@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper
+@documentencoding UTF-8
@c %**end of header
+@copying
+Copyright @copyright{} 1985-2010 by the Massachusetts Institute of Technology.
+@end copying
@paragraphindent 0
@iftex
@parskip 6pt plus 6pt
@end iftex
+@dircategory Kerberos
+@direntry
+* krb5-install: (krb5-install). Kerberos V5 Installation Guide
+@end direntry
+
@include definitions.texinfo
-@set EDITION b7-1
+@set EDITION 1.1
@finalout @c don't print black warning boxes
@page
@vskip 0pt plus 1filll
-
-@iftex
-@include copyright.texinfo
-@end iftex
+@insertcopying
@end titlepage
@node Top, Introduction, (dir), (dir)
This file documents how to install the @value{RELEASE} release of
@value{PRODUCT}.
-@include copyright.texinfo
-
+@insertcopying
@end ifinfo
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
* Installing Kerberos V5::
* Upgrading Existing Kerberos V5 Installations::
* Bug Reports for Kerberos V5::
-* Files::
+* Copyright::
@end menu
@node Introduction, Realm Configuration Decisions, Top, Top
@value{PRODUCT} from @value{COMPANY} will play a vital role in the
security of your network.
-@include document-list.texinfo
-
@node Please Read the Documentation, Overview of This Guide, Why Should I use Kerberos?, Introduction
@section Please Read the Documentation
and planning. @value{COMPANY} has attempted to make this
@value{PRODUCT} Installation Guide as concise as possible, rather than
making it an exhaustive description of the details of Kerberos.
+@ifset CYGNUS
Consequently, everything in this guide appears because @value{COMPANY}
believes that it is important. Please read and follow these
instructions carefully, and if there is anything you do not understand
or are not sure of, please don't hesitate to call us.
+@end ifset
+@ifset MIT
+Consequently, everything in this guide appears because @value{COMPANY}
+believes that it is important. Please read and follow these
+instructions carefully.
+@end ifset
+
+@include document-list.texinfo
@node Overview of This Guide, , Please Read the Documentation, Introduction
@section Overview of This Guide
+@noindent
The next chapter describes the decisions you need to make before
installing @value{PRODUCT}.
-Chapter three describes installation procedures for each class of
+@noindent
+Chapter three provided instructions for building the Kerberos sources.
+
+@noindent
+Chapter four describes installation procedures for each class of
Kerberos machines:
@enumerate
@end enumerate
@item
-Client machines (user machines):
-
-@enumerate A
-@item
-UNIX client machines.
-
-@item
-Windows machines.
-
-@item
-Macintoshes.
-@end enumerate
+UNIX client machines
@item
-application server machines
+UNIX application server machines
@end enumerate
@noindent
Note that a machine can be both a client machine and an application
server.
-Chapter four describes our problem reporting system.
+@noindent
+Chapter five describes procedure for updating previous installations of
+@value{PRODUCT}.
-The appendices give sample configuration files.
+@noindent
+Chapter six describes our problem reporting system.
@node Realm Configuration Decisions, Building Kerberos V5, Introduction, Top
@chapter Realm Configuration Decisions
@item
How frequently you will propagate the database from the master KDC to
the slave KDCs.
-
-@item
-Whether you need backward compatibility with Kerberos V4.
@end itemize
@menu
If you need multiple Kerberos realms, @value{COMPANY} recommends that
you use descriptive names which end with your domain name, such as
-BOSTON.@value{SECONDREALM} and SAN_FRANCISCO.@value{SECONDREALM}.
+BOSTON.@value{SECONDREALM} and HOUSTON.@value{SECONDREALM}.
@node Mapping Hostnames onto Kerberos Realms, Ports for the KDC and Admin Services, Kerberos Realms, Realm Configuration Decisions
@section Mapping Hostnames onto Kerberos Realms
-Mapping hostnames onto Kerberos realms is done through a set of rules in
-the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can
-specify mappings for an entire domain or subdomain, and/or on a
-hostname-by-hostname basis. Since greater specificity takes precedence,
-you would do this by specifying the mappings for a given domain or
-subdomain and listing the exceptions.
+@include dnstxt.texinfo
@node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions
@section Ports for the KDC and Admin Services
-The default ports used by Kerberos are port 88 for the
-KDC@footnote{Kerberos V4 used port 750. If necessary, you can run on
-both ports for backward compatibility.} and port 749 for the admin
-server. You can, however, choose to run on other ports, as long as they
-are specified in each host's @code{/etc/services} and @code{krb5.conf}
-files, and the @code{kdc.conf} file on each KDC. For a more thorough
-treatment of port numbers used by the @value{PRODUCT} programs, refer to
-the ``Configuring Your Firewall to Work With @value{PRODUCT}'' section
-of the @cite{@value{PRODUCT} System Administrator's Guide}.
+The default ports used by Kerberos are port @value{DefaultPort} for the
+KDC@footnote{Kerberos V4 used port @value{DefaultSecondPort}. If
+necessary, you can run on both ports for backward compatibility.} and
+port @value{DefaultKadmindPort} for the admin server. You can, however,
+choose to run on other ports, as long as they are specified in each
+host's @code{/etc/services} and @code{krb5.conf} files, and the
+@code{kdc.conf} file on each KDC. For a more thorough treatment of
+port numbers used by the @value{PRODUCT} programs, refer to the
+``Configuring Your Firewall to Work With @value{PRODUCT}'' section of
+the @cite{@value{PRODUCT} System Administrator's Guide}.
@node Slave KDCs, Hostnames for the Master and Slave KDCs, Ports for the KDC and Admin Services, Realm Configuration Decisions
@section Slave KDCs
down, is being upgraded, or is otherwise unavailable.
@item
-If your network is split such that a network outage is likely to cause
-some segment or segments of the network to become cut off or isolated,
-have a slave KDC accessible to each segment.
+If your network is split such that a network outage is likely to cause a
+network partition (some segment or segments of the network to become cut
+off or isolated from other segments), have a slave KDC accessible to
+each segment.
@item
If possible, have at least one slave KDC in a different building from
@node Hostnames for the Master and Slave KDCs, Database Propagation, Slave KDCs, Realm Configuration Decisions
@section Hostnames for the Master and Slave KDCs
-@value{COMPANY} recommends that your KDCs have a predefined set of
-CNAMEs, such as @code{@value{KDCSERVER}} for the master KDC and
-@code{@value{KDCSLAVE1}}, @code{@value{KDCSLAVE2}}, @dots{} for the
-slave KDCs. This way, if you need to swap a machine, you only need to
-change a DNS entry, rather than having to change hostnames.
+@include dnssrv.texinfo
@node Database Propagation, , Hostnames for the Master and Slave KDCs, Realm Configuration Decisions
@section Database Propagation
If the propagation time is longer than this maximum reasonable time
(@i{e.g.,} you have a particularly large database, you have a lot of
-slaves, and/or you experience frequent network delays), you may wish to
+slaves, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel. To do this, have the master KDC propagate the database to one
set of slaves, and then have each of these slaves propagate the database
@item
The KDCs
-@item
-Client machines
-
-@enumerate A
@item
UNIX client machines
-@item
-Windows machines
-
-@item
-Macintoshes
-@end enumerate
-
@item
UNIX Application Servers
@end enumerate
made on the master KDC.
