name formed by

288

putting the prefix <code>_kerberos</code> in front of the hostname in question.

289

If that record is not found, it will try using <code>_kerberos</code> and the

290

host's domain name, then its parent domain, and so forth. So for the

291

hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:

292

293

<pre class="smallexample"> _kerberos.boston.engineering.foobar.com

294

_kerberos.engineering.foobar.com

295

_kerberos.foobar.com

296

_kerberos.com

297

</pre>

298

<p>The value of the first TXT record found is taken as the realm name.

299

(Obviously, this doesn't work all that well if a host and a subdomain

300

have the same name, and different realms. For example, if all the hosts

301

in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM

302

realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in

303

another realm. In that case, you would set up TXT records for all

304

hosts, rather than relying on the fallback to the domain name.)

305

306

<p>Even if you do not choose to use this mechanism within your site, you

307

may wish to set it up anyway, for use when interacting with other sites.

308

309

310

311

<p><hr>

312

Next: <a rel="next" accesskey="n" href="#Slave-KDCs">Slave KDCs</a>,

313

Previous: <a rel="previous" accesskey="p" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,

314

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

315

316

</div>

317

318

<h3 class="section">2.3 Ports for the KDC and Admin Services</h3>

319

320

<p>The default ports used by Kerberos are port 88 for the

321

KDC<a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a> and

322

port 749 for the admin server. You can, however,

323

choose to run on other ports, as long as they are specified in each

324

host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the

325

<code>kdc.conf</code> file on each KDC. For a more thorough treatment of

326

port numbers used by the Kerberos V5 programs, refer to the

327

“Configuring Your Firewall to Work With Kerberos V5” section of

328

the <cite>Kerberos V5 System Administrator's Guide</cite>.

329

330

331

332

<p><hr>

333

Next: <a rel="next" accesskey="n" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,

334

Previous: <a rel="previous" accesskey="p" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,

335

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

336

337

</div>

338

339

<h3 class="section">2.4 Slave KDCs</h3>

340

341

<p>Slave KDCs provide an additional source of Kerberos ticket-granting

342

services in the event of inaccessibility of the master KDC. The number

343

of slave KDCs you need and the decision of where to place them, both

344

physically and logically, depends on the specifics of your network.

345

346

<p>All of the Kerberos authentication on your network requires that each

347

client be able to contact a KDC. Therefore, you need to anticipate any

348

likely reason a KDC might be unavailable and have a slave KDC to take up

349

the slack.

350

351

<p>Some considerations include:

352

353

<ul>

354

<li>Have at least one slave KDC as a backup, for when the master KDC is

355

down, is being upgraded, or is otherwise unavailable.

356

357

<li>If your network is split such that a network outage is likely to cause a

358

network partition (some segment or segments of the network to become cut

359

off or isolated from other segments), have a slave KDC accessible to

360

each segment.

361

362

<li>If possible, have at least one slave KDC in a different building from

363

the master, in case of power outages, fires, or other localized

364

disasters.

365

</ul>

366

367

368

369

<p><hr>

370

Next: <a rel="next" accesskey="n" href="#Database-Propagation">Database Propagation</a>,

371

Previous: <a rel="previous" accesskey="p" href="#Slave-KDCs">Slave KDCs</a>,

372

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

373

374

</div>

375

376

<h3 class="section">2.5 Hostnames for the Master and Slave KDCs</h3>

377

378

<p>MIT recommends that your KDCs have a predefined set of

379

CNAME records (DNS hostname aliases), such as <code>kerberos</code>

380

for the master KDC and

381

<code>kerberos-1</code>, <code>kerberos-2</code>, <small class="dots">...</small> for the

382

slave KDCs. This way, if you need to swap a machine, you only need to

383

change a DNS entry, rather than having to change hostnames.

384

385

<p>A new mechanism for locating KDCs of a realm through DNS has been added

386

to the MIT Kerberos V5 distribution. A relatively new

387

record type called <code>SRV</code> has been added to DNS. Looked up by a

388

service name and a domain name, these records indicate the hostname and

389

port number to contact for that service, optionally with weighting and

390

prioritization. (See RFC 2782 if you want more information. You can

391

follow the example below for straightforward cases.)

392

393

<p>The use with Kerberos is fairly straightforward. The domain name used

394

in the SRV record name is the domain-style Kerberos realm name. (It is

395

possible to have Kerberos realm names that are not DNS-style names, but

396

we don't recommend it for Internet use, and our code does not support it

397

well.) Several different Kerberos-related service names are used:

398

399

<dl>

400

<dt><code>_kerberos._udp</code><dd>This is for contacting any KDC by UDP. This entry will be used the most

401

often. Normally you should list port 88 on each of your KDCs.

402

403

404

405

406

407

<br><dt><code>_kerberos._tcp</code><dd>This is for contacting any KDC by TCP. The MIT KDC by default will not

408

listen on any TCP ports, so unless you've changed the configuration or

409

you're running another KDC implementation, you should leave this

410

unspecified. If you do enable TCP support, normally you should use

411

port 88.

412

413

<br><dt><code>_kerberos-master._udp</code><dd>This entry should refer to those KDCs, if any, that will immediately see

414

password changes to the Kerberos database. This entry is used only in

415

one case, when the user is logging in and the password appears to be

416

incorrect; the master KDC is then contacted, and the same password used

417

to try to decrypt the response, in case the user's password had recently

418

been changed and the first KDC contacted hadn't been updated. Only if

419

that fails is an “incorrect password” error given.

420

421

<p>If you have only one KDC, or for whatever reason there is no accessible

422

KDC that would get database changes faster than the others, you do not

423

need to define this entry.

424

425

<br><dt><code>_kerberos-adm._tcp</code><dd>This should list port 749 on your master KDC.

426

Support for it is not complete at this time, but it will eventually be

427

used by the <code>kadmin</code> program and related utilities. For now, you

428

will also need the <code>admin_server</code> entry in <code>krb5.conf</code>.

429

(See <a href="#krb5_002econf">krb5.conf</a>.)

430

431

<br><dt><code>_kpasswd._udp</code><dd>This should list port 464 on your master KDC.

432

It is used when a user changes her password.

433

434

</dl>

435

436

<p>Be aware, however, that the DNS SRV specification requires that the

437

hostnames listed be the canonical names, not aliases. So, for example,

438

you might include the following records in your (BIND-style) zone file:

439

440

<pre class="smallexample"> $ORIGIN foobar.com.

441

_kerberos TXT "FOOBAR.COM"

442

kerberos CNAME daisy

443

kerberos-1 CNAME use-the-force-luke

444

kerberos-2 CNAME bunny-rabbit

445

_kerberos._udp SRV 0 0 88 daisy

446

SRV 0 0 88 use-the-force-luke

447

SRV 0 0 88 bunny-rabbit

448

_kerberos-master._udp SRV 0 0 88 daisy

449

_kerberos-adm._tcp SRV 0 0 749 daisy

450

_kpasswd._udp SRV 0 0 464 daisy

451

</pre>

452

<p>As with the DNS-based mechanism for determining the Kerberos realm of a

453

host, we recommend distributing the information this way for use by

454

other sites that may want to interact with yours using Kerberos, even if

455

you don't immediately make use of it within your own site. If you

456

anticipate installing a very large number of machines on which it will

457

be hard to update the Kerberos configuration files, you may wish to do

458

all of your Kerberos service lookups via DNS and not put the information

459

(except for <code>admin_server</code> as noted above) in future versions of

460

your <code>krb5.conf</code> files at all. Eventually, we hope to phase out

461

the listing of server hostnames in the client-side configuration files;

462

making preparations now will make the transition easier in the future.

463

464

465

466

<p><hr>

467

Previous: <a rel="previous" accesskey="p" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,

468

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

469

470

</div>

471

472

<h3 class="section">2.6 Database Propagation</h3>

473

474

<p>The Kerberos database resides on the master KDC, and must be propagated

475

regularly (usually by a cron job) to the slave KDCs. In deciding how

476

frequently the propagation should happen, you will need to balance the

477

amount of time the propagation takes against the maximum reasonable

478

amount of time a user should have to wait for a password change to take

479

effect.

480

481

<p>If the propagation time is longer than this maximum reasonable time

482

(<i>e.g.,</i> you have a particularly large database, you have a lot of

483

slaves, or you experience frequent network delays), you may wish to

484

cut down on your propagation delay by performing the propagation in

485

parallel. To do this, have the master KDC propagate the database to one

486

set of slaves, and then have each of these slaves propagate the database

487

to additional slaves.

488

489

490

491

<p><hr>

492

Next: <a rel="next" accesskey="n" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,

493

Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,

494

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

495

496

</div>

497

498

<h2 class="chapter">3 Building Kerberos V5</h2>

499

500

<p>Kerberos V5 uses a configuration system built using the Free

501

Software Foundation's ‘<samp><span class="samp">autoconf</span></samp>’ program. This system makes

502

Kerberos V5 much simpler to build and reduces the amount of effort

503

required in porting Kerberos V5 to a new platform.

504

505

506

<li><a accesskey="1" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>: Description of the source tree.

507

<li><a accesskey="2" href="#Build-Requirements">Build Requirements</a>: How much disk space, etc. you need to

508

build Kerberos.

509

<li><a accesskey="3" href="#Unpacking-the-Sources">Unpacking the Sources</a>: Preparing the source tree.

510

<li><a accesskey="4" href="#Doing-the-Build">Doing the Build</a>: Compiling Kerberos.

511

<li><a accesskey="5" href="#Installing-the-Binaries">Installing the Binaries</a>: Installing the compiled binaries.

512

<li><a accesskey="6" href="#Testing-the-Build">Testing the Build</a>: Making sure Kerberos built correctly.

513

<li><a accesskey="7" href="#Options-to-Configure">Options to Configure</a>: Command-line options to Configure

514

<li><a accesskey="8" href="#osconf_002eh">osconf.h</a>: Header file-specific configurations

515

<li><a accesskey="9" href="#Shared-Library-Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5

516

<li><a href="#OS-Incompatibilities">OS Incompatibilities</a>: Special cases to watch for.

517

<li><a href="#Using-Autoconf">Using Autoconf</a>: Modifying Kerberos V5's

518

configuration scripts.

519

</ul>

520

521

522

523

<p><hr>

524

Next: <a rel="next" accesskey="n" href="#Build-Requirements">Build Requirements</a>,

525

Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,

526

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

527

528

</div>

529

530

<h3 class="section">3.1 Organization of the Source Directory</h3>

531

532

<p>Below is a brief overview of the organization of the complete source

533

directory. More detailed descriptions follow.

534

535

<dl>

536

<dt><b>appl</b><dd>applications with Kerberos V5 extensions

537

<dt><b>clients</b><dd>Kerberos V5 user programs

538

<dt><b>gen-manpages</b><dd>manpages for Kerberos V5 and the Kerberos V5 login program

539

<dt><b>include</b><dd>include files

540

<dt><b>kadmin</b><dd>administrative interface to the Kerberos master database

541

<dt><b>kdc</b><dd>the Kerberos V5 Authentication Service and Key Distribution Center

542

<dt><b>krb524</b><dd>utilities for converting between Kerberos 4 and Kerberos 5

543

<dt><b>lib</b><dd>libraries for use with/by Kerberos V5

544

<dt><b>mac</b><dd>source code for building Kerberos V5 on MacOS

545

<dt><b>prototype</b><dd>templates for source code files

546

<dt><b>slave</b><dd>utilities for propagating the database to slave KDCs

547

<dt><b>tests</b><dd>test suite

548

<dt><b>util</b><dd>various utilities for building/configuring the code, sending bug reports, etc.

549

<dt><b>windows</b><dd>source code for building Kerberos V5 on Windows (see windows/README)

550

</dl>

551

552

553

<li><a accesskey="1" href="#The-appl-Directory">The appl Directory</a>

554

<li><a accesskey="2" href="#The-clients-Directory">The clients Directory</a>

555

<li><a accesskey="3" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>

556

<li><a accesskey="4" href="#The-include-Directory">The include Directory</a>

557

<li><a accesskey="5" href="#The-kadmin-Directory">The kadmin Directory</a>

558

<li><a accesskey="6" href="#The-kdc-Directory">The kdc Directory</a>

559

<li><a accesskey="7" href="#The-krb524-Directory">The krb524 Directory</a>

560

<li><a accesskey="8" href="#The-lib-Directory">The lib Directory</a>

561

<li><a accesskey="9" href="#The-prototype-Directory">The prototype Directory</a>

562

<li><a href="#The-slave-Directory">The slave Directory</a>

563

<li><a href="#The-util-Directory">The util Directory</a>

564

</ul>

565

566

567

568

<p><hr>

569

Next: <a rel="next" accesskey="n" href="#The-clients-Directory">The clients Directory</a>,

570

Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,

571

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

572

573

</div>

574

575

<h4 class="subsection">3.1.1 The appl Directory</h4>

576

577

<p>The <i>appl</i> directory contains sample Kerberos application client and

578

server programs. In previous releases, it contained Kerberized versions

579

of remote access daemons, but those have now been moved to a separate

580

project.

581

582

583

584

<p><hr>

585

Next: <a rel="next" accesskey="n" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,

586

Previous: <a rel="previous" accesskey="p" href="#The-appl-Directory">The appl Directory</a>,

587

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

588

589

</div>

590

591

<h4 class="subsection">3.1.2 The clients Directory</h4>

592

593

<p>This directory contains the code for several user-oriented programs.

594

595

<dl>

596

<dt><b>kdestroy</b><dd>This program destroys the user's active Kerberos authorization tickets.

597

MIT recommends that users <code>kdestroy</code> before logging out.

598

599

<dt><b>kinit</b><dd>This program prompts users for their Kerberos principal name and password,

600

and attempts to get an initial ticket-granting-ticket for that principal.

601

602

<dt><b>klist</b><dd>This program lists the Kerberos principal and Kerberos tickets held in

603

a credentials cache, or the keys held in a keytab file.

604

605

<dt><b>kpasswd</b><dd>This program changes a user's Kerberos password.

606

607

<dt><b>ksu</b><dd>This program is a Kerberized version of the <code>su</code> program that is

608

meant to securely change the real and effective user ID to that of the

609

target user and to create a new security context.

610

611

<dt><b>kvno</b><dd>This program acquires a service ticket for the specified Kerberos

612

principals and prints out the key version numbers of each.

613

</dl>

614

615

616

617

618

<p><hr>

619

Next: <a rel="next" accesskey="n" href="#The-include-Directory">The include Directory</a>,

620

Previous: <a rel="previous" accesskey="p" href="#The-clients-Directory">The clients Directory</a>,

621

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

622

623

</div>

624

625

<h4 class="subsection">3.1.3 The gen-manpages Directory</h4>

626

627

<p>There are two manual pages in this directory. One is an introduction

628

to the Kerberos system. The other describes the <code>.k5login</code> file

629

which allows users to give access with their UID to other users

630

authenticated by the Kerberos system.

631

632

633

634

<p><hr>

635

Next: <a rel="next" accesskey="n" href="#The-kadmin-Directory">The kadmin Directory</a>,

636

Previous: <a rel="previous" accesskey="p" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,

637

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

638

639

</div>

640

641

<h4 class="subsection">3.1.4 The include Directory</h4>

642

643

<p>This directory contains the <i>include</i> files needed to build the

644

Kerberos system.

645

646

647

648

<p><hr>

649

Next: <a rel="next" accesskey="n" href="#The-kdc-Directory">The kdc Directory</a>,

650

Previous: <a rel="previous" accesskey="p" href="#The-include-Directory">The include Directory</a>,

651

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

652

653

</div>

654

655

<h4 class="subsection">3.1.5 The kadmin Directory</h4>

656

657

<p>In this directory is the code for the utilities <code>kadmin</code>,

658

<code>kadmin.local</code>, <code>kdb5_util</code>, and <code>ktutil</code>.

659

<code>ktutil</code> is the Kerberos keytab file maintenance utility from

660

which a Kerberos administrator can read, write, or edit entries in a

661

Kerberos V5 keytab or Kerberos V4 srvtab. <code>kadmin</code> and

662

<code>kadmin.local</code> are command-line interfaces to the Kerberos V5 KADM5

663

administration system. <code>kadmin.local</code> runs on the master KDC and

664

does not use Kerberos to authenticate to the database, while

665

<code>kadmin</code> uses Kerberos authentication and an encrypted RPC. The

666

two provide identical functionalities, which allow administrators to

667

modify the database of Kerberos principals. <code>kdb5_util</code> allows

668

administrators to perform low-level maintenance procedures on Kerberos

669

and the KADM5 database. With this utility, databases can be created,

670

destroyed, or dumped to and loaded from ASCII files. It can also be

671

used to create master key stash files.

672

673

674

675

<p><hr>

676

Next: <a rel="next" accesskey="n" href="#The-krb524-Directory">The krb524 Directory</a>,

677

Previous: <a rel="previous" accesskey="p" href="#The-kadmin-Directory">The kadmin Directory</a>,

678

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

679

680

</div>

681

682

<h4 class="subsection">3.1.6 The kdc Directory</h4>

683

684

<p>This directory contains the code for the <code>krb5kdc</code> daemon, the

685

Kerberos Authentication Service and Key Distribution Center.

686

687

688

689

<p><hr>

690

Next: <a rel="next" accesskey="n" href="#The-lib-Directory">The lib Directory</a>,

691

Previous: <a rel="previous" accesskey="p" href="#The-kdc-Directory">The kdc Directory</a>,

692

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

693

694

</div>

695

696

<h4 class="subsection">3.1.7 The krb524 Directory</h4>

697

698

<p>This directory contains the code for <code>krb524</code>, a service that

699

converts Kerberos V5 credentials into Kerberos V4 credentials suitable

700

for use with applications that for whatever reason do not use V5

701

directly.

702

703

704

705

<p><hr>

706

Next: <a rel="next" accesskey="n" href="#The-prototype-Directory">The prototype Directory</a>,

707

Previous: <a rel="previous" accesskey="p" href="#The-krb524-Directory">The krb524 Directory</a>,

708

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

709

710

</div>

711

712

<h4 class="subsection">3.1.8 The lib Directory</h4>

713

714

<p>The <i>lib</i> directory contain 10 subdirectories as well as some

715

definition and glue files. The <i>crypto</i> subdirectory contains the

716

Kerberos V5 encryption library. The <i>des425</i> subdirectory exports

717

the Kerberos V4 encryption API, and translates these functions into

718

calls to the Kerberos V5 encryption API. The <i>gssapi</i> library

719

contains the Generic Security Services API, which is a library of

720

commands to be used in secure client-server communication. The

721

<i>kadm5</i> directory contains the libraries for the KADM5 administration

722

utilities. The Kerberos 5 database libraries are contained in

723

<i>kdb</i>. The directories <i>krb4</i> and <i>krb5</i> contain the Kerberos 4

724

and Kerberos 5 APIs, respectively. The <i>rpc</i> directory contains the

725

API for the Kerberos Remote Procedure Call protocol.

726

727

728

729

<p><hr>

730

Next: <a rel="next" accesskey="n" href="#The-slave-Directory">The slave Directory</a>,

731

Previous: <a rel="previous" accesskey="p" href="#The-lib-Directory">The lib Directory</a>,

732

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

733

734

</div>

735

736

<h4 class="subsection">3.1.9 The prototype Directory</h4>

737

738

<p>This directory contains several template files. The <code>prototype.h</code>

739

and <code>prototype.c</code> files contain the MIT copyright message and a

740

placeholder for the title and description of the file.

741

<code>prototype.h</code> also has a short template for writing <code>ifdef</code>

742

and <code>ifndef</code> preprocessor statements. The <code>getopt.c</code> file

743

provides a template for writing code that will parse the options with

744

which a program was called.

745

746

747

748

<p><hr>

749

Next: <a rel="next" accesskey="n" href="#The-util-Directory">The util Directory</a>,

750

Previous: <a rel="previous" accesskey="p" href="#The-prototype-Directory">The prototype Directory</a>,

751

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

752

753

</div>

754

755

<h4 class="subsection">3.1.10 The slave Directory</h4>

756

757

<p>This directory contains code which allows for the propagation of the

758

Kerberos principal database from the master KDC to slave KDCs over an

759

encrypted, secure channel. <code>kprop</code> is the program which actually

760

propagates the database dump file. <code>kpropd</code> is the Kerberos V5

761

slave KDC update server which accepts connections from the <code>kprop</code>

762

program. <code>kslave_update</code> is a script that takes the name of a

763

slave server, and propagates the database to that server if the

764

database has been modified since the last dump or if the database has

765

been dumped since the last propagation.

766

767

768

769

<p><hr>

770

Previous: <a rel="previous" accesskey="p" href="#The-slave-Directory">The slave Directory</a>,

771

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

772

773

</div>

774

775

<h4 class="subsection">3.1.11 The util Directory</h4>

776

777

<p>This directory contains several utility programs and libraries. The

778

programs used to configure and build the code, such as <code>autoconf</code>,

779

<code>lndir</code>, <code>kbuild</code>, <code>reconf</code>, and <code>makedepend</code>,

780

are in this directory. The <i>profile</i> directory contains most of the

781

functions which parse the Kerberos configuration files (<code>krb5.conf</code>

782

and <code>kdc.conf</code>). Also in this directory are the Kerberos error table

783

library and utilities (<i>et</i>), the Sub-system library and utilities

784

(<i>ss</i>), database utilities (<i>db2</i>), pseudo-terminal utilities

785

(<i>pty</i>), bug-reporting program <code>send-pr</code>, and a generic

786

support library <code>support</code> used by several of our other libraries.

