HP UX Kerberos Data Security Software manual Reporting Problems to Your HP Support Contact


Troubleshooting

Reporting Problems to Your HP Support Contact


If you do not have a service contract with HP, you may follow the procedure described below, but you will be billed accordingly for time and materials.

If you have a service contract with HP, document the problem as a Service Request (SR) and forward it to your HP support contact. Include the following information where applicable:

A characterization of the problem.

Describe the events leading up to and including the problem. Attempt to describe the source of the problem. Describe the symptoms of the problem.

Your characterization of the problem must include the following: HP-UX commands, communication subsystem commands, job streams, result codes and messages, and data that can reproduce the problem.

Illustrate as clearly as possible the context of any message. Prepare copies of information displayed at the system console and user terminal.

Obtain the version, update, and fix information for all software.

To check your Kerberos server version, execute the command what binary_name, where binary_name is a Kerberos server binary such as kadmin, kdcd, or kadmind.

To check the version of your kernel, execute uname -r.

This allows your support contact to determine if the problem is already known, and if the correct software is installed at your site.

Record all error messages and numbers that appear at the user terminal and the system console.

Save all network log files.

Prepare the formatted output and a copy of the log file for your HP support contact to further analyze.
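The collection steps above can be scripted so that every Service Request carries the same evidence. This is an added example, not part of the HP manual; the function name collect_sr_info, the output layout, and every path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not HP code). Caller supplies every path; none come from the manual.
# Usage: collect_sr_info OUTDIR LOGDIR BINARY...

collect_sr_info() (
    # Subshell body: the umask and variables below do not leak to the caller.
    outdir=$1
    logdir=$2
    shift 2
    umask 077    # Kerberos server logs can name principals and hosts
    mkdir -p "$outdir/logs" || exit 1
    report="$outdir/versions.txt"

    {
        echo "collected: $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        echo "kernel (uname -r): $(uname -r)"
    } > "$report"

    # Version, update, and fix strings for each Kerberos server binary.
    for bin in "$@"; do
        echo "== what $bin" >> "$report"
        if [ ! -f "$bin" ]; then
            echo "not found" >> "$report"
        elif command -v what >/dev/null 2>&1; then
            what "$bin" >> "$report" 2>&1 || echo "what exited non-zero" >> "$report"
        else
            echo "what not available on this host" >> "$report"
        fi
    done

    # Copy (never move) the logs so the originals stay in place.
    if [ -d "$logdir" ]; then
        for f in "$logdir"/*; do
            if [ -f "$f" ]; then cp -p "$f" "$outdir/logs/"; fi
        done
    fi

    # Checksums let the support contact confirm the files arrived unchanged.
    ( cd "$outdir" && find . -type f ! -name MANIFEST -exec cksum {} \; ) \
        > "$outdir/MANIFEST"
)
```

Error messages shown at the user terminal and system console still have to be recorded by hand and added to the output directory before it is sent.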


Chapter 11
