HP UX Kerberos Data Security Software manual Allow As Service Attribute

Page 218

Administering the Kerberos Server

Manual Administration Using kadmin

To modify the type of the parameter attr for the principal admin and to set the Lock Principal attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute.

Following is a sample output of the Lock Principal attribute:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :attr

Attribute (or quit): {locknolock}

Principal modified.

Allow As Service Attribute

You must select the Allow As Service attribute for any principal that is used as a service.

This attribute applies to both the user principal and the service principal. Selecting this attribute does not necessarily mean that the principal account is being used by a network service application. Select this attribute for user principals that run programs requiring user-to-user authentication.

When you set the Allow As Service attribute, the name of the principal name appears in the server ﬁeld of the service ticket. If you do not set this attribute, the Kerberos server cannot issue a service ticket for that principal because the name of the principal cannot appear in the server ﬁeld of the service ticket.

This attribute is set by default, allowing principals to act as a service and enabling user-to-user authentication for user principals.

To modify the type of the parameter attr for the principal admin and to set the Allow As Service attribute, type kadmin at the HP-UX prompt and specify the mod command, the principal name, the attr parameter type, and the attribute.

Following is a sample output of the Allow As Service attribute:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :attr

Attribute (or quit): {svrnosvr}

Principal modified.

218

Chapter 8

Image 218

Contents Edition Manufacturing Part Number T1417-90009 E0905Legal Notices Copyright NoticesPage Page Contents Conﬁguring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Conﬁguration Worksheet Explanation Figures Figures What Is in This Document Intended AudienceInteroperability with Windows 2000, on GlossaryBold ﬁxed Typographic ConventionsIndex WidthRelated Software Products HP-UX Release Name and Release IdentiﬁerPublishing History Related Request for Comments RFCs Accessing the World Wide WebRelated Documentation HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Authentication Process Illustrates the actions of the components and the KerberosStep Authentication Process DES Versus 3DES Key Type Settings Introduction to Ldap Ldap AdvantagesIntegrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Software Requirements System RequirementsHardware Requirements Version CompatibilityInstalling the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump ﬁle to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Migrating from Kerberos Server Version 2.0 to VersionCopy the dump ﬁle to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Kerberos Server and Windows 2000 Interoperability ScenarioEstablishing Trust Between Kerberos Server and Windows Fqdn qualiﬁer speciﬁes the fully qualiﬁed domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Encryption Considerations Special Considerations for InteroperabilityDatabase Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Conﬁguring the Kerberos Conﬁguration File Function Conﬁguration Files for the Kerberos ServerSecurity Server Files That Require Conﬁguration Krb.conf File Krb.conf File FormatKrb.realms File Krb.realms File Format Wildcard Characters Wildcard Character DescriptionAutoconﬁguring the Kerberos Server To conﬁgure the server, select option Conﬁguring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap Ldap Conﬁguration Files Conﬁguration Files for Ldap IntegrationKrb5ldap.conf File File FunctionKrb5ldap.conf File Format Parameter DescriptionThis line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Conﬁguration Files for Ldap Integration Krb5map.conf File Krb5map.conf File FormatHpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Planning Your Ldap Conﬁguration Before You BeginSetting up Your Ldap Conﬁguration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Step Select one of the following options Autoconﬁguring the Kerberos Server With Ldap IntegrationConﬁguring the Kerberos Server with Ldap Qualiﬁed host name or the IP address HpKrbKey Autoconﬁguring the Kerberos Server With Ldap Integration Manually Conﬁguring the Kerberos Server with Ldap Editing the Conﬁguration FilesManually Conﬁguring the Kerberos Server with Ldap Manually Conﬁguring the Kerberos Server with Ldap Chapter Conﬁguring the Primary Create the Principal Database After Installation Conﬁguring the Primary Security ServerAdministrator Add an Administrative PrincipalTo add an Administrative Principal Using the HP Kerberos To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Deﬁne Secondary Security Server Network Locations Security Policies Password Policy FileAdminaclﬁle Starting the Security Server Copying the Kerberos Conﬁguration File Conﬁguring the Secondary Security Servers with C-TreeCreating the Principal Database Creating a host/fqdn Principal and Extracting the Key Creating a stash ﬁle using the kdbstash utility Conﬁguring the Secondary Security Servers with Ldap106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database File Name Description Kadmind CommandConﬁguration Files Required for kadmind Adminaclﬁle File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclﬁle How the r/R Modiﬁers Work Creating Administrative AccountsUsing Restricted Administrator 118 Default Password Policy Settings for the Base Group Password Policy FileEditing the Default File Password Policy Setting Default Value120 Principals 122 Adding New Service Principals Adding User PrincipalsReserved Service Principals Chapter 125 126 Removing Special Privilege Settings Removing User PrincipalsRemoving Service Principals Protecting a Secret KeyChapter 129 Kadmin and kadminl Utilities Administration Utilities Administration Utilities Name DescriptionHP Kerberos Administrator Cancel Standard Functionality of the AdministratorFunction of OK, Apply, and Cancel Buttons Button Name ActionLocal Administrator kadminlui Using kadminluiChapter 135 Principals Tab Principals Tab Principals Tab ComponentsSearch Component Name Description List AllSearch String List of PrincipalsPrincipal Information Window Components General Tab Principal Information WindowPrincipal