787

788

789

790

<p><hr>

791

Next: <a rel="next" accesskey="n" href="#Unpacking-the-Sources">Unpacking the Sources</a>,

792

Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,

793

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

794

795

</div>

796

797

<h3 class="section">3.2 Build Requirements</h3>

798

799

<p>In order to build Kerberos V5, you will need approximately 60-70

800

megabytes of disk space. The exact amount will vary depending on the

801

platform and whether the distribution is compiled with debugging symbol

802

tables or not.

803

804

<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”).

805

Some operating systems do not have an ANSI C compiler, or their

806

default compiler requires extra command-line options to enable ANSI C

807

conformance.

808

809

<p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled

810

<samp><span class="file">*.o</span></samp> file and executables, separate from your source tree, you

811

will need a ‘<samp><span class="samp">make</span></samp>’ program which supports ‘<samp><span class="samp">VPATH</span></samp>’, or

812

you will need to use a tool such as ‘<samp><span class="samp">lndir</span></samp>’ to produce a symbolic

813

link tree for your build tree.

814

815

816

817

818

<p><hr>

819

Next: <a rel="next" accesskey="n" href="#Doing-the-Build">Doing the Build</a>,

820

Previous: <a rel="previous" accesskey="p" href="#Build-Requirements">Build Requirements</a>,

821

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

822

823

</div>

824

825

<h3 class="section">3.3 Unpacking the Sources</h3>

826

827

<p>The first step in each of these build procedures is to unpack the

828

source distribution. The Kerberos V5 distribution comes in a tar file,

829

generally named <samp><span class="file">krb5-1.10.tar</span></samp>, which contains a

830

compressed tar file consisting of the sources for all of Kerberos

831

(generally <samp><span class="file">krb5-1.10.tar.gz</span></samp>) and a PGP signature for

832

this source tree (generally <samp><span class="file">krb5-1.10.tar.gz.asc</span></samp>).

833

MIT highly recommends that you verify the integrity of the

834

source code using this signature.

835

836

<p>Unpack the compressed tar file in some directory, such as

837

<samp><span class="file">/u1/krb5-1.10</span></samp>. (In the rest of this document, we

838

will assume that you have chosen to unpack the Kerberos V5 source

839

distribution in this directory. Note that the tarfiles will by default

840

all unpack into the <samp><span class="file">./krb5-1.10</span></samp> directory, so that if

841

your current directory is <samp><span class="file">/u1</span></samp> when you unpack the tarfiles, you

842

will get <samp><span class="file">/u1/krb5-1.10/src</span></samp>, etc.)

843

844

845

846

<p><hr>

847

Next: <a rel="next" accesskey="n" href="#Installing-the-Binaries">Installing the Binaries</a>,

848

Previous: <a rel="previous" accesskey="p" href="#Unpacking-the-Sources">Unpacking the Sources</a>,

849

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

850

851

</div>

852

853

<h3 class="section">3.4 Doing the Build</h3>

854

855

<p>You have a number of different options in how to build Kerberos. If you

856

only need to build Kerberos for one platform, using a single directory

857

tree which contains both the source files and the object files is the

858

simplest. However, if you need to maintain Kerberos for a large number

859

of platforms, you will probably want to use separate build trees for

860

each platform. We recommend that you look at <a href="#OS-Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating

861

systems.

862

863

864

<li><a accesskey="1" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>

865

<li><a accesskey="2" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>

866

<li><a accesskey="3" href="#Building-using-lndir">Building using lndir</a>

867

</ul>

868

869

870

871

<p><hr>

872

Next: <a rel="next" accesskey="n" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,

873

Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,

874

Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

875

876

</div>

877

878

<h4 class="subsection">3.4.1 Building Within a Single Tree</h4>

879

880

<p>If you don't want separate build trees for each architecture, then

881

use the following abbreviated procedure.

882

883

884

885

<li> <code>./configure</code>

886

887

</ol>

888

889

<p>That's it!

890

891

892

893

<p><hr>

894

Next: <a rel="next" accesskey="n" href="#Building-using-lndir">Building using lndir</a>,

895

Previous: <a rel="previous" accesskey="p" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>,

896

Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

897

898

</div>

899

900

<h4 class="subsection">3.4.2 Building with Separate Build Directories</h4>

901

902

<p>If you wish to keep separate build directories for each platform, you

903

can do so using the following procedure. (Note, this requires that your

904

‘<samp><span class="samp">make</span></samp>’ program support ‘<samp><span class="samp">VPATH</span></samp>’. GNU's make will provide this

905

functionality, for example.) If your ‘<samp><span class="samp">make</span></samp>’ program does not

906

support this, see the next section.

907

908

<p>For example, if you wish to create a build directory for <code>pmax</code> binaries

909

you might use the following procedure:

910

911

912

<li><code>mkdir /u1/krb5-1.10/pmax</code>

913

914

<li> <code>../src/configure</code>

915

916

</ol>

917

918

919

920

<p><hr>

921

Previous: <a rel="previous" accesskey="p" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,

922

Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

923

924

</div>

925

926

<h4 class="subsection">3.4.3 Building Using ‘<samp><span class="samp">lndir</span></samp>’</h4>

927

928

<p>If you wish to keep separate build directories for each platform, and

929

you do not have access to a ‘<samp><span class="samp">make</span></samp>’ program which supports ‘<samp><span class="samp">VPATH</span></samp>’,

930

all is not lost. You can use the ‘<samp><span class="samp">lndir</span></samp>’ program to create

931

symbolic link trees in your build directory.

932

933

<p>For example, if you wish to create a build directory for solaris binaries

934

you might use the following procedure:

935

936

937

<li> <code>mkdir /u1/krb5-1.10/solaris</code>

938

<li> <code>cd /u1/krb5-1.10/solaris</code>

939

<li> <code>/u1/krb5-1.10/src/util/lndir `pwd`/../src</code>

940

<li> <code>./configure</code>

941

942

</ol>

943

944

<p>You must give an absolute pathname to ‘<samp><span class="samp">lndir</span></samp>’ because it has a bug that

945

makes it fail for relative pathnames. Note that this version differs

946

from the latest version as distributed and installed by the XConsortium

947

with X11R6. Either version should be acceptable.

948

949

950

951

<p><hr>

952

Next: <a rel="next" accesskey="n" href="#Testing-the-Build">Testing the Build</a>,

953

Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,

954

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

955

956

</div>

957

958

<h3 class="section">3.5 Installing the Binaries</h3>

959

960

<p>Once you have built Kerberos, you should install the binaries. You

961

can do this by running:

962

963

<pre class="example"> % make install

964

</pre>

965

<p>If you want to install the binaries into a destination directory that

966

is not their final destination, which may be convenient if you want to

967

build a binary distribution to be deployed on multiple hosts, you may

968

use:

969

970

<pre class="example"> % make install DESTDIR=/path/to/destdir

971

</pre>

972

<p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the

973

user programs will install into <code>DESTDIR/PREFIX/bin</code>, the

974

libraries into <code>DESTDIR/PREFIX/lib</code>, etc.

975

976

<p>Note that if you want to test the build (see <a href="#Testing-the-Build">Testing the Build</a>),

977

you usually do not need to do a <code>make install</code> first.

978

979

<p>Some implementations of ‘<samp><span class="samp">make</span></samp>’ allow multiple commands to be run in

980

parallel, for faster builds. We test our Makefiles in parallel builds with

981

GNU ‘<samp><span class="samp">make</span></samp>’ only; they may not be compatible with other parallel build

982

implementations.

983

984

985

986

<p><hr>

987

Next: <a rel="next" accesskey="n" href="#Options-to-Configure">Options to Configure</a>,

988

Previous: <a rel="previous" accesskey="p" href="#Installing-the-Binaries">Installing the Binaries</a>,

989

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

990

991

</div>

992

993

<h3 class="section">3.6 Testing the Build</h3>

994

995

<p>The Kerberos V5 distribution comes with built-in regression tests. To

996

run them, simply type the following command while in the top-level build

997

directory (i.e., the directory where you sent typed ‘<samp><span class="samp">make</span></samp>’ to start

998

building Kerberos; see <a href="#Doing-the-Build">Doing the Build</a>.):

999

1000

<pre class="example"> % make check

1001

</pre>

1002

<p>However, there are several prerequisites that must be satisfied first:

1003

1004

<ul>

1005

<li>Configure and build Kerberos with Tcl support. Tcl is used to drive the

1006

test suite. This often means passing <code>--with-tcl</code> to configure to

1007

tell it the location of the Tcl configuration script. (See

1008

See <a href="#Options-to-Configure">Options to Configure</a>.)

1009

1010

<li>On some operating systems, you have to run ‘<samp><span class="samp">make install</span></samp>’ before

1011

running ‘<samp><span class="samp">make check</span></samp>’, or the test suite will pick up installed

1012

versions of Kerberos libraries rather than the newly built ones. You

1013

can install into a prefix that isn't in the system library search path,

1014

though. Alternatively, you can configure with <code>--disable-rpath</code>,

1015

which renders the build tree less suitable for installation, but allows

1016

testing without interference from previously installed libraries.

1017

1018

<li>In order to test the RPC layer, the local system has to be running the

1019

<samp><span class="command">portmap</span></samp> daemon and it has to be listening to the regular

1020

network interface (not just localhost).

1021

</ul>

1022

1023

1024

<li><a accesskey="1" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>

1025

<li><a accesskey="2" href="#The-KADM5-Tests">The KADM5 Tests</a>

1026

</ul>

1027

1028

1029

1030

<p><hr>

1031

Next: <a rel="next" accesskey="n" href="#The-KADM5-Tests">The KADM5 Tests</a>,

1032

Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,

1033

Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>

1034

1035

</div>

1036

1037

<h4 class="subsection">3.6.1 The DejaGnu Tests</h4>

1038

1039

<p>Some of the built-in regression tests are setup to use the DejaGnu

1040

framework for running tests. These tests tend to be more comprehensive

1041

than the normal built-in tests as they setup test servers and test

1042

client/server activities.

1043

1044

<p>DejaGnu may be found wherever GNU software is archived.

1045

1046

1047

1048

<p><hr>

1049

Previous: <a rel="previous" accesskey="p" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>,

1050

Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>

1051

1052

</div>

1053

1054

<h4 class="subsection">3.6.2 The KADM5 Tests</h4>

1055

1056

<p>Regression tests for the KADM5 system, including the GSS-RPC, KADM5

1057

client and server libraries, and kpasswd, are also included in this

1058

release. Each set of KADM5 tests is contained in a sub-directory called

1059

<code>unit-test</code> directly below the system being tested. For example,

1060

lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all

1061

based on DejaGnu (but they are not actually called part of "The DejaGnu

1062

tests," whose naming predates the inclusion of the KADM5 system). In

1063

addition, they require the Tool Command Language (TCL) header files and

1064

libraries to be available during compilation and some of the tests also

1065

require Perl in order to operate. If all of these resources are not

1066

available during configuration, the KADM5 tests will not run. The TCL

1067

installation directory can be specified with the <code>--with-tcl</code>

1068

configure option. (See See <a href="#Options-to-Configure">Options to Configure</a>.) The runtest and

1069

perl programs must be in the current execution path.

1070

1071

<p>If you install DejaGnu, TCL, or Perl after configuring and building

1072

Kerberos and then want to run the KADM5 tests, you will need to

1073

re-configure the tree and run <code>make</code> at the top level again to make

1074

sure all the proper programs are built. To save time, you actually only

1075

need to reconfigure and build in the directories src/kadmin/testing,

1076

src/lib/rpc, src/lib/kadm5.

1077

1078

1079

1080

<p><hr>

1081

Next: <a rel="next" accesskey="n" href="#osconf_002eh">osconf.h</a>,

1082

Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,

1083

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1084

1085

</div>

1086

1087

<h3 class="section">3.7 Options to Configure</h3>

1088

1089

<p>There are a number of options to ‘<samp><span class="samp">configure</span></samp>’ which you can use to

1090

control how the Kerberos distribution is built. The following table

1091

lists the most commonly used options to Kerberos V5's ‘<samp><span class="samp">configure</span></samp>’

1092

program.

1093

1094

<dl>

1095

1096

Provides help to configure. This will list the set of commonly used

1097

options for building Kerberos.

1098

1099

<br><dt><code>--prefix=PREFIX</code><dd>

1100

By default, Kerberos will install the package's files rooted at

1101

`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you

1102

desire a different location, use this option.

1103

1104

<br><dt><code>--exec-prefix=EXECPREFIX</code><dd>

1105

This option allows one to separate the architecture independent programs

1106

from the configuration files and manual pages.

1107

1108

<br><dt><code>--localstatedir=LOCALSTATEDIR</code><dd>

1109

This option sets the directory for locally modifiable single-machine

1110

data. In Kerberos, this mostly is useful for setting a location for the

1111

KDC data files, as they will be installed in

1112

<code>LOCALSTATEDIR/krb5kdc</code>, which is by default

1113

<code>PREFIX/var/krb5kdc</code>.

1114

1115

<br><dt><code>CC=COMPILER</code><dd>

1116

Use <code>COMPILER</code> as the C compiler.

1117

1118

<br><dt><code>CFLAGS=FLAGS</code><dd>

1119

Use <code>FLAGS</code> as the default set of C compiler flags.

1120

1121

<p>Note that if you use the native Ultrix compiler on a

1122

DECstation you are likely to lose if you pass no flags to cc; md4.c

1123

takes an estimated 3,469 billion years to compile if you provide neither

1124

the ‘<samp><span class="samp">-g</span></samp>’ flag nor the ‘<samp><span class="samp">-O</span></samp>’ flag to ‘<samp><span class="samp">cc</span></samp>’.

1125

1126

<br><dt><code>CPPFLAGS=CPPOPTS</code><dd>

1127

Use <code>CPPOPTS</code> as the default set of C preprocessor flags. The most

1128

common use of this option is to select certain <code>#define</code>'s for use

1129

with the operating system's include files.

1130

1131

<br><dt><code>LD=LINKER</code><dd>

1132

Use <code>LINKER</code> as the default loader if it should be different from C

1133

compiler as specified above.

1134

1135

<br><dt><code>LDFLAGS=LDOPTS</code><dd>

1136

This option allows one to specify optional arguments to be passed to the

1137

linker. This might be used to specify optional library paths.

1138

1139

1140

This option enables Kerberos V4 backwards compatibility using the

1141

builtin Kerberos V4 library.

1142

1143

1144

This option enables Kerberos V4 backwards compatibility using a

1145

pre-existing Kerberos V4 installation. The directory specified by

1146

<code>KRB4DIR</code> specifies where the V4 header files should be found

1147

(<samp><span class="file">KRB4DIR/include</span></samp>) as well as where the V4 Kerberos library should

1148

be found (<samp><span class="file">KRB4DIR/lib</span></samp>).

1149

1150

<br><dt><code>--without-krb4</code><dd>

1151

Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4

1152

clients from using the V5 services including the KDC. This would be

1153

useful if you know you will never install or need to interact with V4

1154

clients.

1155

1156

<br><dt><code>--with-netlib[=libs]</code><dd>

1157

Allows for suppression of or replacement of network libraries. By

1158

default, Kerberos V5 configuration will look for <code>-lnsl</code> and

1159

<code>-lsocket</code>. If your operating system has a broken resolver library

1160

(see <a href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in

1161

<samp><span class="file">src/tests/resolv</span></samp> you will need to use this option.

1162

1163

<br><dt><code>--with-tcl=TCLPATH</code><dd>

1164

Some of the unit-tests in the build tree rely upon using a program in

1165

Tcl. The directory specified by <code>TCLPATH</code> specifies where the Tcl

1166

header file (<samp><span class="file">TCLPATH/include/tcl.h</span></samp> as well as where the Tcl

1167

library should be found (<samp><span class="file">TCLPATH/lib</span></samp>).

1168

1169

<br><dt><code>--enable-shared</code><dd>

1170

This option will turn on the building and use of shared library objects

1171

in the Kerberos build. This option is only supported on certain

1172

platforms.

1173

1174

<br><dt><code>--enable-dns</code><br><dt><code>--enable-dns-for-kdc</code><br><dt><code>--enable-dns-for-realm</code><dd>

1175

Enable the use of DNS to look up a host's Kerberos realm, or a realm's

1176

KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to

1177

locate the KDCs, and <a href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a> for

1178

information about using DNS to determine the default realm. By default,

1179

DNS lookups are enabled for the former but not for the latter.

1180

1181

<br><dt><code>--disable-kdc-lookaside-cache</code><dd>

1182

Disables the cache in the KDC which detects retransmitted client

1183

requests and resends the previous responses to them.

1184

1185

<br><dt><code>--with-system-et</code><dd>

1186

Use an installed version of the error-table support software, the

1187

‘<samp><span class="samp">compile_et</span></samp>’ program, the <samp><span class="file">com_err.h</span></samp> header file and the

1188

<samp><span class="file">com_err</span></samp> library. If these are not in the default locations,

1189

you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and

1190

<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as

1191

well.

1192

1193

<p>If this option is not given, a version supplied with the Kerberos

1194

sources will be built and installed along with the rest of the

1195

Kerberos tree, for Kerberos applications to link against.

1196

1197

<br><dt><code>--with-system-ss</code><dd>

1198

Use an installed version of the subsystem command-line interface

1199

software, the ‘<samp><span class="samp">mk_cmds</span></samp>’ program, the <samp><span class="file">ss/ss.h</span></samp> header file

1200

and the <samp><span class="file">ss</span></samp> library. If these are not in the default locations,

1201

you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and

1202

<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as

1203

well. See also the ‘<samp><span class="samp">SS_LIB</span></samp>’ option.

1204

1205

<p>If this option is not given, the <samp><span class="file">ss</span></samp> library supplied with the

1206

Kerberos sources will be compiled and linked into those programs that

1207

need it; it will not be installed separately.

1208

1209

1210

If ‘<samp><span class="samp">-lss</span></samp>’ is not the correct way to link in your installed

1211

<samp><span class="file">ss</span></samp> library, for example if additional support libraries are

1212

needed, specify the correct link options here. Some variants of this

1213

library are around which allow for Emacs-like line editing, but

1214

different versions require different support libraries to be

1215

explicitly specified.

1216

1217

<p>This option is ignored if ‘<samp><span class="samp">--with-system-ss</span></samp>’ is not specified.

1218

1219

<br><dt><code>--with-system-db</code><dd>

1220

Use an installed version of the Berkeley DB package, which must

1221

provide an API compatible with version 1.85. This option is

1222

<em>unsupported</em> and untested. In particular, we do not know if the

1223

database-rename code used in the dumpfile load operation will behave

1224

properly.

1225

1226

<p>If this option is not given, a version supplied with the Kerberos

1227

sources will be built and installed. (We are not updating this

1228

version at this time because of licensing issues with newer versions

1229

that we haven't investigated sufficiently yet.)

1230

1231

<br><dt><code>DB_HEADER=headername.h</code><dd>

1232

If ‘<samp><span class="samp">db.h</span></samp>’ is not the correct header file to include to compile

1233

against the Berkeley DB 1.85 API, specify the correct header file name

1234

with this option. For example, ‘<samp><span class="samp">DB_HEADER=db3/db_185.h</span></samp>’.

1235

1236

1237

If ‘<samp><span class="samp">-ldb</span></samp>’ is not the correct library specification for the

1238

Berkeley DB library version to be used, override it with this option.

1239

For example, ‘<samp><span class="samp">DB_LIB=-ldb-3.3</span></samp>’.

1240

1241

<br><dt><code>--with-crypto-impl=IMPL</code><dd>

1242

Use specified crypto implementation in lieu of the default builtin.

1243

Currently only one alternative crypto-system openssl is available and

1244

it requires version 1.0.0 or higher of OpenSSL.

1245

1246

</dl>

1247

1248

<p>For example, in order to configure Kerberos on a Solaris machine using

1249

the ‘<samp><span class="samp">suncc</span></samp>’ compiler with the optimizer turned on, run the configure

1250

script with the following options:

1251

1252

<pre class="example"> % ./configure CC=suncc CFLAGS=-O

1253

</pre>

1254

<p>For a slightly more complicated example, consider a system where

1255

several packages to be used by Kerberos are installed in

1256

‘<samp><span class="samp">/usr/foobar</span></samp>’, including Berkeley DB 3.3, and an ‘<samp><span class="samp">ss</span></samp>’

1257

library that needs to link against the ‘<samp><span class="samp">curses</span></samp>’ library. The

1258

configuration of Kerberos might be done thus:

1259

1260

<pre class="example"> % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \

1261

--with-system-et --with-system-ss --with-system-db \

1262

SS_LIB='-lss -lcurses' \

1263

DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3

1264

</pre>

1265

<p>In previous releases, <code>--with-</code> options were used to specify the

1266

compiler and linker and their options.

1267

1268

1269

1270

1271

<p><hr>

1272

Next: <a rel="next" accesskey="n" href="#Shared-Library-Support">Shared Library Support</a>,

1273

Previous: <a rel="previous" accesskey="p" href="#Options-to-Configure">Options to Configure</a>,

1274

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1275

1276

</div>

1277

1278

<h3 class="section">3.8 <samp><span class="file">osconf.h</span></samp></h3>

1279

1280

<p>There is one configuration file which you may wish to edit to control

1281

various compile-time parameters in the Kerberos distribution:

1282

<samp><span class="file">include/stock/osconf.h</span></samp>. The list that follows is by no means

1283

complete, just some of the more interesting variables.

