1 \input texinfo-suppl.tex % contains @doubleleftarrow{} definition
2 % this line must come *before* \input texinfo
3 \input texinfo @c -*-texinfo-*-
6 @setfilename krb5-install.info
7 @settitle Kerberos V5 Installation Guide
8 @setchapternewpage odd @c chapter begins on next odd page
9 @c @setchapternewpage on @c chapter begins on next page
10 @c @smallbook @c Format for 7" X 9.25" paper
18 @include definitions.texinfo
21 @finalout @c don't print black warning boxes
24 @title @value{PRODUCT} Installation Guide
25 @subtitle Release: @value{RELEASE}
26 @subtitle Document Edition: @value{EDITION}
27 @subtitle Last updated: @value{UPDATED}
28 @author @value{COMPANY}
31 @vskip 0pt plus 1filll
34 @include copyright.texinfo
38 @node Top, Introduction, (dir), (dir)
39 @comment node-name, next, previous, up
42 This file documents how to install the @value{RELEASE} release of
45 @include copyright.texinfo
49 @c The master menu is updated using emacs19's M-x texinfo-all-menus-update
50 @c function. Don't forget to run M-x texinfo-every-node-update after
51 @c you add a new section or subsection, or after you've rearranged the
52 @c order of sections or subsections. Also, don't forget to add an @node
53 @c comand before each @section or @subsection! All you need to enter
56 @c @node New Section Name
58 @c @section New Section Name
60 @c M-x texinfo-every-node-update will take care of calculating the
61 @c node's forward and back pointers.
63 @c ---------------------------------------------------------------------
67 * Realm Configuration Decisions::
68 * Building Kerberos V5::
69 * Installing Kerberos V5::
70 * Bug Reports for Kerberos V5::
74 @node Introduction, Realm Configuration Decisions, Top, Top
78 * What is Kerberos and How Does it Work?::
79 * Why Should I use Kerberos?::
80 * Please Read the Documentation::
81 * Overview of This Guide::
84 @node What is Kerberos and How Does it Work?, Why Should I use Kerberos?, Introduction, Introduction
85 @section What is Kerberos and How Does it Work?
87 @value{PRODUCT} is based on the Kerberos authentication system developed
88 at MIT. Under Kerberos, a client (generally either a user or a service)
89 sends a request for a ticket to the Key Distribution Center (KDC). The
90 KDC creates a @dfn{ticket-granting ticket} (TGT) for the client,
91 encrypts it using the client's password as the key, and sends the
92 encrypted TGT back to the client. The client then attempts to decrypt
93 the TGT, using its password. If the client successfully decrypts the
94 TGT (@i{i.e.}, if the client gave the correct password), it keeps the
95 decrypted TGT, which indicates proof of the client's identity.
97 The TGT, which expires at a specified time, permits the client to obtain
98 additional tickets, which give permission for specific services. The
99 requesting and granting of these additional tickets is user-transparent.
101 @node Why Should I use Kerberos?, Please Read the Documentation, What is Kerberos and How Does it Work?, Introduction
102 @section Why Should I use Kerberos?
104 Since Kerberos negotiates authenticated, and optionally encrypted,
105 communications between two points anywhere on the Internet, it provides
106 a layer of security that is not dependent on which side of a firewall
107 either client is on. Since studies have shown that half of the computer
108 security breaches in industry happen from @i{inside} firewalls,
109 @value{PRODUCT} from @value{COMPANY} will play a vital role in the
110 security of your network.
112 @include document-list.texinfo
114 @node Please Read the Documentation, Overview of This Guide, Why Should I use Kerberos?, Introduction
115 @section Please Read the Documentation
117 As with any software package that uses a centrallized database, the
118 installation procedure is somewhat involved, and requires forethought
119 and planning. @value{COMPANY} has attempted to make this
120 @value{PRODUCT} Installation Guide as concise as possible, rather than
121 making it an exhaustive description of the details of Kerberos.
122 Consequently, everything in this guide appears because @value{COMPANY}
123 believes that it is important. Please read and follow these
124 instructions carefully, and if there is anything you do not understand
125 or are not sure of, please don't hesitate to call us.
127 @node Overview of This Guide, , Please Read the Documentation, Introduction
128 @section Overview of This Guide
130 The next chapter describes the decisions you need to make before
131 installing @value{PRODUCT}.
133 Chapter three describes installation procedures for each class of
138 Key Distribution Centers (KDCs).
149 Client machines (user machines):
153 UNIX client machines.
163 application server machines
167 Note that a machine can be both a client machine and an application
170 Chapter four describes our problem reporting system.
172 The appendices give sample configuration files.
174 @node Realm Configuration Decisions, Building Kerberos V5, Introduction, Top
175 @chapter Realm Configuration Decisions
177 Before installing @value{PRODUCT}, it is necessary to consider the
182 The name of your Kerberos realm (or the name of each realm, if you need
186 How you will map your hostnames onto Kerberos realms.
189 Which ports your KDC and and kadmin (database access) services will use.
192 How many slave KDCs you need and where they should be located.
195 The hostnames of your master and slave KDCs.
198 How frequently you will propagate the database from the master KDC to
202 Whether you need backward compatibility with Kerberos V4.
207 * Mapping Hostnames onto Kerberos Realms::
208 * Ports for the KDC and Admin Services::
210 * Hostnames for the Master and Slave KDCs::
211 * Database Propagation::
214 @node Kerberos Realms, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions, Realm Configuration Decisions
215 @section Kerberos Realms
217 Although your Kerberos realm can be any ASCII string, convention is to
218 make it the same as your domain name, in upper-case letters. For
219 example, hosts in the domain @value{SECONDDOMAIN} would be in the
220 Kerberos realm @value{SECONDREALM}.
222 If you need multiple Kerberos realms, @value{COMPANY} recommends that
223 you use descriptive names which end with your domain name, such as
224 BOSTON.@value{SECONDREALM} and SAN_FRANCISCO.@value{SECONDREALM}.
226 @node Mapping Hostnames onto Kerberos Realms, Ports for the KDC and Admin Services, Kerberos Realms, Realm Configuration Decisions
227 @section Mapping Hostnames onto Kerberos Realms
229 Mapping hostnames onto Kerberos realms is done through a set of rules in
230 the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can
231 specify mappings for an entire domain or subdomain, and/or on a
232 hostname-by-hostname basis. Since greater specificity takes precedence,
233 you would do this by specifying the mappings for a given domain or
234 subdomain and listing the exceptions.
