HP UX Kerberos Data Security Software manual Change Password Window Password Tab

Page 162

Administering the Kerberos Server

Password Tab (Principal Information Window)

Table 8-10

Password Tab Components (Continued)

 

 

 

 

Component Name

Description

 

 

 

 

Failed Auth Count

Specifies the number of failed authentication

 

 

 

attempts since the last successful

 

 

 

authentication by the principal. Every failed

 

 

 

SignOn request by the client increments the

 

 

 

Failed Auth Count value by 1. If the number

 

 

 

exceeds the maximum value allowed by the

 

 

 

MaxFailAuthCnt parameter in the password

 

 

 

policy file, the principal account is

 

 

 

automatically locked. To determine if a

 

 

 

principal account is locked, click Principal

 

 

 

Information>Attributes and verify if Lock

 

 

 

Principal check box is selected. To unlock a

 

 

 

principal, clear the check box.

 

 

 

 

 

Primary and

 

Specifies the available key encryption options:

 

Secondary Key

 

DES3, DES-MD5,and DES-CRC. Select a key

 

Types

 

encryption type for each salt type that you

 

 

 

use.

 

 

 

 

 

Primary and

 

Specifies the salt type for a principal. A Salt

 

Secondary Salt

 

is a string of characters added to a password

 

Types

 

before it is transformed into the secret key.

 

 

 

Each salt type, except None, has some data

 

 

 

associated with it. The salt data is appended

 

 

 

to the password before generating the DES3 or

 

 

 

DES encrypted key. The salt key settings are

 

 

 

controlled through the Password tab. Salts

 

 

 

are used to strengthen passwords and to

 

 

 

ensure that principals with the same

 

 

 

passwords do not have the same key.

 

 

 

 

Change Password Window (Password Tab)

When you create a new principal using the Principal Information window>Password tab, HP Kerberos Administrator automatically displays the Change Password window (Figure 8-6). Enter a new password and verify the password for user principals. You must select