1284

1285

<p>Please note: The former configuration file <samp><span class="file">config.h</span></samp> no longer

1286

exists as its functionality has been merged into the auto-configuration

1287

process. See <a href="#Options-to-Configure">Options to Configure</a>.

1288

1289

<dl>

1290

<dt><code>DEFAULT_PROFILE_PATH</code><dd>

1291

The pathname to the file which contains the profiles for the known realms,

1292

their KDCs, etc. The default value is /etc/krb5.conf.

1293

1294

<p>The profile file format is no longer the same format as Kerberos V4's

1295

<samp><span class="file">krb.conf</span></samp> file.

1296

1297

<br><dt><code>DEFAULT_KEYTAB_NAME</code><dd>

1298

The type and pathname to the default server keytab file (the

1299

equivalent of Kerberos V4's <samp><span class="file">/etc/srvtab</span></samp>). The default is

1300

/etc/krb5.keytab.

1301

1302

<br><dt><code>DEFAULT_KDC_ENCTYPE</code><dd>

1303

The default encryption type for the KDC. The default value is

1304

des3-cbc-sha1.

1305

1306

<br><dt><code>KDCRCACHE</code><dd>

1307

The name of the replay cache used by the KDC. The default value is

1308

krb5kdc_rcache.

1309

1310

<br><dt><code>RCTMPDIR</code><dd>

1311

The directory which stores replay caches. The default is to try

1312

/var/tmp, /usr/tmp, /var/usr/tmp, and /tmp.

1313

1314

<br><dt><code>DEFAULT_KDB_FILE</code><dd>

1315

The location of the default database. The default value is

1316

/usr/local/var/krb5kdc/principal.

1317

1318

</dl>

1319

1320

1321

1322

<p><hr>

1323

Next: <a rel="next" accesskey="n" href="#OS-Incompatibilities">OS Incompatibilities</a>,

1324

Previous: <a rel="previous" accesskey="p" href="#osconf_002eh">osconf.h</a>,

1325

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1326

1327

</div>

1328

1329

<h3 class="section">3.9 Shared Library Support</h3>

1330

1331

<p>Shared library support is provided for a few operating systems. There

1332

are restrictions as to which compiler to use when using shared

1333

libraries. In all cases, executables linked with the shared libraries in

1334

this build process will have built in the location of the libraries,

1335

therefore obliterating the need for special LD_LIBRARY_PATH, et al environment

1336

variables when using the programs. Except where noted, multiple versions

1337

of the libraries may be installed on the same system and continue to

1338

work.

1339

1340

<p>Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS

1341

5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows

1342

(using DLLs).

1343

1344

<p>Shared library support has been tested on the following platforms but

1345

not exhaustively (they have been built but not necessarily tested in an

1346

installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and

1347

HP/UX 10.20.

1348

1349

<p>Platforms for which there is shared library support but not significant

1350

testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x

1351

(i386).

1352

1353

<p>To enable shared libraries on the above platforms, run the configure

1354

script with the option ‘<samp><span class="samp">--enable-shared</span></samp>’.

1355

1356

1357

1358

<p><hr>

1359

Next: <a rel="next" accesskey="n" href="#Using-Autoconf">Using Autoconf</a>,

1360

Previous: <a rel="previous" accesskey="p" href="#Shared-Library-Support">Shared Library Support</a>,

1361

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1362

1363

</div>

1364

1365

<h3 class="section">3.10 Operating System Incompatibilities</h3>

1366

1367

<p>This section details operating system incompatibilities with Kerberos V5

1368

which have been reported to the developers at MIT. If you find

1369

additional incompatibilities, and/or discover workarounds to such

1370

problems, please send a report via the <code>krb5-send-pr</code> program.

1371

Thanks!

1372

1373

1374

1375

<li><a accesskey="2" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>

1376

<li><a accesskey="3" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>

1377

<li><a accesskey="4" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>

1378

1379

1380

<li><a accesskey="7" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>

1381

<li><a accesskey="8" href="#Solaris-2_002eX">Solaris 2.X</a>

1382

<li><a accesskey="9" href="#Solaris-9">Solaris 9</a>

1383

1384

<li><a href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>

1385

</ul>

1386

1387

1388

1389

<p><hr>

1390

Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,

1391

Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,

1392

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1393

1394

</div>

1395

1396

1397

1398

<p>The AIX 3.2.5 linker dumps core trying to build a shared

1399

‘<samp><span class="samp">libkrb5.a</span></samp>’ produced with the GNU C compiler. The native AIX

1400

compiler works fine. This problem is fixed using the AIX 4.1 linker.

1401

1402

1403

1404

1405

<p><hr>

1406

Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,

1407

Previous: <a rel="previous" accesskey="p" href="#AIX">AIX</a>,

1408

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1409

1410

</div>

1411

1412

<h4 class="subsection">3.10.2 Alpha OSF/1 V1.3</h4>

1413

1414

<p>Using the native compiler, compiling with the ‘<samp><span class="samp">-O</span></samp>’ compiler flag

1415

causes the <code>asn.1</code> library to be compiled incorrectly.

1416

1417

<p>Using GCC version 2.6.3 or later instead of the native compiler will also work

1418

fine, both with or without optimization.

1419

1420

1421

1422

1423

<p><hr>

1424

Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,

1425

Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,

1426

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1427

1428

</div>

1429

1430

<h4 class="subsection">3.10.3 Alpha OSF/1 V2.0</h4>

1431

1432

<p>There used to be a bug when using the native compiler in compiling

1433

<samp><span class="file">md4.c</span></samp> when compiled without either the ‘<samp><span class="samp">-O</span></samp>’ or ‘<samp><span class="samp">-g</span></samp>’

1434

compiler options. We have changed the code and there is no problem

1435

under V2.1, but we do not have access to V2.0 to test and see if the

1436

problem would exist there. (We welcome feedback on this issue). There

1437

was never a problem in using GCC version 2.6.3.

1438

1439

<p>In version 3.2 and beyond of the operating system, we have not seen

1440

this sort of problem with the native compiler.

1441

1442

1443

1444

1445

<p><hr>

1446

Next: <a rel="next" accesskey="n" href="#BSDI">BSDI</a>,

1447

Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,

1448

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1449

1450

</div>

1451

1452

<h4 class="subsection">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</h4>

1453

1454

<p>The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)

1455

defaults to an extended K&R C mode, not ANSI C. You need to provide

1456

the ‘<samp><span class="samp">-std</span></samp>’ argument to the compiler (i.e., ‘<samp><span class="samp">./configure

1457

CC='cc -std'</span></samp>’) to enable extended ANSI C mode. More recent versions

1458

of the operating system, such as 5.0, seem to have C compilers which

1459

default to ‘<samp><span class="samp">-std</span></samp>’.

1460

1461

1462

1463

1464

1465

1466

<p><hr>

1467

Next: <a rel="next" accesskey="n" href="#HPUX">HPUX</a>,

1468

Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,

1469

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1470

1471

</div>

1472

1473

1474

1475

<p>BSDI versions 1.0 and 1.1 reportedly has a bad ‘<samp><span class="samp">sed</span></samp>’ which causes

1476

it to go into an infinite loop during the build. The work around is

1477

to use a ‘<samp><span class="samp">sed</span></samp>’ from somewhere else, such as GNU. (This may be

1478

true for some versions of other systems derived from BSD 4.4, such as

1479

NetBSD and FreeBSD.)

1480

1481

1482

1483

<p><hr>

1484

Next: <a rel="next" accesskey="n" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,

1485

Previous: <a rel="previous" accesskey="p" href="#BSDI">BSDI</a>,

1486

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1487

1488

</div>

1489

1490

1491

1492

<p>The native (bundled) compiler for HPUX currently will not work,

1493

because it is not a full ANSI C compiler. The optional ANSI C

1494

compiler should work as long as you give it the ‘<samp><span class="samp">-Ae</span></samp>’ flag

1495

(i.e. ‘<samp><span class="samp">./configure CC='cc -Ae'</span></samp>’). This is equivalent to

1496

‘<samp><span class="samp">./configure CC='c89 -D_HPUX_SOURCE'</span></samp>’, which was the previous

1497

recommendation. This has only been tested recently for HPUX 10.20.

1498

1499

<p>You will need to configure with ‘<samp><span class="samp">--disable-shared

1500

--enable-static</span></samp>’, because as of 1.4 we don't have support for HPUX

1501

shared library finalization routines, nor the option (yet) to ignore

1502

that lack of support (which means repeated

1503

<code>dlopen</code>/<code>dlclose</code> cycles on the Kerberos libraries may not

1504

be safe) and build the shared libraries anyways.

1505

1506

<p>You will also need to configure the build tree with

1507

‘<samp><span class="samp">--disable-thread-support</span></samp>’ if you are on HPUX 10 and do not have

1508

the DCE development package installed, because that's where the

1509

<code>pthread.h</code> header file is found. (We don't know if our code

1510

will work with such a package installed, because according to some HP

1511

documentation, their <code>pthread.h</code> has to be included before any

1512

other header files, and our code doesn't do that.)

1513

1514

<p>If you use GCC, it may work, but some versions of GCC have omitted

1515

certain important preprocessor defines, like <code>__STDC_EXT__</code> and

1516

<code>__hpux</code>.

1517

1518

1519

1520

1521

<p><hr>

1522

Next: <a rel="next" accesskey="n" href="#Solaris-2_002eX">Solaris 2.X</a>,

1523

Previous: <a rel="previous" accesskey="p" href="#HPUX">HPUX</a>,

1524

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1525

1526

</div>

1527

1528

<h4 class="subsection">3.10.7 Solaris versions 2.0 through 2.3</h4>

1529

1530

<p>The <code>gethostbyname()</code> routine is broken; it does not return a fully

1531

qualified domain name, even if you are using the Domain Name Service

1532

routines. Since Kerberos V5 uses the fully qualified domain name as the

1533

second component of a service principal (i.e,

1534

‘<samp><span class="samp">host/tsx-11.mit.edu@ATHENA.MIT.EDU</span></samp>’), this causes problems for servers

1535

who try to figure out their own fully qualified domain name.

1536

1537

<p>Workarounds:

1538

1539

1540

1541

<li> Supply your own resolver library. (such as bind-4.9.3pl1 available

1542

from ftp.vix.com)

1543

1544

<li> Upgrade to Solaris 2.4

1545

1546

<li> Make sure your /etc/nsswitch.conf has `files' before `dns' like:

1547

1548

<pre class="example"> hosts: files dns

1549

</pre>

1550

<p>and then in /etc/hosts, make sure there is a line with your

1551

workstation's IP address and hostname, with the fully qualified domain

1552

name first. Example:

1553

1554

<pre class="example"> 18.172.1.4 dcl.mit.edu dcl

1555

</pre>

1556

<p>Note that making this change may cause other programs in your

1557

environment to break or behave differently.

1558

1559

</ol>

1560

1561

1562

1563

1564

<p><hr>

1565

Next: <a rel="next" accesskey="n" href="#Solaris-9">Solaris 9</a>,

1566

Previous: <a rel="previous" accesskey="p" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,

1567

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1568

1569

</div>

1570

1571

<h4 class="subsection">3.10.8 Solaris 2.X</h4>

1572

1573

<p>You <b>must</b> compile Kerberos V5 without the UCB compatibility

1574

libraries. This means that <samp><span class="file">/usr/ucblib</span></samp> must not be in the

1575

LD_LIBRARY_PATH environment variable when you compile it. Alternatively

1576

you can use the <code>-i</code> option to ‘<samp><span class="samp">cc</span></samp>’, by using the specifying

1577

<code>CFLAGS=-i</code> option to ‘<samp><span class="samp">configure</span></samp>’.

1578

1579

<p>If you are compiling for a 64-bit execution environment, you may need

1580

to configure with the option <code>CFLAGS="-D_XOPEN_SOURCE=500

1581

-D__EXTENSIONS__"</code>. This is not well tested; at MIT we work primarily

1582

with the 32-bit execution environment.

1583

1584

1585

1586

<p><hr>

1587

Next: <a rel="next" accesskey="n" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,

1588

Previous: <a rel="previous" accesskey="p" href="#Solaris-2_002eX">Solaris 2.X</a>,

1589

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1590

1591

</div>

1592

1593

<h4 class="subsection">3.10.9 Solaris 9</h4>

1594

1595

<p>Solaris 9 has a kernel race condition which causes the final output

1596

written to the slave side of a pty to be lost upon the final close()

1597

of the slave device. This causes the dejagnu-based tests to fail

1598

intermittently. A workaround exists, but requires some help from the

1599

scheduler, and the “make check” must be executed from a shell with

1600

elevated priority limits.

1601

1602

<p>Run something like

1603

1604

<p><code>priocntl -s -c FX -m 30 -p 30 -i pid nnnn</code>

1605

1606

<p>as root, where <code>nnnn</code> is the pid of the shell whose priority

1607

limit you wish to raise.

1608

1609

<p>Sun has released kernel patches for this race condition. Apply patch

1610

117171-11 for sparc, or patch 117172-11 for x86. Later revisions of

1611

the patches should also work. It is not necessary to run “make

1612

check” from a shell with elevated priority limits once the patch has

1613

been applied.

1614

1615

1616

1617

1618

<p><hr>

1619

Next: <a rel="next" accesskey="n" href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>,

1620

Previous: <a rel="previous" accesskey="p" href="#Solaris-9">Solaris 9</a>,

1621

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1622

1623

</div>

1624

1625

1626

1627

<p>If you are building in a tree separate from the source tree, the vendors

1628

version of make does not work properly with regards to

1629

‘<samp><span class="samp">VPATH</span></samp>’. It also has problems with standard inference rules in 5.2

1630

(not tested yet in 5.3) so one needs to use GNU's make.

1631

1632

<p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code>

1633

library in which the routine <code>gethostbyname()</code> is broken. The

1634

system supplied version in <code>-lc</code> appears to work though so one may

1635

simply specify <code>--with-netlib</code> option to ‘<samp><span class="samp">configure</span></samp>’.

1636

1637

<p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and

1638

is no longer an issue.

1639

1640

1641

1642

1643

<p><hr>

1644

Previous: <a rel="previous" accesskey="p" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,

1645

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1646

1647

</div>

1648

1649

<h4 class="subsection">3.10.11 Ultrix 4.2/3</h4>

1650

1651

<p>The DEC MIPS platform currently will not support the native compiler,

1652

since the Ultrix compiler is not a full ANSI C compiler. You should use

1653

GCC instead.

1654

1655

1656

1657

<p><hr>

1658

Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,

1659

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1660

1661

</div>

1662

1663

<h3 class="section">3.11 Using ‘<samp><span class="samp">Autoconf</span></samp>’</h3>

1664

1665

<p>(If you are not a developer, you can skip this section.)

1666

1667

<p>In most of the Kerberos V5 source directories, there is a

1668

<samp><span class="file">configure</span></samp> script which automatically determines the compilation

1669

environment and creates the proper Makefiles for a particular

1670

platform. These <samp><span class="file">configure</span></samp> files are generated using

1671

‘<samp><span class="samp">autoconf</span></samp>’, which can be found in the <samp><span class="file">src/util/autoconf</span></samp>

1672

directory in the distribution.

1673

1674

<p>Normal users will not need to worry about running ‘<samp><span class="samp">autoconf</span></samp>’; the

1675

distribution comes with the <samp><span class="file">configure</span></samp> files already prebuilt.

1676

Developers who wish to modify the <samp><span class="file">configure.in</span></samp> files should see

1677

<a href="autoconf.html#Top">Overview</a>.

1678

1679

<p>Note that in order to run ‘<samp><span class="samp">autoconf</span></samp>’, you must have GNU ‘<samp><span class="samp">m4</span></samp>’

1680

in your path. Before you use the ‘<samp><span class="samp">autoconf</span></samp>’ in the Kerberos V5

1681

source tree, you may also need to run ‘<samp><span class="samp">configure</span></samp>’, and then run

1682

‘<samp><span class="samp">make</span></samp>’ in the <samp><span class="file">src/util/autoconf</span></samp> directory in order to

1683

properly set up ‘<samp><span class="samp">autoconf</span></samp>’.

1684

1685

<p>One tool which is provided for the convenience of developers can be

1686

found in <samp><span class="file">src/util/reconf</span></samp>. This program should be run while the

1687

current directory is the top source directory. It will automatically

1688

rebuild any <samp><span class="file">configure</span></samp> files which need rebuilding. If you know

1689

that you have made a change that will require that all the

1690

<samp><span class="file">configure</span></samp> files need to be rebuilt from scratch, specify the

1691

<code>--force</code> option:

1692

1693

<pre class="example"> % cd /u1/krb5-1.10/src

1694

% ./util/reconf --force

1695

</pre>

1696

<p>The developmental sources are a raw source tree (before it's been packaged

1697

for public release), without the pre-built <samp><span class="file">configure</span></samp> files.

1698

In order to build from such a source tree, you must do:

1699

1700

<pre class="example"> % cd krb5/util/autoconf

1701

% ./configure

1702

% make

1703

% cd ../..

1704

% util/reconf

1705

</pre>

1706

<p>Then follow the instructions for building packaged source trees (above).

1707

To install the binaries into a binary tree, do:

1708

1709

<pre class="example"> % cd /u1/krb5-1.10/src

1710

% make all

1711

% make install DESTDIR=somewhere-else

1712

</pre>

1713

1714

1715

<p><hr>

1716

Next: <a rel="next" accesskey="n" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,

1717

Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,

1718

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

1719

1720

</div>

1721

1722

<h2 class="chapter">4 Installing Kerberos V5</h2>

1723

1724

<p>The sections of this chapter describe procedures for installing

1725

Kerberos V5 on:

1726

1727

1728

<li>The KDCs

1729

1730

<li>UNIX client machines

1731

1732

<li>UNIX Application Servers

1733

</ol>

1734

1735

1736

<li><a accesskey="1" href="#Installing-KDCs">Installing KDCs</a>

1737

<li><a accesskey="2" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

1738

<li><a accesskey="3" href="#UNIX-Application-Servers">UNIX Application Servers</a>

1739

</ul>

1740

1741

1742

1743

<p><hr>

1744

Next: <a rel="next" accesskey="n" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,

1745

Previous: <a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,

1746

Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

1747

1748

</div>

1749

1750

<h3 class="section">4.1 Installing KDCs</h3>

1751

1752

<p>The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC

1753

contains a copy of the Kerberos database. The master KDC contains the

1754

master copy of the database, which it propagates to the slave KDCs at

1755

regular intervals. All database changes (such as password changes) are

1756

made on the master KDC.

1757

1758

<p>Slave KDCs provide Kerberos ticket-granting services, but not database

1759

administration. This allows clients to continue to obtain tickets when

1760

the master KDC is unavailable.

1761

1762

<p>MIT recommends that you install all of your KDCs to be able

1763

to function as either the master or one of the slaves. This will enable

1764

you to easily switch your master KDC with one of the slaves if

1765

necessary. (See <a href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>.) This installation

1766

procedure is based on that recommendation.

1767

1768

1769

<li><a accesskey="1" href="#Install-the-Master-KDC">Install the Master KDC</a>

1770

<li><a accesskey="2" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

1771

<li><a accesskey="3" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>

1772

<li><a accesskey="4" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

1773

<li><a accesskey="5" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>

1774

<li><a accesskey="6" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>

1775

<li><a accesskey="7" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>

1776

<li><a accesskey="8" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>

1777

</ul>

1778

1779

1780

1781

<p><hr>

1782

Next: <a rel="next" accesskey="n" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,

1783

Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,

1784

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

1785

1786

</div>

1787

1788

<h4 class="subsection">4.1.1 Install the Master KDC</h4>

1789

1790

<p>This installation procedure will require you to go back and forth a

1791

couple of times between the master KDC and each of the slave KDCs. The

1792

first few steps must be done on the master KDC.

1793

1794

1795

<li><a accesskey="1" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>

1796

1797

1798

<li><a accesskey="4" href="#Create-the-Database">Create the Database</a>

1799

<li><a accesskey="5" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>

1800

<li><a accesskey="6" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>

1801

<li><a accesskey="7" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>

1802

<li><a accesskey="8" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>

1803

</ul>

1804

1805

1806

1807

<p><hr>

1808

Next: <a rel="next" accesskey="n" href="#krb5_002econf">krb5.conf</a>,

1809

Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,

1810

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

1811

1812

</div>

1813

1814

<h5 class="subsubsection">4.1.1.1 Edit the Configuration Files</h5>

1815

1816

<p>Modify the configuration files, <code>/etc/krb5.conf</code> and

1817

<code>/usr/local/var/krb5kdc/kdc.conf</code> to reflect the correct

1818

information (such as the hostnames and realm name) for your realm.

1819

MIT recommends that you keep <code>krb5.conf</code> in <code>/etc</code>.

1820

1821

<p>Most of the tags in the configuration have default values that will

1822

work well for most sites. There are some tags in the <code>krb5.conf</code>

1823

file whose values must be specified, and this section will explain

1824

those as well as give an overview of all of the sections in both

1825

configuration files. For more information on changing defaults with

1826

the configuration files, see the Kerberos V5 System Administrator's

1827

Guide sections on configuration files.

