~ubuntu-branches/ubuntu/oneiric/likewise-open/oneiric

<a name="What-is-Kerberos-and-How-Does-it-Work_003f"></a>Next: <a rel="next" accesskey="n" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,

649

Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,

650

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

651

<br>

652

</div>

653

654

<h3 class="section">1.1 What is Kerberos and How Does it Work?</h3>

655

656

<p>Kerberos V5 is based on the Kerberos authentication system developed

657

at MIT. Under Kerberos, a client (generally either a user or a service)

658

sends a request for a ticket to the Key Distribution Center (KDC). The

659

KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client,

660

encrypts it using the client's password as the key, and sends the

661

encrypted TGT back to the client. The client then attempts to decrypt

662

the TGT, using its password. If the client successfully decrypts the

663

TGT (<i>i.e.</i>, if the client gave the correct password), it keeps the

664

decrypted TGT, which indicates proof of the client's identity.

665

666

<p>The TGT, which expires at a specified time, permits the client to obtain

667

additional tickets, which give permission for specific services. The

668

requesting and granting of these additional tickets is user-transparent.

669

670

671

<p><hr>

672

<a name="Why-Should-I-use-Kerberos_003f"></a>Next: <a rel="next" accesskey="n" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,

673

Previous: <a rel="previous" accesskey="p" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>,

674

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

675

<br>

676

</div>

677

678

<h3 class="section">1.2 Why Should I use Kerberos?</h3>

679

680

<p>Since Kerberos negotiates authenticated, and optionally encrypted,

681

communications between two points anywhere on the Internet, it provides

682

a layer of security that is not dependent on which side of a firewall

683

either client is on. Since studies have shown that half of the computer

684

security breaches in industry happen from <i>inside</i> firewalls,

685

Kerberos V5 from MIT will play a vital role in the

686

security of your network.

687

688

689

<p><hr>

690

<a name="Please-Read-the-Documentation"></a>Next: <a rel="next" accesskey="n" href="#Overview-of-This-Guide">Overview of This Guide</a>,

691

Previous: <a rel="previous" accesskey="p" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,

692

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

693

<br>

694

</div>

695

696

<h3 class="section">1.3 Please Read the Documentation</h3>

697

698

<p>As with any software package that uses a centrallized database, the

699

installation procedure is somewhat involved, and requires forethought

700

and planning. MIT has attempted to make this

701

Kerberos V5 Installation Guide as concise as possible, rather than

702

making it an exhaustive description of the details of Kerberos.

703

Consequently, everything in this guide appears because MIT

704

believes that it is important. Please read and follow these

705

instructions carefully.

706

707

<p>This document is one piece of the document set for Kerberos V5. The

708

documents, and their intended audiences, are:

709

710

<ul>

711

<li><b>Kerberos V5 Installation Guide</b>: a concise guide for installing

712

Kerberos V5. Kerberos administrators (particularly whoever will be

713

making site-wide decisions about the installation) and the system

714

administrators who will be installing the software should read this

715

guide.

716

717

<li><b>Kerberos V5 System Administrator's Guide</b>: a sysadmin's guide to

718

administering a Kerberos installation. The System Administrator's Guide

719

describes the administration software and suggests policies and

720

procedures for administering a Kerberos installation. Anyone who will

721

have administrative access to your Kerberos database should read this

722

guide.

723

724

<li><b>Kerberos V5 UNIX User's Guide</b>: a guide to using the Kerberos

725

UNIX client programs. All users on UNIX systems should read this guide,

726

particularly the “Tutorial” section.

727

</ul>

728

729

730

<p><hr>

731

<a name="Overview-of-This-Guide"></a>Previous: <a rel="previous" accesskey="p" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,

732

Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>

733

<br>

734

</div>

735

736

<h3 class="section">1.4 Overview of This Guide</h3>

737

738

<p class="noindent">The next chapter describes the decisions you need to make before

739

installing Kerberos V5.

740

741

<p class="noindent">Chapter three provided instructions for building the Kerberos sources.

742

743

<p class="noindent">Chapter four describes installation procedures for each class of

744

Kerberos machines:

745

746

747

<li>Key Distribution Centers (KDCs).

748

749

750

<li>The Master KDC.

751

752

<li>Slave KDCs.

753

</ol>

754

755

<li>UNIX client machines

756

757

<li>UNIX application server machines

758

</ol>

759

760

<p class="noindent">Note that a machine can be both a client machine and an application

761

server.

762

763

<p class="noindent">Chapter five describes procedure for updating previous installations of

764

Kerberos V5.

765

766

<p class="noindent">Chapter six describes our problem reporting system.

767

768

769

<p><hr>

770

<a name="Realm-Configuration-Decisions"></a>Next: <a rel="next" accesskey="n" href="#Building-Kerberos-V5">Building Kerberos V5</a>,

771

Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,

772

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

773

<br>

774

</div>

775

776

<h2 class="chapter">2 Realm Configuration Decisions</h2>

777

778

<p>Before installing Kerberos V5, it is necessary to consider the

779

following issues:

780

781

<ul>

782

<li>The name of your Kerberos realm (or the name of each realm, if you need

783

more than one).

784

785

<li>How you will map your hostnames onto Kerberos realms.

786

787

<li>Which ports your KDC and and kadmin (database access) services will use.

788

789

<li>How many slave KDCs you need and where they should be located.

790

791

<li>The hostnames of your master and slave KDCs.

792

793

<li>How frequently you will propagate the database from the master KDC to

794

the slave KDCs.

795

</ul>

796

797

798

<li><a accesskey="1" href="#Kerberos-Realms">Kerberos Realms</a>

799

<li><a accesskey="2" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>

800

<li><a accesskey="3" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>

801

<li><a accesskey="4" href="#Slave-KDCs">Slave KDCs</a>

802

<li><a accesskey="5" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>

803

<li><a accesskey="6" href="#Database-Propagation">Database Propagation</a>

804

</ul>

805

806

807

<p><hr>

808

<a name="Kerberos-Realms"></a>Next: <a rel="next" accesskey="n" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,

809

Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,

810

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

811

<br>

812

</div>

813

814

<h3 class="section">2.1 Kerberos Realms</h3>

815

816

<p>Although your Kerberos realm can be any ASCII string, convention is to

817

make it the same as your domain name, in upper-case letters. For

818

example, hosts in the domain example.com would be in the

819

Kerberos realm EXAMPLE.COM.

820

821

<p>If you need multiple Kerberos realms, MIT recommends that

822

you use descriptive names which end with your domain name, such as

823

BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM.

824

825

826

<p><hr>

827

<a name="Mapping-Hostnames-onto-Kerberos-Realms"></a>Next: <a rel="next" accesskey="n" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,

828

Previous: <a rel="previous" accesskey="p" href="#Kerberos-Realms">Kerberos Realms</a>,

829

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

830

<br>

831

</div>

832

833

<h3 class="section">2.2 Mapping Hostnames onto Kerberos Realms</h3>

834

835

<p>Mapping hostnames onto Kerberos realms is done in one of two ways.

836

837

<p>The first mechanism, which has been in use for years in MIT-based

838

Kerberos distributions, works through a set of rules in

839

the <code>krb5.conf</code> configuration file. (See <a href="#krb5_002econf">krb5.conf</a>.) You can

840

specify mappings for an entire domain or subdomain, and/or on a

841

hostname-by-hostname basis. Since greater specificity takes precedence,

842

you would do this by specifying the mappings for a given domain or

843

subdomain and listing the exceptions.

844

845

<p>The second mechanism works by looking up the information in special

846

<code>TXT</code> records in the Domain Name Service. This is currently not

847

used by default because security holes could result if the DNS TXT

848

records were spoofed. If this mechanism is enabled on the client,

849

it will try to look up a <code>TXT</code> record for the DNS name formed by

850

putting the prefix <code>_kerberos</code> in front of the hostname in question.

851

If that record is not found, it will try using <code>_kerberos</code> and the

852

host's domain name, then its parent domain, and so forth. So for the

853

hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:

854

855

<pre class="smallexample"> _kerberos.boston.engineering.foobar.com

856

_kerberos.engineering.foobar.com

857

_kerberos.foobar.com

858

_kerberos.com

859

</pre>

860

<p>The value of the first TXT record found is taken as the realm name.

861

(Obviously, this doesn't work all that well if a host and a subdomain

862

have the same name, and different realms. For example, if all the hosts

863

in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM

864

realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in

865

another realm. In that case, you would set up TXT records for all

866

hosts, rather than relying on the fallback to the domain name.)

867

868

<p>Even if you do not choose to use this mechanism within your site, you

869

may wish to set it up anyway, for use when interacting with other sites.

870

871

872

<p><hr>

873

<a name="Ports-for-the-KDC-and-Admin-Services"></a>Next: <a rel="next" accesskey="n" href="#Slave-KDCs">Slave KDCs</a>,

874

Previous: <a rel="previous" accesskey="p" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,

875

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

876

<br>

877

</div>

878

879

<h3 class="section">2.3 Ports for the KDC and Admin Services</h3>

880

881

<p>The default ports used by Kerberos are port 88 for the

882

KDC<a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a> and

883

port 749 for the admin server. You can, however,

884

choose to run on other ports, as long as they are specified in each

885

host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the

886

<code>kdc.conf</code> file on each KDC. For a more thorough treatment of

887

port numbers used by the Kerberos V5 programs, refer to the

888

“Configuring Your Firewall to Work With Kerberos V5” section of

889

the <cite>Kerberos V5 System Administrator's Guide</cite>.

890

891

892

<p><hr>

893

<a name="Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,

894

Previous: <a rel="previous" accesskey="p" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,

895

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

896

<br>

897

</div>

898

899

<h3 class="section">2.4 Slave KDCs</h3>

900

901

<p>Slave KDCs provide an additional source of Kerberos ticket-granting

902

services in the event of inaccessibility of the master KDC. The number

903

of slave KDCs you need and the decision of where to place them, both

904

physically and logically, depends on the specifics of your network.

905

906

<p>All of the Kerberos authentication on your network requires that each

907

client be able to contact a KDC. Therefore, you need to anticipate any

908

likely reason a KDC might be unavailable and have a slave KDC to take up

909

the slack.

910

911

<p>Some considerations include:

912

913

<ul>

914

<li>Have at least one slave KDC as a backup, for when the master KDC is

915

down, is being upgraded, or is otherwise unavailable.

916

917

<li>If your network is split such that a network outage is likely to cause a

918

network partition (some segment or segments of the network to become cut

919

off or isolated from other segments), have a slave KDC accessible to

920

each segment.

921

922

<li>If possible, have at least one slave KDC in a different building from

923

the master, in case of power outages, fires, or other localized

924

disasters.

925

</ul>

926

927

928

<p><hr>

929

<a name="Hostnames-for-the-Master-and-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Database-Propagation">Database Propagation</a>,

930

Previous: <a rel="previous" accesskey="p" href="#Slave-KDCs">Slave KDCs</a>,

931

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

932

<br>

933

</div>

934

935

<h3 class="section">2.5 Hostnames for the Master and Slave KDCs</h3>

936

937

<p>MIT recommends that your KDCs have a predefined set of

938

CNAME records (DNS hostname aliases), such as <code>kerberos</code>

939

for the master KDC and

940

<code>kerberos-1</code>, <code>kerberos-2</code>, <small class="dots">...</small> for the

941

slave KDCs. This way, if you need to swap a machine, you only need to

942

change a DNS entry, rather than having to change hostnames.

943

944

<p>A new mechanism for locating KDCs of a realm through DNS has been added

945

to the MIT Kerberos V5 distribution. A relatively new

946

record type called <code>SRV</code> has been added to DNS. Looked up by a

947

service name and a domain name, these records indicate the hostname and

948

port number to contact for that service, optionally with weighting and

949

prioritization. (See RFC 2782 if you want more information. You can

950

follow the example below for straightforward cases.)

951

952

<p>The use with Kerberos is fairly straightforward. The domain name used

953

in the SRV record name is the domain-style Kerberos realm name. (It is

954

possible to have Kerberos realm names that are not DNS-style names, but

955

we don't recommend it for Internet use, and our code does not support it

956

well.) Several different Kerberos-related service names are used:

957

958

<dl>

959

<dt><code>_kerberos._udp</code><dd>This is for contacting any KDC by UDP. This entry will be used the most

960

often. Normally you should list port 88 on each of your KDCs.

961

962

963

964

965

966

<br><dt><code>_kerberos._tcp</code><dd>This is for contacting any KDC by TCP. The MIT KDC by default will not

967

listen on any TCP ports, so unless you've changed the configuration or

968

you're running another KDC implementation, you should leave this

969

unspecified. If you do enable TCP support, normally you should use

970

port 88.

971

972

<br><dt><code>_kerberos-master._udp</code><dd>This entry should refer to those KDCs, if any, that will immediately see

973

password changes to the Kerberos database. This entry is used only in

974

one case, when the user is logging in and the password appears to be

975

incorrect; the master KDC is then contacted, and the same password used

976

to try to decrypt the response, in case the user's password had recently

977

been changed and the first KDC contacted hadn't been updated. Only if

978

that fails is an “incorrect password” error given.

979

980

<p>If you have only one KDC, or for whatever reason there is no accessible

981

KDC that would get database changes faster than the others, you do not

982

need to define this entry.

983

984

<br><dt><code>_kerberos-adm._tcp</code><dd>This should list port 749 on your master KDC.

985

Support for it is not complete at this time, but it will eventually be

986

used by the <code>kadmin</code> program and related utilities. For now, you

987

will also need the <code>admin_server</code> entry in <code>krb5.conf</code>.

988

(See <a href="#krb5_002econf">krb5.conf</a>.)

989

990

<br><dt><code>_kpasswd._udp</code><dd>This should list port 464 on your master KDC.

991

It is used when a user changes her password.

992

993

</dl>

994

995

<p>Be aware, however, that the DNS SRV specification requires that the

996

hostnames listed be the canonical names, not aliases. So, for example,

997

you might include the following records in your (BIND-style) zone file:

998

999

<pre class="smallexample"> $ORIGIN foobar.com.

1000

_kerberos TXT "FOOBAR.COM"

1001

kerberos CNAME daisy

1002

kerberos-1 CNAME use-the-force-luke

1003

kerberos-2 CNAME bunny-rabbit

1004

_kerberos._udp SRV 0 0 88 daisy

1005

SRV 0 0 88 use-the-force-luke

1006

SRV 0 0 88 bunny-rabbit

1007

_kerberos-master._udp SRV 0 0 88 daisy

1008

_kerberos-adm._tcp SRV 0 0 749 daisy

1009

_kpasswd._udp SRV 0 0 464 daisy

1010

</pre>

1011

<p>As with the DNS-based mechanism for determining the Kerberos realm of a

1012

host, we recommend distributing the information this way for use by

1013

other sites that may want to interact with yours using Kerberos, even if

1014

you don't immediately make use of it within your own site. If you

1015

anticipate installing a very large number of machines on which it will

1016

be hard to update the Kerberos configuration files, you may wish to do

1017

all of your Kerberos service lookups via DNS and not put the information

1018

(except for <code>admin_server</code> as noted above) in future versions of

1019

your <code>krb5.conf</code> files at all. Eventually, we hope to phase out

1020

the listing of server hostnames in the client-side configuration files;

1021

making preparations now will make the transition easier in the future.

1022

1023

1024

<p><hr>

1025

<a name="Database-Propagation"></a>Previous: <a rel="previous" accesskey="p" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,

1026

Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

1027

<br>

1028

</div>

1029

1030

<h3 class="section">2.6 Database Propagation</h3>

1031

1032

<p>The Kerberos database resides on the master KDC, and must be propagated

1033

regularly (usually by a cron job) to the slave KDCs. In deciding how

1034

frequently the propagation should happen, you will need to balance the

1035

amount of time the propagation takes against the maximum reasonable

1036

amount of time a user should have to wait for a password change to take

1037

effect.

1038

1039

<p>If the propagation time is longer than this maximum reasonable time

1040

(<i>e.g.,</i> you have a particularly large database, you have a lot of

1041

slaves, or you experience frequent network delays), you may wish to

1042

cut down on your propagation delay by performing the propagation in

1043

parallel. To do this, have the master KDC propagate the database to one

1044

set of slaves, and then have each of these slaves propagate the database

1045

to additional slaves.

1046

1047

1048

<p><hr>

1049

<a name="Building-Kerberos-V5"></a>Next: <a rel="next" accesskey="n" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,

1050

Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,

1051

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

1052

<br>

1053

</div>

1054

1055

<h2 class="chapter">3 Building Kerberos V5</h2>

1056

1057

<p>Kerberos V5 uses a configuration system built using the Free

1058

Software Foundation's <span class="samp">autoconf</span> program. This system makes

1059

Kerberos V5 much simpler to build and reduces the amount of effort

1060

required in porting Kerberos V5 to a new platform.

1061

1062

1063

<li><a accesskey="1" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>: Description of the source tree.

1064

<li><a accesskey="2" href="#Build-Requirements">Build Requirements</a>: How much disk space, etc. you need to

1065

build Kerberos.

1066

<li><a accesskey="3" href="#Unpacking-the-Sources">Unpacking the Sources</a>: Preparing the source tree.

1067

<li><a accesskey="4" href="#Doing-the-Build">Doing the Build</a>: Compiling Kerberos.

1068

<li><a accesskey="5" href="#Installing-the-Binaries">Installing the Binaries</a>: Installing the compiled binaries.

1069

<li><a accesskey="6" href="#Testing-the-Build">Testing the Build</a>: Making sure Kerberos built correctly.

1070

<li><a accesskey="7" href="#Options-to-Configure">Options to Configure</a>: Command-line options to Configure

1071

<li><a accesskey="8" href="#osconf_002eh">osconf.h</a>: Header file-specific configurations

1072

<li><a accesskey="9" href="#Shared-Library-Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5

1073

<li><a href="#OS-Incompatibilities">OS Incompatibilities</a>: Special cases to watch for.

1074

<li><a href="#Using-Autoconf">Using Autoconf</a>: Modifying Kerberos V5's

1075

configuration scripts.

1076

</ul>

1077

1078

1079

<p><hr>

1080

<a name="Organization-of-the-Source-Directory"></a>Next: <a rel="next" accesskey="n" href="#Build-Requirements">Build Requirements</a>,

1081

Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,

1082

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1083

<br>

1084

</div>

1085

1086

<h3 class="section">3.1 Organization of the Source Directory</h3>

1087

1088

<p>Below is a brief overview of the organization of the complete source

1089

directory. More detailed descriptions follow.