236 @node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions
237 @section Ports for the KDC and Admin Services
239 The default ports used by Kerberos are port 88 for the
240 KDC@footnote{Kerberos V4 used port 750. If necessary, you can run on
241 both ports for backward compatibility.} and port 749 for the admin
242 server. You can, however, choose to run on other ports, as long as they
243 are specified in each host's @code{/etc/services} and @code{krb5.conf}
244 files, and the @code{kdc.conf} file on each KDC. For a more thorough
245 treatment of port numbers used by the @value{PRODUCT} programs, refer to
246 the ``Configuring Your Firewall to Work With @value{PRODUCT}'' section
247 of the @cite{@value{PRODUCT} System Administrator's Guide}.
249 @node Slave KDCs, Hostnames for the Master and Slave KDCs, Ports for the KDC and Admin Services, Realm Configuration Decisions
252 Slave KDCs provide an additional source of Kerberos ticket-granting
253 services in the event of inaccessibility of the master KDC. The number
254 of slave KDCs you need and the decision of where to place them, both
255 physically and logically, depends on the specifics of your network.
257 All of the Kerberos authentication on your network requires that each
258 client be able to contact a KDC. Therefore, you need to anticipate any
259 likely reason a KDC might be unavailable and have a slave KDC to take up
262 Some considerations include:
266 Have at least one slave KDC as a backup, for when the master KDC is
267 down, is being upgraded, or is otherwise unavailable.
270 If your network is split such that a network outage is likely to cause
271 some segment or segments of the network to become cut off or isolated,
272 have a slave KDC accessible to each segment.
275 If possible, have at least one slave KDC in a different building from
276 the master, in case of power outages, fires, or other localized
282 @node Hostnames for the Master and Slave KDCs, Database Propagation, Slave KDCs, Realm Configuration Decisions
283 @section Hostnames for the Master and Slave KDCs
285 @value{COMPANY} recommends that your KDCs have a predefined set of
286 CNAMEs, such as @code{@value{KDCSERVER}} for the master KDC and
287 @code{@value{KDCSLAVE1}}, @code{@value{KDCSLAVE2}}, @dots{} for the
288 slave KDCs. This way, if you need to swap a machine, you only need to
289 change a DNS entry, rather than having to change hostnames.
291 @node Database Propagation, , Hostnames for the Master and Slave KDCs, Realm Configuration Decisions
292 @section Database Propagation
294 The Kerberos database resides on the master KDC, and must be propagated
295 regularly (usually by a cron job) to the slave KDCs. In deciding how
296 frequently the propagation should happen, you will need to balance the
297 amount of time the propagation takes against the maximum reasonable
298 amount of time a user should have to wait for a password change to take
301 If the propagation time is longer than this maximum reasonable time
302 (@i{e.g.,} you have a particularly large database, you have a lot of
303 slaves, and/or you experience frequent network delays), you may wish to
304 cut down on your propagation delay by performing the propagation in
305 parallel. To do this, have the master KDC propagate the database to one
306 set of slaves, and then have each of these slaves propagate the database
307 to additional slaves.
309 @node Building Kerberos V5, Installing Kerberos V5, Realm Configuration Decisions, Top
310 @chapter Building @value{PRODUCT}
312 @include build.texinfo
314 @node Installing Kerberos V5, Bug Reports for Kerberos V5, Building Kerberos V5, Top
315 @chapter Installing @value{PRODUCT}
317 The sections of this chapter describe procedures for installing
339 UNIX Application Servers
344 * Installing and Configuring UNIX Client Machines::
345 * UNIX Application Servers::
348 @node Installing KDCs, Installing and Configuring UNIX Client Machines, Installing Kerberos V5, Installing Kerberos V5
349 @section Installing KDCs
351 The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC
352 contains a copy of the Kerberos database. The master KDC contains the
353 master copy of the database, which it propagates to the slave KDCs at
354 regular intervals. All database changes (such as password changes) are
355 made on the master KDC.
357 Slave KDCs provide Kerberos ticket-granting services, but not database
358 access. This allows clients to continue to obtain tickets when the
359 master KDC is unavailable.
361 @value{COMPANY}'s recommends that you install all of your KDCs to be
362 able to function as either the master or one of the slaves. This will
363 enable you to easily switch your master KDC with one of the slaves if
364 necessary. (@xref{Switching Master and Slave KDCs}.) This installation
365 procedure is based on that recommendation.
368 * Install the Master KDC::
369 * Install the Slave KDCs::
370 * Back on the Master KDC::
371 * Finish Installing the Slave KDCs::
372 * Add Kerberos Principals to the Database::
373 * Limit Access to the KDCs::
374 * Switching Master and Slave KDCs::
375 * Upgrading existing Master and Slave KDCs to the current release::
378 @node Install the Master KDC, Install the Slave KDCs, Installing KDCs, Installing KDCs
379 @subsection Install the Master KDC
381 This installation procedure will require you to go back and forth a
382 couple of times between the master KDC and each of the slave KDCs. The
383 first few steps must be done on the master KDC.
386 * Edit the Configuration Files::
387 * Create the Database::
388 * Add Administrators to the Acl File::
389 * Add Administrators to the Kerberos Database::
390 * Create a kadmind Keytab::
391 * Start the Kerberos Daemons::
394 @node Edit the Configuration Files, Create the Database, Install the Master KDC, Install the Master KDC
395 @subsubsection Edit the Configuration Files
397 Modify the configuration files, @code{/etc/krb5.conf}
398 (@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf}
399 (@pxref{kdc.conf}) to reflect the correct information (such as the
400 hostnames and realm name) for your realm. @value{COMPANY} recommends
401 that you keep @code{krb5.conf} in @code{/etc}. The @code{krb5.conf}
402 file may contain a pointer to @code{kdc.conf}, which you need to change
403 if you want to move @code{kdc.conf} to another location.