Slave KDCs provide Kerberos ticket-granting services, but not database
-access. This allows clients to continue to obtain tickets when the
-master KDC is unavailable.
+administration. This allows clients to continue to obtain tickets when
+the master KDC is unavailable.
-@value{COMPANY}'s recommends that you install all of your KDCs to be
-able to function as either the master or one of the slaves. This will
-enable you to easily switch your master KDC with one of the slaves if
+@value{COMPANY} recommends that you install all of your KDCs to be able
+to function as either the master or one of the slaves. This will enable
+you to easily switch your master KDC with one of the slaves if
necessary. (@xref{Switching Master and Slave KDCs}.) This installation
procedure is based on that recommendation.
* Add Kerberos Principals to the Database::
* Limit Access to the KDCs::
* Switching Master and Slave KDCs::
+* Incremental Database Propagation::
@end menu
@node Install the Master KDC, Install the Slave KDCs, Installing KDCs, Installing KDCs
@menu
* Edit the Configuration Files::
+* krb5.conf::
+* kdc.conf::
* Create the Database::
* Add Administrators to the Acl File::
* Add Administrators to the Kerberos Database::
-* Create a kadmind Keytab::
+* Create a kadmind Keytab (optional)::
* Start the Kerberos Daemons::
@end menu
-@node Edit the Configuration Files, Create the Database, Install the Master KDC, Install the Master KDC
+@node Edit the Configuration Files, krb5.conf, Install the Master KDC, Install the Master KDC
@subsubsection Edit the Configuration Files
-Modify the configuration files, @code{/etc/krb5.conf}
-(@pxref{krb5.conf}) and @code{@value{ROOTDIR}/var/krb5kdc/kdc.conf}
-(@pxref{kdc.conf}) to reflect the correct information (such as the
-hostnames and realm name) for your realm. @value{COMPANY} recommends
-that you keep @code{krb5.conf} in @code{/etc}. The @code{krb5.conf}
-file may contain a pointer to @code{kdc.conf}, which you need to change
-if you want to move @code{kdc.conf} to another location.
+Modify the configuration files, @code{/etc/krb5.conf} and
+@code{@value{ROOTDIR}/var/krb5kdc/kdc.conf} to reflect the correct
+information (such as the hostnames and realm name) for your realm.
+@value{COMPANY} recommends that you keep @code{krb5.conf} in @code{/etc}.
+
+Most of the tags in the configuration have default values that will
+work well for most sites. There are some tags in the @code{krb5.conf}
+file whose values must be specified, and this section will explain
+those as well as give an overview of all of the sections in both
+configuration files. For more information on changing defaults with
+the configuration files, see the @value{PRODUCT} System Administrator's
+Guide sections on configuration files.
+
+@node krb5.conf, kdc.conf, Edit the Configuration Files, Install the Master KDC
+@subsubsection krb5.conf
+
+@include krb5conf.texinfo
+
+If you are not using DNS TXT records, you must specify the
+@code{default_realm} in the @code{libdefaults} section. If you are not
+using DNS SRV records, you must include the @code{kdc} tag for each
+realm in the @code{realms} section. To communicate with the kadmin
+server in each realm, the @code{admin_server} tag must be set in the
+@code{realms} section. If your domain name and realm name are not the
+same, you must provide a translation in @code{domain_realm}. It is
+also higly recommeneded that you create a @code{[logging]} stanza if
+the computer will be functioning as a KDC so that the KDC and kadmind
+will generate logging output.
+
+An example @code{krb5.conf} file:
+
+@smallexample
+@group
+[libdefaults]
+ default_realm = @value{PRIMARYREALM}
+
+[realms]
+ @value{PRIMARYREALM} = @{
+ kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+ kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
+ kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
+ admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
+ @{
-@node Create the Database, Add Administrators to the Acl File, Edit the Configuration Files, Install the Master KDC
+[logging]
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmin.log
+ default = FILE:/var/log/krb5lib.log
+@end group
+@end smallexample
+
+@node kdc.conf, Create the Database, krb5.conf, Install the Master KDC
+@subsubsection kdc.conf
+
+@include kdcconf.texinfo
+
+@node Create the Database, Add Administrators to the Acl File, kdc.conf, Install the Master KDC
@subsubsection Create the Database
You will use the @code{kdb5_util} command @emph{on the Master KDC} to
authenticate the KDC to itself automatically before starting the
@code{kadmind} and @code{krb5kdc} daemons (@i{e.g.,} as part of the
machine's boot sequence). The stash file, like the keytab file
-(@xref{The Keytab File}) is a potential point-of-entry for a break-in,
+(see @xref{The Keytab File}, for more information) is a potential
+point-of-entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk. The file
backup data is secured as tightly as access to the master password
itself.
+If you choose not to install a stash file, the KDC will prompt you for
+the master key each time it starts up. This means that the KDC will
+not be able to start automatically, such as after a system reboot.
+
Note that @code{kdb5_util} will prompt you for the master key for the
Kerberos database. This key can be any string. A good key is one you
can remember, but that no one else can guess. Examples of bad keys are
especially a famous person (or cartoon character), your username in any
form (@i{e.g.}, forward, backward, repeated twice, @i{etc.}), and any of
the sample keys that appear in this manual. One example of a key which
-would be good if it did not appear in this manual is ``MITiys4K5!'',
-which represents the sentence ``@value{COMPANY} is your source for
-Kerberos 5!'' (It's the first letter of each word, substituting the
-numeral ``4'' for the word ``for'', and includes the punctuation mark at
-the end.)
+might be good if it did not appear in this manual is ``MITiys4K5!'',
+which represents the sentence ``MIT is your source for Kerberos 5!''
+(It's the first letter of each word, substituting the numeral ``4'' for
+the word ``for'', and includes the punctuation mark at the end.)
The following is an example of how to create a Kerberos database and
stash file on the master KDC, using the @code{kdb5_util} command. (The
@b{Enter KDC database master key:} @i{<= Type the master password.}
@b{Re-enter KDC database master key to verify:} @i{<= Type it again.}
@end ifinfo
+@ifhtml
+@b{Enter KDC database master key:} @i{<= Type the master password.}
+@b{Re-enter KDC database master key to verify:} @i{<= Type it again.}
+@end ifhtml
@b{shell%}
@end group
@end smallexample
@subsubsection Add Administrators to the Acl File
Next, you need create an Access Control List (acl) file, and put the
-Kerberos principal of at least one of the administrators into it. The
-filename should match the value you have set for ``acl_file'' in your
-@code{kdc.conf} file. The default file name is @samp{kadm5.acl}. The
-format of the file is:
+Kerberos principal of at least one of the administrators into it. This
+file is used by the @code{kadmind} daemon to control which principals
+may view and make privileged modifications to the Kerberos database
+files. The filename should match the value you have set for
+``acl_file'' in your @code{kdc.conf} file. The default file name is
+@samp{@value{DefaultAclFile}}.