1090

1091

<dl>

1092

<dt><b>appl</b><dd>applications with Kerberos V5 extensions

1093

<dt><b>clients</b><dd>Kerberos V5 user programs

1094

<dt><b>gen-manpages</b><dd>manpages for Kerberos V5 and the Kerberos V5 login program

1095

<dt><b>include</b><dd>include files

1096

<dt><b>kadmin</b><dd>administrative interface to the Kerberos master database

1097

<dt><b>kdc</b><dd>the Kerberos V5 Authentication Service and Key Distribution Center

1098

<dt><b>krb524</b><dd>utilities for converting between Kerberos 4 and Kerberos 5

1099

<dt><b>lib</b><dd>libraries for use with/by Kerberos V5

1100

<dt><b>mac</b><dd>source code for building Kerberos V5 on MacOS

1101

<dt><b>prototype</b><dd>templates for source code files

1102

<dt><b>slave</b><dd>utilities for propagating the database to slave KDCs

1103

<dt><b>tests</b><dd>test suite

1104

<dt><b>util</b><dd>various utilities for building/configuring the code, sending bug reports, etc.

1105

<dt><b>windows</b><dd>source code for building Kerberos V5 on Windows (see windows/README)

1106

</dl>

1107

1108

1109

<li><a accesskey="1" href="#The-appl-Directory">The appl Directory</a>

1110

<li><a accesskey="2" href="#The-clients-Directory">The clients Directory</a>

1111

<li><a accesskey="3" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>

1112

<li><a accesskey="4" href="#The-include-Directory">The include Directory</a>

1113

<li><a accesskey="5" href="#The-kadmin-Directory">The kadmin Directory</a>

1114

<li><a accesskey="6" href="#The-kdc-Directory">The kdc Directory</a>

1115

<li><a accesskey="7" href="#The-krb524-Directory">The krb524 Directory</a>

1116

<li><a accesskey="8" href="#The-lib-Directory">The lib Directory</a>

1117

<li><a accesskey="9" href="#The-prototype-Directory">The prototype Directory</a>

1118

<li><a href="#The-slave-Directory">The slave Directory</a>

1119

<li><a href="#The-util-Directory">The util Directory</a>

1120

</ul>

1121

1122

1123

<p><hr>

1124

<a name="The-appl-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-clients-Directory">The clients Directory</a>,

1125

Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,

1126

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1127

<br>

1128

</div>

1129

1130

<h4 class="subsection">3.1.1 The appl Directory</h4>

1131

1132

<p>The Kerberos release provides certain UNIX utilities, modified to use

1133

Kerberos authentication. In the <i>appl/bsd</i> directory are the

1134

Berkeley utilities <i>login</i>, <i>rlogin</i>, <i>rsh</i>, and <i>rcp</i>, as well as

1135

the associated daemons <i>kshd</i> and <i>klogind</i>. The <i>login</i> program

1136

obtains ticket-granting tickets for users upon login; the other utilities

1137

provide authenticated Unix network services.

1138

1139

<p>The <i>appl</i> directory also contains Kerberized telnet and ftp programs,

1140

as well as sample Kerberos application client and server programs.

1141

1142

1143

<p><hr>

1144

<a name="The-clients-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,

1145

Previous: <a rel="previous" accesskey="p" href="#The-appl-Directory">The appl Directory</a>,

1146

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1147

<br>

1148

</div>

1149

1150

<h4 class="subsection">3.1.2 The clients Directory</h4>

1151

1152

<p>This directory contains the code for several user-oriented programs.

1153

1154

<dl>

1155

<dt><b>kdestroy</b><dd>This program destroys the user's active Kerberos authorization tickets.

1156

MIT recommends that users <code>kdestroy</code> before logging out.

1157

1158

<dt><b>kinit</b><dd>This program prompts users for their Kerberos principal name and password,

1159

and attempts to get an initial ticket-granting-ticket for that principal.

1160

1161

<dt><b>klist</b><dd>This program lists the Kerberos principal and Kerberos tickets held in

1162

a credentials cache, or the keys held in a keytab file.

1163

1164

<dt><b>kpasswd</b><dd>This program changes a user's Kerberos password.

1165

1166

<dt><b>ksu</b><dd>This program is a Kerberized version of the <code>su</code> program that is

1167

meant to securely change the real and effective user ID to that of the

1168

target user and to create a new security context.

1169

1170

<dt><b>kvno</b><dd>This program acquires a service ticket for the specified Kerberos

1171

principals and prints out the key version numbers of each.

1172

</dl>

1173

1174

1175

<p><hr>

1176

<a name="The-gen_002dmanpages-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-include-Directory">The include Directory</a>,

1177

Previous: <a rel="previous" accesskey="p" href="#The-clients-Directory">The clients Directory</a>,

1178

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1179

<br>

1180

</div>

1181

1182

<h4 class="subsection">3.1.3 The gen-manpages Directory</h4>

1183

1184

<p>There are two manual pages in this directory. One is an introduction

1185

to the Kerberos system. The other describes the <code>.k5login</code> file

1186

which allows users to give access with their UID to other users

1187

authenticated by the Kerberos system.

1188

1189

1190

<p><hr>

1191

<a name="The-include-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-kadmin-Directory">The kadmin Directory</a>,

1192

Previous: <a rel="previous" accesskey="p" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,

1193

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1194

<br>

1195

</div>

1196

1197

<h4 class="subsection">3.1.4 The include Directory</h4>

1198

1199

<p>This directory contains the <i>include</i> files needed to build the

1200

Kerberos system.

1201

1202

1203

<p><hr>

1204

<a name="The-kadmin-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-kdc-Directory">The kdc Directory</a>,

1205

Previous: <a rel="previous" accesskey="p" href="#The-include-Directory">The include Directory</a>,

1206

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1207

<br>

1208

</div>

1209

1210

<h4 class="subsection">3.1.5 The kadmin Directory</h4>

1211

1212

<p>In this directory is the code for the utilities <code>kadmin</code>,

1213

<code>kadmin.local</code>, <code>kdb5_util</code>, and <code>ktutil</code>.

1214

<code>ktutil</code> is the Kerberos keytab file maintenance utility from

1215

which a Kerberos administrator can read, write, or edit entries in a

1216

Kerberos V5 keytab or Kerberos V4 srvtab. <code>kadmin</code> and

1217

<code>kadmin.local</code> are command-line interfaces to the Kerberos V5 KADM5

1218

administration system. <code>kadmin.local</code> runs on the master KDC and

1219

does not use Kerberos to authenticate to the database, while

1220

<code>kadmin</code> uses Kerberos authentication and an encrypted RPC. The

1221

two provide identical functionalities, which allow administrators to

1222

modify the database of Kerberos principals. <code>kdb5_util</code> allows

1223

administrators to perform low-level maintenance procedures on Kerberos

1224

and the KADM5 database. With this utility, databases can be created,

1225

destroyed, or dumped to and loaded from ASCII files. It can also be

1226

used to create master key stash files.

1227

1228

1229

<p><hr>

1230

<a name="The-kdc-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-krb524-Directory">The krb524 Directory</a>,

1231

Previous: <a rel="previous" accesskey="p" href="#The-kadmin-Directory">The kadmin Directory</a>,

1232

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1233

<br>

1234

</div>

1235

1236

<h4 class="subsection">3.1.6 The kdc Directory</h4>

1237

1238

<p>This directory contains the code for the <code>krb5kdc</code> daemon, the

1239

Kerberos Authentication Service and Key Distribution Center.

1240

1241

1242

<p><hr>

1243

<a name="The-krb524-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-lib-Directory">The lib Directory</a>,

1244

Previous: <a rel="previous" accesskey="p" href="#The-kdc-Directory">The kdc Directory</a>,

1245

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1246

<br>

1247

</div>

1248

1249

<h4 class="subsection">3.1.7 The krb524 Directory</h4>

1250

1251

<p>This directory contains the code for <code>krb524</code>, a service that

1252

converts Kerberos V5 credentials into Kerberos V4 credentials suitable

1253

for use with applications that for whatever reason do not use V5

1254

directly.

1255

1256

1257

<p><hr>

1258

<a name="The-lib-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-prototype-Directory">The prototype Directory</a>,

1259

Previous: <a rel="previous" accesskey="p" href="#The-krb524-Directory">The krb524 Directory</a>,

1260

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1261

<br>

1262

</div>

1263

1264

<h4 class="subsection">3.1.8 The lib Directory</h4>

1265

1266

<p>The <i>lib</i> directory contain 10 subdirectories as well as some

1267

definition and glue files. The <i>crypto</i> subdirectory contains the

1268

Kerberos V5 encryption library. The <i>des425</i> subdirectory exports

1269

the Kerberos V4 encryption API, and translates these functions into

1270

calls to the Kerberos V5 encryption API. The <i>gssapi</i> library

1271

contains the Generic Security Services API, which is a library of

1272

commands to be used in secure client-server communication. The

1273

<i>kadm5</i> directory contains the libraries for the KADM5 administration

1274

utilities. The Kerberos 5 database libraries are contained in

1275

<i>kdb</i>. The directories <i>krb4</i> and <i>krb5</i> contain the Kerberos 4

1276

and Kerberos 5 APIs, respectively. The <i>rpc</i> directory contains the

1277

API for the Kerberos Remote Procedure Call protocol.

1278

1279

1280

<p><hr>

1281

<a name="The-prototype-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-slave-Directory">The slave Directory</a>,

1282

Previous: <a rel="previous" accesskey="p" href="#The-lib-Directory">The lib Directory</a>,

1283

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1284

<br>

1285

</div>

1286

1287

<h4 class="subsection">3.1.9 The prototype Directory</h4>

1288

1289

<p>This directory contains several template files. The <code>prototype.h</code>

1290

and <code>prototype.c</code> files contain the MIT copyright message and a

1291

placeholder for the title and description of the file.

1292

<code>prototype.h</code> also has a short template for writing <code>ifdef</code>

1293

and <code>ifndef</code> preprocessor statements. The <code>getopt.c</code> file

1294

provides a template for writing code that will parse the options with

1295

which a program was called.

1296

1297

1298

<p><hr>

1299

<a name="The-slave-Directory"></a>Next: <a rel="next" accesskey="n" href="#The-util-Directory">The util Directory</a>,

1300

Previous: <a rel="previous" accesskey="p" href="#The-prototype-Directory">The prototype Directory</a>,

1301

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1302

<br>

1303

</div>

1304

1305

<h4 class="subsection">3.1.10 The slave Directory</h4>

1306

1307

<p>This directory contains code which allows for the propagation of the

1308

Kerberos principal database from the master KDC to slave KDCs over an

1309

encrypted, secure channel. <code>kprop</code> is the program which actually

1310

propagates the database dump file. <code>kpropd</code> is the Kerberos V5

1311

slave KDC update server which accepts connections from the <code>kprop</code>

1312

program. <code>kslave_update</code> is a script that takes the name of a

1313

slave server, and propagates the database to that server if the

1314

database has been modified since the last dump or if the database has

1315

been dumped since the last propagation.

1316

1317

1318

<p><hr>

1319

<a name="The-util-Directory"></a>Previous: <a rel="previous" accesskey="p" href="#The-slave-Directory">The slave Directory</a>,

1320

Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

1321

<br>

1322

</div>

1323

1324

<h4 class="subsection">3.1.11 The util Directory</h4>

1325

1326

<p>This directory contains several utility programs and libraries. The

1327

programs used to configure and build the code, such as <code>autoconf</code>,

1328

<code>lndir</code>, <code>kbuild</code>, <code>reconf</code>, and <code>makedepend</code>,

1329

are in this directory. The <i>profile</i> directory contains most of the

1330

functions which parse the Kerberos configuration files (<code>krb5.conf</code>

1331

and <code>kdc.conf</code>). Also in this directory are the Kerberos error table

1332

library and utilities (<i>et</i>), the Sub-system library and utilities

1333

(<i>ss</i>), database utilities (<i>db2</i>), pseudo-terminal utilities

1334

(<i>pty</i>), bug-reporting program <code>send-pr</code>, and a generic

1335

support library <code>support</code> used by several of our other libraries.

1336

1337

1338

<p><hr>

1339

<a name="Build-Requirements"></a>Next: <a rel="next" accesskey="n" href="#Unpacking-the-Sources">Unpacking the Sources</a>,

1340

Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,

1341

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1342

<br>

1343

</div>

1344

1345

<h3 class="section">3.2 Build Requirements</h3>

1346

1347

<p>In order to build Kerberos V5, you will need approximately 60-70

1348

megabytes of disk space. The exact amount will vary depending on the

1349

platform and whether the distribution is compiled with debugging symbol

1350

tables or not.

1351

1352

<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”).

1353

Some operating systems do not have an ANSI C compiler, or their

1354

default compiler requires extra command-line options to enable ANSI C

1355

conformance.

1356

1357

<p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled

1358

<span class="file">*.o</span> file and executables, separate from your source tree, you

1359

will need a <span class="samp">make</span> program which supports <span class="samp">VPATH</span>, or

1360

you will need to use a tool such as <span class="samp">lndir</span> to produce a symbolic

1361

link tree for your build tree.

1362

1363

1364

1365

<p><hr>

1366

<a name="Unpacking-the-Sources"></a>Next: <a rel="next" accesskey="n" href="#Doing-the-Build">Doing the Build</a>,

1367

Previous: <a rel="previous" accesskey="p" href="#Build-Requirements">Build Requirements</a>,

1368

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1369

<br>

1370

</div>

1371

1372

<h3 class="section">3.3 Unpacking the Sources</h3>

1373

1374

<p>The first step in each of these build procedures is to unpack the

1375

source distribution. The Kerberos V5 distribution comes in a tar file,

1376

generally named <span class="file">krb5-1.7.tar</span>, which contains a

1377

compressed tar file consisting of the sources for all of Kerberos

1378

(generally <span class="file">krb5-1.7.tar.gz</span>) and a PGP signature for

1379

this source tree (generally <span class="file">krb5-1.7.tar.gz.asc</span>).

1380

MIT highly recommends that you verify the integrity of the

1381

source code using this signature.

1382

1383

<p>Unpack the compressed tar file in some directory, such as

1384

<span class="file">/u1/krb5-1.7</span>. (In the rest of this document, we

1385

will assume that you have chosen to unpack the Kerberos V5 source

1386

distribution in this directory. Note that the tarfiles will by default

1387

all unpack into the <span class="file">./krb5-1.7</span> directory, so that if

1388

your current directory is <span class="file">/u1</span> when you unpack the tarfiles, you

1389

will get <span class="file">/u1/krb5-1.7/src</span>, etc.)

1390

1391

1392

<p><hr>

1393

<a name="Doing-the-Build"></a>Next: <a rel="next" accesskey="n" href="#Installing-the-Binaries">Installing the Binaries</a>,

1394

Previous: <a rel="previous" accesskey="p" href="#Unpacking-the-Sources">Unpacking the Sources</a>,

1395

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1396

<br>

1397

</div>

1398

1399

<h3 class="section">3.4 Doing the Build</h3>

1400

1401

<p>You have a number of different options in how to build Kerberos. If you

1402

only need to build Kerberos for one platform, using a single directory

1403

tree which contains both the source files and the object files is the

1404

simplest. However, if you need to maintain Kerberos for a large number

1405

of platforms, you will probably want to use separate build trees for

1406

each platform. We recommend that you look at <a href="#OS-Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating

1407

systems.

1408

1409

1410

<li><a accesskey="1" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>

1411

<li><a accesskey="2" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>

1412

<li><a accesskey="3" href="#Building-using-lndir">Building using lndir</a>

1413

</ul>

1414

1415

1416

<p><hr>

1417

<a name="Building-Within-a-Single-Tree"></a>Next: <a rel="next" accesskey="n" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,

1418

Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,

1419

Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

1420

<br>

1421

</div>

1422

1423

<h4 class="subsection">3.4.1 Building Within a Single Tree</h4>

1424

1425

<p>If you don't want separate build trees for each architecture, then

1426

use the following abbreviated procedure.

1427

1428

1429

1430

<li> <code>./configure</code>

1431

1432

</ol>

1433

1434

<p>That's it!

1435

1436

1437

<p><hr>

1438

<a name="Building-with-Separate-Build-Directories"></a>Next: <a rel="next" accesskey="n" href="#Building-using-lndir">Building using lndir</a>,

1439

Previous: <a rel="previous" accesskey="p" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>,

1440

Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

1441

<br>

1442

</div>

1443

1444

<h4 class="subsection">3.4.2 Building with Separate Build Directories</h4>

1445

1446

<p>If you wish to keep separate build directories for each platform, you

1447

can do so using the following procedure. (Note, this requires that your

1448

<span class="samp">make</span> program support <span class="samp">VPATH</span>. GNU's make will provide this

1449

functionality, for example.) If your <span class="samp">make</span> program does not

1450

support this, see the next section.

1451

1452

<p>For example, if you wish to create a build directory for <code>pmax</code> binaries

1453

you might use the following procedure:

1454

1455

1456

<li><code>mkdir /u1/krb5-1.7/pmax</code>

1457

1458

<li> <code>../src/configure</code>

1459

1460

</ol>

1461

1462

1463

<p><hr>

1464

<a name="Building-using-lndir"></a>Previous: <a rel="previous" accesskey="p" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,

1465

Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

1466

<br>

1467

</div>

1468

1469

<h4 class="subsection">3.4.3 Building Using <span class="samp">lndir</span></h4>

1470

1471

<p>If you wish to keep separate build directories for each platform, and

1472

you do not have access to a <span class="samp">make</span> program which supports <span class="samp">VPATH</span>,

1473

all is not lost. You can use the <span class="samp">lndir</span> program to create

1474

symbolic link trees in your build directory.

1475

1476

<p>For example, if you wish to create a build directory for solaris binaries

1477

you might use the following procedure:

1478

1479

1480

<li> <code>mkdir /u1/krb5-1.7/solaris</code>

1481

<li> <code>cd /u1/krb5-1.7/solaris</code>

1482

<li> <code>/u1/krb5-1.7/src/util/lndir `pwd`/../src</code>

1483

<li> <code>./configure</code>

1484

1485

</ol>

1486

1487

<p>You must give an absolute pathname to <span class="samp">lndir</span> because it has a bug that

1488

makes it fail for relative pathnames. Note that this version differs

1489

from the latest version as distributed and installed by the XConsortium

1490

with X11R6. Either version should be acceptable.

1491

1492

1493

<p><hr>

1494

<a name="Installing-the-Binaries"></a>Next: <a rel="next" accesskey="n" href="#Testing-the-Build">Testing the Build</a>,

1495

Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,

1496

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1497

<br>

1498

</div>

1499

1500

<h3 class="section">3.5 Installing the Binaries</h3>

1501

1502

<p>Once you have built Kerberos, you should install the binaries. You

1503

can do this by running:

1504

1505

<pre class="example"> % make install

1506

</pre>

1507

<p>If you want to install the binaries into a destination directory that

1508

is not their final destination, which may be convenient if you want to

1509

build a binary distribution to be deployed on multiple hosts, you may

1510

use:

1511

1512

<pre class="example"> % make install DESTDIR=/path/to/destdir

1513

</pre>

1514

<p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the

1515

user programs will install into <code>DESTDIR/PREFIX/bin</code>, the

1516

libraries into <code>DESTDIR/PREFIX/lib</code>, etc.