405 @node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC
406 @subsubsection Create the Database
408 You will use the @code{kdb5_util} command @emph{on the Master KDC} to
409 create the Kerberos database and the optional stash file. The
410 @dfn{stash file} is a local copy of the master key that resides in
411 encrypted form on the KDC's local disk. The stash file is used to
412 authenticate the KDC to itself automatically before starting the
413 @code{kadmind} and @code{krb5kdc} daemons (@i{e.g.,} as part of the
414 machine's boot sequence). The stash file, like the keytab file
415 (@xref{The Keytab File}) is a potential point-of-entry for a break-in,
416 and if compromised, would allow unrestricted access to the Kerberos
417 database. If you choose to install a stash file, it should be readable
418 only by root, and should exist only on the KDC's local disk. The file
419 should not be part of any backup of the machine, unless access to the
420 backup data is secured as tightly as access to the master password
423 Note that @code{kdb5_util} will prompt you for the master key for the
424 Kerberos database. This key can be any string. A good key is one you
425 can remember, but that no one else can guess. Examples of bad keys are
426 words that can be found in a dictionary, any common or popular name,
427 especially a famous person (or cartoon character), your username in any
428 form (@i{e.g.}, forward, backward, repeated twice, @i{etc.}), and any of
429 the sample keys that appear in this manual. One example of a key which
430 would be good if it did not appear in this manual is ``MITiys4K5!'',
431 which represents the sentence ``@value{COMPANY} is your source for
432 Kerberos 5!'' (It's the first letter of each word, substituting the
433 numeral ``4'' for the word ``for'', and includes the punctuation mark at
436 The following is an example of how to create a Kerberos database and
437 stash file on the master KDC, using the @code{kdb5_util} command. (The
438 line that begins with @result{} is a continuation of the previous line.)
439 Replace @i{@value{PRIMARYREALM}} with the name of your Kerberos realm.
443 @b{shell%} @value{ROOTDIR}/sbin/kdb5_util create -r @value{PRIMARYREALM} -s
444 @b{Initializing database '@value{ROOTDIR}/var/krb5kdc/principal' for
445 @result{} realm '@value{PRIMARYREALM}',
446 master key name 'K/M@@@value{PRIMARYREALM}'
447 You will be prompted for the database Master Password.
448 It is important that you NOT FORGET this password.}
450 @b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the master password.}
451 @b{Re-enter KDC database master key to verify:} @i{@doubleleftarrow{} Type it again.}
454 @b{Enter KDC database master key:} @i{<= Type the master password.}
455 @b{Re-enter KDC database master key to verify:} @i{<= Type it again.}
461 This will create five files in the directory specified in your
462 @code{kdc.conf} file: two Kerberos database files, @code{principal.db},
463 and @code{principal.ok}; the Kerberos administrative database file,
464 @code{principal.kadm5}; the administrative database lock file,
465 @code{principal.kadm5.lock}; and the stash file, @code{.k5stash}. (The
466 default directory is @code{@value{ROOTDIR}/var/krb5kdc}.) If you do not
467 want a stash file, run the above command without the @code{-s} option.
469 @node Add Administrators to the Acl File, Add Administrators to the Kerberos Database, Create the Database, Install the Master KDC
470 @subsubsection Add Administrators to the Acl File
472 Next, you need create an Access Control List (acl) file, and put the
473 Kerberos principal of at least one of the administrators into it. The
474 filename should match the value you have set for ``acl_file'' in your
475 @code{kdc.conf} file. The default file name is @samp{kadm5.acl}. The
476 format of the file is:
479 Kerberos principal permissions optional target principal
482 The Kerberos principal (and optional target principal) can include the
483 ``@b{*}'' wildcard, so if you want any principal with the instance
484 ``admin'' to have full permissions on the database, you could use the
485 principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos
488 Note: a common use of an @i{admin} instance is so you can grant
489 separate permissions (such as administrator access to the Kerberos
490 database) to a separate Kerberos principal. For example, the user
491 @code{@value{ADMINUSER}} might have a principal for his administrative
492 use, called @code{@value{ADMINUSER}/admin}. This way,
493 @code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin}
494 tickets only when he actually needs to use those permissions. Refer to
495 the @value{PRODUCT} Administrator's Guide or the @value{PRODUCT} User's
496 Guide for more detailed explanations of @dfn{principals} and
499 The permissions (acls) recognized in the acl file
504 allows the addition of principals or policies in the database.
506 prohibits the addition of principals or policies in the database.
508 allows the deletion of principals or policies in the database.
510 prohibits the deletion of principals or policies in the database.
512 allows the modification of principals or policies in the database.
514 prohibits the modification of principals or policies in the database.
516 allows the changing of passwords for principals in the database.
518 prohibits the changing of passwords for principals in the database.
520 allows inquiries to the database.
522 prohibits inquiries to the database.
524 allows the listing of principals or policies in the database.
526 prohibits the listing of principals or policies in the database.
528 Short for all privileges (admcil).
530 Short for all privileges (admcil); identical to ``*''.
533 To give the principal @code{*/admin@@@value{PRIMARYREALM}} permission to
534 change all of the database permissions on any principal permissions, you
535 would place the following line in the file:
538 */admin@@@value{PRIMARYREALM} *
541 To give the principal @code{@value{ADMINUSER}@@@value{PRIMARYREALM}}
542 permission to add, list, and inquire about any principal that has the
543 instance ``root'', you would add the following line to the acl file:
546 @value{ADMINUSER}@@@value{PRIMARYREALM} ali */root@@@value{PRIMARYREALM}
549 @node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC
550 @subsubsection Add Administrators to the Kerberos Database
552 Next you need to add administrative principals to the Kerberos database.
553 (You must add at least one now.) To do this, use @code{kadmin.local}
554 @emph{on the master KDC}, as in the following example:
558 @b{shell%} @value{ROOTDIR}/sbin/kadmin.local
559 @b{kadmin.local:} addprinc admin/admin@@@value{PRIMARYREALM}
560 @b{WARNING: no policy specified for "admin/admin@@@value{PRIMARYREALM}";
561 defaulting to no policy.}
563 @b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Enter a password.}
564 Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{@doubleleftarrow{} Type it again.}
567 @b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.}
568 Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.}
570 @b{Principal "admin/admin@@@value{PRIMARYREALM}" created.
