HP UX Kerberos Data Security Software manual

IMPORTANT

IMPORTANT

IMPORTANT

Administering the Kerberos Server

Principals

the database secret key. All records in the principal database are encrypted using this key. The key for this principal is stored on each Kerberos server in the .k5.realm ﬁle.

Do not remove, modify, or change the key type for this principal. Do not generate a new key for this principal.

default@REALM: The default@REALM principal name contains the default group principal attributes for the realm. This principal is required in each realm. This principal, called the default group, is automatically created when a realm is added to the database.

The attributes and properties of this principal act as a template for adding principals to a realm in the principal database of the Kerberos server. This principal uses a random key. However, you must not extract this key to a service key table ﬁle. This principal is locked by default, eliminating the security risk of an external attack to authenticate using this principal account.

Do not remove this principal entry or unlock this principal account.

krbtgt/REALM@REALM: You can use the secret key of the krbtgt/REALM@REALM principal to encrypt and decrypt ticket-granting tickets (TGTs) issued by the Kerberos server for principals in the REALM.

Do not remove or modify this principal entry, except when adding a 3DES key if you need to add support for this encryption type.

To conﬁgure interrealm authentication, create distinct reserved principals with the preﬁx name krbtgt/ for each realm.

If you change any attribute or password of the krbtgt/REALM@REALM principal for the default realm, that is, the realm that contains the K/M@REALM principal, you must close all administrative programs, including kadmin, kadminl_ui, and kdcd. Then, restart all administrative services and daemons in that realm for the changes to take effect.

