1%% Generated by Sphinx. 2\def\sphinxdocclass{report} 3\documentclass[letterpaper,10pt,english]{sphinxmanual} 4\ifdefined\pdfpxdimen 5 \let\sphinxpxdimen\pdfpxdimen\else\newdimen\sphinxpxdimen 6\fi \sphinxpxdimen=.75bp\relax 7 8\usepackage[utf8]{inputenc} 9\ifdefined\DeclareUnicodeCharacter 10 \ifdefined\DeclareUnicodeCharacterAsOptional 11 \DeclareUnicodeCharacter{"00A0}{\nobreakspace} 12 \DeclareUnicodeCharacter{"2500}{\sphinxunichar{2500}} 13 \DeclareUnicodeCharacter{"2502}{\sphinxunichar{2502}} 14 \DeclareUnicodeCharacter{"2514}{\sphinxunichar{2514}} 15 \DeclareUnicodeCharacter{"251C}{\sphinxunichar{251C}} 16 \DeclareUnicodeCharacter{"2572}{\textbackslash} 17 \else 18 \DeclareUnicodeCharacter{00A0}{\nobreakspace} 19 \DeclareUnicodeCharacter{2500}{\sphinxunichar{2500}} 20 \DeclareUnicodeCharacter{2502}{\sphinxunichar{2502}} 21 \DeclareUnicodeCharacter{2514}{\sphinxunichar{2514}} 22 \DeclareUnicodeCharacter{251C}{\sphinxunichar{251C}} 23 \DeclareUnicodeCharacter{2572}{\textbackslash} 24 \fi 25\fi 26\usepackage{cmap} 27\usepackage[T1]{fontenc} 28\usepackage{amsmath,amssymb,amstext} 29\usepackage{babel} 30\usepackage{times} 31\usepackage[Bjarne]{fncychap} 32\usepackage[dontkeepoldnames]{sphinx} 33 34\usepackage{geometry} 35 36% Include hyperref last. 37\usepackage{hyperref} 38% Fix anchor placement for figures with captions. 39\usepackage{hypcap}% it must be loaded after hyperref. 40% Set up styles of URL: it should be placed after hyperref. 
41\urlstyle{same} 42 43\addto\captionsenglish{\renewcommand{\figurename}{Fig.}} 44\addto\captionsenglish{\renewcommand{\tablename}{Table}} 45\addto\captionsenglish{\renewcommand{\literalblockname}{Listing}} 46 47\addto\captionsenglish{\renewcommand{\literalblockcontinuedname}{continued from previous page}} 48\addto\captionsenglish{\renewcommand{\literalblockcontinuesname}{continues on next page}} 49 50\addto\extrasenglish{\def\pageautorefname{page}} 51 52\setcounter{tocdepth}{0} 53 54 55 56\title{Kerberos Administration Guide} 57\date{ } 58\release{1.19.2} 59\author{MIT} 60\newcommand{\sphinxlogo}{\vbox{}} 61\renewcommand{\releasename}{Release} 62\makeindex 63 64\begin{document} 65 66\maketitle 67\sphinxtableofcontents 68\phantomsection\label{\detokenize{admin/index::doc}} 69 70 71 72\chapter{Installation guide} 73\label{\detokenize{admin/install:for-administrators}}\label{\detokenize{admin/install::doc}}\label{\detokenize{admin/install:installation-guide}} 74 75\section{Contents} 76\label{\detokenize{admin/install:contents}} 77 78\subsection{Installing KDCs} 79\label{\detokenize{admin/install_kdc:installing-kdcs}}\label{\detokenize{admin/install_kdc::doc}} 80When setting up Kerberos in a production environment, it is best to 81have multiple replica KDCs alongside a primary KDC to ensure the 82continued availability of the Kerberized services. Each KDC contains 83a copy of the Kerberos database. The primary KDC contains the 84writable copy of the realm database, which it replicates to the 85replica KDCs at regular intervals. All database changes (such as 86password changes) are made on the primary KDC. Replica KDCs provide 87Kerberos ticket-granting services, but not database administration, 88when the primary KDC is unavailable. MIT recommends that you install 89all of your KDCs to be able to function as either the primary or one 90of the replicas. 
This will enable you to easily switch your primary 91KDC with one of the replicas if necessary (see 92{\hyperref[\detokenize{admin/install_kdc:switch-primary-replica}]{\sphinxcrossref{\DUrole{std,std-ref}{Switching primary and replica KDCs}}}}). This installation procedure is based 93on that recommendation. 94 95\begin{sphinxadmonition}{warning}{Warning:}\begin{itemize} 96\item {} 97The Kerberos system relies on the availability of correct time 98information. Ensure that the primary and all replica KDCs have 99properly synchronized clocks. 100 101\item {} 102It is best to install and run KDCs on secured and dedicated 103hardware with limited access. If your KDC is also a file 104server, FTP server, Web server, or even just a client machine, 105someone who obtained root access through a security hole in any 106of those areas could potentially gain access to the Kerberos 107database. 108 109\end{itemize} 110\end{sphinxadmonition} 111 112 113\subsubsection{Install and configure the primary KDC} 114\label{\detokenize{admin/install_kdc:install-and-configure-the-primary-kdc}} 115Install Kerberos either from the OS-provided packages or from the 116source (See \DUrole{xref,std,std-ref}{do\_build}). 
117 118\begin{sphinxadmonition}{note}{Note:} 119For the purpose of this document we will use the following 120names: 121 122\fvset{hllines={, ,}}% 123\begin{sphinxVerbatim}[commandchars=\\\{\}] 124\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}} \PYG{n}{primary} \PYG{n}{KDC} 125\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}} \PYG{n}{replica} \PYG{n}{KDC} 126\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}} \PYG{n}{realm} \PYG{n}{name} 127\PYG{o}{.}\PYG{n}{k5}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}} \PYG{n}{stash} \PYG{n}{file} 128\PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin} \PYG{o}{\PYGZhy{}} \PYG{n}{admin} \PYG{n}{principal} 129\end{sphinxVerbatim} 130 131See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default names and locations 132of the files relevant to this topic. Adjust the names and 133paths to your system environment. 134\end{sphinxadmonition} 135 136 137\subsubsection{Edit KDC configuration files} 138\label{\detokenize{admin/install_kdc:edit-kdc-configuration-files}} 139Modify the configuration files, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} and 140{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, to reflect the correct information (such as 141domain-realm mappings and Kerberos server names) for your realm. 142(See {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the recommended default locations for 143these files). 144 145Most of the tags in the configuration have default values that will 146work well for most sites. 
There are some tags in the 147{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file whose values must be specified, and this 148section will explain those. 149 150If the locations of these configuration files differ from the 151default ones, set the \sphinxstylestrong{KRB5\_CONFIG} and \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment 152variables to point to krb5.conf and kdc.conf respectively. For 153example: 154 155\fvset{hllines={, ,}}% 156\begin{sphinxVerbatim}[commandchars=\\\{\}] 157\PYG{n}{export} \PYG{n}{KRB5\PYGZus{}CONFIG}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{conf} 158\PYG{n}{export} \PYG{n}{KRB5\PYGZus{}KDC\PYGZus{}PROFILE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{yourdir}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{conf} 159\end{sphinxVerbatim} 160 161 162\paragraph{krb5.conf} 163\label{\detokenize{admin/install_kdc:krb5-conf}} 164If you are not using DNS TXT records (see {\hyperref[\detokenize{admin/realm_config:mapping-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Mapping hostnames onto Kerberos realms}}}}), 165you must specify the \sphinxstylestrong{default\_realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} 166section. If you are not using DNS URI or SRV records (see 167{\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}} and {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), you must include the 168\sphinxstylestrong{kdc} tag for each \sphinxstyleemphasis{realm} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section. 
To 169communicate with the kadmin server in each realm, the \sphinxstylestrong{admin\_server} 170tag must be set in the 171{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section. 172 173An example krb5.conf file: 174 175\fvset{hllines={, ,}}% 176\begin{sphinxVerbatim}[commandchars=\\\{\}] 177\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 178 \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 179 180\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 181 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 182 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 183 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 184 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 185 \PYG{p}{\PYGZcb{}} 186\end{sphinxVerbatim} 187 188 189\paragraph{kdc.conf} 190\label{\detokenize{admin/install_kdc:kdc-conf}} 191The kdc.conf file can be used to control the listening ports of the 192KDC and kadmind, as well as realm-specific defaults, the database type 193and location, and logging. 
194 195An example kdc.conf file: 196 197\fvset{hllines={, ,}}% 198\begin{sphinxVerbatim}[commandchars=\\\{\}] 199\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} 200 \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} 201 \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} 202 203\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 204 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 205 \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749} 206 \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} 207 \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} 208 \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts} 209 \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} 210 \PYG{c+c1}{\PYGZsh{} If the default location does not suit your setup,} 211 \PYG{c+c1}{\PYGZsh{} explicitly configure the following values:} 212 \PYG{c+c1}{\PYGZsh{} database\PYGZus{}name = /var/krb5kdc/principal} 213 \PYG{c+c1}{\PYGZsh{} key\PYGZus{}stash\PYGZus{}file = /var/krb5kdc/.k5.ATHENA.MIT.EDU} 214 \PYG{c+c1}{\PYGZsh{} acl\PYGZus{}file = /var/krb5kdc/kadm5.acl} 215 \PYG{p}{\PYGZcb{}} 216 217\PYG{p}{[}\PYG{n}{logging}\PYG{p}{]} 218 \PYG{c+c1}{\PYGZsh{} By default, the KDC and kadmind will log output using} 219 \PYG{c+c1}{\PYGZsh{} syslog. 
You can instead send log output to files like this:} 220 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log} 221 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} 222 \PYG{n}{default} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5lib}\PYG{o}{.}\PYG{n}{log} 223\end{sphinxVerbatim} 224 225Replace \sphinxcode{ATHENA.MIT.EDU} and \sphinxcode{kerberos.mit.edu} with the name of 226your Kerberos realm and server respectively. 227 228\begin{sphinxadmonition}{note}{Note:} 229You have to have write permission on the target directories 230(these directories must exist) used by \sphinxstylestrong{database\_name}, 231\sphinxstylestrong{key\_stash\_file}, and \sphinxstylestrong{acl\_file}. 232\end{sphinxadmonition} 233 234 235\subsubsection{Create the KDC database} 236\label{\detokenize{admin/install_kdc:create-the-kdc-database}}\label{\detokenize{admin/install_kdc:create-db}} 237You will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command on the primary KDC to 238create the Kerberos database and the optional \DUrole{xref,std,std-ref}{stash\_definition}. 239 240\begin{sphinxadmonition}{note}{Note:} 241If you choose not to install a stash file, the KDC will 242prompt you for the master key each time it starts up. This 243means that the KDC will not be able to start automatically, 244such as after a system reboot. 245\end{sphinxadmonition} 246 247{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} will prompt you for the master password for the 248Kerberos database. This password can be any string. A good password 249is one you can remember, but that no one else can guess. 
Examples of 250bad passwords are words that can be found in a dictionary, any common 251or popular name, especially a famous person (or cartoon character), 252your username in any form (e.g., forward, backward, repeated twice, 253etc.), and any of the sample passwords that appear in this manual. 254One example of a password which might be good if it did not appear in 255this manual is “MITiys4K5!”, which represents the sentence “MIT is 256your source for Kerberos 5!” (It’s the first letter of each word, 257substituting the numeral “4” for the word “for”, and includes the 258punctuation mark at the end.) 259 260The following is an example of how to create a Kerberos database and 261stash file on the primary KDC, using the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command. 262Replace \sphinxcode{ATHENA.MIT.EDU} with the name of your Kerberos realm: 263 264\fvset{hllines={, ,}}% 265\begin{sphinxVerbatim}[commandchars=\\\{\}] 266\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{s} 267 268\PYG{n}{Initializing} \PYG{n}{database} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{/usr/local/var/krb5kdc/principal}\PYG{l+s+s1}{\PYGZsq{}} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}}\PYG{p}{,} 269\PYG{n}{master} \PYG{n}{key} \PYG{n}{name} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{K/M@ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}} 270\PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.} 271\PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.} 272\PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:} 
\PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{master} \PYG{n}{password}\PYG{o}{.} 273\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} 274\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 275\end{sphinxVerbatim} 276 277This will create five files in {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc} (or at the locations specified 278in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}): 279\begin{itemize} 280\item {} 281two Kerberos database files, \sphinxcode{principal}, and \sphinxcode{principal.ok} 282 283\item {} 284the Kerberos administrative database file, \sphinxcode{principal.kadm5} 285 286\item {} 287the administrative database lock file, \sphinxcode{principal.kadm5.lock} 288 289\item {} 290the stash file, in this example \sphinxcode{.k5.ATHENA.MIT.EDU}. If you do 291not want a stash file, run the above command without the \sphinxstylestrong{-s} 292option. 293 294\end{itemize} 295 296For more information on administering the Kerberos database, see 297{\hyperref[\detokenize{admin/database:db-operations}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the Kerberos database}}}}. 298 299 300\subsubsection{Add administrators to the ACL file} 301\label{\detokenize{admin/install_kdc:add-administrators-to-the-acl-file}}\label{\detokenize{admin/install_kdc:admin-acl}} 302Next, you need to create an Access Control List (ACL) file and put the 303Kerberos principal of at least one of the administrators into it. 304This file is used by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon to control which 305principals may view and make privileged modifications to the Kerberos 306database files. 
The ACL filename is determined by the \sphinxstylestrong{acl\_file} 307variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl}. 308 309For more information on the Kerberos ACL file, see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. 310 311 312\subsubsection{Add administrators to the Kerberos database} 313\label{\detokenize{admin/install_kdc:add-administrators-to-the-kerberos-database}}\label{\detokenize{admin/install_kdc:addadmin-kdb}} 314Next you need to add administrative principals (i.e., principals who 315are allowed to administer the Kerberos database) to the Kerberos database. 316You \sphinxstyleemphasis{must} add at least one principal now to allow communication 317between the Kerberos administration daemon kadmind and the kadmin 318program over the network for further administration. To do this, use 319the kadmin.local utility on the primary KDC. kadmin.local is designed 320to be run on the primary KDC host without using Kerberos 321authentication to an admin server; instead, it must have read and 322write access to the Kerberos database on the local filesystem. 323 324The administrative principals you create should be the ones you added 325to the ACL file (see {\hyperref[\detokenize{admin/install_kdc:admin-acl}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the ACL file}}}}). 
326 327In the following example, the administrative principal \sphinxcode{admin/admin} 328is created: 329 330\fvset{hllines={, ,}}% 331\begin{sphinxVerbatim}[commandchars=\\\{\}] 332\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local} 333 334\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 335 336\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} 337\PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}}\PYG{o}{.} 338\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Enter} \PYG{n}{a} \PYG{n}{password}\PYG{o}{.} 339\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} 340\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{admin/admin@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 341\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local}\PYG{p}{:} 342\end{sphinxVerbatim} 343 344 345\subsubsection{Start the Kerberos daemons on the primary KDC} 346\label{\detokenize{admin/install_kdc:start-the-kerberos-daemons-on-the-primary-kdc}}\label{\detokenize{admin/install_kdc:start-kdc-daemons}} 347At this point, you are ready to start the Kerberos KDC 348({\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}) and administrative daemons on the primary KDC. 
To 349do so, type: 350 351\fvset{hllines={, ,}}% 352\begin{sphinxVerbatim}[commandchars=\\\{\}] 353\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} 354\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmind} 355\end{sphinxVerbatim} 356 357Each server daemon will fork and run in the background. 358 359\begin{sphinxadmonition}{note}{Note:} 360Assuming you want these daemons to start up automatically at 361boot time, you can add them to the KDC’s \sphinxcode{/etc/rc} or 362\sphinxcode{/etc/inittab} file. You need to have a 363\DUrole{xref,std,std-ref}{stash\_definition} in order to do this. 364\end{sphinxadmonition} 365 366You can verify that they started properly by checking for their 367startup messages in the logging locations you defined in 368{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} (see {\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}}). For example: 369 370\fvset{hllines={, ,}}% 371\begin{sphinxVerbatim}[commandchars=\\\{\}] 372\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{.}\PYG{n}{log} 373\PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{beeblebrox} \PYG{n}{krb5kdc}\PYG{p}{[}\PYG{l+m+mi}{3187}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{commencing} \PYG{n}{operation} 374\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{tail} \PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{log}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} 375\PYG{n}{Dec} \PYG{l+m+mi}{02} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{35}\PYG{p}{:}\PYG{l+m+mi}{52} \PYG{n}{beeblebrox} \PYG{n}{kadmind}\PYG{p}{[}\PYG{l+m+mi}{3189}\PYG{p}{]}\PYG{p}{(}\PYG{n}{info}\PYG{p}{)}\PYG{p}{:} \PYG{n}{starting} 376\end{sphinxVerbatim} 377 378Any errors the daemons encounter while starting will also be listed in 379the logging output. 
380 381As an additional verification, check whether \DUrole{xref,std,std-ref}{kinit(1)} succeeds 382against the principals that you created in the previous step 383({\hyperref[\detokenize{admin/install_kdc:addadmin-kdb}]{\sphinxcrossref{\DUrole{std,std-ref}{Add administrators to the Kerberos database}}}}). Run: 384 385\fvset{hllines={, ,}}% 386\begin{sphinxVerbatim}[commandchars=\\\{\}] 387\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kinit} \PYG{n}{admin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 388\end{sphinxVerbatim} 389 390 391\subsubsection{Install the replica KDCs} 392\label{\detokenize{admin/install_kdc:install-the-replica-kdcs}} 393You are now ready to start configuring the replica KDCs. 394 395\begin{sphinxadmonition}{note}{Note:} 396Assuming you are setting the KDCs up so that you can easily 397switch the primary KDC with one of the replicas, you should 398perform each of these steps on the primary KDC as well as 399the replica KDCs, unless these instructions specify 400otherwise. 401\end{sphinxadmonition} 402 403 404\paragraph{Create host keytabs for replica KDCs} 405\label{\detokenize{admin/install_kdc:create-host-keytabs-for-replica-kdcs}}\label{\detokenize{admin/install_kdc:replica-host-key}} 406Each KDC needs a \sphinxcode{host} key in the Kerberos database. These keys 407are used for mutual authentication when propagating the database dump 408file from the primary KDC to the replica KDC servers. 409 410On the primary KDC, connect to the administrative interface and create the 411host principal for each of the KDCs’ \sphinxcode{host} services. 
For example, 412if the primary KDC were called \sphinxcode{kerberos.mit.edu}, and you had a 413replica KDC named \sphinxcode{kerberos-1.mit.edu}, you would type the 414following: 415 416\fvset{hllines={, ,}}% 417\begin{sphinxVerbatim}[commandchars=\\\{\}] 418\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin} 419\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 420\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}} 421\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 422 423\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 424\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} \PYG{n}{assigning} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{default}\PYG{l+s+s2}{\PYGZdq{}} 425\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 426\end{sphinxVerbatim} 427 428It is not strictly necessary to have the primary KDC server in the 429Kerberos database, but it can be handy if you want to be able to swap 430the primary KDC with one of the replicas. 431 432Next, extract \sphinxcode{host} random keys for all participating KDCs and 433store them in each host’s default keytab file. Ideally, you should 434extract each keytab locally on its own KDC. 
If this is not feasible, 435you should use an encrypted session to send them across the network. 436To extract a keytab directly on a replica KDC called 437\sphinxcode{kerberos-1.mit.edu}, you would execute the following command: 438 439\fvset{hllines={, ,}}% 440\begin{sphinxVerbatim}[commandchars=\\\{\}] 441\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 442\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} 443 \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 444\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} 445 \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 446\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} 447 \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} 
\PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 448\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} 449 \PYG{n+nb}{type} \PYG{n}{arcfour}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 450\end{sphinxVerbatim} 451 452If you are instead extracting a keytab for the replica KDC called 453\sphinxcode{kerberos-1.mit.edu} on the primary KDC, you should use a dedicated 454temporary keytab file for that machine’s keytab: 455 456\fvset{hllines={, ,}}% 457\begin{sphinxVerbatim}[commandchars=\\\{\}] 458\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 459\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} 460 \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 461\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} 462 \PYG{n+nb}{type} 
\PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 463\end{sphinxVerbatim} 464 465The file \sphinxcode{/tmp/kerberos-1.keytab} can then be installed as 466\sphinxcode{/etc/krb5.keytab} on the host \sphinxcode{kerberos-1.mit.edu}. Because this file holds that host’s long-term key, transfer it over an encrypted session and remove the temporary copy once it has been installed. 467 468 469\paragraph{Configure replica KDCs} 470\label{\detokenize{admin/install_kdc:configure-replica-kdcs}} 471Database propagation copies the contents of the primary’s database, 472but does not propagate configuration files, stash files, or the kadm5 473ACL file. The following files must be copied by hand to each replica 474(see {\hyperref[\detokenize{mitK5defaults:mitk5defaults}]{\sphinxcrossref{\DUrole{std,std-ref}{MIT Kerberos defaults}}}} for the default locations for these files): 475\begin{itemize} 476\item {} 477krb5.conf 478 479\item {} 480kdc.conf 481 482\item {} 483kadm5.acl 484 485\item {} 486master key stash file 487 488\end{itemize} 489 490Move the copied files into their appropriate directories, exactly as 491on the primary KDC. kadm5.acl is only needed to allow a replica to 492swap with the primary KDC. 493 494The database is propagated from the primary KDC to the replica KDCs 495via the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} daemon. You must explicitly specify the 496principals which are allowed to provide Kerberos dump updates on the 497replica machine with a new database. 
Create a file named kpropd.acl 498in the KDC state directory containing the \sphinxcode{host} principals for each 499of the KDCs: 500 501\fvset{hllines={, ,}}% 502\begin{sphinxVerbatim}[commandchars=\\\{\}] 503\PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 504\PYG{n}{host}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 505\end{sphinxVerbatim} 506 507\begin{sphinxadmonition}{note}{Note:} 508If you expect that the primary and replica KDCs will be 509switched at some point of time, list the host principals 510from all participating KDC servers in kpropd.acl files on 511all of the KDCs. Otherwise, you only need to list the 512primary KDC’s host principal in the kpropd.acl files of the 513replica KDCs. 514\end{sphinxadmonition} 515 516Then, add the following line to \sphinxcode{/etc/inetd.conf} on each KDC 517(adjust the path to kpropd): 518 519\fvset{hllines={, ,}}% 520\begin{sphinxVerbatim}[commandchars=\\\{\}] 521\PYG{n}{krb5\PYGZus{}prop} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd} \PYG{n}{kpropd} 522\end{sphinxVerbatim} 523 524You also need to add the following line to \sphinxcode{/etc/services} on each 525KDC, if it is not already present (assuming that the default port is 526used): 527 528\fvset{hllines={, ,}}% 529\begin{sphinxVerbatim}[commandchars=\\\{\}] 530\PYG{n}{krb5\PYGZus{}prop} \PYG{l+m+mi}{754}\PYG{o}{/}\PYG{n}{tcp} \PYG{c+c1}{\PYGZsh{} Kerberos replica propagation} 531\end{sphinxVerbatim} 532 533Restart inetd daemon. 534 535Alternatively, start {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} as a stand-alone daemon. This is 536required when incremental propagation is enabled. 
537 538Now that the replica KDC is able to accept database propagation, 539you’ll need to propagate the database from the primary server. 540 541NOTE: Do not start the replica KDC yet; you still do not have a copy 542of the primary’s database. 543 544 545\paragraph{Propagate the database to each replica KDC} 546\label{\detokenize{admin/install_kdc:kprop-to-replicas}}\label{\detokenize{admin/install_kdc:propagate-the-database-to-each-replica-kdc}} 547First, create a dump file of the database on the primary KDC, as 548follows: 549 550\fvset{hllines={, ,}}% 551\begin{sphinxVerbatim}[commandchars=\\\{\}] 552\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans} 553\end{sphinxVerbatim} 554 555Then, manually propagate the database to each replica KDC, as in the 556following example: 557 558\fvset{hllines={, ,}}% 559\begin{sphinxVerbatim}[commandchars=\\\{\}] 560\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kprop} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{replica\PYGZus{}datatrans} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 561 562\PYG{n}{Database} \PYG{n}{propagation} \PYG{n}{to} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{p}{:} \PYG{n}{SUCCEEDED} 563\end{sphinxVerbatim} 564 565You will need a script to dump and propagate the database. The 566following is an example of a Bourne shell script that will do this. 567 568\begin{sphinxadmonition}{note}{Note:} 569Remember that you need to replace \sphinxcode{/usr/local/var/krb5kdc} 570with the name of the KDC state directory. 
571\end{sphinxadmonition} 572 573\fvset{hllines={, ,}}% 574\begin{sphinxVerbatim}[commandchars=\\\{\}] 575\PYGZsh{}!/bin/sh 576 577kdclist = \PYGZdq{}kerberos\PYGZhy{}1.mit.edu kerberos\PYGZhy{}2.mit.edu\PYGZdq{} 578 579kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/replica\PYGZus{}datatrans 580 581for kdc in \PYGZdl{}kdclist 582do 583 kprop \PYGZhy{}f /usr/local/var/krb5kdc/replica\PYGZus{}datatrans \PYGZdl{}kdc 584done 585\end{sphinxVerbatim} 586 587You will need to set up a cron job to run this script at the intervals 588you decided on earlier (see {\hyperref[\detokenize{admin/realm_config:db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Database propagation}}}}). 589 590Now that the replica KDC has a copy of the Kerberos database, you can 591start the krb5kdc daemon: 592 593\fvset{hllines={, ,}}% 594\begin{sphinxVerbatim}[commandchars=\\\{\}] 595\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} 596\end{sphinxVerbatim} 597 598As with the primary KDC, you will probably want to add this command to 599the KDCs’ \sphinxcode{/etc/rc} or \sphinxcode{/etc/inittab} files, so they will start 600the krb5kdc daemon automatically at boot time. 601 602 603\subparagraph{Propagation failed?} 604\label{\detokenize{admin/install_kdc:propagation-failed}} 605You may encounter the following error messages. For a more detailed 606discussion on possible causes and solutions click on the error link 607to be redirected to {\hyperref[\detokenize{admin/troubleshoot:troubleshoot}]{\sphinxcrossref{\DUrole{std,std-ref}{Troubleshooting}}}} section. 
608\begin{enumerate} 609\item {} 610{\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}} 611 612\item {} 613{\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}} 614 615\item {} 616{\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}} 617 618\end{enumerate} 619 620 621\subsubsection{Add Kerberos principals to the database} 622\label{\detokenize{admin/install_kdc:add-kerberos-principals-to-the-database}} 623Once your KDCs are set up and running, you are ready to use 624{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to load principals for your users, hosts, and other 625services into the Kerberos database. This procedure is described 626fully in {\hyperref[\detokenize{admin/database:add-mod-del-princs}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding, modifying and deleting principals}}}}. 627 628You may occasionally want to use one of your replica KDCs as the 629primary. This might happen if you are upgrading the primary KDC, or 630if your primary KDC has a disk crash. See the following section for 631the instructions. 632 633 634\subsubsection{Switching primary and replica KDCs} 635\label{\detokenize{admin/install_kdc:switch-primary-replica}}\label{\detokenize{admin/install_kdc:switching-primary-and-replica-kdcs}} 636You may occasionally want to use one of your replica KDCs as the 637primary. This might happen if you are upgrading the primary KDC, or 638if your primary KDC has a disk crash. 
639 640Assuming you have configured all of your KDCs to be able to function 641as either the primary KDC or a replica KDC (as this document 642recommends), all you need to do to make the changeover is: 643 644If the primary KDC is still running, do the following on the \sphinxstyleemphasis{old} 645primary KDC: 646\begin{enumerate} 647\item {} 648Kill the kadmind process. 649 650\item {} 651Disable the cron job that propagates the database. 652 653\item {} 654Run your database propagation script manually, to ensure that the 655replicas all have the latest copy of the database (see 656{\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}). 657 658\end{enumerate} 659 660On the \sphinxstyleemphasis{new} primary KDC: 661\begin{enumerate} 662\item {} 663Start the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon (see {\hyperref[\detokenize{admin/install_kdc:start-kdc-daemons}]{\sphinxcrossref{\DUrole{std,std-ref}{Start the Kerberos daemons on the primary KDC}}}}). 664 665\item {} 666Set up the cron job to propagate the database (see 667{\hyperref[\detokenize{admin/install_kdc:kprop-to-replicas}]{\sphinxcrossref{\DUrole{std,std-ref}{Propagate the database to each replica KDC}}}}). 668 669\item {} 670Switch the CNAMEs of the old and new primary KDCs. If you can’t do 671this, you’ll need to change the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file on every 672client machine in your Kerberos realm. 673 674\end{enumerate} 675 676 677\subsubsection{Incremental database propagation} 678\label{\detokenize{admin/install_kdc:incremental-database-propagation}} 679If you expect your Kerberos database to become large, you may wish to 680set up incremental propagation to replica KDCs. 
See 681{\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}} for details. 682 683 684\subsection{Installing and configuring UNIX client machines} 685\label{\detokenize{admin/install_clients:installing-and-configuring-unix-client-machines}}\label{\detokenize{admin/install_clients::doc}} 686The Kerberized client programs include \DUrole{xref,std,std-ref}{kinit(1)}, 687\DUrole{xref,std,std-ref}{klist(1)}, \DUrole{xref,std,std-ref}{kdestroy(1)}, and \DUrole{xref,std,std-ref}{kpasswd(1)}. All of 688these programs are in the directory {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{BINDIR}}}}. 689 690You can often integrate Kerberos with the login system on client 691machines, typically through the use of PAM. The details vary by 692operating system, and should be covered in your operating system’s 693documentation. If you do this, you will need to make sure your users 694know to use their Kerberos passwords when they log in. 695 696You will also need to educate your users to use the ticket management 697programs kinit, klist, and kdestroy. If you do not have Kerberos 698password changing integrated into the native password program (again, 699typically through PAM), you will need to educate users to use kpasswd 700in place of its non-Kerberos counterpart, passwd. 701 702 703\subsubsection{Client machine configuration files} 704\label{\detokenize{admin/install_clients:client-machine-configuration-files}} 705Each machine running Kerberos should have a {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file. 706At a minimum, it should define a \sphinxstylestrong{default\_realm} setting in 707{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}.
If you are not using DNS SRV records 708({\hyperref[\detokenize{admin/realm_config:kdc-hostnames}]{\sphinxcrossref{\DUrole{std,std-ref}{Hostnames for KDCs}}}}) or URI records ({\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC Discovery}}}}), it must 709also contain a {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section containing information for your 710realm’s KDCs. 711 712Consider setting \sphinxstylestrong{rdns} to false in order to reduce your dependence 713on precisely correct DNS information for service hostnames. Turning 714this flag off means that service hostnames will be canonicalized 715through forward name resolution (which adds your domain name to 716unqualified hostnames, and resolves CNAME records in DNS), but not 717through reverse address lookup. The default value of this flag is 718true for historical reasons only. 719 720If you anticipate users frequently logging into remote hosts 721(e.g., using ssh) using forwardable credentials, consider setting 722\sphinxstylestrong{forwardable} to true so that users obtain forwardable tickets by 723default. Otherwise users will need to use \sphinxcode{kinit -f} to get 724forwardable tickets. 725 726Consider adjusting the \sphinxstylestrong{ticket\_lifetime} setting to match the likely 727length of sessions for your users. For instance, if most of your 728users will be logging in for an eight-hour workday, you could set the 729default to ten hours so that tickets obtained in the morning expire 730shortly after the end of the workday. Users can still manually 731request longer tickets when necessary, up to the maximum allowed by 732each user’s principal record on the KDC. 
733 734If a client host may access services in different realms, it may be 735useful to define a {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} mapping so that clients know 736which hosts belong to which realms. However, if your clients and KDC 737are running release 1.7 or later, it is also reasonable to leave this 738section out on client machines and just define it in the KDC’s 739krb5.conf. 740 741 742\subsection{UNIX Application Servers} 743\label{\detokenize{admin/install_appl_srv:unix-application-servers}}\label{\detokenize{admin/install_appl_srv::doc}} 744An application server is a host that provides one or more services 745over the network. Application servers can be “secure” or “insecure.” 746A “secure” host is set up to require authentication from every client 747connecting to it. An “insecure” host will still provide Kerberos 748authentication, but will also allow unauthenticated clients to 749connect. 750 751If you have Kerberos V5 installed on all of your client machines, MIT 752recommends that you make your hosts secure, to take advantage of the 753security that Kerberos authentication affords. However, if you have 754some clients that do not have Kerberos V5 installed, you can run an 755insecure server, and still take advantage of Kerberos V5’s single 756sign-on capability. 757 758 759\subsubsection{The keytab file} 760\label{\detokenize{admin/install_appl_srv:the-keytab-file}}\label{\detokenize{admin/install_appl_srv:keytab-file}} 761All Kerberos server machines need a keytab file to authenticate to the 762KDC. By default on UNIX-like systems this file is named {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. 763The keytab file is a local copy of the host’s key. The keytab file 764is a potential point of entry for a break-in, and if compromised, 765would allow unrestricted access to its host.
The keytab file should 766be readable only by root, and should exist only on the machine’s local 767disk. The file should not be part of any backup of the machine, 768unless access to the backup data is secured as tightly as access to 769the machine’s root password. 770 771In order to generate a keytab for a host, the host must have a 772principal in the Kerberos database. The procedure for adding hosts to 773the database is described fully in {\hyperref[\detokenize{admin/database:add-mod-del-princs}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding, modifying and deleting principals}}}}. (See 774{\hyperref[\detokenize{admin/install_kdc:replica-host-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Create host keytabs for replica KDCs}}}} for a brief description.) The keytab is 775generated by running {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and issuing the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:ktadd}]{\sphinxcrossref{\DUrole{std,std-ref}{ktadd}}}} 776command. 
777 778For example, to generate a keytab file to allow the host 779\sphinxcode{trillium.mit.edu} to authenticate for the services host, ftp, and 780pop, the administrator \sphinxcode{joeadmin} would issue the command (on 781\sphinxcode{trillium.mit.edu}): 782 783\fvset{hllines={, ,}}% 784\begin{sphinxVerbatim}[commandchars=\\\{\}] 785\PYG{n}{trillium}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmin} 786\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} 787\PYG{n}{Password} \PYG{k}{for} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 788\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 789\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 790\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{ftp}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} 
\PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 791\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{pop}\PYG{o}{/}\PYG{n}{trillium}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 792\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{quit} 793\PYG{n}{trillium}\PYG{o}{\PYGZpc{}} 794\end{sphinxVerbatim} 795 796If you generate the keytab file on another host, you need to get a 797copy of the keytab file onto the destination host (\sphinxcode{trillium}, in 798the above example) without sending it unencrypted over the network. 799 800 801\subsubsection{Some advice about secure hosts} 802\label{\detokenize{admin/install_appl_srv:some-advice-about-secure-hosts}} 803Kerberos V5 can protect your host from certain types of break-ins, but 804it is possible to install Kerberos V5 and still leave your host 805vulnerable to attack. Obviously an installation guide is not the 806place to try to include an exhaustive list of countermeasures for 807every possible attack, but it is worth noting some of the larger holes 808and how to close them. 809 810We recommend that backups of secure machines exclude the keytab file 811({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}). 
If this is not possible, the backups should at least be 812done locally, rather than over a network, and the backup tapes should 813be physically secured. 814 815The keytab file and any programs run by root, including the Kerberos 816V5 binaries, should be kept on local disk. The keytab file should be 817readable only by root. 818 819 820\section{Additional references} 821\label{\detokenize{admin/install:additional-references}}\begin{enumerate} 822\item {} 823Debian: \sphinxhref{http://techpubs.spinlocksolutions.com/dklar/kerberos.html}{Setting up MIT Kerberos 5} 824 825\item {} 826Solaris: \sphinxhref{https://docs.oracle.com/cd/E19253-01/816-4557/6maosrjv2/index.html}{Configuring the Kerberos Service} 827 828\end{enumerate} 829 830 831\chapter{Configuration Files} 832\label{\detokenize{admin/conf_files/index:configuration-files}}\label{\detokenize{admin/conf_files/index::doc}} 833Kerberos uses configuration files to allow administrators to specify 834settings on a per-machine basis. {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} applies to all 835applications using the Kerberos library, on clients and servers. 836For KDC-specific applications, additional settings can be specified in 837{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}; the two files are merged into a configuration profile 838used by applications accessing the KDC database directly. {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} 839is also only used on the KDC; it controls permissions for modifying the 840KDC database.
841 842 843\section{Contents} 844\label{\detokenize{admin/conf_files/index:contents}} 845 846\subsection{krb5.conf} 847\label{\detokenize{admin/conf_files/krb5_conf::doc}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf}}\label{\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}} 848The krb5.conf file contains Kerberos configuration information, 849including the locations of KDCs and admin servers for the Kerberos 850realms of interest, defaults for the current realm and for Kerberos 851applications, and mappings of hostnames onto Kerberos realms. 852Normally, you should install your krb5.conf file in the directory 853\sphinxcode{/etc}. You can override the default location by setting the 854environment variable \sphinxstylestrong{KRB5\_CONFIG}. Multiple colon-separated 855filenames may be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files which are 856present will be read. Starting in release 1.14, directory names can 857also be specified in \sphinxstylestrong{KRB5\_CONFIG}; all files within the directory 858whose names consist solely of alphanumeric characters, dashes, or 859underscores will be read. 860 861 862\subsubsection{Structure} 863\label{\detokenize{admin/conf_files/krb5_conf:structure}} 864The krb5.conf file is set up in the style of a Windows INI file. 865Lines beginning with ‘\#’ or ‘;’ (possibly after initial whitespace) 866are ignored as comments. Sections are headed by the section name, in 867square brackets. 
Each section may contain zero or more relations, of 868the form: 869 870\fvset{hllines={, ,}}% 871\begin{sphinxVerbatim}[commandchars=\\\{\}] 872\PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar} 873\end{sphinxVerbatim} 874 875or: 876 877\fvset{hllines={, ,}}% 878\begin{sphinxVerbatim}[commandchars=\\\{\}] 879\PYG{n}{fubar} \PYG{o}{=} \PYG{p}{\PYGZob{}} 880 \PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar} 881 \PYG{n}{baz} \PYG{o}{=} \PYG{n}{quux} 882\PYG{p}{\PYGZcb{}} 883\end{sphinxVerbatim} 884 885Placing a ‘*’ after the closing bracket of a section name indicates 886that the section is \sphinxstyleemphasis{final}, meaning that if the same section appears 887within a later file specified in \sphinxstylestrong{KRB5\_CONFIG}, it will be ignored. 888A subsection can be marked as final by placing a ‘*’ after either the 889tag name or the closing brace. 890 891The krb5.conf file can include other files using either of the 892following directives at the beginning of a line: 893 894\fvset{hllines={, ,}}% 895\begin{sphinxVerbatim}[commandchars=\\\{\}] 896\PYG{n}{include} \PYG{n}{FILENAME} 897\PYG{n}{includedir} \PYG{n}{DIRNAME} 898\end{sphinxVerbatim} 899 900\sphinxstyleemphasis{FILENAME} or \sphinxstyleemphasis{DIRNAME} should be an absolute path. The named file or 901directory must exist and be readable. Including a directory includes 902all files within the directory whose names consist solely of 903alphanumeric characters, dashes, or underscores. Starting in release 9041.15, files with names ending in “.conf” are also included, unless the 905name begins with “.”. Included profile files are syntactically 906independent of their parents, so each included file must begin with a 907section header. Starting in release 1.17, files are read in 908alphanumeric order; in previous releases, they may be read in any 909order. 
910 911The krb5.conf file can specify that configuration should be obtained 912from a loadable module, rather than the file itself, using the 913following directive at the beginning of a line before any section 914headers: 915 916\fvset{hllines={, ,}}% 917\begin{sphinxVerbatim}[commandchars=\\\{\}] 918\PYG{n}{module} \PYG{n}{MODULEPATH}\PYG{p}{:}\PYG{n}{RESIDUAL} 919\end{sphinxVerbatim} 920 921\sphinxstyleemphasis{MODULEPATH} may be relative to the library path of the krb5 922installation, or it may be an absolute path. \sphinxstyleemphasis{RESIDUAL} is provided 923to the module at initialization time. If krb5.conf uses a module 924directive, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} should also use one if it exists. 925 926 927\subsubsection{Sections} 928\label{\detokenize{admin/conf_files/krb5_conf:sections}} 929The krb5.conf file may contain the following sections: 930 931 932\begin{savenotes}\sphinxattablestart 933\centering 934\begin{tabulary}{\linewidth}[t]{|T|T|} 935\hline 936 937{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} 938& 939Settings used by the Kerberos V5 library 940\\ 941\hline 942{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} 943& 944Realm-specific contact information and settings 945\\ 946\hline 947{\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} 948& 949Maps server hostnames to Kerberos realms 950\\ 951\hline 952{\hyperref[\detokenize{admin/conf_files/krb5_conf:capaths}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}capaths{]}}}}} 953& 954Authentication paths for non-hierarchical cross-realm 955\\ 956\hline 957{\hyperref[\detokenize{admin/conf_files/krb5_conf:appdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}appdefaults{]}}}}} 958& 959Settings used by some 
Kerberos V5 applications 960\\ 961\hline 962{\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}} 963& 964Controls plugin module registration 965\\ 966\hline 967\end{tabulary} 968\par 969\sphinxattableend\end{savenotes} 970 971Additionally, krb5.conf may include any of the relations described in 972{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but it is not a recommended practice. 973 974 975\paragraph{{[}libdefaults{]}} 976\label{\detokenize{admin/conf_files/krb5_conf:libdefaults}}\label{\detokenize{admin/conf_files/krb5_conf:id1}} 977The libdefaults section may contain any of the following relations: 978\begin{description} 979\item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode 980If this flag is set to false, then weak encryption types (as noted 981in {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}) will be filtered 982out of the lists \sphinxstylestrong{default\_tgs\_enctypes}, 983\sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{permitted\_enctypes}. The default 984value for this tag is false. 985 986\item[{\sphinxstylestrong{canonicalize}}] \leavevmode 987If this flag is set to true, initial ticket requests to the KDC 988will request canonicalization of the client principal name, and 989answers with different client principals than the requested 990principal will be accepted. The default value is false. 991 992\item[{\sphinxstylestrong{ccache\_type}}] \leavevmode 993This parameter determines the format of credential cache types 994created by \DUrole{xref,std,std-ref}{kinit(1)} or other programs. The default value 995is 4, which represents the most current format. 
Smaller values 996can be used for compatibility with very old implementations of 997Kerberos which interact with credential caches on the same host. 998 999\item[{\sphinxstylestrong{clockskew}}] \leavevmode 1000Sets the maximum allowable amount of clockskew in seconds that the 1001library will tolerate before assuming that a Kerberos message is 1002invalid. The default value is 300 seconds, or five minutes. 1003 1004The clockskew setting is also used when evaluating ticket start 1005and expiration times. For example, tickets that have reached 1006their expiration time can still be used (and renewed if they are 1007renewable tickets) if they have been expired for a shorter 1008duration than the \sphinxstylestrong{clockskew} setting. 1009 1010\item[{\sphinxstylestrong{default\_ccache\_name}}] \leavevmode 1011This relation specifies the name of the default credential cache. 1012The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCCNAME}}}}. This relation is subject to parameter 1013expansion (see below). New in release 1.11. 1014 1015\item[{\sphinxstylestrong{default\_client\_keytab\_name}}] \leavevmode 1016This relation specifies the name of the default keytab for 1017obtaining client credentials. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}. This 1018relation is subject to parameter expansion (see below). 1019New in release 1.11. 1020 1021\item[{\sphinxstylestrong{default\_keytab\_name}}] \leavevmode 1022This relation specifies the default keytab name to be used by 1023application servers such as sshd. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. This 1024relation is subject to parameter expansion (see below). 1025 1026\item[{\sphinxstylestrong{default\_rcache\_name}}] \leavevmode 1027This relation specifies the name of the default replay cache. 1028The default is \sphinxcode{dfl:}. 
This relation is subject to parameter 1029expansion (see below). New in release 1.18. 1030 1031\item[{\sphinxstylestrong{default\_realm}}] \leavevmode 1032Identifies the default Kerberos realm for the client. Set its 1033value to your Kerberos realm. If this value is not set, then a 1034realm must be specified with every Kerberos principal when 1035invoking programs such as \DUrole{xref,std,std-ref}{kinit(1)}. 1036 1037\item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode 1038Identifies the supported list of session key encryption types that 1039the client should request when making a TGS-REQ, in order of 1040preference from highest to lowest. The list may be delimited with 1041commas or whitespace. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in 1042{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the accepted values for this tag. 1043Starting in release 1.18, the default value is the value of 1044\sphinxstylestrong{permitted\_enctypes}. For previous releases or if 1045\sphinxstylestrong{permitted\_enctypes} is not set, the default value is 1046\sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac}. 1047 1048Do not set this unless required for specific backward 1049compatibility purposes; stale values of this setting can prevent 1050clients from taking advantage of new stronger enctypes when the 1051libraries are upgraded. 1052 1053\item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode 1054Identifies the supported list of session key encryption types that 1055the client should request when making an AS-REQ, in order of 1056preference from highest to lowest. The format is the same as for 1057default\_tgs\_enctypes. 
Starting in release 1.18, the default 1058value is the value of \sphinxstylestrong{permitted\_enctypes}. For previous 1059releases or if \sphinxstylestrong{permitted\_enctypes} is not set, the default 1060value is \sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac}. 1061 1062Do not set this unless required for specific backward 1063compatibility purposes; stale values of this setting can prevent 1064clients from taking advantage of new stronger enctypes when the 1065libraries are upgraded. 1066 1067\item[{\sphinxstylestrong{dns\_canonicalize\_hostname}}] \leavevmode 1068Indicate whether name lookups will be used to canonicalize 1069hostnames for use in service principal names. Setting this flag 1070to false can improve security by reducing reliance on DNS, but 1071means that short hostnames will not be canonicalized to 1072fully-qualified hostnames. If this option is set to \sphinxcode{fallback} (new 1073in release 1.18), DNS canonicalization will only be performed if the 1074server hostname is not found with the original name when 1075requesting credentials. The default value is true. 1076 1077\item[{\sphinxstylestrong{dns\_lookup\_kdc}}] \leavevmode 1078Indicate whether DNS SRV records should be used to locate the KDCs 1079and other servers for a realm, if they are not listed in the 1080krb5.conf information for the realm. (Note that the admin\_server 1081entry must be in the krb5.conf realm information in order to 1082contact kadmind, because the DNS implementation for kadmin is 1083incomplete.) 1084 1085Enabling this option does open up a type of denial-of-service 1086attack, if someone spoofs the DNS records and redirects you to 1087another server.
However, it’s no worse than a denial of service, 1088because that fake KDC will be unable to decode anything you send 1089it (besides the initial ticket request, which has no encrypted 1090data), and anything the fake KDC sends will not be trusted without 1091verification using some secret that it won’t know. 1092 1093\item[{\sphinxstylestrong{dns\_uri\_lookup}}] \leavevmode 1094Indicate whether DNS URI records should be used to locate the KDCs 1095and other servers for a realm, if they are not listed in the 1096krb5.conf information for the realm. SRV records are used as a 1097fallback if no URI records were found. The default value is true. 1098New in release 1.15. 1099 1100\item[{\sphinxstylestrong{enforce\_ok\_as\_delegate}}] \leavevmode 1101If this flag is true, GSSAPI credential delegation will be 1102disabled when the \sphinxcode{ok-as-delegate} flag is not set in the 1103service ticket. If this flag is false, the \sphinxcode{ok-as-delegate} 1104ticket flag is only enforced when an application specifically 1105requests enforcement. The default value is false. 1106 1107\item[{\sphinxstylestrong{err\_fmt}}] \leavevmode 1108This relation allows for custom error message formatting. If a 1109value is set, error messages will be formatted by substituting a 1110normal error message for \%M and an error code for \%C in the value. 1111 1112\item[{\sphinxstylestrong{extra\_addresses}}] \leavevmode 1113This allows a computer to use multiple local addresses, in order 1114to allow Kerberos to work in a network that uses NATs while still 1115using address-restricted tickets. The addresses should be in a 1116comma-separated list. This option has no effect if 1117\sphinxstylestrong{noaddresses} is true. 1118 1119\item[{\sphinxstylestrong{forwardable}}] \leavevmode 1120If this flag is true, initial tickets will be forwardable by 1121default, if allowed by the KDC. The default value is false. 
1122 1123\item[{\sphinxstylestrong{ignore\_acceptor\_hostname}}] \leavevmode 1124When accepting GSSAPI or krb5 security contexts for host-based 1125service principals, ignore any hostname passed by the calling 1126application, and allow clients to authenticate to any service 1127principal in the keytab matching the service name and realm name 1128(if given). This option can improve the administrative 1129flexibility of server applications on multihomed hosts, but could 1130compromise the security of virtual hosting environments. The 1131default value is false. New in release 1.10. 1132 1133\item[{\sphinxstylestrong{k5login\_authoritative}}] \leavevmode 1134If this flag is true, principals must be listed in a local user’s 1135k5login file to be granted login access, if a \DUrole{xref,std,std-ref}{.k5login(5)} 1136file exists. If this flag is false, a principal may still be 1137granted login access through other mechanisms even if a k5login 1138file exists but does not list the principal. The default value is 1139true. 1140 1141\item[{\sphinxstylestrong{k5login\_directory}}] \leavevmode 1142If set, the library will look for a local user’s k5login file 1143within the named directory, with a filename corresponding to the 1144local username. If not set, the library will look for k5login 1145files in the user’s home directory, with the filename .k5login. 1146For security reasons, .k5login files must be owned by 1147the local user or by root. 1148 1149\item[{\sphinxstylestrong{kcm\_mach\_service}}] \leavevmode 1150On macOS only, determines the name of the bootstrap service used to 1151contact the KCM daemon for the KCM credential cache type. If the 1152value is \sphinxcode{-}, Mach RPC will not be used to contact the KCM 1153daemon. The default value is \sphinxcode{org.h5l.kcm}. 1154 1155\item[{\sphinxstylestrong{kcm\_socket}}] \leavevmode 1156Determines the path to the Unix domain socket used to access the 1157KCM daemon for the KCM credential cache type. 
If the value is 1158\sphinxcode{-}, Unix domain sockets will not be used to contact the KCM 1159daemon. The default value is 1160\sphinxcode{/var/run/.heim\_org.h5l.kcm-socket}. 1161 1162\item[{\sphinxstylestrong{kdc\_default\_options}}] \leavevmode 1163Default KDC options (Xored for multiple values) when requesting 1164initial tickets. By default it is set to 0x00000010 1165(KDC\_OPT\_RENEWABLE\_OK). 1166 1167\item[{\sphinxstylestrong{kdc\_timesync}}] \leavevmode 1168Accepted values for this relation are 1 or 0. If it is nonzero, 1169client machines will compute the difference between their time and 1170the time returned by the KDC in the timestamps in the tickets and 1171use this value to correct for an inaccurate system clock when 1172requesting service tickets or authenticating to services. This 1173corrective factor is only used by the Kerberos library; it is not 1174used to change the system clock. The default value is 1. 1175 1176\item[{\sphinxstylestrong{noaddresses}}] \leavevmode 1177If this flag is true, requests for initial tickets will not be 1178made with address restrictions set, allowing the tickets to be 1179used across NATs. The default value is true. 1180 1181\item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode 1182Identifies the encryption types that servers will permit for 1183session keys and for ticket and authenticator encryption, ordered 1184by preference from highest to lowest. Starting in release 1.18, 1185this tag also acts as the default value for 1186\sphinxstylestrong{default\_tgs\_enctypes} and \sphinxstylestrong{default\_tkt\_enctypes}. The 1187default value for this tag is \sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac}. 1188 1189\item[{\sphinxstylestrong{plugin\_base\_dir}}] \leavevmode 1190If set, determines the base directory where krb5 plugins are 1191located. 
The default value is the \sphinxcode{krb5/plugins} subdirectory 1192of the krb5 library directory. This relation is subject to 1193parameter expansion (see below) in release 1.17 and later. 1194 1195\item[{\sphinxstylestrong{preferred\_preauth\_types}}] \leavevmode 1196This allows you to set the preferred preauthentication types which 1197the client will attempt before others which may be advertised by a 1198KDC. The default value for this setting is “17, 16, 15, 14”, 1199which forces libkrb5 to attempt to use PKINIT if it is supported. 1200 1201\item[{\sphinxstylestrong{proxiable}}] \leavevmode 1202If this flag is true, initial tickets will be proxiable by 1203default, if allowed by the KDC. The default value is false. 1204 1205\item[{\sphinxstylestrong{qualify\_shortname}}] \leavevmode 1206If this string is set, it determines the domain suffix for 1207single-component hostnames when DNS canonicalization is not used 1208(either because \sphinxstylestrong{dns\_canonicalize\_hostname} is false or because 1209forward canonicalization failed). The default value is the first 1210search domain of the system’s DNS configuration. To disable 1211qualification of shortnames, set this relation to the empty string 1212with \sphinxcode{qualify\_shortname = ""}. (New in release 1.18.) 1213 1214\item[{\sphinxstylestrong{rdns}}] \leavevmode 1215If this flag is true, reverse name lookup will be used in addition 1216to forward name lookup to canonicalize hostnames for use in 1217service principal names. If \sphinxstylestrong{dns\_canonicalize\_hostname} is set 1218to false, this flag has no effect. The default value is true. 1219 1220\item[{\sphinxstylestrong{realm\_try\_domains}}] \leavevmode 1221Indicate whether a host’s domain components should be used to 1222determine the Kerberos realm of the host. 
The value of this 1223variable is an integer: -1 means not to search, 0 means to try the 1224host’s domain itself, 1 means to also try the domain’s immediate 1225parent, and so forth. The library’s usual mechanism for locating 1226Kerberos realms is used to determine whether a domain is a valid 1227realm, which may involve consulting DNS if \sphinxstylestrong{dns\_lookup\_kdc} is 1228set. The default is not to search domain components. 1229 1230\item[{\sphinxstylestrong{renew\_lifetime}}] \leavevmode 1231(\DUrole{xref,std,std-ref}{duration} string.) Sets the default renewable lifetime 1232for initial ticket requests. The default value is 0. 1233 1234\item[{\sphinxstylestrong{spake\_preauth\_groups}}] \leavevmode 1235A whitespace or comma-separated list of words which specifies the 1236groups allowed for SPAKE preauthentication. The possible values 1237are: 1238 1239 1240\begin{savenotes}\sphinxattablestart 1241\centering 1242\begin{tabulary}{\linewidth}[t]{|T|T|} 1243\hline 1244 1245edwards25519 1246& 1247Edwards25519 curve (\index{RFC!RFC 7748}\sphinxhref{https://tools.ietf.org/html/rfc7748.html}{\sphinxstylestrong{RFC 7748}}) 1248\\ 1249\hline 1250P-256 1251& 1252NIST P-256 curve (\index{RFC!RFC 5480}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) 1253\\ 1254\hline 1255P-384 1256& 1257NIST P-384 curve (\index{RFC!RFC 5480}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) 1258\\ 1259\hline 1260P-521 1261& 1262NIST P-521 curve (\index{RFC!RFC 5480}\sphinxhref{https://tools.ietf.org/html/rfc5480.html}{\sphinxstylestrong{RFC 5480}}) 1263\\ 1264\hline 1265\end{tabulary} 1266\par 1267\sphinxattableend\end{savenotes} 1268 1269The default value for the client is \sphinxcode{edwards25519}. The default 1270value for the KDC is empty. New in release 1.17. 1271 1272\item[{\sphinxstylestrong{ticket\_lifetime}}] \leavevmode 1273(\DUrole{xref,std,std-ref}{duration} string.) 
Sets the default lifetime for initial 1274ticket requests. The default value is 1 day. 1275 1276\item[{\sphinxstylestrong{udp\_preference\_limit}}] \leavevmode 1277When sending a message to the KDC, the library will try using TCP 1278before UDP if the size of the message is above 1279\sphinxstylestrong{udp\_preference\_limit}. If the message is smaller than 1280\sphinxstylestrong{udp\_preference\_limit}, then UDP will be tried before TCP. 1281Regardless of the size, both protocols will be tried if the first 1282attempt fails. 1283 1284\item[{\sphinxstylestrong{verify\_ap\_req\_nofail}}] \leavevmode 1285If this flag is true, then an attempt to verify initial 1286credentials will fail if the client machine does not have a 1287keytab. The default value is false. 1288 1289\item[{\sphinxstylestrong{client\_aware\_channel\_bindings}}] \leavevmode 1290If this flag is true, then all application protocol authentication 1291requests will be flagged to indicate that the application supports 1292channel bindings when operating over a secure channel. The 1293default value is false. 1294 1295\end{description} 1296 1297 1298\paragraph{{[}realms{]}} 1299\label{\detokenize{admin/conf_files/krb5_conf:id2}}\label{\detokenize{admin/conf_files/krb5_conf:realms}} 1300Each tag in the {[}realms{]} section of the file is the name of a Kerberos 1301realm. The value of the tag is a subsection with relations that 1302define the properties of that particular realm. For each realm, the 1303following tags may be specified in the realm’s subsection: 1304\begin{description} 1305\item[{\sphinxstylestrong{admin\_server}}] \leavevmode 1306Identifies the host where the administration server is running. 1307Typically, this is the primary Kerberos server. This tag must be 1308given a value in order to communicate with the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} 1309server for the realm. 
1310 1311\item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode 1312This tag allows you to set a general rule for mapping principal 1313names to local user names. It will be used if there is not an 1314explicit mapping for the principal name that is being 1315translated. The possible values are: 1316\begin{description} 1317\item[{\sphinxstylestrong{RULE:}\sphinxstyleemphasis{exp}}] \leavevmode 1318The local name will be formulated from \sphinxstyleemphasis{exp}. 1319 1320The format for \sphinxstyleemphasis{exp} is \sphinxstylestrong{{[}}\sphinxstyleemphasis{n}\sphinxstylestrong{:}\sphinxstyleemphasis{string}\sphinxstylestrong{{]}(}\sphinxstyleemphasis{regexp}\sphinxstylestrong{)s/}\sphinxstyleemphasis{pattern}\sphinxstylestrong{/}\sphinxstyleemphasis{replacement}\sphinxstylestrong{/g}. 1321The integer \sphinxstyleemphasis{n} indicates how many components the target 1322principal should have. If this matches, then a string will be 1323formed from \sphinxstyleemphasis{string}, substituting the realm of the principal 1324for \sphinxcode{\$0} and the \sphinxstyleemphasis{n}’th component of the principal for 1325\sphinxcode{\$n} (e.g., if the principal was \sphinxcode{johndoe/admin} then 1326\sphinxcode{{[}2:\$2\$1foo{]}} would result in the string 1327\sphinxcode{adminjohndoefoo}). If this string matches \sphinxstyleemphasis{regexp}, then 1328the \sphinxcode{s//{[}g{]}} substitution command will be run over the 1329string. The optional \sphinxstylestrong{g} will cause the substitution to be 1330global over the \sphinxstyleemphasis{string}, instead of replacing only the first 1331match in the \sphinxstyleemphasis{string}. 1332 1333\item[{\sphinxstylestrong{DEFAULT}}] \leavevmode 1334The principal name will be used as the local user name. If 1335the principal has more than one component or is not in the 1336default realm, this rule is not applicable and the conversion 1337will fail. 
1338 1339\end{description} 1340 1341For example: 1342 1343\fvset{hllines={, ,}}% 1344\begin{sphinxVerbatim}[commandchars=\\\{\}] 1345[realms] 1346 ATHENA.MIT.EDU = \PYGZob{} 1347 auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1](johndoe)s/\PYGZca{}.*\PYGZdl{}/guest/ 1348 auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;admin\PYGZdl{})s/;admin\PYGZdl{}// 1349 auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}2](\PYGZca{}.*;root)s/\PYGZca{}.*\PYGZdl{}/root/ 1350 auth\PYGZus{}to\PYGZus{}local = DEFAULT 1351 \PYGZcb{} 1352\end{sphinxVerbatim} 1353 1354would result in any principal without \sphinxcode{root} or \sphinxcode{admin} as the 1355second component to be translated with the default rule. A 1356principal with a second component of \sphinxcode{admin} will become its 1357first component. \sphinxcode{root} will be used as the local name for any 1358principal with a second component of \sphinxcode{root}. The exception to 1359these two rules are any principals \sphinxcode{johndoe/*}, which will 1360always get the local name \sphinxcode{guest}. 1361 1362\item[{\sphinxstylestrong{auth\_to\_local\_names}}] \leavevmode 1363This subsection allows you to set explicit mappings from principal 1364names to local user names. The tag is the mapping name, and the 1365value is the corresponding local user name. 1366 1367\item[{\sphinxstylestrong{default\_domain}}] \leavevmode 1368This tag specifies the domain used to expand hostnames when 1369translating Kerberos 4 service principals to Kerberos 5 principals 1370(for example, when converting \sphinxcode{rcmd.hostname} to 1371\sphinxcode{host/hostname.domain}). 1372 1373\item[{\sphinxstylestrong{disable\_encrypted\_timestamp}}] \leavevmode 1374If this flag is true, the client will not perform encrypted 1375timestamp preauthentication if requested by the KDC. 
Setting this 1376flag can help to prevent dictionary attacks by active attackers, 1377if the realm’s KDCs support SPAKE preauthentication or if initial 1378authentication always uses another mechanism or always uses FAST. 1379This flag persists across client referrals during initial 1380authentication. This flag does not prevent the KDC from offering 1381encrypted timestamp. New in release 1.17. 1382 1383\item[{\sphinxstylestrong{http\_anchors}}] \leavevmode 1384When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag 1385can be used to specify the location of the CA certificate which should be 1386trusted to issue the certificate for a proxy server. If left unspecified, 1387the system-wide default set of CA certificates is used. 1388 1389The syntax for values is similar to that of values for the 1390\sphinxstylestrong{pkinit\_anchors} tag: 1391 1392\sphinxstylestrong{FILE:} \sphinxstyleemphasis{filename} 1393 1394\sphinxstyleemphasis{filename} is assumed to be the name of an OpenSSL-style ca-bundle file. 1395 1396\sphinxstylestrong{DIR:} \sphinxstyleemphasis{dirname} 1397 1398\sphinxstyleemphasis{dirname} is assumed to be a directory which contains CA certificates. 1399All files in the directory will be examined; if they contain certificates 1400(in PEM format), they will be used. 1401 1402\sphinxstylestrong{ENV:} \sphinxstyleemphasis{envvar} 1403 1404\sphinxstyleemphasis{envvar} specifies the name of an environment variable which has been set 1405to a value conforming to one of the previous values. For example, 1406\sphinxcode{ENV:X509\_PROXY\_CA}, where environment variable \sphinxcode{X509\_PROXY\_CA} has 1407been set to \sphinxcode{FILE:/tmp/my\_proxy.pem}. 1408 1409\item[{\sphinxstylestrong{kdc}}] \leavevmode 1410The name or address of a host running a KDC for that realm. An 1411optional port number, separated from the hostname by a colon, may 1412be included. 
If the name or address contains colons (for example, 1413if it is an IPv6 address), enclose it in square brackets to 1414distinguish the colon from a port separator. For your computer to 1415be able to communicate with the KDC for each realm, this tag must 1416be given a value in each realm subsection in the configuration 1417file, or there must be DNS SRV records specifying the KDCs. 1418 1419\item[{\sphinxstylestrong{kpasswd\_server}}] \leavevmode 1420Points to the server where all the password changes are performed. 1421If there is no such entry, DNS will be queried (unless forbidden 1422by \sphinxstylestrong{dns\_lookup\_kdc}). Finally, port 464 on the \sphinxstylestrong{admin\_server} 1423host will be tried. 1424 1425\item[{\sphinxstylestrong{master\_kdc}}] \leavevmode 1426The name for \sphinxstylestrong{primary\_kdc} prior to release 1.19. Its value is 1427used as a fallback if \sphinxstylestrong{primary\_kdc} is not specified. 1428 1429\item[{\sphinxstylestrong{primary\_kdc}}] \leavevmode 1430Identifies the primary KDC(s). Currently, this tag is used in only 1431one case: If an attempt to get credentials fails because of an 1432invalid password, the client software will attempt to contact the 1433primary KDC, in case the user’s password has just been changed, and 1434the updated database has not been propagated to the replica 1435servers yet. New in release 1.19. 1436 1437\item[{\sphinxstylestrong{v4\_instance\_convert}}] \leavevmode 1438This subsection allows the administrator to configure exceptions 1439to the \sphinxstylestrong{default\_domain} mapping rule. It contains V4 instances 1440(the tag name) which should be translated to some specific 1441hostname (the tag value) as the second component in a Kerberos V5 1442principal name. 1443 1444\item[{\sphinxstylestrong{v4\_realm}}] \leavevmode 1445This relation is used by the krb524 library routines when 1446converting a V5 principal name to a V4 principal name. 