575 @node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
576 @subsubsection Create a kadmind Keytab
578 The kadmind keytab is the key that kadmind will use to decrypt
579 administrators' Kerberos tickets to determine whether or not it should
580 give them access to the database. You need to create the kadmin keytab
581 with entries for the principals @code{kadmin/admin} and
582 @code{kadmin/changepw}. (These principals are placed in the Kerberos
583 database automatically when you create it.) To create the kadmin
584 keytab, run @code{kadmin.local} and use the @code{ktadd} command, as in
585 the following example. (The line beginning with @result{} is a
586 continuation of the previous line.):
590 @b{shell%} @value{ROOTDIR}/sbin/kadmin.local
591 @b{kadmin.local:} ktadd -k @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
592 @result{} kadmin/admin kadmin/changepw
593 @b{Entry for principal kadmin/admin@@@value{PRIMARYREALM} with
594 kvno 3, encryption type DES-CBC-CRC added to keytab
595 WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab.
596 Entry for principal kadmin/changepw@@@value{PRIMARYREALM} with
597 kvno 3, encryption type DES-CBC-CRC added to keytab
598 WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab.
605 As specified in the @samp{-k} argument, @code{ktadd} will save the
606 extracted keytab as @code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}.
607 The filename you use must be the one specified in your @code{kdc.conf}
611 @node Start the Kerberos Daemons, , Create a kadmind Keytab, Install the Master KDC
612 @subsubsection Start the Kerberos Daemons on the Master KDC
614 At this point, you are ready to start the Kerberos daemons on the Master
618 @b{shell%} @value{ROOTDIR}/sbin/krb5kdc
619 @b{shell%} @value{ROOTDIR}/sbin/kadmind
623 Each daemon will fork and run in the background. Assuming you want
624 these daemons to start up automatically at boot time, you can add them
625 to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to
626 have a stash file in order to do this.
628 @node Install the Slave KDCs, Back on the Master KDC, Install the Master KDC, Installing KDCs
629 @subsection Install the Slave KDCs
631 You are now ready to start configuring the slave KDCs. Assuming you are
632 setting the KDCs up so that you can easily switch the master KDC with
633 one of the slaves, you should perform each of these steps on the master
634 KDC as well as the slave KDCs, unless these instructions specify
639 * Create Host Keys for the Slave KDCs::
640 * Extract Host Keytabs for the KDCs::
641 * Set Up the Slave KDCs for Database Propagation::
644 @node Create Host Keys for the Slave KDCs, Extract Host Keytabs for the KDCs, Install the Slave KDCs, Install the Slave KDCs
645 @subsubsection Create Host Keys for the Slave KDCs
647 Each KDC needs a host principal in the Kerberos database. You can enter
648 these from any host, once the @code{kadmind} daemon is running. For
649 example, if your master KDC were called
650 @value{KDCSERVER}.@value{PRIMARYDOMAIN}, and you had two KDC slaves
651 named @value{KDCSLAVE1}.@value{PRIMARYDOMAIN} and
652 @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}, you would type the following:
656 @b{shell%} @value{ROOTDIR}/sbin/kadmin
657 @b{kadmin:} addprinc -randpass host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}
658 @b{WARNING: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
659 defaulting to no policy.
660 Principal "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.
661 kadmin:} addprinc -randpass host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
662 @b{WARNING: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
663 defaulting to no policy.
664 Principal "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.}
665 @b{kadmin:} addprinc -randpass host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
666 @b{WARNING: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
667 defaulting to no policy.
668 Principal "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.
674 It is not actually necessary to have the master KDC server in the
675 Kerberos database, but it can be handy if:
679 anyone will be logging into the machine as something other than root
682 you want to be able to swap the master KDC with one of the slaves if
686 @node Extract Host Keytabs for the KDCs, Set Up the Slave KDCs for Database Propagation, Create Host Keys for the Slave KDCs, Install the Slave KDCs
687 @subsubsection Extract Host Keytabs for the KDCs
689 Each KDC (including the master) needs a keytab to decrypt tickets.
690 Ideally, you should extract each keytab locally on its own KDC. If this
691 is not feasible, you should use an encrypted session to send them across
692 the network. To extract a keytab on a KDC called
693 @value{KDCSERVER}.@value{PRIMARYDOMAIN}, you would execute the following
698 @b{kadmin:} ktadd host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}
699 @b{kadmin: Entry for principal host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
700 kvno 1, encryption type DES-CBC-CRC added to keytab
701 WRFILE:/etc/v5srvtab.
707 Note that the principal must exist in the Kerberos database in order to
710 @node Set Up the Slave KDCs for Database Propagation, , Extract Host Keytabs for the KDCs, Install the Slave KDCs
711 @subsubsection Set Up the Slave KDCs for Database Propagation
713 The database is propagated from the master KDC to the slave KDCs via the
714 @code{kpropd} daemon. To set up propagation, create a file on each KDC,
715 named @code{@value{ROOTDIR}/var/krb5kdc/kpropd.acl}, containing the
716 principals for each of the KDCs.
