HP UX Kerberos Data Security Software 280

Managing Multiple Realms

Conﬁguring Direct Trust Relationships

•The Kerberos server does not recognize the realm listed in the interrealm ticket, that is, when a proper trust relationship between the realms is not established.

•The Kerberos server does not recognize the requested service principal, and has no further trust relationships for which it returns an interrealm ticket.

To set up a cross-realm authentication between the two realms ADMIN.BAMBI.COM and IT.BAMBI.COM, you need to create two special principals on each Key Distribution Center (KDC), as shown in the following example:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM

krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM

This special principal indicates a two-way trust relationship. If you want to conﬁgure only a one-way trust relationship, you need to create the following special principal:

krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM

The passwords of the corresponding principals must be the same on both the KDCs. However, the different cross-realm principals do not have to have matching passwords.

For example, krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM must have the same password on each KDC, but

krbtgt/IT.BAMBI.COM@ADMIN.BAMBI.COM and krbtgt/ADMIN.BAMBI.COM@IT.BAMBI.COM do not have to share the same password.

280	Chapter 10

Contents

Kerberos Server Version Administrator’s Guide Warranty U.S. Government License Trademark Notices Copyright Notices Page Page 1. Overview 2. Installing the Kerberos Server 3. Migrating to a Newer Version of the Kerberos Server 4. Interoperability with Windows 5. Conﬁguring the Kerberos Server With C-TreeBackend 6. Conﬁguring the Kerberos Server with LDAP 7. Conﬁguring the Primary and Secondary Security Server 8. Administering the Kerberos Server Page Page 9. Propagating the Kerberos Server 10. Managing Multiple Realms 11. Troubleshooting Page Tables Page Figures Page Intended Audience What Is in This Document •Glossary •Index Typographic Conventions bold bold ﬁxed width HP-UXRelease Name and Release Identiﬁer Table HP-UX11i Releases Release Supported Related Documentation Accessing the World Wide Web Related Request for Comments (RFCs) HP Encourages Your Comments 1 Overview Page Introduction Introduction Kerberos How the Kerberos Server Works How the Kerberos Server Works Authentication Process Authentication Process Figure Authentication Process Step Page Page IMPORTANT DES Versus 3DES Key Type Settings DES Versus 3DES Key Type Settings Introduction to LDAP Introduction to LDAP LDAP Advantages Integrating Kerberos Server v3.1 with LDAP NOTE How is the Kerberos Principal Integrated in to the LDAP Directory Integrating a Kerberos Principal in to the LDAP Directory Installing the Kerberos Server Page Prerequisites Prerequisites System Requirements System Requirements Hardware Requirements Software Requirements Version Compatibility Installing the Server Installing the Server Mark For Install Install (analysis) Page Migrating to a Newer Version of the Kerberos Server Page Migrating from Kerberos Server Version 1.0 to Migrating from Kerberos Server Version 1.0 to Page Page Page Migrating from Kerberos Server Version 2.0 to Version Migrating from Kerberos Server Version 2.0 to Version Page Migrating from Kerberos Server Version 3.0 to Version Migrating from Kerberos Server Version 3.0 to Version Page Interoperability with Windows Page Understanding the Terminology Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Kerberos Server and Windows 2000 Interoperability Kerberos Server and Windows 2000 Interoperability Scenario Establishing Trust Between Kerberos Server and Windows Establishing Trust Between Kerberos Server and Windows Page Single Realm (Domain) Authentication Single Realm (Domain) Authentication Interrealm (Interdomain) Authentication Interrealm (Interdomain) Authentication Special Considerations for Interoperability Special Considerations for Interoperability Database Considerations Encryption Considerations Postdated Tickets Page Page Conﬁguring the Kerberos Server With C-TreeBackend Conﬁguration Files for the Kerberos Server Conﬁguration Files for the Kerberos Server Security Server Files That Require Conﬁguration Conﬁguration File Function The krb.conf File The krb.realms File The krb.realms File Format Wildcard Characters Wildcard Character Description Autoconﬁguring the Kerberos Server Autoconﬁguring the Kerberos Server Page Return Conﬁguring the Kerberos Server with C-Tree Page Server with LDAP Conﬁguration Files for LDAP Integration Conﬁguration Files for LDAP Integration LDAP Conﬁguration Files File The krb5_ldap.conf File The krb5_ldap.conf File Format krb5_ldap.conf File Format File Format Parameter krb5_ldap.conf File Format (Continued) The krb5_schema.conf File The krb5_schema.conf File Format The Page Page The krb5_map.conf File Page Planning Your LDAP Conﬁguration Planning Your LDAP Conﬁguration Before You Begin Setting up Your LDAP Conﬁguration Setting up Your LDAP Conﬁguration Page Page Page Autoconﬁguring the Kerberos Server With LDAP Integration Autoconﬁguring the Kerberos Server With LDAP Integration Conﬁguring the