-@smallexample
-Kerberos principal permissions optional target principal
-@end smallexample
-
-The Kerberos principal (and optional target principal) can include the
-``@b{*}'' wildcard, so if you want any principal with the instance
-``admin'' to have full permissions on the database, you could use the
-principal ``@code{*/admin@@REALM}'' where ``REALM'' is your Kerberos
-realm.
-
-Note: a common use of an @i{admin} instance is so you can grant
-separate permissions (such as administrator access to the Kerberos
-database) to a separate Kerberos principal. For example, the user
-@code{@value{ADMINUSER}} might have a principal for his administrative
-use, called @code{@value{ADMINUSER}/admin}. This way,
-@code{@value{ADMINUSER}} would obtain @code{@value{ADMINUSER}/admin}
-tickets only when he actually needs to use those permissions. Refer to
-the @value{PRODUCT} Administrator's Guide or the @value{PRODUCT} User's
-Guide for more detailed explanations of @dfn{principals} and
-@dfn{instances}.
-
-The permissions (acls) recognized in the acl file
-are the following:
-
-@table @b
-@itemx a
-allows the addition of principals or policies in the database.
-@itemx A
-prohibits the addition of principals or policies in the database.
-@itemx d
-allows the deletion of principals or policies in the database.
-@itemx D
-prohibits the deletion of principals or policies in the database.
-@itemx m
-allows the modification of principals or policies in the database.
-@itemx M
-prohibits the modification of principals or policies in the database.
-@itemx c
-allows the changing of passwords for principals in the database.
-@itemx C
-prohibits the changing of passwords for principals in the database.
-@itemx i
-allows inquiries to the database.
-@itemx I
-prohibits inquiries to the database.
-@itemx l
-allows the listing of principals or policies in the database.
-@itemx L
-prohibits the listing of principals or policies in the database.
-@itemx *
-Short for all privileges (admcil).
-@itemx x
-Short for all privileges (admcil); identical to ``*''.
-@end table
-
-To give the principal @code{*/admin@@@value{PRIMARYREALM}} permission to
-change all of the database permissions on any principal permissions, you
-would place the following line in the file:
-
-@smallexample
-*/admin@@@value{PRIMARYREALM} *
-@end smallexample
+@include kadm5acl.texinfo
-To give the principal @code{@value{ADMINUSER}@@@value{PRIMARYREALM}}
-permission to add, list, and inquire about any principal that has the
-instance ``root'', you would add the following line to the acl file:
-
-@smallexample
-@value{ADMINUSER}@@@value{PRIMARYREALM} ali */root@@@value{PRIMARYREALM}
-@end smallexample
-
-@node Add Administrators to the Kerberos Database, Create a kadmind Keytab, Add Administrators to the Acl File, Install the Master KDC
+@node Add Administrators to the Kerberos Database, Create a kadmind Keytab (optional), Add Administrators to the Acl File, Install the Master KDC
@subsubsection Add Administrators to the Kerberos Database
Next you need to add administrative principals to the Kerberos database.
(You must add at least one now.) To do this, use @code{kadmin.local}
-@emph{on the master KDC}, as in the following example:
+@emph{on the master KDC}. The administrative principals you create
+should be the ones you added to the ACL file. (See @xref{Add
+Administrators to the Acl File}.) In the following example, the
+administration principal @code{admin/admin} is created:
@smallexample
@group
@b{shell%} @value{ROOTDIR}/sbin/kadmin.local
@b{kadmin.local:} addprinc admin/admin@@@value{PRIMARYREALM}
-@b{WARNING: no policy specified for "admin/admin@@@value{PRIMARYREALM}";
-defaulting to no policy.}
+@b{NOTICE: no policy specified for "admin/admin@@@value{PRIMARYREALM}";
+assigning "default".}
@iftex
@b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Enter a password.}
Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{@doubleleftarrow{} Type it again.}
@b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.}
Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.}
@end ifinfo
+@ifhtml
+@b{Enter password for principal admin/admin@@@value{PRIMARYREALM}:} @i{<= Enter a password.}
+Re-enter password for principal admin/admin@@@value{PRIMARYREALM}: @i{<= Type it again.}
+@end ifhtml
@b{Principal "admin/admin@@@value{PRIMARYREALM}" created.
kadmin.local:}
@end group
@end smallexample
-@node Create a kadmind Keytab, Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
-@subsubsection Create a kadmind Keytab
-The kadmind keytab is the key that kadmind will use to decrypt
-administrators' Kerberos tickets to determine whether or not it should
-give them access to the database. You need to create the kadmin keytab
-with entries for the principals @code{kadmin/admin} and
+
+@node Create a kadmind Keytab (optional), Start the Kerberos Daemons, Add Administrators to the Kerberos Database, Install the Master KDC
+@subsubsection Create a kadmind Keytab (optional)
+
+The kadmind keytab is the key that the legacy admininstration daemons
+@code{kadmind4} and @code{v5passwdd} will use to decrypt
+administrators' or clients' Kerberos tickets to determine whether or
+not they should have access to the database. You need to create the
+kadmin keytab with entries for the principals @code{kadmin/admin} and
@code{kadmin/changepw}. (These principals are placed in the Kerberos
database automatically when you create it.) To create the kadmin
-keytab, run @code{kadmin.local} and use the @code{ktadd} command, as in
-the following example. (The line beginning with @result{} is a
+keytab, run @code{kadmin.local} and use the @code{ktadd} command, as
+in the following example. (The line beginning with @result{} is a
continuation of the previous line.):
@smallexample
@b{shell%} @value{ROOTDIR}/sbin/kadmin.local
@b{kadmin.local:} ktadd -k @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
@result{} kadmin/admin kadmin/changepw
-@b{Entry for principal kadmin/admin@@@value{PRIMARYREALM} with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab.
-Entry for principal kadmin/changepw@@@value{PRIMARYREALM} with
- kvno 3, encryption type DES-CBC-CRC added to keytab
- WRFILE:@value{ROOTDIR}/var/krb5kdc/kadm5.keytab.
+@b{ Entry for principal kadmin/admin with kvno 5, encryption
+ type Triple DES cbc mode with HMAC/sha1 added to keytab
+ WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
+Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode
+ with CRC-32 added to keytab
+ WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
+Entry for principal kadmin/changepw with kvno 5, encryption
+ type Triple DES cbc mode with HMAC/sha1 added to keytab
+ WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
+Entry for principal kadmin/changepw with kvno 5,
+ encryption type DES cbc mode with CRC-32 added to keytab
+ WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
kadmin.local:} quit
@b{shell%}
@end group
@noindent
As specified in the @samp{-k} argument, @code{ktadd} will save the
-extracted keytab as @code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}.
+extracted keytab as @* @code{@value{ROOTDIR}/var/krb5kdc/kadm5.keytab}.
The filename you use must be the one specified in your @code{kdc.conf}
file.
@need 2000
-@node Start the Kerberos Daemons, , Create a kadmind Keytab, Install the Master KDC
+@node Start the Kerberos Daemons, , Create a kadmind Keytab (optional), Install the Master KDC
@subsubsection Start the Kerberos Daemons on the Master KDC
At this point, you are ready to start the Kerberos daemons on the Master
to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to
have a stash file in order to do this.
+You can verify that they started properly by checking for their startup
+messages in the logging locations you defined in @code{/etc/krb5.conf}.