718 For example, if the master KDC were
719 @code{@value{KDCSERVER}.@value{PRIMARYDOMAIN}}, the slave KDCs were
720 @code{@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}} and
721 @code{@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}}, and the realm were
722 @code{@value{PRIMARYREALM}}, then the file's contents would be:
726 host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
727 host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
728 host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
733 Then, add the following lines to @code{/etc/inetd.conf} file on each KDC
734 (the line beginnng with @result{} is a continuation of the previous
739 krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
740 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
741 @result{} klogind -k -c -e
746 The first line sets up the @code{kpropd} database propagation daemon.
747 The second line sets up the @code{eklogin} daemon, allowing
748 Kerberos-authenticated, encrypted rlogin to the KDC.
750 You also need to add the following lines to @code{/etc/services} on each
755 kerberos 88/udp kdc # Kerberos authentication (udp)
756 kerberos 88/tcp kdc # Kerberos authentication (tcp)
757 krb5_prop 754/tcp # Kerberos slave propagation
758 kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
759 kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
760 eklogin 2105/tcp # Kerberos encrypted rlogin
764 @node Back on the Master KDC, Finish Installing the Slave KDCs, Install the Slave KDCs, Installing KDCs
765 @subsection Back on the Master KDC
767 Now that the slave KDCs are able to accept database propagation, you'll
768 need to propagate the database to each of them.
771 * Propagate the Database to Each Slave KDC::
774 @node Propagate the Database to Each Slave KDC, , Back on the Master KDC, Back on the Master KDC
775 @subsubsection Propagate the Database to Each Slave KDC
777 First, create a dump of the database on the master KDC, as follows:
781 @b{shell%} @value{ROOTDIR}/sbin/kdb5_util dump @value{ROOTDIR}/var/krb5kdc/slave_datatrans
786 Next, you need to manually propagate the database to each slave KDC, as
787 in the following example. (The lines beginning with @result{} are
788 continuations of the previous line.):
792 @value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/var/krb5kdc/slave_datatrans
793 @result{} @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
794 @value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/var/krb5kdc/slave_datatrans
795 @result{} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
799 You will need a script to dump and propagate the database. The
800 following is an example of a bourne shell script that will do this.
801 (Note that the line that begins with @result{} is a continuation of the
802 previous line. Remember that you need to replace @value{ROOTDIR} with
803 the name of the directory in which you installed @value{PRODUCT}.)
809 kdclist = "@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}"
811 @value{ROOTDIR}/sbin/kdb5_util -R "dump
812 @result{} @value{ROOTDIR}/var/krb5kdc/slave_datatrans"
816 @value{ROOTDIR}/sbin/kprop -f @value{ROOTDIR}/var/krb5kdc/slave_datatrans $kdc
822 You will need to set up a cron job to run this script at the intervals
823 you decided on earlier (@xref{Database Propagation}.)
825 @node Finish Installing the Slave KDCs, Add Kerberos Principals to the Database, Back on the Master KDC, Installing KDCs
826 @subsection Finish Installing the Slave KDCs
828 Now that the slave KDCs have copies of the Kerberos database, you can
829 create stash files for them and start the @code{krb5kdc} daemon.
832 * Create Stash Files on the Slave KDCs::
833 * Start the krb5kdc Daemon on Each KDC::
836 @node Create Stash Files on the Slave KDCs, Start the krb5kdc Daemon on Each KDC, Finish Installing the Slave KDCs, Finish Installing the Slave KDCs
837 @subsubsection Create Stash Files on the Slave KDCs
839 Create stash files, by issuing the following commands on each slave KDC:
843 @b{shell%} kdb5_util stash
844 @b{kdb5_util: Cannot find/read stored master key while reading master key
845 kdb5_util: Warning: proceeding without master key}
847 @b{Enter KDC database master key:} @i{@doubleleftarrow{} Enter the database master key.}
850 @b{Enter KDC database master key:} @i{<= Enter the database master key.}
856 As mentioned above, the stash file is necessary for your KDCs to be able
857 authenticate to themselves, such as when they reboot. You could run
858 your KDCs without stash files, but you would then need to type in the
859 Kerberos database master key by hand every time you start a KDC daemon.
861 @node Start the krb5kdc Daemon on Each KDC, , Create Stash Files on the Slave KDCs, Finish Installing the Slave KDCs
862 @subsubsection Start the krb5kdc Daemon on Each KDC
864 The final step in configuing your slave KDCs is to run the KDC daemon:
868 @b{shell%} @value{ROOTDIR}/sbin/krb5kdc
872 As with the master KDC, you will probably want to add this command to
873 the KDCs' @code{/etc/rc} or @code{/etc/inittab} files, so they will
874 start the krb5kdc daemon automatically at boot time.
876 @node Add Kerberos Principals to the Database, Limit Access to the KDCs, Finish Installing the Slave KDCs, Installing KDCs
877 @subsection Add Kerberos Principals to the Database
880 Once your KDCs are set up and running, you are ready to use
881 @code{kadmin} to load principals for your users, hosts, and other
882 services into the Kerberos database. This procedure is described fully in the
883 ``Adding or Modifying Principals'' section of the @value{PRODUCT} System
884 Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs} for a
885 brief description.) The keytab is generated by running @code{kadmin}
886 and issuing the @code{ktadd} command.
888 @node Limit Access to the KDCs, Switching Master and Slave KDCs, Add Kerberos Principals to the Database, Installing KDCs
889 @subsection Limit Access to the KDCs
891 To limit the possibility that your Kerberos database could be
892 compromised, @value{COMPANY} recommends that each KDC be a dedicated
893 host, with limited access. If your KDC is also a file server, FTP
894 server, Web server, or even just a client machine, someone who obtained
895 root access through a security hole in any of those areas could gain
896 access to the Kerberos database.
899 @value{COMPANY} recommends that your KDCs use the following
900 @code{/etc/inetd.conf} file. (Note: each line beginning with @result{}
901 is a continuation of the previous line.):
906 # Configuration file for inetd(1M). See inetd.conf(4).
908 # To re-configure the running inetd process, edit this file, then
909 # send the inetd process a SIGHUP.
911 # Syntax for socket-based Internet services:
912 # <service_name> <socket_type> <proto> <flags> <user>
913 @result{} <server_pathname> <args>
915 # Syntax for TLI-based Internet services:
917 # <service_name> tli <proto> <flags> <user> <server_pathname> <args>
919 # Ftp and telnet are standard Internet services.
