HP UX Kerberos Data Security Software manual 118

Page 118

Administering the Kerberos Server

The admin_acl_ﬁle File

NOTE	IRDid is equivalent to the IRD permissions because the uppercase
	permissions (excluding the r and R modiﬁers) apply to all realms.

In either case, administrative principals can delete any principal from their own realm, but they have restricted delete privileges in realms other than their own.

For example, administrative principals with IDRm or IDRidm permissions assigned have restricted delete permissions in all other realms but their own, but they can modify and delete any principal in their own realm.

•The Rr modiﬁers restrict permissions for all principals in

admin_acl_file for all realms supported by the primary security server. For example, administrative principals with IMRimr permission assigned cannot modify principals included in admin_acl_file in any realm, including their own. They can only modify principals that are not included in admin_acl_file.

•The e, E, g, and G permissions are not affected by the r, R, and Rr modiﬁers.

•Administrative principals assigned with the icr or ICRicr permission are still able to change their own passwords using the administrative tools.

Permissions other than c and C are restricted for the restricted administrative principals. For instance, principals assigned with the imr permission are not able to modify their own principal accounts.

An administrative principal with r or R in combination with e or E can use the Kerberos administrative utilities to remove the r modiﬁer from their admin_acl_file entry, for example: ier, IER, IERr, or IEr. Do not assign these permission combinations.

•Administrative principals assigned with the ic, icr, IC, or ICR permission are able to change principal attributes and extract service keys in addition to changing principal passwords. According to the r and R modiﬁer rules, restricted administrators can only make the principal accounts, which are not included in admin_acl_file, perform these actions.