1828

1829

1830

1831

1832

<p><hr>

1833

Next: <a rel="next" accesskey="n" href="#kdc_002econf">kdc.conf</a>,

1834

Previous: <a rel="previous" accesskey="p" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>,

1835

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

1836

1837

</div>

1838

1839

1840

1841

<p>The <code>krb5.conf</code> file contains Kerberos configuration information,

1842

including the locations of KDCs and admin servers for the Kerberos

1843

realms of interest, defaults for the current realm and for Kerberos

1844

applications, and mappings of hostnames onto Kerberos realms. Normally,

1845

you should install your <code>krb5.conf</code> file in the directory

1846

<code>/etc</code>. You can override the default location by setting the

1847

environment variable ‘<samp><span class="samp">KRB5_CONFIG</span></samp>’.

1848

1849

<p>The <code>krb5.conf</code> file is set up in the style of a Windows INI file.

1850

Sections are headed by the section name, in square brackets. Each

1851

section may contain zero or more relations, of the form:

1852

1853

<pre class="smallexample"> foo = bar

1854

</pre>

1855

<p class="noindent">or

1856

1857

<pre class="smallexample"> fubar = {

1858

foo = bar

1859

baz = quux

1860

}

1861

</pre>

1862

<p>Placing a `*' at the end of a line indicates that this is the

1863

<dfn>final</dfn> value for the tag. This means that neither the remainder

1864

of this configuration file nor any other configuration file will be

1865

checked for any other values for this tag.

1866

1867

<p>For example, if you have the following lines:

1868

1869

<pre class="smallexample"> foo = bar*

1870

foo = baz

1871

</pre>

1872

<p>then the second value of foo (baz) would never be read.

1873

1874

<p>The <code>krb5.conf</code> file can include other files using either of the

1875

following directives at the beginning of a line:

1876

1877

<pre class="smallexample"> include <var>FILENAME</var>

1878

includedir <var>DIRNAME</var>

1879

</pre>

1880

<p><var>FILENAME</var> or <var>DIRNAME</var> should be an absolute path. The named

1881

file or directory must exist and be readable. Including a directory

1882

includes all files within the directory whose names consist solely of

1883

alphanumeric characters, dashes, or underscores. Included profile files

1884

are syntactically independent of their parents, so each included file

1885

must begin with a section header.

1886

1887

<p>The <code>krb5.conf</code> file may contain any or all of the following

1888

sections:

1889

1890

<dl>

1891

<dt><b>libdefaults</b><dd>Contains default values used by the Kerberos V5 library.

1892

1893

<dt><b>login</b><dd>Contains default values used by the Kerberos V5 login program.

1894

1895

<dt><b>appdefaults</b><dd>Contains default values that can be used by Kerberos V5 applications.

1896

1897

<dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection

1898

describes realm-specific information, including where to find the

1899

Kerberos servers for that realm.

1900

1901

<dt><b>domain_realm</b><dd>Contains relations which map domain names and subdomains onto Kerberos

1902

realm names. This is used by programs to determine what realm a host

1903

should be in, given its fully qualified domain name.

1904

1905

<dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform

1906

logging.

1907

1908

<dt><b>capaths</b><dd>Contains the authentication paths used with direct (nonhierarchical)

1909

cross-realm authentication. Entries in this section are used by the

1910

client to determine the intermediate realms which may be used in

1911

cross-realm authentication. It is also used by the end-service when

1912

checking the transited field for trusted intermediate realms.

1913

1914

<dt><b>plugins</b><dd>Contains tags to register dynamic plugin modules and to turn modules on

1915

and off.

1916

1917

</dl>

1918

1919

<p>If you are not using DNS TXT records, you must specify the

1920

<code>default_realm</code> in the <code>libdefaults</code> section. If you are not

1921

using DNS SRV records, you must include the <code>kdc</code> tag for each

1922

realm in the <code>realms</code> section. To communicate with the kadmin

1923

server in each realm, the <code>admin_server</code> tag must be set in the

1924

<code>realms</code> section. If your domain name and realm name are not the

1925

same, you must provide a translation in <code>domain_realm</code>. It is

1926

also higly recommeneded that you create a <code>[logging]</code> stanza if

1927

the computer will be functioning as a KDC so that the KDC and kadmind

1928

will generate logging output.

1929

1930

<p>An example <code>krb5.conf</code> file:

1931

1932

<pre class="smallexample"> [libdefaults]

1933

default_realm = ATHENA.MIT.EDU

1934

1935

[realms]

1936

ATHENA.MIT.EDU = {

1937

kdc = kerberos.mit.edu

1938

kdc = kerberos-1.mit.edu

1939

kdc = kerberos-2.mit.edu

1940

admin_server = kerberos.mit.edu

1941

{

1942

1943

[logging]

1944

kdc = FILE:/var/log/krb5kdc.log

1945

admin_server = FILE:/var/log/kadmin.log

1946

default = FILE:/var/log/krb5lib.log

1947

</pre>

1948

1949

1950

1951

<p><hr>

1952

Next: <a rel="next" accesskey="n" href="#Create-the-Database">Create the Database</a>,

1953

Previous: <a rel="previous" accesskey="p" href="#krb5_002econf">krb5.conf</a>,

1954

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

1955

1956

</div>

1957

1958

1959

1960

<p>The <code>kdc.conf</code> file contains KDC configuration information,

1961

including defaults used when issuing Kerberos tickets. Normally, you

1962

should install your <code>kdc.conf</code> file in the directory

1963

<code>/usr/local/var/krb5kdc</code>. You can override the default

1964

location by setting the environment variable ‘<samp><span class="samp">KRB5_KDC_PROFILE</span></samp>’.

1965

1966

<p>The <code>kdc.conf</code> file is set up in the same format as the

1967

<code>krb5.conf</code> file. (See <a href="#krb5_002econf">krb5.conf</a>.) The <code>kdc.conf</code> file

1968

may contain any or all of the following three sections:

1969

1970

<dl>

1971

<dt><b>kdcdefaults</b><dd>Contains default values for overall behavior of the KDC.

1972

1973

<br><dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection

1974

describes realm-specific information, including where to find the

1975

Kerberos servers for that realm.

1976

1977

<br><dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform

1978

logging.

1979

</dl>

1980

1981

1982

1983

<p><hr>

1984

Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,

1985

Previous: <a rel="previous" accesskey="p" href="#kdc_002econf">kdc.conf</a>,

1986

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

1987

1988

</div>

1989

1990

<h5 class="subsubsection">4.1.1.4 Create the Database</h5>

1991

1992

<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to

1993

create the Kerberos database and the optional stash file. The

1994

<dfn>stash file</dfn> is a local copy of the master key that resides in

1995

encrypted form on the KDC's local disk. The stash file is used to

1996

authenticate the KDC to itself automatically before starting the

1997

<code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the

1998

machine's boot sequence). The stash file, like the keytab file

1999

(see See <a href="#The-Keytab-File">The Keytab File</a>, for more information) is a potential

2000

point-of-entry for a break-in,

2001

and if compromised, would allow unrestricted access to the Kerberos

2002

database. If you choose to install a stash file, it should be readable

2003

only by root, and should exist only on the KDC's local disk. The file

2004

should not be part of any backup of the machine, unless access to the

2005

backup data is secured as tightly as access to the master password

2006

itself.

2007

2008

<p>If you choose not to install a stash file, the KDC will prompt you for

2009

the master key each time it starts up. This means that the KDC will

2010

not be able to start automatically, such as after a system reboot.

2011

2012

<p>Note that <code>kdb5_util</code> will prompt you for the master key for the

2013

Kerberos database. This key can be any string. A good key is one you

2014

can remember, but that no one else can guess. Examples of bad keys are

2015

words that can be found in a dictionary, any common or popular name,

2016

especially a famous person (or cartoon character), your username in any

2017

form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of

2018

the sample keys that appear in this manual. One example of a key which

2019

might be good if it did not appear in this manual is “MITiys4K5!”,

2020

which represents the sentence “MIT is your source for Kerberos 5!”

2021

(It's the first letter of each word, substituting the numeral “4” for

2022

the word “for”, and includes the punctuation mark at the end.)

2023

2024

<p>The following is an example of how to create a Kerberos database and

2025

stash file on the master KDC, using the <code>kdb5_util</code> command. (The

2026

line that begins with ⇒ is a continuation of the previous line.)

2027

Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.

2028

2029

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s

2030

<b>Initializing database '/usr/local/var/krb5kdc/principal' for

2031

⇒ realm 'ATHENA.MIT.EDU',

2032

master key name 'K/M@ATHENA.MIT.EDU'

2033

You will be prompted for the database Master Password.

2034

It is important that you NOT FORGET this password.</b>

2035

<b>Enter KDC database master key:</b> <i><= Type the master password.</i>

2036

<b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i>

2037

<b>shell%</b>

2038

</pre>

2039

<p>This will create five files in the directory specified in your

2040

<code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>,

2041

and <code>principal.ok</code>; the Kerberos administrative database file,

2042

<code>principal.kadm5</code>; the administrative database lock file,

2043

<code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>. (The

2044

default directory is <code>/usr/local/var/krb5kdc</code>.) If you do not

2045

want a stash file, run the above command without the <code>-s</code> option.

2046

2047

2048

2049

<p><hr>

2050

Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,

2051

Previous: <a rel="previous" accesskey="p" href="#Create-the-Database">Create the Database</a>,

2052

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2053

2054

</div>

2055

2056

<h5 class="subsubsection">4.1.1.5 Add Administrators to the Acl File</h5>

2057

2058

<p>Next, you need create an Access Control List (acl) file, and put the

2059

Kerberos principal of at least one of the administrators into it. This

2060

file is used by the <code>kadmind</code> daemon to control which principals

2061

may view and make privileged modifications to the Kerberos database

2062

files. The filename should match the value you have set for

2063

“acl_file” in your <code>kdc.conf</code> file. The default file name is

2064

‘<samp><span class="samp">/usr/local/var/krb5kdc/kadm5.acl</span></samp>’.

2065

2066

<p>The format of the file is:

2067

2068

<pre class="smallexample"> Kerberos_principal permissions [target_principal] [restrictions]

2069

</pre>

2070

<p>The Kerberos principal (and optional target principal) can include the

2071

“<b>*</b>” wildcard, so if you want any principal with the instance

2072

“admin” to have full permissions on the database, you could use the

2073

principal “<code>*/admin@REALM</code>” where “REALM” is your Kerberos

2074

realm. <code>target_principal</code> can also include backreferences to

2075

<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i>" matches the

2076

component <i>number</i> in the <code>Kerberos_principal</code>.

2077

2078

<p>Note: a common use of an <i>admin</i> instance is so you can grant

2079

separate permissions (such as administrator access to the Kerberos

2080

database) to a separate Kerberos principal. For example, the user

2081

<code>joeadmin</code> might have a principal for his administrative

2082

use, called <code>joeadmin/admin</code>. This way,

2083

<code>joeadmin</code> would obtain <code>joeadmin/admin</code>

2084

tickets only when he actually needs to use those permissions.

2085

2086

<p>The permissions are represented by single letters; UPPER-CASE letters

2087

represent negative permissions. The permissions are:

2088

2089

<dl>

2090

<dt><b>a</b><dd>allows the addition of principals or policies in the database.

2091

<dt><b>A</b><dd>disallows the addition of principals or policies in the database.

2092

<dt><b>d</b><dd>allows the deletion of principals or policies in the database.

2093

<dt><b>D</b><dd>disallows the deletion of principals or policies in the database.

2094

<dt><b>m</b><dd>allows the modification of principals or policies in the database.

2095

<dt><b>M</b><dd>disallows the modification of principals or policies in the database.

2096

<dt><b>c</b><dd>allows the changing of passwords for principals in the database.

2097

<dt><b>C</b><dd>disallows the changing of passwords for principals in the database.

2098

<dt><b>i</b><dd>allows inquiries to the database.

2099

<dt><b>I</b><dd>disallows inquiries to the database.

2100

<dt><b>l</b><dd>allows the listing of principals or policies in the database.

2101

<dt><b>L</b><dd>disallows the listing of principals or policies in the database.

2102

<dt><b>s</b><dd>allows the explicit setting of the key for a principal

2103

<dt><b>S</b><dd>disallows the explicit setting of the key for a principal

2104

<dt><b>*</b><dd>All privileges (admcil).

2105

<dt><b>x</b><dd>All privileges (admcil); identical to “*”.

2106

</dl>

2107

2108

<p>The restrictions are a string of flags. Allowed restrictions are:

2109

2110

<dl>

2111

<dt><b>[+ -]</b><i>flagname</i><dd>flag is forced to indicated value. The permissible flags are the same

2112

as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and

2113

<code>modprinc</code> commands.

2114

<dt><b>-clearpolicy</b><dd>policy is forced to clear

2115

<dt><b>-policy </b><i>pol</i><dd>policy is forced to be <i>pol</i>

2116

<dt><b>expire </b><i>time</i><dt><b>pwexpire </b><i>time</i><dt><b>maxlife </b><i>time</i><dt><b>maxrenewlife </b><i>time</i><dd>associated value will be forced to MIN(<i>time</i>, requested value)

2117

</dl>

2118

2119

<p>The above flags act as restrictions on any add or modify operation

2120

which is allowed due to that ACL line.

2121

2122

<p>Here is an example of a <code>kadm5.acl</code> file. Note that order is

2123

important; permissions are determined by the first matching entry.

2124

2125

<pre class="smallexample"> */admin@ATHENA.MIT.EDU *

2126

joeadmin@ATHENA.MIT.EDU ADMCIL

2127

joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU

2128

*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU

2129

*/*@ATHENA.MIT.EDU i

2130

*/admin@EXAMPLE.COM * -maxlife 9h -postdateable

2131

</pre>

2132

<p class="noindent">In the above file, any principal in the

2133

ATHENA.MIT.EDU realm with an <code>admin</code> instance has all

2134

administrative privileges. The user <code>joeadmin</code>

2135

has all permissions with his <code>admin</code> instance,

2136

<code>joeadmin/admin@ATHENA.MIT.EDU</code> (matches the first

2137

line). He has no permissions at all with his <code>null</code> instance,

2138

<code>joeadmin@ATHENA.MIT.EDU</code> (matches the second line).

2139

His root instance has <i>inquire</i> and <i>list</i> permissions with any

2140

other principal that has the instance <code>root</code>. Any principal

2141

in ATHENA.MIT.EDU can inquire, list, or change the password of

2142

their <code>admin</code> instance, but not any other <code>admin</code> instance.

2143

Any principal in the realm <code>ATHENA.MIT.EDU</code> (except for

2144

<code>joeadmin@ATHENA.MIT.EDU</code>, as mentioned above) has

2145

<i>inquire</i> privileges. Finally, any principal with an admin instance

2146

in EXAMPLE.COM has all permissions, but any principal that they

2147

create or modify will not be able to get postdateable tickets or tickets

2148

with a life of longer than 9 hours.

2149

2150

2151

2152

<p><hr>

2153

Next: <a rel="next" accesskey="n" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,

2154

Previous: <a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,

2155

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2156

2157

</div>

2158

2159

<h5 class="subsubsection">4.1.1.6 Add Administrators to the Kerberos Database</h5>

2160

2161

<p>Next you need to add administrative principals to the Kerberos database.

2162

(You must add at least one now.) To do this, use <code>kadmin.local</code>

2163

<em>on the master KDC</em>. The administrative principals you create

2164

should be the ones you added to the ACL file. (See See <a href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>.) In the following example, the

2165

administration principal <code>admin/admin</code> is created:

2166

2167

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local

2168

<b>kadmin.local:</b> addprinc admin/admin@ATHENA.MIT.EDU

2169

<b>NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU";

2170

assigning "default".</b>

2171

<b>Enter password for principal admin/admin@ATHENA.MIT.EDU:</b> <i><= Enter a password.</i>

2172

Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <i><= Type it again.</i>

2173

<b>Principal "admin/admin@ATHENA.MIT.EDU" created.

2174

kadmin.local:</b>

2175

</pre>

2176

2177

2178

2179

<p><hr>

2180

Next: <a rel="next" accesskey="n" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>,

2181

Previous: <a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,

2182

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2183

2184

</div>

2185

2186

<h5 class="subsubsection">4.1.1.7 Create a kadmind Keytab (optional)</h5>

2187

2188

<p>The kadmind keytab is the key that the legacy admininstration daemons

2189

<code>kadmind4</code> and <code>v5passwdd</code> will use to decrypt

2190

administrators' or clients' Kerberos tickets to determine whether or

2191

not they should have access to the database. You need to create the

2192

kadmin keytab with entries for the principals <code>kadmin/admin</code> and

2193

<code>kadmin/changepw</code>. (These principals are placed in the Kerberos

2194

database automatically when you create it.) To create the kadmin

2195

keytab, run <code>kadmin.local</code> and use the <code>ktadd</code> command, as

2196

in the following example. (The line beginning with ⇒ is a

2197

continuation of the previous line.):

2198

2199

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local

2200

<b>kadmin.local:</b> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab

2201

⇒ kadmin/admin kadmin/changepw

2202

<b> Entry for principal kadmin/admin with kvno 5, encryption

2203

type Triple DES cbc mode with HMAC/sha1 added to keytab

2204

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2205

Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode

2206

with CRC-32 added to keytab

2207

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2208

Entry for principal kadmin/changepw with kvno 5, encryption

2209

type Triple DES cbc mode with HMAC/sha1 added to keytab

2210

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2211

Entry for principal kadmin/changepw with kvno 5,

2212

encryption type DES cbc mode with CRC-32 added to keytab

2213

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2214

kadmin.local:</b> quit

2215

<b>shell%</b>

2216

</pre>

2217

<p class="noindent">As specified in the ‘<samp><span class="samp">-k</span></samp>’ argument, <code>ktadd</code> will save the

2218

extracted keytab as <br> <code>/usr/local/var/krb5kdc/kadm5.keytab</code>.

2219

The filename you use must be the one specified in your <code>kdc.conf</code>

2220

file.

2221

2222

2223

2224

<p><hr>

2225

Previous: <a rel="previous" accesskey="p" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,

2226

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2227

2228

</div>

2229

2230

<h5 class="subsubsection">4.1.1.8 Start the Kerberos Daemons on the Master KDC</h5>

2231

2232

<p>At this point, you are ready to start the Kerberos daemons on the Master

2233

KDC. To do so, type:

2234

2235

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc

2236

<b>shell%</b> /usr/local/sbin/kadmind

2237

</pre>

2238

<p class="noindent">Each daemon will fork and run in the background. Assuming you want

2239

these daemons to start up automatically at boot time, you can add them

2240

to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file. You need to

2241

have a stash file in order to do this.

2242

2243

<p>You can verify that they started properly by checking for their startup

2244

messages in the logging locations you defined in <code>/etc/krb5.conf</code>.

2245

(See <a href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>.) For example:

2246

2247

<pre class="smallexample"> <b>shell%</b> tail /var/log/krb5kdc.log

2248

Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation

2249

<b>shell%</b> tail /var/log/kadmin.log

2250

Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting

2251

</pre>

2252

<p>Any errors the daemons encounter while starting will also be listed in

2253

the logging output.

2254

2255

2256

2257

<p><hr>

2258

Next: <a rel="next" accesskey="n" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,

2259

Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,

2260

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2261

2262

</div>

2263

2264

<h4 class="subsection">4.1.2 Install the Slave KDCs</h4>

2265

2266

<p>You are now ready to start configuring the slave KDCs. Assuming you are

2267

setting the KDCs up so that you can easily switch the master KDC with

2268

one of the slaves, you should perform each of these steps on the master

2269

KDC as well as the slave KDCs, unless these instructions specify

2270

otherwise.

2271

2272

2273

<li><a accesskey="1" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>

2274

<li><a accesskey="2" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>

2275

<li><a accesskey="3" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>

2276

</ul>

2277

2278

2279

2280

<p><hr>

2281

Next: <a rel="next" accesskey="n" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,

2282

Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,

2283

Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2284

2285

</div>

2286

2287

<h5 class="subsubsection">4.1.2.1 Create Host Keys for the Slave KDCs</h5>

2288

2289

<p>Each KDC needs a host principal in the Kerberos database. You can enter

2290

these from any host, once the <code>kadmind</code> daemon is running. For

2291

example, if your master KDC were called

2292

kerberos.mit.edu, and you had two KDC slaves

2293

named kerberos-1.mit.edu and

2294

kerberos-2.mit.edu, you would type the following:

2295

2296

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin

2297

<b>kadmin:</b> addprinc -randkey host/kerberos.mit.edu

2298

<b>NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU";

2299

assigning "default"

2300

Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.

2301

kadmin:</b> addprinc -randkey host/kerberos-1.mit.edu

2302

<b>NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU";

2303

assigning "default"

2304

Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</b>

2305

<b>kadmin:</b> addprinc -randkey host/kerberos-2.mit.edu

2306

<b>NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU";

2307

assigning "default"

2308

Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created.

2309

kadmin:</b>

2310

</pre>

2311

<p class="noindent">It is not actually necessary to have the master KDC server in the

2312

Kerberos database, but it can be handy if:

2313

2314

<ul>

2315

<li>anyone will be logging into the machine as something other than root

2316

2317

<li>you want to be able to swap the master KDC with one of the slaves if

2318

necessary.