Kerberos Server with LDAP Page Page Page Manually Conﬁguring the Kerberos Server with LDAP Manually Conﬁguring the Kerberos Server with LDAP Editing the Conﬁguration Files Page Page Conﬁguring the Primary and Secondary Security Server Conﬁguring the Primary Security Server Conﬁguring the Primary Security Server Create the Principal Database After Installation Add an Administrative Principal To add an Administrative Principal Using the HP Kerberos Administrator Use the Edit>Edit Administrative Permissions menu to assign ALL Require Password Change Create the host/<fqdn> Principal and Extracting the Service Key Start the Kerberos Daemons Deﬁne Secondary Security Server Network Locations Security Policies Security Policies Password Policy File The admin_acl_ﬁle Starting the Security Server Starting the Security Server Conﬁguring the Secondary Security Servers with C-Tree Conﬁguring the Secondary Security Servers with C-Tree Creating the Principal Database Copying the Kerberos Conﬁguration File Creating a host/<fqdn> Principal and Extracting the Key kdb_stash Page Using Indexes to Improve Database Performance Using Indexes to Improve Database Performance Page Administering the Kerberos Server Page Administering the Kerberos Database Administering the Kerberos Database The kadmind Command The kadmind Command Conﬁguration Files Required for kadmind File Name The admin_acl_ﬁle File The admin_acl_ﬁle File Assigning Administrative Permissions Administrative Permission Settings Administrator Field Name ACL File Character Page Adding Entries to admin_acl_ﬁle Principal Information window>Attribute tab Creating Administrative Accounts Using Restricted Administrator How the r/R Modiﬁers Work Page Password Policy File Password Policy File Editing the Default File Default Password Policy Settings for the Base Group Password Policy Setting Default Value Page Principals Page Adding User Principals Adding New Service Principals Reserved Service Principals K/M@REALM: default@REALM: krbtgt/REALM@REALM: kadmin/REALM@REALM: kadmin/changepw@REALM: kcpwd/REALM@REALM: host/fqdn@REALM: Removing User Principals Removing Special Privilege Settings Protecting a Secret Key Removing Service Principals Page The kadmin and kadminl Utilities The kadmin and kadminl Utilities Administration Utilities Administration Utilities Name HP Kerberos Administrator HP Kerberos Administrator Standard Functionality of the Administrator Function of OK, Apply, and Cancel Buttons Button Name Action Apply Local Administrator – kadminl_ui Using kadminl_ui Page Principals Tab Principals Tab Principals Tab Principals Tab Components Component Name Realm Principals Tab Components (Continued) List All Search String Search List of Principals General Tab (Principal Information Window) Principal Information Window Principal Information Window Components Field Name Principal Principal Information Window Components (Continued) LDAP DN General Tab Password Tab Attributes Tab General Tab Components (Continued) Principal Expiration Maximum Ticket Lifetime Maximum Renew Time Allow Password Policy Last Modiﬁed Modiﬁed By Adding Principals to the Database Adding Principals to the Database Principal Information>Edit>Load Default values Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Creating an Administrative Principal Require Preauthentication Select Principal Information>Edit>Edit Administrative Permissions Administrative Permissions Window *All Page Searching for a Principal Searching for a Principal Search Criteria Search Criteria (Continued) Deleting a Principal Deleting a Principal Loading Default Values for a Principal Loading Default Values for a Principal Edit>Edit Default Group Edit >Load Default Values Restoring Previously Saved Values for a Principal Restoring Previously Saved Values for a Principal Edit>Restore Values Changing Ticket Information Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Ticket Lifetime General>Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Rules for Setting Maximum Renew Time Principal Information>General>Maximum Renew Time Allow Renewable window>Attributes Information>General Page Changing Password Information Changing Password Information Password Expiration Date Principals Page Password Tab (Principal Information Window) Password Tab (Principal Information Window) Password Tab Components Password Tab Components (Continued) Password Expiration/Date Key Version Number Change Password Window (Password Tab) Generate Random Key Change Password Window Components Components Generate Random Key New Password Veriﬁcation Changing a Key Type Changing a Key Type Changing a DES-CRCor DES-MD5Principal Key Type to 3DES DES-CRC DES-MD5 Page Changing Principal Attributes Attributes Tab (Principal Information Page Page Page Page Page Page LDAP Attributes Tab (Prinicpal Information Window) Page Deleting a Service Principal Deleting a Service Principal Yes Extracting Service Keys Extracting Service Keys Select Principal Information>Edit>Extract Service Key to display 8. Select the Generate New Random Key before Extracting option. HP Extracting a Service Key Table Extract Service Key Table Components Component Service Key Table Type Table Name Using Groups to Control Settings