162

Chapter 8

Image 162
Contents Edition Manufacturing Part Number T1417-90009 E0905Legal Notices Copyright NoticesPage Page Contents Configuring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Configuration Worksheet Explanation Figures Figures What Is in This Document Intended AudienceInteroperability with Windows 2000, on GlossaryBold fixed Typographic ConventionsIndex WidthHP-UX Release Name and Release Identifier Publishing HistoryRelated Software Products Accessing the World Wide Web Related DocumentationRelated Request for Comments RFCs HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Authentication Process Illustrates the actions of the components and the KerberosStep Authentication Process DES Versus 3DES Key Type Settings Introduction to Ldap Ldap AdvantagesIntegrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Software Requirements System RequirementsHardware Requirements Version CompatibilityInstalling the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump file to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Migrating from Kerberos Server Version 2.0 to VersionCopy the dump file to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Kerberos Server and Windows 2000 Interoperability ScenarioEstablishing Trust Between Kerberos Server and Windows Fqdn qualifier specifies the fully qualified domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Encryption Considerations Special Considerations for InteroperabilityDatabase Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Configuring the Kerberos Configuration Files for the Kerberos Server Security Server Files That Require ConfigurationConfiguration File Function Krb.conf File Krb.conf File FormatKrb.realms File Krb.realms File Format Wildcard Characters Wildcard Character DescriptionAutoconfiguring the Kerberos Server To configure the server, select option Configuring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap Ldap Configuration Files Configuration Files for Ldap IntegrationKrb5ldap.conf File File FunctionKrb5ldap.conf File Format Parameter DescriptionThis line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Configuration Files for Ldap Integration Krb5map.conf File Krb5map.conf File FormatHpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Planning Your Ldap Configuration Before You BeginSetting up Your Ldap Configuration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Autoconfiguring the Kerberos Server With Ldap Integration Configuring the Kerberos Server with LdapStep Select one of the following options Qualified host name or the IP address HpKrbKey Autoconfiguring the Kerberos Server With Ldap Integration Manually Configuring the Kerberos Server with Ldap Editing the Configuration FilesManually Configuring the Kerberos Server with Ldap Manually Configuring the Kerberos Server with Ldap Chapter Configuring the Primary Create the Principal Database After Installation Configuring the Primary Security ServerAdd an Administrative Principal To add an Administrative Principal Using the HP KerberosAdministrator To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Define Secondary Security Server Network Locations Password Policy File AdminaclfileSecurity Policies Starting the Security Server Configuring the Secondary Security Servers with C-Tree Creating the Principal DatabaseCopying the Kerberos Configuration File Creating a host/fqdn Principal and Extracting the Key Creating a stash file using the kdbstash utility Configuring the Secondary Security Servers with Ldap106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database Kadmind Command Configuration Files Required for kadmindFile Name Description Adminaclfile File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclfile Creating Administrative Accounts Using Restricted AdministratorHow the r/R Modifiers Work 118 Default Password Policy Settings for the Base Group Password Policy FileEditing the Default File Password Policy Setting Default Value120 Principals 122 Adding New Service Principals Adding User PrincipalsReserved Service Principals Chapter 125 126 Removing Special Privilege Settings Removing User PrincipalsRemoving Service Principals Protecting a Secret KeyChapter 129 Kadmin and kadminl Utilities Administration Utilities Administration Utilities Name DescriptionHP Kerberos Administrator Cancel Standard Functionality of the AdministratorFunction of OK, Apply, and Cancel Buttons Button Name ActionLocal Administrator kadminlui Using kadminluiChapter 135 Principals Tab Principals Tab Principals Tab ComponentsSearch Component Name Description List AllSearch String List of PrincipalsGeneral Tab Principal Information Window Principal Information WindowPrincipal Information Window Components General Tab Password TabField Name Description Attributes TabMaximum Ticket Lifetime General Tab ComponentsField Name Description Principal Expiration Maximum Renew TimeField Name Description Password Policy Last ModifiedModified By Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Searching for a Principal Search CriteriaCharacter Description 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Window Password Tab Principal InformationPassword Tab Components Displays the Ldap DN that you are editingChange Password Component Name Description PasswordPassword Last Expiration/DateChange Password Window Password Tab Entering a password Change Password Window ComponentsComponents Description New Password VerificationChanging a Key Type Changing a DES-CRC or DES-MD5 Principal Key TypeTo 3DES 166 Changing Principal Attributes Attributes Tab Principal Information 12 describes the components of the Attributes tabAttributes Tab Components Allow Renewable Components DescriptionAllow Postdated Tickets170 Allow Duplicate Components Description Allow ForwardableAllow Proxy Session KeysComponents Description Require PreauthenticationRequire Password ChangeAllow As Service Components Description Lock PrincipalChange Service AuthenticationSet As Password Components Description Require InitialLdap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Component Description Principal Extract Service Key Table ComponentsService Key Table TypeUsing Groups to Control Settings Editing the Default GroupChapter 183 Group Information Window Principal InformationEditEdit Default Group to display the Group Group Information Window ComponentsComponent Description Group Principal Attributes Setting the Default Group Principal AttributesDefault Principal Attributes Component DescriptionChapter 187 Setting Administrative Permissions Administrative Permissions 11 Administrative Permissions WindowModify Add PrincipalsPrincipals Principals Inquire aboutInformationEditEdit Default GroupGroup Information Override the Principal InformationEditEdit Group DefaultDefaults Component Description Restricted192 Realms Tab Realms Tab Realms Tab ComponentsRealm Information Window Realm Information Window ComponentsAdding a Realm Deleting a Realm Remote Administrator kadminui Logon screen displays as shown in Figure Logon Screen200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Specifying a New Password Adding a Random KeyChanging Password to a New Randomly Generated Deleting a PrincipalExtracting a Principal 3DESListing the Attributes of a Principal Modifying a PrincipalNumber of Authentication Failures fcnt Key Version Number Attribute Policy Name AttributesAllow Postdated Attribute Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Preauthentication Attribute Require Password Change AttributeLock Principal Attribute Allow As Service Attribute Require Initial Authentication Attribute Principal InformationEditEdit Administrative PermissionsAuthentication Select Require Initial Authentication Set As Password Change Service AttributeNo text shows Password Expiration Attribute Principal Expiration Attribute Maximum Ticket Lifetime AttributeMaximum Renew Time Attribute Key Type AttributeSalt Type Attribute Principal Database Utilities Principal Database UtilitiesUtility Task Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons and Services Situation Starting and Stopping DaemonsProtecting Security Server Secrets Maintenance TasksMaster Password Host/fqdn@REALMBacking Up primary security server Data Backing Up the Principal Database238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Hierarchy Propagation RelationshipsService Key Table Extracting a Key to the Service Key Table FileMaintaining Secret Keys in the Key Table File Creating a New Service Key Table File Deleting Older Keys from the Service Key Table FilePropagation Tools Propagation Tools If You Want To Use This ToolOne or more servers once Propagation is configured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Defaultvalues Section SectionsChapter 253 Secsrvname Section Examples Configuration file256 Prpadmin Administrative Application Setting Up Propagation Primary security server Services and Daemons Daemon Name Function Generic Usage260 Chapter 261 262 Critical Error Messages Monitoring PropagationMonitoring the Log File Monitoring Propagation Queue Files Monitoring Old File Date and Large File SizeAuthentication problems Updating the principal.ok Time StampComparing the Database to Its Copies Administration appears normal Log files indicate problemsMismatch between the number of principals Kdbdump Utility Restarting Propagation Using a Simple Process Restarting Propagation Using the Full Dump MethodPropagation Failure Converting a secondary security server to a primary Security serverRestarting Services Cleaning the Temp DirectoryConfiguring Multirealm Enterprises Number of Realms per DatabasePrimary security servers Supporting Multiple Realms Multiple primary security servers Supporting a Single Realm Adding More Realms to a Multirealm DatabaseDatabase Propagation for Multirealm Databases Managing Multiple Realms 276 Considering a Trust Relationship One-Way TrustTwo-Way Trust Hierarchical Trust Other Types of TrustConfiguring Direct Trust Relationships 280 Hierarchical Interrealm Trust Hierarchical Chain of TrustHierarchical Interrealm Configuration Chapter 283 Configuring the Local Realm Configuring the Intermediate Realm Configuring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Diagnostic Tools Summary Diagnostic ToolsTool Description Name Troubleshooting Kerberos Error MessagesLogging Capabilities Unix Syslog File Services Checklist Troubleshooting TechniquesTroubleshooting Scenarios Cause Tips Troubleshooting Scenarios 298 Troubleshooting Scenarios for your LDAP-based Kerberos Server Scenario Cause Troubleshooting Tips300 Chapter 301 302 General Errors Forgotten PasswordsLocking and Unlocking Accounts Clock SynchronizationUser Error Messages Decrypt Integrity Check FailedAdministrative Error Messages Password Has Expired While Getting Initial TicketService Key Not Available While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Configuration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Glossary Key Distribution Center See KDCGlossary V5srvtab Ticket-granting ticket See TGTTicket-granting ticket Symbols Index326 327
Related manuals
Manual 13 pages 9.67 Kb Manual 285 pages 23.05 Kb