921 # This machine is a secure Kerberos Key Distribution Center (KDC).
922 # Services are limited.
925 # Time service is used for clock synchronization.
927 time stream tcp nowait root internal
928 time dgram udp wait root internal
930 # Limited Kerberos services
932 krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
933 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
934 @result{} klogind -5 -c -e
938 @node Switching Master and Slave KDCs, Upgrading existing Master and Slave KDCs to the current release, Limit Access to the KDCs, Installing KDCs
939 @subsection Switching Master and Slave KDCs
941 You may occasionally want to use one of your slave KDCs as the master.
942 This might happen if you are upgrading the master KDC, or if your master
943 KDC has a disk crash.
945 Assuming you have configured all of your KDCs to be able to function as
946 either the master KDC or a slave KDC (as this document recommends), all
947 you need to do to make the changeover is:
949 If the master KDC is still running, do the following on the @emph{old}
954 Kill the @code{kadmind} process.
957 Disable the cron job that propagates the database.
960 Run your database propagation script manually, to ensure that the slaves
961 all have the latest copy of the database. (@xref{Propagate the Database
965 On the @emph{new} master KDC:
969 Create a database keytab. (@xref{Create a kadmind Keytab}.)
972 Start the @code{kadmind} daemon. (@xref{Start the Kerberos Daemons}.)
975 Set up the cron job to propagate the database. (@xref{Propagate the
976 Database to Each Slave KDC}.)
979 Switch the CNAMEs of the old and new master KDCs. (If you don't do
980 this, you'll need to change the @code{krb5.conf} file on every client
981 machine in your Kerberos realm.)
984 @node Upgrading existing Master and Slave KDCs to the current release, , Switching Master and Slave KDCs, Installing KDCs
985 @subsection Upgrading existing Master and Slave KDCs to the current release
987 If you already have an existing Kerberos database that you created with
988 a prior release of Kerberos 5, you can upgrade it to work with the
989 current release with the @code{kdb5_util} command. As of Kerberos 5
990 version 1.0, this upgrade process is only necessary if you are using a
991 Kerberos database created with Kerberos 5 beta 6 or earlier; newer
992 installations can continue to be used without modification. The process
993 for upgrading a Master KDC involves the following steps (the lines
994 beginning with => indicate a continuation of the previous line):
998 @item Stopping your current KDC and administration
999 server processes, if any.
1001 @item Dumping your existing Kerberos database to an ASCII file with
1002 @code{kdb5_edit}'s ``dump'' command:
1006 @b{shell%} kdb5_edit -r @value{PRIMARYREALM} -R 'dump_db' >
1007 @result{} @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
1012 @item If you were using OpenV*Secure or AXXiON*Authenticate, dumping your
1013 policy database to an ASCII file with the @code{ovsec_adm_export}
1018 @b{shell%} ovsec_adm_export -r @value{PRIMARYREALM} >
1019 @result{} @value{ROOTDIR}/var/krb5kdc/old-adb-dump
1024 @item Creating a new Master KDC installation (@xref{Install the Master
1025 KDC}). If you have a stash file for your current database, choose any
1026 new master password but then copy your existing stash file to the
1027 location specified by your kdc.conf; if you do not have a stash file for
1028 your current database, you must choose the same master password.
1030 @item Load your old Kerberos database into the new system with
1031 @code{kdb5_util}'s ``load'' command:
1035 @b{shell%} kdb5_util load @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
1040 @item If you were using OpenV*Secure or AXXiON*Authenticate, merging
1041 your policy database with @code{kdb5_util}'s ``load'' command with the
1046 @b{shell%} kdb5_util load -update @value{ROOTDIR}/var/krb5kdc/old-adb-dump
1053 The process for upgrading a Slave KDC is simpler. All you have to do is
1054 make sure that the stash file on the Slave KDC is correct, stop the old
1055 server processes on the Slave KDC, install the new server binaries, and
1056 re-start the server processes. The Slave KDC database will be upgraded
1057 automatically when the next propagation is run. Note that if you
1058 changed your master key when creating your new Master KDC database, you
1059 will have to run a Slave KDC propagation before you can restart the
1060 server processes on the Slave KDC itself; otherwise, the new stash file
1061 that you create on the slave will not match the old database that exists
1062 until the propagation occurs, and the server processes will not start.
1064 @node Installing and Configuring UNIX Client Machines, UNIX Application Servers, Installing KDCs, Installing Kerberos V5
1065 @section Installing and Configuring UNIX Client Machines
1067 Client machine installation is much more straightforward than
1068 installation of the KDCs.
1072 * Client Machine Configuration Files::
1075 @node Client Programs, Client Machine Configuration Files, Installing and Configuring UNIX Client Machines, Installing and Configuring UNIX Client Machines
1076 @subsection Client Programs
1078 The Kerberized client programs are @code{login.krb5}, @code{rlogin},
1079 @code{telnet}, @code{ftp}, @code{rcp}, @code{rsh}, @code{kinit},
1080 @code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ksu}, and
1081 @code{krb524init}. All of these programs are in the directory
1082 @code{@value{ROOTDIR}/bin}, except for @code{login.krb5} which is in
1083 @code{@value{ROOTDIR}/sbin}.
1085 You will probably want to have your users put @code{@value{ROOTDIR}/bin}
1086 ahead of @code{/bin} and @code{/usr/bin} in their paths, so they will by
1087 default get the @value{PRODUCT} versions of @code{rlogin},
1088 @code{telnet}, @code{ftp}, @code{rcp}, and @code{rsh}.
1090 @value{COMPANY} recommends that you use @code{login.krb5} in place of
1091 @code{/bin/login} to give your users a single-sign-on system. You will
1092 need to make sure your users know to use their Kerberos passwords when
1095 You will also need to educate your users to use the ticket management
1096 programs @code{kinit},
1097 @c @code{krb524init},
1098 @code{klist}, @code{kdestroy}, and to use the Kerberos programs
1100 @code{ksu}, and @code{kpasswd} in place of their non-Kerberos
1103 @code{su}, @code{passwd}, and @code{rdist}.