It is used 1447when the V4 realm name and the V5 realm name are not the same, but 1448still share the same principal names and passwords. The tag value 1449is the Kerberos V4 realm name. 1450 1451\end{description} 1452 1453 1454\paragraph{{[}domain\_realm{]}} 1455\label{\detokenize{admin/conf_files/krb5_conf:id3}}\label{\detokenize{admin/conf_files/krb5_conf:domain-realm}} 1456The {[}domain\_realm{]} section provides a translation from a domain name 1457or hostname to a Kerberos realm name. The tag name can be a host name 1458or domain name, where domain names are indicated by a prefix of a 1459period (\sphinxcode{.}). The value of the relation is the Kerberos realm name 1460for that particular host or domain. A host name relation implicitly 1461provides the corresponding domain name relation, unless an explicit domain 1462name relation is provided. The Kerberos realm may be 1463identified either in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section or using DNS SRV records. 1464Host names and domain names should be in lower case. For example: 1465 1466\fvset{hllines={, ,}}% 1467\begin{sphinxVerbatim}[commandchars=\\\{\}] 1468\PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]} 1469 \PYG{n}{crash}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 1470 \PYG{o}{.}\PYG{n}{dev}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 1471 \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 1472\end{sphinxVerbatim} 1473 1474maps the host with the name \sphinxcode{crash.mit.edu} into the 1475\sphinxcode{TEST.ATHENA.MIT.EDU} realm. 
The second entry maps all hosts under the 1476domain \sphinxcode{dev.mit.edu} into the \sphinxcode{TEST.ATHENA.MIT.EDU} realm, but not 1477the host with the name \sphinxcode{dev.mit.edu}. That host is matched 1478by the third entry, which maps the host \sphinxcode{mit.edu} and all hosts 1479under the domain \sphinxcode{mit.edu} that do not match a preceding rule 1480into the realm \sphinxcode{ATHENA.MIT.EDU}. 1481 1482If no translation entry applies to a hostname used for a service 1483principal for a service ticket request, the library will try to get a 1484referral to the appropriate realm from the client realm’s KDC. If 1485that does not succeed, the host’s realm is considered to be the 1486hostname’s domain portion converted to uppercase, unless the 1487\sphinxstylestrong{realm\_try\_domains} setting in {[}libdefaults{]} causes a different 1488parent domain to be used. 1489 1490 1491\paragraph{{[}capaths{]}} 1492\label{\detokenize{admin/conf_files/krb5_conf:id4}}\label{\detokenize{admin/conf_files/krb5_conf:capaths}} 1493In order to perform direct (non-hierarchical) cross-realm 1494authentication, configuration is needed to determine the 1495authentication paths between realms. 1496 1497A client will use this section to find the authentication path between 1498its realm and the realm of the server. The server will use this 1499section to verify the authentication path used by the client, by 1500checking the transited field of the received ticket. 1501 1502There is a tag for each participating client realm, and each tag has 1503subtags for each of the server realms. The value of the subtags is an 1504intermediate realm which may participate in the cross-realm 1505authentication. The subtags may be repeated if there is more than one 1506intermediate realm. A value of “.” means that the two realms share 1507keys directly, and no intermediate realms should be allowed to 1508participate. 
1509 1510Only those entries which will be needed on the client or the server 1511need to be present. A client needs a tag for its local realm with 1512subtags for all the realms of servers it will need to authenticate to. 1513A server needs a tag for each realm of the clients it will serve, with 1514a subtag of the server realm. 1515 1516For example, \sphinxcode{ANL.GOV}, \sphinxcode{PNL.GOV}, and \sphinxcode{NERSC.GOV} all wish to 1517use the \sphinxcode{ES.NET} realm as an intermediate realm. ANL has a sub 1518realm of \sphinxcode{TEST.ANL.GOV} which will authenticate with \sphinxcode{NERSC.GOV} 1519but not \sphinxcode{PNL.GOV}. The {[}capaths{]} section for \sphinxcode{ANL.GOV} systems 1520would look like this: 1521 1522\fvset{hllines={, ,}}% 1523\begin{sphinxVerbatim}[commandchars=\\\{\}] 1524\PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]} 1525 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1526 \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} 1527 \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1528 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1529 \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.} 1530 \PYG{p}{\PYGZcb{}} 1531 \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1532 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} 1533 \PYG{p}{\PYGZcb{}} 1534 \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1535 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1536 \PYG{p}{\PYGZcb{}} 1537 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1538 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1539 \PYG{p}{\PYGZcb{}} 1540 \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1541 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} 1542 \PYG{p}{\PYGZcb{}} 1543\end{sphinxVerbatim} 1544 1545The 
{[}capaths{]} section of the configuration file used on \sphinxcode{NERSC.GOV} 1546systems would look like this: 1547 1548\fvset{hllines={, ,}}% 1549\begin{sphinxVerbatim}[commandchars=\\\{\}] 1550\PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]} 1551 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1552 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1553 \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1554 \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} 1555 \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1556 \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{o}{.} 1557 \PYG{p}{\PYGZcb{}} 1558 \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1559 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1560 \PYG{p}{\PYGZcb{}} 1561 \PYG{n}{PNL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1562 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1563 \PYG{p}{\PYGZcb{}} 1564 \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1565 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{o}{.} 1566 \PYG{p}{\PYGZcb{}} 1567 \PYG{n}{TEST}\PYG{o}{.}\PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1568 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ANL}\PYG{o}{.}\PYG{n}{GOV} 1569 \PYG{n}{NERSC}\PYG{o}{.}\PYG{n}{GOV} \PYG{o}{=} \PYG{n}{ES}\PYG{o}{.}\PYG{n}{NET} 1570 \PYG{p}{\PYGZcb{}} 1571\end{sphinxVerbatim} 1572 1573When a subtag is used more than once within a tag, clients will use 1574the order of values to determine the path. The order of values is not 1575important to servers. 
1576 1577 1578\paragraph{{[}appdefaults{]}} 1579\label{\detokenize{admin/conf_files/krb5_conf:id5}}\label{\detokenize{admin/conf_files/krb5_conf:appdefaults}} 1580Each tag in the {[}appdefaults{]} section names a Kerberos V5 application 1581or an option that is used by some Kerberos V5 application{[}s{]}. The 1582value of the tag defines the default behaviors for that application. 1583 1584For example: 1585 1586\fvset{hllines={, ,}}% 1587\begin{sphinxVerbatim}[commandchars=\\\{\}] 1588\PYG{p}{[}\PYG{n}{appdefaults}\PYG{p}{]} 1589 \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1590 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1591 \PYG{n}{option1} \PYG{o}{=} \PYG{n}{false} 1592 \PYG{p}{\PYGZcb{}} 1593 \PYG{p}{\PYGZcb{}} 1594 \PYG{n}{telnet} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1595 \PYG{n}{option1} \PYG{o}{=} \PYG{n}{true} 1596 \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true} 1597 \PYG{p}{\PYGZcb{}} 1598 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1599 \PYG{n}{option2} \PYG{o}{=} \PYG{n}{false} 1600 \PYG{p}{\PYGZcb{}} 1601 \PYG{n}{option2} \PYG{o}{=} \PYG{n}{true} 1602\end{sphinxVerbatim} 1603 1604The above four ways of specifying the value of an option are shown in 1605order of decreasing precedence. In this example, if telnet is running 1606in the realm EXAMPLE.COM, it should, by default, have option1 and 1607option2 set to true. However, a telnet program in the realm 1608\sphinxcode{ATHENA.MIT.EDU} should have \sphinxcode{option1} set to false and 1609\sphinxcode{option2} set to true. Any other programs in ATHENA.MIT.EDU should 1610have \sphinxcode{option2} set to false by default. Any programs running in 1611other realms should have \sphinxcode{option2} set to true. 1612 1613The list of specifiable options for each application may be found in 1614that application’s man pages. 
The application defaults specified here 1615are overridden by those specified in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{realms}}} section. 1616 1617 1618\paragraph{{[}plugins{]}} 1619\label{\detokenize{admin/conf_files/krb5_conf:id6}}\label{\detokenize{admin/conf_files/krb5_conf:plugins}}\begin{itemize} 1620\item {} 1621{\hyperref[\detokenize{admin/conf_files/krb5_conf:pwqual}]{\sphinxcrossref{pwqual}}} interface 1622 1623\item {} 1624{\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-hook}]{\sphinxcrossref{kadm5\_hook}}} interface 1625 1626\item {} 1627{\hyperref[\detokenize{admin/conf_files/krb5_conf:clpreauth}]{\sphinxcrossref{clpreauth}}} and {\hyperref[\detokenize{admin/conf_files/krb5_conf:kdcpreauth}]{\sphinxcrossref{kdcpreauth}}} interfaces 1628 1629\end{itemize} 1630 1631Tags in the {[}plugins{]} section can be used to register dynamic plugin 1632modules and to turn modules on and off. Not every krb5 pluggable 1633interface uses the {[}plugins{]} section; the ones that do are documented 1634here. 1635 1636New in release 1.9. 1637 1638Each pluggable interface corresponds to a subsection of {[}plugins{]}. 1639All subsections support the same tags: 1640\begin{description} 1641\item[{\sphinxstylestrong{disable}}] \leavevmode 1642This tag may have multiple values. If there are values for this 1643tag, then the named modules will be disabled for the pluggable 1644interface. 1645 1646\item[{\sphinxstylestrong{enable\_only}}] \leavevmode 1647This tag may have multiple values. If there are values for this 1648tag, then only the named modules will be enabled for the pluggable 1649interface. 1650 1651\item[{\sphinxstylestrong{module}}] \leavevmode 1652This tag may have multiple values. 
Each value is a string of the 1653form \sphinxcode{modulename:pathname}, which causes the shared object 1654located at \sphinxstyleemphasis{pathname} to be registered as a dynamic module named 1655\sphinxstyleemphasis{modulename} for the pluggable interface. If \sphinxstyleemphasis{pathname} is not an 1656absolute path, it will be treated as relative to the 1657\sphinxstylestrong{plugin\_base\_dir} value from {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. 1658 1659\end{description} 1660 1661For pluggable interfaces where module order matters, modules 1662registered with a \sphinxstylestrong{module} tag normally come first, in the order 1663they are registered, followed by built-in modules in the order they 1664are documented below. If \sphinxstylestrong{enable\_only} tags are used, then the 1665order of those tags overrides the normal module order. 1666 1667The following subsections are currently supported within the {[}plugins{]} 1668section: 1669 1670 1671\subparagraph{ccselect interface} 1672\label{\detokenize{admin/conf_files/krb5_conf:ccselect}}\label{\detokenize{admin/conf_files/krb5_conf:ccselect-interface}} 1673The ccselect subsection controls modules for credential cache 1674selection within a cache collection. 
In addition to any registered 1675dynamic modules, the following built-in modules exist (and may be 1676disabled with the disable tag): 1677\begin{description} 1678\item[{\sphinxstylestrong{k5identity}}] \leavevmode 1679Uses a .k5identity file in the user’s home directory to select a 1680client principal 1681 1682\item[{\sphinxstylestrong{realm}}] \leavevmode 1683Uses the service realm to guess an appropriate cache from the 1684collection 1685 1686\item[{\sphinxstylestrong{hostname}}] \leavevmode 1687If the service principal is host-based, uses the service hostname 1688to guess an appropriate cache from the collection 1689 1690\end{description} 1691 1692 1693\subparagraph{pwqual interface} 1694\label{\detokenize{admin/conf_files/krb5_conf:pwqual-interface}}\label{\detokenize{admin/conf_files/krb5_conf:pwqual}} 1695The pwqual subsection controls modules for the password quality 1696interface, which is used to reject weak passwords when passwords are 1697changed. The following built-in modules exist for this interface: 1698\begin{description} 1699\item[{\sphinxstylestrong{dict}}] \leavevmode 1700Checks against the realm dictionary file 1701 1702\item[{\sphinxstylestrong{empty}}] \leavevmode 1703Rejects empty passwords 1704 1705\item[{\sphinxstylestrong{hesiod}}] \leavevmode 1706Checks against user information stored in Hesiod (only if Kerberos 1707was built with Hesiod support) 1708 1709\item[{\sphinxstylestrong{princ}}] \leavevmode 1710Checks against components of the principal name 1711 1712\end{description} 1713 1714 1715\subparagraph{kadm5\_hook interface} 1716\label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-hook}} 1717The kadm5\_hook interface provides plugins with information on 1718principal creation, modification, password changes and deletion. This 1719interface can be used to write a plugin to synchronize MIT Kerberos 1720with another database such as Active Directory. 
No plugins are built 1721in for this interface. 1722 1723 1724\subparagraph{kadm5\_auth interface} 1725\label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:kadm5-auth}} 1726The kadm5\_auth section (introduced in release 1.16) controls modules 1727for the kadmin authorization interface, which determines whether a 1728client principal is allowed to perform a kadmin operation. The 1729following built-in modules exist for this interface: 1730\begin{description} 1731\item[{\sphinxstylestrong{acl}}] \leavevmode 1732This module reads the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file, and authorizes 1733operations which are allowed according to the rules in the file. 1734 1735\item[{\sphinxstylestrong{self}}] \leavevmode 1736This module authorizes self-service operations including password 1737changes, creation of new random keys, fetching the client’s 1738principal record or string attributes, and fetching the policy 1739record associated with the client principal. 1740 1741\end{description} 1742\phantomsection\label{\detokenize{admin/conf_files/krb5_conf:clpreauth}} 1743 1744\subparagraph{clpreauth and kdcpreauth interfaces} 1745\label{\detokenize{admin/conf_files/krb5_conf:clpreauth-and-kdcpreauth-interfaces}}\label{\detokenize{admin/conf_files/krb5_conf:clpreauth}}\label{\detokenize{admin/conf_files/krb5_conf:kdcpreauth}} 1746The clpreauth and kdcpreauth interfaces allow plugin modules to 1747provide client and KDC preauthentication mechanisms. The following 1748built-in modules exist for these interfaces: 1749\begin{description} 1750\item[{\sphinxstylestrong{pkinit}}] \leavevmode 1751This module implements the PKINIT preauthentication mechanism. 1752 1753\item[{\sphinxstylestrong{encrypted\_challenge}}] \leavevmode 1754This module implements the encrypted challenge FAST factor. 
1755 1756\item[{\sphinxstylestrong{encrypted\_timestamp}}] \leavevmode 1757This module implements the encrypted timestamp mechanism. 1758 1759\end{description} 1760 1761 1762\subparagraph{hostrealm interface} 1763\label{\detokenize{admin/conf_files/krb5_conf:hostrealm-interface}}\label{\detokenize{admin/conf_files/krb5_conf:hostrealm}} 1764The hostrealm section (introduced in release 1.12) controls modules 1765for the host-to-realm interface, which affects the local mapping of 1766hostnames to realm names and the choice of default realm. The following 1767built-in modules exist for this interface: 1768\begin{description} 1769\item[{\sphinxstylestrong{profile}}] \leavevmode 1770This module consults the {[}domain\_realm{]} section of the profile for 1771authoritative host-to-realm mappings, and the \sphinxstylestrong{default\_realm} 1772variable for the default realm. 1773 1774\item[{\sphinxstylestrong{dns}}] \leavevmode 1775This module looks for DNS records for fallback host-to-realm 1776mappings and the default realm. It only operates if the 1777\sphinxstylestrong{dns\_lookup\_realm} variable is set to true. Because DNS answers are not authenticated, a spoofed or poisoned record can map a host into an attacker-chosen realm; prefer explicit {[}domain\_realm{]} entries for any host whose realm affects authorization decisions. 1778 1779\item[{\sphinxstylestrong{domain}}] \leavevmode 1780This module applies heuristics for fallback host-to-realm 1781mappings. It implements the \sphinxstylestrong{realm\_try\_domains} variable, and 1782uses the uppercased parent domain of the hostname if that does not 1783produce a result. 1784 1785\end{description} 1786 1787 1788\subparagraph{localauth interface} 1789\label{\detokenize{admin/conf_files/krb5_conf:localauth-interface}}\label{\detokenize{admin/conf_files/krb5_conf:localauth}} 1790The localauth section (introduced in release 1.12) controls modules 1791for the local authorization interface, which affects the relationship 1792between Kerberos principals and local system accounts.
The following 1793built-in modules exist for this interface: 1794\begin{description} 1795\item[{\sphinxstylestrong{default}}] \leavevmode 1796This module implements the \sphinxstylestrong{DEFAULT} type for \sphinxstylestrong{auth\_to\_local} 1797values. 1798 1799\item[{\sphinxstylestrong{rule}}] \leavevmode 1800This module implements the \sphinxstylestrong{RULE} type for \sphinxstylestrong{auth\_to\_local} 1801values. 1802 1803\item[{\sphinxstylestrong{names}}] \leavevmode 1804This module looks for an \sphinxstylestrong{auth\_to\_local\_names} mapping for the 1805principal name. 1806 1807\item[{\sphinxstylestrong{auth\_to\_local}}] \leavevmode 1808This module processes \sphinxstylestrong{auth\_to\_local} values in the default 1809realm’s section, and applies the default method if no 1810\sphinxstylestrong{auth\_to\_local} values exist. 1811 1812\item[{\sphinxstylestrong{k5login}}] \leavevmode 1813This module authorizes a principal to a local account according to 1814the account’s \DUrole{xref,std,std-ref}{.k5login(5)} file. 1815 1816\item[{\sphinxstylestrong{an2ln}}] \leavevmode 1817This module authorizes a principal to a local account if the 1818principal name maps to the local account name. 1819 1820\end{description} 1821 1822 1823\subparagraph{certauth interface} 1824\label{\detokenize{admin/conf_files/krb5_conf:certauth}}\label{\detokenize{admin/conf_files/krb5_conf:certauth-interface}} 1825The certauth section (introduced in release 1.16) controls modules for 1826the certificate authorization interface, which determines whether a 1827certificate is allowed to preauthenticate a user via PKINIT. 
The 1828following built-in modules exist for this interface: 1829\begin{description} 1830\item[{\sphinxstylestrong{pkinit\_san}}] \leavevmode 1831This module authorizes the certificate if it contains a PKINIT 1832Subject Alternative Name for the requested client principal, or a 1833Microsoft UPN SAN matching the principal if \sphinxstylestrong{pkinit\_allow\_upn} 1834is set to true for the realm. 1835 1836\item[{\sphinxstylestrong{pkinit\_eku}}] \leavevmode 1837This module rejects the certificate if it does not contain an 1838Extended Key Usage attribute consistent with the 1839\sphinxstylestrong{pkinit\_eku\_checking} value for the realm. 1840 1841\item[{\sphinxstylestrong{dbmatch}}] \leavevmode 1842This module authorizes or rejects the certificate according to 1843whether it matches the \sphinxstylestrong{pkinit\_cert\_match} string attribute on 1844the client principal, if that attribute is present. 1845 1846\end{description} 1847 1848 1849\subsubsection{PKINIT options} 1850\label{\detokenize{admin/conf_files/krb5_conf:pkinit-options}} 1851\begin{sphinxadmonition}{note}{Note:} 1852The following are PKINIT-specific options. These values may 1853be specified in {[}libdefaults{]} as global defaults, or within 1854a realm-specific subsection of {[}libdefaults{]}, or may be 1855specified as realm-specific values in the {[}realms{]} section. 1856A realm-specific value overrides, not adds to, a generic 1857{[}libdefaults{]} specification. 
The search order is: 1858\end{sphinxadmonition} 1859\begin{enumerate} 1860\item {} 1861realm-specific subsection of {[}libdefaults{]}: 1862 1863\fvset{hllines={, ,}}% 1864\begin{sphinxVerbatim}[commandchars=\\\{\}] 1865\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 1866 \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1867 \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt} 1868 \PYG{p}{\PYGZcb{}} 1869\end{sphinxVerbatim} 1870 1871\item {} 1872realm-specific value in the {[}realms{]} section: 1873 1874\fvset{hllines={, ,}}% 1875\begin{sphinxVerbatim}[commandchars=\\\{\}] 1876\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 1877 \PYG{n}{OTHERREALM}\PYG{o}{.}\PYG{n}{ORG} \PYG{o}{=} \PYG{p}{\PYGZob{}} 1878 \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{otherrealm}\PYG{o}{.}\PYG{n}{org}\PYG{o}{.}\PYG{n}{crt} 1879 \PYG{p}{\PYGZcb{}} 1880\end{sphinxVerbatim} 1881 1882\item {} 1883generic value in the {[}libdefaults{]} section: 1884 1885\fvset{hllines={, ,}}% 1886\begin{sphinxVerbatim}[commandchars=\\\{\}] 1887\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 1888 \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/} 1889\end{sphinxVerbatim} 1890 1891\end{enumerate} 1892 1893 1894\paragraph{Specifying PKINIT identity information} 1895\label{\detokenize{admin/conf_files/krb5_conf:specifying-pkinit-identity-information}}\label{\detokenize{admin/conf_files/krb5_conf:pkinit-identity}} 1896The syntax for specifying Public Key identity, trust, and revocation 1897information for PKINIT is as follows: 1898\begin{description} 1899\item[{\sphinxstylestrong{FILE:}\sphinxstyleemphasis{filename}{[}\sphinxstylestrong{,}\sphinxstyleemphasis{keyfilename}{]}}]
\leavevmode 1900This option has context-specific behavior. 1901 1902In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{filename} 1903specifies the name of a PEM-format file containing the user’s 1904certificate. If \sphinxstyleemphasis{keyfilename} is not specified, the user’s 1905private key is expected to be in \sphinxstyleemphasis{filename} as well. Otherwise, 1906\sphinxstyleemphasis{keyfilename} is the name of the file containing the private key. Whichever file holds the private key should be readable only by its owner. 1907 1908In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{filename} is assumed to 1909be the name of an OpenSSL-style ca-bundle file. 1910 1911\item[{\sphinxstylestrong{DIR:}\sphinxstyleemphasis{dirname}}] \leavevmode 1912This option has context-specific behavior. 1913 1914In \sphinxstylestrong{pkinit\_identity} or \sphinxstylestrong{pkinit\_identities}, \sphinxstyleemphasis{dirname} 1915specifies a directory with files named \sphinxcode{*.crt} and \sphinxcode{*.key} 1916where the first part of the file name is the same for matching 1917pairs of certificate and private key files. When a file with a 1918name ending with \sphinxcode{.crt} is found, a matching file ending with 1919\sphinxcode{.key} is assumed to contain the private key. If no such file 1920is found, then the certificate in the \sphinxcode{.crt} is not used. 1921 1922In \sphinxstylestrong{pkinit\_anchors} or \sphinxstylestrong{pkinit\_pool}, \sphinxstyleemphasis{dirname} is assumed to 1923be an OpenSSL-style hashed CA directory where each CA cert is 1924stored in a file named \sphinxcode{hash-of-ca-cert.\#}. This infrastructure 1925is encouraged, but all files in the directory will be examined and 1926if they contain certificates (in PEM format), they will be used. Because every PEM certificate found in a \sphinxstylestrong{pkinit\_anchors} directory becomes a trust anchor, the directory and its contents must be writable only by the administrator.
1927 1928In \sphinxstylestrong{pkinit\_revoke}, \sphinxstyleemphasis{dirname} is assumed to be an OpenSSL-style 1929hashed CA directory where each revocation list is stored in a file 1930named \sphinxcode{hash-of-ca-cert.r\#}. This infrastructure is encouraged, 1931but all files in the directory will be examined and if they 1932contain a revocation list (in PEM format), they will be used. 1933 1934\item[{\sphinxstylestrong{PKCS12:}\sphinxstyleemphasis{filename}}] \leavevmode 1935\sphinxstyleemphasis{filename} is the name of a PKCS \#12 format file, containing the 1936user’s certificate and private key. 1937 1938\item[{\sphinxstylestrong{PKCS11:}{[}\sphinxstylestrong{module\_name=}{]}\sphinxstyleemphasis{modname}{[}\sphinxstylestrong{:slotid=}\sphinxstyleemphasis{slot-id}{]}{[}\sphinxstylestrong{:token=}\sphinxstyleemphasis{token-label}{]}{[}\sphinxstylestrong{:certid=}\sphinxstyleemphasis{cert-id}{]}{[}\sphinxstylestrong{:certlabel=}\sphinxstyleemphasis{cert-label}{]}}] \leavevmode 1939All keyword/values are optional. \sphinxstyleemphasis{modname} specifies the location 1940of a library implementing PKCS \#11. If a value is encountered 1941with no keyword, it is assumed to be the \sphinxstyleemphasis{modname}. If no 1942module-name is specified, the default is \sphinxcode{opensc-pkcs11.so}. Since this library is loaded into the calling process, it must come from a trusted, administrator-controlled location. 1943\sphinxcode{slotid=} and/or \sphinxcode{token=} may be specified to force the use of 1944a particular smart card reader or token if there is more than one 1945available. \sphinxcode{certid=} and/or \sphinxcode{certlabel=} may be specified to 1946force the selection of a particular certificate on the device. 1947See the \sphinxstylestrong{pkinit\_cert\_match} configuration option for more ways 1948to select a particular certificate to use for PKINIT.
1949 1950\item[{\sphinxstylestrong{ENV:}\sphinxstyleemphasis{envvar}}] \leavevmode 1951\sphinxstyleemphasis{envvar} specifies the name of an environment variable which has 1952been set to a value conforming to one of the previous values. For 1953example, \sphinxcode{ENV:X509\_PROXY}, where environment variable 1954\sphinxcode{X509\_PROXY} has been set to \sphinxcode{FILE:/tmp/my\_proxy.pem}. 1955 1956\end{description} 1957 1958 1959\paragraph{PKINIT krb5.conf options} 1960\label{\detokenize{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}}\begin{description} 1961\item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode 1962Specifies the location of trusted anchor (root) certificates which 1963the client trusts to sign KDC certificates. This option may be 1964specified multiple times. These values from the config file are 1965not used if the user specifies X509\_anchors on the command line. 1966 1967\item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode 1968Specifies matching rules that the client certificate must match 1969before it is used to attempt PKINIT authentication. If a user has 1970multiple certificates available (on a smart card, or via other 1971media), there must be exactly one certificate chosen before 1972attempting PKINIT authentication. This option may be specified 1973multiple times. All the available certificates are checked 1974against each rule in order until there is a match of exactly one 1975certificate. 1976 1977The Subject and Issuer comparison strings are the \index{RFC!RFC 2253}\sphinxhref{https://tools.ietf.org/html/rfc2253.html}{\sphinxstylestrong{RFC 2253}} 1978string representations from the certificate Subject DN and Issuer 1979DN values. 
1980 1981The syntax of the matching rules is: 1982\begin{quote} 1983 1984{[}\sphinxstyleemphasis{relation-operator}{]}\sphinxstyleemphasis{component-rule} … 1985\end{quote} 1986 1987where: 1988\begin{description} 1989\item[{\sphinxstyleemphasis{relation-operator}}] \leavevmode 1990can be either \sphinxcode{\&\&}, meaning all component rules must match, 1991or \sphinxcode{\textbar{}\textbar{}}, meaning only one component rule must match. The 1992default is \sphinxcode{\&\&}. 1993 1994\item[{\sphinxstyleemphasis{component-rule}}] \leavevmode 1995can be one of the following. Note that there is no 1996punctuation or whitespace between component rules. 1997\begin{quote} 1998 1999\begin{DUlineblock}{0em} 2000\item[] \sphinxstylestrong{\textless{}SUBJECT\textgreater{}}\sphinxstyleemphasis{regular-expression} 2001\item[] \sphinxstylestrong{\textless{}ISSUER\textgreater{}}\sphinxstyleemphasis{regular-expression} 2002\item[] \sphinxstylestrong{\textless{}SAN\textgreater{}}\sphinxstyleemphasis{regular-expression} 2003\item[] \sphinxstylestrong{\textless{}EKU\textgreater{}}\sphinxstyleemphasis{extended-key-usage-list} 2004\item[] \sphinxstylestrong{\textless{}KU\textgreater{}}\sphinxstyleemphasis{key-usage-list} 2005\end{DUlineblock} 2006\end{quote} 2007 2008\sphinxstyleemphasis{extended-key-usage-list} is a comma-separated list of 2009required Extended Key Usage values. All values in the list 2010must be present in the certificate. Extended Key Usage values 2011can be: 2012\begin{itemize} 2013\item {} 2014pkinit 2015 2016\item {} 2017msScLogin 2018 2019\item {} 2020clientAuth 2021 2022\item {} 2023emailProtection 2024 2025\end{itemize} 2026 2027\sphinxstyleemphasis{key-usage-list} is a comma-separated list of required Key 2028Usage values. All values in the list must be present in the 2029certificate. 
Key Usage values can be: 2030\begin{itemize} 2031\item {} 2032digitalSignature 2033 2034\item {} 2035keyEncipherment 2036 2037\end{itemize} 2038 2039\end{description} 2040 2041Examples: 2042 2043\fvset{hllines={, ,}}% 2044\begin{sphinxVerbatim}[commandchars=\\\{\}] 2045\PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\textbar{}}\PYG{o}{\textbar{}}\PYG{o}{\PYGZlt{}}\PYG{n}{SUBJECT}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*}\PYG{o}{\PYGZlt{}}\PYG{n}{SAN}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} 2046\PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZam{}}\PYG{o}{\PYGZam{}}\PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{ISSUER}\PYG{o}{\PYGZgt{}}\PYG{o}{.}\PYG{o}{*}\PYG{n}{DoE}\PYG{o}{.}\PYG{o}{*} 2047\PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{EKU}\PYG{o}{\PYGZgt{}}\PYG{n}{msScLogin}\PYG{p}{,}\PYG{n}{clientAuth}\PYG{o}{\PYGZlt{}}\PYG{n}{KU}\PYG{o}{\PYGZgt{}}\PYG{n}{digitalSignature} 2048\end{sphinxVerbatim} 2049 2050\item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode 2051This option specifies what Extended Key Usage value the KDC 2052certificate presented to the client must contain. (Note that if 2053the KDC certificate has the pkinit SubjectAlternativeName encoded 2054as the Kerberos TGS name, EKU checking is not necessary since the 2055issuing CA has certified this as a KDC certificate.) The values 2056recognized in the krb5.conf file are: 2057\begin{description} 2058\item[{\sphinxstylestrong{kpKDC}}] \leavevmode 2059This is the default value and specifies that the KDC must have 2060the id-pkinit-KPKdc EKU as defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. 
2061 2062\item[{\sphinxstylestrong{kpServerAuth}}] \leavevmode 2063If \sphinxstylestrong{kpServerAuth} is specified, a KDC certificate with the 2064id-kp-serverAuth EKU will be accepted. This key usage value 2065is used in most commercially issued server certificates, so this setting should only be combined with a \sphinxstylestrong{pkinit\_anchors} set restricted to the CA that actually issues KDC certificates. 2066 2067\item[{\sphinxstylestrong{none}}] \leavevmode 2068If \sphinxstylestrong{none} is specified, then the KDC certificate will not be 2069checked to verify it has an acceptable EKU. The use of this 2070option is not recommended, as it removes the evidence that the issuing CA intended the certificate for KDC use. 2071 2072\end{description} 2073 2074\item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode 2075Specifies the size of the Diffie-Hellman key the client will 2076attempt to use. The acceptable values are 1024, 2048, and 4096. 2077The default is 2048. 1024-bit groups are no longer considered adequate; do not lower this below the default unless a legacy KDC leaves no alternative. 2078 2079\item[{\sphinxstylestrong{pkinit\_identities}}] \leavevmode 2080Specifies the location(s) to be used to find the user’s X.509 2081identity information. If this option is specified multiple times, 2082each value is attempted in order until certificates are found. 2083Note that these values are not used if the user specifies 2084\sphinxstylestrong{X509\_user\_identity} on the command line. 2085 2086\item[{\sphinxstylestrong{pkinit\_kdc\_hostname}}] \leavevmode 2087The presence of this option indicates that the client is willing 2088to accept a KDC certificate with a dNSName SAN (Subject 2089Alternative Name) rather than requiring the id-pkinit-san as 2090defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. This option may be specified multiple 2091times. Its value should contain the acceptable hostname for the 2092KDC (as contained in its certificate). Note that this weakens the binding between the certificate and the KDC role: any certificate for a listed hostname that chains to a trusted anchor and passes \sphinxstylestrong{pkinit\_eku\_checking} will be accepted as a KDC certificate, so use it only with a tightly scoped set of anchors. 2093 2094\item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode 2095Specifies the location of intermediate certificates which may be 2096used by the client to complete the trust chain between a KDC 2097certificate and a trusted anchor. This option may be specified 2098multiple times.
2099 2100\item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode 2101The default certificate verification process will always check the 2102available revocation information to see if a certificate has been 2103revoked. If a match is found for the certificate in a CRL, 2104verification fails. If the certificate being verified is not 2105listed in a CRL, or there is no CRL present for its issuing CA, 2106and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false (the default), then verification 2107succeeds. In other words, with the default setting a missing CRL is silently treated as if the certificate were not revoked. 2108 2109However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is 2110no CRL information available for the issuing CA, then verification 2111fails. 2112 2113\sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the 2114policy is such that up-to-date CRLs must be present for every CA, i.e. if revocation of a KDC certificate is to be enforced rather than best-effort. 2115 2116\item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode 2117Specifies the location of Certificate Revocation List (CRL) 2118information to be used by the client when verifying the validity 2119of the KDC certificate presented. This option may be specified 2120multiple times. 2121 2122\end{description} 2123 2124 2125\subsubsection{Parameter expansion} 2126\label{\detokenize{admin/conf_files/krb5_conf:id7}}\label{\detokenize{admin/conf_files/krb5_conf:parameter-expansion}} 2127Starting with release 1.11, several variables, such as 2128\sphinxstylestrong{default\_keytab\_name}, allow parameters to be expanded.
2129Valid parameters are: 2130\begin{quote} 2131 2132 2133\begin{savenotes}\sphinxattablestart 2134\centering 2135\begin{tabulary}{\linewidth}[t]{|T|T|} 2136\hline 2137 2138\%\{TEMP\} 2139& 2140Temporary directory 2141\\ 2142\hline 2143\%\{uid\} 2144& 2145Unix real UID or Windows SID 2146\\ 2147\hline 2148\%\{euid\} 2149& 2150Unix effective user ID or Windows SID 2151\\ 2152\hline 2153\%\{USERID\} 2154& 2155Same as \%\{uid\} 2156\\ 2157\hline 2158\%\{null\} 2159& 2160Empty string 2161\\ 2162\hline 2163\%\{LIBDIR\} 2164& 2165Installation library directory 2166\\ 2167\hline 2168\%\{BINDIR\} 2169& 2170Installation binary directory 2171\\ 2172\hline 2173\%\{SBINDIR\} 2174& 2175Installation admin binary directory 2176\\ 2177\hline 2178\%\{username\} 2179& 2180(Unix) Username of effective user ID 2181\\ 2182\hline 2183\%\{APPDATA\} 2184& 2185(Windows) Roaming application data for current user 2186\\ 2187\hline 2188\%\{COMMON\_APPDATA\} 2189& 2190(Windows) Application data for all users 2191\\ 2192\hline 2193\%\{LOCAL\_APPDATA\} 2194& 2195(Windows) Local application data for current user 2196\\ 2197\hline 2198\%\{SYSTEM\} 2199& 2200(Windows) Windows system folder 2201\\ 2202\hline 2203\%\{WINDOWS\} 2204& 2205(Windows) Windows folder 2206\\ 2207\hline 2208\%\{USERCONFIG\} 2209& 2210(Windows) Per-user MIT krb5 config file directory 2211\\ 2212\hline 2213\%\{COMMONCONFIG\} 2214& 2215(Windows) Common MIT krb5 config file directory 2216\\ 2217\hline 2218\end{tabulary} 2219\par 2220\sphinxattableend\end{savenotes} 2221\end{quote} 2222 2223 2224\subsubsection{Sample krb5.conf file} 2225\label{\detokenize{admin/conf_files/krb5_conf:sample-krb5-conf-file}} 2226Here is an example of a generic krb5.conf file: 2227 2228\fvset{hllines={, ,}}% 2229\begin{sphinxVerbatim}[commandchars=\\\{\}] 2230\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 2231 \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 2232 \PYG{n}{dns\PYGZus{}lookup\PYGZus{}kdc} 
\PYG{o}{=} \PYG{n}{true} 2233 \PYG{n}{dns\PYGZus{}lookup\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false} 2234 2235\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 2236 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 2237 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 2238 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 2239 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{2.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 2240 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 2241 \PYG{n}{primary\PYGZus{}kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 2242 \PYG{p}{\PYGZcb{}} 2243 \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} 2244 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 2245 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{\PYGZhy{}}\PYG{l+m+mf}{1.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 2246 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 2247 \PYG{p}{\PYGZcb{}} 2248 2249\PYG{p}{[}\PYG{n}{domain\PYGZus{}realm}\PYG{p}{]} 2250 \PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 2251 2252\PYG{p}{[}\PYG{n}{capaths}\PYG{p}{]} 2253 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 2254 \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{o}{.} 2255 \PYG{p}{\PYGZcb{}} 2256 \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} 2257 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{o}{.} 2258 \PYG{p}{\PYGZcb{}} 2259\end{sphinxVerbatim} 2260 2261 2262\subsubsection{FILES} 2263\label{\detokenize{admin/conf_files/krb5_conf:files}} 2264\sphinxcode{/etc/krb5.conf} 2265 2266 2267\subsubsection{SEE ALSO} 
2268\label{\detokenize{admin/conf_files/krb5_conf:see-also}} 2269syslog(3) 2270 2271 2272\subsection{kdc.conf} 2273\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf}}\label{\detokenize{admin/conf_files/kdc_conf::doc}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}} 2274The kdc.conf file supplements {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} for programs which 2275are typically only used on a KDC, such as the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and 2276{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemons and the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} program. 2277Relations documented here may also be specified in krb5.conf; for the 2278KDC programs mentioned, krb5.conf and kdc.conf will be merged into a 2279single configuration profile. 2280 2281Normally, the kdc.conf file is found in the KDC state directory, 2282{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}. You can override the default location by setting the 2283environment variable \sphinxstylestrong{KRB5\_KDC\_PROFILE}. 2284 2285Please note that you need to restart the KDC daemon for any configuration 2286changes to take effect. 2287 2288 2289\subsubsection{Structure} 2290\label{\detokenize{admin/conf_files/kdc_conf:structure}} 2291The kdc.conf file is set up in the same format as the 2292{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file. 
2293 2294 2295\subsubsection{Sections} 2296\label{\detokenize{admin/conf_files/kdc_conf:sections}} 2297The kdc.conf file may contain the following sections: 2298 2299 2300\begin{savenotes}\sphinxattablestart 2301\centering 2302\begin{tabulary}{\linewidth}[t]{|T|T|} 2303\hline 2304 2305{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} 2306& 2307Default values for KDC behavior 2308\\ 2309\hline 2310{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} 2311& 2312Realm-specific database configuration and settings 2313\\ 2314\hline 2315{\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} 2316& 2317Default database settings 2318\\ 2319\hline 2320{\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} 2321& 2322Per-database settings 2323\\ 2324\hline 2325{\hyperref[\detokenize{admin/conf_files/kdc_conf:logging}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}logging{]}}}}} 2326& 2327Controls how Kerberos daemons perform logging 2328\\ 2329\hline 2330\end{tabulary} 2331\par 2332\sphinxattableend\end{savenotes} 2333 2334 2335\paragraph{{[}kdcdefaults{]}} 2336\label{\detokenize{admin/conf_files/kdc_conf:kdcdefaults}}\label{\detokenize{admin/conf_files/kdc_conf:id1}} 2337Some relations in the {[}kdcdefaults{]} section specify default values for 2338realm variables, to be used if the {[}realms{]} subsection does not 2339contain a relation for the tag. See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for 2340the definitions of these relations. 
2341\begin{itemize} 2342\item {} 2343\sphinxstylestrong{host\_based\_services} 2344 2345\item {} 2346\sphinxstylestrong{kdc\_listen} 2347 2348\item {} 2349\sphinxstylestrong{kdc\_ports} 2350 2351\item {} 2352\sphinxstylestrong{kdc\_tcp\_listen} 2353 2354\item {} 2355\sphinxstylestrong{kdc\_tcp\_ports} 2356 2357\item {} 2358\sphinxstylestrong{no\_host\_referral} 2359 2360\item {} 2361\sphinxstylestrong{restrict\_anonymous\_to\_tgt} 2362 2363\end{itemize} 2364 2365The following {[}kdcdefaults{]} variables have no per-realm equivalent: 2366\begin{description} 2367\item[{\sphinxstylestrong{kdc\_max\_dgram\_reply\_size}}] \leavevmode 2368Specifies the maximum packet size that can be sent over UDP. The 2369default value is 4096 bytes. 2370 2371\item[{\sphinxstylestrong{kdc\_tcp\_listen\_backlog}}] \leavevmode 2372(Integer.) Set the size of the listen queue length for the KDC 2373daemon. The value may be limited by OS settings. The default 2374value is 5. 2375 2376\item[{\sphinxstylestrong{spake\_preauth\_kdc\_challenge}}] \leavevmode 2377(String.) Specifies the group for a SPAKE optimistic challenge. 2378See the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} 2379for possible values. The default is not to issue an optimistic 2380challenge. (New in release 1.17.) 2381 2382\end{description} 2383 2384 2385\paragraph{{[}realms{]}} 2386\label{\detokenize{admin/conf_files/kdc_conf:realms}}\label{\detokenize{admin/conf_files/kdc_conf:kdc-realms}} 2387Each tag in the {[}realms{]} section is the name of a Kerberos realm. The 2388value of the tag is a subsection where the relations define KDC 2389parameters for that particular realm. 
The following example shows how 2390to define one parameter for the ATHENA.MIT.EDU realm: 2391 2392\fvset{hllines={, ,}}% 2393\begin{sphinxVerbatim}[commandchars=\\\{\}] 2394\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 2395 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 2396 \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} 2397 \PYG{p}{\PYGZcb{}} 2398\end{sphinxVerbatim} 2399 2400The following tags may be specified in a {[}realms{]} subsection: 2401\begin{description} 2402\item[{\sphinxstylestrong{acl\_file}}] \leavevmode 2403(String.) Location of the access control list file that 2404{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} uses to determine which principals are allowed 2405which permissions on the Kerberos database. To operate without an 2406ACL file, set this relation to the empty string with \sphinxcode{acl\_file = 2407""}. With no ACL file the built-in \sphinxstylestrong{acl} kadm5\_auth module grants nothing, so only operations permitted by another kadm5\_auth module (for example the self-service operations of the built-in \sphinxstylestrong{self} module) are authorized. The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl}. For more 2408information on Kerberos ACL file see {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. 2409 2410\item[{\sphinxstylestrong{database\_module}}] \leavevmode 2411(String.) This relation indicates the name of the configuration 2412section under {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} for database-specific parameters 2413used by the loadable database library. The default value is the 2414realm name. If this configuration section does not exist, default 2415values will be used for all database parameters. 2416 2417\item[{\sphinxstylestrong{database\_name}}] \leavevmode 2418(String, deprecated.)
This relation specifies the location of the 2419Kerberos database for this realm, if the DB2 module is being used 2420and the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} configuration section does not specify a 2421database name. The default value is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/principal}. 2422 2423\item[{\sphinxstylestrong{default\_principal\_expiration}}] \leavevmode 2424(\DUrole{xref,std,std-ref}{abstime} string.) Specifies the default expiration date of 2425principals created in this realm. The default value is 0, which 2426means no expiration date. 2427 2428\item[{\sphinxstylestrong{default\_principal\_flags}}] \leavevmode 2429(Flag string.) Specifies the default attributes of principals 2430created in this realm. The format for this string is a 2431comma-separated list of flags, with ‘+’ before each flag that 2432should be enabled and ‘-‘ before each flag that should be 2433disabled. The \sphinxstylestrong{postdateable}, \sphinxstylestrong{forwardable}, \sphinxstylestrong{tgt-based}, 2434\sphinxstylestrong{renewable}, \sphinxstylestrong{proxiable}, \sphinxstylestrong{dup-skey}, \sphinxstylestrong{allow-tickets}, and 2435\sphinxstylestrong{service} flags default to enabled. 2436 2437There are a number of possible flags: 2438\begin{description} 2439\item[{\sphinxstylestrong{allow-tickets}}] \leavevmode 2440Enabling this flag means that the KDC will issue tickets for 2441this principal. Disabling this flag essentially deactivates 2442the principal within this realm. 2443 2444\item[{\sphinxstylestrong{dup-skey}}] \leavevmode 2445Enabling this flag allows the KDC to issue user-to-user 2446service tickets for this principal. 2447 2448\item[{\sphinxstylestrong{forwardable}}] \leavevmode 2449Enabling this flag allows the principal to obtain forwardable 2450tickets. 
2451 2452\item[{\sphinxstylestrong{hwauth}}] \leavevmode 2453If this flag is enabled, then the principal is required to 2454preauthenticate using a hardware device before receiving any 2455tickets. 2456 2457\item[{\sphinxstylestrong{no-auth-data-required}}] \leavevmode 2458Enabling this flag prevents PAC or AD-SIGNEDPATH data from 2459being added to service tickets for the principal. 2460 2461\item[{\sphinxstylestrong{ok-as-delegate}}] \leavevmode 2462If this flag is enabled, it hints the client that credentials 2463can and should be delegated when authenticating to the 2464service. Clients act on this hint by forwarding their credentials to the service, so enable it only on service principals that are trusted to hold users' delegated credentials. 2465 2466\item[{\sphinxstylestrong{ok-to-auth-as-delegate}}] \leavevmode 2467Enabling this flag allows the principal to use S4U2Self tickets. 2468 2469\item[{\sphinxstylestrong{postdateable}}] \leavevmode 2470Enabling this flag allows the principal to obtain postdateable 2471tickets. 2472 2473\item[{\sphinxstylestrong{preauth}}] \leavevmode 2474If this flag is enabled on a client principal, then that 2475principal is required to preauthenticate to the KDC before 2476receiving any tickets. On a service principal, enabling this 2477flag means that service tickets for this principal will only 2478be issued to clients with a TGT that has the preauthenticated 2479bit set. 2480 2481\item[{\sphinxstylestrong{proxiable}}] \leavevmode 2482Enabling this flag allows the principal to obtain proxy 2483tickets. 2484 2485\item[{\sphinxstylestrong{pwchange}}] \leavevmode 2486Enabling this flag forces a password change for this 2487principal. 2488 2489\item[{\sphinxstylestrong{pwservice}}] \leavevmode 2490If this flag is enabled, it marks this principal as a password 2491change service. This should only be used in special cases, 2492for example, if a user’s password has expired, then the user 2493has to get tickets for that principal without going through 2494the normal password authentication in order to be able to 2495change the password. 
2496 2497\item[{\sphinxstylestrong{renewable}}] \leavevmode 2498Enabling this flag allows the principal to obtain renewable 2499tickets. 2500 2501\item[{\sphinxstylestrong{service}}] \leavevmode 2502Enabling this flag allows the KDC to issue service tickets 2503for this principal. In release 1.17 and later, user-to-user 2504service tickets are still allowed if the \sphinxstylestrong{dup-skey} flag is 2505set. 2506 2507\item[{\sphinxstylestrong{tgt-based}}] \leavevmode 2508Enabling this flag allows a principal to obtain tickets based 2509on a ticket-granting-ticket, rather than repeating the 2510authentication process that was used to obtain the TGT. 2511 2512\end{description} 2513 2514\item[{\sphinxstylestrong{dict\_file}}] \leavevmode 2515(String.) Location of the dictionary file containing strings that 2516are not allowed as passwords. The file should contain one string 2517per line, with no additional whitespace. If none is specified or 2518if there is no policy assigned to the principal, no dictionary 2519checks of passwords will be performed. (Both a dictionary file and a password policy assigned to the principal are therefore required for a password to be checked.) 2520 2521\item[{\sphinxstylestrong{encrypted\_challenge\_indicator}}] \leavevmode 2522(String.) Specifies the authentication indicator value that the KDC 2523asserts into tickets obtained using FAST encrypted challenge 2524pre-authentication. New in 1.16. 2525 2526\item[{\sphinxstylestrong{host\_based\_services}}] \leavevmode 2527(Whitespace- or comma-separated list.) Lists services which will 2528get host-based referral processing even if the server principal is 2529not marked as host-based by the client. 2530 2531\item[{\sphinxstylestrong{iprop\_enable}}] \leavevmode 2532(Boolean value.) Specifies whether incremental database 2533propagation is enabled. The default value is false. 2534 2535\item[{\sphinxstylestrong{iprop\_ulogsize}}] \leavevmode 2536(Integer.) Specifies the maximum number of log entries to be 2537retained for incremental propagation. The default value is 1000. 
2538Prior to release 1.11, the maximum value was 2500. New in release 25391.19. 2540 2541\item[{\sphinxstylestrong{iprop\_master\_ulogsize}}] \leavevmode 2542The name for \sphinxstylestrong{iprop\_ulogsize} prior to release 1.19. Its value is 2543used as a fallback if \sphinxstylestrong{iprop\_ulogsize} is not specified. 2544 2545\item[{\sphinxstylestrong{iprop\_replica\_poll}}] \leavevmode 2546(Delta time string.) Specifies how often the replica KDC polls 2547for new updates from the primary. The default value is \sphinxcode{2m} 2548(that is, two minutes). New in release 1.17. 2549 2550\item[{\sphinxstylestrong{iprop\_slave\_poll}}] \leavevmode 2551(Delta time string.) The name for \sphinxstylestrong{iprop\_replica\_poll} prior to 2552release 1.17. Its value is used as a fallback if 2553\sphinxstylestrong{iprop\_replica\_poll} is not specified. 2554 2555\item[{\sphinxstylestrong{iprop\_listen}}] \leavevmode 2556(Whitespace- or comma-separated list.) Specifies the iprop RPC 2557listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. 2558Each entry may be an interface address, a port number, or an 2559address and port number separated by a colon. If the address 2560contains colons, enclose it in square brackets. If no address is 2561specified, the wildcard address is used. If kadmind fails to bind 2562to any of the specified addresses, it will fail to start. The 2563default (when \sphinxstylestrong{iprop\_enable} is true) is to bind to the wildcard 2564address at the port specified in \sphinxstylestrong{iprop\_port}. New in release 25651.15. 2566 2567\item[{\sphinxstylestrong{iprop\_port}}] \leavevmode 2568(Port number.) Specifies the port number to be used for 2569incremental propagation. 
When \sphinxstylestrong{iprop\_enable} is true, this 2570relation is required in the replica KDC configuration file, and 2571this relation or \sphinxstylestrong{iprop\_listen} is required in the primary 2572configuration file, as there is no default port number. Port 2573numbers specified in \sphinxstylestrong{iprop\_listen} entries will override this 2574port number for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. 2575 2576\item[{\sphinxstylestrong{iprop\_resync\_timeout}}] \leavevmode 2577(Delta time string.) Specifies the amount of time to wait for a 2578full propagation to complete. This is optional in configuration 2579files, and is used by replica KDCs only. The default value is 5 2580minutes (\sphinxcode{5m}). New in release 1.11. 2581 2582\item[{\sphinxstylestrong{iprop\_logfile}}] \leavevmode 2583(File name.) Specifies where the update log file for the realm 2584database is to be stored. The default is to use the 2585\sphinxstylestrong{database\_name} entry from the realms section of the krb5 config 2586file, with \sphinxcode{.ulog} appended. (NOTE: If \sphinxstylestrong{database\_name} isn’t 2587specified in the realms section, perhaps because the LDAP database 2588back end is being used, or the file name is specified in the 2589{[}dbmodules{]} section, then the hard-coded default for 2590\sphinxstylestrong{database\_name} is used. Determination of the \sphinxstylestrong{iprop\_logfile} 2591default value will not use values from the {[}dbmodules{]} section.) 2592 2593\item[{\sphinxstylestrong{kadmind\_listen}}] \leavevmode 2594(Whitespace- or comma-separated list.) Specifies the kadmin RPC 2595listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. 2596Each entry may be an interface address, a port number, or an 2597address and port number separated by a colon. 
If the address 2598contains colons, enclose it in square brackets. If no address is 2599specified, the wildcard address is used. If kadmind fails to bind 2600to any of the specified addresses, it will fail to start. The 2601default is to bind to the wildcard address at the port specified 2602in \sphinxstylestrong{kadmind\_port}, or the standard kadmin port (749). New in 2603release 1.15. 2604 2605\item[{\sphinxstylestrong{kadmind\_port}}] \leavevmode 2606(Port number.) Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} 2607daemon is to listen for this realm. Port numbers specified in 2608\sphinxstylestrong{kadmind\_listen} entries will override this port number. The 2609assigned port for kadmind is 749, which is used by default. 2610 2611\item[{\sphinxstylestrong{key\_stash\_file}}] \leavevmode 2612(String.) Specifies the location where the master key has been 2613stored (via kdb5\_util stash). The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/.k5.REALM}, where \sphinxstyleemphasis{REALM} is the Kerberos realm. The stash file holds the master key that protects every key in the realm database, so anyone who can read it together with the database can recover all principal keys; it must be readable only by the accounts that run the KDC daemons and guarded as carefully as the database itself. 2614 2615\item[{\sphinxstylestrong{kdc\_listen}}] \leavevmode 2616(Whitespace- or comma-separated list.) Specifies the UDP 2617listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. 2618Each entry may be an interface address, a port number, or an 2619address and port number separated by a colon. If the address 2620contains colons, enclose it in square brackets. If no address is 2621specified, the wildcard address is used. If no port is specified, 2622the standard port (88) is used. If the KDC daemon fails to bind 2623to any of the specified addresses, it will fail to start. The 2624default is to bind to the wildcard address on the standard port. On a multi-homed host, list explicit addresses if the KDC should not be reachable on every interface. 
2625New in release 1.15. 2626 2627\item[{\sphinxstylestrong{kdc\_ports}}] \leavevmode 2628(Whitespace- or comma-separated list, deprecated.) Prior to 2629release 1.15, this relation lists the ports for the 2630{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for UDP requests. In 2631release 1.15 and later, it has the same meaning as \sphinxstylestrong{kdc\_listen} 2632if that relation is not defined. 2633 2634\item[{\sphinxstylestrong{kdc\_tcp\_listen}}] \leavevmode 2635(Whitespace- or comma-separated list.) Specifies the TCP 2636listening addresses and/or ports for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon. 2637Each entry may be an interface address, a port number, or an 2638address and port number separated by a colon. If the address 2639contains colons, enclose it in square brackets. If no address is 2640specified, the wildcard address is used. If no port is specified, 2641the standard port (88) is used. To disable listening on TCP, set 2642this relation to the empty string with \sphinxcode{kdc\_tcp\_listen = ""}. 2643If the KDC daemon fails to bind to any of the specified addresses, 2644it will fail to start. The default is to bind to the wildcard 2645address on the standard port. New in release 1.15. 2646 2647\item[{\sphinxstylestrong{kdc\_tcp\_ports}}] \leavevmode 2648(Whitespace- or comma-separated list, deprecated.) Prior to 2649release 1.15, this relation lists the ports for the 2650{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to listen on for TCP requests. In 2651release 1.15 and later, it has the same meaning as 2652\sphinxstylestrong{kdc\_tcp\_listen} if that relation is not defined. 2653 2654\item[{\sphinxstylestrong{kpasswd\_listen}}] \leavevmode 2655(Comma-separated list.) 
Specifies the kpasswd listening addresses 2656and/or ports for the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon. Each entry may be 2657an interface address, a port number, or an address and port number 2658separated by a colon. If the address contains colons, enclose it 2659in square brackets. If no address is specified, the wildcard 2660address is used. If kadmind fails to bind to any of the specified 2661addresses, it will fail to start. The default is to bind to the 2662wildcard address at the port specified in \sphinxstylestrong{kpasswd\_port}, or the 2663standard kpasswd port (464). New in release 1.15. 2664 2665\item[{\sphinxstylestrong{kpasswd\_port}}] \leavevmode 2666(Port number.) Specifies the port on which the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} 2667daemon is to listen for password change requests for this realm. 2668Port numbers specified in \sphinxstylestrong{kpasswd\_listen} entries will override 2669this port number. The assigned port for password change requests 2670is 464, which is used by default. 2671 2672\item[{\sphinxstylestrong{master\_key\_name}}] \leavevmode 2673(String.) Specifies the name of the principal associated with the 2674master key. The default is \sphinxcode{K/M}. 2675 2676\item[{\sphinxstylestrong{master\_key\_type}}] \leavevmode 2677(Key type string.) Specifies the master key’s key type. The 2678default value for this is \sphinxcode{aes256-cts-hmac-sha1-96}. For a list of all possible 2679values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}. 2680 2681\item[{\sphinxstylestrong{max\_life}}] \leavevmode 2682(\DUrole{xref,std,std-ref}{duration} string.) Specifies the maximum time period for 2683which a ticket may be valid in this realm. The default value is 268424 hours. 
2685 2686\item[{\sphinxstylestrong{max\_renewable\_life}}] \leavevmode 2687(\DUrole{xref,std,std-ref}{duration} string.) Specifies the maximum time period 2688during which a valid ticket may be renewed in this realm. 2689The default value is 0. 2690 2691\item[{\sphinxstylestrong{no\_host\_referral}}] \leavevmode 2692(Whitespace- or comma-separated list.) Lists services to block 2693from getting host-based referral processing, even if the client 2694marks the server principal as host-based or the service is also 2695listed in \sphinxstylestrong{host\_based\_services}. \sphinxcode{no\_host\_referral = *} will 2696disable referral processing altogether. 2697 2698\item[{\sphinxstylestrong{reject\_bad\_transit}}] \leavevmode 2699(Boolean value.) If set to true, the KDC will check the list of 2700transited realms for cross-realm tickets against the transit path 2701computed from the realm names and the capaths section of its 2702{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file; if the path in the ticket to be issued 2703contains any realms not in the computed path, the ticket will not 2704be issued, and an error will be returned to the client instead. 2705If this value is set to false, such tickets will be issued 2706anyway, and it will be left up to the application server to 2707validate the realm transit path. Because this shifts the check to every application server, leave the default of true unless each server in the realm is known to perform its own transit-path validation. 2708 2709If the disable-transited-check flag is set in the incoming 2710request, this check is not performed at all. If 2711\sphinxstylestrong{reject\_bad\_transit} is true, such requests (those carrying the disable-transited-check flag) are 2712always rejected. 2713 2714This transit path checking and config file option currently apply 2715only to TGS requests. 2716 2717The default value is true. 2718 2719\item[{\sphinxstylestrong{restrict\_anonymous\_to\_tgt}}] \leavevmode 2720(Boolean value.) 
If set to true, the KDC will reject ticket 2721requests from anonymous principals to service principals other 2722than the realm’s ticket-granting service. This option allows 2723anonymous PKINIT to be enabled for use as FAST armor tickets 2724without allowing anonymous authentication to services. If anonymous PKINIT is enabled only to obtain FAST armor tickets, set this to true so that anonymous principals cannot obtain tickets for any other service. The 2725default value is false. New in release 1.9. 2726 2727\item[{\sphinxstylestrong{spake\_preauth\_indicator}}] \leavevmode 2728(String.) Specifies an authentication indicator value that the 2729KDC asserts into tickets obtained using SPAKE pre-authentication. 2730The default is not to add any indicators. This option may be 2731specified multiple times. New in release 1.17. 2732 2733\item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode 2734(List of \sphinxstyleemphasis{key}:\sphinxstyleemphasis{salt} strings.) Specifies the default key/salt 2735combinations of principals for this realm. Any principals created 2736through {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} will have keys of these types. The 2737default value for this tag is \sphinxcode{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal}. For lists of 2738possible values, see {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}}. 2739 2740\end{description} 2741 2742 2743\paragraph{{[}dbdefaults{]}} 2744\label{\detokenize{admin/conf_files/kdc_conf:id2}}\label{\detokenize{admin/conf_files/kdc_conf:dbdefaults}} 2745The {[}dbdefaults{]} section specifies default values for some database 2746parameters, to be used if the {[}dbmodules{]} subsection does not contain 2747a relation for the tag. See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} section for the 2748definitions of these relations. 
2749\begin{itemize} 2750\item {} 2751\sphinxstylestrong{ldap\_kerberos\_container\_dn} 2752 2753\item {} 2754\sphinxstylestrong{ldap\_kdc\_dn} 2755 2756\item {} 2757\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} 2758 2759\item {} 2760\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} 2761 2762\item {} 2763\sphinxstylestrong{ldap\_kdc\_sasl\_mech} 2764 2765\item {} 2766\sphinxstylestrong{ldap\_kdc\_sasl\_realm} 2767 2768\item {} 2769\sphinxstylestrong{ldap\_kadmind\_dn} 2770 2771\item {} 2772\sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} 2773 2774\item {} 2775\sphinxstylestrong{ldap\_kadmind\_sasl\_authzid} 2776 2777\item {} 2778\sphinxstylestrong{ldap\_kadmind\_sasl\_mech} 2779 2780\item {} 2781\sphinxstylestrong{ldap\_kadmind\_sasl\_realm} 2782 2783\item {} 2784\sphinxstylestrong{ldap\_service\_password\_file} 2785 2786\item {} 2787\sphinxstylestrong{ldap\_conns\_per\_server} 2788 2789\end{itemize} 2790 2791 2792\paragraph{{[}dbmodules{]}} 2793\label{\detokenize{admin/conf_files/kdc_conf:dbmodules}}\label{\detokenize{admin/conf_files/kdc_conf:id3}} 2794The {[}dbmodules{]} section contains parameters used by the KDC database 2795library and database modules. Each tag in the {[}dbmodules{]} section is 2796the name of a Kerberos realm or a section name specified by a realm’s 2797\sphinxstylestrong{database\_module} parameter. 
The following example shows how to 2798define one database parameter for the ATHENA.MIT.EDU realm: 2799 2800\fvset{hllines={, ,}}% 2801\begin{sphinxVerbatim}[commandchars=\\\{\}] 2802\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} 2803 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 2804 \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true} 2805 \PYG{p}{\PYGZcb{}} 2806\end{sphinxVerbatim} 2807 2808The following tags may be specified in a {[}dbmodules{]} subsection: 2809\begin{description} 2810\item[{\sphinxstylestrong{database\_name}}] \leavevmode 2811This DB2-specific tag indicates the location of the database in 2812the filesystem. The default is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/principal}. 2813 2814\item[{\sphinxstylestrong{db\_library}}] \leavevmode 2815This tag indicates the name of the loadable database module. The 2816value should be \sphinxcode{db2} for the DB2 module, \sphinxcode{klmdb} for the LMDB 2817module, or \sphinxcode{kldap} for the LDAP module. 2818 2819\item[{\sphinxstylestrong{disable\_last\_success}}] \leavevmode 2820If set to \sphinxcode{true}, suppresses KDC updates to the “Last successful 2821authentication” field of principal entries requiring 2822preauthentication. Setting this flag may improve performance. 2823(Principal entries which do not require preauthentication never 2824update the “Last successful authentication” field.) First 2825introduced in release 1.9. 2826 2827\item[{\sphinxstylestrong{disable\_lockout}}] \leavevmode 2828If set to \sphinxcode{true}, suppresses KDC updates to the “Last failed 2829authentication” and “Failed password attempts” fields of principal 2830entries requiring preauthentication. Setting this flag may 2831improve performance, but also disables account lockout: failed password attempts are no longer recorded, so principals are never locked out after repeated failures and the KDC loses its protection against online password-guessing attacks. First 2832introduced in release 1.9. 
