<title>Kerberos V5 Installation Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Kerberos V5 Installation Guide">
<meta name="generator" content="makeinfo 4.7">
<link title="Top" rel="top" href="#Top">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
pre.display { font-family:inherit }
pre.format { font-family:inherit }
pre.smalldisplay { font-family:inherit; font-size:smaller }
pre.smallformat { font-family:inherit; font-size:smaller }
pre.smallexample { font-size:smaller }
pre.smalllisp { font-size:smaller }
span.sc { font-variant:small-caps }
span.roman { font-family: serif; font-weight: normal; }
--></style>
<h1 class="settitle">Kerberos V5 Installation Guide</h1>
<a name="Top"></a>Next: <a rel="next" accesskey="n" href="#Copyright">Copyright</a>,
Previous: <a rel="previous" accesskey="p" href="#dir">(dir)</a>,
Up: <a rel="up" accesskey="u" href="#dir">(dir)</a>
<li><a accesskey="1" href="#Copyright">Copyright</a>
<li><a accesskey="2" href="#Introduction">Introduction</a>
<li><a accesskey="3" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<li><a accesskey="4" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<li><a accesskey="5" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
<li><a accesskey="6" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>
<li><a accesskey="7" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>
<a name="Copyright"></a>Next: <a rel="next" accesskey="n" href="#Introduction">Introduction</a>,
Previous: <a rel="previous" accesskey="p" href="#Top">Top</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="unnumbered">Copyright</h2>
<p>Copyright © 1985-2009 by the Massachusetts Institute of Technology.
Export of software employing encryption from the United States of
America may require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. Furthermore if you
modify this software you must label your software as modified software
and not distribute it in such a fashion that it might be confused with
the original MIT software. M.I.T. makes no representations about the
suitability of this software for any purpose. It is provided “as is”
without express or implied warranty.
<p>Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.
<p>Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.
<p>“Commercial use” means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
<p>The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in
<code>kadmin/create</code>, <code>kadmin/dbutil</code>, <code>kadmin/passwd</code>,
<code>kadmin/server</code>, <code>lib/kadm5</code>, and portions of
<code>lib/rpc</code>:
Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
<p>WARNING: Retrieving the OpenVision Kerberos Administration system source
code, as described below, indicates your acceptance of the following
terms. If you do not agree to the following terms, do not retrieve the
OpenVision Kerberos administration system.
<p>You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source Code is
provided to you “AS IS” EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT
LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED.
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,
LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR
FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS
AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE
OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR
<p>OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
<p>OpenVision Technologies, Inc. has donated this Kerberos Administration
system to MIT for inclusion in the standard Kerberos 5 distribution.
This donation underscores our commitment to continuing Kerberos
technology development and our gratitude for the valuable work which has
been performed by MIT and the Kerberos community.
Portions contributed by Matt Crawford <code>&lt;crawdad@fnal.gov&gt;</code> were work
performed at Fermi National Accelerator Laboratory, which is operated
by Universities Research Association, Inc., under contract
DE-AC02-76CHO3000 with the U.S. Department of Energy.
<p>Portions of <code>src/lib/crypto</code> have the following copyright:
Copyright © 1998 by the FundsXpress, INC.
<p>All rights reserved.
<p>Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of FundsXpress. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. FundsXpress makes no representations about the suitability of
this software for any purpose. It is provided “as is” without express
<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
<p>The implementation of the Yarrow pseudo-random number generator
in <code>src/lib/crypto/yarrow</code> has the following copyright:
Copyright 2000 by Zero-Knowledge Systems, Inc.
<p>Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission. Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose. It is
provided “as is” without express or implied warranty.
<p>ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
<p>The implementation of the AES encryption algorithm in
<code>src/lib/crypto/aes</code> has the following copyright:
Copyright © 2001, Dr Brian Gladman <code>&lt;brg@gladman.uk.net&gt;</code>,
<p>The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:
<li>distributions of this source code include the above copyright
notice, this list of conditions and the following disclaimer;
<li>distributions in binary form include the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other associated materials;
<li>the copyright holder's name is not used to endorse products
built using this software without specific written permission.
<p>This software is provided 'as is' with no explcit or implied warranties
in respect of any properties, including, but not limited to, correctness
and fitness for purpose.
<p>Portions contributed by Red Hat, including the pre-authentication
plug-in framework, contain the following copyright:
Copyright © 2006 Red Hat, Inc.<br>
Portions copyright © 2006 Massachusetts Institute of Technology<br>
All Rights Reserved.<br>
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>Neither the name of Red Hat, Inc., nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS
IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
<code>src/lib/gssapi</code>, including the following files:
<pre class="smallexample"> lib/gssapi/generic/gssapi_err_generic.et
 lib/gssapi/mechglue/g_accept_sec_context.c
 lib/gssapi/mechglue/g_acquire_cred.c
 lib/gssapi/mechglue/g_canon_name.c
 lib/gssapi/mechglue/g_compare_name.c
 lib/gssapi/mechglue/g_context_time.c
 lib/gssapi/mechglue/g_delete_sec_context.c
 lib/gssapi/mechglue/g_dsp_name.c
 lib/gssapi/mechglue/g_dsp_status.c
 lib/gssapi/mechglue/g_dup_name.c
 lib/gssapi/mechglue/g_exp_sec_context.c
 lib/gssapi/mechglue/g_export_name.c
 lib/gssapi/mechglue/g_glue.c
 lib/gssapi/mechglue/g_imp_name.c
 lib/gssapi/mechglue/g_imp_sec_context.c
 lib/gssapi/mechglue/g_init_sec_context.c
 lib/gssapi/mechglue/g_initialize.c
 lib/gssapi/mechglue/g_inquire_context.c
 lib/gssapi/mechglue/g_inquire_cred.c
 lib/gssapi/mechglue/g_inquire_names.c
 lib/gssapi/mechglue/g_process_context.c
 lib/gssapi/mechglue/g_rel_buffer.c
 lib/gssapi/mechglue/g_rel_cred.c
 lib/gssapi/mechglue/g_rel_name.c
 lib/gssapi/mechglue/g_rel_oid_set.c
 lib/gssapi/mechglue/g_seal.c
 lib/gssapi/mechglue/g_sign.c
 lib/gssapi/mechglue/g_store_cred.c
 lib/gssapi/mechglue/g_unseal.c
 lib/gssapi/mechglue/g_userok.c
 lib/gssapi/mechglue/g_utils.c
 lib/gssapi/mechglue/g_verify.c
 lib/gssapi/mechglue/gssd_pname_to_uid.c
 lib/gssapi/mechglue/mglueP.h
 lib/gssapi/mechglue/oid_ops.c
 lib/gssapi/spnego/gssapiP_spnego.h
 lib/gssapi/spnego/spnego_mech.c
</pre>
<p>and the initial implementation of incremental propagation, including
the following new or changed files:
<pre class="smallexample"> include/iprop_hdr.h
 kadmin/server/ipropd_svc.c
 lib/kdb/kdb_convert.c
 lib/krb5/error_tables/kdb5_err.et
</pre>
<p>and marked portions of the following files:
<pre class="smallexample"> lib/krb5/os/hst_realm.c
</pre>
<p>are subject to the following license:
Copyright © 2004 Sun Microsystems, Inc.
<p>Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
“Software”), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
<p>The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
<p>Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
Copyright © 1983 Regents of the University of California.<br>
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
<p>Portions contributed by Novell, Inc., including the LDAP database
backend, are subject to the following license:
Copyright © 2004-2005, Novell, Inc.
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
<li>Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<li>The copyright holder's name is not used to endorse or promote products
derived from this software without specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS”
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
<p>Portions funded by Sandia National Laboratory
and developed by the University of Michigan's
Center for Information Technology Integration,
including the PKINIT implementation, are subject
to the following license:
<p>COPYRIGHT © 2006-2007<br>
THE REGENTS OF THE UNIVERSITY OF MICHIGAN<br>
<p>Permission is granted to use, copy, create derivative works
and redistribute this software and such derivative works
for any purpose, so long as the name of The University of
Michigan is not used in any advertising or publicity
pertaining to the use of distribution of this software
without specific, written prior authorization. If the
above copyright notice or any other identification of the
University of Michigan is included in any copy of any
portion of this software, then the disclaimer below must
<p>THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
<p>The pkcs11.h file included in the PKINIT code has the
<p>Copyright 2006 g10 Code GmbH
Copyright 2006 Andreas Jellinghaus
<p>This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.
<p>This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
<p>Portions contributed by Apple Inc. are subject to the following license:
<p>Copyright 2004-2008 Apple Inc. All Rights Reserved.
<p>Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.
<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Apple Inc. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Apple Inc. makes no representations about the suitability of
this software for any purpose. It is provided "as is" without express
<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
<p>The implementations of strlcpy and strlcat in
src/util/support/strlcat.c have the following copyright and permission
<p>Copyright © 1998 Todd C. Miller &lt;Todd.Miller@courtesan.com&gt;
<p>Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
<p>THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
<p>The implementations of UTF-8 string handling in src/util/support and
src/lib/krb5/unicode are subject to the following copyright and
<p>The OpenLDAP Public License
Version 2.8, 17 August 2003
<p>Redistribution and use of this software and associated documentation
("Software"), with or without modification, are permitted provided
that the following conditions are met:
<p>1. Redistributions in source form must retain copyright statements
<p>2. Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following
disclaimer in the documentation and/or other materials provided
with the distribution, and
<p>3. Redistributions must contain a verbatim copy of this document.
<p>The OpenLDAP Foundation may revise this license from time to time.
Each revision is distinguished by a version number. You may use
this Software under terms of this license revision or under the
terms of any subsequent revision of the license.
<p>THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
<p>The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing
in this Software without specific, written prior permission. Title
to copyright in this Software shall at all times remain with copyright
<p>OpenLDAP is a registered trademark of the OpenLDAP Foundation.
<p>Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.
<p>Marked test programs in src/lib/krb5/krb have the following copyright:
<p>Copyright © 2006 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
<p>1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
<p>2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
<p>3. Neither the name of KTH nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
<p>THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS “AS IS” AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
<p>Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notices and this permission notice are
preserved on all copies.
<p>Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
<p>Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.
<a name="Introduction"></a>Next: <a rel="next" accesskey="n" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Previous: <a rel="previous" accesskey="p" href="#Copyright">Copyright</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">1 Introduction</h2>
<li><a accesskey="1" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>
<li><a accesskey="2" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>
<li><a accesskey="3" href="#Please-Read-the-Documentation">Please Read the Documentation</a>
<li><a accesskey="4" href="#Overview-of-This-Guide">Overview of This Guide</a>
<a name="What-is-Kerberos-and-How-Does-it-Work_003f"></a>Next: <a rel="next" accesskey="n" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
<h3 class="section">1.1 What is Kerberos and How Does it Work?</h3>
<p>Kerberos V5 is based on the Kerberos authentication system developed
at MIT. Under Kerberos, a client (generally either a user or a service)
sends a request for a ticket to the Key Distribution Center (KDC). The
KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client,
encrypts it using the client's password as the key, and sends the
encrypted TGT back to the client. The client then attempts to decrypt
the TGT, using its password. If the client successfully decrypts the
TGT (<i>i.e.</i>, if the client gave the correct password), it keeps the
decrypted TGT, which indicates proof of the client's identity.
<p>The TGT, which expires at a specified time, permits the client to obtain
additional tickets, which give permission for specific services. The
requesting and granting of these additional tickets is user-transparent.
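<p>The exchange just described, as an added example that is not part of this guide or of the MIT distribution: a toy KDC derives the client's long-term key from its password (salted with the realm and principal name, as Kerberos does), encrypts a TGT with an expiry time under that key, and the client proves it knows the password by decrypting it. The key derivation and the cipher are simplified stand-ins for a real Kerberos enctype so the code runs on the standard library alone; <code>EXAMPLE.COM</code>, <code>alice</code> and the ten-hour lifetime are constructed values.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

LIFETIME = 10 * 60 * 60  # TGT lifetime in seconds (assumed: ten hours)


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    """Derive the client's long-term key from its password.

    Kerberos salts the derivation with realm and principal name, so two
    users with the same password do not share a key. PBKDF2-HMAC-SHA256
    stands in for the real string-to-key function of an enctype.
    """
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _subkeys(key: bytes) -> tuple:
    """Separate encryption and integrity keys, as RFC 3961 enctypes do."""
    ke = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    ki = hmac.new(key, b"integrity", hashlib.sha256).digest()
    return ke, ki


def _keystream(ke: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (toy cipher, not a real enctype)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ke, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    ke, ki = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    tag = hmac.new(ki, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong and the integrity check fails.

    That check is what makes a wrong password detectable; the real library
    reports the same condition as "Decrypt integrity check failed".
    """
    if len(blob) < 48:
        return None
    ke, ki = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(ki, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(ke, nonce, len(body))))


class KDC:
    """Holds each principal's long-term key; it never stores the password."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, principal, self.realm)

    def as_exchange(self, principal: str, now: int) -> Optional[bytes]:
        """Answer a ticket request with the TGT encrypted under the client's key."""
        key = self.keys.get(principal)
        if key is None:
            return None  # unknown principal: nothing to issue
        tgt = {"client": principal, "realm": self.realm,
               "issued": now, "expires": now + LIFETIME}
        return encrypt(key, json.dumps(tgt).encode())


def obtain_tgt(kdc: KDC, principal: str, password: str, now: int) -> Optional[dict]:
    """Client side: request the TGT and try to decrypt it with the password."""
    blob = kdc.as_exchange(principal, now)
    if blob is None:
        return None
    plaintext = decrypt(string_to_key(password, principal, kdc.realm), blob)
    # A wrong password derives the wrong key, so the client gets nothing usable.
    return json.loads(plaintext) if plaintext is not None else None


def tgt_is_valid(tgt: dict, now: int) -> bool:
    """A TGT supports further ticket requests only until it expires."""
    return tgt["issued"] <= now < tgt["expires"]


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse")  # constructed sample principal
    print("right password:", obtain_tgt(kdc, "alice", "correct horse", now=0))
    print("wrong password:", obtain_tgt(kdc, "alice", "wrong guess", now=0))
```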
672
<a name="Why-Should-I-use-Kerberos_003f"></a>Next: <a rel="next" accesskey="n" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,
673
Previous: <a rel="previous" accesskey="p" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>,
674
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
678
<h3 class="section">1.2 Why Should I use Kerberos?</h3>
680
<p>Since Kerberos negotiates authenticated, and optionally encrypted,
681
communications between two points anywhere on the Internet, it provides
682
a layer of security that is not dependent on which side of a firewall
683
either client is on. Since studies have shown that half of the computer
684
security breaches in industry happen from <i>inside</i> firewalls,
685
Kerberos V5 from MIT will play a vital role in the
686
security of your network.
690
<a name="Please-Read-the-Documentation"></a>Next: <a rel="next" accesskey="n" href="#Overview-of-This-Guide">Overview of This Guide</a>,
691
Previous: <a rel="previous" accesskey="p" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
692
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
696
<h3 class="section">1.3 Please Read the Documentation</h3>
698
<p>As with any software package that uses a centrallized database, the
699
installation procedure is somewhat involved, and requires forethought
700
and planning. MIT has attempted to make this
701
Kerberos V5 Installation Guide as concise as possible, rather than
702
making it an exhaustive description of the details of Kerberos.
703
Consequently, everything in this guide appears because MIT
704
believes that it is important. Please read and follow these
705
instructions carefully.
707
<p>This document is one piece of the document set for Kerberos V5. The
documents, and their intended audiences, are:
<li><b>Kerberos V5 Installation Guide</b>: a concise guide for installing
Kerberos V5. Kerberos administrators (particularly whoever will be
making site-wide decisions about the installation) and the system
administrators who will be installing the software should read this
<li><b>Kerberos V5 System Administrator's Guide</b>: a sysadmin's guide to
administering a Kerberos installation. The System Administrator's Guide
describes the administration software and suggests policies and
procedures for administering a Kerberos installation. Anyone who will
have administrative access to your Kerberos database should read this
<li><b>Kerberos V5 UNIX User's Guide</b>: a guide to using the Kerberos
UNIX client programs. All users on UNIX systems should read this guide,
particularly the “Tutorial” section.
<a name="Overview-of-This-Guide"></a>Previous: <a rel="previous" accesskey="p" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
<h3 class="section">1.4 Overview of This Guide</h3>
<p class="noindent">The next chapter describes the decisions you need to make before
installing Kerberos V5.
<p class="noindent">Chapter three provides instructions for building the Kerberos sources.
<p class="noindent">Chapter four describes installation procedures for each class of
<li>Key Distribution Centers (KDCs).
<li>UNIX client machines
<li>UNIX application server machines
<p class="noindent">Note that a machine can be both a client machine and an application
<p class="noindent">Chapter five describes the procedure for updating previous installations of
<p class="noindent">Chapter six describes our problem reporting system.
<a name="Realm-Configuration-Decisions"></a>Next: <a rel="next" accesskey="n" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">2 Realm Configuration Decisions</h2>
<p>Before installing Kerberos V5, it is necessary to consider the
<li>The name of your Kerberos realm (or the name of each realm, if you need
<li>How you will map your hostnames onto Kerberos realms.
<li>Which ports your KDC and kadmin (database access) services will use.
<li>How many slave KDCs you need and where they should be located.
<li>The hostnames of your master and slave KDCs.
<li>How frequently you will propagate the database from the master KDC to
<li><a accesskey="1" href="#Kerberos-Realms">Kerberos Realms</a>
<li><a accesskey="2" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>
<li><a accesskey="3" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>
<li><a accesskey="4" href="#Slave-KDCs">Slave KDCs</a>
<li><a accesskey="5" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>
<li><a accesskey="6" href="#Database-Propagation">Database Propagation</a>
<a name="Kerberos-Realms"></a>Next: <a rel="next" accesskey="n" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.1 Kerberos Realms</h3>
<p>Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters. For
example, hosts in the domain example.com would be in the
Kerberos realm EXAMPLE.COM.
<p>If you need multiple Kerberos realms, MIT recommends that
you use descriptive names which end with your domain name, such as
BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM.
<a name="Mapping-Hostnames-onto-Kerberos-Realms"></a>Next: <a rel="next" accesskey="n" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
Previous: <a rel="previous" accesskey="p" href="#Kerberos-Realms">Kerberos Realms</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.2 Mapping Hostnames onto Kerberos Realms</h3>
<p>Mapping hostnames onto Kerberos realms is done in one of two ways.
<p>The first mechanism, which has been in use for years in MIT-based
Kerberos distributions, works through a set of rules in
the <code>krb5.conf</code> configuration file. (See <a href="#krb5_002econf">krb5.conf</a>.) You can
specify mappings for an entire domain or subdomain, and/or on a
hostname-by-hostname basis. Since greater specificity takes precedence,
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.
<p>The second mechanism works by looking up the information in special
<code>TXT</code> records in the Domain Name Service. This is currently not
used by default because security holes could result if the DNS TXT
records were spoofed. If this mechanism is enabled on the client,
it will try to look up a <code>TXT</code> record for the DNS name formed by
putting the prefix <code>_kerberos</code> in front of the hostname in question.
If that record is not found, it will try using <code>_kerberos</code> and the
host's domain name, then its parent domain, and so forth. So for the
hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
<pre class="smallexample">_kerberos.boston.engineering.foobar.com
_kerberos.engineering.foobar.com
</pre>
<p>The value of the first TXT record found is taken as the realm name.
(Obviously, this doesn't work all that well if a host and a subdomain
have the same name, and different realms. For example, if all the hosts
in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
another realm. In that case, you would set up TXT records for all
hosts, rather than relying on the fallback to the domain name.)
<p>Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other sites.
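<p>As an added illustration, not code from the MIT guide or distribution, the following Python models the two mechanisms just described: the <code>krb5.conf</code>-style mapping, where an exact hostname rule beats a domain rule and a longer domain suffix beats a shorter one (following <code>krb5.conf</code>'s convention that a key with a leading dot covers a domain and its subdomains), and the DNS walk that prefixes <code>_kerberos.</code> to the hostname and then to each parent domain. The rule set and TXT record table are constructed for the example; the hostnames are those used in the text. It also shows the caveat above: with the DNS walk alone, a host named ENGINEERING.FOOBAR.COM cannot be placed in a realm different from the ENGINEERING.FOOBAR.COM subdomain unless it gets its own TXT record.

```python
# Added example: hostname -> realm mapping by krb5.conf-style rules, with the
# optional _kerberos TXT lookup as a fallback.  Rules and records are constructed.

# Constructed [domain_realm]-style rules.  A key with a leading dot covers a
# domain and its subdomains; a key without one names a single host.  The last
# rule is the exception case from the text: a host named like the subdomain
# that belongs to a different realm.
DOMAIN_REALM = {
    ".foobar.com": "FOOBAR.COM",
    ".engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    "engineering.foobar.com": "FOOBAR.COM",
}

# Constructed TXT records, keyed by owner name, as the DNS mechanism would
# return them.  There is deliberately no per-host record for the exception.
TXT_RECORDS = {
    "_kerberos.foobar.com": "FOOBAR.COM",
    "_kerberos.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
}


def _labels(hostname):
    return hostname.lower().rstrip(".").split(".")


def realm_from_config(hostname, rules=DOMAIN_REALM):
    """Greater specificity wins: an exact host rule first, then the longest
    matching domain suffix (.a.b.c before .b.c before .c)."""
    labels = _labels(hostname)
    host = ".".join(labels)
    if host in rules:
        return rules[host]
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return None


def txt_lookup_names(hostname):
    """Names the DNS mechanism tries, in order: _kerberos.<host>, then
    _kerberos.<domain>, then each parent domain ("and so forth")."""
    labels = _labels(hostname)
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def realm_from_dns(hostname, records=TXT_RECORDS):
    """The first TXT record found wins; None if the walk finds nothing."""
    for name in txt_lookup_names(hostname):
        if name in records:
            return records[name]
    return None


def realm_for_host(hostname, use_dns=False):
    """Config rules first; the DNS walk only if enabled and nothing matched."""
    realm = realm_from_config(hostname)
    if realm is None and use_dns:
        realm = realm_from_dns(hostname)
    return realm


if __name__ == "__main__":
    for h in ("daisy.foobar.com", "boston.engineering.foobar.com",
              "engineering.foobar.com", "other.example.com"):
        print(h, realm_from_config(h), realm_from_dns(h))
```

<p>Running it shows the two mechanisms disagreeing on <code>engineering.foobar.com</code>: the config rules return FOOBAR.COM because the exact-host rule wins, while the DNS walk returns ENGINEERING.FOOBAR.COM because its first hit is the subdomain's record. That disagreement is exactly why the text tells you to add per-host TXT records in that situation.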
<a name="Ports-for-the-KDC-and-Admin-Services"></a>Next: <a rel="next" accesskey="n" href="#Slave-KDCs">Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.3 Ports for the KDC and Admin Services</h3>
<p>The default ports used by Kerberos are port 88 for the
KDC<a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a> and
port 749 for the admin server. You can, however,
choose to run on other ports, as long as they are specified in each
host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the
<code>kdc.conf</code> file on each KDC. For a more thorough treatment of
port numbers used by the Kerberos V5 programs, refer to the
“Configuring Your Firewall to Work With Kerberos V5” section of
the <cite>Kerberos V5 System Administrator's Guide</cite>.
<a name="Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.4 Slave KDCs</h3>
<p>Slave KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the master KDC. The number
of slave KDCs you need and the decision of where to place them, both
physically and logically, depends on the specifics of your network.
<p>All of the Kerberos authentication on your network requires that each
client be able to contact a KDC. Therefore, you need to anticipate any
likely reason a KDC might be unavailable and have a slave KDC to take up
<p>Some considerations include:
<li>Have at least one slave KDC as a backup, for when the master KDC is
down, is being upgraded, or is otherwise unavailable.
<li>If your network is split such that a network outage is likely to cause a
network partition (some segment or segments of the network to become cut
off or isolated from other segments), have a slave KDC accessible to
<li>If possible, have at least one slave KDC in a different building from
the master, in case of power outages, fires, or other localized
<a name="Hostnames-for-the-Master-and-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Database-Propagation">Database Propagation</a>,
Previous: <a rel="previous" accesskey="p" href="#Slave-KDCs">Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.5 Hostnames for the Master and Slave KDCs</h3>
<p>MIT recommends that your KDCs have a predefined set of
CNAME records (DNS hostname aliases), such as <code>kerberos</code>
for the master KDC and
<code>kerberos-1</code>, <code>kerberos-2</code>, <small class="dots">...</small> for the
slave KDCs. This way, if you need to swap a machine, you only need to
change a DNS entry, rather than having to change hostnames.
<p>A new mechanism for locating KDCs of a realm through DNS has been added
to the MIT Kerberos V5 distribution. A relatively new
record type called <code>SRV</code> has been added to DNS. Looked up by a
service name and a domain name, these records indicate the hostname and
port number to contact for that service, optionally with weighting and
prioritization. (See RFC 2782 if you want more information. You can
follow the example below for straightforward cases.)
<p>The use with Kerberos is fairly straightforward. The domain name used
in the SRV record name is the domain-style Kerberos realm name. (It is
possible to have Kerberos realm names that are not DNS-style names, but
we don't recommend it for Internet use, and our code does not support it
well.) Several different Kerberos-related service names are used:
<dt><code>_kerberos._udp</code><dd>This is for contacting any KDC by UDP. This entry will be used the most
often. Normally you should list port 88 on each of your KDCs.
<br><dt><code>_kerberos._tcp</code><dd>This is for contacting any KDC by TCP. The MIT KDC by default will not
listen on any TCP ports, so unless you've changed the configuration or
you're running another KDC implementation, you should leave this
unspecified. If you do enable TCP support, normally you should use
<br><dt><code>_kerberos-master._udp</code><dd>This entry should refer to those KDCs, if any, that will immediately see
password changes to the Kerberos database. This entry is used only in
one case, when the user is logging in and the password appears to be
incorrect; the master KDC is then contacted, and the same password used
to try to decrypt the response, in case the user's password had recently
been changed and the first KDC contacted hadn't been updated. Only if
that fails is an “incorrect password” error given.
<p>If you have only one KDC, or for whatever reason there is no accessible
KDC that would get database changes faster than the others, you do not
need to define this entry.
<br><dt><code>_kerberos-adm._tcp</code><dd>This should list port 749 on your master KDC.
Support for it is not complete at this time, but it will eventually be
used by the <code>kadmin</code> program and related utilities. For now, you
will also need the <code>admin_server</code> entry in <code>krb5.conf</code>.
(See <a href="#krb5_002econf">krb5.conf</a>.)
<br><dt><code>_kpasswd._udp</code><dd>This should list port 464 on your master KDC.
It is used when a user changes her password.
<p>Be aware, however, that the DNS SRV specification requires that the
hostnames listed be the canonical names, not aliases. So, for example,
you might include the following records in your (BIND-style) zone file:
<pre class="smallexample">$ORIGIN foobar.com.
_kerberos               TXT     "FOOBAR.COM"
kerberos                CNAME   daisy
kerberos-1              CNAME   use-the-force-luke
kerberos-2              CNAME   bunny-rabbit
_kerberos._udp          SRV     0 0 88 daisy
                        SRV     0 0 88 use-the-force-luke
                        SRV     0 0 88 bunny-rabbit
_kerberos-master._udp   SRV     0 0 88 daisy
_kerberos-adm._tcp      SRV     0 0 749 daisy
_kpasswd._udp           SRV     0 0 464 daisy
</pre>
<p>As with the DNS-based mechanism for determining the Kerberos realm of a
host, we recommend distributing the information this way for use by
other sites that may want to interact with yours using Kerberos, even if
you don't immediately make use of it within your own site. If you
anticipate installing a very large number of machines on which it will
be hard to update the Kerberos configuration files, you may wish to do
all of your Kerberos service lookups via DNS and not put the information
(except for <code>admin_server</code> as noted above) in future versions of
your <code>krb5.conf</code> files at all. Eventually, we hope to phase out
the listing of server hostnames in the client-side configuration files;
making preparations now will make the transition easier in the future.
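<p>The following Python is an added example, not code from the MIT distribution. It parses a zone fragment of the shape shown above (honouring <code>$ORIGIN</code>, <code>;</code> comments, and a blank owner field, which in a BIND zone file repeats the previous owner), lists the endpoints advertised for a Kerberos service name in priority and weight order, and checks the requirement just stated: that SRV targets be canonical names rather than CNAME aliases. The zone text reproduces the records above plus one constructed <code>_kerberos._tcp</code> record that deliberately points at the alias <code>kerberos-1</code>, so the check has something to flag.

```python
# Added example: parse a BIND-style zone fragment like the one above and check
# the Kerberos SRV records in it.  The zone text is constructed for the example.
ZONE = """\
$ORIGIN foobar.com.
_kerberos               TXT     "FOOBAR.COM"
kerberos                CNAME   daisy
kerberos-1              CNAME   use-the-force-luke
kerberos-2              CNAME   bunny-rabbit
_kerberos._udp          SRV     0 0 88 daisy
                        SRV     0 0 88 use-the-force-luke
                        SRV     0 0 88 bunny-rabbit
_kerberos-master._udp   SRV     0 0 88 daisy
_kerberos-adm._tcp      SRV     0 0 749 daisy
_kpasswd._udp           SRV     0 0 464 daisy
; constructed mistake: an SRV target that is an alias, not a canonical name
_kerberos._tcp          SRV     0 0 88 kerberos-1
"""


def qualify(name, origin):
    """Make a zone-file name absolute: '@' means the origin, a trailing dot
    means the name is already absolute, anything else is relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) triples.  Handles $ORIGIN, ';' comments and
    a blank owner field, which repeats the previous owner."""
    origin = "."
    owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if line[0] in " \t":
            # blank owner field: the previous record's owner applies
            if owner is None:
                raise ValueError("owner omitted before any record")
        else:
            owner = qualify(fields.pop(0), origin)
        rtype = fields.pop(0)
        if rtype == "TXT":
            rdata = (" ".join(fields).strip('"'),)
        elif rtype == "CNAME":
            rdata = (qualify(fields[0], origin),)
        elif rtype == "SRV":
            prio, weight, port, target = fields
            rdata = (int(prio), int(weight), int(port), qualify(target, origin))
        else:
            raise ValueError(f"unsupported record type {rtype}")
        records.append((owner, rtype, rdata))
    return records


def srv_targets_that_are_aliases(records):
    """RFC 2782 requires SRV targets to be canonical names.  Return the
    (srv owner, target) pairs whose target is itself a CNAME owner."""
    aliases = {o for o, t, _ in records if t == "CNAME"}
    return [(o, r[3]) for o, t, r in records if t == "SRV" and r[3] in aliases]


def service_endpoints(records, service):
    """(host, port) list for a service owner name: lowest priority number
    first, heavier weight first within the same priority."""
    srvs = [r for o, t, r in records if t == "SRV" and o == service]
    srvs.sort(key=lambda r: (r[0], -r[1]))
    return [(r[3], r[2]) for r in srvs]


def realm_txt(records, domain):
    """Realm name advertised by the _kerberos TXT record of a domain."""
    for o, t, r in records:
        if t == "TXT" and o == "_kerberos." + domain:
            return r[0]
    return None


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print(realm_txt(recs, "foobar.com."))
    print(service_endpoints(recs, "_kerberos._udp.foobar.com."))
    print(srv_targets_that_are_aliases(recs))
```

<p>The alias check is worth running against a real zone before publishing it: a client that follows RFC 2782 strictly may refuse an SRV target that resolves through a CNAME, so the convenient <code>kerberos-1</code> aliases recommended at the start of this section belong in the CNAME records only, never as SRV targets.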
<a name="Database-Propagation"></a>Previous: <a rel="previous" accesskey="p" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<h3 class="section">2.6 Database Propagation</h3>
<p>The Kerberos database resides on the master KDC, and must be propagated
regularly (usually by a cron job) to the slave KDCs. In deciding how
frequently the propagation should happen, you will need to balance the
amount of time the propagation takes against the maximum reasonable
amount of time a user should have to wait for a password change to take
<p>If the propagation time is longer than this maximum reasonable time
(<i>e.g.,</i> you have a particularly large database, you have a lot of
slaves, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel. To do this, have the master KDC propagate the database to one
set of slaves, and then have each of these slaves propagate the database
to additional slaves.
<a name="Building-Kerberos-V5"></a>Next: <a rel="next" accesskey="n" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">3 Building Kerberos V5</h2>
<p>Kerberos V5 uses a configuration system built using the Free
Software Foundation's <span class="samp">autoconf</span> program. This system makes
Kerberos V5 much simpler to build and reduces the amount of effort
required in porting Kerberos V5 to a new platform.
<li><a accesskey="1" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>: Description of the source tree.
<li><a accesskey="2" href="#Build-Requirements">Build Requirements</a>: How much disk space, etc. you need to
<li><a accesskey="3" href="#Unpacking-the-Sources">Unpacking the Sources</a>: Preparing the source tree.
<li><a accesskey="4" href="#Doing-the-Build">Doing the Build</a>: Compiling Kerberos.
<li><a accesskey="5" href="#Installing-the-Binaries">Installing the Binaries</a>: Installing the compiled binaries.
<li><a accesskey="6" href="#Testing-the-Build">Testing the Build</a>: Making sure Kerberos built correctly.
<li><a accesskey="7" href="#Options-to-Configure">Options to Configure</a>: Command-line options to Configure
<li><a accesskey="8" href="#osconf_002eh">osconf.h</a>: Header file-specific configurations
<li><a accesskey="9" href="#Shared-Library-Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5
<li><a href="#OS-Incompatibilities">OS Incompatibilities</a>: Special cases to watch for.
<li><a href="#Using-Autoconf">Using Autoconf</a>: Modifying Kerberos V5's
configuration scripts.
<a name="Organization-of-the-Source-Directory"></a>Next: <a rel="next" accesskey="n" href="#Build-Requirements">Build Requirements</a>,
Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.1 Organization of the Source Directory</h3>
<p>Below is a brief overview of the organization of the complete source
directory. More detailed descriptions follow.
<dt><b>appl</b><dd>applications with Kerberos V5 extensions
<dt><b>clients</b><dd>Kerberos V5 user programs
<dt><b>gen-manpages</b><dd>manpages for Kerberos V5 and the Kerberos V5 login program
<dt><b>include</b><dd>include files
<dt><b>kadmin</b><dd>administrative interface to the Kerberos master database
<dt><b>kdc</b><dd>the Kerberos V5 Authentication Service and Key Distribution Center
<dt><b>krb524</b><dd>utilities for converting between Kerberos 4 and Kerberos 5
<dt><b>lib</b><dd>libraries for use with/by Kerberos V5
<dt><b>mac</b><dd>source code for building Kerberos V5 on MacOS
<dt><b>prototype</b><dd>templates for source code files
<dt><b>slave</b><dd>utilities for propagating the database to slave KDCs
<dt><b>tests</b><dd>test suite
<dt><b>util</b><dd>various utilities for building/configuring the code, sending bug reports, etc.
<dt><b>windows</b><dd>source code for building Kerberos V5 on Windows (see windows/README)
<li><a accesskey="1" href="#The-appl-Directory">The appl Directory</a>
<li><a accesskey="2" href="#The-clients-Directory">The clients Directory</a>
<li><a accesskey="3" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>
<li><a accesskey="4" href="#The-include-Directory">The include Directory</a>
<li><a accesskey="5" href="#The-kadmin-Directory">The kadmin Directory</a>
<li><a accesskey="6" href="#The-kdc-Directory">The kdc Directory</a>
<li><a accesskey="7" href="#The-krb524-Directory">The krb524 Directory</a>
<li><a accesskey="8" href="#The-lib-Directory">The lib Directory</a>
<li><a accesskey="9" href="#The-prototype-Directory">The prototype Directory</a>
<li><a href="#The-slave-Directory">The slave Directory</a>
<li><a href="#The-util-Directory">The util Directory</a>
<a name="The-appl-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-clients-Directory">The clients Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.1 The appl Directory</h4>
<p>The Kerberos release provides certain UNIX utilities, modified to use
Kerberos authentication. In the <i>appl/bsd</i> directory are the
Berkeley utilities <i>login</i>, <i>rlogin</i>, <i>rsh</i>, and <i>rcp</i>, as well as
the associated daemons <i>kshd</i> and <i>klogind</i>. The <i>login</i> program
obtains ticket-granting tickets for users upon login; the other utilities
provide authenticated Unix network services.
<p>The <i>appl</i> directory also contains Kerberized telnet and ftp programs,
as well as sample Kerberos application client and server programs.
<a name="The-clients-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-appl-Directory">The appl Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.2 The clients Directory</h4>
<p>This directory contains the code for several user-oriented programs.
<dt><b>kdestroy</b><dd>This program destroys the user's active Kerberos authorization tickets.
MIT recommends that users <code>kdestroy</code> before logging out.
<dt><b>kinit</b><dd>This program prompts users for their Kerberos principal name and password,
and attempts to get an initial ticket-granting-ticket for that principal.
<dt><b>klist</b><dd>This program lists the Kerberos principal and Kerberos tickets held in
a credentials cache, or the keys held in a keytab file.
<dt><b>kpasswd</b><dd>This program changes a user's Kerberos password.
<dt><b>ksu</b><dd>This program is a Kerberized version of the <code>su</code> program that is
meant to securely change the real and effective user ID to that of the
target user and to create a new security context.
<dt><b>kvno</b><dd>This program acquires a service ticket for the specified Kerberos
principals and prints out the key version numbers of each.
<a name="The-gen_002dmanpages-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-include-Directory">The include Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-clients-Directory">The clients Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.3 The gen-manpages Directory</h4>
<p>There are two manual pages in this directory. One is an introduction
to the Kerberos system. The other describes the <code>.k5login</code> file
which allows users to give access with their UID to other users
authenticated by the Kerberos system.
<a name="The-include-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-kadmin-Directory">The kadmin Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.4 The include Directory</h4>
<p>This directory contains the <i>include</i> files needed to build the
<a name="The-kadmin-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-kdc-Directory">The kdc Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-include-Directory">The include Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.5 The kadmin Directory</h4>
<p>In this directory is the code for the utilities <code>kadmin</code>,
<code>kadmin.local</code>, <code>kdb5_util</code>, and <code>ktutil</code>.
<code>ktutil</code> is the Kerberos keytab file maintenance utility from
which a Kerberos administrator can read, write, or edit entries in a
Kerberos V5 keytab or Kerberos V4 srvtab. <code>kadmin</code> and
<code>kadmin.local</code> are command-line interfaces to the Kerberos V5 KADM5
administration system. <code>kadmin.local</code> runs on the master KDC and
does not use Kerberos to authenticate to the database, while
<code>kadmin</code> uses Kerberos authentication and an encrypted RPC. The
two provide identical functionalities, which allow administrators to
modify the database of Kerberos principals. <code>kdb5_util</code> allows
administrators to perform low-level maintenance procedures on Kerberos
and the KADM5 database. With this utility, databases can be created,
destroyed, or dumped to and loaded from ASCII files. It can also be
used to create master key stash files.
<a name="The-kdc-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-krb524-Directory">The krb524 Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-kadmin-Directory">The kadmin Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.6 The kdc Directory</h4>
<p>This directory contains the code for the <code>krb5kdc</code> daemon, the
Kerberos Authentication Service and Key Distribution Center.
<a name="The-krb524-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-lib-Directory">The lib Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-kdc-Directory">The kdc Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.7 The krb524 Directory</h4>
<p>This directory contains the code for <code>krb524</code>, a service that
converts Kerberos V5 credentials into Kerberos V4 credentials suitable
for use with applications that for whatever reason do not use V5
<a name="The-lib-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-prototype-Directory">The prototype Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-krb524-Directory">The krb524 Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.8 The lib Directory</h4>
<p>The <i>lib</i> directory contains 10 subdirectories as well as some
definition and glue files. The <i>crypto</i> subdirectory contains the
Kerberos V5 encryption library. The <i>des425</i> subdirectory exports
the Kerberos V4 encryption API, and translates these functions into
calls to the Kerberos V5 encryption API. The <i>gssapi</i> library
contains the Generic Security Services API, which is a library of
commands to be used in secure client-server communication. The
<i>kadm5</i> directory contains the libraries for the KADM5 administration
utilities. The Kerberos 5 database libraries are contained in
<i>kdb</i>. The directories <i>krb4</i> and <i>krb5</i> contain the Kerberos 4
and Kerberos 5 APIs, respectively. The <i>rpc</i> directory contains the
API for the Kerberos Remote Procedure Call protocol.
<a name="The-prototype-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-slave-Directory">The slave Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-lib-Directory">The lib Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.9 The prototype Directory</h4>
<p>This directory contains several template files. The <code>prototype.h</code>
and <code>prototype.c</code> files contain the MIT copyright message and a
placeholder for the title and description of the file.
<code>prototype.h</code> also has a short template for writing <code>ifdef</code>
and <code>ifndef</code> preprocessor statements. The <code>getopt.c</code> file
provides a template for writing code that will parse the options with
which a program was called.
<a name="The-slave-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-util-Directory">The util Directory</a>,
Previous: <a rel="previous" accesskey="p" href="#The-prototype-Directory">The prototype Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.10 The slave Directory</h4>
<p>This directory contains code which allows for the propagation of the
Kerberos principal database from the master KDC to slave KDCs over an
encrypted, secure channel. <code>kprop</code> is the program which actually
propagates the database dump file. <code>kpropd</code> is the Kerberos V5
slave KDC update server which accepts connections from the <code>kprop</code>
program. <code>kslave_update</code> is a script that takes the name of a
slave server, and propagates the database to that server if the
database has been modified since the last dump or if the database has
been dumped since the last propagation.
<a name="The-util-Directory"></a>Previous: <a rel="previous" accesskey="p" href="#The-slave-Directory">The slave Directory</a>,
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
<h4 class="subsection">3.1.11 The util Directory</h4>
<p>This directory contains several utility programs and libraries. The
programs used to configure and build the code, such as <code>autoconf</code>,
<code>lndir</code>, <code>kbuild</code>, <code>reconf</code>, and <code>makedepend</code>,
are in this directory. The <i>profile</i> directory contains most of the
functions which parse the Kerberos configuration files (<code>krb5.conf</code>
and <code>kdc.conf</code>). Also in this directory are the Kerberos error table
library and utilities (<i>et</i>), the Sub-system library and utilities
(<i>ss</i>), database utilities (<i>db2</i>), pseudo-terminal utilities
(<i>pty</i>), bug-reporting program <code>send-pr</code>, and a generic
support library <code>support</code> used by several of our other libraries.
<a name="Build-Requirements"></a>Next: <a rel="next" accesskey="n" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.2 Build Requirements</h3>
<p>In order to build Kerberos V5, you will need approximately 60-70
megabytes of disk space. The exact amount will vary depending on the
platform and whether the distribution is compiled with debugging symbol
<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”).
Some operating systems do not have an ANSI C compiler, or their
default compiler requires extra command-line options to enable ANSI C
<p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled
<span class="file">*.o</span> file and executables, separate from your source tree, you
will need a <span class="samp">make</span> program which supports <span class="samp">VPATH</span>, or
you will need to use a tool such as <span class="samp">lndir</span> to produce a symbolic
link tree for your build tree.
<a name="Unpacking-the-Sources"></a>Next: <a rel="next" accesskey="n" href="#Doing-the-Build">Doing the Build</a>,
Previous: <a rel="previous" accesskey="p" href="#Build-Requirements">Build Requirements</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.3 Unpacking the Sources</h3>
<p>The first step in each of these build procedures is to unpack the
source distribution. The Kerberos V5 distribution comes in a tar file,
generally named <span class="file">krb5-1.7.tar</span>, which contains a
compressed tar file consisting of the sources for all of Kerberos
(generally <span class="file">krb5-1.7.tar.gz</span>) and a PGP signature for
this source tree (generally <span class="file">krb5-1.7.tar.gz.asc</span>).
MIT highly recommends that you verify the integrity of the
source code using this signature.
<p>Unpack the compressed tar file in some directory, such as
<span class="file">/u1/krb5-1.7</span>. (In the rest of this document, we
will assume that you have chosen to unpack the Kerberos V5 source
distribution in this directory. Note that the tarfiles will by default
all unpack into the <span class="file">./krb5-1.7</span> directory, so that if
your current directory is <span class="file">/u1</span> when you unpack the tarfiles, you
will get <span class="file">/u1/krb5-1.7/src</span>, etc.)
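<p>The verification recommended above, as an added example that is not part of the Kerberos distribution: a POSIX sh function that checks <span class="file">krb5-1.7.tar.gz</span> against <span class="file">krb5-1.7.tar.gz.asc</span> with GnuPG and unpacks only when the check succeeds. It assumes <span class="samp">gpg</span> is installed and the MIT signing key is already in your keyring; the directory argument and the function name are this example's own.

```sh
#!/bin/sh
# Added example, not part of the MIT Kerberos distribution.
# Verify the detached PGP signature on krb5-1.7.tar.gz before unpacking
# it, and refuse to unpack when the signature cannot be checked (no
# signature file, no gpg, or a failed verification).  The file names
# follow the guide; the signing key must already be in your GnuPG
# keyring, and whether you trust that key is a decision this script
# does not make for you.

# verify_and_unpack DIR [VERSION]
#   DIR holds krb5-VERSION.tar.gz and krb5-VERSION.tar.gz.asc, i.e. the
#   contents of the outer krb5-VERSION.tar.  On success the sources are
#   unpacked into DIR/krb5-VERSION and 0 is returned; on any failure the
#   tarball is left untouched and 1 is returned.
verify_and_unpack() {
    dir=$1
    ver=${2:-1.7}
    tarball="$dir/krb5-$ver.tar.gz"
    sig="$tarball.asc"

    if [ ! -f "$tarball" ]; then
        echo "missing $tarball" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        echo "missing $sig; refusing to unpack unsigned source" >&2
        return 1
    fi
    # Fail closed: without gpg there is no verification, so no unpack.
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; cannot verify $sig" >&2
        return 1
    fi
    # A detached signature is checked against the data file; gpg's exit
    # status is the verdict (non-zero for bad data, a bad signature, or
    # an unknown signing key).
    if ! gpg --batch --no-tty --verify "$sig" "$tarball"; then
        echo "signature check FAILED for $tarball; not unpacking" >&2
        return 1
    fi
    # Only now unpack.  As the guide notes, the archive creates
    # ./krb5-VERSION in the current directory.
    (cd "$dir" && gzip -dc "krb5-$ver.tar.gz" | tar xf -) || return 1
    [ -d "$dir/krb5-$ver/src" ] || return 1
    return 0
}

# Command-line use: sh verify-and-unpack.sh /u1
if [ $# -eq 1 ]; then
    verify_and_unpack "$1"
fi
```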
<a name="Doing-the-Build"></a>Next: <a rel="next" accesskey="n" href="#Installing-the-Binaries">Installing the Binaries</a>,
Previous: <a rel="previous" accesskey="p" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.4 Doing the Build</h3>
<p>You have a number of different options in how to build Kerberos. If you
only need to build Kerberos for one platform, using a single directory
tree which contains both the source files and the object files is the
simplest. However, if you need to maintain Kerberos for a large number
of platforms, you will probably want to use separate build trees for
each platform. We recommend that you look at <a href="#OS-Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating
<li><a accesskey="1" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>
<li><a accesskey="2" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>
<li><a accesskey="3" href="#Building-using-lndir">Building using lndir</a>
<a name="Building-Within-a-Single-Tree"></a>Next: <a rel="next" accesskey="n" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
<h4 class="subsection">3.4.1 Building Within a Single Tree</h4>
<p>If you don't want separate build trees for each architecture, then
use the following abbreviated procedure.
<li> <code>cd /u1/krb5-1.7/src</code>
<li> <code>./configure</code>
<li> <code>make</code>
<a name="Building-with-Separate-Build-Directories"></a>Next: <a rel="next" accesskey="n" href="#Building-using-lndir">Building using lndir</a>,
Previous: <a rel="previous" accesskey="p" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>,
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
<h4 class="subsection">3.4.2 Building with Separate Build Directories</h4>
<p>If you wish to keep separate build directories for each platform, you
can do so using the following procedure. (Note, this requires that your
<span class="samp">make</span> program support <span class="samp">VPATH</span>. GNU's make will provide this
functionality, for example.) If your <span class="samp">make</span> program does not
support this, see the next section.
<p>For example, if you wish to create a build directory for <code>pmax</code> binaries
you might use the following procedure:
<li> <code>mkdir /u1/krb5-1.7/pmax</code>
<li> <code>cd /u1/krb5-1.7/pmax</code>
<li> <code>../src/configure</code>
<li> <code>make</code>
<a name="Building-using-lndir"></a>Previous: <a rel="previous" accesskey="p" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
<h4 class="subsection">3.4.3 Building Using <span class="samp">lndir</span></h4>
<p>If you wish to keep separate build directories for each platform, and
you do not have access to a <span class="samp">make</span> program which supports <span class="samp">VPATH</span>,
all is not lost. You can use the <span class="samp">lndir</span> program to create
symbolic link trees in your build directory.
<p>For example, if you wish to create a build directory for Solaris binaries
you might use the following procedure:
<li> <code>mkdir /u1/krb5-1.7/solaris</code>
<li> <code>cd /u1/krb5-1.7/solaris</code>
<li> <code>/u1/krb5-1.7/src/util/lndir `pwd`/../src</code>
<li> <code>./configure</code>
<li> <code>make</code>
<p>You must give an absolute pathname to <span class="samp">lndir</span> because it has a bug that
makes it fail for relative pathnames. Note that this version differs
from the latest version as distributed and installed by the X Consortium
with X11R6. Either version should be acceptable.
<a name="Installing-the-Binaries"></a>Next: <a rel="next" accesskey="n" href="#Testing-the-Build">Testing the Build</a>,
Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.5 Installing the Binaries</h3>
<p>Once you have built Kerberos, you should install the binaries. You
can do this by running:
<pre class="example"> % make install
</pre>
<p>If you want to install the binaries into a destination directory that
is not their final destination, which may be convenient if you want to
build a binary distribution to be deployed on multiple hosts, you may
<pre class="example"> % make install DESTDIR=/path/to/destdir
</pre>
<p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the
user programs will install into <code>DESTDIR/PREFIX/bin</code>, the
libraries into <code>DESTDIR/PREFIX/lib</code>, etc.
<p>Note that if you want to test the build (see <a href="#Testing-the-Build">Testing the Build</a>),
you usually do not need to do a <code>make install</code> first.
<p>Some implementations of <span class="samp">make</span> allow multiple commands to be run in
parallel, for faster builds. We test our Makefiles in parallel builds with
GNU <span class="samp">make</span> only; they may not be compatible with other parallel build
<a name="Testing-the-Build"></a>Next: <a rel="next" accesskey="n" href="#Options-to-Configure">Options to Configure</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-the-Binaries">Installing the Binaries</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.6 Testing the Build</h3>
<p>The Kerberos V5 distribution comes with built-in regression tests. To
run them, simply type the following command while in the top-level build
directory (i.e., the directory where you typed <span class="samp">make</span> to start
building Kerberos; see <a href="#Doing-the-Build">Doing the Build</a>):
<pre class="example"> % make check
</pre>
<p>However, there are several prerequisites that must be satisfied first:
<li>Configure and build Kerberos with Tcl support. Tcl is used to drive the
test suite. This often means passing <code>--with-tcl</code> to configure to
tell it the location of the Tcl configuration script. (See
<a href="#Options-to-Configure">Options to Configure</a>.)
<li>You have to run <span class="samp">make install</span> before running <span class="samp">make check</span>, or
the test suite will often pick up the installed version of Kerberos
rather than the newly built one. You can install into a prefix that
isn't in the system library search path, though. This theoretically
could be fixed with the appropriate environment variable magic in the
test suite, but hasn't been yet.
<li>In order to test the RPC layer, the local system has to be running the
<span class="command">portmap</span> daemon and it has to be listening to the regular
network interface (not just localhost).
<li><a accesskey="1" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>
<li><a accesskey="2" href="#The-KADM5-Tests">The KADM5 Tests</a>
<a name="The-DejaGnu-Tests"></a>Next: <a rel="next" accesskey="n" href="#The-KADM5-Tests">The KADM5 Tests</a>,
Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>
<h4 class="subsection">3.6.1 The DejaGnu Tests</h4>
<p>Some of the built-in regression tests are set up to use the DejaGnu
framework for running tests. These tests tend to be more comprehensive
than the normal built-in tests as they set up test servers and test
client/server activities.
<p>DejaGnu may be found wherever GNU software is archived.
<p>Most of the tests are set up to run as a non-privileged user. For some
of the krb-root tests to work properly, either (a) the user running the
tests must not have a .k5login file in the home directory or (b) the
.k5login file must contain an entry for <code>&lt;username&gt;@KRBTEST.COM</code>.
There are two series of tests (<span class="samp">rlogind</span> and <span class="samp">telnetd</span>) which
require the ability to <span class="samp">rlogin</span> as root to the local
machine. Admittedly, this does require the use of a <span class="file">.rhosts</span> file
or some authenticated means. <a rel="footnote" href="#fn-2" name="fnd-2"><sup>2</sup></a>
<p>If you cannot obtain root access to your machine, all the other tests
will still run. Note however, with DejaGnu 1.2, the "untested testcases"
will cause the testsuite to exit with a non-zero exit status which
<span class="samp">make</span> will consider a failure of the testing process. Do not worry
about this, as these tests are the last run when <span class="samp">make check</span> is
executed from the top level of the build tree. This problem does not
exist with DejaGnu 1.3.
<a name="The-KADM5-Tests"></a>Previous: <a rel="previous" accesskey="p" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>,
Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>
<h4 class="subsection">3.6.2 The KADM5 Tests</h4>
<p>Regression tests for the KADM5 system, including the GSS-RPC, KADM5
client and server libraries, and kpasswd, are also included in this
release. Each set of KADM5 tests is contained in a sub-directory called
<code>unit-test</code> directly below the system being tested. For example,
lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all
based on DejaGnu (but they are not actually called part of "The DejaGnu
tests," whose naming predates the inclusion of the KADM5 system). In
addition, they require the Tool Command Language (TCL) header files and
libraries to be available during compilation and some of the tests also
require Perl in order to operate. If all of these resources are not
available during configuration, the KADM5 tests will not run. The TCL
installation directory can be specified with the <code>--with-tcl</code>
configure option. (See <a href="#Options-to-Configure">Options to Configure</a>.) The runtest and
perl programs must be in the current execution path.
<p>If you install DejaGnu, TCL, or Perl after configuring and building
Kerberos and then want to run the KADM5 tests, you will need to
re-configure the tree and run <code>make</code> at the top level again to make
sure all the proper programs are built. To save time, you actually only
need to reconfigure and build in the directories src/kadmin/testing,
src/lib/rpc, and src/lib/kadm5.
<a name="Options-to-Configure"></a>Next: <a rel="next" accesskey="n" href="#osconf_002eh">osconf.h</a>,
Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.7 Options to Configure</h3>
<p>There are a number of options to <span class="samp">configure</span> which you can use to
control how the Kerberos distribution is built. The following table
lists the most commonly used options to Kerberos V5's <span class="samp">configure</span>
<dt><code>--help</code><dd>
Provides help to configure. This will list the set of commonly used
options for building Kerberos.
<br><dt><code>--prefix=PREFIX</code><dd>
By default, Kerberos will install the package's files rooted at
`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
desire a different location, use this option.
<br><dt><code>--exec-prefix=EXECPREFIX</code><dd>
This option allows one to separate the architecture independent programs
from the configuration files and manual pages.
<br><dt><code>--localstatedir=LOCALSTATEDIR</code><dd>
This option sets the directory for locally modifiable single-machine
data. In Kerberos, this mostly is useful for setting a location for the
KDC data files, as they will be installed in
<code>LOCALSTATEDIR/krb5kdc</code>, which is by default
<code>PREFIX/var/krb5kdc</code>.
<br><dt><code>CC=COMPILER</code><dd>
Use <code>COMPILER</code> as the C compiler.
<br><dt><code>CFLAGS=FLAGS</code><dd>
Use <code>FLAGS</code> as the default set of C compiler flags.
<p>Note that if you use the native Ultrix compiler on a
DECstation you are likely to lose if you pass no flags to cc; md4.c
takes an estimated 3,469 billion years to compile if you provide neither
the <span class="samp">-g</span> flag nor the <span class="samp">-O</span> flag to <span class="samp">cc</span>.
<br><dt><code>CPPFLAGS=CPPOPTS</code><dd>
Use <code>CPPOPTS</code> as the default set of C preprocessor flags. The most
common use of this option is to select certain <code>#define</code>'s for use
with the operating system's include files.
<br><dt><code>LD=LINKER</code><dd>
Use <code>LINKER</code> as the default loader if it should be different from the C
compiler as specified above.
<br><dt><code>LDFLAGS=LDOPTS</code><dd>
This option allows one to specify optional arguments to be passed to the
linker. This might be used to specify optional library paths.
<br><dt><code>--with-krb4</code><dd>
This option enables Kerberos V4 backwards compatibility using the
builtin Kerberos V4 library.
<br><dt><code>--with-krb4=KRB4DIR</code><dd>
This option enables Kerberos V4 backwards compatibility using a
pre-existing Kerberos V4 installation. The directory specified by
<code>KRB4DIR</code> specifies where the V4 header files should be found
(<span class="file">KRB4DIR/include</span>) as well as where the V4 Kerberos library should
be found (<span class="file">KRB4DIR/lib</span>).
<br><dt><code>--without-krb4</code><dd>
Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
clients from using the V5 services including the KDC. This would be
useful if you know you will never install or need to interact with V4
<br><dt><code>--with-netlib[=libs]</code><dd>
Allows for suppression of or replacement of network libraries. By
default, Kerberos V5 configuration will look for <code>-lnsl</code> and
<code>-lsocket</code>. If your operating system has a broken resolver library
(see <a href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in
<span class="file">src/tests/resolv</span> you will need to use this option.
<br><dt><code>--with-tcl=TCLPATH</code><dd>
Some of the unit-tests in the build tree rely upon using a program in
Tcl. The directory specified by <code>TCLPATH</code> specifies where the Tcl
header file (<span class="file">TCLPATH/include/tcl.h</span>) as well as where the Tcl
library should be found (<span class="file">TCLPATH/lib</span>).
<br><dt><code>--enable-shared</code><dd>
This option will turn on the building and use of shared library objects
in the Kerberos build. This option is only supported on certain
<br><dt><code>--enable-dns</code><br><dt><code>--enable-dns-for-kdc</code><br><dt><code>--enable-dns-for-realm</code><dd>
Enable the use of DNS to look up a host's Kerberos realm, or a realm's
KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to
locate the KDCs, and <a href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a> for
information about using DNS to determine the default realm. By default,
DNS lookups are enabled for the former but not for the latter.
<br><dt><code>--enable-kdc-replay-cache</code><dd>
Enable a cache in the KDC to detect retransmitted messages, and resend
the previous responses to them. This protects against certain types of
attempts to extract information from the KDC through some of the
hardware preauthentication systems.
<br><dt><code>--with-system-et</code><dd>
Use an installed version of the error-table support software, the
<span class="samp">compile_et</span> program, the <span class="file">com_err.h</span> header file and the
<span class="file">com_err</span> library. If these are not in the default locations,
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
<p>If this option is not given, a version supplied with the Kerberos
sources will be built and installed along with the rest of the
Kerberos tree, for Kerberos applications to link against.
<br><dt><code>--with-system-ss</code><dd>
Use an installed version of the subsystem command-line interface
software, the <span class="samp">mk_cmds</span> program, the <span class="file">ss/ss.h</span> header file
and the <span class="file">ss</span> library. If these are not in the default locations,
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
well. See also the <span class="samp">SS_LIB</span> option.
<p>If this option is not given, the <span class="file">ss</span> library supplied with the
Kerberos sources will be compiled and linked into those programs that
need it; it will not be installed separately.
<br><dt><code>SS_LIB=libs...</code><dd>
If <span class="samp">-lss</span> is not the correct way to link in your installed
<span class="file">ss</span> library, for example if additional support libraries are
needed, specify the correct link options here. Some variants of this
library are around which allow for Emacs-like line editing, but
different versions require different support libraries to be
explicitly specified.
<p>This option is ignored if <span class="samp">--with-system-ss</span> is not specified.
<br><dt><code>--with-system-db</code><dd>
Use an installed version of the Berkeley DB package, which must
provide an API compatible with version 1.85. This option is
<em>unsupported</em> and untested. In particular, we do not know if the
database-rename code used in the dumpfile load operation will behave
<p>If this option is not given, a version supplied with the Kerberos
sources will be built and installed. (We are not updating this
version at this time because of licensing issues with newer versions
that we haven't investigated sufficiently yet.)
<br><dt><code>DB_HEADER=headername.h</code><dd>
If <span class="samp">db.h</span> is not the correct header file to include to compile
against the Berkeley DB 1.85 API, specify the correct header file name
with this option. For example, <span class="samp">DB_HEADER=db3/db_185.h</span>.
<br><dt><code>DB_LIB=libs...</code><dd>
If <span class="samp">-ldb</span> is not the correct library specification for the
Berkeley DB library version to be used, override it with this option.
For example, <span class="samp">DB_LIB=-ldb-3.3</span>.
<p>For example, in order to configure Kerberos on a Solaris machine using
the <span class="samp">suncc</span> compiler with the optimizer turned on, run the configure
script with the following options:
<pre class="example"> % ./configure CC=suncc CFLAGS=-O
</pre>
<p>For a slightly more complicated example, consider a system where
several packages to be used by Kerberos are installed in
<span class="samp">/usr/foobar</span>, including Berkeley DB 3.3, and an <span class="samp">ss</span>
library that needs to link against the <span class="samp">curses</span> library. The
configuration of Kerberos might be done thus:
<pre class="example"> % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
           --with-system-et --with-system-ss --with-system-db \
           SS_LIB='-lss -lcurses' \
           DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
</pre>
<p>In previous releases, <code>--with-</code> options were used to specify the
compiler and linker and their options.
<a name="osconf_002eh"></a>Next: <a rel="next" accesskey="n" href="#Shared-Library-Support">Shared Library Support</a>,
Previous: <a rel="previous" accesskey="p" href="#Options-to-Configure">Options to Configure</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.8 <span class="file">osconf.h</span></h3>
<p>There is one configuration file which you may wish to edit to control
various compile-time parameters in the Kerberos distribution:
<span class="file">include/stock/osconf.h</span>. The list that follows is by no means
complete, just some of the more interesting variables.
<p>Please note: The former configuration file <span class="file">config.h</span> no longer
exists as its functionality has been merged into the auto-configuration
process. See <a href="#Options-to-Configure">Options to Configure</a>.
<dt><code>DEFAULT_PROFILE_PATH</code><dd>
The pathname to the file which contains the profiles for the known realms,
their KDCs, etc. The default value is /etc/krb5.conf.
<p>The profile file format is no longer the same format as Kerberos V4's
<span class="file">krb.conf</span> file.
<br><dt><code>DEFAULT_KEYTAB_NAME</code><dd>
The type and pathname to the default server keytab file (the
equivalent of Kerberos V4's <span class="file">/etc/srvtab</span>). The default is
<br><dt><code>DEFAULT_KDC_ENCTYPE</code><dd>
The default encryption type for the KDC. The default value is
<br><dt><code>KDCRCACHE</code><dd>
The name of the replay cache used by the KDC. The default value is
<br><dt><code>RCTMPDIR</code><dd>
The directory which stores replay caches. The default is to try
/var/tmp, /usr/tmp, /var/usr/tmp, and /tmp.
<br><dt><code>DEFAULT_KDB_FILE</code><dd>
The location of the default database. The default value is
/usr/local/var/krb5kdc/principal.
<a name="Shared-Library-Support"></a>Next: <a rel="next" accesskey="n" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Previous: <a rel="previous" accesskey="p" href="#osconf_002eh">osconf.h</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.9 Shared Library Support</h3>
<p>Shared library support is provided for a few operating systems. There
are restrictions as to which compiler to use when using shared
libraries. In all cases, executables linked with the shared libraries in
this build process will have the location of the libraries built in,
therefore eliminating the need for special LD_LIBRARY_PATH et al. environment
variables when using the programs. Except where noted, multiple versions
of the libraries may be installed on the same system and continue to
<p>Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS
5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows
<p>Shared library support has been tested on the following platforms but
not exhaustively (they have been built but not necessarily tested in an
installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and
<p>Platforms for which there is shared library support but not significant
testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x
<p>To enable shared libraries on the above platforms, run the configure
script with the option <span class="samp">--enable-shared</span>.
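<p>A check for the property described above, as an added example that is not part of the Kerberos sources: a POSIX sh script that reads the library search path embedded in an installed program out of <span class="samp">readelf -d</span> output and reports whether it pins the libraries to an absolute directory, so the program does not depend on LD_LIBRARY_PATH. It assumes GNU binutils <span class="samp">readelf</span>; the function names and verdict strings are this example's own.

```sh
#!/bin/sh
# Added example, not part of the MIT Kerberos distribution.
# Confirm that an installed program really carries the library location
# the guide describes, so the dynamic loader does not fall back to
# LD_LIBRARY_PATH (which any caller's environment can redirect) or to an
# empty or relative entry that resolves against the current directory.
# Assumes GNU binutils readelf; LIBDIR is normally PREFIX/lib, i.e.
# /usr/local/lib for a default configure.

# rpath_from_readelf: read `readelf -d` output on stdin and print each
# directory of the RPATH or RUNPATH entry on its own line (nothing if the
# binary has neither).
rpath_from_readelf() {
    sed -n \
        -e 's/.*(RPATH) *Library rpath: \[\(.*\)].*/\1/p' \
        -e 's/.*(RUNPATH) *Library runpath: \[\(.*\)].*/\1/p' |
    tr ':' '\n'
}

# check_rpath_dirs LIBDIR: read rpath directories (one per line) on stdin
# and print one verdict:
#   ok       - all entries absolute and LIBDIR among them
#   other    - all entries absolute but LIBDIR not among them
#   unsafe   - an entry is empty or relative ($ORIGIN-relative entries are
#              flagged too, since they are not the fixed path the guide
#              describes)
#   missing  - no rpath at all, so LD_LIBRARY_PATH decides
check_rpath_dirs() {
    awk -v libdir="$1" '
        { n++ }
        $0 == "" || substr($0, 1, 1) != "/" { unsafe = 1 }
        $0 == libdir { found = 1 }
        END {
            if (n == 0)      print "missing"
            else if (unsafe) print "unsafe"
            else if (found)  print "ok"
            else             print "other"
        }
    '
}

# check_binary FILE LIBDIR: the end-to-end check on a real installed
# program, e.g. check_binary /usr/local/bin/kinit /usr/local/lib
check_binary() {
    readelf -d "$1" | rpath_from_readelf | check_rpath_dirs "$2"
}
```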
<a name="OS-Incompatibilities"></a>Next: <a rel="next" accesskey="n" href="#Using-Autoconf">Using Autoconf</a>,
Previous: <a rel="previous" accesskey="p" href="#Shared-Library-Support">Shared Library Support</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.10 Operating System Incompatibilities</h3>
<p>This section details operating system incompatibilities with Kerberos V5
which have been reported to the developers at MIT. If you find
additional incompatibilities, and/or discover workarounds to such
problems, please send a report via the <code>krb5-send-pr</code> program.
<li><a accesskey="1" href="#AIX">AIX</a>
<li><a accesskey="2" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>
<li><a accesskey="3" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>
<li><a accesskey="4" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>
<li><a accesskey="5" href="#BSDI">BSDI</a>
<li><a accesskey="6" href="#HPUX">HPUX</a>
<li><a accesskey="7" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>
<li><a accesskey="8" href="#Solaris-2_002eX">Solaris 2.X</a>
<li><a accesskey="9" href="#Solaris-9">Solaris 9</a>
<li><a href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>
<li><a href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>
<a name="AIX"></a>Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,
Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.1 AIX</h4>
<p>The AIX 3.2.5 linker dumps core trying to build a shared
<span class="samp">libkrb5.a</span> produced with the GNU C compiler. The native AIX
compiler works fine. This problem is fixed using the AIX 4.1 linker.
<a name="Alpha-OSF_002f1-V1_002e3"></a>Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,
Previous: <a rel="previous" accesskey="p" href="#AIX">AIX</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.2 Alpha OSF/1 V1.3</h4>
<p>Using the native compiler, compiling with the <span class="samp">-O</span> compiler flag
causes the <code>asn.1</code> library to be compiled incorrectly.
<p>Using GCC version 2.6.3 or later instead of the native compiler will also work
fine, with or without optimization.
<a name="Alpha-OSF_002f1-V2_002e0"></a>Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,
Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.3 Alpha OSF/1 V2.0</h4>
<p>There used to be a bug in the native compiler when compiling
<span class="file">md4.c</span> without either the <span class="samp">-O</span> or <span class="samp">-g</span>
compiler options. We have changed the code and there is no problem
under V2.1, but we do not have access to V2.0 to test and see if the
problem would exist there. (We welcome feedback on this issue.) There
was never a problem in using GCC version 2.6.3.
<p>In version 3.2 and beyond of the operating system, we have not seen
this sort of problem with the native compiler.
<a name="Alpha-OSF_002f1-V4_002e0"></a>Next: <a rel="next" accesskey="n" href="#BSDI">BSDI</a>,
Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</h4>
<p>The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)
defaults to an extended K&amp;R C mode, not ANSI C. You need to provide
the <span class="samp">-std</span> argument to the compiler (i.e., <span class="samp">./configure
CC='cc -std'</span>) to enable extended ANSI C mode. More recent versions
of the operating system, such as 5.0, seem to have C compilers which
default to <span class="samp">-std</span>.
<a name="BSDI"></a>Next: <a rel="next" accesskey="n" href="#HPUX">HPUX</a>,
2007
Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,
2008
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
2012
<h4 class="subsection">3.10.5 BSDI</h4>
2014
<p>BSDI versions 1.0 and 1.1 reportedly has a bad <span class="samp">sed</span> which causes
2015
it to go into an infinite loop during the build. The work around is
2016
to use a <span class="samp">sed</span> from somewhere else, such as GNU. (This may be
2017
true for some versions of other systems derived from BSD 4.4, such as
2018
NetBSD and FreeBSD.)
2022
<a name="HPUX"></a>Next: <a rel="next" accesskey="n" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,
2023
Previous: <a rel="previous" accesskey="p" href="#BSDI">BSDI</a>,
2024
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
2028
<h4 class="subsection">3.10.6 HPUX</h4>
2030
<p>The native (bundled) compiler for HPUX currently will not work,
2031
because it is not a full ANSI C compiler. The optional ANSI C
2032
compiler should work as long as you give it the <span class="samp">-Ae</span> flag
2033
(i.e. <span class="samp">./configure CC='cc -Ae'</span>). This is equivalent to
2034
<span class="samp">./configure CC='c89 -D_HPUX_SOURCE'</span>, which was the previous
2035
recommendation. This has only been tested recently for HPUX 10.20.
2037
<p>You will need to configure with <span class="samp">--disable-shared
2038
--enable-static</span>, because as of 1.4 we don't have support for HPUX
2039
shared library finalization routines, nor the option (yet) to ignore
2040
that lack of support (which means repeated
2041
<code>dlopen</code>/<code>dlclose</code> cycles on the Kerberos libraries may not
2042
be safe) and build the shared libraries anyways.
2044
<p>You will also need to configure the build tree with
2045
<span class="samp">--disable-thread-support</span> if you are on HPUX 10 and do not have
2046
the DCE development package installed, because that's where the
2047
<code>pthread.h</code> header file is found. (We don't know if our code
2048
will work with such a package installed, because according to some HP
2049
documentation, their <code>pthread.h</code> has to be included before any
2050
other header files, and our code doesn't do that.)
2052
<p>If you use GCC, it may work, but some versions of GCC have omitted
2053
certain important preprocessor defines, like <code>__STDC_EXT__</code> and
2054
<code>__hpux</code>.
2058
<a name="Solaris-versions-2_002e0-through-2_002e3"></a>Next: <a rel="next" accesskey="n" href="#Solaris-2_002eX">Solaris 2.X</a>,
Previous: <a rel="previous" accesskey="p" href="#HPUX">HPUX</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.7 Solaris versions 2.0 through 2.3</h4>
<p>The <code>gethostbyname()</code> routine is broken; it does not return a fully
qualified domain name, even if you are using the Domain Name Service
routines. Since Kerberos V5 uses the fully qualified domain name as the
second component of a service principal (e.g.,
<span class="samp">host/tsx-11.mit.edu@ATHENA.MIT.EDU</span>), this causes problems for servers
that try to figure out their own fully qualified domain name.
<ul>
<li> Supply your own resolver library. (such as bind-4.9.3pl1 available
<li> Upgrade to Solaris 2.4
<li> Make sure your /etc/nsswitch.conf has `files' before `dns' like:
<pre class="example"> hosts: files dns
</pre>
<p>and then in /etc/hosts, make sure there is a line with your
workstation's IP address and hostname, with the fully qualified domain
name first. Example:
<pre class="example"> 18.172.1.4 dcl.mit.edu dcl
</pre>
<p>Note that making this change may cause other programs in your
environment to break or behave differently.
</ul>
2099
<a name="Solaris-2_002eX"></a>Next: <a rel="next" accesskey="n" href="#Solaris-9">Solaris 9</a>,
Previous: <a rel="previous" accesskey="p" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.8 Solaris 2.X</h4>
<p>You <b>must</b> compile Kerberos V5 without the UCB compatibility
libraries. This means that <span class="file">/usr/ucblib</span> must not be in the
LD_LIBRARY_PATH environment variable when you compile it. Alternatively
you can use the <code>-i</code> option to <span class="samp">cc</span>, by passing
<code>CFLAGS=-i</code> to <span class="samp">configure</span>.
<p>If you are compiling for a 64-bit execution environment, you may need
to configure with the option <code>CFLAGS="-D_XOPEN_SOURCE=500
-D__EXTENSIONS__"</code>. This is not well tested; at MIT we work primarily
with the 32-bit execution environment.
2120
<a name="Solaris-9"></a>Next: <a rel="next" accesskey="n" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,
Previous: <a rel="previous" accesskey="p" href="#Solaris-2_002eX">Solaris 2.X</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.9 Solaris 9</h4>
<p>Solaris 9 has a kernel race condition which causes the final output
written to the slave side of a pty to be lost upon the final close()
of the slave device. This causes the dejagnu-based tests to fail
intermittently. A workaround exists, but requires some help from the
scheduler, and the “make check” must be executed from a shell with
elevated priority limits.
<p>Run something like
<p><code>priocntl -s -c FX -m 30 -p 30 -i pid nnnn</code>
<p>as root, where <code>nnnn</code> is the pid of the shell whose priority
limit you wish to raise.
<p>Sun has released kernel patches for this race condition. Apply patch
117171-11 for sparc, or patch 117172-11 for x86. Later revisions of
the patches should also work. It is not necessary to run “make
check” from a shell with elevated priority limits once the patch has
2150
<a name="SGI-Irix-5_002eX"></a>Next: <a rel="next" accesskey="n" href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>,
Previous: <a rel="previous" accesskey="p" href="#Solaris-9">Solaris 9</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.10 SGI Irix 5.X</h4>
<p>If you are building in a tree separate from the source tree, the vendor's
version of make does not work properly with regard to
<span class="samp">VPATH</span>. It also has problems with standard inference rules in 5.2
(not tested yet in 5.3), so one needs to use GNU's make.
<p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code>
library in which the routine <code>gethostbyname()</code> is broken. The
system-supplied version in <code>-lc</code> appears to work, though, so one may
simply specify the <code>--with-netlib</code> option to <span class="samp">configure</span>.
<p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and
is no longer an issue.
2173
<a name="Ultrix-4_002e2_002f3"></a>Previous: <a rel="previous" accesskey="p" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
<h4 class="subsection">3.10.11 Ultrix 4.2/3</h4>
<p>The DEC MIPS platform currently will not support the native compiler,
since the Ultrix compiler is not a full ANSI C compiler. You should use
2186
<a name="Using-Autoconf"></a>Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<h3 class="section">3.11 Using <span class="samp">Autoconf</span></h3>
<p>(If you are not a developer, you can skip this section.)
<p>In most of the Kerberos V5 source directories, there is a
<span class="file">configure</span> script which automatically determines the compilation
environment and creates the proper Makefiles for a particular
platform. These <span class="file">configure</span> files are generated using
<span class="samp">autoconf</span>, which can be found in the <span class="file">src/util/autoconf</span>
directory in the distribution.
<p>Normal users will not need to worry about running <span class="samp">autoconf</span>; the
distribution comes with the <span class="file">configure</span> files already prebuilt.
Developers who wish to modify the <span class="file">configure.in</span> files should see
<a href="autoconf.html#Top">Overview (The Autoconf Manual)</a>.
<p>Note that in order to run <span class="samp">autoconf</span>, you must have GNU <span class="samp">m4</span>
in your path. Before you use the <span class="samp">autoconf</span> in the Kerberos V5
source tree, you may also need to run <span class="samp">configure</span>, and then run
<span class="samp">make</span> in the <span class="file">src/util/autoconf</span> directory in order to
properly set up <span class="samp">autoconf</span>.
<p>One tool which is provided for the convenience of developers can be
found in <span class="file">src/util/reconf</span>. This program should be run while the
current directory is the top source directory. It will automatically
rebuild any <span class="file">configure</span> files which need rebuilding. If you know
that you have made a change that will require that all the
<span class="file">configure</span> files be rebuilt from scratch, specify the
<code>--force</code> option:
<pre class="example"> % cd /u1/krb5-1.7/src
% ./util/reconf --force
</pre>
<p>The developmental sources are a raw source tree (before it has been packaged
for public release), without the pre-built <span class="file">configure</span> files.
In order to build from such a source tree, you must do:
<pre class="example"> % cd krb5/util/autoconf
</pre>
<p>Then follow the instructions for building packaged source trees (above).
To install the binaries into a binary tree, do:
<pre class="example"> % cd /u1/krb5-1.7/src
% make install DESTDIR=somewhere-else
</pre>
2243
<a name="Installing-Kerberos-V5"></a>Next: <a rel="next" accesskey="n" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,
Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">4 Installing Kerberos V5</h2>
<p>The sections of this chapter describe procedures for installing
<ul>
<li>UNIX client machines
<li>UNIX Application Servers
</ul>
<ul class="menu">
<li><a accesskey="1" href="#Installing-KDCs">Installing KDCs</a>
<li><a accesskey="2" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>
<li><a accesskey="3" href="#UNIX-Application-Servers">UNIX Application Servers</a>
</ul>
2270
<a name="Installing-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
<h3 class="section">4.1 Installing KDCs</h3>
<p>The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC
contains a copy of the Kerberos database. The master KDC contains the
master copy of the database, which it propagates to the slave KDCs at
regular intervals. All database changes (such as password changes) are
made on the master KDC.
<p>Slave KDCs provide Kerberos ticket-granting services, but not database
administration. This allows clients to continue to obtain tickets when
the master KDC is unavailable.
<p>MIT recommends that you install all of your KDCs to be able
to function as either the master or one of the slaves. This will enable
you to easily switch your master KDC with one of the slaves if
necessary. (See <a href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>.) This installation
procedure is based on that recommendation.
<ul class="menu">
<li><a accesskey="1" href="#Install-the-Master-KDC">Install the Master KDC</a>
<li><a accesskey="2" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
<li><a accesskey="3" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>
<li><a accesskey="4" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
<li><a accesskey="5" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>
<li><a accesskey="6" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>
<li><a accesskey="7" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>
<li><a accesskey="8" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>
</ul>
2307
<a name="Install-the-Master-KDC"></a>Next: <a rel="next" accesskey="n" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.1 Install the Master KDC</h4>
<p>This installation procedure will require you to go back and forth a
couple of times between the master KDC and each of the slave KDCs. The
first few steps must be done on the master KDC.
<ul class="menu">
<li><a accesskey="1" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>
<li><a accesskey="2" href="#krb5_002econf">krb5.conf</a>
<li><a accesskey="3" href="#kdc_002econf">kdc.conf</a>
<li><a accesskey="4" href="#Create-the-Database">Create the Database</a>
<li><a accesskey="5" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>
<li><a accesskey="6" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>
<li><a accesskey="7" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>
<li><a accesskey="8" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>
</ul>
2332
<a name="Edit-the-Configuration-Files"></a>Next: <a rel="next" accesskey="n" href="#krb5_002econf">krb5.conf</a>,
Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.1 Edit the Configuration Files</h5>
<p>Modify the configuration files, <code>/etc/krb5.conf</code> and
<code>/usr/local/var/krb5kdc/kdc.conf</code>, to reflect the correct
information (such as the hostnames and realm name) for your realm.
MIT recommends that you keep <code>krb5.conf</code> in <code>/etc</code>.
<p>Most of the tags in the configuration have default values that will
work well for most sites. There are some tags in the <code>krb5.conf</code>
file whose values must be specified, and this section will explain
those as well as give an overview of all of the sections in both
configuration files. For more information on changing defaults with
the configuration files, see the Kerberos V5 System Administrator's
Guide sections on configuration files.
2355
<a name="krb5_002econf"></a>Next: <a rel="next" accesskey="n" href="#kdc_002econf">kdc.conf</a>,
Previous: <a rel="previous" accesskey="p" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.2 krb5.conf</h5>
<p>The <code>krb5.conf</code> file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms. Normally,
you should install your <code>krb5.conf</code> file in the directory
<code>/etc</code>. You can override the default location by setting the
environment variable <span class="samp">KRB5_CONFIG</span>.
<p>The <code>krb5.conf</code> file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
section may contain zero or more relations, of the form:
<pre class="smallexample"> foo = bar
</pre>
<p class="noindent">or
<pre class="smallexample"> fubar = {
</pre>
<p>Placing a `*' at the end of a line indicates that this is the
<dfn>final</dfn> value for the tag. This means that neither the remainder
of this configuration file nor any other configuration file will be
checked for any other values for this tag.
<p>For example, if you have the following lines:
<pre class="smallexample"> foo = bar*
</pre>
<p>then the second value of foo (baz) would never be read.
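<p>As an added example (not code from this guide or from the MIT distribution), the following Python parser implements the profile format just described: bracketed section headers, <code>tag = value</code> relations, <code>tag = { ... }</code> subsections, and the trailing <code>*</code> final marker, honoured across several files read in order the way a multi-file <code>KRB5_CONFIG</code> search path is. The two configuration texts embedded in it are constructed for the example and reuse the guide's ATHENA.MIT.EDU names; the parser is a teaching aid that accepts only the syntax described here, not everything libkrb5's profile library does.

```python
"""Teaching parser for the krb5.conf / kdc.conf profile format.  Added example,
not MIT code: [section] headers, "tag = value" relations, "tag = { ... }"
subsections, and a trailing '*' that makes a value final across later files."""
import re
from typing import Dict, List, Set, Tuple, Union

Section = Dict[str, List[Union[str, "Section"]]]  # tag -> values (str or nested section)
_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_RELATION_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def _parse_body(lines: List[str], idx: int, final: Set[Tuple[str, ...]],
                path: Tuple[str, ...]) -> Tuple[Section, int, bool]:
    """Parse relations until '}'/'}*' or the next [section]; returns
    (section, next unconsumed index, closed_by_final).  `final` holds tag
    paths that already received a final value; later values for them are ignored."""
    sec: Section = {}
    while idx < len(lines):
        line = lines[idx].strip()
        idx += 1
        if not line or line[0] in "#;":
            continue
        if line in ("}", "}*"):
            return sec, idx, line == "}*"
        if _SECTION_RE.match(line):
            return sec, idx - 1, False          # leave the header for the caller
        m = _RELATION_RE.match(line)
        if not m:
            raise ValueError(f"line {idx}: cannot parse {line!r}")
        tag, rhs = m.group(1), m.group(2).strip()
        key = path + (tag,)
        if rhs == "{":
            val, idx, is_final = _parse_body(lines, idx, final, key)
        else:
            is_final = rhs.endswith("*")
            val = rhs[:-1].rstrip() if is_final else rhs
        if key in final:
            continue                            # a final value was already seen
        sec.setdefault(tag, []).append(val)
        if is_final:
            final.add(key)
    return sec, idx, False


def parse_profile(*texts: str) -> Dict[str, Section]:
    """Parse config texts in search order (the files KRB5_CONFIG would name)."""
    final: Set[Tuple[str, ...]] = set()
    profile: Dict[str, Section] = {}
    for text in texts:
        lines, idx, current = text.splitlines(), 0, None
        while idx < len(lines):
            line = lines[idx].strip()
            m = _SECTION_RE.match(line)
            if m:
                current, idx = m.group(1).strip(), idx + 1
                continue
            if current is None:                 # only comments may precede a header
                if line and line[0] not in "#;":
                    raise ValueError(f"line {idx + 1}: relation outside any section")
                idx += 1
                continue
            body, idx, _ = _parse_body(lines, idx, final, (current,))
            for tag, vals in body.items():
                profile.setdefault(current, {}).setdefault(tag, []).extend(vals)
    return profile


def get_values(profile: Dict[str, Section], *path: str) -> List[str]:
    """String values at e.g. ("realms", "ATHENA.MIT.EDU", "kdc"); [] if absent."""
    nodes: List[Section] = [profile.get(path[0], {})]
    for name in path[1:-1]:                     # descend through subsections
        nodes = [v for n in nodes for v in n.get(name, []) if isinstance(v, dict)]
    return [v for n in nodes for v in n.get(path[-1], []) if isinstance(v, str)]


# Constructed samples in the style of the guide's example krb5.conf.  The second,
# lower-priority file loses on default_realm (final above) but still adds a kdc.
SITE_CONF = """\
[libdefaults]
    default_realm = ATHENA.MIT.EDU*

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        admin_server = kerberos.mit.edu
    }
"""
LOCAL_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos-2.mit.edu
    }
"""


def demo() -> Dict[str, List[str]]:
    prof = parse_profile(SITE_CONF, LOCAL_CONF)
    return {"default_realm": get_values(prof, "libdefaults", "default_realm"),
            "kdc": get_values(prof, "realms", "ATHENA.MIT.EDU", "kdc")}
```

<p>Calling <code>demo()</code> shows the final marker at work: the lower-priority file's <code>default_realm = EXAMPLE.COM</code> is never read, while its extra <code>kdc</code> relation is still appended to the realm's list, which is exactly the merge behaviour to expect when a site-wide file and a host-local file are both on the search path.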
2396
<p>The <code>krb5.conf</code> file may contain any or all of the following
<dl>
<dt><b>libdefaults</b><dd>Contains default values used by the Kerberos V5 library.
<dt><b>login</b><dd>Contains default values used by the Kerberos V5 login program.
<dt><b>appdefaults</b><dd>Contains default values that can be used by Kerberos V5 applications.
<dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection
describes realm-specific information, including where to find the
Kerberos servers for that realm.
<dt><b>domain_realm</b><dd>Contains relations which map domain names and subdomains onto Kerberos
realm names. This is used by programs to determine what realm a host
should be in, given its fully qualified domain name.
<dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
<dt><b>capaths</b><dd>Contains the authentication paths used with direct (nonhierarchical)
cross-realm authentication. Entries in this section are used by the
client to determine the intermediate realms which may be used in
cross-realm authentication. It is also used by the end-service when
checking the transited field for trusted intermediate realms.
</dl>
<p>If you are not using DNS TXT records, you must specify the
<code>default_realm</code> in the <code>libdefaults</code> section. If you are not
using DNS SRV records, you must include the <code>kdc</code> tag for each
realm in the <code>realms</code> section. To communicate with the kadmin
server in each realm, the <code>admin_server</code> tag must be set in the
<code>realms</code> section. If your domain name and realm name are not the
same, you must provide a translation in <code>domain_realm</code>. It is
also highly recommended that you create a <code>[logging]</code> stanza if
the computer will be functioning as a KDC so that the KDC and kadmind
will generate logging output.
<p>An example <code>krb5.conf</code> file:
<pre class="smallexample"> [libdefaults]
default_realm = ATHENA.MIT.EDU
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu
admin_server = kerberos.mit.edu
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
</pre>
2456
<a name="kdc_002econf"></a>Next: <a rel="next" accesskey="n" href="#Create-the-Database">Create the Database</a>,
Previous: <a rel="previous" accesskey="p" href="#krb5_002econf">krb5.conf</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.3 kdc.conf</h5>
<p>The <code>kdc.conf</code> file contains KDC configuration information,
including defaults used when issuing Kerberos tickets. Normally, you
should install your <code>kdc.conf</code> file in the directory
<code>/usr/local/var/krb5kdc</code>. You can override the default
location by setting the environment variable <span class="samp">KRB5_KDC_PROFILE</span>.
<p>The <code>kdc.conf</code> file is set up in the same format as the
<code>krb5.conf</code> file. (See <a href="#krb5_002econf">krb5.conf</a>.) The <code>kdc.conf</code> file
may contain any or all of the following three sections:
<dl>
<dt><b>kdcdefaults</b><dd>Contains default values for overall behavior of the KDC.
<br><dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection
describes realm-specific information, including where to find the
Kerberos servers for that realm.
<br><dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
</dl>
2487
<a name="Create-the-Database"></a>Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,
Previous: <a rel="previous" accesskey="p" href="#kdc_002econf">kdc.conf</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.4 Create the Database</h5>
<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to
create the Kerberos database and the optional stash file. The
<dfn>stash file</dfn> is a local copy of the master key that resides in
encrypted form on the KDC's local disk. The stash file is used to
authenticate the KDC to itself automatically before starting the
<code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the
machine's boot sequence). The stash file, like the keytab file
(see <a href="#The-Keytab-File">The Keytab File</a> for more information), is a potential
point-of-entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk. The file
should not be part of any backup of the machine, unless access to the
backup data is secured as tightly as access to the master password
<p>If you choose not to install a stash file, the KDC will prompt you for
the master key each time it starts up. This means that the KDC will
not be able to start automatically, such as after a system reboot.
<p>Note that <code>kdb5_util</code> will prompt you for the master key for the
Kerberos database. This key can be any string. A good key is one you
can remember, but that no one else can guess. Examples of bad keys are
words that can be found in a dictionary, any common or popular name,
especially a famous person (or cartoon character), your username in any
form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of
the sample keys that appear in this manual. One example of a key which
might be good if it did not appear in this manual is “MITiys4K5!”,
which represents the sentence “MIT is your source for Kerberos 5!”
(It's the first letter of each word, substituting the numeral “4” for
the word “for”, and includes the punctuation mark at the end.)
<p>The following is an example of how to create a Kerberos database and
stash file on the master KDC, using the <code>kdb5_util</code> command. (The
line that begins with => is a continuation of the previous line.)
Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
<b>Initializing database '/usr/local/var/krb5kdc/principal' for
=> realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.</b>
<b>Enter KDC database master key:</b> <i><= Type the master password.</i>
<b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i>
</pre>
<p>This will create five files in the directory specified in your
<code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>
and <code>principal.ok</code>; the Kerberos administrative database file,
<code>principal.kadm5</code>; the administrative database lock file,
<code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>. (The
default directory is <code>/usr/local/var/krb5kdc</code>.) If you do not
want a stash file, run the above command without the <code>-s</code> option.
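<p>The file-permission advice above is easy to check mechanically. The following Python function is an added example (not part of the MIT distribution) that audits the five files <code>kdb5_util</code> creates: each must be a regular file owned by the expected user (root by default) with no group or other access, and the directory itself must not be readable by others. <code>demo()</code> exercises it on a constructed scratch directory in which the stash file has been left world-readable; the <code>expected_uid</code> parameter exists only so that the check can be run as an unprivileged user.

```python
"""Permission audit for a KDC database directory (added example, not part of
the MIT distribution).  Checks the files kdb5_util creates, the stash file in
particular, against the advice above: root-owned, not readable by group or
others, and a regular file on the KDC's local disk rather than a symlink."""
import os
import stat
import tempfile
from pathlib import Path
from typing import List

# File names the guide says kdb5_util creates (default dir /usr/local/var/krb5kdc).
KDC_FILES = ("principal.db", "principal.ok", "principal.kadm5",
             "principal.kadm5.lock", ".k5stash")
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_kdc_dir(kdc_dir: str, expected_uid: int = 0) -> List[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    findings: List[str] = []
    d = Path(kdc_dir)
    dmode = d.stat().st_mode
    if dmode & GROUP_OR_OTHER:
        findings.append(f"{d}: directory mode {stat.S_IMODE(dmode):04o} is "
                        "accessible to group/others; use 0700")
    for name in KDC_FILES:
        p = d / name
        if not p.exists() and not p.is_symlink():
            continue                            # optional file (e.g. no stash) is absent
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{name}: is a symlink; expected a regular file on local disk")
            continue
        if st.st_uid != expected_uid:
            findings.append(f"{name}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & GROUP_OR_OTHER:
            findings.append(f"{name}: mode {stat.S_IMODE(st.st_mode):04o} is "
                            "accessible to group/others; use 0600")
    return findings


def demo() -> List[str]:
    """Audit a constructed scratch directory with one deliberately bad file."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        os.chmod(d, 0o700)
        for name in KDC_FILES:
            (d / name).write_bytes(b"constructed sample, not a real database")
            os.chmod(d / name, 0o600)
        os.chmod(d / ".k5stash", 0o644)        # the misconfiguration to catch
        return audit_kdc_dir(tmp, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

<p>On a real KDC, run <code>audit_kdc_dir("/usr/local/var/krb5kdc")</code> as root after creating the database and again after any restore from backup, since a restore is the usual way a stash file silently acquires the wrong owner or mode.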
2552
<a name="Add-Administrators-to-the-Acl-File"></a>Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,
Previous: <a rel="previous" accesskey="p" href="#Create-the-Database">Create the Database</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.5 Add Administrators to the Acl File</h5>
<p>Next, you need to create an Access Control List (acl) file, and put the
Kerberos principal of at least one of the administrators into it. This
file is used by the <code>kadmind</code> daemon to control which principals
may view and make privileged modifications to the Kerberos database
files. The filename should match the value you have set for
“acl_file” in your <code>kdc.conf</code> file. The default file name is
<span class="samp">/usr/local/var/krb5kdc/kadm5.acl</span>.
<p>The format of the file is:
<pre class="smallexample"> Kerberos_principal permissions [target_principal] [restrictions]
</pre>
<p>The Kerberos principal (and optional target principal) can include the
“<b>*</b>” wildcard, so if you want any principal with the instance
“admin” to have full permissions on the database, you could use the
principal “<code>*/admin@REALM</code>” where “REALM” is your Kerberos
realm. <code>target_principal</code> can also include backreferences to
<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i>" matches the
component <i>number</i> in the <code>Kerberos_principal</code>.
<p>Note: a common use of an <i>admin</i> instance is so you can grant
separate permissions (such as administrator access to the Kerberos
database) to a separate Kerberos principal. For example, the user
<code>joeadmin</code> might have a principal for his administrative
use, called <code>joeadmin/admin</code>. This way,
<code>joeadmin</code> would obtain <code>joeadmin/admin</code>
tickets only when he actually needs to use those permissions.
<p>The permissions are represented by single letters; UPPER-CASE letters
represent negative permissions. The permissions are:
<dl>
<dt><b>a</b><dd>allows the addition of principals or policies in the database.
<dt><b>A</b><dd>disallows the addition of principals or policies in the database.
<dt><b>d</b><dd>allows the deletion of principals or policies in the database.
<dt><b>D</b><dd>disallows the deletion of principals or policies in the database.
<dt><b>m</b><dd>allows the modification of principals or policies in the database.
<dt><b>M</b><dd>disallows the modification of principals or policies in the database.
<dt><b>c</b><dd>allows the changing of passwords for principals in the database.
<dt><b>C</b><dd>disallows the changing of passwords for principals in the database.
<dt><b>i</b><dd>allows inquiries to the database.
<dt><b>I</b><dd>disallows inquiries to the database.
<dt><b>l</b><dd>allows the listing of principals or policies in the database.
<dt><b>L</b><dd>disallows the listing of principals or policies in the database.
<dt><b>s</b><dd>allows the explicit setting of the key for a principal
<dt><b>S</b><dd>disallows the explicit setting of the key for a principal
<dt><b>*</b><dd>All privileges (admcil).
<dt><b>x</b><dd>All privileges (admcil); identical to “*”.
</dl>
<p>The restrictions are a string of flags. Allowed restrictions are:
<dl>
<dt><b>[+ -]</b><i>flagname</i><dd>flag is forced to the indicated value. The permissible flags are the same
as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and
<code>modprinc</code> commands.
<dt><b>-clearpolicy</b><dd>policy is forced to clear
<dt><b>-policy </b><i>pol</i><dd>policy is forced to be <i>pol</i>
<dt><b>expire </b><i>time</i><dt><b>pwexpire </b><i>time</i><dt><b>maxlife </b><i>time</i><dt><b>maxrenewlife </b><i>time</i><dd>associated value will be forced to MIN(<i>time</i>, requested value)
</dl>
<p>The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.
<p>Here is an example of a <code>kadm5.acl</code> file. Note that order is
important; permissions are determined by the first matching entry.
<pre class="smallexample"> */admin@ATHENA.MIT.EDU *
joeadmin@ATHENA.MIT.EDU ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
*/*@ATHENA.MIT.EDU i
*/admin@EXAMPLE.COM * -maxlife 9h -postdateable
</pre>
<p class="noindent">In the above file, any principal in the
ATHENA.MIT.EDU realm with an <code>admin</code> instance has all
administrative privileges. The user <code>joeadmin</code>
has all permissions with his <code>admin</code> instance,
<code>joeadmin/admin@ATHENA.MIT.EDU</code> (matches the first
line). He has no permissions at all with his <code>null</code> instance,
<code>joeadmin@ATHENA.MIT.EDU</code> (matches the second line).
His root instance has <i>inquire</i> and <i>list</i> permissions with any
other principal that has the instance <code>root</code>. Any principal
in ATHENA.MIT.EDU can inquire, list, or change the password of
their <code>admin</code> instance, but not any other <code>admin</code> instance.
Any principal in the realm <code>ATHENA.MIT.EDU</code> (except for
<code>joeadmin@ATHENA.MIT.EDU</code>, as mentioned above) has
<i>inquire</i> privileges. Finally, any principal with an admin instance
in EXAMPLE.COM has all permissions, but any principal that they
create or modify will not be able to get postdateable tickets or tickets
with a life of longer than 9 hours.
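<p>The semantics just described (first matching entry wins, whole-component wildcards, <code>*</code><i>number</i> backreferences in the target, upper-case letters as negative permissions) are easy to get wrong when an ACL is written by hand. The following Python evaluator is an added example, not any part of <code>kadmind</code>; it applies those rules to the guide's own example file so that a proposed <code>kadm5.acl</code> can be checked before it is deployed. It follows the text literally: <code>*</code><i>N</i> is taken as component <i>N</i> of the requesting principal, a target pattern is only consulted when the request names a target, and <code>*</code>/<code>x</code> expand to <code>admcil</code> as listed above. Restrictions are parsed and returned but not enforced, and the realm and principal names are the guide's.

```python
"""Evaluator for the kadm5.acl format described above (added example, not the
kadmind implementation).  Rules as the guide states them: the first entry whose
principal (and target, when both entry and request have one) matches decides;
'*' matches one whole component; '*N' in the target is component N of the
requesting principal; upper-case letters deny; '*' and 'x' mean "admcil"."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ALL_PRIVS = set("admcil")


@dataclass
class AclEntry:
    principal: str
    perms: str
    target: Optional[str] = None
    restrictions: List[str] = field(default_factory=list)


def _split(princ: str) -> Tuple[List[str], str]:
    """'joeadmin/admin@ATHENA.MIT.EDU' -> (['joeadmin', 'admin'], 'ATHENA.MIT.EDU')."""
    name, at, realm = princ.rpartition("@")
    if not at:                                  # no realm given
        name, realm = princ, ""
    return name.split("/"), realm


def _match(pattern: str, princ: str, client_comps: Optional[List[str]] = None) -> bool:
    """Component-by-component match, realm included.  With client_comps set,
    '*N' must equal component N (1-based) of the requesting principal."""
    pat_comps, pat_realm = _split(pattern)
    comps, realm = _split(princ)
    if len(pat_comps) != len(comps):
        return False
    for p, c in zip(pat_comps + [pat_realm], comps + [realm]):
        if client_comps is not None and len(p) > 1 and p[0] == "*" and p[1:].isdigit():
            n = int(p[1:])
            if not 1 <= n <= len(client_comps) or client_comps[n - 1] != c:
                return False
        elif p != "*" and p != c:
            return False
    return True


def parse_acl(text: str) -> List[AclEntry]:
    """Parse kadm5.acl text; '#' starts a comment and blank lines are skipped."""
    entries: List[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if len(tokens) < 2:
            raise ValueError(f"kadm5.acl line {lineno}: need principal and permissions")
        principal, perms, rest = tokens[0], tokens[1], tokens[2:]
        target = None
        if rest and rest[0][0] not in "+-":     # a third field not starting with +/- is the target
            target = rest.pop(0)
        entries.append(AclEntry(principal, perms, target, rest))
    return entries


def expand_perms(perms: str) -> Set[str]:
    """Lower-case letters grant, upper-case letters deny, '*' and 'x' grant all."""
    allowed: Set[str] = set()
    for ch in perms:
        if ch in "*x":
            allowed |= ALL_PRIVS
        elif ch.islower():
            allowed.add(ch)
        elif ch.isupper():
            allowed.discard(ch.lower())
        else:
            raise ValueError(f"unknown permission character {ch!r}")
    return allowed


def check(entries: List[AclEntry], client: str, op: str,
          target: Optional[str] = None) -> Tuple[bool, List[str]]:
    """(allowed, restrictions) for `client` doing `op` (one letter) on `target`."""
    client_comps, _ = _split(client)
    for e in entries:
        if not _match(e.principal, client):
            continue
        if e.target and target and not _match(e.target, target, client_comps):
            continue
        return op in expand_perms(e.perms), list(e.restrictions)
    return False, []                            # no entry matched: deny


# The guide's example kadm5.acl, used as the sample input.
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU *
joeadmin@ATHENA.MIT.EDU ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
*/*@ATHENA.MIT.EDU i
*/admin@EXAMPLE.COM * -maxlife 9h -postdateable
"""

if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    for who, op, tgt in [("joeadmin@ATHENA.MIT.EDU", "i", "alice@ATHENA.MIT.EDU"),
                         ("jdoe@ATHENA.MIT.EDU", "c", "jdoe/admin@ATHENA.MIT.EDU"),
                         ("alice/admin@EXAMPLE.COM", "a", "bob@EXAMPLE.COM")]:
        print(who, op, tgt, check(acl, who, op, tgt))
```

<p>Two consequences of first-match semantics are worth seeing in the output: <code>joeadmin@ATHENA.MIT.EDU</code> is denied everything because the <code>ADMCIL</code> line catches him before the later, more permissive lines are reached, and <code>joeadmin/root</code> gets inquire and list only for targets with a <code>root</code> instance, since the single-component pattern <code>*@ATHENA.MIT.EDU</code> does not match a two-component principal. When no entry matches at all, the evaluator denies, which is the safe default for an ACL checker.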
2654
<a name="Add-Administrators-to-the-Kerberos-Database"></a>Next: <a rel="next" accesskey="n" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,
Previous: <a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.6 Add Administrators to the Kerberos Database</h5>
<p>Next you need to add administrative principals to the Kerberos database.
(You must add at least one now.) To do this, use <code>kadmin.local</code>
<em>on the master KDC</em>. The administrative principals you create
should be the ones you added to the ACL file. (See <a href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>.) In the following example, the
administration principal <code>admin/admin</code> is created:
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local
<b>kadmin.local:</b> addprinc admin/admin@ATHENA.MIT.EDU
<b>NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU";
assigning "default".</b>
<b>Enter password for principal admin/admin@ATHENA.MIT.EDU:</b> <i><= Enter a password.</i>
Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <i><= Type it again.</i>
<b>Principal "admin/admin@ATHENA.MIT.EDU" created.</b>
</pre>
2679
<a name="Create-a-kadmind-Keytab-_0028optional_0029"></a>Next: <a rel="next" accesskey="n" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>,
Previous: <a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.7 Create a kadmind Keytab (optional)</h5>
<p>The kadmind keytab is the key that the legacy administration daemons
<code>kadmind4</code> and <code>v5passwdd</code> will use to decrypt
administrators' or clients' Kerberos tickets to determine whether or
not they should have access to the database. You need to create the
kadmin keytab with entries for the principals <code>kadmin/admin</code> and
<code>kadmin/changepw</code>. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
keytab, run <code>kadmin.local</code> and use the <code>ktadd</code> command, as
in the following example. (The line beginning with => is a
continuation of the previous line.):
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local
<b>kadmin.local:</b> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
=> kadmin/admin kadmin/changepw
<b> Entry for principal kadmin/admin with kvno 5, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode
with CRC-32 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5, encryption
type Triple DES cbc mode with HMAC/sha1 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 5,
encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
kadmin.local:</b> quit
</pre>
<p class="noindent">As specified in the <span class="samp">-k</span> argument, <code>ktadd</code> will save the
extracted keytab as <br> <code>/usr/local/var/krb5kdc/kadm5.keytab</code>.
The filename you use must be the one specified in your <code>kdc.conf</code>
<p>Note that the sample output above shows a single-DES key (“DES cbc mode
with CRC-32”) being written alongside the triple-DES key; that reflects the
default enctype list of the release the sample was captured with. Single DES
is not a strong cipher, and a current installation should not leave it
enabled for these principals. Like the stash file, this keytab holds keys
that grant administrative access and must be readable only by root.
<a name="Start-the-Kerberos-Daemons"></a>Previous: <a rel="previous" accesskey="p" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
<h5 class="subsubsection">4.1.1.8 Start the Kerberos Daemons on the Master KDC</h5>
<p>At this point, you are ready to start the Kerberos daemons on the Master
KDC. To do so, type:
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc
<b>shell%</b> /usr/local/sbin/kadmind
</pre>
<p class="noindent">Each daemon will fork and run in the background. Assuming you want
these daemons to start up automatically at boot time, you can add them
to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file. You need to
have a stash file in order to do this.
<p>You can verify that they started properly by checking for their startup
messages in the logging locations you defined in <code>/etc/krb5.conf</code>.
(See <a href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>.) For example:
<pre class="smallexample"> <b>shell%</b> tail /var/log/krb5kdc.log
Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
<b>shell%</b> tail /var/log/kadmin.log
Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
</pre>
<p>Any errors the daemons encounter while starting will also be listed in
<a name="Install-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.2 Install the Slave KDCs</h4>
<p>You are now ready to start configuring the slave KDCs. Assuming you are
setting the KDCs up so that you can easily switch the master KDC with
one of the slaves, you should perform each of these steps on the master
KDC as well as the slave KDCs, unless these instructions specify
<li><a accesskey="1" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>
<li><a accesskey="2" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>
<li><a accesskey="3" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>
<a name="Create-Host-Keys-for-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
<h5 class="subsubsection">4.1.2.1 Create Host Keys for the Slave KDCs</h5>
<p>Each KDC needs a host principal in the Kerberos database. You can enter
these from any host, once the <code>kadmind</code> daemon is running. For
example, if your master KDC were called
kerberos.mit.edu, and you had two KDC slaves
named kerberos-1.mit.edu and
kerberos-2.mit.edu, you would type the following:
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin
<b>kadmin:</b> addprinc -randkey host/kerberos.mit.edu
<b>NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU";
Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
kadmin:</b> addprinc -randkey host/kerberos-1.mit.edu
<b>NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU";
Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</b>
<b>kadmin:</b> addprinc -randkey host/kerberos-2.mit.edu
<b>NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU";
Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created.</b>
</pre>
<p class="noindent">It is not actually necessary to have the master KDC server in the
Kerberos database, but it can be handy if:
<li>anyone will be logging into the machine as something other than root
<li>you want to be able to swap the master KDC with one of the slaves if
<a name="Extract-Host-Keytabs-for-the-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>,
Previous: <a rel="previous" accesskey="p" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
<h5 class="subsubsection">4.1.2.2 Extract Host Keytabs for the KDCs</h5>
<p>Each KDC (including the master) needs a keytab to decrypt tickets.
Ideally, you should extract each keytab locally on its own KDC. If this
is not feasible, you should use an encrypted session to send them across
the network. To extract a keytab on a KDC called
kerberos.mit.edu, you would execute the following
<pre class="smallexample"> <b>kadmin:</b> ktadd host/kerberos.mit.edu
<b>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with
kvno 1, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.</b>
</pre>
<p class="noindent">Note that the principal must exist in the Kerberos database in order to
<a name="Set-Up-the-Slave-KDCs-for-Database-Propagation"></a>Previous: <a rel="previous" accesskey="p" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
<h5 class="subsubsection">4.1.2.3 Set Up the Slave KDCs for Database Propagation</h5>
<p>The database is propagated from the master KDC to the slave KDCs via the
<code>kpropd</code> daemon. To set up propagation, create a file on each KDC,
named <code>/usr/local/var/krb5kdc/kpropd.acl</code>, containing the
principals for each of the KDCs.
For example, if the master KDC were
<code>kerberos.mit.edu</code>, the slave KDCs were
<code>kerberos-1.mit.edu</code> and
<code>kerberos-2.mit.edu</code>, and the realm were
<code>ATHENA.MIT.EDU</code>, then the file's contents would be:
<pre class="smallexample"> host/kerberos.mit.edu@ATHENA.MIT.EDU
host/kerberos-1.mit.edu@ATHENA.MIT.EDU
host/kerberos-2.mit.edu@ATHENA.MIT.EDU
</pre>
<p>Then, add the following lines to the <code>/etc/inetd.conf</code> file on each KDC
(the line beginning with => is a continuation of the previous
<pre class="smallexample"> krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
</pre>
<p class="noindent">The first line sets up the <code>kpropd</code> database propagation daemon.
The second line sets up the <code>eklogin</code> daemon, allowing
Kerberos-authenticated, encrypted rlogin to the KDC.
<p>You also need to add the following lines to <code>/etc/services</code> on each
<pre class="smallexample"> kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
eklogin 2105/tcp # Kerberos encrypted rlogin
</pre>
<a name="Back-on-the-Master-KDC"></a>Next: <a rel="next" accesskey="n" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.3 Back on the Master KDC</h4>
<p>Now that the slave KDCs are able to accept database propagation, you'll
need to propagate the database to each of them.
<li><a accesskey="1" href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>
<a name="Propagate-the-Database-to-Each-Slave-KDC"></a>Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
Up: <a rel="up" accesskey="u" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>
<h5 class="subsubsection">4.1.3.1 Propagate the Database to Each Slave KDC</h5>
<p>First, create a dump of the database on the master KDC, as follows:
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
</pre>
<p>Next, you need to manually propagate the database to each slave KDC, as
in the following example. (The lines beginning with => are
continuations of the previous line.):
<pre class="smallexample"> /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
=> kerberos-1.mit.edu
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
=> kerberos-2.mit.edu
</pre>
<p>You will need a script to dump and propagate the database. The
following is an example of a Bourne shell script that will do this.
(Note that the line that begins with => is a continuation of the
previous line. Remember that you need to replace /usr/local with
the name of the directory in which you installed Kerberos V5.)
<pre class="smallexample"> #!/bin/sh

# the slave KDCs that receive a copy of the database
kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"

# dump the master's database to the file that kprop will send
/usr/local/sbin/kdb5_util dump
=> /usr/local/var/krb5kdc/slave_datatrans

# send the dump to each slave in turn
for kdc in $kdclist
do
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
done
</pre>
<p class="noindent">You will need to set up a cron job to run this script at the intervals
you decided on earlier (See <a href="#Database-Propagation">Database Propagation</a>.)
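<p>The script above does not check whether the dump or any of the <code>kprop</code> transfers succeeded, so a cron job running it reports success while a slave quietly falls behind. The following variant is an added example, not the script from this guide: it checks the exit status of each step, sends nothing if the dump fails, keeps going when one slave is unreachable so the others are still updated, and returns a nonzero status that cron mail or a monitoring wrapper can act on. The tool paths, the dump file and the host names are assumptions modelled on this guide's examples and can be overridden through the environment.

```sh
#!/bin/sh
# Dump the Kerberos database and propagate it to each slave KDC,
# reporting failures instead of ignoring them.  Added example; the
# paths, dump file and host names are assumptions modelled on the
# guide's examples and can be overridden from the environment.

KDB5_UTIL=${KDB5_UTIL:-/usr/local/sbin/kdb5_util}
KPROP=${KPROP:-/usr/local/sbin/kprop}
DUMPFILE=${DUMPFILE:-/usr/local/var/krb5kdc/slave_datatrans}
KDCLIST=${KDCLIST:-"kerberos-1.mit.edu kerberos-2.mit.edu"}

# propagate_db: dump once, then kprop the dump to every host in KDCLIST.
# Returns 0 when every slave was updated and nonzero otherwise: 1 if the
# dump itself failed (nothing is sent in that case), else the number of
# slaves that could not be updated.  The messages on stderr say which.
propagate_db() {
    failed=0
    if ! "$KDB5_UTIL" dump "$DUMPFILE"; then
        echo "propagate_db: kdb5_util dump failed; nothing propagated" >&2
        return 1
    fi
    for kdc in $KDCLIST; do
        if "$KPROP" -f "$DUMPFILE" "$kdc"; then
            echo "propagate_db: $kdc updated"
        else
            # keep going: one unreachable slave must not leave the others stale
            echo "propagate_db: kprop to $kdc failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only propagate when invoked as "propagate_kdcs.sh run" (e.g. from cron),
# so the file can also be sourced to reuse propagate_db.
if [ "${1:-}" = run ]; then
    propagate_db
fi
```

<p>Install it under a name of your choosing (for example <code>/usr/local/sbin/propagate_kdcs.sh</code>, a name chosen here, not one from the guide) and have the cron entry invoke it with the <code>run</code> argument; cron then mails the stderr lines whenever a slave was not updated.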
<a name="Finish-Installing-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,
Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.4 Finish Installing the Slave KDCs</h4>
<p>Now that the slave KDCs have copies of the Kerberos database, you can
create stash files for them and start the <code>krb5kdc</code> daemon.
<li><a accesskey="1" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>
<li><a accesskey="2" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>
<a name="Create-Stash-Files-on-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>,
Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
<h5 class="subsubsection">4.1.4.1 Create Stash Files on the Slave KDCs</h5>
<p>Create stash files, by issuing the following commands on each slave KDC:
<pre class="smallexample"> <b>shell%</b> kdb5_util stash
<b>kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key</b>
<b>Enter KDC database master key:</b> <i>&lt;= Enter the database master key.</i>
</pre>
<p>As mentioned above, the stash file is necessary for your KDCs to be able
to authenticate to themselves, such as when they reboot. You could run
your KDCs without stash files, but you would then need to type in the
Kerberos database master key by hand every time you start a KDC daemon.
<a name="Start-the-krb5kdc-Daemon-on-Each-KDC"></a>Previous: <a rel="previous" accesskey="p" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
<h5 class="subsubsection">4.1.4.2 Start the krb5kdc Daemon on Each KDC</h5>
<p>The final step in configuring your slave KDCs is to run the KDC daemon:
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc
</pre>
<p>As with the master KDC, you will probably want to add this command to
the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will
start the krb5kdc daemon automatically at boot time.
<a name="Add-Kerberos-Principals-to-the-Database"></a>Next: <a rel="next" accesskey="n" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.5 Add Kerberos Principals to the Database</h4>
<p>Once your KDCs are set up and running, you are ready to use
<code>kadmin</code> to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described fully in the
“Adding or Modifying Principals” section of the Kerberos V5 System
Administrator's Guide. (See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a
brief description.) The keytab is generated by running <code>kadmin</code>
and issuing the <code>ktadd</code> command.
<a name="Limit-Access-to-the-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,
Previous: <a rel="previous" accesskey="p" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.6 Limit Access to the KDCs</h4>
<p>To limit the possibility that your Kerberos database could be
compromised, MIT recommends that each KDC be a dedicated
host, with limited access. If your KDC is also a file server, FTP
server, Web server, or even just a client machine, someone who obtained
root access through a security hole in any of those areas could gain
access to the Kerberos database.
<p>MIT recommends that your KDCs use the following
<code>/etc/inetd.conf</code> file. (Note: each line beginning with =>
is a continuation of the previous line.):
<pre class="smallexample"> #
# Configuration file for inetd(1M). See inetd.conf(4).
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
# Syntax for socket-based Internet services:
# &lt;service_name&gt; &lt;socket_type&gt; &lt;proto&gt; &lt;flags&gt; &lt;user&gt;
=> &lt;server_pathname&gt; &lt;args&gt;
# Syntax for TLI-based Internet services:
# &lt;service_name&gt; tli &lt;proto&gt; &lt;flags&gt; &lt;user&gt; &lt;server_pathname&gt; &lt;args&gt;
# Ftp and telnet are standard Internet services.
# This machine is a secure Kerberos Key Distribution Center (KDC).
# Services are limited.
# Time service is used for clock synchronization.
time stream tcp nowait root internal
time dgram udp wait root internal
# Limited Kerberos services
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -5 -c -e
</pre>
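<p>Both this section and <a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a> put a deliberately short list of services in <code>inetd.conf</code>; what usually goes wrong later is a package or an administrator re-enabling something else on the KDC. The following audit is an added example, not part of this guide: it reads an <code>inetd.conf</code>, treats commented-out entries as disabled, and reports every active service that is not on the allow list. The allow list (time, <code>krb5_prop</code>, <code>eklogin</code>) is an assumption taken from the file above and may need extending locally; the sample file the script ships with is constructed.

```sh
#!/bin/sh
# Audit an inetd.conf on a KDC against the short list of services the
# guide recommends for a dedicated KDC.  Added example, not part of the
# MIT guide; the allow list and the sample file are assumptions.

# Services a dedicated KDC is expected to offer through inetd: clock
# synchronisation, database propagation and encrypted rlogin.
KDC_ALLOWED_SERVICES=${KDC_ALLOWED_SERVICES:-"time krb5_prop eklogin"}

# audit_inetd_conf FILE: print "<service> enabled at line <n>" for every
# active entry whose service is not on the allow list; return 1 if any
# such entry exists, 0 if the file is clean.  Commented-out entries are
# disabled services and are ignored.
audit_inetd_conf() {
    file=$1
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        entry=${line%%#*}          # drop comments, whole-line or trailing
        set -- $entry              # split the entry into whitespace fields
        [ $# -ge 6 ] || continue   # service type proto flags user server ...
        svc=$1
        allowed=0
        for a in $KDC_ALLOWED_SERVICES; do
            [ "$svc" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$svc enabled at line $lineno"
            status=1
        fi
    done < "$file"
    return "$status"
}

# sample_inetd_conf: a constructed inetd.conf mixing the recommended
# entries with two services that have no business on a KDC.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample, not a real host's file
time stream tcp nowait root internal
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -5 -c -e
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd # unneeded
EOF
}

# Usage: audit_inetd.sh /etc/inetd.conf (exit status 1 means findings).
if [ $# -gt 0 ]; then
    audit_inetd_conf "$1"
fi
```

<p>On the sample file the audit reports <code>ftp</code> and <code>finger</code> and exits 1, while the commented-out <code>telnet</code> entry is ignored; the exit status makes the check usable from a periodic cron job or a configuration-management run.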
<a name="Switching-Master-and-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,
Previous: <a rel="previous" accesskey="p" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.7 Switching Master and Slave KDCs</h4>
<p>You may occasionally want to use one of your slave KDCs as the master.
This might happen if you are upgrading the master KDC, or if your master
KDC has a disk crash.
<p>Assuming you have configured all of your KDCs to be able to function as
either the master KDC or a slave KDC (as this document recommends), all
you need to do to make the changeover is:
<p>If the master KDC is still running, do the following on the <em>old</em>
<li>Kill the <code>kadmind</code> process.
<li>Disable the cron job that propagates the database.
<li>Run your database propagation script manually, to ensure that the slaves
all have the latest copy of the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.) If there is a need to preserve per-principal
policy information from the database, you should do a “kdb5_util dump
-ov” in order to preserve that information and propagate that dump file
securely by some means to the slave so that its database has the correct
state of the per-principal policy information.
<p>On the <em>new</em> master KDC:
<li>Create a database keytab. (See <a href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>.)
<li>Start the <code>kadmind</code> daemon. (See <a href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>.)
<li>Set up the cron job to propagate the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.)
<li>Switch the CNAMEs of the old and new master KDCs. (If you don't do
this, you'll need to change the <code>krb5.conf</code> file on every client
machine in your Kerberos realm.)
<a name="Incremental-Database-Propagation"></a>Previous: <a rel="previous" accesskey="p" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
<h4 class="subsection">4.1.8 Incremental Database Propagation</h4>
<p>At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
master KDC to the slave KDCs. The incremental propagation support
added in the 1.7 release is intended to address this.
<p>With incremental propagation enabled, all programs on the master KDC
that change the database also write information about the changes to
an “update log” file, maintained as a circular buffer of a certain
size. A process on each slave KDC connects to a service on the master
KDC (currently implemented in the <code>kadmind</code> server) and
periodically requests the changes that have been made since the last
check. By default, this check is done every two minutes. If the
database has just been modified in the previous several seconds
(currently the threshold is hard-coded at 10 seconds), the slave will
not retrieve updates, but instead will pause and try again soon after.
This reduces the likelihood that incremental update queries will cause
delays for an administrator trying to make a bunch of changes to the
database at the same time.
<p>Incremental propagation uses the following entries in the per-realm
data in the KDC config file:
<dt><code>iprop_enable</code> (boolean)<dd>If this is set to <code>true</code>, then incremental propagation is
enabled, and (as noted below) normal <code>kprop</code> propagation is
disabled. The default is <code>false</code>.
<br><dt><code>iprop_master_ulogsize</code> (integer)<dd>This indicates the number of entries that should be retained in the
update log. The default is 1000; the maximum number is 2500.
<br><dt><code>iprop_slave_poll</code> (time interval)<dd>This indicates how often the slave should poll the master KDC for
changes to the database. The default is two minutes.
<br><dt><code>iprop_port</code> (integer)<dd>This specifies the port number to be used for incremental
propagation. This is required in both master and slave configuration
<br><dt><code>iprop_logfile</code> (file name)<dd>This specifies where the update log file for the realm database is to
be stored. The default is to use the <code>database_name</code> entry from
the <code>realms</code> section of the config file, with <span class="file">.ulog</span> appended.
(NOTE: If <code>database_name</code> isn't specified in the <code>realms</code>
section, perhaps because the LDAP database back end is being used, or
the file name is specified in the <code>dbmodules</code> section, then the
hard-coded default for <code>database_name</code> is used. Determination of
the <code>iprop_logfile</code> default value will not use values from the
<code>dbmodules</code> section.)
<p>Both master and slave sides must have principals named
<code>kiprop/</code><var>hostname</var> (where <var>hostname</var> is, as usual, the
lower-case, fully-qualified, canonical name for the host) registered
and keys stored in the default keytab file (<span class="file">/etc/krb5.keytab</span>).
<!-- XXX: I think the master side, at least, might be able to read the -->
<!-- key out of the database. Test and document this. -->
<p>On the master KDC side, the <code>kiprop/</code><var>hostname</var> principal
must be listed in the <code>kadmind</code> ACL file <code>kadm5.acl</code>, and
given the <code>p</code> privilege.
<p>On the slave KDC side, <code>kpropd</code> should be run. When incremental
propagation is enabled, it will connect to the <code>kadmind</code> on the
master KDC and start requesting updates.
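<p>The requirements above are spread over two files on two hosts, which makes them easy to get half right: a slave polls forever against a master whose <code>kadm5.acl</code> never granted its <code>kiprop</code> principal anything. The following check is an added example, not part of this guide or of MIT Kerberos. Given a <code>kdc.conf</code>, a <code>kadm5.acl</code>, a realm and a slave's host name, it confirms that <code>iprop_enable</code> is <code>true</code>, that <code>iprop_port</code> is set, that <code>iprop_master_ulogsize</code> does not exceed 2500, and that <code>kiprop/</code><var>hostname</var> is granted <code>p</code> in the ACL. It reads both files as whitespace-separated <code>key = value</code> lines (an assumption; the real parsers accept more than this), and the sample files, port number included, are constructed.

```sh
#!/bin/sh
# Check the incremental-propagation settings this section requires:
# the kdc.conf realm entries and the kadm5.acl grant for the slave's
# kiprop principal.  Added example, not part of the MIT guide; files are
# read as whitespace-separated "key = value" lines (an assumption) and
# the sample files are constructed.

# kdc_conf_get FILE REALM KEY: print the value of KEY inside the REALM
# stanza of a kdc.conf-style file, or nothing if it is not set there.
kdc_conf_get() {
    awk -v realm="$2" -v key="$3" '
        # enter the stanza on "REALM = {" and leave it on the closing "}"
        $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}" { inside = 0 }
        inside && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# acl_grants_p FILE PRINCIPAL: succeed if kadm5.acl gives PRINCIPAL the
# p privilege (or all privileges, written * or x).  Exact principal
# match only; wildcard ACL entries are not expanded here.
acl_grants_p() {
    awk -v p="$2" '
        $1 == p && ($2 == "*" || $2 == "x" || index($2, "p")) { found = 1 }
        END { exit !found }
    ' "$1"
}

# check_iprop_config KDC_CONF KADM5_ACL REALM SLAVE_HOST: print one line
# per problem and return 1 if any was found, 0 if the setup is complete.
check_iprop_config() {
    conf=$1; acl=$2; realm=$3; slave=$4; status=0
    if [ "$(kdc_conf_get "$conf" "$realm" iprop_enable)" != true ]; then
        echo "iprop_enable is not true for $realm; full-dump kprop propagation is still in effect"
        status=1
    fi
    if [ -z "$(kdc_conf_get "$conf" "$realm" iprop_port)" ]; then
        echo "iprop_port is not set for $realm; it is required on master and slave"
        status=1
    fi
    ulog=$(kdc_conf_get "$conf" "$realm" iprop_master_ulogsize)
    if [ -n "$ulog" ] && [ "$ulog" -gt 2500 ]; then
        echo "iprop_master_ulogsize $ulog exceeds the maximum of 2500"
        status=1
    fi
    if ! acl_grants_p "$acl" "kiprop/$slave@$realm"; then
        echo "kiprop/$slave@$realm is not granted p in $acl; the slave cannot fetch updates"
        status=1
    fi
    return "$status"
}

# Constructed sample files.  ATHENA.MIT.EDU is set up correctly;
# EXAMPLE.COM lacks iprop_port and has an oversized update log.
# The port number is a placeholder, not a recommendation.
sample_kdc_conf() {
    cat <<'EOF'
[realms]
    ATHENA.MIT.EDU = {
        database_name = /usr/local/var/krb5kdc/principal
        iprop_enable = true
        iprop_master_ulogsize = 1000
        iprop_slave_poll = 2m
        iprop_port = 2121
    }
    EXAMPLE.COM = {
        iprop_enable = true
        iprop_master_ulogsize = 5000
    }
EOF
}
sample_kadm5_acl() {
    cat <<'EOF'
*/admin@ATHENA.MIT.EDU *
kiprop/kerberos-1.mit.edu@ATHENA.MIT.EDU p
EOF
}
```

<p>Run <code>check_iprop_config</code> on the master with each slave's host name, and on each slave with its own host name against a copy of the master's ACL; the realm in <code>kdc.conf</code> must be spelled exactly as in the principal names, since the check compares them as strings just as the KDC does.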
<p>The normal <code>kprop</code> mechanism is disabled by the incremental
propagation support. However, if the slave has been unable to fetch
changes from the master KDC for too long (network problems, perhaps),
the log on the master may wrap around and overwrite some of the
updates that the slave has not yet retrieved. In this case, the slave
will instruct the master KDC to dump the current database out to a
file and invoke a one-time <code>kprop</code> propagation, with special
options to also convey the point in the update log at which the slave
should resume fetching incremental updates. Thus, all the keytab and
ACL setup previously described for <code>kprop</code> propagation is still
<p>There are several known bugs and restrictions in the current
<li>The “call out to <code>kprop</code>” mechanism is a bit fragile; if the
<code>kprop</code> propagation fails to connect for some reason, the process
on the slave may hang waiting for it, and will need to be restarted.
<li>The master and slave must be able to initiate TCP connections in both
directions, without an intervening NAT. They must also be able to
communicate over IPv4, since MIT's kprop and RPC code does not
currently support IPv6.
<li><a accesskey="1" href="#Sun_002fMIT-Incremental-Propagation-Differences">Sun/MIT Incremental Propagation Differences</a>
<a name="Sun_002fMIT-Incremental-Propagation-Differences"></a>Previous: <a rel="previous" accesskey="p" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,
Up: <a rel="up" accesskey="u" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>
<h5 class="subsubsection">4.1.8.1 Sun/MIT Incremental Propagation Differences</h5>
<p>Sun donated the original code for supporting incremental database
propagation to MIT. Some changes have been made in the MIT source
tree that will be visible to administrators. (These notes are based
on Sun's patches. Changes to Sun's implementation since then may not
<p>The Sun config file support looks for <code>sunw_dbprop_enable</code>,
<code>sunw_dbprop_master_ulogsize</code>, and <code>sunw_dbprop_slave_poll</code>.
<p>The incremental propagation service is implemented as an ONC RPC
service. In the Sun implementation, the service is registered with
<code>rpcbind</code> (also known as <code>portmapper</code>) and the client looks
up the port number to contact. In the MIT implementation, where
interaction with some modern versions of <code>rpcbind</code> doesn't always
work well, the port number must be specified in the config file on
both the master and slave sides.
<p>The Sun implementation hard-codes pathnames in <span class="file">/var/krb5</span> for
the update log and the per-slave <code>kprop</code> dump files. In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per-slave dump files are stored in
<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var>.
<a name="Installing-and-Configuring-UNIX-Client-Machines"></a>Next: <a rel="next" accesskey="n" href="#UNIX-Application-Servers">UNIX Application Servers</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
<h3 class="section">4.2 Installing and Configuring UNIX Client Machines</h3>
<p>Client machine installation is much more straightforward than
installation of the KDCs.
<li><a accesskey="1" href="#Client-Programs">Client Programs</a>
<li><a accesskey="2" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>
<a name="Client-Programs"></a>Next: <a rel="next" accesskey="n" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>
<h4 class="subsection">4.2.1 Client Programs</h4>
<p>The Kerberized client programs are <code>login.krb5</code>, <code>rlogin</code>,
<code>telnet</code>, <code>ftp</code>, <code>rcp</code>, <code>rsh</code>, <code>kinit</code>,
<code>klist</code>, <code>kdestroy</code>, <code>kpasswd</code>, <code>ksu</code>, and
<code>krb524init</code>. All of these programs are in the directory
<code>/usr/local/bin</code>, except for <code>login.krb5</code> which is in
<code>/usr/local/sbin</code>.
<p>You will probably want to have your users put <code>/usr/local/bin</code>
ahead of <code>/bin</code> and <code>/usr/bin</code> in their paths, so they will by
default get the Kerberos V5 versions of <code>rlogin</code>,
<code>telnet</code>, <code>ftp</code>, <code>rcp</code>, and <code>rsh</code>.
<p>MIT recommends that you use <code>login.krb5</code> in place of
<code>/bin/login</code> to give your users a single-sign-on system. You will
need to make sure your users know to use their Kerberos passwords when
<p>You will also need to educate your users to use the ticket management
programs <code>kinit</code>,
<!-- @code{krb524init}, -->
<code>klist</code>, <code>kdestroy</code>, and to use the Kerberos programs
<!-- @code{pfrom}, -->
<code>ksu</code>, and <code>kpasswd</code> in place of their non-Kerberos
<!-- @code{from} -->
<code>su</code>, <code>passwd</code>, and <code>rdist</code>.
<a name="Client-Machine-Configuration-Files"></a>Previous: <a rel="previous" accesskey="p" href="#Client-Programs">Client Programs</a>,
Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>
<h4 class="subsection">4.2.2 Client Machine Configuration Files</h4>
<p>Each machine running Kerberos must have a <code>/etc/krb5.conf</code> file.
(See <a href="#krb5_002econf">krb5.conf</a>.)
<p>Also, for most UNIX systems, you must add the appropriate Kerberos
services to each client machine's <code>/etc/services</code> file. If you are
using the default configuration for Kerberos V5, you should be able
to just insert the following code:
<pre class="smallexample"> kerberos 88/udp kdc # Kerberos V5 KDC
kerberos 88/tcp kdc # Kerberos V5 KDC
klogin 543/tcp # Kerberos authenticated rlogin
kshell 544/tcp cmd # and remote shell
kerberos-adm 749/tcp # Kerberos 5 admin/changepw
kerberos-adm 749/udp # Kerberos 5 admin/changepw
krb5_prop 754/tcp # Kerberos slave propagation
<!-- kpop 1109/tcp # Pop with Kerberos -->
eklogin 2105/tcp # Kerberos auth. & encrypted rlogin
krb524 4444/tcp # Kerberos 5 to 4 ticket translator
</pre>
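<p>Pasting this list into a file that already carries some of these ports produces duplicate entries or, worse, a second name on a port that an unrelated service already owns. The following helper is an added example, not part of this guide: it adds each entry from the list above only when its port/protocol pair is absent, reports an entry as present when the same name already owns the pair, and refuses with a conflict when a different service does. The sample file is constructed.

```sh
#!/bin/sh
# Add the Kerberos V5 entries to an /etc/services file only where they
# are missing, refusing to add one whose port/protocol is already bound
# to a different service name.  Added example, not part of the MIT
# guide; the entry list is the one shown in this section and the sample
# file is constructed.  Only the port/protocol pair is checked.

# ensure_service FILE NAME PORT/PROTO [ALIAS...]: print "added",
# "present" or "conflict: <other name>"; return 1 on a conflict.
ensure_service() {
    file=$1; name=$2; portproto=$3; shift 3
    # first non-comment entry already using this port/proto, if any
    owner=$(awk -v pp="$portproto" '$1 !~ /^#/ && $2 == pp { print $1; exit }' "$file")
    if [ -z "$owner" ]; then
        printf '%s\t%s\t%s\t# Kerberos V5\n' "$name" "$portproto" "$*" >> "$file"
        echo added
    elif [ "$owner" = "$name" ]; then
        echo present
    else
        echo "conflict: $owner"
        return 1
    fi
}

# add_kerberos_services FILE: apply this section's list; return the
# number of conflicts so the caller knows the file needs a human look.
add_kerberos_services() {
    conflicts=0
    while read -r name portproto aliases; do
        ensure_service "$1" "$name" "$portproto" $aliases || conflicts=$((conflicts + 1))
    done <<'EOF'
kerberos 88/udp kdc
kerberos 88/tcp kdc
klogin 543/tcp
kshell 544/tcp cmd
kerberos-adm 749/tcp
kerberos-adm 749/udp
krb5_prop 754/tcp
eklogin 2105/tcp
krb524 4444/tcp
EOF
    return "$conflicts"
}

# sample_services: a constructed file with one entry already present
# and port 749/tcp taken by an unrelated local service.
sample_services() {
    cat <<'EOF'
# constructed sample
kerberos    88/udp    kdc
foo         749/tcp         # unrelated local service
EOF
}
```

<p>Run <code>add_kerberos_services /etc/services</code> as root; a nonzero return means at least one port is already owned by something else, and that entry has to be resolved by hand rather than by appending a second name to the port.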
3342
<li><a accesskey="1" href="#Mac-OS-X-Configuration">Mac OS X Configuration</a>
<a name="Mac-OS-X-Configuration"></a>Previous: <a rel="previous" accesskey="p" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,
Up: <a rel="up" accesskey="u" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>
<h5 class="subsubsection">4.2.2.1 Mac OS X Configuration</h5>
<p>To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the
directions for generic Unix-based operating systems, except for the
<code>/etc/services</code> updates described above.
<p>Mac OS X and Mac OS X Server use a database called NetInfo to store
the contents of files normally found in <code>/etc</code>. Instead of
modifying <code>/etc/services</code>, you should run the following commands
to add the Kerberos service entries to NetInfo:
<pre class="smallexample"> $ niutil -create . /services/kerberos
$ niutil -createprop . /services/kerberos name kerberos kdc
$ niutil -createprop . /services/kerberos port 750
$ niutil -createprop . /services/kerberos protocol tcp udp
$ niutil -create . /services/krbupdate
$ niutil -createprop . /services/krbupdate name krbupdate kreg
$ niutil -createprop . /services/krbupdate port 760
$ niutil -createprop . /services/krbupdate protocol tcp
$ niutil -create . /services/kpasswd
$ niutil -createprop . /services/kpasswd name kpasswd kpwd
$ niutil -createprop . /services/kpasswd port 761
$ niutil -createprop . /services/kpasswd protocol tcp
$ niutil -create . /services/klogin
$ niutil -createprop . /services/klogin port 543
$ niutil -createprop . /services/klogin protocol tcp
$ niutil -create . /services/eklogin
$ niutil -createprop . /services/eklogin port 2105
$ niutil -createprop . /services/eklogin protocol tcp
$ niutil -create . /services/kshell
$ niutil -createprop . /services/kshell name kshell krcmd
$ niutil -createprop . /services/kshell port 544
$ niutil -createprop . /services/kshell protocol tcp
</pre>
3386
<p>In addition to adding services to NetInfo, you must also modify the
resolver configuration in NetInfo so that the machine resolves its own
hostname as an FQDN (fully qualified domain name). By default, Mac OS X
and Mac OS X Server machines query NetInfo to resolve hostnames before
falling back to DNS. Because NetInfo has an unqualified name for all
the machines in the NetInfo database, the machine's own hostname will
resolve to an unqualified name. Kerberos needs an FQDN to look up keys
in the machine's keytab file.
<p>Fortunately, you can change the <code>lookupd</code> caching order to query
DNS first. Run the following NetInfo commands and reboot the machine:
<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts
$ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
</pre>
<p>Once you have rebooted, you can verify that the resolver now behaves
correctly. Compile the Kerberos 5 distribution and run:
<pre class="smallexample"> $ cd .../src/tests/resolve
</pre>
<p>This will tell you whether or not your machine returns FQDNs on name
lookups. If the test still fails, you can also try turning off DNS
caching. Run the following commands and reboot:
<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts
$ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent CacheAgent NIAgent NILAgent
</pre>
<p>The remainder of the setup of a Mac OS X client machine or application
server should be the same as for other UNIX-based systems.
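<p>The resolver check described above, as an added example that is not part of the MIT guide or of its <code>tests/resolve</code> program: it resolves the machine's own name and reports whether the canonical name is fully qualified, which is what a <code>host/</code><var>FQDN</var> keytab lookup needs. The resolver is injected so the check also runs offline; the name tables, addresses and helper names are constructed for the example.

```python
"""Verify that a host's own name resolves to a fully qualified domain name.

Added example, not code from the MIT guide.  Kerberos looks up the host key
as host/<FQDN>@REALM, so an unqualified canonical name (the NetInfo symptom
the guide describes) makes keytab lookups fail.  The resolver is injectable
so the check can run offline against a constructed name table.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Shape of socket.gethostbyname_ex(): (canonical_name, aliases, addresses)
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def is_fqdn(name: str) -> bool:
    """True when the name has at least two non-empty labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def check_own_hostname(hostname: str, resolver: Resolver) -> Dict[str, object]:
    """Resolve `hostname` and report whether its canonical form is qualified.

    Lookup failures are reported in the result rather than raised, so the
    function is safe to call from a boot-time sanity script."""
    try:
        canonical, aliases, addrs = resolver(hostname)
    except (socket.gaierror, socket.herror, KeyError) as exc:
        return {"hostname": hostname, "ok": False,
                "reason": f"lookup failed: {exc}"}
    canonical = canonical.rstrip(".")
    if not is_fqdn(canonical):
        # Same symptom the guide attributes to NetInfo answering before DNS:
        # the machine knows itself only by a short name.
        reason = "canonical name is unqualified"
        qualified = [a for a in aliases if is_fqdn(a)]
        if qualified:
            reason += (f"; a qualified alias exists ({qualified[0]}), "
                       "so the lookup order, not DNS, is the problem")
        return {"hostname": hostname, "ok": False, "canonical": canonical,
                "reason": reason, "addresses": addrs}
    return {"hostname": hostname, "ok": True, "canonical": canonical,
            "service_principal": f"host/{canonical}", "addresses": addrs}


def make_table_resolver(table: Dict[str, Tuple[str, List[str], List[str]]]) -> Resolver:
    """Offline resolver backed by a constructed name table (raises KeyError)."""
    return lambda name: table[name]


# Constructed sample tables (RFC 5737 documentation address).  The first
# imitates NetInfo answering first with a short name, the second DNS first.
NETINFO_FIRST = {"trillium": ("trillium", ["trillium.mit.edu"], ["192.0.2.10"])}
DNS_FIRST = {"trillium": ("trillium.mit.edu", ["trillium"], ["192.0.2.10"])}

if __name__ == "__main__":
    # Live check of this machine using the system resolver.
    print(check_own_hostname(socket.gethostname(), socket.gethostbyname_ex))
```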
3421
<a name="UNIX-Application-Servers"></a>Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
<h3 class="section">4.3 UNIX Application Servers</h3>
<p>An application server is a host that provides one or more services over
the network. Application servers can be “secure” or “insecure.” A
“secure” host is set up to require authentication from every client
connecting to it. An “insecure” host will still provide Kerberos
authentication, but will also allow unauthenticated clients to connect.
<p>If you have Kerberos V5 installed on all of your client machines,
MIT recommends that you make your hosts secure, to take
advantage of the security that Kerberos authentication affords.
However, if you have some clients that do not have Kerberos V5
installed, you can run an insecure server, and still take advantage of
Kerberos V5's single sign-on capability.
<li><a accesskey="1" href="#Server-Programs">Server Programs</a>
<li><a accesskey="2" href="#Server-Configuration-Files">Server Configuration Files</a>
<li><a accesskey="3" href="#The-Keytab-File">The Keytab File</a>
<li><a accesskey="4" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>
<a name="Server-Programs"></a>Next: <a rel="next" accesskey="n" href="#Server-Configuration-Files">Server Configuration Files</a>,
Previous: <a rel="previous" accesskey="p" href="#UNIX-Application-Servers">UNIX Application Servers</a>,
Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>
<h4 class="subsection">4.3.1 Server Programs</h4>
<p>Just as Kerberos V5 provided its own Kerberos-enhanced versions of
client UNIX network programs, Kerberos V5 also provides
Kerberos-enhanced versions of server UNIX network daemons. These are
<code>ftpd</code>, <code>klogind</code>, <code>kshd</code>, and <code>telnetd</code>.
These programs are installed in the directory
<code>/usr/local/sbin</code>. You may want to add this directory to
3469
<a name="Server-Configuration-Files"></a>Next: <a rel="next" accesskey="n" href="#The-Keytab-File">The Keytab File</a>,
Previous: <a rel="previous" accesskey="p" href="#Server-Programs">Server Programs</a>,
Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>
<h4 class="subsection">4.3.2 Server Configuration Files</h4>
<p>For a <em>secure</em> server, make the following changes to
<code>/etc/inetd.conf</code>:
<p>Find and comment out any lines for the services <code>ftp</code>,
<code>telnet</code>, <code>shell</code>, <code>login</code>, and <code>exec</code>.
<p>Add the following lines. (Note: each line beginning with => is
a continuation of the previous line.)
<pre class="smallexample"> klogin stream tcp nowait root /usr/local/sbin/klogind
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
kshell stream tcp nowait root /usr/local/sbin/kshd
ftp stream tcp nowait root /usr/local/sbin/ftpd
telnet stream tcp nowait root /usr/local/sbin/telnetd
=> telnetd -a valid
</pre>
<p>For an <em>insecure</em> server, make the following changes instead to
<code>/etc/inetd.conf</code>:
<p>Find and comment out any lines for the services <code>ftp</code> and
<code>telnet</code>.
<p>Add the following lines. (Note: each line beginning with => is
a continuation of the previous line.)
<pre class="smallexample"> klogin stream tcp nowait root /usr/local/sbin/klogind
eklogin stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
kshell stream tcp nowait root /usr/local/sbin/kshd
ftp stream tcp nowait root /usr/local/sbin/ftpd
telnet stream tcp nowait root /usr/local/sbin/telnetd
=> telnetd -a none
</pre>
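<p>An audit of <code>/etc/inetd.conf</code> against the secure and insecure configurations above, as an added example that is not code from the MIT guide: it parses the file (also accepting the => continuation notation used in this guide) and reports any legacy cleartext service still enabled or a <code>telnetd</code> not run with <code>-a valid</code>. The sample configurations and function names are constructed for the example.

```python
"""Audit /etc/inetd.conf against the guide's secure-host rules.

Added example, not code from the MIT guide.  "Secure" here means what the
guide means: the cleartext ftp, telnet, shell, login and exec services are
disabled, and the Kerberized telnetd runs with "-a valid" so unauthenticated
clients are refused; "-a none", or any legacy service left enabled, makes
the host "insecure".  The sample configurations are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Services the guide says to comment out on a secure host.
LEGACY_CLEARTEXT = {"ftp", "telnet", "shell", "login", "exec"}
# Daemon the guide installs for each service it re-adds.
KERBERIZED = {"klogin": "klogind", "eklogin": "klogind", "kshell": "kshd",
              "ftp": "ftpd", "telnet": "telnetd"}


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    args: List[str]
    lineno: int


def _logical_lines(text: str) -> List[tuple]:
    """Join continuations: a trailing backslash (inetd syntax) or a leading
    '=>' (the notation the guide uses when it prints long lines)."""
    records = []                       # [lineno, text, open_after_backslash]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("=>") and records:
            records[-1][1] += " " + line[2:].strip()
            continue
        if records and records[-1][2]:
            records[-1][1] += " " + line.rstrip("\\").strip()
            records[-1][2] = line.endswith("\\")
            continue
        records.append([lineno, line.rstrip("\\").strip(), line.endswith("\\")])
    return [(n, t) for n, t, _ in records]


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return the active (uncommented) entries; malformed lines raise."""
    entries = []
    for lineno, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"line {lineno}: malformed inetd entry {line!r}")
        entries.append(InetdEntry(f[0], f[1], f[2], f[3], f[4], f[5], f[6:], lineno))
    return entries


def _flag_value(args: List[str], flag: str) -> Optional[str]:
    for i, a in enumerate(args[:-1]):
        if a == flag:
            return args[i + 1]
    return None


def audit(entries: List[InetdEntry]) -> Dict[str, object]:
    """Classify the host as the guide does and list what disqualifies it."""
    findings = []
    for e in entries:
        daemon = e.program.rsplit("/", 1)[-1]
        if e.service in LEGACY_CLEARTEXT and daemon != KERBERIZED.get(e.service):
            findings.append(f"line {e.lineno}: legacy cleartext service "
                            f"'{e.service}' still enabled via {e.program}")
        if daemon == "telnetd":
            auth = _flag_value(e.args, "-a")
            if auth != "valid":
                findings.append(f"line {e.lineno}: telnetd -a {auth or '<unset>'} "
                                "admits unauthenticated clients; use -a valid")
    return {"secure": not findings, "findings": findings}


# Constructed samples.  The first follows the guide's secure-server edits;
# the second leaves rlogin live and runs telnetd with -a none.
SECURE_SAMPLE = """\
#ftp     stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
#telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#shell   stream tcp nowait root /usr/sbin/in.rshd    in.rshd
#login   stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
#exec    stream tcp nowait root /usr/sbin/in.rexecd  in.rexecd
klogin   stream tcp nowait root /usr/local/sbin/klogind klogind
eklogin  stream tcp nowait root /usr/local/sbin/klogind
=> klogind -k -c -e
kshell   stream tcp nowait root /usr/local/sbin/kshd    kshd
ftp      stream tcp nowait root /usr/local/sbin/ftpd    ftpd
telnet   stream tcp nowait root /usr/local/sbin/telnetd telnetd -a valid
"""
INSECURE_SAMPLE = SECURE_SAMPLE.replace("#login", "login").replace("-a valid", "-a none")
```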
3518
<a name="The-Keytab-File"></a>Next: <a rel="next" accesskey="n" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>,
Previous: <a rel="previous" accesskey="p" href="#Server-Configuration-Files">Server Configuration Files</a>,
Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>
<h4 class="subsection">4.3.3 The Keytab File</h4>
<p>All Kerberos server machines need a <dfn>keytab</dfn> file, called
<code>/etc/krb5.keytab</code>, to authenticate to the KDC. The keytab file is
an encrypted, local, on-disk copy of the host's key. The keytab file,
like the stash file (<a href="#Create-the-Database">Create the Database</a>), is a potential
point of entry for a break-in, and if compromised, would allow
unrestricted access to its host. The keytab file should be readable
only by root, and should exist only on the machine's local disk. The
file should not be part of any backup of the machine, unless access to
the backup data is secured as tightly as access to the machine's root
<p>In order to generate a keytab for a host, the host must have a principal
in the Kerberos database. The procedure for adding hosts to the
database is described fully in the “Adding or Modifying Principals”
section of the <cite>Kerberos V5 System Administrator's Guide</cite>.
(See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a> for a brief description.)
The keytab is generated by running <code>kadmin</code> and issuing the
<code>ktadd</code> command.
<p>For example, to generate a keytab file to allow the host
trillium.mit.edu to authenticate for the services
<code>host</code>, <code>ftp</code>, and <code>pop</code>, the administrator
<code>joeadmin</code> would issue the command (on
<pre class="smallexample"> <b>trillium%</b> /usr/local/sbin/kadmin
<b>kadmin5:</b> ktadd host/trillium.mit.edu ftp/trillium.mit.edu
=> pop/trillium.mit.edu
<b>kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.
kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/etc/krb5.keytab.</b>
</pre>
<p>If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (<code>trillium</code>, in the
above example) without sending it unencrypted over the network. If you
have installed the Kerberos V5 client programs, you can use
encrypted <code>rcp</code>.
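<p>What <code>ktadd</code> wrote into <code>/etc/krb5.keytab</code> can be inspected directly; the following is an added example, not code from the MIT guide or the krb5 distribution, that decodes the keytab file format, reports principals, kvnos and enctypes, flags single-DES keys, and checks that the file is readable only by root. The sample keytab, its zero-filled keys and the function names are constructed for the example.

```python
"""List and audit an MIT Kerberos keytab such as /etc/krb5.keytab.

Added example, not code from the MIT guide or the krb5 distribution.  It
implements the keytab layout (version bytes 05 02, then big-endian,
length-prefixed records, one per key) so an administrator can see which
principals, kvnos and enctypes a keytab holds and check the protections the
guide asks for.  The sample keytab is constructed in memory with zero keys.
"""
import os
import stat
import struct
from collections import namedtuple
from typing import List

KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3}        # single DES: 56-bit keys, brute-forceable
NT_PRINCIPAL = 1                 # principal name type written by ktadd

# principal is the printable form, e.g. host/trillium.mit.edu@ATHENA.MIT.EDU
KeytabEntry = namedtuple("KeytabEntry",
                         "principal name_type timestamp kvno enctype key")

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def encode_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in keytab v2 layout (used here to build sample data)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)      # 32-bit vno, needed when kvno > 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a keytab.  A negative record length marks a deleted slot."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (rec_len,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if rec_len < 0:                         # freed slot: skip its bytes
            pos -= rec_len
            continue
        rec, p = data[pos:pos + rec_len], 0
        ncomp, rlen = struct.unpack_from(">HH", rec, p); p += 4
        realm = rec[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", rec, p); p += 2
            comps.append(rec[p:p + clen].decode()); p += clen
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", rec, p)
        p += 13
        key = rec[p:p + klen]; p += klen
        kvno = vno8
        if p + 4 <= rec_len:                    # optional 32-bit kvno field
            kvno = struct.unpack_from(">I", rec, p)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, ts, kvno, enctype, key))
        pos += rec_len
    return entries

def audit_entries(entries: List[KeytabEntry]) -> List[str]:
    """Flag keys whose enctype is too weak to protect the host's identity."""
    return [f"{e.principal} kvno {e.kvno}: weak enctype "
            f"{ENCTYPE_NAMES.get(e.enctype, e.enctype)}"
            for e in entries if e.enctype in WEAK_ENCTYPES]

def audit_permissions(path: str) -> List[str]:
    """The guide's rule: the keytab is readable only by root.  Returns findings."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} open to group/other")
    return findings

# Constructed sample mirroring the guide's ktadd output (kvno 3, des-cbc-crc),
# plus one AES key whose kvno needs the 32-bit field.
SAMPLE_KEYTAB = encode_keytab([
    KeytabEntry("host/trillium.mit.edu@ATHENA.MIT.EDU", NT_PRINCIPAL, 0, 3, 1, bytes(8)),
    KeytabEntry("ftp/trillium.mit.edu@ATHENA.MIT.EDU", NT_PRINCIPAL, 0, 3, 1, bytes(8)),
    KeytabEntry("pop/trillium.mit.edu@ATHENA.MIT.EDU", NT_PRINCIPAL, 0, 300, 18, bytes(32)),
])
DELETED_SLOT_SAMPLE = KEYTAB_MAGIC + struct.pack(">i", -5) + bytes(5)
```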
3574
<a name="Some-Advice-about-Secure-Hosts"></a>Previous: <a rel="previous" accesskey="p" href="#The-Keytab-File">The Keytab File</a>,
Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>
<h4 class="subsection">4.3.4 Some Advice about Secure Hosts</h4>
<p>Kerberos V5 can protect your host from certain types of break-ins,
but it is possible to install Kerberos V5 and still leave your host
vulnerable to attack. Obviously an installation guide is not the place
to try to include an exhaustive list of countermeasures for every
possible attack, but it is worth noting some of the larger holes and how
<p>As stated earlier in this section, MIT recommends that on a
secure host, you disable the standard <code>ftp</code>, <code>login</code>,
<code>telnet</code>, <code>shell</code>, and <code>exec</code> services in
<code>/etc/inetd.conf</code>. We also recommend that secure hosts have an empty
<code>/etc/hosts.equiv</code> file and that there not be a <code>.rhosts</code> file
in <code>root</code>'s home directory. You can grant Kerberos-authenticated
root access to specific Kerberos principals by placing those principals
in the file <code>.k5login</code> in root's home directory.
<p>We recommend that backups of secure machines exclude the keytab file
(<code>/etc/krb5.keytab</code>). If this is not possible, the backups should
at least be done locally, rather than over a network, and the backup
tapes should be physically secured.
<p>Finally, the keytab file and any programs run by root, including the
Kerberos V5 binaries, should be kept on local disk. The keytab file
should be readable only by root.
3608
<a name="Upgrading-Existing-Kerberos-V5-Installations"></a>Next: <a rel="next" accesskey="n" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>,
Previous: <a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">5 Upgrading Existing Kerberos V5 Installations</h2>
<p>If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
current release with the <code>kdb5_util</code> command. It is only
necessary to perform this dump/undump procedure if you were running a
krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you
were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer
KDC. The process for upgrading a Master KDC involves the following
<li>Stop your current KDC and administration
server processes, if any.
<li>Dump your existing Kerberos database to an ASCII file with
<code>kdb5_util</code>'s “dump” command:
<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc
<b>shell%</b> kdb5_util dump old-kdb-dump
<b>shell%</b> kdb5_util dump -ov old-kdb-dump.ov
</pre>
<li>Create a new Master KDC installation (see <a href="#Install-the-Master-KDC">Install the Master KDC</a>). If you have a stash file for your current database, choose any
new master password but then copy your existing stash file to the
location specified by your kdc.conf; if you do not have a stash file for
your current database, you must choose the same master password.
<li>Load your old Kerberos database into the new system with
<code>kdb5_util</code>'s “load” command:
<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc
<b>shell%</b> kdb5_util load old-kdb-dump
<b>shell%</b> kdb5_util load -update old-kdb-dump.ov
</pre>
<p>The “dump -ov” and “load -update” commands are necessary in order to
preserve per-principal policy information, since the default dump format
filters out that information. If you omit those steps, the loaded
database will lose the policy information for each principal
<p>To update a Slave KDC, you must stop the old server processes on the
Slave KDC, install the new server binaries, reload the most recent slave
dump file, and re-start the server processes.
3664
<li><a accesskey="1" href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">Upgrading to Triple-DES and RC4 Encryption Keys</a>
<a name="Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys"></a>Previous: <a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,
Up: <a rel="up" accesskey="u" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>
<h3 class="section">5.1 Upgrading to Triple-DES Encryption Keys</h3>
<p>Beginning with the 1.2 release from MIT, Kerberos includes
a stronger encryption algorithm called “triple DES” – essentially,
three applications of the basic DES encryption algorithm, greatly
increasing the resistance to a brute-force search for the key by an
attacker. This algorithm is more secure, but encryption is much
<p>Release 1.1 had some support for triple-DES service keys, but with
release 1.2 we have added support for user keys and session keys as
well. Release 1.0 had very little support for multiple cryptosystems,
and some of that software may not function properly in an environment
using triple-DES as well as plain DES.
<p>In the 1.3 release from MIT, Kerberos also includes the RC4
encryption algorithm, a symmetric-key stream cipher
developed in 1987 by Ronald Rivest at RSA Data Security. Please note
that RC4 is not part of the IETF standard.
<p>Because of the way the MIT Kerberos database is structured, the KDC
will assume that a service supports only those encryption types for
which keys are found in the database. Thus, if a service has only a
single-DES key in the database, the KDC will not issue tickets for that
service that use triple-DES or RC4 session keys; it will instead issue
only single-DES session keys, even if other services are already
capable of using triple-DES or RC4. So if you make sure your
application server software is updated before adding a triple-DES or
RC4 key for the service, clients should be able to talk to services at
all times during the updating process.
<p>Normally, the listed <code>supported_enctypes</code> in <code>kdc.conf</code> are
all used when a new key is generated. You can control this with
command-line flags to <code>kadmin</code> and <code>kadmin.local</code>. You may
want to exclude triple-DES and RC4 by default until you have updated a
lot of your application servers, and then change the default to include
triple-DES and RC4. We recommend that you always include
<code>des-cbc-crc</code> in the default list.
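<p>A small model of the KDC rule just described, as an added example that is not code from the MIT guide or the krb5 KDC: it picks a session-key enctype from the client's request, the KDC's <code>supported_enctypes</code> and the enctypes for which the service has a key, and shows why the server software must be updated before a triple-DES or RC4 key is added. The client populations, enctype lists and server capabilities are constructed simplifications.

```python
"""Model of the KDC rule the guide describes for session-key enctypes.

Added example, not code from the MIT guide or the krb5 KDC.  The model is
deliberately simplified: the KDC treats a service as supporting only the
enctypes for which it has a key in the database, and issues the first
enctype in the client's request list that both the KDC's supported_enctypes
and the service's keys allow.  The client lists and server capabilities are
constructed to walk through the rollout ordering the guide recommends.
"""
from typing import Dict, List, Optional, Set

DES_CBC_CRC = "des-cbc-crc"
DES3_CBC_SHA1 = "des3-cbc-sha1"
RC4_HMAC = "arcfour-hmac"
KDC_SUPPORTED = [DES3_CBC_SHA1, RC4_HMAC, DES_CBC_CRC]   # kdc.conf supported_enctypes

# Constructed client populations: a 1.0-era client speaks only single DES;
# an updated client prefers triple-DES, then RC4, then single DES.
CLIENT_REQUESTS = {"old-client": [DES_CBC_CRC],
                   "new-client": [DES3_CBC_SHA1, RC4_HMAC, DES_CBC_CRC]}


def pick_session_enctype(client_request: List[str], kdc_supported: List[str],
                         service_key_enctypes: Set[str]) -> Optional[str]:
    """First enctype in the client's order that the KDC permits and the
    service has a key for; None means the KDC cannot issue a ticket."""
    for etype in client_request:
        if etype in kdc_supported and etype in service_key_enctypes:
            return etype
    return None


def rollout_outcomes(service_key_enctypes: Set[str],
                     server_software_enctypes: Set[str],
                     kdc_supported: List[str] = KDC_SUPPORTED) -> Dict[str, Dict[str, object]]:
    """For each client population: the session enctype the KDC would issue
    and whether the application server's software can use it.  A ticket the
    server cannot use is the outage the guide warns about when a 3DES/RC4
    key is added before the server binaries are updated."""
    outcomes = {}
    for client, request in CLIENT_REQUESTS.items():
        etype = pick_session_enctype(request, kdc_supported, service_key_enctypes)
        outcomes[client] = {
            "session_enctype": etype,
            "works": etype is not None and etype in server_software_enctypes,
        }
    return outcomes


if __name__ == "__main__":
    # Phase 1: DES-only service key, old server software: everyone gets DES.
    print(rollout_outcomes({DES_CBC_CRC}, {DES_CBC_CRC}))
    # Wrong order: 3DES key added before the server software is updated.
    print(rollout_outcomes({DES_CBC_CRC, DES3_CBC_SHA1}, {DES_CBC_CRC}))
    # Right order: server updated first, then the 3DES key added.
    print(rollout_outcomes({DES_CBC_CRC, DES3_CBC_SHA1}, {DES_CBC_CRC, DES3_CBC_SHA1}))
```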
3715
<a name="Bug-Reports-for-Kerberos-V5"></a>Previous: <a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
<h2 class="chapter">6 Bug Reports for Kerberos V5</h2>
<p>In any complex software, there will be bugs. If you have successfully
built and installed Kerberos V5, please use the <code>krb5-send-pr</code>
program to fill out a Problem Report should you encounter any errors in
<p>Bug reports that include proposed fixes are especially welcome. If you
do include fixes, please send them using either context diffs or unified
diffs (using <span class="samp">diff -c</span> or <span class="samp">diff -u</span>, respectively). Please be
careful when using “cut and paste” or other such means to copy a patch
into a bug report; depending on the system being used, that can result
in converting TAB characters into spaces, which makes applying the
patches more difficult.
<p>The <code>krb5-send-pr</code> program is installed in the directory
<code>/usr/local/sbin</code>.
<p>The <code>krb5-send-pr</code> program enters the problem report into our
Problem Report Management System (PRMS), which automatically assigns it
to the engineer best able to help you with problems in the assigned
<p>The <code>krb5-send-pr</code> program will try to intelligently fill in as
many fields as it can. You need to choose the <dfn>category</dfn>,
<dfn>class</dfn>, <dfn>severity</dfn>, and <dfn>priority</dfn> of the problem, as well
as giving us as much information as you can about its exact nature.
<p>The PR <b>category</b> will be one of:
<pre class="smallexample"> krb5-admin krb5-appl krb5-build krb5-clients
krb5-doc krb5-kdc krb5-libs krb5-misc
</pre>
<p class="noindent">Choose the category that best describes the area under which your
<p>The <b>class</b> can be <dfn>sw-bug</dfn>, <dfn>doc-bug</dfn>, <dfn>change-request</dfn>,
or <dfn>support</dfn>. The first two are exactly as their names imply. Use
<i>change-request</i> when the software is behaving according to
specifications, but you want to request changes in some feature or
behavior. The <i>support</i> class is intended for more general questions
about building or using Kerberos V5.
<p>The <b>severity</b> of the problem indicates the problem's impact on the
usability of Kerberos V5. If a problem is <dfn>critical</dfn>, that
means the product, component or concept is completely non-operational,
or some essential functionality is missing, and no workaround is known.
A <dfn>serious</dfn> problem is one in which the product, component or
concept is not working properly or significant functionality is missing.
Problems that would otherwise be considered <i>critical</i> are rated
<i>serious</i> when a workaround is known. A <dfn>non-critical</dfn> problem is
one that is indeed a problem, but one that is having a minimal effect on
your ability to use Kerberos V5. <i>E.g.</i>, the product, component
or concept is working in general, but lacks features, has irritating
behavior, does something wrong, or doesn't match its documentation. The
default severity is <i>serious</i>.
<p>The <b>priority</b> indicates how urgent this particular problem is in
relation to your work. Note that low priority does not imply low
A priority of <dfn>high</dfn> means a solution is needed as soon as possible.
A priority of <dfn>medium</dfn> means the problem should be solved no later
than the next release. A priority of <dfn>low</dfn> means the problem should
be solved in a future release, but it is not important to your work how
soon this happens. The default priority is <i>medium</i>.
<p>Note that a given severity does not necessarily imply a given priority.
For example, a non-critical problem might still have a high priority if
you are faced with a hard deadline. Conversely, a serious problem might
have a low priority if the feature it is disabling is one that you do
<p>It is important that you fill in the <i>release</i> field and tell us
what changes you have made, if any.
<p>A sample filled-out form from a company named “Toasters, Inc.” might
<pre class="smallexample"> To: krb5-bugs@mit.edu
Subject: misspelled "Kerberos" in title of installation guide
X-send-pr-version: 3.99
&gt;Submitter-Id: mit
&gt;Originator: Jeffrey C. Gilman Bigler
&gt;Confidential: no
&gt;Synopsis: Misspelled "Kerberos" in title of installation guide
&gt;Severity: non-critical
&gt;Category: krb5-doc
&gt;Release: 1.0-development
&lt;machine, os, target, libraries (multiple lines)&gt;
System: ULTRIX imbrium 4.2 0 RISC
Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"
Correct the spelling.
</pre>
<p>If the <code>krb5-send-pr</code> program does not work for you, or if you did
not get far enough in the process to have an installed and working
<code>krb5-send-pr</code>, you can generate your own form, using the above as
3834
<div class="contents">
<h2>Table of Contents</h2>
<li><a name="toc_Copyright" href="#Copyright">Copyright</a>
<li><a name="toc_Introduction" href="#Introduction">1 Introduction</a>
<li><a href="#What-is-Kerberos-and-How-Does-it-Work_003f">1.1 What is Kerberos and How Does it Work?</a>
<li><a href="#Why-Should-I-use-Kerberos_003f">1.2 Why Should I use Kerberos?</a>
<li><a href="#Please-Read-the-Documentation">1.3 Please Read the Documentation</a>
<li><a href="#Overview-of-This-Guide">1.4 Overview of This Guide</a>
<li><a name="toc_Realm-Configuration-Decisions" href="#Realm-Configuration-Decisions">2 Realm Configuration Decisions</a>
<li><a href="#Kerberos-Realms">2.1 Kerberos Realms</a>
<li><a href="#Mapping-Hostnames-onto-Kerberos-Realms">2.2 Mapping Hostnames onto Kerberos Realms</a>
<li><a href="#Ports-for-the-KDC-and-Admin-Services">2.3 Ports for the KDC and Admin Services</a>
<li><a href="#Slave-KDCs">2.4 Slave KDCs</a>
<li><a href="#Hostnames-for-the-Master-and-Slave-KDCs">2.5 Hostnames for the Master and Slave KDCs</a>
<li><a href="#Database-Propagation">2.6 Database Propagation</a>
<li><a name="toc_Building-Kerberos-V5" href="#Building-Kerberos-V5">3 Building Kerberos V5</a>
<li><a href="#Organization-of-the-Source-Directory">3.1 Organization of the Source Directory</a>
<li><a href="#The-appl-Directory">3.1.1 The appl Directory</a>
<li><a href="#The-clients-Directory">3.1.2 The clients Directory</a>
<li><a href="#The-gen_002dmanpages-Directory">3.1.3 The gen-manpages Directory</a>
<li><a href="#The-include-Directory">3.1.4 The include Directory</a>
<li><a href="#The-kadmin-Directory">3.1.5 The kadmin Directory</a>
<li><a href="#The-kdc-Directory">3.1.6 The kdc Directory</a>
<li><a href="#The-krb524-Directory">3.1.7 The krb524 Directory</a>
<li><a href="#The-lib-Directory">3.1.8 The lib Directory</a>
<li><a href="#The-prototype-Directory">3.1.9 The prototype Directory</a>
<li><a href="#The-slave-Directory">3.1.10 The slave Directory</a>
<li><a href="#The-util-Directory">3.1.11 The util Directory</a>
<li><a href="#Build-Requirements">3.2 Build Requirements</a>
<li><a href="#Unpacking-the-Sources">3.3 Unpacking the Sources</a>
<li><a href="#Doing-the-Build">3.4 Doing the Build</a>
<li><a href="#Building-Within-a-Single-Tree">3.4.1 Building Within a Single Tree</a>
<li><a href="#Building-with-Separate-Build-Directories">3.4.2 Building with Separate Build Directories</a>
<li><a href="#Building-using-lndir">3.4.3 Building Using <span class="samp">lndir</span></a>
<li><a href="#Installing-the-Binaries">3.5 Installing the Binaries</a>
<li><a href="#Testing-the-Build">3.6 Testing the Build</a>
<li><a href="#The-DejaGnu-Tests">3.6.1 The DejaGnu Tests</a>
<li><a href="#The-KADM5-Tests">3.6.2 The KADM5 Tests</a>
<li><a href="#Options-to-Configure">3.7 Options to Configure</a>
<li><a href="#osconf_002eh">3.8 <span class="file">osconf.h</span></a>
<li><a href="#Shared-Library-Support">3.9 Shared Library Support</a>
<li><a href="#OS-Incompatibilities">3.10 Operating System Incompatibilities</a>
<li><a href="#AIX">3.10.1 AIX</a>
<li><a href="#Alpha-OSF_002f1-V1_002e3">3.10.2 Alpha OSF/1 V1.3</a>
<li><a href="#Alpha-OSF_002f1-V2_002e0">3.10.3 Alpha OSF/1 V2.0</a>
<li><a href="#Alpha-OSF_002f1-V4_002e0">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</a>
<li><a href="#BSDI">3.10.5 BSDI</a>
<li><a href="#HPUX">3.10.6 HPUX</a>
<li><a href="#Solaris-versions-2_002e0-through-2_002e3">3.10.7 Solaris versions 2.0 through 2.3</a>
<li><a href="#Solaris-2_002eX">3.10.8 Solaris 2.X</a>
<li><a href="#Solaris-9">3.10.9 Solaris 9</a>
<li><a href="#SGI-Irix-5_002eX">3.10.10 SGI Irix 5.X</a>
<li><a href="#Ultrix-4_002e2_002f3">3.10.11 Ultrix 4.2/3</a>
<li><a href="#Using-Autoconf">3.11 Using <span class="samp">Autoconf</span></a>
<li><a name="toc_Installing-Kerberos-V5" href="#Installing-Kerberos-V5">4 Installing Kerberos V5</a>
<li><a href="#Installing-KDCs">4.1 Installing KDCs</a>
<li><a href="#Install-the-Master-KDC">4.1.1 Install the Master KDC</a>
<li><a href="#Edit-the-Configuration-Files">4.1.1.1 Edit the Configuration Files</a>
<li><a href="#krb5_002econf">4.1.1.2 krb5.conf</a>
<li><a href="#kdc_002econf">4.1.1.3 kdc.conf</a>
<li><a href="#Create-the-Database">4.1.1.4 Create the Database</a>
<li><a href="#Add-Administrators-to-the-Acl-File">4.1.1.5 Add Administrators to the Acl File</a>
<li><a href="#Add-Administrators-to-the-Kerberos-Database">4.1.1.6 Add Administrators to the Kerberos Database</a>
<li><a href="#Create-a-kadmind-Keytab-_0028optional_0029">4.1.1.7 Create a kadmind Keytab (optional)</a>
<li><a href="#Start-the-Kerberos-Daemons">4.1.1.8 Start the Kerberos Daemons on the Master KDC</a>
<li><a href="#Install-the-Slave-KDCs">4.1.2 Install the Slave KDCs</a>
<li><a href="#Create-Host-Keys-for-the-Slave-KDCs">4.1.2.1 Create Host Keys for the Slave KDCs</a>
<li><a href="#Extract-Host-Keytabs-for-the-KDCs">4.1.2.2 Extract Host Keytabs for the KDCs</a>
<li><a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">4.1.2.3 Set Up the Slave KDCs for Database Propagation</a>
<li><a href="#Back-on-the-Master-KDC">4.1.3 Back on the Master KDC</a>
<li><a href="#Propagate-the-Database-to-Each-Slave-KDC">4.1.3.1 Propagate the Database to Each Slave KDC</a>
<li><a href="#Finish-Installing-the-Slave-KDCs">4.1.4 Finish Installing the Slave KDCs</a>
<li><a href="#Create-Stash-Files-on-the-Slave-KDCs">4.1.4.1 Create Stash Files on the Slave KDCs</a>
<li><a href="#Start-the-krb5kdc-Daemon-on-Each-KDC">4.1.4.2 Start the krb5kdc Daemon on Each KDC</a>
<li><a href="#Add-Kerberos-Principals-to-the-Database">4.1.5 Add Kerberos Principals to the Database</a>
<li><a href="#Limit-Access-to-the-KDCs">4.1.6 Limit Access to the KDCs</a>
<li><a href="#Switching-Master-and-Slave-KDCs">4.1.7 Switching Master and Slave KDCs</a>
<li><a href="#Incremental-Database-Propagation">4.1.8 Incremental Database Propagation</a>
<li><a href="#Sun_002fMIT-Incremental-Propagation-Differences">4.1.8.1 Sun/MIT Incremental Propagation Differences</a>
<li><a href="#Installing-and-Configuring-UNIX-Client-Machines">4.2 Installing and Configuring UNIX Client Machines</a>
<li><a href="#Client-Programs">4.2.1 Client Programs</a>
<li><a href="#Client-Machine-Configuration-Files">4.2.2 Client Machine Configuration Files</a>
<li><a href="#Mac-OS-X-Configuration">4.2.2.1 Mac OS X Configuration</a>
<li><a href="#UNIX-Application-Servers">4.3 UNIX Application Servers</a>
<li><a href="#Server-Programs">4.3.1 Server Programs</a>
<li><a href="#Server-Configuration-Files">4.3.2 Server Configuration Files</a>
<li><a href="#The-Keytab-File">4.3.3 The Keytab File</a>
<li><a href="#Some-Advice-about-Secure-Hosts">4.3.4 Some Advice about Secure Hosts</a>
<li><a name="toc_Upgrading-Existing-Kerberos-V5-Installations" href="#Upgrading-Existing-Kerberos-V5-Installations">5 Upgrading Existing Kerberos V5 Installations</a>
<li><a href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">5.1 Upgrading to Triple-DES Encryption Keys</a>
<li><a name="toc_Bug-Reports-for-Kerberos-V5" href="#Bug-Reports-for-Kerberos-V5">6 Bug Reports for Kerberos V5</a>
</div>
<div class="footnote">
<a name="texinfo-footnotes-in-document"></a><h4>Footnotes</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Kerberos V4 used port 750. If
necessary, you can run on both ports for backward compatibility.</p>
<p class="footnote"><small>[<a name="fn-2" href="#fnd-2">2</a>]</small> If you are fortunate enough to
have a previous version of Kerberos V5 or V4 installed, and the Kerberos
rlogin is first in your path, you can set up <span class="file">.k5login</span> or
<span class="file">.klogin</span> respectively to allow you access.</p>
</div>