1517

1518

<p>Note that if you want to test the build (see <a href="#Testing-the-Build">Testing the Build</a>),

1519

you usually do not need to do a <code>make install</code> first.

1520

1521

<p>Some implementations of <span class="samp">make</span> allow multiple commands to be run in

1522

parallel, for faster builds. We test our Makefiles in parallel builds with

1523

GNU <span class="samp">make</span> only; they may not be compatible with other parallel build

1524

implementations.

1525

1526

1527

<p><hr>

1528

<a name="Testing-the-Build"></a>Next: <a rel="next" accesskey="n" href="#Options-to-Configure">Options to Configure</a>,

1529

Previous: <a rel="previous" accesskey="p" href="#Installing-the-Binaries">Installing the Binaries</a>,

1530

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1531

<br>

1532

</div>

1533

1534

<h3 class="section">3.6 Testing the Build</h3>

1535

1536

<p>The Kerberos V5 distribution comes with built-in regression tests. To

1537

run them, simply type the following command while in the top-level build

1538

directory (i.e., the directory where you sent typed <span class="samp">make</span> to start

1539

building Kerberos; see <a href="#Doing-the-Build">Doing the Build</a>.):

1540

1541

<pre class="example"> % make check

1542

</pre>

1543

<p>However, there are several prerequisites that must be satisfied first:

1544

1545

<ul>

1546

<li>Configure and build Kerberos with Tcl support. Tcl is used to drive the

1547

test suite. This often means passing <code>--with-tcl</code> to configure to

1548

tell it the location of the Tcl configuration script. (See

1549

See <a href="#Options-to-Configure">Options to Configure</a>.)

1550

1551

<li>You have to run <span class="samp">make install</span> before running <span class="samp">make check</span>, or

1552

the test suite will often pick up the installed version of Kerberos

1553

rather than the newly built one. You can install into a prefix that

1554

isn't in the system library search path, though. This theoretically

1555

could be fixed with the appropriate environment variable magic in the

1556

test suite, but hasn't been yet.

1557

1558

<li>In order to test the RPC layer, the local system has to be running the

1559

<span class="command">portmap</span> daemon and it has to be listening to the regular

1560

network interface (not just localhost).

1561

</ul>

1562

1563

1564

<li><a accesskey="1" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>

1565

<li><a accesskey="2" href="#The-KADM5-Tests">The KADM5 Tests</a>

1566

</ul>

1567

1568

1569

<p><hr>

1570

<a name="The-DejaGnu-Tests"></a>Next: <a rel="next" accesskey="n" href="#The-KADM5-Tests">The KADM5 Tests</a>,

1571

Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,

1572

Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>

1573

<br>

1574

</div>

1575

1576

<h4 class="subsection">3.6.1 The DejaGnu Tests</h4>

1577

1578

<p>Some of the built-in regression tests are setup to use the DejaGnu

1579

framework for running tests. These tests tend to be more comprehensive

1580

than the normal built-in tests as they setup test servers and test

1581

client/server activities.

1582

1583

<p>DejaGnu may be found wherever GNU software is archived.

1584

1585

<p>Most of the tests are setup to run as a non-privileged user. For some

1586

of the krb-root tests to work properly, either (a) the user running the

1587

tests must not have a .k5login file in the home directory or (b) the

1588

.k5login file must contain an entry for <code><username>@KRBTEST.COM</code>.

1589

There are two series of tests (<span class="samp">rlogind</span> and <span class="samp">telnetd</span>) which

1590

require the ability to <span class="samp">rlogin</span> as root to the local

1591

machine. Admittedly, this does require the use of a <span class="file">.rhosts</span> file

1592

or some authenticated means. <a rel="footnote" href="#fn-2" name="fnd-2"><sup>2</sup></a>

1593

1594

<p>If you cannot obtain root access to your machine, all the other tests

1595

will still run. Note however, with DejaGnu 1.2, the "untested testcases"

1596

will cause the testsuite to exit with a non-zero exit status which

1597

<span class="samp">make</span> will consider a failure of the testing process. Do not worry

1598

about this, as these tests are the last run when <span class="samp">make check</span> is

1599

executed from the top level of the build tree. This problem does not

1600

exist with DejaGnu 1.3.

1601

1602

1603

<p><hr>

1604

<a name="The-KADM5-Tests"></a>Previous: <a rel="previous" accesskey="p" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>,

1605

Up: <a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>

1606

<br>

1607

</div>

1608

1609

<h4 class="subsection">3.6.2 The KADM5 Tests</h4>

1610

1611

<p>Regression tests for the KADM5 system, including the GSS-RPC, KADM5

1612

client and server libraries, and kpasswd, are also included in this

1613

release. Each set of KADM5 tests is contained in a sub-directory called

1614

<code>unit-test</code> directly below the system being tested. For example,

1615

lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all

1616

based on DejaGnu (but they are not actually called part of "The DejaGnu

1617

tests," whose naming predates the inclusion of the KADM5 system). In

1618

addition, they require the Tool Command Language (TCL) header files and

1619

libraries to be available during compilation and some of the tests also

1620

require Perl in order to operate. If all of these resources are not

1621

available during configuration, the KADM5 tests will not run. The TCL

1622

installation directory can be specified with the <code>--with-tcl</code>

1623

configure option. (See See <a href="#Options-to-Configure">Options to Configure</a>.) The runtest and

1624

perl programs must be in the current execution path.

1625

1626

<p>If you install DejaGnu, TCL, or Perl after configuring and building

1627

Kerberos and then want to run the KADM5 tests, you will need to

1628

re-configure the tree and run <code>make</code> at the top level again to make

1629

sure all the proper programs are built. To save time, you actually only

1630

need to reconfigure and build in the directories src/kadmin/testing,

1631

src/lib/rpc, src/lib/kadm5.

1632

1633

1634

<p><hr>

1635

<a name="Options-to-Configure"></a>Next: <a rel="next" accesskey="n" href="#osconf_002eh">osconf.h</a>,

1636

Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,

1637

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1638

<br>

1639

</div>

1640

1641

<h3 class="section">3.7 Options to Configure</h3>

1642

1643

<p>There are a number of options to <span class="samp">configure</span> which you can use to

1644

control how the Kerberos distribution is built. The following table

1645

lists the most commonly used options to Kerberos V5's <span class="samp">configure</span>

1646

program.

1647

1648

<dl>

1649

1650

Provides help to configure. This will list the set of commonly used

1651

options for building Kerberos.

1652

1653

<br><dt><code>--prefix=PREFIX</code><dd>

1654

By default, Kerberos will install the package's files rooted at

1655

`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you

1656

desire a different location, use this option.

1657

1658

<br><dt><code>--exec-prefix=EXECPREFIX</code><dd>

1659

This option allows one to separate the architecture independent programs

1660

from the configuration files and manual pages.

1661

1662

<br><dt><code>--localstatedir=LOCALSTATEDIR</code><dd>

1663

This option sets the directory for locally modifiable single-machine

1664

data. In Kerberos, this mostly is useful for setting a location for the

1665

KDC data files, as they will be installed in

1666

<code>LOCALSTATEDIR/krb5kdc</code>, which is by default

1667

<code>PREFIX/var/krb5kdc</code>.

1668

1669

<br><dt><code>CC=COMPILER</code><dd>

1670

Use <code>COMPILER</code> as the C compiler.

1671

1672

<br><dt><code>CFLAGS=FLAGS</code><dd>

1673

Use <code>FLAGS</code> as the default set of C compiler flags.

1674

1675

<p>Note that if you use the native Ultrix compiler on a

1676

DECstation you are likely to lose if you pass no flags to cc; md4.c

1677

takes an estimated 3,469 billion years to compile if you provide neither

1678

the <span class="samp">-g</span> flag nor the <span class="samp">-O</span> flag to <span class="samp">cc</span>.

1679

1680

<br><dt><code>CPPFLAGS=CPPOPTS</code><dd>

1681

Use <code>CPPOPTS</code> as the default set of C preprocessor flags. The most

1682

common use of this option is to select certain <code>#define</code>'s for use

1683

with the operating system's include files.

1684

1685

<br><dt><code>LD=LINKER</code><dd>

1686

Use <code>LINKER</code> as the default loader if it should be different from C

1687

compiler as specified above.

1688

1689

<br><dt><code>LDFLAGS=LDOPTS</code><dd>

1690

This option allows one to specify optional arguments to be passed to the

1691

linker. This might be used to specify optional library paths.

1692

1693

1694

This option enables Kerberos V4 backwards compatibility using the

1695

builtin Kerberos V4 library.

1696

1697

1698

This option enables Kerberos V4 backwards compatibility using a

1699

pre-existing Kerberos V4 installation. The directory specified by

1700

<code>KRB4DIR</code> specifies where the V4 header files should be found

1701

(<span class="file">KRB4DIR/include</span>) as well as where the V4 Kerberos library should

1702

be found (<span class="file">KRB4DIR/lib</span>).

1703

1704

<br><dt><code>--without-krb4</code><dd>

1705

Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4

1706

clients from using the V5 services including the KDC. This would be

1707

useful if you know you will never install or need to interact with V4

1708

clients.

1709

1710

<br><dt><code>--with-netlib[=libs]</code><dd>

1711

Allows for suppression of or replacement of network libraries. By

1712

default, Kerberos V5 configuration will look for <code>-lnsl</code> and

1713

<code>-lsocket</code>. If your operating system has a broken resolver library

1714

(see <a href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in

1715

<span class="file">src/tests/resolv</span> you will need to use this option.

1716

1717

<br><dt><code>--with-tcl=TCLPATH</code><dd>

1718

Some of the unit-tests in the build tree rely upon using a program in

1719

Tcl. The directory specified by <code>TCLPATH</code> specifies where the Tcl

1720

header file (<span class="file">TCLPATH/include/tcl.h</span> as well as where the Tcl

1721

library should be found (<span class="file">TCLPATH/lib</span>).

1722

1723

<br><dt><code>--enable-shared</code><dd>

1724

This option will turn on the building and use of shared library objects

1725

in the Kerberos build. This option is only supported on certain

1726

platforms.

1727

1728

<br><dt><code>--enable-dns</code><br><dt><code>--enable-dns-for-kdc</code><br><dt><code>--enable-dns-for-realm</code><dd>

1729

Enable the use of DNS to look up a host's Kerberos realm, or a realm's

1730

KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to

1731

locate the KDCs, and <a href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a> for

1732

information about using DNS to determine the default realm. By default,

1733

DNS lookups are enabled for the former but not for the latter.

1734

1735

<br><dt><code>--enable-kdc-replay-cache</code><dd>

1736

Enable a cache in the KDC to detect retransmitted messages, and resend

1737

the previous responses to them. This protects against certain types of

1738

attempts to extract information from the KDC through some of the

1739

hardware preauthentication systems.

1740

1741

<br><dt><code>--with-system-et</code><dd>

1742

Use an installed version of the error-table support software, the

1743

<span class="samp">compile_et</span> program, the <span class="file">com_err.h</span> header file and the

1744

<span class="file">com_err</span> library. If these are not in the default locations,

1745

you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and

1746

<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as

1747

well.

1748

1749

<p>If this option is not given, a version supplied with the Kerberos

1750

sources will be built and installed along with the rest of the

1751

Kerberos tree, for Kerberos applications to link against.

1752

1753

<br><dt><code>--with-system-ss</code><dd>

1754

Use an installed version of the subsystem command-line interface

1755

software, the <span class="samp">mk_cmds</span> program, the <span class="file">ss/ss.h</span> header file

1756

and the <span class="file">ss</span> library. If these are not in the default locations,

1757

you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and

1758

<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as

1759

well. See also the <span class="samp">SS_LIB</span> option.

1760

1761

<p>If this option is not given, the <span class="file">ss</span> library supplied with the

1762

Kerberos sources will be compiled and linked into those programs that

1763

need it; it will not be installed separately.

1764

1765

1766

If <span class="samp">-lss</span> is not the correct way to link in your installed

1767

<span class="file">ss</span> library, for example if additional support libraries are

1768

needed, specify the correct link options here. Some variants of this

1769

library are around which allow for Emacs-like line editing, but

1770

different versions require different support libraries to be

1771

explicitly specified.

1772

1773

<p>This option is ignored if <span class="samp">--with-system-ss</span> is not specified.

1774

1775

<br><dt><code>--with-system-db</code><dd>

1776

Use an installed version of the Berkeley DB package, which must

1777

provide an API compatible with version 1.85. This option is

1778

<em>unsupported</em> and untested. In particular, we do not know if the

1779

database-rename code used in the dumpfile load operation will behave

1780

properly.

1781

1782

<p>If this option is not given, a version supplied with the Kerberos

1783

sources will be built and installed. (We are not updating this

1784

version at this time because of licensing issues with newer versions

1785

that we haven't investigated sufficiently yet.)

1786

1787

<br><dt><code>DB_HEADER=headername.h</code><dd>

1788

If <span class="samp">db.h</span> is not the correct header file to include to compile

1789

against the Berkeley DB 1.85 API, specify the correct header file name

1790

with this option. For example, <span class="samp">DB_HEADER=db3/db_185.h</span>.

1791

1792

1793

If <span class="samp">-ldb</span> is not the correct library specification for the

1794

Berkeley DB library version to be used, override it with this option.

1795

For example, <span class="samp">DB_LIB=-ldb-3.3</span>.

1796

1797

</dl>

1798

1799

<p>For example, in order to configure Kerberos on a Solaris machine using

1800

the <span class="samp">suncc</span> compiler with the optimizer turned on, run the configure

1801

script with the following options:

1802

1803

<pre class="example"> % ./configure CC=suncc CFLAGS=-O

1804

</pre>

1805

<p>For a slightly more complicated example, consider a system where

1806

several packages to be used by Kerberos are installed in

1807

<span class="samp">/usr/foobar</span>, including Berkeley DB 3.3, and an <span class="samp">ss</span>

1808

library that needs to link against the <span class="samp">curses</span> library. The

1809

configuration of Kerberos might be done thus:

1810

1811

<pre class="example"> % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \

1812

--with-system-et --with-system-ss --with-system-db \

1813

SS_LIB='-lss -lcurses' \

1814

DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3

1815

</pre>

1816

<p>In previous releases, <code>--with-</code> options were used to specify the

1817

compiler and linker and their options.

1818

1819

1820

<p><hr>

1821

<a name="osconf_002eh"></a>Next: <a rel="next" accesskey="n" href="#Shared-Library-Support">Shared Library Support</a>,

1822

Previous: <a rel="previous" accesskey="p" href="#Options-to-Configure">Options to Configure</a>,

1823

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1824

<br>

1825

</div>

1826

1827

<h3 class="section">3.8 <span class="file">osconf.h</span></h3>

1828

1829

<p>There is one configuration file which you may wish to edit to control

1830

various compile-time parameters in the Kerberos distribution:

1831

<span class="file">include/stock/osconf.h</span>. The list that follows is by no means

1832

complete, just some of the more interesting variables.

1833

1834

<p>Please note: The former configuration file <span class="file">config.h</span> no longer

1835

exists as its functionality has been merged into the auto-configuration

1836

process. See <a href="#Options-to-Configure">Options to Configure</a>.

1837

1838

<dl>

1839

<dt><code>DEFAULT_PROFILE_PATH</code><dd>

1840

The pathname to the file which contains the profiles for the known realms,

1841

their KDCs, etc. The default value is /etc/krb5.conf.

1842

1843

<p>The profile file format is no longer the same format as Kerberos V4's

1844

<span class="file">krb.conf</span> file.

1845

1846

<br><dt><code>DEFAULT_KEYTAB_NAME</code><dd>

1847

The type and pathname to the default server keytab file (the

1848

equivalent of Kerberos V4's <span class="file">/etc/srvtab</span>). The default is

1849

/etc/krb5.keytab.

1850

1851

<br><dt><code>DEFAULT_KDC_ENCTYPE</code><dd>

1852

The default encryption type for the KDC. The default value is

1853

des3-cbc-sha1.

1854

1855

<br><dt><code>KDCRCACHE</code><dd>

1856

The name of the replay cache used by the KDC. The default value is

1857

krb5kdc_rcache.

1858

1859

<br><dt><code>RCTMPDIR</code><dd>

1860

The directory which stores replay caches. The default is to try

1861

/var/tmp, /usr/tmp, /var/usr/tmp, and /tmp.

1862

1863

<br><dt><code>DEFAULT_KDB_FILE</code><dd>

1864

The location of the default database. The default value is

1865

/usr/local/var/krb5kdc/principal.

1866

1867

</dl>

1868

1869

1870

<p><hr>

1871

<a name="Shared-Library-Support"></a>Next: <a rel="next" accesskey="n" href="#OS-Incompatibilities">OS Incompatibilities</a>,

1872

Previous: <a rel="previous" accesskey="p" href="#osconf_002eh">osconf.h</a>,

1873

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1874

<br>

1875

</div>

1876

1877

<h3 class="section">3.9 Shared Library Support</h3>

1878

1879

<p>Shared library support is provided for a few operating systems. There

1880

are restrictions as to which compiler to use when using shared

1881

libraries. In all cases, executables linked with the shared libraries in

1882

this build process will have built in the location of the libraries,

1883

therefore obliterating the need for special LD_LIBRARY_PATH, et al environment

1884

variables when using the programs. Except where noted, multiple versions

1885

of the libraries may be installed on the same system and continue to

1886

work.

1887

1888

<p>Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS

1889

5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows

1890

(using DLLs).

1891

1892

<p>Shared library support has been tested on the following platforms but

1893

not exhaustively (they have been built but not necessarily tested in an

1894

installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and

1895

HP/UX 10.20.

1896

1897

<p>Platforms for which there is shared library support but not significant

1898

testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x

1899

(i386).

1900

1901

<p>To enable shared libraries on the above platforms, run the configure

1902

script with the option <span class="samp">--enable-shared</span>.

1903

1904

1905

<p><hr>

1906

<a name="OS-Incompatibilities"></a>Next: <a rel="next" accesskey="n" href="#Using-Autoconf">Using Autoconf</a>,

1907

Previous: <a rel="previous" accesskey="p" href="#Shared-Library-Support">Shared Library Support</a>,

1908

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

1909

<br>

1910

</div>

1911

1912

<h3 class="section">3.10 Operating System Incompatibilities</h3>

1913

1914

<p>This section details operating system incompatibilities with Kerberos V5

1915

which have been reported to the developers at MIT. If you find

1916

additional incompatibilities, and/or discover workarounds to such

1917

problems, please send a report via the <code>krb5-send-pr</code> program.

1918

Thanks!

