HP UX Kerberos Data Security Software manual Principal Expiration Attribute

Page 222

Administering the Kerberos Server

Manual Administration Using kadmin

Because the expiration time is calculated from the time you add a new principal to the database, the password change load on the server is distributed over time. Therefore, you can select a password expiration in the default group principal template without affecting the administrative load, provided you add new principals over a period of time.

To modify the parameter type attr of the principal admin to set the

Password Expiration attribute, you need to execute the following:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr,fcnt,vno, policy,dn or qui t) :attr

Attribute (or quit): {cpwexpnocpwexp}

Principal modified.

Principal Expiration Attribute

The Principal Expiration attribute determines the expiration time of a principal account. You can set the expiration time to a definite time or to never. An expired principal account is essentially locked; it can no longer be used to access the security network. However, this account can be re-enabled by resetting the expiration time, because the principal still exists in the principal database.

Setting a principal expiration time may be useful for granting access to temporary employees. However, if you specify an expiration date for the default group principal, all principals added using that template setting will expire at the same time. You must consider the administrative requirements of expiring all principal accounts on the same day.

You cannot set this attribute using the command-line administrator.

Maximum Ticket Lifetime Attribute

The Maximum Ticket Lifetime attribute determines the maximum lifetime for an initial or service ticket that the principal requests. If you set the lifetime to a time longer than the lifetime assigned to the krbtgt/REALM@REALM principal, the settings in the krbtgt/ principal take precedence.

You may choose to set a maximum ticket lifetime for the default group template that is different from the krbtgt/ principal if you plan to enter a block of users that have restricted ticket lifetimes. After adding the block of user principals, you can alter the default group setting again.