2319

</ul>

2320

2321

2322

2323

<p><hr>

2324

Next: <a rel="next" accesskey="n" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>,

2325

Previous: <a rel="previous" accesskey="p" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>,

2326

Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2327

2328

</div>

2329

2330

<h5 class="subsubsection">4.1.2.2 Extract Host Keytabs for the KDCs</h5>

2331

2332

<p>Each KDC (including the master) needs a keytab to decrypt tickets.

2333

Ideally, you should extract each keytab locally on its own KDC. If this

2334

is not feasible, you should use an encrypted session to send them across

2335

the network. To extract a keytab on a KDC called

2336

kerberos.mit.edu, you would execute the following

2337

command:

2338

2339

<pre class="smallexample"> <b>kadmin:</b> ktadd host/kerberos.mit.edu

2340

<b>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with

2341

kvno 1, encryption type DES-CBC-CRC added to keytab

2342

WRFILE:/etc/krb5.keytab.

2343

kadmin:</b>

2344

</pre>

2345

<p class="noindent">Note that the principal must exist in the Kerberos database in order to

2346

extract the keytab.

2347

2348

2349

2350

<p><hr>

2351

Previous: <a rel="previous" accesskey="p" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,

2352

Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2353

2354

</div>

2355

2356

<h5 class="subsubsection">4.1.2.3 Set Up the Slave KDCs for Database Propagation</h5>

2357

2358

<p>The database is propagated from the master KDC to the slave KDCs via the

2359

<code>kpropd</code> daemon. To set up propagation, create a file on each KDC,

2360

named <code>/usr/local/var/krb5kdc/kpropd.acl</code>, containing the

2361

principals for each of the KDCs.

2362

For example, if the master KDC were

2363

<code>kerberos.mit.edu</code>, the slave KDCs were

2364

<code>kerberos-1.mit.edu</code> and

2365

<code>kerberos-2.mit.edu</code>, and the realm were

2366

<code>ATHENA.MIT.EDU</code>, then the file's contents would be:

2367

2368

<pre class="smallexample"> host/kerberos.mit.edu@ATHENA.MIT.EDU

2369

host/kerberos-1.mit.edu@ATHENA.MIT.EDU

2370

host/kerberos-2.mit.edu@ATHENA.MIT.EDU

2371

</pre>

2372

<p>Then, add the following line to <code>/etc/inetd.conf</code> file on each KDC:

2373

2374

<pre class="smallexample"> krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

2375

</pre>

2376

<p class="noindent">You also need to add the following lines to <code>/etc/services</code> on each

2377

KDC:

2378

2379

<pre class="smallexample"> kerberos 88/udp kdc # Kerberos authentication (udp)

2380

kerberos 88/tcp kdc # Kerberos authentication (tcp)

2381

krb5_prop 754/tcp # Kerberos slave propagation

2382

kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)

2383

kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)

2384

</pre>

2385

2386

2387

<p><hr>

2388

Next: <a rel="next" accesskey="n" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,

2389

Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,

2390

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2391

2392

</div>

2393

2394

<h4 class="subsection">4.1.3 Back on the Master KDC</h4>

2395

2396

<p>Now that the slave KDCs are able to accept database propagation, you'll

2397

need to propagate the database to each of them.

2398

2399

2400

<li><a accesskey="1" href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>

2401

</ul>

2402

2403

2404

2405

<p><hr>

2406

Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,

2407

Up: <a rel="up" accesskey="u" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>

2408

2409

</div>

2410

2411

<h5 class="subsubsection">4.1.3.1 Propagate the Database to Each Slave KDC</h5>

2412

2413

<p>First, create a dump of the database on the master KDC, as follows:

2414

2415

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans

2416

<b>shell%</b>

2417

</pre>

2418

<p>Next, you need to manually propagate the database to each slave KDC, as

2419

in the following example. (The lines beginning with ⇒ are

2420

continuations of the previous line.):

2421

2422

<pre class="smallexample"> /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans

2423

⇒ kerberos-1.mit.edu

2424

/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans

2425

⇒ kerberos-2.mit.edu

2426

</pre>

2427

<p>You will need a script to dump and propagate the database. The

2428

following is an example of a bourne shell script that will do this.

2429

(Note that the line that begins with ⇒ is a continuation of the

2430

previous line. Remember that you need to replace /usr/local with

2431

the name of the directory in which you installed Kerberos V5.)

2432

2433

<pre class="smallexample"> #!/bin/sh

2434

2435

kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"

2436

2437

/usr/local/sbin/kdb5_util "dump

2438

⇒ /usr/local/var/krb5kdc/slave_datatrans"

2439

2440

for kdc in $kdclist

2441

do

2442

/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc

2443

done

2444

</pre>

2445

<p class="noindent">You will need to set up a cron job to run this script at the intervals

2446

you decided on earlier (See <a href="#Database-Propagation">Database Propagation</a>.)

2447

2448

2449

2450

<p><hr>

2451

Next: <a rel="next" accesskey="n" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,

2452

Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,

2453

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2454

2455

</div>

2456

2457

<h4 class="subsection">4.1.4 Finish Installing the Slave KDCs</h4>

2458

2459

<p>Now that the slave KDCs have copies of the Kerberos database, you can

2460

create stash files for them and start the <code>krb5kdc</code> daemon.

2461

2462

2463

<li><a accesskey="1" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>

2464

<li><a accesskey="2" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>

2465

</ul>

2466

2467

2468

2469

<p><hr>

2470

Next: <a rel="next" accesskey="n" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>,

2471

Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,

2472

Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

2473

2474

</div>

2475

2476

<h5 class="subsubsection">4.1.4.1 Create Stash Files on the Slave KDCs</h5>

2477

2478

<p>Create stash files, by issuing the following commands on each slave KDC:

2479

2480

<pre class="smallexample"> <b>shell%</b> kdb5_util stash

2481

<b>kdb5_util: Cannot find/read stored master key while reading master key

2482

kdb5_util: Warning: proceeding without master key</b>

2483

<b>Enter KDC database master key:</b> <i><= Enter the database master key.</i>

2484

<b>shell%</b>

2485

</pre>

2486

<p>As mentioned above, the stash file is necessary for your KDCs to be able

2487

authenticate to themselves, such as when they reboot. You could run

2488

your KDCs without stash files, but you would then need to type in the

2489

Kerberos database master key by hand every time you start a KDC daemon.

2490

2491

2492

2493

<p><hr>

2494

Previous: <a rel="previous" accesskey="p" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>,

2495

Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

2496

2497

</div>

2498

2499

<h5 class="subsubsection">4.1.4.2 Start the krb5kdc Daemon on Each KDC</h5>

2500

2501

<p>The final step in configuing your slave KDCs is to run the KDC daemon:

2502

2503

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc

2504

</pre>

2505

<p>As with the master KDC, you will probably want to add this command to

2506

the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will

2507

start the krb5kdc daemon automatically at boot time.

2508

2509

2510

2511

<p><hr>

2512

Next: <a rel="next" accesskey="n" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,

2513

Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,

2514

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2515

2516

</div>

2517

2518

<h4 class="subsection">4.1.5 Add Kerberos Principals to the Database</h4>

2519

2520

<p>Once your KDCs are set up and running, you are ready to use

2521

<code>kadmin</code> to load principals for your users, hosts, and other

2522

services into the Kerberos database. This procedure is described fully in the

2523

“Adding or Modifying Principals” section of the Kerberos V5 System

2524

Administrator's Guide. (See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a

2525

brief description.) The keytab is generated by running <code>kadmin</code>

2526

and issuing the <code>ktadd</code> command.

2527

2528

2529

2530

<p><hr>

2531

Next: <a rel="next" accesskey="n" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,

2532

Previous: <a rel="previous" accesskey="p" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,

2533

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2534

2535

</div>

2536

2537

<h4 class="subsection">4.1.6 Limit Access to the KDCs</h4>

2538

2539

<p>To limit the possibility that your Kerberos database could be

2540

compromised, MIT recommends that each KDC be a dedicated

2541

host, with limited access. If your KDC is also a file server, FTP

2542

server, Web server, or even just a client machine, someone who obtained

2543

root access through a security hole in any of those areas could gain

2544

access to the Kerberos database.

2545

2546

2547

2548

<p><hr>

2549

Next: <a rel="next" accesskey="n" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,

2550

Previous: <a rel="previous" accesskey="p" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,

2551

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2552

2553

</div>

2554

2555

<h4 class="subsection">4.1.7 Switching Master and Slave KDCs</h4>

2556

2557

<p>You may occasionally want to use one of your slave KDCs as the master.

2558

This might happen if you are upgrading the master KDC, or if your master

2559

KDC has a disk crash.

2560

2561

<p>Assuming you have configured all of your KDCs to be able to function as

2562

either the master KDC or a slave KDC (as this document recommends), all

2563

you need to do to make the changeover is:

2564

2565

<p>If the master KDC is still running, do the following on the <em>old</em>

2566

master KDC:

2567

2568

2569

<li>Kill the <code>kadmind</code> process.

2570

2571

<li>Disable the cron job that propagates the database.

2572

2573

<li>Run your database propagation script manually, to ensure that the slaves

2574

all have the latest copy of the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.) If there is a need to preserve per-principal

2575

policy information from the database, you should do a “kdb5_util dump

2576

-ov” in order to preserve that information and propogate that dump file

2577

securely by some means to the slave so that its database has the correct

2578

state of the per-principal policy information.

2579

</ol>

2580

2581

<p>On the <em>new</em> master KDC:

2582

2583

2584

<li>Create a database keytab. (See <a href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>.)

2585

2586

<li>Start the <code>kadmind</code> daemon. (See <a href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>.)

2587

2588

<li>Set up the cron job to propagate the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.)

2589

2590

<li>Switch the CNAMEs of the old and new master KDCs. (If you don't do

2591

this, you'll need to change the <code>krb5.conf</code> file on every client

2592

machine in your Kerberos realm.)

2593

2594

</ol>

2595

2596

2597

2598

<p><hr>

2599

Previous: <a rel="previous" accesskey="p" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,

2600

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2601

2602

</div>

2603

2604

<h4 class="subsection">4.1.8 Incremental Database Propagation</h4>

2605

2606

<p>At some very large sites, dumping and transmitting the database can

2607

take more time than is desirable for changes to propagate from the

2608

master KDC to the slave KDCs. The incremental propagation support

2609

added in the 1.7 release is intended to address this.

2610

2611

<p>With incremental propagation enabled, all programs on the master KDC

2612

that change the database also write information about the changes to

2613

an “update log” file, maintained as a circular buffer of a certain

2614

size. A process on each slave KDC connects to a service on the master

2615

KDC (currently implemented in the <code>kadmind</code> server) and

2616

periodically requests the changes that have been made since the last

2617

check. By default, this check is done every two minutes. If the

2618

database has just been modified in the previous several seconds

2619

(currently the threshold is hard-coded at 10 seconds), the slave will

2620

not retrieve updates, but instead will pause and try again soon after.

2621

This reduces the likelihood that incremental update queries will cause

2622

delays for an administrator trying to make a bunch of changes to the

2623

database at the same time.

2624

2625

<p>Incremental propagation uses the following entries in the per-realm

2626

data in the KDC config file:

2627

2628

<dl>

2629

<dt><code>iprop_enable</code> (boolean)<dd>If this is set to <code>true</code>, then incremental propagation is

2630

enabled, and (as noted below) normal <code>kprop</code> propagation is

2631

disabled. The default is <code>false</code>.

2632

2633

<br><dt><code>iprop_master_ulogsize</code> (integer)<dd>This indicates the number of entries that should be retained in the

2634

update log. The default is 1000; the maximum number is 2500.

2635

2636

<br><dt><code>iprop_slave_poll</code> (time interval)<dd>This indicates how often the slave should poll the master KDC for

2637

changes to the database. The default is two minutes.

2638

2639

<br><dt><code>iprop_port</code> (integer)<dd>This specifies the port number to be used for incremental

2640

propagation. This is required in both master and slave configuration

2641

files.

2642

2643

<br><dt><code>iprop_logfile</code> (file name)<dd>This specifies where the update log file for the realm database is to

2644

be stored. The default is to use the <code>database_name</code> entry from

2645

the <code>realms</code> section of the config file, with <samp><span class="file">.ulog</span></samp> appended.

2646

(NOTE: If <code>database_name</code> isn't specified in the <code>realms</code>

2647

section, perhaps because the LDAP database back end is being used, or

2648

the file name is specified in the <code>dbmodules</code> section, then the

2649

hard-coded default for <code>database_name</code> is used. Determination of

2650

the <code>iprop_logfile</code> default value will not use values from the

2651

<code>dbmodules</code> section.)

2652

</dl>

2653

2654

<p>Both master and slave sides must have principals named

2655

<code>kiprop/</code><var>hostname</var> (where <var>hostname</var> is, as usual, the

2656

lower-case, fully-qualified, canonical name for the host) registered

2657

and keys stored in the default keytab file (<samp><span class="file">/etc/krb5.keytab</span></samp>).

2658

2659

2660

2661

<p>On the master KDC side, the <code>kiprop/</code><var>hostname</var> principal

2662

must be listed in the <code>kadmind</code> ACL file <code>kadm5.acl</code>, and

2663

given the <code>p</code> privilege.

2664

2665

<p>On the slave KDC side, <code>kpropd</code> should be run. When incremental

2666

propagation is enabled, it will connect to the <code>kadmind</code> on the

2667

master KDC and start requesting updates.

2668

2669

<p>The normal <code>kprop</code> mechanism is disabled by the incremental

2670

propagation support. However, if the slave has been unable to fetch

2671

changes from the master KDC for too long (network problems, perhaps),

2672

the log on the master may wrap around and overwrite some of the

2673

updates that the slave has not yet retrieved. In this case, the slave

2674

will instruct the master KDC to dump the current database out to a

2675

file and invoke a one-time <code>kprop</code> propagation, with special

2676

options to also convey the point in the update log at which the slave

2677

should resume fetching incremental updates. Thus, all the keytab and

2678

ACL setup previously described for <code>kprop</code> propagation is still

2679

needed.

2680

2681

<p>There are several restrictions in the current implementation:

2682

2683

<ul>

2684

<li>Changes to password policy objects are not propagated incrementally.

2685

Changes to which policy applies to a principal are propagated.

2686

<li>The master and slave must be able to initiate TCP connections in both

2687

directions, without an intervening NAT.

2688

<li>If the slave has an IPv6 interface address but needs to accept

2689

connections over IPv4, the operating system needs “dual stack” support

2690

(i.e. the ability to accept IPv6 and IPv4 connections on a single IPv6

2691

listener socket). At this time, all modern Unix-like operating systems

2692

have dual stack support except OpenBSD.

2693

</ul>

2694

2695

2696

<li><a accesskey="1" href="#Sun_002fMIT-Incremental-Propagation-Differences">Sun/MIT Incremental Propagation Differences</a>

2697

</ul>

2698

2699

2700

2701

2702

<p><hr>

2703

Previous: <a rel="previous" accesskey="p" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,

2704

Up: <a rel="up" accesskey="u" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>

2705

2706

</div>

2707

2708

<h5 class="subsubsection">4.1.8.1 Sun/MIT Incremental Propagation Differences</h5>

2709

2710

<p>Sun donated the original code for supporting incremental database

2711

propagation to MIT. Some changes have been made in the MIT source

2712

tree that will be visible to administrators. (These notes are based

2713

on Sun's patches. Changes to Sun's implementation since then may not

2714

be reflected here.)

2715

2716

<p>The Sun config file support looks for <code>sunw_dbprop_enable</code>,

2717

<code>sunw_dbprop_master_ulogsize</code>, and <code>sunw_dbprop_slave_poll</code>.

2718

2719

<p>The incremental propagation service is implemented as an ONC RPC

2720

service. In the Sun implementation, the service is registered with

2721

<code>rpcbind</code> (also known as <code>portmapper</code>) and the client looks

2722

up the port number to contact. In the MIT implementation, where

2723

interaction with some modern versions of <code>rpcbind</code> doesn't always

2724

work well, the port number must be specified in the config file on

2725

both the master and slave sides.

2726

2727

<p>The Sun implementation hard-codes pathnames in <samp><span class="file">/var/krb5</span></samp> for

2728

the update log and the per-slave <code>kprop</code> dump files. In the MIT

2729

implementation, the pathname for the update log is specified in the

2730

config file, and the per-slave dump files are stored in

2731

<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var>.

2732

2733

2734

2735

<p><hr>

2736

Next: <a rel="next" accesskey="n" href="#UNIX-Application-Servers">UNIX Application Servers</a>,

2737

Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,

2738

Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

2739

2740

</div>

2741

2742

<h3 class="section">4.2 Installing and Configuring UNIX Client Machines</h3>

2743

2744

<p>Client machine installation is much more straightforward than

2745

installation of the KDCs.

2746

2747

2748

<li><a accesskey="1" href="#Client-Programs">Client Programs</a>

2749

<li><a accesskey="2" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>

2750

</ul>

2751

2752

2753

2754

<p><hr>

2755

Next: <a rel="next" accesskey="n" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,

2756

Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,

2757

Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

2758

2759

</div>

2760

2761

<h4 class="subsection">4.2.1 Client Programs</h4>

2762

2763

<p>The Kerberized client programs are <code>kinit</code>, <code>klist</code>,

2764

<code>kdestroy</code>, <code>kpasswd</code>, and <code>ksu</code>. All of these programs

2765

are in the directory <code>/usr/local/bin</code>.

2766

2767

<p>MIT recommends that you use <code>login.krb5</code> in place of

2768

<code>/bin/login</code> to give your users a single-sign-on system. You will

2769

need to make sure your users know to use their Kerberos passwords when

2770

they log in.

2771

2772

<p>You will also need to educate your users to use the ticket management

2773

programs <code>kinit</code>, <code>klist</code>, <code>kdestroy</code>, and to use the

2774

Kerberos programs <code>ksu</code> and <code>kpasswd</code> in place of their

2775

non-Kerberos counterparts <code>su</code> and <code>passwd</code>.

2776

2777

2778

2779

<p><hr>

2780

Previous: <a rel="previous" accesskey="p" href="#Client-Programs">Client Programs</a>,

2781

Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

2782

2783

</div>

2784

2785

<h4 class="subsection">4.2.2 Client Machine Configuration Files</h4>

2786

2787

<p>Each machine running Kerberos must have a <code>/etc/krb5.conf</code> file.

2788

(See <a href="#krb5_002econf">krb5.conf</a>.)

2789

2790

<p>Also, for most UNIX systems, you must add the appropriate Kerberos

2791

services to each client machine's <code>/etc/services</code> file. If you are

2792

using the default configuration for Kerberos V5, you should be able

2793

to just insert the following code:

2794

2795

<pre class="smallexample"> kerberos 88/udp kdc # Kerberos V5 KDC

2796

kerberos 88/tcp kdc # Kerberos V5 KDC

2797

kerberos-adm 749/tcp # Kerberos 5 admin/changepw

2798

kerberos-adm 749/udp # Kerberos 5 admin/changepw

2799

krb5_prop 754/tcp # Kerberos slave propagation

2800

krb524 4444/tcp # Kerberos 5 to 4 ticket translator

2801

</pre>

2802

2803

<li><a accesskey="1" href="#Mac-OS-X-Configuration">Mac OS X Configuration</a>

2804

</ul>

2805

2806

2807

2808

<p><hr>

2809

Previous: <a rel="previous" accesskey="p" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,

2810

Up: <a rel="up" accesskey="u" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>

2811

2812

</div>

2813

2814

<h5 class="subsubsection">4.2.2.1 Mac OS X Configuration</h5>

2815

2816

<p>To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the

2817

directions for generic Unix-based OS's, except for the

2818

<code>/etc/services</code> updates described above.

2819

2820

<p>Mac OS X and Mac OS X Server use a database called NetInfo to store

2821

the contents of files normally found in <code>/etc</code>. Instead of

2822

modifying <code>/etc/services</code>, you should run the following commands

2823

to add the Kerberos service entries to NetInfo:

2824

2825

<pre class="smallexample"> $ niutil -create . /services/kerberos

2826

$ niutil -createprop . /services/kerberos name kerberos kdc

2827

$ niutil -createprop . /services/kerberos port 750

2828

$ niutil -createprop . /services/kerberos protocol tcp udp

2829

$ niutil -create . /services/krbupdate

2830

$ niutil -createprop . /services/krbupdate name krbupdate kreg

2831

$ niutil -createprop . /services/krbupdate port 760

2832

$ niutil -createprop . /services/krbupdate protocol tcp

2833

$ niutil -create . /services/kpasswd

2834

$ niutil -createprop . /services/kpasswd name kpasswd kpwd

2835

$ niutil -createprop . /services/kpasswd port 761

2836

$ niutil -createprop . /services/kpasswd protocol tcp

2837

$ niutil -create . /services/klogin

2838

$ niutil -createprop . /services/klogin port 543

2839

$ niutil -createprop . /services/klogin protocol tcp

2840

$ niutil -create . /services/eklogin

2841

$ niutil -createprop . /services/eklogin port 2105

2842

$ niutil -createprop . /services/eklogin protocol tcp

2843

$ niutil -create . /services/kshell

2844

$ niutil -createprop . /services/kshell name kshell krcmd

2845

$ niutil -createprop . /services/kshell port 544

2846

$ niutil -createprop . /services/kshell protocol tcp

2847

</pre>

2848

<p>In addition to adding services to NetInfo, you must also modify the

2849

resolver configuration in NetInfo so that the machine resolves its own

2850

hostname as a FQDN (fully qualified domain name). By default, Mac OS X

2851

and Mac OS X Server machines query NetInfo to resolve hostnames before

2852

falling back to DNS. Because NetInfo has an unqualified name for all

2853

the machines in the NetInfo database, the machine's own hostname will

2854

resolve to an unqualified name. Kerberos needs a FQDN to look up keys

2855

in the machine's keytab file.