Editing the Default Group Choose Principal Information>Edit, and select the Edit Defaults Page Group Information Window (Principal Information Window) Group Information Window (Principal Information Window) Page Principal Attributes Setting the Default Group Principal Attributes Default Principal Attributes Page Setting Administrative Permissions Setting Administrative Permissions Choose the Principal Information>Edit, and choose the Edit Administrative Permissions Administrative Permissions Administrative Permissions Principal Information>Edit Edit Administrative Permissions Figure 8-11Administrative Permissions Window Add Principals Modify Inquire about Permission for this principal in This Realm box>Inquire about Principals attribute Group Information Window Components (Continued) Restricted override the Principal Information>Edit>Edit Group Default Edit Group Defaults Administrative Information>Edit>Edit Administrative Permissions>Administrative Permissions window All Realms Tab Realms Tab Realms Realms Tab Realms Tab Components List of Realms Realm Information Window Figure 8-13Realm Information Window Realm Information Window Components Adding a Realm Adding a Realm Deleting a Realm Deleting a Realm Remote Administrator – kadmin_ui Remote Administrator – kadmin_ui Logon Screen Change Password Screen Warning Message Page Manual Administration Using kadmin Manual Administration Using kadmin Page Adding a New Principal Adding a Random Key Specifying a New Password Changing Password to a New Randomly Generated Password Deleting a Principal Extracting a Principal Listing the Attributes of a Principal Modifying a Principal Number of Authentication Failures (fcnt) Key Version Number Attribute Policy Name Allow Postdated Attribute Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Preauthentication Attribute Require Password Change Attribute Lock Principal Attribute Allow As Service Attribute Require Initial Authentication Attribute In Principal Information>Edit>Edit Administrative Permissions Require Initial Authentication Attribute Settings Attributes Tab Check-Box HP Kerberos kadmin inq Setting Password Expiration Attribute Principal Expiration Attribute Maximum Ticket Lifetime Attribute Maximum Renew Time Attribute Key Type Attribute Salt Type Attribute Principal Database Utilities Principal Database Utilities Principal Database Utilities Utility Task Kerberos Database Utilities Kerberos Database Utilities Page Database Encryption Database Master Password Destroying the Kerberos Database Destroying the Kerberos Database yes Page Dumping the Kerberos Database Dumping the Kerberos Database Loading the Kerberos Database Loading the Kerberos Database Stashing the Master Key Stashing the Master Key Page Starting and Stopping Daemons Starting and Stopping Daemons Starting and Stopping Daemons and Services Situation Daemons and Services Maintenance Tasks Maintenance Tasks Protecting Security Server Secrets host/fqdn@REALM Master Password Backing Up primary security server Data Backing Up the Principal Database Page Removing Unused Space from the Database Removing Unused Space from the Database Page Propagating the Kerberos Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page 10 Managing Multiple Realms Page Considering a Trust Relationship Considering a Trust Relationship One-WayTrust Two-WayTrust Hierarchical Trust Other Types of Trust Conﬁguring Direct Trust Relationships Conﬁguring Direct Trust Relationships Page Hierarchical Interrealm Trust Hierarchical Interrealm Trust Hierarchical Chain of Trust Hierarchical Interrealm Conﬁguration Figure 10-1Hierarchical Interrealm Conﬁguration Conﬁguring the Local Realm Conﬁguring the Intermediate Realm Conﬁguring the Target Realm Page Page 11 Troubleshooting Page Characterizing a Problem Characterizing a Problem Page Diagnostic Tools Summary Diagnostic Tools Summary Diagnostic Tools Tool Troubleshooting Kerberos Error Messages Logging Capabilities UNIX Syslog File Services Checklist Troubleshooting Techniques Troubleshooting Scenarios Cause Troubleshooting Troubleshooting Scenarios (Continued) Page Troubleshooting Scenarios for your LDAP-basedKerberos server server (Continued) Page Page General Errors General Errors Forgotten Passwords Locking and Unlocking Accounts Administrator>Principal Information>Principals Clock Synchronization User Error Messages User Error Messages Decrypt Integrity Check Failed Explanation: Action: Password Has Already Been Used or Is Too Close to Current One Administrative Error Messages Password Has Expired While Getting Initial Ticket Principal Information>Attributes Service Key Not Available While Getting Initial Ticket Page Reporting Problems to Your HP Support Contact Reporting Problems to Your HP Support Contact Page Page A Conﬁguration Worksheet Table A-1 Conﬁguration Worksheet Conﬁguration Worksheet for LDAP database Table A-2 Conﬁguration Worksheet Explanation Conﬁguration Worksheet Explanation (Continued) Page Sample krb.conf File Page The services File The services File Page Sample krb.realms File Page Glossary A-B kpropd.ini kpropd.ini krb.conf krb.realms mkpropcf password.policy v5srvtab Ticket-grantingticket See TGT v5srvtab Page Symbols Index