+(@xref{Edit the Configuration Files}.) For example:
+
+@smallexample
+@b{shell%} tail /var/log/krb5kdc.log
+Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
+@b{shell%} tail /var/log/kadmin.log
+Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
+@end smallexample
+
+Any errors the daemons encounter while starting will also be listed in
+the logging output.
+
+
@node Install the Slave KDCs, Back on the Master KDC, Install the Master KDC, Installing KDCs
@subsection Install the Slave KDCs
@smallexample
@group
@b{shell%} @value{ROOTDIR}/sbin/kadmin
-@b{kadmin:} addprinc -randpass host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}
-@b{WARNING: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
-defaulting to no policy.
+@b{kadmin:} addprinc -randkey host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}
+@b{NOTICE: no policy specified for "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
+assigning "default"
Principal "host/@value{KDCSERVER}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.
-kadmin:} addprinc -randpass host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
-@b{WARNING: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
-defaulting to no policy.
+kadmin:} addprinc -randkey host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
+@b{NOTICE: no policy specified for "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
+assigning "default"
Principal "host/@value{KDCSLAVE1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.}
-@b{kadmin:} addprinc -randpass host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
-@b{WARNING: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
-defaulting to no policy.
+@b{kadmin:} addprinc -randkey host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}
+@b{NOTICE: no policy specified for "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}";
+assigning "default"
Principal "host/@value{KDCSLAVE2}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}" created.
kadmin:}
@end group
@end smallexample
@need 1000
-Then, add the following lines to @code{/etc/inetd.conf} file on each KDC
-(the line beginnng with @result{} is a continuation of the previous
-line):
+Then, add the following line to @code{/etc/inetd.conf} file on each KDC:
@smallexample
@group
krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -k -c -e
@end group
@end smallexample
@noindent
-The first line sets up the @code{kpropd} database propagation daemon.
-The second line sets up the @code{eklogin} daemon, allowing
-Kerberos-authenticated, encrypted rlogin to the KDC.
-
You also need to add the following lines to @code{/etc/services} on each
KDC:
kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
-kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
-kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
-eklogin 2105/tcp # Kerberos encrypted rlogin
+kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
+kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
@end group
@end smallexample
kdclist = "@value{KDCSLAVE1}.@value{PRIMARYDOMAIN} @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}"
-@value{ROOTDIR}/sbin/kdb5_util -R "dump
+@value{ROOTDIR}/sbin/kdb5_util "dump
@result{} @value{ROOTDIR}/var/krb5kdc/slave_datatrans"
for kdc in $kdclist
@ifinfo
@b{Enter KDC database master key:} @i{<= Enter the database master key.}
@end ifinfo
+@ifhtml
+@b{Enter KDC database master key:} @i{<= Enter the database master key.}
+@end ifhtml
@b{shell%}
@end group
@end smallexample
@code{kadmin} to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described fully in the
``Adding or Modifying Principals'' section of the @value{PRODUCT} System
-Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs} for a
+Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs}, for a
brief description.) The keytab is generated by running @code{kadmin}
and issuing the @code{ktadd} command.
root access through a security hole in any of those areas could gain
access to the Kerberos database.
-@need 4700
-@value{COMPANY} recommends that your KDCs use the following
-@code{/etc/inetd.conf} file. (Note: each line beginning with @result{}
-is a continuation of the previous line.):
-
-@smallexample
-@group
-#
-# Configuration file for inetd(1M). See inetd.conf(4).
-#
-# To re-configure the running inetd process, edit this file, then
-# send the inetd process a SIGHUP.
-#
-# Syntax for socket-based Internet services:
-# <service_name> <socket_type> <proto> <flags> <user>
-@result{} <server_pathname> <args>
-#
-# Syntax for TLI-based Internet services:
-#
-# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
-#
-# Ftp and telnet are standard Internet services.
-#
-# This machine is a secure Kerberos Key Distribution Center (KDC).
-# Services are limited.
-#
-#
-# Time service is used for clock synchronization.
-#
-time stream tcp nowait root internal
-time dgram udp wait root internal
-#
-# Limited Kerberos services
-#
-krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -5 -c -e
-@end group
-@end smallexample
-
-@node Switching Master and Slave KDCs, , Limit Access to the KDCs, Installing KDCs
+@node Switching Master and Slave KDCs, Incremental Database Propagation, Limit Access to the KDCs, Installing KDCs
@subsection Switching Master and Slave KDCs
You may occasionally want to use one of your slave KDCs as the master.
@item
Run your database propagation script manually, to ensure that the slaves
all have the latest copy of the database. (@xref{Propagate the Database
-to Each Slave KDC}.)
+to Each Slave KDC}.) If there is a need to preserve per-principal
+policy information from the database, you should do a ``kdb5_util dump
+-ov'' in order to preserve that information and propogate that dump file
+securely by some means to the slave so that its database has the correct
+state of the per-principal policy information.
@end enumerate
On the @emph{new} master KDC:
@enumerate
@item
-Create a database keytab. (@xref{Create a kadmind Keytab}.)
+Create a database keytab. (@xref{Create a kadmind Keytab (optional)}.)
@item
Start the @code{kadmind} daemon. (@xref{Start the Kerberos Daemons}.)
Switch the CNAMEs of the old and new master KDCs. (If you don't do
this, you'll need to change the @code{krb5.conf} file on every client
machine in your Kerberos realm.)
+
@end enumerate
+@node Incremental Database Propagation, , Switching Master and Slave KDCs, Installing KDCs
+@subsection Incremental Database Propagation
+
+At some very large sites, dumping and transmitting the database can
+take more time than is desirable for changes to propagate from the
+master KDC to the slave KDCs. The incremental propagation support
+added in the 1.7 release is intended to address this.
+
+With incremental propagation enabled, all programs on the master KDC
+that change the database also write information about the changes to
+an ``update log'' file, maintained as a circular buffer of a certain
+size. A process on each slave KDC connects to a service on the master
+KDC (currently implemented in the @code{kadmind} server) and
+periodically requests the changes that have been made since the last
+check. By default, this check is done every two minutes. If the
+database has just been modified in the previous several seconds
+(currently the threshold is hard-coded at 10 seconds), the slave will
+not retrieve updates, but instead will pause and try again soon after.
+This reduces the likelihood that incremental update queries will cause
+delays for an administrator trying to make a bunch of changes to the
+database at the same time.
+
+Incremental propagation uses the following entries in the per-realm
+data in the KDC config file:
+
+@table @asis
+@item @code{iprop_enable} (boolean)
+If this is set to @code{true}, then incremental propagation is
+enabled, and (as noted below) normal @code{kprop} propagation is
+disabled. The default is @code{false}.
+
+@item @code{iprop_master_ulogsize} (integer)
+This indicates the number of entries that should be retained in the
+update log. The default is 1000; the maximum number is 2500.
+
+@item @code{iprop_slave_poll} (time interval)
+This indicates how often the slave should poll the master KDC for
+changes to the database. The default is two minutes.
+
+@item @code{iprop_port} (integer)
+This specifies the port number to be used for incremental
+propagation. This is required in both master and slave configuration
+files.