2856

2857

<p>Fortunately, you can change the <code>lookupd</code> caching order to query

2858

DNS first. Run the following NetInfo commands and reboot the machine:

2859

2860

<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts

2861

$ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent

2862

NIAgent NILAgent

2863

</pre>

2864

<p>Once you have rebooted, you can verify that the resolver now behaves

2865

correctly. Compile the Kerberos 5 distribution and run:

2866

2867

<pre class="smallexample"> $ cd .../src/tests/resolve

2868

$ ./resolve

2869

</pre>

2870

<p>This will tell you whether or not your machine returns FQDNs on name

2871

lookups. If the test still fails, you can also try turning off DNS

2872

caching. Run the following commands and reboot:

2873

2874

<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts

2875

$ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent

2876

CacheAgent NIAgent NILAgent

2877

</pre>

2878

<p>The remainder of the setup of a Mac OS X client machine or application

2879

server should be the same as for other UNIX-based systems.

2880

2881

2882

2883

<p><hr>

2884

Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,

2885

Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

2886

2887

</div>

2888

2889

<h3 class="section">4.3 UNIX Application Servers</h3>

2890

2891

<p>An application server is a host that provides one or more services over

2892

the network. Application servers can be “secure” or “insecure.” A

2893

“secure” host is set up to require authentication from every client

2894

connecting to it. An “insecure” host will still provide Kerberos

2895

authentication, but will also allow unauthenticated clients to connect.

2896

2897

<p>If you have Kerberos V5 installed on all of your client machines,

2898

MIT recommends that you make your hosts secure, to take

2899

advantage of the security that Kerberos authentication affords.

2900

However, if you have some clients that do not have Kerberos V5

2901

installed, you can run an insecure server, and still take advantage of

2902

Kerberos V5's single sign-on capability.

2903

2904

2905

<li><a accesskey="1" href="#The-Keytab-File">The Keytab File</a>

2906

<li><a accesskey="2" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>

2907

</ul>

2908

2909

2910

2911

<p><hr>

2912

Next: <a rel="next" accesskey="n" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>,

2913

Previous: <a rel="previous" accesskey="p" href="#UNIX-Application-Servers">UNIX Application Servers</a>,

2914

Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

2915

2916

</div>

2917

2918

<h4 class="subsection">4.3.1 The Keytab File</h4>

2919

2920

<p>All Kerberos server machines need a <dfn>keytab</dfn> file, called

2921

<code>/etc/krb5.keytab</code>, to authenticate to the KDC. The keytab file is

2922

an encrypted, local, on-disk copy of the host's key. The keytab file,

2923

like the stash file (<a href="#Create-the-Database">Create the Database</a>) is a potential

2924

point-of-entry for a break-in, and if compromised, would allow

2925

unrestricted access to its host. The keytab file should be readable

2926

only by root, and should exist only on the machine's local disk. The

2927

file should not be part of any backup of the machine, unless access to

2928

the backup data is secured as tightly as access to the machine's root

2929

password itself.

2930

2931

<p>In order to generate a keytab for a host, the host must have a principal

2932

in the Kerberos database. The procedure for adding hosts to the

2933

database is described fully in the “Adding or Modifying Principals”

2934

section of the <cite>Kerberos V5 System Administrator's Guide</cite>.

2935

See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>. for a brief description.)

2936

The keytab is generated by running <code>kadmin</code> and issuing the

2937

<code>ktadd</code> command.

2938

2939

<p>For example, to generate a keytab file to allow the host

2940

trillium.mit.edu to authenticate for the services

2941

<code>host</code>, <code>ftp</code>, and <code>pop</code>, the administrator

2942

<code>joeadmin</code> would issue the command (on

2943

trillium.mit.edu):

2944

2945

<pre class="smallexample"> <b>trillium%</b> /usr/local/sbin/kadmin

2946

<b>kadmin5:</b> ktadd host/trillium.mit.edu ftp/trillium.mit.edu

2947

⇒ pop/trillium.mit.edu

2948

<b>kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with

2949

kvno 3, encryption type DES-CBC-CRC added to keytab

2950

WRFILE:/etc/krb5.keytab.

2951

kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with

2952

kvno 3, encryption type DES-CBC-CRC added to keytab

2953

WRFILE:/etc/krb5.keytab.

2954

kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with

2955

kvno 3, encryption type DES-CBC-CRC added to keytab

2956

WRFILE:/etc/krb5.keytab.

2957

kadmin5:</b> quit

2958

<b>trillium%</b>

2959

</pre>

2960

<p>If you generate the keytab file on another host, you need to get a copy

2961

of the keytab file onto the destination host (<code>trillium</code>, in the

2962

above example) without sending it unencrypted over the network.

2963

2964

2965

2966

<p><hr>

2967

Previous: <a rel="previous" accesskey="p" href="#The-Keytab-File">The Keytab File</a>,

2968

Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

2969

2970

</div>

2971

2972

<h4 class="subsection">4.3.2 Some Advice about Secure Hosts</h4>

2973

2974

<p>Kerberos V5 can protect your host from certain types of break-ins,

2975

but it is possible to install Kerberos V5 and still leave your host

2976

vulnerable to attack. Obviously an installation guide is not the place

2977

to try to include an exhaustive list of countermeasures for every

2978

possible attack, but it is worth noting some of the larger holes and how

2979

to close them.

2980

2981

<p>We recommend that backups of secure machines exclude the keytab file

2982

(<code>/etc/krb5.keytab</code>). If this is not possible, the backups should

2983

at least be done locally, rather than over a network, and the backup

2984

tapes should be physically secured.

2985

2986

<p>The keytab file and any programs run by root, including the

2987

Kerberos V5 binaries, should be kept on local disk. The keytab file

2988

should be readable only by root.

2989

2990

2991

2992

<p><hr>

2993

Next: <a rel="next" accesskey="n" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>,

2994

Previous: <a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,

2995

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

2996

2997

</div>

2998

2999

<h2 class="chapter">5 Upgrading Existing Kerberos V5 Installations</h2>

3000

3001

<p>If you already have an existing Kerberos database that you created with

3002

a prior release of Kerberos 5, you can upgrade it to work with the

3003

current release with the <code>kdb5_util</code> command. It is only

3004

necessary to perform this dump/undump procedure if you were running a

3005

krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you

3006

were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer

3007

KDC. The process for upgrading a Master KDC involves the following

3008

steps:

3009

3010

3011

3012

<li>Stop your current KDC and administration

3013

server processes, if any.

3014

3015

<li>Dump your existing Kerberos database to an ASCII file with

3016

<code>kdb5_util</code>'s “dump” command:

3017

3018

<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc

3019

<b>shell%</b> kdb5_util dump old-kdb-dump

3020

<b>shell%</b> kdb5_util dump -ov old-kdb-dump.ov

3021

<b>shell%</b>

3022

</pre>

3023

<li>Create a new Master KDC installation (See <a href="#Install-the-Master-KDC">Install the Master KDC</a>.). If you have a stash file for your current database, choose any

3024

new master password but then copy your existing stash file to the

3025

location specified by your kdc.conf; if you do not have a stash file for

3026

your current database, you must choose the same master password.

3027

3028

<li>Load your old Kerberos database into the new system with

3029

<code>kdb5_util</code>'s “load” command:

3030

3031

<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc

3032

<b>shell%</b> kdb5_util load old-kdb-dump

3033

<b>shell%</b> kdb5_util load -update old-kdb-dump.ov

3034

<b>shell%</b>

3035

</pre>

3036

</ol>

3037

3038

<p>The “dump -ov” and “load -update” commands are necessary in order to

3039

preserve per-principal policy information, since the default dump format

3040

filters out that information. If you omit those steps, the loaded

3041

database database will lose the policy information for each principal

3042

that has a policy.

3043

3044

<p>To update a Slave KDC, you must stop the old server processes on the

3045

Slave KDC, install the new server binaries, reload the most recent slave

3046

dump file, and re-start the server processes.

3047

3048

3049

<li><a accesskey="1" href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">Upgrading to Triple-DES and RC4 Encryption Keys</a>

3050

</ul>

3051

3052

3053

3054

3055

<p><hr>

3056

Previous: <a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,

3057

Up: <a rel="up" accesskey="u" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>

3058

3059

</div>

3060

3061

<h3 class="section">5.1 Upgrading to Triple-DES Encryption Keys</h3>

3062

3063

<p>Beginning with the 1.2 release from MIT, Kerberos includes

3064

a stronger encryption algorithm called “triple DES” – essentially,

3065

three applications of the basic DES encryption algorithm, greatly

3066

increasing the resistance to a brute-force search for the key by an

3067

attacker. This algorithm is more secure, but encryption is much

3068

slower.

3069

3070

<p>Release 1.1 had some support for triple-DES service keys, but with

3071

release 1.2 we have added support for user keys and session keys as

3072

well. Release 1.0 had very little support for multiple cryptosystems,

3073

and some of that software may not function properly in an environment

3074

using triple-DES as well as plain DES.

3075

3076

<p>In the 1.3 release from MIT, Kerberos also includes the RC4

3077

encryption alogorithm, a stream cipher symmetric key algorithm

3078

developed in 1987 by Ronald Rivest at RSA Data Security. Please note

3079

that RC4 is not part of the IETF standard.

3080

3081

<p>Because of the way the MIT Kerberos database is structured, the KDC

3082

will assume that a service supports only those encryption types for

3083

which keys are found in the database. Thus, if a service has only a

3084

single-DES key in the database, the KDC will not issue tickets for that

3085

service that use triple-DES or RC4 session keys; it will instead issue

3086

only single-DES session keys, even if other services are already

3087

capable of using triple-DES or RC4. So if you make sure your

3088

application server software is updated before adding a triple-DES or

3089

RC4 key for the service, clients should be able to talk to services at

3090

all times during the updating process.

3091

3092

<p>Normally, the listed <code>supported_enctypes</code> in <code>kdc.conf</code> are

3093

all used when a new key is generated. You can control this with

3094

command-line flags to <code>kadmin</code> and <code>kadmin.local</code>. You may

3095

want to exclude triple-DES and RC4 by default until you have updated a

3096

lot of your application servers, and then change the default to include

3097

triple-DES and RC4. We recommend that you always include

3098

<code>des-cbc-crc</code> in the default list.

3099

3100

3101

3102

<p><hr>

3103

Next: <a rel="next" accesskey="n" href="#Copyright">Copyright</a>,

3104

Previous: <a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,

3105

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

3106

3107

</div>

3108

3109

<h2 class="chapter">6 Bug Reports for Kerberos V5</h2>

3110

3111

<p>In any complex software, there will be bugs. If you have successfully

3112

built and installed Kerberos V5, please use the <code>krb5-send-pr</code>

3113

program to fill out a Problem Report should you encounter any errors in

3114

our software.

3115

3116

<p>Bug reports that include proposed fixes are especially welcome. If you

3117

do include fixes, please send them using either context diffs or unified

3118

diffs (using ‘<samp><span class="samp">diff -c</span></samp>’ or ‘<samp><span class="samp">diff -u</span></samp>’, respectively). Please be

3119

careful when using “cut and paste” or other such means to copy a patch

3120

into a bug report; depending on the system being used, that can result

3121

in converting TAB characters into spaces, which makes applying the

3122

patches more difficult.

3123

3124

<p>The <code>krb5-send-pr</code> program is installed in the directory

3125

<code>/usr/local/sbin</code>.

3126

3127

<p>The <code>krb5-send-pr</code> program enters the problem report into our

3128

Problem Report Management System (PRMS), which automatically assigns it

3129

to the engineer best able to help you with problems in the assigned

3130

category.

3131

3132

<p>The <code>krb5-send-pr</code> program will try to intelligently fill in as

3133

many fields as it can. You need to choose the <dfn>category</dfn>,

3134

<dfn>class</dfn>, <dfn>severity</dfn>, and <dfn>priority</dfn> of the problem, as well

3135

as giving us as much information as you can about its exact nature.

3136

3137

<p>The PR <b>category</b> will be one of:

3138

3139

<pre class="smallexample"> krb5-admin krb5-appl krb5-build krb5-clients

3140

krb5-doc krb5-kdc krb5-libs krb5-misc

3141

pty telnet test

3142

</pre>

3143

<p class="noindent">Choose the category that best describes the area under which your

3144

problem falls.

3145

3146

<p>The <b>class</b> can be <dfn>sw-bug</dfn>, <dfn>doc-bug</dfn>, <dfn>change-request</dfn>,

3147

or <dfn>support</dfn>. The first two are exactly as their names imply. Use

3148

<i>change-request</i> when the software is behaving according to

3149

specifications, but you want to request changes in some feature or

3150

behavior. The <i>support</i> class is intended for more general questions

3151

about building or using Kerberos V5.

3152

3153

<p>The <b>severity</b> of the problem indicates the problem's impact on the

3154

usability of Kerberos V5. If a problem is <dfn>critical</dfn>, that

3155

means the product, component or concept is completely non-operational,

3156

or some essential functionality is missing, and no workaround is known.

3157

A <dfn>serious</dfn> problem is one in which the product, component or

3158

concept is not working properly or significant functionality is missing.

3159

Problems that would otherwise be considered <i>critical</i> are rated

3160

<i>serious</i> when a workaround is known. A <dfn>non-critical</dfn> problem is

3161

one that is indeed a problem, but one that is having a minimal effect on

3162

your ability to use Kerberos V5. <i>E.g.</i>, The product, component

3163

or concept is working in general, but lacks features, has irritating

3164

behavior, does something wrong, or doesn't match its documentation. The

3165

default severity is <i>serious</i>.

3166

3167

<p>The <b>priority</b> indicates how urgent this particular problem is in

3168

relation to your work. Note that low priority does not imply low

3169

importance.

3170

A priority of <dfn>high</dfn> means a solution is needed as soon as possible.

3171

A priority of <dfn>medium</dfn> means the problem should be solved no later

3172

than the next release. A priority of <dfn>low</dfn> means the problem should

3173

be solved in a future release, but it is not important to your work how

3174

soon this happens. The default priority is <i>medium</i>.

3175

3176

<p>Note that a given severity does not necessarily imply a given priority.

3177

For example, a non-critical problem might still have a high priority if

3178

you are faced with a hard deadline. Conversely, a serious problem might

3179

have a low priority if the feature it is disabling is one that you do

3180

not need.

3181

3182

<p>It is important that you fill in the <i>release</i> field and tell us

3183

what changes you have made, if any.

3184

3185

<p>A sample filled-out form from a company named “Toasters, Inc.” might

3186

look like this:

3187

3188

<pre class="smallexample"> To: krb5-bugs@mit.edu

3189

Subject: misspelled "Kerberos" in title of installation guide

3190

From: jcb

3191

Reply-To: jcb

3192

Cc:

3193

X-send-pr-version: 3.99

3194

3195

3196

>Submitter-Id: mit

3197

>Originator: Jeffrey C. Gilman Bigler

3198

>Organization:

3199

mit

3200

>Confidential: no

3201

>Synopsis: Misspelled "Kerberos" in title of installation guide

3202

>Severity: non-critical

3203

>Priority: low

3204

>Category: krb5-doc

3205

>Class: doc-bug

3206

>Release: 1.0-development

3207

>Environment:

3208

<machine, os, target, libraries (multiple lines)>

3209

System: ULTRIX imbrium 4.2 0 RISC

3210

Machine: mips

3211

>Description:

3212

Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"

3213

>How-To-Repeat:

3214

N/A

3215

>Fix:

3216

Correct the spelling.

3217

</pre>

3218

<p>If the <code>krb5-send-pr</code> program does not work for you, or if you did

3219

not get far enough in the process to have an installed and working

3220

<code>krb5-send-pr</code>, you can generate your own form, using the above as

3221

an example.

3222

3223

3224

3225

<p><hr>

3226

Previous: <a rel="previous" accesskey="p" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>,

3227

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

3228

3229

</div>

3230

3231

<h2 class="appendix">Appendix A Copyright</h2>

3232

3233

3234

3235

3236

3237

3238

Export of software employing encryption from the United States of

3239

America may require a specific license from the United States

3240

Government. It is the responsibility of any person or organization

3241

contemplating export to obtain such a license before exporting.

3242

</blockquote>

3243

3244

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and

3245

distribute this software for any purpose and without fee is hereby

3246

granted, provided that the above copyright notice appear in all copies

3247

and that both that copyright notice and this permission notice appear

3248

in supporting documentation, and that the name of M.I.T. not be used

3249

in advertising or publicity pertaining to distribution of the software

3250

without specific, written prior permission. Furthermore if you modify

3251

this software you must label your software as modified software and

3252

not distribute it in such a fashion that it might be confused with the

3253

original MIT software. M.I.T. makes no representations about the

3254

suitability of this software for any purpose. It is provided “as

3255

is” without express or implied warranty.

3256

3257

<p>Documentation components of this software distribution are licensed

3258

under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

3259

(<a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>)

3260

3261

<p>Individual source code files are copyright MIT, Cygnus Support,

3262

Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,

3263

FundsXpress, and others.

3264

3265

<p>Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,

3266

and Zephyr are trademarks of the Massachusetts Institute of Technology

3267

(MIT). No commercial use of these trademarks may be made without

3268

prior written permission of MIT.

3269

3270

<p>“Commercial use” means use of a name in a product or other for-profit

3271

manner. It does NOT prevent a commercial firm from referring to the

3272

MIT trademarks in order to convey information (although in doing so,

3273

recognition of their trademark status should be given).

3274

3275

<p><hr>

3276

3277

<p>The following copyright and permission notice applies to the

3278

OpenVision Kerberos Administration system located in

3279

<code>kadmin/create</code>, <code>kadmin/dbutil</code>, <code>kadmin/passwd</code>,

3280

<code>kadmin/server</code>, <code>lib/kadm5</code>, and portions of

3281

<code>lib/rpc</code>:

3282

3283

3284

3285

3286

<p>WARNING: Retrieving the OpenVision Kerberos Administration system source

3287

code, as described below, indicates your acceptance of the following

3288

terms. If you do not agree to the following terms, do not retrieve the

3289

OpenVision Kerberos administration system.

3290

3291

<p>You may freely use and distribute the Source Code and Object Code

3292

compiled from it, with or without modification, but this Source Code is

3293

provided to you “AS IS” EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT

3294

LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A

3295

PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.

3296

IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,

3297

LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR

3298

FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS

3299

AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE

3300

OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR

3301

ANY OTHER REASON.

3302

3303

<p>OpenVision retains all copyrights in the donated Source Code. OpenVision

3304

also retains copyright to derivative works of the Source Code, whether

3305

created by OpenVision or by a third party. The OpenVision copyright

3306

notice must be preserved if derivative works are made based on the

3307

donated Source Code.

3308

3309

<p>OpenVision Technologies, Inc. has donated this Kerberos Administration

3310

system to MIT for inclusion in the standard Kerberos 5 distribution.

3311

This donation underscores our commitment to continuing Kerberos

3312

technology development and our gratitude for the valuable work which has

3313

been performed by MIT and the Kerberos community.

3314

</blockquote>

3315

3316

<p><hr>

3317

3318

3319

Portions contributed by Matt Crawford <code><crawdad@fnal.gov></code> were work

3320

performed at Fermi National Accelerator Laboratory, which is operated

3321

by Universities Research Association, Inc., under contract

3322

DE-AC02-76CHO3000 with the U.S. Department of Energy.

3323

</blockquote>

3324

3325

<p><hr>

3326

3327

<p>Portions of <code>src/lib/crypto</code> have the following copyright:

3328

3329

3330

3331

3332

3333

3334

3335

Export of this software from the United States of America may require

3336

a specific license from the United States Government. It is the

3337

responsibility of any person or organization contemplating export to

3338

obtain such a license before exporting.

3339

</blockquote>

3340

3341

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and

3342

distribute this software and its documentation for any purpose and

3343

without fee is hereby granted, provided that the above copyright

3344

notice appear in all copies and that both that copyright notice and

3345

this permission notice appear in supporting documentation, and that

3346

the name of FundsXpress. not be used in advertising or publicity pertaining

3347

to distribution of the software without specific, written prior

3348

permission. FundsXpress makes no representations about the suitability of

3349

this software for any purpose. It is provided “as is” without express

3350

or implied warranty.

3351

3352

<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR

3353

IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED

3354

WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

3355

</blockquote>

3356

3357

<p><hr>

3358

3359

<p>The implementation of the AES encryption algorithm in

3360

<code>src/lib/crypto/builtin/aes</code> has the following copyright:

3361

3362

3363

3364

Worcester, UK.<br>

3365

3366

3367

<p>LICENSE TERMS

3368

3369

<p>The free distribution and use of this software in both source and binary

3370

form is allowed (with or without changes) provided that:

3371

3372

3373

<li>distributions of this source code include the above copyright

3374

notice, this list of conditions and the following disclaimer;

3375

<li>distributions in binary form include the above copyright

3376

notice, this list of conditions and the following disclaimer

3377

in the documentation and/or other associated materials;

3378

<li>the copyright holder's name is not used to endorse products

3379

built using this software without specific written permission.