2833 2834\item[{\sphinxstylestrong{ldap\_conns\_per\_server}}] \leavevmode 2835This LDAP-specific tag indicates the number of connections to be 2836maintained per LDAP server. 2837 2838\item[{\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}}] \leavevmode 2839These LDAP-specific tags indicate the default DN for binding to 2840the LDAP server. The {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon uses 2841\sphinxstylestrong{ldap\_kdc\_dn}, while the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon and other 2842administrative programs use \sphinxstylestrong{ldap\_kadmind\_dn}. The kadmind DN 2843must have the rights to read and write the Kerberos data in the 2844LDAP database. The KDC DN must have the same rights, unless 2845\sphinxstylestrong{disable\_lockout} and \sphinxstylestrong{disable\_last\_success} are true, in 2846which case it only needs to have rights to read the Kerberos data. 2847These tags are ignored if a SASL mechanism is set with 2848\sphinxstylestrong{ldap\_kdc\_sasl\_mech} or \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}. 2849 2850\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_mech} and \sphinxstylestrong{ldap\_kadmind\_sasl\_mech}}] \leavevmode 2851These LDAP-specific tags specify the SASL mechanism (such as 2852\sphinxcode{EXTERNAL}) to use when binding to the LDAP server. New in 2853release 1.13. 2854 2855\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid}}] \leavevmode 2856These LDAP-specific tags specify the SASL authentication identity 2857to use when binding to the LDAP server. Not all SASL mechanisms 2858require an authentication identity. 
If the SASL mechanism 2859requires a secret (such as the password for \sphinxcode{DIGEST-MD5}), these 2860tags also determine the name within the 2861\sphinxstylestrong{ldap\_service\_password\_file} where the secret is stashed. New 2862in release 1.13. 2863 2864\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_authzid} and \sphinxstylestrong{ldap\_kadmind\_sasl\_authzid}}] \leavevmode 2865These LDAP-specific tags specify the SASL authorization identity 2866to use when binding to the LDAP server. In most circumstances 2867they do not need to be specified. New in release 1.13. 2868 2869\item[{\sphinxstylestrong{ldap\_kdc\_sasl\_realm} and \sphinxstylestrong{ldap\_kadmind\_sasl\_realm}}] \leavevmode 2870These LDAP-specific tags specify the SASL realm to use when 2871binding to the LDAP server. In most circumstances they do not 2872need to be set. New in release 1.13. 2873 2874\item[{\sphinxstylestrong{ldap\_kerberos\_container\_dn}}] \leavevmode 2875This LDAP-specific tag indicates the DN of the container object 2876where the realm objects will be located. 2877 2878\item[{\sphinxstylestrong{ldap\_servers}}] \leavevmode 2879This LDAP-specific tag indicates the list of LDAP servers that the 2880Kerberos servers can connect to. The list of LDAP servers is 2881whitespace-separated. The LDAP server is specified by an LDAP URI. 2882It is recommended to use \sphinxcode{ldapi:} or \sphinxcode{ldaps:} URLs to connect 2883to the LDAP server, because a plain \sphinxcode{ldap:} connection would carry the bind credentials and the realm's key data across the network unprotected. 2884 2885\item[{\sphinxstylestrong{ldap\_service\_password\_file}}] \leavevmode 2886This LDAP-specific tag indicates the file containing the stashed 2887passwords (created by \sphinxcode{kdb5\_ldap\_util stashsrvpw}) for the 2888\sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn} objects, or for the 2889\sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or \sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} names 2890for SASL authentication. This file must be kept secure: the stashed passwords grant the access to the realm's key data described under \sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn}, so it should be readable only by the accounts that run krb5kdc and kadmind. 
2891 2892\item[{\sphinxstylestrong{mapsize}}] \leavevmode 2893This LMDB-specific tag indicates the maximum size of the two 2894database environments in megabytes. The default value is 128. 2895Increase this value to address “Environment mapsize limit reached” 2896errors. New in release 1.17. 2897 2898\item[{\sphinxstylestrong{max\_readers}}] \leavevmode 2899This LMDB-specific tag indicates the maximum number of concurrent 2900reading processes for the databases. The default value is 128. 2901New in release 1.17. 2902 2903\item[{\sphinxstylestrong{nosync}}] \leavevmode 2904This LMDB-specific tag can be set to improve the throughput of 2905kadmind and other administrative agents, at the expense of 2906durability (recent database changes may not survive a power outage 2907or other sudden reboot). It does not affect the throughput of the 2908KDC. The default value is false. New in release 1.17. 2909 2910\item[{\sphinxstylestrong{unlockiter}}] \leavevmode 2911If set to \sphinxcode{true}, this DB2-specific tag causes iteration 2912operations to release the database lock while processing each 2913principal. Setting this flag to \sphinxcode{true} can prevent extended 2914blocking of KDC or kadmin operations when dumps of large databases 2915are in progress. First introduced in release 1.13. 2916 2917\end{description} 2918 2919The following tag may be specified directly in the {[}dbmodules{]} 2920section to control where database modules are loaded from: 2921\begin{description} 2922\item[{\sphinxstylestrong{db\_module\_dir}}] \leavevmode 2923This tag controls where the plugin system looks for database 2924modules. The value should be an absolute path. Modules found there are loaded into the krb5kdc and kadmind processes, so the directory and the modules in it must not be writable by unprivileged users. 
2925 2926\end{description} 2927 2928 2929\paragraph{{[}logging{]}} 2930\label{\detokenize{admin/conf_files/kdc_conf:id4}}\label{\detokenize{admin/conf_files/kdc_conf:logging}} 2931The {[}logging{]} section indicates how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and 2932{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} perform logging. It may contain the following 2933relations: 2934\begin{description} 2935\item[{\sphinxstylestrong{admin\_server}}] \leavevmode 2936Specifies how {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} performs logging. 2937 2938\item[{\sphinxstylestrong{kdc}}] \leavevmode 2939Specifies how {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} performs logging. 2940 2941\item[{\sphinxstylestrong{default}}] \leavevmode 2942Specifies how either daemon performs logging in the absence of 2943relations specific to the daemon. 2944 2945\item[{\sphinxstylestrong{debug}}] \leavevmode 2946(Boolean value.) Specifies whether debugging messages are 2947included in log outputs other than SYSLOG. Debugging messages are 2948always included in the system log output because syslog performs 2949its own priority filtering. The default value is false. New in 2950release 1.15. 2951 2952\end{description} 2953 2954Logging specifications may have the following forms: 2955\begin{description} 2956\item[{\sphinxstylestrong{FILE=}\sphinxstyleemphasis{\textless{}filename\textgreater{}} or \sphinxstylestrong{FILE:}\sphinxstyleemphasis{\textless{}filename\textgreater{}}}] \leavevmode 2957This value causes the daemon’s logging messages to go to the 2958\sphinxstyleemphasis{\textless{}filename\textgreater{}}. If the \sphinxcode{=} form is used, the file is overwritten. 2959If the \sphinxcode{:} form is used, the file is appended to. 
2960 2961\item[{\sphinxstylestrong{STDERR}}] \leavevmode 2962This value causes the daemon’s logging messages to go to its 2963standard error stream. 2964 2965\item[{\sphinxstylestrong{CONSOLE}}] \leavevmode 2966This value causes the daemon’s logging messages to go to the 2967console, if the system supports it. 2968 2969\item[{\sphinxstylestrong{DEVICE=}\sphinxstyleemphasis{\textless{}devicename\textgreater{}}}] \leavevmode 2970This causes the daemon’s logging messages to go to the specified 2971device. 2972 2973\item[{\sphinxstylestrong{SYSLOG}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{severity}{[}\sphinxstylestrong{:}\sphinxstyleemphasis{facility}{]}{]}}] \leavevmode 2974This causes the daemon’s logging messages to go to the system log. 2975 2976For backward compatibility, a severity argument may be specified, 2977and must be specified in order to specify a facility. This 2978argument will be ignored. 2979 2980The facility argument specifies the facility under which the 2981messages are logged. This may be any of the following facilities 2982supported by the syslog(3) call minus the LOG\_ prefix: \sphinxstylestrong{KERN}, 2983\sphinxstylestrong{USER}, \sphinxstylestrong{MAIL}, \sphinxstylestrong{DAEMON}, \sphinxstylestrong{AUTH}, \sphinxstylestrong{LPR}, \sphinxstylestrong{NEWS}, 2984\sphinxstylestrong{UUCP}, \sphinxstylestrong{CRON}, and \sphinxstylestrong{LOCAL0} through \sphinxstylestrong{LOCAL7}. If no 2985facility is specified, the default is \sphinxstylestrong{AUTH}. 2986 2987\end{description} 2988 2989In the following example, the logging messages from the KDC will go to 2990the console and to the system log under the facility LOG\_DAEMON, and 2991the logging messages from the administrative server will be appended 2992to the file \sphinxcode{/var/adm/kadmin.log} and sent to the device 2993\sphinxcode{/dev/tty04}. 
2994 2995\fvset{hllines={, ,}}% 2996\begin{sphinxVerbatim}[commandchars=\\\{\}] 2997\PYG{p}{[}\PYG{n}{logging}\PYG{p}{]} 2998 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{CONSOLE} 2999 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{SYSLOG}\PYG{p}{:}\PYG{n}{INFO}\PYG{p}{:}\PYG{n}{DAEMON} 3000 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{adm}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} 3001 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{DEVICE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{tty04} 3002\end{sphinxVerbatim} 3003 3004If no logging specification is given, the default is to use syslog. 3005To disable logging entirely, specify \sphinxcode{default = DEVICE=/dev/null}. Doing so discards the authentication and administration audit trail of both daemons, so it is not appropriate for a production realm. 3006 3007 3008\paragraph{{[}otp{]}} 3009\label{\detokenize{admin/conf_files/kdc_conf:otp}}\label{\detokenize{admin/conf_files/kdc_conf:id5}} 3010Each subsection of {[}otp{]} is the name of an OTP token type. The tags 3011within the subsection define the configuration required to forward a 3012One Time Password request to a RADIUS server. 3013 3014For each token type, the following tags may be specified: 3015\begin{description} 3016\item[{\sphinxstylestrong{server}}] \leavevmode 3017This is the server to send the RADIUS request to. It can be a 3018hostname with optional port, an IP address with optional port, or 3019a Unix domain socket address. The default is 3020{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/\textless{}name\textgreater{}.socket}. 3021 3022\item[{\sphinxstylestrong{secret}}] \leavevmode 3023This tag indicates a filename (which may be relative to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}) 3024containing the RADIUS shared secret used to authenticate and protect the RADIUS packets exchanged with the server. 
The 3025secret should appear in the first line of the file by itself; 3026leading and trailing whitespace on the line will be removed. If 3027the value of \sphinxstylestrong{server} is a Unix domain socket address, this tag 3028is optional, and an empty secret will be used if it is not 3029specified. Otherwise, this tag is required. 3030 3031\item[{\sphinxstylestrong{timeout}}] \leavevmode 3032An integer which specifies the time in seconds during which the 3033KDC should attempt to contact the RADIUS server. This tag is the 3034total time across all retries and should be less than the time 3035which an OTP value remains valid for. The default is 5 seconds. 3036 3037\item[{\sphinxstylestrong{retries}}] \leavevmode 3038This tag specifies the number of retries to make to the RADIUS 3039server. The default is 3 retries (4 tries). 3040 3041\item[{\sphinxstylestrong{strip\_realm}}] \leavevmode 3042If this tag is \sphinxcode{true}, the principal without the realm will be 3043passed to the RADIUS server. Otherwise, the realm will be 3044included. The default value is \sphinxcode{true}. 3045 3046\item[{\sphinxstylestrong{indicator}}] \leavevmode 3047This tag specifies an authentication indicator to be included in 3048the ticket if this token type is used to authenticate. This 3049option may be specified multiple times. (New in release 1.14.) 3050 3051\end{description} 3052 3053In the following example, requests are sent to a remote server via UDP: 3054 3055\fvset{hllines={, ,}}% 3056\begin{sphinxVerbatim}[commandchars=\\\{\}] 3057[otp] 3058 MyRemoteTokenType = \PYGZob{} 3059 server = radius.mydomain.com:1812 3060 secret = SEmfiajf42\PYGZdl{} 3061 timeout = 15 3062 retries = 5 3063 strip\PYGZus{}realm = true 3064 \PYGZcb{} 3065\end{sphinxVerbatim} 3066 3067An implicit default token type named \sphinxcode{DEFAULT} is defined for when 3068the per-principal configuration does not specify a token type. Its 3069configuration is shown below. 
You may override this token type to 3070something applicable for your situation: 3071 3072\fvset{hllines={, ,}}% 3073\begin{sphinxVerbatim}[commandchars=\\\{\}] 3074\PYG{p}{[}\PYG{n}{otp}\PYG{p}{]} 3075 \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}} 3076 \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false} 3077 \PYG{p}{\PYGZcb{}} 3078\end{sphinxVerbatim} 3079 3080 3081\subsubsection{PKINIT options} 3082\label{\detokenize{admin/conf_files/kdc_conf:pkinit-options}} 3083\begin{sphinxadmonition}{note}{Note:} 3084The following are pkinit-specific options. These values may 3085be specified in {[}kdcdefaults{]} as global defaults, or within 3086a realm-specific subsection of {[}realms{]}. Also note that a 3087realm-specific value over-rides, does not add to, a generic 3088{[}kdcdefaults{]} specification. The search order is: 3089\end{sphinxadmonition} 3090\begin{enumerate} 3091\item {} 3092realm-specific subsection of {[}realms{]}: 3093 3094\fvset{hllines={, ,}}% 3095\begin{sphinxVerbatim}[commandchars=\\\{\}] 3096\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 3097 \PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{=} \PYG{p}{\PYGZob{}} 3098 \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{o}{.}\PYG{n}{crt} 3099 \PYG{p}{\PYGZcb{}} 3100\end{sphinxVerbatim} 3101 3102\item {} 3103generic value in the {[}kdcdefaults{]} section: 3104 3105\fvset{hllines={, ,}}% 3106\begin{sphinxVerbatim}[commandchars=\\\{\}] 3107\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} 3108 \PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{generic\PYGZus{}trusted\PYGZus{}cas}\PYG{o}{/} 3109\end{sphinxVerbatim} 3110 3111\end{enumerate} 3112 3113For information about the syntax of some of these options, see 3114{\hyperref[\detokenize{admin/conf_files/krb5_conf:pkinit-identity}]{\sphinxcrossref{\DUrole{std,std-ref}{Specifying PKINIT 
identity information}}}} in 3115{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. 3116\begin{description} 3117\item[{\sphinxstylestrong{pkinit\_anchors}}] \leavevmode 3118Specifies the location of trusted anchor (root) certificates which 3119the KDC trusts to sign client certificates. This option is 3120required if pkinit is to be supported by the KDC. This option may 3121be specified multiple times. 3122 3123\item[{\sphinxstylestrong{pkinit\_dh\_min\_bits}}] \leavevmode 3124Specifies the minimum number of bits the KDC is willing to accept 3125for a client’s Diffie-Hellman key. The default is 2048. 3126 3127\item[{\sphinxstylestrong{pkinit\_allow\_upn}}] \leavevmode 3128Specifies that the KDC is willing to accept client certificates 3129with the Microsoft UserPrincipalName (UPN) Subject Alternative 3130Name (SAN). This means the KDC accepts the binding of the UPN in 3131the certificate to the Kerberos principal name. The default value 3132is false. 3133 3134Without this option, the KDC will only accept certificates with 3135the id-pkinit-san as defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. There is currently 3136no option to disable SAN checking in the KDC. 3137 3138\item[{\sphinxstylestrong{pkinit\_eku\_checking}}] \leavevmode 3139This option specifies what Extended Key Usage (EKU) values the KDC 3140is willing to accept in client certificates. The values 3141recognized in the kdc.conf file are: 3142\begin{description} 3143\item[{\sphinxstylestrong{kpClientAuth}}] \leavevmode 3144This is the default value and specifies that client 3145certificates must have the id-pkinit-KPClientAuth EKU as 3146defined in \index{RFC!RFC 4556}\sphinxhref{https://tools.ietf.org/html/rfc4556.html}{\sphinxstylestrong{RFC 4556}}. 
3147 3148\item[{\sphinxstylestrong{scLogin}}] \leavevmode 3149If scLogin is specified, client certificates with the 3150Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be 3151accepted. 3152 3153\item[{\sphinxstylestrong{none}}] \leavevmode 3154If none is specified, then client certificates will not be 3155checked to verify they have an acceptable EKU. The use of 3156this option is not recommended. 3157 3158\end{description} 3159 3160\item[{\sphinxstylestrong{pkinit\_identity}}] \leavevmode 3161Specifies the location of the KDC’s X.509 identity information. 3162This option is required if pkinit is to be supported by the KDC. 3163 3164\item[{\sphinxstylestrong{pkinit\_indicator}}] \leavevmode 3165Specifies an authentication indicator to include in the ticket if 3166pkinit is used to authenticate. This option may be specified 3167multiple times. (New in release 1.14.) 3168 3169\item[{\sphinxstylestrong{pkinit\_pool}}] \leavevmode 3170Specifies the location of intermediate certificates which may be 3171used by the KDC to complete the trust chain between a client’s 3172certificate and a trusted anchor. This option may be specified 3173multiple times. 3174 3175\item[{\sphinxstylestrong{pkinit\_revoke}}] \leavevmode 3176Specifies the location of Certificate Revocation List (CRL) 3177information to be used by the KDC when verifying the validity of 3178client certificates. This option may be specified multiple times. 3179 3180\item[{\sphinxstylestrong{pkinit\_require\_crl\_checking}}] \leavevmode 3181The default certificate verification process will always check the 3182available revocation information to see if a certificate has been 3183revoked. If a match is found for the certificate in a CRL, 3184verification fails. If the certificate being verified is not 3185listed in a CRL, or there is no CRL present for its issuing CA, 3186and \sphinxstylestrong{pkinit\_require\_crl\_checking} is false, then verification 3187succeeds. 
3188 3189However, if \sphinxstylestrong{pkinit\_require\_crl\_checking} is true and there is 3190no CRL information available for the issuing CA, then verification 3191fails. 3192 3193\sphinxstylestrong{pkinit\_require\_crl\_checking} should be set to true if the 3194policy is such that up-to-date CRLs must be present for every CA. 3195 3196\item[{\sphinxstylestrong{pkinit\_require\_freshness}}] \leavevmode 3197Specifies whether to require clients to include a freshness token 3198in PKINIT requests. The default value is false. (New in release 31991.17.) 3200 3201\end{description} 3202 3203 3204\subsubsection{Encryption types} 3205\label{\detokenize{admin/conf_files/kdc_conf:id6}}\label{\detokenize{admin/conf_files/kdc_conf:encryption-types}} 3206Any tag in the configuration files which requires a list of encryption 3207types can be set to some combination of the following strings. 3208Encryption types marked as “weak” and “deprecated” are available for 3209compatibility but not recommended for use. 
3210 3211 3212\begin{savenotes}\sphinxattablestart 3213\centering 3214\begin{tabulary}{\linewidth}[t]{|T|T|} 3215\hline 3216 3217des3-cbc-raw 3218& 3219Triple DES cbc mode raw (weak) 3220\\ 3221\hline 3222des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd 3223& 3224Triple DES cbc mode with HMAC/sha1 (deprecated) 3225\\ 3226\hline 3227aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 3228& 3229AES-256 CTS mode with 96-bit SHA-1 HMAC 3230\\ 3231\hline 3232aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 3233& 3234AES-128 CTS mode with 96-bit SHA-1 HMAC 3235\\ 3236\hline 3237aes256-cts-hmac-sha384-192 aes256-sha2 3238& 3239AES-256 CTS mode with 192-bit SHA-384 HMAC 3240\\ 3241\hline 3242aes128-cts-hmac-sha256-128 aes128-sha2 3243& 3244AES-128 CTS mode with 128-bit SHA-256 HMAC 3245\\ 3246\hline 3247arcfour-hmac rc4-hmac arcfour-hmac-md5 3248& 3249RC4 with HMAC/MD5 (deprecated) 3250\\ 3251\hline 3252arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp 3253& 3254Exportable RC4 with HMAC/MD5 (weak) 3255\\ 3256\hline 3257camellia256-cts-cmac camellia256-cts 3258& 3259Camellia-256 CTS mode with CMAC 3260\\ 3261\hline 3262camellia128-cts-cmac camellia128-cts 3263& 3264Camellia-128 CTS mode with CMAC 3265\\ 3266\hline 3267des3 3268& 3269The triple DES family: des3-cbc-sha1 3270\\ 3271\hline 3272aes 3273& 3274The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 3275\\ 3276\hline 3277rc4 3278& 3279The RC4 family: arcfour-hmac 3280\\ 3281\hline 3282camellia 3283& 3284The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac 3285\\ 3286\hline 3287\end{tabulary} 3288\par 3289\sphinxattableend\end{savenotes} 3290 3291The string \sphinxstylestrong{DEFAULT} can be used to refer to the default set of 3292types for the variable in question. Types or families can be removed 3293from the current list by prefixing them with a minus sign (“-”). 
3294Types or families can be prefixed with a plus sign (“+”) for symmetry; 3295it has the same meaning as just listing the type or family. For 3296example, “\sphinxcode{DEFAULT -rc4}” would be the default set of encryption 3297types with RC4 types removed, and “\sphinxcode{des3 DEFAULT}” would be the 3298default set of encryption types with triple DES types moved to the 3299front. 3300 3301While \sphinxstylestrong{aes128-cts} and \sphinxstylestrong{aes256-cts} are supported for all Kerberos 3302operations, they are not supported by very old versions of our GSSAPI 3303implementation (krb5-1.3.1 and earlier). Services running versions of 3304krb5 without AES support must not be given keys of these encryption 3305types in the KDC database. 3306 3307The \sphinxstylestrong{aes128-sha2} and \sphinxstylestrong{aes256-sha2} encryption types are new in 3308release 1.15. Services running versions of krb5 without support for 3309these newer encryption types must not be given keys of these 3310encryption types in the KDC database. 3311 3312 3313\subsubsection{Keysalt lists} 3314\label{\detokenize{admin/conf_files/kdc_conf:id7}}\label{\detokenize{admin/conf_files/kdc_conf:keysalt-lists}} 3315Kerberos keys for users are usually derived from passwords. Kerberos 3316commands and configuration parameters that affect generation of keys 3317take lists of enctype-salttype (“keysalt”) pairs, known as \sphinxstyleemphasis{keysalt 3318lists}. Each keysalt pair is an enctype name followed by a salttype 3319name, in the format \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt}. Individual keysalt list members are 3320separated by comma (“,”) characters or space characters. 
For example: 3321 3322\fvset{hllines={, ,}}% 3323\begin{sphinxVerbatim}[commandchars=\\\{\}] 3324\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{p}{:}\PYG{n}{normal} 3325\end{sphinxVerbatim} 3326 3327would start up kadmin so that by default it would generate 3328password-derived keys for the \sphinxstylestrong{aes256-cts} and \sphinxstylestrong{aes128-cts} 3329encryption types, using a \sphinxstylestrong{normal} salt. 3330 3331To ensure that people who happen to pick the same password do not have 3332the same key, Kerberos 5 incorporates more information into the key 3333using something called a salt. The supported salt types are as 3334follows: 3335 3336 3337\begin{savenotes}\sphinxattablestart 3338\centering 3339\begin{tabulary}{\linewidth}[t]{|T|T|} 3340\hline 3341 3342normal 3343& 3344default for Kerberos Version 5 3345\\ 3346\hline 3347norealm 3348& 3349same as the default, without using realm information 3350\\ 3351\hline 3352onlyrealm 3353& 3354uses only realm information as the salt 3355\\ 3356\hline 3357special 3358& 3359generate a random salt 3360\\ 3361\hline 3362\end{tabulary} 3363\par 3364\sphinxattableend\end{savenotes} 3365 3366 3367\subsubsection{Sample kdc.conf File} 3368\label{\detokenize{admin/conf_files/kdc_conf:sample-kdc-conf-file}} 3369Here’s an example of a kdc.conf file: 3370 3371\fvset{hllines={, ,}}% 3372\begin{sphinxVerbatim}[commandchars=\\\{\}] 3373\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} 3374 \PYG{n}{kdc\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} 3375 \PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} 3376\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 3377 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 3378 \PYG{n}{kadmind\PYGZus{}port} \PYG{o}{=} \PYG{l+m+mi}{749} 3379 \PYG{n}{max\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{12}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} 
\PYG{l+m+mi}{0}\PYG{n}{s} 3380 \PYG{n}{max\PYGZus{}renewable\PYGZus{}life} \PYG{o}{=} \PYG{l+m+mi}{7}\PYG{n}{d} \PYG{l+m+mi}{0}\PYG{n}{h} \PYG{l+m+mi}{0}\PYG{n}{m} \PYG{l+m+mi}{0}\PYG{n}{s} 3381 \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} 3382 \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} 3383 \PYG{n}{database\PYGZus{}module} \PYG{o}{=} \PYG{n}{openldap\PYGZus{}ldapconf} 3384 \PYG{p}{\PYGZcb{}} 3385 3386\PYG{p}{[}\PYG{n}{logging}\PYG{p}{]} 3387 \PYG{n}{kdc} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{log} 3388 \PYG{n}{admin\PYGZus{}server} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{log} 3389 3390\PYG{p}{[}\PYG{n}{dbdefaults}\PYG{p}{]} 3391 \PYG{n}{ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn} \PYG{o}{=} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbcontainer}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{mit}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{edu} 3392 3393\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} 3394 \PYG{n}{openldap\PYGZus{}ldapconf} \PYG{o}{=} \PYG{p}{\PYGZob{}} 3395 \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{kldap} 3396 \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true} 3397 \PYG{n}{ldap\PYGZus{}kdc\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}} 3398 
\PYG{c+c1}{\PYGZsh{} this object needs to have read rights on} 3399 \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees} 3400 \PYG{n}{ldap\PYGZus{}kadmind\PYGZus{}dn} \PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=krbadmin,dc=mit,dc=edu}\PYG{l+s+s2}{\PYGZdq{}} 3401 \PYG{c+c1}{\PYGZsh{} this object needs to have read and write rights on} 3402 \PYG{c+c1}{\PYGZsh{} the realm container and principal subtrees} 3403 \PYG{n}{ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file} \PYG{o}{=} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile} 3404 \PYG{n}{ldap\PYGZus{}servers} \PYG{o}{=} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 3405 \PYG{n}{ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server} \PYG{o}{=} \PYG{l+m+mi}{5} 3406 \PYG{p}{\PYGZcb{}} 3407\end{sphinxVerbatim} 3408 3409 3410\subsubsection{FILES} 3411\label{\detokenize{admin/conf_files/kdc_conf:files}} 3412{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kdc.conf} 3413 3414 3415\subsubsection{SEE ALSO} 3416\label{\detokenize{admin/conf_files/kdc_conf:see-also}} 3417{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} 3418 3419 3420\subsection{kadm5.acl} 3421\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl}}\label{\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}}\label{\detokenize{admin/conf_files/kadm5_acl::doc}} 3422 3423\subsubsection{DESCRIPTION} 3424\label{\detokenize{admin/conf_files/kadm5_acl:description}} 3425The Kerberos 
{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} daemon uses an Access Control List 3426(ACL) file to manage access rights to the Kerberos database. 3427For operations that affect principals, the ACL file also controls 3428which principals can operate on which other principals. 3429 3430The default location of the Kerberos ACL file is 3431{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl} unless this is overridden by the \sphinxstyleemphasis{acl\_file} 3432variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 3433 3434 3435\subsubsection{SYNTAX} 3436\label{\detokenize{admin/conf_files/kadm5_acl:syntax}} 3437Empty lines and lines starting with the sharp sign (\sphinxcode{\#}) are 3438ignored. Lines containing ACL entries have the format: 3439 3440\fvset{hllines={, ,}}% 3441\begin{sphinxVerbatim}[commandchars=\\\{\}] 3442\PYG{n}{principal} \PYG{n}{permissions} \PYG{p}{[}\PYG{n}{target\PYGZus{}principal} \PYG{p}{[}\PYG{n}{restrictions}\PYG{p}{]} \PYG{p}{]} 3443\end{sphinxVerbatim} 3444 3445\begin{sphinxadmonition}{note}{Note:} 3446Line order in the ACL file is important. The first matching entry 3447will control access for an actor principal on a target principal. 3448\end{sphinxadmonition} 3449\begin{description} 3450\item[{\sphinxstyleemphasis{principal}}] \leavevmode 3451(Partially or fully qualified Kerberos principal name.) Specifies 3452the principal whose permissions are to be set. 3453 3454Each component of the name may be wildcarded using the \sphinxcode{*} 3455character. 3456 3457\item[{\sphinxstyleemphasis{permissions}}] \leavevmode 3458Specifies what operations may or may not be performed by a 3459\sphinxstyleemphasis{principal} matching a particular entry. 
This is a string of one or 3460more of the following list of characters or their upper-case 3461counterparts. If the character is \sphinxstyleemphasis{upper-case}, then the operation 3462is disallowed. If the character is \sphinxstyleemphasis{lower-case}, then the operation 3463is permitted. 3464 3465 3466\begin{savenotes}\sphinxattablestart 3467\centering 3468\begin{tabulary}{\linewidth}[t]{|T|T|} 3469\hline 3470 3471a 3472& 3473{[}Dis{]}allows the addition of principals or policies 3474\\ 3475\hline 3476c 3477& 3478{[}Dis{]}allows the changing of passwords for principals 3479\\ 3480\hline 3481d 3482& 3483{[}Dis{]}allows the deletion of principals or policies 3484\\ 3485\hline 3486e 3487& 3488{[}Dis{]}allows the extraction of principal keys 3489\\ 3490\hline 3491i 3492& 3493{[}Dis{]}allows inquiries about principals or policies 3494\\ 3495\hline 3496l 3497& 3498{[}Dis{]}allows the listing of all principals or policies 3499\\ 3500\hline 3501m 3502& 3503{[}Dis{]}allows the modification of principals or policies 3504\\ 3505\hline 3506p 3507& 3508{[}Dis{]}allows the propagation of the principal database (used in {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}}) 3509\\ 3510\hline 3511s 3512& 3513{[}Dis{]}allows the explicit setting of the key for a principal 3514\\ 3515\hline 3516x 3517& 3518Short for admcilsp. All privileges (except \sphinxcode{e}) 3519\\ 3520\hline 3521* 3522& 3523Same as x. 3524\\ 3525\hline 3526\end{tabulary} 3527\par 3528\sphinxattableend\end{savenotes} 3529 3530\end{description} 3531 3532\begin{sphinxadmonition}{note}{Note:} 3533The \sphinxcode{extract} privilege is not included in the wildcard 3534privilege; it must be explicitly assigned. This privilege 3535allows the user to extract keys from the database, and must be 3536handled with great care to avoid disclosure of important keys 3537like those of the kadmin/* or krbtgt/* principals. 
The 3538\sphinxstylestrong{lockdown\_keys} principal attribute can be used to prevent 3539key extraction from specific principals regardless of the 3540granted privilege. 3541\end{sphinxadmonition} 3542\begin{description} 3543\item[{\sphinxstyleemphasis{target\_principal}}] \leavevmode 3544(Optional. Partially or fully qualified Kerberos principal name.) 3545Specifies the principal on which \sphinxstyleemphasis{permissions} may be applied. 3546Each component of the name may be wildcarded using the \sphinxcode{*} 3547character. 3548 3549\sphinxstyleemphasis{target\_principal} can also include back-references to \sphinxstyleemphasis{principal}, 3550in which \sphinxcode{*number} matches the corresponding wildcard in 3551\sphinxstyleemphasis{principal}. 3552 3553\item[{\sphinxstyleemphasis{restrictions}}] \leavevmode 3554(Optional) A string of flags. Allowed restrictions are: 3555\begin{quote} 3556\begin{description} 3557\item[{\{+\textbar{}-\}\sphinxstyleemphasis{flagname}}] \leavevmode 3558flag is forced to the indicated value. The permissible flags 3559are the same as those for the \sphinxstylestrong{default\_principal\_flags} 3560variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 3561 3562\item[{\sphinxstyleemphasis{-clearpolicy}}] \leavevmode 3563policy is forced to be empty. 3564 3565\item[{\sphinxstyleemphasis{-policy pol}}] \leavevmode 3566policy is forced to be \sphinxstyleemphasis{pol}. 3567 3568\item[{-\{\sphinxstyleemphasis{expire, pwexpire, maxlife, maxrenewlife}\} \sphinxstyleemphasis{time}}] \leavevmode 3569(\DUrole{xref,std,std-ref}{getdate} string) associated value will be forced to 3570MIN(\sphinxstyleemphasis{time}, requested value). 3571 3572\end{description} 3573\end{quote} 3574 3575The above flags act as restrictions on any add or modify operation 3576which is allowed due to that ACL line. 
3577 3578\end{description} 3579 3580\begin{sphinxadmonition}{warning}{Warning:} 3581If the kadmind ACL file is modified, the kadmind daemon needs to be 3582restarted for changes to take effect. 3583\end{sphinxadmonition} 3584 3585 3586\subsubsection{EXAMPLE} 3587\label{\detokenize{admin/conf_files/kadm5_acl:example}} 3588Here is an example of a kadm5.acl file: 3589 3590\fvset{hllines={, ,}}% 3591\begin{sphinxVerbatim}[commandchars=\\\{\}] 3592\PYG{o}{*}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{*} \PYG{c+c1}{\PYGZsh{} line 1} 3593\PYG{n}{joeadmin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ADMCIL} \PYG{c+c1}{\PYGZsh{} line 2} 3594\PYG{n}{joeadmin}\PYG{o}{/}\PYG{o}{*}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{i} \PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{c+c1}{\PYGZsh{} line 3} 3595\PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{ci} \PYG{o}{*}\PYG{l+m+mi}{1}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{c+c1}{\PYGZsh{} line 4} 3596\PYG{o}{*}\PYG{o}{/}\PYG{n}{root}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{l} \PYG{o}{*} \PYG{c+c1}{\PYGZsh{} line 5} 3597\PYG{n}{sms}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{x} \PYG{o}{*} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+m+mi}{9}\PYG{n}{h} \PYG{o}{\PYGZhy{}}\PYG{n}{postdateable} \PYG{c+c1}{\PYGZsh{} line 6} 3598\end{sphinxVerbatim} 3599 3600(line 1) Any principal in the \sphinxcode{ATHENA.MIT.EDU} realm with an 3601\sphinxcode{admin} instance has all administrative privileges except extracting 3602keys. 3603 3604(lines 1-3) The user \sphinxcode{joeadmin} has all permissions except 3605extracting keys with his \sphinxcode{admin} instance, 3606\sphinxcode{joeadmin/admin@ATHENA.MIT.EDU} (matches line 1). 
He has no 3607permissions at all with his null instance, \sphinxcode{joeadmin@ATHENA.MIT.EDU} 3608(matches line 2). His \sphinxcode{root} and other non-\sphinxcode{admin}, non-null 3609instances (e.g., \sphinxcode{extra} or \sphinxcode{dbadmin}) have inquire permissions 3610with any principal that has the instance \sphinxcode{root} (matches line 3). 3611 3612(line 4) Any \sphinxcode{root} principal in \sphinxcode{ATHENA.MIT.EDU} can inquire 3613or change the password of their null instance, but not any other 3614null instance. (Here, \sphinxcode{*1} denotes a back-reference to the 3615component matching the first wildcard in the actor principal.) 3616 3617(line 5) Any \sphinxcode{root} principal in \sphinxcode{ATHENA.MIT.EDU} can generate 3618the list of principals in the database, and the list of policies 3619in the database. This line is separate from line 4, because list 3620permission can only be granted globally, not to specific target 3621principals. 3622 3623(line 6) Finally, the Service Management System principal 3624\sphinxcode{sms@ATHENA.MIT.EDU} has all permissions except extracting keys, but 3625any principal that it creates or modifies will not be able to get 3626postdateable tickets or tickets with a life of longer than 9 hours. 3627 3628 3629\subsubsection{MODULE BEHAVIOR} 3630\label{\detokenize{admin/conf_files/kadm5_acl:module-behavior}} 3631The ACL file can coexist with other authorization modules in release 36321.16 and later, as configured in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:kadm5-auth}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5\_auth interface}}}} section of 3633{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. The ACL file will positively authorize 3634operations according to the rules above, but will never 3635authoritatively deny an operation, so other modules can authorize 3636operations in addition to those authorized by the ACL file. 
3637 3638To operate without an ACL file, set the \sphinxstyleemphasis{acl\_file} variable in 3639{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to the empty string with \sphinxcode{acl\_file = ""}. 3640 3641 3642\subsubsection{SEE ALSO} 3643\label{\detokenize{admin/conf_files/kadm5_acl:see-also}} 3644{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} 3645 3646 3647\chapter{Realm configuration decisions} 3648\label{\detokenize{admin/realm_config:realm-configuration-decisions}}\label{\detokenize{admin/realm_config::doc}} 3649Before installing Kerberos V5, it is necessary to consider the 3650following issues: 3651\begin{itemize} 3652\item {} 3653The name of your Kerberos realm (or the name of each realm, if you 3654need more than one). 3655 3656\item {} 3657How you will assign your hostnames to Kerberos realms. 3658 3659\item {} 3660Which ports your KDC and kadmind services will use, if they will 3661not be using the default ports. 3662 3663\item {} 3664How many replica KDCs you need and where they should be located. 3665 3666\item {} 3667The hostnames of your primary and replica KDCs. 3668 3669\item {} 3670How frequently you will propagate the database from the primary KDC 3671to the replica KDCs. 3672 3673\end{itemize} 3674 3675 3676\section{Realm name} 3677\label{\detokenize{admin/realm_config:realm-name}} 3678Although your Kerberos realm can be any ASCII string, convention is to 3679make it the same as your domain name, in upper-case letters. 
3680 3681For example, hosts in the domain \sphinxcode{example.com} would be in the 3682Kerberos realm: 3683 3684\fvset{hllines={, ,}}% 3685\begin{sphinxVerbatim}[commandchars=\\\{\}] 3686\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} 3687\end{sphinxVerbatim} 3688 3689If you need multiple Kerberos realms, MIT recommends that you use 3690descriptive names which end with your domain name, such as: 3691 3692\fvset{hllines={, ,}}% 3693\begin{sphinxVerbatim}[commandchars=\\\{\}] 3694\PYG{n}{BOSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} 3695\PYG{n}{HOUSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} 3696\end{sphinxVerbatim} 3697 3698 3699\section{Mapping hostnames onto Kerberos realms} 3700\label{\detokenize{admin/realm_config:mapping-hostnames-onto-kerberos-realms}}\label{\detokenize{admin/realm_config:mapping-hostnames}} 3701Mapping hostnames onto Kerberos realms is done in one of three ways. 3702 3703The first mechanism works through a set of rules in the 3704{\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. You can specify 3705mappings for an entire domain or on a per-hostname basis. Typically 3706you would do this by specifying the mappings for a given domain or 3707subdomain and listing the exceptions. 3708 3709The second mechanism is to use KDC host-based service referrals. With 3710this method, the KDC’s krb5.conf has a full {[}domain\_realm{]} mapping for 3711hosts, but the clients do not, or have mappings for only a subset of 3712the hosts they might contact. When a client needs to contact a server 3713host for which it has no mapping, it will ask the client realm’s KDC 3714for the service ticket, and will receive a referral to the appropriate 3715service realm. 
3716 3717To use referrals, clients must be running MIT krb5 1.6 or later, and 3718the KDC must be running MIT krb5 1.7 or later. The 3719\sphinxstylestrong{host\_based\_services} and \sphinxstylestrong{no\_host\_referral} variables in the 3720{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} can be used to 3721fine-tune referral behavior on the KDC. 3722 3723It is also possible for clients to use DNS TXT records, if 3724\sphinxstylestrong{dns\_lookup\_realm} is enabled in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Such lookups 3725are disabled by default because DNS is an insecure protocol and security 3726holes could result if DNS records are spoofed. If enabled, the client 3727will try to look up a TXT record formed by prepending the prefix 3728\sphinxcode{\_kerberos} to the hostname in question. If that record is not 3729found, the client will attempt a lookup by prepending \sphinxcode{\_kerberos} to the 3730host’s domain name, then its parent domain, up to the top-level domain. 3731For the hostname \sphinxcode{boston.engineering.example.com}, the names looked up 3732would be: 3733 3734\fvset{hllines={, ,}}% 3735\begin{sphinxVerbatim}[commandchars=\\\{\}] 3736\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{boston}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 3737\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 3738\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 3739\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{com} 3740\end{sphinxVerbatim} 3741 3742The value of the first TXT record found is taken as the realm name. 
3743 3744Even if you do not choose to use this mechanism within your site, 3745you may wish to set it up anyway, for use when interacting with other sites. 3746 3747 3748\section{Ports for the KDC and admin services} 3749\label{\detokenize{admin/realm_config:ports-for-the-kdc-and-admin-services}} 3750The default ports used by Kerberos are port 88 for the KDC and port 3751749 for the admin server. You can, however, choose to run on other 3752ports, as long as they are specified in each host’s 3753{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} files or in DNS SRV records, and the 3754{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file on each KDC. For a more thorough treatment of 3755port numbers used by the Kerberos V5 programs, refer to the 3756{\hyperref[\detokenize{admin/appl_servers:conf-firewall}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring your firewall to work with Kerberos V5}}}}. 3757 3758 3759\section{Replica KDCs} 3760\label{\detokenize{admin/realm_config:replica-kdcs}} 3761Replica KDCs provide an additional source of Kerberos ticket-granting 3762services in the event of inaccessibility of the primary KDC. The 3763number of replica KDCs you need and the decision of where to place them, 3764both physically and logically, depends on the specifics of your 3765network. 3766 3767Kerberos authentication requires that each client be able to contact a 3768KDC. Therefore, you need to anticipate any likely reason a KDC might 3769be unavailable and have a replica KDC to take up the slack. 3770 3771Some considerations include: 3772\begin{itemize} 3773\item {} 3774Have at least one replica KDC as a backup, for when the primary KDC 3775is down, is being upgraded, or is otherwise unavailable. 
3776 3777\item {} 3778If your network is split such that a network outage is likely to 3779cause a network partition (some segment or segments of the network 3780to become cut off or isolated from other segments), have a replica 3781KDC accessible to each segment. 3782 3783\item {} 3784If possible, have at least one replica KDC in a different building 3785from the primary, in case of power outages, fires, or other 3786localized disasters. 3787 3788\end{itemize} 3789 3790 3791\section{Hostnames for KDCs} 3792\label{\detokenize{admin/realm_config:kdc-hostnames}}\label{\detokenize{admin/realm_config:hostnames-for-kdcs}} 3793MIT recommends that your KDCs have a predefined set of CNAME records 3794(DNS hostname aliases), such as \sphinxcode{kerberos} for the primary KDC and 3795\sphinxcode{kerberos-1}, \sphinxcode{kerberos-2}, … for the replica KDCs. This way, 3796if you need to swap a machine, you only need to change a DNS entry, 3797rather than having to change hostnames. 3798 3799As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS 3800using SRV records (\index{RFC!RFC 2782}\sphinxhref{https://tools.ietf.org/html/rfc2782.html}{\sphinxstylestrong{RFC 2782}}), assuming the Kerberos realm name is 3801also a DNS domain name. These records indicate the hostname and port 3802number to contact for that service, optionally with weighting and 3803prioritization. The domain name used in the SRV record name is the 3804realm name. Several different Kerberos-related service names are 3805used: 3806\begin{description} 3807\item[{\_kerberos.\_udp}] \leavevmode 3808This is for contacting any KDC by UDP. This entry will be used 3809the most often. Normally you should list port 88 on each of your 3810KDCs. 3811 3812\item[{\_kerberos.\_tcp}] \leavevmode 3813This is for contacting any KDC by TCP. Normally you should use 3814port 88. This entry should be omitted if the KDC does not listen 3815on TCP ports, as was the default prior to release 1.13. 
3816 3817\item[{\_kerberos-master.\_udp}] \leavevmode 3818This entry should refer to those KDCs, if any, that will 3819immediately see password changes to the Kerberos database. If a 3820user is logging in and the password appears to be incorrect, the 3821client will retry with the primary KDC before failing with an 3822“incorrect password” error. 3823 3824If you have only one KDC, or for whatever reason there is no 3825accessible KDC that would get database changes faster than the 3826others, you do not need to define this entry. \item[{\_kerberos-adm.\_tcp}] \leavevmode 3827This should list port 749 on your primary KDC. Support for it is 3828not complete at this time, but it will eventually be used by the 3829{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program and related utilities. For now, you will 3830also need the \sphinxstylestrong{admin\_server} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. 3831 3832\item[{\_kerberos-master.\_tcp}] \leavevmode 3833The corresponding TCP port for \_kerberos-master.\_udp, assuming the 3834primary KDC listens on a TCP port. 3835 3836\item[{\_kpasswd.\_udp}] \leavevmode 3837This entry should list port 464 on your primary KDC. It is used 3838when a user changes her password. If this entry is not defined 3839but a \_kerberos-adm.\_tcp entry is defined, the client will use the 3840\_kerberos-adm.\_tcp entry with the port number changed to 464. 3841 3842\item[{\_kpasswd.\_tcp}] \leavevmode 3843The corresponding TCP port for \_kpasswd.\_udp. 3844 3845\end{description} 3846 3847The DNS SRV specification requires that the hostnames listed be the 3848canonical names, not aliases. So, for example, you might include the 3849following records in your (BIND-style) zone file: 3850 3851\fvset{hllines={, ,}}% 3852\begin{sphinxVerbatim}[commandchars=\\\{\}] 3853\PYGZdl{}ORIGIN foobar.com. 
3854\PYGZus{}kerberos TXT \PYGZdq{}FOOBAR.COM\PYGZdq{} 3855kerberos CNAME daisy 3856kerberos\PYGZhy{}1 CNAME use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke 3857kerberos\PYGZhy{}2 CNAME bunny\PYGZhy{}rabbit 3858\PYGZus{}kerberos.\PYGZus{}udp SRV 0 0 88 daisy 3859 SRV 0 0 88 use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke 3860 SRV 0 0 88 bunny\PYGZhy{}rabbit 3861\PYGZus{}kerberos\PYGZhy{}master.\PYGZus{}udp SRV 0 0 88 daisy 3862\PYGZus{}kerberos\PYGZhy{}adm.\PYGZus{}tcp SRV 0 0 749 daisy 3863\PYGZus{}kpasswd.\PYGZus{}udp SRV 0 0 464 daisy 3864\end{sphinxVerbatim} 3865 3866Clients can also be configured with the explicit location of services 3867using the \sphinxstylestrong{kdc}, \sphinxstylestrong{master\_kdc}, \sphinxstylestrong{admin\_server}, and 3868\sphinxstylestrong{kpasswd\_server} variables in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section of 3869{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Even if some clients will be configured with 3870explicit server locations, providing SRV records will still benefit 3871unconfigured clients, and be useful for other sites. 3872 3873 3874\section{KDC Discovery} 3875\label{\detokenize{admin/realm_config:kdc-discovery}}\label{\detokenize{admin/realm_config:id1}} 3876As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI 3877records (\index{RFC!RFC 7553}\sphinxhref{https://tools.ietf.org/html/rfc7553.html}{\sphinxstylestrong{RFC 7553}}). Limitations with the SRV record format may 3878result in extra DNS queries in situations where a client must failover 3879to other transport types, or find a primary server. The URI record 3880can convey more information about a realm’s KDCs with a single query. 3881 3882The client performs a query for the following URI records: 3883\begin{itemize} 3884\item {} 3885\sphinxcode{\_kerberos.REALM} for finding KDCs. 
3886 3887\item {} 3888\sphinxcode{\_kerberos-adm.REALM} for finding kadmin services. 3889 3890\item {} 3891\sphinxcode{\_kpasswd.REALM} for finding password services. 3892 3893\end{itemize} 3894 3895The URI record includes a priority, weight, and a URI string that 3896consists of case-insensitive colon-separated fields, in the form 3897\sphinxcode{scheme:{[}flags{]}:transport:residual}. 3898\begin{itemize} 3899\item {} 3900\sphinxstyleemphasis{scheme} defines the registered URI type. It should always be 3901\sphinxcode{krb5srv}. 3902 3903\item {} 3904\sphinxstyleemphasis{flags} contains zero or more flag characters. Currently the only 3905valid flag is \sphinxcode{m}, which indicates that the record is for a 3906primary server. 3907 3908\item {} 3909\sphinxstyleemphasis{transport} defines the transport type of the residual URL or 3910address. Accepted values are \sphinxcode{tcp}, \sphinxcode{udp}, or \sphinxcode{kkdcp} for the 3911MS-KKDCP type. 3912 3913\item {} 3914\sphinxstyleemphasis{residual} contains the hostname, IP address, or URL to be 3915contacted using the specified transport, with an optional port 3916extension. The MS-KKDCP transport type uses an HTTPS URL, and can 3917include a port and/or path extension. 
3918 3919\end{itemize} 3920 3921An example of URI records in a zone file: 3922 3923\fvset{hllines={, ,}}% 3924\begin{sphinxVerbatim}[commandchars=\\\{\}] 3925\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{URI} \PYG{l+m+mi}{10} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{tcp}\PYG{p}{:}\PYG{n}{kdc1}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} 3926 \PYG{n}{URI} \PYG{l+m+mi}{20} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{n}{m}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{n}{kdc2}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com}\PYG{p}{:}\PYG{l+m+mi}{89} 3927 \PYG{n}{URI} \PYG{l+m+mi}{40} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{udp}\PYG{p}{:}\PYG{l+m+mf}{10.10}\PYG{o}{.}\PYG{l+m+mf}{0.23} 3928 \PYG{n}{URI} \PYG{l+m+mi}{30} \PYG{l+m+mi}{1} \PYG{n}{krb5srv}\PYG{p}{:}\PYG{p}{:}\PYG{n}{kkdcp}\PYG{p}{:}\PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{proxy}\PYG{p}{:}\PYG{l+m+mi}{89}\PYG{o}{/}\PYG{n}{auth} 3929\end{sphinxVerbatim} 3930 3931URI lookups are enabled by default, and can be disabled by setting 3932\sphinxstylestrong{dns\_uri\_lookup} in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section of 3933{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} to False. When enabled, URI lookups take 3934precedence over SRV lookups, falling back to SRV lookups if no URI 3935records are found. 3936 3937 3938\section{Database propagation} 3939\label{\detokenize{admin/realm_config:database-propagation}}\label{\detokenize{admin/realm_config:db-prop}} 3940The Kerberos database resides on the primary KDC, and must be 3941propagated regularly (usually by a cron job) to the replica KDCs. 
In 3942deciding how frequently the propagation should happen, you will need 3943to balance the amount of time the propagation takes against the 3944maximum reasonable amount of time a user should have to wait for a 3945password change to take effect. 3946 3947If the propagation time is longer than this maximum reasonable time 3948(e.g., you have a particularly large database, you have a lot of 3949replicas, or you experience frequent network delays), you may wish to 3950cut down on your propagation delay by performing the propagation in 3951parallel. To do this, have the primary KDC propagate the database to 3952one set of replicas, and then have each of these replicas propagate 3953the database to additional replicas. 3954 3955See also {\hyperref[\detokenize{admin/database:incr-db-prop}]{\sphinxcrossref{\DUrole{std,std-ref}{Incremental database propagation}}}}. 3956 3957 3958\chapter{Database administration} 3959\label{\detokenize{admin/database::doc}}\label{\detokenize{admin/database:database-administration}} 3960A Kerberos database contains all of a realm’s Kerberos principals, 3961their passwords, and other administrative information about each 3962principal. For the most part, you will use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} 3963program to manipulate the Kerberos database as a whole, and the 3964{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to make changes to the entries in the 3965database. (One notable exception is that users will use the 3966\DUrole{xref,std,std-ref}{kpasswd(1)} program to change their own passwords.) The kadmin 3967program has its own command-line interface, into which you type the 3968database administration commands. 
3969 3970{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} provides a means to create, delete, load, or dump 3971a Kerberos database. It also contains commands to roll over the 3972database master key, and to stash a copy of the key so that the 3973{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} and {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemons can use the database 3974without manual input. 3975 3976{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} provides for the maintenance of Kerberos principals, 3977password policies, and service key tables (keytabs). Normally it 3978operates as a network client using Kerberos authentication to 3979communicate with {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, but there is also a variant, named 3980kadmin.local, which directly accesses the Kerberos database on the 3981local filesystem (or through LDAP). kadmin.local is necessary to set 3982up enough of the database to be able to use the remote version. 3983 3984kadmin can authenticate to the admin server using the service 3985principal \sphinxcode{kadmin/admin} or \sphinxcode{kadmin/HOST} (where \sphinxstyleemphasis{HOST} is the 3986hostname of the admin server). If the credentials cache contains a 3987ticket for either service principal and the \sphinxstylestrong{-c} ccache option is 3988specified, that ticket is used to authenticate to KADM5. Otherwise, 3989the \sphinxstylestrong{-p} and \sphinxstylestrong{-k} options are used to specify the client Kerberos 3990principal name used to authenticate. 
Once kadmin has determined the 3991principal name, it requests a \sphinxcode{kadmin/admin} Kerberos service ticket 3992from the KDC, and uses that service ticket to authenticate to KADM5. 3993 3994See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for the available kadmin and kadmin.local 3995commands and options. 3996 3997 3998\section{kadmin options} 3999\label{\detokenize{admin/database:kadmin-options}} 4000You can invoke {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} or kadmin.local with any of the 4001following options: 4002 4003\sphinxstylestrong{kadmin} 4004{[}\sphinxstylestrong{-O}\textbar{}\sphinxstylestrong{-N}{]} 4005{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 4006{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}{]} 4007{[}\sphinxstylestrong{-q} \sphinxstyleemphasis{query}{]} 4008{[}{[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]}\textbar{}{[}\sphinxstylestrong{-k} {[}\sphinxstylestrong{-t} \sphinxstyleemphasis{keytab}{]}{]}\textbar{}\sphinxstylestrong{-n}{]} 4009{[}\sphinxstylestrong{-w} \sphinxstyleemphasis{password}{]} 4010{[}\sphinxstylestrong{-s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}{]} 4011{[}command args…{]} 4012 4013\sphinxstylestrong{kadmin.local} 4014{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 4015{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}{]} 4016{[}\sphinxstylestrong{-q} \sphinxstyleemphasis{query}{]} 4017{[}\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}{]} 4018{[}\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …{]} 4019{[}\sphinxstylestrong{-m}{]} 4020{[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]} 4021{[}command args…{]} 4022 4023\sphinxstylestrong{OPTIONS} 4024\begin{description} 4025\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 4026Use 
\sphinxstyleemphasis{realm} as the default database realm. 4027 4028\item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}}] \leavevmode 4029Use \sphinxstyleemphasis{principal} to authenticate. Otherwise, kadmin will append 4030\sphinxcode{/admin} to the primary principal name of the default ccache, 4031the value of the \sphinxstylestrong{USER} environment variable, or the username as 4032obtained with getpwuid, in order of preference. 4033 4034\item[{\sphinxstylestrong{-k}}] \leavevmode 4035Use a keytab to decrypt the KDC response instead of prompting for 4036a password. In this case, the default principal will be 4037\sphinxcode{host/hostname}. If there is no keytab specified with the 4038\sphinxstylestrong{-t} option, then the default keytab will be used. 4039 4040\item[{\sphinxstylestrong{-t} \sphinxstyleemphasis{keytab}}] \leavevmode 4041Use \sphinxstyleemphasis{keytab} to decrypt the KDC response. This can only be used 4042with the \sphinxstylestrong{-k} option. 4043 4044\item[{\sphinxstylestrong{-n}}] \leavevmode 4045Requests anonymous processing. Two types of anonymous principals 4046are supported. For fully anonymous Kerberos, configure PKINIT on 4047the KDC and configure \sphinxstylestrong{pkinit\_anchors} in the client’s 4048{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Then use the \sphinxstylestrong{-n} option with a principal 4049of the form \sphinxcode{@REALM} (an empty principal name followed by the 4050at-sign and a realm name). If permitted by the KDC, an anonymous 4051ticket will be returned. A second form of anonymous tickets is 4052supported; these realm-exposed tickets hide the identity of the 4053client but not the client’s realm. For this mode, use \sphinxcode{kinit 4054-n} with a normal principal name. If supported by the KDC, the 4055principal (but not realm) will be replaced by the anonymous 4056principal. 
As of release 1.8, the MIT Kerberos KDC only supports 4057fully anonymous operation. 4058 4059\item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{credentials\_cache}}] \leavevmode 4060Use \sphinxstyleemphasis{credentials\_cache} as the credentials cache. The cache 4061should contain a service ticket for the \sphinxcode{kadmin/admin} or 4062\sphinxcode{kadmin/ADMINHOST} (where \sphinxstyleemphasis{ADMINHOST} is the fully-qualified 4063hostname of the admin server) service; it can be acquired with the 4064\DUrole{xref,std,std-ref}{kinit(1)} program. If this option is not specified, kadmin 4065requests a new service ticket from the KDC, and stores it in its 4066own temporary ccache. 4067 4068\item[{\sphinxstylestrong{-w} \sphinxstyleemphasis{password}}] \leavevmode 4069Use \sphinxstyleemphasis{password} instead of prompting for one. Use this option with 4070care, as it may expose the password to other users on the system 4071via the process list. 4072 4073\item[{\sphinxstylestrong{-q} \sphinxstyleemphasis{query}}] \leavevmode 4074Perform the specified query and then exit. 4075 4076\item[{\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}}] \leavevmode 4077Specifies the name of the KDC database. This option does not 4078apply to the LDAP database module. 4079 4080\item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}}] \leavevmode 4081Specifies the admin server which kadmin should contact. 4082 4083\item[{\sphinxstylestrong{-m}}] \leavevmode 4084If using kadmin.local, prompt for the database master password 4085instead of reading it from a stash file. 4086 4087\item[{\sphinxstylestrong{-e} “\sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …”}] \leavevmode 4088Sets the keysalt list to be used for any new keys created. 
See 4089{\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible 4090values. 4091 4092\item[{\sphinxstylestrong{-O}}] \leavevmode 4093Force use of old AUTH\_GSSAPI authentication flavor. 4094 4095\item[{\sphinxstylestrong{-N}}] \leavevmode 4096Prevent fallback to AUTH\_GSSAPI authentication flavor. 4097 4098\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode 4099Specifies the database specific arguments. See the next section 4100for supported options. 4101 4102\end{description} 4103 4104 4105\section{Date Format} 4106\label{\detokenize{admin/database:date-format}} 4107For the supported date-time formats see \DUrole{xref,std,std-ref}{getdate} section 4108in \DUrole{xref,std,std-ref}{datetime}. 4109 4110 4111\section{Principals} 4112\label{\detokenize{admin/database:principals}} 4113Each entry in the Kerberos database contains a Kerberos principal and 4114the attributes and policies associated with that principal. 4115 4116 4117\subsection{Adding, modifying and deleting principals} 4118\label{\detokenize{admin/database:add-mod-del-princs}}\label{\detokenize{admin/database:adding-modifying-and-deleting-principals}} 4119To add a principal to the database, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} 4120\sphinxstylestrong{add\_principal} command. 4121 4122To modify attributes of a principal, use the kadmin 4123\sphinxstylestrong{modify\_principal} command. 4124 4125To delete a principal, use the kadmin \sphinxstylestrong{delete\_principal} command. 
4126 4127 4128\subsection{add\_principal} 4129\label{\detokenize{admin/database:add-principal}}\begin{quote} 4130 4131\sphinxstylestrong{add\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{newprinc} 4132\end{quote} 4133 4134Creates the principal \sphinxstyleemphasis{newprinc}, prompting twice for a password. If 4135no password policy is specified with the \sphinxstylestrong{-policy} option, the 4136policy named \sphinxcode{default} is assigned to the principal if it exists. 4137However, creating a policy named \sphinxcode{default} will not automatically 4138assign this policy to previously existing principals. This policy 4139assignment can be suppressed with the \sphinxstylestrong{-clearpolicy} option. 4140 4141This command requires the \sphinxstylestrong{add} privilege. 4142 4143Aliases: \sphinxstylestrong{addprinc}, \sphinxstylestrong{ank} 4144 4145Options: 4146\begin{description} 4147\item[{\sphinxstylestrong{-expire} \sphinxstyleemphasis{expdate}}] \leavevmode 4148(\DUrole{xref,std,std-ref}{getdate} string) The expiration date of the principal. 4149 4150\item[{\sphinxstylestrong{-pwexpire} \sphinxstyleemphasis{pwexpdate}}] \leavevmode 4151(\DUrole{xref,std,std-ref}{getdate} string) The password expiration date. 4152 4153\item[{\sphinxstylestrong{-maxlife} \sphinxstyleemphasis{maxlife}}] \leavevmode 4154(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum ticket life 4155for the principal. 4156 4157\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{maxrenewlife}}] \leavevmode 4158(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum renewable 4159life of tickets for the principal. 4160 4161\item[{\sphinxstylestrong{-kvno} \sphinxstyleemphasis{kvno}}] \leavevmode 4162The initial key version number. 4163 4164\item[{\sphinxstylestrong{-policy} \sphinxstyleemphasis{policy}}] \leavevmode 4165The password policy used by this principal. 
If not specified, the 4166policy \sphinxcode{default} is used if it exists (unless \sphinxstylestrong{-clearpolicy} 4167is specified). 4168 4169\item[{\sphinxstylestrong{-clearpolicy}}] \leavevmode 4170Prevents any policy from being assigned when \sphinxstylestrong{-policy} is not 4171specified. 4172 4173\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_postdated}}] \leavevmode 4174\sphinxstylestrong{-allow\_postdated} prohibits this principal from obtaining 4175postdated tickets. \sphinxstylestrong{+allow\_postdated} clears this flag. 4176 4177\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_forwardable}}] \leavevmode 4178\sphinxstylestrong{-allow\_forwardable} prohibits this principal from obtaining 4179forwardable tickets. \sphinxstylestrong{+allow\_forwardable} clears this flag. 4180 4181\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_renewable}}] \leavevmode 4182\sphinxstylestrong{-allow\_renewable} prohibits this principal from obtaining 4183renewable tickets. \sphinxstylestrong{+allow\_renewable} clears this flag. 4184 4185\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_proxiable}}] \leavevmode 4186\sphinxstylestrong{-allow\_proxiable} prohibits this principal from obtaining 4187proxiable tickets. \sphinxstylestrong{+allow\_proxiable} clears this flag. 4188 4189\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_dup\_skey}}] \leavevmode 4190\sphinxstylestrong{-allow\_dup\_skey} disables user-to-user authentication for this 4191principal by prohibiting others from obtaining a service ticket 4192encrypted in this principal’s TGT session key. 4193\sphinxstylestrong{+allow\_dup\_skey} clears this flag. 4194 4195\item[{\{-\textbar{}+\}\sphinxstylestrong{requires\_preauth}}] \leavevmode 4196\sphinxstylestrong{+requires\_preauth} requires this principal to preauthenticate 4197before being allowed to kinit. \sphinxstylestrong{-requires\_preauth} clears this 4198flag. 
When \sphinxstylestrong{+requires\_preauth} is set on a service principal, 4199the KDC will only issue service tickets for that service principal 4200if the client’s initial authentication was performed using 4201preauthentication. 4202 4203\item[{\{-\textbar{}+\}\sphinxstylestrong{requires\_hwauth}}] \leavevmode 4204\sphinxstylestrong{+requires\_hwauth} requires this principal to preauthenticate 4205using a hardware device before being allowed to kinit. 4206\sphinxstylestrong{-requires\_hwauth} clears this flag. When \sphinxstylestrong{+requires\_hwauth} is 4207set on a service principal, the KDC will only issue service tickets 4208for that service principal if the client’s initial authentication was 4209performed using a hardware device to preauthenticate. 4210 4211\item[{\{-\textbar{}+\}\sphinxstylestrong{ok\_as\_delegate}}] \leavevmode 4212\sphinxstylestrong{+ok\_as\_delegate} sets the \sphinxstylestrong{okay as delegate} flag on tickets 4213issued with this principal as the service. Clients may use this 4214flag as a hint that credentials should be delegated when 4215authenticating to the service. \sphinxstylestrong{-ok\_as\_delegate} clears this 4216flag. 4217 4218\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_svr}}] \leavevmode 4219\sphinxstylestrong{-allow\_svr} prohibits the issuance of service tickets for this 4220principal. In release 1.17 and later, user-to-user service 4221tickets are still allowed unless the \sphinxstylestrong{-allow\_dup\_skey} flag is 4222also set. \sphinxstylestrong{+allow\_svr} clears this flag. 4223 4224\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_tgs\_req}}] \leavevmode 4225\sphinxstylestrong{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS) 4226request for a service ticket for this principal is not permitted. 4227\sphinxstylestrong{+allow\_tgs\_req} clears this flag. 