+
+@item @code{iprop_logfile} (file name)
+This specifies where the update log file for the realm database is to
+be stored. The default is to use the @code{database_name} entry from
+the @code{realms} section of the config file, with @file{.ulog} appended.
+(NOTE: If @code{database_name} isn't specified in the @code{realms}
+section, perhaps because the LDAP database back end is being used, or
+the file name is specified in the @code{dbmodules} section, then the
+hard-coded default for @code{database_name} is used. Determination of
+the @code{iprop_logfile} default value will not use values from the
+@code{dbmodules} section.)
+@end table
+
+Both master and slave sides must have principals named
+@code{kiprop/@var{hostname}} (where @var{hostname} is, as usual, the
+lower-case, fully-qualified, canonical name for the host) registered
+and keys stored in the default keytab file (@file{/etc/krb5.keytab}).
+@c XXX: I think the master side, at least, might be able to read the
+@c key out of the database. Test and document this.
+
+On the master KDC side, the @code{kiprop/@var{hostname}} principal
+must be listed in the @code{kadmind} ACL file @code{kadm5.acl}, and
+given the @code{p} privilege.
+
+On the slave KDC side, @code{kpropd} should be run. When incremental
+propagation is enabled, it will connect to the @code{kadmind} on the
+master KDC and start requesting updates.
+
+The normal @code{kprop} mechanism is disabled by the incremental
+propagation support. However, if the slave has been unable to fetch
+changes from the master KDC for too long (network problems, perhaps),
+the log on the master may wrap around and overwrite some of the
+updates that the slave has not yet retrieved. In this case, the slave
+will instruct the master KDC to dump the current database out to a
+file and invoke a one-time @code{kprop} propagation, with special
+options to also convey the point in the update log at which the slave
+should resume fetching incremental updates. Thus, all the keytab and
+ACL setup previously described for @code{kprop} propagation is still
+needed.
+
+There are several restrictions in the current implementation:
+
+@itemize
+@item
+Changes to password policy objects are not propagated incrementally.
+Changes to which policy applies to a principal are propagated.
+@item
+The master and slave must be able to initiate TCP connections in both
+directions, without an intervening NAT.
+@item
+If the slave has an IPv6 interface address but needs to accept
+connections over IPv4, the operating system needs ``dual stack'' support
+(i.e. the ability to accept IPv6 and IPv4 connections on a single IPv6
+listener socket). At this time, all modern Unix-like operating systems
+have dual stack support except OpenBSD.
+@end itemize
+
+@menu
+* Sun/MIT Incremental Propagation Differences::
+@end menu
+
+@node Sun/MIT Incremental Propagation Differences, , Incremental Database Propagation, Incremental Database Propagation
+@subsubsection Sun/MIT Incremental Propagation Differences
+
+Sun donated the original code for supporting incremental database
+propagation to MIT. Some changes have been made in the MIT source
+tree that will be visible to administrators. (These notes are based
+on Sun's patches. Changes to Sun's implementation since then may not
+be reflected here.)
+
+The Sun config file support looks for @code{sunw_dbprop_enable},
+@code{sunw_dbprop_master_ulogsize}, and @code{sunw_dbprop_slave_poll}.
+
+The incremental propagation service is implemented as an ONC RPC
+service. In the Sun implementation, the service is registered with
+@code{rpcbind} (also known as @code{portmapper}) and the client looks
+up the port number to contact. In the MIT implementation, where
+interaction with some modern versions of @code{rpcbind} doesn't always
+work well, the port number must be specified in the config file on
+both the master and slave sides.
+
+The Sun implementation hard-codes pathnames in @file{/var/krb5} for
+the update log and the per-slave @code{kprop} dump files. In the MIT
+implementation, the pathname for the update log is specified in the
+config file, and the per-slave dump files are stored in
+@code{@value{ROOTDIR}/var/krb5kdc/slave_datatrans_@var{hostname}}.
+
@node Installing and Configuring UNIX Client Machines, UNIX Application Servers, Installing KDCs, Installing Kerberos V5
@section Installing and Configuring UNIX Client Machines
@node Client Programs, Client Machine Configuration Files, Installing and Configuring UNIX Client Machines, Installing and Configuring UNIX Client Machines
@subsection Client Programs
-The Kerberized client programs are @code{login.krb5}, @code{rlogin},
-@code{telnet}, @code{ftp}, @code{rcp}, @code{rsh}, @code{kinit},
-@code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ksu}, and
-@code{krb524init}. All of these programs are in the directory
-@code{@value{ROOTDIR}/bin}, except for @code{login.krb5} which is in
-@code{@value{ROOTDIR}/sbin}.
-
-You will probably want to have your users put @code{@value{ROOTDIR}/bin}
-ahead of @code{/bin} and @code{/usr/bin} in their paths, so they will by
-default get the @value{PRODUCT} versions of @code{rlogin},
-@code{telnet}, @code{ftp}, @code{rcp}, and @code{rsh}.
+The Kerberized client programs are @code{kinit}, @code{klist},
+@code{kdestroy}, @code{kpasswd}, and @code{ksu}. All of these programs
+are in the directory @code{@value{ROOTDIR}/bin}.
@value{COMPANY} recommends that you use @code{login.krb5} in place of
@code{/bin/login} to give your users a single-sign-on system. You will
they log in.
You will also need to educate your users to use the ticket management
-programs @code{kinit},
-@c @code{krb524init},
-@code{klist}, @code{kdestroy}, and to use the Kerberos programs
-@c @code{pfrom},
-@code{ksu}, and @code{kpasswd} in place of their non-Kerberos
-counterparts
-@c @code{from}
-@code{su}, @code{passwd}, and @code{rdist}.
+programs @code{kinit}, @code{klist}, @code{kdestroy}, and to use the
+Kerberos programs @code{ksu} and @code{kpasswd} in place of their
+non-Kerberos counterparts @code{su} and @code{passwd}.
@node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines
@subsection Client Machine Configuration Files
Each machine running Kerberos must have a @code{/etc/krb5.conf} file.
-(@xref{krb5.conf})
+(@xref{krb5.conf}.)
@need 4000
-Also, you must add the appropriate Kerberos services to each client
-machine's @code{/etc/services} file. If you are using the default
-configuration for @value{PRODUCT}, you should be able to just insert the
-following code:
+Also, for most UNIX systems, you must add the appropriate Kerberos
+services to each client machine's @code{/etc/services} file. If you are
+using the default configuration for @value{PRODUCT}, you should be able
+to just insert the following code:
@smallexample
@group
-#
-# Note --- if you are using Kerberos V4 and you either:
-#
-# (a) haven't converted all your master or slave KDCs to V5, or
-#
-# (b) are worried about inter-realm interoperability with other KDC's
-# that are still using V4
-#
-# you will need to switch the "kerberos" service to port 750 and create a
-# "kerberos-sec" service on port 88.