1105 @node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines
1106 @subsection Client Machine Configuration Files
1108 Each machine running Kerberos must have a @code{/etc/krb5.conf} file.
1112 Also, you must add the appropriate Kerberos services to each client
1113 machine's @code{/etc/services} file. If you are using the default
1114 configuration for @value{PRODUCT}, you should be able to just insert the
1120 # Note --- if you are using Kerberos V4 and you either:
1122 # (a) haven't converted all your master or slave KDCs to V5, or
1124 # (b) are worried about inter-realm interoperability with other KDC's
1125 # that are still using V4
1127 # you will need to switch the "kerberos" service to port 750 and create a
1128 # "kerberos-sec" service on port 88.
1130 kerberos 88/udp kdc # Kerberos V5 KDC
1131 kerberos 88/tcp kdc # Kerberos V5 KDC
1132 klogin 543/tcp # Kerberos authenticated rlogin
1133 kshell 544/tcp cmd # and remote shell
1134 kerberos-adm 749/tcp # Kerberos 5 admin/changepw
1135 kerberos-adm 749/udp # Kerberos 5 admin/changepw
1136 krb5_prop 754/tcp # Kerberos slave propagation
1137 @c kpop 1109/tcp # Pop with Kerberos
1138 eklogin 2105/tcp # Kerberos auth. & encrypted rlogin
1139 krb524 4444/tcp # Kerberos 5 to 4 ticket translator
1143 @noindent As described in the comments in the above code, if your master
1144 KDC or any of your slave KDCs is running Kerberos V4, (or if you will be
1145 authenticating to any Kerberos V4 KDCs in another realm) you will need
1146 to switch the port number for @code{kerberos} to 750 and create a
1147 @code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos
1148 V4 KDC(s) will continue to work properly.
1150 @node UNIX Application Servers, , Installing and Configuring UNIX Client Machines, Installing Kerberos V5
1151 @section UNIX Application Servers
1153 An application server is a host that provides one or more services over
1154 the network. Application servers can be ``secure'' or ``insecure.'' A
1155 ``secure'' host is set up to require authentication from every client
1156 connecting to it. An ``insecure'' host will still provide Kerberos
1157 authentication, but will also allow unauthenticated clients to connect.
1159 If you have @value{PRODUCT} installed on all of your client machines,
1160 @value{COMPANY} recommends that you make your hosts secure, to take
1161 advantage of the security that Kerberos authentication affords.
1162 However, if you have some clients that do not have @value{PRODUCT}
1163 installed, you can run an insecure server, and still take advantage of
1164 @value{PRODUCT}'s single sign-on on capability.
1168 * Server Configuration Files::
1170 * Some Advice about Secure Hosts::
1173 @node Server Programs, Server Configuration Files, UNIX Application Servers, UNIX Application Servers
1174 @subsection Server Programs
1176 Just as @value{PRODUCT} provided its own Kerberos-enhanced versions of
1177 client UNIX network programs, @value{PRODUCT} also provides
1178 Kerberos-enhanced versions of server UNIX network daemons. These are
1179 @code{ftpd}, @code{klogind}, @code{kshd}, and @code{telnetd}.
1181 These programs are installed in the directory
1182 @code{@value{ROOTDIR}/sbin}. You may want to add this directory to
1185 @node Server Configuration Files, The Keytab File, Server Programs, UNIX Application Servers
1186 @subsection Server Configuration Files
1188 For a @emph{secure} server, make the following changes to
1189 @code{/etc/inetd.conf}:
1191 Find and comment out any lines for the services @code{ftp},
1192 @code{telnet}, @code{shell}, @code{login}, and @code{exec}.
1195 Add the following lines. (Note: each line beginning with @result{} is
1196 a continuation of the previous line.)
1200 klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1201 @result{} klogind -k -c
1202 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1203 @result{} klogind -k -c -e
1204 kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
1205 @result{} kshd -k -c -A
1206 ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
1208 telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
1209 @result{} telnetd -a valid
1213 For an @emph{insecure} server, make the following changes instead to
1214 @code{/etc/inetd.conf}:
1217 Find and comment out any lines for the services @code{ftp} and
1220 Add the following lines. (Note: each line beginning with @result{} is
1221 a continuation of the previous line.)
1224 klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1225 @result{} klogind -k -c
1226 eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
1227 @result{} klogind -k -c -e
1228 kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
1229 @result{} kshd -k -c -A
1230 ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
1232 telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
1233 @result{} telnetd -a none
1237 @node The Keytab File, Some Advice about Secure Hosts, Server Configuration Files, UNIX Application Servers
1238 @subsection The Keytab File
1240 All Kerberos server machines need a @dfn{keytab} file, called
1241 @code{/etc/v5srvtab},@footnote{The keytab was called a @dfn{srvtab} in
1242 Kerberos V4. The @code{v5srvtab} file has not been renamed to reflect
1243 the change in terminology.} to authenticate to the KDC. The keytab file
1244 is an encrypted, local, on-disk copy of the host's key. The keytab
1245 file, like the stash file (@ref{Create the Database}) is a potential
1246 point-of-entry for a break-in, and if compromised, would allow
1247 unrestricted access to its host. The keytab file should be readable
1248 only by root, and should exist only on the machine's local disk. The
1249 file should not be part of any backup of the machine, unless access to
1250 the backup data is secured as tightly as access to the machine's root
1253 In order to generate a keytab for a host, the host must have a principal
1254 in the Kerberos database. The procedure for adding hosts to the
1255 database is described fully in the ``Adding or Modifying Principals''
1256 section of the @cite{@value{PRODUCT} System Administrator's Guide}.
1257 @xref{Create Host Keys for the Slave KDCs} for a brief description.)
1258 The keytab is generated by running @code{kadmin} and issuing the
1259 @code{ktadd} command.