118

Chapter 8

Image 118

Contents Edition Manufacturing Part Number T1417-90009 E0905Legal Notices Copyright NoticesPage Page Contents Conﬁguring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Conﬁguration Worksheet Explanation Figures Figures What Is in This Document Intended AudienceInteroperability with Windows 2000, on GlossaryBold ﬁxed Typographic ConventionsIndex WidthPublishing History HP-UX Release Name and Release IdentiﬁerRelated Software Products Related Documentation Accessing the World Wide WebRelated Request for Comments RFCs HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Authentication Process Illustrates the actions of the components and the KerberosStep Authentication Process DES Versus 3DES Key Type Settings Introduction to Ldap Ldap AdvantagesIntegrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Software Requirements System RequirementsHardware Requirements Version CompatibilityInstalling the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump ﬁle to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Migrating from Kerberos Server Version 2.0 to VersionCopy the dump ﬁle to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Kerberos Server and Windows 2000 Interoperability ScenarioEstablishing Trust Between Kerberos Server and Windows Fqdn qualiﬁer speciﬁes the fully qualiﬁed domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Encryption Considerations Special Considerations for InteroperabilityDatabase Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Conﬁguring the Kerberos Security Server Files That Require Conﬁguration Conﬁguration Files for the Kerberos ServerConﬁguration File Function Krb.conf File Krb.conf File FormatKrb.realms File Krb.realms File Format Wildcard Characters Wildcard Character DescriptionAutoconﬁguring the Kerberos Server To conﬁgure the server, select option Conﬁguring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap Ldap Conﬁguration Files Conﬁguration Files for Ldap IntegrationKrb5ldap.conf File File FunctionKrb5ldap.conf File Format Parameter DescriptionThis line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Conﬁguration Files for Ldap Integration Krb5map.conf File Krb5map.conf File FormatHpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Planning Your Ldap Conﬁguration Before You BeginSetting up Your Ldap Conﬁguration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Conﬁguring the Kerberos Server with Ldap Autoconﬁguring the Kerberos Server With Ldap IntegrationStep Select one of the following options Qualiﬁed host name or the IP address HpKrbKey Autoconﬁguring the Kerberos Server With Ldap Integration Manually Conﬁguring the Kerberos Server with Ldap Editing the Conﬁguration FilesManually Conﬁguring the Kerberos Server with Ldap Manually Conﬁguring the Kerberos Server with Ldap Chapter Conﬁguring the Primary Create the Principal Database After Installation Conﬁguring the Primary Security ServerTo add an Administrative Principal Using the HP Kerberos Add an Administrative PrincipalAdministrator To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Deﬁne Secondary Security Server Network Locations Adminaclﬁle Password Policy FileSecurity Policies Starting the Security Server Creating the Principal Database Conﬁguring the Secondary Security Servers with C-TreeCopying the Kerberos Conﬁguration File Creating a host/fqdn Principal and Extracting the Key Creating a stash ﬁle using the kdbstash utility Conﬁguring the Secondary Security Servers with Ldap106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database Conﬁguration Files Required for kadmind Kadmind CommandFile Name Description Adminaclﬁle File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclﬁle Using Restricted Administrator Creating Administrative AccountsHow the r/R Modiﬁers Work 118 Default Password Policy Settings for the Base Group Password Policy FileEditing the Default File Password Policy Setting Default Value120 Principals 122 Adding New Service Principals Adding User PrincipalsReserved Service Principals Chapter 125 126 Removing Special Privilege Settings Removing User PrincipalsRemoving Service Principals Protecting a Secret KeyChapter 129 Kadmin and kadminl Utilities Administration Utilities Administration Utilities Name DescriptionHP Kerberos Administrator Cancel Standard Functionality of the AdministratorFunction of OK, Apply, and Cancel Buttons Button Name ActionLocal Administrator kadminlui Using kadminluiChapter 135 Principals Tab Principals Tab Principals Tab ComponentsSearch Component Name Description List AllSearch String List of PrincipalsPrincipal Information Window General Tab Principal Information WindowPrincipal Information Window Components General Tab Password TabField Name Description Attributes TabMaximum Ticket Lifetime General Tab ComponentsField Name Description Principal Expiration Maximum Renew TimeLast Modiﬁed Field Name Description Password PolicyModiﬁed By Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Search Criteria Searching for a PrincipalCharacter Description 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Window Password Tab Principal InformationPassword Tab Components Displays the Ldap DN that you are editingChange Password Component Name Description PasswordPassword Last Expiration/DateChange Password Window Password Tab Entering a password Change Password Window ComponentsComponents Description New Password VeriﬁcationChanging a DES-CRC or DES-MD5 Principal Key Type Changing a Key TypeTo 3DES 166 Changing Principal Attributes 12 describes the components of the Attributes tab Attributes Tab Principal InformationAttributes Tab Components Allow Renewable Components DescriptionAllow Postdated Tickets170 Allow Duplicate Components Description Allow ForwardableAllow Proxy Session KeysComponents Description Require PreauthenticationRequire Password ChangeAllow As Service Components Description Lock PrincipalChange Service AuthenticationSet As Password Components Description Require InitialLdap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Component Description Principal Extract Service Key Table ComponentsService Key Table TypeUsing Groups to Control Settings Editing the Default GroupChapter 183 Group Information Window Principal Group Information Window Components InformationEditEdit Default Group to display the GroupComponent Description Group Principal Attributes Setting the Default Group Principal AttributesDefault Principal Attributes Component DescriptionChapter 187 Setting Administrative Permissions Administrative Permissions 11 Administrative Permissions WindowModify Add PrincipalsPrincipals Principals Inquire aboutInformationEditEdit Default GroupGroup Information Override the Principal InformationEditEdit Group DefaultDefaults Component Description Restricted192 Realms Tab Realms Tab Realms Tab ComponentsRealm Information Window Realm Information Window ComponentsAdding a Realm Deleting a Realm Remote Administrator kadminui Logon screen displays as shown in Figure Logon Screen200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Specifying a New Password Adding a Random KeyChanging Password to a New Randomly Generated Deleting a PrincipalExtracting a Principal 3DESListing the Attributes of a Principal Modifying a PrincipalNumber of Authentication Failures fcnt Key Version Number Attribute Attributes Policy NameAllow Postdated Attribute Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Preauthentication Attribute Require Password Change AttributeLock Principal Attribute Allow As Service Attribute Require Initial Authentication Attribute Principal InformationEditEdit Administrative PermissionsAuthentication Set As Password Change Service Attribute Authentication Select Require InitialNo text shows Password Expiration Attribute Principal Expiration Attribute Maximum Ticket Lifetime AttributeKey Type Attribute Maximum Renew Time AttributeSalt Type Attribute Principal Database Utilities Principal Database UtilitiesUtility Task Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons and Services Situation Starting and Stopping DaemonsProtecting Security Server Secrets Maintenance TasksMaster Password Host/fqdn@REALMBacking Up primary security server Data Backing Up the Principal Database238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Hierarchy Propagation RelationshipsExtracting a Key to the Service Key Table File Service Key TableMaintaining Secret Keys in the Key Table File Creating a New Service Key Table File Deleting Older Keys from the Service Key Table FilePropagation Tools Propagation Tools If You Want To Use This ToolOne or more servers once Propagation is conﬁgured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Defaultvalues Section SectionsChapter 253 Secsrvname Section Examples Conﬁguration ﬁle256 Prpadmin Administrative Application Setting Up Propagation Primary security server Services and Daemons Daemon Name Function Generic Usage260 Chapter 261 262 Monitoring Propagation Critical Error MessagesMonitoring the Log File Monitoring Propagation Queue Files Monitoring Old File Date and Large File SizeUpdating the principal.ok Time Stamp Authentication problemsComparing the Database to Its Copies Log ﬁles indicate problems Administration appears normalMismatch between the number of principals Kdbdump Utility Restarting Propagation Using a Simple Process Restarting Propagation Using the Full Dump MethodPropagation Failure Converting a secondary security server to a primary Security serverRestarting Services Cleaning the Temp DirectoryNumber of Realms per Database Conﬁguring Multirealm EnterprisesPrimary security servers Supporting Multiple Realms Multiple primary security servers Supporting a Single Realm Adding More Realms to a Multirealm DatabaseDatabase Propagation for Multirealm Databases Managing Multiple Realms 276 One-Way Trust Considering a Trust RelationshipTwo-Way Trust Hierarchical Trust Other Types of TrustConﬁguring Direct Trust Relationships 280 Hierarchical Interrealm Trust Hierarchical Chain of TrustHierarchical Interrealm Conﬁguration Chapter 283 Conﬁguring the Local Realm Conﬁguring the Intermediate Realm Conﬁguring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Diagnostic Tools Diagnostic Tools SummaryTool Description Name Error Messages Troubleshooting KerberosLogging Capabilities Unix Syslog File Troubleshooting Techniques Services ChecklistTroubleshooting Scenarios Cause Tips Troubleshooting Scenarios 298 Troubleshooting Scenarios for your LDAP-based Kerberos Server Scenario Cause Troubleshooting Tips300 Chapter 301 302 General Errors Forgotten PasswordsLocking and Unlocking Accounts Clock SynchronizationUser Error Messages Decrypt Integrity Check FailedPassword Has Expired While Getting Initial Ticket Administrative Error MessagesService Key Not Available While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Conﬁguration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Glossary Key Distribution Center See KDCGlossary V5srvtab Ticket-granting ticket See TGTTicket-granting ticket Symbols Index326 327

Related manuals

Manual 13 pages 9.67 Kb

Manual 285 pages 23.05 Kb