Version | HP UX Kerberos Data Security Software specification

Migrating to a Newer Version of the Kerberos Server

Migrating from Kerberos Server Version 2.0 to Version 3.0

		Migrating from Kerberos Server Version 2.0 to
		Version 3.0
		If you want to use the Kerberos server with C-tree as the backend
		database, migrate your existing Kerberos server to Kerberos server v3.0.
		In the Kerberos server v2.x, the password policy was based on the
		instance name to which the principal belongs. Starting with the
		Kerberos server v3.0, the password policy is not based on the instance
		name but is based on the policy subscribed to the principal, which
		provides the ﬂexibility for a principal to subscribe to any policy in the
		/opt/krb5/password.policy ﬁle.
		You must securely copy the adm_acl_file from the Kerberos server v2.0
		to the v3.0 system.

IMPORTANT		After migrating the v2.0 database to the v3.0 server, you must modify the
		v2.0 principals with the appropriate policy names (policy names are
		present in the /opt/krb5/password.policy ﬁle). The instance-based
		rules apply if you do not specify the policy name.
		To retain the v2.0 policies, copy the password.policy ﬁle to the v3.0
		server before creating a new principal.
		You can change the policy name using one of the administrative tools:
		kadminl, kadmin, kadminl_ui or kadmin_ui.
		When you migrate the v2.0 database to the v3.0 server, the default
		principal of the v2.0 database does not contain the policy name ﬁeld.
		Therefore, the default policy applicable to the created principals is * (the
		default policy), until you modify the default policy of the principal.
		To migrate from Kerberos server v2.0 to v3.0, complete the following

		steps:
Step	1. Dump the database on the v2.0 server.
		On the Kerberos server v2.0, dump the database with the default dump
		version. The dump ﬁle must contain the default header, “kdb5_util
		load_dump version 5.0”.

Chapter 3

47

Image 47

HP UX Kerberos Data Security Software manual Migrating from Kerberos Server Version 2.0 to

