HP UX Kerberos Data Security Software manual

Page 125

Administering the Kerberos Server

Principals

the database secret key. All records in the principal database are encrypted using this key. The key for this principal is stored on each Kerberos server in the .k5.realm stash file. Anyone who can read that file can decrypt the entire principal database, so the file must be readable only by the Kerberos server account.

IMPORTANT: Do not remove, modify, or change the key type of this principal, and do not generate a new key for it.

default@REALM: The default@REALM principal holds the default group principal attributes for the realm. It is required in every realm and is created automatically, as the default group, when a realm is added to the database.

The attributes and properties of this principal act as a template for the principals you add to that realm in the principal database of the Kerberos server. The principal uses a random key, but you must never extract that key to a service key table file. The principal is locked by default, so an attacker cannot authenticate as it.

IMPORTANT: Do not remove this principal entry or unlock this principal account.

krbtgt/REALM@REALM: The Kerberos server uses the secret key of the krbtgt/REALM@REALM principal to encrypt the ticket-granting tickets (TGTs) it issues for principals in REALM, and to decrypt them again when a client presents one. Whoever holds this key can decrypt or forge any TGT in the realm, so it is the most sensitive key after the master key.

IMPORTANT: Do not remove or modify this principal entry, except to add a 3DES key if you need to support that encryption type.

To configure interrealm authentication, create a distinct reserved krbtgt/ principal for each trust relationship. For principals in realm SOURCE to reach services in realm TARGET, the principal krbtgt/TARGET@SOURCE must exist in the databases of both realms with an identical key; a two-way trust needs both krbtgt/TARGET@SOURCE and krbtgt/SOURCE@TARGET.

If you change any attribute or the password of the krbtgt/REALM@REALM principal in the default realm (the realm that contains the K/M@REALM principal), close all administrative programs, including kadmin, kadminl_ui, and kdcd, and then restart all administrative services and daemons in that realm. Running processes keep using the key they loaded at startup, so the change does not take effect until they are restarted.
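The following toy model, added here and not part of the HP manual or the HP-UX Kerberos server code, illustrates the two points above: the krbtgt/REALM@REALM key is what seals every TGT the KDC issues, and interrealm trust works only when krbtgt/TARGET@SOURCE exists in both realm databases with the same key. It also shows why a daemon must be restarted after the krbtgt key changes. Realm names, principal names and the HMAC-SHA256 counter-mode cipher (a stand-in for the real DES/3DES enctypes) are constructed for the example; a real ticket has many more fields.

```python
"""Toy KDC model: krbtgt keys, key version numbers (kvno) and interrealm trust.
Constructed example; realm names and the cipher are stand-ins, not HP-UX Kerberos code."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, standing in for the DES/3DES enctypes of the manual.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, kvno: int, payload: dict) -> dict:
    """Encrypt-then-MAC a ticket body. The kvno travels in the clear so the
    verifier knows which version of the principal's key to use."""
    pt = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"kvno": kvno, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(keys: dict, ticket: dict) -> dict:
    """keys maps kvno -> key bytes for one principal. Select by kvno, verify, decrypt."""
    key = keys.get(ticket["kvno"])
    if key is None:
        raise KeyError(f"no key with kvno {ticket['kvno']}")
    nonce, ct, tag = (bytes.fromhex(ticket[f]) for f in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decrypt integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class Realm:
    """One realm's principal database, reduced to principal -> {kvno: key}."""

    def __init__(self, name: str):
        self.name = name
        self.db = {}
        self.add_key(f"krbtgt/{name}@{name}")  # reserved TGS principal, created with the realm

    def add_key(self, princ: str, key: bytes = None) -> int:
        keys = self.db.setdefault(princ, {})
        kvno = max(keys, default=0) + 1  # a password change bumps the kvno
        keys[kvno] = key or secrets.token_bytes(32)
        return kvno

    def issue_tgt(self, client: str, for_realm: str = None):
        """Issue a TGT, or a cross-realm TGT for another realm, under the newest key."""
        sname = f"krbtgt/{for_realm or self.name}@{self.name}"
        if sname not in self.db:
            raise KeyError(f"{self.name} has no {sname}: no trust path to {for_realm}")
        kvno = max(self.db[sname])
        body = {"client": client, "issuer": self.name, "sname": sname}
        return sname, seal(self.db[sname][kvno], kvno, body)

    def accept_tgt(self, sname: str, ticket: dict) -> dict:
        if sname not in self.db:
            raise KeyError(f"{self.name} has no key for {sname}")
        return unseal(self.db[sname], ticket)


def establish_trust(src: Realm, dst: Realm) -> str:
    """One-way trust letting src's principals reach dst's services:
    krbtgt/DST@SRC must exist in BOTH databases with an identical key and kvno."""
    sname = f"krbtgt/{dst.name}@{src.name}"
    shared = secrets.token_bytes(32)
    if src.add_key(sname, shared) != dst.add_key(sname, shared):
        raise RuntimeError("kvno mismatch: both realms must hold the same key version")
    return sname


def demo() -> dict:
    a, b = Realm("A.EXAMPLE.COM"), Realm("B.EXAMPLE.COM")  # constructed realms
    out = {}
    sname, tgt = a.issue_tgt("alice@A.EXAMPLE.COM")  # local TGT under krbtgt/A@A
    out["local_tgt"] = a.accept_tgt(sname, tgt)["client"] == "alice@A.EXAMPLE.COM"
    try:  # no trust yet: B's KDC holds no krbtgt/A@B to issue a cross-realm TGT with
        b.issue_tgt("bob@B.EXAMPLE.COM", "A.EXAMPLE.COM")
        out["untrusted"] = False
    except KeyError:
        out["untrusted"] = True
    establish_trust(b, a)  # one-way: B's principals may reach A, not the reverse
    sname, xtgt = b.issue_tgt("bob@B.EXAMPLE.COM", "A.EXAMPLE.COM")
    out["cross_realm"] = a.accept_tgt(sname, xtgt)["issuer"] == "B.EXAMPLE.COM"
    try:
        a.issue_tgt("alice@A.EXAMPLE.COM", "B.EXAMPLE.COM")
        out["one_way"] = False
    except KeyError:
        out["one_way"] = True
    # Rekey krbtgt/A@A. A daemon still holding the keys it loaded at startup cannot
    # read tickets sealed under the new kvno until it is restarted and reloads them.
    tgs = f"krbtgt/{a.name}@{a.name}"
    loaded_at_startup = dict(a.db[tgs])
    a.add_key(tgs)
    _, new_tgt = a.issue_tgt("alice@A.EXAMPLE.COM")
    try:
        unseal(loaded_at_startup, new_tgt)
        out["stale_daemon_fails"] = False
    except KeyError:
        out["stale_daemon_fails"] = True
    out["after_restart"] = unseal(a.db[tgs], new_tgt)["client"] == "alice@A.EXAMPLE.COM"
    return out


if __name__ == "__main__":
    print(demo())
```

Run it as a script to print the six checks; all six should be True. The kvno in the clear is the mechanism a real KDC uses to pick the right key version after a krbtgt password change, which is also why old keys are normally kept in the database until every ticket sealed under them has expired.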

Chapter 8


Manufacturing Part Number T1417-90009, Edition E0905.