Information Window General Tab Password TabField Name Description Attributes TabMaximum Ticket Lifetime General Tab ComponentsField Name Description Principal Expiration Maximum Renew TimeModiﬁed By Field Name Description Password PolicyLast Modiﬁed Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Character Description Searching for a PrincipalSearch Criteria 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Window Password Tab Principal InformationPassword Tab Components Displays the Ldap DN that you are editingChange Password Component Name Description PasswordPassword Last Expiration/DateChange Password Window Password Tab Entering a password Change Password Window ComponentsComponents Description New Password VeriﬁcationTo 3DES Changing a Key TypeChanging a DES-CRC or DES-MD5 Principal Key Type 166 Changing Principal Attributes Attributes Tab Components Attributes Tab Principal Information12 describes the components of the Attributes tab Allow Renewable Components DescriptionAllow Postdated Tickets170 Allow Duplicate Components Description Allow ForwardableAllow Proxy Session KeysComponents Description Require PreauthenticationRequire Password ChangeAllow As Service Components Description Lock PrincipalChange Service AuthenticationSet As Password Components Description Require InitialLdap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Component Description Principal Extract Service Key Table ComponentsService Key Table TypeUsing Groups to Control Settings Editing the Default GroupChapter 183 Group Information Window Principal Component Description Group InformationEditEdit Default Group to display the GroupGroup Information Window Components Principal Attributes Setting the Default Group Principal AttributesDefault Principal Attributes Component DescriptionChapter 187 Setting Administrative Permissions Administrative Permissions 11 Administrative Permissions WindowModify Add PrincipalsPrincipals Principals Inquire aboutInformationEditEdit Default GroupGroup Information Override the Principal InformationEditEdit Group DefaultDefaults Component Description Restricted192 Realms Tab Realms Tab Realms Tab ComponentsRealm Information Window Realm Information Window ComponentsAdding a Realm Deleting a Realm Remote Administrator kadminui Logon screen displays as shown in Figure Logon Screen200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Specifying a New Password Adding a Random KeyChanging Password to a New Randomly Generated Deleting a PrincipalExtracting a Principal 3DESListing the Attributes of a Principal Modifying a PrincipalNumber of Authentication Failures fcnt Key Version Number Attribute Allow Postdated Attribute Policy NameAttributes Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Preauthentication Attribute Require Password Change AttributeLock Principal Attribute Allow As Service Attribute Require Initial Authentication Attribute Principal InformationEditEdit Administrative PermissionsNo text shows Authentication Select Require InitialAuthentication Set As Password Change Service Attribute Password Expiration Attribute Principal Expiration Attribute Maximum Ticket Lifetime AttributeSalt Type Attribute Maximum Renew Time AttributeKey Type Attribute Utility Task Principal Database UtilitiesPrincipal Database Utilities Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons and Services Situation Starting and Stopping DaemonsProtecting Security Server Secrets Maintenance TasksMaster Password Host/fqdn@REALMBacking Up primary security server Data Backing Up the Principal Database238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Hierarchy Propagation RelationshipsMaintaining Secret Keys in the Key Table File Service Key TableExtracting a Key to the Service Key Table File Creating a New Service Key Table File Deleting Older Keys from the Service Key Table FilePropagation Tools Propagation Tools If You Want To Use This ToolOne or more servers once Propagation is conﬁgured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Defaultvalues Section SectionsChapter 253 Secsrvname Section Examples Conﬁguration ﬁle256 Prpadmin Administrative Application Setting Up Propagation Primary security server Services and Daemons Daemon Name Function Generic Usage260 Chapter 261 262 Monitoring the Log File Critical Error MessagesMonitoring Propagation Monitoring Propagation Queue Files Monitoring Old File Date and Large File SizeComparing the Database to Its Copies Authentication problemsUpdating the principal.ok Time Stamp Mismatch between the number of principals Administration appears normalLog ﬁles indicate problems Kdbdump Utility Restarting Propagation Using a Simple Process Restarting Propagation Using the Full Dump MethodPropagation Failure Converting a secondary security server to a primary Security serverRestarting Services Cleaning the Temp DirectoryPrimary security servers Supporting Multiple Realms Conﬁguring Multirealm EnterprisesNumber of Realms per Database Multiple primary security servers Supporting a Single Realm Adding More Realms to a Multirealm DatabaseDatabase Propagation for Multirealm Databases Managing Multiple Realms 276 Two-Way Trust Considering a Trust RelationshipOne-Way Trust Hierarchical Trust Other Types of TrustConﬁguring Direct Trust Relationships 280 Hierarchical Interrealm Trust Hierarchical Chain of TrustHierarchical Interrealm Conﬁguration Chapter 283 Conﬁguring the Local Realm Conﬁguring the Intermediate Realm Conﬁguring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Tool Description Name Diagnostic Tools SummaryDiagnostic Tools Logging Capabilities Troubleshooting KerberosError Messages Unix Syslog File Troubleshooting Scenarios Cause Tips Services ChecklistTroubleshooting Techniques Troubleshooting Scenarios 298 Troubleshooting Scenarios for your LDAP-based Kerberos Server Scenario Cause Troubleshooting Tips300 Chapter 301 302 General Errors Forgotten PasswordsLocking and Unlocking Accounts Clock SynchronizationUser Error Messages Decrypt Integrity Check FailedService Key Not Available While Getting Initial Ticket Administrative Error MessagesPassword Has Expired While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Conﬁguration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Glossary Key Distribution Center See KDCGlossary V5srvtab Ticket-granting ticket See TGTTicket-granting ticket Symbols Index326 327

Related manuals

Manual 13 pages 9.67 Kb

Manual 285 pages 23.05 Kb