4228 4229\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_tix}}] \leavevmode 4230\sphinxstylestrong{-allow\_tix} forbids the issuance of any tickets for this 4231principal. \sphinxstylestrong{+allow\_tix} clears this flag. 4232 4233\item[{\{-\textbar{}+\}\sphinxstylestrong{needchange}}] \leavevmode 4234\sphinxstylestrong{+needchange} forces a password change on the next initial 4235authentication to this principal. \sphinxstylestrong{-needchange} clears this 4236flag. 4237 4238\item[{\{-\textbar{}+\}\sphinxstylestrong{password\_changing\_service}}] \leavevmode 4239\sphinxstylestrong{+password\_changing\_service} marks this principal as a password 4240change service principal. 4241 4242\item[{\{-\textbar{}+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}}] \leavevmode 4243\sphinxstylestrong{+ok\_to\_auth\_as\_delegate} allows this principal to acquire 4244forwardable tickets to itself from arbitrary users, for use with 4245constrained delegation. 4246 4247\item[{\{-\textbar{}+\}\sphinxstylestrong{no\_auth\_data\_required}}] \leavevmode 4248\sphinxstylestrong{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from 4249being added to service tickets for the principal. 4250 4251\item[{\{-\textbar{}+\}\sphinxstylestrong{lockdown\_keys}}] \leavevmode 4252\sphinxstylestrong{+lockdown\_keys} prevents keys for this principal from leaving 4253the KDC via kadmind. The chpass and extract operations are denied 4254for a principal with this attribute. The chrand operation is 4255allowed, but will not return the new keys. The delete and rename 4256operations are also denied if this attribute is set, in order to 4257prevent a malicious administrator from replacing principals like 4258krbtgt/* or kadmin/* with new principals without the attribute. 4259This attribute can be set via the network protocol, but can only 4260be removed using kadmin.local. 4261 4262\item[{\sphinxstylestrong{-randkey}}] \leavevmode 4263Sets the key of the principal to a random value. 
4264 4265\item[{\sphinxstylestrong{-nokey}}] \leavevmode 4266Causes the principal to be created with no key. New in release 42671.12. 4268 4269\item[{\sphinxstylestrong{-pw} \sphinxstyleemphasis{password}}] \leavevmode 4270Sets the password of the principal to the specified string and 4271does not prompt for a password. Note: using this option in a 4272shell script may expose the password to other users on the system 4273via the process list. 4274 4275\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode 4276Uses the specified keysalt list for setting the keys of the 4277principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a 4278list of possible values. 4279 4280\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_princ\_args}}] \leavevmode 4281Indicates database-specific options. The options for the LDAP 4282database module are: 4283\begin{description} 4284\item[{\sphinxstylestrong{-x dn=}\sphinxstyleemphasis{dn}}] \leavevmode 4285Specifies the LDAP object that will contain the Kerberos 4286principal being created. 4287 4288\item[{\sphinxstylestrong{-x linkdn=}\sphinxstyleemphasis{dn}}] \leavevmode 4289Specifies the LDAP object to which the newly created Kerberos 4290principal object will point. 4291 4292\item[{\sphinxstylestrong{-x containerdn=}\sphinxstyleemphasis{container\_dn}}] \leavevmode 4293Specifies the container object under which the Kerberos 4294principal is to be created. 4295 4296\item[{\sphinxstylestrong{-x tktpolicy=}\sphinxstyleemphasis{policy}}] \leavevmode 4297Associates a ticket policy to the Kerberos principal. 
4298 4299\end{description} 4300 4301\begin{sphinxadmonition}{note}{Note:}\begin{itemize} 4302\item {} 4303The \sphinxstylestrong{containerdn} and \sphinxstylestrong{linkdn} options cannot be 4304specified with the \sphinxstylestrong{dn} option. 4305 4306\item {} 4307If the \sphinxstyleemphasis{dn} or \sphinxstyleemphasis{containerdn} options are not specified while 4308adding the principal, the principals are created under the 4309principal container configured in the realm or the realm 4310container. 4311 4312\item {} 4313\sphinxstyleemphasis{dn} and \sphinxstyleemphasis{containerdn} should be within the subtrees or 4314principal container configured in the realm. 4315 4316\end{itemize} 4317\end{sphinxadmonition} 4318 4319\end{description} 4320 4321Example: 4322 4323\fvset{hllines={, ,}}% 4324\begin{sphinxVerbatim}[commandchars=\\\{\}] 4325\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{jennifer} 4326\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} 4327\PYG{n}{defaulting} \PYG{n}{to} \PYG{n}{no} \PYG{n}{policy}\PYG{o}{.} 4328\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 4329\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 4330\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 4331\PYG{n}{kadmin}\PYG{p}{:} 4332\end{sphinxVerbatim} 4333 4334 4335\subsection{modify\_principal} 4336\label{\detokenize{admin/database:modify-principal}}\begin{quote} 4337 4338\sphinxstylestrong{modify\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} 4339\end{quote} 4340 4341Modifies the specified principal, changing the fields as 
specified. 4342The options to \sphinxstylestrong{add\_principal} also apply to this command, except 4343for the \sphinxstylestrong{-randkey}, \sphinxstylestrong{-pw}, and \sphinxstylestrong{-e} options. In addition, the 4344option \sphinxstylestrong{-clearpolicy} will clear the current policy of a principal. 4345 4346This command requires the \sphinxstyleemphasis{modify} privilege. 4347 4348Alias: \sphinxstylestrong{modprinc} 4349 4350Options (in addition to the \sphinxstylestrong{addprinc} options): 4351\begin{description} 4352\item[{\sphinxstylestrong{-unlock}}] \leavevmode 4353Unlocks a locked principal (one which has received too many failed 4354authentication attempts without enough time between them according 4355to its password policy) so that it can successfully authenticate. 4356 4357\end{description} 4358 4359 4360\subsection{delete\_principal} 4361\label{\detokenize{admin/database:delete-principal}}\begin{quote} 4362 4363\sphinxstylestrong{delete\_principal} {[}\sphinxstylestrong{-force}{]} \sphinxstyleemphasis{principal} 4364\end{quote} 4365 4366Deletes the specified \sphinxstyleemphasis{principal} from the database. This command 4367prompts for deletion, unless the \sphinxstylestrong{-force} option is given. 4368 4369This command requires the \sphinxstylestrong{delete} privilege. 
4370 4371Alias: \sphinxstylestrong{delprinc} 4372 4373 4374\subsubsection{Examples} 4375\label{\detokenize{admin/database:examples}} 4376If you want to create a principal which is contained by a LDAP object, 4377all you need to do is: 4378 4379\fvset{hllines={, ,}}% 4380\begin{sphinxVerbatim}[commandchars=\\\{\}] 4381\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{x} \PYG{n}{dn}\PYG{o}{=}\PYG{n}{cn}\PYG{o}{=}\PYG{n}{jennifer}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com} \PYG{n}{jennifer} 4382\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} 4383\PYG{n}{defaulting} \PYG{n}{to} \PYG{n}{no} \PYG{n}{policy}\PYG{o}{.} 4384\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{password}\PYG{o}{.} 4385\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=}\PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} 4386\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 4387\PYG{n}{kadmin}\PYG{p}{:} 4388\end{sphinxVerbatim} 4389 4390If you want to create a principal under a specific LDAP container and 4391link to an existing LDAP object, all you need to do is: 4392 4393\fvset{hllines={, ,}}% 4394\begin{sphinxVerbatim}[commandchars=\\\{\}] 4395\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{x} \PYG{n}{containerdn}\PYG{o}{=}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com} \PYG{o}{\PYGZhy{}}\PYG{n}{x} 
\PYG{n}{linkdn}\PYG{o}{=}\PYG{n}{cn}\PYG{o}{=}\PYG{n}{david}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com} \PYG{n}{david} 4396\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{david@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} 4397\PYG{n}{defaulting} \PYG{n}{to} \PYG{n}{no} \PYG{n}{policy}\PYG{o}{.} 4398\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{david}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{password}\PYG{o}{.} 4399\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{david}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=}\PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} 4400\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{david@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 4401\PYG{n}{kadmin}\PYG{p}{:} 4402\end{sphinxVerbatim} 4403 4404If you want to associate a ticket policy to a principal, all you need 4405to do is: 4406 4407\fvset{hllines={, ,}}% 4408\begin{sphinxVerbatim}[commandchars=\\\{\}] 4409\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{x} \PYG{n}{tktpolicy}\PYG{o}{=}\PYG{n}{userpolicy} \PYG{n}{david} 4410\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{david@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{modified}\PYG{o}{.} 4411\PYG{n}{kadmin}\PYG{p}{:} 4412\end{sphinxVerbatim} 4413 4414If, on the other hand, you want to set up an account that expires on 4415January 1, 2000, that uses a policy called “stduser”, with a temporary 4416password (which you want the user to change immediately), you would 4417type the following: 4418 4419\fvset{hllines={, ,}}% 4420\begin{sphinxVerbatim}[commandchars=\\\{\}] 4421\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{david} 
\PYG{o}{\PYGZhy{}}\PYG{n}{expire} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1/1/2000 12:01am EST}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{policy} \PYG{n}{stduser} \PYG{o}{+}\PYG{n}{needchange} 4422\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{david}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{the} \PYG{n}{password}\PYG{o}{.} 4423\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} 4424\PYG{n}{david}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} \PYG{o}{\PYGZlt{}}\PYG{o}{=} \PYG{n}{Type} \PYG{n}{it} \PYG{n}{again}\PYG{o}{.} 4425\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{david@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 4426\PYG{n}{kadmin}\PYG{p}{:} 4427\end{sphinxVerbatim} 4428 4429If you want to delete a principal: 4430 4431\fvset{hllines={, ,}}% 4432\begin{sphinxVerbatim}[commandchars=\\\{\}] 4433kadmin: delprinc jennifer 4434Are you sure you want to delete the principal 4435\PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}? (yes/no): yes 4436Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} deleted. 4437Make sure that you have removed this principal from 4438all ACLs before reusing. 4439kadmin: 4440\end{sphinxVerbatim} 4441 4442 4443\subsection{Retrieving information about a principal} 4444\label{\detokenize{admin/database:retrieving-information-about-a-principal}} 4445To retrieve a listing of the attributes and/or policies associated 4446with a principal, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{get\_principal} command. 4447 4448To generate a listing of principals, use the kadmin 4449\sphinxstylestrong{list\_principals} command. 
4450 4451 4452\subsection{get\_principal} 4453\label{\detokenize{admin/database:get-principal}}\begin{quote} 4454 4455\sphinxstylestrong{get\_principal} {[}\sphinxstylestrong{-terse}{]} \sphinxstyleemphasis{principal} 4456\end{quote} 4457 4458Gets the attributes of \sphinxstyleemphasis{principal}. With the \sphinxstylestrong{-terse} option, outputs 4459fields as quoted tab-separated strings. 4460 4461This command requires the \sphinxstylestrong{inquire} privilege, or that the principal 4462running the program is the same as the one being listed. 4463 4464Alias: \sphinxstylestrong{getprinc} 4465 4466Examples: 4467 4468\fvset{hllines={, ,}}% 4469\begin{sphinxVerbatim}[commandchars=\\\{\}] 4470\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin} 4471\PYG{n}{Principal}\PYG{p}{:} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} 4472\PYG{n}{Expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 4473\PYG{n}{Last} \PYG{n}{password} \PYG{n}{change}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} 4474\PYG{n}{Password} \PYG{n}{expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 4475\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 4476\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{7} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 4477\PYG{n}{Last} \PYG{n}{modified}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} \PYG{p}{(}\PYG{n}{bjaspan}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{)} 4478\PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 
4479\PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 4480\PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{0} 4481\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} 4482\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} 4483\PYG{n}{MKey}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1} 4484\PYG{n}{Attributes}\PYG{p}{:} 4485\PYG{n}{Policy}\PYG{p}{:} \PYG{p}{[}\PYG{n}{none}\PYG{p}{]} 4486 4487\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{systest} 4488\PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{l+m+mi}{3} \PYG{l+m+mi}{86400} \PYG{l+m+mi}{604800} \PYG{l+m+mi}{1} 4489\PYG{l+m+mi}{785926535} \PYG{l+m+mi}{753241234} \PYG{l+m+mi}{785900000} 4490\PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{l+m+mi}{786100034} \PYG{l+m+mi}{0} \PYG{l+m+mi}{0} 4491\PYG{n}{kadmin}\PYG{p}{:} 4492\end{sphinxVerbatim} 4493 4494 4495\subsection{list\_principals} 4496\label{\detokenize{admin/database:list-principals}}\begin{quote} 4497 4498\sphinxstylestrong{list\_principals} {[}\sphinxstyleemphasis{expression}{]} 4499\end{quote} 4500 4501Retrieves all or some principal names. \sphinxstyleemphasis{expression} is a shell-style 4502glob expression that can contain the wild-card characters \sphinxcode{?}, 4503\sphinxcode{*}, and \sphinxcode{{[}{]}}. All principal names matching the expression are 4504printed. If no expression is provided, all principal names are 4505printed. If the expression does not contain an \sphinxcode{@} character, an 4506\sphinxcode{@} character followed by the local realm is appended to the 4507expression. 4508 4509This command requires the \sphinxstylestrong{list} privilege. 
4510 4511Alias: \sphinxstylestrong{listprincs}, \sphinxstylestrong{get\_principals}, \sphinxstylestrong{getprincs} 4512 4513Example: 4514 4515\fvset{hllines={, ,}}% 4516\begin{sphinxVerbatim}[commandchars=\\\{\}] 4517\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listprincs} \PYG{n}{test}\PYG{o}{*} 4518\PYG{n}{test3}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 4519\PYG{n}{test2}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 4520\PYG{n}{test1}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 4521\PYG{n}{testuser}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 4522\PYG{n}{kadmin}\PYG{p}{:} 4523\end{sphinxVerbatim} 4524 4525 4526\subsection{Changing passwords} 4527\label{\detokenize{admin/database:changing-passwords}} 4528To change a principal’s password, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} 4529\sphinxstylestrong{change\_password} command. 4530 4531 4532\subsection{change\_password} 4533\label{\detokenize{admin/database:change-password}}\begin{quote} 4534 4535\sphinxstylestrong{change\_password} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} 4536\end{quote} 4537 4538Changes the password of \sphinxstyleemphasis{principal}. Prompts for a new password if 4539neither \sphinxstylestrong{-randkey} nor \sphinxstylestrong{-pw} is specified. 4540 4541This command requires the \sphinxstylestrong{changepw} privilege, or that the 4542principal running the program is the same as the principal being 4543changed. 4544 4545Alias: \sphinxstylestrong{cpw} 4546 4547The following options are available: 4548\begin{description} 4549\item[{\sphinxstylestrong{-randkey}}] \leavevmode 4550Sets the key of the principal to a random value. 
4551 4552\item[{\sphinxstylestrong{-pw} \sphinxstyleemphasis{password}}] \leavevmode 4553Set the password to the specified string. Using this option in a 4554script may expose the password to other users on the system via 4555the process list. 4556 4557\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode 4558Uses the specified keysalt list for setting the keys of the 4559principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a 4560list of possible values. 4561 4562\item[{\sphinxstylestrong{-keepold}}] \leavevmode 4563Keeps the existing keys in the database. This flag is usually not 4564necessary except perhaps for \sphinxcode{krbtgt} principals. 4565 4566\end{description} 4567 4568Example: 4569 4570\fvset{hllines={, ,}}% 4571\begin{sphinxVerbatim}[commandchars=\\\{\}] 4572\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{cpw} \PYG{n}{systest} 4573\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 4574\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 4575\PYG{n}{Password} \PYG{k}{for} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{changed}\PYG{o}{.} 4576\PYG{n}{kadmin}\PYG{p}{:} 4577\end{sphinxVerbatim} 4578 4579\begin{sphinxadmonition}{note}{Note:} 4580Password changes through kadmin are subject to the same 4581password policies as would apply to password changes through 4582\DUrole{xref,std,std-ref}{kpasswd(1)}. 4583\end{sphinxadmonition} 4584 4585 4586\section{Policies} 4587\label{\detokenize{admin/database:policies}}\label{\detokenize{admin/database:id1}} 4588A policy is a set of rules governing passwords. 
Policies can dictate 4589minimum and maximum password lifetimes, minimum number of characters 4590and character classes a password must contain, and the number of old 4591passwords kept in the database. 4592 4593 4594\subsection{Adding, modifying and deleting policies} 4595\label{\detokenize{admin/database:adding-modifying-and-deleting-policies}} 4596To add a new policy, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{add\_policy} command. 4597 4598To modify attributes of a policy, use the kadmin \sphinxstylestrong{modify\_policy} 4599command. 4600 4601To delete a policy, use the kadmin \sphinxstylestrong{delete\_policy} command. 4602 4603 4604\subsection{add\_policy} 4605\label{\detokenize{admin/database:add-policy}}\begin{quote} 4606 4607\sphinxstylestrong{add\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} 4608\end{quote} 4609 4610Adds a password policy named \sphinxstyleemphasis{policy} to the database. 4611 4612This command requires the \sphinxstylestrong{add} privilege. 4613 4614Alias: \sphinxstylestrong{addpol} 4615 4616The following options are available: 4617\begin{description} 4618\item[{\sphinxstylestrong{-maxlife} \sphinxstyleemphasis{time}}] \leavevmode 4619(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the maximum 4620lifetime of a password. 4621 4622\item[{\sphinxstylestrong{-minlife} \sphinxstyleemphasis{time}}] \leavevmode 4623(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the minimum 4624lifetime of a password. 4625 4626\item[{\sphinxstylestrong{-minlength} \sphinxstyleemphasis{length}}] \leavevmode 4627Sets the minimum length of a password. 4628 4629\item[{\sphinxstylestrong{-minclasses} \sphinxstyleemphasis{number}}] \leavevmode 4630Sets the minimum number of character classes required in a 4631password. 
The five character classes are lower case, upper case, 4632numbers, punctuation, and whitespace/unprintable characters. 4633 4634\item[{\sphinxstylestrong{-history} \sphinxstyleemphasis{number}}] \leavevmode 4635Sets the number of past keys kept for a principal. This option is 4636not supported with the LDAP KDC database module. 4637 4638\end{description} 4639\phantomsection\label{\detokenize{admin/database:policy-maxfailure}}\begin{description} 4640\item[{\sphinxstylestrong{-maxfailure} \sphinxstyleemphasis{maxnumber}}] \leavevmode 4641Sets the number of authentication failures before the principal is 4642locked. Authentication failures are only tracked for principals 4643which require preauthentication. The counter of failed attempts 4644resets to 0 after a successful attempt to authenticate. A 4645\sphinxstyleemphasis{maxnumber} value of 0 (the default) disables lockout. 4646 4647\end{description} 4648\phantomsection\label{\detokenize{admin/database:policy-failurecountinterval}}\begin{description} 4649\item[{\sphinxstylestrong{-failurecountinterval} \sphinxstyleemphasis{failuretime}}] \leavevmode 4650(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the allowable time 4651between authentication failures. If an authentication failure 4652happens after \sphinxstyleemphasis{failuretime} has elapsed since the previous 4653failure, the number of authentication failures is reset to 1. A 4654\sphinxstyleemphasis{failuretime} value of 0 (the default) means forever. 
4655 4656\end{description} 4657\phantomsection\label{\detokenize{admin/database:policy-lockoutduration}}\begin{description} 4658\item[{\sphinxstylestrong{-lockoutduration} \sphinxstyleemphasis{lockouttime}}] \leavevmode 4659(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the duration for 4660which the principal is locked from authenticating if too many 4661authentication failures occur without the specified failure count 4662interval elapsing. A duration of 0 (the default) means the 4663principal remains locked out until it is administratively unlocked 4664with \sphinxcode{modprinc -unlock}. 4665 4666\item[{\sphinxstylestrong{-allowedkeysalts}}] \leavevmode 4667Specifies the key/salt tuples supported for long-term keys when 4668setting or changing a principal’s password/keys. See 4669{\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the 4670accepted values, but note that key/salt tuples must be separated 4671with commas (‘,’) only. To clear the allowed key/salt policy use 4672a value of ‘-‘. 4673 4674\end{description} 4675 4676Example: 4677 4678\fvset{hllines={, ,}}% 4679\begin{sphinxVerbatim}[commandchars=\\\{\}] 4680\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{2 days}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{minlength} \PYG{l+m+mi}{5} \PYG{n}{guests} 4681\PYG{n}{kadmin}\PYG{p}{:} 4682\end{sphinxVerbatim} 4683 4684 4685\subsection{modify\_policy} 4686\label{\detokenize{admin/database:modify-policy}}\begin{quote} 4687 4688\sphinxstylestrong{modify\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} 4689\end{quote} 4690 4691Modifies the password policy named \sphinxstyleemphasis{policy}. 
Options are as described 4692for \sphinxstylestrong{add\_policy}. 4693 4694This command requires the \sphinxstylestrong{modify} privilege. 4695 4696Alias: \sphinxstylestrong{modpol} 4697 4698 4699\subsection{delete\_policy} 4700\label{\detokenize{admin/database:delete-policy}}\begin{quote} 4701 4702\sphinxstylestrong{delete\_policy} {[}\sphinxstylestrong{-force}{]} \sphinxstyleemphasis{policy} 4703\end{quote} 4704 4705Deletes the password policy named \sphinxstyleemphasis{policy}. Prompts for confirmation 4706before deletion. The command will fail if the policy is in use by any 4707principals. 4708 4709This command requires the \sphinxstylestrong{delete} privilege. 4710 4711Alias: \sphinxstylestrong{delpol} 4712 4713Example: 4714 4715\fvset{hllines={, ,}}% 4716\begin{sphinxVerbatim}[commandchars=\\\{\}] 4717kadmin: del\PYGZus{}policy guests 4718Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? 4719(yes/no): yes 4720kadmin: 4721\end{sphinxVerbatim} 4722 4723\begin{sphinxadmonition}{note}{Note:} 4724You must cancel the policy from \sphinxstyleemphasis{all} principals before 4725deleting it. The \sphinxstyleemphasis{delete\_policy} command will fail if the policy 4726is in use by any principals. 4727\end{sphinxadmonition} 4728 4729 4730\subsection{Retrieving policies} 4731\label{\detokenize{admin/database:retrieving-policies}} 4732To retrieve a policy, use the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{get\_policy} command. 4733 4734You can retrieve the list of policies with the kadmin 4735\sphinxstylestrong{list\_policies} command. 4736 4737 4738\subsection{get\_policy} 4739\label{\detokenize{admin/database:get-policy}}\begin{quote} 4740 4741\sphinxstylestrong{get\_policy} {[} \sphinxstylestrong{-terse} {]} \sphinxstyleemphasis{policy} 4742\end{quote} 4743 4744Displays the values of the password policy named \sphinxstyleemphasis{policy}. 
With the 4745\sphinxstylestrong{-terse} flag, outputs the fields as quoted strings separated by 4746tabs. 4747 4748This command requires the \sphinxstylestrong{inquire} privilege. 4749 4750Alias: \sphinxstylestrong{getpol} 4751 4752Examples: 4753 4754\fvset{hllines={, ,}}% 4755\begin{sphinxVerbatim}[commandchars=\\\{\}] 4756\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{n}{admin} 4757\PYG{n}{Policy}\PYG{p}{:} \PYG{n}{admin} 4758\PYG{n}{Maximum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{180} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 4759\PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 4760\PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{length}\PYG{p}{:} \PYG{l+m+mi}{6} 4761\PYG{n}{Minimum} \PYG{n}{number} \PYG{n}{of} \PYG{n}{password} \PYG{n}{character} \PYG{n}{classes}\PYG{p}{:} \PYG{l+m+mi}{2} 4762\PYG{n}{Number} \PYG{n}{of} \PYG{n}{old} \PYG{n}{keys} \PYG{n}{kept}\PYG{p}{:} \PYG{l+m+mi}{5} 4763\PYG{n}{Reference} \PYG{n}{count}\PYG{p}{:} \PYG{l+m+mi}{17} 4764 4765\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{admin} 4766\PYG{n}{admin} \PYG{l+m+mi}{15552000} \PYG{l+m+mi}{0} \PYG{l+m+mi}{6} \PYG{l+m+mi}{2} \PYG{l+m+mi}{5} \PYG{l+m+mi}{17} 4767\PYG{n}{kadmin}\PYG{p}{:} 4768\end{sphinxVerbatim} 4769 4770The “Reference count” is the number of principals using that policy. 4771With the LDAP KDC database module, the reference count field is not 4772meaningful. 4773 4774 4775\subsection{list\_policies} 4776\label{\detokenize{admin/database:list-policies}}\begin{quote} 4777 4778\sphinxstylestrong{list\_policies} {[}\sphinxstyleemphasis{expression}{]} 4779\end{quote} 4780 4781Retrieves all or some policy names. \sphinxstyleemphasis{expression} is a shell-style 4782glob expression that can contain the wild-card characters \sphinxcode{?}, 4783\sphinxcode{*}, and \sphinxcode{{[}{]}}. 
All policy names matching the expression are 4784printed. If no expression is provided, all existing policy names are 4785printed. 4786 4787This command requires the \sphinxstylestrong{list} privilege. 4788 4789Aliases: \sphinxstylestrong{listpols}, \sphinxstylestrong{get\_policies}, \sphinxstylestrong{getpols}. 4790 4791Examples: 4792 4793\fvset{hllines={, ,}}% 4794\begin{sphinxVerbatim}[commandchars=\\\{\}] 4795\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listpols} 4796\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol} 4797\PYG{n+nb}{dict}\PYG{o}{\PYGZhy{}}\PYG{n}{only} 4798\PYG{n}{once}\PYG{o}{\PYGZhy{}}\PYG{n}{a}\PYG{o}{\PYGZhy{}}\PYG{n+nb}{min} 4799\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw} 4800 4801\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listpols} \PYG{n}{t}\PYG{o}{*} 4802\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol} 4803\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw} 4804\PYG{n}{kadmin}\PYG{p}{:} 4805\end{sphinxVerbatim} 4806 4807 4808\subsection{Policies and principals} 4809\label{\detokenize{admin/database:policies-and-principals}} 4810Policies can be applied to principals as they are created by using 4811the \sphinxstylestrong{-policy} flag to {\hyperref[\detokenize{admin/admin_commands/kadmin_local:add-principal}]{\sphinxcrossref{\DUrole{std,std-ref}{add\_principal}}}}. Existing principals can 4812be modified by using the \sphinxstylestrong{-policy} or \sphinxstylestrong{-clearpolicy} flag to 4813{\hyperref[\detokenize{admin/admin_commands/kadmin_local:modify-principal}]{\sphinxcrossref{\DUrole{std,std-ref}{modify\_principal}}}}. 4814 4815 4816\subsection{Updating the history key} 4817\label{\detokenize{admin/database:updating-history-key}}\label{\detokenize{admin/database:updating-the-history-key}} 4818If a policy specifies a number of old keys kept of two or more, the 4819stored old keys are encrypted in a history key, which is found in the 4820key data of the \sphinxcode{kadmin/history} principal. 
4821 4822Currently there is no support for proper rollover of the history key, 4823but you can change the history key (for example, to use a better 4824encryption type) at the cost of invalidating currently stored old 4825keys. To change the history key, run: 4826 4827\fvset{hllines={, ,}}% 4828\begin{sphinxVerbatim}[commandchars=\\\{\}] 4829\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{change\PYGZus{}password} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{history} 4830\end{sphinxVerbatim} 4831 4832This command will fail if you specify the \sphinxstylestrong{-keepold} flag. Only one 4833new history key will be created, even if you specify multiple key/salt 4834combinations. 4835 4836In the future, we plan to migrate towards encrypting old keys in the 4837master key instead of the history key, and implementing proper 4838rollover support for stored old keys. 4839 4840 4841\section{Privileges} 4842\label{\detokenize{admin/database:privileges}}\label{\detokenize{admin/database:id2}} 4843Administrative privileges for the Kerberos database are stored in the 4844file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}. 4845 4846\begin{sphinxadmonition}{note}{Note:} 4847A common use of an admin instance is so you can grant 4848separate permissions (such as administrator access to the 4849Kerberos database) to a separate Kerberos principal. For 4850example, the user \sphinxcode{joeadmin} might have a principal for 4851his administrative use, called \sphinxcode{joeadmin/admin}. This 4852way, \sphinxcode{joeadmin} would obtain \sphinxcode{joeadmin/admin} tickets 4853only when he actually needs to use those permissions. 
4854\end{sphinxadmonition} 4855 4856 4857\section{Operations on the Kerberos database} 4858\label{\detokenize{admin/database:db-operations}}\label{\detokenize{admin/database:operations-on-the-kerberos-database}} 4859The {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} command is the primary tool for administrating 4860the Kerberos database. 4861 4862\sphinxstylestrong{kdb5\_util} 4863{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 4864{[}\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}{]} 4865{[}\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}{]} 4866{[}\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}{]} 4867{[}\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}{]} 4868{[}\sphinxstylestrong{-m}{]} 4869{[}\sphinxstylestrong{-sf} \sphinxstyleemphasis{stashfilename}{]} 4870{[}\sphinxstylestrong{-P} \sphinxstyleemphasis{password}{]} 4871{[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]} 4872\sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{command\_options}{]} 4873 4874\sphinxstylestrong{OPTIONS} 4875\begin{description} 4876\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 4877specifies the Kerberos realm of the database. 4878 4879\item[{\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}}] \leavevmode 4880specifies the name under which the principal database is stored; 4881by default the database is that listed in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. The 4882password policy database and lock files are also derived from this 4883value. 4884 4885\item[{\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}}] \leavevmode 4886specifies the key type of the master key in the database. 
The 4887default is given by the \sphinxstylestrong{master\_key\_type} variable in 4888{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 4889 4890\item[{\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode 4891Specifies the version number of the master key in the database; 4892the default is 1. Note that 0 is not allowed. 4893 4894\item[{\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}}] \leavevmode 4895principal name for the master key in the database. If not 4896specified, the name is determined by the \sphinxstylestrong{master\_key\_name} 4897variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 4898 4899\item[{\sphinxstylestrong{-m}}] \leavevmode 4900specifies that the master database password should be read from 4901the keyboard rather than fetched from a file on disk. 4902 4903\item[{\sphinxstylestrong{-sf} \sphinxstyleemphasis{stash\_file}}] \leavevmode 4904specifies the stash filename of the master database password. If 4905not specified, the filename is determined by the 4906\sphinxstylestrong{key\_stash\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 4907 4908\item[{\sphinxstylestrong{-P} \sphinxstyleemphasis{password}}] \leavevmode 4909specifies the master database password. Using this option may 4910expose the password to other users on the system via the process 4911list. 4912 4913\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode 4914specifies database-specific options. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for 4915supported options. 
4916 4917\end{description} 4918 4919 4920\subsection{Dumping a Kerberos database to a file} 4921\label{\detokenize{admin/database:dumping-a-kerberos-database-to-a-file}} 4922To dump a Kerberos database into a file, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} 4923\sphinxstylestrong{dump} command on one of the KDCs. 4924\begin{quote} 4925 4926\sphinxstylestrong{dump} {[}\sphinxstylestrong{-b7}\textbar{}\sphinxstylestrong{-r13}\textbar{}\sphinxstylestrong{-r18}{]} 4927{[}\sphinxstylestrong{-verbose}{]} {[}\sphinxstylestrong{-mkey\_convert}{]} {[}\sphinxstylestrong{-new\_mkey\_file} 4928\sphinxstyleemphasis{mkey\_file}{]} {[}\sphinxstylestrong{-rev}{]} {[}\sphinxstylestrong{-recurse}{]} {[}\sphinxstyleemphasis{filename} 4929{[}\sphinxstyleemphasis{principals}…{]}{]} 4930\end{quote} 4931 4932Dumps the current Kerberos and KADM5 database into an ASCII file. By 4933default, the database is dumped in current format, “kdb5\_util 4934load\_dump version 7”. If \sphinxstyleemphasis{filename} is not specified, or is the string 4935“-”, the dump is sent to standard output. Options: 4936\begin{description} 4937\item[{\sphinxstylestrong{-b7}}] \leavevmode 4938causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5\_util 4939load\_dump version 4”). This was the dump format produced on 4940releases prior to 1.2.2. 4941 4942\item[{\sphinxstylestrong{-r13}}] \leavevmode 4943causes the dump to be in the Kerberos 5 1.3 format (“kdb5\_util 4944load\_dump version 5”). This was the dump format produced on 4945releases prior to 1.8. 4946 4947\item[{\sphinxstylestrong{-r18}}] \leavevmode 4948causes the dump to be in the Kerberos 5 1.8 format (“kdb5\_util 4949load\_dump version 6”). This was the dump format produced on 4950releases prior to 1.11. 4951 4952\item[{\sphinxstylestrong{-verbose}}] \leavevmode 4953causes the name of each principal and policy to be printed as it 4954is dumped. 
4955 4956\item[{\sphinxstylestrong{-mkey\_convert}}] \leavevmode 4957prompts for a new master key. This new master key will be used to 4958re-encrypt principal key data in the dumpfile. The principal keys 4959themselves will not be changed. 4960 4961\item[{\sphinxstylestrong{-new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}}] \leavevmode 4962the filename of a stash file. The master key in this stash file 4963will be used to re-encrypt the key data in the dumpfile. The key 4964data in the database will not be changed. 4965 4966\item[{\sphinxstylestrong{-rev}}] \leavevmode 4967dumps in reverse order. This may recover principals that do not 4968dump normally, in cases where database corruption has occurred. 4969 4970\item[{\sphinxstylestrong{-recurse}}] \leavevmode 4971causes the dump to walk the database recursively (btree only). 4972This may recover principals that do not dump normally, in cases 4973where database corruption has occurred. In cases of such 4974corruption, this option will probably retrieve more principals 4975than the \sphinxstylestrong{-rev} option will. 4976 4977\DUrole{versionmodified}{Changed in version 1.15: }Release 1.15 restored the functionality of the \sphinxstylestrong{-recurse} 4978option. 4979 4980\DUrole{versionmodified}{Changed in version 1.5: }The \sphinxstylestrong{-recurse} option ceased working until release 1.15, 4981doing a normal dump instead of a recursive traversal. 
4982 4983\end{description} 4984 4985 4986\subsubsection{Examples} 4987\label{\detokenize{admin/database:id3}} 4988\fvset{hllines={, ,}}% 4989\begin{sphinxVerbatim}[commandchars=\\\{\}] 4990\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{n}{dumpfile} 4991\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 4992 4993\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{\PYGZhy{}}\PYG{n}{verbose} \PYG{n}{dumpfile} 4994\PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 4995\PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 4996\PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{history}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 4997\PYG{n}{K}\PYG{o}{/}\PYG{n}{M}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 4998\PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{changepw}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 4999\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5000\end{sphinxVerbatim} 5001 5002If you specify which principals to dump, you must use the full 5003principal name, as in the following example: 5004 5005\fvset{hllines={, ,}}% 5006\begin{sphinxVerbatim}[commandchars=\\\{\}] 5007\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{\PYGZhy{}}\PYG{n}{verbose} \PYG{n}{dumpfile} \PYG{n}{K}\PYG{o}{/}\PYG{n}{M}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5008\PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5009\PYG{n}{K}\PYG{o}{/}\PYG{n}{M}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5010\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5011\end{sphinxVerbatim} 5012 5013Otherwise, the principals will not match those in the database and 5014will not be dumped: 5015 
5016\fvset{hllines={, ,}}% 5017\begin{sphinxVerbatim}[commandchars=\\\{\}] 5018\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{o}{\PYGZhy{}}\PYG{n}{verbose} \PYG{n}{dumpfile} \PYG{n}{K}\PYG{o}{/}\PYG{n}{M} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} 5019\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5020\end{sphinxVerbatim} 5021 5022If you do not specify a dump file, kdb5\_util will dump the database to 5023the standard output. 5024 5025 5026\subsection{Restoring a Kerberos database from a dump file} 5027\label{\detokenize{admin/database:restore-from-dump}}\label{\detokenize{admin/database:restoring-a-kerberos-database-from-a-dump-file}} 5028To restore a Kerberos database dump from a file, use the 5029{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{load} command on one of the KDCs. 5030\begin{quote} 5031 5032\sphinxstylestrong{load} {[}\sphinxstylestrong{-b7}\textbar{}\sphinxstylestrong{-r13}\textbar{}\sphinxstylestrong{-r18}{]} {[}\sphinxstylestrong{-hash}{]} 5033{[}\sphinxstylestrong{-verbose}{]} {[}\sphinxstylestrong{-update}{]} \sphinxstyleemphasis{filename} 5034\end{quote} 5035 5036Loads a database dump from the named file into the named database. If 5037no option is given to determine the format of the dump file, the 5038format is detected automatically and handled as appropriate. Unless 5039the \sphinxstylestrong{-update} option is given, \sphinxstylestrong{load} creates a new database 5040containing only the data in the dump file, overwriting the contents of 5041any previously existing database. Note that when using the LDAP KDC 5042database module, the \sphinxstylestrong{-update} flag is required. 5043 5044Options: 5045\begin{description} 5046\item[{\sphinxstylestrong{-b7}}] \leavevmode 5047requires the database to be in the Kerberos 5 Beta 7 format 5048(“kdb5\_util load\_dump version 4”). This was the dump format 5049produced on releases prior to 1.2.2. 
5050 5051\item[{\sphinxstylestrong{-r13}}] \leavevmode 5052requires the database to be in Kerberos 5 1.3 format (“kdb5\_util 5053load\_dump version 5”). This was the dump format produced on 5054releases prior to 1.8. 5055 5056\item[{\sphinxstylestrong{-r18}}] \leavevmode 5057requires the database to be in Kerberos 5 1.8 format (“kdb5\_util 5058load\_dump version 6”). This was the dump format produced on 5059releases prior to 1.11. 5060 5061\item[{\sphinxstylestrong{-hash}}] \leavevmode 5062stores the database in hash format, if using the DB2 database 5063type. If this option is not specified, the database will be 5064stored in btree format. This option is not recommended, as 5065databases stored in hash format are known to corrupt data and lose 5066principals. 5067 5068\item[{\sphinxstylestrong{-verbose}}] \leavevmode 5069causes the name of each principal and policy to be printed as it 5070is dumped. 5071 5072\item[{\sphinxstylestrong{-update}}] \leavevmode 5073records from the dump file are added to or updated in the existing 5074database. Otherwise, a new database is created containing only 5075what is in the dump file and the old one destroyed upon successful 5076completion. 
5077 5078\end{description} 5079 5080 5081\subsubsection{Examples} 5082\label{\detokenize{admin/database:id4}} 5083To dump a single principal and later load it, updating the database: 5084 5085\fvset{hllines={, ,}}% 5086\begin{sphinxVerbatim}[commandchars=\\\{\}] 5087\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{dump} \PYG{n}{dumpfile} \PYG{n}{principal}\PYG{n+nd}{@REALM} 5088\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5089 5090\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}util} \PYG{n}{load} \PYG{o}{\PYGZhy{}}\PYG{n}{update} \PYG{n}{dumpfile} 5091\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5092\end{sphinxVerbatim} 5093 5094\begin{sphinxadmonition}{note}{Note:} 5095If the database file exists, and the \sphinxstyleemphasis{-update} flag was not 5096given, \sphinxstyleemphasis{kdb5\_util} will overwrite the existing database. 5097\end{sphinxadmonition} 5098 5099\begin{sphinxadmonition}{note}{Note:} 5100Using kdb5\_util to dump and reload the principal database is 5101only necessary when upgrading from versions of krb5 prior 5102to 1.2.0—newer versions will use the existing database as-is. 5103\end{sphinxadmonition} 5104 5105 5106\subsection{Creating a stash file} 5107\label{\detokenize{admin/database:create-stash}}\label{\detokenize{admin/database:creating-a-stash-file}} 5108A stash file allows a KDC to authenticate itself to the database 5109utilities, such as {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, and 5110{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}. 5111 5112To create a stash file, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{stash} command. 
5113\begin{quote} 5114 5115\sphinxstylestrong{stash} {[}\sphinxstylestrong{-f} \sphinxstyleemphasis{keyfile}{]} 5116\end{quote} 5117 5118Stores the master principal’s keys in a stash file. The \sphinxstylestrong{-f} 5119argument can be used to override the \sphinxstyleemphasis{keyfile} specified in 5120{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 5121 5122 5123\subsubsection{Example} 5124\label{\detokenize{admin/database:example}}\begin{quote} 5125 5126shell\% kdb5\_util stash 5127kdb5\_util: Cannot find/read stored master key while reading master key 5128kdb5\_util: Warning: proceeding without master key 5129Enter KDC database master key: \textless{}= Type the KDC database master password. 5130shell\% 5131\end{quote} 5132 5133If you do not specify a stash file, kdb5\_util will stash the key in 5134the file specified in your {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. 5135 5136 5137\subsection{Creating and destroying a Kerberos database} 5138\label{\detokenize{admin/database:creating-and-destroying-a-kerberos-database}} 5139If you need to create a new Kerberos database, use the 5140{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{create} command. 5141\begin{quote} 5142 5143\sphinxstylestrong{create} {[}\sphinxstylestrong{-s}{]} 5144\end{quote} 5145 5146Creates a new database. If the \sphinxstylestrong{-s} option is specified, the stash 5147file is also created. This command fails if the database already 5148exists. If the command is successful, the database is opened just as 5149if it had already existed when the program was first run. 
5150 5151If you need to destroy the current Kerberos database, use the 5152{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{destroy} command. 5153\begin{quote} 5154 5155\sphinxstylestrong{destroy} {[}\sphinxstylestrong{-f}{]} 5156\end{quote} 5157 5158Destroys the database, first overwriting the disk sectors and then 5159unlinking the files, after prompting the user for confirmation. With 5160the \sphinxstylestrong{-f} argument, does not prompt the user. 5161 5162 5163\subsubsection{Examples} 5164\label{\detokenize{admin/database:id5}} 5165\fvset{hllines={, ,}}% 5166\begin{sphinxVerbatim}[commandchars=\\\{\}] 5167shell\PYGZpc{} kdb5\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU create \PYGZhy{}s 5168Loading random data 5169Initializing database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, 5170master key name \PYGZsq{}K/M@ATHENA.MIT.EDU\PYGZsq{} 5171You will be prompted for the database Master Password. 5172It is important that you NOT FORGET this password. 5173Enter KDC database master key: \PYGZlt{}= Type the master password. 5174Re\PYGZhy{}enter KDC database master key to verify: \PYGZlt{}= Type it again. 5175shell\PYGZpc{} 5176 5177shell\PYGZpc{} kdb5\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU destroy 5178Deleting KDC database stored in \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{}, are you sure? 5179(type \PYGZsq{}yes\PYGZsq{} to confirm)? \PYGZlt{}= yes 5180OK, deleting database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{}... 5181** Database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} destroyed. 
5182shell\PYGZpc{} 5183\end{sphinxVerbatim} 5184 5185 5186\subsection{Updating the master key} 5187\label{\detokenize{admin/database:updating-master-key}}\label{\detokenize{admin/database:updating-the-master-key}} 5188Starting with release 1.7, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} allows the master key 5189to be changed using a rollover process, with minimal loss of 5190availability. To roll over the master key, follow these steps: 5191\begin{enumerate} 5192\item {} 5193On the primary KDC, run \sphinxcode{kdb5\_util list\_mkeys} to view the 5194current master key version number (KVNO). If you have never rolled 5195over the master key before, this will likely be version 1: 5196 5197\fvset{hllines={, ,}}% 5198\begin{sphinxVerbatim}[commandchars=\\\{\}] 5199\PYGZdl{} kdb5\PYGZus{}util list\PYGZus{}mkeys 5200Master keys for Principal: K/M@KRBTEST.COM 5201KVNO: 1, Enctype: aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192, Active on: Thu Jan 01 00:00:00 UTC 1970 * 5202\end{sphinxVerbatim} 5203 5204\item {} 5205On the primary KDC, run \sphinxcode{kdb5\_util use\_mkey 1} to ensure that a 5206master key activation list is present in the database. This step 5207is unnecessary in release 1.11.4 or later, or if the database was 5208initially created with release 1.7 or later. 5209 5210\item {} 5211On the primary KDC, run \sphinxcode{kdb5\_util add\_mkey -s} to create a new 5212master key and write it to the stash file. Enter a secure password 5213when prompted. If this is the first time you are changing the 5214master key, the new key will have version 2. The new master key 5215will not be used until you make it active. 5216 5217\item {} 5218Propagate the database to all replica KDCs, either manually or by 5219waiting until the next scheduled propagation. If you do not have 5220any replica KDCs, you can skip this and the next step. 
5221 5222\item {} 5223On each replica KDC, run \sphinxcode{kdb5\_util list\_mkeys} to verify that 5224the new master key is present, and then \sphinxcode{kdb5\_util stash} to 5225write the new master key to the replica KDC’s stash file. 5226 5227\item {} 5228On the primary KDC, run \sphinxcode{kdb5\_util use\_mkey 2} to begin using the 5229new master key. Replace \sphinxcode{2} with the version of the new master 5230key, as appropriate. You can optionally specify a date for the new 5231master key to become active; by default, it will become active 5232immediately. Prior to release 1.12, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} must be 5233restarted for this change to take full effect. 5234 5235\item {} 5236On the primary KDC, run \sphinxcode{kdb5\_util update\_princ\_encryption}. 5237This command will iterate over the database and re-encrypt all keys 5238in the new master key. If the database is large and uses DB2, the 5239primary KDC will become unavailable while this command runs, but 5240clients should fail over to replica KDCs (if any are present) 5241during this time period. In release 1.13 and later, you can 5242instead run \sphinxcode{kdb5\_util -x unlockiter update\_princ\_encryption} to 5243use unlocked iteration; this variant will take longer, but will 5244keep the database available to the KDC and kadmind while it runs. 5245 5246\item {} 5247Wait until the above changes have propagated to all replica KDCs 5248and until all running KDC and kadmind processes have serviced 5249requests using updated principal entries. 5250 5251\item {} 5252On the primary KDC, run \sphinxcode{kdb5\_util purge\_mkeys} to clean up the 5253old master key. 
5254 5255\end{enumerate} 5256 5257 5258\section{Operations on the LDAP database} 5259\label{\detokenize{admin/database:operations-on-the-ldap-database}}\label{\detokenize{admin/database:ops-on-ldap}} 5260The {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} is the primary tool for administering 5261the Kerberos LDAP database. It allows an administrator to manage 5262realms, Kerberos services (KDC and Admin Server) and ticket policies. 5263 5264\sphinxstylestrong{kdb5\_ldap\_util} 5265{[}\sphinxstylestrong{-D} \sphinxstyleemphasis{user\_dn} {[}\sphinxstylestrong{-w} \sphinxstyleemphasis{passwd}{]}{]} 5266{[}\sphinxstylestrong{-H} \sphinxstyleemphasis{ldapuri}{]} 5267\sphinxstylestrong{command} 5268{[}\sphinxstyleemphasis{command\_options}{]} 5269 5270\sphinxstylestrong{OPTIONS} 5271\begin{description} 5272\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 5273Specifies the realm to be operated on. 5274 5275\item[{\sphinxstylestrong{-D} \sphinxstyleemphasis{user\_dn}}] \leavevmode 5276Specifies the Distinguished Name (DN) of the user who has 5277sufficient rights to perform the operation on the LDAP server. 5278 5279\item[{\sphinxstylestrong{-w} \sphinxstyleemphasis{passwd}}] \leavevmode 5280Specifies the password of \sphinxstyleemphasis{user\_dn}. This option is not 5281recommended, because a password given on the command line may be exposed to other users on the system via the process list; if it is omitted, the password is prompted for instead. 5282 5283\item[{\sphinxstylestrong{-H} \sphinxstyleemphasis{ldapuri}}] \leavevmode 5284Specifies the URI of the LDAP server. 
5285 5286\end{description} 5287 5288By default, kdb5\_ldap\_util operates on the default realm (as specified 5289in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) and connects and authenticates to the LDAP 5290server in the same manner as {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} would, given the 5291parameters in {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 5292 5293 5294\subsection{Creating a Kerberos realm} 5295\label{\detokenize{admin/database:creating-a-kerberos-realm}}\label{\detokenize{admin/database:ldap-create-realm}} 5296If you need to create a new realm, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} 5297\sphinxstylestrong{create} command as follows. 5298\begin{quote} 5299 5300\sphinxstylestrong{create} 5301{[}\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]} 5302{[}\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}{]} 5303{[}\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}{]} 5304{[}\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}{]} 5305{[}\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}{]} 5306{[}\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}{]} 5307{[}\sphinxstylestrong{-m\textbar{}-P} \sphinxstyleemphasis{password}\textbar{}\sphinxstylestrong{-sf} \sphinxstyleemphasis{stashfilename}{]} 5308{[}\sphinxstylestrong{-s}{]} 5309{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 5310{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 5311{[}\sphinxstyleemphasis{ticket\_flags}{]} 5312\end{quote} 5313 5314Creates a realm in the directory. 
Options: 5315\begin{description} 5316\item[{\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode 5317Specifies the list of subtrees containing the principals of a 5318realm. The list contains the DNs of the subtree objects separated 5319by colon (\sphinxcode{:}). 5320 5321\item[{\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode 5322Specifies the scope for searching the principals under the 5323subtree. The possible values are 1 or one (one level), 2 or sub 5324(subtrees). 5325 5326\item[{\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}}] \leavevmode 5327Specifies the DN of the container object in which the principals 5328of a realm will be created. If the container reference is not 5329configured for a realm, the principals will be created in the 5330realm container. 5331 5332\item[{\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}}] \leavevmode 5333Specifies the key type of the master key in the database. The 5334default is given by the \sphinxstylestrong{master\_key\_type} variable in 5335{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 5336 5337\item[{\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode 5338Specifies the version number of the master key in the database; 5339the default is 1. Note that 0 is not allowed. 5340 5341\item[{\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}}] \leavevmode 5342Specifies the principal name for the master key in the database. 5343If not specified, the name is determined by the 5344\sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 5345 5346\item[{\sphinxstylestrong{-m}}] \leavevmode 5347Specifies that the master database password should be read from 5348the TTY rather than fetched from a file on the disk. 
5349 5350\item[{\sphinxstylestrong{-P} \sphinxstyleemphasis{password}}] \leavevmode 5351Specifies the master database password. This option is not 5352recommended, because a password given on the command line may be exposed to other users on the system via the process list; prefer \sphinxstylestrong{-m} or \sphinxstylestrong{-sf}. 5353 5354\item[{\sphinxstylestrong{-sf} \sphinxstyleemphasis{stashfilename}}] \leavevmode 5355Specifies the stash file of the master database password. 5356 5357\item[{\sphinxstylestrong{-s}}] \leavevmode 5358Specifies that the stash file is to be created. 5359 5360\item[{\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode 5361(\DUrole{xref,std,std-ref}{getdate} string) Specifies the maximum ticket life for 5362principals in this realm. 5363 5364\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode 5365(\DUrole{xref,std,std-ref}{getdate} string) Specifies the maximum renewable life of 5366tickets for principals in this realm. 5367 5368\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode 5369Specifies global ticket flags for the realm. Allowable flags are 5370documented in the description of the \sphinxstylestrong{add\_principal} command in 5371{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 
5372 5373\end{description} 5374 5375Example: 5376 5377\fvset{hllines={, ,}}% 5378\begin{sphinxVerbatim}[commandchars=\\\{\}] 5379\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 5380 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{subtrees} \PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{sscope} \PYG{n}{SUB} 5381\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5382\PYG{n}{Initializing} \PYG{n}{database} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}} 5383\PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.} 5384\PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} \PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.} 5385\PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:} 5386\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:} 5387\end{sphinxVerbatim} 5388 5389 5390\subsection{Modifying a Kerberos realm} 5391\label{\detokenize{admin/database:ldap-mod-realm}}\label{\detokenize{admin/database:modifying-a-kerberos-realm}} 5392If you need to modify a realm, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} 5393\sphinxstylestrong{modify} command as follows. 
5394\begin{quote} 5395 5396\sphinxstylestrong{modify} 5397{[}\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]} 5398{[}\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}{]} 5399{[}\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}{]} 5400{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 5401{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 5402{[}\sphinxstyleemphasis{ticket\_flags}{]} 5403\end{quote} 5404 5405Modifies the attributes of a realm. Options: 5406\begin{description} 5407\item[{\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode 5408Specifies the list of subtrees containing the principals of a 5409realm. The list contains the DNs of the subtree objects separated 5410by colon (\sphinxcode{:}). This list replaces the existing list. 5411 5412\item[{\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode 5413Specifies the scope for searching the principals under the 5414subtrees. The possible values are 1 or one (one level), 2 or sub 5415(subtrees). 5416 5417\item[{\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}}] \leavevmode Specifies the DN of the 5418container object in which the principals of a realm will be 5419created. 5420 5421\item[{\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode 5422(\DUrole{xref,std,std-ref}{getdate} string) Specifies the maximum ticket life for 5423principals in this realm. 5424 5425\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode 5426(\DUrole{xref,std,std-ref}{getdate} string) Specifies the maximum renewable life of 5427tickets for principals in this realm. 5428 5429\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode 5430Specifies global ticket flags for the realm. 
Allowable flags are 5431documented in the description of the \sphinxstylestrong{add\_principal} command in 5432{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 5433 5434\end{description} 5435 5436Example: 5437 5438\fvset{hllines={, ,}}% 5439\begin{sphinxVerbatim}[commandchars=\\\{\}] 5440\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} 5441 \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{modify} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} 5442\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5443\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5444\end{sphinxVerbatim} 5445 5446 5447\subsection{Destroying a Kerberos realm} 5448\label{\detokenize{admin/database:destroying-a-kerberos-realm}} 5449If you need to destroy a Kerberos realm, use the 5450{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{destroy} command as follows. 5451\begin{quote} 5452 5453\sphinxstylestrong{destroy} {[}\sphinxstylestrong{-f}{]} 5454\end{quote} 5455 5456Destroys an existing realm. Options: 5457\begin{description} 5458\item[{\sphinxstylestrong{-f}}] \leavevmode 5459If specified, will not prompt the user for confirmation. 
5460 5461\end{description} 5462 5463Example: 5464 5465\fvset{hllines={, ,}}% 5466\begin{sphinxVerbatim}[commandchars=\\\{\}] 5467shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}D cn=admin,o=org \PYGZhy{}H 5468 ldaps://ldap\PYGZhy{}server1.mit.edu destroy 5469Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: 5470Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? 5471(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes 5472OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... 5473shell\PYGZpc{} 5474\end{sphinxVerbatim} 5475 5476 5477\subsection{Retrieving information about a Kerberos realm} 5478\label{\detokenize{admin/database:retrieving-information-about-a-kerberos-realm}} 5479If you need to display the attributes of a realm, use the 5480{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{view} command as follows. 5481\begin{quote} 5482 5483\sphinxstylestrong{view} 5484\end{quote} 5485 5486Displays the attributes of a realm. 
5487 5488Example: 5489 5490\fvset{hllines={, ,}}% 5491\begin{sphinxVerbatim}[commandchars=\\\{\}] 5492\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 5493 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view} 5494\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5495\PYG{n}{Realm} \PYG{n}{Name}\PYG{p}{:} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5496\PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{users}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} 5497\PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{servers}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} 5498\PYG{n}{SearchScope}\PYG{p}{:} \PYG{n}{ONE} 5499\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 5500\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 5501\PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE} 5502\end{sphinxVerbatim} 5503 5504 5505\subsection{Listing available Kerberos realms} 5506\label{\detokenize{admin/database:listing-available-kerberos-realms}} 5507If you need to display the list of the realms, use the 5508{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{list} command as follows. 5509\begin{quote} 5510 5511\sphinxstylestrong{list} 5512\end{quote} 5513 5514Lists the names of realms under the container. 
5515 5516Example: 5517 5518\fvset{hllines={, ,}}% 5519\begin{sphinxVerbatim}[commandchars=\\\{\}] 5520\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} 5521 \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n+nb}{list} 5522\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5523\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5524\PYG{n}{OPENLDAP}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5525\PYG{n}{MEDIA}\PYG{o}{\PYGZhy{}}\PYG{n}{LAB}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5526\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 5527\end{sphinxVerbatim} 5528 5529 5530\subsection{Stashing service object’s password} 5531\label{\detokenize{admin/database:stashing-service-object-s-password}}\label{\detokenize{admin/database:stash-ldap}} 5532The {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{stashsrvpw} command allows an 5533administrator to store the password of a service object in a file. The 5534KDC and Administration server use this password to authenticate to 5535the LDAP server. 5536\begin{quote} 5537 5538\sphinxstylestrong{stashsrvpw} 5539{[}\sphinxstylestrong{-f} \sphinxstyleemphasis{file}{]} 5540\sphinxstyleemphasis{name} 5541\end{quote} 5542 5543Allows an administrator to store the password for a service object in a 5544file so that the KDC and Administration server can use it to authenticate 5545to the LDAP server. Options: 5546\begin{description} 5547\item[{\sphinxstylestrong{-f} \sphinxstyleemphasis{file}}] \leavevmode 5548Specifies the complete path of the service password file. 
By 5549default, \sphinxcode{/usr/local/var/service\_passwd} is used. This file holds the password used to authenticate to the LDAP server, so it should not be readable by anyone other than the KDC and kadmind. 5550 5551\item[{\sphinxstyleemphasis{name}}] \leavevmode 5552Specifies the name of the object whose password is to be stored. 5553If {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} or {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} is configured for 5554simple binding, this should be the distinguished name it will 5555use as given by the \sphinxstylestrong{ldap\_kdc\_dn} or \sphinxstylestrong{ldap\_kadmind\_dn} 5556variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. If the KDC or kadmind is 5557configured for SASL binding, this should be the authentication 5558name it will use as given by the \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or 5559\sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} variable. 5560 5561\end{description} 5562 5563Example: 5564 5565\fvset{hllines={, ,}}% 5566\begin{sphinxVerbatim}[commandchars=\\\{\}] 5567\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{home}\PYG{o}{/}\PYG{n}{andrew}\PYG{o}{/}\PYG{n}{conf\PYGZus{}keyfile} 5568 \PYG{n}{cn}\PYG{o}{=}\PYG{n}{service}\PYG{o}{\PYGZhy{}}\PYG{n}{kdc}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} 5569\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5570\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5571\end{sphinxVerbatim} 5572 5573 5574\subsection{Ticket Policy operations} 5575\label{\detokenize{admin/database:ticket-policy-operations}} 5576 5577\subsubsection{Creating a Ticket Policy} 5578\label{\detokenize{admin/database:creating-a-ticket-policy}} 5579To create a new
ticket policy in the directory, use the 5580{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{create\_policy} command. Ticket policy 5581objects are created under the realm container. 5582\begin{quote} 5583 5584\sphinxstylestrong{create\_policy} 5585{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 5586{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 5587{[}\sphinxstyleemphasis{ticket\_flags}{]} 5588\sphinxstyleemphasis{policy\_name} 5589\end{quote} 5590 5591Creates a ticket policy in the directory. Options: 5592\begin{description} 5593\item[{\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode 5594(\DUrole{xref,std,std-ref}{getdate} string) Specifies the maximum ticket life for 5595principals. 5596 5597\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode 5598(\DUrole{xref,std,std-ref}{getdate} string) Specifies the maximum renewable life of 5599tickets for principals. 5600 5601\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode 5602Specifies the ticket flags. If this option is not specified, by 5603default, no restriction will be set by the policy. Allowable 5604flags are documented in the description of the \sphinxstylestrong{add\_principal} 5605command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 5606 5607\item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode 5608Specifies the name of the ticket policy.
5609 5610\end{description} 5611 5612Example: 5613 5614\fvset{hllines={, ,}}% 5615\begin{sphinxVerbatim}[commandchars=\\\{\}] 5616\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 5617 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 day}\PYG{l+s+s2}{\PYGZdq{}} 5618 \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 week}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{+}\PYG{n}{needchange} 5619 \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}forwardable} \PYG{n}{tktpolicy} 5620\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5621\end{sphinxVerbatim} 5622 5623 5624\subsubsection{Modifying a Ticket Policy} 5625\label{\detokenize{admin/database:modifying-a-ticket-policy}} 5626To modify a ticket policy in the directory, use the 5627{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{modify\_policy} command. 5628\begin{quote} 5629 5630\sphinxstylestrong{modify\_policy} 5631{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 5632{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 5633{[}\sphinxstyleemphasis{ticket\_flags}{]} 5634\sphinxstyleemphasis{policy\_name} 5635\end{quote} 5636 5637Modifies the attributes of a ticket policy. The options are the same as for 5638\sphinxstylestrong{create\_policy}.
5639 5640Example: 5641 5642\fvset{hllines={, ,}}% 5643\begin{sphinxVerbatim}[commandchars=\\\{\}] 5644\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} 5645 \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{modify\PYGZus{}policy} 5646 \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{60 minutes}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10 hours}\PYG{l+s+s2}{\PYGZdq{}} 5647 \PYG{o}{+}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{tktpolicy} 5648\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5649\end{sphinxVerbatim} 5650 5651 5652\subsubsection{Retrieving Information About a Ticket Policy} 5653\label{\detokenize{admin/database:retrieving-information-about-a-ticket-policy}} 5654To display the attributes of a ticket policy, use the 5655{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{view\_policy} command. 5656\begin{quote} 5657 5658\sphinxstylestrong{view\_policy} 5659\sphinxstyleemphasis{policy\_name} 5660\end{quote} 5661 5662Displays the attributes of the named ticket policy. 
5663 5664Example: 5665 5666\fvset{hllines={, ,}}% 5667\begin{sphinxVerbatim}[commandchars=\\\{\}] 5668\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 5669 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view\PYGZus{}policy} \PYG{n}{tktpolicy} 5670\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5671\PYG{n}{Ticket} \PYG{n}{policy}\PYG{p}{:} \PYG{n}{tktpolicy} 5672\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 5673\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 5674\PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE} 5675\end{sphinxVerbatim} 5676 5677 5678\subsubsection{Destroying a Ticket Policy} 5679\label{\detokenize{admin/database:destroying-a-ticket-policy}} 5680To destroy an existing ticket policy, use the {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} 5681\sphinxstylestrong{destroy\_policy} command. 5682\begin{quote} 5683 5684\sphinxstylestrong{destroy\_policy} 5685{[}\sphinxstylestrong{-force}{]} 5686\sphinxstyleemphasis{policy\_name} 5687\end{quote} 5688 5689Destroys an existing ticket policy. Options: 5690\begin{description} 5691\item[{\sphinxstylestrong{-force}}] \leavevmode 5692Forces the deletion of the policy object. If not specified, the 5693user will be prompted for confirmation before deleting the policy. 
5694 5695\item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode 5696Specifies the name of the ticket policy. 5697 5698\end{description} 5699 5700Example: 5701 5702\fvset{hllines={, ,}}% 5703\begin{sphinxVerbatim}[commandchars=\\\{\}] 5704kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu 5705 \PYGZhy{}r ATHENA.MIT.EDU destroy\PYGZus{}policy tktpolicy 5706Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: 5707This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? 5708(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes 5709** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. 5710\end{sphinxVerbatim} 5711 5712 5713\subsubsection{Listing available Ticket Policies} 5714\label{\detokenize{admin/database:listing-available-ticket-policies}} 5715To list the name of ticket policies in a realm, use the 5716{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} \sphinxstylestrong{list\_policy} command. 5717\begin{quote} 5718 5719\sphinxstylestrong{list\_policy} 5720\end{quote} 5721 5722Lists ticket policies. 
5723 5724Example: 5725 5726\fvset{hllines={, ,}}% 5727\begin{sphinxVerbatim}[commandchars=\\\{\}] 5728\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 5729 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{list\PYGZus{}policy} 5730\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 5731\PYG{n}{tktpolicy} 5732\PYG{n}{tmppolicy} 5733\PYG{n}{userpolicy} 5734\end{sphinxVerbatim} 5735 5736 5737\section{Cross-realm authentication} 5738\label{\detokenize{admin/database:cross-realm-authentication}}\label{\detokenize{admin/database:xrealm-authn}} 5739In order for a KDC in one realm to authenticate Kerberos users in a 5740different realm, it must share a key with the KDC in the other realm. 5741In both databases, there must be krbtgt service principals for both realms. 5742For example, if you need to do cross-realm authentication between the realms 5743\sphinxcode{ATHENA.MIT.EDU} and \sphinxcode{EXAMPLE.COM}, you would need to add the 5744principals \sphinxcode{krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU} and 5745\sphinxcode{krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM} to both databases. 5746These principals must all have the same passwords, key version 5747numbers, and encryption types; this may require explicitly setting 5748the key version number with the \sphinxstylestrong{-kvno} option. 
