3
3
<title>Kerberos V5 Installation Guide</title>
4
<meta http-equiv="Content-Type" content="text/html">
4
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
5
5
<meta name="description" content="Kerberos V5 Installation Guide">
6
<meta name="generator" content="makeinfo 4.5">
7
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home">
6
<meta name="generator" content="makeinfo 4.13">
7
<link title="Top" rel="top" href="#Top">
8
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
9
Copyright © 1985-2010 by the Massachusetts Institute of Technology.-->
10
Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.-->
11
<meta http-equiv="Content-Style-Type" content="text/css">
12
<style type="text/css"><!--
13
pre.display { font-family:inherit }
14
pre.format { font-family:inherit }
15
pre.smalldisplay { font-family:inherit; font-size:smaller }
16
pre.smallformat { font-family:inherit; font-size:smaller }
17
pre.smallexample { font-size:smaller }
18
pre.smalllisp { font-size:smaller }
19
span.sc { font-variant:small-caps }
20
span.roman { font-family:serif; font-weight:normal; }
21
span.sansserif { font-family:sans-serif; font-weight:normal; }
12
25
<h1 class="settitle">Kerberos V5 Installation Guide</h1>
15
Node:<a name="Top">Top</a>,
16
Next:<a rel="next" accesskey="n" href="#Introduction">Introduction</a>,
17
Previous:<a rel="previous" accesskey="p" href="#dir">(dir)</a>,
18
Up:<a rel="up" accesskey="u" href="#dir">(dir)</a>
23
<li><a accesskey="1" href="#Introduction">Introduction</a>:
24
<li><a accesskey="2" href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>:
25
<li><a accesskey="3" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>:
26
<li><a accesskey="4" href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>:
27
<li><a accesskey="5" href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>:
28
<li><a accesskey="6" href="#Bug%20Reports%20for%20Kerberos%20V5">Bug Reports for Kerberos V5</a>:
29
<li><a accesskey="7" href="#Copyright">Copyright</a>:
34
Node:<a name="Introduction">Introduction</a>,
35
Next:<a rel="next" accesskey="n" href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>,
36
Previous:<a rel="previous" accesskey="p" href="#Top">Top</a>,
37
Up:<a rel="up" accesskey="u" href="#Top">Top</a>
41
<h2 class="chapter">Introduction</h2>
44
<li><a accesskey="1" href="#What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a>:
45
<li><a accesskey="2" href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>:
46
<li><a accesskey="3" href="#Please%20Read%20the%20Documentation">Please Read the Documentation</a>:
47
<li><a accesskey="4" href="#Overview%20of%20This%20Guide">Overview of This Guide</a>:
52
Node:<a name="What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a>,
53
Next:<a rel="next" accesskey="n" href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>,
54
Previous:<a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
55
Up:<a rel="up" accesskey="u" href="#Introduction">Introduction</a>
59
<h3 class="section">What is Kerberos and How Does it Work?</h3>
61
Kerberos V5 is based on the Kerberos authentication system developed
29
Next: <a rel="next" accesskey="n" href="#Introduction">Introduction</a>,
30
Previous: <a rel="previous" accesskey="p" href="#dir">(dir)</a>,
31
Up: <a rel="up" accesskey="u" href="#dir">(dir)</a>
35
<!-- node-name, next, previous, up -->
36
<!-- The master menu is updated using emacs19's M-x texinfo-all-menus-update -->
37
<!-- function. Don't forget to run M-x texinfo-every-node-update after -->
38
<!-- you add a new section or subsection, or after you've rearranged the -->
39
<!-- order of sections or subsections. Also, don't forget to add an @node -->
40
<!-- comand before each @section or @subsection! All you need to enter -->
42
<!-- @node New Section Name -->
43
<!-- @section New Section Name -->
44
<!-- M-x texinfo-every-node-update will take care of calculating the -->
45
<!-- node's forward and back pointers. -->
48
<li><a accesskey="1" href="#Introduction">Introduction</a>
49
<li><a accesskey="2" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
50
<li><a accesskey="3" href="#Building-Kerberos-V5">Building Kerberos V5</a>
51
<li><a accesskey="4" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
52
<li><a accesskey="5" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>
53
<li><a accesskey="6" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>
54
<li><a accesskey="7" href="#Copyright">Copyright</a>
58
<a name="Introduction"></a>
60
Next: <a rel="next" accesskey="n" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
61
Previous: <a rel="previous" accesskey="p" href="#Top">Top</a>,
62
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
66
<h2 class="chapter">1 Introduction</h2>
69
<li><a accesskey="1" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>
70
<li><a accesskey="2" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>
71
<li><a accesskey="3" href="#Please-Read-the-Documentation">Please Read the Documentation</a>
72
<li><a accesskey="4" href="#Overview-of-This-Guide">Overview of This Guide</a>
76
<a name="What-is-Kerberos-and-How-Does-it-Work%3f"></a>
77
<a name="What-is-Kerberos-and-How-Does-it-Work_003f"></a>
79
Next: <a rel="next" accesskey="n" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
80
Previous: <a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
81
Up: <a rel="up" accesskey="u" href="#Introduction">Introduction</a>
85
<h3 class="section">1.1 What is Kerberos and How Does it Work?</h3>
87
<p>Kerberos V5 is based on the Kerberos authentication system developed
62
88
at MIT. Under Kerberos, a client (generally either a user or a service)
63
89
sends a request for a ticket to the Key Distribution Center (KDC). The
64
90
KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client,
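Review bot: the fragment identifiers for multi-word nodes change in this hunk (old `#Realm%20Configuration%20Decisions`, new `#Realm-Configuration-Decisions`), and the new output carries no anchor under the old names, so existing deep links into the guide stop resolving. The only extra anchor emitted is `What-is-Kerberos-and-How-Does-it-Work%3f` next to the `_003f` form, and that still does not match the old `What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f`. If other documents or sites link to sections of this guide, check them against the new names or keep the old anchors alongside the new ones.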
281
307
may wish to set it up anyway, for use when interacting with other sites.
283
309
<div class="node">
310
<a name="Ports-for-the-KDC-and-Admin-Services"></a>
285
Node:<a name="Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>,
286
Next:<a rel="next" accesskey="n" href="#Slave%20KDCs">Slave KDCs</a>,
287
Previous:<a rel="previous" accesskey="p" href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a>,
288
Up:<a rel="up" accesskey="u" href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>
312
Next: <a rel="next" accesskey="n" href="#Slave-KDCs">Slave KDCs</a>,
313
Previous: <a rel="previous" accesskey="p" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
314
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
292
<h3 class="section">Ports for the KDC and Admin Services</h3>
318
<h3 class="section">2.3 Ports for the KDC and Admin Services</h3>
294
320
<p>The default ports used by Kerberos are port 88 for the
295
KDC<a rel="footnote" href="#fn-1"><sup>1</sup></a> and
321
KDC<a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a> and
296
322
port 749 for the admin server. You can, however,
297
323
choose to run on other ports, as long as they are specified in each
298
324
host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the
299
325
<code>kdc.conf</code> file on each KDC. For a more thorough treatment of
300
326
port numbers used by the Kerberos V5 programs, refer to the
301
"Configuring Your Firewall to Work With Kerberos V5" section of
327
“Configuring Your Firewall to Work With Kerberos V5” section of
302
328
the <cite>Kerberos V5 System Administrator's Guide</cite>.
304
330
<div class="node">
331
<a name="Slave-KDCs"></a>
306
Node:<a name="Slave%20KDCs">Slave KDCs</a>,
307
Next:<a rel="next" accesskey="n" href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a>,
308
Previous:<a rel="previous" accesskey="p" href="#Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>,
309
Up:<a rel="up" accesskey="u" href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>
333
Next: <a rel="next" accesskey="n" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
334
Previous: <a rel="previous" accesskey="p" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
335
Up: <a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
313
<h3 class="section">Slave KDCs</h3>
339
<h3 class="section">2.4 Slave KDCs</h3>
315
341
<p>Slave KDCs provide an additional source of Kerberos ticket-granting
316
342
services in the event of inaccessibility of the master KDC. The number
371
397
well.) Several different Kerberos-related service names are used:
374
<dt><code>_kerberos._udp</code>
375
<dd>This is for contacting any KDC by UDP. This entry will be used the most
376
often. Normally you should list port 88 on each of your KDCs.
400
<dt><code>_kerberos._udp</code><dd>This is for contacting any KDC by UDP. This entry will be used the most
401
often. Normally you should list port 88 on each of your KDCs.
402
<!-- Don't encourage continued use of port 750 for krb5. -->
403
<!-- It should be only for backwards compatibility with krb4. -->
404
<!-- Do the Mac/Windows krb4 libraries use this DNS entry? -->
405
<!-- The UNIX code does not. -->
378
<br><dt><code>_kerberos._tcp</code>
379
<dd>This is for contacting any KDC by TCP. The MIT KDC by default will not
407
<br><dt><code>_kerberos._tcp</code><dd>This is for contacting any KDC by TCP. The MIT KDC by default will not
380
408
listen on any TCP ports, so unless you've changed the configuration or
381
409
you're running another KDC implementation, you should leave this
382
410
unspecified. If you do enable TCP support, normally you should use
385
<br><dt><code>_kerberos-master._udp</code>
386
<dd>This entry should refer to those KDCs, if any, that will immediately see
413
<br><dt><code>_kerberos-master._udp</code><dd>This entry should refer to those KDCs, if any, that will immediately see
387
414
password changes to the Kerberos database. This entry is used only in
388
415
one case, when the user is logging in and the password appears to be
389
416
incorrect; the master KDC is then contacted, and the same password used
390
417
to try to decrypt the response, in case the user's password had recently
391
418
been changed and the first KDC contacted hadn't been updated. Only if
392
that fails is an "incorrect password" error given.
419
that fails is an “incorrect password” error given.
394
421
<p>If you have only one KDC, or for whatever reason there is no accessible
395
422
KDC that would get database changes faster than the others, you do not
396
423
need to define this entry.
398
<br><dt><code>_kerberos-adm._tcp</code>
399
<dd>This should list port 749 on your master KDC.
425
<br><dt><code>_kerberos-adm._tcp</code><dd>This should list port 749 on your master KDC.
400
426
Support for it is not complete at this time, but it will eventually be
401
427
used by the <code>kadmin</code> program and related utilities. For now, you
402
428
will also need the <code>admin_server</code> entry in <code>krb5.conf</code>.
403
(See <a href="#krb5.conf">krb5.conf</a>.)
429
(See <a href="#krb5_002econf">krb5.conf</a>.)
405
<br><dt><code>_kpasswd._udp</code>
406
<dd>This should list port 464 on your master KDC.
431
<br><dt><code>_kpasswd._udp</code><dd>This should list port 464 on your master KDC.
407
432
It is used when a user changes her password.
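Review bot: the new `_kerberos._udp` entry now carries four source comments into the published HTML, including the unanswered question "Do the Mac/Windows krb4 libraries use this DNS entry?". Resolve that question before release and keep maintainer notes out of the generated page. If the port 750 caveat ("only for backwards compatibility with krb4") matters to administrators writing these records, it belongs in the visible text after "Normally you should list port 88 on each of your KDCs", not in a comment.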
463
487
to additional slaves.
465
489
<div class="node">
490
<a name="Building-Kerberos-V5"></a>
467
Node:<a name="Building%20Kerberos%20V5">Building Kerberos V5</a>,
468
Next:<a rel="next" accesskey="n" href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>,
469
Previous:<a rel="previous" accesskey="p" href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>,
470
Up:<a rel="up" accesskey="u" href="#Top">Top</a>
492
Next: <a rel="next" accesskey="n" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
493
Previous: <a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
494
Up: <a rel="up" accesskey="u" href="#Top">Top</a>
474
<h2 class="chapter">Building Kerberos V5</h2>
498
<h2 class="chapter">3 Building Kerberos V5</h2>
476
Kerberos V5 uses a configuration system built using the Free
477
Software Foundation's <code>autoconf</code> program. This system makes
500
<p>Kerberos V5 uses a configuration system built using the Free
501
Software Foundation's ‘<samp><span class="samp">autoconf</span></samp>’ program. This system makes
478
502
Kerberos V5 much simpler to build and reduces the amount of effort
479
503
required in porting Kerberos V5 to a new platform.
481
505
<ul class="menu">
482
<li><a accesskey="1" href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>: Description of the source tree.
483
<li><a accesskey="2" href="#Build%20Requirements">Build Requirements</a>: How much disk space, etc. you need to
506
<li><a accesskey="1" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>: Description of the source tree.
507
<li><a accesskey="2" href="#Build-Requirements">Build Requirements</a>: How much disk space, etc. you need to
485
<li><a accesskey="3" href="#Unpacking%20the%20Sources">Unpacking the Sources</a>: Preparing the source tree.
486
<li><a accesskey="4" href="#Doing%20the%20Build">Doing the Build</a>: Compiling Kerberos.
487
<li><a accesskey="5" href="#Installing%20the%20Binaries">Installing the Binaries</a>: Installing the compiled binaries.
488
<li><a accesskey="6" href="#Testing%20the%20Build">Testing the Build</a>: Making sure Kerberos built correctly.
489
<li><a accesskey="7" href="#Options%20to%20Configure">Options to Configure</a>: Command-line options to Configure
490
<li><a accesskey="8" href="#osconf.h">osconf.h</a>: Header file-specific configurations
491
<li><a accesskey="9" href="#Shared%20Library%20Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5
492
<li><a href="#OS%20Incompatibilities">OS Incompatibilities</a>: Special cases to watch for.
493
<li><a href="#Using%20Autoconf">Using Autoconf</a>: Modifying Kerberos V5's
509
<li><a accesskey="3" href="#Unpacking-the-Sources">Unpacking the Sources</a>: Preparing the source tree.
510
<li><a accesskey="4" href="#Doing-the-Build">Doing the Build</a>: Compiling Kerberos.
511
<li><a accesskey="5" href="#Installing-the-Binaries">Installing the Binaries</a>: Installing the compiled binaries.
512
<li><a accesskey="6" href="#Testing-the-Build">Testing the Build</a>: Making sure Kerberos built correctly.
513
<li><a accesskey="7" href="#Options-to-Configure">Options to Configure</a>: Command-line options to Configure
514
<li><a accesskey="8" href="#osconf_002eh">osconf.h</a>: Header file-specific configurations
515
<li><a accesskey="9" href="#Shared-Library-Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5
516
<li><a href="#OS-Incompatibilities">OS Incompatibilities</a>: Special cases to watch for.
517
<li><a href="#Using-Autoconf">Using Autoconf</a>: Modifying Kerberos V5's
494
518
configuration scripts.
497
521
<div class="node">
522
<a name="Organization-of-the-Source-Directory"></a>
499
Node:<a name="Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>,
500
Next:<a rel="next" accesskey="n" href="#Build%20Requirements">Build Requirements</a>,
501
Previous:<a rel="previous" accesskey="p" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>,
502
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
524
Next: <a rel="next" accesskey="n" href="#Build-Requirements">Build Requirements</a>,
525
Previous: <a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
526
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
506
<h3 class="section">Organization of the Source Directory</h3>
530
<h3 class="section">3.1 Organization of the Source Directory</h3>
508
532
<p>Below is a brief overview of the organization of the complete source
509
533
directory. More detailed descriptions follow.
513
<dd>applications with Kerberos V5 extensions
515
<dd>Kerberos V5 user programs
516
<dt><b>gen-manpages</b>
517
<dd>manpages for Kerberos V5 and the Kerberos V5 login program
521
<dd>administrative interface to the Kerberos master database
523
<dd>the Kerberos V5 Authentication Service and Key Distribution Center
525
<dd>utilities for converting between Kerberos 4 and Kerberos 5
527
<dd>libraries for use with/by Kerberos V5
529
<dd>source code for building Kerberos V5 on MacOS
531
<dd>templates for source code files
533
<dd>utilities for propagating the database to slave KDCs
537
<dd>various utilities for building/configuring the code, sending bug reports, etc.
539
<dd>source code for building Kerberos V5 on Windows (see windows/README)
536
<dt><b>appl</b><dd>applications with Kerberos V5 extensions
537
<dt><b>clients</b><dd>Kerberos V5 user programs
538
<dt><b>gen-manpages</b><dd>manpages for Kerberos V5 and the Kerberos V5 login program
539
<dt><b>include</b><dd>include files
540
<dt><b>kadmin</b><dd>administrative interface to the Kerberos master database
541
<dt><b>kdc</b><dd>the Kerberos V5 Authentication Service and Key Distribution Center
542
<dt><b>krb524</b><dd>utilities for converting between Kerberos 4 and Kerberos 5
543
<dt><b>lib</b><dd>libraries for use with/by Kerberos V5
544
<dt><b>mac</b><dd>source code for building Kerberos V5 on MacOS
545
<dt><b>prototype</b><dd>templates for source code files
546
<dt><b>slave</b><dd>utilities for propagating the database to slave KDCs
547
<dt><b>tests</b><dd>test suite
548
<dt><b>util</b><dd>various utilities for building/configuring the code, sending bug reports, etc.
549
<dt><b>windows</b><dd>source code for building Kerberos V5 on Windows (see windows/README)
542
552
<ul class="menu">
543
<li><a accesskey="1" href="#The%20appl%20Directory">The appl Directory</a>:
544
<li><a accesskey="2" href="#The%20clients%20Directory">The clients Directory</a>:
545
<li><a accesskey="3" href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a>:
546
<li><a accesskey="4" href="#The%20include%20Directory">The include Directory</a>:
547
<li><a accesskey="5" href="#The%20kadmin%20Directory">The kadmin Directory</a>:
548
<li><a accesskey="6" href="#The%20kdc%20Directory">The kdc Directory</a>:
549
<li><a accesskey="7" href="#The%20krb524%20Directory">The krb524 Directory</a>:
550
<li><a accesskey="8" href="#The%20lib%20Directory">The lib Directory</a>:
551
<li><a accesskey="9" href="#The%20prototype%20Directory">The prototype Directory</a>:
552
<li><a href="#The%20slave%20Directory">The slave Directory</a>:
553
<li><a href="#The%20util%20Directory">The util Directory</a>:
553
<li><a accesskey="1" href="#The-appl-Directory">The appl Directory</a>
554
<li><a accesskey="2" href="#The-clients-Directory">The clients Directory</a>
555
<li><a accesskey="3" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>
556
<li><a accesskey="4" href="#The-include-Directory">The include Directory</a>
557
<li><a accesskey="5" href="#The-kadmin-Directory">The kadmin Directory</a>
558
<li><a accesskey="6" href="#The-kdc-Directory">The kdc Directory</a>
559
<li><a accesskey="7" href="#The-krb524-Directory">The krb524 Directory</a>
560
<li><a accesskey="8" href="#The-lib-Directory">The lib Directory</a>
561
<li><a accesskey="9" href="#The-prototype-Directory">The prototype Directory</a>
562
<li><a href="#The-slave-Directory">The slave Directory</a>
563
<li><a href="#The-util-Directory">The util Directory</a>
556
566
<div class="node">
567
<a name="The-appl-Directory"></a>
558
Node:<a name="The%20appl%20Directory">The appl Directory</a>,
559
Next:<a rel="next" accesskey="n" href="#The%20clients%20Directory">The clients Directory</a>,
560
Previous:<a rel="previous" accesskey="p" href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>,
561
Up:<a rel="up" accesskey="u" href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>
569
Next: <a rel="next" accesskey="n" href="#The-clients-Directory">The clients Directory</a>,
570
Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
571
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
565
<h4 class="subsection">The appl Directory</h4>
575
<h4 class="subsection">3.1.1 The appl Directory</h4>
567
577
<p>The <i>appl</i> directory contains sample Kerberos application client and
568
578
server programs. In previous releases, it contained Kerberized versions
572
582
<div class="node">
583
<a name="The-clients-Directory"></a>
574
Node:<a name="The%20clients%20Directory">The clients Directory</a>,
575
Next:<a rel="next" accesskey="n" href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a>,
576
Previous:<a rel="previous" accesskey="p" href="#The%20appl%20Directory">The appl Directory</a>,
577
Up:<a rel="up" accesskey="u" href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>
585
Next: <a rel="next" accesskey="n" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
586
Previous: <a rel="previous" accesskey="p" href="#The-appl-Directory">The appl Directory</a>,
587
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
581
<h4 class="subsection">The clients Directory</h4>
591
<h4 class="subsection">3.1.2 The clients Directory</h4>
583
593
<p>This directory contains the code for several user-oriented programs.
587
<dd>This program destroys the user's active Kerberos authorization tickets.
596
<dt><b>kdestroy</b><dd>This program destroys the user's active Kerberos authorization tickets.
588
597
MIT recommends that users <code>kdestroy</code> before logging out.
591
<dd>This program prompts users for their Kerberos principal name and password,
599
<dt><b>kinit</b><dd>This program prompts users for their Kerberos principal name and password,
592
600
and attempts to get an initial ticket-granting-ticket for that principal.
595
<dd>This program lists the Kerberos principal and Kerberos tickets held in
602
<dt><b>klist</b><dd>This program lists the Kerberos principal and Kerberos tickets held in
596
603
a credentials cache, or the keys held in a keytab file.
599
<dd>This program changes a user's Kerberos password.
605
<dt><b>kpasswd</b><dd>This program changes a user's Kerberos password.
602
<dd>This program is a Kerberized version of the <code>su</code> program that is
607
<dt><b>ksu</b><dd>This program is a Kerberized version of the <code>su</code> program that is
603
608
meant to securely change the real and effective user ID to that of the
604
609
target user and to create a new security context.
607
<dd>This program acquires a service ticket for the specified Kerberos
611
<dt><b>kvno</b><dd>This program acquires a service ticket for the specified Kerberos
608
612
principals and prints out the key version numbers of each.
611
615
<div class="node">
616
<a name="The-gen-manpages-Directory"></a>
617
<a name="The-gen_002dmanpages-Directory"></a>
613
Node:<a name="The%20gen-manpages%20Directory">The gen-manpages Directory</a>,
614
Next:<a rel="next" accesskey="n" href="#The%20include%20Directory">The include Directory</a>,
615
Previous:<a rel="previous" accesskey="p" href="#The%20clients%20Directory">The clients Directory</a>,
616
Up:<a rel="up" accesskey="u" href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>
619
Next: <a rel="next" accesskey="n" href="#The-include-Directory">The include Directory</a>,
620
Previous: <a rel="previous" accesskey="p" href="#The-clients-Directory">The clients Directory</a>,
621
Up: <a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>
620
<h4 class="subsection">The gen-manpages Directory</h4>
625
<h4 class="subsection">3.1.3 The gen-manpages Directory</h4>
622
627
<p>There are two manual pages in this directory. One is an introduction
623
628
to the Kerberos system. The other describes the <code>.k5login</code> file
781
786
support library <code>support</code> used by several of our other libraries.
783
788
<div class="node">
789
<a name="Build-Requirements"></a>
785
Node:<a name="Build%20Requirements">Build Requirements</a>,
786
Next:<a rel="next" accesskey="n" href="#Unpacking%20the%20Sources">Unpacking the Sources</a>,
787
Previous:<a rel="previous" accesskey="p" href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>,
788
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
791
Next: <a rel="next" accesskey="n" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
792
Previous: <a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
793
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
792
<h3 class="section">Build Requirements</h3>
797
<h3 class="section">3.2 Build Requirements</h3>
794
799
<p>In order to build Kerberos V5, you will need approximately 60-70
795
800
megabytes of disk space. The exact amount will vary depending on the
796
801
platform and whether the distribution is compiled with debugging symbol
799
<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89").
804
<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”).
800
805
Some operating systems do not have an ANSI C compiler, or their
801
806
default compiler requires extra command-line options to enable ANSI C
804
809
<p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled
805
<code>*.o</code> file and executables, separate from your source tree, you
806
will need a <code>make</code> program which supports <code>VPATH</code>, or
807
you will need to use a tool such as <code>lndir</code> to produce a symbolic
810
<samp><span class="file">*.o</span></samp> file and executables, separate from your source tree, you
811
will need a ‘<samp><span class="samp">make</span></samp>’ program which supports ‘<samp><span class="samp">VPATH</span></samp>’, or
812
you will need to use a tool such as ‘<samp><span class="samp">lndir</span></samp>’ to produce a symbolic
808
813
link tree for your build tree.
815
<!-- Library support... -->
810
816
<div class="node">
817
<a name="Unpacking-the-Sources"></a>
812
Node:<a name="Unpacking%20the%20Sources">Unpacking the Sources</a>,
813
Next:<a rel="next" accesskey="n" href="#Doing%20the%20Build">Doing the Build</a>,
814
Previous:<a rel="previous" accesskey="p" href="#Build%20Requirements">Build Requirements</a>,
815
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
819
Next: <a rel="next" accesskey="n" href="#Doing-the-Build">Doing the Build</a>,
820
Previous: <a rel="previous" accesskey="p" href="#Build-Requirements">Build Requirements</a>,
821
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
819
<h3 class="section">Unpacking the Sources</h3>
825
<h3 class="section">3.3 Unpacking the Sources</h3>
821
827
<p>The first step in each of these build procedures is to unpack the
822
828
source distribution. The Kerberos V5 distribution comes in a tar file,
823
generally named <code>krb5-1.9.tar</code>, which contains a
829
generally named <samp><span class="file">krb5-1.10.tar</span></samp>, which contains a
824
830
compressed tar file consisting of the sources for all of Kerberos
825
(generally <code>krb5-1.9.tar.gz</code>) and a PGP signature for
826
this source tree (generally <code>krb5-1.9.tar.gz.asc</code>).
831
(generally <samp><span class="file">krb5-1.10.tar.gz</span></samp>) and a PGP signature for
832
this source tree (generally <samp><span class="file">krb5-1.10.tar.gz.asc</span></samp>).
827
833
MIT highly recommends that you verify the integrity of the
828
834
source code using this signature.
830
836
<p>Unpack the compressed tar file in some directory, such as
831
<code>/u1/krb5-1.9</code>. (In the rest of this document, we
837
<samp><span class="file">/u1/krb5-1.10</span></samp>. (In the rest of this document, we
832
838
will assume that you have chosen to unpack the Kerberos V5 source
833
839
distribution in this directory. Note that the tarfiles will by default
834
all unpack into the <code>./krb5-1.9</code> directory, so that if
835
your current directory is <code>/u1</code> when you unpack the tarfiles, you
836
will get <code>/u1/krb5-1.9/src</code>, etc.)
840
all unpack into the <samp><span class="file">./krb5-1.10</span></samp> directory, so that if
841
your current directory is <samp><span class="file">/u1</span></samp> when you unpack the tarfiles, you
842
will get <samp><span class="file">/u1/krb5-1.10/src</span></samp>, etc.)
838
844
<div class="node">
845
<a name="Doing-the-Build"></a>
840
Node:<a name="Doing%20the%20Build">Doing the Build</a>,
841
Next:<a rel="next" accesskey="n" href="#Installing%20the%20Binaries">Installing the Binaries</a>,
842
Previous:<a rel="previous" accesskey="p" href="#Unpacking%20the%20Sources">Unpacking the Sources</a>,
843
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
847
Next: <a rel="next" accesskey="n" href="#Installing-the-Binaries">Installing the Binaries</a>,
848
Previous: <a rel="previous" accesskey="p" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
849
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
847
<h3 class="section">Doing the Build</h3>
853
<h3 class="section">3.4 Doing the Build</h3>
849
855
<p>You have a number of different options in how to build Kerberos. If you
850
856
only need to build Kerberos for one platform, using a single directory
851
857
tree which contains both the source files and the object files is the
852
858
simplest. However, if you need to maintain Kerberos for a large number
853
859
of platforms, you will probably want to use separate build trees for
854
each platform. We recommend that you look at <a href="#OS%20Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating
860
each platform. We recommend that you look at <a href="#OS-Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating
857
863
<ul class="menu">
858
<li><a accesskey="1" href="#Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>:
859
<li><a accesskey="2" href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>:
860
<li><a accesskey="3" href="#Building%20using%20lndir">Building using lndir</a>:
864
<li><a accesskey="1" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>
865
<li><a accesskey="2" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>
866
<li><a accesskey="3" href="#Building-using-lndir">Building using lndir</a>
863
869
<div class="node">
870
<a name="Building-Within-a-Single-Tree"></a>
865
Node:<a name="Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>,
866
Next:<a rel="next" accesskey="n" href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>,
867
Previous:<a rel="previous" accesskey="p" href="#Doing%20the%20Build">Doing the Build</a>,
868
Up:<a rel="up" accesskey="u" href="#Doing%20the%20Build">Doing the Build</a>
872
Next: <a rel="next" accesskey="n" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
873
Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
874
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
872
<h4 class="subsection">Building Within a Single Tree</h4>
878
<h4 class="subsection">3.4.1 Building Within a Single Tree</h4>
874
880
<p>If you don't want separate build trees for each architecture, then
875
881
use the following abbreviated procedure.
877
883
<ol type=1 start=1>
878
<li> <code>cd /u1/krb5-1.9/src</code>
884
<li> <code>cd /u1/krb5-1.10/src</code>
879
885
<li> <code>./configure</code>
880
886
<li> <code>make</code>
885
891
<div class="node">
892
<a name="Building-with-Separate-Build-Directories"></a>
887
Node:<a name="Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>,
888
Next:<a rel="next" accesskey="n" href="#Building%20using%20lndir">Building using lndir</a>,
889
Previous:<a rel="previous" accesskey="p" href="#Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>,
890
Up:<a rel="up" accesskey="u" href="#Doing%20the%20Build">Doing the Build</a>
894
Next: <a rel="next" accesskey="n" href="#Building-using-lndir">Building using lndir</a>,
895
Previous: <a rel="previous" accesskey="p" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>,
896
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
894
<h4 class="subsection">Building with Separate Build Directories</h4>
900
<h4 class="subsection">3.4.2 Building with Separate Build Directories</h4>
896
902
<p>If you wish to keep separate build directories for each platform, you
897
903
can do so using the following procedure. (Note, this requires that your
898
<code>make</code> program support <code>VPATH</code>. GNU's make will provide this
899
functionality, for example.) If your <code>make</code> program does not
904
‘<samp><span class="samp">make</span></samp>’ program support ‘<samp><span class="samp">VPATH</span></samp>’. GNU's make will provide this
905
functionality, for example.) If your ‘<samp><span class="samp">make</span></samp>’ program does not
900
906
support this, see the next section.
902
908
<p>For example, if you wish to create a build directory for <code>pmax</code> binaries
903
909
you might use the following procedure:
905
911
<ol type=1 start=1>
906
<li><code>mkdir /u1/krb5-1.9/pmax</code>
907
<li> <code>cd /u1/krb5-1.9/pmax</code>
912
<li><code>mkdir /u1/krb5-1.10/pmax</code>
913
<li> <code>cd /u1/krb5-1.10/pmax</code>
908
914
<li> <code>../src/configure</code>
909
915
<li> <code>make</code>
912
918
<div class="node">
919
<a name="Building-using-lndir"></a>
914
Node:<a name="Building%20using%20lndir">Building using lndir</a>,
915
Previous:<a rel="previous" accesskey="p" href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>,
916
Up:<a rel="up" accesskey="u" href="#Doing%20the%20Build">Doing the Build</a>
921
Previous: <a rel="previous" accesskey="p" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
922
Up: <a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>
920
<h4 class="subsection">Building Using <code>lndir</code></h4>
926
<h4 class="subsection">3.4.3 Building Using ‘<samp><span class="samp">lndir</span></samp>’</h4>
922
928
<p>If you wish to keep separate build directories for each platform, and
923
you do not have access to a <code>make</code> program which supports <code>VPATH</code>,
924
all is not lost. You can use the <code>lndir</code> program to create
929
you do not have access to a ‘<samp><span class="samp">make</span></samp>’ program which supports ‘<samp><span class="samp">VPATH</span></samp>’,
930
all is not lost. You can use the ‘<samp><span class="samp">lndir</span></samp>’ program to create
925
931
symbolic link trees in your build directory.
927
933
<p>For example, if you wish to create a build directory for solaris binaries
928
934
you might use the following procedure:
930
936
<ol type=1 start=1>
931
<li> <code>mkdir /u1/krb5-1.9/solaris</code>
932
<li> <code>cd /u1/krb5-1.9/solaris</code>
933
<li> <code>/u1/krb5-1.9/src/util/lndir `pwd`/../src</code>
937
<li> <code>mkdir /u1/krb5-1.10/solaris</code>
938
<li> <code>cd /u1/krb5-1.10/solaris</code>
939
<li> <code>/u1/krb5-1.10/src/util/lndir `pwd`/../src</code>
934
940
<li> <code>./configure</code>
935
941
<li> <code>make</code>
938
<p>You must give an absolute pathname to <code>lndir</code> because it has a bug that
944
<p>You must give an absolute pathname to ‘<samp><span class="samp">lndir</span></samp>’ because it has a bug that
939
945
makes it fail for relative pathnames. Note that this version differs
940
946
from the latest version as distributed and installed by the XConsortium
941
947
with X11R6. Either version should be acceptable.
943
949
<div class="node">
950
<a name="Installing-the-Binaries"></a>
945
Node:<a name="Installing%20the%20Binaries">Installing the Binaries</a>,
946
Next:<a rel="next" accesskey="n" href="#Testing%20the%20Build">Testing the Build</a>,
947
Previous:<a rel="previous" accesskey="p" href="#Doing%20the%20Build">Doing the Build</a>,
948
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
952
Next: <a rel="next" accesskey="n" href="#Testing-the-Build">Testing the Build</a>,
953
Previous: <a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
954
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
952
<h3 class="section">Installing the Binaries</h3>
958
<h3 class="section">3.5 Installing the Binaries</h3>
954
960
<p>Once you have built Kerberos, you should install the binaries. You
955
961
can do this by running:
957
963
<pre class="example"> % make install
960
965
<p>If you want to install the binaries into a destination directory that
961
966
is not their final destination, which may be convenient if you want to
962
967
build a binary distribution to be deployed on multiple hosts, you may
965
970
<pre class="example"> % make install DESTDIR=/path/to/destdir
968
972
<p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the
969
973
user programs will install into <code>DESTDIR/PREFIX/bin</code>, the
970
974
libraries into <code>DESTDIR/PREFIX/lib</code>, etc.
972
<p>Note that if you want to test the build (see <a href="#Testing%20the%20Build">Testing the Build</a>),
976
<p>Note that if you want to test the build (see <a href="#Testing-the-Build">Testing the Build</a>),
973
977
you usually do not need to do a <code>make install</code> first.
975
<p>Some implementations of <code>make</code> allow multiple commands to be run in
979
<p>Some implementations of ‘<samp><span class="samp">make</span></samp>’ allow multiple commands to be run in
976
980
parallel, for faster builds. We test our Makefiles in parallel builds with
977
GNU <code>make</code> only; they may not be compatible with other parallel build
981
GNU ‘<samp><span class="samp">make</span></samp>’ only; they may not be compatible with other parallel build
980
984
<div class="node">
985
<a name="Testing-the-Build"></a>
982
Node:<a name="Testing%20the%20Build">Testing the Build</a>,
983
Next:<a rel="next" accesskey="n" href="#Options%20to%20Configure">Options to Configure</a>,
984
Previous:<a rel="previous" accesskey="p" href="#Installing%20the%20Binaries">Installing the Binaries</a>,
985
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
987
Next: <a rel="next" accesskey="n" href="#Options-to-Configure">Options to Configure</a>,
988
Previous: <a rel="previous" accesskey="p" href="#Installing-the-Binaries">Installing the Binaries</a>,
989
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
989
<h3 class="section">Testing the Build</h3>
993
<h3 class="section">3.6 Testing the Build</h3>
991
995
<p>The Kerberos V5 distribution comes with built-in regression tests. To
992
996
run them, simply type the following command while in the top-level build
993
directory (i.e., the directory where you sent typed <code>make</code> to start
994
building Kerberos; see <a href="#Doing%20the%20Build">Doing the Build</a>.):
997
directory (i.e., the directory where you sent typed ‘<samp><span class="samp">make</span></samp>’ to start
998
building Kerberos; see <a href="#Doing-the-Build">Doing the Build</a>.):
996
1000
<pre class="example"> % make check
999
1002
<p>However, there are several prerequisites that must be satisfied first:
1002
1005
<li>Configure and build Kerberos with Tcl support. Tcl is used to drive the
1003
1006
test suite. This often means passing <code>--with-tcl</code> to configure to
1004
1007
tell it the location of the Tcl configuration script. (See
1005
See <a href="#Options%20to%20Configure">Options to Configure</a>.)
1008
See <a href="#Options-to-Configure">Options to Configure</a>.)
1007
<li>On some operating systems, you have to run <code>make install</code> before
1008
running <code>make check</code>, or the test suite will pick up installed
1010
<li>On some operating systems, you have to run ‘<samp><span class="samp">make install</span></samp>’ before
1011
running ‘<samp><span class="samp">make check</span></samp>’, or the test suite will pick up installed
1009
1012
versions of Kerberos libraries rather than the newly built ones. You
1010
1013
can install into a prefix that isn't in the system library search path,
1011
1014
though. Alternatively, you can configure with <code>--disable-rpath</code>,
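Review bot: In the Testing the Build paragraph, new line 997 still reads "the directory where you sent typed ‘make’", and the Tcl prerequisite at new lines 1007-1008 still renders as "(See See Options to Configure.)". Both lines are regenerated by this change for the markup and anchor updates, so the wording should be corrected in the source at the same time: "where you typed", and drop the "(See" at the end of line 1007 since the link line already begins with "See". The path change from /u1/krb5-1.9 to /u1/krb5-1.10 is applied consistently across the three build procedures.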
1073
1076
src/lib/rpc, src/lib/kadm5.
1075
1078
<div class="node">
1079
<a name="Options-to-Configure"></a>
1077
Node:<a name="Options%20to%20Configure">Options to Configure</a>,
1078
Next:<a rel="next" accesskey="n" href="#osconf.h">osconf.h</a>,
1079
Previous:<a rel="previous" accesskey="p" href="#Testing%20the%20Build">Testing the Build</a>,
1080
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
1081
Next: <a rel="next" accesskey="n" href="#osconf_002eh">osconf.h</a>,
1082
Previous: <a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
1083
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
1084
<h3 class="section">Options to Configure</h3>
1087
<h3 class="section">3.7 Options to Configure</h3>
1086
<p>There are a number of options to <code>configure</code> which you can use to
1089
<p>There are a number of options to ‘<samp><span class="samp">configure</span></samp>’ which you can use to
1087
1090
control how the Kerberos distribution is built. The following table
1088
lists the most commonly used options to Kerberos V5's <code>configure</code>
1091
lists the most commonly used options to Kerberos V5's ‘<samp><span class="samp">configure</span></samp>’
1093
<br><dt><code>--help</code>
1095
<dt><code>--help</code><dd>
1095
1096
Provides help to configure. This will list the set of commonly used
1096
1097
options for building Kerberos.
1098
<br><dt><code>--prefix=PREFIX</code>
1099
<br><dt><code>--prefix=PREFIX</code><dd>
1100
1100
By default, Kerberos will install the package's files rooted at
1101
1101
`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
1102
1102
desire a different location, use this option.
1104
<br><dt><code>--exec-prefix=EXECPREFIX</code>
1104
<br><dt><code>--exec-prefix=EXECPREFIX</code><dd>
1106
1105
This option allows one to separate the architecture independent programs
1107
1106
from the configuration files and manual pages.
1109
<br><dt><code>--localstatedir=LOCALSTATEDIR</code>
1108
<br><dt><code>--localstatedir=LOCALSTATEDIR</code><dd>
1111
1109
This option sets the directory for locally modifiable single-machine
1112
1110
data. In Kerberos, this mostly is useful for setting a location for the
1113
1111
KDC data files, as they will be installed in
1114
1112
<code>LOCALSTATEDIR/krb5kdc</code>, which is by default
1115
1113
<code>PREFIX/var/krb5kdc</code>.
1117
<br><dt><code>CC=COMPILER</code>
1115
<br><dt><code>CC=COMPILER</code><dd>
1119
1116
Use <code>COMPILER</code> as the C compiler.
1121
<br><dt><code>CFLAGS=FLAGS</code>
1118
<br><dt><code>CFLAGS=FLAGS</code><dd>
1123
1119
Use <code>FLAGS</code> as the default set of C compiler flags.
1125
1121
<p>Note that if you use the native Ultrix compiler on a
1126
1122
DECstation you are likely to lose if you pass no flags to cc; md4.c
1127
1123
takes an estimated 3,469 billion years to compile if you provide neither
1128
the <code>-g</code> flag nor the <code>-O</code> flag to <code>cc</code>.
1124
the ‘<samp><span class="samp">-g</span></samp>’ flag nor the ‘<samp><span class="samp">-O</span></samp>’ flag to ‘<samp><span class="samp">cc</span></samp>’.
1130
<br><dt><code>CPPFLAGS=CPPOPTS</code>
1126
<br><dt><code>CPPFLAGS=CPPOPTS</code><dd>
1132
1127
Use <code>CPPOPTS</code> as the default set of C preprocessor flags. The most
1133
1128
common use of this option is to select certain <code>#define</code>'s for use
1134
1129
with the operating system's include files.
1136
<br><dt><code>LD=LINKER</code>
1131
<br><dt><code>LD=LINKER</code><dd>
1138
1132
Use <code>LINKER</code> as the default loader if it should be different from C
1139
1133
compiler as specified above.
1141
<br><dt><code>LDFLAGS=LDOPTS</code>
1135
<br><dt><code>LDFLAGS=LDOPTS</code><dd>
1143
1136
This option allows one to specify optional arguments to be passed to the
1144
1137
linker. This might be used to specify optional library paths.
1146
<br><dt><code>--with-krb4</code>
1139
<br><dt><code>--with-krb4</code><dd>
1148
1140
This option enables Kerberos V4 backwards compatibility using the
1149
1141
builtin Kerberos V4 library.
1151
<br><dt><code>--with-krb4=KRB4DIR</code>
1143
<br><dt><code>--with-krb4=KRB4DIR</code><dd>
1153
1144
This option enables Kerberos V4 backwards compatibility using a
1154
1145
pre-existing Kerberos V4 installation. The directory specified by
1155
1146
<code>KRB4DIR</code> specifies where the V4 header files should be found
1156
(<code>KRB4DIR/include</code>) as well as where the V4 Kerberos library should
1157
be found (<code>KRB4DIR/lib</code>).
1147
(<samp><span class="file">KRB4DIR/include</span></samp>) as well as where the V4 Kerberos library should
1148
be found (<samp><span class="file">KRB4DIR/lib</span></samp>).
1159
<br><dt><code>--without-krb4</code>
1150
<br><dt><code>--without-krb4</code><dd>
1161
1151
Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
1162
1152
clients from using the V5 services including the KDC. This would be
1163
1153
useful if you know you will never install or need to interact with V4
1166
<br><dt><code>--with-netlib[=libs]</code>
1156
<br><dt><code>--with-netlib[=libs]</code><dd>
1168
1157
Allows for suppression of or replacement of network libraries. By
1169
1158
default, Kerberos V5 configuration will look for <code>-lnsl</code> and
1170
1159
<code>-lsocket</code>. If your operating system has a broken resolver library
1171
(see <a href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in
1172
<code>src/tests/resolv</code> you will need to use this option.
1160
(see <a href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in
1161
<samp><span class="file">src/tests/resolv</span></samp> you will need to use this option.
1174
<br><dt><code>--with-tcl=TCLPATH</code>
1163
<br><dt><code>--with-tcl=TCLPATH</code><dd>
1176
1164
Some of the unit-tests in the build tree rely upon using a program in
1177
1165
Tcl. The directory specified by <code>TCLPATH</code> specifies where the Tcl
1178
header file (<code>TCLPATH/include/tcl.h</code> as well as where the Tcl
1179
library should be found (<code>TCLPATH/lib</code>).
1166
header file (<samp><span class="file">TCLPATH/include/tcl.h</span></samp> as well as where the Tcl
1167
library should be found (<samp><span class="file">TCLPATH/lib</span></samp>).
1181
<br><dt><code>--enable-shared</code>
1169
<br><dt><code>--enable-shared</code><dd>
1183
1170
This option will turn on the building and use of shared library objects
1184
1171
in the Kerberos build. This option is only supported on certain
1187
<br><dt><code>--enable-dns</code>
1188
<dd><br><dt><code>--enable-dns-for-kdc</code>
1189
<dd><br><dt><code>--enable-dns-for-realm</code>
1174
<br><dt><code>--enable-dns</code><br><dt><code>--enable-dns-for-kdc</code><br><dt><code>--enable-dns-for-realm</code><dd>
1191
1175
Enable the use of DNS to look up a host's Kerberos realm, or a realm's
1192
KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to
1193
locate the KDCs, and <a href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a> for
1176
KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to
1177
locate the KDCs, and <a href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a> for
1194
1178
information about using DNS to determine the default realm. By default,
1195
1179
DNS lookups are enabled for the former but not for the latter.
1197
<br><dt><code>--disable-kdc-lookaside-cache</code>
1181
<br><dt><code>--disable-kdc-lookaside-cache</code><dd>
1199
1182
Disables the cache in the KDC which detects retransmitted client
1200
1183
requests and resends the previous responses to them.
1202
<br><dt><code>--with-system-et</code>
1185
<br><dt><code>--with-system-et</code><dd>
1204
1186
Use an installed version of the error-table support software, the
1205
<code>compile_et</code> program, the <code>com_err.h</code> header file and the
1206
<code>com_err</code> library. If these are not in the default locations,
1187
‘<samp><span class="samp">compile_et</span></samp>’ program, the <samp><span class="file">com_err.h</span></samp> header file and the
1188
<samp><span class="file">com_err</span></samp> library. If these are not in the default locations,
1207
1189
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
1208
1190
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
1212
1194
sources will be built and installed along with the rest of the
1213
1195
Kerberos tree, for Kerberos applications to link against.
1215
<br><dt><code>--with-system-ss</code>
1197
<br><dt><code>--with-system-ss</code><dd>
1217
1198
Use an installed version of the subsystem command-line interface
1218
software, the <code>mk_cmds</code> program, the <code>ss/ss.h</code> header file
1219
and the <code>ss</code> library. If these are not in the default locations,
1199
software, the ‘<samp><span class="samp">mk_cmds</span></samp>’ program, the <samp><span class="file">ss/ss.h</span></samp> header file
1200
and the <samp><span class="file">ss</span></samp> library. If these are not in the default locations,
1220
1201
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
1221
1202
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
1222
well. See also the <code>SS_LIB</code> option.
1203
well. See also the ‘<samp><span class="samp">SS_LIB</span></samp>’ option.
1224
<p>If this option is not given, the <code>ss</code> library supplied with the
1205
<p>If this option is not given, the <samp><span class="file">ss</span></samp> library supplied with the
1225
1206
Kerberos sources will be compiled and linked into those programs that
1226
1207
need it; it will not be installed separately.
1228
<br><dt><code>SS_LIB=libs...</code>
1230
If <code>-lss</code> is not the correct way to link in your installed
1231
<code>ss</code> library, for example if additional support libraries are
1209
<br><dt><code>SS_LIB=libs...</code><dd>
1210
If ‘<samp><span class="samp">-lss</span></samp>’ is not the correct way to link in your installed
1211
<samp><span class="file">ss</span></samp> library, for example if additional support libraries are
1232
1212
needed, specify the correct link options here. Some variants of this
1233
1213
library are around which allow for Emacs-like line editing, but
1234
1214
different versions require different support libraries to be
1235
1215
explicitly specified.
1237
<p>This option is ignored if <code>--with-system-ss</code> is not specified.
1217
<p>This option is ignored if ‘<samp><span class="samp">--with-system-ss</span></samp>’ is not specified.
1239
<br><dt><code>--with-system-db</code>
1219
<br><dt><code>--with-system-db</code><dd>
1241
1220
Use an installed version of the Berkeley DB package, which must
1242
1221
provide an API compatible with version 1.85. This option is
1243
1222
<em>unsupported</em> and untested. In particular, we do not know if the
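Review bot: In the --with-tcl=TCLPATH entry, new line 1166 opens a parenthesis before TCLPATH/include/tcl.h that is never closed, and the sentence gives the header file no verb. The change only swaps the code markup for file markup on that line and carries the defect over. Suggest mirroring the --with-krb4=KRB4DIR entry just above it: "specifies where the Tcl header file should be found (TCLPATH/include/tcl.h) as well as where the Tcl library should be found (TCLPATH/lib)".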
1272
1248
<p>For example, in order to configure Kerberos on a Solaris machine using
1273
the <code>suncc</code> compiler with the optimizer turned on, run the configure
1249
the ‘<samp><span class="samp">suncc</span></samp>’ compiler with the optimizer turned on, run the configure
1274
1250
script with the following options:
1276
1252
<pre class="example"> % ./configure CC=suncc CFLAGS=-O
1279
1254
<p>For a slightly more complicated example, consider a system where
1280
1255
several packages to be used by Kerberos are installed in
1281
<code>/usr/foobar</code>, including Berkeley DB 3.3, and an <code>ss</code>
1282
library that needs to link against the <code>curses</code> library. The
1256
‘<samp><span class="samp">/usr/foobar</span></samp>’, including Berkeley DB 3.3, and an ‘<samp><span class="samp">ss</span></samp>’
1257
library that needs to link against the ‘<samp><span class="samp">curses</span></samp>’ library. The
1283
1258
configuration of Kerberos might be done thus:
1285
1260
<pre class="example"> % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
1286
1261
--with-system-et --with-system-ss --with-system-db \
1287
1262
SS_LIB='-lss -lcurses' \
1288
1263
DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
1291
1265
<p>In previous releases, <code>--with-</code> options were used to specify the
1292
1266
compiler and linker and their options.
1294
1268
<div class="node">
1269
<a name="osconf.h"></a>
1270
<a name="osconf_002eh"></a>
1296
Node:<a name="osconf.h">osconf.h</a>,
1297
Next:<a rel="next" accesskey="n" href="#Shared%20Library%20Support">Shared Library Support</a>,
1298
Previous:<a rel="previous" accesskey="p" href="#Options%20to%20Configure">Options to Configure</a>,
1299
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
1272
Next: <a rel="next" accesskey="n" href="#Shared-Library-Support">Shared Library Support</a>,
1273
Previous: <a rel="previous" accesskey="p" href="#Options-to-Configure">Options to Configure</a>,
1274
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
1303
<h3 class="section"><code>osconf.h</code></h3>
1278
<h3 class="section">3.8 <samp><span class="file">osconf.h</span></samp></h3>
1305
1280
<p>There is one configuration file which you may wish to edit to control
1306
1281
various compile-time parameters in the Kerberos distribution:
1307
<code>include/stock/osconf.h</code>. The list that follows is by no means
1282
<samp><span class="file">include/stock/osconf.h</span></samp>. The list that follows is by no means
1308
1283
complete, just some of the more interesting variables.
1310
<p>Please note: The former configuration file <code>config.h</code> no longer
1285
<p>Please note: The former configuration file <samp><span class="file">config.h</span></samp> no longer
1311
1286
exists as its functionality has been merged into the auto-configuration
1312
process. See <a href="#Options%20to%20Configure">Options to Configure</a>.
1287
process. See <a href="#Options-to-Configure">Options to Configure</a>.
1316
<br><dt><code>DEFAULT_PROFILE_PATH</code>
1290
<dt><code>DEFAULT_PROFILE_PATH</code><dd>
1318
1291
The pathname to the file which contains the profiles for the known realms,
1319
1292
their KDCs, etc. The default value is /etc/krb5.conf.
1321
1294
<p>The profile file format is no longer the same format as Kerberos V4's
1322
<code>krb.conf</code> file.
1295
<samp><span class="file">krb.conf</span></samp> file.
1324
<br><dt><code>DEFAULT_KEYTAB_NAME</code>
1297
<br><dt><code>DEFAULT_KEYTAB_NAME</code><dd>
1326
1298
The type and pathname to the default server keytab file (the
1327
equivalent of Kerberos V4's <code>/etc/srvtab</code>). The default is
1299
equivalent of Kerberos V4's <samp><span class="file">/etc/srvtab</span></samp>). The default is
1328
1300
/etc/krb5.keytab.
1330
<br><dt><code>DEFAULT_KDC_ENCTYPE</code>
1302
<br><dt><code>DEFAULT_KDC_ENCTYPE</code><dd>
1332
1303
The default encryption type for the KDC. The default value is
1335
<br><dt><code>KDCRCACHE</code>
1306
<br><dt><code>KDCRCACHE</code><dd>
1337
1307
The name of the replay cache used by the KDC. The default value is
1338
1308
krb5kdc_rcache.
1340
<br><dt><code>RCTMPDIR</code>
1310
<br><dt><code>RCTMPDIR</code><dd>
1342
1311
The directory which stores replay caches. The default is to try
1343
1312
/var/tmp, /usr/tmp, /var/usr/tmp, and /tmp.
1345
<br><dt><code>DEFAULT_KDB_FILE</code>
1314
<br><dt><code>DEFAULT_KDB_FILE</code><dd>
1347
1315
The location of the default database. The default value is
1348
1316
/usr/local/var/krb5kdc/principal.
1352
1320
<div class="node">
1321
<a name="Shared-Library-Support"></a>
1354
Node:<a name="Shared%20Library%20Support">Shared Library Support</a>,
1355
Next:<a rel="next" accesskey="n" href="#OS%20Incompatibilities">OS Incompatibilities</a>,
1356
Previous:<a rel="previous" accesskey="p" href="#osconf.h">osconf.h</a>,
1357
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
1323
Next: <a rel="next" accesskey="n" href="#OS-Incompatibilities">OS Incompatibilities</a>,
1324
Previous: <a rel="previous" accesskey="p" href="#osconf_002eh">osconf.h</a>,
1325
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
1361
<h3 class="section">Shared Library Support</h3>
1329
<h3 class="section">3.9 Shared Library Support</h3>
1363
1331
<p>Shared library support is provided for a few operating systems. There
1364
1332
are restrictions as to which compiler to use when using shared
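Review bot: The new markup for pathnames is inconsistent within this region. New line 1256 renders the directory /usr/foobar with the quoted samp style, while include/stock/osconf.h (new line 1282), config.h (1285), krb.conf (1295) and /etc/srvtab (1299) use the file style. The default values in the osconf.h list (/etc/krb5.conf, /etc/krb5.keytab, /usr/local/var/krb5kdc/principal) are still unmarked plain text. Suggest marking every pathname with the file style so readers can tell literal paths from prose, and using one style for the ss and curses library names at new lines 1256-1257.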
1405
1373
<ul class="menu">
1406
<li><a accesskey="1" href="#AIX">AIX</a>:
1407
<li><a accesskey="2" href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>:
1408
<li><a accesskey="3" href="#Alpha%20OSF%2f1%20V2.0">Alpha OSF/1 V2.0</a>:
1409
<li><a accesskey="4" href="#Alpha%20OSF%2f1%20V4.0">Alpha OSF/1 V4.0</a>:
1410
<li><a accesskey="5" href="#BSDI">BSDI</a>:
1411
<li><a accesskey="6" href="#HPUX">HPUX</a>:
1412
<li><a accesskey="7" href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>:
1413
<li><a accesskey="8" href="#Solaris%202.X">Solaris 2.X</a>:
1414
<li><a accesskey="9" href="#Solaris%209">Solaris 9</a>:
1415
<li><a href="#SGI%20Irix%205.X">SGI Irix 5.X</a>:
1416
<li><a href="#Ultrix%204.2%2f3">Ultrix 4.2/3</a>:
1374
<li><a accesskey="1" href="#AIX">AIX</a>
1375
<li><a accesskey="2" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>
1376
<li><a accesskey="3" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>
1377
<li><a accesskey="4" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>
1378
<li><a accesskey="5" href="#BSDI">BSDI</a>
1379
<li><a accesskey="6" href="#HPUX">HPUX</a>
1380
<li><a accesskey="7" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>
1381
<li><a accesskey="8" href="#Solaris-2_002eX">Solaris 2.X</a>
1382
<li><a accesskey="9" href="#Solaris-9">Solaris 9</a>
1383
<li><a href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>
1384
<li><a href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>
1419
1387
<div class="node">
1421
Node:<a name="AIX">AIX</a>,
1422
Next:<a rel="next" accesskey="n" href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>,
1423
Previous:<a rel="previous" accesskey="p" href="#OS%20Incompatibilities">OS Incompatibilities</a>,
1424
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1390
Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,
1391
Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,
1392
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1428
<h4 class="subsection">AIX</h4>
1396
<h4 class="subsection">3.10.1 AIX</h4>
1430
1398
<p>The AIX 3.2.5 linker dumps core trying to build a shared
1431
<code>libkrb5.a</code> produced with the GNU C compiler. The native AIX
1399
‘<samp><span class="samp">libkrb5.a</span></samp>’ produced with the GNU C compiler. The native AIX
1432
1400
compiler works fine. This problem is fixed using the AIX 4.1 linker.
1434
1402
<div class="node">
1403
<a name="Alpha-OSF%2f1-V1.3"></a>
1404
<a name="Alpha-OSF_002f1-V1_002e3"></a>
1436
Node:<a name="Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>,
1437
Next:<a rel="next" accesskey="n" href="#Alpha%20OSF%2f1%20V2.0">Alpha OSF/1 V2.0</a>,
1438
Previous:<a rel="previous" accesskey="p" href="#AIX">AIX</a>,
1439
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1406
Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,
1407
Previous: <a rel="previous" accesskey="p" href="#AIX">AIX</a>,
1408
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1443
<h4 class="subsection">Alpha OSF/1 V1.3</h4>
1412
<h4 class="subsection">3.10.2 Alpha OSF/1 V1.3</h4>
1445
<p>Using the native compiler, compiling with the <code>-O</code> compiler flag
1414
<p>Using the native compiler, compiling with the ‘<samp><span class="samp">-O</span></samp>’ compiler flag
1446
1415
causes the <code>asn.1</code> library to be compiled incorrectly.
1448
1417
<p>Using GCC version 2.6.3 or later instead of the native compiler will also work
1449
1418
fine, both with or without optimization.
1451
1420
<div class="node">
1421
<a name="Alpha-OSF%2f1-V2.0"></a>
1422
<a name="Alpha-OSF_002f1-V2_002e0"></a>
1453
Node:<a name="Alpha%20OSF%2f1%20V2.0">Alpha OSF/1 V2.0</a>,
1454
Next:<a rel="next" accesskey="n" href="#Alpha%20OSF%2f1%20V4.0">Alpha OSF/1 V4.0</a>,
1455
Previous:<a rel="previous" accesskey="p" href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>,
1456
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1424
Next: <a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,
1425
Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,
1426
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1460
<h4 class="subsection">Alpha OSF/1 V2.0</h4>
1430
<h4 class="subsection">3.10.3 Alpha OSF/1 V2.0</h4>
1462
1432
<p>There used to be a bug when using the native compiler in compiling
1463
<code>md4.c</code> when compiled without either the <code>-O</code> or <code>-g</code>
1433
<samp><span class="file">md4.c</span></samp> when compiled without either the ‘<samp><span class="samp">-O</span></samp>’ or ‘<samp><span class="samp">-g</span></samp>’
1464
1434
compiler options. We have changed the code and there is no problem
1465
1435
under V2.1, but we do not have access to V2.0 to test and see if the
1466
1436
problem would exist there. (We welcome feedback on this issue). There
1470
1440
this sort of problem with the native compiler.
1472
1442
<div class="node">
1443
<a name="Alpha-OSF%2f1-V4.0"></a>
1444
<a name="Alpha-OSF_002f1-V4_002e0"></a>
1474
Node:<a name="Alpha%20OSF%2f1%20V4.0">Alpha OSF/1 V4.0</a>,
1475
Next:<a rel="next" accesskey="n" href="#BSDI">BSDI</a>,
1476
Previous:<a rel="previous" accesskey="p" href="#Alpha%20OSF%2f1%20V2.0">Alpha OSF/1 V2.0</a>,
1477
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1446
Next: <a rel="next" accesskey="n" href="#BSDI">BSDI</a>,
1447
Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,
1448
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1481
<h4 class="subsection">Alpha OSF/1 (Digital UNIX) V4.0</h4>
1452
<h4 class="subsection">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</h4>
1483
1454
<p>The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)
1484
1455
defaults to an extended K&R C mode, not ANSI C. You need to provide
1485
the <code>-std</code> argument to the compiler (i.e., <code>./configure
1486
CC='cc -std'</code>) to enable extended ANSI C mode. More recent versions
1456
the ‘<samp><span class="samp">-std</span></samp>’ argument to the compiler (i.e., ‘<samp><span class="samp">./configure
1457
CC='cc -std'</span></samp>’) to enable extended ANSI C mode. More recent versions
1487
1458
of the operating system, such as 5.0, seem to have C compilers which
1488
default to <code>-std</code>.
1459
default to ‘<samp><span class="samp">-std</span></samp>’.
1461
<!-- @node Alpha Tru64 UNIX 5.0 -->
1462
<!-- @subsection Alpha Tru64 UNIX 5.0 -->
1463
<!-- ... login.krb5 problems -->
1490
1464
<div class="node">
1492
Node:<a name="BSDI">BSDI</a>,
1493
Next:<a rel="next" accesskey="n" href="#HPUX">HPUX</a>,
1494
Previous:<a rel="previous" accesskey="p" href="#Alpha%20OSF%2f1%20V4.0">Alpha OSF/1 V4.0</a>,
1495
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1467
Next: <a rel="next" accesskey="n" href="#HPUX">HPUX</a>,
1468
Previous: <a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,
1469
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1499
<h4 class="subsection">BSDI</h4>
1473
<h4 class="subsection">3.10.5 BSDI</h4>
1501
<p>BSDI versions 1.0 and 1.1 reportedly has a bad <code>sed</code> which causes
1475
<p>BSDI versions 1.0 and 1.1 reportedly has a bad ‘<samp><span class="samp">sed</span></samp>’ which causes
1502
1476
it to go into an infinite loop during the build. The work around is
1503
to use a <code>sed</code> from somewhere else, such as GNU. (This may be
1477
to use a ‘<samp><span class="samp">sed</span></samp>’ from somewhere else, such as GNU. (This may be
1504
1478
true for some versions of other systems derived from BSD 4.4, such as
1505
1479
NetBSD and FreeBSD.)
1507
1481
<div class="node">
1509
Node:<a name="HPUX">HPUX</a>,
1510
Next:<a rel="next" accesskey="n" href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>,
1511
Previous:<a rel="previous" accesskey="p" href="#BSDI">BSDI</a>,
1512
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1484
Next: <a rel="next" accesskey="n" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,
1485
Previous: <a rel="previous" accesskey="p" href="#BSDI">BSDI</a>,
1486
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1516
<h4 class="subsection">HPUX</h4>
1490
<h4 class="subsection">3.10.6 HPUX</h4>
1518
1492
<p>The native (bundled) compiler for HPUX currently will not work,
1519
1493
because it is not a full ANSI C compiler. The optional ANSI C
1520
compiler should work as long as you give it the <code>-Ae</code> flag
1521
(i.e. <code>./configure CC='cc -Ae'</code>). This is equivalent to
1522
<code>./configure CC='c89 -D_HPUX_SOURCE'</code>, which was the previous
1494
compiler should work as long as you give it the ‘<samp><span class="samp">-Ae</span></samp>’ flag
1495
(i.e. ‘<samp><span class="samp">./configure CC='cc -Ae'</span></samp>’). This is equivalent to
1496
‘<samp><span class="samp">./configure CC='c89 -D_HPUX_SOURCE'</span></samp>’, which was the previous
1523
1497
recommendation. This has only been tested recently for HPUX 10.20.
1525
<p>You will need to configure with <code>--disable-shared
1526
--enable-static</code>, because as of 1.4 we don't have support for HPUX
1499
<p>You will need to configure with ‘<samp><span class="samp">--disable-shared
1500
--enable-static</span></samp>’, because as of 1.4 we don't have support for HPUX
1527
1501
shared library finalization routines, nor the option (yet) to ignore
1528
1502
that lack of support (which means repeated
1529
1503
<code>dlopen</code>/<code>dlclose</code> cycles on the Kerberos libraries may not
1530
1504
be safe) and build the shared libraries anyways.
1532
1506
<p>You will also need to configure the build tree with
1533
<code>--disable-thread-support</code> if you are on HPUX 10 and do not have
1507
‘<samp><span class="samp">--disable-thread-support</span></samp>’ if you are on HPUX 10 and do not have
1534
1508
the DCE development package installed, because that's where the
1535
1509
<code>pthread.h</code> header file is found. (We don't know if our code
1536
1510
will work with such a package installed, because according to some HP
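Review bot: The node anchors in this region are renamed without keeping the old fragment names, so existing deep links into the guide will stop resolving. For example, the old name="Alpha%20OSF%2f1%20V2.0" becomes name="Alpha-OSF_002f1-V2_002e0", and the extra anchor emitted next to it, name="Alpha-OSF%2f1-V2.0", does not match the old space-encoded form either. If inbound links to the previous HTML matter, keep the old names as additional anchors or publish a mapping from old to new fragments. Separately, the BSDI paragraph still reads "versions 1.0 and 1.1 reportedly has a bad sed"; "have" is correct, and since that line is regenerated here it is a good moment to fix it in the Texinfo source.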
1635
1609
<p>Sun has released kernel patches for this race condition. Apply patch
1636
1610
117171-11 for sparc, or patch 117172-11 for x86. Later revisions of
1637
the patches should also work. It is not necessary to run "make
1638
check" from a shell with elevated priority limits once the patch has
1611
the patches should also work. It is not necessary to run “make
1612
check” from a shell with elevated priority limits once the patch has
1641
1615
<div class="node">
1616
<a name="SGI-Irix-5.X"></a>
1617
<a name="SGI-Irix-5_002eX"></a>
1643
Node:<a name="SGI%20Irix%205.X">SGI Irix 5.X</a>,
1644
Next:<a rel="next" accesskey="n" href="#Ultrix%204.2%2f3">Ultrix 4.2/3</a>,
1645
Previous:<a rel="previous" accesskey="p" href="#Solaris%209">Solaris 9</a>,
1646
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1619
Next: <a rel="next" accesskey="n" href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>,
1620
Previous: <a rel="previous" accesskey="p" href="#Solaris-9">Solaris 9</a>,
1621
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1650
<h4 class="subsection">SGI Irix 5.X</h4>
1625
<h4 class="subsection">3.10.10 SGI Irix 5.X</h4>
1652
1627
<p>If you are building in a tree separate from the source tree, the vendors
1653
1628
version of make does not work properly with regards to
1654
<code>VPATH</code>. It also has problems with standard inference rules in 5.2
1629
‘<samp><span class="samp">VPATH</span></samp>’. It also has problems with standard inference rules in 5.2
1655
1630
(not tested yet in 5.3) so one needs to use GNU's make.
1657
1632
<p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code>
1658
1633
library in which the routine <code>gethostbyname()</code> is broken. The
1659
1634
system supplied version in <code>-lc</code> appears to work though so one may
1660
simply specify <code>--with-netlib</code> option to <code>configure</code>.
1635
simply specify <code>--with-netlib</code> option to ‘<samp><span class="samp">configure</span></samp>’.
1662
1637
<p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and
1663
1638
is no longer an issue.
1665
1640
<div class="node">
1641
<a name="Ultrix-4.2%2f3"></a>
1642
<a name="Ultrix-4_002e2_002f3"></a>
1667
Node:<a name="Ultrix%204.2%2f3">Ultrix 4.2/3</a>,
1668
Previous:<a rel="previous" accesskey="p" href="#SGI%20Irix%205.X">SGI Irix 5.X</a>,
1669
Up:<a rel="up" accesskey="u" href="#OS%20Incompatibilities">OS Incompatibilities</a>
1644
Previous: <a rel="previous" accesskey="p" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,
1645
Up: <a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>
1673
<h4 class="subsection">Ultrix 4.2/3</h4>
1649
<h4 class="subsection">3.10.11 Ultrix 4.2/3</h4>
1675
1651
<p>The DEC MIPS platform currently will not support the native compiler,
1676
1652
since the Ultrix compiler is not a full ANSI C compiler. You should use
1679
1655
<div class="node">
1656
<a name="Using-Autoconf"></a>
1681
Node:<a name="Using%20Autoconf">Using Autoconf</a>,
1682
Previous:<a rel="previous" accesskey="p" href="#OS%20Incompatibilities">OS Incompatibilities</a>,
1683
Up:<a rel="up" accesskey="u" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
1658
Previous: <a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,
1659
Up: <a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>
1687
<h3 class="section">Using <code>Autoconf</code></h3>
1663
<h3 class="section">3.11 Using ‘<samp><span class="samp">Autoconf</span></samp>’</h3>
1689
1665
<p>(If you are not a developer, you can skip this section.)
1691
1667
<p>In most of the Kerberos V5 source directories, there is a
1692
<code>configure</code> script which automatically determines the compilation
1668
<samp><span class="file">configure</span></samp> script which automatically determines the compilation
1693
1669
environment and creates the proper Makefiles for a particular
1694
platform. These <code>configure</code> files are generated using
1695
<code>autoconf</code>, which can be found in the <code>src/util/autoconf</code>
1670
platform. These <samp><span class="file">configure</span></samp> files are generated using
1671
‘<samp><span class="samp">autoconf</span></samp>’, which can be found in the <samp><span class="file">src/util/autoconf</span></samp>
1696
1672
directory in the distribution.
1698
<p>Normal users will not need to worry about running <code>autoconf</code>; the
1699
distribution comes with the <code>configure</code> files already prebuilt.
1700
Developers who wish to modify the <code>configure.in</code> files should see
1674
<p>Normal users will not need to worry about running ‘<samp><span class="samp">autoconf</span></samp>’; the
1675
distribution comes with the <samp><span class="file">configure</span></samp> files already prebuilt.
1676
Developers who wish to modify the <samp><span class="file">configure.in</span></samp> files should see
1701
1677
<a href="autoconf.html#Top">Overview</a>.
1703
<p>Note that in order to run <code>autoconf</code>, you must have GNU <code>m4</code>
1704
in your path. Before you use the <code>autoconf</code> in the Kerberos V5
1705
source tree, you may also need to run <code>configure</code>, and then run
1706
<code>make</code> in the <code>src/util/autoconf</code> directory in order to
1707
properly set up <code>autoconf</code>.
1679
<p>Note that in order to run ‘<samp><span class="samp">autoconf</span></samp>’, you must have GNU ‘<samp><span class="samp">m4</span></samp>’
1680
in your path. Before you use the ‘<samp><span class="samp">autoconf</span></samp>’ in the Kerberos V5
1681
source tree, you may also need to run ‘<samp><span class="samp">configure</span></samp>’, and then run
1682
‘<samp><span class="samp">make</span></samp>’ in the <samp><span class="file">src/util/autoconf</span></samp> directory in order to
1683
properly set up ‘<samp><span class="samp">autoconf</span></samp>’.
1709
1685
<p>One tool which is provided for the convenience of developers can be
1710
found in <code>src/util/reconf</code>. This program should be run while the
1686
found in <samp><span class="file">src/util/reconf</span></samp>. This program should be run while the
1711
1687
current directory is the top source directory. It will automatically
1712
rebuild any <code>configure</code> files which need rebuilding. If you know
1688
rebuild any <samp><span class="file">configure</span></samp> files which need rebuilding. If you know
1713
1689
that you have made a change that will require that all the
1714
<code>configure</code> files need to be rebuilt from scratch, specify the
1690
<samp><span class="file">configure</span></samp> files need to be rebuilt from scratch, specify the
1715
1691
<code>--force</code> option:
1717
<pre class="example"> % cd /u1/krb5-1.9/src
1693
<pre class="example"> % cd /u1/krb5-1.10/src
1718
1694
% ./util/reconf --force
1721
1696
<p>The developmental sources are a raw source tree (before it's been packaged
1722
for public release), without the pre-built <code>configure</code> files.
1697
for public release), without the pre-built <samp><span class="file">configure</span></samp> files.
1723
1698
In order to build from such a source tree, you must do:
1725
1700
<pre class="example"> % cd krb5/util/autoconf
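Review bot: Option markup is inconsistent after this change. In the Irix 5.X paragraph, configure now renders as quoted samp text while the --with-netlib option on the same line is still plain <code>, and --force in the reconf paragraph is likewise left as <code> although the file names around it moved to the file style. Mark command-line options the same way throughout in the Texinfo source so the regenerated HTML is uniform. The Irix sentence "simply specify --with-netlib option" is also missing "the".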
1786
1759
administration. This allows clients to continue to obtain tickets when
1787
1760
the master KDC is unavailable.
1789
MIT recommends that you install all of your KDCs to be able
1762
<p>MIT recommends that you install all of your KDCs to be able
1790
1763
to function as either the master or one of the slaves. This will enable
1791
1764
you to easily switch your master KDC with one of the slaves if
1792
necessary. (See <a href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>.) This installation
1765
necessary. (See <a href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>.) This installation
1793
1766
procedure is based on that recommendation.
1795
1768
<ul class="menu">
1796
<li><a accesskey="1" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>:
1797
<li><a accesskey="2" href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>:
1798
<li><a accesskey="3" href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>:
1799
<li><a accesskey="4" href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>:
1800
<li><a accesskey="5" href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>:
1801
<li><a accesskey="6" href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>:
1802
<li><a accesskey="7" href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>:
1803
<li><a accesskey="8" href="#Incremental%20Database%20Propagation">Incremental Database Propagation</a>:
1769
<li><a accesskey="1" href="#Install-the-Master-KDC">Install the Master KDC</a>
1770
<li><a accesskey="2" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
1771
<li><a accesskey="3" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>
1772
<li><a accesskey="4" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
1773
<li><a accesskey="5" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>
1774
<li><a accesskey="6" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>
1775
<li><a accesskey="7" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>
1776
<li><a accesskey="8" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>
1806
1779
<div class="node">
1780
<a name="Install-the-Master-KDC"></a>
1808
Node:<a name="Install%20the%20Master%20KDC">Install the Master KDC</a>,
1809
Next:<a rel="next" accesskey="n" href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>,
1810
Previous:<a rel="previous" accesskey="p" href="#Installing%20KDCs">Installing KDCs</a>,
1811
Up:<a rel="up" accesskey="u" href="#Installing%20KDCs">Installing KDCs</a>
1782
Next: <a rel="next" accesskey="n" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
1783
Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,
1784
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
1815
<h4 class="subsection">Install the Master KDC</h4>
1788
<h4 class="subsection">4.1.1 Install the Master KDC</h4>
1817
1790
<p>This installation procedure will require you to go back and forth a
1818
1791
couple of times between the master KDC and each of the slave KDCs. The
1819
1792
first few steps must be done on the master KDC.
1821
1794
<ul class="menu">
1822
<li><a accesskey="1" href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>:
1823
<li><a accesskey="2" href="#krb5.conf">krb5.conf</a>:
1824
<li><a accesskey="3" href="#kdc.conf">kdc.conf</a>:
1825
<li><a accesskey="4" href="#Create%20the%20Database">Create the Database</a>:
1826
<li><a accesskey="5" href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>:
1827
<li><a accesskey="6" href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>:
1828
<li><a accesskey="7" href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>:
1829
<li><a accesskey="8" href="#Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons</a>:
1795
<li><a accesskey="1" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>
1796
<li><a accesskey="2" href="#krb5_002econf">krb5.conf</a>
1797
<li><a accesskey="3" href="#kdc_002econf">kdc.conf</a>
1798
<li><a accesskey="4" href="#Create-the-Database">Create the Database</a>
1799
<li><a accesskey="5" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>
1800
<li><a accesskey="6" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>
1801
<li><a accesskey="7" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>
1802
<li><a accesskey="8" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>
1832
1805
<div class="node">
1806
<a name="Edit-the-Configuration-Files"></a>
1834
Node:<a name="Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>,
1835
Next:<a rel="next" accesskey="n" href="#krb5.conf">krb5.conf</a>,
1836
Previous:<a rel="previous" accesskey="p" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>,
1837
Up:<a rel="up" accesskey="u" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>
1808
Next: <a rel="next" accesskey="n" href="#krb5_002econf">krb5.conf</a>,
1809
Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,
1810
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
1841
<h5 class="subsubsection">Edit the Configuration Files</h5>
1814
<h5 class="subsubsection">4.1.1.1 Edit the Configuration Files</h5>
1843
1816
<p>Modify the configuration files, <code>/etc/krb5.conf</code> and
1844
1817
<code>/usr/local/var/krb5kdc/kdc.conf</code> to reflect the correct
1982
1944
kdc = FILE:/var/log/krb5kdc.log
1983
1945
admin_server = FILE:/var/log/kadmin.log
1984
1946
default = FILE:/var/log/krb5lib.log
1987
1948
<div class="node">
1949
<a name="kdc.conf"></a>
1950
<a name="kdc_002econf"></a>
1989
Node:<a name="kdc.conf">kdc.conf</a>,
1990
Next:<a rel="next" accesskey="n" href="#Create%20the%20Database">Create the Database</a>,
1991
Previous:<a rel="previous" accesskey="p" href="#krb5.conf">krb5.conf</a>,
1992
Up:<a rel="up" accesskey="u" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>
1952
Next: <a rel="next" accesskey="n" href="#Create-the-Database">Create the Database</a>,
1953
Previous: <a rel="previous" accesskey="p" href="#krb5_002econf">krb5.conf</a>,
1954
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
1996
<h5 class="subsubsection">kdc.conf</h5>
1958
<h5 class="subsubsection">4.1.1.3 kdc.conf</h5>
1998
1960
<p>The <code>kdc.conf</code> file contains KDC configuration information,
1999
1961
including defaults used when issuing Kerberos tickets. Normally, you
2000
1962
should install your <code>kdc.conf</code> file in the directory
2001
1963
<code>/usr/local/var/krb5kdc</code>. You can override the default
2002
location by setting the environment variable <code>KRB5_KDC_PROFILE</code>.
1964
location by setting the environment variable ‘<samp><span class="samp">KRB5_KDC_PROFILE</span></samp>’.
2004
1966
<p>The <code>kdc.conf</code> file is set up in the same format as the
2005
<code>krb5.conf</code> file. (See <a href="#krb5.conf">krb5.conf</a>.) The <code>kdc.conf</code> file
1967
<code>krb5.conf</code> file. (See <a href="#krb5_002econf">krb5.conf</a>.) The <code>kdc.conf</code> file
2006
1968
may contain any or all of the following three sections:
2009
<dt><b>kdcdefaults</b>
2010
<dd>Contains default values for overall behavior of the KDC.
1971
<dt><b>kdcdefaults</b><dd>Contains default values for overall behavior of the KDC.
2012
<br><dt><b>realms</b>
2013
<dd>Contains subsections keyed by Kerberos realm names. Each subsection
1973
<br><dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names. Each subsection
2014
1974
describes realm-specific information, including where to find the
2015
1975
Kerberos servers for that realm.
2017
<br><dt><b>logging</b>
2018
<dd>Contains relations which determine how Kerberos programs are to perform
1977
<br><dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
2022
1981
<div class="node">
1982
<a name="Create-the-Database"></a>
2024
Node:<a name="Create%20the%20Database">Create the Database</a>,
2025
Next:<a rel="next" accesskey="n" href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>,
2026
Previous:<a rel="previous" accesskey="p" href="#kdc.conf">kdc.conf</a>,
2027
Up:<a rel="up" accesskey="u" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>
1984
Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,
1985
Previous: <a rel="previous" accesskey="p" href="#kdc_002econf">kdc.conf</a>,
1986
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
2031
<h5 class="subsubsection">Create the Database</h5>
1990
<h5 class="subsubsection">4.1.1.4 Create the Database</h5>
2033
1992
<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to
2034
1993
create the Kerberos database and the optional stash file. The
2057
2016
especially a famous person (or cartoon character), your username in any
2058
2017
form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of
2059
2018
the sample keys that appear in this manual. One example of a key which
2060
might be good if it did not appear in this manual is "MITiys4K5!",
2061
which represents the sentence "MIT is your source for Kerberos 5!"
2062
(It's the first letter of each word, substituting the numeral "4" for
2063
the word "for", and includes the punctuation mark at the end.)
2019
might be good if it did not appear in this manual is “MITiys4K5!”,
2020
which represents the sentence “MIT is your source for Kerberos 5!”
2021
(It's the first letter of each word, substituting the numeral “4” for
2022
the word “for”, and includes the punctuation mark at the end.)
2065
2024
<p>The following is an example of how to create a Kerberos database and
2066
2025
stash file on the master KDC, using the <code>kdb5_util</code> command. (The
2067
line that begins with => is a continuation of the previous line.)
2026
line that begins with ⇒ is a continuation of the previous line.)
2068
2027
Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.
2070
2029
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
2071
2030
<b>Initializing database '/usr/local/var/krb5kdc/principal' for
2072
=> realm 'ATHENA.MIT.EDU',
2031
⇒ realm 'ATHENA.MIT.EDU',
2073
2032
master key name 'K/M@ATHENA.MIT.EDU'
2074
2033
You will be prompted for the database Master Password.
2075
2034
It is important that you NOT FORGET this password.</b>
2076
2035
<b>Enter KDC database master key:</b> <i><= Type the master password.</i>
2077
2036
<b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i>
2081
2039
<p>This will create five files in the directory specified in your
2082
2040
<code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>,
2083
2041
and <code>principal.ok</code>; the Kerberos administrative database file,
2087
2045
want a stash file, run the above command without the <code>-s</code> option.
2089
2047
<div class="node">
2048
<a name="Add-Administrators-to-the-Acl-File"></a>
2091
Node:<a name="Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>,
2092
Next:<a rel="next" accesskey="n" href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>,
2093
Previous:<a rel="previous" accesskey="p" href="#Create%20the%20Database">Create the Database</a>,
2094
Up:<a rel="up" accesskey="u" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>
2050
Next: <a rel="next" accesskey="n" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,
2051
Previous: <a rel="previous" accesskey="p" href="#Create-the-Database">Create the Database</a>,
2052
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
2098
<h5 class="subsubsection">Add Administrators to the Acl File</h5>
2056
<h5 class="subsubsection">4.1.1.5 Add Administrators to the Acl File</h5>
2100
2058
<p>Next, you need create an Access Control List (acl) file, and put the
2101
2059
Kerberos principal of at least one of the administrators into it. This
2102
2060
file is used by the <code>kadmind</code> daemon to control which principals
2103
2061
may view and make privileged modifications to the Kerberos database
2104
2062
files. The filename should match the value you have set for
2105
"acl_file" in your <code>kdc.conf</code> file. The default file name is
2106
<code>/usr/local/var/krb5kdc/kadm5.acl</code>.
2063
“acl_file” in your <code>kdc.conf</code> file. The default file name is
2064
‘<samp><span class="samp">/usr/local/var/krb5kdc/kadm5.acl</span></samp>’.
2108
2066
<p>The format of the file is:
2110
2068
<pre class="smallexample"> Kerberos_principal permissions [target_principal] [restrictions]
2113
2070
<p>The Kerberos principal (and optional target principal) can include the
2114
"<b>*</b>" wildcard, so if you want any principal with the instance
2115
"admin" to have full permissions on the database, you could use the
2116
principal "<code>*/admin@REALM</code>" where "REALM" is your Kerberos
2071
“<b>*</b>” wildcard, so if you want any principal with the instance
2072
“admin” to have full permissions on the database, you could use the
2073
principal “<code>*/admin@REALM</code>” where “REALM” is your Kerberos
2117
2074
realm. <code>target_principal</code> can also include backreferences to
2118
<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i><b></b>" matches the
2075
<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i>" matches the
2119
2076
component <i>number</i> in the <code>Kerberos_principal</code>.
2121
2078
<p>Note: a common use of an <i>admin</i> instance is so you can grant
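Review bot: In the ACL paragraph, the backreference sentence keeps straight quotes around the *number pattern while every other quoted term nearby was switched to curly quotes (“acl_file”, “admin”, “REALM”), so the new output mixes both styles within a few lines. Dropping the empty <b></b> there is fine; the quoting should be made uniform in the source. The opening sentence of that section also still reads "you need create an Access Control List" and should be "you need to create".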
2130
2087
represent negative permissions. The permissions are:
2134
<dd>allows the addition of principals or policies in the database.
2136
<dd>disallows the addition of principals or policies in the database.
2138
<dd>allows the deletion of principals or policies in the database.
2140
<dd>disallows the deletion of principals or policies in the database.
2142
<dd>allows the modification of principals or policies in the database.
2144
<dd>disallows the modification of principals or policies in the database.
2146
<dd>allows the changing of passwords for principals in the database.
2148
<dd>disallows the changing of passwords for principals in the database.
2150
<dd>allows inquiries to the database.
2152
<dd>disallows inquiries to the database.
2154
<dd>allows the listing of principals or policies in the database.
2156
<dd>disallows the listing of principals or policies in the database.
2158
<dd>allows the explicit setting of the key for a principal
2160
<dd>disallows the explicit setting of the key for a principal
2162
<dd>All privileges (admcil).
2164
<dd>All privileges (admcil); identical to "*".
2090
<dt><b>a</b><dd>allows the addition of principals or policies in the database.
2091
<dt><b>A</b><dd>disallows the addition of principals or policies in the database.
2092
<dt><b>d</b><dd>allows the deletion of principals or policies in the database.
2093
<dt><b>D</b><dd>disallows the deletion of principals or policies in the database.
2094
<dt><b>m</b><dd>allows the modification of principals or policies in the database.
2095
<dt><b>M</b><dd>disallows the modification of principals or policies in the database.
2096
<dt><b>c</b><dd>allows the changing of passwords for principals in the database.
2097
<dt><b>C</b><dd>disallows the changing of passwords for principals in the database.
2098
<dt><b>i</b><dd>allows inquiries to the database.
2099
<dt><b>I</b><dd>disallows inquiries to the database.
2100
<dt><b>l</b><dd>allows the listing of principals or policies in the database.
2101
<dt><b>L</b><dd>disallows the listing of principals or policies in the database.
2102
<dt><b>s</b><dd>allows the explicit setting of the key for a principal
2103
<dt><b>S</b><dd>disallows the explicit setting of the key for a principal
2104
<dt><b>*</b><dd>All privileges (admcil).
2105
<dt><b>x</b><dd>All privileges (admcil); identical to “*”.
2167
2108
<p>The restrictions are a string of flags. Allowed restrictions are:
2170
<dt><b>[+ -]</b><i>flagname</i><b></b>
2171
<dd>flag is forced to indicated value. The permissible flags are the same
2111
<dt><b>[+ -]</b><i>flagname</i><dd>flag is forced to indicated value. The permissible flags are the same
2172
2112
as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and
2173
2113
<code>modprinc</code> commands.
2174
<dt><b>-clearpolicy</b>
2175
<dd>policy is forced to clear
2176
<dt><b>-policy </b><i>pol</i><b></b>
2177
<dd>policy is forced to be <i>pol</i>
2178
<dt><b>expire </b><i>time</i><b></b>
2179
<dd><dt><b>pwexpire </b><i>time</i><b></b>
2180
<dd><dt><b>maxlife </b><i>time</i><b></b>
2181
<dd><dt><b>maxrenewlife </b><i>time</i><b></b>
2182
<dd>associated value will be forced to MIN(<i>time</i>, requested value)
2114
<dt><b>-clearpolicy</b><dd>policy is forced to clear
2115
<dt><b>-policy </b><i>pol</i><dd>policy is forced to be <i>pol</i>
2116
<dt><b>expire </b><i>time</i><dt><b>pwexpire </b><i>time</i><dt><b>maxlife </b><i>time</i><dt><b>maxrenewlife </b><i>time</i><dd>associated value will be forced to MIN(<i>time</i>, requested value)
2185
2119
<p>The above flags act as restrictions on any add or modify operation
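Review bot: The entries for * and x describe "All privileges" as (admcil), but the list directly above them also defines s and S for explicit key setting, so a reader cannot tell whether a wildcard entry grants s. Because this file decides which principals may set keys through kadmind, the text should state explicitly whether * and x include s, or add it to the parenthetical if it is included.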
2280
2213
WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
2281
2214
kadmin.local:</b> quit
2285
<p>As specified in the <code>-k</code> argument, <code>ktadd</code> will save the
2217
<p class="noindent">As specified in the ‘<samp><span class="samp">-k</span></samp>’ argument, <code>ktadd</code> will save the
2286
2218
extracted keytab as <br> <code>/usr/local/var/krb5kdc/kadm5.keytab</code>.
2287
2219
The filename you use must be the one specified in your <code>kdc.conf</code>
2290
2222
<div class="node">
2223
<a name="Start-the-Kerberos-Daemons"></a>
2292
Node:<a name="Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons</a>,
2293
Previous:<a rel="previous" accesskey="p" href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>,
2294
Up:<a rel="up" accesskey="u" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>
2225
Previous: <a rel="previous" accesskey="p" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,
2226
Up: <a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>
2298
<h5 class="subsubsection">Start the Kerberos Daemons on the Master KDC</h5>
2230
<h5 class="subsubsection">4.1.1.8 Start the Kerberos Daemons on the Master KDC</h5>
2300
2232
<p>At this point, you are ready to start the Kerberos daemons on the Master
2301
2233
KDC. To do so, type:
2303
2235
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc
2304
2236
<b>shell%</b> /usr/local/sbin/kadmind
2307
<p>Each daemon will fork and run in the background. Assuming you want
2238
<p class="noindent">Each daemon will fork and run in the background. Assuming you want
2308
2239
these daemons to start up automatically at boot time, you can add them
2309
2240
to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file. You need to
2310
2241
have a stash file in order to do this.
2312
2243
<p>You can verify that they started properly by checking for their startup
2313
2244
messages in the logging locations you defined in <code>/etc/krb5.conf</code>.
2314
(See <a href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>.) For example:
2245
(See <a href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>.) For example:
2316
2247
<pre class="smallexample"> <b>shell%</b> tail /var/log/krb5kdc.log
2317
2248
Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
2318
2249
<b>shell%</b> tail /var/log/kadmin.log
2319
2250
Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
2322
2252
<p>Any errors the daemons encounter while starting will also be listed in
2323
2253
the logging output.
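Review bot: existing deep links into this guide will break at the node anchors here, because `name="Start%20the%20Kerberos%20Daemons"` is dropped in favour of `name="Start-the-Kerberos-Daemons"` with no alias kept. Later in the same diff the Sun/MIT node keeps both a `%2f` and a `_002f` anchor, so consider emitting the old-style names for the space-containing nodes as well, or call out the rename for anyone who links to sections such as these daemon start-up steps.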
2325
2255
<div class="node">
2256
<a name="Install-the-Slave-KDCs"></a>
2327
Node:<a name="Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>,
2328
Next:<a rel="next" accesskey="n" href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>,
2329
Previous:<a rel="previous" accesskey="p" href="#Install%20the%20Master%20KDC">Install the Master KDC</a>,
2330
Up:<a rel="up" accesskey="u" href="#Installing%20KDCs">Installing KDCs</a>
2258
Next: <a rel="next" accesskey="n" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
2259
Previous: <a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,
2260
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
2334
<h4 class="subsection">Install the Slave KDCs</h4>
2264
<h4 class="subsection">4.1.2 Install the Slave KDCs</h4>
2336
2266
<p>You are now ready to start configuring the slave KDCs. Assuming you are
2337
2267
setting the KDCs up so that you can easily switch the master KDC with
2455
2381
krb5_prop 754/tcp # Kerberos slave propagation
2456
2382
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
2457
2383
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
2460
2385
<div class="node">
2386
<a name="Back-on-the-Master-KDC"></a>
2462
Node:<a name="Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>,
2463
Next:<a rel="next" accesskey="n" href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>,
2464
Previous:<a rel="previous" accesskey="p" href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>,
2465
Up:<a rel="up" accesskey="u" href="#Installing%20KDCs">Installing KDCs</a>
2388
Next: <a rel="next" accesskey="n" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
2389
Previous: <a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
2390
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
2469
<h4 class="subsection">Back on the Master KDC</h4>
2394
<h4 class="subsection">4.1.3 Back on the Master KDC</h4>
2471
2396
<p>Now that the slave KDCs are able to accept database propagation, you'll
2472
2397
need to propagate the database to each of them.
2474
2399
<ul class="menu">
2475
<li><a accesskey="1" href="#Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>:
2400
<li><a accesskey="1" href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>
2478
2403
<div class="node">
2404
<a name="Propagate-the-Database-to-Each-Slave-KDC"></a>
2480
Node:<a name="Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>,
2481
Previous:<a rel="previous" accesskey="p" href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>,
2482
Up:<a rel="up" accesskey="u" href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>
2406
Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
2407
Up: <a rel="up" accesskey="u" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>
2486
<h5 class="subsubsection">Propagate the Database to Each Slave KDC</h5>
2411
<h5 class="subsubsection">4.1.3.1 Propagate the Database to Each Slave KDC</h5>
2488
2413
<p>First, create a dump of the database on the master KDC, as follows:
2490
2415
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
2494
2418
<p>Next, you need to manually propagate the database to each slave KDC, as
2495
in the following example. (The lines beginning with => are
2419
in the following example. (The lines beginning with ⇒ are
2496
2420
continuations of the previous line.):
2498
2422
<pre class="smallexample"> /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
2499
=> kerberos-1.mit.edu
2423
⇒ kerberos-1.mit.edu
2500
2424
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
2501
=> kerberos-2.mit.edu
2425
⇒ kerberos-2.mit.edu
2504
2427
<p>You will need a script to dump and propagate the database. The
2505
2428
following is an example of a bourne shell script that will do this.
2506
(Note that the line that begins with => is a continuation of the
2429
(Note that the line that begins with ⇒ is a continuation of the
2507
2430
previous line. Remember that you need to replace /usr/local with
2508
2431
the name of the directory in which you installed Kerberos V5.)
2512
2435
kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"
2514
2437
/usr/local/sbin/kdb5_util "dump
2515
=> /usr/local/var/krb5kdc/slave_datatrans"
2438
⇒ /usr/local/var/krb5kdc/slave_datatrans"
2517
2440
for kdc in $kdclist
2519
2442
/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
2523
<p>You will need to set up a cron job to run this script at the intervals
2524
you decided on earlier (See <a href="#Database%20Propagation">Database Propagation</a>.)
2445
<p class="noindent">You will need to set up a cron job to run this script at the intervals
2446
you decided on earlier (See <a href="#Database-Propagation">Database Propagation</a>.)
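Review bot: the propagation script in this region still will not run as a Bourne shell script, and only its continuation marker was touched. `kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"` has spaces around `=`, which sh parses as running a command named `kdclist`, and the quotes around `"dump ⇒ /usr/local/var/krb5kdc/slave_datatrans"` hand `kdb5_util` a single argument instead of the `dump` subcommand followed by a path. Suggest `kdclist="..."` with no spaces and dropping the quotes on the `kdb5_util` line; because the text tells readers to run this script from cron, a failure here leaves the slave KDCs without fresh propagations.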
2526
2448
<div class="node">
2449
<a name="Finish-Installing-the-Slave-KDCs"></a>
2528
Node:<a name="Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>,
2529
Next:<a rel="next" accesskey="n" href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>,
2530
Previous:<a rel="previous" accesskey="p" href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>,
2531
Up:<a rel="up" accesskey="u" href="#Installing%20KDCs">Installing KDCs</a>
2451
Next: <a rel="next" accesskey="n" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,
2452
Previous: <a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
2453
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
2535
<h4 class="subsection">Finish Installing the Slave KDCs</h4>
2457
<h4 class="subsection">4.1.4 Finish Installing the Slave KDCs</h4>
2537
2459
<p>Now that the slave KDCs have copies of the Kerberos database, you can
2538
2460
create stash files for them and start the <code>krb5kdc</code> daemon.
2540
2462
<ul class="menu">
2541
<li><a accesskey="1" href="#Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>:
2542
<li><a accesskey="2" href="#Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>:
2463
<li><a accesskey="1" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>
2464
<li><a accesskey="2" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>
2545
2467
<div class="node">
2468
<a name="Create-Stash-Files-on-the-Slave-KDCs"></a>
2547
Node:<a name="Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>,
2548
Next:<a rel="next" accesskey="n" href="#Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>,
2549
Previous:<a rel="previous" accesskey="p" href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>,
2550
Up:<a rel="up" accesskey="u" href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>
2470
Next: <a rel="next" accesskey="n" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>,
2471
Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
2472
Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
2554
<h5 class="subsubsection">Create Stash Files on the Slave KDCs</h5>
2476
<h5 class="subsubsection">4.1.4.1 Create Stash Files on the Slave KDCs</h5>
2556
2478
<p>Create stash files, by issuing the following commands on each slave KDC:
2560
2482
kdb5_util: Warning: proceeding without master key</b>
2561
2483
<b>Enter KDC database master key:</b> <i><= Enter the database master key.</i>
2565
2486
<p>As mentioned above, the stash file is necessary for your KDCs to be able
2566
2487
authenticate to themselves, such as when they reboot. You could run
2567
2488
your KDCs without stash files, but you would then need to type in the
2568
2489
Kerberos database master key by hand every time you start a KDC daemon.
2570
2491
<div class="node">
2492
<a name="Start-the-krb5kdc-Daemon-on-Each-KDC"></a>
2572
Node:<a name="Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>,
2573
Previous:<a rel="previous" accesskey="p" href="#Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>,
2574
Up:<a rel="up" accesskey="u" href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>
2494
Previous: <a rel="previous" accesskey="p" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>,
2495
Up: <a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
2578
<h5 class="subsubsection">Start the krb5kdc Daemon on Each KDC</h5>
2499
<h5 class="subsubsection">4.1.4.2 Start the krb5kdc Daemon on Each KDC</h5>
2580
2501
<p>The final step in configuing your slave KDCs is to run the KDC daemon:
2582
2503
<pre class="smallexample"> <b>shell%</b> /usr/local/sbin/krb5kdc
2585
2505
<p>As with the master KDC, you will probably want to add this command to
2586
2506
the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will
2587
2507
start the krb5kdc daemon automatically at boot time.
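Review bot: two wording errors in the unchanged text around the slave KDC steps are worth fixing while this section is being regenerated. "necessary for your KDCs to be able authenticate to themselves" is missing "to" before "authenticate", and "The final step in configuing your slave KDCs" should read "configuring".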
2589
2509
<div class="node">
2510
<a name="Add-Kerberos-Principals-to-the-Database"></a>
2591
Node:<a name="Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>,
2592
Next:<a rel="next" accesskey="n" href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>,
2593
Previous:<a rel="previous" accesskey="p" href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>,
2594
Up:<a rel="up" accesskey="u" href="#Installing%20KDCs">Installing KDCs</a>
2512
Next: <a rel="next" accesskey="n" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,
2513
Previous: <a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
2514
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
2598
<h4 class="subsection">Add Kerberos Principals to the Database</h4>
2518
<h4 class="subsection">4.1.5 Add Kerberos Principals to the Database</h4>
2600
2520
<p>Once your KDCs are set up and running, you are ready to use
2601
2521
<code>kadmin</code> to load principals for your users, hosts, and other
2602
2522
services into the Kerberos database. This procedure is described fully in the
2603
"Adding or Modifying Principals" section of the Kerberos V5 System
2604
Administrator's Guide. (See <a href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>, for a
2523
“Adding or Modifying Principals” section of the Kerberos V5 System
2524
Administrator's Guide. (See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a
2605
2525
brief description.) The keytab is generated by running <code>kadmin</code>
2606
2526
and issuing the <code>ktadd</code> command.
2608
2528
<div class="node">
2529
<a name="Limit-Access-to-the-KDCs"></a>
2610
Node:<a name="Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>,
2611
Next:<a rel="next" accesskey="n" href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>,
2612
Previous:<a rel="previous" accesskey="p" href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>,
2613
Up:<a rel="up" accesskey="u" href="#Installing%20KDCs">Installing KDCs</a>
2531
Next: <a rel="next" accesskey="n" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,
2532
Previous: <a rel="previous" accesskey="p" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,
2533
Up: <a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>
2617
<h4 class="subsection">Limit Access to the KDCs</h4>
2537
<h4 class="subsection">4.1.6 Limit Access to the KDCs</h4>
2619
2539
<p>To limit the possibility that your Kerberos database could be
2620
2540
compromised, MIT recommends that each KDC be a dedicated
2761
2678
ACL setup previously described for <code>kprop</code> propagation is still
2764
<p>There are several known bugs and restrictions in the current
2681
<p>There are several restrictions in the current implementation:
2767
<li>The "call out to <code>kprop</code>" mechanism is a bit fragile; if the
2768
<code>kprop</code> propagation fails to connect for some reason, the process
2769
on the slave may hang waiting for it, and will need to be restarted.
2684
<li>Changes to password policy objects are not propagated incrementally.
2685
Changes to which policy applies to a principal are propagated.
2770
2686
<li>The master and slave must be able to initiate TCP connections in both
2771
directions, without an intervening NAT. They must also be able to
2772
communicate over IPv4, since MIT's kprop and RPC code does not
2773
currently support IPv6.
2687
directions, without an intervening NAT.
2688
<li>If the slave has an IPv6 interface address but needs to accept
2689
connections over IPv4, the operating system needs “dual stack” support
2690
(i.e. the ability to accept IPv6 and IPv4 connections on a single IPv6
2691
listener socket). At this time, all modern Unix-like operating systems
2692
have dual stack support except OpenBSD.
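Review bot: the restrictions list no longer says that the slave process may hang and need a restart when the `kprop` call-out fails to connect, and nothing in the visible text states that this behaviour was fixed. If it was, cite the release that fixed it in the change description; if not, keep the bullet, since operators rely on it to diagnose a stalled slave. The new sentence "At this time, all modern Unix-like operating systems have dual stack support except OpenBSD" is also undated and would age better with the release or date it refers to.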
2776
2695
<ul class="menu">
2777
<li><a accesskey="1" href="#Sun%2fMIT%20Incremental%20Propagation%20Differences">Sun/MIT Incremental Propagation Differences</a>:
2696
<li><a accesskey="1" href="#Sun_002fMIT-Incremental-Propagation-Differences">Sun/MIT Incremental Propagation Differences</a>
2780
2699
<div class="node">
2700
<a name="Sun%2fMIT-Incremental-Propagation-Differences"></a>
2701
<a name="Sun_002fMIT-Incremental-Propagation-Differences"></a>
2782
Node:<a name="Sun%2fMIT%20Incremental%20Propagation%20Differences">Sun/MIT Incremental Propagation Differences</a>,
2783
Previous:<a rel="previous" accesskey="p" href="#Incremental%20Database%20Propagation">Incremental Database Propagation</a>,
2784
Up:<a rel="up" accesskey="u" href="#Incremental%20Database%20Propagation">Incremental Database Propagation</a>
2703
Previous: <a rel="previous" accesskey="p" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,
2704
Up: <a rel="up" accesskey="u" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>
2788
<h5 class="subsubsection">Sun/MIT Incremental Propagation Differences</h5>
2708
<h5 class="subsubsection">4.1.8.1 Sun/MIT Incremental Propagation Differences</h5>
2790
2710
<p>Sun donated the original code for supporting incremental database
2791
2711
propagation to MIT. Some changes have been made in the MIT source
2804
2724
work well, the port number must be specified in the config file on
2805
2725
both the master and slave sides.
2807
<p>The Sun implementation hard-codes pathnames in <code>/var/krb5</code> for
2727
<p>The Sun implementation hard-codes pathnames in <samp><span class="file">/var/krb5</span></samp> for
2808
2728
the update log and the per-slave <code>kprop</code> dump files. In the MIT
2809
2729
implementation, the pathname for the update log is specified in the
2810
2730
config file, and the per-slave dump files are stored in
2811
<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var><code></code>.
2731
<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var>.
2813
2733
<div class="node">
2734
<a name="Installing-and-Configuring-UNIX-Client-Machines"></a>
2815
Node:<a name="Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>,
2816
Next:<a rel="next" accesskey="n" href="#UNIX%20Application%20Servers">UNIX Application Servers</a>,
2817
Previous:<a rel="previous" accesskey="p" href="#Installing%20KDCs">Installing KDCs</a>,
2818
Up:<a rel="up" accesskey="u" href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>
2736
Next: <a rel="next" accesskey="n" href="#UNIX-Application-Servers">UNIX Application Servers</a>,
2737
Previous: <a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,
2738
Up: <a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
2822
<h3 class="section">Installing and Configuring UNIX Client Machines</h3>
2742
<h3 class="section">4.2 Installing and Configuring UNIX Client Machines</h3>
2824
2744
<p>Client machine installation is much more straightforward than
2825
2745
installation of the KDCs.
2827
2747
<ul class="menu">
2828
<li><a accesskey="1" href="#Client%20Programs">Client Programs</a>:
2829
<li><a accesskey="2" href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>:
2748
<li><a accesskey="1" href="#Client-Programs">Client Programs</a>
2749
<li><a accesskey="2" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>
2832
2752
<div class="node">
2753
<a name="Client-Programs"></a>
2834
Node:<a name="Client%20Programs">Client Programs</a>,
2835
Next:<a rel="next" accesskey="n" href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>,
2836
Previous:<a rel="previous" accesskey="p" href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>,
2837
Up:<a rel="up" accesskey="u" href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>
2755
Next: <a rel="next" accesskey="n" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,
2756
Previous: <a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
2757
Up: <a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>
2841
<h4 class="subsection">Client Programs</h4>
2761
<h4 class="subsection">4.2.1 Client Programs</h4>
2843
2763
<p>The Kerberized client programs are <code>kinit</code>, <code>klist</code>,
2844
2764
<code>kdestroy</code>, <code>kpasswd</code>, and <code>ksu</code>. All of these programs
2845
2765
are in the directory <code>/usr/local/bin</code>.
2847
MIT recommends that you use <code>login.krb5</code> in place of
2767
<p>MIT recommends that you use <code>login.krb5</code> in place of
2848
2768
<code>/bin/login</code> to give your users a single-sign-on system. You will
2849
2769
need to make sure your users know to use their Kerberos passwords when
3431
3342
the name of FundsXpress. not be used in advertising or publicity pertaining
3432
3343
to distribution of the software without specific, written prior
3433
3344
permission. FundsXpress makes no representations about the suitability of
3434
this software for any purpose. It is provided "as is" without express
3345
this software for any purpose. It is provided “as is” without express
3435
3346
or implied warranty.
3437
<p>THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
3348
<p>THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
3438
3349
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
3439
3350
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
3444
<p>The implementation of the Yarrow pseudo-random number generator
3445
in <code>src/lib/crypto/krb/prng/yarrow</code> has the following copyright:
3448
Copyright 2000 by Zero-Knowledge Systems, Inc.
3450
<p>Permission to use, copy, modify, distribute, and sell this software
3451
and its documentation for any purpose is hereby granted without fee,
3452
provided that the above copyright notice appear in all copies and that
3453
both that copyright notice and this permission notice appear in
3454
supporting documentation, and that the name of Zero-Knowledge Systems,
3455
Inc. not be used in advertising or publicity pertaining to
3456
distribution of the software without specific, written prior
3457
permission. Zero-Knowledge Systems, Inc. makes no representations
3458
about the suitability of this software for any purpose. It is
3459
provided "as is" without express or implied warranty.
3461
<p>ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
3462
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
3463
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
3464
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
3465
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
3466
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
3467
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
3472
3355
<p>The implementation of the AES encryption algorithm in
3473
3356
<code>src/lib/crypto/builtin/aes</code> has the following copyright:
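Review bot: dropping the Zero-Knowledge Systems notice is only safe if the Yarrow code under `src/lib/crypto/krb/prng/yarrow` leaves the distribution in the same release, because the notice itself requires that it "appear in all copies" and in supporting documentation. Please confirm that the source removal accompanies this documentation change.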
4004
3885
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
4010
3891
Copyright © 1991, 1992, 1994 by Cygnus Support.
4012
<p>Permission to use, copy, modify, and
3893
<p>Permission to use, copy, modify, and
4013
3894
distribute this software and its documentation for any purpose and
4014
3895
without fee is hereby granted, provided that the above copyright
4015
3896
notice appear in all copies and that both that copyright notice and
4016
3897
this permission notice appear in supporting documentation.
4017
3898
Cygnus Support makes no representations about the suitability of
4018
this software for any purpose. It is provided "as is" without express
3899
this software for any purpose. It is provided “as is” without express
4019
3900
or implied warranty.
4025
3906
Copyright © 2006 Secure Endpoints Inc.
4027
<p>Permission is hereby granted, free of charge, to any person
3908
<p>Permission is hereby granted, free of charge, to any person
4028
3909
obtaining a copy of this software and associated documentation
4029
files (the "Software"), to deal in the Software without
3910
files (the “Software”), to deal in the Software without
4030
3911
restriction, including without limitation the rights to use, copy,
4031
3912
modify, merge, publish, distribute, sublicense, and/or sell copies
4032
3913
of the Software, and to permit persons to whom the Software is
4033
3914
furnished to do so, subject to the following conditions:
4035
<p>The above copyright notice and this permission notice shall be
3916
<p>The above copyright notice and this permission notice shall be
4036
3917
included in all copies or substantial portions of the Software.
4038
<p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
3919
<p>THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND,
4039
3920
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
4040
3921
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
4041
3922
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
4442
4323
fashion that it might be confused with the original M.I.T. software.
4443
4324
Neither M.I.T., the Open Computing Security Group, nor
4444
4325
CyberSAFE Corporation make any representations about the suitability of
4445
this software for any purpose. It is provided "as is" without express
4326
this software for any purpose. It is provided “as is” without express
4446
4327
or implied warranty.
4332
<p>Portions contributed by PADL Software are subject to the following
4336
Copyright (c) 2011, PADL Software Pty Ltd.
4337
All rights reserved.
4339
<p>Redistribution and use in source and binary forms, with or without
4340
modification, are permitted provided that the following conditions
4343
<p>1. Redistributions of source code must retain the above copyright
4344
notice, this list of conditions and the following disclaimer.
4346
<p>2. Redistributions in binary form must reproduce the above copyright
4347
notice, this list of conditions and the following disclaimer in the
4348
documentation and/or other materials provided with the distribution.
4350
<p>3. Neither the name of PADL Software nor the names of its contributors
4351
may be used to endorse or promote products derived from this software
4352
without specific prior written permission.
4354
<p>THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS “AS IS” AND
4355
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4356
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4357
ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
4358
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4359
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4360
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4361
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4362
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
4363
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
4369
<p>The bundled libev source code is subject to the following license:
4372
All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann.
4374
<p>Redistribution and use in source and binary forms, with or without
4375
modification, are permitted provided that the following conditions are
4379
<li>Redistributions of source code must retain the above copyright
4380
notice, this list of conditions and the following disclaimer.
4381
<li>Redistributions in binary form must reproduce the above
4382
copyright notice, this list of conditions and the following
4383
disclaimer in the documentation and/or other materials provided
4384
with the distribution.
4387
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
4388
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
4389
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
4390
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
4391
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
4392
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
4393
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
4394
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
4395
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
4396
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
4397
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
4399
<p>Alternatively, the contents of this package may be used under the terms
4400
of the GNU General Public License ("GPL") version 2 or any later version,
4401
in which case the provisions of the GPL are applicable instead of the
4402
above. If you wish to allow the use of your version of this package only
4403
under the terms of the GPL and not to allow others to use your version of
4404
this file under the BSD license, indicate your decision by deleting the
4405
provisions above and replace them with the notice and other provisions
4406
required by the GPL in this and the other files of this package. If you do
4407
not delete the provisions above, a recipient may use your version of this
4408
file under either the BSD or the GPL.
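Review bot: the two newly added license blocks are formatted inconsistently with each other and with the rest of this change. The PADL conditions are written as `<p>1.`, `<p>2.`, `<p>3.` paragraphs while the libev conditions use `<li>` items, and the libev text keeps straight quotes in `"AS IS"` and `("GPL")` where the PADL block and the other edited notices use “AS IS”. Pick one list markup and one quote style for both blocks.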
4451
4413
<p>Permission is granted to make and distribute verbatim copies of this
4452
4414
manual provided the copyright notices and this permission notice are
4460
4422
<p>Permission is granted to copy and distribute translations of this manual
4461
4423
into another language, under the above conditions for modified versions.
4464
4425
<div class="contents">
4465
4426
<h2>Table of Contents</h2>
4467
<li><a name="toc_Introduction" href="#Introduction">Introduction</a>
4469
<li><a href="#What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a>
4470
<li><a href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>
4471
<li><a href="#Please%20Read%20the%20Documentation">Please Read the Documentation</a>
4472
<li><a href="#Overview%20of%20This%20Guide">Overview of This Guide</a>
4474
<li><a name="toc_Realm%20Configuration%20Decisions" href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>
4476
<li><a href="#Kerberos%20Realms">Kerberos Realms</a>
4477
<li><a href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a>
4478
<li><a href="#Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>
4479
<li><a href="#Slave%20KDCs">Slave KDCs</a>
4480
<li><a href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a>
4481
<li><a href="#Database%20Propagation">Database Propagation</a>
4483
<li><a name="toc_Building%20Kerberos%20V5" href="#Building%20Kerberos%20V5">Building Kerberos V5</a>
4485
<li><a href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>
4487
<li><a href="#The%20appl%20Directory">The appl Directory</a>
4488
<li><a href="#The%20clients%20Directory">The clients Directory</a>
4489
<li><a href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a>
4490
<li><a href="#The%20include%20Directory">The include Directory</a>
4491
<li><a href="#The%20kadmin%20Directory">The kadmin Directory</a>
4492
<li><a href="#The%20kdc%20Directory">The kdc Directory</a>
4493
<li><a href="#The%20krb524%20Directory">The krb524 Directory</a>
4494
<li><a href="#The%20lib%20Directory">The lib Directory</a>
4495
<li><a href="#The%20prototype%20Directory">The prototype Directory</a>
4496
<li><a href="#The%20slave%20Directory">The slave Directory</a>
4497
<li><a href="#The%20util%20Directory">The util Directory</a>
4499
<li><a href="#Build%20Requirements">Build Requirements</a>
4500
<li><a href="#Unpacking%20the%20Sources">Unpacking the Sources</a>
4501
<li><a href="#Doing%20the%20Build">Doing the Build</a>
4503
<li><a href="#Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>
4504
<li><a href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>
4505
<li><a href="#Building%20using%20lndir">Building Using <code>lndir</code></a>
4507
<li><a href="#Installing%20the%20Binaries">Installing the Binaries</a>
4508
<li><a href="#Testing%20the%20Build">Testing the Build</a>
4510
<li><a href="#The%20DejaGnu%20Tests">The DejaGnu Tests</a>
4511
<li><a href="#The%20KADM5%20Tests">The KADM5 Tests</a>
4513
<li><a href="#Options%20to%20Configure">Options to Configure</a>
4514
<li><a href="#osconf.h"><code>osconf.h</code></a>
4515
<li><a href="#Shared%20Library%20Support">Shared Library Support</a>
4516
<li><a href="#OS%20Incompatibilities">Operating System Incompatibilities</a>
4518
<li><a href="#AIX">AIX</a>
4519
<li><a href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>
4520
<li><a href="#Alpha%20OSF%2f1%20V2.0">Alpha OSF/1 V2.0</a>
4521
<li><a href="#Alpha%20OSF%2f1%20V4.0">Alpha OSF/1 (Digital UNIX) V4.0</a>
4522
<li><a href="#BSDI">BSDI</a>
4523
<li><a href="#HPUX">HPUX</a>
4524
<li><a href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>
4525
<li><a href="#Solaris%202.X">Solaris 2.X</a>
4526
<li><a href="#Solaris%209">Solaris 9</a>
4527
<li><a href="#SGI%20Irix%205.X">SGI Irix 5.X</a>
4528
<li><a href="#Ultrix%204.2%2f3">Ultrix 4.2/3</a>
4530
<li><a href="#Using%20Autoconf">Using <code>Autoconf</code></a>
4532
<li><a name="toc_Installing%20Kerberos%20V5" href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>
4534
<li><a href="#Installing%20KDCs">Installing KDCs</a>
4536
<li><a href="#Install%20the%20Master%20KDC">Install the Master KDC</a>
4538
<li><a href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>
4539
<li><a href="#krb5.conf">krb5.conf</a>
4540
<li><a href="#kdc.conf">kdc.conf</a>
4541
<li><a href="#Create%20the%20Database">Create the Database</a>
4542
<li><a href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>
4543
<li><a href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>
4544
<li><a href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>
4545
<li><a href="#Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons on the Master KDC</a>
4547
<li><a href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>
4549
<li><a href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>
4550
<li><a href="#Extract%20Host%20Keytabs%20for%20the%20KDCs">Extract Host Keytabs for the KDCs</a>
4551
<li><a href="#Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation">Set Up the Slave KDCs for Database Propagation</a>
4553
<li><a href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>
4555
<li><a href="#Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>
4557
<li><a href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>
4559
<li><a href="#Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>
4560
<li><a href="#Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>
4562
<li><a href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>
4563
<li><a href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>
4564
<li><a href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>
4565
<li><a href="#Incremental%20Database%20Propagation">Incremental Database Propagation</a>
4567
<li><a href="#Sun%2fMIT%20Incremental%20Propagation%20Differences">Sun/MIT Incremental Propagation Differences</a>
4570
<li><a href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>
4572
<li><a href="#Client%20Programs">Client Programs</a>
4573
<li><a href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>
4575
<li><a href="#Mac%20OS%20X%20Configuration">Mac OS X Configuration</a>
4578
<li><a href="#UNIX%20Application%20Servers">UNIX Application Servers</a>
4580
<li><a href="#The%20Keytab%20File">The Keytab File</a>
4581
<li><a href="#Some%20Advice%20about%20Secure%20Hosts">Some Advice about Secure Hosts</a>
4584
<li><a name="toc_Upgrading%20Existing%20Kerberos%20V5%20Installations" href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>
4586
<li><a href="#Upgrading%20to%20Triple-DES%20and%20RC4%20Encryption%20Keys">Upgrading to Triple-DES Encryption Keys</a>
4588
<li><a name="toc_Bug%20Reports%20for%20Kerberos%20V5" href="#Bug%20Reports%20for%20Kerberos%20V5">Bug Reports for Kerberos V5</a>
4589
<li><a name="toc_Copyright" href="#Copyright">Copyright</a>
4428
<li><a name="toc_Introduction" href="#Introduction">1 Introduction</a>
4430
<li><a href="#What-is-Kerberos-and-How-Does-it-Work_003f">1.1 What is Kerberos and How Does it Work?</a>
4431
<li><a href="#Why-Should-I-use-Kerberos_003f">1.2 Why Should I use Kerberos?</a>
4432
<li><a href="#Please-Read-the-Documentation">1.3 Please Read the Documentation</a>
4433
<li><a href="#Overview-of-This-Guide">1.4 Overview of This Guide</a>
4435
<li><a name="toc_Realm-Configuration-Decisions" href="#Realm-Configuration-Decisions">2 Realm Configuration Decisions</a>
4437
<li><a href="#Kerberos-Realms">2.1 Kerberos Realms</a>
4438
<li><a href="#Mapping-Hostnames-onto-Kerberos-Realms">2.2 Mapping Hostnames onto Kerberos Realms</a>
4439
<li><a href="#Ports-for-the-KDC-and-Admin-Services">2.3 Ports for the KDC and Admin Services</a>
4440
<li><a href="#Slave-KDCs">2.4 Slave KDCs</a>
4441
<li><a href="#Hostnames-for-the-Master-and-Slave-KDCs">2.5 Hostnames for the Master and Slave KDCs</a>
4442
<li><a href="#Database-Propagation">2.6 Database Propagation</a>
4444
<li><a name="toc_Building-Kerberos-V5" href="#Building-Kerberos-V5">3 Building Kerberos V5</a>
4446
<li><a href="#Organization-of-the-Source-Directory">3.1 Organization of the Source Directory</a>
4448
<li><a href="#The-appl-Directory">3.1.1 The appl Directory</a>
4449
<li><a href="#The-clients-Directory">3.1.2 The clients Directory</a>
4450
<li><a href="#The-gen_002dmanpages-Directory">3.1.3 The gen-manpages Directory</a>
4451
<li><a href="#The-include-Directory">3.1.4 The include Directory</a>
4452
<li><a href="#The-kadmin-Directory">3.1.5 The kadmin Directory</a>
4453
<li><a href="#The-kdc-Directory">3.1.6 The kdc Directory</a>
4454
<li><a href="#The-krb524-Directory">3.1.7 The krb524 Directory</a>
4455
<li><a href="#The-lib-Directory">3.1.8 The lib Directory</a>
4456
<li><a href="#The-prototype-Directory">3.1.9 The prototype Directory</a>
4457
<li><a href="#The-slave-Directory">3.1.10 The slave Directory</a>
4458
<li><a href="#The-util-Directory">3.1.11 The util Directory</a>
4460
<li><a href="#Build-Requirements">3.2 Build Requirements</a>
4461
<li><a href="#Unpacking-the-Sources">3.3 Unpacking the Sources</a>
4462
<li><a href="#Doing-the-Build">3.4 Doing the Build</a>
4464
<li><a href="#Building-Within-a-Single-Tree">3.4.1 Building Within a Single Tree</a>
4465
<li><a href="#Building-with-Separate-Build-Directories">3.4.2 Building with Separate Build Directories</a>
4466
<li><a href="#Building-using-lndir">3.4.3 Building Using ‘<samp><span class="samp">lndir</span></samp>’</a>
4468
<li><a href="#Installing-the-Binaries">3.5 Installing the Binaries</a>
4469
<li><a href="#Testing-the-Build">3.6 Testing the Build</a>
4471
<li><a href="#The-DejaGnu-Tests">3.6.1 The DejaGnu Tests</a>
4472
<li><a href="#The-KADM5-Tests">3.6.2 The KADM5 Tests</a>
4474
<li><a href="#Options-to-Configure">3.7 Options to Configure</a>
4475
<li><a href="#osconf_002eh">3.8 <samp><span class="file">osconf.h</span></samp></a>
4476
<li><a href="#Shared-Library-Support">3.9 Shared Library Support</a>
4477
<li><a href="#OS-Incompatibilities">3.10 Operating System Incompatibilities</a>
4479
<li><a href="#AIX">3.10.1 AIX</a>
4480
<li><a href="#Alpha-OSF_002f1-V1_002e3">3.10.2 Alpha OSF/1 V1.3</a>
4481
<li><a href="#Alpha-OSF_002f1-V2_002e0">3.10.3 Alpha OSF/1 V2.0</a>
4482
<li><a href="#Alpha-OSF_002f1-V4_002e0">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</a>
4483
<li><a href="#BSDI">3.10.5 BSDI</a>
4484
<li><a href="#HPUX">3.10.6 HPUX</a>
4485
<li><a href="#Solaris-versions-2_002e0-through-2_002e3">3.10.7 Solaris versions 2.0 through 2.3</a>
4486
<li><a href="#Solaris-2_002eX">3.10.8 Solaris 2.X</a>
4487
<li><a href="#Solaris-9">3.10.9 Solaris 9</a>
4488
<li><a href="#SGI-Irix-5_002eX">3.10.10 SGI Irix 5.X</a>
4489
<li><a href="#Ultrix-4_002e2_002f3">3.10.11 Ultrix 4.2/3</a>
4491
<li><a href="#Using-Autoconf">3.11 Using ‘<samp><span class="samp">Autoconf</span></samp>’</a>
4493
<li><a name="toc_Installing-Kerberos-V5" href="#Installing-Kerberos-V5">4 Installing Kerberos V5</a>
4495
<li><a href="#Installing-KDCs">4.1 Installing KDCs</a>
4497
<li><a href="#Install-the-Master-KDC">4.1.1 Install the Master KDC</a>
4499
<li><a href="#Edit-the-Configuration-Files">4.1.1.1 Edit the Configuration Files</a>
4500
<li><a href="#krb5_002econf">4.1.1.2 krb5.conf</a>
4501
<li><a href="#kdc_002econf">4.1.1.3 kdc.conf</a>
4502
<li><a href="#Create-the-Database">4.1.1.4 Create the Database</a>
4503
<li><a href="#Add-Administrators-to-the-Acl-File">4.1.1.5 Add Administrators to the Acl File</a>
4504
<li><a href="#Add-Administrators-to-the-Kerberos-Database">4.1.1.6 Add Administrators to the Kerberos Database</a>
4505
<li><a href="#Create-a-kadmind-Keytab-_0028optional_0029">4.1.1.7 Create a kadmind Keytab (optional)</a>
4506
<li><a href="#Start-the-Kerberos-Daemons">4.1.1.8 Start the Kerberos Daemons on the Master KDC</a>
4508
<li><a href="#Install-the-Slave-KDCs">4.1.2 Install the Slave KDCs</a>
4510
<li><a href="#Create-Host-Keys-for-the-Slave-KDCs">4.1.2.1 Create Host Keys for the Slave KDCs</a>
4511
<li><a href="#Extract-Host-Keytabs-for-the-KDCs">4.1.2.2 Extract Host Keytabs for the KDCs</a>
4512
<li><a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">4.1.2.3 Set Up the Slave KDCs for Database Propagation</a>
4514
<li><a href="#Back-on-the-Master-KDC">4.1.3 Back on the Master KDC</a>
4516
<li><a href="#Propagate-the-Database-to-Each-Slave-KDC">4.1.3.1 Propagate the Database to Each Slave KDC</a>
4518
<li><a href="#Finish-Installing-the-Slave-KDCs">4.1.4 Finish Installing the Slave KDCs</a>
4520
<li><a href="#Create-Stash-Files-on-the-Slave-KDCs">4.1.4.1 Create Stash Files on the Slave KDCs</a>
4521
<li><a href="#Start-the-krb5kdc-Daemon-on-Each-KDC">4.1.4.2 Start the krb5kdc Daemon on Each KDC</a>
4523
<li><a href="#Add-Kerberos-Principals-to-the-Database">4.1.5 Add Kerberos Principals to the Database</a>
4524
<li><a href="#Limit-Access-to-the-KDCs">4.1.6 Limit Access to the KDCs</a>
4525
<li><a href="#Switching-Master-and-Slave-KDCs">4.1.7 Switching Master and Slave KDCs</a>
4526
<li><a href="#Incremental-Database-Propagation">4.1.8 Incremental Database Propagation</a>
4528
<li><a href="#Sun_002fMIT-Incremental-Propagation-Differences">4.1.8.1 Sun/MIT Incremental Propagation Differences</a>
4531
<li><a href="#Installing-and-Configuring-UNIX-Client-Machines">4.2 Installing and Configuring UNIX Client Machines</a>
4533
<li><a href="#Client-Programs">4.2.1 Client Programs</a>
4534
<li><a href="#Client-Machine-Configuration-Files">4.2.2 Client Machine Configuration Files</a>
4536
<li><a href="#Mac-OS-X-Configuration">4.2.2.1 Mac OS X Configuration</a>
4539
<li><a href="#UNIX-Application-Servers">4.3 UNIX Application Servers</a>
4541
<li><a href="#The-Keytab-File">4.3.1 The Keytab File</a>
4542
<li><a href="#Some-Advice-about-Secure-Hosts">4.3.2 Some Advice about Secure Hosts</a>
4545
<li><a name="toc_Upgrading-Existing-Kerberos-V5-Installations" href="#Upgrading-Existing-Kerberos-V5-Installations">5 Upgrading Existing Kerberos V5 Installations</a>
4547
<li><a href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">5.1 Upgrading to Triple-DES Encryption Keys</a>
4549
<li><a name="toc_Bug-Reports-for-Kerberos-V5" href="#Bug-Reports-for-Kerberos-V5">6 Bug Reports for Kerberos V5</a>
4550
<li><a name="toc_Copyright" href="#Copyright">Appendix A Copyright</a>
4593
4554
<div class="footnote">
4597
<li><a name="fn-1"></a>
4598
<p>Kerberos V4 used port 750. If
4556
<a name="texinfo-footnotes-in-document"></a><h4>Footnotes</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Kerberos V4 used port 750. If
4599
4557
necessary, you can run on both ports for backward compatibility.</p>
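Review bot: The regenerated table of contents changes the form of every fragment identifier (for example "#Why%20Should%20I%20use%20Kerberos%3f" becomes "#Why-Should-I-use-Kerberos_003f", and "#krb5.conf" becomes "#krb5_002econf"), so bookmarks and external links that use the old form, including links to sections such as "Limit Access to the KDCs", will most likely stop resolving once this lands. Consider mentioning the anchor change in the commit message, or keeping the old names as additional anchors if inbound links matter. Separately, the 5.1 entry reads "Upgrading to Triple-DES Encryption Keys" while its target is "#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys" in both the old and new lines, so the visible title and the node name disagree about RC4; one of the two should be brought in line with the other.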