1919

1920

1921

1922

<li><a accesskey="2" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>

1923

<li><a accesskey="3" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>

1924

<li><a accesskey="4" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>

1925

1926

1927

<li><a accesskey="7" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>

1928

<li><a accesskey="8" href="#Solaris-2_002eX">Solaris 2.X</a>

1929

<li><a accesskey="9" href="#Solaris-9">Solaris 9</a>

1930

1931

<li><a href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>

1932

</ul>

1933

1934

1935

<p><hr>

1936

<a name="AIX"></a>Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,

1937

Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,

1938

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1939

<br>

1940

</div>

1941

1942

1943

1944

<p>The AIX 3.2.5 linker dumps core trying to build a shared

1945

<span class="samp">libkrb5.a</span> produced with the GNU C compiler. The native AIX

1946

compiler works fine. This problem is fixed using the AIX 4.1 linker.

1947

1948

1949

<p><hr>

1950

<a name="Alpha-OSF_002f1-V1_002e3"></a>Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,

1951

Previous: <a rel="previous" accesskey="p" href="#AIX">AIX</a>,

1952

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1953

<br>

1954

</div>

1955

1956

<h4 class="subsection">3.10.2 Alpha OSF/1 V1.3</h4>

1957

1958

<p>Using the native compiler, compiling with the <span class="samp">-O</span> compiler flag

1959

causes the <code>asn.1</code> library to be compiled incorrectly.

1960

1961

<p>Using GCC version 2.6.3 or later instead of the native compiler will also work

1962

fine, both with or without optimization.

1963

1964

1965

<p><hr>

1966

<a name="Alpha-OSF_002f1-V2_002e0"></a>Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,

1967

Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,

1968

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1969

<br>

1970

</div>

1971

1972

<h4 class="subsection">3.10.3 Alpha OSF/1 V2.0</h4>

1973

1974

<p>There used to be a bug when using the native compiler in compiling

1975

<span class="file">md4.c</span> when compiled without either the <span class="samp">-O</span> or <span class="samp">-g</span>

1976

compiler options. We have changed the code and there is no problem

1977

under V2.1, but we do not have access to V2.0 to test and see if the

1978

problem would exist there. (We welcome feedback on this issue). There

1979

was never a problem in using GCC version 2.6.3.

1980

1981

<p>In version 3.2 and beyond of the operating system, we have not seen

1982

this sort of problem with the native compiler.

1983

1984

1985

<p><hr>

1986

<a name="Alpha-OSF_002f1-V4_002e0"></a>Next: <a rel="next" accesskey="n" href="#BSDI">BSDI</a>,

1987

Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,

1988

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

1989

<br>

1990

</div>

1991

1992

<h4 class="subsection">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</h4>

1993

1994

<p>The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)

1995

defaults to an extended K&R C mode, not ANSI C. You need to provide

1996

the <span class="samp">-std</span> argument to the compiler (i.e., <span class="samp">./configure

1997

CC='cc -std'</span>) to enable extended ANSI C mode. More recent versions

1998

of the operating system, such as 5.0, seem to have C compilers which

1999

default to <span class="samp">-std</span>.

2000

2001

2002

2003

2004

2005

<p><hr>

2006

<a name="BSDI"></a>Next: <a rel="next" accesskey="n" href="#HPUX">HPUX</a>,

2007

Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,

2008

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2009

<br>

2010

</div>

2011

2012

2013

2014

<p>BSDI versions 1.0 and 1.1 reportedly has a bad <span class="samp">sed</span> which causes

2015

it to go into an infinite loop during the build. The work around is

2016

to use a <span class="samp">sed</span> from somewhere else, such as GNU. (This may be

2017

true for some versions of other systems derived from BSD 4.4, such as

2018

NetBSD and FreeBSD.)

2019

2020

2021

<p><hr>

2022

<a name="HPUX"></a>Next: <a rel="next" accesskey="n" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,

2023

Previous: <a rel="previous" accesskey="p" href="#BSDI">BSDI</a>,

2024

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2025

<br>

2026

</div>

2027

2028

2029

2030

<p>The native (bundled) compiler for HPUX currently will not work,

2031

because it is not a full ANSI C compiler. The optional ANSI C

2032

compiler should work as long as you give it the <span class="samp">-Ae</span> flag

2033

(i.e. <span class="samp">./configure CC='cc -Ae'</span>). This is equivalent to

2034

<span class="samp">./configure CC='c89 -D_HPUX_SOURCE'</span>, which was the previous

2035

recommendation. This has only been tested recently for HPUX 10.20.

2036

2037

<p>You will need to configure with <span class="samp">--disable-shared

2038

--enable-static</span>, because as of 1.4 we don't have support for HPUX

2039

shared library finalization routines, nor the option (yet) to ignore

2040

that lack of support (which means repeated

2041

<code>dlopen</code>/<code>dlclose</code> cycles on the Kerberos libraries may not

2042

be safe) and build the shared libraries anyways.

2043

2044

<p>You will also need to configure the build tree with

2045

<span class="samp">--disable-thread-support</span> if you are on HPUX 10 and do not have

2046

the DCE development package installed, because that's where the

2047

<code>pthread.h</code> header file is found. (We don't know if our code

2048

will work with such a package installed, because according to some HP

2049

documentation, their <code>pthread.h</code> has to be included before any

2050

other header files, and our code doesn't do that.)

2051

2052

<p>If you use GCC, it may work, but some versions of GCC have omitted

2053

certain important preprocessor defines, like <code>__STDC_EXT__</code> and

2054

<code>__hpux</code>.

2055

2056

2057

<p><hr>

2058

<a name="Solaris-versions-2_002e0-through-2_002e3"></a>Next: <a rel="next" accesskey="n" href="#Solaris-2_002eX">Solaris 2.X</a>,

2059

Previous: <a rel="previous" accesskey="p" href="#HPUX">HPUX</a>,

2060

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2061

<br>

2062

</div>

2063

2064

<h4 class="subsection">3.10.7 Solaris versions 2.0 through 2.3</h4>

2065

2066

<p>The <code>gethostbyname()</code> routine is broken; it does not return a fully

2067

qualified domain name, even if you are using the Domain Name Service

2068

routines. Since Kerberos V5 uses the fully qualified domain name as the

2069

second component of a service principal (i.e,

2070

<span class="samp">host/tsx-11.mit.edu@ATHENA.MIT.EDU</span>), this causes problems for servers

2071

who try to figure out their own fully qualified domain name.

2072

2073

<p>Workarounds:

2074

2075

2076

2077

<li> Supply your own resolver library. (such as bind-4.9.3pl1 available

2078

from ftp.vix.com)

2079

2080

<li> Upgrade to Solaris 2.4

2081

2082

<li> Make sure your /etc/nsswitch.conf has `files' before `dns' like:

2083

2084

<pre class="example"> hosts: files dns

2085

</pre>

2086

<p>and then in /etc/hosts, make sure there is a line with your

2087

workstation's IP address and hostname, with the fully qualified domain

2088

name first. Example:

2089

2090

<pre class="example"> 18.172.1.4 dcl.mit.edu dcl

2091

</pre>

2092

<p>Note that making this change may cause other programs in your

2093

environment to break or behave differently.

2094

2095

</ol>

2096

2097

2098

<p><hr>

2099

<a name="Solaris-2_002eX"></a>Next: <a rel="next" accesskey="n" href="#Solaris-9">Solaris 9</a>,

2100

Previous: <a rel="previous" accesskey="p" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,

2101

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2102

<br>

2103

</div>

2104

2105

<h4 class="subsection">3.10.8 Solaris 2.X</h4>

2106

2107

<p>You <b>must</b> compile Kerberos V5 without the UCB compatibility

2108

libraries. This means that <span class="file">/usr/ucblib</span> must not be in the

2109

LD_LIBRARY_PATH environment variable when you compile it. Alternatively

2110

you can use the <code>-i</code> option to <span class="samp">cc</span>, by using the specifying

2111

<code>CFLAGS=-i</code> option to <span class="samp">configure</span>.

2112

2113

<p>If you are compiling for a 64-bit execution environment, you may need

2114

to configure with the option <code>CFLAGS="-D_XOPEN_SOURCE=500

2115

-D__EXTENSIONS__"</code>. This is not well tested; at MIT we work primarily

2116

with the 32-bit execution environment.

2117

2118

2119

<p><hr>

2120

<a name="Solaris-9"></a>Next: <a rel="next" accesskey="n" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,

2121

Previous: <a rel="previous" accesskey="p" href="#Solaris-2_002eX">Solaris 2.X</a>,

2122

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2123

<br>

2124

</div>

2125

2126

<h4 class="subsection">3.10.9 Solaris 9</h4>

2127

2128

<p>Solaris 9 has a kernel race condition which causes the final output

2129

written to the slave side of a pty to be lost upon the final close()

2130

of the slave device. This causes the dejagnu-based tests to fail

2131

intermittently. A workaround exists, but requires some help from the

2132

scheduler, and the “make check” must be executed from a shell with

2133

elevated priority limits.

2134

2135

<p>Run something like

2136

2137

<p><code>priocntl -s -c FX -m 30 -p 30 -i pid nnnn</code>

2138

2139

<p>as root, where <code>nnnn</code> is the pid of the shell whose priority

2140

limit you wish to raise.

2141

2142

<p>Sun has released kernel patches for this race condition. Apply patch

2143

117171-11 for sparc, or patch 117172-11 for x86. Later revisions of

2144

the patches should also work. It is not necessary to run “make

2145

check” from a shell with elevated priority limits once the patch has

2146

been applied.

2147

2148

2149

<p><hr>

2150

<a name="SGI-Irix-5_002eX"></a>Next: <a rel="next" accesskey="n" href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>,

2151

Previous: <a rel="previous" accesskey="p" href="#Solaris-9">Solaris 9</a>,

2152

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2153

<br>

2154

</div>

2155

2156

2157

2158

<p>If you are building in a tree separate from the source tree, the vendors

2159

version of make does not work properly with regards to

2160

<span class="samp">VPATH</span>. It also has problems with standard inference rules in 5.2

2161

(not tested yet in 5.3) so one needs to use GNU's make.

2162

2163

<p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code>

2164

library in which the routine <code>gethostbyname()</code> is broken. The

2165

system supplied version in <code>-lc</code> appears to work though so one may

2166

simply specify <code>--with-netlib</code> option to <span class="samp">configure</span>.

2167

2168

<p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and

2169

is no longer an issue.

2170

2171

2172

<p><hr>

2173

<a name="Ultrix-4_002e2_002f3"></a>Previous: <a rel="previous" accesskey="p" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,

2174

Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

2175

<br>

2176

</div>

2177

2178

<h4 class="subsection">3.10.11 Ultrix 4.2/3</h4>

2179

2180

<p>The DEC MIPS platform currently will not support the native compiler,

2181

since the Ultrix compiler is not a full ANSI C compiler. You should use

2182

GCC instead.

2183

2184

2185

<p><hr>

2186

<a name="Using-Autoconf"></a>Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,

2187

Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

2188

<br>

2189

</div>

2190

2191

<h3 class="section">3.11 Using <span class="samp">Autoconf</span></h3>

2192

2193

<p>(If you are not a developer, you can skip this section.)

2194

2195

<p>In most of the Kerberos V5 source directories, there is a

2196

<span class="file">configure</span> script which automatically determines the compilation

2197

environment and creates the proper Makefiles for a particular

2198

platform. These <span class="file">configure</span> files are generated using

2199

<span class="samp">autoconf</span>, which can be found in the <span class="file">src/util/autoconf</span>

2200

directory in the distribution.

2201

2202

<p>Normal users will not need to worry about running <span class="samp">autoconf</span>; the

2203

distribution comes with the <span class="file">configure</span> files already prebuilt.

2204

Developers who wish to modify the <span class="file">configure.in</span> files should see

2205

<a href="autoconf.html#Top">Overview (The Autoconf Manual)</a>.

2206

2207

<p>Note that in order to run <span class="samp">autoconf</span>, you must have GNU <span class="samp">m4</span>

2208

in your path. Before you use the <span class="samp">autoconf</span> in the Kerberos V5

2209

source tree, you may also need to run <span class="samp">configure</span>, and then run

2210

<span class="samp">make</span> in the <span class="file">src/util/autoconf</span> directory in order to

2211

properly set up <span class="samp">autoconf</span>.

2212

2213

<p>One tool which is provided for the convenience of developers can be

2214

found in <span class="file">src/util/reconf</span>. This program should be run while the

2215

current directory is the top source directory. It will automatically

2216

rebuild any <span class="file">configure</span> files which need rebuilding. If you know

2217

that you have made a change that will require that all the

2218

<span class="file">configure</span> files need to be rebuilt from scratch, specify the

2219

<code>--force</code> option:

2220

2221

<pre class="example"> % cd /u1/krb5-1.7/src

2222

% ./util/reconf --force

2223

</pre>

2224

<p>The developmental sources are a raw source tree (before it's been packaged

2225

for public release), without the pre-built <span class="file">configure</span> files.

2226

In order to build from such a source tree, you must do:

2227

2228

<pre class="example"> % cd krb5/util/autoconf

2229

% ./configure

2230

% make

2231

% cd ../..

2232

% util/reconf

2233

</pre>

2234

<p>Then follow the instructions for building packaged source trees (above).

2235

To install the binaries into a binary tree, do:

2236

2237

<pre class="example"> % cd /u1/krb5-1.7/src

2238

% make all

2239

% make install DESTDIR=somewhere-else

2240

</pre>

2241

2242

<p><hr>

2243

<a name="Installing-Kerberos-V5"></a>Next: <a rel="next" accesskey="n" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,

2244

Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,

2245

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

2246

<br>

2247

</div>

2248

2249

<h2 class="chapter">4 Installing Kerberos V5</h2>

2250

2251

<p>The sections of this chapter describe procedures for installing

2252

Kerberos V5 on:

2253

2254

2255

<li>The KDCs

2256

2257

<li>UNIX client machines

2258

2259

<li>UNIX Application Servers

2260

</ol>

2261

2262

2263

<li><a accesskey="1" href="#Installing-KDCs">Installing KDCs</a>

2264

<li><a accesskey="2" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

2265

<li><a accesskey="3" href="#UNIX-Application-Servers">UNIX Application Servers</a>

2266

</ul>

2267

2268

2269

<p><hr>

2270

<a name="Installing-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,

2271

Previous: <a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,

2272

Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

2273

<br>

2274

</div>

2275

2276

<h3 class="section">4.1 Installing KDCs</h3>

2277

2278

<p>The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC

2279

contains a copy of the Kerberos database. The master KDC contains the

2280

master copy of the database, which it propagates to the slave KDCs at

2281

regular intervals. All database changes (such as password changes) are

2282

made on the master KDC.

2283

2284

<p>Slave KDCs provide Kerberos ticket-granting services, but not database

2285

administration. This allows clients to continue to obtain tickets when

2286

the master KDC is unavailable.

2287

2288

<p>MIT recommends that you install all of your KDCs to be able

2289

to function as either the master or one of the slaves. This will enable

2290

you to easily switch your master KDC with one of the slaves if

2291

necessary. (See <a href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>.) This installation

2292

procedure is based on that recommendation.

2293

2294

2295

<li><a accesskey="1" href="#Install-the-Master-KDC">Install the Master KDC</a>

2296

<li><a accesskey="2" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2297

<li><a accesskey="3" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>

2298

<li><a accesskey="4" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

2299

<li><a accesskey="5" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>

2300

<li><a accesskey="6" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>

2301

<li><a accesskey="7" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>

2302

<li><a accesskey="8" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>

2303

</ul>

2304

2305

2306

<p><hr>

2307

<a name="Install-the-Master-KDC"></a>Next: <a rel="next" accesskey="n" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,

2308

Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,

2309

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2310

<br>

2311

</div>

2312

2313

<h4 class="subsection">4.1.1 Install the Master KDC</h4>

2314

2315

<p>This installation procedure will require you to go back and forth a

2316

couple of times between the master KDC and each of the slave KDCs. The

2317

first few steps must be done on the master KDC.

2318

2319

2320

<li><a accesskey="1" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>

2321

2322

2323

<li><a accesskey="4" href="#Create-the-Database">Create the Database</a>

2324

<li><a accesskey="5" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>

2325

<li><a accesskey="6" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>

2326

<li><a accesskey="7" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>

2327

<li><a accesskey="8" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>

2328

</ul>

2329

2330

2331

<p><hr>

2332

<a name="Edit-the-Configuration-Files"></a>Next: <a rel="next" accesskey="n" href="#krb5_002econf">krb5.conf</a>,

2333

Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,

2334

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2335

<br>

2336

</div>

2337

2338

<h5 class="subsubsection">4.1.1.1 Edit the Configuration Files</h5>

2339

2340

<p>Modify the configuration files, <code>/etc/krb5.conf</code> and

2341

<code>/usr/local/var/krb5kdc/kdc.conf</code> to reflect the correct

2342

information (such as the hostnames and realm name) for your realm.

2343

MIT recommends that you keep <code>krb5.conf</code> in <code>/etc</code>.

2344

2345

<p>Most of the tags in the configuration have default values that will

2346

work well for most sites. There are some tags in the <code>krb5.conf</code>

2347

file whose values must be specified, and this section will explain

2348

those as well as give an overview of all of the sections in both

2349

configuration files. For more information on changing defaults with

2350

the configuration files, see the Kerberos V5 System Administrator's

2351

Guide sections on configuration files.

2352

2353

2354

<p><hr>

2355

<a name="krb5_002econf"></a>Next: <a rel="next" accesskey="n" href="#kdc_002econf">kdc.conf</a>,

2356

Previous: <a rel="previous" accesskey="p" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>,

2357

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2358

<br>

2359

</div>

2360

2361

2362

2363

<p>The <code>krb5.conf</code> file contains Kerberos configuration information,

2364

including the locations of KDCs and admin servers for the Kerberos

2365

realms of interest, defaults for the current realm and for Kerberos

2366

applications, and mappings of hostnames onto Kerberos realms. Normally,

2367

you should install your <code>krb5.conf</code> file in the directory

2368

<code>/etc</code>. You can override the default location by setting the

2369

environment variable <span class="samp">KRB5_CONFIG</span>.

2370

2371

<p>The <code>krb5.conf</code> file is set up in the style of a Windows INI file.

2372

Sections are headed by the section name, in square brackets. Each

2373

section may contain zero or more relations, of the form:

2374

2375

<pre class="smallexample"> foo = bar

2376

</pre>

2377

<p class="noindent">or

2378

2379

<pre class="smallexample"> fubar = {

2380

foo = bar

2381

baz = quux

2382

}

2383

</pre>

2384

<p>Placing a `*' at the end of a line indicates that this is the

2385

<dfn>final</dfn> value for the tag. This means that neither the remainder

2386

of this configuration file nor any other configuration file will be

2387

checked for any other values for this tag.

2388

2389

<p>For example, if you have the following lines:

2390

2391

<pre class="smallexample"> foo = bar*

2392

foo = baz

2393

</pre>

2394

<p>then the second value of foo (baz) would never be read.