5749 5750In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators 5751would run the following commands on the KDCs in both realms: 5752 5753\fvset{hllines={, ,}}% 5754\begin{sphinxVerbatim}[commandchars=\\\{\}] 5755\PYG{n}{shell}\PYG{o}{\PYGZpc{}}\PYG{p}{:} \PYG{n}{kadmin}\PYG{o}{.}\PYG{n}{local} \PYG{o}{\PYGZhy{}}\PYG{n}{e} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{aes256\PYGZhy{}cts:normal}\PYG{l+s+s2}{\PYGZdq{}} 5756\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} 5757\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 5758\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 5759\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5760\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 5761\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 5762\PYG{n}{kadmin}\PYG{p}{:} 5763\end{sphinxVerbatim} 5764 5765\begin{sphinxadmonition}{note}{Note:} 5766Even if most principals in a realm are generally created 5767with the \sphinxstylestrong{requires\_preauth} flag enabled, this flag is not 5768desirable on 
cross-realm authentication keys because doing 5769so makes it impossible to disable preauthentication on a 5770service-by-service basis. Disabling it as in the example 5771above is recommended. 5772\end{sphinxadmonition} 5773 5774\begin{sphinxadmonition}{note}{Note:} 5775It is very important that these principals have good 5776passwords. MIT recommends that TGT principal passwords be 5777at least 26 characters of random ASCII text. 5778\end{sphinxadmonition} 5779 5780 5781\section{Changing the krbtgt key} 5782\label{\detokenize{admin/database:changing-krbtgt-key}}\label{\detokenize{admin/database:changing-the-krbtgt-key}} 5783A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the 5784principal \sphinxcode{krbtgt/REALM}. The key for this principal is created 5785when the Kerberos database is initialized and need not be changed. 5786However, it will only have the encryption types supported by the KDC 5787at the time of the initial database creation. To allow use of newer 5788encryption types for the TGT, this key has to be changed. 5789 5790Changing this key using the normal {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} 5791\sphinxstylestrong{change\_password} command would invalidate any previously issued 5792TGTs. Therefore, when changing this key, normally one should use the 5793\sphinxstylestrong{-keepold} flag to change\_password to retain the previous key in the 5794database as well as the new key. 
For example: 5795 5796\fvset{hllines={, ,}}% 5797\begin{sphinxVerbatim}[commandchars=\\\{\}] 5798\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{change\PYGZus{}password} \PYG{o}{\PYGZhy{}}\PYG{n}{randkey} \PYG{o}{\PYGZhy{}}\PYG{n}{keepold} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 5799\end{sphinxVerbatim} 5800 5801\begin{sphinxadmonition}{warning}{Warning:} 5802After issuing this command, the old key is still valid 5803and is still vulnerable to (for instance) brute force 5804attacks. To completely retire an old key or encryption 5805type, run the kadmin \sphinxstylestrong{purgekeys} command to delete keys 5806with older kvnos, ideally first making sure that all 5807tickets issued with the old keys have expired. 5808\end{sphinxadmonition} 5809 5810Only the first krbtgt key of the newest key version is used to encrypt 5811ticket-granting tickets. However, the set of encryption types present 5812in the krbtgt keys is used by default to determine the session key 5813types supported by the krbtgt service (see 5814{\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}). Because non-MIT Kerberos clients 5815sometimes send a limited set of encryption types when making AS 5816requests, it can be important for the krbtgt service to support 5817multiple encryption types. This can be accomplished by giving the 5818krbtgt principal multiple keys, which is usually as simple as not 5819specifying any \sphinxstylestrong{-e} option when changing the krbtgt key, or by 5820setting the \sphinxstylestrong{session\_enctypes} string attribute on the krbtgt 5821principal (see {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}}). 
5822 5823Due to a bug in releases 1.8 through 1.13, renewed and forwarded 5824tickets may not work if the original ticket was obtained prior to a 5825krbtgt key change and the modified ticket is obtained afterwards. 5826Upgrading the KDC to release 1.14 or later will correct this bug. 5827 5828 5829\section{Incremental database propagation} 5830\label{\detokenize{admin/database:incremental-database-propagation}}\label{\detokenize{admin/database:incr-db-prop}} 5831 5832\subsection{Overview} 5833\label{\detokenize{admin/database:overview}} 5834At some very large sites, dumping and transmitting the database can 5835take more time than is desirable for changes to propagate from the 5836primary KDC to the replica KDCs. The incremental propagation support 5837added in the 1.7 release is intended to address this. 5838 5839With incremental propagation enabled, all programs on the primary KDC 5840that change the database also write information about the changes to 5841an “update log” file, maintained as a circular buffer of a certain 5842size. A process on each replica KDC connects to a service on the 5843primary KDC (currently implemented in the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} server) and 5844periodically requests the changes that have been made since the last 5845check. By default, this check is done every two minutes. 5846 5847Incremental propagation uses the following entries in the per-realm 5848data in the KDC config file (See {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}): 5849 5850 5851\begin{savenotes}\sphinxattablestart 5852\centering 5853\begin{tabulary}{\linewidth}[t]{|T|T|T|} 5854\hline 5855 5856iprop\_enable 5857& 5858\sphinxstyleemphasis{boolean} 5859& 5860If \sphinxstyleemphasis{true}, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. 
The default is \sphinxstyleemphasis{false}. 5861\\ 5862\hline 5863iprop\_master\_ulogsize 5864& 5865\sphinxstyleemphasis{integer} 5866& 5867Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. 5868\\ 5869\hline 5870iprop\_replica\_poll 5871& 5872\sphinxstyleemphasis{time interval} 5873& 5874Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes. 5875\\ 5876\hline 5877iprop\_port 5878& 5879\sphinxstyleemphasis{integer} 5880& 5881Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files. 5882\\ 5883\hline 5884iprop\_resync\_timeout 5885& 5886\sphinxstyleemphasis{integer} 5887& 5888Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes). 5889\\ 5890\hline 5891iprop\_logfile 5892& 5893\sphinxstyleemphasis{file name} 5894& 5895Specifies where the update log file for the realm database is to be stored. The default is to use the \sphinxstyleemphasis{database\_name} entry from the realms section of the config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, with \sphinxstyleemphasis{.ulog} appended. (NOTE: If database\_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \sphinxstyleemphasis{dbmodules} section, then the hard-coded default for \sphinxstyleemphasis{database\_name} is used. Determination of the \sphinxstyleemphasis{iprop\_logfile} default value will not use values from the \sphinxstyleemphasis{dbmodules} section.) 
5896\\ 5897\hline 5898\end{tabulary} 5899\par 5900\sphinxattableend\end{savenotes} 5901 5902Both primary and replica sides must have a principal named 5903\sphinxcode{kiprop/hostname} (where \sphinxstyleemphasis{hostname} is the lowercase, 5904fully-qualified, canonical name for the host) registered in the 5905Kerberos database, and have keys for that principal stored in the 5906default keytab file ({\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}). The \sphinxcode{kiprop/hostname} principal may 5907have been created automatically for the primary KDC, but it must 5908always be created for replica KDCs. 5909 5910On the primary KDC side, the \sphinxcode{kiprop/hostname} principal must be 5911listed in the kadmind ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, and given the 5912\sphinxstylestrong{p} privilege (see {\hyperref[\detokenize{admin/database:privileges}]{\sphinxcrossref{\DUrole{std,std-ref}{Privileges}}}}). 5913 5914On the replica KDC side, {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} should be run. When 5915incremental propagation is enabled, it will connect to the kadmind on 5916the primary KDC and start requesting updates. 5917 5918The normal kprop mechanism is disabled by the incremental propagation 5919support. However, if the replica has been unable to fetch changes 5920from the primary KDC for too long (network problems, perhaps), the log 5921on the primary may wrap around and overwrite some of the updates that 5922the replica has not yet retrieved. In this case, the replica will 5923instruct the primary KDC to dump the current database out to a file 5924and invoke a one-time kprop propagation, with special options to also 5925convey the point in the update log at which the replica should resume 5926fetching incremental updates. 
Thus, all the keytab and ACL setup 5927previously described for kprop propagation is still needed. 5928 5929If an environment has a large number of replicas, it may be desirable 5930to arrange them in a hierarchy instead of having the primary serve 5931updates to every replica. To do this, run \sphinxcode{kadmind -proponly} on 5932each intermediate replica, and \sphinxcode{kpropd -A upstreamhostname} on 5933downstream replicas to direct each one to the appropriate upstream 5934replica. 5935 5936There are several known restrictions in the current implementation: 5937\begin{itemize} 5938\item {} 5939The incremental update protocol does not transport changes to policy 5940objects. Any policy changes on the primary will result in full 5941resyncs to all replicas. 5942 5943\item {} 5944The replica’s KDB module must support locking; it cannot be using the 5945LDAP KDB module. 5946 5947\item {} 5948The primary and replica must be able to initiate TCP connections in 5949both directions, without an intervening NAT. 5950 5951\end{itemize} 5952 5953 5954\subsection{Sun/MIT incremental propagation differences} 5955\label{\detokenize{admin/database:sun-mit-incremental-propagation-differences}} 5956Sun donated the original code for supporting incremental database 5957propagation to MIT. Some changes have been made in the MIT source 5958tree that will be visible to administrators. (These notes are based 5959on Sun’s patches. Changes to Sun’s implementation since then may not 5960be reflected here.) 5961 5962The Sun config file support looks for \sphinxcode{sunw\_dbprop\_enable}, 5963\sphinxcode{sunw\_dbprop\_master\_ulogsize}, and \sphinxcode{sunw\_dbprop\_slave\_poll}. 5964 5965The incremental propagation service is implemented as an ONC RPC 5966service. In the Sun implementation, the service is registered with 5967rpcbind (also known as portmapper) and the client looks up the port 5968number to contact. 
In the MIT implementation, where interaction with 5969some modern versions of rpcbind doesn’t always work well, the port 5970number must be specified in the config file on both the primary and 5971replica sides. 5972 5973The Sun implementation hard-codes pathnames in \sphinxcode{/var/krb5} for the 5974update log and the per-replica kprop dump files. In the MIT 5975implementation, the pathname for the update log is specified in the 5976config file, and the per-replica dump files are stored in 5977{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/replica\_datatrans\_hostname}. 5978 5979 5980\chapter{Database types} 5981\label{\detokenize{admin/dbtypes::doc}}\label{\detokenize{admin/dbtypes:database-types}} 5982A Kerberos database can be implemented with one of three built-in 5983database providers, called KDB modules. Software which incorporates 5984the MIT krb5 KDC may also provide its own KDB module. The following 5985subsections describe the three built-in KDB modules and the 5986configuration specific to them. 5987 5988The database type can be configured with the \sphinxstylestrong{db\_library} variable 5989in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm. For example: 5990 5991\fvset{hllines={, ,}}% 5992\begin{sphinxVerbatim}[commandchars=\\\{\}] 5993\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} 5994 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 5995 \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{db2} 5996 \PYG{p}{\PYGZcb{}} 5997\end{sphinxVerbatim} 5998 5999If the \sphinxcode{ATHENA.MIT.EDU} realm subsection contains a 6000\sphinxstylestrong{database\_module} setting, then the subsection within 6001\sphinxcode{{[}dbmodules{]}} should use that name instead of \sphinxcode{ATHENA.MIT.EDU}. 
6002 6003To transition from one database type to another, stop the 6004{\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} service, use \sphinxcode{kdb5\_util dump} to create a dump 6005file, change the \sphinxstylestrong{db\_library} value and set any appropriate 6006configuration for the new database type, and use \sphinxcode{kdb5\_util load} to 6007create and populate the new database. If the new database type is 6008LDAP, create the new database using \sphinxcode{kdb5\_ldap\_util} and populate it 6009from the dump file using \sphinxcode{kdb5\_util load -update}. Then restart the 6010{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} services. 6011 6012 6013\section{Berkeley database module (db2)} 6014\label{\detokenize{admin/dbtypes:berkeley-database-module-db2}} 6015The default KDB module is \sphinxcode{db2}, which uses a version of the 6016Berkeley DB library. It creates four files based on the database 6017pathname. 
If the pathname ends with \sphinxcode{principal} then the four files 6018are: 6019\begin{itemize} 6020\item {} 6021\sphinxcode{principal}, containing principal entry data 6022 6023\item {} 6024\sphinxcode{principal.ok}, a lock file for the principal database 6025 6026\item {} 6027\sphinxcode{principal.kadm5}, containing policy object data 6028 6029\item {} 6030\sphinxcode{principal.kadm5.lock}, a lock file for the policy database 6031 6032\end{itemize} 6033 6034For large databases, the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{dump} command (perhaps 6035invoked by {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} or by {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} for incremental 6036propagation) may cause {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} to stop for a noticeable 6037period of time while it iterates over the database. This delay can be 6038avoided by disabling account lockout features so that the KDC does not 6039perform database writes (see {\hyperref[\detokenize{admin/lockout:disable-lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC performance and account lockout}}}}). Alternatively, 6040a slower form of iteration can be enabled by setting the 6041\sphinxstylestrong{unlockiter} variable to \sphinxcode{true}. 
For example: 6042 6043\fvset{hllines={, ,}}% 6044\begin{sphinxVerbatim}[commandchars=\\\{\}] 6045\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} 6046 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6047 \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{db2} 6048 \PYG{n}{unlockiter} \PYG{o}{=} \PYG{n}{true} 6049 \PYG{p}{\PYGZcb{}} 6050\end{sphinxVerbatim} 6051 6052In rare cases, a power failure or other unclean system shutdown may 6053cause inconsistencies in the internal pointers within a database file, 6054such that \sphinxcode{kdb5\_util dump} cannot retrieve all principal entries in 6055the database. In this situation, it may be possible to retrieve all 6056of the principal data by running \sphinxcode{kdb5\_util dump -recurse} to 6057iterate over the database using the tree pointers instead of the 6058iteration pointers. Running \sphinxcode{kdb5\_util dump -rev} to iterate over 6059the database backwards may also retrieve some of the data which is not 6060retrieved by a normal dump operation. 6061 6062 6063\section{Lightning Memory-Mapped Database module (klmdb)} 6064\label{\detokenize{admin/dbtypes:lightning-memory-mapped-database-module-klmdb}} 6065The klmdb module was added in release 1.17. It uses the LMDB library, 6066and may offer better performance and reliability than the db2 module. 6067It creates four files based on the database pathname. 
If the pathname 6068ends with \sphinxcode{principal}, then the four files are: 6069\begin{itemize} 6070\item {} 6071\sphinxcode{principal.mdb}, containing policy object data and most principal 6072entry data 6073 6074\item {} 6075\sphinxcode{principal.mdb-lock}, a lock file for the primary database 6076 6077\item {} 6078\sphinxcode{principal.lockout.mdb}, containing the account lockout attributes 6079(last successful authentication time, last failed authentication 6080time, and number of failed attempts) for each principal entry 6081 6082\item {} 6083\sphinxcode{principal.lockout.mdb-lock}, a lock file for the lockout database 6084 6085\end{itemize} 6086 6087Separating out the lockout attributes ensures that the KDC will never 6088block on an administrative operation such as a database dump or load. 6089It also allows the KDC to operate without write access to the primary 6090database. If both account lockout features are disabled (see 6091{\hyperref[\detokenize{admin/lockout:disable-lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC performance and account lockout}}}}), the lockout database files will be created 6092but will not subsequently be opened, and the account lockout 6093attributes will always have zero values. 6094 6095Because LMDB creates a memory map to the database files, it requires a 6096configured memory map size which also determines the maximum size of 6097the database. This size is applied equally to the two databases, so 6098twice the configured size will be consumed in the process address 6099space; this is primarily a limitation on 32-bit platforms. The 6100default value of 128 megabytes should be sufficient for several 6101hundred thousand principal entries. If the limit is reached, kadmin 6102operations will fail and the error message “Environment mapsize limit 6103reached” will appear in the kadmind log file. In this case, the 6104\sphinxstylestrong{mapsize} variable can be used to increase the map size. 
The 6105following example sets the map size to 512 megabytes: 6106 6107\fvset{hllines={, ,}}% 6108\begin{sphinxVerbatim}[commandchars=\\\{\}] 6109\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} 6110 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6111 \PYG{n}{db\PYGZus{}library} \PYG{o}{=} \PYG{n}{klmdb} 6112 \PYG{n}{mapsize} \PYG{o}{=} \PYG{l+m+mi}{512} 6113 \PYG{p}{\PYGZcb{}} 6114\end{sphinxVerbatim} 6115 6116LMDB has a configurable maximum number of readers. The default value 6117of 128 should be sufficient for most deployments. If you are going to 6118use a large number of KDC worker processes, it may be necessary to set 6119the \sphinxstylestrong{max\_readers} variable to a larger number. 6120 6121By default, LMDB synchronizes database files to disk after each write 6122transaction to ensure durability in the case of an unclean system 6123shutdown. The klmdb module always turns synchronization off for the 6124lockout database to ensure reasonable KDC performance, but leaves it 6125on for the primary database. If high throughput for administrative 6126operations (including password changes) is required, the \sphinxstylestrong{nosync} 6127variable can be set to “true” to disable synchronization for the 6128primary database. 6129 6130The klmdb module does not support explicit locking with the 6131{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command. 6132 6133 6134\section{LDAP module (kldap)} 6135\label{\detokenize{admin/dbtypes:ldap-module-kldap}} 6136The kldap module stores principal and policy data using an LDAP 6137server. To use it you must configure an LDAP server to use the 6138Kerberos schema. See {\hyperref[\detokenize{admin/conf_ldap:conf-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Configuring Kerberos with OpenLDAP back-end}}}} for details. 
6139 6140Because {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} is single-threaded, latency in LDAP database 6141accesses may limit KDC operation throughput. If the LDAP server is 6142located on the same server host as the KDC and accessed through an 6143\sphinxcode{ldapi://} URL, latency should be minimal. If this is not possible, 6144consider starting multiple KDC worker processes with the 6145{\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} \sphinxstylestrong{-w} option to enable concurrent processing of KDC 6146requests. 6147 6148The kldap module does not support explicit locking with the 6149{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{lock} command. 6150 6151 6152\chapter{Account lockout} 6153\label{\detokenize{admin/lockout:lockout}}\label{\detokenize{admin/lockout::doc}}\label{\detokenize{admin/lockout:account-lockout}} 6154As of release 1.8, the KDC can be configured to lock out principals 6155after a number of failed authentication attempts within a period of 6156time. Account lockout can make it more difficult to attack a 6157principal’s password by brute force, but also makes it easy for an 6158attacker to deny access to a principal. 6159 6160 6161\section{Configuring account lockout} 6162\label{\detokenize{admin/lockout:configuring-account-lockout}} 6163Account lockout only works for principals with the 6164\sphinxstylestrong{+requires\_preauth} flag set. Without this flag, the KDC cannot 6165know whether or not a client successfully decrypted the ticket it 6166issued. It is also important to set the \sphinxstylestrong{-allow\_svr} flag on a 6167principal to protect its password from an off-line dictionary attack 6168through a TGS request. 
You can set these flags on a principal with 6169{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} as follows: 6170 6171\fvset{hllines={, ,}}% 6172\begin{sphinxVerbatim}[commandchars=\\\{\}] 6173\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{PRINCNAME} 6174\end{sphinxVerbatim} 6175 6176Account lockout parameters are configured via {\hyperref[\detokenize{admin/database:policies}]{\sphinxcrossref{\DUrole{std,std-ref}{policy objects}}}}. There may be an existing policy associated with user 6177principals (such as the “default” policy), or you may need to create a 6178new one and associate it with each user principal. 6179 6180The policy parameters related to account lockout are: 6181\begin{itemize} 6182\item {} 6183{\hyperref[\detokenize{admin/database:policy-maxfailure}]{\sphinxcrossref{\DUrole{std,std-ref}{maxfailure}}}}: the number of failed attempts 6184before the principal is locked out 6185 6186\item {} 6187{\hyperref[\detokenize{admin/database:policy-failurecountinterval}]{\sphinxcrossref{\DUrole{std,std-ref}{failurecountinterval}}}}: the 6188allowable interval between failed attempts 6189 6190\item {} 6191{\hyperref[\detokenize{admin/database:policy-lockoutduration}]{\sphinxcrossref{\DUrole{std,std-ref}{lockoutduration}}}}: the amount of time 6192a principal is locked out for 6193 6194\end{itemize} 6195 6196Here is an example of setting these parameters on a new policy and 6197associating it with a principal: 6198 6199\fvset{hllines={, ,}}% 6200\begin{sphinxVerbatim}[commandchars=\\\{\}] 6201\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addpol} \PYG{o}{\PYGZhy{}}\PYG{n}{maxfailure} \PYG{l+m+mi}{10} \PYG{o}{\PYGZhy{}}\PYG{n}{failurecountinterval} \PYG{l+m+mi}{180} 6202 \PYG{o}{\PYGZhy{}}\PYG{n}{lockoutduration} \PYG{l+m+mi}{60} \PYG{n}{lockout\PYGZus{}policy} 6203\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} 
\PYG{o}{\PYGZhy{}}\PYG{n}{policy} \PYG{n}{lockout\PYGZus{}policy} \PYG{n}{PRINCNAME} 6204\end{sphinxVerbatim} 6205 6206 6207\section{Testing account lockout} 6208\label{\detokenize{admin/lockout:testing-account-lockout}} 6209To test that account lockout is working, try authenticating as the 6210principal (hopefully not one that might be in use) multiple times with 6211the wrong password. For instance, if \sphinxstylestrong{maxfailure} is set to 2, you 6212might see: 6213 6214\fvset{hllines={, ,}}% 6215\begin{sphinxVerbatim}[commandchars=\\\{\}] 6216\PYGZdl{} kinit user 6217Password for user@KRBTEST.COM: 6218kinit: Password incorrect while getting initial credentials 6219\PYGZdl{} kinit user 6220Password for user@KRBTEST.COM: 6221kinit: Password incorrect while getting initial credentials 6222\PYGZdl{} kinit user 6223kinit: Client\PYGZsq{}s credentials have been revoked while getting initial credentials 6224\end{sphinxVerbatim} 6225 6226 6227\section{Account lockout principal state} 6228\label{\detokenize{admin/lockout:account-lockout-principal-state}} 6229A principal entry keeps three pieces of state related to account 6230lockout: 6231\begin{itemize} 6232\item {} 6233The time of last successful authentication 6234 6235\item {} 6236The time of last failed authentication 6237 6238\item {} 6239A counter of failed attempts 6240 6241\end{itemize} 6242 6243The time of last successful authentication is not actually needed for 6244the account lockout system to function, but may be of administrative 6245interest. These fields can be observed with the \sphinxstylestrong{getprinc} kadmin 6246command. 
For example: 6247 6248\fvset{hllines={, ,}}% 6249\begin{sphinxVerbatim}[commandchars=\\\{\}] 6250\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{user} 6251\PYG{n}{Principal}\PYG{p}{:} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} 6252\PYG{o}{.}\PYG{o}{.}\PYG{o}{.} 6253\PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 6254\PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Dec} \PYG{l+m+mi}{03} \PYG{l+m+mi}{12}\PYG{p}{:}\PYG{l+m+mi}{30}\PYG{p}{:}\PYG{l+m+mi}{33} \PYG{n}{EST} \PYG{l+m+mi}{2012} 6255\PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{2} 6256\PYG{o}{.}\PYG{o}{.}\PYG{o}{.} 6257\end{sphinxVerbatim} 6258 6259A principal which has been locked out can be administratively unlocked 6260with the \sphinxstylestrong{-unlock} option to the \sphinxstylestrong{modprinc} kadmin command: 6261 6262\fvset{hllines={, ,}}% 6263\begin{sphinxVerbatim}[commandchars=\\\{\}] 6264\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{unlock} \PYG{n}{PRINCNAME} 6265\end{sphinxVerbatim} 6266 6267This command will reset the number of failed attempts to 0. 6268 6269 6270\section{KDC replication and account lockout} 6271\label{\detokenize{admin/lockout:kdc-replication-and-account-lockout}} 6272The account lockout state of a principal is not replicated by either 6273traditional {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} or incremental propagation. Because of 6274this, the number of attempts an attacker can make within a time period 6275is multiplied by the number of KDCs. For instance, if the 6276\sphinxstylestrong{maxfailure} parameter on a policy is 10 and there are four KDCs in 6277the environment (a primary and three replicas), an attacker could make 6278as many as 40 attempts before the principal is locked out on all four 6279KDCs. 
6280 6281An administrative unlock is propagated from the primary to the replica 6282KDCs during the next propagation. Propagation of an administrative 6283unlock will cause the counter of failed attempts on each replica to 6284reset to 1 on the next failure. 6285 6286If a KDC environment uses a replication strategy other than kprop or 6287incremental propagation, such as the LDAP KDB module with multi-master 6288LDAP replication, then account lockout state may be replicated between 6289KDCs and the concerns of this section may not apply. 6290 6291 6292\section{KDC performance and account lockout} 6293\label{\detokenize{admin/lockout:kdc-performance-and-account-lockout}}\label{\detokenize{admin/lockout:disable-lockout}} 6294In order to fully track account lockout state, the KDC must write to 6295the database on each successful and failed authentication. 6296Writing to the database is generally more expensive than reading from 6297it, so these writes may have a significant impact on KDC performance. 6298As of release 1.9, it is possible to turn off account lockout state 6299tracking in order to improve performance, by setting the 6300\sphinxstylestrong{disable\_last\_success} and \sphinxstylestrong{disable\_lockout} variables in the 6301database module subsection of {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. For example: 6302 6303\fvset{hllines={, ,}}% 6304\begin{sphinxVerbatim}[commandchars=\\\{\}] 6305\PYG{p}{[}\PYG{n}{dbmodules}\PYG{p}{]} 6306 \PYG{n}{DB} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6307 \PYG{n}{disable\PYGZus{}last\PYGZus{}success} \PYG{o}{=} \PYG{n}{true} 6308 \PYG{n}{disable\PYGZus{}lockout} \PYG{o}{=} \PYG{n}{true} 6309 \PYG{p}{\PYGZcb{}} 6310\end{sphinxVerbatim} 6311 6312Of the two variables, setting \sphinxstylestrong{disable\_last\_success} will usually 6313have the largest positive impact on performance, and will still allow 6314account lockout policies to operate. 
However, it will make it 6315impossible to observe the last successful authentication time with 6316kadmin. 6317 6318 6319\section{KDC setup and account lockout} 6320\label{\detokenize{admin/lockout:kdc-setup-and-account-lockout}} 6321To update the account lockout state on principals, the KDC must be 6322able to write to the principal database. For the DB2 module, no 6323special setup is required. For the LDAP module, the KDC DN must be 6324granted write access to the principal objects. If the KDC DN has only 6325read access, account lockout will not function. 6326 6327 6328\chapter{Configuring Kerberos with OpenLDAP back-end} 6329\label{\detokenize{admin/conf_ldap:conf-ldap}}\label{\detokenize{admin/conf_ldap::doc}}\label{\detokenize{admin/conf_ldap:configuring-kerberos-with-openldap-back-end}}\begin{enumerate} 6330\item {} 6331Make sure the LDAP server is using local authentication 6332(\sphinxcode{ldapi://}) or TLS (\sphinxcode{ldaps}). See 6333\sphinxurl{https://www.openldap.org/doc/admin24/tls.html} for instructions on 6334configuring TLS support in OpenLDAP. 6335 6336\item {} 6337Add the Kerberos schema file to the LDAP Server using the OpenLDAP 6338LDIF file from the krb5 source directory 6339(\sphinxcode{src/plugins/kdb/ldap/libkdb\_ldap/kerberos.openldap.ldif}). 
6340The following example uses local authentication: 6341 6342\fvset{hllines={, ,}}% 6343\begin{sphinxVerbatim}[commandchars=\\\{\}] 6344\PYG{n}{ldapadd} \PYG{o}{\PYGZhy{}}\PYG{n}{Y} \PYG{n}{EXTERNAL} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldapi}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{o}{/} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{openldap}\PYG{o}{.}\PYG{n}{ldif} 6345\end{sphinxVerbatim} 6346 6347\item {} 6348Choose DNs for the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} and {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} servers 6349to bind to the LDAP server, and create them if necessary. Specify 6350these DNs with the \sphinxstylestrong{ldap\_kdc\_dn} and \sphinxstylestrong{ldap\_kadmind\_dn} 6351directives in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. The kadmind DN will also be 6352used for administrative commands such as {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}. 6353 6354Alternatively, you may configure krb5kdc and kadmind to use SASL 6355authentication to access the LDAP server; see the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} 6356relations \sphinxstylestrong{ldap\_kdc\_sasl\_mech} and similar. 6357 6358\item {} 6359Specify a location for the LDAP service password file by setting 6360\sphinxstylestrong{ldap\_service\_password\_file}. Use \sphinxcode{kdb5\_ldap\_util stashsrvpw} 6361to stash passwords for the KDC and kadmind DNs chosen above. 
For 6362example: 6363 6364\fvset{hllines={, ,}}% 6365\begin{sphinxVerbatim}[commandchars=\\\{\}] 6366\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{service}\PYG{o}{.}\PYG{n}{keyfile} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{krbadmin}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com} 6367\end{sphinxVerbatim} 6368 6369Skip this step if you are using SASL authentication and the 6370mechanism does not require a password. 6371 6372\item {} 6373Choose a DN for the global Kerberos container entry (but do not 6374create the entry at this time). Specify this DN with the 6375\sphinxstylestrong{ldap\_kerberos\_container\_dn} directive in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 6376Realm container entries will be created underneath this DN. 6377Principal entries may exist either underneath the realm container 6378(the default) or in separate trees referenced from the realm 6379container. 6380 6381\item {} 6382Configure the LDAP server ACLs to enable the KDC and kadmin server 6383DNs to read and write the Kerberos data. If 6384\sphinxstylestrong{disable\_last\_success} and \sphinxstylestrong{disable\_lockout} are both set to 6385true in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm, then the 6386KDC DN only requires read access to the Kerberos data. 
6387 6388Sample access control information: 6389 6390\fvset{hllines={, ,}}% 6391\begin{sphinxVerbatim}[commandchars=\\\{\}] 6392\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{base}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}} 6393 \PYG{n}{by} \PYG{o}{*} \PYG{n}{read} 6394 6395\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{base}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=Subschema}\PYG{l+s+s2}{\PYGZdq{}} 6396 \PYG{n}{by} \PYG{o}{*} \PYG{n}{read} 6397 6398\PYG{c+c1}{\PYGZsh{} Provide access to the realm container.} 6399\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{subtree}\PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} 6400 \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=kdc\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} 6401 \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=adm\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} 6402 \PYG{n}{by} \PYG{o}{*} \PYG{n}{none} 6403 6404\PYG{c+c1}{\PYGZsh{} Provide access to principals, if not underneath the realm container.} 6405\PYG{n}{access} \PYG{n}{to} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{subtree}\PYG{o}{=} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{ou=users,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} 6406 \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=kdc\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} 6407 \PYG{n}{by} \PYG{n}{dn}\PYG{o}{.}\PYG{n}{exact}\PYG{o}{=}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=adm\PYGZhy{}service,dc=example,dc=com}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{write} 6408 \PYG{n}{by} \PYG{o}{*} \PYG{n}{none} 6409 6410\PYG{n}{access} \PYG{n}{to} \PYG{o}{*} 6411 \PYG{n}{by} \PYG{o}{*} \PYG{n}{read} 6412\end{sphinxVerbatim} 6413 6414If the locations of the container and principals or the DNs of the 
6415service objects for a realm are changed then this information 6416should be updated. 6417 6418\item {} 6419In {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, make sure the following relations are set 6420in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbmodules}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbmodules{]}}}}} subsection for the realm: 6421 6422\fvset{hllines={, ,}}% 6423\begin{sphinxVerbatim}[commandchars=\\\{\}] 6424db\PYGZus{}library (set to {}`{}`kldap{}`{}`) 6425ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn 6426ldap\PYGZus{}kdc\PYGZus{}dn 6427ldap\PYGZus{}kadmind\PYGZus{}dn 6428ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file 6429ldap\PYGZus{}servers 6430\end{sphinxVerbatim} 6431 6432\item {} 6433Create the realm using {\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}} (see 6434{\hyperref[\detokenize{admin/database:ldap-create-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{Creating a Kerberos realm}}}}): 6435 6436\fvset{hllines={, ,}}% 6437\begin{sphinxVerbatim}[commandchars=\\\{\}] 6438\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{subtrees} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{users}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{example}\PYG{p}{,}\PYG{n}{dc}\PYG{o}{=}\PYG{n}{com} \PYG{o}{\PYGZhy{}}\PYG{n}{s} 6439\end{sphinxVerbatim} 6440 6441Use the \sphinxstylestrong{-subtrees} option if the principals are to exist in a 6442separate subtree from the realm container. Before executing the 6443command, make sure that the subtree mentioned above 6444\sphinxcode{(ou=users,dc=example,dc=com)} exists. If the principals will 6445exist underneath the realm container, omit the \sphinxstylestrong{-subtrees} option 6446and do not worry about creating the principal subtree. 
6447 6448For more information, refer to the section {\hyperref[\detokenize{admin/database:ops-on-ldap}]{\sphinxcrossref{\DUrole{std,std-ref}{Operations on the LDAP database}}}}. 6449 6450The realm object is created under the 6451\sphinxstylestrong{ldap\_kerberos\_container\_dn} specified in the configuration 6452file. This operation will also create the Kerberos container, if 6453not present already. This container can be used to store 6454information related to multiple realms. 6455 6456\item {} 6457Add an \sphinxcode{eq} index for \sphinxcode{krbPrincipalName} to speed up principal 6458lookup operations. See 6459\sphinxurl{https://www.openldap.org/doc/admin24/tuning.html\#Indexes} for 6460details. 6461 6462\end{enumerate} 6463 6464With the LDAP back end it is possible to provide aliases for principal 6465entries. Currently we provide no administrative utilities for 6466creating aliases, so it must be done by direct manipulation of the 6467LDAP entries. 6468 6469An entry with aliases contains multiple values of the 6470\sphinxstyleemphasis{krbPrincipalName} attribute. Since LDAP attribute values are not 6471ordered, it is necessary to specify which principal name is canonical, 6472by using the \sphinxstyleemphasis{krbCanonicalName} attribute. Therefore, to create 6473aliases for an entry, first set the \sphinxstyleemphasis{krbCanonicalName} attribute of 6474the entry to the canonical principal name (which should be identical 6475to the pre-existing \sphinxstyleemphasis{krbPrincipalName} value), and then add additional 6476\sphinxstyleemphasis{krbPrincipalName} attributes for the aliases. 6477 6478Principal aliases are only returned by the KDC when the client 6479requests canonicalization. Canonicalization is normally requested for 6480service principals; for client principals, an explicit flag is often 6481required (e.g., \sphinxcode{kinit -C}) and canonicalization is only performed 6482for initial ticket requests. 
6483 6484 6485\chapter{Application servers} 6486\label{\detokenize{admin/appl_servers::doc}}\label{\detokenize{admin/appl_servers:application-servers}} 6487If you need to install the Kerberos V5 programs on an application 6488server, please refer to the Kerberos V5 Installation Guide. Once you 6489have installed the software, you need to add that host to the Kerberos 6490database (see {\hyperref[\detokenize{admin/database:add-mod-del-princs}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding, modifying and deleting principals}}}}), and generate a keytab for 6491that host, that contains the host’s key. You also need to make sure 6492the host’s clock is within your maximum clock skew of the KDCs. 6493 6494 6495\section{Keytabs} 6496\label{\detokenize{admin/appl_servers:keytabs}} 6497A keytab is a host’s copy of its own keylist, which is analogous to a 6498user’s password. An application server that needs to authenticate 6499itself to the KDC has to have a keytab that contains its own principal 6500and key. Just as it is important for users to protect their 6501passwords, it is equally important for hosts to protect their keytabs. 6502You should always store keytab files on local disk, and make them 6503readable only by root, and you should never send a keytab file over a 6504network in the clear. Ideally, you should run the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} 6505command to extract a keytab on the host on which the keytab is to 6506reside. 6507 6508 6509\subsection{Adding principals to keytabs} 6510\label{\detokenize{admin/appl_servers:adding-principals-to-keytabs}}\label{\detokenize{admin/appl_servers:add-princ-kt}} 6511To generate a keytab, or to add a principal to an existing keytab, use 6512the \sphinxstylestrong{ktadd} command from kadmin. 
6513 6514 6515\subsection{ktadd} 6516\label{\detokenize{admin/appl_servers:ktadd}}\begin{quote} 6517 6518\begin{DUlineblock}{0em} 6519\item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstyleemphasis{principal} 6520\item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstylestrong{-glob} \sphinxstyleemphasis{princ-exp} 6521\end{DUlineblock} 6522\end{quote} 6523 6524Adds a \sphinxstyleemphasis{principal}, or all principals matching \sphinxstyleemphasis{princ-exp}, to a 6525keytab file. Each principal’s keys are randomized in the process. 6526The rules for \sphinxstyleemphasis{princ-exp} are described in the \sphinxstylestrong{list\_principals} 6527command. 6528 6529This command requires the \sphinxstylestrong{inquire} and \sphinxstylestrong{changepw} privileges. 6530With the \sphinxstylestrong{-glob} form, it also requires the \sphinxstylestrong{list} privilege. 6531 6532The options are: 6533\begin{description} 6534\item[{\sphinxstylestrong{-k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode 6535Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is 6536used. 6537 6538\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode 6539Uses the specified keysalt list for setting the new keys of the 6540principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a 6541list of possible values. 6542 6543\item[{\sphinxstylestrong{-q}}] \leavevmode 6544Display less verbose information. 6545 6546\item[{\sphinxstylestrong{-norandkey}}] \leavevmode 6547Do not randomize the keys. The keys and their version numbers stay 6548unchanged. This option cannot be specified in combination with the 6549\sphinxstylestrong{-e} option. 
6550 6551\end{description} 6552 6553An entry for each of the principal’s unique encryption types is added, 6554ignoring multiple keys with the same encryption type but different 6555salt types. 6556 6557Alias: \sphinxstylestrong{xst} 6558 6559Example: 6560 6561\fvset{hllines={, ,}}% 6562\begin{sphinxVerbatim}[commandchars=\\\{\}] 6563\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 6564\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} 6565 \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} 6566 \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} 6567\PYG{n}{kadmin}\PYG{p}{:} 6568\end{sphinxVerbatim} 6569 6570 6571\subsubsection{Examples} 6572\label{\detokenize{admin/appl_servers:examples}} 6573Here is a sample session, using configuration files that enable only 6574AES encryption: 6575 6576\fvset{hllines={, ,}}% 6577\begin{sphinxVerbatim}[commandchars=\\\{\}] 6578\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 6579\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} 
\PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} 6580\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} 6581\PYG{n}{kadmin}\PYG{p}{:} 6582\end{sphinxVerbatim} 6583 6584 6585\subsection{Removing principals from keytabs} 6586\label{\detokenize{admin/appl_servers:removing-principals-from-keytabs}} 6587To remove a principal from an existing keytab, use the kadmin 6588\sphinxstylestrong{ktremove} command. 6589 6590 6591\subsection{ktremove} 6592\label{\detokenize{admin/appl_servers:ktremove}}\begin{quote} 6593 6594\sphinxstylestrong{ktremove} {[}options{]} \sphinxstyleemphasis{principal} {[}\sphinxstyleemphasis{kvno} \textbar{} \sphinxstyleemphasis{all} \textbar{} \sphinxstyleemphasis{old}{]} 6595\end{quote} 6596 6597Removes entries for the specified \sphinxstyleemphasis{principal} from a keytab. Requires 6598no permissions, since this does not require database access. 6599 6600If the string “all” is specified, all entries for that principal are 6601removed; if the string “old” is specified, all entries for that 6602principal except those with the highest kvno are removed. Otherwise, 6603the value specified is parsed as an integer, and all entries whose 6604kvno match that integer are removed. 
6605 6606The options are: 6607\begin{description} 6608\item[{\sphinxstylestrong{-k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode 6609Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is 6610used. 6611 6612\item[{\sphinxstylestrong{-q}}] \leavevmode 6613Display less verbose information. 6614 6615\end{description} 6616 6617Alias: \sphinxstylestrong{ktrem} 6618 6619Example: 6620 6621\fvset{hllines={, ,}}% 6622\begin{sphinxVerbatim}[commandchars=\\\{\}] 6623\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktremove} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{n+nb}{all} 6624\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} 6625 \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} 6626\PYG{n}{kadmin}\PYG{p}{:} 6627\end{sphinxVerbatim} 6628 6629 6630\subsection{Using a keytab to acquire client credentials} 6631\label{\detokenize{admin/appl_servers:using-a-keytab-to-acquire-client-credentials}} 6632While keytabs are ordinarily used to accept credentials from clients, 6633they can also be used to acquire initial credentials, allowing one 6634service to authenticate to another. 6635 6636To manually obtain credentials using a keytab, use the \DUrole{xref,std,std-ref}{kinit(1)} 6637\sphinxstylestrong{-k} option, together with the \sphinxstylestrong{-t} option if the keytab is not in 6638the default location. 6639 6640Beginning with release 1.11, GSSAPI applications can be configured to 6641automatically obtain initial credentials from a keytab as needed. The 6642recommended configuration is as follows: 6643\begin{enumerate} 6644\item {} 6645Create a keytab containing a single entry for the desired client 6646identity. 
6647 6648\item {} 6649Place the keytab in a location readable by the service, and set the 6650\sphinxstylestrong{KRB5\_CLIENT\_KTNAME} environment variable to its filename. 6651Alternatively, use the \sphinxstylestrong{default\_client\_keytab\_name} profile 6652variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}, or use the default location of 6653{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}}. 6654 6655\item {} 6656Set \sphinxstylestrong{KRB5CCNAME} to a filename writable by the service, which 6657will not be used for any other purpose. Do not manually obtain 6658credentials at this location. (Another credential cache type 6659besides \sphinxstylestrong{FILE} can be used if desired, as long as the cache will not 6660conflict with another use. A \sphinxstylestrong{MEMORY} cache can be used if the 6661service runs as a long-lived process. See \DUrole{xref,std,std-ref}{ccache\_definition} 6662for details.) 6663 6664\item {} 6665Start the service. When it authenticates using GSSAPI, it will 6666automatically obtain credentials from the client keytab into the 6667specified credential cache, and refresh them before they expire. 6668 6669\end{enumerate} 6670 6671 6672\section{Clock Skew} 6673\label{\detokenize{admin/appl_servers:clock-skew}} 6674A Kerberos application server host must keep its clock synchronized or 6675it will reject authentication requests from clients. Modern operating 6676systems typically provide a facility to maintain the correct time; 6677make sure it is enabled. This is especially important on virtual 6678machines, where clocks tend to drift more rapidly than normal machine 6679clocks. 6680 6681The default allowable clock skew is controlled by the \sphinxstylestrong{clockskew} 6682variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. 
6683 6684 6685\section{Getting DNS information correct} 6686\label{\detokenize{admin/appl_servers:getting-dns-information-correct}} 6687Several aspects of Kerberos rely on name service. When a hostname is 6688used to name a service, clients may canonicalize the hostname using 6689forward and possibly reverse name resolution. The result of this 6690canonicalization must match the principal entry in the host’s keytab, 6691or authentication will fail. To work with all client canonicalization 6692configurations, each host’s canonical name must be the fully-qualified 6693host name (including the domain), and each host’s IP address must 6694reverse-resolve to the canonical name. 6695 6696Configuration of hostnames varies by operating system. On the 6697application server itself, canonicalization will typically use the 6698\sphinxcode{/etc/hosts} file rather than the DNS. Ensure that the line for the 6699server’s hostname is in the following form: 6700 6701\fvset{hllines={, ,}}% 6702\begin{sphinxVerbatim}[commandchars=\\\{\}] 6703\PYG{n}{IP} \PYG{n}{address} \PYG{n}{fully}\PYG{o}{\PYGZhy{}}\PYG{n}{qualified} \PYG{n}{hostname} \PYG{n}{aliases} 6704\end{sphinxVerbatim} 6705 6706Here is a sample \sphinxcode{/etc/hosts} file: 6707 6708\fvset{hllines={, ,}}% 6709\begin{sphinxVerbatim}[commandchars=\\\{\}] 6710\PYG{c+c1}{\PYGZsh{} this is a comment} 6711\PYG{l+m+mf}{127.0}\PYG{o}{.}\PYG{l+m+mf}{0.1} \PYG{n}{localhost} \PYG{n}{localhost}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 6712\PYG{l+m+mf}{10.0}\PYG{o}{.}\PYG{l+m+mf}{0.6} \PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{daffodil} \PYG{n}{trillium} \PYG{n}{wake}\PYG{o}{\PYGZhy{}}\PYG{n}{robin} 6713\end{sphinxVerbatim} 6714 6715The output of \sphinxcode{klist -k} for this example host should look like: 6716 6717\fvset{hllines={, ,}}% 6718\begin{sphinxVerbatim}[commandchars=\\\{\}] 6719\PYG{n}{viola}\PYG{c+c1}{\PYGZsh{} klist \PYGZhy{}k} 6720\PYG{n}{Keytab} \PYG{n}{name}\PYG{p}{:} 
\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} 6721\PYG{n}{KVNO} \PYG{n}{Principal} 6722\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} 6723 \PYG{l+m+mi}{2} \PYG{n}{host}\PYG{o}{/}\PYG{n}{daffodil}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 6724\end{sphinxVerbatim} 6725 6726If you were to ssh to this host with a fresh credentials cache (ticket 6727file), and then \DUrole{xref,std,std-ref}{klist(1)}, the output should list a service 6728principal of \sphinxcode{host/daffodil.mit.edu@ATHENA.MIT.EDU}. 
6729 6730 6731\section{Configuring your firewall to work with Kerberos V5} 6732\label{\detokenize{admin/appl_servers:conf-firewall}}\label{\detokenize{admin/appl_servers:configuring-your-firewall-to-work-with-kerberos-v5}} 6733If you need off-site users to be able to get Kerberos tickets in your 6734realm, they must be able to get to your KDC. This requires either 6735that you have a replica KDC outside your firewall, or that you 6736configure your firewall to allow UDP requests into at least one of 6737your KDCs, on whichever port the KDC is running. (The default is port 673888; other ports may be specified in the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} 6739file.) Similarly, if you need off-site users to be able to change 6740their passwords in your realm, they must be able to get to your 6741Kerberos admin server on the kpasswd port (which defaults to 464). If 6742you need off-site users to be able to administer your Kerberos realm, 6743they must be able to get to your Kerberos admin server on the 6744administrative port (which defaults to 749). 6745 6746If your on-site users inside your firewall will need to get to KDCs in 6747other realms, you will also need to configure your firewall to allow 6748outgoing TCP and UDP requests to port 88, and to port 464 to allow 6749password changes. If your on-site users inside your firewall will 6750need to get to Kerberos admin servers in other realms, you will also 6751need to allow outgoing TCP and UDP requests to port 749. 6752 6753If any of your KDCs are outside your firewall, you will need to allow 6754kprop requests to get through to the remote KDC. {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} uses 6755the \sphinxcode{krb5\_prop} service on port 754 (tcp). 
6756 6757The book \sphinxstyleemphasis{UNIX System Security}, by David Curry, is a good starting 6758point for learning to configure firewalls. 6759 6760 6761\chapter{Host configuration} 6762\label{\detokenize{admin/host_config:host-configuration}}\label{\detokenize{admin/host_config::doc}} 6763All hosts running Kerberos software, whether they are clients, 6764application servers, or KDCs, can be configured using 6765{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Here we describe some of the behavior changes 6766you might want to make. 6767 6768 6769\section{Default realm} 6770\label{\detokenize{admin/host_config:default-realm}} 6771In the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section, the \sphinxstylestrong{default\_realm} realm 6772relation sets the default Kerberos realm. For example: 6773 6774\fvset{hllines={, ,}}% 6775\begin{sphinxVerbatim}[commandchars=\\\{\}] 6776\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 6777 \PYG{n}{default\PYGZus{}realm} \PYG{o}{=} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 6778\end{sphinxVerbatim} 6779 6780The default realm affects Kerberos behavior in the following ways: 6781\begin{itemize} 6782\item {} 6783When a principal name is parsed from text, the default realm is used 6784if no \sphinxcode{@REALM} component is specified. 6785 6786\item {} 6787The default realm affects login authorization as described below. 6788 6789\item {} 6790For programs which operate on a Kerberos database, the default realm 6791is used to determine which database to operate on, unless the \sphinxstylestrong{-r} 6792parameter is given to specify a realm. 
6793 6794\item {} 6795A server program may use the default realm when looking up its key 6796in a {\hyperref[\detokenize{admin/install_appl_srv:keytab-file}]{\sphinxcrossref{\DUrole{std,std-ref}{keytab file}}}}, if its realm is not 6797determined by {\hyperref[\detokenize{admin/conf_files/krb5_conf:domain-realm}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}domain\_realm{]}}}}} configuration or by the server 6798program itself. 6799 6800\item {} 6801If \DUrole{xref,std,std-ref}{kinit(1)} is passed the \sphinxstylestrong{-n} flag, it requests anonymous 6802tickets from the default realm. 6803 6804\end{itemize} 6805 6806In some situations, these uses of the default realm might conflict. 6807For example, it might be desirable for principal name parsing to use 6808one realm by default, but for login authorization to use a second 6809realm. In this situation, the first realm can be configured as the 6810default realm, and \sphinxstylestrong{auth\_to\_local} relations can be used as 6811described below to use the second realm for login authorization. 6812 6813 6814\section{Login authorization} 6815\label{\detokenize{admin/host_config:login-authorization}}\label{\detokenize{admin/host_config:id1}} 6816If a host runs a Kerberos-enabled login service such as OpenSSH with 6817GSSAPIAuthentication enabled, login authorization rules determine 6818whether a Kerberos principal is allowed to access a local account. 6819 6820By default, a Kerberos principal is allowed access to an account if 6821its realm matches the default realm and its name matches the account 6822name. (For historical reasons, access is also granted by default if 6823the name has two components and the second component matches the 6824default realm; for instance, \sphinxcode{alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU} 6825is granted access to the \sphinxcode{alice} account if \sphinxcode{ATHENA.MIT.EDU} is 6826the default realm.) 
6827 6828The simplest way to control local access is using \DUrole{xref,std,std-ref}{.k5login(5)} 6829files. To use these, place a \sphinxcode{.k5login} file in the home directory 6830of each account listing the principal names which should have login 6831access to that account. If it is not desirable to use \sphinxcode{.k5login} 6832files located in account home directories, the \sphinxstylestrong{k5login\_directory} 6833relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section can specify a directory 6834containing one file per account uname. 6835 6836By default, if a \sphinxcode{.k5login} file is present, it controls 6837authorization both positively and negatively\textendash{}any principal name 6838contained in the file is granted access and any other principal name 6839is denied access, even if it would have had access if the \sphinxcode{.k5login} 6840file didn’t exist. The \sphinxstylestrong{k5login\_authoritative} relation in the 6841{\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} section can be set to false to make \sphinxcode{.k5login} 6842files provide positive authorization only. 6843 6844The \sphinxstylestrong{auth\_to\_local} relation in the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section for the 6845default realm can specify pattern-matching rules to control login 6846authorization. For example, the following configuration allows access 6847to principals from a different realm than the default realm: 6848 6849\fvset{hllines={, ,}}% 6850\begin{sphinxVerbatim}[commandchars=\\\{\}] 6851[realms] 6852 DEFAULT.REALM = \PYGZob{} 6853 \PYGZsh{} Allow access to principals from OTHER.REALM. 
6854 \PYGZsh{} 6855 \PYGZsh{} [1:\PYGZdl{}1@\PYGZdl{}0] matches single\PYGZhy{}component principal names and creates 6856 \PYGZsh{} a selection string containing the principal name and realm. 6857 \PYGZsh{} 6858 \PYGZsh{} (.*@OTHER\PYGZbs{}.REALM) matches against the selection string, so that 6859 \PYGZsh{} only principals in OTHER.REALM are matched. 6860 \PYGZsh{} 6861 \PYGZsh{} s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// removes the realm name, leaving behind the 6862 \PYGZsh{} principal name as the account name. 6863 auth\PYGZus{}to\PYGZus{}local = RULE:[1:\PYGZdl{}1@\PYGZdl{}0](.*@OTHER\PYGZbs{}.REALM)s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// 6864 6865 \PYGZsh{} Also allow principals from the default realm. Omit this line 6866 \PYGZsh{} to only allow access to principals in OTHER.REALM. 6867 auth\PYGZus{}to\PYGZus{}local = DEFAULT 6868 \PYGZcb{} 6869\end{sphinxVerbatim} 6870 6871The \sphinxstylestrong{auth\_to\_local\_names} subsection of the {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} section 6872for the default realm can specify explicit mappings from principal 6873names to local accounts. The key used in this subsection is the 6874principal name without realm, so it is only safe to use in a Kerberos 6875environment with a single realm or a tightly controlled set of realms. 
6876An example use of \sphinxstylestrong{auth\_to\_local\_names} might be: 6877 6878\fvset{hllines={, ,}}% 6879\begin{sphinxVerbatim}[commandchars=\\\{\}] 6880\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 6881 \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6882 \PYG{n}{auth\PYGZus{}to\PYGZus{}local\PYGZus{}names} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6883 \PYG{c+c1}{\PYGZsh{} Careful, these match principals in any realm!} 6884 \PYG{n}{host}\PYG{o}{/}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} \PYG{o}{=} \PYG{n}{hostaccount} 6885 \PYG{n}{fred} \PYG{o}{=} \PYG{n}{localfred} 6886 \PYG{p}{\PYGZcb{}} 6887 \PYG{p}{\PYGZcb{}} 6888\end{sphinxVerbatim} 6889 6890Local authorization behavior can also be modified using plugin 6891modules; see \DUrole{xref,std,std-ref}{hostrealm\_plugin} for details. 6892 6893 6894\section{Plugin module configuration} 6895\label{\detokenize{admin/host_config:plugin-config}}\label{\detokenize{admin/host_config:plugin-module-configuration}} 6896Many aspects of Kerberos behavior, such as client preauthentication 6897and KDC service location, can be modified through the use of plugin 6898modules. For most of these behaviors, you can use the {\hyperref[\detokenize{admin/conf_files/krb5_conf:plugins}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}plugins{]}}}}} 6899section of krb5.conf to register third-party modules, and to switch 6900off registered or built-in modules. 6901 6902A plugin module takes the form of a Unix shared object 6903(\sphinxcode{modname.so}) or Windows DLL (\sphinxcode{modname.dll}). If you have 6904installed a third-party plugin module and want to register it, you do 6905so using the \sphinxstylestrong{module} relation in the appropriate subsection of the 6906{[}plugins{]} section. The value for \sphinxstylestrong{module} must give the module name 6907and the path to the module, separated by a colon. 
The module name 6908will often be the same as the shared object’s name, but in unusual 6909cases (such as a shared object which implements multiple modules for 6910the same interface) it might not be. For example, to register a 6911client preauthentication module named \sphinxcode{mypreauth} installed at 6912\sphinxcode{/path/to/mypreauth.so}, you could write: 6913 6914\fvset{hllines={, ,}}% 6915\begin{sphinxVerbatim}[commandchars=\\\{\}] 6916\PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]} 6917 \PYG{n}{clpreauth} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6918 \PYG{n}{module} \PYG{o}{=} \PYG{n}{mypreauth}\PYG{p}{:}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{mypreauth}\PYG{o}{.}\PYG{n}{so} 6919 \PYG{p}{\PYGZcb{}} 6920\end{sphinxVerbatim} 6921 6922Many of the pluggable behaviors in MIT krb5 contain built-in modules 6923which can be switched off. You can disable a built-in module (or one 6924you have registered) using the \sphinxstylestrong{disable} directive in the 6925appropriate subsection of the {[}plugins{]} section. For example, to 6926disable the use of .k5identity files to select credential caches, you 6927could write: 6928 6929\fvset{hllines={, ,}}% 6930\begin{sphinxVerbatim}[commandchars=\\\{\}] 6931\PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]} 6932 \PYG{n}{ccselect} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6933 \PYG{n}{disable} \PYG{o}{=} \PYG{n}{k5identity} 6934 \PYG{p}{\PYGZcb{}} 6935\end{sphinxVerbatim} 6936 6937If you want to disable multiple modules, specify the \sphinxstylestrong{disable} 6938directive multiple times, giving one module to disable each time. 6939 6940Alternatively, you can explicitly specify which modules you want to be 6941enabled for that behavior using the \sphinxstylestrong{enable\_only} directive. 
For 6942example, to make {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} check password quality using only a 6943module you have registered, and no other mechanism, you could write: 6944 6945\fvset{hllines={, ,}}% 6946\begin{sphinxVerbatim}[commandchars=\\\{\}] 6947\PYG{p}{[}\PYG{n}{plugins}\PYG{p}{]} 6948 \PYG{n}{pwqual} \PYG{o}{=} \PYG{p}{\PYGZob{}} 6949 \PYG{n}{module} \PYG{o}{=} \PYG{n}{mymodule}\PYG{p}{:}\PYG{o}{/}\PYG{n}{path}\PYG{o}{/}\PYG{n}{to}\PYG{o}{/}\PYG{n}{mymodule}\PYG{o}{.}\PYG{n}{so} 6950 \PYG{n}{enable\PYGZus{}only} \PYG{o}{=} \PYG{n}{mymodule} 6951 \PYG{p}{\PYGZcb{}} 6952\end{sphinxVerbatim} 6953 6954Again, if you want to specify multiple modules, specify the 6955\sphinxstylestrong{enable\_only} directive multiple times, giving one module to enable 6956each time. 6957 6958Some Kerberos interfaces use different mechanisms to register plugin 6959modules. 6960 6961 6962\subsection{KDC location modules} 6963\label{\detokenize{admin/host_config:kdc-location-modules}} 6964For historical reasons, modules to control how KDC servers are located 6965are registered simply by placing the shared object or DLL into the 6966“libkrb5” subdirectory of the krb5 plugin directory, which defaults to 6967{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{/krb5/plugins}. For example, Samba’s winbind krb5 6968locator plugin would be registered by placing its shared object in 6969{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{/krb5/plugins/libkrb5/winbind\_krb5\_locator.so}. 
6970 6971 6972\subsection{GSSAPI mechanism modules} 6973\label{\detokenize{admin/host_config:gssapi-plugin-config}}\label{\detokenize{admin/host_config:gssapi-mechanism-modules}} 6974GSSAPI mechanism modules are registered using the file 6975{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{/gss/mech} or configuration files in the 6976{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{/gss/mech.d} directory with a \sphinxcode{.conf} 6977suffix. Each line in these files has the form: 6978 6979\fvset{hllines={, ,}}% 6980\begin{sphinxVerbatim}[commandchars=\\\{\}] 6981\PYG{n}{name} \PYG{n}{oid} \PYG{n}{pathname} \PYG{p}{[}\PYG{n}{options}\PYG{p}{]} \PYG{o}{\PYGZlt{}}\PYG{n+nb}{type}\PYG{o}{\PYGZgt{}} 6982\end{sphinxVerbatim} 6983 6984Only the name, oid, and pathname are required. \sphinxstyleemphasis{name} is the 6985mechanism name, which may be used for debugging or logging purposes. 6986\sphinxstyleemphasis{oid} is the object identifier of the GSSAPI mechanism to be 6987registered. \sphinxstyleemphasis{pathname} is a path to the module shared object or DLL. 6988\sphinxstyleemphasis{options} (if present) are options provided to the plugin module, 6989surrounded in square brackets. \sphinxstyleemphasis{type} (if present) can be used to 6990indicate a special type of module. Currently the only special module 6991type is “interposer”, for a module designed to intercept calls to 6992other mechanisms. 6993 6994If the environment variable \sphinxstylestrong{GSS\_MECH\_CONFIG} is set, its value is 6995used as the sole mechanism configuration filename. 
6996 6997 6998\subsection{Configuration profile modules} 6999\label{\detokenize{admin/host_config:profile-plugin-config}}\label{\detokenize{admin/host_config:configuration-profile-modules}} 7000A configuration profile module replaces the information source for 7001{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} itself. To use a profile module, begin krb5.conf 7002with the line: 7003 7004\fvset{hllines={, ,}}% 7005\begin{sphinxVerbatim}[commandchars=\\\{\}] 7006\PYG{n}{module} \PYG{n}{PATHNAME}\PYG{p}{:}\PYG{n}{STRING} 7007\end{sphinxVerbatim} 7008 7009where \sphinxstyleemphasis{PATHNAME} is a path to the module shared object or DLL, and 7010\sphinxstyleemphasis{STRING} is a string to provide to the module. The module will then 7011take over, and the rest of krb5.conf will be ignored. 7012 7013 7014\chapter{Backups of secure hosts} 7015\label{\detokenize{admin/backup_host:backups-of-secure-hosts}}\label{\detokenize{admin/backup_host::doc}} 7016When you back up a secure host, you should exclude the host’s keytab 7017file from the backup. If someone obtained a copy of the keytab from a 7018backup, that person could make any host masquerade as the host whose 7019keytab was compromised. In many configurations, knowledge of the 7020host’s keytab also allows root access to the host. This could be 7021particularly dangerous if the compromised keytab was from one of your 7022KDCs. If the machine has a disk crash and the keytab file is lost, it 7023is easy to generate another keytab file. (See {\hyperref[\detokenize{admin/appl_servers:add-princ-kt}]{\sphinxcrossref{\DUrole{std,std-ref}{Adding principals to keytabs}}}}.) 7024If you are unable to exclude particular files from backups, you should 7025ensure that the backups are kept as secure as the host’s root 7026password. 
7027 7028 7029\section{Backing up the Kerberos database} 7030\label{\detokenize{admin/backup_host:backing-up-the-kerberos-database}} 7031As with any file, it is possible that your Kerberos database could 7032become corrupted. If this happens on one of the replica KDCs, you 7033might never notice, since the next automatic propagation of the 7034database would install a fresh copy. However, if it happens to the 7035primary KDC, the corrupted database would be propagated to all of the 7036replicas during the next propagation. For this reason, MIT recommends 7037that you back up your Kerberos database regularly. Because the primary 7038KDC is continuously dumping the database to a file in order to 7039propagate it to the replica KDCs, it is a simple matter to have a cron 7040job periodically copy the dump file to a secure machine elsewhere on 7041your network. (Of course, it is important to make the host where 7042these backups are stored as secure as your KDCs, and to encrypt its 7043transmission across your network.) Then if your database becomes 7044corrupted, you can load the most recent dump onto the primary KDC. 7045(See {\hyperref[\detokenize{admin/database:restore-from-dump}]{\sphinxcrossref{\DUrole{std,std-ref}{Restoring a Kerberos database from a dump file}}}}.) 7046 7047 7048\chapter{PKINIT configuration} 7049\label{\detokenize{admin/pkinit:pkinit-configuration}}\label{\detokenize{admin/pkinit:pkinit}}\label{\detokenize{admin/pkinit::doc}} 7050PKINIT is a preauthentication mechanism for Kerberos 5 which uses 7051X.509 certificates to authenticate the KDC to clients and vice versa. 7052PKINIT can also be used to enable anonymity support, allowing clients 7053to communicate securely with the KDC or with application servers 7054without authenticating as a particular client principal. 
7055 7056 7057\section{Creating certificates} 7058\label{\detokenize{admin/pkinit:creating-certificates}} 7059PKINIT requires an X.509 certificate for the KDC and one for each 7060client principal which will authenticate using PKINIT. For anonymous 7061PKINIT, a KDC certificate is required, but client certificates are 7062not. A commercially issued server certificate can be used for the KDC 7063certificate, but generally cannot be used for client certificates. 7064 7065The instruction in this section describe how to establish a 7066certificate authority and create standard PKINIT certificates. Skip 7067this section if you are using a commercially issued server certificate 7068as the KDC certificate for anonymous PKINIT, or if you are configuring 7069a client to use an Active Directory KDC. 7070 7071 7072\subsection{Generating a certificate authority certificate} 7073\label{\detokenize{admin/pkinit:generating-a-certificate-authority-certificate}} 7074You can establish a new certificate authority (CA) for use with a 7075PKINIT deployment with the commands: 7076 7077\fvset{hllines={, ,}}% 7078\begin{sphinxVerbatim}[commandchars=\\\{\}] 7079\PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048} 7080\PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{x509} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{3650} 7081\end{sphinxVerbatim} 7082 7083The second command will ask for the values of several certificate 7084fields. These fields can be set to any values. You can adjust the 7085expiration time of the CA certificate by changing the number after 7086\sphinxcode{-days}. 