-#
-kerberos 88/udp kdc # Kerberos V5 KDC
-kerberos 88/tcp kdc # Kerberos V5 KDC
-klogin 543/tcp # Kerberos authenticated rlogin
-kshell 544/tcp cmd # and remote shell
-kerberos-adm 749/tcp # Kerberos 5 admin/changepw
-kerberos-adm 749/udp # Kerberos 5 admin/changepw
-krb5_prop 754/tcp # Kerberos slave propagation
-@c kpop 1109/tcp # Pop with Kerberos
-eklogin 2105/tcp # Kerberos auth. & encrypted rlogin
-krb524 4444/tcp # Kerberos 5 to 4 ticket translator
+kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC
+kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
+kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw
+kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw
+krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation
+krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator
@end group
@end smallexample
-@noindent As described in the comments in the above code, if your master
-KDC or any of your slave KDCs is running Kerberos V4, (or if you will be
-authenticating to any Kerberos V4 KDCs in another realm) you will need
-to switch the port number for @code{kerberos} to 750 and create a
-@code{kerberos-sec} service (tcp and udp) on port 88, so the Kerberos
-V4 KDC(s) will continue to work properly.
-
-@node UNIX Application Servers, , Installing and Configuring UNIX Client Machines, Installing Kerberos V5
-@section UNIX Application Servers
-
-An application server is a host that provides one or more services over
-the network. Application servers can be ``secure'' or ``insecure.'' A
-``secure'' host is set up to require authentication from every client
-connecting to it. An ``insecure'' host will still provide Kerberos
-authentication, but will also allow unauthenticated clients to connect.
-
-If you have @value{PRODUCT} installed on all of your client machines,
-@value{COMPANY} recommends that you make your hosts secure, to take
-advantage of the security that Kerberos authentication affords.
-However, if you have some clients that do not have @value{PRODUCT}
-installed, you can run an insecure server, and still take advantage of
-@value{PRODUCT}'s single sign-on on capability.
-
@menu
-* Server Programs::
-* Server Configuration Files::
-* The Keytab File::
-* Some Advice about Secure Hosts::
+* Mac OS X Configuration::
@end menu
-@node Server Programs, Server Configuration Files, UNIX Application Servers, UNIX Application Servers
-@subsection Server Programs
+@node Mac OS X Configuration, , Client Machine Configuration Files, Client Machine Configuration Files
+@subsubsection Mac OS X Configuration
-Just as @value{PRODUCT} provided its own Kerberos-enhanced versions of
-client UNIX network programs, @value{PRODUCT} also provides
-Kerberos-enhanced versions of server UNIX network daemons. These are
-@code{ftpd}, @code{klogind}, @code{kshd}, and @code{telnetd}.
-@c @code{popper},
-These programs are installed in the directory
-@code{@value{ROOTDIR}/sbin}. You may want to add this directory to
-root's path.
+To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the
+directions for generic Unix-based OS's, except for the
+@code{/etc/services} updates described above.
-@node Server Configuration Files, The Keytab File, Server Programs, UNIX Application Servers
-@subsection Server Configuration Files
+Mac OS X and Mac OS X Server use a database called NetInfo to store
+the contents of files normally found in @code{/etc}. Instead of
+modifying @code{/etc/services}, you should run the following commands
+to add the Kerberos service entries to NetInfo:
-For a @emph{secure} server, make the following changes to
-@code{/etc/inetd.conf}:
+@smallexample
+@group
+$ niutil -create . /services/kerberos
+$ niutil -createprop . /services/kerberos name kerberos kdc
+$ niutil -createprop . /services/kerberos port 750
+$ niutil -createprop . /services/kerberos protocol tcp udp
+$ niutil -create . /services/krbupdate
+$ niutil -createprop . /services/krbupdate name krbupdate kreg
+$ niutil -createprop . /services/krbupdate port 760
+$ niutil -createprop . /services/krbupdate protocol tcp
+$ niutil -create . /services/kpasswd
+$ niutil -createprop . /services/kpasswd name kpasswd kpwd
+$ niutil -createprop . /services/kpasswd port 761
+$ niutil -createprop . /services/kpasswd protocol tcp
+$ niutil -create . /services/klogin
+$ niutil -createprop . /services/klogin port 543
+$ niutil -createprop . /services/klogin protocol tcp
+$ niutil -create . /services/eklogin
+$ niutil -createprop . /services/eklogin port 2105
+$ niutil -createprop . /services/eklogin protocol tcp
+$ niutil -create . /services/kshell
+$ niutil -createprop . /services/kshell name kshell krcmd
+$ niutil -createprop . /services/kshell port 544
+$ niutil -createprop . /services/kshell protocol tcp
+@end group
+@end smallexample
-Find and comment out any lines for the services @code{ftp},
-@code{telnet}, @code{shell}, @code{login}, and @code{exec}.
+In addition to adding services to NetInfo, you must also modify the
+resolver configuration in NetInfo so that the machine resolves its own
+hostname as a FQDN (fully qualified domain name). By default, Mac OS X
+and Mac OS X Server machines query NetInfo to resolve hostnames before
+falling back to DNS. Because NetInfo has an unqualified name for all
+the machines in the NetInfo database, the machine's own hostname will
+resolve to an unqualified name. Kerberos needs a FQDN to look up keys
+in the machine's keytab file.
-@need 1800
-Add the following lines. (Note: each line beginning with @result{} is
-a continuation of the previous line.)
+Fortunately, you can change the @code{lookupd} caching order to query
+DNS first. Run the following NetInfo commands and reboot the machine:
@smallexample
@group
-klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -k -c
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -k -c -e
-kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
-@result{} kshd -k -c -A
-ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
-@result{} ftpd -a
-telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
-@result{} telnetd -a valid
+$ niutil -create . /locations/lookupd/hosts
+$ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent
+ NIAgent NILAgent
@end group
@end smallexample
-For an @emph{insecure} server, make the following changes instead to
-@code{/etc/inetd.conf}:
+Once you have rebooted, you can verify that the resolver now behaves
+correctly. Compile the Kerberos 5 distribution and run:
-@need 1800
-Find and comment out any lines for the services @code{ftp} and
-@code{telnet}.
+@smallexample
+@group
+$ cd .../src/tests/resolve
+$ ./resolve
+@end group
+@end smallexample
+
+This will tell you whether or not your machine returns FQDNs on name
+lookups. If the test still fails, you can also try turning off DNS
+caching. Run the following commands and reboot:
-Add the following lines. (Note: each line beginning with @result{} is
-a continuation of the previous line.)
@smallexample
@group
-klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -k -c
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
-@result{} klogind -k -c -e
-kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
-@result{} kshd -k -c -A
-ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
-@result{} ftpd
-telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
-@result{} telnetd -a none
+$ niutil -create . /locations/lookupd/hosts
+$ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent
+ CacheAgent NIAgent NILAgent
@end group
@end smallexample
-@node The Keytab File, Some Advice about Secure Hosts, Server Configuration Files, UNIX Application Servers
+The remainder of the setup of a Mac OS X client machine or application
+server should be the same as for other UNIX-based systems.
+
+@node UNIX Application Servers, , Installing and Configuring UNIX Client Machines, Installing Kerberos V5
+@section UNIX Application Servers
+
+An application server is a host that provides one or more services over
+the network. Application servers can be ``secure'' or ``insecure.'' A
+``secure'' host is set up to require authentication from every client
+connecting to it. An ``insecure'' host will still provide Kerberos
+authentication, but will also allow unauthenticated clients to connect.