Contents

Manufacturing Part Number T1417-90009 E0905 Edition Copyright Notices Legal NoticesPage Page Contents Conﬁguring the Kerberos Server with Ldap Administering the Kerberos Server Contents Contents Propagating the Kerberos Server Managing Multiple Realms Contents Tables Table A-2. Conﬁguration Worksheet Explanation Figures Figures Intended Audience What Is in This Document Glossary Interoperability with Windows 2000, on Width Typographic ConventionsIndex Bold ﬁxed Related Software Products HP-UX Release Name and Release IdentiﬁerPublishing History Related Request for Comments RFCs Accessing the World Wide WebRelated Documentation HP Encourages Your Comments Overview Overview Introduction How the Kerberos Server Works Authentication Process Illustrates the actions of the components and the Kerberos Authentication Process Step Authentication Process DES Versus 3DES Key Type Settings Ldap Advantages Introduction to Ldap Integrating Kerberos Server v3.1 with Ldap Integrating a Kerberos Principal in to the Ldap Directory Installing the Kerberos Server Installing the Kerberos Server Prerequisites Version Compatibility System RequirementsHardware Requirements Software Requirements Installing the Server Installing the Server Chapter Migrating to a Newer Version Migrating to a Newer Version of the Kerberos Server Migrating from Kerberos Server Version 1.0 to Copy the dump ﬁle to the new system where you are installing Upon success, the following message appears Migrating from Kerberos Server Version 1.0 to Version Migrating from Kerberos Server Version 2.0 to Copy the dump ﬁle to the system on which you are installing Migrating from Kerberos Server Version 3.0 to Version Migrating to a Newer Version of the Kerberos Server Interoperability with Windows Interoperability with Windows Understanding the Terminology Table of Analogous Terms Kerberos Server Windows Scenario Kerberos Server and Windows 2000 Interoperability Establishing Trust Between Kerberos Server and Windows Fqdn qualiﬁer speciﬁes the fully qualiﬁed domain name Single Realm Domain Authentication Interrealm Interdomain Authentication Postdated Tickets Special Considerations for InteroperabilityDatabase Considerations Encryption Considerations Special Considerations for Interoperability Chapter Special Considerations for Interoperability Chapter Conﬁguring the Kerberos Conﬁguration File Function Conﬁguration Files for the Kerberos ServerSecurity Server Files That Require Conﬁguration Krb.conf File Format Krb.conf File Krb.realms File Krb.realms File Format Wildcard Character Description Wildcard Characters Autoconﬁguring the Kerberos Server To conﬁgure the server, select option Conﬁguring the Kerberos Server with C-Tree Value, DES-MD5, is selected Server with Ldap File Function Conﬁguration Files for Ldap IntegrationKrb5ldap.conf File Ldap Conﬁguration Files Parameter Description Krb5ldap.conf File Format This line indicates a space Krb5schema.conf File Krb5schema.conf File Format Ticket’ Syntax Conﬁguration Files for Ldap Integration Krb5map.conf File Format Krb5map.conf File HpKrbAuthzData HpKrbKeyVersion HpKrbKeyData Before You Begin Planning Your Ldap Conﬁguration Setting up Your Ldap Conﬁguration For example, ou=people, o=bambi.com For example, ou=accounts, ou=people, o=bambi.com For example, uid. cn, homedirectory, gidnumber, uidnumber Step Select one of the following options Autoconﬁguring the Kerberos Server With Ldap IntegrationConﬁguring the Kerberos Server with Ldap Qualiﬁed host name or the IP address HpKrbKey Autoconﬁguring the Kerberos Server With Ldap Integration Editing the Conﬁguration Files Manually Conﬁguring the Kerberos Server with Ldap Manually Conﬁguring the Kerberos Server with Ldap Manually Conﬁguring the Kerberos Server with Ldap Chapter Conﬁguring the Primary Conﬁguring the Primary Security Server Create the Principal Database After Installation Administrator Add an Administrative PrincipalTo add an Administrative Principal Using the HP Kerberos To Add an Administrative Principal Through the Command Line Start the Kerberos Daemons Deﬁne Secondary Security Server Network Locations Security Policies Password Policy FileAdminaclﬁle Starting the Security Server Copying the Kerberos Conﬁguration File Conﬁguring the Secondary Security Servers with C-TreeCreating the Principal Database Creating a host/fqdn Principal and Extracting the Key Conﬁguring the Secondary Security Servers with Ldap Creating a stash ﬁle using the kdbstash utility 106 Using Indexes to Improve Database Performance 108 Administering the Kerberos 110 Administering the Kerberos Database File Name Description Kadmind CommandConﬁguration Files Required for kadmind Adminaclﬁle File Assigning Administrative Permissions Chapter 115 Adding Entries to adminaclﬁle How the r/R Modiﬁers Work Creating Administrative AccountsUsing Restricted Administrator 118 Password Policy Setting Default Value Password Policy FileEditing the Default File Default Password Policy Settings for the Base Group 120 Principals 122 Adding User Principals Adding New Service Principals Reserved Service Principals Chapter 125 126 Removing User Principals Removing Special Privilege Settings Protecting a Secret Key Removing Service Principals Chapter 129 Kadmin and kadminl Utilities Administration Utilities Name Description Administration Utilities HP Kerberos Administrator Button Name Action Standard Functionality of the AdministratorFunction of OK, Apply, and Cancel Buttons Cancel Using kadminlui Local Administrator kadminlui Chapter 135 Principals Tab Principals Tab Components Principals Tab List of Principals Component Name Description List AllSearch String Search Principal Information Window Components General Tab Principal Information WindowPrincipal Information Window Attributes Tab Password TabField Name Description General Tab Maximum Renew Time General Tab ComponentsField Name Description Principal Expiration Maximum Ticket Lifetime Modiﬁed By Field Name Description Password PolicyLast Modiﬁed Adding Principals to the Database Change Password Window Adding Multiple Principals with Similar Settings Creating an Administrative Principal Administering the Kerberos Server 148 Character Description Searching for a PrincipalSearch Criteria 150 Deleting a Principal Loading Default Values for a Principal Restoring Previously Saved Values for a Principal Changing Ticket Information Rules for Setting Maximum Ticket Lifetime Rules for Setting Maximum Renew Time Chapter 157 Changing Password Information Chapter 159 Displays the Ldap