HP UX Kerberos Data Security Software manual Updating the principal.ok Time Stamp

Page 265

Propagating the Kerberos Server

Monitoring Propagation

For example, a prop_hostname file that is older than 48 hours or is unusually large indicates a propagation problem between the primary and secondary security servers as specified in hostname.

Updating the principal.ok Time Stamp

You may notice that, by default, the time stamp of the principal.ok file on the primary security server does not update after propagation. On the primary security server, the principal.ok file retains the date when the database is initially created. Do not change this database unless the database is deleted and rebuilt.

On the secondary security server, the principal.ok file is updated each time a propagation full dump from the primary is successfully completed. During a full dump, the database updates are copied to temporary files on the secondary security server. When all of the temporary files are updated, they are put into place on the secondary security server as permanent database files. If a full dump is not completed, the principal database files on the secondary security server, including the principal.ok file, remain unchanged, and the date does not change.

Because most propagation occurs as incremental propagation, an old time stamp on the principal.ok file of the secondary security server does not necessarily indicate a propagation failure, whereas a new principal.ok file indicates a failure.

Comparing the Database to Its Copies

No built-in functionality is available in the principal database to automatically ensure consistency between the database on the primary security server and the secondary security servers. However, you can use /opt/krb5/admin/kdb_dump to manually compare the contents of two databases and to identify discrepancies.

You must periodically check that the primary and secondary databases are synchronized. An out-of-sync condition is likely to exist when the following events occur:

Authentication problems

The out-of-sync condition may first appear as an intermittent authentication failure. In this scenario, a principal that changes the password after the password expires is unable to authenticate, even though the password change is successful. The principal continues its attempt to authenticate, and succeeds if the authentication