+
+If you have @value{PRODUCT} installed on all of your client machines,
+@value{COMPANY} recommends that you make your hosts secure, to take
+advantage of the security that Kerberos authentication affords.
+However, if you have some clients that do not have @value{PRODUCT}
+installed, you can run an insecure server, and still take advantage of
+@value{PRODUCT}'s single sign-on capability.
+
+@menu
+* The Keytab File::
+* Some Advice about Secure Hosts::
+@end menu
+
+@node The Keytab File, Some Advice about Secure Hosts, UNIX Application Servers, UNIX Application Servers
@subsection The Keytab File
All Kerberos server machines need a @dfn{keytab} file, called
-@code{/etc/krb5.keytab} (@xref{Upgrading the application servers}), to
-authenticate to the KDC. The keytab file is an encrypted, local,
-on-disk copy of the host's key. The keytab file, like the stash file
-(@ref{Create the Database}) is a potential point-of-entry for a
-break-in, and if compromised, would allow unrestricted access to its
-host. The keytab file should be readable only by root, and should exist
-only on the machine's local disk. The file should not be part of any
-backup of the machine, unless access to the backup data is secured as
-tightly as access to the machine's root password itself.
+@code{/etc/krb5.keytab}, to authenticate to the KDC. The keytab file is
+an encrypted, local, on-disk copy of the host's key. The keytab file,
+like the stash file (@ref{Create the Database}) is a potential
+point-of-entry for a break-in, and if compromised, would allow
+unrestricted access to its host. The keytab file should be readable
+only by root, and should exist only on the machine's local disk. The
+file should not be part of any backup of the machine, unless access to
+the backup data is secured as tightly as access to the machine's root
+password itself.
In order to generate a keytab for a host, the host must have a principal
in the Kerberos database. The procedure for adding hosts to the
database is described fully in the ``Adding or Modifying Principals''
section of the @cite{@value{PRODUCT} System Administrator's Guide}.
-@xref{Create Host Keys for the Slave KDCs} for a brief description.)
+@xref{Create Host Keys for the Slave KDCs}. for a brief description.)
The keytab is generated by running @code{kadmin} and issuing the
@code{ktadd} command.
If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (@code{trillium}, in the
-above example) without sending it unencrypted over the network. If you
-have installed the @value{PRODUCT} client programs, you can use
-encrypted @code{rcp}.
+above example) without sending it unencrypted over the network.
@node Some Advice about Secure Hosts, , The Keytab File, UNIX Application Servers
@subsection Some Advice about Secure Hosts
possible attack, but it is worth noting some of the larger holes and how
to close them.
-As stated earlier in this section, @value{COMPANY} recommends that on a
-secure host, you disable the standard @code{ftp}, @code{login},
-@code{telnet}, @code{shell}, and @code{exec} services in
-@code{/etc/inetd.conf}. We also recommend that secure hosts have an empty
-@code{/etc/hosts.equiv} file and that there not be a @code{.rhosts} file
-in @code{root}'s home directory. You can grant Kerberos-authenticated
-root access to specific Kerberos principals by placing those principals
-in the file @code{.k5login} in root's home directory.
-
We recommend that backups of secure machines exclude the keytab file
(@code{/etc/krb5.keytab}). If this is not possible, the backups should
at least be done locally, rather than over a network, and the backup
tapes should be physically secured.
-Finally, the keytab file and any programs run by root, including the
+The keytab file and any programs run by root, including the
@value{PRODUCT} binaries, should be kept on local disk. The keytab file
should be readable only by root.
@node Upgrading Existing Kerberos V5 Installations, Bug Reports for Kerberos V5, Installing Kerberos V5, Top
@chapter Upgrading Existing @value{PRODUCT} Installations
-@menu
-* Upgrading existing Master and Slave KDCs to the current release::
-* Upgrading the application servers::
-@end menu
-
-@node Upgrading existing Master and Slave KDCs to the current release, Upgrading the application servers, Upgrading Existing Kerberos V5 Installations, Upgrading Existing Kerberos V5 Installations
-@section Upgrading existing Master and Slave KDCs to the current release
-
If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
-current release with the @code{kdb5_util} command. As of Kerberos 5
-version 1.0, this upgrade process is only necessary if you are using a
-Kerberos database created with Kerberos 5 beta 6 or earlier; newer
-installations can continue to be used without modification. The process
-for upgrading a Master KDC involves the following steps (the lines
-beginning with => indicate a continuation of the previous line):
+current release with the @code{kdb5_util} command. It is only
+necessary to perform this dump/undump procedure if you were running a
+krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you
+were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer
+KDC. The process for upgrading a Master KDC involves the following
+steps:
@enumerate
-@item Stopping your current KDC and administration
+@item Stop your current KDC and administration
server processes, if any.
-@item Dumping your existing Kerberos database to an ASCII file with
-@code{kdb5_edit}'s ``dump'' command:
-
-@smallexample
-@group
-@b{shell%} kdb5_edit -r @value{PRIMARYREALM} -R 'dump_db' >
-@result{} @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
-@b{shell%}
-@end group
-@end smallexample
-
-@item If you were using OpenV*Secure or AXXiON*Authenticate, dumping your
-policy database to an ASCII file with the @code{ovsec_adm_export}
-command:
+@item Dump your existing Kerberos database to an ASCII file with
+@code{kdb5_util}'s ``dump'' command:
@smallexample
@group
-@b{shell%} ovsec_adm_export -r @value{PRIMARYREALM} >
-@result{} @value{ROOTDIR}/var/krb5kdc/old-adb-dump
+@b{shell%} cd @value{ROOTDIR}/var/krb5kdc
+@b{shell%} kdb5_util dump old-kdb-dump
+@b{shell%} kdb5_util dump -ov old-kdb-dump.ov
@b{shell%}
@end group
@end smallexample
-@item Creating a new Master KDC installation (@xref{Install the Master
-KDC}). If you have a stash file for your current database, choose any
+@item Create a new Master KDC installation (@xref{Install the Master
+KDC}.). If you have a stash file for your current database, choose any
new master password but then copy your existing stash file to the
location specified by your kdc.conf; if you do not have a stash file for
your current database, you must choose the same master password.
@smallexample
@group
-@b{shell%} kdb5_util load @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
-@b{shell%}
-@end group
-@end smallexample
-
-@item If you were using OpenV*Secure or AXXiON*Authenticate, merging
-your policy database with @code{kdb5_util}'s ``load'' command with the
-``-update'' option:
-
-@smallexample
-@group
-@b{shell%} kdb5_util load -update @value{ROOTDIR}/var/krb5kdc/old-adb-dump
+@b{shell%} cd @value{ROOTDIR}/var/krb5kdc
+@b{shell%} kdb5_util load old-kdb-dump
+@b{shell%} kdb5_util load -update old-kdb-dump.ov
@b{shell%}
@end group
@end smallexample
@end enumerate
-The process for upgrading a Slave KDC is simpler. All you have to do is
-make sure that the stash file on the Slave KDC is correct, stop the old
-server processes on the Slave KDC, install the new server binaries, and
-re-start the server processes. The Slave KDC database will be upgraded
-automatically when the next propagation is run. Note that if you
-changed your master key when creating your new Master KDC database, you
-will have to run a Slave KDC propagation before you can restart the
-server processes on the Slave KDC itself; otherwise, the new stash file
-that you create on the slave will not match the old database that exists
-until the propagation occurs, and the server processes will not start.