2395

2396

<p>The <code>krb5.conf</code> file may contain any or all of the following

2397

sections:

2398

2399

<dl>

2400

<dt><b>libdefaults</b><dd>Contains default values used by the Kerberos V5 library.

2401

2402

<dt><b>login</b><dd>Contains default values used by the Kerberos V5 login program.

2403

2404

<dt><b>appdefaults</b><dd>Contains default values that can be used by Kerberos V5 applications.

2405

2406

<dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection

2407

describes realm-specific information, including where to find the

2408

Kerberos servers for that realm.

2409

2410

<dt><b>domain_realm</b><dd>Contains relations which map domain names and subdomains onto Kerberos

2411

realm names. This is used by programs to determine what realm a host

2412

should be in, given its fully qualified domain name.

2413

2414

<dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform

2415

logging.

2416

2417

<dt><b>capaths</b><dd>Contains the authentication paths used with direct (nonhierarchical)

2418

cross-realm authentication. Entries in this section are used by the

2419

client to determine the intermediate realms which may be used in

2420

cross-realm authentication. It is also used by the end-service when

2421

checking the transited field for trusted intermediate realms.

2422

2423

</dl>

2424

2425

<p>If you are not using DNS TXT records, you must specify the

2426

<code>default_realm</code> in the <code>libdefaults</code> section. If you are not

2427

using DNS SRV records, you must include the <code>kdc</code> tag for each

2428

realm in the <code>realms</code> section. To communicate with the kadmin

2429

server in each realm, the <code>admin_server</code> tag must be set in the

2430

<code>realms</code> section. If your domain name and realm name are not the

2431

same, you must provide a translation in <code>domain_realm</code>. It is

2432

also higly recommeneded that you create a <code>[logging]</code> stanza if

2433

the computer will be functioning as a KDC so that the KDC and kadmind

2434

will generate logging output.

2435

2436

<p>An example <code>krb5.conf</code> file:

2437

2438

<pre class="smallexample"> [libdefaults]

2439

default_realm = ATHENA.MIT.EDU

2440

2441

[realms]

2442

ATHENA.MIT.EDU = {

2443

kdc = kerberos.mit.edu

2444

kdc = kerberos-1.mit.edu

2445

kdc = kerberos-2.mit.edu

2446

admin_server = kerberos.mit.edu

2447

{

2448

2449

[logging]

2450

kdc = FILE:/var/log/krb5kdc.log

2451

admin_server = FILE:/var/log/kadmin.log

2452

default = FILE:/var/log/krb5lib.log

2453

</pre>

2454

2455

<p><hr>

2456

<a name="kdc_002econf"></a>Next: <a rel="next" accesskey="n" href="#Create-the-Database">Create the Database</a>,

2457

Previous: <a rel="previous" accesskey="p" href="#krb5_002econf">krb5.conf</a>,

2458

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2459

<br>

2460

</div>

2461

2462

2463

2464

<p>The <code>kdc.conf</code> file contains KDC configuration information,

2465

including defaults used when issuing Kerberos tickets. Normally, you

2466

should install your <code>kdc.conf</code> file in the directory

2467

<code>/usr/local/var/krb5kdc</code>. You can override the default

2468

location by setting the environment variable <span class="samp">KRB5_KDC_PROFILE</span>.

2469

2470

<p>The <code>kdc.conf</code> file is set up in the same format as the

2471

<code>krb5.conf</code> file. (See <a href="#krb5_002econf">krb5.conf</a>.) The <code>kdc.conf</code> file

2472

may contain any or all of the following three sections:

2473

2474

<dl>

2475

<dt><b>kdcdefaults</b><dd>Contains default values for overall behavior of the KDC.

2476

2477

<br><dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection

2478

describes realm-specific information, including where to find the

2479

Kerberos servers for that realm.

2480

2481

<br><dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform

2482

logging.

2483

</dl>

2484

2485

2486

<p><hr>

2487

<a name="Create-the-Database"></a>Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,

2488

Previous: <a rel="previous" accesskey="p" href="#kdc_002econf">kdc.conf</a>,

2489

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2490

<br>

2491

</div>

2492

2493

<h5 class="subsubsection">4.1.1.4 Create the Database</h5>

2494

2495

<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to

2496

create the Kerberos database and the optional stash file. The

2497

<dfn>stash file</dfn> is a local copy of the master key that resides in

2498

encrypted form on the KDC's local disk. The stash file is used to

2499

authenticate the KDC to itself automatically before starting the

2500

<code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the

2501

machine's boot sequence). The stash file, like the keytab file

2502

(see See <a href="#The-Keytab-File">The Keytab File</a>, for more information) is a potential

2503

point-of-entry for a break-in,

2504

and if compromised, would allow unrestricted access to the Kerberos

2505

database. If you choose to install a stash file, it should be readable

2506

only by root, and should exist only on the KDC's local disk. The file

2507

should not be part of any backup of the machine, unless access to the

2508

backup data is secured as tightly as access to the master password

2509

itself.

2510

2511

<p>If you choose not to install a stash file, the KDC will prompt you for

2512

the master key each time it starts up. This means that the KDC will

2513

not be able to start automatically, such as after a system reboot.

2514

2515

<p>Note that <code>kdb5_util</code> will prompt you for the master key for the

2516

Kerberos database. This key can be any string. A good key is one you

2517

can remember, but that no one else can guess. Examples of bad keys are

2518

words that can be found in a dictionary, any common or popular name,

2519

especially a famous person (or cartoon character), your username in any

2520

form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of

2521

the sample keys that appear in this manual. One example of a key which

2522

might be good if it did not appear in this manual is “MITiys4K5!”,

2523

which represents the sentence “MIT is your source for Kerberos 5!”

2524

(It's the first letter of each word, substituting the numeral “4” for

2525

the word “for”, and includes the punctuation mark at the end.)

2526

2527

<p>The following is an example of how to create a Kerberos database and

2528

stash file on the master KDC, using the <code>kdb5_util</code> command. (The

2529

line that begins with => is a continuation of the previous line.)

2530

Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.

2531

2532

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s

2533

<b>Initializing database '/usr/local/var/krb5kdc/principal' for

2534

=> realm 'ATHENA.MIT.EDU',

2535

master key name 'K/M@ATHENA.MIT.EDU'

2536

You will be prompted for the database Master Password.

2537

It is important that you NOT FORGET this password.</b>

2538

<b>Enter KDC database master key:</b> <i><= Type the master password.</i>

2539

<b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i>

2540

<b>shell%</b>

2541

</pre>

2542

<p>This will create five files in the directory specified in your

2543

<code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>,

2544

and <code>principal.ok</code>; the Kerberos administrative database file,

2545

<code>principal.kadm5</code>; the administrative database lock file,

2546

<code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>. (The

2547

default directory is <code>/usr/local/var/krb5kdc</code>.) If you do not

2548

want a stash file, run the above command without the <code>-s</code> option.

2549

2550

2551

<p><hr>

2552

<a name="Add-Administrators-to-the-Acl-File"></a>Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,

2553

Previous: <a rel="previous" accesskey="p" href="#Create-the-Database">Create the Database</a>,

2554

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2555

<br>

2556

</div>

2557

2558

<h5 class="subsubsection">4.1.1.5 Add Administrators to the Acl File</h5>

2559

2560

<p>Next, you need create an Access Control List (acl) file, and put the

2561

Kerberos principal of at least one of the administrators into it. This

2562

file is used by the <code>kadmind</code> daemon to control which principals

2563

may view and make privileged modifications to the Kerberos database

2564

files. The filename should match the value you have set for

2565

“acl_file” in your <code>kdc.conf</code> file. The default file name is

2566

<span class="samp">/usr/local/var/krb5kdc/kadm5.acl</span>.

2567

2568

<p>The format of the file is:

2569

2570

<pre class="smallexample"> Kerberos_principal permissions [target_principal] [restrictions]

2571

</pre>

2572

<p>The Kerberos principal (and optional target principal) can include the

2573

“<b>*</b>” wildcard, so if you want any principal with the instance

2574

“admin” to have full permissions on the database, you could use the

2575

principal “<code>*/admin@REALM</code>” where “REALM” is your Kerberos

2576

realm. <code>target_principal</code> can also include backreferences to

2577

<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i>" matches the

2578

component <i>number</i> in the <code>Kerberos_principal</code>.

2579

2580

<p>Note: a common use of an <i>admin</i> instance is so you can grant

2581

separate permissions (such as administrator access to the Kerberos

2582

database) to a separate Kerberos principal. For example, the user

2583

<code>joeadmin</code> might have a principal for his administrative

2584

use, called <code>joeadmin/admin</code>. This way,

2585

<code>joeadmin</code> would obtain <code>joeadmin/admin</code>

2586

tickets only when he actually needs to use those permissions.

2587

2588

<p>The permissions are represented by single letters; UPPER-CASE letters

2589

represent negative permissions. The permissions are:

2590

2591

<dl>

2592

<dt><b>a</b><dd>allows the addition of principals or policies in the database.

2593

<dt><b>A</b><dd>disallows the addition of principals or policies in the database.

2594

<dt><b>d</b><dd>allows the deletion of principals or policies in the database.

2595

<dt><b>D</b><dd>disallows the deletion of principals or policies in the database.

2596

<dt><b>m</b><dd>allows the modification of principals or policies in the database.

2597

<dt><b>M</b><dd>disallows the modification of principals or policies in the database.

2598

<dt><b>c</b><dd>allows the changing of passwords for principals in the database.

2599

<dt><b>C</b><dd>disallows the changing of passwords for principals in the database.

2600

<dt><b>i</b><dd>allows inquiries to the database.

2601

<dt><b>I</b><dd>disallows inquiries to the database.

2602

<dt><b>l</b><dd>allows the listing of principals or policies in the database.

2603

<dt><b>L</b><dd>disallows the listing of principals or policies in the database.

2604

<dt><b>s</b><dd>allows the explicit setting of the key for a principal

2605

<dt><b>S</b><dd>disallows the explicit setting of the key for a principal

2606

<dt><b>*</b><dd>All privileges (admcil).

2607

<dt><b>x</b><dd>All privileges (admcil); identical to “*”.

2608

</dl>

2609

2610

<p>The restrictions are a string of flags. Allowed restrictions are:

2611

2612

<dl>

2613

<dt><b>[+ -]</b><i>flagname</i><dd>flag is forced to indicated value. The permissible flags are the same

2614

as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and

2615

<code>modprinc</code> commands.

2616

<dt><b>-clearpolicy</b><dd>policy is forced to clear

2617

<dt><b>-policy </b><i>pol</i><dd>policy is forced to be <i>pol</i>

2618

<dt><b>expire </b><i>time</i><dt><b>pwexpire </b><i>time</i><dt><b>maxlife </b><i>time</i><dt><b>maxrenewlife </b><i>time</i><dd>associated value will be forced to MIN(<i>time</i>, requested value)

2619

</dl>

2620

2621

<p>The above flags act as restrictions on any add or modify operation

2622

which is allowed due to that ACL line.

2623

2624

<p>Here is an example of a <code>kadm5.acl</code> file. Note that order is

2625

important; permissions are determined by the first matching entry.

2626

2627

<pre class="smallexample"> */admin@ATHENA.MIT.EDU *

2628

joeadmin@ATHENA.MIT.EDU ADMCIL

2629

joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU

2630

*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU

2631

*/*@ATHENA.MIT.EDU i

2632

*/admin@EXAMPLE.COM * -maxlife 9h -postdateable

2633

</pre>

2634

<p class="noindent">In the above file, any principal in the

2635

ATHENA.MIT.EDU realm with an <code>admin</code> instance has all

2636

administrative privileges. The user <code>joeadmin</code>

2637

has all permissions with his <code>admin</code> instance,

2638

<code>joeadmin/admin@ATHENA.MIT.EDU</code> (matches the first

2639

line). He has no permissions at all with his <code>null</code> instance,

2640

<code>joeadmin@ATHENA.MIT.EDU</code> (matches the second line).

2641

His root instance has <i>inquire</i> and <i>list</i> permissions with any

2642

other principal that has the instance <code>root</code>. Any principal

2643

in ATHENA.MIT.EDU can inquire, list, or change the password of

2644

their <code>admin</code> instance, but not any other <code>admin</code> instance.

2645

Any principal in the realm <code>ATHENA.MIT.EDU</code> (except for

2646

<code>joeadmin@ATHENA.MIT.EDU</code>, as mentioned above) has

2647

<i>inquire</i> privileges. Finally, any principal with an admin instance

2648

in EXAMPLE.COM has all permissions, but any principal that they

2649

create or modify will not be able to get postdateable tickets or tickets

2650

with a life of longer than 9 hours.

2651

2652

2653

<p><hr>

2654

<a name="Add-Administrators-to-the-Kerberos-Database"></a>Next: <a rel="next" accesskey="n" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,

2655

Previous: <a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,

2656

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2657

<br>

2658

</div>

2659

2660

<h5 class="subsubsection">4.1.1.6 Add Administrators to the Kerberos Database</h5>

2661

2662

<p>Next you need to add administrative principals to the Kerberos database.

2663

(You must add at least one now.) To do this, use <code>kadmin.local</code>

2664

<em>on the master KDC</em>. The administrative principals you create

2665

should be the ones you added to the ACL file. (See See <a href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>.) In the following example, the

2666

administration principal <code>admin/admin</code> is created:

2667

2668

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local

2669

<b>kadmin.local:</b> addprinc admin/admin@ATHENA.MIT.EDU

2670

<b>NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU";

2671

assigning "default".</b>

2672

<b>Enter password for principal admin/admin@ATHENA.MIT.EDU:</b> <i><= Enter a password.</i>

2673

Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <i><= Type it again.</i>

2674

<b>Principal "admin/admin@ATHENA.MIT.EDU" created.

2675

kadmin.local:</b>

2676

</pre>

2677

2678

<p><hr>

2679

<a name="Create-a-kadmind-Keytab-_0028optional_0029"></a>Next: <a rel="next" accesskey="n" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>,

2680

Previous: <a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,

2681

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2682

<br>

2683

</div>

2684

2685

<h5 class="subsubsection">4.1.1.7 Create a kadmind Keytab (optional)</h5>

2686

2687

<p>The kadmind keytab is the key that the legacy admininstration daemons

2688

<code>kadmind4</code> and <code>v5passwdd</code> will use to decrypt

2689

administrators' or clients' Kerberos tickets to determine whether or

2690

not they should have access to the database. You need to create the

2691

kadmin keytab with entries for the principals <code>kadmin/admin</code> and

2692

<code>kadmin/changepw</code>. (These principals are placed in the Kerberos

2693

database automatically when you create it.) To create the kadmin

2694

keytab, run <code>kadmin.local</code> and use the <code>ktadd</code> command, as

2695

in the following example. (The line beginning with => is a

2696

continuation of the previous line.):

2697

2698

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin.local

2699

<b>kadmin.local:</b> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab

2700

=> kadmin/admin kadmin/changepw

2701

<b> Entry for principal kadmin/admin with kvno 5, encryption

2702

type Triple DES cbc mode with HMAC/sha1 added to keytab

2703

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2704

Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode

2705

with CRC-32 added to keytab

2706

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2707

Entry for principal kadmin/changepw with kvno 5, encryption

2708

type Triple DES cbc mode with HMAC/sha1 added to keytab

2709

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2710

Entry for principal kadmin/changepw with kvno 5,

2711

encryption type DES cbc mode with CRC-32 added to keytab

2712

WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

2713

kadmin.local:</b> quit

2714

<b>shell%</b>

2715

</pre>

2716

<p class="noindent">As specified in the <span class="samp">-k</span> argument, <code>ktadd</code> will save the

2717

extracted keytab as <br> <code>/usr/local/var/krb5kdc/kadm5.keytab</code>.

2718

The filename you use must be the one specified in your <code>kdc.conf</code>

2719

file.

2720

2721

2722

<p><hr>

2723

<a name="Start-the-Kerberos-Daemons"></a>Previous: <a rel="previous" accesskey="p" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,

2724

Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

2725

<br>

2726

</div>

2727

2728

<h5 class="subsubsection">4.1.1.8 Start the Kerberos Daemons on the Master KDC</h5>

2729

2730

<p>At this point, you are ready to start the Kerberos daemons on the Master

2731

KDC. To do so, type:

2732

2733

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc

2734

<b>shell%</b> /usr/local/sbin/kadmind

2735

</pre>

2736

<p class="noindent">Each daemon will fork and run in the background. Assuming you want

2737

these daemons to start up automatically at boot time, you can add them

2738

to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file. You need to

2739

have a stash file in order to do this.

2740

2741

<p>You can verify that they started properly by checking for their startup

2742

messages in the logging locations you defined in <code>/etc/krb5.conf</code>.

2743

(See <a href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>.) For example:

2744

2745

<pre class="smallexample"> <b>shell%</b> tail /var/log/krb5kdc.log

2746

Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation

2747

<b>shell%</b> tail /var/log/kadmin.log

2748

Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting

2749

</pre>

2750

<p>Any errors the daemons encounter while starting will also be listed in

2751

the logging output.

2752

2753

2754

<p><hr>

2755

<a name="Install-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,

2756

Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,

2757

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2758

<br>

2759

</div>

2760

2761

<h4 class="subsection">4.1.2 Install the Slave KDCs</h4>

2762

2763

<p>You are now ready to start configuring the slave KDCs. Assuming you are

2764

setting the KDCs up so that you can easily switch the master KDC with

2765

one of the slaves, you should perform each of these steps on the master

2766

KDC as well as the slave KDCs, unless these instructions specify

2767

otherwise.

2768

2769

2770

<li><a accesskey="1" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>

2771

<li><a accesskey="2" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>

2772

<li><a accesskey="3" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>

2773

</ul>

2774

2775

2776

<p><hr>

2777

<a name="Create-Host-Keys-for-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,

2778

Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,

2779

Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2780

<br>

2781

</div>

2782

2783

<h5 class="subsubsection">4.1.2.1 Create Host Keys for the Slave KDCs</h5>

2784

2785

<p>Each KDC needs a host principal in the Kerberos database. You can enter

2786

these from any host, once the <code>kadmind</code> daemon is running. For

2787

example, if your master KDC were called

2788

kerberos.mit.edu, and you had two KDC slaves

2789

named kerberos-1.mit.edu and

2790

kerberos-2.mit.edu, you would type the following:

2791

2792

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kadmin

2793

<b>kadmin:</b> addprinc -randkey host/kerberos.mit.edu

2794

<b>NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU";

2795

assigning "default"

2796

Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.

2797

kadmin:</b> addprinc -randkey host/kerberos-1.mit.edu

2798

<b>NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU";

2799

assigning "default"

2800

Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</b>

2801

<b>kadmin:</b> addprinc -randkey host/kerberos-2.mit.edu

2802

<b>NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU";

2803

assigning "default"

2804

Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created.