Chapter 9

265

Page 264 Page 266
Image 265
Page 264 Page 266
Contents Manufacturing Part Number T1417-90009 E0905 EditionCopyright Notices Legal NoticesPage Page Contents Configuring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Configuration Worksheet Explanation Figures Figures Intended Audience What Is in This DocumentGlossary Interoperability with Windows 2000, onIndex Typographic ConventionsBold fixed WidthPublishing History HP-UX Release Name and Release IdentifierRelated Software Products Related Documentation Accessing the World Wide WebRelated Request for Comments RFCs HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Illustrates the actions of the components and the Kerberos Authentication ProcessStep Authentication Process DES Versus 3DES Key Type Settings Ldap Advantages Introduction to LdapIntegrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Hardware Requirements System RequirementsSoftware Requirements Version CompatibilityInstalling the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump file to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Version Migrating from Kerberos Server Version 2.0 toCopy the dump file to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Scenario Kerberos Server and Windows 2000 InteroperabilityEstablishing Trust Between Kerberos Server and Windows Fqdn qualifier specifies the fully qualified domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Database Considerations Special Considerations for InteroperabilityEncryption Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Configuring the Kerberos Security Server Files That Require Configuration Configuration Files for the Kerberos ServerConfiguration File Function Krb.conf File Format Krb.conf FileKrb.realms File Krb.realms File Format Wildcard Character Description Wildcard CharactersAutoconfiguring the Kerberos Server To configure the server, select option Configuring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap Krb5ldap.conf File Configuration Files for Ldap IntegrationLdap Configuration Files File FunctionParameter Description Krb5ldap.conf File FormatThis line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Configuration Files for Ldap Integration Krb5map.conf File Format Krb5map.conf FileHpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Before You Begin Planning Your Ldap ConfigurationSetting up Your Ldap Configuration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Configuring the Kerberos Server with Ldap Autoconfiguring the Kerberos Server With Ldap IntegrationStep Select one of the following options Qualified host name or the IP address HpKrbKey Autoconfiguring the Kerberos Server With Ldap Integration Editing the Configuration Files Manually Configuring the Kerberos Server with LdapManually Configuring the Kerberos Server with Ldap Manually Configuring the Kerberos Server with Ldap Chapter Configuring the Primary Configuring the Primary Security Server Create the Principal Database After InstallationTo add an Administrative Principal Using the HP Kerberos Add an Administrative PrincipalAdministrator To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Define Secondary Security Server Network Locations Adminaclfile Password Policy FileSecurity Policies Starting the Security Server Creating the Principal Database Configuring the Secondary Security Servers with C-TreeCopying the Kerberos Configuration File Creating a host/fqdn Principal and Extracting the Key Configuring the Secondary Security Servers with Ldap Creating a stash file using the kdbstash utility106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database Configuration Files Required for kadmind Kadmind CommandFile Name Description Adminaclfile File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclfile Using Restricted Administrator Creating Administrative AccountsHow the r/R Modifiers Work 118 Editing the Default File Password Policy FileDefault Password Policy Settings for the Base Group Password Policy Setting Default Value120 Principals 122 Adding User Principals Adding New Service PrincipalsReserved Service Principals Chapter 125 126 Removing User Principals Removing Special Privilege SettingsProtecting a Secret Key Removing Service PrincipalsChapter 129 Kadmin and kadminl Utilities Administration Utilities Name Description Administration UtilitiesHP Kerberos Administrator Function of OK, Apply, and Cancel Buttons Standard Functionality of the AdministratorCancel Button Name ActionUsing kadminlui Local Administrator kadminluiChapter 135 Principals Tab Principals Tab Components Principals TabSearch String Component Name Description List AllSearch List of PrincipalsPrincipal Information Window General Tab Principal Information WindowPrincipal Information Window Components Field Name Description Password TabGeneral Tab Attributes TabField Name Description Principal Expiration General Tab ComponentsMaximum Ticket Lifetime Maximum Renew TimeLast Modified Field Name Description Password PolicyModified By Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Search Criteria Searching for a PrincipalCharacter Description 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Password Tab Components Password Tab Principal InformationWindow Displays the Ldap DN that you are editingPassword Last Component Name Description PasswordChange Password Expiration/DateChange Password Window Password Tab Change Password Window Components Entering a passwordVerification Components Description New PasswordChanging a DES-CRC or DES-MD5 Principal Key Type Changing a Key TypeTo 3DES 166 Changing Principal Attributes 12 describes the components of the Attributes tab Attributes Tab Principal InformationAttributes Tab Components Allow Postdated Components DescriptionAllow Renewable Tickets170 Allow Proxy Components Description Allow ForwardableAllow Duplicate Session KeysRequire Password PreauthenticationComponents Description Require ChangeComponents Description Lock Principal Allow As ServiceSet As Password AuthenticationChange Service Components Description Require InitialLdap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Service Key Extract Service Key Table ComponentsComponent Description Principal Table TypeEditing the Default Group Using Groups to Control SettingsChapter 183 Group Information Window Principal Group Information Window Components InformationEditEdit Default Group to display the GroupComponent Description Group Default Principal Attributes Setting the Default Group Principal AttributesPrincipal Attributes Component DescriptionChapter 187 Setting Administrative Permissions 11 Administrative Permissions Window Administrative PermissionsPrincipals Add PrincipalsModify Principals Inquire aboutDefaults Override the Principal InformationEditEdit Group DefaultInformationEditEdit Default GroupGroup Information Component Description Restricted192 Realms Tab Realms Tab Components Realms TabRealm Information Window Components Realm Information WindowAdding a Realm Deleting a Realm Remote Administrator kadminui Logon Screen Logon screen displays as shown in Figure200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Adding a Random Key Specifying a New PasswordDeleting a Principal Changing Password to a New Randomly Generated3DES Extracting a PrincipalModifying a Principal Listing the Attributes of a PrincipalNumber of Authentication Failures fcnt Key Version Number Attribute Attributes Policy NameAllow Postdated Attribute Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Password Change Attribute Require Preauthentication AttributeLock Principal Attribute Allow As Service Attribute Principal InformationEditEdit Administrative Permissions Require Initial Authentication AttributeAuthentication Set As Password Change Service Attribute Authentication Select Require InitialNo text shows Password Expiration Attribute Maximum Ticket Lifetime Attribute Principal Expiration AttributeKey Type Attribute Maximum Renew Time AttributeSalt Type Attribute Principal Database Utilities Principal Database UtilitiesUtility Task Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons Starting and Stopping Daemons and Services SituationMaster Password Maintenance TasksProtecting Security Server Secrets Host/fqdn@REALMBacking Up the Principal Database Backing Up primary security server Data238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Relationships Propagation HierarchyExtracting a Key to the Service Key Table File Service Key TableMaintaining Secret Keys in the Key Table File Deleting Older Keys from the Service Key Table File Creating a New Service Key Table FilePropagation Tools If You Want To Use This Tool Propagation ToolsOne or more servers once Propagation is configured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Sections Defaultvalues SectionChapter 253 Secsrvname Section Configuration file Examples256 Prpadmin Administrative Application Setting Up Propagation Daemon Name Function Generic Usage Primary security server Services and Daemons260 Chapter 261 262 Monitoring Propagation Critical Error MessagesMonitoring the Log File Monitoring Old File Date and Large File Size Monitoring Propagation Queue FilesUpdating the principal.ok Time Stamp Authentication problemsComparing the Database to Its Copies Log files indicate problems Administration appears normalMismatch between the number of principals Kdbdump Utility Restarting Propagation Using the Full Dump Method Restarting Propagation Using a Simple ProcessPropagation Failure Security server Converting a secondary security server to a primaryCleaning the Temp Directory Restarting ServicesNumber of Realms per Database Configuring Multirealm EnterprisesPrimary security servers Supporting Multiple Realms Adding More Realms to a Multirealm Database Multiple primary security servers Supporting a Single RealmDatabase Propagation for Multirealm Databases Managing Multiple Realms 276 One-Way Trust Considering a Trust RelationshipTwo-Way Trust Other Types of Trust Hierarchical TrustConfiguring Direct Trust Relationships 280 Hierarchical Chain of Trust Hierarchical Interrealm TrustHierarchical Interrealm Configuration Chapter 283 Configuring the Local Realm Configuring the Intermediate Realm Configuring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Diagnostic Tools Diagnostic Tools SummaryTool Description Name Error Messages Troubleshooting KerberosLogging Capabilities Unix Syslog File Troubleshooting Techniques Services ChecklistTroubleshooting Scenarios Cause Tips Troubleshooting Scenarios 298 Server Scenario Cause Troubleshooting Tips Troubleshooting Scenarios for your LDAP-based Kerberos300 Chapter 301 302 Forgotten Passwords General ErrorsClock Synchronization Locking and Unlocking AccountsDecrypt Integrity Check Failed User Error MessagesPassword Has Expired While Getting Initial Ticket Administrative Error MessagesService Key Not Available While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Configuration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Key Distribution Center See KDC GlossaryGlossary Ticket-granting ticket See TGT V5srvtabTicket-granting ticket Index Symbols326 327
Related manuals
Manual 13 pages 9.67 Kb Manual 285 pages 23.05 Kb
Top Page Image Contents