-
-@node Upgrading the application servers, , Upgrading existing Master and Slave KDCs to the current release, Upgrading Existing Kerberos V5 Installations
-@section Upgrading the application servers
-
-The default keytab name has changed from @code{/etc/v5srvtab} to
-@code{/etc/krb5.keytab}. You should rename the old keytab files on all
-of your application servers when you update their server binaries.
-Alternatively, you may add a relation to the library configuration file
-to override the new name, for example:
+The ``dump -ov'' and ``load -update'' commands are necessary in order to
+preserve per-principal policy information, since the default dump format
+filters out that information. If you omit those steps, the loaded
+database database will lose the policy information for each principal
+that has a policy.
-@smallexample
-@group
-[libdefaults]
- default_keytab_name = /etc/v5srvtab
-@end group
-@end smallexample
-
-The keytab name defaulted to /etc/v5srvtab in prior releases of Kerberos
-V5. It was called a @dfn{srvtab} in Kerberos V4. The @code{v5srvtab}
-file has been renamed to @code{krb5.keytab} to reflect the change in
-terminology.
-
-@node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top
-@chapter Bug Reports for @value{PRODUCT}
-@include bug-report.texinfo
-
-@node Files, , Bug Reports for Kerberos V5, Top
-@appendix Files
+To update a Slave KDC, you must stop the old server processes on the
+Slave KDC, install the new server binaries, reload the most recent slave
+dump file, and re-start the server processes.
@menu
-* krb5.conf::
-* kdc.conf::
+* Upgrading to Triple-DES and RC4 Encryption Keys::
@end menu
-@node krb5.conf, kdc.conf, Files, Files
-@appendixsec krb5.conf
-
-Here is an example @code{krb5.conf} file:
-
-@smallexample
-@group
-[libdefaults]
- ticket_lifetime = 600
- default_realm = @value{PRIMARYREALM}
- default_tkt_enctypes = des-cbc-crc
- default_tgs_enctypes = des-cbc-crc
-
-[realms]
- @value{PRIMARYREALM} = @{
- kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:88
- kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}:88
- kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:88
- admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}:749
- default_domain = @value{PRIMARYDOMAIN}
- @}
-
-[domain_realm]
- .@value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
- @value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
-@end group
-@end smallexample
-
-For the KDCs, add a section onto the end of the @code{krb5.conf} file
-telling how logging information should be stored, as in the following
-example:
-
-@smallexample
-@group
-[logging]
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmin.log
- default = FILE:/var/log/krb5lib.log
-@end group
-@end smallexample
-
-@iftex
-@vfill
-@end iftex
-@page
-
-@node kdc.conf, , krb5.conf, Files
-@appendixsec kdc.conf
-
-Here's an example of a kdc.conf file:
-
-@smallexample
-@group
-[kdcdefaults]
- kdc_ports = 88,750
-
-[realms]
- @value{PRIMARYREALM} = @{
- database_name = @value{ROOTDIR}/var/krb5kdc/principal
- admin_keytab = @value{ROOTDIR}/var/krb5kdc/kadm5.keytab
- acl_file = @value{ROOTDIR}/var/krb5kdc/kadm5.acl
- dict_file = @value{ROOTDIR}/var/krb5kdc/kadm5.dict
- key_stash_file = @value{ROOTDIR}/var/krb5kdc/.k5.@value{PRIMARYREALM}
- kadmind_port = 749
- max_life = 10h 0m 0s
- max_renewable_life = 7d 0h 0m 0s
- master_key_type = des-cbc-crc
- supported_enctypes = des-cbc-crc:normal
- @}
-@end group
-@end smallexample
-
-To add Kerberos V4 support, change the @code{supported_enctypes} line to:
-
-@smallexample
- supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
-@end smallexample
-
-@menu
-* Encryption Types and Salt Types::
-@end menu
-
-@node Encryption Types and Salt Types, , kdc.conf, kdc.conf
-@appendixsubsec Encryption Types and Salt Types
-
-Currently, @value{PRODUCT} supports only DES encryption. The encoding
-type is @code{des-cbc-crc}. The @dfn{salt} is additional information
-encoded within the key that tells what kind of key it is. The only
-salts that you will be likely to encounter are:
-
-@itemize @bullet
-@item @dfn{normal}, which @value{COMPANY} recommends using for all of
-your @value{PRODUCT} keys
-
-@item @dfn{v4}, which is necessary only for compatibility with a v4 KDC
+@node Upgrading to Triple-DES and RC4 Encryption Keys, , Upgrading Existing Kerberos V5 Installations, Upgrading Existing Kerberos V5 Installations
+@section Upgrading to Triple-DES Encryption Keys
+
+Beginning with the 1.2 release from @value{COMPANY}, Kerberos includes
+a stronger encryption algorithm called ``triple DES'' -- essentially,
+three applications of the basic DES encryption algorithm, greatly
+increasing the resistance to a brute-force search for the key by an
+attacker. This algorithm is more secure, but encryption is much
+slower.
+
+Release 1.1 had some support for triple-DES service keys, but with
+release 1.2 we have added support for user keys and session keys as
+well. Release 1.0 had very little support for multiple cryptosystems,
+and some of that software may not function properly in an environment
+using triple-DES as well as plain DES.
+
+In the 1.3 release from @value{COMPANY}, Kerberos also includes the RC4
+encryption alogorithm, a stream cipher symmetric key algorithm
+developed in 1987 by Ronald Rivest at RSA Data Security. Please note
+that RC4 is not part of the IETF standard.
+
+Because of the way the MIT Kerberos database is structured, the KDC
+will assume that a service supports only those encryption types for
+which keys are found in the database. Thus, if a service has only a
+single-DES key in the database, the KDC will not issue tickets for that
+service that use triple-DES or RC4 session keys; it will instead issue
+only single-DES session keys, even if other services are already
+capable of using triple-DES or RC4. So if you make sure your
+application server software is updated before adding a triple-DES or
+RC4 key for the service, clients should be able to talk to services at
+all times during the updating process.
+
+Normally, the listed @code{supported_enctypes} in @code{kdc.conf} are
+all used when a new key is generated. You can control this with
+command-line flags to @code{kadmin} and @code{kadmin.local}. You may
+want to exclude triple-DES and RC4 by default until you have updated a
+lot of your application servers, and then change the default to include
+triple-DES and RC4. We recommend that you always include
+@code{des-cbc-crc} in the default list.
+
+@node Bug Reports for Kerberos V5, Copyright, Upgrading Existing Kerberos V5 Installations, Top
+@chapter Bug Reports for @value{PRODUCT}
-@item @dfn{afs}, which you will never need to generate, and which you will
-encounter only if you dump an AFS database into a Kerberos database
-@end itemize
+@include send-pr.texinfo
-Support for additional encryption types is planned in the future.
+@node Copyright, , Bug Reports for Kerberos V5, Top
+@appendix Copyright
+@include copyright.texinfo
@contents
@bye
projects / krb5.git / blobdiff