2805

kadmin:</b>

2806

</pre>

2807

<p class="noindent">It is not actually necessary to have the master KDC server in the

2808

Kerberos database, but it can be handy if:

2809

2810

<ul>

2811

<li>anyone will be logging into the machine as something other than root

2812

2813

<li>you want to be able to swap the master KDC with one of the slaves if

2814

necessary.

2815

</ul>

2816

2817

2818

<p><hr>

2819

<a name="Extract-Host-Keytabs-for-the-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>,

2820

Previous: <a rel="previous" accesskey="p" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>,

2821

Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2822

<br>

2823

</div>

2824

2825

<h5 class="subsubsection">4.1.2.2 Extract Host Keytabs for the KDCs</h5>

2826

2827

<p>Each KDC (including the master) needs a keytab to decrypt tickets.

2828

Ideally, you should extract each keytab locally on its own KDC. If this

2829

is not feasible, you should use an encrypted session to send them across

2830

the network. To extract a keytab on a KDC called

2831

kerberos.mit.edu, you would execute the following

2832

command:

2833

2834

<pre class="smallexample"> <b>kadmin:</b> ktadd host/kerberos.mit.edu

2835

<b>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with

2836

kvno 1, encryption type DES-CBC-CRC added to keytab

2837

WRFILE:/etc/krb5.keytab.

2838

kadmin:</b>

2839

</pre>

2840

<p class="noindent">Note that the principal must exist in the Kerberos database in order to

2841

extract the keytab.

2842

2843

2844

<p><hr>

2845

<a name="Set-Up-the-Slave-KDCs-for-Database-Propagation"></a>Previous: <a rel="previous" accesskey="p" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,

2846

Up: <a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

2847

<br>

2848

</div>

2849

2850

<h5 class="subsubsection">4.1.2.3 Set Up the Slave KDCs for Database Propagation</h5>

2851

2852

<p>The database is propagated from the master KDC to the slave KDCs via the

2853

<code>kpropd</code> daemon. To set up propagation, create a file on each KDC,

2854

named <code>/usr/local/var/krb5kdc/kpropd.acl</code>, containing the

2855

principals for each of the KDCs.

2856

For example, if the master KDC were

2857

<code>kerberos.mit.edu</code>, the slave KDCs were

2858

<code>kerberos-1.mit.edu</code> and

2859

<code>kerberos-2.mit.edu</code>, and the realm were

2860

<code>ATHENA.MIT.EDU</code>, then the file's contents would be:

2861

2862

<pre class="smallexample"> host/kerberos.mit.edu@ATHENA.MIT.EDU

2863

host/kerberos-1.mit.edu@ATHENA.MIT.EDU

2864

host/kerberos-2.mit.edu@ATHENA.MIT.EDU

2865

</pre>

2866

<p>Then, add the following lines to <code>/etc/inetd.conf</code> file on each KDC

2867

(the line beginnng with => is a continuation of the previous

2868

line):

2869

2870

<pre class="smallexample"> krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

2871

eklogin stream tcp nowait root /usr/local/sbin/klogind

2872

=> klogind -k -c -e

2873

</pre>

2874

<p class="noindent">The first line sets up the <code>kpropd</code> database propagation daemon.

2875

The second line sets up the <code>eklogin</code> daemon, allowing

2876

Kerberos-authenticated, encrypted rlogin to the KDC.

2877

2878

<p>You also need to add the following lines to <code>/etc/services</code> on each

2879

KDC:

2880

2881

<pre class="smallexample"> kerberos 88/udp kdc # Kerberos authentication (udp)

2882

kerberos 88/tcp kdc # Kerberos authentication (tcp)

2883

krb5_prop 754/tcp # Kerberos slave propagation

2884

kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)

2885

kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)

2886

eklogin 2105/tcp # Kerberos encrypted rlogin

2887

</pre>

2888

2889

<p><hr>

2890

<a name="Back-on-the-Master-KDC"></a>Next: <a rel="next" accesskey="n" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,

2891

Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,

2892

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2893

<br>

2894

</div>

2895

2896

<h4 class="subsection">4.1.3 Back on the Master KDC</h4>

2897

2898

<p>Now that the slave KDCs are able to accept database propagation, you'll

2899

need to propagate the database to each of them.

2900

2901

2902

<li><a accesskey="1" href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>

2903

</ul>

2904

2905

2906

<p><hr>

2907

<a name="Propagate-the-Database-to-Each-Slave-KDC"></a>Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,

2908

Up: <a rel="up" accesskey="u" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>

2909

<br>

2910

</div>

2911

2912

<h5 class="subsubsection">4.1.3.1 Propagate the Database to Each Slave KDC</h5>

2913

2914

<p>First, create a dump of the database on the master KDC, as follows:

2915

2916

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans

2917

<b>shell%</b>

2918

</pre>

2919

<p>Next, you need to manually propagate the database to each slave KDC, as

2920

in the following example. (The lines beginning with => are

2921

continuations of the previous line.):

2922

2923

<pre class="smallexample"> /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans

2924

=> kerberos-1.mit.edu

2925

/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans

2926

=> kerberos-2.mit.edu

2927

</pre>

2928

<p>You will need a script to dump and propagate the database. The

2929

following is an example of a bourne shell script that will do this.

2930

(Note that the line that begins with => is a continuation of the

2931

previous line. Remember that you need to replace /usr/local with

2932

the name of the directory in which you installed Kerberos V5.)

2933

2934

<pre class="smallexample"> #!/bin/sh

2935

2936

kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"

2937

2938

/usr/local/sbin/kdb5_util "dump

2939

=> /usr/local/var/krb5kdc/slave_datatrans"

2940

2941

for kdc in $kdclist

2942

2943

/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc

2944

done

2945

</pre>

2946

<p class="noindent">You will need to set up a cron job to run this script at the intervals

2947

you decided on earlier (See <a href="#Database-Propagation">Database Propagation</a>.)

2948

2949

2950

<p><hr>

2951

<a name="Finish-Installing-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,

2952

Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,

2953

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

2954

<br>

2955

</div>

2956

2957

<h4 class="subsection">4.1.4 Finish Installing the Slave KDCs</h4>

2958

2959

<p>Now that the slave KDCs have copies of the Kerberos database, you can

2960

create stash files for them and start the <code>krb5kdc</code> daemon.

2961

2962

2963

<li><a accesskey="1" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>

2964

<li><a accesskey="2" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>

2965

</ul>

2966

2967

2968

<p><hr>

2969

<a name="Create-Stash-Files-on-the-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>,

2970

Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,

2971

Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

2972

<br>

2973

</div>

2974

2975

<h5 class="subsubsection">4.1.4.1 Create Stash Files on the Slave KDCs</h5>

2976

2977

<p>Create stash files, by issuing the following commands on each slave KDC:

2978

2979

<pre class="smallexample"> <b>shell%</b> kdb5_util stash

2980

<b>kdb5_util: Cannot find/read stored master key while reading master key

2981

kdb5_util: Warning: proceeding without master key</b>

2982

<b>Enter KDC database master key:</b> <i><= Enter the database master key.</i>

2983

<b>shell%</b>

2984

</pre>

2985

<p>As mentioned above, the stash file is necessary for your KDCs to be able

2986

authenticate to themselves, such as when they reboot. You could run

2987

your KDCs without stash files, but you would then need to type in the

2988

Kerberos database master key by hand every time you start a KDC daemon.

2989

2990

2991

<p><hr>

2992

<a name="Start-the-krb5kdc-Daemon-on-Each-KDC"></a>Previous: <a rel="previous" accesskey="p" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>,

2993

Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

2994

<br>

2995

</div>

2996

2997

<h5 class="subsubsection">4.1.4.2 Start the krb5kdc Daemon on Each KDC</h5>

2998

2999

<p>The final step in configuing your slave KDCs is to run the KDC daemon:

3000

3001

<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc

3002

</pre>

3003

<p>As with the master KDC, you will probably want to add this command to

3004

the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will

3005

start the krb5kdc daemon automatically at boot time.

3006

3007

3008

<p><hr>

3009

<a name="Add-Kerberos-Principals-to-the-Database"></a>Next: <a rel="next" accesskey="n" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,

3010

Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,

3011

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

3012

<br>

3013

</div>

3014

3015

<h4 class="subsection">4.1.5 Add Kerberos Principals to the Database</h4>

3016

3017

<p>Once your KDCs are set up and running, you are ready to use

3018

<code>kadmin</code> to load principals for your users, hosts, and other

3019

services into the Kerberos database. This procedure is described fully in the

3020

“Adding or Modifying Principals” section of the Kerberos V5 System

3021

Administrator's Guide. (See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a

3022

brief description.) The keytab is generated by running <code>kadmin</code>

3023

and issuing the <code>ktadd</code> command.

3024

3025

3026

<p><hr>

3027

<a name="Limit-Access-to-the-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,

3028

Previous: <a rel="previous" accesskey="p" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,

3029

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

3030

<br>

3031

</div>

3032

3033

<h4 class="subsection">4.1.6 Limit Access to the KDCs</h4>

3034

3035

<p>To limit the possibility that your Kerberos database could be

3036

compromised, MIT recommends that each KDC be a dedicated

3037

host, with limited access. If your KDC is also a file server, FTP

3038

server, Web server, or even just a client machine, someone who obtained

3039

root access through a security hole in any of those areas could gain

3040

access to the Kerberos database.

3041

3042

<p>MIT recommends that your KDCs use the following

3043

<code>/etc/inetd.conf</code> file. (Note: each line beginning with =>

3044

is a continuation of the previous line.):

3045

3046

<pre class="smallexample"> #

3047

# Configuration file for inetd(1M). See inetd.conf(4).

3048

3049

# To re-configure the running inetd process, edit this file, then

3050

# send the inetd process a SIGHUP.

3051

3052

# Syntax for socket-based Internet services:

3053

# <service_name> <socket_type> <proto> <flags> <user>

3054

=> <server_pathname> <args>

3055

3056

# Syntax for TLI-based Internet services:

3057

3058

# <service_name> tli <proto> <flags> <user> <server_pathname> <args>

3059

3060

# Ftp and telnet are standard Internet services.

3061

3062

# This machine is a secure Kerberos Key Distribution Center (KDC).

3063

# Services are limited.

3064

3065

3066

# Time service is used for clock synchronization.

3067

3068

time stream tcp nowait root internal

3069

time dgram udp wait root internal

3070

3071

# Limited Kerberos services

3072

3073

krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

3074

eklogin stream tcp nowait root /usr/local/sbin/klogind

3075

=> klogind -5 -c -e

3076

</pre>

3077

3078

<p><hr>

3079

<a name="Switching-Master-and-Slave-KDCs"></a>Next: <a rel="next" accesskey="n" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,

3080

Previous: <a rel="previous" accesskey="p" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,

3081

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

3082

<br>

3083

</div>

3084

3085

<h4 class="subsection">4.1.7 Switching Master and Slave KDCs</h4>

3086

3087

<p>You may occasionally want to use one of your slave KDCs as the master.

3088

This might happen if you are upgrading the master KDC, or if your master

3089

KDC has a disk crash.

3090

3091

<p>Assuming you have configured all of your KDCs to be able to function as

3092

either the master KDC or a slave KDC (as this document recommends), all

3093

you need to do to make the changeover is:

3094

3095

<p>If the master KDC is still running, do the following on the <em>old</em>

3096

master KDC:

3097

3098

3099

<li>Kill the <code>kadmind</code> process.

3100

3101

<li>Disable the cron job that propagates the database.

3102

3103

<li>Run your database propagation script manually, to ensure that the slaves

3104

all have the latest copy of the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.) If there is a need to preserve per-principal

3105

policy information from the database, you should do a “kdb5_util dump

3106

-ov” in order to preserve that information and propogate that dump file

3107

securely by some means to the slave so that its database has the correct

3108

state of the per-principal policy information.

3109

</ol>

3110

3111

<p>On the <em>new</em> master KDC:

3112

3113

3114

<li>Create a database keytab. (See <a href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>.)

3115

3116

<li>Start the <code>kadmind</code> daemon. (See <a href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>.)

3117

3118

<li>Set up the cron job to propagate the database. (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.)

3119

3120

<li>Switch the CNAMEs of the old and new master KDCs. (If you don't do

3121

this, you'll need to change the <code>krb5.conf</code> file on every client

3122

machine in your Kerberos realm.)

3123

3124

</ol>

3125

3126

3127

<p><hr>

3128

<a name="Incremental-Database-Propagation"></a>Previous: <a rel="previous" accesskey="p" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,

3129

Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

3130

<br>

3131

</div>

3132

3133

<h4 class="subsection">4.1.8 Incremental Database Propagation</h4>

3134

3135

<p>At some very large sites, dumping and transmitting the database can

3136

take more time than is desirable for changes to propagate from the

3137

master KDC to the slave KDCs. The incremental propagation support

3138

added in the 1.7 release is intended to address this.

3139

3140

<p>With incremental propagation enabled, all programs on the master KDC

3141

that change the database also write information about the changes to

3142

an “update log” file, maintained as a circular buffer of a certain

3143

size. A process on each slave KDC connects to a service on the master

3144

KDC (currently implmented in the <code>kadmind</code> server) and

3145

periodically requests the changes that have been made since the last

3146

check. By default, this check is done every two minutes. If the

3147

database has just been modified in the previous several seconds

3148

(currently the threshold is hard-coded at 10 seconds), the slave will

3149

not retrieve updates, but instead will pause and try again soon after.

3150

This reduces the likelihood that incremental update queries will cause

3151

delays for an administrator trying to make a bunch of changes to the

3152

database at the same time.

3153

3154

<p>Incremental propagation uses the following entries in the per-realm

3155

data in the KDC config file:

3156

3157

<dl>

3158

<dt><code>iprop_enable</code> (boolean)<dd>If this is set to <code>true</code>, then incremental propagation is

3159

enabled, and (as noted below) normal <code>kprop</code> propagation is

3160

disabled. The default is <code>false</code>.

3161

3162

<br><dt><code>iprop_master_ulogsize</code> (integer)<dd>This indicates the number of entries that should be retained in the

3163

update log. The default is 1000; the maximum number is 2500.

3164

3165

<br><dt><code>iprop_slave_poll</code> (time interval)<dd>This indicates how often the slave should poll the master KDC for

3166

changes to the database. The default is two minutes.

3167

3168

<br><dt><code>iprop_port</code> (integer)<dd>This specifies the port number to be used for incremental

3169

propagation. This is required in both master and slave configuration

3170

files.

3171

3172

<br><dt><code>iprop_logfile</code> (file name)<dd>This specifies where the update log file for the realm database is to

3173

be stored. The default is to use the <code>database_name</code> entry from

3174

the <code>realms</code> section of the config file, with <span class="file">.ulog</span> appended.

3175

(NOTE: If <code>database_name</code> isn't specified in the <code>realms</code>

3176

section, perhaps because the LDAP database back end is being used, or

3177

the file name is specified in the <code>dbmodules</code> section, then the

3178

hard-coded default for <code>database_name</code> is used. Determination of

3179

the <code>iprop_logfile</code> default value will not use values from the

3180

<code>dbmodules</code> section.)

3181

</dl>

3182

3183

<p>Both master and slave sides must have principals named

3184

<code>kiprop/</code><var>hostname</var> (where <var>hostname</var> is, as usual, the

3185

lower-case, fully-qualified, canonical name for the host) registered

3186

and keys stored in the default keytab file (<span class="file">/etc/krb5.keytab</span>).

3187

3188

3189

3190

<p>On the master KDC side, the <code>kiprop/</code><var>hostname</var> principal

3191

must be listed in the <code>kadmind</code> ACL file <code>kadm5.acl</code>, and

3192

given the <code>p</code> privilege.

3193

3194

<p>On the slave KDC side, <code>kpropd</code> should be run. When incremental

3195

propagation is enabled, it will connect to the <code>kadmind</code> on the

3196

master KDC and start requesting updates.

3197

3198

<p>The normal <code>kprop</code> mechanism is disabled by the incremental

3199

propagation support. However, if the slave has been unable to fetch

3200

changes from the master KDC for too long (network problems, perhaps),

3201

the log on the master may wrap around and overwrite some of the

3202

updates that the slave has not yet retrieved. In this case, the slave

3203

will instruct the master KDC to dump the current database out to a

3204

file and invoke a one-time <code>kprop</code> propagation, with special

3205

options to also convey the point in the update log at which the slave

3206

should resume fetching incremental updates. Thus, all the keytab and

3207

ACL setup previously described for <code>kprop</code> propagation is still

3208

needed.

3209

3210

<p>There are several known bugs and restrictions in the current

3211

implementation:

3212

<ul>

3213

<li>The “call out to <code>kprop</code>” mechanism is a bit fragile; if the

3214

<code>kprop</code> propagation fails to connect for some reason, the process

3215

on the slave may hang waiting for it, and will need to be restarted.

3216

<li>The master and slave must be able to initiate TCP connections in both

3217

directions, without an intervening NAT. They must also be able to

3218

communicate over IPv4, since MIT's kprop and RPC code does not

3219

currently support IPv6.

3220

</ul>

3221

3222

3223

<li><a accesskey="1" href="#Sun_002fMIT-Incremental-Propagation-Differences">Sun/MIT Incremental Propagation Differences</a>

3224

</ul>

3225

3226

3227

<p><hr>

3228

<a name="Sun_002fMIT-Incremental-Propagation-Differences"></a>Previous: <a rel="previous" accesskey="p" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,

3229

Up: <a rel="up" accesskey="u" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>

3230

<br>

3231

</div>

3232

3233

<h5 class="subsubsection">4.1.8.1 Sun/MIT Incremental Propagation Differences</h5>

3234

3235

<p>Sun donated the original code for supporting incremental database

3236

propagation to MIT. Some changes have been made in the MIT source

3237

tree that will be visible to administrators. (These notes are based

3238

on Sun's patches. Changes to Sun's implementation since then may not

3239

be reflected here.)

3240

3241

<p>The Sun config file support looks for <code>sunw_dbprop_enable</code>,

3242

<code>sunw_dbprop_master_ulogsize</code>, and <code>sunw_dbprop_slave_poll</code>.

3243

3244

<p>The incremental propagation service is implemented as an ONC RPC

3245

service. In the Sun implementation, the service is registered with

3246

<code>rpcbind</code> (also known as <code>portmapper</code>) and the client looks

3247

up the port number to contact. In the MIT implementation, where

3248

interaction with some modern versions of <code>rpcbind</code> doesn't always

3249

work well, the port number must be specified in the config file on

3250

both the master and slave sides.

3251

3252

<p>The Sun implementation hard-codes pathnames in <span class="file">/var/krb5</span> for

3253

the update log and the per-slave <code>kprop</code> dump files. In the MIT

3254

implementation, the pathname for the update log is specified in the

3255

config file, and the per-slave dump files are stored in

3256

<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var>.