Since the CA certificate must be deployed to client 7087machines each time it changes, it should normally have an expiration 7088time far in the future; however, expiration times after 2037 may cause 7089interoperability issues in rare circumstances. 7090 7091The result of these commands will be two files, cakey.pem and 7092cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which 7093must be carefully protected. cacert.pem will contain the CA 7094certificate, which must be placed in the filesystems of the KDC and 7095each client host. cakey.pem will be required to create KDC and client 7096certificates. 7097 7098 7099\subsection{Generating a KDC certificate} 7100\label{\detokenize{admin/pkinit:generating-a-kdc-certificate}} 7101A KDC certificate for use with PKINIT is required to have some unusual 7102fields, which makes generating them with OpenSSL somewhat complicated. 7103First, you will need a file containing the following: 7104 7105\fvset{hllines={, ,}}% 7106\begin{sphinxVerbatim}[commandchars=\\\{\}] 7107[kdc\PYGZus{}cert] 7108basicConstraints=CA:FALSE 7109keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement 7110extendedKeyUsage=1.3.6.1.5.2.3.5 7111subjectKeyIdentifier=hash 7112authorityKeyIdentifier=keyid,issuer 7113issuerAltName=issuer:copy 7114subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc\PYGZus{}princ\PYGZus{}name 7115 7116[kdc\PYGZus{}princ\PYGZus{}name] 7117realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} 7118principal\PYGZus{}name=EXP:1,SEQUENCE:kdc\PYGZus{}principal\PYGZus{}seq 7119 7120[kdc\PYGZus{}principal\PYGZus{}seq] 7121name\PYGZus{}type=EXP:0,INTEGER:2 7122name\PYGZus{}string=EXP:1,SEQUENCE:kdc\PYGZus{}principals 7123 7124[kdc\PYGZus{}principals] 7125princ1=GeneralString:krbtgt 7126princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} 7127\end{sphinxVerbatim} 7128 7129If the above contents are placed in extensions.kdc, you can generate 7130and sign a KDC certificate with the following 
commands: 7131 7132\fvset{hllines={, ,}}% 7133\begin{sphinxVerbatim}[commandchars=\\\{\}] 7134\PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048} 7135\PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{new} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} 7136\PYG{n}{env} \PYG{n}{REALM}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}REALMNAME} \PYG{n}{openssl} \PYG{n}{x509} \PYG{o}{\PYGZhy{}}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{o+ow}{in} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} \PYGZbs{} 7137 \PYG{o}{\PYGZhy{}}\PYG{n}{CAkey} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{CA} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{365} \PYGZbs{} 7138 \PYG{o}{\PYGZhy{}}\PYG{n}{extfile} \PYG{n}{extensions}\PYG{o}{.}\PYG{n}{kdc} \PYG{o}{\PYGZhy{}}\PYG{n}{extensions} \PYG{n}{kdc\PYGZus{}cert} \PYG{o}{\PYGZhy{}}\PYG{n}{CAcreateserial} 7139\PYG{n}{rm} \PYG{n}{kdc}\PYG{o}{.}\PYG{n}{req} 7140\end{sphinxVerbatim} 7141 7142The second command will ask for the values of certificate fields, 7143which can be set to any values. In the third command, substitute your 7144KDC’s realm name for YOUR\_REALMNAME. You can adjust the certificate’s 7145expiration date by changing the number after \sphinxcode{-days}. Remember to 7146create a new KDC certificate before the old one expires. 7147 7148The result of this operation will be in two files, kdckey.pem and 7149kdc.pem. Both files must be placed in the KDC’s filesystem. 7150kdckey.pem, which contains the KDC’s private key, must be carefully 7151protected. 
7152 7153If you examine the KDC certificate with \sphinxcode{openssl x509 -in kdc.pem 7154-text -noout}, OpenSSL will not know how to display the KDC principal 7155name in the Subject Alternative Name extension, so it will appear as 7156\sphinxcode{othername:\textless{}unsupported\textgreater{}}. This is normal and does not mean 7157anything is wrong with the KDC certificate. 7158 7159 7160\subsection{Generating client certificates} 7161\label{\detokenize{admin/pkinit:generating-client-certificates}} 7162PKINIT client certificates also must have some unusual certificate 7163fields. To generate a client certificate with OpenSSL for a 7164single-component principal name, you will need an extensions file 7165(different from the KDC extensions file above) containing: 7166 7167\fvset{hllines={, ,}}% 7168\begin{sphinxVerbatim}[commandchars=\\\{\}] 7169[client\PYGZus{}cert] 7170basicConstraints=CA:FALSE 7171keyUsage=digitalSignature,keyEncipherment,keyAgreement 7172extendedKeyUsage=1.3.6.1.5.2.3.4 7173subjectKeyIdentifier=hash 7174authorityKeyIdentifier=keyid,issuer 7175issuerAltName=issuer:copy 7176subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ\PYGZus{}name 7177 7178[princ\PYGZus{}name] 7179realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} 7180principal\PYGZus{}name=EXP:1,SEQUENCE:principal\PYGZus{}seq 7181 7182[principal\PYGZus{}seq] 7183name\PYGZus{}type=EXP:0,INTEGER:1 7184name\PYGZus{}string=EXP:1,SEQUENCE:principals 7185 7186[principals] 7187princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT\PYGZcb{} 7188\end{sphinxVerbatim} 7189 7190If the above contents are placed in extensions.client, you can 7191generate and sign a client certificate with the following commands: 7192 7193\fvset{hllines={, ,}}% 7194\begin{sphinxVerbatim}[commandchars=\\\{\}] 7195\PYG{n}{openssl} \PYG{n}{genrsa} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \PYG{l+m+mi}{2048} 7196\PYG{n}{openssl} \PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{n}{new} 
\PYG{o}{\PYGZhy{}}\PYG{n}{key} \PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} 7197\PYG{n}{env} \PYG{n}{REALM}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}REALMNAME} \PYG{n}{CLIENT}\PYG{o}{=}\PYG{n}{YOUR\PYGZus{}PRINCNAME} \PYG{n}{openssl} \PYG{n}{x509} \PYGZbs{} 7198 \PYG{o}{\PYGZhy{}}\PYG{n}{CAkey} \PYG{n}{cakey}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{CA} \PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} \PYG{o}{\PYGZhy{}}\PYG{n}{req} \PYG{o}{\PYGZhy{}}\PYG{o+ow}{in} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} \PYGZbs{} 7199 \PYG{o}{\PYGZhy{}}\PYG{n}{extensions} \PYG{n}{client\PYGZus{}cert} \PYG{o}{\PYGZhy{}}\PYG{n}{extfile} \PYG{n}{extensions}\PYG{o}{.}\PYG{n}{client} \PYGZbs{} 7200 \PYG{o}{\PYGZhy{}}\PYG{n}{days} \PYG{l+m+mi}{365} \PYG{o}{\PYGZhy{}}\PYG{n}{out} \PYG{n}{client}\PYG{o}{.}\PYG{n}{pem} 7201\PYG{n}{rm} \PYG{n}{client}\PYG{o}{.}\PYG{n}{req} 7202\end{sphinxVerbatim} 7203 7204Normally, the first two commands should be run on the client host, and 7205the resulting client.req file transferred to the certificate authority 7206host for the third command. As in the previous steps, the second 7207command will ask for the values of certificate fields, which can be 7208set to any values. In the third command, substitute your realm’s name 7209for YOUR\_REALMNAME and the client’s principal name (without realm) for 7210YOUR\_PRINCNAME. You can adjust the certificate’s expiration date by 7211changing the number after \sphinxcode{-days}. 7212 7213The result of this operation will be two files, clientkey.pem and 7214client.pem. Both files must be present on the client’s host; 7215clientkey.pem, which contains the client’s private key, must be 7216protected from access by others. 7217 7218As in the KDC certificate, OpenSSL will display the client principal 7219name as \sphinxcode{othername:\textless{}unsupported\textgreater{}} in the Subject Alternative Name 7220extension of a PKINIT client certificate. 
7221 7222If the client principal name contains more than one component 7223(e.g. \sphinxcode{host/example.com@REALM}), the \sphinxcode{{[}principals{]}} section of 7224\sphinxcode{extensions.client} must be altered to contain multiple entries. 7225(Simply setting \sphinxcode{CLIENT} to \sphinxcode{host/example.com} would generate a 7226certificate for \sphinxcode{host\textbackslash{}/example.com@REALM} which would not match the 7227multi-component principal name.) For a two-component principal, the 7228section should read: 7229 7230\fvset{hllines={, ,}}% 7231\begin{sphinxVerbatim}[commandchars=\\\{\}] 7232[principals] 7233princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT1\PYGZcb{} 7234princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT2\PYGZcb{} 7235\end{sphinxVerbatim} 7236 7237The environment variables \sphinxcode{CLIENT1} and \sphinxcode{CLIENT2} must then be set 7238to the first and second components when running \sphinxcode{openssl x509}. 7239 7240 7241\section{Configuring the KDC} 7242\label{\detokenize{admin/pkinit:configuring-the-kdc}} 7243The KDC must have filesystem access to the KDC certificate (kdc.pem) 7244and the KDC private key (kdckey.pem). 
Configure the following 7245relation in the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file, either in the 7246{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} section or in a {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with 7247appropriate pathnames): 7248 7249\fvset{hllines={, ,}}% 7250\begin{sphinxVerbatim}[commandchars=\\\{\}] 7251\PYG{n}{pkinit\PYGZus{}identity} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{pem}\PYG{p}{,}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{kdckey}\PYG{o}{.}\PYG{n}{pem} 7252\end{sphinxVerbatim} 7253 7254If any clients will authenticate using regular (as opposed to 7255anonymous) PKINIT, the KDC must also have filesystem access to the CA 7256certificate (cacert.pem), and the following configuration (with the 7257appropriate pathname): 7258 7259\fvset{hllines={, ,}}% 7260\begin{sphinxVerbatim}[commandchars=\\\{\}] 7261\PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{var}\PYG{o}{/}\PYG{n}{lib}\PYG{o}{/}\PYG{n}{krb5kdc}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} 7262\end{sphinxVerbatim} 7263 7264Because of the larger size of requests and responses using PKINIT, you 7265may also need to allow TCP access to the KDC: 7266 7267\fvset{hllines={, ,}}% 7268\begin{sphinxVerbatim}[commandchars=\\\{\}] 7269\PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} 7270\end{sphinxVerbatim} 7271 7272Restart the {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} daemon to pick up the configuration 7273changes. 
7274 7275The principal entry for each PKINIT-using client must be configured to 7276require preauthentication. Ensure this with the command: 7277 7278\fvset{hllines={, ,}}% 7279\begin{sphinxVerbatim}[commandchars=\\\{\}] 7280\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{modprinc +requires\PYGZus{}preauth YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}} 7281\end{sphinxVerbatim} 7282 7283Starting with release 1.12, it is possible to remove the long-term 7284keys of a principal entry, which can save some space in the database 7285and help to clarify some PKINIT-related error conditions by not asking 7286for a password: 7287 7288\fvset{hllines={, ,}}% 7289\begin{sphinxVerbatim}[commandchars=\\\{\}] 7290\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{purgekeys \PYGZhy{}all YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}} 7291\end{sphinxVerbatim} 7292 7293These principal options can also be specified at principal creation 7294time as follows: 7295 7296\fvset{hllines={, ,}}% 7297\begin{sphinxVerbatim}[commandchars=\\\{\}] 7298\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME}\PYG{l+s+s1}{\PYGZsq{}} 7299\end{sphinxVerbatim} 7300 7301By default, the KDC requires PKINIT client certificates to have the 7302standard Extended Key Usage and Subject Alternative Name attributes 7303for PKINIT. Starting in release 1.16, it is possible to authorize 7304client certificates based on the subject or other criteria instead of 7305the standard PKINIT Subject Alternative Name, by setting the 7306\sphinxstylestrong{pkinit\_cert\_match} string attribute on each client principal entry. 
7307For example: 7308 7309\fvset{hllines={, ,}}% 7310\begin{sphinxVerbatim}[commandchars=\\\{\}] 7311\PYG{n}{kadmin} \PYG{n}{set\PYGZus{}string} \PYG{n}{user}\PYG{n+nd}{@REALM} \PYG{n}{pkinit\PYGZus{}cert\PYGZus{}match} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZlt{}SUBJECT\PYGZgt{}CN=user@REALM\PYGZdl{}}\PYG{l+s+s2}{\PYGZdq{}} 7312\end{sphinxVerbatim} 7313 7314The \sphinxstylestrong{pkinit\_cert\_match} string attribute follows the syntax used by 7315the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} \sphinxstylestrong{pkinit\_cert\_match} relation. To allow the 7316use of non-PKINIT client certificates, it will also be necessary to 7317disable key usage checking using the \sphinxstylestrong{pkinit\_eku\_checking} relation; 7318for example: 7319 7320\fvset{hllines={, ,}}% 7321\begin{sphinxVerbatim}[commandchars=\\\{\}] 7322\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} 7323 \PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{none} 7324\end{sphinxVerbatim} 7325 7326 7327\section{Configuring the clients} 7328\label{\detokenize{admin/pkinit:configuring-the-clients}} 7329Client hosts must be configured to trust the issuing authority for the 7330KDC certificate. 
For a newly established certificate authority, the 7331client host must have filesystem access to the CA certificate 7332(cacert.pem) and the following relation in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} in the 7333appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection (with appropriate pathnames): 7334 7335\fvset{hllines={, ,}}% 7336\begin{sphinxVerbatim}[commandchars=\\\{\}] 7337\PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} 7338\end{sphinxVerbatim} 7339 7340If the KDC certificate is a commercially issued server certificate, 7341the issuing certificate is most likely included in a system directory. 7342You can specify it by filename as above, or specify the whole 7343directory like so: 7344 7345\fvset{hllines={, ,}}% 7346\begin{sphinxVerbatim}[commandchars=\\\{\}] 7347\PYG{n}{pkinit\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{DIR}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{ssl}\PYG{o}{/}\PYG{n}{certs} 7348\end{sphinxVerbatim} 7349 7350A commercially issued server certificate will usually not have the 7351standard PKINIT principal name or Extended Key Usage extensions, so 7352the following additional configuration is required: 7353 7354\fvset{hllines={, ,}}% 7355\begin{sphinxVerbatim}[commandchars=\\\{\}] 7356\PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{kpServerAuth} 7357\PYG{n}{pkinit\PYGZus{}kdc\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{hostname}\PYG{o}{.}\PYG{n}{of}\PYG{o}{.}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{certificate} 7358\end{sphinxVerbatim} 7359 7360Multiple \sphinxstylestrong{pkinit\_kdc\_hostname} relations can be configured to 7361recognize multiple KDC certificates. 
If the KDC is an Active 7362Directory domain controller, setting \sphinxstylestrong{pkinit\_kdc\_hostname} is 7363necessary, but it should not be necessary to set 7364\sphinxstylestrong{pkinit\_eku\_checking}. 7365 7366To perform regular (as opposed to anonymous) PKINIT authentication, a 7367client host must have filesystem access to a client certificate 7368(client.pem), and the corresponding private key (clientkey.pem). 7369Configure the following relations in the client host’s 7370{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection 7371(with appropriate pathnames): 7372 7373\fvset{hllines={, ,}}% 7374\begin{sphinxVerbatim}[commandchars=\\\{\}] 7375\PYG{n}{pkinit\PYGZus{}identities} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{client}\PYG{o}{.}\PYG{n}{pem}\PYG{p}{,}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{clientkey}\PYG{o}{.}\PYG{n}{pem} 7376\end{sphinxVerbatim} 7377 7378If the KDC and client are properly configured, it should now be 7379possible to run \sphinxcode{kinit username} without entering a password. 7380 7381 7382\section{Anonymous PKINIT} 7383\label{\detokenize{admin/pkinit:anonymous-pkinit}}\label{\detokenize{admin/pkinit:id1}} 7384Anonymity support in Kerberos allows a client to obtain a ticket 7385without authenticating as any particular principal. Such a ticket can 7386be used as a FAST armor ticket, or to securely communicate with an 7387application server anonymously. 7388 7389To configure anonymity support, you must generate or otherwise procure 7390a KDC certificate and configure the KDC host, but you do not need to 7391generate any client certificates. 
On the KDC, you must set the 7392\sphinxstylestrong{pkinit\_identity} variable to provide the KDC certificate, but do 7393not need to set the \sphinxstylestrong{pkinit\_anchors} variable or store the issuing 7394certificate if you won’t have any client certificates to verify. On 7395client hosts, you must set the \sphinxstylestrong{pkinit\_anchors} variable (and 7396possibly \sphinxstylestrong{pkinit\_kdc\_hostname} and \sphinxstylestrong{pkinit\_eku\_checking}) in order 7397to trust the issuing authority for the KDC certificate, but do not 7398need to set the \sphinxstylestrong{pkinit\_identities} variable. 7399 7400Anonymity support is not enabled by default. To enable it, you must 7401create the principal \sphinxcode{WELLKNOWN/ANONYMOUS} using the command: 7402 7403\fvset{hllines={, ,}}% 7404\begin{sphinxVerbatim}[commandchars=\\\{\}] 7405\PYG{n}{kadmin} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{addprinc \PYGZhy{}randkey WELLKNOWN/ANONYMOUS}\PYG{l+s+s1}{\PYGZsq{}} 7406\end{sphinxVerbatim} 7407 7408Some Kerberos deployments include application servers which lack 7409proper access control, and grant some level of access to any user who 7410can authenticate. In such an environment, enabling anonymity support 7411on the KDC would present a security issue. If you need to enable 7412anonymity support for TGTs (for use as FAST armor tickets) without 7413enabling anonymous authentication to application servers, you can set 7414the variable \sphinxstylestrong{restrict\_anonymous\_to\_tgt} to \sphinxcode{true} in the 7415appropriate {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the KDC’s 7416{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. 7417 7418To obtain anonymous credentials on a client, run \sphinxcode{kinit -n}, or 7419\sphinxcode{kinit -n @REALMNAME} to specify a realm. 
The resulting tickets 7420will have the client name \sphinxcode{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}. 7421 7422 7423\section{Freshness tokens} 7424\label{\detokenize{admin/pkinit:freshness-tokens}} 7425Freshness tokens can ensure that the client has recently had access to 7426its certificate private key. If freshness tokens are not required by 7427the KDC, a client program with temporary possession of the private key 7428can compose requests for future timestamps and use them later. 7429 7430In release 1.17 and later, freshness tokens are supported by the 7431client and are sent by the KDC when the client indicates support for 7432them. Because not all clients support freshness tokens yet, they are 7433not required by default. To check if freshness tokens are supported 7434by a realm’s clients, look in the KDC logs for the lines: 7435 7436\fvset{hllines={, ,}}% 7437\begin{sphinxVerbatim}[commandchars=\\\{\}] 7438\PYG{n}{PKINIT}\PYG{p}{:} \PYG{n}{freshness} \PYG{n}{token} \PYG{n}{received} \PYG{k+kn}{from} \PYG{o}{\PYGZlt{}}\PYG{n}{client} \PYG{n}{principal}\PYG{o}{\PYGZgt{}} 7439\PYG{n}{PKINIT}\PYG{p}{:} \PYG{n}{no} \PYG{n}{freshness} \PYG{n}{token} \PYG{n}{received} \PYG{k+kn}{from} \PYG{o}{\PYGZlt{}}\PYG{n}{client} \PYG{n}{principal}\PYG{o}{\PYGZgt{}} 7440\end{sphinxVerbatim} 7441 7442To require freshness tokens for all clients in a realm (except for 7443clients authenticating anonymously), set the 7444\sphinxstylestrong{pkinit\_require\_freshness} variable to \sphinxcode{true} in the appropriate 7445{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the KDC’s {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. To 7446test that this option is in effect, run \sphinxcode{kinit -X disable\_freshness} 7447and verify that authentication is unsuccessful. 
7448 7449 7450\chapter{OTP Preauthentication} 7451\label{\detokenize{admin/otp::doc}}\label{\detokenize{admin/otp:otp-preauthentication}}\label{\detokenize{admin/otp:otp-preauth}} 7452OTP is a preauthentication mechanism for Kerberos 5 which uses One 7453Time Passwords (OTP) to authenticate the client to the KDC. The OTP 7454is passed to the KDC over an encrypted FAST channel in clear-text. 7455The KDC uses the password along with per-user configuration to proxy 7456the request to a third-party RADIUS system. This enables 7457out-of-the-box compatibility with a large number of already widely 7458deployed proprietary systems. 7459 7460Additionally, our implementation of the OTP system allows for the 7461passing of RADIUS requests over a UNIX domain stream socket. This 7462permits the use of a local companion daemon which can handle the 7463details of authentication. 7464 7465 7466\section{Defining token types} 7467\label{\detokenize{admin/otp:defining-token-types}} 7468Token types are defined in either {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} or 7469{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} according to the following format: 7470 7471\fvset{hllines={, ,}}% 7472\begin{sphinxVerbatim}[commandchars=\\\{\}] 7473\PYG{p}{[}\PYG{n}{otp}\PYG{p}{]} 7474 \PYG{o}{\PYGZlt{}}\PYG{n}{name}\PYG{o}{\PYGZgt{}} \PYG{o}{=} \PYG{p}{\PYGZob{}} 7475 \PYG{n}{server} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{host}\PYG{p}{:}\PYG{n}{port} \PYG{o+ow}{or} \PYG{n}(unknown)\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{see} \PYG{n}{below}\PYG{p}{)} 7476 \PYG{n}{secret} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}(unknown)\PYG{o}{\PYGZgt{}} 7477 \PYG{n}{timeout} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{integer}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{l+m+mi}{5} \PYG{p}{[}\PYG{n}{seconds}\PYG{p}{]}\PYG{p}{)} 7478 \PYG{n}{retries} 
\PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{integer}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{l+m+mi}{3}\PYG{p}{)} 7479 \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{boolean}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{true}\PYG{p}{)} 7480 \PYG{n}{indicator} \PYG{o}{=} \PYG{o}{\PYGZlt{}}\PYG{n}{string}\PYG{o}{\PYGZgt{}} \PYG{p}{(}\PYG{n}{default}\PYG{p}{:} \PYG{n}{none}\PYG{p}{)} 7481 \PYG{p}{\PYGZcb{}} 7482\end{sphinxVerbatim} 7483 7484If the server field begins with ‘/’, it will be interpreted as a UNIX 7485socket. Otherwise, it is assumed to be in the format host:port. When 7486a UNIX domain socket is specified, the secret field is optional and an 7487empty secret is used by default. If the server field is not 7488specified, it defaults to {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/\textless{}name\textgreater{}.socket}. 7489 7490When forwarding the request over RADIUS, by default the principal is 7491used in the User-Name attribute of the RADIUS packet. The strip\_realm 7492parameter controls whether the principal is forwarded with or without 7493the realm portion. 7494 7495If an indicator field is present, tickets issued using this token type 7496will be annotated with the specified authentication indicator (see 7497{\hyperref[\detokenize{admin/auth_indicator:auth-indicator}]{\sphinxcrossref{\DUrole{std,std-ref}{Authentication indicators}}}}). This key may be specified multiple times to 7498add multiple indicators. 7499 7500 7501\section{The default token type} 7502\label{\detokenize{admin/otp:the-default-token-type}} 7503A default token type is used internally when no token type is specified for a 7504given user. 
It is defined as follows: 7505 7506\fvset{hllines={, ,}}% 7507\begin{sphinxVerbatim}[commandchars=\\\{\}] 7508\PYG{p}{[}\PYG{n}{otp}\PYG{p}{]} 7509 \PYG{n}{DEFAULT} \PYG{o}{=} \PYG{p}{\PYGZob{}} 7510 \PYG{n}{strip\PYGZus{}realm} \PYG{o}{=} \PYG{n}{false} 7511 \PYG{p}{\PYGZcb{}} 7512\end{sphinxVerbatim} 7513 7514The administrator may override the internal \sphinxcode{DEFAULT} token type 7515simply by defining a configuration with the same name. 7516 7517 7518\section{Token instance configuration} 7519\label{\detokenize{admin/otp:token-instance-configuration}} 7520To enable OTP for a client principal, the administrator must define 7521the \sphinxstylestrong{otp} string attribute for that principal. (See 7522{\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}}.) The \sphinxstylestrong{otp} user string is a JSON string of the 7523format: 7524 7525\fvset{hllines={, ,}}% 7526\begin{sphinxVerbatim}[commandchars=\\\{\}] 7527[\PYGZob{} 7528 \PYGZdq{}type\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, 7529 \PYGZdq{}username\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, 7530 \PYGZdq{}indicators\PYGZdq{}: [\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, ...] 7531 \PYGZcb{}, ...] 7532\end{sphinxVerbatim} 7533 7534This is an array of token objects. All fields of a token object are 7535optional. The \sphinxstylestrong{type} field names the token type of this token; if 7536not specified, it defaults to \sphinxcode{DEFAULT}. The \sphinxstylestrong{username} field 7537specifies the value to be sent in the User-Name RADIUS attribute. If 7538not specified, the principal name is sent, with or without realm as 7539defined in the token type. The \sphinxstylestrong{indicators} field specifies a list 7540of authentication indicators to annotate tickets with, overriding any 7541indicators specified in the token type. 
7542 7543For ease of configuration, an empty array (\sphinxcode{{[}{]}}) is treated as 7544equivalent to one DEFAULT token (\sphinxcode{{[}\{\}{]}}). 7545 7546 7547\section{Other considerations} 7548\label{\detokenize{admin/otp:other-considerations}}\begin{enumerate} 7549\item {} 7550FAST is required for OTP to work. 7551 7552\end{enumerate} 7553 7554 7555\chapter{SPAKE Preauthentication} 7556\label{\detokenize{admin/spake::doc}}\label{\detokenize{admin/spake:spake-preauthentication}}\label{\detokenize{admin/spake:spake}} 7557SPAKE preauthentication (added in release 1.17) uses public key 7558cryptography techniques to protect against {\hyperref[\detokenize{admin/dictionary:dictionary}]{\sphinxcrossref{\DUrole{std,std-ref}{password dictionary 7559attacks}}}}. Unlike {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}}, it does not 7560require any additional infrastructure such as certificates; it simply 7561needs to be turned on. Using SPAKE preauthentication may modestly 7562increase the CPU and network load on the KDC. 7563 7564SPAKE preauthentication can use one of four elliptic curve groups for 7565its password-authenticated key exchange. The recommended group is 7566\sphinxcode{edwards25519}; three NIST curves (\sphinxcode{P-256}, \sphinxcode{P-384}, and 7567\sphinxcode{P-521}) are also supported. 7568 7569By default, SPAKE with the \sphinxcode{edwards25519} group is enabled on 7570clients, but the KDC does not offer SPAKE by default. To turn it on, 7571set the \sphinxstylestrong{spake\_preauth\_groups} variable in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} to a 7572list of allowed groups. This variable affects both the client and the 7573KDC. 
Simply setting it to \sphinxcode{edwards25519} is recommended: 7574 7575\fvset{hllines={, ,}}% 7576\begin{sphinxVerbatim}[commandchars=\\\{\}] 7577\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 7578 \PYG{n}{spake\PYGZus{}preauth\PYGZus{}groups} \PYG{o}{=} \PYG{n}{edwards25519} 7579\end{sphinxVerbatim} 7580 7581Set the \sphinxstylestrong{+requires\_preauth} and \sphinxstylestrong{-allow\_svr} flags on client 7582principal entries, as you would for any preauthentication mechanism: 7583 7584\fvset{hllines={, ,}}% 7585\begin{sphinxVerbatim}[commandchars=\\\{\}] 7586\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{modprinc} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{PRINCNAME} 7587\end{sphinxVerbatim} 7588 7589Clients which do not implement SPAKE preauthentication will fall back 7590to encrypted timestamp. 7591 7592An active attacker can force a fallback to encrypted timestamp by 7593modifying the initial KDC response, defeating the protection against 7594dictionary attacks. To prevent this fallback on clients which do 7595implement SPAKE preauthentication, set the 7596\sphinxstylestrong{disable\_encrypted\_timestamp} variable to \sphinxcode{true} in the 7597{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection for realms whose KDCs offer SPAKE 7598preauthentication. 7599 7600By default, SPAKE preauthentication requires an extra network round 7601trip to the KDC during initial authentication. 
If most of the clients 7602in a realm support SPAKE, this extra round trip can be eliminated 7603using an optimistic challenge, by setting the 7604\sphinxstylestrong{spake\_preauth\_kdc\_challenge} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} to a 7605single group name: 7606 7607\fvset{hllines={, ,}}% 7608\begin{sphinxVerbatim}[commandchars=\\\{\}] 7609\PYG{p}{[}\PYG{n}{kdcdefaults}\PYG{p}{]} 7610 \PYG{n}{spake\PYGZus{}preauth\PYGZus{}kdc\PYGZus{}challenge} \PYG{o}{=} \PYG{n}{edwards25519} 7611\end{sphinxVerbatim} 7612 7613Using optimistic challenge will cause the KDC to do extra work for 7614initial authentication requests that do not result in SPAKE 7615preauthentication, but will save work when SPAKE preauthentication is 7616used. 7617 7618 7619\chapter{Addressing dictionary attack risks} 7620\label{\detokenize{admin/dictionary:addressing-dictionary-attack-risks}}\label{\detokenize{admin/dictionary::doc}}\label{\detokenize{admin/dictionary:dictionary}} 7621Kerberos initial authentication is normally secured using the client 7622principal’s long-term key, which for users is generally derived from a 7623password. Using a password-derived long-term key carries the risk of a 7624dictionary attack, where an attacker tries a sequence of possible 7625passwords, possibly requiring much less effort than would be required 7626to try all possible values of the key. Even if {\hyperref[\detokenize{admin/database:policies}]{\sphinxcrossref{\DUrole{std,std-ref}{password policy 7627objects}}}} are used to force users not to pick trivial 7628passwords, dictionary attacks can sometimes be successful against a 7629significant fraction of the users in a realm. Dictionary attacks are 7630not a concern for principals using random keys. 7631 7632A dictionary attack may be online or offline. 
An online dictionary 7633attack is performed by trying each password in a separate request to 7634the KDC, and is therefore visible to the KDC and also limited in speed 7635by the KDC’s processing power and the network capacity between the 7636client and the KDC. Online dictionary attacks can be mitigated using 7637{\hyperref[\detokenize{admin/lockout:lockout}]{\sphinxcrossref{\DUrole{std,std-ref}{account lockout}}}}. This measure is not totally 7638satisfactory, as it makes it easy for an attacker to deny access to a 7639client principal. 7640 7641An offline dictionary attack is performed by obtaining a ciphertext 7642generated using the password-derived key, and trying each password 7643against the ciphertext. This category of attack is invisible to the 7644KDC and can be performed much faster than an online attack. The 7645attack will generally take much longer with more recent encryption 7646types (particularly the ones based on AES), because those encryption 7647types use a much more expensive string-to-key function. However, the 7648best defense is to deny the attacker access to a useful ciphertext. 7649The required defensive measures depend on the attacker’s level of 7650network access. 7651 7652An off-path attacker has no access to packets sent between legitimate 7653users and the KDC. An off-path attacker could gain access to an 7654attackable ciphertext either by making an AS request for a client 7655principal which does not have the \sphinxstylestrong{+requires\_preauth} flag, or by 7656making a TGS request (after authenticating as a different user) for a 7657server principal which does not have the \sphinxstylestrong{-allow\_svr} flag. 
To 7658address off-path attackers, a KDC administrator should set those flags 7659on principals with password-derived keys: 7660 7661\fvset{hllines={, ,}}% 7662\begin{sphinxVerbatim}[commandchars=\\\{\}] 7663\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}principal} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}svr} \PYG{n}{princname} 7664\end{sphinxVerbatim} 7665 7666An attacker with passive network access (one who can monitor packets 7667sent between legitimate users and the KDC, but cannot change them or 7668insert their own packets) can gain access to an attackable ciphertext 7669by observing an authentication by a user using the most common form of 7670preauthentication, encrypted timestamp. Any of the following methods 7671can prevent dictionary attacks by attackers with passive network 7672access: 7673\begin{itemize} 7674\item {} 7675Enabling {\hyperref[\detokenize{admin/spake:spake}]{\sphinxcrossref{\DUrole{std,std-ref}{SPAKE preauthentication}}}} (added in release 76761.17) on the KDC, and ensuring that all clients are able to support 7677it. 7678 7679\item {} 7680Using an {\hyperref[\detokenize{admin/https:https}]{\sphinxcrossref{\DUrole{std,std-ref}{HTTPS proxy}}}} for communication with the KDC, 7681if the attacker cannot monitor communication between the proxy 7682server and the KDC. 7683 7684\item {} 7685Using FAST, protecting the initial authentication with either a 7686random key (such as a host key) or with {\hyperref[\detokenize{admin/pkinit:anonymous-pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{anonymous PKINIT}}}}. 7687 7688\end{itemize} 7689 7690An attacker with active network access (one who can inject or modify 7691packets sent between legitimate users and the KDC) can try to fool the 7692client software into sending an attackable ciphertext using an 7693encryption type and salt string of the attacker’s choosing. 
Any of the 7694following methods can prevent dictionary attacks by active attackers: 7695\begin{itemize} 7696\item {} 7697Enabling SPAKE preauthentication and setting the 7698\sphinxstylestrong{disable\_encrypted\_timestamp} variable to \sphinxcode{true} in the 7699{\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection of the client configuration. 7700 7701\item {} 7702Using an HTTPS proxy as described above, configured in the client’s 7703krb5.conf realm configuration. If {\hyperref[\detokenize{admin/realm_config:kdc-discovery}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC discovery}}}} is used to locate a proxy server, an active 7704attacker may be able to use DNS spoofing to cause the client to use 7705a different HTTPS server or to not use HTTPS. 7706 7707\item {} 7708Using FAST as described above. 7709 7710\end{itemize} 7711 7712If {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}} or {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP}}}} are used for 7713initial authentication, the principal’s long-term keys are not used 7714and dictionary attacks are usually not a concern. 7715 7716 7717\chapter{Principal names and DNS} 7718\label{\detokenize{admin/princ_dns:principal-names-and-dns}}\label{\detokenize{admin/princ_dns::doc}} 7719Kerberos clients can do DNS lookups to canonicalize service principal 7720names. This can cause difficulties when setting up Kerberos 7721application servers, especially when the client’s name for the service 7722is different from what the service thinks its name is. 7723 7724 7725\section{Service principal names} 7726\label{\detokenize{admin/princ_dns:service-principal-names}} 7727A frequently used kind of principal name is the host-based service 7728principal name. This kind of principal name has two components: a 7729service name and a hostname. 
For example, \sphinxcode{imap/imap.example.com} 7730is the principal name of the “imap” service on the host 7731“imap.example.com”. Other possible service names for the first 7732component include “host” (remote login services such as ssh), “HTTP”, 7733and “nfs” (Network File System). 7734 7735Service administrators often publish well-known hostname aliases that 7736they would prefer users to use instead of the canonical name of the 7737service host. This gives service administrators more flexibility in 7738deploying services. For example, a shell login server might be named 7739“long-vanity-hostname.example.com”, but users will naturally prefer to 7740type something like “login.example.com”. Hostname aliases also allow 7741for administrators to set up load balancing for some sorts of services 7742based on rotating \sphinxcode{CNAME} records in DNS. 7743 7744 7745\section{Service principal canonicalization} 7746\label{\detokenize{admin/princ_dns:service-principal-canonicalization}} 7747In the MIT krb5 client library, canonicalization of host-based service 7748principals is controlled by the \sphinxstylestrong{dns\_canonicalize\_hostname}, 7749\sphinxstylestrong{rdns}, and \sphinxstylestrong{qualify\_shortname} variables in {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}}. 7750 7751If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{true} (the default 7752value), the client performs forward resolution by looking up the IPv4 7753and/or IPv6 addresses of the hostname using \sphinxcode{getaddrinfo()}. This 7754process will typically add a domain suffix to the hostname if needed, 7755and follow CNAME records in the DNS. If \sphinxstylestrong{rdns} is also set to 7756\sphinxcode{true} (the default), the client will then perform a reverse lookup 7757of the first returned Internet address using \sphinxcode{getnameinfo()}, 7758finding the name associated with the PTR record. 
7759 7760If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{false}, the hostname is 7761not canonicalized using DNS. If the hostname has only one component 7762(i.e. it contains no “.” characters), the host’s primary DNS search 7763domain will be appended, if there is one. The \sphinxstylestrong{qualify\_shortname} 7764variable can be used to override or disable this suffix. 7765 7766If \sphinxstylestrong{dns\_canonicalize\_hostname} is set to \sphinxcode{fallback} (added in 7767release 1.18), the hostname is initially treated according to the 7768rules for \sphinxcode{dns\_canonicalize\_hostname=false}. If a ticket request 7769fails because the service principal is unknown, the hostname will be 7770canonicalized according to the rules for 7771\sphinxcode{dns\_canonicalize\_hostname=true} and the request will be retried. 7772 7773In all cases, the hostname is converted to lowercase, and any trailing 7774dot is removed. 7775 7776 7777\section{Reverse DNS mismatches} 7778\label{\detokenize{admin/princ_dns:reverse-dns-mismatches}} 7779Sometimes, an enterprise will have control over its forward DNS but 7780not its reverse DNS. The reverse DNS is sometimes under the control 7781of the Internet service provider of the enterprise, and the enterprise 7782may not have much influence in setting up reverse DNS records for its 7783address space. If there are difficulties with getting forward and 7784reverse DNS to match, it is best to set \sphinxcode{rdns = false} on client 7785machines. 7786 7787 7788\section{Overriding application behavior} 7789\label{\detokenize{admin/princ_dns:overriding-application-behavior}} 7790Applications can choose to use a default hostname component in their 7791service principal name when accepting authentication, which avoids 7792some sorts of hostname mismatches. 
Because not all relevant 7793applications do this yet, using the {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} setting: 7794 7795\fvset{hllines={, ,}}% 7796\begin{sphinxVerbatim}[commandchars=\\\{\}] 7797\PYG{p}{[}\PYG{n}{libdefaults}\PYG{p}{]} 7798 \PYG{n}{ignore\PYGZus{}acceptor\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{true} 7799\end{sphinxVerbatim} 7800 7801will allow the Kerberos library to override the application’s choice 7802of service principal hostname and will allow a server program to 7803accept incoming authentications using any key in its keytab that 7804matches the service name and realm name (if given). This setting 7805defaults to “false” and is available in releases krb5-1.10 and later. 7806 7807 7808\section{Provisioning keytabs} 7809\label{\detokenize{admin/princ_dns:provisioning-keytabs}} 7810One service principal entry that should be in the keytab is a 7811principal whose hostname component is the canonical hostname that 7812\sphinxcode{getaddrinfo()} reports for all known aliases for the host. If the 7813reverse DNS information does not match this canonical hostname, an 7814additional service principal entry should be in the keytab for this 7815different hostname. 7816 7817 7818\section{Specific application advice} 7819\label{\detokenize{admin/princ_dns:specific-application-advice}} 7820 7821\subsection{Secure shell (ssh)} 7822\label{\detokenize{admin/princ_dns:secure-shell-ssh}} 7823Setting \sphinxcode{GSSAPIStrictAcceptorCheck = no} in the configuration file 7824of modern versions of the openssh daemon will allow the daemon to try 7825any key in its keytab when accepting a connection, rather than looking 7826for the keytab entry that matches the host’s own idea of its name 7827(typically the name that \sphinxcode{gethostname()} returns). This requires 7828krb5-1.10 or later. 
7829 7830 7831\chapter{Encryption types} 7832\label{\detokenize{admin/enctypes:enctypes}}\label{\detokenize{admin/enctypes::doc}}\label{\detokenize{admin/enctypes:encryption-types}} 7833Kerberos can use a variety of cipher algorithms to protect data. A 7834Kerberos \sphinxstylestrong{encryption type} (also known as an \sphinxstylestrong{enctype}) is a 7835specific combination of a cipher algorithm with an integrity algorithm 7836to provide both confidentiality and integrity to data. 7837 7838 7839\section{Enctypes in requests} 7840\label{\detokenize{admin/enctypes:enctypes-in-requests}} 7841Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and 7842TGS-REQs. The client uses the AS-REQ to obtain initial tickets 7843(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to 7844obtain service tickets. 7845 7846The KDC uses three different keys when issuing a ticket to a client: 7847\begin{itemize} 7848\item {} 7849The long-term key of the service: the KDC uses this to encrypt the 7850actual service ticket. The KDC only uses the first long-term key in 7851the most recent kvno for this purpose. 7852 7853\item {} 7854The session key: the KDC randomly chooses this key and places one 7855copy inside the ticket and the other copy inside the encrypted part 7856of the reply. 7857 7858\item {} 7859The reply-encrypting key: the KDC uses this to encrypt the reply it 7860sends to the client. For AS replies, this is a long-term key of the 7861client principal. For TGS replies, this is either the session key of the 7862authenticating ticket, or a subsession key. 7863 7864\end{itemize} 7865 7866Each of these keys is of a specific enctype. 7867 7868Each request type allows the client to submit a list of enctypes that 7869it is willing to accept. For the AS-REQ, this list affects both the 7870session key selection and the reply-encrypting key selection. For the 7871TGS-REQ, this list only affects the session key selection. 
7872 7873 7874\section{Session key selection} 7875\label{\detokenize{admin/enctypes:session-key-selection}}\label{\detokenize{admin/enctypes:id1}} 7876The KDC chooses the session key enctype by taking the intersection of 7877its \sphinxstylestrong{permitted\_enctypes} list, the list of long-term keys for the 7878most recent kvno of the service, and the client’s requested list of 7879enctypes. 7880 7881Starting in krb5-1.11, it is possible to set a string attribute on a 7882service principal to control what session key enctypes the KDC may 7883issue for service tickets for that principal. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:set-string}]{\sphinxcrossref{\DUrole{std,std-ref}{set\_string}}}} 7884in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for details. 7885 7886 7887\section{Choosing enctypes for a service} 7888\label{\detokenize{admin/enctypes:choosing-enctypes-for-a-service}} 7889Generally, a service should have a key of the strongest 7890enctype that both it and the KDC support. If the KDC is running a 7891release earlier than krb5-1.11, it is also useful to generate an 7892additional key for each enctype that the service can support. The KDC 7893will only use the first key in the list of long-term keys for encrypting 7894the service ticket, but the additional long-term keys indicate the 7895other enctypes that the service supports. 7896 7897As noted above, starting with release krb5-1.11, there are additional 7898configuration settings that control session key enctype selection 7899independently of the set of long-term keys that the KDC has stored for 7900a service principal. 
7901 7902 7903\section{Configuration variables} 7904\label{\detokenize{admin/enctypes:configuration-variables}} 7905The following \sphinxcode{{[}libdefaults{]}} settings in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} will 7906affect how enctypes are chosen. 7907\begin{description} 7908\item[{\sphinxstylestrong{allow\_weak\_crypto}}] \leavevmode 7909defaults to \sphinxstyleemphasis{false} starting with krb5-1.8. When \sphinxstyleemphasis{false}, removes 7910weak enctypes from \sphinxstylestrong{permitted\_enctypes}, 7911\sphinxstylestrong{default\_tkt\_enctypes}, and \sphinxstylestrong{default\_tgs\_enctypes}. Do not 7912set this to \sphinxstyleemphasis{true} unless the use of weak enctypes is an 7913acceptable risk for your environment and the weak enctypes are 7914required for backward compatibility. 7915 7916\item[{\sphinxstylestrong{permitted\_enctypes}}] \leavevmode 7917controls the set of enctypes that a service will permit for 7918session keys and for ticket and authenticator encryption. The KDC 7919and other programs that access the Kerberos database will ignore 7920keys of non-permitted enctypes. Starting in release 1.18, this 7921setting also acts as the default for \sphinxstylestrong{default\_tkt\_enctypes} and 7922\sphinxstylestrong{default\_tgs\_enctypes}. 7923 7924\item[{\sphinxstylestrong{default\_tkt\_enctypes}}] \leavevmode 7925controls the default set of enctypes that the Kerberos client 7926library requests when making an AS-REQ. Do not set this unless 7927required for specific backward compatibility purposes; stale 7928values of this setting can prevent clients from taking advantage 7929of new stronger enctypes when the libraries are upgraded. 7930 7931\item[{\sphinxstylestrong{default\_tgs\_enctypes}}] \leavevmode 7932controls the default set of enctypes that the Kerberos client 7933library requests when making a TGS-REQ. 
Do not set this unless 7934required for specific backward compatibility purposes; stale 7935values of this setting can prevent clients from taking advantage 7936of new stronger enctypes when the libraries are upgraded. 7937 7938\end{description} 7939 7940The following per-realm setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} affects the 7941generation of long-term keys. 7942\begin{description} 7943\item[{\sphinxstylestrong{supported\_enctypes}}] \leavevmode 7944controls the default set of enctype-salttype pairs that {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} 7945will use for generating long-term keys, either randomly or from 7946passwords 7947 7948\end{description} 7949 7950 7951\section{Enctype compatibility} 7952\label{\detokenize{admin/enctypes:enctype-compatibility}} 7953See {\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} for additional information about enctypes. 7954 7955 7956\begin{savenotes}\sphinxattablestart 7957\centering 7958\begin{tabulary}{\linewidth}[t]{|T|T|T|T|} 7959\hline 7960\sphinxstylethead{\sphinxstyletheadfamily 7961enctype 7962\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 7963weak? 7964\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 7965krb5 7966\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 7967Windows 7968\unskip}\relax \\ 7969\hline 7970des-cbc-crc 7971& 7972weak 7973& 7974\textless{}1.18 7975& 7976\textgreater{}=2000 7977\\ 7978\hline 7979des-cbc-md4 7980& 7981weak 7982& 7983\textless{}1.18 7984& 7985? 
7986\\ 7987\hline 7988des-cbc-md5 7989& 7990weak 7991& 7992\textless{}1.18 7993& 7994\textgreater{}=2000 7995\\ 7996\hline 7997des3-cbc-sha1 7998& 7999deprecated 8000& 8001\textgreater{}=1.1 8002& 8003none 8004\\ 8005\hline 8006arcfour-hmac 8007& 8008deprecated 8009& 8010\textgreater{}=1.3 8011& 8012\textgreater{}=2000 8013\\ 8014\hline 8015arcfour-hmac-exp 8016& 8017weak 8018& 8019\textgreater{}=1.3 8020& 8021\textgreater{}=2000 8022\\ 8023\hline 8024aes128-cts-hmac-sha1-96 8025&& 8026\textgreater{}=1.3 8027& 8028\textgreater{}=Vista 8029\\ 8030\hline 8031aes256-cts-hmac-sha1-96 8032&& 8033\textgreater{}=1.3 8034& 8035\textgreater{}=Vista 8036\\ 8037\hline 8038aes128-cts-hmac-sha256-128 8039&& 8040\textgreater{}=1.15 8041& 8042none 8043\\ 8044\hline 8045aes256-cts-hmac-sha384-192 8046&& 8047\textgreater{}=1.15 8048& 8049none 8050\\ 8051\hline 8052camellia128-cts-cmac 8053&& 8054\textgreater{}=1.9 8055& 8056none 8057\\ 8058\hline 8059camellia256-cts-cmac 8060&& 8061\textgreater{}=1.9 8062& 8063none 8064\\ 8065\hline 8066\end{tabulary} 8067\par 8068\sphinxattableend\end{savenotes} 8069 8070krb5 releases 1.18 and later do not support single-DES. krb5 releases 80711.8 and later disable the single-DES enctypes by default. Microsoft 8072Windows releases Windows 7 and later disable single-DES enctypes by 8073default. 8074 8075krb5 releases 1.17 and later flag deprecated encryption types 8076(including \sphinxcode{des3-cbc-sha1} and \sphinxcode{arcfour-hmac}) in KDC logs and 8077kadmin output. krb5 release 1.19 issues a warning during initial 8078authentication if \sphinxcode{des3-cbc-sha1} is used. Future releases will 8079disable \sphinxcode{des3-cbc-sha1} by default and eventually remove support for 8080it. 
8081 8082 8083\section{Migrating away from older encryption types} 8084\label{\detokenize{admin/enctypes:migrating-away-from-older-encryption-types}} 8085Administrator intervention may be required to migrate a realm away 8086from legacy encryption types, especially if the realm was created 8087using krb5 release 1.2 or earlier. This migration should be performed 8088before upgrading to krb5 versions which disable or remove support for 8089legacy encryption types. 8090 8091If there is a \sphinxstylestrong{supported\_enctypes} setting in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} on 8092the KDC, make sure that it does not include weak or deprecated 8093encryption types. This will ensure that newly created keys do not use 8094those encryption types by default. 8095 8096Check the \sphinxcode{krbtgt/REALM} principal using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} 8097\sphinxstylestrong{getprinc} command. If it lists a weak or deprecated encryption 8098type as the first key, it must be migrated using the procedure in 8099{\hyperref[\detokenize{admin/database:changing-krbtgt-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Changing the krbtgt key}}}}. 8100 8101Check the \sphinxcode{kadmin/history} principal, which should have only one key 8102entry. If it uses a weak or deprecated encryption type, it should be 8103upgraded following the notes in {\hyperref[\detokenize{admin/database:updating-history-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Updating the history key}}}}. 8104 8105Check the other kadmin principals: kadmin/changepw, kadmin/admin, and 8106any kadmin/hostname principals that may exist. These principals can 8107be upgraded with \sphinxstylestrong{change\_password -randkey} in kadmin. 8108 8109Check the \sphinxcode{K/M} entry. 
If it uses a weak or deprecated encryption 8110type, it should be upgraded following the procedure in 8111{\hyperref[\detokenize{admin/database:updating-master-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Updating the master key}}}}. 8112 8113User and service principals using legacy encryption types can be 8114enumerated with the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} \sphinxstylestrong{tabdump keyinfo} command. 8115 8116Service principals can be migrated with a keytab rotation on the 8117service host, which can be accomplished using the {\hyperref[\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{k5srvutil}}}} 8118\sphinxstylestrong{change} and \sphinxstylestrong{delold} commands. Allow enough time for existing 8119tickets to expire between the change and delold operations. 8120 8121User principals with password-based keys can be migrated with a 8122password change. The realm administrator can set a password 8123expiration date using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{modify\_principal 8124-pwexpire} command to force a password change. 8125 8126If a legacy encryption type has not yet been disabled by default in 8127the version of krb5 running on the KDC, it can be disabled 8128administratively with the \sphinxstylestrong{permitted\_enctypes} variable. For 8129example, setting \sphinxstylestrong{permitted\_enctypes} to \sphinxcode{DEFAULT -des3 -rc4} will 8130cause any database keys of the triple-DES and RC4 encryption types to 8131be ignored. 
8132 8133 8134\chapter{HTTPS proxy configuration} 8135\label{\detokenize{admin/https:https-proxy-configuration}}\label{\detokenize{admin/https::doc}}\label{\detokenize{admin/https:https}} 8136In addition to being able to use UDP or TCP to communicate directly 8137with a KDC as is outlined in RFC4120, and with kpasswd services in a 8138similar fashion, the client libraries can attempt to use an HTTPS 8139proxy server to communicate with a KDC or kpasswd service, using the 8140protocol outlined in {[}MS-KKDCP{]}. 8141 8142Communicating with a KDC through an HTTPS proxy allows clients to 8143contact servers when network firewalls might otherwise prevent them 8144from doing so. The use of TLS also encrypts all traffic between the 8145clients and the KDC, preventing observers from conducting password 8146dictionary attacks or from observing the client and server principals 8147being authenticated, at additional computational cost to both clients 8148and servers. 8149 8150An HTTPS proxy server is provided as a feature in some versions of 8151Microsoft Windows Server, and a WSGI implementation named \sphinxtitleref{kdcproxy} 8152is available in the python package index. 8153 8154 8155\section{Configuring the clients} 8156\label{\detokenize{admin/https:configuring-the-clients}} 8157To use an HTTPS proxy, a client host must trust the CA which issued 8158that proxy’s SSL certificate. 
If that CA’s certificate is not in the 8159system-wide default set of trusted certificates, configure the 8160following relation in the client host’s {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in 8161the appropriate {\hyperref[\detokenize{admin/conf_files/krb5_conf:realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection: 8162 8163\fvset{hllines={, ,}}% 8164\begin{sphinxVerbatim}[commandchars=\\\{\}] 8165\PYG{n}{http\PYGZus{}anchors} \PYG{o}{=} \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} 8166\end{sphinxVerbatim} 8167 8168Adjust the pathname to match the path of the file which contains a 8169copy of the CA’s certificate. The \sphinxtitleref{http\_anchors} option is documented 8170more fully in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. 8171 8172Configure the client to access the KDC and kpasswd service by 8173specifying their locations in its {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} file in the form 8174of HTTPS URLs for the proxy server: 8175 8176\fvset{hllines={, ,}}% 8177\begin{sphinxVerbatim}[commandchars=\\\{\}] 8178\PYG{n}{kdc} \PYG{o}{=} \PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{server}\PYG{o}{.}\PYG{n}{fqdn}\PYG{o}{/}\PYG{n}{KdcProxy} 8179\PYG{n}{kpasswd\PYGZus{}server} \PYG{o}{=} \PYG{n}{https}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{server}\PYG{o}{.}\PYG{n}{fqdn}\PYG{o}{/}\PYG{n}{KdcProxy} 8180\end{sphinxVerbatim} 8181 8182If the proxy and client are properly configured, client commands such 8183as \sphinxcode{kinit}, \sphinxcode{kvno}, and \sphinxcode{kpasswd} should all function normally. 
8184 8185 8186\chapter{Authentication indicators} 8187\label{\detokenize{admin/auth_indicator:auth-indicator}}\label{\detokenize{admin/auth_indicator:authentication-indicators}}\label{\detokenize{admin/auth_indicator::doc}} 8188As of release 1.14, the KDC can be configured to annotate tickets if 8189the client authenticated using a stronger preauthentication mechanism 8190such as {\hyperref[\detokenize{admin/pkinit:pkinit}]{\sphinxcrossref{\DUrole{std,std-ref}{PKINIT}}}} or {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP}}}}. These 8191annotations are called “authentication indicators.” Service 8192principals can be configured to require particular authentication 8193indicators in order to authenticate to that service. An 8194authentication indicator value can be any string chosen by the KDC 8195administrator; there are no pre-set values. 8196 8197To use authentication indicators with PKINIT or OTP, first configure 8198the KDC to include an indicator when that preauthentication mechanism 8199is used. For PKINIT, use the \sphinxstylestrong{pkinit\_indicator} variable in 8200{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. For OTP, use the \sphinxstylestrong{indicator} variable in the 8201token type definition, or specify the indicators in the \sphinxstylestrong{otp} user 8202string as described in {\hyperref[\detokenize{admin/otp:otp-preauth}]{\sphinxcrossref{\DUrole{std,std-ref}{OTP Preauthentication}}}}. 8203 8204To require an indicator to be present in order to authenticate to a 8205service principal, set the \sphinxstylestrong{require\_auth} string attribute on the 8206principal to the indicator value to be required. If you wish to allow 8207one of several indicators to be accepted, you can specify multiple 8208indicator values separated by spaces. 
8209 8210For example, a realm could be configured to set the authentication 8211indicator value “strong” when PKINIT is used to authenticate, using a 8212setting in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-realms}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}realms{]}}}}} subsection: 8213 8214\fvset{hllines={, ,}}% 8215\begin{sphinxVerbatim}[commandchars=\\\{\}] 8216\PYG{n}{pkinit\PYGZus{}indicator} \PYG{o}{=} \PYG{n}{strong} 8217\end{sphinxVerbatim} 8218 8219A service principal could be configured to require the “strong” 8220authentication indicator value: 8221 8222\fvset{hllines={, ,}}% 8223\begin{sphinxVerbatim}[commandchars=\\\{\}] 8224\PYGZdl{} kadmin setstr host/high.value.server require\PYGZus{}auth strong 8225Password for user/admin@KRBTEST.COM: 8226\end{sphinxVerbatim} 8227 8228A user who authenticates with PKINIT would be able to obtain a ticket 8229for the service principal: 8230 8231\fvset{hllines={, ,}}% 8232\begin{sphinxVerbatim}[commandchars=\\\{\}] 8233\PYGZdl{} kinit \PYGZhy{}X X509\PYGZus{}user\PYGZus{}identity=FILE:/my/cert.pem,/my/key.pem user 8234\PYGZdl{} kvno host/high.value.server 8235host/high.value.server@KRBTEST.COM: kvno = 1 8236\end{sphinxVerbatim} 8237 8238but a user who authenticates with a password would not: 8239 8240\fvset{hllines={, ,}}% 8241\begin{sphinxVerbatim}[commandchars=\\\{\}] 8242\PYGZdl{} kinit user 8243Password for user@KRBTEST.COM: 8244\PYGZdl{} kvno host/high.value.server 8245kvno: KDC policy rejects request while getting credentials for 8246 host/high.value.server@KRBTEST.COM 8247\end{sphinxVerbatim} 8248 8249GSSAPI server applications can inspect authentication indicators 8250through the \DUrole{xref,std,std-ref}{auth-indicators} name 8251attribute. 
8252 8253 8254\chapter{Administration programs} 8255\label{\detokenize{admin/admin_commands/index:administration-programs}}\label{\detokenize{admin/admin_commands/index::doc}} 8256 8257\section{kadmin} 8258\label{\detokenize{admin/admin_commands/kadmin_local::doc}}\label{\detokenize{admin/admin_commands/kadmin_local:kadmin}}\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-1}} 8259 8260\subsection{SYNOPSIS} 8261\label{\detokenize{admin/admin_commands/kadmin_local:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-synopsis}} 8262\sphinxstylestrong{kadmin} 8263{[}\sphinxstylestrong{-O}\textbar{}\sphinxstylestrong{-N}{]} 8264{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 8265{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}{]} 8266{[}\sphinxstylestrong{-q} \sphinxstyleemphasis{query}{]} 8267{[}{[}\sphinxstylestrong{-c} \sphinxstyleemphasis{cache\_name}{]}\textbar{}{[}\sphinxstylestrong{-k} {[}\sphinxstylestrong{-t} \sphinxstyleemphasis{keytab}{]}{]}\textbar{}\sphinxstylestrong{-n}{]} 8268{[}\sphinxstylestrong{-w} \sphinxstyleemphasis{password}{]} 8269{[}\sphinxstylestrong{-s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}{]} 8270{[}command args…{]} 8271 8272\sphinxstylestrong{kadmin.local} 8273{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 8274{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}{]} 8275{[}\sphinxstylestrong{-q} \sphinxstyleemphasis{query}{]} 8276{[}\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}{]} 8277{[}\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …{]} 8278{[}\sphinxstylestrong{-m}{]} 8279{[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]} 8280{[}command args…{]} 8281 8282 8283\subsection{DESCRIPTION} 8284\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-synopsis-end}}\label{\detokenize{admin/admin_commands/kadmin_local:description}} 8285kadmin and kadmin.local are command-line interfaces to the 
Kerberos V5 8286administration system. They provide nearly identical functionalities; 8287the difference is that kadmin.local directly accesses the KDC 8288database, while kadmin performs operations using {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}. 8289Except as explicitly noted otherwise, this man page will use “kadmin” 8290to refer to both versions. kadmin provides for the maintenance of 8291Kerberos principals, password policies, and service key tables 8292(keytabs). 8293 8294The remote kadmin client uses Kerberos to authenticate to kadmind 8295using the service principal \sphinxcode{kadmin/admin} or \sphinxcode{kadmin/ADMINHOST} 8296(where \sphinxstyleemphasis{ADMINHOST} is the fully-qualified hostname of the admin 8297server). If the credentials cache contains a ticket for one of these 8298principals, and the \sphinxstylestrong{-c} credentials\_cache option is specified, that 8299ticket is used to authenticate to kadmind. Otherwise, the \sphinxstylestrong{-p} and 8300\sphinxstylestrong{-k} options are used to specify the client Kerberos principal name 8301used to authenticate. Once kadmin has determined the principal name, 8302it requests a service ticket from the KDC, and uses that service 8303ticket to authenticate to kadmind. 8304 8305Since kadmin.local directly accesses the KDC database, it usually must 8306be run directly on the primary KDC with sufficient permissions to read 8307the KDC database. If the KDC database uses the LDAP database module, 8308kadmin.local can be run on any host which can access the LDAP server. 8309 8310 8311\subsection{OPTIONS} 8312\label{\detokenize{admin/admin_commands/kadmin_local:options}}\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-options}}\begin{description} 8313\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 8314Use \sphinxstyleemphasis{realm} as the default database realm. 
8315 8316\item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{principal}}] \leavevmode 8317Use \sphinxstyleemphasis{principal} to authenticate. Otherwise, kadmin will append 8318\sphinxcode{/admin} to the primary principal name of the default ccache, 8319the value of the \sphinxstylestrong{USER} environment variable, or the username as 8320obtained with getpwuid, in order of preference. 8321 8322\item[{\sphinxstylestrong{-k}}] \leavevmode 8323Use a keytab to decrypt the KDC response instead of prompting for 8324a password. In this case, the default principal will be 8325\sphinxcode{host/hostname}. If there is no keytab specified with the 8326\sphinxstylestrong{-t} option, then the default keytab will be used. 8327 8328\item[{\sphinxstylestrong{-t} \sphinxstyleemphasis{keytab}}] \leavevmode 8329Use \sphinxstyleemphasis{keytab} to decrypt the KDC response. This can only be used 8330with the \sphinxstylestrong{-k} option. 8331 8332\item[{\sphinxstylestrong{-n}}] \leavevmode 8333Requests anonymous processing. Two types of anonymous principals 8334are supported. For fully anonymous Kerberos, configure PKINIT on 8335the KDC and configure \sphinxstylestrong{pkinit\_anchors} in the client’s 8336{\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. Then use the \sphinxstylestrong{-n} option with a principal 8337of the form \sphinxcode{@REALM} (an empty principal name followed by the 8338at-sign and a realm name). If permitted by the KDC, an anonymous 8339ticket will be returned. A second form of anonymous tickets is 8340supported; these realm-exposed tickets hide the identity of the 8341client but not the client’s realm. For this mode, use \sphinxcode{kinit 8342-n} with a normal principal name. If supported by the KDC, the 8343principal (but not realm) will be replaced by the anonymous 8344principal. As of release 1.8, the MIT Kerberos KDC only supports 8345fully anonymous operation. 
8346 8347\item[{\sphinxstylestrong{-c} \sphinxstyleemphasis{credentials\_cache}}] \leavevmode 8348Use \sphinxstyleemphasis{credentials\_cache} as the credentials cache. The cache 8349should contain a service ticket for the \sphinxcode{kadmin/admin} or 8350\sphinxcode{kadmin/ADMINHOST} (where \sphinxstyleemphasis{ADMINHOST} is the fully-qualified 8351hostname of the admin server) service; it can be acquired with the 8352\DUrole{xref,std,std-ref}{kinit(1)} program. If this option is not specified, kadmin 8353requests a new service ticket from the KDC, and stores it in its 8354own temporary ccache. 8355 8356\item[{\sphinxstylestrong{-w} \sphinxstyleemphasis{password}}] \leavevmode 8357Use \sphinxstyleemphasis{password} instead of prompting for one. Use this option with 8358care, as it may expose the password to other users on the system 8359via the process list. 8360 8361\item[{\sphinxstylestrong{-q} \sphinxstyleemphasis{query}}] \leavevmode 8362Perform the specified query and then exit. 8363 8364\item[{\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}}] \leavevmode 8365Specifies the name of the KDC database. This option does not 8366apply to the LDAP database module. 8367 8368\item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{admin\_server}{[}:\sphinxstyleemphasis{port}{]}}] \leavevmode 8369Specifies the admin server which kadmin should contact. 8370 8371\item[{\sphinxstylestrong{-m}}] \leavevmode 8372If using kadmin.local, prompt for the database master password 8373instead of reading it from a stash file. 8374 8375\item[{\sphinxstylestrong{-e} “\sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt} …”}] \leavevmode 8376Sets the keysalt list to be used for any new keys created. See 8377{\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible 8378values. 