DN that you are editing Password Tab Principal InformationPassword Tab Components Window Expiration/Date Component Name Description PasswordPassword Last Change Password Change Password Window Password Tab Change Password Window Components Entering a password Veriﬁcation Components Description New Password To 3DES Changing a Key TypeChanging a DES-CRC or DES-MD5 Principal Key Type 166 Changing Principal Attributes Attributes Tab Components Attributes Tab Principal Information12 describes the components of the Attributes tab Tickets Components DescriptionAllow Postdated Allow Renewable 170 Session Keys Components Description Allow ForwardableAllow Proxy Allow Duplicate Change PreauthenticationRequire Password Components Description Require Components Description Lock Principal Allow As Service Components Description Require Initial AuthenticationSet As Password Change Service Ldap Attributes Tab Prinicpal Information Window 176 Deleting a Service Principal Extracting Service Keys Chapter 179 Extracting a Service Key Table Table Type Extract Service Key Table ComponentsService Key Component Description Principal Editing the Default Group Using Groups to Control Settings Chapter 183 Group Information Window Principal Component Description Group InformationEditEdit Default Group to display the GroupGroup Information Window Components Component Description Setting the Default Group Principal AttributesDefault Principal Attributes Principal Attributes Chapter 187 Setting Administrative Permissions 11 Administrative Permissions Window Administrative Permissions Principals Inquire about Add PrincipalsPrincipals Modify Component Description Restricted Override the Principal InformationEditEdit Group DefaultDefaults InformationEditEdit Default GroupGroup Information 192 Realms Tab Realms Tab Components Realms Tab Realm Information Window Components Realm Information Window Adding a Realm Deleting a Realm Remote Administrator kadminui Logon Screen Logon screen displays as shown in Figure 200 Chapter 201 Manual Administration Using kadmin Chapter 203 Adding a New Principal Adding a Random Key Specifying a New Password Deleting a Principal Changing Password to a New Randomly Generated 3DES Extracting a Principal Modifying a Principal Listing the Attributes of a Principal Number of Authentication Failures fcnt Key Version Number Attribute Allow Postdated Attribute Policy NameAttributes Allow Renewable Attribute Allow Forwardable Attribute Allow Proxy Attribute Allow Duplicate Session Key Attribute Require Password Change Attribute Require Preauthentication Attribute Lock Principal Attribute Allow As Service Attribute Principal InformationEditEdit Administrative Permissions Require Initial Authentication Attribute No text shows Authentication Select Require InitialAuthentication Set As Password Change Service Attribute Password Expiration Attribute Maximum Ticket Lifetime Attribute Principal Expiration Attribute Salt Type Attribute Maximum Renew Time AttributeKey Type Attribute Utility Task Principal Database UtilitiesPrincipal Database Utilities Kerberos Database Utilities 226 Database Encryption Database Master Password Destroying the Kerberos Database 230 Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key 234 Starting and Stopping Daemons Starting and Stopping Daemons and Services Situation Host/fqdn@REALM Maintenance TasksMaster Password Protecting Security Server Secrets Backing Up the Principal Database Backing Up primary security server Data 238 Removing Unused Space from the Database 240 Propagating the Kerberos 242 Propagation Relationships Propagation Hierarchy Maintaining Secret Keys in the Key Table File Service Key TableExtracting a Key to the Service Key Table File Deleting Older Keys from the Service Key Table File Creating a New Service Key Table File Propagation Tools If You Want To Use This Tool Propagation Tools One or more servers once Propagation is conﬁgured Started Kpropd Daemon Mkpropcf Tool 250 Kpropd.ini File Sections Defaultvalues Section Chapter 253 Secsrvname Section Conﬁguration ﬁle Examples 256 Prpadmin Administrative Application Setting Up Propagation Daemon Name Function Generic Usage Primary security server Services and Daemons 260 Chapter 261 262 Monitoring the Log File Critical Error MessagesMonitoring Propagation Monitoring Old File Date and Large File Size Monitoring Propagation Queue Files Comparing the Database to Its Copies Authentication problemsUpdating the principal.ok Time Stamp Mismatch between the number of principals Administration appears normalLog ﬁles indicate problems Kdbdump Utility Restarting Propagation Using the Full Dump Method Restarting Propagation Using a Simple Process Propagation Failure Security server Converting a secondary security server to a primary Cleaning the Temp Directory Restarting Services Primary security servers Supporting Multiple Realms Conﬁguring Multirealm EnterprisesNumber of Realms per Database Adding More Realms to a Multirealm Database Multiple primary security servers Supporting a Single Realm Database Propagation for Multirealm Databases Managing Multiple Realms 276 Two-Way Trust Considering a Trust RelationshipOne-Way Trust Other Types of Trust Hierarchical Trust Conﬁguring Direct Trust Relationships 280 Hierarchical Chain of Trust Hierarchical Interrealm Trust Hierarchical Interrealm Conﬁguration Chapter 283 Conﬁguring the Local Realm Conﬁguring the Intermediate Realm Conﬁguring the Target Realm Hierarchical Interrealm Trust Chapter 287 288 Troubleshooting 290 Characterizing a Problem 292 Tool Description Name Diagnostic Tools SummaryDiagnostic Tools Logging Capabilities Troubleshooting KerberosError Messages Unix Syslog File Troubleshooting Scenarios Cause Tips Services ChecklistTroubleshooting Techniques Troubleshooting Scenarios 298 Server Scenario Cause Troubleshooting Tips Troubleshooting Scenarios for your LDAP-based Kerberos 300 Chapter 301 302 Forgotten Passwords General Errors Clock Synchronization Locking and Unlocking Accounts Decrypt Integrity Check Failed User Error Messages Service Key Not Available While Getting Initial Ticket Administrative Error MessagesPassword Has Expired While Getting Initial Ticket Chapter 307 Reporting Problems to Your HP Support Contact Chapter 309 310 Conﬁguration Worksheet Appendix a Appendix a 313 314 Sample krb.conf File Appendix B Services File 318 Sample krb.realms File Appendix C Key Distribution Center See KDC Glossary Glossary Ticket-granting ticket See TGT V5srvtab Ticket-granting ticket Index Symbols 326 327