Chapter 8

125

Image 125

HP UX Kerberos Data Security Software manual

Contents

Manufacturing Part Number T1417-90009 E0905 Edition Copyright Notices Legal NoticesPage Page Contents Conﬁguring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Conﬁguration Worksheet Explanation Figures Figures Intended Audience What Is in This Document Glossary Interoperability with Windows 2000, on Index Typographic ConventionsBold ﬁxed Width Related Software Products HP-UX Release Name and Release IdentiﬁerPublishing History Related Request for Comments RFCs Accessing the World Wide WebRelated Documentation HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Illustrates the actions of the components and the Kerberos Authentication Process Step Authentication Process DES Versus 3DES Key Type Settings Ldap Advantages Introduction to Ldap Integrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Hardware Requirements System RequirementsSoftware Requirements Version Compatibility Installing the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump ﬁle to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Version Migrating from Kerberos Server Version 2.0 to Copy the dump ﬁle to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Scenario Kerberos Server and Windows 2000 Interoperability Establishing Trust Between Kerberos Server and Windows Fqdn qualiﬁer speciﬁes the fully qualiﬁed domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Database Considerations Special Considerations for InteroperabilityEncryption Considerations Postdated Tickets Special Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Conﬁguring the Kerberos Conﬁguration File Function Conﬁguration Files for the Kerberos ServerSecurity Server Files That Require Conﬁguration Krb.conf File Format Krb.conf File Krb.realms File Krb.realms File Format Wildcard Character Description Wildcard Characters Autoconﬁguring the Kerberos Server To conﬁgure the server, select option Conﬁguring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap Krb5ldap.conf File Conﬁguration Files for Ldap IntegrationLdap Conﬁguration Files File Function Parameter Description Krb5ldap.conf File Format This line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Conﬁguration Files for Ldap Integration Krb5map.conf File Format Krb5map.conf File HpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Before You Begin Planning Your Ldap Conﬁguration Setting up Your Ldap Conﬁguration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Step Select one of the following options Autoconﬁguring the Kerberos Server With Ldap IntegrationConﬁguring the Kerberos Server with Ldap Qualiﬁed host name or the IP address HpKrbKey Autoconﬁguring the Kerberos Server With Ldap Integration Editing the Conﬁguration Files Manually Conﬁguring the Kerberos Server with Ldap Manually Conﬁguring the Kerberos Server with Ldap Manually Conﬁguring the Kerberos Server with Ldap Chapter Conﬁguring the Primary Conﬁguring the Primary Security Server Create the Principal Database After Installation Administrator Add an Administrative PrincipalTo add an Administrative Principal Using the HP Kerberos To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Deﬁne Secondary Security Server Network Locations Security Policies Password Policy FileAdminaclﬁle Starting the Security Server Copying the Kerberos Conﬁguration File Conﬁguring the Secondary Security Servers with C-TreeCreating the Principal Database Creating a host/fqdn Principal and Extracting the Key Conﬁguring the Secondary Security Servers with Ldap Creating a stash ﬁle using the kdbstash utility 106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database File Name Description Kadmind CommandConﬁguration Files Required for kadmind Adminaclﬁle File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclﬁle How the r/R Modiﬁers Work Creating Administrative AccountsUsing Restricted Administrator 118 Editing the Default File Password Policy FileDefault Password Policy Settings for the Base Group Password Policy Setting Default Value 120 Principals 122 Adding User Principals Adding New Service Principals Reserved Service Principals Chapter 125 126 Removing User Principals Removing Special Privilege Settings Protecting a Secret Key Removing Service Principals Chapter 129 Kadmin and kadminl Utilities Administration Utilities Name Description Administration Utilities HP Kerberos Administrator Function of OK, Apply, and Cancel Buttons Standard Functionality of the AdministratorCancel Button Name Action Using kadminlui Local Administrator kadminlui Chapter 135 Principals Tab Principals Tab Components Principals Tab Search String Component Name Description List AllSearch List of Principals Principal Information Window Components General Tab Principal Information WindowPrincipal Information Window Field Name Description Password TabGeneral Tab Attributes Tab Field Name Description Principal Expiration General Tab ComponentsMaximum Ticket Lifetime Maximum Renew Time Modiﬁed By Field Name Description Password PolicyLast Modiﬁed Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Character Description Searching for a PrincipalSearch Criteria 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Password Tab Components Password Tab Principal InformationWindow Displays the Ldap DN that you are editing Password Last Component Name Description PasswordChange Password Expiration/Date Change Password Window Password Tab Change Password Window Components Entering a password Veriﬁcation Components Description New Password To 3DES Changing a Key TypeChanging a DES-CRC or DES-MD5 Principal Key Type 166 Changing Principal Attributes Attributes Tab Components Attributes Tab Principal Information12 describes the components of the Attributes tab Allow Postdated Components DescriptionAllow Renewable Tickets 170 Allow Proxy Components Description Allow ForwardableAllow Duplicate Session Keys Require Password PreauthenticationComponents Description Require Change Components Description Lock Principal Allow As Service Set As Password AuthenticationChange Service Components Description Require Initial Ldap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Service Key Extract Service Key Table ComponentsComponent Description Principal Table Type Editing the Default Group Using Groups to Control Settings Chapter 183 Group Information Window Principal Component Description Group InformationEditEdit Default Group to display the GroupGroup Information Window Components Default Principal Attributes Setting the Default Group Principal AttributesPrincipal Attributes Component Description Chapter 187 Setting Administrative Permissions 11 Administrative Permissions Window Administrative Permissions Principals Add PrincipalsModify Principals Inquire about Defaults Override the Principal InformationEditEdit Group DefaultInformationEditEdit Default GroupGroup Information Component Description Restricted 192 Realms Tab Realms Tab Components Realms Tab Realm Information Window Components Realm Information Window Adding a Realm Deleting a Realm Remote Administrator kadminui Logon Screen Logon screen displays as shown in Figure 200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Adding a Random Key Specifying a New Password Deleting a Principal Changing Password to a New Randomly Generated 3DES Extracting a Principal Modifying a Principal Listing the Attributes of a Principal Number of Authentication Failures fcnt Key Version Number Attribute Allow Postdated Attribute Policy NameAttributes Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Password Change Attribute Require Preauthentication Attribute Lock Principal Attribute Allow As Service Attribute Principal InformationEditEdit Administrative Permissions Require Initial Authentication Attribute No text shows Authentication Select Require InitialAuthentication Set As Password Change Service Attribute Password Expiration Attribute Maximum Ticket Lifetime Attribute Principal Expiration Attribute Salt Type Attribute Maximum Renew Time AttributeKey Type Attribute Utility Task Principal Database UtilitiesPrincipal Database Utilities Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons Starting and Stopping Daemons and Services Situation Master Password Maintenance TasksProtecting Security Server Secrets Host/fqdn@REALM Backing Up the Principal Database Backing Up primary security server Data 238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Relationships Propagation Hierarchy Maintaining Secret Keys in the Key Table File Service Key TableExtracting a Key to the Service Key Table File Deleting Older Keys from the Service Key Table File Creating a New Service Key Table File Propagation Tools If You Want To Use This Tool Propagation Tools One or more servers once Propagation is conﬁgured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Sections Defaultvalues Section Chapter 253 Secsrvname Section Conﬁguration ﬁle Examples 256 Prpadmin Administrative Application Setting Up Propagation Daemon Name Function Generic Usage Primary security server Services and Daemons 260 Chapter 261 262 Monitoring the Log File Critical Error MessagesMonitoring Propagation Monitoring Old File Date and Large File Size Monitoring Propagation Queue Files Comparing the Database to Its Copies Authentication problemsUpdating the principal.ok Time Stamp Mismatch between the number of principals Administration appears normalLog ﬁles indicate problems Kdbdump Utility Restarting Propagation Using the Full Dump Method Restarting Propagation Using a Simple Process Propagation Failure Security server Converting a secondary security server to a primary Cleaning the Temp Directory Restarting Services Primary security servers Supporting Multiple Realms Conﬁguring Multirealm EnterprisesNumber of Realms per Database Adding More Realms to a Multirealm Database Multiple primary security servers Supporting a Single Realm Database Propagation for Multirealm Databases Managing Multiple Realms 276 Two-Way Trust Considering a Trust RelationshipOne-Way Trust Other Types of Trust Hierarchical Trust Conﬁguring Direct Trust Relationships 280 Hierarchical Chain of Trust Hierarchical Interrealm Trust Hierarchical Interrealm Conﬁguration Chapter 283 Conﬁguring the Local Realm Conﬁguring the Intermediate Realm Conﬁguring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Tool Description Name Diagnostic Tools SummaryDiagnostic Tools Logging Capabilities Troubleshooting KerberosError Messages Unix Syslog File Troubleshooting Scenarios Cause Tips Services ChecklistTroubleshooting Techniques Troubleshooting Scenarios 298 Server Scenario Cause Troubleshooting Tips Troubleshooting Scenarios for your LDAP-based Kerberos 300 Chapter 301 302 Forgotten Passwords General Errors Clock Synchronization Locking and Unlocking Accounts Decrypt Integrity Check Failed User Error Messages Service Key Not Available While Getting Initial Ticket Administrative Error MessagesPassword Has Expired While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Conﬁguration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Key Distribution Center See KDC Glossary Glossary Ticket-granting ticket See TGT V5srvtab Ticket-granting ticket Index Symbols 326 327