8379 8380\item[{\sphinxstylestrong{-O}}] \leavevmode 8381Force use of old AUTH\_GSSAPI authentication flavor. 8382 8383\item[{\sphinxstylestrong{-N}}] \leavevmode 8384Prevent fallback to AUTH\_GSSAPI authentication flavor. 8385 8386\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode 8387Specifies the database specific arguments. See the next section 8388for supported options. 8389 8390\end{description} 8391\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:kadmin-options-end}} 8392Starting with release 1.14, if any command-line arguments remain after 8393the options, they will be treated as a single query to be executed. 8394This mode of operation is intended for scripts and behaves differently 8395from the interactive mode in several respects: 8396\begin{itemize} 8397\item {} 8398Query arguments are split by the shell, not by kadmin. 8399 8400\item {} 8401Informational and warning messages are suppressed. Error messages 8402and query output (e.g. for \sphinxstylestrong{get\_principal}) will still be 8403displayed. 8404 8405\item {} 8406Confirmation prompts are disabled (as if \sphinxstylestrong{-force} was given). 8407Password prompts will still be issued as required. 8408 8409\item {} 8410The exit status will be non-zero if the query fails. 8411 8412\end{itemize} 8413 8414The \sphinxstylestrong{-q} option does not carry these behavior differences; the query 8415will be processed as if it was entered interactively. The \sphinxstylestrong{-q} 8416option cannot be used in combination with a query in the remaining 8417arguments. 8418 8419 8420\subsection{DATABASE OPTIONS} 8421\label{\detokenize{admin/admin_commands/kadmin_local:database-options}}\label{\detokenize{admin/admin_commands/kadmin_local:dboptions}} 8422Database options can be used to override database-specific defaults. 
8423Supported options for the DB2 module are: 8424\begin{quote} 8425\begin{description} 8426\item[{\sphinxstylestrong{-x dbname=}*filename*}] \leavevmode 8427Specifies the base filename of the DB2 database. 8428 8429\item[{\sphinxstylestrong{-x lockiter}}] \leavevmode 8430Make iteration operations hold the lock for the duration of 8431the entire operation, rather than temporarily releasing the 8432lock while handling each principal. This is the default 8433behavior, but this option exists to allow command line 8434override of a {[}dbmodules{]} setting. First introduced in 8435release 1.13. 8436 8437\item[{\sphinxstylestrong{-x unlockiter}}] \leavevmode 8438Make iteration operations unlock the database for each 8439principal, instead of holding the lock for the duration of the 8440entire operation. First introduced in release 1.13. 8441 8442\end{description} 8443\end{quote} 8444 8445Supported options for the LDAP module are: 8446\begin{quote} 8447\begin{description} 8448\item[{\sphinxstylestrong{-x host=}\sphinxstyleemphasis{ldapuri}}] \leavevmode 8449Specifies the LDAP server to connect to by a LDAP URI. 8450 8451\item[{\sphinxstylestrong{-x binddn=}\sphinxstyleemphasis{bind\_dn}}] \leavevmode 8452Specifies the DN used to bind to the LDAP server. 8453 8454\item[{\sphinxstylestrong{-x bindpwd=}\sphinxstyleemphasis{password}}] \leavevmode 8455Specifies the password or SASL secret used to bind to the LDAP 8456server. Using this option may expose the password to other 8457users on the system via the process list; to avoid this, 8458instead stash the password using the \sphinxstylestrong{stashsrvpw} command of 8459{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}. 8460 8461\item[{\sphinxstylestrong{-x sasl\_mech=}\sphinxstyleemphasis{mechanism}}] \leavevmode 8462Specifies the SASL mechanism used to bind to the LDAP server. 8463The bind DN is ignored if a SASL mechanism is used. 
New in 8464release 1.13. 8465 8466\item[{\sphinxstylestrong{-x sasl\_authcid=}\sphinxstyleemphasis{name}}] \leavevmode 8467Specifies the authentication name used when binding to the 8468LDAP server with a SASL mechanism, if the mechanism requires 8469one. New in release 1.13. 8470 8471\item[{\sphinxstylestrong{-x sasl\_authzid=}\sphinxstyleemphasis{name}}] \leavevmode 8472Specifies the authorization name used when binding to the LDAP 8473server with a SASL mechanism. New in release 1.13. 8474 8475\item[{\sphinxstylestrong{-x sasl\_realm=}\sphinxstyleemphasis{realm}}] \leavevmode 8476Specifies the realm used when binding to the LDAP server with 8477a SASL mechanism, if the mechanism uses one. New in release 84781.13. 8479 8480\item[{\sphinxstylestrong{-x debug=}\sphinxstyleemphasis{level}}] \leavevmode 8481sets the OpenLDAP client library debug level. \sphinxstyleemphasis{level} is an 8482integer to be interpreted by the library. Debugging messages 8483are printed to standard error. New in release 1.12. 8484 8485\end{description} 8486\end{quote} 8487 8488 8489\subsection{COMMANDS} 8490\label{\detokenize{admin/admin_commands/kadmin_local:commands}} 8491When using the remote client, available commands may be restricted 8492according to the privileges specified in the {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} file 8493on the admin server. 8494 8495 8496\subsubsection{add\_principal} 8497\label{\detokenize{admin/admin_commands/kadmin_local:add-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id1}}\begin{quote} 8498 8499\sphinxstylestrong{add\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{newprinc} 8500\end{quote} 8501 8502Creates the principal \sphinxstyleemphasis{newprinc}, prompting twice for a password. 
If 8503no password policy is specified with the \sphinxstylestrong{-policy} option, the 8504policy named \sphinxcode{default} is assigned to the principal if it exists. 8505However, creating a policy named \sphinxcode{default} will not automatically 8506assign this policy to previously existing principals. This policy 8507assignment can be suppressed with the \sphinxstylestrong{-clearpolicy} option. 8508 8509This command requires the \sphinxstylestrong{add} privilege. 8510 8511Aliases: \sphinxstylestrong{addprinc}, \sphinxstylestrong{ank} 8512 8513Options: 8514\begin{description} 8515\item[{\sphinxstylestrong{-expire} \sphinxstyleemphasis{expdate}}] \leavevmode 8516(\DUrole{xref,std,std-ref}{getdate} string) The expiration date of the principal. 8517 8518\item[{\sphinxstylestrong{-pwexpire} \sphinxstyleemphasis{pwexpdate}}] \leavevmode 8519(\DUrole{xref,std,std-ref}{getdate} string) The password expiration date. 8520 8521\item[{\sphinxstylestrong{-maxlife} \sphinxstyleemphasis{maxlife}}] \leavevmode 8522(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum ticket life 8523for the principal. 8524 8525\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{maxrenewlife}}] \leavevmode 8526(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) The maximum renewable 8527life of tickets for the principal. 8528 8529\item[{\sphinxstylestrong{-kvno} \sphinxstyleemphasis{kvno}}] \leavevmode 8530The initial key version number. 8531 8532\item[{\sphinxstylestrong{-policy} \sphinxstyleemphasis{policy}}] \leavevmode 8533The password policy used by this principal. If not specified, the 8534policy \sphinxcode{default} is used if it exists (unless \sphinxstylestrong{-clearpolicy} 8535is specified). 8536 8537\item[{\sphinxstylestrong{-clearpolicy}}] \leavevmode 8538Prevents any policy from being assigned when \sphinxstylestrong{-policy} is not 8539specified. 
8540 8541\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_postdated}}] \leavevmode 8542\sphinxstylestrong{-allow\_postdated} prohibits this principal from obtaining 8543postdated tickets. \sphinxstylestrong{+allow\_postdated} clears this flag. 8544 8545\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_forwardable}}] \leavevmode 8546\sphinxstylestrong{-allow\_forwardable} prohibits this principal from obtaining 8547forwardable tickets. \sphinxstylestrong{+allow\_forwardable} clears this flag. 8548 8549\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_renewable}}] \leavevmode 8550\sphinxstylestrong{-allow\_renewable} prohibits this principal from obtaining 8551renewable tickets. \sphinxstylestrong{+allow\_renewable} clears this flag. 8552 8553\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_proxiable}}] \leavevmode 8554\sphinxstylestrong{-allow\_proxiable} prohibits this principal from obtaining 8555proxiable tickets. \sphinxstylestrong{+allow\_proxiable} clears this flag. 8556 8557\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_dup\_skey}}] \leavevmode 8558\sphinxstylestrong{-allow\_dup\_skey} disables user-to-user authentication for this 8559principal by prohibiting others from obtaining a service ticket 8560encrypted in this principal’s TGT session key. 8561\sphinxstylestrong{+allow\_dup\_skey} clears this flag. 8562 8563\item[{\{-\textbar{}+\}\sphinxstylestrong{requires\_preauth}}] \leavevmode 8564\sphinxstylestrong{+requires\_preauth} requires this principal to preauthenticate 8565before being allowed to kinit. \sphinxstylestrong{-requires\_preauth} clears this 8566flag. When \sphinxstylestrong{+requires\_preauth} is set on a service principal, 8567the KDC will only issue service tickets for that service principal 8568if the client’s initial authentication was performed using 8569preauthentication. 
8570 8571\item[{\{-\textbar{}+\}\sphinxstylestrong{requires\_hwauth}}] \leavevmode 8572\sphinxstylestrong{+requires\_hwauth} requires this principal to preauthenticate 8573using a hardware device before being allowed to kinit. 8574\sphinxstylestrong{-requires\_hwauth} clears this flag. When \sphinxstylestrong{+requires\_hwauth} is 8575set on a service principal, the KDC will only issue service tickets 8576for that service principal if the client’s initial authentication was 8577performed using a hardware device to preauthenticate. 8578 8579\item[{\{-\textbar{}+\}\sphinxstylestrong{ok\_as\_delegate}}] \leavevmode 8580\sphinxstylestrong{+ok\_as\_delegate} sets the \sphinxstylestrong{okay as delegate} flag on tickets 8581issued with this principal as the service. Clients may use this 8582flag as a hint that credentials should be delegated when 8583authenticating to the service. \sphinxstylestrong{-ok\_as\_delegate} clears this 8584flag. 8585 8586\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_svr}}] \leavevmode 8587\sphinxstylestrong{-allow\_svr} prohibits the issuance of service tickets for this 8588principal. In release 1.17 and later, user-to-user service 8589tickets are still allowed unless the \sphinxstylestrong{-allow\_dup\_skey} flag is 8590also set. \sphinxstylestrong{+allow\_svr} clears this flag. 8591 8592\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_tgs\_req}}] \leavevmode 8593\sphinxstylestrong{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS) 8594request for a service ticket for this principal is not permitted. 8595\sphinxstylestrong{+allow\_tgs\_req} clears this flag. 8596 8597\item[{\{-\textbar{}+\}\sphinxstylestrong{allow\_tix}}] \leavevmode 8598\sphinxstylestrong{-allow\_tix} forbids the issuance of any tickets for this 8599principal. \sphinxstylestrong{+allow\_tix} clears this flag. 
8600 8601\item[{\{-\textbar{}+\}\sphinxstylestrong{needchange}}] \leavevmode 8602\sphinxstylestrong{+needchange} forces a password change on the next initial 8603authentication to this principal. \sphinxstylestrong{-needchange} clears this 8604flag. 8605 8606\item[{\{-\textbar{}+\}\sphinxstylestrong{password\_changing\_service}}] \leavevmode 8607\sphinxstylestrong{+password\_changing\_service} marks this principal as a password 8608change service principal. 8609 8610\item[{\{-\textbar{}+\}\sphinxstylestrong{ok\_to\_auth\_as\_delegate}}] \leavevmode 8611\sphinxstylestrong{+ok\_to\_auth\_as\_delegate} allows this principal to acquire 8612forwardable tickets to itself from arbitrary users, for use with 8613constrained delegation. 8614 8615\item[{\{-\textbar{}+\}\sphinxstylestrong{no\_auth\_data\_required}}] \leavevmode 8616\sphinxstylestrong{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from 8617being added to service tickets for the principal. 8618 8619\item[{\{-\textbar{}+\}\sphinxstylestrong{lockdown\_keys}}] \leavevmode 8620\sphinxstylestrong{+lockdown\_keys} prevents keys for this principal from leaving 8621the KDC via kadmind. The chpass and extract operations are denied 8622for a principal with this attribute. The chrand operation is 8623allowed, but will not return the new keys. The delete and rename 8624operations are also denied if this attribute is set, in order to 8625prevent a malicious administrator from replacing principals like 8626krbtgt/* or kadmin/* with new principals without the attribute. 8627This attribute can be set via the network protocol, but can only 8628be removed using kadmin.local. 8629 8630\item[{\sphinxstylestrong{-randkey}}] \leavevmode 8631Sets the key of the principal to a random value. 8632 8633\item[{\sphinxstylestrong{-nokey}}] \leavevmode 8634Causes the principal to be created with no key. New in release 86351.12. 
8636 8637\item[{\sphinxstylestrong{-pw} \sphinxstyleemphasis{password}}] \leavevmode 8638Sets the password of the principal to the specified string and 8639does not prompt for a password. Note: using this option in a 8640shell script may expose the password to other users on the system 8641via the process list. 8642 8643\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode 8644Uses the specified keysalt list for setting the keys of the 8645principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a 8646list of possible values. 8647 8648\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_princ\_args}}] \leavevmode 8649Indicates database-specific options. The options for the LDAP 8650database module are: 8651\begin{description} 8652\item[{\sphinxstylestrong{-x dn=}\sphinxstyleemphasis{dn}}] \leavevmode 8653Specifies the LDAP object that will contain the Kerberos 8654principal being created. 8655 8656\item[{\sphinxstylestrong{-x linkdn=}\sphinxstyleemphasis{dn}}] \leavevmode 8657Specifies the LDAP object to which the newly created Kerberos 8658principal object will point. 8659 8660\item[{\sphinxstylestrong{-x containerdn=}\sphinxstyleemphasis{container\_dn}}] \leavevmode 8661Specifies the container object under which the Kerberos 8662principal is to be created. 8663 8664\item[{\sphinxstylestrong{-x tktpolicy=}\sphinxstyleemphasis{policy}}] \leavevmode 8665Associates a ticket policy to the Kerberos principal. 8666 8667\end{description} 8668 8669\begin{sphinxadmonition}{note}{Note:}\begin{itemize} 8670\item {} 8671The \sphinxstylestrong{containerdn} and \sphinxstylestrong{linkdn} options cannot be 8672specified with the \sphinxstylestrong{dn} option. 
8673 8674\item {} 8675If the \sphinxstyleemphasis{dn} or \sphinxstyleemphasis{containerdn} options are not specified while 8676adding the principal, the principals are created under the 8677principal container configured in the realm or the realm 8678container. 8679 8680\item {} 8681\sphinxstyleemphasis{dn} and \sphinxstyleemphasis{containerdn} should be within the subtrees or 8682principal container configured in the realm. 8683 8684\end{itemize} 8685\end{sphinxadmonition} 8686 8687\end{description} 8688 8689Example: 8690 8691\fvset{hllines={, ,}}% 8692\begin{sphinxVerbatim}[commandchars=\\\{\}] 8693\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{addprinc} \PYG{n}{jennifer} 8694\PYG{n}{No} \PYG{n}{policy} \PYG{n}{specified} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{;} 8695\PYG{n}{defaulting} \PYG{n}{to} \PYG{n}{no} \PYG{n}{policy}\PYG{o}{.} 8696\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 8697\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{jennifer}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{p}{:} 8698\PYG{n}{Principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{jennifer@ATHENA.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{created}\PYG{o}{.} 8699\PYG{n}{kadmin}\PYG{p}{:} 8700\end{sphinxVerbatim} 8701\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:add-principal-end}} 8702 8703\subsubsection{modify\_principal} 8704\label{\detokenize{admin/admin_commands/kadmin_local:add-principal-end}}\label{\detokenize{admin/admin_commands/kadmin_local:id2}}\label{\detokenize{admin/admin_commands/kadmin_local:modify-principal}}\begin{quote} 8705 8706\sphinxstylestrong{modify\_principal} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} 8707\end{quote} 8708 8709Modifies the specified principal, changing the fields as 
specified. 8710The options to \sphinxstylestrong{add\_principal} also apply to this command, except 8711for the \sphinxstylestrong{-randkey}, \sphinxstylestrong{-pw}, and \sphinxstylestrong{-e} options. In addition, the 8712option \sphinxstylestrong{-clearpolicy} will clear the current policy of a principal. 8713 8714This command requires the \sphinxstyleemphasis{modify} privilege. 8715 8716Alias: \sphinxstylestrong{modprinc} 8717 8718Options (in addition to the \sphinxstylestrong{addprinc} options): 8719\begin{description} 8720\item[{\sphinxstylestrong{-unlock}}] \leavevmode 8721Unlocks a locked principal (one which has received too many failed 8722authentication attempts without enough time between them according 8723to its password policy) so that it can successfully authenticate. 8724 8725\end{description} 8726\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:modify-principal-end}} 8727 8728\subsubsection{rename\_principal} 8729\label{\detokenize{admin/admin_commands/kadmin_local:modify-principal-end}}\label{\detokenize{admin/admin_commands/kadmin_local:rename-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id3}}\begin{quote} 8730 8731\sphinxstylestrong{rename\_principal} {[}\sphinxstylestrong{-force}{]} \sphinxstyleemphasis{old\_principal} \sphinxstyleemphasis{new\_principal} 8732\end{quote} 8733 8734Renames the specified \sphinxstyleemphasis{old\_principal} to \sphinxstyleemphasis{new\_principal}. This 8735command prompts for confirmation, unless the \sphinxstylestrong{-force} option is 8736given. 8737 8738This command requires the \sphinxstylestrong{add} and \sphinxstylestrong{delete} privileges. 
8739 8740Alias: \sphinxstylestrong{renprinc} 8741 8742\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:rename-principal-end}} 8743 8744\subsubsection{delete\_principal} 8745\label{\detokenize{admin/admin_commands/kadmin_local:id4}}\label{\detokenize{admin/admin_commands/kadmin_local:delete-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:rename-principal-end}}\begin{quote} 8746 8747\sphinxstylestrong{delete\_principal} {[}\sphinxstylestrong{-force}{]} \sphinxstyleemphasis{principal} 8748\end{quote} 8749 8750Deletes the specified \sphinxstyleemphasis{principal} from the database. This command 8751prompts for confirmation of the deletion, unless the \sphinxstylestrong{-force} option is given. 8752 8753This command requires the \sphinxstylestrong{delete} privilege. 8754 8755Alias: \sphinxstylestrong{delprinc} 8756 8757\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:delete-principal-end}} 8758 8759\subsubsection{change\_password} 8760\label{\detokenize{admin/admin_commands/kadmin_local:id5}}\label{\detokenize{admin/admin_commands/kadmin_local:delete-principal-end}}\label{\detokenize{admin/admin_commands/kadmin_local:change-password}}\begin{quote} 8761 8762\sphinxstylestrong{change\_password} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{principal} 8763\end{quote} 8764 8765Changes the password of \sphinxstyleemphasis{principal}. Prompts for a new password if 8766neither \sphinxstylestrong{-randkey} nor \sphinxstylestrong{-pw} is specified. 8767 8768This command requires the \sphinxstylestrong{changepw} privilege, or that the 8769principal running the program is the same as the principal being 8770changed. 8771 8772Alias: \sphinxstylestrong{cpw} 8773 8774The following options are available: 8775\begin{description} 8776\item[{\sphinxstylestrong{-randkey}}] \leavevmode 8777Sets the key of the principal to a random value. 
8778 8779\item[{\sphinxstylestrong{-pw} \sphinxstyleemphasis{password}}] \leavevmode 8780Set the password to the specified string. Using this option in a 8781script may expose the password to other users on the system via 8782the process list. 8783 8784\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode 8785Uses the specified keysalt list for setting the keys of the 8786principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a 8787list of possible values. 8788 8789\item[{\sphinxstylestrong{-keepold}}] \leavevmode 8790Keeps the existing keys in the database. This flag is usually not 8791necessary except perhaps for \sphinxcode{krbtgt} principals. 8792 8793\end{description} 8794 8795Example: 8796 8797\fvset{hllines={, ,}}% 8798\begin{sphinxVerbatim}[commandchars=\\\{\}] 8799\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{cpw} \PYG{n}{systest} 8800\PYG{n}{Enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 8801\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 8802\PYG{n}{Password} \PYG{k}{for} \PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{changed}\PYG{o}{.} 8803\PYG{n}{kadmin}\PYG{p}{:} 8804\end{sphinxVerbatim} 8805\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:change-password-end}} 8806 8807\subsubsection{purgekeys} 8808\label{\detokenize{admin/admin_commands/kadmin_local:id6}}\label{\detokenize{admin/admin_commands/kadmin_local:change-password-end}}\label{\detokenize{admin/admin_commands/kadmin_local:purgekeys}}\begin{quote} 8809 8810\sphinxstylestrong{purgekeys} 
{[}\sphinxstylestrong{-all}\textbar{}\sphinxstylestrong{-keepkvno} \sphinxstyleemphasis{oldest\_kvno\_to\_keep}{]} \sphinxstyleemphasis{principal} 8811\end{quote} 8812 8813Purges previously retained old keys (e.g., from \sphinxstylestrong{change\_password 8814-keepold}) from \sphinxstyleemphasis{principal}. If \sphinxstylestrong{-keepkvno} is specified, then 8815only purges keys with kvnos lower than \sphinxstyleemphasis{oldest\_kvno\_to\_keep}. If 8816\sphinxstylestrong{-all} is specified, then all keys are purged. The \sphinxstylestrong{-all} option 8817is new in release 1.12. 8818 8819This command requires the \sphinxstylestrong{modify} privilege. 8820 8821\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:purgekeys-end}} 8822 8823\subsubsection{get\_principal} 8824\label{\detokenize{admin/admin_commands/kadmin_local:get-principal}}\label{\detokenize{admin/admin_commands/kadmin_local:id7}}\label{\detokenize{admin/admin_commands/kadmin_local:purgekeys-end}}\begin{quote} 8825 8826\sphinxstylestrong{get\_principal} {[}\sphinxstylestrong{-terse}{]} \sphinxstyleemphasis{principal} 8827\end{quote} 8828 8829Gets the attributes of \sphinxstyleemphasis{principal}. With the \sphinxstylestrong{-terse} option, outputs 8830fields as quoted tab-separated strings. 8831 8832This command requires the \sphinxstylestrong{inquire} privilege, or that the principal 8833running the program is the same as the one being listed. 
8834 8835Alias: \sphinxstylestrong{getprinc} 8836 8837Examples: 8838 8839\fvset{hllines={, ,}}% 8840\begin{sphinxVerbatim}[commandchars=\\\{\}] 8841\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin} 8842\PYG{n}{Principal}\PYG{p}{:} \PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} 8843\PYG{n}{Expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 8844\PYG{n}{Last} \PYG{n}{password} \PYG{n}{change}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} 8845\PYG{n}{Password} \PYG{n}{expiration} \PYG{n}{date}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 8846\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 8847\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{7} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 8848\PYG{n}{Last} \PYG{n}{modified}\PYG{p}{:} \PYG{n}{Mon} \PYG{n}{Aug} \PYG{l+m+mi}{12} \PYG{l+m+mi}{14}\PYG{p}{:}\PYG{l+m+mi}{16}\PYG{p}{:}\PYG{l+m+mi}{47} \PYG{n}{EDT} \PYG{l+m+mi}{1996} \PYG{p}{(}\PYG{n}{bjaspan}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{)} 8849\PYG{n}{Last} \PYG{n}{successful} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 8850\PYG{n}{Last} \PYG{n}{failed} \PYG{n}{authentication}\PYG{p}{:} \PYG{p}{[}\PYG{n}{never}\PYG{p}{]} 8851\PYG{n}{Failed} \PYG{n}{password} \PYG{n}{attempts}\PYG{p}{:} \PYG{l+m+mi}{0} 8852\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} 8853\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha384}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{192} 8854\PYG{n}{MKey}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1} 
8855\PYG{n}{Attributes}\PYG{p}{:} 8856\PYG{n}{Policy}\PYG{p}{:} \PYG{p}{[}\PYG{n}{none}\PYG{p}{]} 8857 8858\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{getprinc} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{systest} 8859\PYG{n}{systest}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{l+m+mi}{3} \PYG{l+m+mi}{86400} \PYG{l+m+mi}{604800} \PYG{l+m+mi}{1} 8860\PYG{l+m+mi}{785926535} \PYG{l+m+mi}{753241234} \PYG{l+m+mi}{785900000} 8861\PYG{n}{tlyu}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{l+m+mi}{786100034} \PYG{l+m+mi}{0} \PYG{l+m+mi}{0} 8862\PYG{n}{kadmin}\PYG{p}{:} 8863\end{sphinxVerbatim} 8864\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:get-principal-end}} 8865 8866\subsubsection{list\_principals} 8867\label{\detokenize{admin/admin_commands/kadmin_local:get-principal-end}}\label{\detokenize{admin/admin_commands/kadmin_local:id8}}\label{\detokenize{admin/admin_commands/kadmin_local:list-principals}}\begin{quote} 8868 8869\sphinxstylestrong{list\_principals} {[}\sphinxstyleemphasis{expression}{]} 8870\end{quote} 8871 8872Retrieves all or some principal names. \sphinxstyleemphasis{expression} is a shell-style 8873glob expression that can contain the wild-card characters \sphinxcode{?}, 8874\sphinxcode{*}, and \sphinxcode{{[}{]}}. All principal names matching the expression are 8875printed. If no expression is provided, all principal names are 8876printed. If the expression does not contain an \sphinxcode{@} character, an 8877\sphinxcode{@} character followed by the local realm is appended to the 8878expression. 8879 8880This command requires the \sphinxstylestrong{list} privilege. 
8881 8882Alias: \sphinxstylestrong{listprincs}, \sphinxstylestrong{get\_principals}, \sphinxstylestrong{getprincs} 8883 8884Example: 8885 8886\fvset{hllines={, ,}}% 8887\begin{sphinxVerbatim}[commandchars=\\\{\}] 8888\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listprincs} \PYG{n}{test}\PYG{o}{*} 8889\PYG{n}{test3}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 8890\PYG{n}{test2}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 8891\PYG{n}{test1}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 8892\PYG{n}{testuser}\PYG{n+nd}{@SECURE}\PYG{o}{\PYGZhy{}}\PYG{n}{TEST}\PYG{o}{.}\PYG{n}{OV}\PYG{o}{.}\PYG{n}{COM} 8893\PYG{n}{kadmin}\PYG{p}{:} 8894\end{sphinxVerbatim} 8895\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:list-principals-end}} 8896 8897\subsubsection{get\_strings} 8898\label{\detokenize{admin/admin_commands/kadmin_local:id9}}\label{\detokenize{admin/admin_commands/kadmin_local:get-strings}}\label{\detokenize{admin/admin_commands/kadmin_local:list-principals-end}}\begin{quote} 8899 8900\sphinxstylestrong{get\_strings} \sphinxstyleemphasis{principal} 8901\end{quote} 8902 8903Displays string attributes on \sphinxstyleemphasis{principal}. 8904 8905This command requires the \sphinxstylestrong{inquire} privilege. 8906 8907Alias: \sphinxstylestrong{getstrs} 8908 8909\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:get-strings-end}} 8910 8911\subsubsection{set\_string} 8912\label{\detokenize{admin/admin_commands/kadmin_local:id10}}\label{\detokenize{admin/admin_commands/kadmin_local:set-string}}\label{\detokenize{admin/admin_commands/kadmin_local:get-strings-end}}\begin{quote} 8913 8914\sphinxstylestrong{set\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{name} \sphinxstyleemphasis{value} 8915\end{quote} 8916 8917Sets a string attribute on \sphinxstyleemphasis{principal}. 
String attributes are used to 8918supply per-principal configuration to the KDC and some KDC plugin 8919modules. The following string attribute names are recognized by the 8920KDC: 8921\begin{description} 8922\item[{\sphinxstylestrong{require\_auth}}] \leavevmode 8923Specifies an authentication indicator which is required to 8924authenticate to the principal as a service. Multiple indicators 8925can be specified, separated by spaces; in this case any of the 8926specified indicators will be accepted. (New in release 1.14.) 8927 8928\item[{\sphinxstylestrong{session\_enctypes}}] \leavevmode 8929Specifies the encryption types supported for session keys when the 8930principal is authenticated to as a server. See 8931{\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the 8932accepted values. 8933 8934\item[{\sphinxstylestrong{otp}}] \leavevmode 8935Enables One Time Passwords (OTP) preauthentication for a client 8936\sphinxstyleemphasis{principal}. The \sphinxstyleemphasis{value} is a JSON string representing an array 8937of objects, each having optional \sphinxcode{type} and \sphinxcode{username} fields. 8938 8939\item[{\sphinxstylestrong{pkinit\_cert\_match}}] \leavevmode 8940Specifies a matching expression that defines the certificate 8941attributes required for the client certificate used by the 8942principal during PKINIT authentication. The matching expression 8943is in the same format as those used by the \sphinxstylestrong{pkinit\_cert\_match} 8944option in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. (New in release 1.16.) 8945 8946\end{description} 8947 8948This command requires the \sphinxstylestrong{modify} privilege. 
8949 8950Alias: \sphinxstylestrong{setstr} 8951 8952Example: 8953 8954\fvset{hllines={, ,}}% 8955\begin{sphinxVerbatim}[commandchars=\\\{\}] 8956\PYG{n}{set\PYGZus{}string} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{session\PYGZus{}enctypes} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts} 8957\PYG{n}{set\PYGZus{}string} \PYG{n}{user}\PYG{n+nd}{@FOO}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{otp} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{[}\PYG{l+s+s2}{\PYGZob{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{type}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{:}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{hotp}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{,}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{username}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{:}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{al}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{\PYGZcb{}]}\PYG{l+s+s2}{\PYGZdq{}} 8958\end{sphinxVerbatim} 8959\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:set-string-end}} 8960 8961\subsubsection{del\_string} 8962\label{\detokenize{admin/admin_commands/kadmin_local:set-string-end}}\label{\detokenize{admin/admin_commands/kadmin_local:del-string}}\label{\detokenize{admin/admin_commands/kadmin_local:id11}}\begin{quote} 8963 8964\sphinxstylestrong{del\_string} \sphinxstyleemphasis{principal} \sphinxstyleemphasis{key} 8965\end{quote} 8966 8967Deletes a string attribute from \sphinxstyleemphasis{principal}. 8968 8969This command requires the \sphinxstylestrong{delete} privilege. 
8970 8971Alias: \sphinxstylestrong{delstr} 8972 8973\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:del-string-end}} 8974 8975\subsubsection{add\_policy} 8976\label{\detokenize{admin/admin_commands/kadmin_local:id12}}\label{\detokenize{admin/admin_commands/kadmin_local:del-string-end}}\label{\detokenize{admin/admin_commands/kadmin_local:add-policy}}\begin{quote} 8977 8978\sphinxstylestrong{add\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} 8979\end{quote} 8980 8981Adds a password policy named \sphinxstyleemphasis{policy} to the database. 8982 8983This command requires the \sphinxstylestrong{add} privilege. 8984 8985Alias: \sphinxstylestrong{addpol} 8986 8987The following options are available: 8988\begin{description} 8989\item[{\sphinxstylestrong{-maxlife} \sphinxstyleemphasis{time}}] \leavevmode 8990(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the maximum 8991lifetime of a password. 8992 8993\item[{\sphinxstylestrong{-minlife} \sphinxstyleemphasis{time}}] \leavevmode 8994(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the minimum 8995lifetime of a password. 8996 8997\item[{\sphinxstylestrong{-minlength} \sphinxstyleemphasis{length}}] \leavevmode 8998Sets the minimum length of a password. 8999 9000\item[{\sphinxstylestrong{-minclasses} \sphinxstyleemphasis{number}}] \leavevmode 9001Sets the minimum number of character classes required in a 9002password. The five character classes are lower case, upper case, 9003numbers, punctuation, and whitespace/unprintable characters. 9004 9005\item[{\sphinxstylestrong{-history} \sphinxstyleemphasis{number}}] \leavevmode 9006Sets the number of past keys kept for a principal. This option is 9007not supported with the LDAP KDC database module. 
9008 9009\end{description} 9010\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-maxfailure}}\begin{description} 9011\item[{\sphinxstylestrong{-maxfailure} \sphinxstyleemphasis{maxnumber}}] \leavevmode 9012Sets the number of authentication failures before the principal is 9013locked. Authentication failures are only tracked for principals 9014which require preauthentication. The counter of failed attempts 9015resets to 0 after a successful attempt to authenticate. A 9016\sphinxstyleemphasis{maxnumber} value of 0 (the default) disables lockout. 9017 9018\end{description} 9019\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-failurecountinterval}}\begin{description} 9020\item[{\sphinxstylestrong{-failurecountinterval} \sphinxstyleemphasis{failuretime}}] \leavevmode 9021(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the allowable time 9022between authentication failures. If an authentication failure 9023happens after \sphinxstyleemphasis{failuretime} has elapsed since the previous 9024failure, the number of authentication failures is reset to 1. A 9025\sphinxstyleemphasis{failuretime} value of 0 (the default) means forever. 9026 9027\end{description} 9028\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:policy-lockoutduration}}\begin{description} 9029\item[{\sphinxstylestrong{-lockoutduration} \sphinxstyleemphasis{lockouttime}}] \leavevmode 9030(\DUrole{xref,std,std-ref}{duration} or \DUrole{xref,std,std-ref}{getdate} string) Sets the duration for 9031which the principal is locked from authenticating if too many 9032authentication failures occur without the specified failure count 9033interval elapsing. A duration of 0 (the default) means the 9034principal remains locked out until it is administratively unlocked 9035with \sphinxcode{modprinc -unlock}. 
9036 9037\item[{\sphinxstylestrong{-allowedkeysalts}}] \leavevmode 9038Specifies the key/salt tuples supported for long-term keys when 9039setting or changing a principal’s password/keys. See 9040{\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of the 9041accepted values, but note that key/salt tuples must be separated 9042with commas (‘,’) only. To clear the allowed key/salt policy use 9043a value of ‘-‘. 9044 9045\end{description} 9046 9047Example: 9048 9049\fvset{hllines={, ,}}% 9050\begin{sphinxVerbatim}[commandchars=\\\{\}] 9051\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{add\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{2 days}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{minlength} \PYG{l+m+mi}{5} \PYG{n}{guests} 9052\PYG{n}{kadmin}\PYG{p}{:} 9053\end{sphinxVerbatim} 9054\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:add-policy-end}} 9055 9056\subsubsection{modify\_policy} 9057\label{\detokenize{admin/admin_commands/kadmin_local:id13}}\label{\detokenize{admin/admin_commands/kadmin_local:modify-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:add-policy-end}}\begin{quote} 9058 9059\sphinxstylestrong{modify\_policy} {[}\sphinxstyleemphasis{options}{]} \sphinxstyleemphasis{policy} 9060\end{quote} 9061 9062Modifies the password policy named \sphinxstyleemphasis{policy}. Options are as described 9063for \sphinxstylestrong{add\_policy}. 9064 9065This command requires the \sphinxstylestrong{modify} privilege. 
9066 9067Alias: \sphinxstylestrong{modpol} 9068 9069\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:modify-policy-end}} 9070 9071\subsubsection{delete\_policy} 9072\label{\detokenize{admin/admin_commands/kadmin_local:delete-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:modify-policy-end}}\label{\detokenize{admin/admin_commands/kadmin_local:id14}}\begin{quote} 9073 9074\sphinxstylestrong{delete\_policy} {[}\sphinxstylestrong{-force}{]} \sphinxstyleemphasis{policy} 9075\end{quote} 9076 9077Deletes the password policy named \sphinxstyleemphasis{policy}. Prompts for confirmation 9078before deletion. The command will fail if the policy is in use by any 9079principals. 9080 9081This command requires the \sphinxstylestrong{delete} privilege. 9082 9083Alias: \sphinxstylestrong{delpol} 9084 9085Example: 9086 9087\fvset{hllines={, ,}}% 9088\begin{sphinxVerbatim}[commandchars=\\\{\}] 9089kadmin: del\PYGZus{}policy guests 9090Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? 9091(yes/no): yes 9092kadmin: 9093\end{sphinxVerbatim} 9094\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:delete-policy-end}} 9095 9096\subsubsection{get\_policy} 9097\label{\detokenize{admin/admin_commands/kadmin_local:delete-policy-end}}\label{\detokenize{admin/admin_commands/kadmin_local:get-policy}}\label{\detokenize{admin/admin_commands/kadmin_local:id15}}\begin{quote} 9098 9099\sphinxstylestrong{get\_policy} {[} \sphinxstylestrong{-terse} {]} \sphinxstyleemphasis{policy} 9100\end{quote} 9101 9102Displays the values of the password policy named \sphinxstyleemphasis{policy}. With the 9103\sphinxstylestrong{-terse} flag, outputs the fields as quoted strings separated by 9104tabs. 9105 9106This command requires the \sphinxstylestrong{inquire} privilege. 
9107 9108Alias: \sphinxstylestrong{getpol} 9109 9110Examples: 9111 9112\fvset{hllines={, ,}}% 9113\begin{sphinxVerbatim}[commandchars=\\\{\}] 9114\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{n}{admin} 9115\PYG{n}{Policy}\PYG{p}{:} \PYG{n}{admin} 9116\PYG{n}{Maximum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{180} \PYG{n}{days} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 9117\PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 9118\PYG{n}{Minimum} \PYG{n}{password} \PYG{n}{length}\PYG{p}{:} \PYG{l+m+mi}{6} 9119\PYG{n}{Minimum} \PYG{n}{number} \PYG{n}{of} \PYG{n}{password} \PYG{n}{character} \PYG{n}{classes}\PYG{p}{:} \PYG{l+m+mi}{2} 9120\PYG{n}{Number} \PYG{n}{of} \PYG{n}{old} \PYG{n}{keys} \PYG{n}{kept}\PYG{p}{:} \PYG{l+m+mi}{5} 9121\PYG{n}{Reference} \PYG{n}{count}\PYG{p}{:} \PYG{l+m+mi}{17} 9122 9123\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{get\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{terse} \PYG{n}{admin} 9124\PYG{n}{admin} \PYG{l+m+mi}{15552000} \PYG{l+m+mi}{0} \PYG{l+m+mi}{6} \PYG{l+m+mi}{2} \PYG{l+m+mi}{5} \PYG{l+m+mi}{17} 9125\PYG{n}{kadmin}\PYG{p}{:} 9126\end{sphinxVerbatim} 9127 9128The “Reference count” is the number of principals using that policy. 9129With the LDAP KDC database module, the reference count field is not 9130meaningful. 9131 9132\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:get-policy-end}} 9133 9134\subsubsection{list\_policies} 9135\label{\detokenize{admin/admin_commands/kadmin_local:get-policy-end}}\label{\detokenize{admin/admin_commands/kadmin_local:list-policies}}\label{\detokenize{admin/admin_commands/kadmin_local:id16}}\begin{quote} 9136 9137\sphinxstylestrong{list\_policies} {[}\sphinxstyleemphasis{expression}{]} 9138\end{quote} 9139 9140Retrieves all or some policy names. 
\sphinxstyleemphasis{expression} is a shell-style 9141glob expression that can contain the wild-card characters \sphinxcode{?}, 9142\sphinxcode{*}, and \sphinxcode{{[}{]}}. All policy names matching the expression are 9143printed. If no expression is provided, all existing policy names are 9144printed. 9145 9146This command requires the \sphinxstylestrong{list} privilege. 9147 9148Aliases: \sphinxstylestrong{listpols}, \sphinxstylestrong{get\_policies}, \sphinxstylestrong{getpols}. 9149 9150Examples: 9151 9152\fvset{hllines={, ,}}% 9153\begin{sphinxVerbatim}[commandchars=\\\{\}] 9154\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listpols} 9155\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol} 9156\PYG{n+nb}{dict}\PYG{o}{\PYGZhy{}}\PYG{n}{only} 9157\PYG{n}{once}\PYG{o}{\PYGZhy{}}\PYG{n}{a}\PYG{o}{\PYGZhy{}}\PYG{n+nb}{min} 9158\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw} 9159 9160\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{listpols} \PYG{n}{t}\PYG{o}{*} 9161\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol} 9162\PYG{n}{test}\PYG{o}{\PYGZhy{}}\PYG{n}{pol}\PYG{o}{\PYGZhy{}}\PYG{n}{nopw} 9163\PYG{n}{kadmin}\PYG{p}{:} 9164\end{sphinxVerbatim} 9165\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:list-policies-end}} 9166 9167\subsubsection{ktadd} 9168\label{\detokenize{admin/admin_commands/kadmin_local:ktadd}}\label{\detokenize{admin/admin_commands/kadmin_local:list-policies-end}}\label{\detokenize{admin/admin_commands/kadmin_local:id17}}\begin{quote} 9169 9170\begin{DUlineblock}{0em} 9171\item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstyleemphasis{principal} 9172\item[] \sphinxstylestrong{ktadd} {[}options{]} \sphinxstylestrong{-glob} \sphinxstyleemphasis{princ-exp} 9173\end{DUlineblock} 9174\end{quote} 9175 9176Adds a \sphinxstyleemphasis{principal}, or all principals matching \sphinxstyleemphasis{princ-exp}, to a 9177keytab file. Each principal’s keys are randomized in the process. 
9178The rules for \sphinxstyleemphasis{princ-exp} are described in the \sphinxstylestrong{list\_principals} 9179command. 9180 9181This command requires the \sphinxstylestrong{inquire} and \sphinxstylestrong{changepw} privileges. 9182With the \sphinxstylestrong{-glob} form, it also requires the \sphinxstylestrong{list} privilege. 9183 9184The options are: 9185\begin{description} 9186\item[{\sphinxstylestrong{-k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode 9187Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is 9188used. 9189 9190\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…}] \leavevmode 9191Uses the specified keysalt list for setting the new keys of the 9192principal. See {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{Keysalt lists}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a 9193list of possible values. 9194 9195\item[{\sphinxstylestrong{-q}}] \leavevmode 9196Display less verbose information. 9197 9198\item[{\sphinxstylestrong{-norandkey}}] \leavevmode 9199Do not randomize the keys. The keys and their version numbers stay 9200unchanged. This option cannot be specified in combination with the 9201\sphinxstylestrong{-e} option. 9202 9203\end{description} 9204 9205An entry for each of the principal’s unique encryption types is added, 9206ignoring multiple keys with the same encryption type but different 9207salt types. 
9208 9209Alias: \sphinxstylestrong{xst} 9210 9211Example: 9212 9213\fvset{hllines={, ,}}% 9214\begin{sphinxVerbatim}[commandchars=\\\{\}] 9215\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktadd} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 9216\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} 9217 \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} 9218 \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{foo}\PYG{o}{\PYGZhy{}}\PYG{n}{new}\PYG{o}{\PYGZhy{}}\PYG{n}{keytab} 9219\PYG{n}{kadmin}\PYG{p}{:} 9220\end{sphinxVerbatim} 9221\phantomsection\label{\detokenize{admin/admin_commands/kadmin_local:ktadd-end}} 9222 9223\subsubsection{ktremove} 9224\label{\detokenize{admin/admin_commands/kadmin_local:id18}}\label{\detokenize{admin/admin_commands/kadmin_local:ktremove}}\label{\detokenize{admin/admin_commands/kadmin_local:ktadd-end}}\begin{quote} 9225 9226\sphinxstylestrong{ktremove} {[}options{]} \sphinxstyleemphasis{principal} {[}\sphinxstyleemphasis{kvno} \textbar{} \sphinxstyleemphasis{all} \textbar{} \sphinxstyleemphasis{old}{]} 9227\end{quote} 9228 9229Removes entries for the specified \sphinxstyleemphasis{principal} from a keytab. Requires 9230no permissions, since this does not require database access. 9231 9232If the string “all” is specified, all entries for that principal are 9233removed; if the string “old” is specified, all entries for that 9234principal except those with the highest kvno are removed. 
Otherwise, 9235the value specified is parsed as an integer, and all entries whose 9236kvno match that integer are removed. 9237 9238The options are: 9239\begin{description} 9240\item[{\sphinxstylestrong{-k{[}eytab{]}} \sphinxstyleemphasis{keytab}}] \leavevmode 9241Use \sphinxstyleemphasis{keytab} as the keytab file. Otherwise, the default keytab is 9242used. 9243 9244\item[{\sphinxstylestrong{-q}}] \leavevmode 9245Display less verbose information. 9246 9247\end{description} 9248 9249Alias: \sphinxstylestrong{ktrem} 9250 9251Example: 9252 9253\fvset{hllines={, ,}}% 9254\begin{sphinxVerbatim}[commandchars=\\\{\}] 9255\PYG{n}{kadmin}\PYG{p}{:} \PYG{n}{ktremove} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{n+nb}{all} 9256\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} 9257 \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} 9258\PYG{n}{kadmin}\PYG{p}{:} 9259\end{sphinxVerbatim} 9260 9261 9262\subsubsection{lock} 9263\label{\detokenize{admin/admin_commands/kadmin_local:ktremove-end}}\label{\detokenize{admin/admin_commands/kadmin_local:lock}} 9264Lock database exclusively. Use with extreme caution! This command 9265only works with the DB2 KDC database module. 9266 9267 9268\subsubsection{unlock} 9269\label{\detokenize{admin/admin_commands/kadmin_local:unlock}} 9270Release the exclusive database lock. 9271 9272 9273\subsubsection{list\_requests} 9274\label{\detokenize{admin/admin_commands/kadmin_local:list-requests}} 9275Lists available for kadmin requests. 9276 9277Aliases: \sphinxstylestrong{lr}, \sphinxstylestrong{?} 9278 9279 9280\subsubsection{quit} 9281\label{\detokenize{admin/admin_commands/kadmin_local:quit}} 9282Exit program. If the database was locked, the lock is released. 
9283 9284Aliases: \sphinxstylestrong{exit}, \sphinxstylestrong{q} 9285 9286 9287\subsection{HISTORY} 9288\label{\detokenize{admin/admin_commands/kadmin_local:history}} 9289The kadmin program was originally written by Tom Yu at MIT, as an 9290interface to the OpenVision Kerberos administration program. 9291 9292 9293\subsection{ENVIRONMENT} 9294\label{\detokenize{admin/admin_commands/kadmin_local:environment}} 9295See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 9296variables. 9297 9298 9299\subsection{SEE ALSO} 9300\label{\detokenize{admin/admin_commands/kadmin_local:see-also}} 9301\DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 9302 9303 9304\section{kadmind} 9305\label{\detokenize{admin/admin_commands/kadmind:kadmind-8}}\label{\detokenize{admin/admin_commands/kadmind:kadmind}}\label{\detokenize{admin/admin_commands/kadmind::doc}} 9306 9307\subsection{SYNOPSIS} 9308\label{\detokenize{admin/admin_commands/kadmind:synopsis}} 9309\sphinxstylestrong{kadmind} 9310{[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]} 9311{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 9312{[}\sphinxstylestrong{-m}{]} 9313{[}\sphinxstylestrong{-nofork}{]} 9314{[}\sphinxstylestrong{-proponly}{]} 9315{[}\sphinxstylestrong{-port} \sphinxstyleemphasis{port-number}{]} 9316{[}\sphinxstylestrong{-P} \sphinxstyleemphasis{pid\_file}{]} 9317{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{kdb5\_util\_path}{]} 9318{[}\sphinxstylestrong{-K} \sphinxstyleemphasis{kprop\_path}{]} 9319{[}\sphinxstylestrong{-k} \sphinxstyleemphasis{kprop\_port}{]} 9320{[}\sphinxstylestrong{-F} \sphinxstyleemphasis{dump\_file}{]} 9321 9322 9323\subsection{DESCRIPTION} 9324\label{\detokenize{admin/admin_commands/kadmind:description}} 9325kadmind starts the Kerberos administration server. 
kadmind typically 9326runs on the primary Kerberos server, which stores the KDC database. 9327If the KDC database uses the LDAP module, the administration server 9328and the KDC server need not run on the same machine. kadmind accepts 9329remote requests from programs such as {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} and 9330\DUrole{xref,std,std-ref}{kpasswd(1)} to administer the information in these database. 9331 9332kadmind requires a number of configuration files to be set up in order 9333for it to work: 9334\begin{description} 9335\item[{{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}}] \leavevmode 9336The KDC configuration file contains configuration information for 9337the KDC and admin servers. kadmind uses settings in this file to 9338locate the Kerberos database, and is also affected by the 9339\sphinxstylestrong{acl\_file}, \sphinxstylestrong{dict\_file}, \sphinxstylestrong{kadmind\_port}, and iprop-related 9340settings. 9341 9342\item[{{\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}}] \leavevmode 9343kadmind’s ACL (access control list) tells it which principals are 9344allowed to perform administration actions. The pathname to the 9345ACL file can be specified with the \sphinxstylestrong{acl\_file} {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} 9346variable; by default, it is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl}. 9347 9348\end{description} 9349 9350After the server begins running, it puts itself in the background and 9351disassociates itself from its controlling terminal. 9352 9353kadmind can be configured for incremental database propagation. 
9354Incremental propagation allows replica KDC servers to receive 9355principal and policy updates incrementally instead of receiving full 9356dumps of the database. This facility can be enabled in the 9357{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file with the \sphinxstylestrong{iprop\_enable} option. Incremental 9358propagation requires the principal \sphinxcode{kiprop/PRIMARY\textbackslash{}@REALM} (where 9359PRIMARY is the primary KDC’s canonical host name, and REALM the realm 9360name). In release 1.13, this principal is automatically created and 9361registered into the datebase. 9362 9363 9364\subsection{OPTIONS} 9365\label{\detokenize{admin/admin_commands/kadmind:options}}\begin{description} 9366\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 9367specifies the realm that kadmind will serve; if it is not 9368specified, the default realm of the host is used. 9369 9370\item[{\sphinxstylestrong{-m}}] \leavevmode 9371causes the master database password to be fetched from the 9372keyboard (before the server puts itself in the background, if not 9373invoked with the \sphinxstylestrong{-nofork} option) rather than from a file on 9374disk. 9375 9376\item[{\sphinxstylestrong{-nofork}}] \leavevmode 9377causes the server to remain in the foreground and remain 9378associated to the terminal. 9379 9380\item[{\sphinxstylestrong{-proponly}}] \leavevmode 9381causes the server to only listen and respond to Kerberos replica 9382incremental propagation polling requests. This option can be used 9383to set up a hierarchical propagation topology where a replica KDC 9384provides incremental updates to other Kerberos replicas. 9385 9386\item[{\sphinxstylestrong{-port} \sphinxstyleemphasis{port-number}}] \leavevmode 9387specifies the port on which the administration server listens for 9388connections. 
The default port is determined by the 9389\sphinxstylestrong{kadmind\_port} configuration variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 9390 9391\item[{\sphinxstylestrong{-P} \sphinxstyleemphasis{pid\_file}}] \leavevmode 9392specifies the file to which the PID of kadmind process should be 9393written after it starts up. This file can be used to identify 9394whether kadmind is still running and to allow init scripts to stop 9395the correct process. 9396 9397\item[{\sphinxstylestrong{-p} \sphinxstyleemphasis{kdb5\_util\_path}}] \leavevmode 9398specifies the path to the kdb5\_util command to use when dumping the 9399KDB in response to full resync requests when iprop is enabled. 9400 9401\item[{\sphinxstylestrong{-K} \sphinxstyleemphasis{kprop\_path}}] \leavevmode 9402specifies the path to the kprop command to use to send full dumps 9403to replicas in response to full resync requests. 9404 9405\item[{\sphinxstylestrong{-k} \sphinxstyleemphasis{kprop\_port}}] \leavevmode 9406specifies the port by which the kprop process that is spawned by 9407kadmind connects to the replica kpropd, in order to transfer the 9408dump file during an iprop full resync request. 9409 9410\item[{\sphinxstylestrong{-F} \sphinxstyleemphasis{dump\_file}}] \leavevmode 9411specifies the file path to be used for dumping the KDB in response 9412to full resync requests when iprop is enabled. 9413 9414\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode 9415specifies database-specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. 
9416 9417\end{description} 9418 9419 9420\subsection{ENVIRONMENT} 9421\label{\detokenize{admin/admin_commands/kadmind:environment}} 9422See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 9423variables. 9424 9425 9426\subsection{SEE ALSO} 9427\label{\detokenize{admin/admin_commands/kadmind:see-also}} 9428\DUrole{xref,std,std-ref}{kpasswd(1)}, {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, 9429{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 9430 9431 9432\section{kdb5\_util} 9433\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}}\label{\detokenize{admin/admin_commands/kdb5_util::doc}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util}} 9434 9435\subsection{SYNOPSIS} 9436\label{\detokenize{admin/admin_commands/kdb5_util:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-synopsis}} 9437\sphinxstylestrong{kdb5\_util} 9438{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 9439{[}\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}{]} 9440{[}\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}{]} 9441{[}\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}{]} 9442{[}\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}{]} 9443{[}\sphinxstylestrong{-m}{]} 9444{[}\sphinxstylestrong{-sf} \sphinxstyleemphasis{stashfilename}{]} 9445{[}\sphinxstylestrong{-P} \sphinxstyleemphasis{password}{]} 9446{[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]} 9447\sphinxstyleemphasis{command} {[}\sphinxstyleemphasis{command\_options}{]} 9448 9449 
9450\subsection{DESCRIPTION} 9451\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-synopsis-end}}\label{\detokenize{admin/admin_commands/kdb5_util:description}} 9452kdb5\_util allows an administrator to perform maintenance procedures on 9453the KDC database. Databases can be created, destroyed, and dumped to 9454or loaded from ASCII files. kdb5\_util can create a Kerberos master 9455key stash file or perform live rollover of the master key. 9456 9457When kdb5\_util is run, it attempts to acquire the master key and open 9458the database. However, execution continues regardless of whether or 9459not kdb5\_util successfully opens the database, because the database 9460may not exist yet or the stash file may be corrupt. 9461 9462Note that some KDC database modules may not support all kdb5\_util 9463commands. 9464 9465 9466\subsection{COMMAND-LINE OPTIONS} 9467\label{\detokenize{admin/admin_commands/kdb5_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options}}\begin{description} 9468\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 9469specifies the Kerberos realm of the database. 9470 9471\item[{\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}}] \leavevmode 9472specifies the name under which the principal database is stored; 9473by default the database is that listed in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. The 9474password policy database and lock files are also derived from this 9475value. 9476 9477\item[{\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}}] \leavevmode 9478specifies the key type of the master key in the database. The 9479default is given by the \sphinxstylestrong{master\_key\_type} variable in 9480{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 
9481 9482\item[{\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode 9483Specifies the version number of the master key in the database; 9484the default is 1. Note that 0 is not allowed. 9485 9486\item[{\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}}] \leavevmode 9487principal name for the master key in the database. If not 9488specified, the name is determined by the \sphinxstylestrong{master\_key\_name} 9489variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 9490 9491\item[{\sphinxstylestrong{-m}}] \leavevmode 9492specifies that the master database password should be read from 9493the keyboard rather than fetched from a file on disk. 9494 9495\item[{\sphinxstylestrong{-sf} \sphinxstyleemphasis{stash\_file}}] \leavevmode 9496specifies the stash filename of the master database password. If 9497not specified, the filename is determined by the 9498\sphinxstylestrong{key\_stash\_file} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 9499 9500\item[{\sphinxstylestrong{-P} \sphinxstyleemphasis{password}}] \leavevmode 9501specifies the master database password. Using this option may 9502expose the password to other users on the system via the process 9503list. 9504 9505\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode 9506specifies database-specific options. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for 9507supported options. 
9508 9509\end{description} 9510 9511 9512\subsection{COMMANDS} 9513\label{\detokenize{admin/admin_commands/kdb5_util:commands}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-options-end}} 9514 9515\subsubsection{create} 9516\label{\detokenize{admin/admin_commands/kdb5_util:create}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-create}}\begin{quote} 9517 9518\sphinxstylestrong{create} {[}\sphinxstylestrong{-s}{]} 9519\end{quote} 9520 9521Creates a new database. If the \sphinxstylestrong{-s} option is specified, the stash 9522file is also created. This command fails if the database already 9523exists. If the command is successful, the database is opened just as 9524if it had already existed when the program was first run. 9525 9526 9527\subsubsection{destroy} 9528\label{\detokenize{admin/admin_commands/kdb5_util:destroy}}\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-create-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-destroy}}\begin{quote} 9529 9530\sphinxstylestrong{destroy} {[}\sphinxstylestrong{-f}{]} 9531\end{quote} 9532 9533Destroys the database, first overwriting the disk sectors and then 9534unlinking the files, after prompting the user for confirmation. With 9535the \sphinxstylestrong{-f} argument, does not prompt the user. 9536 9537 9538\subsubsection{stash} 9539\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-destroy-end}}\label{\detokenize{admin/admin_commands/kdb5_util:stash}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-stash}}\begin{quote} 9540 9541\sphinxstylestrong{stash} {[}\sphinxstylestrong{-f} \sphinxstyleemphasis{keyfile}{]} 9542\end{quote} 9543 9544Stores the master principal’s keys in a stash file. 
The \sphinxstylestrong{-f} 9545argument can be used to override the \sphinxstyleemphasis{keyfile} specified in 9546{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 9547 9548 9549\subsubsection{dump} 9550\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-stash-end}}\label{\detokenize{admin/admin_commands/kdb5_util:dump}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-dump}}\begin{quote} 9551 9552\sphinxstylestrong{dump} {[}\sphinxstylestrong{-b7}\textbar{}\sphinxstylestrong{-r13}\textbar{}\sphinxstylestrong{-r18}{]} 9553{[}\sphinxstylestrong{-verbose}{]} {[}\sphinxstylestrong{-mkey\_convert}{]} {[}\sphinxstylestrong{-new\_mkey\_file} 9554\sphinxstyleemphasis{mkey\_file}{]} {[}\sphinxstylestrong{-rev}{]} {[}\sphinxstylestrong{-recurse}{]} {[}\sphinxstyleemphasis(unknown) 9555{[}\sphinxstyleemphasis{principals}…{]}{]} 9556\end{quote} 9557 9558Dumps the current Kerberos and KADM5 database into an ASCII file. By 9559default, the database is dumped in current format, “kdb5\_util 9560load\_dump version 7”. If filename is not specified, or is the string 9561“-“, the dump is sent to standard output. Options: 9562\begin{description} 9563\item[{\sphinxstylestrong{-b7}}] \leavevmode 9564causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5\_util 9565load\_dump version 4”). This was the dump format produced on 9566releases prior to 1.2.2. 9567 9568\item[{\sphinxstylestrong{-r13}}] \leavevmode 9569causes the dump to be in the Kerberos 5 1.3 format (“kdb5\_util 9570load\_dump version 5”). This was the dump format produced on 9571releases prior to 1.8. 9572 9573\item[{\sphinxstylestrong{-r18}}] \leavevmode 9574causes the dump to be in the Kerberos 5 1.8 format (“kdb5\_util 9575load\_dump version 6”). This was the dump format produced on 9576releases prior to 1.11. 
9577 9578\item[{\sphinxstylestrong{-verbose}}] \leavevmode 9579causes the name of each principal and policy to be printed as it 9580is dumped. 9581 9582\item[{\sphinxstylestrong{-mkey\_convert}}] \leavevmode 9583prompts for a new master key. This new master key will be used to 9584re-encrypt principal key data in the dumpfile. The principal keys 9585themselves will not be changed. 9586 9587\item[{\sphinxstylestrong{-new\_mkey\_file} \sphinxstyleemphasis{mkey\_file}}] \leavevmode 9588the filename of a stash file. The master key in this stash file 9589will be used to re-encrypt the key data in the dumpfile. The key 9590data in the database will not be changed. 9591 9592\item[{\sphinxstylestrong{-rev}}] \leavevmode 9593dumps in reverse order. This may recover principals that do not 9594dump normally, in cases where database corruption has occurred. 9595 9596\item[{\sphinxstylestrong{-recurse}}] \leavevmode 9597causes the dump to walk the database recursively (btree only). 9598This may recover principals that do not dump normally, in cases 9599where database corruption has occurred. In cases of such 9600corruption, this option will probably retrieve more principals 9601than the \sphinxstylestrong{-rev} option will. 9602 9603\DUrole{versionmodified}{Changed in version 1.15: }Release 1.15 restored the functionality of the \sphinxstylestrong{-recurse} 9604option. 9605 9606\DUrole{versionmodified}{Changed in version 1.5: }The \sphinxstylestrong{-recurse} option ceased working until release 1.15, 9607doing a normal dump instead of a recursive traversal. 
9608 9609\end{description} 9610 9611 9612\subsubsection{load} 9613\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-dump-end}}\label{\detokenize{admin/admin_commands/kdb5_util:load}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-load}}\begin{quote} 9614 9615\sphinxstylestrong{load} {[}\sphinxstylestrong{-b7}\textbar{}\sphinxstylestrong{-r13}\textbar{}\sphinxstylestrong{-r18}{]} {[}\sphinxstylestrong{-hash}{]} 9616{[}\sphinxstylestrong{-verbose}{]} {[}\sphinxstylestrong{-update}{]} \sphinxstyleemphasis{filename} 9617\end{quote} 9618 9619Loads a database dump from the named file into the named database. If 9620no option is given to determine the format of the dump file, the 9621format is detected automatically and handled as appropriate. Unless 9622the \sphinxstylestrong{-update} option is given, \sphinxstylestrong{load} creates a new database 9623containing only the data in the dump file, overwriting the contents of 9624any previously existing database. Note that when using the LDAP KDC 9625database module, the \sphinxstylestrong{-update} flag is required. 9626 9627Options: 9628\begin{description} 9629\item[{\sphinxstylestrong{-b7}}] \leavevmode 9630requires the database to be in the Kerberos 5 Beta 7 format 9631(“kdb5\_util load\_dump version 4”). This was the dump format 9632produced on releases prior to 1.2.2. 9633 9634\item[{\sphinxstylestrong{-r13}}] \leavevmode 9635requires the database to be in Kerberos 5 1.3 format (“kdb5\_util 9636load\_dump version 5”). This was the dump format produced on 9637releases prior to 1.8. 9638 9639\item[{\sphinxstylestrong{-r18}}] \leavevmode 9640requires the database to be in Kerberos 5 1.8 format (“kdb5\_util 9641load\_dump version 6”). This was the dump format produced on 9642releases prior to 1.11. 9643 9644\item[{\sphinxstylestrong{-hash}}] \leavevmode 9645stores the database in hash format, if using the DB2 database 9646type.
If this option is not specified, the database will be 9647stored in btree format. This option is not recommended, as 9648databases stored in hash format are known to corrupt data and lose 9649principals. 9650 9651\item[{\sphinxstylestrong{-verbose}}] \leavevmode 9652causes the name of each principal and policy to be printed as it 9653is dumped. 9654 9655\item[{\sphinxstylestrong{-update}}] \leavevmode 9656records from the dump file are added to or updated in the existing 9657database. Otherwise, a new database is created containing only 9658what is in the dump file and the old one destroyed upon successful 9659completion. 9660 9661\end{description} 9662 9663 9664\subsubsection{ark} 9665\label{\detokenize{admin/admin_commands/kdb5_util:kdb5-util-load-end}}\label{\detokenize{admin/admin_commands/kdb5_util:ark}}\begin{quote} 9666 9667\sphinxstylestrong{ark} {[}\sphinxstylestrong{-e} \sphinxstyleemphasis{enc}:\sphinxstyleemphasis{salt},…{]} \sphinxstyleemphasis{principal} 9668\end{quote} 9669 9670Adds new random keys to \sphinxstyleemphasis{principal} at the next available key version 9671number. Keys for the current highest key version number will be 9672preserved. The \sphinxstylestrong{-e} option specifies the list of encryption and 9673salt types to be used for the new keys. 9674 9675 9676\subsubsection{add\_mkey} 9677\label{\detokenize{admin/admin_commands/kdb5_util:add-mkey}}\begin{quote} 9678 9679\sphinxstylestrong{add\_mkey} {[}\sphinxstylestrong{-e} \sphinxstyleemphasis{etype}{]} {[}\sphinxstylestrong{-s}{]} 9680\end{quote} 9681 9682Adds a new master key to the master key principal, but does not mark 9683it as active. Existing master keys will remain. 
The \sphinxstylestrong{-e} option 9684specifies the encryption type of the new master key; see 9685{\hyperref[\detokenize{admin/conf_files/kdc_conf:encryption-types}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} for a list of possible 9686values. The \sphinxstylestrong{-s} option stashes the new master key in the stash 9687file, which will be created if it doesn’t already exist. 9688 9689After a new master key is added, it should be propagated to replica 9690servers via a manual or periodic invocation of {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}. Then, 9691the stash files on the replica servers should be updated with the 9692kdb5\_util \sphinxstylestrong{stash} command. Once those steps are complete, the key 9693is ready to be marked active with the kdb5\_util \sphinxstylestrong{use\_mkey} command. 9694 9695 9696\subsubsection{use\_mkey} 9697\label{\detokenize{admin/admin_commands/kdb5_util:use-mkey}}\begin{quote} 9698 9699\sphinxstylestrong{use\_mkey} \sphinxstyleemphasis{mkeyVNO} {[}\sphinxstyleemphasis{time}{]} 9700\end{quote} 9701 9702Sets the activation time of the master key specified by \sphinxstyleemphasis{mkeyVNO}. 9703Once a master key becomes active, it will be used to encrypt newly 9704created principal keys. If no \sphinxstyleemphasis{time} argument is given, the current 9705time is used, causing the specified master key version to become 9706active immediately. The format for \sphinxstyleemphasis{time} is \DUrole{xref,std,std-ref}{getdate} string. 9707 9708After a new master key becomes active, the kdb5\_util 9709\sphinxstylestrong{update\_princ\_encryption} command can be used to update all 9710principal keys to be encrypted in the new master key. 