222

Chapter 8

Page 221 Page 223
Image 222
Page 221 Page 223
Contents Edition Manufacturing Part Number T1417-90009 E0905Legal Notices Copyright NoticesPage Page Contents Configuring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Configuration Worksheet Explanation Figures Figures What Is in This Document Intended AudienceInteroperability with Windows 2000, on GlossaryBold fixed Typographic ConventionsIndex WidthHP-UX Release Name and Release Identifier Publishing HistoryRelated Software Products Accessing the World Wide Web Related DocumentationRelated Request for Comments RFCs HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Authentication Process Illustrates the actions of the components and the KerberosStep Authentication Process DES Versus 3DES Key Type Settings Introduction to Ldap Ldap AdvantagesIntegrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Software Requirements System RequirementsHardware Requirements Version CompatibilityInstalling the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump file to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Migrating from Kerberos Server Version 2.0 to VersionCopy the dump file to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Kerberos Server and Windows 2000 Interoperability ScenarioEstablishing Trust Between Kerberos Server and Windows Fqdn qualifier specifies the fully qualified domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Encryption Considerations Special Considerations for InteroperabilityDatabase Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Configuring the Kerberos Configuration Files for the Kerberos Server Security Server Files That Require ConfigurationConfiguration File Function Krb.conf File Krb.conf File FormatKrb.realms File Krb.realms File Format Wildcard Characters Wildcard Character DescriptionAutoconfiguring the Kerberos Server To configure the server, select option Configuring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap Ldap Configuration Files Configuration Files for Ldap IntegrationKrb5ldap.conf File File FunctionKrb5ldap.conf File Format Parameter DescriptionThis line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Configuration Files for Ldap Integration Krb5map.conf File Krb5map.conf File FormatHpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Planning Your Ldap Configuration Before You BeginSetting up Your Ldap Configuration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Autoconfiguring the Kerberos Server With Ldap Integration Configuring the Kerberos Server with LdapStep Select one of the following options Qualified host name or the IP address HpKrbKey Autoconfiguring the Kerberos Server With Ldap Integration Manually Configuring the Kerberos Server with Ldap Editing the Configuration FilesManually Configuring the Kerberos Server with Ldap Manually Configuring the Kerberos Server with Ldap Chapter Configuring the Primary Create the Principal Database After Installation Configuring the Primary Security ServerAdd an Administrative Principal To add an Administrative Principal Using the HP KerberosAdministrator To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Define Secondary Security Server Network Locations Password Policy File AdminaclfileSecurity Policies Starting the Security Server Configuring the Secondary Security Servers with C-Tree Creating the Principal DatabaseCopying the Kerberos Configuration File Creating a host/fqdn Principal and Extracting the Key Creating a stash file using the kdbstash utility Configuring the Secondary Security Servers with Ldap106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database Kadmind Command Configuration Files Required for kadmindFile Name Description Adminaclfile File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclfile Creating Administrative Accounts Using Restricted AdministratorHow the r/R Modifiers Work 118 Default Password Policy Settings for the Base Group Password Policy FileEditing the Default File Password Policy Setting Default Value120 Principals 122 Adding New Service Principals Adding User PrincipalsReserved Service Principals Chapter 125 126 Removing Special Privilege Settings Removing User PrincipalsRemoving Service Principals Protecting a Secret KeyChapter 129 Kadmin and kadminl Utilities Administration Utilities Administration Utilities Name DescriptionHP Kerberos Administrator Cancel Standard Functionality of the AdministratorFunction of OK, Apply, and Cancel Buttons Button Name ActionLocal Administrator kadminlui Using kadminluiChapter 135 Principals Tab Principals Tab Principals Tab ComponentsSearch Component Name Description List AllSearch String List of PrincipalsGeneral Tab Principal Information Window Principal Information WindowPrincipal Information Window Components General Tab Password TabField Name Description Attributes TabMaximum Ticket Lifetime General Tab ComponentsField Name Description Principal Expiration Maximum Renew TimeField Name Description Password Policy Last ModifiedModified By Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Searching for a Principal Search CriteriaCharacter Description 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Window Password Tab Principal InformationPassword Tab Components Displays the Ldap DN that you are editingChange Password Component Name Description PasswordPassword Last Expiration/DateChange Password Window Password Tab Entering a password Change Password Window ComponentsComponents Description New Password VerificationChanging a Key Type Changing a DES-CRC or DES-MD5 Principal Key TypeTo 3DES 166 Changing Principal Attributes Attributes Tab Principal Information 12 describes the components of the Attributes tabAttributes Tab Components Allow Renewable Components DescriptionAllow Postdated Tickets170 Allow Duplicate Components Description Allow ForwardableAllow Proxy Session KeysComponents Description Require PreauthenticationRequire Password ChangeAllow As Service Components Description Lock PrincipalChange Service AuthenticationSet As Password Components Description Require InitialLdap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Component Description Principal Extract Service Key Table ComponentsService Key Table TypeUsing Groups to Control Settings Editing the Default GroupChapter 183 Group Information Window Principal InformationEditEdit Default Group to display the Group Group Information Window ComponentsComponent Description Group Principal Attributes Setting the Default Group Principal AttributesDefault Principal Attributes Component DescriptionChapter 187 Setting Administrative Permissions Administrative Permissions 11 Administrative Permissions WindowModify Add PrincipalsPrincipals Principals Inquire aboutInformationEditEdit Default GroupGroup Information Override the Principal InformationEditEdit Group DefaultDefaults Component Description Restricted192 Realms Tab Realms Tab Realms Tab ComponentsRealm Information Window Realm Information Window ComponentsAdding a Realm Deleting a Realm Remote Administrator kadminui Logon screen displays as shown in Figure Logon Screen200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Specifying a New Password Adding a Random KeyChanging Password to a New Randomly Generated Deleting a PrincipalExtracting a Principal 3DESListing the Attributes of a Principal Modifying a PrincipalNumber of Authentication Failures fcnt Key Version Number Attribute Policy Name AttributesAllow Postdated Attribute Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Preauthentication Attribute Require Password Change AttributeLock Principal Attribute Allow As Service Attribute Require Initial Authentication Attribute Principal InformationEditEdit Administrative PermissionsAuthentication Select Require Initial Authentication Set As Password Change Service AttributeNo text shows Password Expiration Attribute Principal Expiration Attribute Maximum Ticket Lifetime AttributeMaximum Renew Time Attribute Key Type AttributeSalt Type Attribute Principal Database Utilities Principal Database UtilitiesUtility Task Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons and Services Situation Starting and Stopping DaemonsProtecting Security Server Secrets Maintenance TasksMaster Password Host/fqdn@REALMBacking Up primary security server Data Backing Up the Principal Database238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Hierarchy Propagation RelationshipsService Key Table Extracting a Key to the Service Key Table FileMaintaining Secret Keys in the Key Table File Creating a New Service Key Table File Deleting Older Keys from the Service Key Table FilePropagation Tools Propagation Tools If You Want To Use This ToolOne or more servers once Propagation is configured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Defaultvalues Section SectionsChapter 253 Secsrvname Section Examples Configuration file256 Prpadmin Administrative Application Setting Up Propagation Primary security server Services and Daemons Daemon Name Function Generic Usage260 Chapter 261 262 Critical Error Messages Monitoring PropagationMonitoring the Log File Monitoring Propagation Queue Files Monitoring Old File Date and Large File SizeAuthentication problems Updating the principal.ok Time StampComparing the Database to Its Copies Administration appears normal Log files indicate problemsMismatch between the number of principals Kdbdump Utility Restarting Propagation Using a Simple Process Restarting Propagation Using the Full Dump MethodPropagation Failure Converting a secondary security server to a primary Security serverRestarting Services Cleaning the Temp DirectoryConfiguring Multirealm Enterprises Number of Realms per DatabasePrimary security servers Supporting Multiple Realms Multiple primary security servers Supporting a Single Realm Adding More Realms to a Multirealm DatabaseDatabase Propagation for Multirealm Databases Managing Multiple Realms 276 Considering a Trust Relationship One-Way TrustTwo-Way Trust Hierarchical Trust Other Types of TrustConfiguring Direct Trust Relationships 280 Hierarchical Interrealm Trust Hierarchical Chain of TrustHierarchical Interrealm Configuration Chapter 283 Configuring the Local Realm Configuring the Intermediate Realm Configuring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Diagnostic Tools Summary Diagnostic ToolsTool Description Name Troubleshooting Kerberos Error MessagesLogging Capabilities Unix Syslog File Services Checklist Troubleshooting TechniquesTroubleshooting Scenarios Cause Tips Troubleshooting Scenarios 298 Troubleshooting Scenarios for your LDAP-based Kerberos Server Scenario Cause Troubleshooting Tips300 Chapter 301 302 General Errors Forgotten PasswordsLocking and Unlocking Accounts Clock SynchronizationUser Error Messages Decrypt Integrity Check FailedAdministrative Error Messages Password Has Expired While Getting Initial TicketService Key Not Available While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Configuration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Glossary Key Distribution Center See KDCGlossary V5srvtab Ticket-granting ticket See TGTTicket-granting ticket Symbols Index326 327
Related manuals
Manual 13 pages 9.67 Kb Manual 285 pages 23.05 Kb
Top Page Image Contents