3257

3258

3259

<p><hr>

3260

<a name="Installing-and-Configuring-UNIX-Client-Machines"></a>Next: <a rel="next" accesskey="n" href="#UNIX-Application-Servers">UNIX Application Servers</a>,

3261

Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,

3262

Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

3263

<br>

3264

</div>

3265

3266

<h3 class="section">4.2 Installing and Configuring UNIX Client Machines</h3>

3267

3268

<p>Client machine installation is much more straightforward than

3269

installation of the KDCs.

3270

3271

3272

<li><a accesskey="1" href="#Client-Programs">Client Programs</a>

3273

<li><a accesskey="2" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>

3274

</ul>

3275

3276

3277

<p><hr>

3278

<a name="Client-Programs"></a>Next: <a rel="next" accesskey="n" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,

3279

Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,

3280

Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

3281

<br>

3282

</div>

3283

3284

<h4 class="subsection">4.2.1 Client Programs</h4>

3285

3286

<p>The Kerberized client programs are <code>login.krb5</code>, <code>rlogin</code>,

3287

<code>telnet</code>, <code>ftp</code>, <code>rcp</code>, <code>rsh</code>, <code>kinit</code>,

3288

<code>klist</code>, <code>kdestroy</code>, <code>kpasswd</code>, <code>ksu</code>, and

3289

<code>krb524init</code>. All of these programs are in the directory

3290

<code>/usr/local/bin</code>, except for <code>login.krb5</code> which is in

3291

<code>/usr/local/sbin</code>.

3292

3293

<p>You will probably want to have your users put <code>/usr/local/bin</code>

3294

ahead of <code>/bin</code> and <code>/usr/bin</code> in their paths, so they will by

3295

default get the Kerberos V5 versions of <code>rlogin</code>,

3296

<code>telnet</code>, <code>ftp</code>, <code>rcp</code>, and <code>rsh</code>.

3297

3298

<p>MIT recommends that you use <code>login.krb5</code> in place of

3299

<code>/bin/login</code> to give your users a single-sign-on system. You will

3300

need to make sure your users know to use their Kerberos passwords when

3301

they log in.

3302

3303

<p>You will also need to educate your users to use the ticket management

3304

programs <code>kinit</code>,

3305

3306

<code>klist</code>, <code>kdestroy</code>, and to use the Kerberos programs

3307

3308

<code>ksu</code>, and <code>kpasswd</code> in place of their non-Kerberos

3309

counterparts

3310

3311

<code>su</code>, <code>passwd</code>, and <code>rdist</code>.

3312

3313

3314

<p><hr>

3315

<a name="Client-Machine-Configuration-Files"></a>Previous: <a rel="previous" accesskey="p" href="#Client-Programs">Client Programs</a>,

3316

Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

3317

<br>

3318

</div>

3319

3320

<h4 class="subsection">4.2.2 Client Machine Configuration Files</h4>

3321

3322

<p>Each machine running Kerberos must have a <code>/etc/krb5.conf</code> file.

3323

(See <a href="#krb5_002econf">krb5.conf</a>.)

3324

3325

<p>Also, for most UNIX systems, you must add the appropriate Kerberos

3326

services to each client machine's <code>/etc/services</code> file. If you are

3327

using the default configuration for Kerberos V5, you should be able

3328

to just insert the following code:

3329

3330

<pre class="smallexample"> kerberos 88/udp kdc # Kerberos V5 KDC

3331

kerberos 88/tcp kdc # Kerberos V5 KDC

3332

klogin 543/tcp # Kerberos authenticated rlogin

3333

kshell 544/tcp cmd # and remote shell

3334

kerberos-adm 749/tcp # Kerberos 5 admin/changepw

3335

kerberos-adm 749/udp # Kerberos 5 admin/changepw

3336

krb5_prop 754/tcp # Kerberos slave propagation

3337

3338

eklogin 2105/tcp # Kerberos auth. & encrypted rlogin

3339

krb524 4444/tcp # Kerberos 5 to 4 ticket translator

3340

</pre>

3341

3342

<li><a accesskey="1" href="#Mac-OS-X-Configuration">Mac OS X Configuration</a>

3343

</ul>

3344

3345

3346

<p><hr>

3347

<a name="Mac-OS-X-Configuration"></a>Previous: <a rel="previous" accesskey="p" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,

3348

Up: <a rel="up" accesskey="u" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>

3349

<br>

3350

</div>

3351

3352

<h5 class="subsubsection">4.2.2.1 Mac OS X Configuration</h5>

3353

3354

<p>To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the

3355

directions for generic Unix-based OS's, except for the

3356

<code>/etc/services</code> updates described above.

3357

3358

<p>Mac OS X and Mac OS X Server use a database called NetInfo to store

3359

the contents of files normally found in <code>/etc</code>. Instead of

3360

modifying <code>/etc/services</code>, you should run the following commands

3361

to add the Kerberos service entries to NetInfo:

3362

3363

<pre class="smallexample"> $ niutil -create . /services/kerberos

3364

$ niutil -createprop . /services/kerberos name kerberos kdc

3365

$ niutil -createprop . /services/kerberos port 750

3366

$ niutil -createprop . /services/kerberos protocol tcp udp

3367

$ niutil -create . /services/krbupdate

3368

$ niutil -createprop . /services/krbupdate name krbupdate kreg

3369

$ niutil -createprop . /services/krbupdate port 760

3370

$ niutil -createprop . /services/krbupdate protocol tcp

3371

$ niutil -create . /services/kpasswd

3372

$ niutil -createprop . /services/kpasswd name kpasswd kpwd

3373

$ niutil -createprop . /services/kpasswd port 761

3374

$ niutil -createprop . /services/kpasswd protocol tcp

3375

$ niutil -create . /services/klogin

3376

$ niutil -createprop . /services/klogin port 543

3377

$ niutil -createprop . /services/klogin protocol tcp

3378

$ niutil -create . /services/eklogin

3379

$ niutil -createprop . /services/eklogin port 2105

3380

$ niutil -createprop . /services/eklogin protocol tcp

3381

$ niutil -create . /services/kshell

3382

$ niutil -createprop . /services/kshell name kshell krcmd

3383

$ niutil -createprop . /services/kshell port 544

3384

$ niutil -createprop . /services/kshell protocol tcp

3385

</pre>

3386

<p>In addition to adding services to NetInfo, you must also modify the

3387

resolver configuration in NetInfo so that the machine resolves its own

3388

hostname as a FQDN (fully qualified domain name). By default, Mac OS X

3389

and Mac OS X Server machines query NetInfo to resolve hostnames before

3390

falling back to DNS. Because NetInfo has an unqualified name for all

3391

the machines in the NetInfo database, the machine's own hostname will

3392

resolve to an unqualified name. Kerberos needs a FQDN to look up keys

3393

in the machine's keytab file.

3394

3395

<p>Fortunately, you can change the <code>lookupd</code> caching order to query

3396

DNS first. Run the following NetInfo commands and reboot the machine:

3397

3398

<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts

3399

$ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent

3400

NIAgent NILAgent

3401

</pre>

3402

<p>Once you have rebooted, you can verify that the resolver now behaves

3403

correctly. Compile the Kerberos 5 distribution and run:

3404

3405

<pre class="smallexample"> $ cd .../src/tests/resolve

3406

$ ./resolve

3407

</pre>

3408

<p>This will tell you whether or not your machine returns FQDNs on name

3409

lookups. If the test still fails, you can also try turning off DNS

3410

caching. Run the following commands and reboot:

3411

3412

<pre class="smallexample"> $ niutil -create . /locations/lookupd/hosts

3413

$ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent

3414

CacheAgent NIAgent NILAgent

3415

</pre>

3416

<p>The remainder of the setup of a Mac OS X client machine or application

3417

server should be the same as for other UNIX-based systems.

3418

3419

3420

<p><hr>

3421

<a name="UNIX-Application-Servers"></a>Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,

3422

Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

3423

<br>

3424

</div>

3425

3426

<h3 class="section">4.3 UNIX Application Servers</h3>

3427

3428

<p>An application server is a host that provides one or more services over

3429

the network. Application servers can be “secure” or “insecure.” A

3430

“secure” host is set up to require authentication from every client

3431

connecting to it. An “insecure” host will still provide Kerberos

3432

authentication, but will also allow unauthenticated clients to connect.

3433

3434

<p>If you have Kerberos V5 installed on all of your client machines,

3435

MIT recommends that you make your hosts secure, to take

3436

advantage of the security that Kerberos authentication affords.

3437

However, if you have some clients that do not have Kerberos V5

3438

installed, you can run an insecure server, and still take advantage of

3439

Kerberos V5's single sign-on capability.

3440

3441

3442

<li><a accesskey="1" href="#Server-Programs">Server Programs</a>

3443

<li><a accesskey="2" href="#Server-Configuration-Files">Server Configuration Files</a>

3444

<li><a accesskey="3" href="#The-Keytab-File">The Keytab File</a>

3445

<li><a accesskey="4" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>

3446

</ul>

3447

3448

3449

<p><hr>

3450

<a name="Server-Programs"></a>Next: <a rel="next" accesskey="n" href="#Server-Configuration-Files">Server Configuration Files</a>,

3451

Previous: <a rel="previous" accesskey="p" href="#UNIX-Application-Servers">UNIX Application Servers</a>,

3452

Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

3453

<br>

3454

</div>

3455

3456

<h4 class="subsection">4.3.1 Server Programs</h4>

3457

3458

<p>Just as Kerberos V5 provided its own Kerberos-enhanced versions of

3459

client UNIX network programs, Kerberos V5 also provides

3460

Kerberos-enhanced versions of server UNIX network daemons. These are

3461

<code>ftpd</code>, <code>klogind</code>, <code>kshd</code>, and <code>telnetd</code>.

3462

3463

These programs are installed in the directory

3464

<code>/usr/local/sbin</code>. You may want to add this directory to

3465

root's path.

3466

3467

3468

<p><hr>

3469

<a name="Server-Configuration-Files"></a>Next: <a rel="next" accesskey="n" href="#The-Keytab-File">The Keytab File</a>,

3470

Previous: <a rel="previous" accesskey="p" href="#Server-Programs">Server Programs</a>,

3471

Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

3472

<br>

3473

</div>

3474

3475

<h4 class="subsection">4.3.2 Server Configuration Files</h4>

3476

3477

<p>For a <em>secure</em> server, make the following changes to

3478

<code>/etc/inetd.conf</code>:

3479

3480

<p>Find and comment out any lines for the services <code>ftp</code>,

3481

<code>telnet</code>, <code>shell</code>, <code>login</code>, and <code>exec</code>.

3482

3483

<p>Add the following lines. (Note: each line beginning with => is

3484

a continuation of the previous line.)

3485

3486

<pre class="smallexample"> klogin stream tcp nowait root /usr/local/sbin/klogind

3487

=> klogind -k -c

3488

eklogin stream tcp nowait root /usr/local/sbin/klogind

3489

=> klogind -k -c -e

3490

kshell stream tcp nowait root /usr/local/sbin/kshd

3491

=> kshd -k -c -A

3492

ftp stream tcp nowait root /usr/local/sbin/ftpd

3493

=> ftpd -a

3494

telnet stream tcp nowait root /usr/local/sbin/telnetd

3495

=> telnetd -a valid

3496

</pre>

3497

<p>For an <em>insecure</em> server, make the following changes instead to

3498

<code>/etc/inetd.conf</code>:

3499

3500

<p>Find and comment out any lines for the services <code>ftp</code> and

3501

<code>telnet</code>.

3502

3503

<p>Add the following lines. (Note: each line beginning with => is

3504

a continuation of the previous line.)

3505

<pre class="smallexample"> klogin stream tcp nowait root /usr/local/sbin/klogind

3506

=> klogind -k -c

3507

eklogin stream tcp nowait root /usr/local/sbin/klogind

3508

=> klogind -k -c -e

3509

kshell stream tcp nowait root /usr/local/sbin/kshd

3510

=> kshd -k -c -A

3511

ftp stream tcp nowait root /usr/local/sbin/ftpd

3512

=> ftpd

3513

telnet stream tcp nowait root /usr/local/sbin/telnetd

3514

=> telnetd -a none

3515

</pre>

3516

3517

<p><hr>

3518

<a name="The-Keytab-File"></a>Next: <a rel="next" accesskey="n" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>,

3519

Previous: <a rel="previous" accesskey="p" href="#Server-Configuration-Files">Server Configuration Files</a>,

3520

Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

3521

<br>

3522

</div>

3523

3524

<h4 class="subsection">4.3.3 The Keytab File</h4>

3525

3526

<p>All Kerberos server machines need a <dfn>keytab</dfn> file, called

3527

<code>/etc/krb5.keytab</code>, to authenticate to the KDC. The keytab file is

3528

an encrypted, local, on-disk copy of the host's key. The keytab file,

3529

like the stash file (<a href="#Create-the-Database">Create the Database</a>) is a potential

3530

point-of-entry for a break-in, and if compromised, would allow

3531

unrestricted access to its host. The keytab file should be readable

3532

only by root, and should exist only on the machine's local disk. The

3533

file should not be part of any backup of the machine, unless access to

3534

the backup data is secured as tightly as access to the machine's root

3535

password itself.

3536

3537

<p>In order to generate a keytab for a host, the host must have a principal

3538

in the Kerberos database. The procedure for adding hosts to the

3539

database is described fully in the “Adding or Modifying Principals”

3540

section of the <cite>Kerberos V5 System Administrator's Guide</cite>.

3541

See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>. for a brief description.)

3542

The keytab is generated by running <code>kadmin</code> and issuing the

3543

<code>ktadd</code> command.

3544

3545

<p>For example, to generate a keytab file to allow the host

3546

trillium.mit.edu to authenticate for the services

3547

<code>host</code>, <code>ftp</code>, and <code>pop</code>, the administrator

3548

<code>joeadmin</code> would issue the command (on

3549

trillium.mit.edu):

3550

3551

<pre class="smallexample"> <b>trillium%</b> /usr/local/sbin/kadmin

3552

<b>kadmin5:</b> ktadd host/trillium.mit.edu ftp/trillium.mit.edu

3553

=> pop/trillium.mit.edu

3554

<b>kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with

3555

kvno 3, encryption type DES-CBC-CRC added to keytab

3556

WRFILE:/etc/krb5.keytab.

3557

kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with

3558

kvno 3, encryption type DES-CBC-CRC added to keytab

3559

WRFILE:/etc/krb5.keytab.

3560

kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with

3561

kvno 3, encryption type DES-CBC-CRC added to keytab

3562

WRFILE:/etc/krb5.keytab.

3563

kadmin5:</b> quit

3564

<b>trillium%</b>

3565

</pre>

3566

<p>If you generate the keytab file on another host, you need to get a copy

3567

of the keytab file onto the destination host (<code>trillium</code>, in the

3568

above example) without sending it unencrypted over the network. If you

3569

have installed the Kerberos V5 client programs, you can use

3570

encrypted <code>rcp</code>.

3571

3572

3573

<p><hr>

3574

<a name="Some-Advice-about-Secure-Hosts"></a>Previous: <a rel="previous" accesskey="p" href="#The-Keytab-File">The Keytab File</a>,

3575

Up: <a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

3576

<br>

3577

</div>

3578

3579

<h4 class="subsection">4.3.4 Some Advice about Secure Hosts</h4>

3580

3581

<p>Kerberos V5 can protect your host from certain types of break-ins,

3582

but it is possible to install Kerberos V5 and still leave your host

3583

vulnerable to attack. Obviously an installation guide is not the place

3584

to try to include an exhaustive list of countermeasures for every

3585

possible attack, but it is worth noting some of the larger holes and how

3586

to close them.

3587

3588

<p>As stated earlier in this section, MIT recommends that on a

3589

secure host, you disable the standard <code>ftp</code>, <code>login</code>,

3590

<code>telnet</code>, <code>shell</code>, and <code>exec</code> services in

3591

<code>/etc/inetd.conf</code>. We also recommend that secure hosts have an empty

3592

<code>/etc/hosts.equiv</code> file and that there not be a <code>.rhosts</code> file

3593

in <code>root</code>'s home directory. You can grant Kerberos-authenticated

3594

root access to specific Kerberos principals by placing those principals

3595

in the file <code>.k5login</code> in root's home directory.

3596

3597

<p>We recommend that backups of secure machines exclude the keytab file

3598

(<code>/etc/krb5.keytab</code>). If this is not possible, the backups should

3599

at least be done locally, rather than over a network, and the backup

3600

tapes should be physically secured.

3601

3602

<p>Finally, the keytab file and any programs run by root, including the

3603

Kerberos V5 binaries, should be kept on local disk. The keytab file

3604

should be readable only by root.

3605

3606

3607

<p><hr>

3608

<a name="Upgrading-Existing-Kerberos-V5-Installations"></a>Next: <a rel="next" accesskey="n" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>,

3609

Previous: <a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,

3610

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

3611

<br>

3612

</div>

3613

3614

<h2 class="chapter">5 Upgrading Existing Kerberos V5 Installations</h2>

3615

3616

<p>If you already have an existing Kerberos database that you created with

3617

a prior release of Kerberos 5, you can upgrade it to work with the

3618

current release with the <code>kdb5_util</code> command. It is only

3619

necessary to perform this dump/undump procedure if you were running a

3620

krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you

3621

were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer

3622

KDC. The process for upgrading a Master KDC involves the following

3623

steps:

3624

3625

3626

3627

<li>Stop your current KDC and administration

3628

server processes, if any.

3629

3630

<li>Dump your existing Kerberos database to an ASCII file with

3631

<code>kdb5_util</code>'s “dump” command:

3632

3633

<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc

3634

<b>shell%</b> kdb5_util dump old-kdb-dump

3635

<b>shell%</b> kdb5_util dump -ov old-kdb-dump.ov

3636

<b>shell%</b>

3637

</pre>

3638

<li>Create a new Master KDC installation (See <a href="#Install-the-Master-KDC">Install the Master KDC</a>.). If you have a stash file for your current database, choose any

3639

new master password but then copy your existing stash file to the

3640

location specified by your kdc.conf; if you do not have a stash file for

3641

your current database, you must choose the same master password.

3642

3643

<li>Load your old Kerberos database into the new system with

3644

<code>kdb5_util</code>'s “load” command:

3645

3646

<pre class="smallexample"> <b>shell%</b> cd /usr/local/var/krb5kdc

3647

<b>shell%</b> kdb5_util load old-kdb-dump

3648

<b>shell%</b> kdb5_util load -update old-kdb-dump.ov

3649

<b>shell%</b>

3650

</pre>

3651

</ol>

3652

3653

<p>The “dump -ov” and “load -update” commands are necessary in order to

3654

preserve per-principal policy information, since the default dump format

3655

filters out that information. If you omit those steps, the loaded

3656

database database will lose the policy information for each principal

3657

that has a policy.