3380

</ol>

3381

3382

<p>DISCLAIMER

3383

3384

<p>This software is provided 'as is' with no explcit or implied warranties

3385

in respect of any properties, including, but not limited to, correctness

3386

and fitness for purpose.

3387

</blockquote>

3388

3389

<p><hr>

3390

3391

<p>Portions contributed by Red Hat, including the pre-authentication

3392

plug-in framework and the NSS crypto implementation, contain the

3393

following copyright:

3394

3395

3396

3397

3398

3399

3400

<p>Redistribution and use in source and binary forms, with or without

3401

modification, are permitted provided that the following conditions are

3402

met:

3403

3404

<ul>

3405

<li>Redistributions of source code must retain the above copyright

3406

notice, this list of conditions and the following disclaimer.

3407

<li>Redistributions in binary form must reproduce the above copyright

3408

notice, this list of conditions and the following disclaimer in the

3409

documentation and/or other materials provided with the distribution.

3410

<li>Neither the name of Red Hat, Inc., nor the names of its contributors

3411

may be used to endorse or promote products derived from this software

3412

without specific prior written permission.

3413

</ul>

3414

3415

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS

3416

IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED

3417

TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

3418

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER

3419

OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

3420

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

3421

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

3422

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

3423

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

3424

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

3425

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3426

</blockquote>

3427

3428

<p><hr>

3429

3430

<p>The bundled verto source code is subject to the following license:

3431

3432

3433

3434

3435

<p>Permission is hereby granted, free of charge, to any person

3436

obtaining a copy of this software and associated documentation files

3437

(the "Software"), to deal in the Software without restriction,

3438

including without limitation the rights to use, copy, modify, merge,

3439

publish, distribute, sublicense, and/or sell copies of the Software,

3440

and to permit persons to whom the Software is furnished to do so,

3441

subject to the following conditions:

3442

3443

<p>The above copyright notice and this permission notice shall be

3444

included in all copies or substantial portions of the Software.

3445

3446

<p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,

3447

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

3448

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

3449

NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

3450

BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

3451

ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

3452

CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

3453

SOFTWARE.

3454

</blockquote>

3455

3456

<p><hr>

3457

3458

<p>The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in

3459

<code>src/lib/gssapi</code>, including the following files:

3460

3461

<pre class="smallexample"> lib/gssapi/generic/gssapi_err_generic.et

3462

lib/gssapi/mechglue/g_accept_sec_context.c

3463

lib/gssapi/mechglue/g_acquire_cred.c

3464

lib/gssapi/mechglue/g_canon_name.c

3465

lib/gssapi/mechglue/g_compare_name.c

3466

lib/gssapi/mechglue/g_context_time.c

3467

lib/gssapi/mechglue/g_delete_sec_context.c

3468

lib/gssapi/mechglue/g_dsp_name.c

3469

lib/gssapi/mechglue/g_dsp_status.c

3470

lib/gssapi/mechglue/g_dup_name.c

3471

lib/gssapi/mechglue/g_exp_sec_context.c

3472

lib/gssapi/mechglue/g_export_name.c

3473

lib/gssapi/mechglue/g_glue.c

3474

lib/gssapi/mechglue/g_imp_name.c

3475

lib/gssapi/mechglue/g_imp_sec_context.c

3476

lib/gssapi/mechglue/g_init_sec_context.c

3477

lib/gssapi/mechglue/g_initialize.c

3478

lib/gssapi/mechglue/g_inquire_context.c

3479

lib/gssapi/mechglue/g_inquire_cred.c

3480

lib/gssapi/mechglue/g_inquire_names.c

3481

lib/gssapi/mechglue/g_process_context.c

3482

lib/gssapi/mechglue/g_rel_buffer.c

3483

lib/gssapi/mechglue/g_rel_cred.c

3484

lib/gssapi/mechglue/g_rel_name.c

3485

lib/gssapi/mechglue/g_rel_oid_set.c

3486

lib/gssapi/mechglue/g_seal.c

3487

lib/gssapi/mechglue/g_sign.c

3488

lib/gssapi/mechglue/g_store_cred.c

3489

lib/gssapi/mechglue/g_unseal.c

3490

lib/gssapi/mechglue/g_userok.c

3491

lib/gssapi/mechglue/g_utils.c

3492

lib/gssapi/mechglue/g_verify.c

3493

lib/gssapi/mechglue/gssd_pname_to_uid.c

3494

lib/gssapi/mechglue/mglueP.h

3495

lib/gssapi/mechglue/oid_ops.c

3496

lib/gssapi/spnego/gssapiP_spnego.h

3497

lib/gssapi/spnego/spnego_mech.c

3498

</pre>

3499

<p>and the initial implementation of incremental propagation, including

3500

the following new or changed files:

3501

3502

<pre class="smallexample"> include/iprop_hdr.h

3503

kadmin/server/ipropd_svc.c

3504

lib/kdb/iprop.x

3505

lib/kdb/kdb_convert.c

3506

lib/kdb/kdb_log.c

3507

lib/kdb/kdb_log.h

3508

lib/krb5/error_tables/kdb5_err.et

3509

slave/kpropd_rpc.c

3510

slave/kproplog.c

3511

</pre>

3512

<p>are subject to the following license:

3513

3514

3515

3516

3517

<p>Permission is hereby granted, free of charge, to any person obtaining a

3518

copy of this software and associated documentation files (the

3519

“Software”), to deal in the Software without restriction, including

3520

without limitation the rights to use, copy, modify, merge, publish,

3521

distribute, sublicense, and/or sell copies of the Software, and to

3522

permit persons to whom the Software is furnished to do so, subject to

3523

the following conditions:

3524

3525

<p>The above copyright notice and this permission notice shall be included

3526

in all copies or substantial portions of the Software.

3527

3528

<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS

3529

OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

3530

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.

3531

IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY

3532

CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,

3533

TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE

3534

SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

3535

</blockquote>

3536

3537

<p><hr>

3538

3539

<p>Kerberos V5 includes documentation and software developed at the

3540

University of California at Berkeley, which includes this copyright

3541

notice:

3542

3543

3544

3545

3546

3547

<p>Redistribution and use in source and binary forms, with or without

3548

modification, are permitted provided that the following conditions are

3549

met:

3550

3551

3552

<li>Redistributions of source code must retain the above copyright

3553

notice, this list of conditions and the following disclaimer.

3554

<li>Redistributions in binary form must reproduce the above copyright

3555

notice, this list of conditions and the following disclaimer in the

3556

documentation and/or other materials provided with the distribution.

3557

<li>Neither the name of the University nor the names of its contributors

3558

may be used to endorse or promote products derived from this software

3559

without specific prior written permission.

3560

</ol>

3561

3562

<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND

3563

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

3564

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

3565

ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE

3566

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

3567

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

3568

OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

3569

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

3570

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

3571

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

3572

SUCH DAMAGE.

3573

</blockquote>

3574

3575

<p><hr>

3576

3577

<p>Portions contributed by Novell, Inc., including the LDAP database

3578

backend, are subject to the following license:

3579

3580

3581

3582

3583

3584

<p>Redistribution and use in source and binary forms, with or without

3585

modification, are permitted provided that the following conditions are met:

3586

3587

<ul>

3588

<li>Redistributions of source code must retain the above copyright notice,

3589

this list of conditions and the following disclaimer.

3590

<li>Redistributions in binary form must reproduce the above copyright

3591

notice, this list of conditions and the following disclaimer in the

3592

documentation and/or other materials provided with the distribution.

3593

<li>The copyright holder's name is not used to endorse or promote products

3594

derived from this software without specific prior written permission.

3595

</ul>

3596

3597

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”

3598

AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

3599

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

3600

ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

3601

LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

3602

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

3603

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

3604

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

3605

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

3606

ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

3607

POSSIBILITY OF SUCH DAMAGE.

3608

</blockquote>

3609

3610

<p><hr>

3611

3612

<p>Portions funded by Sandia National Laboratory

3613

and developed by the University of Michigan's

3614

Center for Information Technology Integration,

3615

including the PKINIT implementation, are subject

3616

to the following license:

3617

3618

3619

3620

THE REGENTS OF THE UNIVERSITY OF MICHIGAN<br>

3621

3622

3623

<p>Permission is granted to use, copy, create derivative works

3624

and redistribute this software and such derivative works

3625

for any purpose, so long as the name of The University of

3626

Michigan is not used in any advertising or publicity

3627

pertaining to the use of distribution of this software

3628

without specific, written prior authorization. If the

3629

above copyright notice or any other identification of the

3630

University of Michigan is included in any copy of any

3631

portion of this software, then the disclaimer below must

3632

also be included.

3633

3634

<p>THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION

3635

FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY

3636

PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF

3637

MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING

3638

WITHOUT LIMITATION THE IMPLIED WARRANTIES OF

3639

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE

3640

REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE

3641

FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR

3642

CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING

3643

OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN

3644

IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF

3645

SUCH DAMAGES.

3646

</blockquote>

3647

3648

<p><hr>

3649

3650

<p>The pkcs11.h file included in the PKINIT code has the

3651

following license:

3652

3653

3654

3655

3656

3657

<p>This file is free software; as a special exception the author gives

3658

unlimited permission to copy and/or distribute it, with or without

3659

modifications, as long as this notice is preserved.

3660

3661

<p>This file is distributed in the hope that it will be useful, but

3662

WITHOUT ANY WARRANTY, to the extent permitted by law; without even

3663

the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

3664

PURPOSE.

3665

</blockquote>

3666

3667

<p><hr>

3668

3669

<p>Portions contributed by Apple Inc. are subject to the following license:

3670

3671

3672

3673

3674

3675

Export of this software from the United States of America may require

3676

a specific license from the United States Government. It is the

3677

responsibility of any person or organization contemplating export to

3678

obtain such a license before exporting.

3679

</blockquote>

3680

3681

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and

3682

distribute this software and its documentation for any purpose and

3683

without fee is hereby granted, provided that the above copyright

3684

notice appear in all copies and that both that copyright notice and

3685

this permission notice appear in supporting documentation, and that

3686

the name of Apple Inc. not be used in advertising or publicity pertaining

3687

to distribution of the software without specific, written prior

3688

permission. Apple Inc. makes no representations about the suitability of

3689

this software for any purpose. It is provided “as is” without express

3690

or implied warranty.

3691

3692

<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR

3693

IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED

3694

WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

3695

</blockquote>

3696

3697

<p><hr>

3698

3699

<p>The implementations of UTF-8 string handling in src/util/support and

3700

src/lib/krb5/unicode are subject to the following copyright and

3701

permission notice:

3702

3703

3704

The OpenLDAP Public License<br>

3705

Version 2.8, 17 August 2003

3706

3707

<p>Redistribution and use of this software and associated documentation

3708

(“Software”), with or without modification, are permitted provided

3709

that the following conditions are met:

3710

3711

3712

<li>Redistributions in source form must retain copyright statements

3713

and notices,

3714

<li>Redistributions in binary form must reproduce applicable copyright

3715

statements and notices, this list of conditions, and the following

3716

disclaimer in the documentation and/or other materials provided

3717

with the distribution, and

3718

<li>Redistributions must contain a verbatim copy of this document.

3719

</ol>

3720

3721

<p>The OpenLDAP Foundation may revise this license from time to time.

3722

Each revision is distinguished by a version number. You may use

3723

this Software under terms of this license revision or under the

3724

terms of any subsequent revision of the license.

3725

3726

<p>THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS

3727

CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES,

3728

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

3729

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT

3730

SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)

3731

OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,

3732

INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,

3733

BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

3734

LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

3735

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

3736

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN

3737

ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

3738

POSSIBILITY OF SUCH DAMAGE.

3739

3740

<p>The names of the authors and copyright holders must not be used in

3741

advertising or otherwise to promote the sale, use or other dealing

3742

in this Software without specific, written prior permission. Title

3743

to copyright in this Software shall at all times remain with copyright

3744

holders.

3745

3746

<p>OpenLDAP is a registered trademark of the OpenLDAP Foundation.

3747

3748

3749

3750

distribute verbatim copies of this document is granted.

3751

</blockquote>

3752

3753

<p><hr>

3754

3755

<p>Marked test programs in src/lib/krb5/krb have the following copyright:

3756

3757

3758

3759

(Royal Institute of Technology, Stockholm, Sweden).<br>

3760

3761

3762

<p>Redistribution and use in source and binary forms, with or without

3763

modification, are permitted provided that the following conditions

3764

are met:

3765

3766

3767

<li>Redistributions of source code must retain the above copyright

3768

notice, this list of conditions and the following disclaimer.

3769

<li>Redistributions in binary form must reproduce the above copyright

3770

notice, this list of conditions and the following disclaimer in the

3771

documentation and/or other materials provided with the distribution.

3772

<li>Neither the name of KTH nor the names of its contributors may be

3773

used to endorse or promote products derived from this software without

3774

specific prior written permission.

3775

</ol>

3776

3777

<p>THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS “AS IS” AND ANY

3778

EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

3779

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

3780

PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE

3781

LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

3782

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

3783

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR

3784

BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,

3785

WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR

3786

OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF

3787

ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3788

</blockquote>

3789

3790

<p><hr>

3791

3792

<p>Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc

3793

have the following copyright and permission notice:

3794

3795

3796

3797

3798

3799

3800

<p>Redistribution and use in source and binary forms, with or without

3801

modification, are permitted provided that the following conditions are met:

3802

3803

3804

<li>Redistributions of source code must retain the above copyright

3805

notice, this list of conditions and the following disclaimer.

3806

<li>Redistributions in binary form must reproduce the above copyright

3807

notice, this list of conditions and the following disclaimer in

3808

the documentation and/or other materials provided with the

3809

distribution.

3810

<li>Neither the name of the “Oracle America, Inc.” nor the names of

3811

its contributors may be used to endorse or promote products

3812

derived from this software without specific prior written permission.

3813

</ol>

3814

3815

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS

3816

IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED

3817

TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A

3818

PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

3819

HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

3820

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED

3821

TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR

3822

PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

3823

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

3824

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

3825

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3826

</blockquote>

3827

3828

<p><hr>

3829

3830

3831

3832

3833

3834

<p>Redistribution and use in source and binary forms, with or without

3835

modification, are permitted provided that the following conditions

3836

are met:

3837

3838

3839

<li>Redistributions of source code must retain the above copyright

3840

notice, this list of conditions and the following disclaimer as

3841

the first lines of this file unmodified.

3842

<li>Redistributions in binary form must reproduce the above copyright

3843

notice, this list of conditions and the following disclaimer in the

3844

documentation and/or other materials provided with the distribution.

3845

</ol>

3846

3847

<p>THIS SOFTWARE IS PROVIDED BY NTT “AS IS” AND ANY EXPRESS OR

3848

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

3849

OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

3850

IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,

3851

INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

3852

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

3853

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

3854

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

3855

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

3856

THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

3857

</blockquote>

3858

3859

<p><hr>

3860

3861

3862

3863

3864

3865

3866

<p>Permission to use, copy, modify, and distribute this software and its

3867

documentation for any purpose and without fee is hereby granted,

3868

provided that the above copyright notice appear in all copies and that

3869

both that copyright notice and this permission notice appear in

3870

supporting documentation, and that the name of Carnegie Mellon

3871

University not be used in advertising or publicity pertaining to

3872

distribution of the software without specific, written prior

3873

permission.

3874

3875

<p>CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO

3876

THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND

3877

FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR

3878

ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

3879

WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

3880

ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT

3881

OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

3882

</blockquote>

3883

3884

<p><hr>

3885

3886

3887

3888

3889

<p>Permission to use, copy, modify and distribute this software and its

3890

documentation is hereby granted, provided that both the copyright

3891

notice and this permission notice appear in all copies of the software,

3892

derivative works or modified versions, and any portions thereof.

3893

3894

<p>NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS “AS IS” CONDITION AND

3895

DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER

3896

RESULTING FROM THE USE OF THIS SOFTWARE.

3897

</blockquote>

3898

3899

<p><hr>

3900

3901

<p>Portions extracted from Internet RFCs have the following copyright

3902

notice:

3903

3904

3905

3906

3907

<p>This document is subject to the rights, licenses and restrictions

3908

contained in BCP 78, and except as set forth therein, the authors

3909

retain all their rights.

3910

3911

<p>This document and the information contained herein are provided on an

3912

“AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS

3913

OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET

3914

ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,

3915

INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE

3916

INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED

3917

WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

3918

</blockquote>

3919

3920

<p><hr>

3921

3922

3923

3924

3925

<p>Permission to use, copy, modify, and

3926

distribute this software and its documentation for any purpose and

3927

without fee is hereby granted, provided that the above copyright

3928

notice appear in all copies and that both that copyright notice and

3929

this permission notice appear in supporting documentation.

3930

Cygnus Support makes no representations about the suitability of

3931

this software for any purpose. It is provided “as is” without express

3932

or implied warranty.

3933

</blockquote>

3934

3935

<p><hr>

3936

3937

3938

3939

3940

<p>Permission is hereby granted, free of charge, to any person

3941

obtaining a copy of this software and associated documentation

3942

files (the “Software”), to deal in the Software without

3943

restriction, including without limitation the rights to use, copy,

3944

modify, merge, publish, distribute, sublicense, and/or sell copies

3945

of the Software, and to permit persons to whom the Software is

3946

furnished to do so, subject to the following conditions:

3947

3948

<p>The above copyright notice and this permission notice shall be

3949

included in all copies or substantial portions of the Software.

3950

3951

<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,

3952

EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

3953

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

3954

NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS

3955

BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN

3956

ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN

3957

CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

3958

SOFTWARE.

3959

</blockquote>

3960

3961

<p><hr>

3962

3963

<p>Portions of the implementation of the Fortuna-like PRNG are subject to

3964

the following notice:

3965

3966

3967

3968

3969

3970

<p>Redistribution and use in source and binary forms, with or without

3971

modification, are permitted provided that the following conditions

3972

are met:

3973

3974

3975

<li>Redistributions of source code must retain the above copyright

3976

notice, this list of conditions and the following disclaimer.

3977

<li>Redistributions in binary form must reproduce the above copyright

3978

notice, this list of conditions and the following disclaimer in the

3979

documentation and/or other materials provided with the distribution.

3980

</ol>

3981

3982

<p>THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS “AS IS” AND

3983

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

3984

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

3985

ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

3986

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

3987

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

3988

OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

3989

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

3990

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

3991

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

3992

SUCH DAMAGE.

3993

</blockquote>

3994

3995

3996

3997

3998

3999

EXPORT OF THIS SOFTWARE from the United States of America may

4000

require a specific license from the United States Government.

4001

It is the responsibility of any person or organization contemplating

4002

export to obtain such a license before exporting.

4003

</blockquote>

4004

4005

<p>WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute

4006

this software and its documentation in source and binary forms is

4007

hereby granted, provided that any documentation or other materials

4008

related to such distribution or use acknowledge that the software

4009

was developed by the University of Southern California.

4010

4011

<p>DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED “AS IS”. The

4012

University of Southern California MAKES NO REPRESENTATIONS OR

4013

WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not

4014

limitation, the University of Southern California MAKES NO

4015

REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY

4016

PARTICULAR PURPOSE. The University of Southern

4017

California shall not be held liable for any liability nor for any

4018

direct, indirect, or consequential damages with respect to any

4019

claim by the user or distributor of the ksu software.

4020

</blockquote>

4021

4022

<p><hr>

4023

4024

4025

4026

The President and Fellows of Harvard University

4027

4028

<p>This code is derived from software contributed to Harvard by

4029

Jeremy Rassen.

4030

4031

<p>Redistribution and use in source and binary forms, with or without

4032

modification, are permitted provided that the following conditions

4033

are met:

4034

4035

4036

<li>Redistributions of source code must retain the above copyright

4037

notice, this list of conditions and the following disclaimer.

4038

<li>Redistributions in binary form must reproduce the above copyright

4039

notice, this list of conditions and the following disclaimer in the

4040

documentation and/or other materials provided with the distribution.

4041

<li>All advertising materials mentioning features or use of this software

4042

must display the following acknowledgement:

4043

4044

This product includes software developed by the University of

4045

California, Berkeley and its contributors.

4046

</blockquote>

4047

<li>Neither the name of the University nor the names of its contributors

4048

may be used to endorse or promote products derived from this software

4049

without specific prior written permission.

4050

</ol>

4051

4052

<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND

4053

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

4054

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

4055

ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE

4056

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

4057

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

4058

OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

4059

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

4060

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

4061

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

4062

SUCH DAMAGE.

4063

</blockquote>

4064

4065

<p><hr>

4066

4067

4068

4069

4070

4071

4072

4073

Export of this software from the United States of America may

4074

require a specific license from the United States Government.

4075

It is the responsibility of any person or organization contemplating

4076

export to obtain such a license before exporting.