1262 For example, to generate a keytab file to allow the host
1263 trillium.@value{PRIMARYDOMAIN} to authenticate for the services
1264 @code{host}, @code{ftp}, and @code{pop}, the administrator
1265 @code{@value{ADMINUSER}} would issue the command (on
1266 trillium.@value{PRIMARYDOMAIN}):
1270 @b{trillium%} @value{ROOTDIR}/sbin/kadmin
1271 @b{kadmin5:} ktadd host/trillium.@value{PRIMARYDOMAIN} ftp/trillium.@value{PRIMARYDOMAIN}
1272 @result{} pop/trillium.@value{PRIMARYDOMAIN}
1273 @b{kadmin: Entry for principal host/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
1274 kvno 3, encryption type DES-CBC-CRC added to keytab
1275 WRFILE:/etc/v5srvtab.
1276 kadmin: Entry for principal ftp/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
1277 kvno 3, encryption type DES-CBC-CRC added to keytab
1278 WRFILE:/etc/v5srvtab.
1279 kadmin: Entry for principal pop/trillium.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
1280 kvno 3, encryption type DES-CBC-CRC added to keytab
1281 WRFILE:/etc/v5srvtab.
1287 If you generate the keytab file on another host, you need to get a copy
1288 of the keytab file onto the destination host (@code{trillium}, in the
1289 above example) without sending it unencrypted over the network. If you
1290 have installed the @value{PRODUCT} client programs, you can use
1291 encrypted @code{rcp}.
1293 @node Some Advice about Secure Hosts, , The Keytab File, UNIX Application Servers
1294 @subsection Some Advice about Secure Hosts
1296 @value{PRODUCT} can protect your host from certain types of break-ins,
1297 but it is possible to install @value{PRODUCT} and still leave your host
1298 vulnerable to attack. Obviously an installation guide is not the place
1299 to try to include an exhaustive list of countermeasures for every
1300 possible attack, but it is worth noting some of the larger holes and how
1303 As stated earlier in this section, @value{COMPANY} recommends that on a
1304 secure host, you disable the standard @code{ftp}, @code{login},
1305 @code{telnet}, @code{shell}, and @code{exec} services in
1306 @code{/etc/inetd.conf}. We also recommend that secure hosts have an empty
1307 @code{/etc/hosts.equiv} file and that there not be a @code{.rhosts} file
1308 in @code{root}'s home directory. You can grant Kerberos-authenticated
1309 root access to specific Kerberos principals by placing those principals
1310 in the file @code{.k5login} in root's home directory.
1312 We recommend that backups of secure machines exclude the keytab file
1313 (@code{/etc/v5srvtab}). If this is not possible, the backups should at
1314 least be done locally, rather than over a network, and the backup tapes
1315 should be physically secured.
1317 Finally, the keytab file and any programs run by root, including the
1318 @value{PRODUCT} binaries, should be kept on local disk. The keytab file
1319 should be readable only by root.
1321 @node Bug Reports for Kerberos V5, Files, Installing Kerberos V5, Top
1322 @chapter Bug Reports for @value{PRODUCT}
1323 @include bug-report.texinfo
1325 @node Files, , Bug Reports for Kerberos V5, Top
1333 @node krb5.conf, kdc.conf, Files, Files
1334 @appendixsec krb5.conf
1336 Here is an example of a generic @code{krb5.conf} file:
1341 ticket_lifetime = 600
1342 default_realm = @value{PRIMARYREALM}
1343 default_tkt_enctypes = des-cbc-crc
1344 default_tgs_enctypes = des-cbc-crc
1347 @value{PRIMARYREALM} = @{
1348 kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88
1349 kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88
1350 kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88
1351 admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749
1352 default_domain = @value{PRIMARYDOMAIN}
1356 .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
1357 @value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
1361 For the KDCs, add a section onto the end of the @code{krb5.conf} file
1362 telling where the @code{kdc.conf} file is located, as in the following
1368 profile = @value{ROOTDIR}/var/krb5kdc/kdc.conf
1371 kdc = FILE:/var/log/krb5kdc.log
1372 admin_server = FILE:/var/log/kadmin.log
1373 default = FILE:/var/log/krb5lib.log
1382 @node kdc.conf, , krb5.conf, Files
1383 @appendixsec kdc.conf
1385 Here's an example of a generic kdc.conf file:
1393 @value{PRIMARYREALM} = @{
1394 profile = /etc/krb5.conf
1395 database_name = @value{ROOTDIR}/var/krb5kdc/principal
1396 admin_database_name = @value{ROOTDIR}/var/krb5kdc/principal.kadm5
1397 admin_database_lockfile = @value{ROOTDIR}/var/krb5kdc/principal.kadm5.lock
1398 admin_keytab = @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
1399 acl_file = @value{ROOTDIR}/var/krb5kdc/kadm5.acl
1400 dict_file = @value{ROOTDIR}/var/krb5kdc/kadm5.dict
1401 key_stash_file = @value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM}
1403 max_life = 10h 0m 0s
1404 max_renewable_life = 7d 0h 0m 0s
1405 master_key_type = des-cbc-crc
1406 supported_enctypes = des-cbc-crc:normal
1411 To add Kerberos V4 support, change the @code{supported_enctypes} line to:
1414 supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
1418 * Encryption Types and Salt Types::
1421 @node Encryption Types and Salt Types, , kdc.conf, kdc.conf
1422 @appendixsubsec Encryption Types and Salt Types
1424 Currently, @value{PRODUCT} supports only DES encryption. The encoding
1425 type is @code{des-cbc-crc}. The @dfn{salt} is additional information
1426 encoded within the key that tells what kind of key it is. The only
1427 salts that you will be likely to encounter are:
1430 @item @dfn{normal}, which @value{COMPANY} recommends using for all of
1431 your @value{PRODUCT} keys
1433 @item @dfn{v4}, which is necessary only for compatibility with a v4 KDC
1435 @item @dfn{afs}, which you will never need to generate, and which you will
1436 encounter only if you dump an AFS database into a Kerberos database
1439 Support for additional encryption types is planned in the future.