3658

3659

<p>To update a Slave KDC, you must stop the old server processes on the

3660

Slave KDC, install the new server binaries, reload the most recent slave

3661

dump file, and re-start the server processes.

3662

3663

3664

<li><a accesskey="1" href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">Upgrading to Triple-DES and RC4 Encryption Keys</a>

3665

</ul>

3666

3667

3668

<p><hr>

3669

<a name="Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys"></a>Previous: <a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,

3670

Up: <a rel="up" accesskey="u" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>

3671

<br>

3672

</div>

3673

3674

<h3 class="section">5.1 Upgrading to Triple-DES Encryption Keys</h3>

3675

3676

<p>Beginning with the 1.2 release from MIT, Kerberos includes

3677

a stronger encryption algorithm called “triple DES” – essentially,

3678

three applications of the basic DES encryption algorithm, greatly

3679

increasing the resistance to a brute-force search for the key by an

3680

attacker. This algorithm is more secure, but encryption is much

3681

slower.

3682

3683

<p>Release 1.1 had some support for triple-DES service keys, but with

3684

release 1.2 we have added support for user keys and session keys as

3685

well. Release 1.0 had very little support for multiple cryptosystems,

3686

and some of that software may not function properly in an environment

3687

using triple-DES as well as plain DES.

3688

3689

<p>In the 1.3 release from MIT, Kerberos also includes the RC4

3690

encryption alogorithm, a stream cipher symmetric key algorithm

3691

developed in 1987 by Ronald Rivest at RSA Data Security. Please note

3692

that RC4 is not part of the IETF standard.

3693

3694

<p>Because of the way the MIT Kerberos database is structured, the KDC

3695

will assume that a service supports only those encryption types for

3696

which keys are found in the database. Thus, if a service has only a

3697

single-DES key in the database, the KDC will not issue tickets for that

3698

service that use triple-DES or RC4 session keys; it will instead issue

3699

only single-DES session keys, even if other services are already

3700

capable of using triple-DES or RC4. So if you make sure your

3701

application server software is updated before adding a triple-DES or

3702

RC4 key for the service, clients should be able to talk to services at

3703

all times during the updating process.

3704

3705

<p>Normally, the listed <code>supported_enctypes</code> in <code>kdc.conf</code> are

3706

all used when a new key is generated. You can control this with

3707

command-line flags to <code>kadmin</code> and <code>kadmin.local</code>. You may

3708

want to exclude triple-DES and RC4 by default until you have updated a

3709

lot of your application servers, and then change the default to include

3710

triple-DES and RC4. We recommend that you always include

3711

<code>des-cbc-crc</code> in the default list.

3712

3713

3714

<p><hr>

3715

<a name="Bug-Reports-for-Kerberos-V5"></a>Previous: <a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,

3716

Up: <a rel="up" accesskey="u" href="#Top">Top</a>

3717

<br>

3718

</div>

3719

3720

<h2 class="chapter">6 Bug Reports for Kerberos V5</h2>

3721

3722

<p>In any complex software, there will be bugs. If you have successfully

3723

built and installed Kerberos V5, please use the <code>krb5-send-pr</code>

3724

program to fill out a Problem Report should you encounter any errors in

3725

our software.

3726

3727

<p>Bug reports that include proposed fixes are especially welcome. If you

3728

do include fixes, please send them using either context diffs or unified

3729

diffs (using <span class="samp">diff -c</span> or <span class="samp">diff -u</span>, respectively). Please be

3730

careful when using “cut and paste” or other such means to copy a patch

3731

into a bug report; depending on the system being used, that can result

3732

in converting TAB characters into spaces, which makes applying the

3733

patches more difficult.

3734

3735

<p>The <code>krb5-send-pr</code> program is installed in the directory

3736

<code>/usr/local/sbin</code>.

3737

3738

<p>The <code>krb5-send-pr</code> program enters the problem report into our

3739

Problem Report Management System (PRMS), which automatically assigns it

3740

to the engineer best able to help you with problems in the assigned

3741

category.

3742

3743

<p>The <code>krb5-send-pr</code> program will try to intelligently fill in as

3744

many fields as it can. You need to choose the <dfn>category</dfn>,

3745

<dfn>class</dfn>, <dfn>severity</dfn>, and <dfn>priority</dfn> of the problem, as well

3746

as giving us as much information as you can about its exact nature.

3747

3748

<p>The PR <b>category</b> will be one of:

3749

3750

<pre class="smallexample"> krb5-admin krb5-appl krb5-build krb5-clients

3751

krb5-doc krb5-kdc krb5-libs krb5-misc

3752

pty telnet test

3753

</pre>

3754

<p class="noindent">Choose the category that best describes the area under which your

3755

problem falls.

3756

3757

<p>The <b>class</b> can be <dfn>sw-bug</dfn>, <dfn>doc-bug</dfn>, <dfn>change-request</dfn>,

3758

or <dfn>support</dfn>. The first two are exactly as their names imply. Use

3759

<i>change-request</i> when the software is behaving according to

3760

specifications, but you want to request changes in some feature or

3761

behavior. The <i>support</i> class is intended for more general questions

3762

about building or using Kerberos V5.

3763

3764

<p>The <b>severity</b> of the problem indicates the problem's impact on the

3765

usability of Kerberos V5. If a problem is <dfn>critical</dfn>, that

3766

means the product, component or concept is completely non-operational,

3767

or some essential functionality is missing, and no workaround is known.

3768

A <dfn>serious</dfn> problem is one in which the product, component or

3769

concept is not working properly or significant functionality is missing.

3770

Problems that would otherwise be considered <i>critical</i> are rated

3771

<i>serious</i> when a workaround is known. A <dfn>non-critical</dfn> problem is

3772

one that is indeed a problem, but one that is having a minimal effect on

3773

your ability to use Kerberos V5. <i>E.g.</i>, The product, component

3774

or concept is working in general, but lacks features, has irritating

3775

behavior, does something wrong, or doesn't match its documentation. The

3776

default severity is <i>serious</i>.

3777

3778

<p>The <b>priority</b> indicates how urgent this particular problem is in

3779

relation to your work. Note that low priority does not imply low

3780

importance.

3781

A priority of <dfn>high</dfn> means a solution is needed as soon as possible.

3782

A priority of <dfn>medium</dfn> means the problem should be solved no later

3783

than the next release. A priority of <dfn>low</dfn> means the problem should

3784

be solved in a future release, but it is not important to your work how

3785

soon this happens. The default priority is <i>medium</i>.

3786

3787

<p>Note that a given severity does not necessarily imply a given priority.

3788

For example, a non-critical problem might still have a high priority if

3789

you are faced with a hard deadline. Conversely, a serious problem might

3790

have a low priority if the feature it is disabling is one that you do

3791

not need.

3792

3793

<p>It is important that you fill in the <i>release</i> field and tell us

3794

what changes you have made, if any.

3795

3796

<p>A sample filled-out form from a company named “Toasters, Inc.” might

3797

look like this:

3798

3799

<pre class="smallexample"> To: krb5-bugs@mit.edu

3800

Subject: misspelled "Kerberos" in title of installation guide

3801

From: jcb

3802

Reply-To: jcb

3803

Cc:

3804

X-send-pr-version: 3.99

3805

3806

3807

>Submitter-Id: mit

3808

>Originator: Jeffrey C. Gilman Bigler

3809

>Organization:

3810

mit

3811

>Confidential: no

3812

>Synopsis: Misspelled "Kerberos" in title of installation guide

3813

>Severity: non-critical

3814

>Priority: low

3815

>Category: krb5-doc

3816

>Class: doc-bug

3817

>Release: 1.0-development

3818

>Environment:

3819

<machine, os, target, libraries (multiple lines)>

3820

System: ULTRIX imbrium 4.2 0 RISC

3821

Machine: mips

3822

>Description:

3823

Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"

3824

>How-To-Repeat:

3825

N/A

3826

>Fix:

3827

Correct the spelling.

3828

</pre>

3829

<p>If the <code>krb5-send-pr</code> program does not work for you, or if you did

3830

not get far enough in the process to have an installed and working

3831

<code>krb5-send-pr</code>, you can generate your own form, using the above as

3832

an example.

3833

3834

3835

<h2>Table of Contents</h2>

3836

<ul>

3837

<li><a name="toc_Copyright" href="#Copyright">Copyright</a>

3838

<li><a name="toc_Introduction" href="#Introduction">1 Introduction</a>

3839

<ul>

3840

<li><a href="#What-is-Kerberos-and-How-Does-it-Work_003f">1.1 What is Kerberos and How Does it Work?</a>

3841

<li><a href="#Why-Should-I-use-Kerberos_003f">1.2 Why Should I use Kerberos?</a>

3842

<li><a href="#Please-Read-the-Documentation">1.3 Please Read the Documentation</a>

3843

<li><a href="#Overview-of-This-Guide">1.4 Overview of This Guide</a>

3844

</li></ul>

3845

<li><a name="toc_Realm-Configuration-Decisions" href="#Realm-Configuration-Decisions">2 Realm Configuration Decisions</a>

3846

<ul>

3847

<li><a href="#Kerberos-Realms">2.1 Kerberos Realms</a>

3848

<li><a href="#Mapping-Hostnames-onto-Kerberos-Realms">2.2 Mapping Hostnames onto Kerberos Realms</a>

3849

<li><a href="#Ports-for-the-KDC-and-Admin-Services">2.3 Ports for the KDC and Admin Services</a>

3850

<li><a href="#Slave-KDCs">2.4 Slave KDCs</a>

3851

<li><a href="#Hostnames-for-the-Master-and-Slave-KDCs">2.5 Hostnames for the Master and Slave KDCs</a>

3852

<li><a href="#Database-Propagation">2.6 Database Propagation</a>

3853

</li></ul>

3854

<li><a name="toc_Building-Kerberos-V5" href="#Building-Kerberos-V5">3 Building Kerberos V5</a>

3855

<ul>

3856

<li><a href="#Organization-of-the-Source-Directory">3.1 Organization of the Source Directory</a>

3857

<ul>

3858

<li><a href="#The-appl-Directory">3.1.1 The appl Directory</a>

3859

<li><a href="#The-clients-Directory">3.1.2 The clients Directory</a>

3860

<li><a href="#The-gen_002dmanpages-Directory">3.1.3 The gen-manpages Directory</a>

3861

<li><a href="#The-include-Directory">3.1.4 The include Directory</a>

3862

<li><a href="#The-kadmin-Directory">3.1.5 The kadmin Directory</a>

3863

<li><a href="#The-kdc-Directory">3.1.6 The kdc Directory</a>

3864

<li><a href="#The-krb524-Directory">3.1.7 The krb524 Directory</a>

3865

<li><a href="#The-lib-Directory">3.1.8 The lib Directory</a>

3866

<li><a href="#The-prototype-Directory">3.1.9 The prototype Directory</a>

3867

<li><a href="#The-slave-Directory">3.1.10 The slave Directory</a>

3868

<li><a href="#The-util-Directory">3.1.11 The util Directory</a>

3869

</li></ul>

3870

<li><a href="#Build-Requirements">3.2 Build Requirements</a>

3871

<li><a href="#Unpacking-the-Sources">3.3 Unpacking the Sources</a>

3872

<li><a href="#Doing-the-Build">3.4 Doing the Build</a>

3873

<ul>

3874

<li><a href="#Building-Within-a-Single-Tree">3.4.1 Building Within a Single Tree</a>

3875

<li><a href="#Building-with-Separate-Build-Directories">3.4.2 Building with Separate Build Directories</a>

3876

<li><a href="#Building-using-lndir">3.4.3 Building Using <span class="samp">lndir</span></a>

3877

</li></ul>

3878

<li><a href="#Installing-the-Binaries">3.5 Installing the Binaries</a>

3879

<li><a href="#Testing-the-Build">3.6 Testing the Build</a>

3880

<ul>

3881

<li><a href="#The-DejaGnu-Tests">3.6.1 The DejaGnu Tests</a>

3882

<li><a href="#The-KADM5-Tests">3.6.2 The KADM5 Tests</a>

3883

</li></ul>

3884

<li><a href="#Options-to-Configure">3.7 Options to Configure</a>

3885

<li><a href="#osconf_002eh">3.8 <span class="file">osconf.h</span></a>

3886

<li><a href="#Shared-Library-Support">3.9 Shared Library Support</a>

3887

<li><a href="#OS-Incompatibilities">3.10 Operating System Incompatibilities</a>

3888

<ul>

3889

3890

<li><a href="#Alpha-OSF_002f1-V1_002e3">3.10.2 Alpha OSF/1 V1.3</a>

3891

<li><a href="#Alpha-OSF_002f1-V2_002e0">3.10.3 Alpha OSF/1 V2.0</a>

3892

<li><a href="#Alpha-OSF_002f1-V4_002e0">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</a>

3893

3894

3895

<li><a href="#Solaris-versions-2_002e0-through-2_002e3">3.10.7 Solaris versions 2.0 through 2.3</a>

3896

<li><a href="#Solaris-2_002eX">3.10.8 Solaris 2.X</a>

3897

<li><a href="#Solaris-9">3.10.9 Solaris 9</a>

3898

3899

<li><a href="#Ultrix-4_002e2_002f3">3.10.11 Ultrix 4.2/3</a>

3900

</li></ul>

3901

<li><a href="#Using-Autoconf">3.11 Using <span class="samp">Autoconf</span></a>

3902

</li></ul>

3903

<li><a name="toc_Installing-Kerberos-V5" href="#Installing-Kerberos-V5">4 Installing Kerberos V5</a>

3904

<ul>

3905

<li><a href="#Installing-KDCs">4.1 Installing KDCs</a>

3906

<ul>

3907

<li><a href="#Install-the-Master-KDC">4.1.1 Install the Master KDC</a>

3908

<ul>

3909

<li><a href="#Edit-the-Configuration-Files">4.1.1.1 Edit the Configuration Files</a>

3910

3911

3912

<li><a href="#Create-the-Database">4.1.1.4 Create the Database</a>

3913

<li><a href="#Add-Administrators-to-the-Acl-File">4.1.1.5 Add Administrators to the Acl File</a>

3914

<li><a href="#Add-Administrators-to-the-Kerberos-Database">4.1.1.6 Add Administrators to the Kerberos Database</a>

3915

<li><a href="#Create-a-kadmind-Keytab-_0028optional_0029">4.1.1.7 Create a kadmind Keytab (optional)</a>

3916

<li><a href="#Start-the-Kerberos-Daemons">4.1.1.8 Start the Kerberos Daemons on the Master KDC</a>

3917

</li></ul>

3918

<li><a href="#Install-the-Slave-KDCs">4.1.2 Install the Slave KDCs</a>

3919

<ul>

3920

<li><a href="#Create-Host-Keys-for-the-Slave-KDCs">4.1.2.1 Create Host Keys for the Slave KDCs</a>

3921

<li><a href="#Extract-Host-Keytabs-for-the-KDCs">4.1.2.2 Extract Host Keytabs for the KDCs</a>

3922

<li><a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">4.1.2.3 Set Up the Slave KDCs for Database Propagation</a>

3923

</li></ul>

3924

<li><a href="#Back-on-the-Master-KDC">4.1.3 Back on the Master KDC</a>

3925

<ul>

3926

<li><a href="#Propagate-the-Database-to-Each-Slave-KDC">4.1.3.1 Propagate the Database to Each Slave KDC</a>

3927

</li></ul>

3928

<li><a href="#Finish-Installing-the-Slave-KDCs">4.1.4 Finish Installing the Slave KDCs</a>

3929

<ul>

3930

<li><a href="#Create-Stash-Files-on-the-Slave-KDCs">4.1.4.1 Create Stash Files on the Slave KDCs</a>

3931

<li><a href="#Start-the-krb5kdc-Daemon-on-Each-KDC">4.1.4.2 Start the krb5kdc Daemon on Each KDC</a>

3932

</li></ul>

3933

<li><a href="#Add-Kerberos-Principals-to-the-Database">4.1.5 Add Kerberos Principals to the Database</a>

3934

<li><a href="#Limit-Access-to-the-KDCs">4.1.6 Limit Access to the KDCs</a>

3935

<li><a href="#Switching-Master-and-Slave-KDCs">4.1.7 Switching Master and Slave KDCs</a>

3936

<li><a href="#Incremental-Database-Propagation">4.1.8 Incremental Database Propagation</a>

3937

<ul>

3938

<li><a href="#Sun_002fMIT-Incremental-Propagation-Differences">4.1.8.1 Sun/MIT Incremental Propagation Differences</a>

3939

</li></ul>

3940

</li></ul>

3941

<li><a href="#Installing-and-Configuring-UNIX-Client-Machines">4.2 Installing and Configuring UNIX Client Machines</a>

3942

<ul>

3943

<li><a href="#Client-Programs">4.2.1 Client Programs</a>

3944

<li><a href="#Client-Machine-Configuration-Files">4.2.2 Client Machine Configuration Files</a>

3945

<ul>

3946

<li><a href="#Mac-OS-X-Configuration">4.2.2.1 Mac OS X Configuration</a>

3947

</li></ul>

3948

</li></ul>

3949

<li><a href="#UNIX-Application-Servers">4.3 UNIX Application Servers</a>

3950

<ul>

3951

<li><a href="#Server-Programs">4.3.1 Server Programs</a>

3952

<li><a href="#Server-Configuration-Files">4.3.2 Server Configuration Files</a>

3953

<li><a href="#The-Keytab-File">4.3.3 The Keytab File</a>

3954

<li><a href="#Some-Advice-about-Secure-Hosts">4.3.4 Some Advice about Secure Hosts</a>

3955

</li></ul>

3956

</li></ul>

3957

<li><a name="toc_Upgrading-Existing-Kerberos-V5-Installations" href="#Upgrading-Existing-Kerberos-V5-Installations">5 Upgrading Existing Kerberos V5 Installations</a>

3958

<ul>

3959

<li><a href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">5.1 Upgrading to Triple-DES Encryption Keys</a>

3960

</li></ul>

3961

<li><a name="toc_Bug-Reports-for-Kerberos-V5" href="#Bug-Reports-for-Kerberos-V5">6 Bug Reports for Kerberos V5</a>

3962

</li></ul>

3963

</div>

3964

3965

3966

<hr>

3967

<a name="texinfo-footnotes-in-document"></a><h4>Footnotes</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Kerberos V4 used port 750. If

3968

necessary, you can run on both ports for backward compatibility.</p>

3969

3970

<p class="footnote"><small>[<a name="fn-2" href="#fnd-2">2</a>]</small> If you are fortunate enough to

3971

have a previous version of Kerberos V5 or V4 installed, and the Kerberos

3972

rlogin is first in your path, you can setup <span class="file">.k5login</span> or

3973

<span class="file">.klogin</span> respectively to allow you access.</p>

3974

3975

3976

3977

</body></html>

3978

Older »