4077

</blockquote>

4078

4079

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and

4080

distribute this software and its documentation for any purpose and

4081

without fee is hereby granted, provided that the above copyright

4082

notice appear in all copies and that both that copyright notice and

4083

this permission notice appear in supporting documentation, and that

4084

the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used

4085

in advertising or publicity pertaining to distribution of the software

4086

without specific, written prior permission. Richard P. Basch,

4087

Lehman Brothers and M.I.T. make no representations about the suitability

4088

of this software for any purpose. It is provided “as is” without

4089

express or implied warranty.

4090

</blockquote>

4091

4092

<p><hr>

4093

4094

<p>The following notice applies to <code>src/lib/krb5/krb/strptime.c</code>:

4095

4096

4097

4098

4099

4100

<p>This code was contributed to The NetBSD Foundation by Klaus Klein.

4101

4102

<p>Redistribution and use in source and binary forms, with or without

4103

modification, are permitted provided that the following conditions

4104

are met:

4105

4106

4107

<li>Redistributions of source code must retain the above copyright

4108

notice, this list of conditions and the following disclaimer.

4109

<li>Redistributions in binary form must reproduce the above copyright

4110

notice, this list of conditions and the following disclaimer in the

4111

documentation and/or other materials provided with the distribution.

4112

<li>All advertising materials mentioning features or use of this software

4113

must display the following acknowledgement:

4114

4115

This product includes software developed by the NetBSD

4116

Foundation, Inc. and its contributors.

4117

</blockquote>

4118

<li>Neither the name of The NetBSD Foundation nor the names of its

4119

contributors may be used to endorse or promote products derived

4120

from this software without specific prior written permission.

4121

</ol>

4122

4123

<p>THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS

4124

“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED

4125

TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

4126

PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS

4127

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

4128

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

4129

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

4130

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

4131

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

4132

ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

4133

POSSIBILITY OF SUCH DAMAGE.

4134

</blockquote>

4135

4136

<p><hr>

4137

4138

<p>The following notice applies to Unicode library files in

4139

<code>src/lib/krb5/unicode</code>:

4140

4141

4142

4143

New Mexico State University

4144

4145

<p>Permission is hereby granted, free of charge, to any person obtaining a

4146

copy of this software and associated documentation files (the “Software”),

4147

to deal in the Software without restriction, including without limitation

4148

the rights to use, copy, modify, merge, publish, distribute, sublicense,

4149

and/or sell copies of the Software, and to permit persons to whom the

4150

Software is furnished to do so, subject to the following conditions:

4151

4152

<p>The above copyright notice and this permission notice shall be included in

4153

all copies or substantial portions of the Software.

4154

4155

<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

4156

IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

4157

FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL

4158

THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY

4159

CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT

4160

OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR

4161

THE USE OR OTHER DEALINGS IN THE SOFTWARE.

4162

</blockquote>

4163

4164

<p><hr>

4165

4166

<p>The following notice applies to <code>src/util/support/strlcpy.c</code>:

4167

4168

4169

4170

4171

<p>Permission to use, copy, modify, and distribute this software for any

4172

purpose with or without fee is hereby granted, provided that the above

4173

copyright notice and this permission notice appear in all copies.

4174

4175

<p>THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES

4176

WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

4177

MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

4178

ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

4179

WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

4180

ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

4181

OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

4182

</blockquote>

4183

4184

<p><hr>

4185

4186

<p>The following notice applies to <code>src/util/profile/argv_parse.c</code> and

4187

<code>src/util/profile/argv_parse.h</code>:

4188

4189

4190

4191

4192

<p>Permission to use, copy, modify, and distribute this software for

4193

any purpose with or without fee is hereby granted, provided that

4194

the above copyright notice and this permission notice appear in all

4195

copies. THE SOFTWARE IS PROVIDED “AS IS” AND THEODORE TS'O (THE

4196

AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,

4197

INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.

4198

IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,

4199

INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER

4200

RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

4201

OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR

4202

IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn't

4203

it sick that the U.S. culture of lawsuit-happy lawyers requires

4204

this kind of disclaimer?)

4205

</blockquote>

4206

4207

<p><hr>

4208

4209

<p>The following notice applies to SWIG-generated code in

4210

<code>src/util/profile/profile_tcl.c</code>:

4211

4212

4213

4214

4215

<p>This file may be freely redistributed without license or fee provided

4216

this copyright message remains intact.

4217

</blockquote>

4218

4219

<p><hr>

4220

4221

<p>The following notice applies to portiions of <code>src/lib/rpc</code> and

4222

<code>src/include/gssrpc</code>:

4223

4224

4225

4226

4227

4228

4229

4230

4231

<p>Redistribution and use in source and binary forms, with or without

4232

modification, are permitted provided that the following conditions

4233

are met:

4234

4235

4236

<li>Redistributions of source code must retain the above copyright

4237

notice, this list of conditions and the following disclaimer.

4238

<li>Redistributions in binary form must reproduce the above copyright

4239

notice, this list of conditions and the following disclaimer in the

4240

documentation and/or other materials provided with the distribution.

4241

<li>Neither the name of the University nor the names of its

4242

contributors may be used to endorse or promote products derived

4243

from this software without specific prior written permission.

4244

</ol>

4245

4246

<p>THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED

4247

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

4248

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

4249

DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE

4250

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

4251

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

4252

SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR

4253

BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

4254

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING

4255

NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

4256

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

4257

</blockquote>

4258

4259

<p><hr>

4260

4261

<p>Implementations of the MD4 algorithm are subject to the following

4262

notice:

4263

4264

4265

4266

4267

<p>License to copy and use this software is granted provided that

4268

it is identified as the “RSA Data Security, Inc. MD4 Message

4269

Digest Algorithm” in all material mentioning or referencing this

4270

software or this function.

4271

4272

<p>License is also granted to make and use derivative works

4273

provided that such works are identified as “derived from the RSA

4274

Data Security, Inc. MD4 Message Digest Algorithm” in all

4275

material mentioning or referencing the derived work.

4276

4277

<p>RSA Data Security, Inc. makes no representations concerning

4278

either the merchantability of this software or the suitability

4279

of this software for any particular purpose. It is provided “as

4280

is” without express or implied warranty of any kind.

4281

4282

<p>These notices must be retained in any copies of any part of this

4283

documentation and/or software.

4284

</blockquote>

4285

4286

<p><hr>

4287

4288

<p>Implementations of the MD5 algorithm are subject to the following

4289

notice:

4290

4291

4292

4293

4294

<p>License to copy and use this software is granted provided that

4295

it is identified as the “RSA Data Security, Inc. MD5 Message-

4296

Digest Algorithm” in all material mentioning or referencing this

4297

software or this function.

4298

4299

<p>License is also granted to make and use derivative works

4300

provided that such works are identified as “derived from the RSA

4301

Data Security, Inc. MD5 Message-Digest Algorithm” in all

4302

material mentioning or referencing the derived work.

4303

4304

<p>RSA Data Security, Inc. makes no representations concerning

4305

either the merchantability of this software or the suitability

4306

of this software for any particular purpose. It is provided “as

4307

is” without express or implied warranty of any kind.

4308

4309

<p>These notices must be retained in any copies of any part of this

4310

documentation and/or software.

4311

</blockquote>

4312

4313

<p><hr>

4314

4315

<p>The following notice applies to <code>src/lib/crypto/crypto_tests/t_mddriver.c</code>:

4316

4317

4318

4319

rights reserved.

4320

4321

<p>RSA Data Security, Inc. makes no representations concerning either

4322

the merchantability of this software or the suitability of this

4323

software for any particular purpose. It is provided “as is”

4324

without express or implied warranty of any kind.

4325

4326

<p>These notices must be retained in any copies of any part of this

4327

documentation and/or software.

4328

</blockquote>

4329

4330

<p><hr>

4331

4332

<p>Portions of <code>src/lib/krb5</code> are subject to the following notice:

4333

4334

4335

4336

4337

4338

4339

4340

Export of this software from the United States of America may

4341

require a specific license from the United States Government.

4342

It is the responsibility of any person or organization contemplating

4343

export to obtain such a license before exporting.

4344

</blockquote>

4345

4346

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and

4347

distribute this software and its documentation for any purpose and

4348

without fee is hereby granted, provided that the above copyright

4349

notice appear in all copies and that both that copyright notice and

4350

this permission notice appear in supporting documentation, and that

4351

the name of M.I.T. not be used in advertising or publicity pertaining

4352

to distribution of the software without specific, written prior

4353

permission. Furthermore if you modify this software you must label

4354

your software as modified software and not distribute it in such a

4355

fashion that it might be confused with the original M.I.T. software.

4356

Neither M.I.T., the Open Computing Security Group, nor

4357

CyberSAFE Corporation make any representations about the suitability of

4358

this software for any purpose. It is provided “as is” without express

4359

or implied warranty.

4360

</blockquote>

4361

4362

<p><hr>

4363

4364

<p>Portions contributed by PADL Software are subject to the following

4365

license:

4366

4367

4368

4369

4370

4371

<p>Redistribution and use in source and binary forms, with or without

4372

modification, are permitted provided that the following conditions

4373

are met:

4374

4375

<p>1. Redistributions of source code must retain the above copyright

4376

notice, this list of conditions and the following disclaimer.

4377

4378

<p>2. Redistributions in binary form must reproduce the above copyright

4379

notice, this list of conditions and the following disclaimer in the

4380

documentation and/or other materials provided with the distribution.

4381

4382

<p>3. Neither the name of PADL Software nor the names of its contributors

4383

may be used to endorse or promote products derived from this software

4384

without specific prior written permission.

4385

4386

<p>THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS “AS IS” AND

4387

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

4388

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

4389

ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE

4390

FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

4391

DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

4392

OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

4393

HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

4394

LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

4395

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

4396

SUCH DAMAGE.

4397

</blockquote>

4398

4399

<p><hr>

4400

4401

<p>The bundled libev source code is subject to the following license:

4402

4403

4404

4405

4406

<p>Redistribution and use in source and binary forms, with or without

4407

modification, are permitted provided that the following conditions are

4408

met:

4409

4410

<ul>

4411

<li>Redistributions of source code must retain the above copyright

4412

notice, this list of conditions and the following disclaimer.

4413

<li>Redistributions in binary form must reproduce the above

4414

copyright notice, this list of conditions and the following

4415

disclaimer in the documentation and/or other materials provided

4416

with the distribution.

4417

</ul>

4418

4419

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

4420

"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

4421

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

4422

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT

4423

OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

4424

SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT

4425

LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

4426

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

4427

THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

4428

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE

4429

OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

4430

4431

<p>Alternatively, the contents of this package may be used under the terms

4432

of the GNU General Public License ("GPL") version 2 or any later version,

4433

in which case the provisions of the GPL are applicable instead of the

4434

above. If you wish to allow the use of your version of this package only

4435

under the terms of the GPL and not to allow others to use your version of

4436

this file under the BSD license, indicate your decision by deleting the

4437

provisions above and replace them with the notice and other provisions

4438

required by the GPL in this and the other files of this package. If you do

4439

not delete the provisions above, a recipient may use your version of this

4440

file under either the BSD or the GPL.

4441

</blockquote>

4442

4443

4444

<h2>Table of Contents</h2>

4445

<ul>

4446

<li><a name="toc_Introduction" href="#Introduction">1 Introduction</a>

4447

<ul>

4448

<li><a href="#What-is-Kerberos-and-How-Does-it-Work_003f">1.1 What is Kerberos and How Does it Work?</a>

4449

<li><a href="#Why-Should-I-use-Kerberos_003f">1.2 Why Should I use Kerberos?</a>

4450

<li><a href="#Please-Read-the-Documentation">1.3 Please Read the Documentation</a>

4451

<li><a href="#Overview-of-This-Guide">1.4 Overview of This Guide</a>

4452

</li></ul>

4453

<li><a name="toc_Realm-Configuration-Decisions" href="#Realm-Configuration-Decisions">2 Realm Configuration Decisions</a>

4454

<ul>

4455

<li><a href="#Kerberos-Realms">2.1 Kerberos Realms</a>

4456

<li><a href="#Mapping-Hostnames-onto-Kerberos-Realms">2.2 Mapping Hostnames onto Kerberos Realms</a>

4457

<li><a href="#Ports-for-the-KDC-and-Admin-Services">2.3 Ports for the KDC and Admin Services</a>

4458

<li><a href="#Slave-KDCs">2.4 Slave KDCs</a>

4459

<li><a href="#Hostnames-for-the-Master-and-Slave-KDCs">2.5 Hostnames for the Master and Slave KDCs</a>

4460

<li><a href="#Database-Propagation">2.6 Database Propagation</a>

4461

</li></ul>

4462

<li><a name="toc_Building-Kerberos-V5" href="#Building-Kerberos-V5">3 Building Kerberos V5</a>

4463

<ul>

4464

<li><a href="#Organization-of-the-Source-Directory">3.1 Organization of the Source Directory</a>

4465

<ul>

4466

<li><a href="#The-appl-Directory">3.1.1 The appl Directory</a>

4467

<li><a href="#The-clients-Directory">3.1.2 The clients Directory</a>

4468

<li><a href="#The-gen_002dmanpages-Directory">3.1.3 The gen-manpages Directory</a>

4469

<li><a href="#The-include-Directory">3.1.4 The include Directory</a>

4470

<li><a href="#The-kadmin-Directory">3.1.5 The kadmin Directory</a>

4471

<li><a href="#The-kdc-Directory">3.1.6 The kdc Directory</a>

4472

<li><a href="#The-krb524-Directory">3.1.7 The krb524 Directory</a>

4473

<li><a href="#The-lib-Directory">3.1.8 The lib Directory</a>

4474

<li><a href="#The-prototype-Directory">3.1.9 The prototype Directory</a>

4475

<li><a href="#The-slave-Directory">3.1.10 The slave Directory</a>

4476

<li><a href="#The-util-Directory">3.1.11 The util Directory</a>

4477

</li></ul>

4478

<li><a href="#Build-Requirements">3.2 Build Requirements</a>

4479

<li><a href="#Unpacking-the-Sources">3.3 Unpacking the Sources</a>

4480

<li><a href="#Doing-the-Build">3.4 Doing the Build</a>

4481

<ul>

4482

<li><a href="#Building-Within-a-Single-Tree">3.4.1 Building Within a Single Tree</a>

4483

<li><a href="#Building-with-Separate-Build-Directories">3.4.2 Building with Separate Build Directories</a>

4484

<li><a href="#Building-using-lndir">3.4.3 Building Using ‘<samp><span class="samp">lndir</span></samp>’</a>

4485

</li></ul>

4486

<li><a href="#Installing-the-Binaries">3.5 Installing the Binaries</a>

4487

<li><a href="#Testing-the-Build">3.6 Testing the Build</a>

4488

<ul>

4489

<li><a href="#The-DejaGnu-Tests">3.6.1 The DejaGnu Tests</a>

4490

<li><a href="#The-KADM5-Tests">3.6.2 The KADM5 Tests</a>

4491

</li></ul>

4492

<li><a href="#Options-to-Configure">3.7 Options to Configure</a>

4493

<li><a href="#osconf_002eh">3.8 <samp><span class="file">osconf.h</span></samp></a>

4494

<li><a href="#Shared-Library-Support">3.9 Shared Library Support</a>

4495

<li><a href="#OS-Incompatibilities">3.10 Operating System Incompatibilities</a>

4496

<ul>

4497

4498

<li><a href="#Alpha-OSF_002f1-V1_002e3">3.10.2 Alpha OSF/1 V1.3</a>

4499

<li><a href="#Alpha-OSF_002f1-V2_002e0">3.10.3 Alpha OSF/1 V2.0</a>

4500

<li><a href="#Alpha-OSF_002f1-V4_002e0">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</a>

4501

4502

4503

<li><a href="#Solaris-versions-2_002e0-through-2_002e3">3.10.7 Solaris versions 2.0 through 2.3</a>

4504

<li><a href="#Solaris-2_002eX">3.10.8 Solaris 2.X</a>

4505

<li><a href="#Solaris-9">3.10.9 Solaris 9</a>

4506

4507

<li><a href="#Ultrix-4_002e2_002f3">3.10.11 Ultrix 4.2/3</a>

4508

</li></ul>

4509

<li><a href="#Using-Autoconf">3.11 Using ‘<samp><span class="samp">Autoconf</span></samp>’</a>

4510

</li></ul>

4511

<li><a name="toc_Installing-Kerberos-V5" href="#Installing-Kerberos-V5">4 Installing Kerberos V5</a>

4512

<ul>

4513

<li><a href="#Installing-KDCs">4.1 Installing KDCs</a>

4514

<ul>

4515

<li><a href="#Install-the-Master-KDC">4.1.1 Install the Master KDC</a>

4516

<ul>

4517

<li><a href="#Edit-the-Configuration-Files">4.1.1.1 Edit the Configuration Files</a>

4518

4519

4520

<li><a href="#Create-the-Database">4.1.1.4 Create the Database</a>

4521

<li><a href="#Add-Administrators-to-the-Acl-File">4.1.1.5 Add Administrators to the Acl File</a>

4522

<li><a href="#Add-Administrators-to-the-Kerberos-Database">4.1.1.6 Add Administrators to the Kerberos Database</a>

4523

<li><a href="#Create-a-kadmind-Keytab-_0028optional_0029">4.1.1.7 Create a kadmind Keytab (optional)</a>

4524

<li><a href="#Start-the-Kerberos-Daemons">4.1.1.8 Start the Kerberos Daemons on the Master KDC</a>

4525

</li></ul>

4526

<li><a href="#Install-the-Slave-KDCs">4.1.2 Install the Slave KDCs</a>

4527

<ul>

4528

<li><a href="#Create-Host-Keys-for-the-Slave-KDCs">4.1.2.1 Create Host Keys for the Slave KDCs</a>

4529

<li><a href="#Extract-Host-Keytabs-for-the-KDCs">4.1.2.2 Extract Host Keytabs for the KDCs</a>

4530

<li><a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">4.1.2.3 Set Up the Slave KDCs for Database Propagation</a>

4531

</li></ul>

4532

<li><a href="#Back-on-the-Master-KDC">4.1.3 Back on the Master KDC</a>

4533

<ul>

4534

<li><a href="#Propagate-the-Database-to-Each-Slave-KDC">4.1.3.1 Propagate the Database to Each Slave KDC</a>

4535

</li></ul>

4536

<li><a href="#Finish-Installing-the-Slave-KDCs">4.1.4 Finish Installing the Slave KDCs</a>

4537

<ul>

4538

<li><a href="#Create-Stash-Files-on-the-Slave-KDCs">4.1.4.1 Create Stash Files on the Slave KDCs</a>

4539

<li><a href="#Start-the-krb5kdc-Daemon-on-Each-KDC">4.1.4.2 Start the krb5kdc Daemon on Each KDC</a>

4540

</li></ul>

4541

<li><a href="#Add-Kerberos-Principals-to-the-Database">4.1.5 Add Kerberos Principals to the Database</a>

4542

<li><a href="#Limit-Access-to-the-KDCs">4.1.6 Limit Access to the KDCs</a>

4543

<li><a href="#Switching-Master-and-Slave-KDCs">4.1.7 Switching Master and Slave KDCs</a>

4544

<li><a href="#Incremental-Database-Propagation">4.1.8 Incremental Database Propagation</a>

4545

<ul>

4546

<li><a href="#Sun_002fMIT-Incremental-Propagation-Differences">4.1.8.1 Sun/MIT Incremental Propagation Differences</a>

4547

</li></ul>

4548

</li></ul>

4549

<li><a href="#Installing-and-Configuring-UNIX-Client-Machines">4.2 Installing and Configuring UNIX Client Machines</a>

4550

<ul>

4551

<li><a href="#Client-Programs">4.2.1 Client Programs</a>

4552

<li><a href="#Client-Machine-Configuration-Files">4.2.2 Client Machine Configuration Files</a>

4553

<ul>

4554

<li><a href="#Mac-OS-X-Configuration">4.2.2.1 Mac OS X Configuration</a>

4555

</li></ul>

4556

</li></ul>

4557

<li><a href="#UNIX-Application-Servers">4.3 UNIX Application Servers</a>

4558

<ul>

4559

<li><a href="#The-Keytab-File">4.3.1 The Keytab File</a>

4560

<li><a href="#Some-Advice-about-Secure-Hosts">4.3.2 Some Advice about Secure Hosts</a>

4561

</li></ul>

4562

</li></ul>

4563

<li><a name="toc_Upgrading-Existing-Kerberos-V5-Installations" href="#Upgrading-Existing-Kerberos-V5-Installations">5 Upgrading Existing Kerberos V5 Installations</a>

4564

<ul>

4565

<li><a href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">5.1 Upgrading to Triple-DES Encryption Keys</a>

4566

</li></ul>

4567

<li><a name="toc_Bug-Reports-for-Kerberos-V5" href="#Bug-Reports-for-Kerberos-V5">6 Bug Reports for Kerberos V5</a>

4568

<li><a name="toc_Copyright" href="#Copyright">Appendix A Copyright</a>

4569

</li></ul>

4570

</div>

4571

4572

4573

<hr>

4574

<a name="texinfo-footnotes-in-document"></a><h4>Footnotes</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Kerberos V4 used port 750. If

4575

necessary, you can run on both ports for backward compatibility.</p>

4576

4577

4578

4579

</body></html>

4580

4581

<!--

4582

4583

Local Variables:

4584

coding: utf-8

4585

End:

4586

4587

-->