\input texinfo-suppl.tex % contains @doubleleftarrow{} definition
% this line must come *before* \input texinfo
\input texinfo @c -*-texinfo-*-
@setfilename krb5-admin.info
@settitle Kerberos V5 System Administrator's Guide
@setchapternewpage odd @c chapter begins on next odd page
@c @setchapternewpage on @c chapter begins on next page
@c @smallbook @c Format for 7" X 9.25" paper
@include definitions.texinfo
@set UPDATED June 16, 2000
@finalout @c don't print black warning boxes
@title @value{PRODUCT} System Administrator's Guide
@subtitle Release: @value{RELEASE}
@subtitle Document Edition: @value{EDITION}
@subtitle Last updated: @value{UPDATED}
@author @value{COMPANY}
@vskip 0pt plus 1filll
@comment node-name, next, previous, up
@node Top, Copyright, (dir), (dir)
This document describes how to administrate a @value{PRODUCT}
@c The master menu is updated using emacs19's M-x texinfo-all-menus-update
@c function. Don't forget to run M-x texinfo-every-node-update after
@c you add a new section or subsection, or after you've rearranged the
@c order of sections or subsections. Also, don't forget to add an @node
@c command before each @section or @subsection! All you need to enter
@c @node New Section Name
@c @section New Section Name
@c M-x texinfo-every-node-update will take care of calculating the
@c node's forward and back pointers.
@c ---------------------------------------------------------------------
* How Kerberos Works::
* Configuration Files::
* Administrating the Kerberos Database::
* Application Servers::
* Backups of Secure Hosts::
@node Copyright, Introduction, Top, Top
@include copyright.texinfo
@node Introduction, How Kerberos Works, Copyright, Top
* Why Should I use Kerberos?::
* Documentation for Kerberos V5::
* Overview of This Guide::
@node Why Should I use Kerberos?, Documentation for Kerberos V5, Introduction, Introduction
@section Why Should I use Kerberos?
Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on. Since studies have shown that half of the computer
security breaches in industry happen from @i{inside} firewalls,
@value{PRODUCT} from @value{COMPANY} will play a vital role in the
security of your network.
@node Documentation for Kerberos V5, Overview of This Guide, Why Should I use Kerberos?, Introduction
@section Documentation for @value{PRODUCT}
@include document-list.texinfo
@node Overview of This Guide, , Documentation for Kerberos V5, Introduction
@section Overview of This Guide
The next chapter describes how Kerberos works.
Chapter three describes administration of the principals in the Kerberos
Chapter four describes how you can use DNS in configuring your Kerberos realm.
Chapter five describes administrative programs for manipulating the
Kerberos database as a whole.
Chapter six describes issues to consider when adding an application
server to the database.
Chapter seven describes our problem reporting system.
The appendices include the list of Kerberos error messages, and a
complete list of the time zones understood by @code{kadmin}.
@node How Kerberos Works, Configuration Files, Introduction, Top
@chapter How Kerberos Works
This section provides a simplified description of a general user's
interaction with the Kerberos system. This interaction happens
transparently---users don't need to know and probably don't care about
what's going on---but Kerberos administrators might find a schematic
description of the process useful. This description glosses over a lot
of details; for more information, see @i{Kerberos: An Authentication
Service for Open Network Systems}, a paper presented at Winter USENIX
1988, in Dallas, Texas. This paper can be retrieved by FTP from
@code{athena-dist.mit.edu}, in the location:
@code{/pub/ATHENA/kerberos/doc/usenix.PS}.
* Network Services and Their Client Programs::
* The Kerberos Database::
* The Ticket-Granting Ticket::
* Network Services and the Master Database::
* The User/Kerberos Interaction::
@node Network Services and Their Client Programs, Kerberos Tickets, How Kerberos Works, How Kerberos Works
@section Network Services and Their Client Programs
In an environment that provides network services, you use @dfn{client}
programs to request @dfn{services} from @dfn{server} programs that are
somewhere on the network. Suppose you have logged in to a workstation
and you want to @samp{rlogin} to a typical UNIX host. You use the local
@samp{rlogin} client program to contact the remote machine's
@samp{rlogind} daemon.
@node Kerberos Tickets, The Kerberos Database, Network Services and Their Client Programs, How Kerberos Works
@section Kerberos Tickets
Under Kerberos, the @samp{klogind} daemon allows you to login to a
remote machine if you can provide @samp{klogind} a Kerberos ticket
which proves your identity. In addition to the ticket, you must also
have possession of the corresponding ticket session key. The
combination of a ticket and the ticket's session key is known as a credential.
Typically, a client program automatically obtains credentials
identifying the person using the client program. The credentials are
obtained from a Kerberos server that resides somewhere on the network.
A Kerberos server maintains a database of user, server, and password
@node The Kerberos Database, Kerberos Realms, Kerberos Tickets, How Kerberos Works
@section The Kerberos Database
Kerberos will give you credentials only if you have an entry in the
Kerberos server's @dfn{Kerberos database}. Your database entry includes
your Kerberos @dfn{principal} (an identifying string, which is often
just your username), and your Kerberos password. Every Kerberos user
must have an entry in this database.
@node Kerberos Realms, The Ticket-Granting Ticket, The Kerberos Database, How Kerberos Works
@section Kerberos Realms
Each administrative domain will have its own Kerberos database, which
contains information about the users and services for that particular
site or administrative domain. This administrative domain is the
@dfn{Kerberos realm}.
Each Kerberos realm will have at least one Kerberos server, where the
master Kerberos database for that site or administrative domain is
stored. A Kerberos realm may also have one or more @dfn{slave servers},
which have read-only copies of the Kerberos database that are
periodically propagated from the master server. For more details on how
this is done, see the ``Set Up the Slave KDCs for Database Propagation''
and ``Propagate the Database to Each Slave KDC'' sections of the
@value{PRODUCT} Installation Guide.
@node The Ticket-Granting Ticket, Network Services and the Master Database, Kerberos Realms, How Kerberos Works
@section The Ticket-Granting Ticket
The @samp{kinit} command prompts for your password. If you enter it
successfully, you will obtain a @dfn{ticket-granting ticket} and a
@dfn{ticket session key} which gives you the right to use the ticket.
This combination of the ticket and its associated key is known as your
@dfn{credentials}. As illustrated below, client programs use your
ticket-granting ticket credentials in order to obtain client-specific
credentials as needed.
Your credentials are stored in a @dfn{credentials cache}, which is often
just a file in @code{/tmp}. The credentials cache is also called the
@dfn{ticket file}, especially in Kerberos V4 documentation. Note,
however, that a credentials cache does not have to be stored in a file.
@node Network Services and the Master Database, The User/Kerberos Interaction, The Ticket-Granting Ticket, How Kerberos Works
@section Network Services and the Master Database
The master database also contains entries for all network services that
require Kerberos authentication. Suppose that your site has a machine,
@samp{laughter.@value{PRIMARYDOMAIN}}, that requires Kerberos
authentication from anyone who wants to @samp{rlogin} to it. The host's
Kerberos realm is @samp{@value{PRIMARYREALM}}.
This service must be registered in the Kerberos database, using the
proper service name, which in this case is the @dfn{principal}:
host/laughter.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
The @samp{/} character separates the Kerberos @dfn{primary} (in this
case, @samp{host}) from the @dfn{instance} (in this case,
@samp{laughter.@value{PRIMARYDOMAIN}}); the @samp{@@} character separates
the realm name (in this case, @samp{@value{PRIMARYREALM}}) from the rest
of the principal. The primary, @samp{host}, denotes the name or type of
the service that is being offered: generic host-level access to the
machine. The instance, @samp{laughter.@value{PRIMARYDOMAIN}}, names the
specific machine that is offering this service. There will generally be
many different machines, each offering one particular type of service,
and the instance serves to give each one of these servers a different
@node The Keytab File, , Network Services and the Master Database, Network Services and the Master Database
@subsection The Keytab File
For each service, there must also be a @dfn{service key} known only by
Kerberos and the service. On the Kerberos server, the service key is
stored in the Kerberos database.
On the server host, these service keys are stored in @dfn{key tables},
which are files known as @dfn{keytabs}.@footnote{Keytabs were called
@dfn{srvtabs} in Kerberos V4.} For example, the service keys used by
services that run as root are usually stored in the keytab file
@code{/etc/krb5.keytab}. @b{N.B.:} This service key is the equivalent
of the service's password, and must be kept secure. Data which is meant
to be read only by the service is encrypted using this key.
@node The User/Kerberos Interaction, Definitions, Network Services and the Master Database, How Kerberos Works
@section The User/Kerberos Interaction
Suppose that you walk up to a host intending to login to it, and then
@samp{rlogin} to the machine @samp{laughter}. Here's what happens:
You login to the workstation and use the @samp{kinit} command to get a
ticket-granting ticket. This command prompts you for your Kerberos
password. (On systems running the @value{PRODUCT} @samp{login} program,
this may be done as part of the login process, not requiring the user to
run a separate program.)
The @samp{kinit} command sends your request to the Kerberos master
server machine. The server software looks for your principal name's
entry in the Kerberos database.
If this entry exists, the Kerberos server creates and returns a
ticket-granting ticket and the key which allows you to use it, encrypted
by your password. If @samp{kinit} can decrypt the Kerberos reply using
the password you provide, it stores this ticket in a credentials cache
on your local machine for later use. The name of the credentials cache
can be specified in the @samp{KRB5CCNAME} environment variable. If this
variable is not set, the name of the file will be
@file{/tmp/krb5cc_<uid>}, where <uid> is your UNIX user-id, represented
Now you use the @samp{rlogin} client to access the machine
host% @b{rlogin laughter}
The @samp{rlogin} client checks your ticket file to see if you have a
ticket for the @samp{host} service for @samp{laughter}. You don't, so
@samp{rlogin} uses the credential cache's ticket-granting ticket to make
a request to the master server's ticket-granting service.
This ticket-granting service receives the request for a ticket for
@samp{host/laughter.@value{PRIMARYDOMAIN}}, and looks in the master
database for an entry for @samp{host/laughter.@value{PRIMARYDOMAIN}}.
If the entry exists, the ticket-granting service issues you a ticket for
that service. That ticket is also cached in your credentials cache.
The @samp{rlogin} client now sends that ticket to the @samp{laughter}
@samp{klogind} service program. The service program checks the ticket
by using its own service key. If the ticket is valid, it now knows your
identity. If you are allowed to login to @samp{laughter} (because your
username matches one in @file{/etc/passwd}, or your Kerberos principal is in
the appropriate @file{.k5login} file), @code{klogind} will let you
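The sequence above, modelled end to end as an added example (this is not code from the guide or from MIT Kerberos): a toy KDC, the kinit and rlogin client steps, and a klogind that verifies the ticket with its keytab key, checks the authenticator against a clock-skew window, and authorizes via a .k5login list. The cipher is a stand-in built from hashlib and hmac, and the realm, principal names, password and keys are constructed.

```python
import hashlib, hmac, json, os, time

CLOCKSKEW = 300  # seconds of clock difference this toy tolerates (the job of libdefaults clockskew)

def string2key(password, salt):
    """Stand-in for string-to-key: the salt makes equal passwords yield different keys."""
    return hashlib.sha256(salt.encode() + password.encode()).digest()

def _keystream(key, nonce, length):
    out = b""
    while len(out) < length:
        out += hashlib.sha256(key + nonce + len(out).to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key, obj):
    """Toy authenticated encryption (XOR keystream + HMAC tag); not a real Kerberos enctype."""
    nonce, data = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError when the blob was not sealed under this key or was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """The master server: principal name -> long-term key (constructed sample database)."""
    def __init__(self, realm, database):
        self.db = database
        self.tgs_key = database["krbtgt/%s@%s" % (realm, realm)]

    def as_exchange(self, client):
        # Steps 2-3: look the principal up; reply with a TGT (readable only with the TGS key)
        # and the TGT session key sealed under the client's own key. The password never
        # travels, so a spoofed KDC gets nothing from this request that it could decrypt.
        if client not in self.db:
            raise KeyError("no database entry for " + client)
        session = os.urandom(32).hex()
        tgt = encrypt(self.tgs_key, {"client": client, "key": session})
        return tgt, encrypt(self.db[client], {"key": session})

    def tgs_exchange(self, tgt, authenticator, service):
        # Step 5: open the TGT with the TGS key, check the authenticator under the TGT
        # session key, then issue a ticket for the service sealed under the service's key.
        tgt_body = decrypt(self.tgs_key, tgt)
        tgt_session = bytes.fromhex(tgt_body["key"])
        if decrypt(tgt_session, authenticator)["client"] != tgt_body["client"]:
            raise ValueError("authenticator does not match the TGT")
        if service not in self.db:
            raise KeyError("no database entry for " + service)
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.db[service], {"client": tgt_body["client"], "key": svc_session})
        return ticket, encrypt(tgt_session, {"key": svc_session})

def kinit(kdc, client, password, salt):
    """Step 1: obtain a TGT; the credentials cache is a plain dict in this model."""
    tgt, enc_part = kdc.as_exchange(client)
    try:
        session = decrypt(string2key(password, salt), enc_part)["key"]
    except ValueError:
        raise PermissionError("kinit: Password incorrect")
    return {"client": client, "tgt": tgt, "tgt_key": session, "tickets": {}}

def rlogin(kdc, ccache, service):
    """Step 4: reuse a cached service ticket or fetch one with the TGT, then build the AP request."""
    if service not in ccache["tickets"]:
        tgt_session = bytes.fromhex(ccache["tgt_key"])
        authenticator = encrypt(tgt_session, {"client": ccache["client"], "time": time.time()})
        ticket, enc_part = kdc.tgs_exchange(ccache["tgt"], authenticator, service)
        ccache["tickets"][service] = (ticket, decrypt(tgt_session, enc_part)["key"])
    ticket, key = ccache["tickets"][service]
    return ticket, encrypt(bytes.fromhex(key), {"client": ccache["client"], "time": time.time()})

def klogind(keytab_key, k5login, ticket, authenticator, now=None):
    """Step 6: verify the ticket with the service key from the keytab, then authorize."""
    tkt = decrypt(keytab_key, ticket)                         # rejects tickets from a fake KDC
    auth = decrypt(bytes.fromhex(tkt["key"]), authenticator)  # proves the client holds the session key
    if auth["client"] != tkt["client"]:
        raise ValueError("authenticator/ticket principal mismatch")
    if abs((time.time() if now is None else now) - auth["time"]) > CLOCKSKEW:
        raise ValueError("clock skew too great (possible replay)")
    if tkt["client"] not in k5login:
        raise PermissionError(tkt["client"] + " is not listed in .k5login")
    return tkt["client"]

def demo():
    """Walk the whole sequence with constructed names and keys; returns the accepted principal."""
    user, svc = "jennifer@EXAMPLE.COM", "host/laughter.example.com@EXAMPLE.COM"
    db = {"krbtgt/EXAMPLE.COM@EXAMPLE.COM": os.urandom(32),
          user: string2key("correct horse", "EXAMPLE.COMjennifer"),  # default salt: realm + name
          svc: os.urandom(32)}                                       # the service's keytab entry
    kdc = KDC("EXAMPLE.COM", db)
    ccache = kinit(kdc, user, "correct horse", "EXAMPLE.COMjennifer")
    ticket, authenticator = rlogin(kdc, ccache, svc)
    return klogind(db[svc], [user], ticket, authenticator)
```

The same model shows why a spoofed KDC is only a denial of service: without the user's key it cannot produce an AS reply that kinit accepts, and without the service's keytab key it cannot produce a ticket that klogind accepts.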
@node Definitions, , The User/Kerberos Interaction, How Kerberos Works
Following are definitions of some of the Kerberos terminology.
@include glossary.texinfo
@node Configuration Files, Using DNS, How Kerberos Works, Top
@chapter Configuration Files
* Supported Encryption Types::
@node Supported Encryption Types, Salts, Configuration Files, Configuration Files
@section Supported Encryption Types
Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
@include support-enc.texinfo
While aes128-cts and aes256-cts are supported for all Kerberos
operations, they are not supported by the GSSAPI. AES GSSAPI support
will be added after the necessary standardization work is
By default, AES is enabled on clients and application servers.
Because of the lack of support for GSSAPI, AES is disabled in the
default KDC supported_enctypes @ref{kdc.conf}. Sites wishing to use
AES encryption types on their KDCs need to be careful not to give
GSSAPI services AES keys. If GSSAPI services are given AES keys, then
services will start to fail in the future when clients supporting AES
for GSSAPI are deployed before updated servers that support AES for
GSSAPI. Sites may wish to use AES for user keys and for the ticket
granting ticket key, although doing so requires specifying what
encryption types are used as each principal is created. Alternatively,
sites can use the default configuration which will make AES support
available in clients and servers but not actually use this support
until a future version of Kerberos adds support to GSSAPI.
@node Salts, krb5.conf, Supported Encryption Types, Configuration Files
Your Kerberos key is derived from your password. To ensure that people
who happen to pick the same password do not have the same key, Kerberos
5 incorporates more information into the key using something called a
salt. The supported values for salts are as follows.
@include salts.texinfo
@node krb5.conf, kdc.conf, Salts, Configuration Files
@include krb5conf.texinfo
* realms (krb5.conf)::
* Sample krb5.conf File::
@node libdefaults, appdefaults, krb5.conf, krb5.conf
@subsection [libdefaults]
The @code{libdefaults} section may contain any of the following
@itemx default_keytab_name
This relation specifies the default keytab name to be used by
application servers such as telnetd and rlogind. The default is
@value{DefaultDefaultKeytabName}.
Identifies the default Kerberos realm for the client. Set its value to
your Kerberos realm. If this is not specified and the TXT record
lookup is enabled (see @ref{Using DNS}), then that information will be
used to determine the default realm. If this tag is not set in this
configuration file and there is no DNS information found, then an error
@itemx default_tgs_enctypes
Identifies the supported list of session key encryption types that
should be returned by the KDC. The list may be delimited with commas
or whitespace. Kerberos supports many different encryption types, and
support for more is planned in the future (see @ref{Supported Encryption
Types} for a list of the accepted values for this tag). The default
value is @value{DefaultDefaultTgsEnctypes}.
@itemx default_tkt_enctypes
Identifies the supported list of session key encryption types that
should be requested by the client. The format is the same as for
@emph{default_tgs_enctypes}. The default value for this tag is
@value{DefaultDefaultTktEnctypes}.
@itemx permitted_enctypes
Identifies all encryption types that are permitted for use in session
key encryption. The default value for this tag is
@value{DefaultPermittedEnctypes}.
Sets the maximum allowable amount of clockskew in seconds that the
library will tolerate before assuming that a Kerberos message is
invalid. The default value is @value{DefaultClockskew}.
If this is set to 1 (for true), then client machines will compute the
difference between their time and the time returned by the KDC in the
timestamps in the tickets and use this value to correct for an
inaccurate system clock. This corrective factor is only used by the
Kerberos library. The default is @value{DefaultKDCTimesync}.
@itemx kdc_req_checksum_type
@itemx ap_req_checksum_type
@itemx safe_checksum_type
An integer which specifies the type of checksum to use. Used for
compatibility with DCE security servers which do not support the
default @value{DefaultChecksumType} used by this version of Kerberos.
The possible values and their meanings are as follows.
@comment taken from krb5/src/include/krb5.h[in]
Microsoft MD5 HMAC checksum type
@comment see lib/krb5/ccache/fcc.h
Use this parameter on systems which are DCE clients, to specify the
type of cache to be created by kinit, or when forwarded tickets are
received. DCE and Kerberos can share the cache, but some versions of
DCE do not support the default cache as created by this version of
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
DCE 1.1 systems. The default value is @value{DefaultCcacheType}.
The default lifetime of a ticket. The default is
@value{DefaultTktLifetime}. This is currently not supported by the
Specifies the location of the Kerberos V4 srvtab file. Default is
@value{DefaultKrb4Srvtab}.
Specifies the location of the Kerberos V4 configuration file. Default
is @value{DefaultKrb4Config}.
Specifies the location of the Kerberos V4 domain/realm translation
file. Default is @value{DefaultKrb4Realms}.
@itemx dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and
other servers for a realm, if they are not listed in the information for
the realm. (Note that the @samp{admin_server} entry must be in the
file, because the DNS implementation for it is incomplete.)
Enabling this option does open up a type of denial-of-service attack, if
someone spoofs the DNS records and redirects you to another server.
However, it's no worse than a denial of service, because that fake KDC
will be unable to decode anything you send it (besides the initial
ticket request, which has no encrypted data), and anything the fake KDC
sends will not be trusted without verification using some secret that it
If this option is not specified but @samp{dns_fallback} is, that value
will be used instead. If neither option is specified, the behavior
depends on configure-time options; if none were given, the default is to
enable this option. If the DNS support is not compiled in, this entry
@itemx dns_lookup_realm
Indicate whether DNS TXT records should be used to determine the
Kerberos realm of a host.
Enabling this option may permit a redirection attack, where spoofed DNS
replies persuade a client to authenticate to the wrong realm, when
talking to the wrong host (either by spoofing yet more DNS records or by
intercepting the net traffic). Depending on how the client software
manages hostnames, however, it could already be vulnerable to such
attacks. We are looking at possible ways to minimize or eliminate this
exposure. For now, we encourage more adventurous sites to try using
If this option is not specified but @samp{dns_fallback} is, that value
will be used instead. If neither option is specified, the behavior
depends on configure-time options; if none were given, the default is to
disable this option. If the DNS support is not compiled in, this entry
General flag controlling the use of DNS for Kerberos information. If
both of the preceding options are specified, this option has no effect.
@itemx extra_addresses
This allows a computer to use multiple local addresses, in order to
allow Kerberos to work in a network that uses NATs. The addresses
should be in a comma-separated list.
@itemx udp_preference_limit
When sending a message to the KDC, the library will try using TCP before
UDP if the size of the message is above @code{udp_preference_limit}.
If the message is smaller than @code{udp_preference_limit}, then UDP
will be tried before TCP. Regardless of the size, both protocols will
be tried if the first attempt fails.
@itemx verify_ap_req_nofail
If this flag is set, then an attempt to get initial credentials will
fail if the client machine does not have a keytab. The default for the
flag is @value{DefaultVerifyApReqNofail}.
@itemx renew_lifetime
The value of this tag is the default renewable lifetime for
initial tickets. The default value for the tag is
@value{DefaultRenewLifetime}.
Setting this flag causes the initial Kerberos ticket to be addressless.
The default for the flag is @value{DefaultNoaddresses}.
If this flag is set, initial tickets by default will be forwardable.
The default value for this flag is @value{DefaultForwardable}.
If this flag is set, initial tickets by default will be proxiable.
The default value for this flag is @value{DefaultProxiable}.
@node appdefaults, login, libdefaults, krb5.conf
@subsection [appdefaults]
Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.
@value{PRIMARYREALM} = @{
@value{PRIMARYREALM} = @{
The above four ways of specifying the value of an option are shown
in order of decreasing precedence. In this example, if telnet is
running in the realm @value{SECONDREALM}, it should, by default, have
option1 and option2 set to true. However, a telnet program in the realm
@value{PRIMARYREALM} should have option1 set to false and option2 set
to true. Any other programs in @value{PRIMARYREALM} should have option2
set to false by default. Any programs running in other realms should
have option2 set to true.
The list of specifiable options for each application may be found in
that application's man pages. The application defaults specified here
are overridden by those specified in the [realms] section.
A special application name (afs_krb5) is used by the krb524 service to
know whether new format AFS tokens based on Kerberos 5 can be used
rather than the older format which used a converted Kerberos 4 ticket.
The new format allows for cross-realm authentication without
introducing a security hole. It is used by default. Older AFS
servers (before OpenAFS 1.2.8) will not support the new format. If
servers in your cell do not support the new format, you will need to
add an @code{afs_krb5} relation to the @code{appdefaults} section.
The following config file shows how to disable new format AFS tickets
for the @code{afs.example.com} cell in the @code{EXAMPLE.COM} realm.
afs/afs.example.com = false
@node login, realms (krb5.conf), appdefaults, krb5.conf
Each tag in the [login] section of the file is an option for
login.krb5. This section may contain any of the following relations:
@itemx krb5_get_tickets
Indicate whether or not to use a user's password to get V5 tickets.
The default value is @value{DefaultKrb5GetTickets}.
@itemx krb4_get_tickets
Indicate whether or not to use a user's password to get V4 tickets.
The default value is @value{DefaultKrb4GetTickets}.
Indicate whether or not to use the Kerberos conversion daemon to get V4
tickets. The default value is @value{DefaultKrb4Convert}. If this is
set to false and krb4_get_tickets is true, then login will get the V5
tickets directly using the Kerberos V4 protocol. This does
not currently work with non-MIT-V4 salt types (such as the AFS3 salt
type). Note that if this is set to true and krb524d is not running,
login will hang for approximately a minute under Solaris, due to a
Solaris socket emulation bug.
Indicate whether or not to run aklog. The default value is
@value{DefaultKrbRunAklog}.
Indicate where to find aklog. The default value is
@value{DefaultAklogPath}.
A true value will cause login not to accept plaintext passwords. The
default value is @value{DefaultAcceptPasswd}. This is not yet
@node realms (krb5.conf), domain_realm, login, krb5.conf
Each tag in the [realms] section of the file is the name of a Kerberos
realm. The value of the tag is a subsection with relations that define
the properties of that particular realm. For each realm, the following
tags may be specified in the realm's subsection:
The name of a host running a KDC for that realm. An optional port
number (separated from the hostname by a colon) may be included. For
your computer to be able to communicate with the KDC for each realm,
this tag must be given a value in each realm subsection in the
configuration file, or there must be DNS SRV records specifying the
KDCs (see @ref{Using DNS}).
Identifies the host where the administration server is running.
Typically, this is the master Kerberos server. This tag must be given
a value in order to communicate with the kadmin server for the realm.
this doesn't seem to be used in the code
@itemx application defaults
Application defaults that are specific to a particular realm may be
specified within that realm's tag. Realm-specific application defaults
override the global defaults specified in the [appdefaults] section.
@itemx default_domain
This tag is used for Kerberos 4 compatibility. Kerberos 4 does not
require the entire hostname of a server to be in its principal like
Kerberos 5 does. This tag provides the domain name needed to produce a
full hostname when translating V4 principal names into V5 principal
names. All servers in this realm are assumed to be in the domain given
as the value of this tag.
@itemx v4_instance_convert
This subsection allows the administrator to configure exceptions to the
default_domain mapping rule. It contains V4 instances (the tag name)
which should be translated to some specific hostname (the tag value) as
the second component in a Kerberos V5 principal name.
This relation is used by the krb524 library routines when converting a
V5 principal name to a V4 principal name. It is used when the V4 realm
name and the V5 realm name are not the same, but still share the same
principal names and passwords. The tag value is the Kerberos V4 realm
@itemx auth_to_local_names
This subsection allows you to set explicit mappings from principal
names to local user names. The tag is the mapping name, and the value
is the corresponding local user name.
This tag allows you to set a general rule for mapping principal names
to local user names. It will be used if there is not an explicit
mapping for the principal name that is being translated. The possible
@item DB:@i{unknown}
The principal will be looked up in the database @i{unknown}. Support
for this is not currently compiled in by default.
The local name will be formulated from @i{exp}.
The format for @i{exp} is
@code{[@i{n}:$@i{d}..@i{string}](@i{regexp})s/@i{pattern}/@i{replacement}/g}.
The integer @i{n} indicates how many components the target principal
should have. If this matches, then a string will be formed by putting
together the components of the principal in the order indicated by each
integer @i{d}, and the arbitrary string @i{string} (i.e. if the
principal was @value{RANDOMUSER}/admin then [2:$2$1foo] would result in
the string "admin@value{RANDOMUSER}foo"). If this string matches
@i{regexp}, then the @code{s//[g]} substitution command will be run over the
string. The optional g will cause the substitution to be global over
the string, instead of replacing only the first match in the string.
The principal name will be used as the local user name. If the
principal has more than one component or is not in the default realm,
this rule is not applicable and the conversion will fail.
@value{PRIMARYREALM} = @{
RULE:[2:$1](@value{RANDOMUSER})s/^.*$/guest/
RULE:[2:$1;$2](^.*;admin$)s/;admin$//
RULE:[2:$2](^.*;root)s/^.*$/root/
would result in any principal without @code{root} or @code{admin} as
the second component to be translated with the default rule. A
principal with a second component of @code{admin} will become its first
component. @code{root} will be used as the local name for any
principal with a second component of @code{root}. The exceptions to
these two rules are any principals @value{RANDOMUSER}/*, which will
always get the local name @code{guest}.
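A way to check an auth_to_local rule set offline before it reaches a server, as an added Python evaluator of the RULE and DEFAULT forms described above (written for this guide, not code from MIT Kerberos). It follows the library in accepting a RULE only when the regexp matches the entire string formed from the principal; the sample rules repeat the guide's three rules with the constructed user name jennifer in place of its placeholder, and the realm EXAMPLE.COM is likewise constructed.

```python
import re

def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); escapes are not handled."""
    name, sep, realm = principal.partition("@")
    if not sep or not name:
        raise ValueError("expected name@REALM, got %r" % principal)
    return name.split("/"), realm

def parse_rule(rule):
    """Parse '[n:string](regexp)s/pattern/replacement/[g]' into its parts.

    Kept simple: ')s' may not occur inside the regexp and the s/// delimiter may
    not occur inside the pattern or replacement."""
    if not rule.startswith("[") or "]" not in rule:
        raise ValueError("rule must begin with [n:string]: " + rule)
    close = rule.index("]")
    n, colon, fmt = rule[1:close].partition(":")
    rest = rule[close + 1:]
    if not colon or not n.isdigit() or not rest.startswith("(") or ")s" not in rest:
        raise ValueError("malformed rule: " + rule)
    end = rest.index(")s")
    regexp, sub = rest[1:end], rest[end + 2:]    # sub is e.g. '/pattern/replacement/g'
    parts = sub[1:].split(sub[0]) if sub else []  # first char of sub is the delimiter
    if len(parts) != 3:
        raise ValueError("bad substitution in rule: " + rule)
    pattern, replacement, flags = parts
    return int(n), fmt, regexp, pattern, replacement, flags == "g"

def apply_rule(rule, components, realm):
    """Return the local name a RULE yields, or None when the rule does not apply."""
    n, fmt, regexp, pattern, replacement, is_global = parse_rule(rule)
    if len(components) != n:                    # [n:...] needs exactly n components
        return None
    def expand(m):                              # $0 is the realm, $1..$n the components
        i = int(m.group(1))
        return realm if i == 0 else components[i - 1]
    try:
        formed = re.sub(r"\$(\d+)", expand, fmt)
    except IndexError:                          # $d beyond the component count
        return None
    if re.fullmatch(regexp, formed) is None:    # krb5 requires the regexp to match the whole string
        return None
    # The replacement is literal (no back-references); without g only the first match is replaced.
    return re.sub(pattern, lambda m: replacement, formed, count=0 if is_global else 1)

def auth_to_local(rules, principal, default_realm):
    """Evaluate the realm's auth_to_local values in order; the first that yields a name wins."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if len(components) == 1 and realm == default_realm:
                return components[0]
        elif rule.startswith("RULE:"):
            local = apply_rule(rule[len("RULE:"):], components, realm)
            if local is not None:
                return local
        else:
            raise ValueError("unsupported auth_to_local value: " + rule)
    return None                                 # no rule applied: the conversion fails

# The guide's example rules, with the constructed user name jennifer in place of its placeholder.
SAMPLE_RULES = [
    "RULE:[2:$1](jennifer)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
]
```

Running the three rules through this evaluator shows that the third, as written, never applies: its format [2:$2] forms only the second component (root), which contains no ";" for ^.*;root to match, so a principal such as bob/root falls through to DEFAULT and fails; a regexp written against the formed string, for example (^root$), gives the intended result.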
@node domain_realm, logging, realms (krb5.conf), krb5.conf
@subsection [domain_realm]
The [domain_realm] section provides a translation from a domain name or
hostname to a Kerberos realm name. The tag name can be a host name, or
a domain name, where domain names are ind.icated by a prefix of a period
(@samp{.}). The value of the relation is the Kerberos realm name for
that particular host or domain. Host names and domain names should be
If no translation entry applies, the host's realm is considered to be
the hostname's domain portion converted to upper case. For example, the
following [domain_realm] section:
.mit.edu = ATHENA.MIT.EDU
@value{PRIMARYDOMAIN} = @value{PRIMARYREALM}
crash.@value{PRIMARYDOMAIN} = TEST.@value{PRIMARYREALM}
@value{SECONDDOMAIN} = @value{SECONDREALM}
maps crash.@value{PRIMARYDOMAIN} into the TEST.@value{PRIMARYREALM}
realm. All other hosts in the @value{PRIMARYDOMAIN} domain will map by
default to the @value{PRIMARYREALM} realm, and all hosts in the
@value{SECONDDOMAIN} domain will map by default into the
@value{SECONDREALM} realm. Note the entries for the hosts
@value{PRIMARYDOMAIN} and @value{SECONDDOMAIN}. Without these entries,
these hosts would be mapped into the Kerberos realms @samp{COM} and
these hosts would be mapped into the Kerberos realms @samp{EDU} and
@samp{ORG}, respectively.
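The lookup this section describes, as an added example (not the library's own code): the host entry is tried first, then each enclosing domain from most to least specific, and with no entry the upper-cased domain portion of the hostname becomes the realm. The table repeats the guide's example section with the constructed domains example.com and example.org standing in for its placeholders.

```python
def host_to_realm(domain_realm, hostname):
    """Map a hostname to a realm using a [domain_realm] table given as {tag: realm}."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:                       # an entry for the host itself wins
        return domain_realm[host]
    labels = host.split(".")
    # Try the enclosing domains from most to least specific: ".a.b.c", ".b.c", ".c".
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    # No entry applies: the domain portion of the hostname, upper-cased, is the realm.
    # A bare hostname has no domain portion; the caller falls back to default_realm.
    return ".".join(labels[1:]).upper() if len(labels) > 1 else None

# The guide's example section with constructed domains; note there is no
# "example.org" host entry, so that host itself falls through to the default.
SAMPLE_DOMAIN_REALM = {
    ".mit.edu": "ATHENA.MIT.EDU",
    "mit.edu": "ATHENA.MIT.EDU",
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
    "crash.example.com": "TEST.EXAMPLE.COM",
    ".example.org": "EXAMPLE.ORG",
}
```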
851 @node logging, capaths, domain_realm, krb5.conf
852 @subsection [logging]
853 The [logging] section indicates how a particular entity is to perform
854 its logging. The relations in this section assign one or more values to
855 the entity name. Currently, the following entities are used:
860 These entries specify how the KDC is to perform its logging.
863 These entries specify how the administrative server
864 is to perform its logging.
867 These entries specify how to perform logging in the
868 absence of explicit specifications otherwise.
Values are of the following forms:

@itemx FILE=<filename>
@itemx FILE:<filename>
This value causes the entity's logging messages to go to the specified
file. If the @samp{=} form is used, the file is overwritten. If the
@samp{:} form is used, the file is appended to.

@itemx STDERR
This value causes the entity's logging messages to go to its standard
error stream.

@itemx CONSOLE
This value causes the entity's logging messages to go to the console, if
the system supports it.

@itemx DEVICE=<devicename>
This causes the entity's logging messages to go to the specified device.

@itemx SYSLOG[:<severity>[:<facility>]]
This causes the entity's logging messages to go to the system log.
895 The @dfn{severity} argument specifies the default severity of system log
896 messages. This may be any of the following severities supported by the
897 @code{syslog(3)} call, minus the LOG_ prefix: LOG_EMERG, LOG_ALERT,
898 LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG.
899 For example, a value of @samp{CRIT} would specify LOG_CRIT severity.
901 The facility argument specifies the facility under which the messages
902 are logged. This may be any of the following facilities supported by
903 the syslog(3) call minus the LOG_ prefix: LOG_KERN, LOG_USER, LOG_MAIL,
904 LOG_DAEMON, LOG_AUTH, LOG_LPR, LOG_NEWS, LOG_UUCP, LOG_CRON, and
905 LOG_LOCAL0 through LOG_LOCAL7.
907 If no severity is specified, the default is ERR. If no facility is
908 specified, the default is AUTH.
911 In the following example, the logging messages from the KDC will go to
912 the console and to the system log under the facility LOG_DAEMON with
913 default severity of LOG_INFO; and the logging messages from the
914 administrative server will be appended to the file /var/adm/kadmin.log
915 and sent to the device /dev/tty04.
@example
[logging]
    kdc = CONSOLE
    kdc = SYSLOG:INFO:DAEMON
    admin_server = FILE:/var/adm/kadmin.log
    admin_server = DEVICE=/dev/tty04
@end example
927 @node capaths, Sample krb5.conf File, logging, krb5.conf
928 @subsection [capaths]
930 In order to perform direct (non-hierarchical) cross-realm
931 authentication, a database is needed to construct the authentication
932 paths between the realms. This section defines that database.
934 A client will use this section to find the authentication path between
935 its realm and the realm of the server. The server will use this section
936 to verify the authentication path used by the client, by checking the
937 transited field of the received ticket.
There is a tag for each participating realm, and each tag has subtags
for each of the realms. The value of the subtags is an intermediate
realm which may participate in the cross-realm authentication. The
subtags may be repeated if there is more than one intermediate realm. A
value of "." means that the two realms share keys directly, and no
intermediate realms should be allowed to participate.
946 There are n**2 possible entries in this table, but only those entries
947 which will be needed on the client or the server need to be present.
948 The client needs a tag for its local realm, with subtags for all the
949 realms of servers it will need to authenticate with. A server needs a
950 tag for each realm of the clients it will serve.
952 For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to use the ES.NET
953 realm as an intermediate realm. ANL has a sub realm of TEST.ANL.GOV
954 which will authenticate with NERSC.GOV but not PNL.GOV. The [capaths]
955 section for ANL.GOV systems would look like this:
981 The [capaths] section of the configuration file used on NERSC.GOV systems
982 would look like this:
989 TEST.ANL.GOV = ES.NET
990 TEST.ANL.GOV = ANL.GOV
In the above examples, the ordering is not important, except when the
same subtag name is used more than once. The client will use this to
determine the path. (It is not important to the server, since the
transited field is not sorted.)
This feature is not currently supported by DCE. DCE security servers
can be used with Kerberized clients and servers, but versions prior to
DCE 1.1 did not fill in the transited field, and should be used with
caution.
1020 @node Sample krb5.conf File, , capaths, krb5.conf
1021 @subsection Sample krb5.conf File
Here is an example of a generic @code{krb5.conf} file:

@example
[libdefaults]
    default_realm = @value{PRIMARYREALM}
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    @value{PRIMARYREALM} = @{
        kdc = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
        kdc = @value{KDCSLAVE1}.@value{PRIMARYDOMAIN}
        kdc = @value{KDCSLAVE2}.@value{PRIMARYDOMAIN}:750
        admin_server = @value{KDCSERVER}.@value{PRIMARYDOMAIN}
        default_domain = @value{PRIMARYDOMAIN}
    @}
    @value{SECONDREALM} = @{
        kdc = @value{KDCSERVER}.@value{SECONDDOMAIN}
        kdc = @value{KDCSLAVE1}.@value{SECONDDOMAIN}
        admin_server = @value{KDCSERVER}.@value{SECONDDOMAIN}
    @}

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    @value{PRIMARYDOMAIN} = @value{PRIMARYREALM}

[capaths]
    @value{PRIMARYREALM} = @{
        @value{SECONDREALM} = .
    @}
    @value{SECONDREALM} = @{
        @value{PRIMARYREALM} = .
    @}

[logging]
    admin_server = FILE=/var/kadm5.log
@end example
1073 @node kdc.conf, , krb5.conf, Configuration Files
1076 @include kdcconf.texinfo
1080 * realms (kdc.conf)::
1081 * Sample kdc.conf File::
1084 @node kdcdefaults, realms (kdc.conf), kdc.conf, kdc.conf
1085 @subsection [kdcdefaults]
The following relations are defined in the [kdcdefaults] section:

@itemx kdc_ports
This relation lists the ports on which the Kerberos server should
listen for UDP requests by default. This list is a comma separated
list of integers.
If this relation is not specified, the compiled-in default is
@value{DefaultKdcPorts}, the first being the port assigned to Kerberos
and the second the port that was used by Kerberos V4.

@itemx kdc_tcp_ports
This relation lists the ports on which the Kerberos server should
listen for TCP connections by default. This list is a comma separated
list of integers.
If this relation is not specified, the compiled-in default is not to
listen for TCP connections at all.

If you wish to change this (which we do not recommend, because the
current implementation has little protection against denial-of-service
attacks), the standard port number assigned for Kerberos TCP traffic
is port 88.

@itemx v4_mode
This string specifies how the KDC should respond to Kerberos 4
packets. The possible values are none, disable, full, and nopreauth.
The default value is @value{DefaultV4Mode}.
@comment these values found in krb5/src/kdc/kerberos_v4.c in v4mode_table
1117 @node realms (kdc.conf), Sample kdc.conf File, kdcdefaults, kdc.conf
1118 @subsection [realms]
1120 Each tag in the [realms] section of the file names a Kerberos realm.
1121 The value of the tag is a subsection where the relations in that
1122 subsection define KDC parameters for that particular realm.
For each realm, the following tags may be specified in the [realms]
subsection:

@itemx acl_file
(String.) Location of the access control list (acl) file that kadmin
uses to determine which principals are allowed which permissions on the
database. The default is @code{@value{DefaultAclFile}}.

@itemx admin_keytab
(String.) Location of the keytab file that the legacy administration
daemons @code{kadmind4} and @code{v5passwdd} use to authenticate to
the database. The default is @code{@value{DefaultAdminKeytab}}.
1138 @itemx database_name
1139 (String.) Location of the Kerberos database for this realm. The
1140 default is @* @code{@value{DefaultDatabaseName}}.
1142 @itemx default_principal_expiration
1143 (Absolute time string.) Specifies the default expiration date of
1144 principals created in this realm. The default value for this tag is
1145 @value{DefaultDefaultPrincipalExpiration}.
1147 @itemx default_principal_flags
1148 (Flag string.) Specifies the default attributes of principals created
1149 in this realm. The format for this string is a comma-separated list of
1150 flags, with '+' before each flag that should be enabled and '-' before
1151 each flag that should be disabled. The default is
1152 @value{DefaultDefaultPrincipalFlags}.
There are a number of possible flags:

@itemx postdateable
Enabling this flag allows the principal to obtain postdateable tickets.

@itemx forwardable
Enabling this flag allows the principal to obtain forwardable tickets.

@itemx tgt-based
Enabling this flag allows a principal to obtain tickets based on a
ticket-granting-ticket, rather than repeating the authentication
process that was used to obtain the TGT.

@itemx renewable
Enabling this flag allows the principal to obtain renewable tickets.

@itemx proxiable
Enabling this flag allows the principal to obtain proxy tickets.

@itemx dup-skey
Enabling this flag allows the principal to obtain a session key for
another user, permitting user-to-user authentication for this principal.

@itemx allow-tickets
Enabling this flag means that the KDC will issue tickets for this
principal. Disabling this flag essentially deactivates the principal
within this realm.

@itemx preauth
If this flag is enabled on a client principal, then that principal is
required to preauthenticate to the KDC before receiving any tickets.
On a service principal, enabling this flag means that service tickets
for this principal will only be issued to clients with a TGT that has
the preauthenticated ticket set.

@itemx hwauth
If this flag is enabled, then the principal is required to
preauthenticate using a hardware device before receiving any tickets.

@itemx pwchange
Enabling this flag forces a password change for this principal.

@itemx service
Enabling this flag allows the KDC to issue service tickets for this
principal.

@itemx pwservice
If this flag is enabled, it marks this principal as a password change
service. This should only be used in special cases, for example, if a
user's password has expired, then the user has to get tickets for that
principal without going through the normal password authentication in
order to be able to change the password.
@itemx dict_file
(String.) Location of the dictionary file containing strings that are
not allowed as passwords. If none is specified or if there is no
policy assigned to the principal, no dictionary checks of passwords
are performed.

@itemx kadmind_port
(Port number.) Specifies the port on which the kadmind daemon is to
listen for this realm. The assigned port for kadmind is
@value{DefaultKadmindPort}.

@itemx kpasswd_port
(Port number.) Specifies the port on which the kpasswd daemon is to
listen for this realm. The default is @value{DefaultKpasswdPort}.
@itemx key_stash_file
(String.) Specifies the location where the master key has been stored
(via @code{kdb5_util stash}). The default is
@code{@value{DefaultKeyStashFileStub}@i{REALM}}, where @i{REALM} is the
name of the Kerberos realm.

@itemx kdc_ports
(String.) Specifies the list of ports that the KDC is to listen to
for UDP requests for this realm. By default, the value of kdc_ports
as specified in the [kdcdefaults] section is used.
1236 @itemx kdc_tcp_ports
1237 (String.) Specifies the list of ports that the KDC is to listen to
1238 for TCP requests for this realm. By default, the value of
1239 kdc_tcp_ports as specified in the [kdcdefaults] section is used.
1241 @itemx master_key_name
1242 (String.) Specifies the name of the principal associated with the
1243 master key. The default is @value{DefaultMasterKeyName}.
1245 @itemx master_key_type
1246 (Key type string.) Specifies the master key's key type. The default
1247 value for this is @value{DefaultMasterKeyType}. For a list of all
1248 possible values, see @ref{Supported Encryption Types}.
@itemx max_life
(Delta time string.) Specifies the maximum time period for which a
ticket may be valid in this realm. The default value is
@value{DefaultMaxLife}.
1255 @itemx max_renewable_life
1256 (Delta time string.) Specifies the maximum time period during which a
1257 valid ticket may be renewed in this realm. The default value is
1258 @value{DefaultMaxRenewableLife}.
1260 @itemx supported_enctypes
1261 List of key:salt strings. Specifies the default key/salt combinations of
1262 principals for this realm. Any principals created through @code{kadmin}
1263 will have keys of these types. The default value for this tag is
1264 @value{DefaultSupportedEnctypes}. For lists of possible values, see
1265 @ref{Supported Encryption Types} and @ref{Salts}.
1267 @itemx kdc_supported_enctypes
1268 Specifies the permitted key/salt combinations of principals for this
1269 realm. The format is the same as @code{supported_enctypes}.
1271 @itemx reject_bad_transit
1272 A boolean value (@code{true}, @code{false}). If set to @code{true}, the
1273 KDC will check the list of transited realms for cross-realm tickets
1274 against the transit path computed from the realm names and the
1275 @code{capaths} section of its @code{krb5.conf} file; if the path in the
1276 ticket to be issued contains any realms not in the computed path, the
1277 ticket will not be issued, and an error will be returned to the client
1278 instead. If this value is set to @code{false}, such tickets will be
1279 issued anyways, and it will be left up to the application server to
1280 validate the realm transit path.
If the @code{disable-transited-check} flag is set in the incoming
request, this check is not performed at all. Having the
@code{reject_bad_transit} option will cause such ticket requests to be
rejected.

This transit path checking and config file option currently apply only
to TGS requests.
1290 Earlier versions of the MIT release (before 1.2.3) had bugs in the
1291 application server support such that the server-side checks may not be
1292 performed correctly. We recommend turning this option on, unless you
1293 know that all application servers in this realm have been updated to
1294 fixed versions of the software, and for whatever reason, you don't want
1295 the KDC to do the validation.
1297 This is a per-realm option so that multiple-realm KDCs may control it
1298 separately for each realm, in case (for example) one realm has had the
1299 software on its application servers updated but another has not.
1301 This option defaults to @code{true}.
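The path lookup described under [capaths] and the transit check described under @code{reject_bad_transit}, modelled together in Python as an added example (not code from this guide or from the MIT krb5 sources). The [capaths] text is constructed after the NERSC.GOV scenario in the text, and the ticket's transited field is assumed to be already decoded into a list of realm names.

```python
"""Compute and verify cross-realm transit paths from a [capaths] table.

Added example, not from the MIT krb5 sources. It models two rules from the
text: the client reads capaths[client_realm][server_realm] for the ordered
intermediate realms (a repeated subtag gives several hops, "." means the
realms share keys directly), and a server accepts a ticket's transited list
only if every realm in it lies on that computed path (reject_bad_transit).
"""
from typing import Dict, List, Optional

CapathsTable = Dict[str, Dict[str, List[str]]]

# Constructed sample in krb5.conf syntax, after the NERSC.GOV scenario in
# the text: ES.NET is the shared intermediate and TEST.ANL.GOV is reached
# through ANL.GOV. Only entries a NERSC.GOV system needs are present.
NERSC_CAPATHS_TEXT = """\
[capaths]
    NERSC.GOV = {
        ANL.GOV = ES.NET
        TEST.ANL.GOV = ES.NET
        TEST.ANL.GOV = ANL.GOV
        PNL.GOV = ES.NET
        ES.NET = .
    }
    ANL.GOV = {
        NERSC.GOV = ES.NET
    }
    ES.NET = {
        NERSC.GOV = .
    }
    TEST.ANL.GOV = {
        NERSC.GOV = ANL.GOV
        NERSC.GOV = ES.NET
    }
"""


def parse_capaths(text: str) -> CapathsTable:
    """Parse 'tag = { subtag = value ... }' blocks; repeated subtags keep
    file order, since the text says the client uses that order."""
    table: CapathsTable = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if line == "}":
            if current is None:
                raise ValueError("unexpected '}' in [capaths]")
            current = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"malformed [capaths] line: {raw!r}")
        if value == "{":
            if current is not None:
                raise ValueError(f"nested realm block at {raw!r}")
            current = key
            table.setdefault(current, {})
        elif current is None:
            raise ValueError(f"subtag outside a realm block: {raw!r}")
        else:
            table[current].setdefault(key, []).append(value)
    if current is not None:
        raise ValueError(f"unterminated block for realm {current}")
    return table


def compute_path(table: CapathsTable, client_realm: str,
                 server_realm: str) -> Optional[List[str]]:
    """Intermediate realms from client_realm to server_realm: [] means the
    realms share keys directly ("."), None means no entry (treated by a
    cautious caller as "no permitted path", not as a hierarchical guess)."""
    if client_realm == server_realm:
        return []
    hops = table.get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    return [hop for hop in hops if hop != "."]


def check_transited(table: CapathsTable, client_realm: str,
                    server_realm: str, transited: List[str]) -> bool:
    """Server-side check in the spirit of reject_bad_transit: accept only if
    every realm in the (already decoded) transited list is on the computed
    path; an unknown client realm is rejected outright."""
    path = compute_path(table, client_realm, server_realm)
    if path is None:
        return False
    allowed = set(path)
    return all(realm in allowed for realm in transited)


NERSC_CAPATHS: CapathsTable = parse_capaths(NERSC_CAPATHS_TEXT)
```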
1305 @node Sample kdc.conf File, , realms (kdc.conf), kdc.conf
1306 @subsection Sample kdc.conf File
Here's an example of a @code{kdc.conf} file:

@example
[realms]
    @value{PRIMARYREALM} = @{
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
    @}

[logging]
    kdc = FILE:@value{ROOTDIR}/var/krb5kdc/kdc.log
    admin_server = FILE:@value{ROOTDIR}/var/krb5kdc/kadmin.log
@end example
1332 @node Using DNS, Administrating the Kerberos Database, Configuration Files, Top
1336 * Mapping Hostnames onto Kerberos Realms::
1337 * Hostnames for KDCs::
1340 @node Mapping Hostnames onto Kerberos Realms, Hostnames for KDCs, Using DNS, Using DNS
1341 @section Mapping Hostnames onto Kerberos Realms
1343 @include dnstxt.texinfo
1345 @node Hostnames for KDCs, , Mapping Hostnames onto Kerberos Realms, Using DNS
1346 @section Hostnames for KDCs
1348 @include dnssrv.texinfo
1350 @node Administrating the Kerberos Database, Application Servers, Using DNS, Top
1351 @chapter Administrating the Kerberos Database
1353 Your Kerberos database contains all of your realm's Kerberos principals,
1354 their passwords, and other administrative information about each
1355 principal. For the most part, you will use the @code{kdb5_util} program
1356 to manipulate the Kerberos database as a whole, and the @code{kadmin}
1357 program to make changes to the entries in the database. (One notable
1358 exception is that users will use the @code{kpasswd} program to change
their own passwords.) The @code{kadmin} program has its own
command-line interface, to which you type the database administrating
commands.
1363 @code{Kdb5_util} provides a means to create, delete, load, or dump a
1364 Kerberos database. It also includes a command to stash a copy of the
1365 master database key in a file on a KDC, so that the KDC can authenticate
1366 itself to the @code{kadmind} and @code{krb5kdc} daemons at boot time.
1368 @code{Kadmin} provides for the maintenance of Kerberos principals, KADM5
1369 policies, and service key tables (keytabs). It exists as both a
1370 Kerberos client, @code{kadmin}, using Kerberos authentication and an
1371 RPC, to operate securely from anywhere on the network, and as a local
1372 client, @code{kadmin.local}, intended to run directly on the KDC without
1373 Kerberos authentication. Other than the fact that the remote client
1374 uses Kerberos to authenticate the person using it, the functionalities
1375 of the two versions are identical. The local version is necessary to
1376 enable you to set up enough of the database to be able to use the remote
1377 version. It replaces the now obsolete @code{kdb5_edit} (except for
1378 database dump and load, which are provided by @code{kdb5_util}).
1380 The remote version authenticates to the KADM5 server using the service
1381 principal @code{kadmin/admin}. If the credentials cache contains a
1382 ticket for the @code{kadmin/admin} principal, and the @samp{-c ccache}
1383 option is specified, that ticket is used to authenticate to KADM5.
1384 Otherwise, the @samp{-p} and @samp{-k} options are used to specify the
1385 client Kerberos principal name used to authenticate. Once kadmin has
1386 determined the principal name, it requests a @code{kadmin/admin}
1387 Kerberos service ticket from the KDC, and uses that service ticket to
1388 authenticate to KADM5.
1395 * Global Operations on the Kerberos Database::
1396 * Cross-realm Authentication::
1399 @node Kadmin Options, Date Format, Administrating the Kerberos Database, Administrating the Kerberos Database
1400 @section Kadmin Options
You can invoke @code{kadmin} or @code{kadmin.local} with any of the
following options:
1406 @item @b{-r} @i{REALM}
1407 Use @i{REALM} as the default Kerberos realm for the database.
1409 @item @b{-p} @i{principal}
1410 Use the Kerberos principal @i{principal} to authenticate to Kerberos.
1411 If this option is not given, @code{kadmin} will append @code{admin} to
1412 either the primary principal name, the environment variable USER, or to
1413 the username obtained from @code{getpwuid}, in order of preference.
1415 @item @b{-q} @i{query}
1416 Pass @i{query} directly to @code{kadmin}. This is useful for writing
1417 scripts that pass specific queries to @code{kadmin}.
1420 You can invoke @code{kadmin} with any of the following options:
1422 @item @b{-k} [@b{-t} @i{keytab}]
1423 Use the keytab @i{keytab} to decrypt the KDC response instead of
1424 prompting for a password on the TTY. In this case, the principal will
1425 be @samp{host/@i{hostname}}. If @b{-t} is not used to specify a keytab,
1426 then the default keytab will be used.
@item @b{-c} @i{credentials_cache}
Use @i{credentials_cache} as the credentials cache. The credentials
1430 cache should contain a service ticket for the @code{kadmin/admin}
1431 service, which can be acquired with the @code{kinit} program. If this
1432 option is not specified, @code{kadmin} requests a new service ticket
1433 from the KDC, and stores it in its own temporary ccache.
1435 @item @b{-w} @i{password}
1436 Use @i{password} as the password instead of prompting for one on the
1437 TTY. Note: placing the password for a Kerberos principal with
1438 administration access into a shell script can be dangerous if
1439 unauthorized users gain read access to the script.
1441 @item @b{-s} @i{admin_server[:port]}
1442 Specifies the admin server that kadmin should contact.
You can invoke @code{kadmin.local} with any of the following options:

@item @b{-d} @i{dbname}
Specifies the name of the Kerberos database.

@item @b{-e} @i{"enctypes ..."}
Sets the list of cryptosystem and salt types to be used for any new
keys created. See @ref{Supported Encryption Types} and @ref{Salts} for
available types.

@item @b{-m}
Do not authenticate using a keytab. This option will cause kadmin to
prompt for the master database password.
1461 @node Date Format, Principals, Kadmin Options, Administrating the Kerberos Database
1462 @section Date Format
1464 Many of the @code{kadmin} commands take a duration or time as an
1465 argument. The date can appear in a wide variety of formats, such as:
1482 "3/31/1992 10:00:07 PST"
1483 "January 23, 2007 10:05pm"
1488 Note that if the date specification contains spaces, you must enclose it
1489 in double quotes. Note also that you cannot use a number without a
1490 unit. (I.e., ``"60 seconds"'' is correct, but ``60'' is incorrect.)
1491 All keywords are case-insensitive. The following is a list of all of
1492 the allowable keywords.
@item Months
january, jan, february, feb, march, mar, april, apr, may, june, jun,
july, jul, august, aug, september, sep, sept, october, oct, november,
nov, december, dec

@item Days
sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed,
thursday, thurs, thur, thu, friday, fri, saturday, sat

@item Units
year, month, fortnight, week, day, hour, minute, min, second, sec

@item Relative Dates
tomorrow, yesterday, today, now, last, this, next, first, second,
third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh,
twelfth, ago

@item Time Zones
@code{kadmin} recognizes abbreviations for most of the world's time
zones. A complete listing appears in @ref{kadmin Time Zones}.
1516 @item 12-hour Time Delimiters
@node Principals, Policies, Date Format, Administrating the Kerberos Database
@section Principals

Each entry in the Kerberos database contains a Kerberos principal
(@pxref{Definitions}) and the attributes and policies associated with
that principal.
1528 * Retrieving Information About a Principal::
1530 * Adding or Modifying Principals::
1531 * Deleting Principals::
1532 * Changing Passwords::
1535 @node Retrieving Information About a Principal, Privileges, Principals, Principals
1536 @subsection Retrieving Information About a Principal
1540 * Retrieving a List of Principals::
1543 @node Attributes, Retrieving a List of Principals, Retrieving Information About a Principal, Retrieving Information About a Principal
1544 @subsubsection Attributes
1546 To retrieve a listing of the attributes and/or policies associated with
1547 a principal, use the @code{kadmin} @code{get_principal} command, which
1548 requires the ``inquire'' administrative privilege. The syntax is:
1551 @b{get_principal} @i{principal}
1555 The @code{get_principal} command has the alias @code{getprinc}.
1557 For example, suppose you wanted to view the attributes of the
1558 principal @* @code{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM}}.
1564 @b{kadmin:} getprinc @value{RANDOMUSER1}/root
1565 @b{Principal: @value{RANDOMUSER1}/root@@@value{PRIMARYREALM}
1566 Expiration date: [never]
1567 Last password change: Mon Jan 31 02:06:40 EDT 2002
1568 Password Expiration date: [none]
1569 Maximum ticket life: 0 days 10:00:00
1570 Maximum renewable life: 7 days 00:00:00
1571 Last modified: Wed Jul 24 14:46:25 EDT 2002 (@value{ADMINUSER}/admin@@@value{PRIMARYREALM})
1572 Last successful authentication: Mon Jul 29 18:20:17 EDT 2002
1573 Last failed authentication: Mon Jul 29 18:18:54 EDT 2002
1574 Failed password attempts: 3
1576 Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
1577 Key: vno 2, DES cbc mode with CRC-32, no salt
1578 Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE
1584 The @code{get_principal} command has a @code{-terse} option, which lists
1585 the fields as a quoted, tab-separated string. For example:
1589 @b{kadmin:} getprinc -terse @value{RANDOMUSER1}/root
1590 @b{@value{RANDOMUSER1}/root@@@value{PRIMARYREALM} 0 1027458564
1591 0 36000 (@value{ADMINUSER}/admin@@@value{PRIMARYREALM}
1592 1027536385 18 2 0 [none] 604800 1027980137
1593 1027980054 3 2 1 2 16 0 1
1599 @node Retrieving a List of Principals, , Attributes, Retrieving Information About a Principal
1600 @subsubsection Retrieving a List of Principals
1602 To generate a listing of principals, use the @code{kadmin}
1603 @code{list_principals} command, which requires the ``list'' privilege.
1607 @b{list_principals} [@i{expression}]
@noindent where @i{expression} is a shell-style glob expression that
can contain the characters @samp{*}, @samp{?}, @samp{[}, and @samp{]}.
All principal names matching the expression are displayed. The
@code{list_principals} command has the aliases @code{listprincs},
@code{get_principals}, and @code{getprincs}. For example:
1618 @b{kadmin:} listprincs test*
1619 @b{test3@@@value{PRIMARYREALM}
1620 test2@@@value{PRIMARYREALM}
1621 test1@@@value{PRIMARYREALM}
1622 testuser@@@value{PRIMARYREALM}
1628 If no expression is provided, all principals are printed.
1630 @node Privileges, Adding or Modifying Principals, Retrieving Information About a Principal, Principals
1631 @subsection Privileges
1633 Administrative privileges for the Kerberos database are stored in the
1634 file @code{kadm5.acl}.
1636 @include kadm5acl.texinfo
1638 @node Adding or Modifying Principals, Deleting Principals, Privileges, Principals
1639 @subsection Adding or Modifying Principals
1641 To add a principal to the database, use the kadmin @code{add_principal}
1642 command, which requires the ``add'' administrative privilege. This
1643 function creates the new principal, prompting twice for a password, and,
1644 if neither the -policy nor -clearpolicy options are specified and the
1645 policy ``default'' exists, assigns it that policy. The syntax is:
1648 @b{kadmin:} add_principal [@i{options}] @i{principal}
1651 To modify attributes of a principal, use the kadmin
1652 @code{modify_principal} command, which requires the ``modify''
1653 administrative privilege. The syntax is:
1656 @b{kadmin:} modify_principal [@i{options}] @i{principal}
1660 @code{add_principal} has the aliases @code{addprinc} and
1661 @code{ank}@footnote{@code{ank} was the short form of the equivalent
1662 command using the deprecated @code{kadmin5} database administrative tool.
1663 It has been kept}. @code{modify_principal} has the alias @code{modprinc}.
The @code{add_principal} and @code{modify_principal} commands take the
following switches:
1669 @item -expire @i{date}
1670 Sets the expiration date of the principal to @i{date}.
1672 @item -pwexpire @i{date}
1673 Sets the expiration date of the password to @i{date}.
1675 @item -maxlife @i{maxlife}
1676 Sets the maximum ticket life of the principal to @i{maxlife}.
@item -maxrenewlife @i{maxrenewlife}
Sets the maximum renewable life of tickets for the principal to
@i{maxrenewlife}.

@item -kvno @i{number}
Explicitly sets the key version number to @i{number}. @value{COMPANY}
does not recommend doing this unless there is a specific reason.
1686 @item -policy @i{policy}
1687 Sets the policy used by this principal. (@xref{Policies}.) With
1688 @code{modify_principal}, the current policy assigned to the principal is
1689 set or changed. With @code{add_principal}, if this option is not
1690 supplied, the -clearpolicy is not specified, and the policy ``default''
1691 exists, that policy is assigned. If a principal is created with no
1692 policy, @code{kadmin} will print a warning message.
@item -clearpolicy
For @code{modify_principal}, removes the current policy from a
principal. For @code{add_principal}, suppresses the automatic
assignment of the policy ``default''.
1699 @item @{-|+@}allow_postdated
1700 The ``-allow_postdated'' option prohibits this principal from obtaining
1701 postdated tickets. ``+allow_postdated'' clears this flag. In effect,
1702 ``-allow_postdated'' sets the KRB5_KDB_DISALLOW_POSTDATED flag on the
1703 principal in the database.
1705 @item @{-|+@}allow_forwardable
1706 The ``-allow_forwardable'' option prohibits this principal from
1707 obtaining forwardable tickets. ``+allow_forwardable'' clears this flag.
1708 In effect, ``-allow_forwardable'' sets the KRB5_KDB_DISALLOW_FORWARDABLE
1709 flag on the principal in the database.
1711 @item @{-|+@}allow_renewable
1712 The ``-allow_renewable'' option prohibits this principal from obtaining
1713 renewable tickets. ``+allow_renewable'' clears this flag. In effect,
1714 ``-allow_renewable'' sets the KRB5_KDB_DISALLOW_RENEWABLE flag on the
1715 principal in the database.
@item @{-|+@}allow_proxiable
The ``-allow_proxiable'' option prohibits this principal from obtaining
proxiable tickets. ``+allow_proxiable'' clears this flag. In effect,
``-allow_proxiable'' sets the @* KRB5_KDB_DISALLOW_PROXIABLE flag on
the principal in the database.
1723 @item @{-|+@}allow_dup_skey
1724 The ``-allow_dup_skey'' option disables user-to-user authentication for
1725 this principal by prohibiting this principal from obtaining a session
1726 key for another user. ``+allow_dup_skey'' clears this flag. In effect,
1727 ``-allow_dup_skey'' sets the @* KRB5_KDB_DISALLOW_DUP_SKEY flag on the
1728 principal in the database.
@item @{-|+@}requires_preauth
The ``+requires_preauth'' option requires this principal to
preauthenticate before being allowed to kinit. ``-requires_preauth''
clears this flag. In effect, ``+requires_preauth'' sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag on the principal in the database.
@item @{-|+@}requires_hwauth
The ``+requires_hwauth'' flag requires the principal to preauthenticate
using a hardware device before being allowed to kinit.
``-requires_hwauth'' clears this flag. In effect, ``+requires_hwauth''
sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
database.

@item @{-|+@}allow_svr
The ``-allow_svr'' flag prohibits the issuance of service tickets for
this principal. ``+allow_svr'' clears this flag. In effect,
``-allow_svr'' sets the @* KRB5_KDB_DISALLOW_SVR flag on the principal
in the database.
1749 @item @{-|+@}allow_tgs_req
1750 The ``-allow_tgs_req'' option specifies that a Ticket-Granting Service
1751 (TGS) request for a service ticket for this principal is not permitted.
1752 You will probably never need to use this option. ``+allow_tgs_req''
1753 clears this flag. The default is ``+allow_tgs_req''. In effect,
1754 ``-allow_tgs_req'' sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the
1755 principal in the database.
1757 @item @{-|+@}allow_tix
1758 The ``-allow_tix'' option forbids the issuance of any tickets for this
1759 principal. ``+allow_tix'' clears this flag. The default is
1760 ``+allow_tix''. In effect, ``-allow_tix'' sets the @*
1761 KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.
@item @{-|+@}needchange
The ``+needchange'' option sets a flag in the attributes field to force a
password change; ``-needchange'' clears it. The default is
``-needchange''. In effect, ``+needchange'' sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.
1769 @item @{-|+@}password_changing_service
1770 The ``+password_changing_service'' option sets a flag in the attributes
1771 field marking this principal as a password change service. (Again, you
1772 will probably never need to use this option.)
1773 ``-password_changing_service'' clears the flag. The default is
1774 ``-password_changing_service''. In effect, the
1775 ``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE
1776 flag on the principal in the database.
@item -randkey
Sets the key for the principal to a random value (@code{add_principal}
only). @value{COMPANY} recommends using this option for host keys.
1782 @item -pw @i{password}
1783 Sets the key of the principal to the specified string and does not
1784 prompt for a password (@code{add_principal} only). @value{COMPANY} does
1785 not recommend using this option.
1787 @item -e @i{enc:salt...}
1788 Uses the specified list of enctype-salttype pairs for setting the key
1789 of the principal. The quotes are necessary if there are multiple
1790 enctype-salttype pairs. This will not function against kadmin daemons
1791 earlier than krb5-1.2. See @ref{Supported Encryption Types} and
1792 @ref{Salts} for available types.
1795 If you want to just use the default values, all you need to do is:
1799 @b{kadmin:} addprinc @value{RANDOMUSER1}
1800 @b{WARNING: no policy specified for "@value{RANDOMUSER1}@@@value{PRIMARYREALM}";
1801 defaulting to no policy.}
1803 @b{Enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type the password.}
1804 @b{Re-enter password for principal @value{RANDOMUSER1}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type it again.}
1814 @b{Principal "@value{RANDOMUSER1}@@@value{PRIMARYREALM}" created.
1819 If, on the other hand, you want to set up an account that expires on
1820 January 1, 2000, that uses a policy called ``stduser'', with a temporary
1821 password (which you want the user to change immediately), you would type
1822 the following. (Note: each line beginning with @result{} is a
1823 continuation of the previous line.)
1828 @b{kadmin:} addprinc @value{RANDOMUSER2} -expire "1/1/2000 12:01am EST" -policy stduser
1829 @result{} +needchange
1831 @b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type the password.}
1832 @b{Re-enter password for principal
1833 @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type it again.}
1845 @b{Principal "@value{RANDOMUSER2}@@@value{PRIMARYREALM}" created.
1851 If you will need cross-realm authentication, you need to add principals
1852 for the other realm's TGT to each realm. For example, if you need to
1853 do cross-realm authentication between the realms @value{PRIMARYREALM}
1854 and @value{SECONDREALM}, you would need to add the principals @*
1855 @samp{krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}} and
1856 @samp{krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}} to both
1857 databases. You need to be sure the passwords and the key version
1858 numbers (kvno) are the same in both databases. This may require
1859 explicitly setting the kvno with the @samp{-kvno} option. See
1860 @ref{Cross-realm Authentication} for more details.
1862 @node Deleting Principals, Changing Passwords, Adding or Modifying Principals, Principals
1863 @subsection Deleting Principals
1865 To delete a principal, use the kadmin @code{delete_principal} command,
1866 which requires the ``delete'' administrative privilege. The syntax is:
1869 @b{delete_principal} [@b{-force}] @i{principal}
1872 @noindent @code{delete_principal} has the alias @code{delprinc}. The
1873 @code{-force} option causes @code{delete_principal} not to ask if you're
1878 @b{kadmin:} delprinc @value{RANDOMUSER1}
1879 @b{Are you sure you want to delete the principal
1880 "@value{RANDOMUSER1}@@@value{PRIMARYREALM}"? (yes/no):} yes
1881 @b{Principal "@value{RANDOMUSER1}@@@value{PRIMARYREALM}" deleted.
1882 Make sure that you have removed this principal from
1883 all ACLs before reusing.
1888 @node Changing Passwords, , Deleting Principals, Principals
1889 @subsection Changing Passwords
1891 To change a principal's password use the kadmin @code{change_password}
1892 command, which requires the ``modify'' administrative privilege (unless
1893 the principal is changing his/her own password). The syntax is:
1896 @b{change_password} [@i{options}] @i{principal}
1899 @noindent The @code{change_password} command has the alias @code{cpw}.
1900 @code{change_password} takes the following options:
1904 Sets the key of the principal to a random value.
1906 @item @b{-pw} @i{password}
1907 Sets the password to the string @i{password}. @value{COMPANY} does not
1908 recommend using this option.
1910 @item @b{-e} @i{"enc:salt..."}
1911 Uses the specified list of enctype-salttype pairs for setting the key
1912 of the principal. The quotes are necessary if there are multiple
1913 enctype-salttype pairs. This will not function against kadmin daemons
1914 earlier than krb5-1.2. See @ref{Supported Encryption Types} and
1915 @ref{Salts} for possible values.
1918 Keeps the previous kvno's keys around. There is no easy way to delete
1919 the old keys, and this flag is usually not necessary except perhaps for
1920 TGS keys. Don't use this flag unless you know what you're doing.
1928 @b{kadmin:} cpw @value{RANDOMUSER2}
1930 @b{Enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type the new password.}
1931 @b{Re-enter password for principal @value{RANDOMUSER2}@@@value{PRIMARYREALM}:} @i{@doubleleftarrow{} Type it again.}
1941 @b{Password for @value{RANDOMUSER2}@@@value{PRIMARYREALM} changed.
1946 Note that @code{change_password} will not let you change the password to
1947 one that is in the principal's password history.
1949 @node Policies, Global Operations on the Kerberos Database, Principals, Administrating the Kerberos Database
1952 A policy is a set of rules governing passwords. Policies can dictate
1953 minimum and maximum password lifetimes, minimum number of characters and
1954 character classes a password must contain, and the number of old
1955 passwords kept in the database.
1958 * Retrieving Policies::
1959 * Retrieving the List of Policies::
1960 * Adding or Modifying Policies::
1961 * Deleting Policies::
1964 @node Retrieving Policies, Retrieving the List of Policies, Policies, Policies
1965 @subsection Retrieving Policies
1967 To retrieve a policy, use the kadmin @code{get_policy} command, which
1968 requires the ``inquire'' administrative privilege. The syntax is:
1971 @b{get_policy} [@b{-terse}] @i{policy}
1974 The @code{get_policy} command has the alias @code{getpol}. For example:
1978 @b{kadmin:} get_policy admin
1980 Maximum password life: 180 days 00:00:00
1981 Minimum password life: 00:00:00
1982 Minimum password length: 6
1983 Minimum number of password character classes: 2
1984 Number of old keys kept: 5
1990 @noindent The @dfn{reference count} is the number of principals using
1993 The @code{get_policy} command has a @code{-terse} option, which lists
1994 each field as a quoted, tab-separated string. For example:
1998 @b{kadmin:} get_policy -terse admin
1999 @b{admin 15552000 0 6 2 5 17
2004 @node Retrieving the List of Policies, Adding or Modifying Policies, Retrieving Policies, Policies
2005 @subsection Retrieving the List of Policies
2007 You can retrieve the list of policies with the kadmin
2008 @code{list_policies} command, which requires the ``list'' privilege. The
2012 @b{list_policies} [@i{expression}]
2015 @noindent where @i{expression} is a shell-style glob expression that can
2016 contain the characters *, ?, and []. All policy names matching the
2017 expression are displayed. The @code{list_policies} command has the aliases
2018 @code{listpols}, @code{get_policies}, and @code{getpols}. For example:
2022 @b{kadmin:} listpols
2028 @b{kadmin:} listpols t*
2035 @node Adding or Modifying Policies, Deleting Policies, Retrieving the List of Policies, Policies
2036 @subsection Adding or Modifying Policies
2038 To add a new policy, use the kadmin @code{add_policy} command, which
2039 requires the ``add'' administrative privilege. The syntax is:
2042 @b{add_policy} [@i{options}] @i{policy_name}
2045 To modify the attributes of a policy, use the kadmin @code{modify_policy}
2046 command, which requires the ``modify'' administrative privilege. The
2050 @b{modify_policy} [@i{options}] @i{policy_name}
2053 @noindent @code{add_policy} has the alias @code{addpol}.
2054 @code{modify_policy} has the alias @code{modpol}.
2056 The @code{add_policy} and @code{modify_policy} commands take the
2060 @item -maxlife @i{time}
2061 Sets the maximum lifetime of a password to @i{time}.
2063 @item -minlife @i{time}
2064 Sets the minimum lifetime of a password to @i{time}.
2066 @item -minlength @i{length}
2067 Sets the minimum length of a password to @i{length} characters.
2069 @item -minclasses @i{number}
2070 Requires at least @i{number} of character classes in a password.
2072 @item -history @i{number}
2073 Sets the number of past keys kept for a principal to @i{number}.
2076 @c **** An example here would be nice. ****
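The following added example (not code from the krb5 distribution) ties the policy options above to the @code{get_policy -terse} output shown earlier: it parses a terse policy line into its seven fields, renders the lifetimes the way the verbose @code{get_policy} output does, and applies the length and character-class rules to a candidate password. The five character classes (lower, upper, digit, punctuation, other) are assumed to match the ones the admin server counts; the sample line is the one from this page.

```python
"""Check a candidate password against a kadmin policy.

Added example, not part of the krb5 distribution. It parses the
``get_policy -terse`` line shown on this page and applies the length
and character-class rules; the five character classes (lower, upper,
digit, punctuation, other) are an assumption about the KDC's counting.
"""
import string
from typing import List, NamedTuple


class Policy(NamedTuple):
    name: str
    max_life: int      # seconds; 0 means no maximum
    min_life: int      # seconds
    min_length: int
    min_classes: int
    history: int       # number of old keys kept
    refcount: int      # principals currently using the policy


def parse_terse_policy(line: str) -> Policy:
    """Parse one line of ``get_policy -terse`` output.

    kadmin prints the name quoted and the fields tab-separated; the
    example on this page shows them space-separated, so split on any
    whitespace and strip the quotes.
    """
    fields = line.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d" % len(fields))
    name = fields[0].strip('"')
    nums = [int(f) for f in fields[1:]]
    return Policy(name, *nums)


def format_life(seconds: int) -> str:
    """Render a lifetime the way ``get_policy`` does: '180 days 00:00:00'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = "%02d:%02d:%02d" % (hours, minutes, secs)
    return "%d days %s" % (days, hms) if days else hms


def character_classes(password: str) -> int:
    """Count the distinct classes present: lower, upper, digit, punct, other."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def check_password(policy: Policy, password: str) -> List[str]:
    """Return the policy violations for password (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if character_classes(password) < policy.min_classes:
        problems.append("fewer than %d character classes" % policy.min_classes)
    return problems


if __name__ == "__main__":
    admin = parse_terse_policy('admin 15552000 0 6 2 5 17')   # line from this page
    print("Maximum password life:", format_life(admin.max_life))
    print("Minimum password life:", format_life(admin.min_life))
    for candidate in ("abc", "abcdef", "abc123"):
        print(candidate, check_password(admin, candidate) or "accepted")
```

Running the script against the @code{admin} policy from this page reproduces the verbose output's "180 days 00:00:00", and shows that a six-letter lowercase password is rejected for having only one character class even though it meets the length rule. Password history is enforced by the admin server against stored old keys, so it is not checked here.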
2078 @node Deleting Policies, , Adding or Modifying Policies, Policies
2079 @subsection Deleting Policies
2081 To delete a policy, use the @code{kadmin} @code{delete_policy} command,
2082 which requires the ``delete'' administrative privilege. The syntax is:
2085 @b{delete_policy [-force]} @i{policy_name}
2088 @noindent The @code{delete_policy} command has the alias @code{delpol}.
2089 It prompts for confirmation before deletion.
2094 @b{kadmin:} delete_policy guests
2095 @b{Are you sure you want to delete the policy "guests"?
2101 Note that you must cancel the policy from all principals before deleting
2102 it. The @code{delete_policy} command will fail if it is in use by any
2105 @node Global Operations on the Kerberos Database, Cross-realm Authentication, Policies, Administrating the Kerberos Database
2106 @section Global Operations on the Kerberos Database
2109 * Dumping a Kerberos Database to a File::
2110 * Restoring a Kerberos Database from a Dump File::
2111 * Creating a Stash File::
2112 * Creating and Destroying a Kerberos Database::
2115 The @code{kdb5_util} command is the primary tool for administrating the
2116 Kerberos database. The syntax is:
2119 @b{kdb5_util} @i{command} [@i{kdb5_util_options}] [@i{command_options}]
2122 The @code{kdb5_util} command takes the following options, which override
2123 the defaults specified in the configuration files:
2127 specifies the Kerberos realm of the database.
2129 @itemx -d @i{database_name}
2130 specifies the name under which the principal database is stored.
2132 @itemx -k @i{master_key_type}
2133 specifies the key type of the master key in the database.
2135 @itemx -M @i{master_key_name}
2136 specifies the principal name of the master key in the database.
2139 indicates that the master database password should be read from the TTY
2140 rather than fetched from a file on disk.
2142 @itemx -sf @i{stash_file}
2143 specifies the stash file of the master database password
2145 @itemx -P @i{password}
2146 specifies the master database password. @value{COMPANY} does not
2147 recommend using this option.
2151 @node Dumping a Kerberos Database to a File, Restoring a Kerberos Database from a Dump File, Global Operations on the Kerberos Database, Global Operations on the Kerberos Database
2152 @subsection Dumping a Kerberos Database to a File
2154 To dump a Kerberos database into a file, use the @code{kdb5_util}
2155 @code{dump} command on one of the KDCs. The syntax is:
2158 @b{kdb5_util dump} [@b{-old}] [@b{-b6}] [@b{-b7}] [@b{-ov}]
2159 [@b{-verbose}] [@b{-mkey_convert}] [@b{-new_mkey_file}] [@i{filename}
2160 [@i{principals...}]]
2163 The @code{kdb5_util dump} command takes the following options:
2167 causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format
2168 (``kdb5_edit load_dump version 2.0'').
2170 causes the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit
2171 load_dump version 3.0'').
2173 causes the dump to be in the Kerberos 5 Beta 7 format (``kdb5_edit
2174 load_dump version 4'').
2176 causes the dump to be in ovsec_adm_export format. Currently, the only
2177 way to preserve per-principal policy information is to use this in
2178 conjunction with a normal dump.
2180 causes the name of each principal and policy to be printed as it is
2182 @itemx -mkey_convert
2183 prompts for a new master password, and then dumps the database with
2184 all keys reencrypted in this new master key
2185 @itemx -new_mkey_file
2186 reads a new key from the default keytab and then dumps the database
2187 with all keys reencrypted in this new master key
2194 @b{shell%} kdb5_util dump dumpfile
2201 @b{shell%} kdb5_util dump -verbose dumpfile
2202 @b{kadmin/admin@@@value{PRIMARYREALM}
2203 krbtgt/@value{PRIMARYREALM}@@@value{PRIMARYREALM}
2204 kadmin/history@@@value{PRIMARYREALM}
2205 K/M@@@value{PRIMARYREALM}
2206 kadmin/changepw@@@value{PRIMARYREALM}
2212 If you specify which principals to dump, you must use the full
2213 principal, as in the following example. (The line beginning with
2214 @result{} is a continuation of the previous line.):
2218 @b{shell%} kdb5_util dump -verbose dumpfile K/M@@@value{PRIMARYREALM}
2219 @result{} kadmin/admin@@@value{PRIMARYREALM}
2220 @b{kadmin/admin@@@value{PRIMARYREALM}
2221 K/M@@@value{PRIMARYREALM}
2227 Otherwise, the principals will not match those in the database and will
2232 @b{shell%} kdb5_util dump -verbose dumpfile K/M kadmin/admin
2238 If you do not specify a dump file, @code{kdb5_util} will dump the
2239 database to the standard output.
2241 There is currently a bug where the default dump format omits the
2242 per-principal policy information. In order to dump all the data
2243 contained in the Kerberos database, you must perform a normal dump (with
2244 no option flags) and an additional dump using the ``-ov'' flag to a
2247 @node Restoring a Kerberos Database from a Dump File, Creating a Stash File, Dumping a Kerberos Database to a File, Global Operations on the Kerberos Database
2248 @subsection Restoring a Kerberos Database from a Dump File
2250 To restore a Kerberos database dump from a file, use the
2251 @code{kdb5_util} @code{load} command on one of the KDCs. The syntax
2255 @b{kdb5_util load} [@b{-old}] [@b{-b6}] [@b{-b7}] [@b{-ov}] [@b{-verbose}]
2256 [@b{-update}] [@b{-hash}] @i{dumpfilename} @i{dbname} [@i{admin_dbname}]
2259 The @code{kdb5_util load} command takes the following options:
2263 requires the dump to be in the Kerberos 5 Beta 5 and earlier dump format
2264 (``kdb5_edit load_dump version 2.0'').
2266 requires the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit
2267 load_dump version 3.0'').
2269 requires the dump to be in the Kerberos 5 Beta 7 format (``kdb5_edit
2270 load_dump version 4'').
2272 requires the dump to be in ovsec_adm_export format.
2274 causes the name of each principal and policy to be printed as it is
2277 causes records from the dump file to be updated in or added to the
2278 existing database. This is useful in conjunction with an
2279 ovsec_adm_export format dump if you want to preserve per-principal
2280 policy information, since the current default format does not contain
2283 causes the database to be stored as a hash rather than a binary tree.
2290 @b{shell%} kdb5_util load dumpfile principal
2297 @b{shell%} kdb5_util load -update dumpfile principal
2303 If the database file exists, and the @b{-update} flag was not given,
2304 @code{kdb5_util} will overwrite the existing database.
2306 @node Creating a Stash File, Creating and Destroying a Kerberos Database, Restoring a Kerberos Database from a Dump File, Global Operations on the Kerberos Database
2307 @subsection Creating a Stash File
2309 A stash file allows a KDC to authenticate itself to the database
2310 utilities, such as @code{kadmin}, @code{kadmind}, @code{krb5kdc}, and
2313 To create a stash file, use the @code{kdb5_util} @code{stash} command.
2317 @b{kdb5_util stash} [@b{-f} @i{keyfile}]
2324 @b{shell%} kdb5_util stash
2325 @b{kdb5_util: Cannot find/read stored master key while reading master key
2326 kdb5_util: Warning: proceeding without master key}
2328 @b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the KDC database master password.}
2341 If you do not specify a stash file, @code{kdb5_util} will stash the key
2342 in the file specified in your @code{kdc.conf} file.
2344 @node Creating and Destroying a Kerberos Database, , Creating a Stash File, Global Operations on the Kerberos Database
2345 @subsection Creating and Destroying a Kerberos Database
2347 If you need to create a new Kerberos database, use the @code{kdb5_util}
2348 @code{create} command. The syntax is:
2351 @b{kdb5_util create} [@b{-s}]
2354 If you specify the @samp{-s} option, @code{kdb5_util} will stash a copy
2355 of the master key in a stash file. (@xref{Creating a Stash File}.) For
2360 @b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} create -s
2361 @b{kdb5_util: No such file or directory while setting active database to
2362 @result{} '@value{ROOTDIR}/var/krb5kdc/principal'
2363 Initializing database '@value{ROOTDIR}/var/krb5kdc/principal' for
2364 @result{} realm '@value{PRIMARYREALM}',
2365 master key name 'K/M@@@value{PRIMARYREALM}'
2366 You will be prompted for the database Master Password.
2367 It is important that you NOT FORGET this password.}
2369 @b{Enter KDC database master key:} @i{@doubleleftarrow{} Type the master password.}
2370 @b{Re-enter KDC database master key to verify:} @i{@doubleleftarrow{} Type it again.}
2384 If you need to destroy the current Kerberos database, use the
2385 @code{kdb5_util} @code{destroy} command. The syntax is:
2388 @b{kdb5_util destroy} [@b{-f}]
2391 The @code{destroy} command destroys the database, first overwriting the
2392 disk sectors and then unlinking the files. If you specify the
2393 @samp{-f} option, @code{kdb5_util} will not prompt you for a
2394 confirmation before destroying the database.
2398 @b{shell%} @value{ROOTDIR}/sbin/kdb5_util -r @value{PRIMARYREALM} destroy
2400 @b{kdb5_util: Deleting KDC database stored in @value{DefaultDatabaseName}, are you sure
2401 (type yes to confirm)?} @i{@doubleleftarrow{}yes}
2411 @b{OK, deleting database '@value{DefaultDatabaseName}'...}
2418 @c @node The KDC Logs, , Creating and Destroying a Kerberos Database, Administrating the Kerberos Database
2419 @c @section The KDC Logs
2421 This will have to wait until the next release. *sigh*
2424 @node Cross-realm Authentication, , Global Operations on the Kerberos Database, Administrating the Kerberos Database
2425 @section Cross-realm Authentication
2427 In order for a KDC in one realm to authenticate Kerberos users in a
2428 different realm, it must share a key with the KDC in the other realm.
2429 In both databases, there must be krbtgt service principals for both realms.
2430 These principals should all have the same passwords, key version
2431 numbers, and encryption types. For example, if the administrators of
2432 @value{PRIMARYREALM} and @value{SECONDREALM} wanted to authenticate
2433 across the realms, they would run the following commands on the KDCs in
2438 @b{shell%:} kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4"
2439 @b{kadmin:} add_princ -requires_preauth krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}
2440 @b{Enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:}
2441 @b{Re-enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:}
2442 @b{kadmin:} add_princ -requires_preauth krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}
2443 @b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:}
2444 @b{Re-enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:}
2449 Even if most principals in a realm are generally created with the
2450 requires_preauth flag enabled, this flag is not desirable on
2451 cross-realm authentication keys because doing so makes it impossible to
2452 disable preauthentication on a service-by-service basis. Disabling it
2453 as in the example above (the leading @samp{-} clears the flag, following kadmin's @samp{@{-|+@}} option convention) is recommended.
2455 It is also very important that these principals have good passwords.
2456 @value{COMPANY} recommends that TGT principal passwords be at least 26
2457 characters of random ASCII text.
2459 @node Application Servers, Backups of Secure Hosts, Administrating the Kerberos Database, Top
2460 @chapter Application Servers
2462 If you need to install the @value{PRODUCT} programs on an application
2463 server, please refer to the @value{PRODUCT} Installation Guide. Once
2464 you have installed the software, you need to add that host to the
2465 Kerberos database (@pxref{Adding or Modifying Principals}), and generate
2466 a @dfn{keytab} for that host, that contains the host's key. You also
2467 need to make sure the host's clock is within your maximum clock skew of
2473 * Getting DNS Information Correct::
2474 * Configuring Your Firewall to Work With Kerberos V5::
2477 @node Keytabs, Clock Skew, Application Servers, Application Servers
2480 A @dfn{keytab} is a host's copy of its own keylist, which is analogous
2481 to a user's password. An application server that needs to authenticate
2482 itself to the KDC has to have a keytab that contains its own principal
2483 and key. Just as it is important for users to protect their passwords,
2484 it is equally important for hosts to protect their keytabs. You should
2485 always store keytab files on local disk, and make them readable only by
2486 root, and you should never send a keytab file over a network in the
2487 clear. Ideally, you should run the @code{kadmin} command to extract a
2488 keytab on the host on which the keytab is to reside.
2491 * Adding Principals to Keytabs::
2492 * Removing Principals from Keytabs::
2495 @node Adding Principals to Keytabs, Removing Principals from Keytabs, Keytabs, Keytabs
2496 @subsection Adding Principals to Keytabs
2498 To generate a keytab, or to add a principal to an existing keytab, use
2499 the @code{ktadd} command from @code{kadmin}, which requires the
2500 ``inquire'' administrative privilege. (If you use the @b{-glob}
2501 @i{princ_exp} option, it also requires the ``list'' administrative
2502 privilege.) The syntax is:
2505 @b{ktadd} [@b{-k[eytab]} @i{keytab}] [@b{-q}] [@b{-e}
2506 @i{key:salt_list}] [@i{principal} | @b{-glob} @i{princ_exp}]
2510 The @code{ktadd} command takes the following switches:
2513 @item -k[eytab] @i{keytab}
2514 use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the
2515 default keytab file (@code{@value{DefaultDefaultKeytabName}}).
2517 @item @b{-e} @i{"enc:salt..."}
2518 Uses the specified list of enctype-salttype pairs for setting the key
2519 of the principal. The quotes are necessary if there are multiple
2520 enctype-salttype pairs. This will not function against kadmin daemons
2521 earlier than krb5-1.2. See @ref{Supported Encryption Types} and
2522 @ref{Salts} for all possible values.
2525 run in quiet mode. This causes @code{ktadd} to display less verbose
2528 @item @i{principal} | -glob @i{principal expression}
2529 add @i{principal}, or all principals matching @i{principal expression}
2530 to the keytab. The rules for @i{principal expression} are the same as
2531 for the kadmin @code{list_principals} (@pxref{Retrieving a List of
2532 Principals}) command.
2535 Here is a sample session, using configuration files that enable only
2536 @samp{des-cbc-crc} encryption. (The line beginning with @result{} is a
2537 continuation of the previous line.)
2541 @b{kadmin:} ktadd host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
2542 @b{kadmin: Entry for principal host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM} with
2543 kvno 2, encryption type DES-CBC-CRC added to keytab
2544 WRFILE:/etc/krb5.keytab.
2551 @b{kadmin:} ktadd -k @value{ROOTDIR}/var/krb5kdc/kadmind.keytab
2552 @result{} kadmin/admin kadmin/changepw
2553 @b{kadmin: Entry for principal kadmin/admin@@@value{PRIMARYREALM} with
2554 kvno 3, encryption type DES-CBC-CRC added to keytab
2555 WRFILE:@value{ROOTDIR}/var/krb5kdc/kadmind.keytab.
2560 @node Removing Principals from Keytabs, , Adding Principals to Keytabs, Keytabs
2561 @subsection Removing Principals from Keytabs
2563 To remove a principal from an existing keytab, use the kadmin
2564 @code{ktremove} command. The syntax is:
2567 @b{ktremove} [@b{-k[eytab]} @i{keytab}] [@b{-q}] @i{principal} [@i{kvno} | @b{all} | @b{old}]
2570 The @code{ktremove} command takes the following switches:
2573 @item -k[eytab] @i{keytab}
2574 use @i{keytab} as the keytab file. Otherwise, @code{ktremove} will use
2575 the default keytab file (@code{/etc/krb5.keytab}).
2578 run in quiet mode. This causes @code{ktremove} to display less verbose
2582 the principal to remove from the keytab. (Required.)
2585 remove all entries for the specified principal whose Key Version Numbers
2589 remove all entries for the specified principal
2592 remove all entries for the specified principal except those with the
2600 @b{kadmin:} ktremove -k @value{ROOTDIR}/var/krb5kdc/kadmind.keytab kadmin/admin
2601 @b{kadmin: Entry for principal kadmin/admin with kvno 3 removed
2602 from keytab WRFILE:@value{ROOTDIR}/var/krb5kdc/kadmind.keytab.
2607 @node Clock Skew, Getting DNS Information Correct, Keytabs, Application Servers
2610 In order to prevent intruders from resetting their system clocks in
2611 order to continue to use expired tickets, @value{PRODUCT} is set up to
2612 reject ticket requests from any host whose clock is not within the
2613 specified maximum clock skew of the KDC (as specified in the
2614 @code{kdc.conf} file). Similarly, hosts are configured to reject
2615 responses from any KDC whose clock is not within the specified maximum
2616 clock skew of the host (as specified in the @code{krb5.conf} file). The
2617 default value for maximum clock skew is @value{DefaultClockskew}.
2619 @value{COMPANY} suggests that you add a line to client machines'
2620 @code{/etc/rc} files to synchronize the machine's clock to your KDC at
2621 boot time. On UNIX hosts, assuming you had a kdc called
2622 @code{@value{KDCSERVER}} in your realm, this would be:
2625 gettime -s @value{KDCSERVER}
2628 If the host is not likely to be rebooted frequently, you may also want
2629 to set up a cron job that adjusts the time on a regular basis.
2631 @node Getting DNS Information Correct, Configuring Your Firewall to Work With Kerberos V5, Clock Skew, Application Servers
2632 @section Getting DNS Information Correct
2634 Several aspects of Kerberos rely on name service. In order for Kerberos
2635 to provide its high level of security, it is less forgiving of name
2636 service problems than some other parts of your network. It is important
2637 that your Domain Name System (DNS) entries and your hosts have the
2638 correct information.
2640 Each host's canonical name must be the fully-qualified host name
2641 (including the domain), and each host's IP address must reverse-resolve
2642 to the canonical name.
2644 Other than the @code{localhost} entry, make all entries in each
2645 machine's @code{/etc/hosts} file in the following form:
2648 IP address fully-qualified hostname aliases
2651 Here is a sample @code{/etc/hosts} file:
2656 127.0.0.1 localhost localhost@@@value{PRIMARYDOMAIN}
2657 @value{RANDOMHOST1IP} @value{RANDOMHOST1}.@value{PRIMARYDOMAIN} trillium wake-robin
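The added example below (not code from the krb5 distribution) checks a host table against the rule just stated: after the @code{localhost} line, the first name following each address must be the fully-qualified canonical name, and one address must not claim two different canonical names, since that is what a reverse lookup from the file would return. The sample table and the domain @code{example.com} are constructed for the example.

```python
"""Lint /etc/hosts entries for the form Kerberos expects.

Added example, not code from the krb5 distribution. Checks that each
non-localhost line reads 'IP fully-qualified-hostname aliases' and that
no address maps to two different canonical names. SAMPLE_HOSTS and the
domain example.com are constructed for this example.
"""
from typing import Dict, List, Tuple

SAMPLE_HOSTS = """\
# constructed sample; not a real host table
127.0.0.1   localhost
10.0.0.21   daffodil.example.com trillium wake-robin
10.0.0.22   tulip  tulip.example.com
10.0.0.21   crocus.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (ip, canonical_name, aliases) for each non-comment line."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if names:
            rows.append((ip, names[0], names[1:]))
    return rows


def lint_hosts(text: str, domain: str) -> List[str]:
    """Report entries that would break canonical-name resolution."""
    findings = []
    canonical_for: Dict[str, str] = {}
    for ip, canon, _aliases in parse_hosts(text):
        if canon == "localhost":
            continue
        # The first name after the address is what gethostbyaddr() returns,
        # so it must be the fully qualified name, not a short alias.
        if not canon.lower().endswith("." + domain.lower()):
            findings.append("%s: canonical name %r is not fully qualified in %s"
                            % (ip, canon, domain))
        # A second line for the same address gives the host two canonical
        # names; reverse resolution will then not match the host principal.
        prev = canonical_for.setdefault(ip, canon)
        if prev != canon:
            findings.append("%s: maps to both %r and %r" % (ip, prev, canon))
    return findings


if __name__ == "__main__":
    for finding in lint_hosts(SAMPLE_HOSTS, "example.com"):
        print(finding)
```

On the constructed table the linter flags the @code{tulip} line, where the short name comes before the fully-qualified one, and the duplicate @code{10.0.0.21} entry.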
2661 Additionally, on Solaris machines, you need to be sure the ``hosts''
2662 entry in the file @* @code{/etc/nsswitch.conf} includes the source
2663 ``dns'' as well as ``file''.
2665 Finally, each host's keytab file must include a host/key pair for the
2666 host's canonical name. You can list the keys in a keytab file by
2667 issuing the command @code{klist -k}. For example:
2672 Keytab name: /etc/krb5.keytab
2674 ---- ------------------------------------------------------------
2675 1 host/@value{RANDOMHOST1}.@value{PRIMARYDOMAIN}@@@value{PRIMARYREALM}
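To check both requirements on a host without relying on @code{klist -k} output, the added example below (not code from the krb5 distribution) reads a keytab file directly and audits it: the file must be owned by the expected user and unreadable by group and others, and it must contain an entry for @code{host/}@i{canonical-name}@code{@@}@i{REALM}. The keytab layout it assumes is the MIT version-2 file format (big-endian, 16-bit counted strings, optional trailing 32-bit kvno); the sample keytab, its principals, realm and enctype numbers are constructed in memory for the example rather than produced by @code{ktadd}.

```python
"""Parse and audit an MIT Kerberos keytab (file format version 0x0502).

Added example; not code from the krb5 distribution. Assumptions: the
MIT v2 keytab layout (big-endian, 16-bit counted strings, optional
trailing 32-bit kvno), and a sample keytab constructed in memory.
"""
import os
import stat
import struct
import tempfile
from typing import List, NamedTuple, Sequence, Tuple


class KeytabEntry(NamedTuple):
    principal: str   # e.g. host/daffodil.example.com@EXAMPLE.COM
    kvno: int
    enctype: int     # 1 = des-cbc-crc, 16 = des3-cbc-sha1 (registry numbers)
    timestamp: int


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Return the live entries of a version-2 keytab image."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen             # skip the key material itself
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, timestamp))
    return entries


def build_keytab(entries: Sequence[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab.

    Only used here to construct sample input; real keytabs come from ktadd.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, ts 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(path: str, canonical_host: str, realm: str,
                 owner_uid: int = 0) -> List[str]:
    """Return findings for a keytab file; an empty list means it passes."""
    findings = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("readable by group or others (mode %o)"
                        % (st.st_mode & 0o777))
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    want = "host/%s@%s" % (canonical_host, realm)
    if not any(e.principal == want for e in entries):
        findings.append("no entry for %s" % want)
    return findings


def demo(mode: int = 0o600) -> List[str]:
    """Write a constructed keytab with the given mode and audit it."""
    sample = build_keytab([
        ("host/daffodil.example.com@EXAMPLE.COM", 2, 1, b"\x11" * 8),
        ("kadmin/admin@EXAMPLE.COM", 300, 16, b"\x22" * 24),
    ])
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, sample)
        os.close(fd)
        os.chmod(path, mode)
        return audit_keytab(path, "daffodil.example.com", "EXAMPLE.COM",
                            owner_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo() or "keytab OK")
    print(demo(0o644))
```

The audit function is written to be run as root against @code{/etc/krb5.keytab} with the default @code{owner_uid} of 0; @code{demo()} passes the current user's uid only because the sample file is created unprivileged. The parser never returns the key bytes themselves, so its output can be logged without exposing the host's key.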
2679 If you telnet to the host with a fresh credentials cache (ticket file),
2680 and then @code{klist}, the host's service principal should be
2681 @i{host/fully-qualified-hostname@@REALM_NAME}.
2683 @node Configuring Your Firewall to Work With Kerberos V5, , Getting DNS Information Correct, Application Servers
2684 @section Configuring Your Firewall to Work With @value{PRODUCT}
2686 If you need off-site users to be able to get Kerberos tickets in your
2687 realm, they must be able to get to your KDC. This requires either that
2688 you have a slave KDC outside your firewall, or you configure your
2689 firewall to allow UDP requests into at least one of your KDCs, on
2690 whichever port the KDC is running. (The default is port
2691 @value{DefaultPort}; other ports may be specified in the KDC's kdc.conf
2692 file.) Similarly, if you need off-site users to be able to change
2693 their passwords in your realm, they must be able to get to your
2694 Kerberos admin server. The default port for the admin server is
2695 @value{DefaultKadmindPort}.
2697 If your on-site users inside your firewall will need to get to KDCs in
2698 other realms, you will also need to configure your firewall to allow
2699 outgoing TCP and UDP requests to port @value{DefaultPort}.
2700 Additionally, if they will need to get to any Kerberos V4 KDCs, you may
2701 also need to allow TCP and UDP requests to port
2702 @value{DefaultSecondPort}. If your on-site users inside your firewall
2703 will need to get to Kerberos admin servers in other realms, you will
2704 also need to allow outgoing TCP and UDP requests to port
2705 @value{DefaultKadmindPort}.
2707 If any of your KDCs are outside your firewall, you will need to allow
2708 @code{kprop} requests to get through to the remote KDC. @code{Kprop}
2709 uses the krb5_prop service on port @value{DefaultKrbPropPort} (tcp).
2711 If you need your off-site users to have access to machines inside your
2712 firewall, you need to allow TCP connections from their off-site hosts on
2713 the appropriate ports for the programs they will be using. The
2714 following lines from @code{/etc/services} show the default port numbers
2715 for the @value{PRODUCT} programs:
2719 ftp @value{DefaultFTPPort}/tcp # Kerberos ftp and telnet use the
2720 telnet @value{DefaultTelnetPort}/tcp # default ports
2721 kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC
2722 kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
2723 klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin
2724 kshell @value{DefaultKshellPort}/tcp cmd # and remote shell
2725 kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw
2726 kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw
2727 krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation
2728 @c kpop 1109/tcp # Pop with Kerberos
2729 eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin
2730 krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator
By default, @value{PRODUCT} @code{telnet} and @code{ftp} use the same
ports as the standard @code{telnet} and @code{ftp} programs, so if you
already allow telnet and ftp connections through your firewall, the
@value{PRODUCT} versions will get through as well. If you do not
already allow telnet and ftp connections through your firewall, but need
your users to be able to use @value{PRODUCT} telnet and ftp, you can
either allow ftp and telnet connections on the standard ports, or switch
these programs to non-default port numbers and allow ftp and telnet
connections on those ports to get through.

@value{PRODUCT} @code{rlogin} uses the @code{klogin} service, which by
default uses port @value{DefaultKloginPort}. Encrypted @value{PRODUCT}
rlogin uses the @code{eklogin} service, which by default uses port
@value{DefaultEkloginPort}.

@value{PRODUCT} @code{rsh} uses the @code{kshell} service, which by
default uses port @value{DefaultKshellPort}. However, the server must
be able to make a TCP connection from the kshell port to an arbitrary
port on the client, so if your users are to be able to use @code{rsh}
from outside your firewall, the server they connect to must be able to
send outgoing packets to arbitrary port numbers. Similarly, if your
users need to run @code{rsh} from inside your firewall to hosts outside
your firewall, the outside server needs to be able to connect to an
arbitrary port on the machine inside your firewall. Because
@value{PRODUCT} @code{rcp} uses @code{rsh}, the same issues apply. If
you need to use @code{rsh} (or @code{rcp}) through your firewall and
are concerned with the security implications of allowing connections to
arbitrary ports, @value{COMPANY} suggests that you have rules that
specifically name these applications and, if possible, list the allowed

The book @cite{UNIX System Security}, by David Curry, is a good
starting point for learning to configure firewalls.

@c @node Enabling Users to Connect from Off-Site, , Configuring Your Firewall to Work With @value{PRODUCT}, Application Servers
@c @section Enabling Users to Connect from Off-Site

This will have to wait until the next release. *sigh*
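The port rules this section describes, worked through as an added example in Python (it is not part of this guide or of the MIT Kerberos distribution): it parses an @code{/etc/services} excerpt and produces the allow rules the text calls for, including the server-initiated back-connection to an arbitrary client port that @code{kshell} needs. The port numbers in the constructed sample are assumed to be the conventional MIT defaults, and all function names are the example's own.

```python
"""Derive firewall allow rules for a Kerberos site from /etc/services entries.

Added example (not part of the MIT documentation). It encodes the guidance
given above: open the KDC and admin ports inbound, the same ports outbound
when on-site users must reach other realms, krb5_prop outbound to KDCs
located outside the firewall, and the application ports for off-site users.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed /etc/services excerpt. The numbers are the conventional MIT
# Kerberos defaults (an assumption here; use whatever your build installs).
SERVICES_SAMPLE = """\
ftp              21/tcp          # Kerberos ftp and telnet use the
telnet           23/tcp          # default ports
kerberos         88/udp   kdc    # Kerberos V5 KDC
kerberos         88/tcp   kdc    # Kerberos V5 KDC
klogin          543/tcp          # Kerberos authenticated rlogin
kshell          544/tcp   cmd    # and remote shell
kerberos-adm    749/tcp          # Kerberos 5 admin/changepw
kerberos-adm    749/udp          # Kerberos 5 admin/changepw
krb5_prop       754/tcp          # Kerberos slave propagation
eklogin        2105/tcp          # Kerberos auth. & encrypted rlogin
krb524         4444/tcp          # Kerberos 5 to 4 ticket translator
"""


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    direction: str        # "in": into the site, "out": out of the site
    proto: str
    port: Optional[int]   # None means "any port" (the rsh/rcp back-connection)
    reason: str


def parse_services(text: str) -> List[Service]:
    """Parse /etc/services lines: name port/proto [aliases...] [# comment]."""
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # strip trailing comment
        if not line:
            continue
        fields = line.split()
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1]) if len(fields) > 1 else None
        if m is None:
            raise ValueError(f"malformed services line: {raw!r}")
        services.append(Service(fields[0], int(m.group(1)), m.group(2)))
    return services


def plan_rules(services: Sequence[Service], *, kdc_inside: bool = True,
               admin_inside: bool = True, reach_remote_realms: bool = False,
               reach_remote_admin: bool = False, kdc_outside: bool = False,
               offsite_programs: Sequence[str] = ()) -> List[Rule]:
    """Return the allow rules the firewall needs for the given deployment.

    offsite_programs names services (e.g. "klogin") that off-site users must
    reach on hosts inside the firewall.
    """
    by_name: Dict[str, List[Service]] = {}
    for s in services:
        by_name.setdefault(s.name, []).append(s)

    rules: List[Rule] = []

    def allow(direction: str, name: str, reason: str) -> None:
        if name not in by_name:
            raise KeyError(f"service {name!r} is not defined in /etc/services")
        for s in by_name[name]:          # one rule per protocol (tcp and udp)
            rules.append(Rule(direction, s.proto, s.port, reason))

    if kdc_inside:
        allow("in", "kerberos", "clients reach the KDC")
    if admin_inside:
        allow("in", "kerberos-adm", "kadmin and kpasswd reach the admin server")
    if reach_remote_realms:
        allow("out", "kerberos", "on-site users reach KDCs in other realms")
    if reach_remote_admin:
        allow("out", "kerberos-adm", "on-site users reach other realms' admin servers")
    if kdc_outside:
        # kprop runs on the master and connects to the remote slave's krb5_prop port.
        allow("out", "krb5_prop", "kprop propagates the database to an outside KDC")
    for name in offsite_programs:
        allow("in", name, f"off-site users run {name}")
        if name == "kshell":
            # rsh/rcp make a second, server-initiated TCP connection back to an
            # arbitrary client port, which a single port rule cannot express.
            rules.append(Rule("out", "tcp", None,
                              "kshell server connects back to an arbitrary client port"))
    return rules


if __name__ == "__main__":
    for r in plan_rules(parse_services(SERVICES_SAMPLE), kdc_outside=True,
                        reach_remote_realms=True, offsite_programs=("klogin", "kshell")):
        port = "any" if r.port is None else r.port
        print(f"allow {r.direction:3} {r.proto} port {port:<5} # {r.reason}")
```

The "any port" rule it emits for @code{kshell} is the case the text warns about; it is printed so that the reviewer sees that a plain port-based rule set cannot cover @code{rsh} and @code{rcp}.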
@node Backups of Secure Hosts, Bug Reporting, Application Servers, Top
@chapter Backups of Secure Hosts

When you back up a secure host, you should exclude the host's keytab
file from the backup. If someone obtained a copy of the keytab from a
backup, that person could make any host masquerade as the host whose
keytab was compromised. This could be particularly dangerous if the
compromised keytab was from one of your KDCs. If the machine has a disk
crash and the keytab file is lost, it is easy to generate another keytab
file. (@xref{Adding Principals to Keytabs}.) If you are unable to
exclude particular files from backups, you should ensure that the
backups are kept as secure as the host's root password.

* Backing Up the Kerberos Database::

@node Backing Up the Kerberos Database, , Backups of Secure Hosts, Backups of Secure Hosts
@section Backing Up the Kerberos Database

As with any file, it is possible that your Kerberos database could
become corrupted. If this happens on one of the slave KDCs, you might
never notice, since the next automatic propagation of the database would
install a fresh copy. However, if it happens to the master KDC, the
corrupted database would be propagated to all of the slaves during the
next propagation. For this reason, @value{COMPANY} recommends that you
back up your Kerberos database regularly. Because the master KDC is
continuously dumping the database to a file in order to propagate it to
the slave KDCs, it is a simple matter to have a cron job periodically
copy the dump file to a secure machine elsewhere on your network. (Of
course, it is important to make the host where these backups are stored
as secure as your KDCs, and to encrypt its transmission across your
network.) Then if your database becomes corrupted, you can load the
most recent dump onto the master KDC. (@xref{Restoring a Kerberos
Database from a Dump File}.)

@node Bug Reporting, Appendix, Backups of Secure Hosts, Top
@chapter Bug Reporting

@include send-pr.texinfo

@node Appendix, , Bug Reporting, Top

* kadmin Time Zones::

@node Errors, kadmin Time Zones, Appendix, Appendix
@appendixsec Kerberos Error Messages

* Kerberos V5 Library Error Codes::
* Kerberos V5 Database Library Error Codes::
* Kerberos V5 Magic Numbers Error Codes::
* ASN.1 Error Codes::
* GSSAPI Error Codes::

@node Kerberos V5 Library Error Codes, Kerberos V5 Database Library Error Codes, Errors, Errors
@appendixsubsec Kerberos V5 Library Error Codes

This is the Kerberos v5 library error code table. Protocol error codes
are @* ERROR_TABLE_BASE_krb5 + the protocol error code number; other
error codes start at ERROR_TABLE_BASE_krb5 + 128.
@c error table numbering starts at 0

KRB5KDC_ERR_NONE: No error
KRB5KDC_ERR_NAME_EXP: Client's entry in database has expired
KRB5KDC_ERR_SERVICE_EXP: Server's entry in database has expired
KRB5KDC_ERR_BAD_PVNO: Requested protocol version not supported
KRB5KDC_ERR_C_OLD_MAST_KVNO: Client's key is encrypted in an old master
KRB5KDC_ERR_S_OLD_MAST_KVNO: Server's key is encrypted in an old master
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database
KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE: Principal has multiple entries in
KRB5KDC_ERR_NULL_KEY: Client or server has a null key
KRB5KDC_ERR_CANNOT_POSTDATE: Ticket is ineligible for postdating
KRB5KDC_ERR_NEVER_VALID: Requested effective lifetime is negative or
KRB5KDC_ERR_POLICY: KDC policy rejects request
KRB5KDC_ERR_BADOPTION: KDC can't fulfill requested option
KRB5KDC_ERR_ETYPE_NOSUPP: KDC has no support for encryption type
KRB5KDC_ERR_SUMTYPE_NOSUPP: KDC has no support for checksum type
KRB5KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
KRB5KDC_ERR_TRTYPE_NOSUPP: KDC has no support for transited type
KRB5KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
KRB5KDC_ERR_SERVICE_REVOKED: Credentials for server have been revoked
KRB5KDC_ERR_TGT_REVOKED: TGT has been revoked
KRB5KDC_ERR_CLIENT_NOTYET: Client not yet valid - try again later
KRB5KDC_ERR_SERVICE_NOTYET: Server not yet valid - try again later
KRB5KDC_ERR_KEY_EXP: Password has expired
KRB5KDC_ERR_PREAUTH_FAILED: Preauthentication failed
KRB5KDC_ERR_PREAUTH_REQUIRED: Additional pre-auth@-en@-ti@-ca@-tion required
KRB5KDC_ERR_SERVER_NOMATCH: Requested server and ticket don't match
KRB5PLACEHOLD_27: KRB5 error code 27
KRB5PLACEHOLD_28: KRB5 error code 28
KRB5PLACEHOLD_29: KRB5 error code 29
KRB5PLACEHOLD_30: KRB5 error code 30
KRB5KRB_AP_ERR_BAD_INTEGRITY: Decrypt integrity check failed
KRB5KRB_AP_ERR_TKT_EXPIRED: Ticket expired
KRB5KRB_AP_ERR_TKT_NYV: Ticket not yet valid
KRB5KRB_AP_ERR_REPEAT: Request is a replay
KRB5KRB_AP_ERR_NOT_US: The ticket isn't for us
KRB5KRB_AP_ERR_BADMATCH: Ticket/authenticator don't match
KRB5KRB_AP_ERR_SKEW: Clock skew too great
KRB5KRB_AP_ERR_BADADDR: Incorrect net address
KRB5KRB_AP_ERR_BADVERSION: Protocol version mismatch
KRB5KRB_AP_ERR_MSG_TYPE: Invalid message type
KRB5KRB_AP_ERR_MODIFIED: Message stream modified
KRB5KRB_AP_ERR_BADORDER: Message out of order
KRB5KRB_AP_ERR_ILL_CR_TKT: Illegal cross-realm ticket
KRB5KRB_AP_ERR_BADKEYVER: Key version is not available
KRB5KRB_AP_ERR_NOKEY: Service key not available
KRB5KRB_AP_ERR_MUT_FAIL: Mutual authentication failed
KRB5KRB_AP_ERR_BADDIRECTION: Incorrect message direction
KRB5KRB_AP_ERR_METHOD: Alternative authentication method required
KRB5KRB_AP_ERR_BADSEQ: Incorrect sequence number in message
KRB5KRB_AP_ERR_INAPP_CKSUM: Inappropriate type of checksum in message
KRB5KRB_AP_PATH_NOT_ACCEPTED: Policy rejects transited path
KRB5KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP, retry with TCP
KRB5PLACEHOLD_53: KRB5 error code 53
KRB5PLACEHOLD_54: KRB5 error code 54
KRB5PLACEHOLD_55: KRB5 error code 55
KRB5PLACEHOLD_56: KRB5 error code 56
KRB5PLACEHOLD_57: KRB5 error code 57
KRB5PLACEHOLD_58: KRB5 error code 58
KRB5PLACEHOLD_59: KRB5 error code 59
KRB5KRB_ERR_GENERIC: Generic error (see e-text)
KRB5KRB_ERR_FIELD_TOOLONG: Field is too long for this implementation
KRB5PLACEHOLD_62: KRB5 error code 62
KRB5PLACEHOLD_63: KRB5 error code 63
KRB5PLACEHOLD_64: KRB5 error code 64
KRB5PLACEHOLD_65: KRB5 error code 65
KRB5PLACEHOLD_66: KRB5 error code 66
KRB5PLACEHOLD_67: KRB5 error code 67
KRB5PLACEHOLD_68: KRB5 error code 68
KRB5PLACEHOLD_69: KRB5 error code 69
KRB5PLACEHOLD_70: KRB5 error code 70
KRB5PLACEHOLD_71: KRB5 error code 71
KRB5PLACEHOLD_72: KRB5 error code 72
KRB5PLACEHOLD_73: KRB5 error code 73
KRB5PLACEHOLD_74: KRB5 error code 74
KRB5PLACEHOLD_75: KRB5 error code 75
KRB5PLACEHOLD_76: KRB5 error code 76
KRB5PLACEHOLD_77: KRB5 error code 77
KRB5PLACEHOLD_78: KRB5 error code 78
KRB5PLACEHOLD_79: KRB5 error code 79
KRB5PLACEHOLD_80: KRB5 error code 80
KRB5PLACEHOLD_81: KRB5 error code 81
KRB5PLACEHOLD_82: KRB5 error code 82
KRB5PLACEHOLD_83: KRB5 error code 83
KRB5PLACEHOLD_84: KRB5 error code 84
KRB5PLACEHOLD_85: KRB5 error code 85
KRB5PLACEHOLD_86: KRB5 error code 86
KRB5PLACEHOLD_87: KRB5 error code 87
KRB5PLACEHOLD_88: KRB5 error code 88
KRB5PLACEHOLD_89: KRB5 error code 89
KRB5PLACEHOLD_90: KRB5 error code 90
KRB5PLACEHOLD_91: KRB5 error code 91
KRB5PLACEHOLD_92: KRB5 error code 92
KRB5PLACEHOLD_93: KRB5 error code 93
KRB5PLACEHOLD_94: KRB5 error code 94
KRB5PLACEHOLD_95: KRB5 error code 95
KRB5PLACEHOLD_96: KRB5 error code 96
KRB5PLACEHOLD_97: KRB5 error code 97
KRB5PLACEHOLD_98: KRB5 error code 98
KRB5PLACEHOLD_99: KRB5 error code 99
KRB5PLACEHOLD_100: KRB5 error code 100
KRB5PLACEHOLD_101: KRB5 error code 101
KRB5PLACEHOLD_102: KRB5 error code 102
KRB5PLACEHOLD_103: KRB5 error code 103
KRB5PLACEHOLD_104: KRB5 error code 104
KRB5PLACEHOLD_105: KRB5 error code 105
KRB5PLACEHOLD_106: KRB5 error code 106
KRB5PLACEHOLD_107: KRB5 error code 107
KRB5PLACEHOLD_108: KRB5 error code 108
KRB5PLACEHOLD_109: KRB5 error code 109
KRB5PLACEHOLD_110: KRB5 error code 110
KRB5PLACEHOLD_111: KRB5 error code 111
KRB5PLACEHOLD_112: KRB5 error code 112
KRB5PLACEHOLD_113: KRB5 error code 113
KRB5PLACEHOLD_114: KRB5 error code 114
KRB5PLACEHOLD_115: KRB5 error code 115
KRB5PLACEHOLD_116: KRB5 error code 116
KRB5PLACEHOLD_117: KRB5 error code 117
KRB5PLACEHOLD_118: KRB5 error code 118
KRB5PLACEHOLD_119: KRB5 error code 119
KRB5PLACEHOLD_120: KRB5 error code 120
KRB5PLACEHOLD_121: KRB5 error code 121
KRB5PLACEHOLD_122: KRB5 error code 122
KRB5PLACEHOLD_123: KRB5 error code 123
KRB5PLACEHOLD_124: KRB5 error code 124
KRB5PLACEHOLD_125: KRB5 error code 125
KRB5PLACEHOLD_126: KRB5 error code 126
KRB5PLACEHOLD_127: KRB5 error code 127
KRB5_ERR_RCSID: (RCS Id string for the krb5 error table)
KRB5_LIBOS_BADLOCKFLAG: Invalid flag for file lock mode
KRB5_LIBOS_CANTREADPWD: Cannot read password
KRB5_LIBOS_BADPWDMATCH: Password mismatch
KRB5_LIBOS_PWDINTR: Password read interrupted
KRB5_PARSE_ILLCHAR: Illegal character in component name
KRB5_PARSE_MALFORMED: Malformed representation of principal
KRB5_CONFIG_CANTOPEN: Can't open/find Kerberos configuration file
KRB5_CONFIG_BADFORMAT: Improper format of Kerberos configuration file
KRB5_CONFIG_NOTENUFSPACE: Insufficient space to return complete
KRB5_BADMSGTYPE: Invalid message type specified for encoding
KRB5_CC_BADNAME: Credential cache name malformed
KRB5_CC_UNKNOWN_TYPE: Unknown credential cache type
KRB5_CC_NOTFOUND: Matching credential not found
KRB5_CC_END: End of credential cache reached
KRB5_NO_TKT_SUPPLIED: Request did not supply a ticket
KRB5KRB_AP_WRONG_PRINC: Wrong principal in request
KRB5KRB_AP_ERR_TKT_INVALID: Ticket has invalid flag set
KRB5_PRINC_NOMATCH: Requested principal and ticket don't match
KRB5_KDCREP_MODIFIED: KDC reply did not match expectations
KRB5_KDCREP_SKEW: Clock skew too great in KDC reply
KRB5_IN_TKT_REALM_MISMATCH: Client/server realm mismatch in initial
KRB5_PROG_ETYPE_NOSUPP: Program lacks support for encryption type
KRB5_PROG_KEYTYPE_NOSUPP: Program lacks support for key type
KRB5_WRONG_ETYPE: Requested encryption type not used in message
KRB5_PROG_SUMTYPE_NOSUPP: Program lacks support for checksum type
KRB5_REALM_UNKNOWN: Cannot find KDC for requested realm
KRB5_SERVICE_UNKNOWN: Kerberos service unknown
KRB5_KDC_UNREACH: Cannot contact any KDC for requested realm
KRB5_NO_LOCALNAME: No local name found for principal name
KRB5_MUTUAL_FAILED: Mutual authentication failed
KRB5_RC_TYPE_EXISTS: Replay cache type is already registered
KRB5_RC_MALLOC: No more memory to allocate (in replay cache code)
KRB5_RC_TYPE_NOTFOUND: Replay cache type is unknown
KRB5_RC_UNKNOWN: Generic unknown RC error
KRB5_RC_REPLAY: Message is a replay
KRB5_RC_IO: Replay I/O operation failed XXX
KRB5_RC_NOIO: Replay cache type does not support non-volatile storage
KRB5_RC_PARSE: Replay cache name parse/format error
KRB5_RC_IO_EOF: End-of-file on replay cache I/O
KRB5_RC_IO_MALLOC: No more memory to allocate (in replay cache I/O
KRB5_RC_IO_PERM: Permission denied in replay cache code
KRB5_RC_IO_IO: I/O error in replay cache i/o code
KRB5_RC_IO_UNKNOWN: Generic unknown RC/IO error
KRB5_RC_IO_SPACE: Insufficient system space to store replay information
KRB5_TRANS_CANTOPEN: Can't open/find realm translation file
KRB5_TRANS_BADFORMAT: Improper format of realm translation file
KRB5_LNAME_CANTOPEN: Can't open/find lname translation database
KRB5_LNAME_NOTRANS: No translation available for requested principal
KRB5_LNAME_BADFORMAT: Improper format of translation database entry
KRB5_CRYPTO_INTERNAL: Cryptosystem internal error
KRB5_KT_BADNAME: Key table name malformed
KRB5_KT_UNKNOWN_TYPE: Unknown Key table type
KRB5_KT_NOTFOUND: Key table entry not found
KRB5_KT_END: End of key table reached
KRB5_KT_NOWRITE: Cannot write to specified key table
KRB5_KT_IOERR: Error writing to key table
KRB5_NO_TKT_IN_RLM: Cannot find ticket for requested realm
KRB5DES_BAD_KEYPAR: DES key has bad parity
KRB5DES_WEAK_KEY: DES key is a weak key
KRB5_BAD_ENCTYPE: Bad encryption type
KRB5_BAD_KEYSIZE: Key size is incompatible with encryption type
KRB5_BAD_MSIZE: Message size is incompatible with encryption type
KRB5_CC_TYPE_EXISTS: Credentials cache type is already registered.
KRB5_KT_TYPE_EXISTS: Key table type is already registered.
KRB5_CC_IO: Credentials cache I/O operation failed XXX
KRB5_FCC_PERM: Credentials cache file permissions incorrect
KRB5_FCC_NOFILE: No credentials cache found
KRB5_FCC_INTERNAL: Internal credentials cache error
KRB5_CC_WRITE: Error writing to credentials cache
KRB5_CC_NOMEM: No more memory to allocate (in credentials cache code)
KRB5_CC_FORMAT: Bad format in credentials cache
KRB5_INVALID_FLAGS: Invalid KDC option combination (library internal
error) [for dual tgt library calls]
KRB5_NO_2ND_TKT: Request missing second ticket [for dual tgt library
KRB5_NOCREDS_SUPPLIED: No credentials supplied to library routine
KRB5_SENDAUTH_BADAUTHVERS: Bad sendauth version was sent
KRB5_SENDAUTH_BADAPPLVERS: Bad application version was sent (via
KRB5_SENDAUTH_BADRESPONSE: Bad response (during sendauth exchange)
KRB5_SENDAUTH_REJECTED: Server rejected authentication (during sendauth
KRB5_PREAUTH_BAD_TYPE: Unsupported preauthentication type
KRB5_PREAUTH_NO_KEY: Required preauthentication key not supplied
KRB5_PREAUTH_FAILED: Generic preauthentication failure
KRB5_RCACHE_BADVNO: Unsupported replay cache format version number
KRB5_CCACHE_BADVNO: Unsupported credentials cache format version number
KRB5_KEYTAB_BADVNO: Unsupported key table format version number
KRB5_PROG_ATYPE_NOSUPP: Program lacks support for address type
KRB5_RC_REQUIRED: Message replay detection requires rcache parameter
KRB5_ERR_BAD_HOSTNAME: Hostname cannot be canonicalized
KRB5_ERR_HOST_REALM_UNKNOWN: Cannot determine realm for host
KRB5_SNAME_UNSUPP_NAMETYPE: Conversion to service principal undefined
KRB5KRB_AP_ERR_V4_REPLY: Initial Ticket response appears to be Version
KRB5_REALM_CANT_RESOLVE: Cannot resolve KDC for requested realm
KRB5_TKT_NOT_FORWARDABLE: Requesting ticket can't get forwardable
KRB5_FWD_BAD_PRINCIPAL: Bad principal name while trying to forward
KRB5_GET_IN_TKT_LOOP: Looping detected inside krb5_get_in_tkt
KRB5_CONFIG_NODEFREALM: Configuration file does not specify default realm
KRB5_SAM_UNSUPPORTED: Bad SAM flags in obtain_sam_padata
KRB5_KT_NAME_TOOLONG: Keytab name too long
KRB5_KT_KVNONOTFOUND: Key version number for principal in key table is incorrect
KRB5_APPL_EXPIRED: This application has expired
KRB5_LIB_EXPIRED: This Krb5 library has expired
KRB5_CHPW_PWDNULL: New password cannot be zero length
KRB5_CHPW_FAIL: Password change failed
KRB5_KT_FORMAT: Bad format in keytab
KRB5_NOPERM_ETYPE: Encryption type not permitted
KRB5_CONFIG_ETYPE_NOSUPP: No supported encryption types (config file error?)
KRB5_OBSOLETE_FN: Program called an obsolete, deleted function
KRB5_EAI_FAIL: unknown getaddrinfo failure
KRB5_EAI_NODATA: no data available for host/domain name
KRB5_EAI_NONAME: host/domain name not found
KRB5_EAI_SERVICE: service name unknown
KRB5_ERR_NUMERIC_REALM: Cannot determine realm for numeric host address
@node Kerberos V5 Database Library Error Codes, Kerberos V5 Magic Numbers Error Codes, Kerberos V5 Library Error Codes, Errors
@appendixsubsec Kerberos V5 Database Library Error Codes

This is the Kerberos v5 database library error code table.

@c error table numbering starts at 0

KRB5_KDB_RCSID: (RCS Id string for the kdb error table)
KRB5_KDB_INUSE: Entry already exists in database
KRB5_KDB_UK_SERROR: Database store error
KRB5_KDB_UK_RERROR: Database read error
KRB5_KDB_UNAUTH: Insufficient access to perform requested operation
KRB5_KDB_NOENTRY: No such entry in the database
KRB5_KDB_ILL_WILDCARD: Illegal use of wildcard
KRB5_KDB_DB_INUSE: Database is locked or in use--try again later
KRB5_KDB_DB_CHANGED: Database was modified during read
KRB5_KDB_TRUNCATED_RECORD: Database record is incomplete or corrupted
KRB5_KDB_RECURSIVELOCK: Attempt to lock database twice
KRB5_KDB_NOTLOCKED: Attempt to unlock database when not locked
KRB5_KDB_BADLOCKMODE: Invalid kdb lock mode
KRB5_KDB_DBNOTINITED: Database has not been initialized
KRB5_KDB_DBINITED: Database has already been initialized
KRB5_KDB_ILLDIRECTION: Bad direction for converting keys
KRB5_KDB_NOMASTERKEY: Cannot find master key record in database
KRB5_KDB_BADMASTERKEY: Master key does not match database
KRB5_KDB_INVALIDKEYSIZE: Key size in database is invalid
KRB5_KDB_CANTREAD_STORED: Cannot find/read stored master key
KRB5_KDB_BADSTORED_MKEY: Stored master key is corrupted
KRB5_KDB_CANTLOCK_DB: Insufficient access to lock database
KRB5_KDB_DB_CORRUPT: Database format error
KRB5_KDB_BAD_VERSION: Unsupported version in database entry
KRB5_KDB_BAD_SALTTYPE: Unsupported salt type
KRB5_KDB_BAD_ENCTYPE: Unsupported encryption type
KRB5_KDB_BAD_CREATEFLAGS: Bad database creation flags
KRB5_KDB_NO_PERMITTED_KEY: No matching key in entry having a permitted enc type
KRB5_KDB_NO_MATCHING_KEY: No matching key in entry
@node Kerberos V5 Magic Numbers Error Codes, ASN.1 Error Codes, Kerberos V5 Database Library Error Codes, Errors
@appendixsubsec Kerberos V5 Magic Numbers Error Codes

This is the Kerberos v5 magic numbers error code table.

@c error table numbering starts at 0

KV5M_NONE: Kerberos V5 magic number table
KV5M_PRINCIPAL: Bad magic number for krb5_principal structure
KV5M_DATA: Bad magic number for krb5_data structure
KV5M_KEYBLOCK: Bad magic number for krb5_keyblock structure
KV5M_CHECKSUM: Bad magic number for krb5_checksum structure
KV5M_ENCRYPT_BLOCK: Bad magic number for krb5_encrypt_block structure
KV5M_ENC_DATA: Bad magic number for krb5_enc_data structure
KV5M_CRYPTOSYSTEM_ENTRY: Bad magic number for krb5_cryp@-to@-sys@-tem_entry
KV5M_CS_TABLE_ENTRY: Bad magic number for krb5_cs_table_entry structure
KV5M_CHECKSUM_ENTRY: Bad magic number for krb5_check@-sum_en@-try structure
KV5M_AUTHDATA: Bad magic number for krb5_authdata structure
KV5M_TRANSITED: Bad magic number for krb5_transited structure
KV5M_ENC_TKT_PART: Bad magic number for krb5_enc_tkt_part structure
KV5M_TICKET: Bad magic number for krb5_ticket structure
KV5M_AUTHENTICATOR: Bad magic number for krb5_authenticator structure
KV5M_TKT_AUTHENT: Bad magic number for krb5_tkt_authent structure
KV5M_CREDS: Bad magic number for krb5_creds structure
KV5M_LAST_REQ_ENTRY: Bad magic number for krb5_last_req_entry structure
KV5M_PA_DATA: Bad magic number for krb5_pa_data structure
KV5M_KDC_REQ: Bad magic number for krb5_kdc_req structure
KV5M_ENC_KDC_REP_PART: Bad magic number for @*
krb5_enc_kdc_rep_part structure
KV5M_KDC_REP: Bad magic number for krb5_kdc_rep structure
KV5M_ERROR: Bad magic number for krb5_error structure
KV5M_AP_REQ: Bad magic number for krb5_ap_req structure
KV5M_AP_REP: Bad magic number for krb5_ap_rep structure
KV5M_AP_REP_ENC_PART: Bad magic number for @*
krb5_ap_rep_enc_part structure
KV5M_RESPONSE: Bad magic number for krb5_response structure
KV5M_SAFE: Bad magic number for krb5_safe structure
KV5M_PRIV: Bad magic number for krb5_priv structure
KV5M_PRIV_ENC_PART: Bad magic number for krb5_priv_enc_part structure
KV5M_CRED: Bad magic number for krb5_cred structure
KV5M_CRED_INFO: Bad magic number for krb5_cred_info structure
KV5M_CRED_ENC_PART: Bad magic number for krb5_cred_enc_part structure
KV5M_PWD_DATA: Bad magic number for krb5_pwd_data structure
KV5M_ADDRESS: Bad magic number for krb5_address structure
KV5M_KEYTAB_ENTRY: Bad magic number for krb5_keytab_entry structure
KV5M_CONTEXT: Bad magic number for krb5_context structure
KV5M_OS_CONTEXT: Bad magic number for krb5_os_context structure
KV5M_ALT_METHOD: Bad magic number for krb5_alt_method structure
KV5M_ETYPE_INFO_ENTRY: Bad magic number for @*
krb5_etype_info_entry structure
KV5M_DB_CONTEXT: Bad magic number for krb5_db_context structure
KV5M_AUTH_CONTEXT: Bad magic number for krb5_auth_context structure
KV5M_KEYTAB: Bad magic number for krb5_keytab structure
KV5M_RCACHE: Bad magic number for krb5_rcache structure
KV5M_CCACHE: Bad magic number for krb5_ccache structure
KV5M_PREAUTH_OPS: Bad magic number for krb5_preauth_ops
KV5M_SAM_CHALLENGE: Bad magic number for krb5_sam_challenge
KV5M_SAM_KEY: Bad magic number for krb5_sam_key
KV5M_ENC_SAM_RESPONSE_ENC: Bad magic number for @*
krb5_enc_sam_response_enc
KV5M_SAM_RESPONSE: Bad magic number for krb5_sam_response
KV5M_PREDICTED_SAM_RESPONSE: Bad magic number for
krb5_predicted_sam_response
KV5M_PASSWD_PHRASE_ELEMENT: Bad magic number for passwd_phrase_element
KV5M_GSS_OID: Bad magic number for GSSAPI OID
KV5M_GSS_QUEUE: Bad magic number for GSSAPI QUEUE
@node ASN.1 Error Codes, GSSAPI Error Codes, Kerberos V5 Magic Numbers Error Codes, Errors
@appendixsubsec ASN.1 Error Codes

@c error table numbering starts at 0

ASN1_BAD_TIMEFORMAT: ASN.1 failed call to system time library
ASN1_MISSING_FIELD: ASN.1 structure is missing a required field
ASN1_MISPLACED_FIELD: ASN.1 unexpected field number
ASN1_TYPE_MISMATCH: ASN.1 type numbers are inconsistent
ASN1_OVERFLOW: ASN.1 value too large
ASN1_OVERRUN: ASN.1 encoding ended unexpectedly
ASN1_BAD_ID: ASN.1 identifier doesn't match expected value
ASN1_BAD_LENGTH: ASN.1 length doesn't match expected value
ASN1_BAD_FORMAT: ASN.1 badly-formatted encoding
ASN1_PARSE_ERROR: ASN.1 parse error
ASN1_BAD_GMTIME: ASN.1 bad return from gmtime
ASN1_MISMATCH_INDEF: ASN.1 non-constructed indefinite encoding
ASN1_MISSING_EOC: ASN.1 missing expected EOC

@node GSSAPI Error Codes, , ASN.1 Error Codes, Errors
@appendixsubsec GSSAPI Error Codes

Generic GSSAPI Errors:

@c error table numbering starts at 0

G_BAD_SERVICE_NAME: No @ in SERVICE-NAME name string
G_BAD_STRING_UID: STRING-UID-NAME contains nondigits
G_NOUSER: UID does not resolve to username
G_VALIDATE_FAILED: Validation error
G_BUFFER_ALLOC: Couldn't allocate gss_buffer_t data
G_BAD_MSG_CTX: Message context invalid
G_WRONG_SIZE: Buffer is the wrong size
G_BAD_USAGE: Credential usage type is unknown
G_UNKNOWN_QOP: Unknown quality of protection specified
G_BAD_HOSTNAME: Hostname in SERVICE-NAME string could not be
G_WRONG_MECH: Mechanism is incorrect
G_BAD_TOK_HEADER: Token header is malformed or corrupt
G_BAD_DIRECTION: Packet was replayed in wrong direction
G_TOK_TRUNC: Token is missing data
G_REFLECT: Token was reflected
G_WRONG_TOKID: Received token ID does not match expected token ID

Kerberos 5 GSSAPI Errors:

@c error table numbering starts at 0

KG_CCACHE_NOMATCH: Principal in credential cache does not match desired
KG_KEYTAB_NOMATCH: No principal in keytab matches desired name
KG_TGT_MISSING: Credential cache has no TGT
KG_NO_SUBKEY: Authenticator has no subkey
KG_CONTEXT_ESTABLISHED: Context is already fully established
KG_BAD_SIGN_TYPE: Unknown signature type in token
KG_BAD_LENGTH: Invalid field length in token
KG_CTX_INCOMPLETE: Attempt to use incomplete security context
KG_CONTEXT: Bad magic number for krb5_gss_ctx_id_t
KG_CRED: Bad magic number for krb5_gss_cred_id_t
KG_ENC_DESC: Bad magic number for krb5_gss_enc_desc
KG_BAD_SEQ: Sequence number in token is corrupt
KG_EMPTY_CCACHE: Credential cache is empty
KG_NO_CTYPES: Acceptor and Initiator share no checksum types
@node kadmin Time Zones, , Errors, Appendix
@appendixsec kadmin Time Zones

This is a complete listing of the time zones recognized by the
@code{kadmin} command.

Universal Time (Coordinated).
Western European Time. (Same as GMT.)
British Summer Time. (1 hour ahead of GMT.)
West Africa Time. (1 hour behind GMT.)
Azores Time. (2 hours behind GMT.)
Brazil Standard Time. (3 hours behind GMT.) Note that the abbreviation
BST also stands for British Summer Time.
Greenland Standard Time. (3 hours behind GMT.) Note that the
abbreviation GST also stands for Guam Standard Time.
Newfoundland Time. (3.5 hours behind GMT.)
Newfoundland Standard Time. (3.5 hours behind GMT.)
Newfoundland Daylight Time. (2.5 hours behind GMT.)
Atlantic Standard Time. (4 hours behind GMT.)
Atlantic Daylight Time. (3 hours behind GMT.)
Eastern Standard Time. (5 hours behind GMT.)
Eastern Daylight Time. (4 hours behind GMT.)
Central Standard Time. (6 hours behind GMT.)
Central Daylight Time. (5 hours behind GMT.)
Mountain Standard Time. (7 hours behind GMT.)
Mountain Daylight Time. (6 hours behind GMT.)
Pacific Standard Time. (8 hours behind GMT.)
Pacific Daylight Time. (7 hours behind GMT.)
Yukon Standard Time. (9 hours behind GMT.)
Yukon Daylight Time. (8 hours behind GMT.)
Hawaii Standard Time. (10 hours behind GMT.)
Hawaii Daylight Time. (9 hours behind GMT.)
Central Alaska Time. (10 hours behind GMT.)
Alaska-Hawaii Standard Time. (10 hours behind GMT.)
Nome Time. (11 hours behind GMT.)
International Date Line West Time. (12 hours behind GMT.)
Central European Time. (1 hour ahead of GMT.)
Middle European Time. (1 hour ahead of GMT.)
Middle European Winter Time. (1 hour ahead of GMT.)
Middle European Summer Time. (2 hours ahead of GMT.)
Swedish Winter Time. (1 hour ahead of GMT.)
Swedish Summer Time. (1 hour ahead of GMT.)
French Winter Time. (1 hour ahead of GMT.)
French Summer Time. (2 hours ahead of GMT.)
Eastern Europe Time; Russia Zone 1. (2 hours ahead of GMT.)
Baghdad Time; Russia Zone 2. (3 hours ahead of GMT.)
Iran Time. (3.5 hours ahead of GMT.)
Russia Zone 3. (4 hours ahead of GMT.)
Russia Zone 4. (5 hours ahead of GMT.)
Indian Standard Time. (5.5 hours ahead of GMT.)
Russia Zone 5. (6 hours ahead of GMT.)
North Sumatra Time. (6.5 hours ahead of GMT.) Note that the
abbreviation NST is also used for Newfoundland Standard Time.
South Sumatra Time; Russia Zone 6. (7 hours ahead of GMT.) Note that
SST is also Swedish Summer Time.
West Australian Standard Time. (7 hours ahead of GMT.)
West Australian Daylight Time. (8 hours ahead of GMT.)
Java Time. (7.5 hours ahead of GMT.)
China Coast Time; Russia Zone 7. (8 hours ahead of GMT.)
Japan Standard Time; Russia Zone 8. (9 hours ahead of GMT.)
Korean Standard Time. (9 hours ahead of GMT.)
Central Australian Standard Time. (9.5 hours ahead of GMT.)
Central Australian Daylight Time. (10.5 hours ahead of GMT.)
Eastern Australian Standard Time. (10 hours ahead of GMT.)
Eastern Australian Daylight Time. (11 hours ahead of GMT.)
Guam Standard Time; Russia Zone 9. (10 hours ahead of GMT.)
Korean Daylight Time. (10 hours ahead of GMT.)
New Zealand Time. (12 hours ahead of GMT.)
New Zealand Standard Time. (12 hours ahead of GMT.)
New Zealand Daylight Time. (13 hours ahead of GMT.)
International Date Line East. (12 hours ahead of GMT.)