9711 9712 9713\subsubsection{list\_mkeys} 9714\label{\detokenize{admin/admin_commands/kdb5_util:list-mkeys}}\begin{quote} 9715 9716\sphinxstylestrong{list\_mkeys} 9717\end{quote} 9718 9719List all master keys, from most recent to earliest, in the master key 9720principal. The output will show the kvno, enctype, and salt type for 9721each mkey, similar to the output of {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} \sphinxstylestrong{getprinc}. A 9722\sphinxcode{*} following an mkey denotes the currently active master key. 9723 9724 9725\subsubsection{purge\_mkeys} 9726\label{\detokenize{admin/admin_commands/kdb5_util:purge-mkeys}}\begin{quote} 9727 9728\sphinxstylestrong{purge\_mkeys} {[}\sphinxstylestrong{-f}{]} {[}\sphinxstylestrong{-n}{]} {[}\sphinxstylestrong{-v}{]} 9729\end{quote} 9730 9731Delete master keys from the master key principal that are not used to 9732protect any principals. This command can be used to remove old master 9733keys once all principal keys are protected by a newer master key. 9734\begin{description} 9735\item[{\sphinxstylestrong{-f}}] \leavevmode 9736does not prompt for confirmation. 9737 9738\item[{\sphinxstylestrong{-n}}] \leavevmode 9739performs a dry run, showing master keys that would be purged, but 9740not actually purging any keys. 9741 9742\item[{\sphinxstylestrong{-v}}] \leavevmode 9743gives more verbose output.
9744 9745\end{description} 9746 9747 9748\subsubsection{update\_princ\_encryption} 9749\label{\detokenize{admin/admin_commands/kdb5_util:update-princ-encryption}}\begin{quote} 9750 9751\sphinxstylestrong{update\_princ\_encryption} {[}\sphinxstylestrong{-f}{]} {[}\sphinxstylestrong{-n}{]} {[}\sphinxstylestrong{-v}{]} 9752{[}\sphinxstyleemphasis{princ-pattern}{]} 9753\end{quote} 9754 9755Update all principal records (or only those matching the 9756\sphinxstyleemphasis{princ-pattern} glob pattern) to re-encrypt the key data using the 9757active database master key, if they are encrypted using a different 9758version, and give a count at the end of the number of principals 9759updated. If the \sphinxstylestrong{-f} option is not given, ask for confirmation 9760before starting to make changes. The \sphinxstylestrong{-v} option causes each 9761principal processed to be listed, with an indication as to whether it 9762needed updating or not. The \sphinxstylestrong{-n} option performs a dry run, only 9763showing the actions which would have been taken. 9764 9765 9766\subsubsection{tabdump} 9767\label{\detokenize{admin/admin_commands/kdb5_util:tabdump}}\begin{quote} 9768 9769\sphinxstylestrong{tabdump} {[}\sphinxstylestrong{-H}{]} {[}\sphinxstylestrong{-c}{]} {[}\sphinxstylestrong{-e}{]} {[}\sphinxstylestrong{-n}{]} {[}\sphinxstylestrong{-o} \sphinxstyleemphasis{outfile}{]} 9770\sphinxstyleemphasis{dumptype} 9771\end{quote} 9772 9773Dump selected fields of the database in a tabular format suitable for 9774reporting (e.g., using traditional Unix text processing tools) or 9775importing into relational databases. The data format is tab-separated 9776(default), or optionally comma-separated (CSV), with a fixed number of 9777columns. The output begins with a header line containing field names, 9778unless suppression is requested using the \sphinxstylestrong{-H} option. 9779 9780The \sphinxstyleemphasis{dumptype} parameter specifies the name of an output table (see 9781below). 
9782 9783Options: 9784\begin{description} 9785\item[{\sphinxstylestrong{-H}}] \leavevmode 9786suppress writing the field names in a header line 9787 9788\item[{\sphinxstylestrong{-c}}] \leavevmode 9789use comma separated values (CSV) format, with minimal quoting, 9790instead of the default tab-separated (unquoted, unescaped) format 9791 9792\item[{\sphinxstylestrong{-e}}] \leavevmode 9793write empty hexadecimal string fields as empty fields instead of 9794as “-1”. 9795 9796\item[{\sphinxstylestrong{-n}}] \leavevmode 9797produce numeric output for fields that normally have symbolic 9798output, such as enctypes and flag names. Also requests output of 9799time stamps as decimal POSIX time\_t values. 9800 9801\item[{\sphinxstylestrong{-o} \sphinxstyleemphasis{outfile}}] \leavevmode 9802write the dump to the specified output file instead of to standard 9803output 9804 9805\end{description} 9806 9807Dump types: 9808\begin{description} 9809\item[{\sphinxstylestrong{keydata}}] \leavevmode 9810principal encryption key information, including actual key data 9811(which is still encrypted in the master key) 9812\begin{description} 9813\item[{\sphinxstylestrong{name}}] \leavevmode 9814principal name 9815 9816\item[{\sphinxstylestrong{keyindex}}] \leavevmode 9817index of this key in the principal’s key list 9818 9819\item[{\sphinxstylestrong{kvno}}] \leavevmode 9820key version number 9821 9822\item[{\sphinxstylestrong{enctype}}] \leavevmode 9823encryption type 9824 9825\item[{\sphinxstylestrong{key}}] \leavevmode 9826key data as a hexadecimal string 9827 9828\item[{\sphinxstylestrong{salttype}}] \leavevmode 9829salt type 9830 9831\item[{\sphinxstylestrong{salt}}] \leavevmode 9832salt data as a hexadecimal string 9833 9834\end{description} 9835 9836\item[{\sphinxstylestrong{keyinfo}}] \leavevmode 9837principal encryption key information (as in \sphinxstylestrong{keydata} above), 9838excluding actual key data 9839 9840\item[{\sphinxstylestrong{princ\_flags}}] \leavevmode 
9841principal boolean attributes. Flag names print as hexadecimal 9842numbers if the \sphinxstylestrong{-n} option is specified, and all flag positions 9843are printed regardless of whether or not they are set. If \sphinxstylestrong{-n} 9844is not specified, print all known flag names for each principal, 9845but only print hexadecimal flag names if the corresponding flag is 9846set. 9847\begin{description} 9848\item[{\sphinxstylestrong{name}}] \leavevmode 9849principal name 9850 9851\item[{\sphinxstylestrong{flag}}] \leavevmode 9852flag name 9853 9854\item[{\sphinxstylestrong{value}}] \leavevmode 9855boolean value (0 for clear, or 1 for set) 9856 9857\end{description} 9858 9859\item[{\sphinxstylestrong{princ\_lockout}}] \leavevmode 9860state information used for tracking repeated password failures 9861\begin{description} 9862\item[{\sphinxstylestrong{name}}] \leavevmode 9863principal name 9864 9865\item[{\sphinxstylestrong{last\_success}}] \leavevmode 9866time stamp of most recent successful authentication 9867 9868\item[{\sphinxstylestrong{last\_failed}}] \leavevmode 9869time stamp of most recent failed authentication 9870 9871\item[{\sphinxstylestrong{fail\_count}}] \leavevmode 9872count of failed attempts 9873 9874\end{description} 9875 9876\item[{\sphinxstylestrong{princ\_meta}}] \leavevmode 9877principal metadata 9878\begin{description} 9879\item[{\sphinxstylestrong{name}}] \leavevmode 9880principal name 9881 9882\item[{\sphinxstylestrong{modby}}] \leavevmode 9883name of last principal to modify this principal 9884 9885\item[{\sphinxstylestrong{modtime}}] \leavevmode 9886timestamp of last modification 9887 9888\item[{\sphinxstylestrong{lastpwd}}] \leavevmode 9889timestamp of last password change 9890 9891\item[{\sphinxstylestrong{policy}}] \leavevmode 9892policy object name 9893 9894\item[{\sphinxstylestrong{mkvno}}] \leavevmode 9895key version number of the master key that encrypts this 9896principal’s key data 9897 9898\item[{\sphinxstylestrong{hist\_kvno}}] 
\leavevmode 9899key version number of the history key that encrypts the key 9900history data for this principal 9901 9902\end{description} 9903 9904\item[{\sphinxstylestrong{princ\_stringattrs}}] \leavevmode 9905string attributes (key/value pairs) 9906\begin{description} 9907\item[{\sphinxstylestrong{name}}] \leavevmode 9908principal name 9909 9910\item[{\sphinxstylestrong{key}}] \leavevmode 9911attribute name 9912 9913\item[{\sphinxstylestrong{value}}] \leavevmode 9914attribute value 9915 9916\end{description} 9917 9918\item[{\sphinxstylestrong{princ\_tktpolicy}}] \leavevmode 9919per-principal ticket policy data, including maximum ticket 9920lifetimes 9921\begin{description} 9922\item[{\sphinxstylestrong{name}}] \leavevmode 9923principal name 9924 9925\item[{\sphinxstylestrong{expiration}}] \leavevmode 9926principal expiration date 9927 9928\item[{\sphinxstylestrong{pw\_expiration}}] \leavevmode 9929password expiration date 9930 9931\item[{\sphinxstylestrong{max\_life}}] \leavevmode 9932maximum ticket lifetime 9933 9934\item[{\sphinxstylestrong{max\_renew\_life}}] \leavevmode 9935maximum renewable ticket lifetime 9936 9937\end{description} 9938 9939\end{description} 9940 9941Examples: 9942 9943\fvset{hllines={, ,}}% 9944\begin{sphinxVerbatim}[commandchars=\\\{\}] 9945\PYGZdl{} kdb5\PYGZus{}util tabdump \PYGZhy{}o keyinfo.txt keyinfo 9946\PYGZdl{} cat keyinfo.txt 9947name keyindex kvno enctype salttype salt 9948K/M@EXAMPLE.COM 0 1 aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192 normal \PYGZhy{}1 9949foo@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 9950bar@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 9951\PYGZdl{} sqlite3 9952sqlite\PYGZgt{} .mode tabs 9953sqlite\PYGZgt{} .import keyinfo.txt keyinfo 9954sqlite\PYGZgt{} select * from keyinfo where enctype like \PYGZsq{}aes256\PYGZhy{}\PYGZpc{}\PYGZsq{}; 9955K/M@EXAMPLE.COM 1 1 
aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192 normal \PYGZhy{}1 9956sqlite\PYGZgt{} .quit 9957\PYGZdl{} awk \PYGZhy{}F\PYGZsq{}\PYGZbs{}t\PYGZsq{} \PYGZsq{}\PYGZdl{}4 \PYGZti{} /aes256\PYGZhy{}/ \PYGZob{} print \PYGZcb{}\PYGZsq{} keyinfo.txt 9958K/M@EXAMPLE.COM 1 1 aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha384\PYGZhy{}192 normal \PYGZhy{}1 9959\end{sphinxVerbatim} 9960 9961 9962\subsection{ENVIRONMENT} 9963\label{\detokenize{admin/admin_commands/kdb5_util:environment}} 9964See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 9965variables. 9966 9967 9968\subsection{SEE ALSO} 9969\label{\detokenize{admin/admin_commands/kdb5_util:see-also}} 9970{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 9971 9972 9973\section{kdb5\_ldap\_util} 9974\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util::doc}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util}} 9975 9976\subsection{SYNOPSIS} 9977\label{\detokenize{admin/admin_commands/kdb5_ldap_util:synopsis}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis}} 9978\sphinxstylestrong{kdb5\_ldap\_util} 9979{[}\sphinxstylestrong{-D} \sphinxstyleemphasis{user\_dn} {[}\sphinxstylestrong{-w} \sphinxstyleemphasis{passwd}{]}{]} 9980{[}\sphinxstylestrong{-H} \sphinxstyleemphasis{ldapuri}{]} 9981\sphinxstylestrong{command} 9982{[}\sphinxstyleemphasis{command\_options}{]} 9983 9984 9985\subsection{DESCRIPTION} 9986\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis-end}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:description}} 9987kdb5\_ldap\_util allows an administrator to manage realms, Kerberos 9988services and ticket policies. 
9989 9990 9991\subsection{COMMAND-LINE OPTIONS} 9992\label{\detokenize{admin/admin_commands/kdb5_ldap_util:command-line-options}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options}}\begin{description} 9993\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 9994Specifies the realm to be operated on. 9995 9996\item[{\sphinxstylestrong{-D} \sphinxstyleemphasis{user\_dn}}] \leavevmode 9997Specifies the Distinguished Name (DN) of the user who has 9998sufficient rights to perform the operation on the LDAP server. 9999 10000\item[{\sphinxstylestrong{-w} \sphinxstyleemphasis{passwd}}] \leavevmode 10001Specifies the password of \sphinxstyleemphasis{user\_dn}. This option is not 10002recommended, because a password given on the command line can be exposed to other users through process listings and shell history; omit it to be prompted instead. 10003 10004\item[{\sphinxstylestrong{-H} \sphinxstyleemphasis{ldapuri}}] \leavevmode 10005Specifies the URI of the LDAP server. 10006 10007\end{description} 10008 10009By default, kdb5\_ldap\_util operates on the default realm (as specified 10010in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) and connects and authenticates to the LDAP 10011server in the same manner as {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} would, given the 10012parameters in {\hyperref[\detokenize{admin/conf_files/kdc_conf:dbdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}dbdefaults{]}}}}} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}.
10013 10014 10015\subsection{COMMANDS} 10016\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options-end}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:commands}} 10017 10018\subsubsection{create} 10019\label{\detokenize{admin/admin_commands/kdb5_ldap_util:create}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create}}\begin{quote} 10020 10021\sphinxstylestrong{create} 10022{[}\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]} 10023{[}\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}{]} 10024{[}\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}{]} 10025{[}\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}{]} 10026{[}\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}{]} 10027{[}\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}{]} 10028{[}\sphinxstylestrong{-m\textbar{}-P} \sphinxstyleemphasis{password}\textbar{}\sphinxstylestrong{-sf} \sphinxstyleemphasis{stashfilename}{]} 10029{[}\sphinxstylestrong{-s}{]} 10030{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 10031{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 10032{[}\sphinxstyleemphasis{ticket\_flags}{]} 10033\end{quote} 10034 10035Creates a realm in the directory. Options: 10036\begin{description} 10037\item[{\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode 10038Specifies the list of subtrees containing the principals of a 10039realm. The list contains the DNs of the subtree objects separated 10040by colon (\sphinxcode{:}). 10041 10042\item[{\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode 10043Specifies the scope for searching the principals under the 10044subtree. The possible values are 1 or one (one level), 2 or sub 10045(subtrees).
10046 10047\item[{\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}}] \leavevmode 10048Specifies the DN of the container object in which the principals 10049of a realm will be created. If the container reference is not 10050configured for a realm, the principals will be created in the 10051realm container. 10052 10053\item[{\sphinxstylestrong{-k} \sphinxstyleemphasis{mkeytype}}] \leavevmode 10054Specifies the key type of the master key in the database. The 10055default is given by the \sphinxstylestrong{master\_key\_type} variable in 10056{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 10057 10058\item[{\sphinxstylestrong{-kv} \sphinxstyleemphasis{mkeyVNO}}] \leavevmode 10059Specifies the version number of the master key in the database; 10060the default is 1. Note that 0 is not allowed. 10061 10062\item[{\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}}] \leavevmode 10063Specifies the principal name for the master key in the database. 10064If not specified, the name is determined by the 10065\sphinxstylestrong{master\_key\_name} variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. 10066 10067\item[{\sphinxstylestrong{-m}}] \leavevmode 10068Specifies that the master database password should be read from 10069the TTY rather than fetched from a file on the disk. 10070 10071\item[{\sphinxstylestrong{-P} \sphinxstyleemphasis{password}}] \leavevmode 10072Specifies the master database password. This option is not 10073recommended, because a password given on the command line can be exposed to other users through process listings and shell history; prefer \sphinxstylestrong{-m} or \sphinxstylestrong{-sf}. 10074 10075\item[{\sphinxstylestrong{-sf} \sphinxstyleemphasis{stashfilename}}] \leavevmode 10076Specifies the stash file of the master database password. 10077 10078\item[{\sphinxstylestrong{-s}}] \leavevmode 10079Specifies that the stash file is to be created.
10080 10081\item[{\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode 10082(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for 10083principals in this realm. 10084 10085\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode 10086(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of 10087tickets for principals in this realm. 10088 10089\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode 10090Specifies global ticket flags for the realm. Allowable flags are 10091documented in the description of the \sphinxstylestrong{add\_principal} command in 10092{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 10093 10094\end{description} 10095 10096Example: 10097 10098\fvset{hllines={, ,}}% 10099\begin{sphinxVerbatim}[commandchars=\\\{\}] 10100\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 10101 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create} \PYG{o}{\PYGZhy{}}\PYG{n}{subtrees} \PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{sscope} \PYG{n}{SUB} 10102\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10103\PYG{n}{Initializing} \PYG{n}{database} \PYG{k}{for} \PYG{n}{realm} \PYG{l+s+s1}{\PYGZsq{}}\PYG{l+s+s1}{ATHENA.MIT.EDU}\PYG{l+s+s1}{\PYGZsq{}} 10104\PYG{n}{You} \PYG{n}{will} \PYG{n}{be} \PYG{n}{prompted} \PYG{k}{for} \PYG{n}{the} \PYG{n}{database} \PYG{n}{Master} \PYG{n}{Password}\PYG{o}{.} 10105\PYG{n}{It} \PYG{o+ow}{is} \PYG{n}{important} \PYG{n}{that} \PYG{n}{you} \PYG{n}{NOT} 
\PYG{n}{FORGET} \PYG{n}{this} \PYG{n}{password}\PYG{o}{.} 10106\PYG{n}{Enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key}\PYG{p}{:} 10107\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{KDC} \PYG{n}{database} \PYG{n}{master} \PYG{n}{key} \PYG{n}{to} \PYG{n}{verify}\PYG{p}{:} 10108\end{sphinxVerbatim} 10109 10110 10111\subsubsection{modify} 10112\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-end}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:modify}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify}}\begin{quote} 10113 10114\sphinxstylestrong{modify} 10115{[}\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}{]} 10116{[}\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}{]} 10117{[}\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}{]} 10118{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 10119{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 10120{[}\sphinxstyleemphasis{ticket\_flags}{]} 10121\end{quote} 10122 10123Modifies the attributes of a realm. Options: 10124\begin{description} 10125\item[{\sphinxstylestrong{-subtrees} \sphinxstyleemphasis{subtree\_dn\_list}}] \leavevmode 10126Specifies the list of subtrees containing the principals of a 10127realm. The list contains the DNs of the subtree objects separated 10128by colon (\sphinxcode{:}). This list replaces the existing list. 10129 10130\item[{\sphinxstylestrong{-sscope} \sphinxstyleemphasis{search\_scope}}] \leavevmode 10131Specifies the scope for searching the principals under the 10132subtrees. The possible values are 1 or one (one level), 2 or sub 10133(subtrees). 10134 10135\item[{\sphinxstylestrong{-containerref} \sphinxstyleemphasis{container\_reference\_dn}}] \leavevmode 10136Specifies the DN of the container object in which the principals of a realm will be 10137created.
10138 10139\item[{\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode 10140(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for 10141principals in this realm. 10142 10143\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode 10144(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of 10145tickets for principals in this realm. 10146 10147\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode 10148Specifies global ticket flags for the realm. Allowable flags are 10149documented in the description of the \sphinxstylestrong{add\_principal} command in 10150{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 10151 10152\end{description} 10153 10154Example: 10155 10156\fvset{hllines={, ,}}% 10157\begin{sphinxVerbatim}[commandchars=\\\{\}] 10158\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} 10159 \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n}{modify} \PYG{o}{+}\PYG{n}{requires\PYGZus{}preauth} 10160\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10161\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 10162\end{sphinxVerbatim} 10163 10164 10165\subsubsection{view} 10166\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-end}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:view}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view}}\begin{quote} 10167 10168\sphinxstylestrong{view} 10169\end{quote} 10170 10171Displays 
the attributes of a realm. 10172 10173Example: 10174 10175\fvset{hllines={, ,}}% 10176\begin{sphinxVerbatim}[commandchars=\\\{\}] 10177\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 10178 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view} 10179\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10180\PYG{n}{Realm} \PYG{n}{Name}\PYG{p}{:} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 10181\PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{users}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} 10182\PYG{n}{Subtree}\PYG{p}{:} \PYG{n}{ou}\PYG{o}{=}\PYG{n}{servers}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} 10183\PYG{n}{SearchScope}\PYG{p}{:} \PYG{n}{ONE} 10184\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 10185\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 10186\PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE} 10187\end{sphinxVerbatim} 10188 10189 10190\subsubsection{destroy} 10191\label{\detokenize{admin/admin_commands/kdb5_ldap_util:destroy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy}}\begin{quote} 10192 10193\sphinxstylestrong{destroy} {[}\sphinxstylestrong{-f}{]} 10194\end{quote} 10195 10196Destroys an existing realm. 
Options: 10197\begin{description} 10198\item[{\sphinxstylestrong{-f}}] \leavevmode 10199If specified, will not prompt the user for confirmation. 10200 10201\end{description} 10202 10203Example: 10204 10205\fvset{hllines={, ,}}% 10206\begin{sphinxVerbatim}[commandchars=\\\{\}] 10207shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}D cn=admin,o=org \PYGZhy{}H 10208 ldaps://ldap\PYGZhy{}server1.mit.edu destroy 10209Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: 10210Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? 10211(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes 10212OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... 10213shell\PYGZpc{} 10214\end{sphinxVerbatim} 10215 10216 10217\subsubsection{list} 10218\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-end}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:list}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list}}\begin{quote} 10219 10220\sphinxstylestrong{list} 10221\end{quote} 10222 10223Lists the names of realms under the container. 
10224 10225Example: 10226 10227\fvset{hllines={, ,}}% 10228\begin{sphinxVerbatim}[commandchars=\\\{\}] 10229\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} 10230 \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{n+nb}{list} 10231\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10232\PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 10233\PYG{n}{OPENLDAP}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 10234\PYG{n}{MEDIA}\PYG{o}{\PYGZhy{}}\PYG{n}{LAB}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 10235\PYG{n}{shell}\PYG{o}{\PYGZpc{}} 10236\end{sphinxVerbatim} 10237 10238 10239\subsubsection{stashsrvpw} 10240\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-end}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:stashsrvpw}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw}}\begin{quote} 10241 10242\sphinxstylestrong{stashsrvpw} 10243{[}\sphinxstylestrong{-f} \sphinxstyleemphasis{keyfile}{]} 10244\sphinxstyleemphasis{name} 10245\end{quote} 10246 10247Allows an administrator to store the password for a service object in a 10248file so that the KDC and Administration server can use it to authenticate 10249to the LDAP server. Options: 10250\begin{description} 10251\item[{\sphinxstylestrong{-f} \sphinxstyleemphasis{keyfile}}] \leavevmode 10252Specifies the complete path of the service password file. By 10253default, \sphinxcode{/usr/local/var/service\_passwd} is used. 10254 10255\item[{\sphinxstyleemphasis{name}}] \leavevmode 10256Specifies the name of the object whose password is to be stored.
10257If {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}} or {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} are configured for 10258simple binding, this should be the distinguished name it will 10259use as given by the \sphinxstylestrong{ldap\_kdc\_dn} or \sphinxstylestrong{ldap\_kadmind\_dn} 10260variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. If the KDC or kadmind is 10261configured for SASL binding, this should be the authentication 10262name it will use as given by the \sphinxstylestrong{ldap\_kdc\_sasl\_authcid} or 10263\sphinxstylestrong{ldap\_kadmind\_sasl\_authcid} variable. 10264 10265\end{description} 10266 10267Example: 10268 10269\fvset{hllines={, ,}}% 10270\begin{sphinxVerbatim}[commandchars=\\\{\}] 10271\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{n}{stashsrvpw} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{home}\PYG{o}{/}\PYG{n}{andrew}\PYG{o}{/}\PYG{n}{conf\PYGZus{}keyfile} 10272 \PYG{n}{cn}\PYG{o}{=}\PYG{n}{service}\PYG{o}{\PYGZhy{}}\PYG{n}{kdc}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} 10273\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10274\PYG{n}{Re}\PYG{o}{\PYGZhy{}}\PYG{n}{enter} \PYG{n}{password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=service\PYGZhy{}kdc,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10275\end{sphinxVerbatim} 10276 10277 10278\subsubsection{create\_policy} 10279\label{\detokenize{admin/admin_commands/kdb5_ldap_util:create-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy}}\begin{quote} 10280 10281\sphinxstylestrong{create\_policy} 10282{[}\sphinxstylestrong{-maxtktlife} 
\sphinxstyleemphasis{max\_ticket\_life}{]} 10283{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 10284{[}\sphinxstyleemphasis{ticket\_flags}{]} 10285\sphinxstyleemphasis{policy\_name} 10286\end{quote} 10287 10288Creates a ticket policy in the directory. Options: 10289\begin{description} 10290\item[{\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}}] \leavevmode 10291(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum ticket life for 10292principals. 10293 10294\item[{\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}}] \leavevmode 10295(\DUrole{xref,std,std-ref}{getdate} string) Specifies maximum renewable life of 10296tickets for principals. 10297 10298\item[{\sphinxstyleemphasis{ticket\_flags}}] \leavevmode 10299Specifies the ticket flags. If this option is not specified, by 10300default, no restriction will be set by the policy. Allowable 10301flags are documented in the description of the \sphinxstylestrong{add\_principal} 10302command in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 10303 10304\item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode 10305Specifies the name of the ticket policy. 
10306 10307\end{description} 10308 10309Example: 10310 10311\fvset{hllines={, ,}}% 10312\begin{sphinxVerbatim}[commandchars=\\\{\}] 10313\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 10314 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{create\PYGZus{}policy} \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 day}\PYG{l+s+s2}{\PYGZdq{}} 10315 \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{1 week}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{+}\PYG{n}{needchange} 10316 \PYG{o}{\PYGZhy{}}\PYG{n}{allow\PYGZus{}forwardable} \PYG{n}{tktpolicy} 10317\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10318\end{sphinxVerbatim} 10319 10320 10321\subsubsection{modify\_policy} 10322\label{\detokenize{admin/admin_commands/kdb5_ldap_util:modify-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy}}\begin{quote} 10323 10324\sphinxstylestrong{modify\_policy} 10325{[}\sphinxstylestrong{-maxtktlife} \sphinxstyleemphasis{max\_ticket\_life}{]} 10326{[}\sphinxstylestrong{-maxrenewlife} \sphinxstyleemphasis{max\_renewable\_ticket\_life}{]} 10327{[}\sphinxstyleemphasis{ticket\_flags}{]} 10328\sphinxstyleemphasis{policy\_name} 10329\end{quote} 10330 10331Modifies the attributes of a ticket policy. Options are the same as for 10332\sphinxstylestrong{create\_policy}. 
10333 10334Example: 10335 10336\fvset{hllines={, ,}}% 10337\begin{sphinxVerbatim}[commandchars=\\\{\}] 10338\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} 10339 \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{modify\PYGZus{}policy} 10340 \PYG{o}{\PYGZhy{}}\PYG{n}{maxtktlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{60 minutes}\PYG{l+s+s2}{\PYGZdq{}} \PYG{o}{\PYGZhy{}}\PYG{n}{maxrenewlife} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{10 hours}\PYG{l+s+s2}{\PYGZdq{}} 10341 \PYG{o}{+}\PYG{n}{allow\PYGZus{}postdated} \PYG{o}{\PYGZhy{}}\PYG{n}{requires\PYGZus{}preauth} \PYG{n}{tktpolicy} 10342\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10343\end{sphinxVerbatim} 10344 10345 10346\subsubsection{view\_policy} 10347\label{\detokenize{admin/admin_commands/kdb5_ldap_util:view-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy}}\begin{quote} 10348 10349\sphinxstylestrong{view\_policy} 10350\sphinxstyleemphasis{policy\_name} 10351\end{quote} 10352 10353Displays the attributes of the named ticket policy. 
10354 10355Example: 10356 10357\fvset{hllines={, ,}}% 10358\begin{sphinxVerbatim}[commandchars=\\\{\}] 10359\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 10360 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{view\PYGZus{}policy} \PYG{n}{tktpolicy} 10361\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10362\PYG{n}{Ticket} \PYG{n}{policy}\PYG{p}{:} \PYG{n}{tktpolicy} 10363\PYG{n}{Maximum} \PYG{n}{ticket} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{01}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 10364\PYG{n}{Maximum} \PYG{n}{renewable} \PYG{n}{life}\PYG{p}{:} \PYG{l+m+mi}{0} \PYG{n}{days} \PYG{l+m+mi}{10}\PYG{p}{:}\PYG{l+m+mi}{00}\PYG{p}{:}\PYG{l+m+mi}{00} 10365\PYG{n}{Ticket} \PYG{n}{flags}\PYG{p}{:} \PYG{n}{DISALLOW\PYGZus{}FORWARDABLE} \PYG{n}{REQUIRES\PYGZus{}PWCHANGE} 10366\end{sphinxVerbatim} 10367 10368 10369\subsubsection{destroy\_policy} 10370\label{\detokenize{admin/admin_commands/kdb5_ldap_util:destroy-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy}}\begin{quote} 10371 10372\sphinxstylestrong{destroy\_policy} 10373{[}\sphinxstylestrong{-force}{]} 10374\sphinxstyleemphasis{policy\_name} 10375\end{quote} 10376 10377Destroys an existing ticket policy. Options: 10378\begin{description} 10379\item[{\sphinxstylestrong{-force}}] \leavevmode 10380Forces the deletion of the policy object. If not specified, the 10381user will be prompted for confirmation before deleting the policy. 
10382 10383\item[{\sphinxstyleemphasis{policy\_name}}] \leavevmode 10384Specifies the name of the ticket policy. 10385 10386\end{description} 10387 10388Example: 10389 10390\fvset{hllines={, ,}}% 10391\begin{sphinxVerbatim}[commandchars=\\\{\}] 10392kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu 10393 \PYGZhy{}r ATHENA.MIT.EDU destroy\PYGZus{}policy tktpolicy 10394Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: 10395This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? 10396(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes 10397** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. 10398\end{sphinxVerbatim} 10399 10400 10401\subsubsection{list\_policy} 10402\label{\detokenize{admin/admin_commands/kdb5_ldap_util:list-policy}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy-end}}\phantomsection\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy}}\begin{quote} 10403 10404\sphinxstylestrong{list\_policy} 10405\end{quote} 10406 10407Lists ticket policies. 
10408 10409Example: 10410 10411\fvset{hllines={, ,}}% 10412\begin{sphinxVerbatim}[commandchars=\\\{\}] 10413\PYG{n}{kdb5\PYGZus{}ldap\PYGZus{}util} \PYG{o}{\PYGZhy{}}\PYG{n}{D} \PYG{n}{cn}\PYG{o}{=}\PYG{n}{admin}\PYG{p}{,}\PYG{n}{o}\PYG{o}{=}\PYG{n}{org} \PYG{o}{\PYGZhy{}}\PYG{n}{H} \PYG{n}{ldaps}\PYG{p}{:}\PYG{o}{/}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{\PYGZhy{}}\PYG{n}{server1}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu} 10414 \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{n}{list\PYGZus{}policy} 10415\PYG{n}{Password} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{cn=admin,o=org}\PYG{l+s+s2}{\PYGZdq{}}\PYG{p}{:} 10416\PYG{n}{tktpolicy} 10417\PYG{n}{tmppolicy} 10418\PYG{n}{userpolicy} 10419\end{sphinxVerbatim} 10420 10421 10422\subsection{ENVIRONMENT} 10423\label{\detokenize{admin/admin_commands/kdb5_ldap_util:environment}}\label{\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy-end}} 10424See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 10425variables. 
10426 10427 10428\subsection{SEE ALSO} 10429\label{\detokenize{admin/admin_commands/kdb5_ldap_util:see-also}} 10430{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 10431 10432 10433\section{krb5kdc} 10434\label{\detokenize{admin/admin_commands/krb5kdc::doc}}\label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}}\label{\detokenize{admin/admin_commands/krb5kdc:krb5kdc}} 10435 10436\subsection{SYNOPSIS} 10437\label{\detokenize{admin/admin_commands/krb5kdc:synopsis}} 10438\sphinxstylestrong{krb5kdc} 10439{[}\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}{]} 10440{[}\sphinxstylestrong{-d} \sphinxstyleemphasis{dbname}{]} 10441{[}\sphinxstylestrong{-k} \sphinxstyleemphasis{keytype}{]} 10442{[}\sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname}{]} 10443{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{portnum}{]} 10444{[}\sphinxstylestrong{-m}{]} 10445{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 10446{[}\sphinxstylestrong{-n}{]} 10447{[}\sphinxstylestrong{-w} \sphinxstyleemphasis{numworkers}{]} 10448{[}\sphinxstylestrong{-P} \sphinxstyleemphasis{pid\_file}{]} 10449{[}\sphinxstylestrong{-T} \sphinxstyleemphasis{time\_offset}{]} 10450 10451 10452\subsection{DESCRIPTION} 10453\label{\detokenize{admin/admin_commands/krb5kdc:description}} 10454krb5kdc is the Kerberos version 5 Authentication Service and Key 10455Distribution Center (AS/KDC). 10456 10457 10458\subsection{OPTIONS} 10459\label{\detokenize{admin/admin_commands/krb5kdc:options}} 10460The \sphinxstylestrong{-r} \sphinxstyleemphasis{realm} option specifies the realm for which the server 10461should provide service. This option may be specified multiple times 10462to serve multiple realms. 
If no \sphinxstylestrong{-r} option is given, the default 10463realm (as specified in {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}) will be served. 10464 10465The \sphinxstylestrong{-d} \sphinxstyleemphasis{dbname} option specifies the name under which the 10466principal database can be found. This option does not apply to the 10467LDAP database. 10468 10469The \sphinxstylestrong{-k} \sphinxstyleemphasis{keytype} option specifies the key type of the master key 10470to be entered manually as a password when \sphinxstylestrong{-m} is given; the default 10471is \sphinxcode{aes256-cts-hmac-sha1-96}. 10472 10473The \sphinxstylestrong{-M} \sphinxstyleemphasis{mkeyname} option specifies the principal name for the 10474master key in the database (usually \sphinxcode{K/M} in the KDC’s realm). 10475 10476The \sphinxstylestrong{-m} option specifies that the master database password should 10477be fetched from the keyboard rather than from a stash file. 10478 10479The \sphinxstylestrong{-n} option specifies that the KDC does not put itself in the 10480background and does not disassociate itself from the terminal. 10481 10482The \sphinxstylestrong{-P} \sphinxstyleemphasis{pid\_file} option tells the KDC to write its PID into 10483\sphinxstyleemphasis{pid\_file} after it starts up. This can be used to identify whether 10484the KDC is still running and to allow init scripts to stop the correct 10485process. 10486 10487The \sphinxstylestrong{-p} \sphinxstyleemphasis{portnum} option specifies the default UDP and TCP port 10488numbers which the KDC should listen on for Kerberos version 5 10489requests, as a comma-separated list. 
This value overrides the port 10490numbers specified in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdcdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}kdcdefaults{]}}}}} section of 10491{\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, but may be overridden by realm-specific values. 10492If no value is given from any source, the default port is 88. 10493 10494The \sphinxstylestrong{-w} \sphinxstyleemphasis{numworkers} option tells the KDC to fork \sphinxstyleemphasis{numworkers} 10495processes to listen to the KDC ports and process requests in parallel. 10496The top-level KDC process (whose pid is recorded in the pid file if 10497the \sphinxstylestrong{-P} option is also given) acts as a supervisor. The supervisor 10498will relay SIGHUP signals to the worker subprocesses, and will 10499terminate the worker subprocesses if it is itself terminated or if 10500any other worker process exits. 10501 10502The \sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args} option specifies database-specific arguments. 10503See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for 10504supported arguments. 10505 10506The \sphinxstylestrong{-T} \sphinxstyleemphasis{offset} option specifies a time offset, in seconds, which 10507the KDC will operate under. It is intended only for testing purposes. 10508 10509 10510\subsection{EXAMPLE} 10511\label{\detokenize{admin/admin_commands/krb5kdc:example}} 10512The KDC may service requests for multiple realms (maximum 32 realms). 10513The realms are listed on the command line. Per-realm options that can 10514be specified on the command line pertain for each realm that follows 10515it and are superseded by subsequent definitions of the same option. 
10516 10517For example: 10518 10519\fvset{hllines={, ,}}% 10520\begin{sphinxVerbatim}[commandchars=\\\{\}] 10521\PYG{n}{krb5kdc} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{l+m+mi}{2001} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM1} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{l+m+mi}{2002} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM2} \PYG{o}{\PYGZhy{}}\PYG{n}{r} \PYG{n}{REALM3} 10522\end{sphinxVerbatim} 10523 10524specifies that the KDC listen on port 2001 for REALM1 and on port 2002 10525for REALM2 and REALM3. Additionally, per-realm parameters may be 10526specified in the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} file. The location of this file 10527may be specified by the \sphinxstylestrong{KRB5\_KDC\_PROFILE} environment variable. 10528Per-realm parameters specified in this file take precedence over 10529options specified on the command line. See the {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} 10530description for further details. 10531 10532 10533\subsection{ENVIRONMENT} 10534\label{\detokenize{admin/admin_commands/krb5kdc:environment}} 10535See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 10536variables. 
10537 10538 10539\subsection{SEE ALSO} 10540\label{\detokenize{admin/admin_commands/krb5kdc:see-also}} 10541{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}, {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}, 10542{\hyperref[\detokenize{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_ldap\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 10543 10544 10545\section{kprop} 10546\label{\detokenize{admin/admin_commands/kprop:kprop-8}}\label{\detokenize{admin/admin_commands/kprop::doc}}\label{\detokenize{admin/admin_commands/kprop:kprop}} 10547 10548\subsection{SYNOPSIS} 10549\label{\detokenize{admin/admin_commands/kprop:synopsis}} 10550\sphinxstylestrong{kprop} 10551{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 10552{[}\sphinxstylestrong{-f} \sphinxstyleemphasis{file}{]} 10553{[}\sphinxstylestrong{-d}{]} 10554{[}\sphinxstylestrong{-P} \sphinxstyleemphasis{port}{]} 10555{[}\sphinxstylestrong{-s} \sphinxstyleemphasis{keytab}{]} 10556\sphinxstyleemphasis{replica\_host} 10557 10558 10559\subsection{DESCRIPTION} 10560\label{\detokenize{admin/admin_commands/kprop:description}} 10561kprop is used to securely propagate a Kerberos V5 database dump file 10562from the primary Kerberos server to a replica Kerberos server, which is 10563specified by \sphinxstyleemphasis{replica\_host}. The dump file must be created by 10564{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}. 
10565 10566 10567\subsection{OPTIONS} 10568\label{\detokenize{admin/admin_commands/kprop:options}}\begin{description} 10569\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 10570Specifies the realm of the primary server. 10571 10572\item[{\sphinxstylestrong{-f} \sphinxstyleemphasis{file}}] \leavevmode 10573Specifies the filename where the dumped principal database file is 10574to be found; by default the dumped database file is normally 10575{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/replica\_datatrans}. 10576 10577\item[{\sphinxstylestrong{-P} \sphinxstyleemphasis{port}}] \leavevmode 10578Specifies the port to use to contact the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} server 10579on the remote host. 10580 10581\item[{\sphinxstylestrong{-d}}] \leavevmode 10582Prints debugging information. 10583 10584\item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{keytab}}] \leavevmode 10585Specifies the location of the keytab file. 10586 10587\end{description} 10588 10589 10590\subsection{ENVIRONMENT} 10591\label{\detokenize{admin/admin_commands/kprop:environment}} 10592See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 10593variables. 
10594 10595 10596\subsection{SEE ALSO} 10597\label{\detokenize{admin/admin_commands/kprop:see-also}} 10598{\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, 10599\DUrole{xref,std,std-ref}{kerberos(7)} 10600 10601 10602\section{kpropd} 10603\label{\detokenize{admin/admin_commands/kpropd::doc}}\label{\detokenize{admin/admin_commands/kpropd:kpropd}}\label{\detokenize{admin/admin_commands/kpropd:kpropd-8}} 10604 10605\subsection{SYNOPSIS} 10606\label{\detokenize{admin/admin_commands/kpropd:synopsis}} 10607\sphinxstylestrong{kpropd} 10608{[}\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}{]} 10609{[}\sphinxstylestrong{-A} \sphinxstyleemphasis{admin\_server}{]} 10610{[}\sphinxstylestrong{-a} \sphinxstyleemphasis{acl\_file}{]} 10611{[}\sphinxstylestrong{-f} \sphinxstyleemphasis{replica\_dumpfile}{]} 10612{[}\sphinxstylestrong{-F} \sphinxstyleemphasis{principal\_database}{]} 10613{[}\sphinxstylestrong{-p} \sphinxstyleemphasis{kdb5\_util\_prog}{]} 10614{[}\sphinxstylestrong{-P} \sphinxstyleemphasis{port}{]} 10615{[}\sphinxstylestrong{\textendash{}pid-file}=\sphinxstyleemphasis{pid\_file}{]} 10616{[}\sphinxstylestrong{-D}{]} 10617{[}\sphinxstylestrong{-d}{]} 10618{[}\sphinxstylestrong{-s} \sphinxstyleemphasis{keytab\_file}{]} 10619 10620 10621\subsection{DESCRIPTION} 10622\label{\detokenize{admin/admin_commands/kpropd:description}} 10623The \sphinxstyleemphasis{kpropd} command runs on the replica KDC server. It listens for 10624update requests made by the {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} program. If incremental 10625propagation is enabled, it periodically requests incremental updates 10626from the primary KDC. 
10627 10628When the replica receives a kprop request from the primary, kpropd 10629accepts the dumped KDC database and places it in a file, and then runs 10630{\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} to load the dumped database into the active 10631database which is used by {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}. This allows the primary 10632Kerberos server to use {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} to propagate its database to 10633the replica servers. Upon a successful download of the KDC database 10634file, the replica Kerberos server will have an up-to-date KDC 10635database. 10636 10637Where incremental propagation is not used, kpropd is commonly invoked 10638out of inetd(8) as a nowait service. This is done by adding a line to 10639the \sphinxcode{/etc/inetd.conf} file which looks like this: 10640 10641\fvset{hllines={, ,}}% 10642\begin{sphinxVerbatim}[commandchars=\\\{\}] 10643\PYG{n}{kprop} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{kpropd} \PYG{n}{kpropd} 10644\end{sphinxVerbatim} 10645 10646kpropd can also run as a standalone daemon, backgrounding itself and 10647waiting for connections on port 754 (or the port specified with the 10648\sphinxstylestrong{-P} option if given). Standalone mode is required for incremental 10649propagation. Starting in release 1.11, kpropd automatically detects 10650whether it was run from inetd and runs in standalone mode if it is 10651not. Prior to release 1.11, the \sphinxstylestrong{-S} option is required to run 10652kpropd in standalone mode; this option is now accepted for backward 10653compatibility but does nothing. 
10654 10655Incremental propagation may be enabled with the \sphinxstylestrong{iprop\_enable} 10656variable in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}}. If incremental propagation is 10657enabled, the replica periodically polls the primary KDC for updates, at 10658an interval determined by the \sphinxstylestrong{iprop\_replica\_poll} variable. If the 10659replica receives updates, kpropd updates its log file with any updates 10660from the primary. {\hyperref[\detokenize{admin/admin_commands/kproplog:kproplog-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kproplog}}}} can be used to view a summary of 10661the update entry log on the replica KDC. If incremental propagation 10662is enabled, the principal \sphinxcode{kiprop/replicahostname@REALM} (where 10663\sphinxstyleemphasis{replicahostname} is the name of the replica KDC host, and \sphinxstyleemphasis{REALM} is 10664the name of the Kerberos realm) must be present in the replica’s 10665keytab file. 10666 10667{\hyperref[\detokenize{admin/admin_commands/kproplog:kproplog-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kproplog}}}} can be used to force full replication when iprop is 10668enabled. 10669 10670 10671\subsection{OPTIONS} 10672\label{\detokenize{admin/admin_commands/kpropd:options}}\begin{description} 10673\item[{\sphinxstylestrong{-r} \sphinxstyleemphasis{realm}}] \leavevmode 10674Specifies the realm of the primary server. 10675 10676\item[{\sphinxstylestrong{-A} \sphinxstyleemphasis{admin\_server}}] \leavevmode 10677Specifies the server to be contacted for incremental updates; by 10678default, the primary admin server is contacted. 
10679 10680\item[{\sphinxstylestrong{-f} \sphinxstyleemphasis{file}}] \leavevmode 10681Specifies the filename where the dumped principal database file is 10682to be stored; by default the dumped database file is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/from\_master}. 10683 10684\item[{\sphinxstylestrong{-F} \sphinxstyleemphasis{kerberos\_db}}] \leavevmode 10685Path to the Kerberos database file, if not the default. 10686 10687\item[{\sphinxstylestrong{-p}}] \leavevmode 10688Allows the user to specify the pathname to the {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}} 10689program; by default the pathname used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{/kdb5\_util}. 10690 10691\item[{\sphinxstylestrong{-D}}] \leavevmode 10692In this mode, kpropd will not detach itself from the current job 10693and run in the background. Instead, it will run in the 10694foreground. 10695 10696\item[{\sphinxstylestrong{-d}}] \leavevmode 10697Turn on debug mode. kpropd will print out debugging messages 10698during the database propagation and will run in the foreground 10699(implies \sphinxstylestrong{-D}). 10700 10701\item[{\sphinxstylestrong{-P}}] \leavevmode 10702Allow for an alternate port number for kpropd to listen on. This 10703is only useful when kpropd runs in standalone mode (historically selected with the \sphinxstylestrong{-S} option). 10704 10705\item[{\sphinxstylestrong{-a} \sphinxstyleemphasis{acl\_file}}] \leavevmode 10706Allows the user to specify the path to the kpropd.acl file; by 10707default the path used is {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kpropd.acl}. 
10708 10709\item[{\sphinxstylestrong{\textendash{}pid-file}=\sphinxstyleemphasis{pid\_file}}] \leavevmode 10710In standalone mode, write the process ID of the daemon into 10711\sphinxstyleemphasis{pid\_file}. 10712 10713\item[{\sphinxstylestrong{-s} \sphinxstyleemphasis{keytab\_file}}] \leavevmode 10714Path to a keytab to use for acquiring acceptor credentials. 10715 10716\item[{\sphinxstylestrong{-x} \sphinxstyleemphasis{db\_args}}] \leavevmode 10717Database-specific arguments. See {\hyperref[\detokenize{admin/admin_commands/kadmin_local:dboptions}]{\sphinxcrossref{\DUrole{std,std-ref}{Database Options}}}} in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} for supported arguments. 10718 10719\end{description} 10720 10721 10722\subsection{FILES} 10723\label{\detokenize{admin/admin_commands/kpropd:files}}\begin{description} 10724\item[{kpropd.acl}] \leavevmode 10725Access file for kpropd; the default location is 10726\sphinxcode{/usr/local/var/krb5kdc/kpropd.acl}. Each entry is a line 10727containing the principal of a host from which the local machine 10728will allow Kerberos database propagation via {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}. 10729 10730\end{description} 10731 10732 10733\subsection{ENVIRONMENT} 10734\label{\detokenize{admin/admin_commands/kpropd:environment}} 10735See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 10736variables. 
10737 10738 10739\subsection{SEE ALSO} 10740\label{\detokenize{admin/admin_commands/kpropd:see-also}} 10741{\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, {\hyperref[\detokenize{admin/admin_commands/krb5kdc:krb5kdc-8}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5kdc}}}}, 10742\DUrole{xref,std,std-ref}{kerberos(7)}, inetd(8) 10743 10744 10745\section{kproplog} 10746\label{\detokenize{admin/admin_commands/kproplog:kproplog}}\label{\detokenize{admin/admin_commands/kproplog:kproplog-8}}\label{\detokenize{admin/admin_commands/kproplog::doc}} 10747 10748\subsection{SYNOPSIS} 10749\label{\detokenize{admin/admin_commands/kproplog:synopsis}} 10750\sphinxstylestrong{kproplog} {[}\sphinxstylestrong{-h}{]} {[}\sphinxstylestrong{-e} \sphinxstyleemphasis{num}{]} {[}-v{]} 10751\sphinxstylestrong{kproplog} {[}-R{]} 10752 10753 10754\subsection{DESCRIPTION} 10755\label{\detokenize{admin/admin_commands/kproplog:description}} 10756The kproplog command displays the contents of the KDC database update 10757log to standard output. It can be used to keep track of incremental 10758updates to the principal database. The update log file contains the 10759update log maintained by the {\hyperref[\detokenize{admin/admin_commands/kadmind:kadmind-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmind}}}} process on the primary 10760KDC server and the {\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} process on the replica KDC 10761servers. When updates occur, they are logged to this file. 10762Subsequently any KDC replica configured for incremental updates will 10763request the current data from the primary KDC and update their log 10764file with any updates returned. 10765 10766The kproplog command requires read access to the update log file. 
It 10767will display update entries only for the KDC it runs on. 10768 10769If no options are specified, kproplog displays a summary of the update 10770log. If invoked on the primary, kproplog also displays all of the 10771update entries. If invoked on a replica KDC server, kproplog displays 10772only a summary of the updates, which includes the serial number of the 10773last update received and the associated time stamp of the last update. 10774 10775 10776\subsection{OPTIONS} 10777\label{\detokenize{admin/admin_commands/kproplog:options}}\begin{description} 10778\item[{\sphinxstylestrong{-R}}] \leavevmode 10779Reset the update log. This forces full resynchronization. If 10780used on a replica then that replica will request a full resync. 10781If used on the primary then all replicas will request full 10782resyncs. 10783 10784\item[{\sphinxstylestrong{-h}}] \leavevmode 10785Display a summary of the update log. This information includes 10786the database version number, state of the database, the number of 10787updates in the log, the time stamp of the first and last update, 10788and the version number of the first and last update entry. 10789 10790\item[{\sphinxstylestrong{-e} \sphinxstyleemphasis{num}}] \leavevmode 10791Display the last \sphinxstyleemphasis{num} update entries in the log. This is useful 10792when debugging synchronization between KDC servers. 10793 10794\item[{\sphinxstylestrong{-v}}] \leavevmode 10795Display individual attributes per update. 
An example of the 10796output generated for one entry: 10797 10798\fvset{hllines={, ,}}% 10799\begin{sphinxVerbatim}[commandchars=\\\{\}] 10800\PYG{n}{Update} \PYG{n}{Entry} 10801 \PYG{n}{Update} \PYG{n}{serial} \PYG{c+c1}{\PYGZsh{} : 4} 10802 \PYG{n}{Update} \PYG{n}{operation} \PYG{p}{:} \PYG{n}{Add} 10803 \PYG{n}{Update} \PYG{n}{principal} \PYG{p}{:} \PYG{n}{test}\PYG{n+nd}{@EXAMPLE}\PYG{o}{.}\PYG{n}{COM} 10804 \PYG{n}{Update} \PYG{n}{size} \PYG{p}{:} \PYG{l+m+mi}{424} 10805 \PYG{n}{Update} \PYG{n}{committed} \PYG{p}{:} \PYG{k+kc}{True} 10806 \PYG{n}{Update} \PYG{n}{time} \PYG{n}{stamp} \PYG{p}{:} \PYG{n}{Fri} \PYG{n}{Feb} \PYG{l+m+mi}{20} \PYG{l+m+mi}{23}\PYG{p}{:}\PYG{l+m+mi}{37}\PYG{p}{:}\PYG{l+m+mi}{42} \PYG{l+m+mi}{2004} 10807 \PYG{n}{Attributes} \PYG{n}{changed} \PYG{p}{:} \PYG{l+m+mi}{6} 10808 \PYG{n}{Principal} 10809 \PYG{n}{Key} \PYG{n}{data} 10810 \PYG{n}{Password} \PYG{n}{last} \PYG{n}{changed} 10811 \PYG{n}{Modifying} \PYG{n}{principal} 10812 \PYG{n}{Modification} \PYG{n}{time} 10813 \PYG{n}{TL} \PYG{n}{data} 10814\end{sphinxVerbatim} 10815 10816\end{description} 10817 10818 10819\subsection{ENVIRONMENT} 10820\label{\detokenize{admin/admin_commands/kproplog:environment}} 10821See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 10822variables. 
10823 10824 10825\subsection{SEE ALSO} 10826\label{\detokenize{admin/admin_commands/kproplog:see-also}} 10827{\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 10828 10829 10830\section{ktutil} 10831\label{\detokenize{admin/admin_commands/ktutil:ktutil-1}}\label{\detokenize{admin/admin_commands/ktutil::doc}}\label{\detokenize{admin/admin_commands/ktutil:ktutil}} 10832 10833\subsection{SYNOPSIS} 10834\label{\detokenize{admin/admin_commands/ktutil:synopsis}} 10835\sphinxstylestrong{ktutil} 10836 10837 10838\subsection{DESCRIPTION} 10839\label{\detokenize{admin/admin_commands/ktutil:description}} 10840The ktutil command invokes a command interface from which an 10841administrator can read, write, or edit entries in a keytab. (Kerberos 10842V4 srvtab files are no longer supported.) 10843 10844 10845\subsection{COMMANDS} 10846\label{\detokenize{admin/admin_commands/ktutil:commands}} 10847 10848\subsubsection{list} 10849\label{\detokenize{admin/admin_commands/ktutil:list}}\begin{quote} 10850 10851\sphinxstylestrong{list} {[}\sphinxstylestrong{-t}{]} {[}\sphinxstylestrong{-k}{]} {[}\sphinxstylestrong{-e}{]} 10852\end{quote} 10853 10854Displays the current keylist. If \sphinxstylestrong{-t}, \sphinxstylestrong{-k}, and/or \sphinxstylestrong{-e} are 10855specified, also display the timestamp, key contents, or enctype 10856(respectively). 10857 10858Alias: \sphinxstylestrong{l} 10859 10860 10861\subsubsection{read\_kt} 10862\label{\detokenize{admin/admin_commands/ktutil:read-kt}}\begin{quote} 10863 10864\sphinxstylestrong{read\_kt} \sphinxstyleemphasis{keytab} 10865\end{quote} 10866 10867Read the Kerberos V5 keytab file \sphinxstyleemphasis{keytab} into the current keylist. 
10868 10869Alias: \sphinxstylestrong{rkt} 10870 10871 10872\subsubsection{write\_kt} 10873\label{\detokenize{admin/admin_commands/ktutil:write-kt}}\begin{quote} 10874 10875\sphinxstylestrong{write\_kt} \sphinxstyleemphasis{keytab} 10876\end{quote} 10877 10878Write the current keylist into the Kerberos V5 keytab file \sphinxstyleemphasis{keytab}. 10879 10880Alias: \sphinxstylestrong{wkt} 10881 10882 10883\subsubsection{clear\_list} 10884\label{\detokenize{admin/admin_commands/ktutil:clear-list}}\begin{quote} 10885 10886\sphinxstylestrong{clear\_list} 10887\end{quote} 10888 10889Clear the current keylist. 10890 10891Alias: \sphinxstylestrong{clear} 10892 10893 10894\subsubsection{delete\_entry} 10895\label{\detokenize{admin/admin_commands/ktutil:delete-entry}}\begin{quote} 10896 10897\sphinxstylestrong{delete\_entry} \sphinxstyleemphasis{slot} 10898\end{quote} 10899 10900Delete the entry in slot number \sphinxstyleemphasis{slot} from the current keylist. 10901 10902Alias: \sphinxstylestrong{delent} 10903 10904 10905\subsubsection{add\_entry} 10906\label{\detokenize{admin/admin_commands/ktutil:add-entry}}\begin{quote} 10907 10908\sphinxstylestrong{add\_entry} \{\sphinxstylestrong{-key}\textbar{}\sphinxstylestrong{-password}\} \sphinxstylestrong{-p} \sphinxstyleemphasis{principal} 10909\sphinxstylestrong{-k} \sphinxstyleemphasis{kvno} {[}\sphinxstylestrong{-e} \sphinxstyleemphasis{enctype}{]} {[}\sphinxstylestrong{-f}\textbar{}\sphinxstylestrong{-s} \sphinxstyleemphasis{salt}{]} 10910\end{quote} 10911 10912Add \sphinxstyleemphasis{principal} to keylist using key or password. If the \sphinxstylestrong{-f} flag 10913is specified, salt information will be fetched from the KDC; in this 10914case the \sphinxstylestrong{-e} flag may be omitted, or it may be supplied to force a 10915particular enctype. 
If the \sphinxstylestrong{-f} flag is not specified, the \sphinxstylestrong{-e} 10916flag must be specified, and the default salt will be used unless 10917overridden with the \sphinxstylestrong{-s} option. 10918 10919Alias: \sphinxstylestrong{addent} 10920 10921 10922\subsubsection{list\_requests} 10923\label{\detokenize{admin/admin_commands/ktutil:list-requests}}\begin{quote} 10924 10925\sphinxstylestrong{list\_requests} 10926\end{quote} 10927 10928Displays a listing of available commands. 10929 10930Aliases: \sphinxstylestrong{lr}, \sphinxstylestrong{?} 10931 10932 10933\subsubsection{quit} 10934\label{\detokenize{admin/admin_commands/ktutil:quit}}\begin{quote} 10935 10936\sphinxstylestrong{quit} 10937\end{quote} 10938 10939Quits ktutil. 10940 10941Aliases: \sphinxstylestrong{exit}, \sphinxstylestrong{q} 10942 10943 10944\subsection{EXAMPLE} 10945\label{\detokenize{admin/admin_commands/ktutil:example}}\begin{quote} 10946 10947\fvset{hllines={, ,}}% 10948\begin{sphinxVerbatim}[commandchars=\\\{\}] 10949\PYG{n}{ktutil}\PYG{p}{:} \PYG{n}{add\PYGZus{}entry} \PYG{o}{\PYGZhy{}}\PYG{n}{password} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{l+m+mi}{1} \PYG{o}{\PYGZhy{}}\PYG{n}{e} 10950 \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} 10951\PYG{n}{Password} \PYG{k}{for} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 10952\PYG{n}{ktutil}\PYG{p}{:} \PYG{n}{add\PYGZus{}entry} \PYG{o}{\PYGZhy{}}\PYG{n}{password} \PYG{o}{\PYGZhy{}}\PYG{n}{p} \PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{n}{k} \PYG{l+m+mi}{1} \PYG{o}{\PYGZhy{}}\PYG{n}{e} 10953 \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} 10954\PYG{n}{Password} \PYG{k}{for} 
\PYG{n}{alice}\PYG{n+nd}{@BLEEP}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} 10955\PYG{n}{ktutil}\PYG{p}{:} \PYG{n}{write\PYGZus{}kt} \PYG{n}{keytab} 10956\PYG{n}{ktutil}\PYG{p}{:} 10957\end{sphinxVerbatim} 10958\end{quote} 10959 10960 10961\subsection{ENVIRONMENT} 10962\label{\detokenize{admin/admin_commands/ktutil:environment}} 10963See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 10964variables. 10965 10966 10967\subsection{SEE ALSO} 10968\label{\detokenize{admin/admin_commands/ktutil:see-also}} 10969{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 10970 10971 10972\section{k5srvutil} 10973\label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}}\label{\detokenize{admin/admin_commands/k5srvutil::doc}}\label{\detokenize{admin/admin_commands/k5srvutil:k5srvutil}} 10974 10975\subsection{SYNOPSIS} 10976\label{\detokenize{admin/admin_commands/k5srvutil:synopsis}} 10977\sphinxstylestrong{k5srvutil} \sphinxstyleemphasis{operation} 10978{[}\sphinxstylestrong{-i}{]} 10979{[}\sphinxstylestrong{-f} \sphinxstyleemphasis{file}{]} 10980{[}\sphinxstylestrong{-e} \sphinxstyleemphasis{keysalts}{]} 10981 10982 10983\subsection{DESCRIPTION} 10984\label{\detokenize{admin/admin_commands/k5srvutil:description}} 10985k5srvutil allows an administrator to list keys currently in 10986a keytab, to obtain new keys for a principal currently in a keytab, 10987or to delete non-current keys from a keytab. 10988 10989\sphinxstyleemphasis{operation} must be one of the following: 10990\begin{description} 10991\item[{\sphinxstylestrong{list}}] \leavevmode 10992Lists the keys in a keytab, showing version number and principal 10993name. 
10994 10995\item[{\sphinxstylestrong{change}}] \leavevmode 10996Uses the kadmin protocol to update the keys in the Kerberos 10997database to new randomly-generated keys, and updates the keys in 10998the keytab to match. If a key’s version number doesn’t match the 10999version number stored in the Kerberos server’s database, then the 11000operation will fail. If the \sphinxstylestrong{-i} flag is given, k5srvutil will 11001prompt for confirmation before changing each key. If the \sphinxstylestrong{-k} 11002option is given, the old and new keys will be displayed. 11003Ordinarily, keys will be generated with the default encryption 11004types and key salts. This can be overridden with the \sphinxstylestrong{-e} 11005option. Old keys are retained in the keytab so that existing 11006tickets continue to work, but \sphinxstylestrong{delold} should be used after 11007such tickets expire, to prevent attacks against the old keys. 11008 11009\item[{\sphinxstylestrong{delold}}] \leavevmode 11010Deletes keys that are not the most recent version from the keytab. 11011This operation should be used some time after a change operation 11012to remove old keys, after existing tickets issued for the service 11013have expired. If the \sphinxstylestrong{-i} flag is given, then k5srvutil will 11014prompt for confirmation for each principal. 11015 11016\item[{\sphinxstylestrong{delete}}] \leavevmode 11017Deletes particular keys in the keytab, interactively prompting for 11018each key. 11019 11020\end{description} 11021 11022In all cases, the default keytab is used unless this is overridden by 11023the \sphinxstylestrong{-f} option. 11024 11025k5srvutil uses the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program to edit the keytab in 11026place. 
11027 11028 11029\subsection{ENVIRONMENT} 11030\label{\detokenize{admin/admin_commands/k5srvutil:environment}} 11031See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 11032variables. 11033 11034 11035\subsection{SEE ALSO} 11036\label{\detokenize{admin/admin_commands/k5srvutil:see-also}} 11037{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, {\hyperref[\detokenize{admin/admin_commands/ktutil:ktutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{ktutil}}}}, \DUrole{xref,std,std-ref}{kerberos(7)} 11038 11039 11040\section{sserver} 11041\label{\detokenize{admin/admin_commands/sserver:sserver-8}}\label{\detokenize{admin/admin_commands/sserver::doc}}\label{\detokenize{admin/admin_commands/sserver:sserver}} 11042 11043\subsection{SYNOPSIS} 11044\label{\detokenize{admin/admin_commands/sserver:synopsis}} 11045\sphinxstylestrong{sserver} 11046{[} \sphinxstylestrong{-p} \sphinxstyleemphasis{port} {]} 11047{[} \sphinxstylestrong{-S} \sphinxstyleemphasis{keytab} {]} 11048{[} \sphinxstyleemphasis{server\_port} {]} 11049 11050 11051\subsection{DESCRIPTION} 11052\label{\detokenize{admin/admin_commands/sserver:description}} 11053sserver and \DUrole{xref,std,std-ref}{sclient(1)} are a simple demonstration client/server 11054application. When sclient connects to sserver, it performs a Kerberos 11055authentication, and then sserver returns to sclient the Kerberos 11056principal which was used for the Kerberos authentication. It makes a 11057good test that Kerberos has been successfully installed on a machine. 11058 11059The service name used by sserver and sclient is sample. Hence, 11060sserver will require that there be a keytab entry for the service 11061\sphinxcode{sample/hostname.domain.name@REALM.NAME}. This keytab is generated 11062using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} program. 
The keytab file is usually 11063installed as {\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}}. 11064 11065The \sphinxstylestrong{-S} option allows for a different keytab than the default. 11066 11067sserver is normally invoked out of inetd(8), using a line in 11068\sphinxcode{/etc/inetd.conf} that looks like this: 11069 11070\fvset{hllines={, ,}}% 11071\begin{sphinxVerbatim}[commandchars=\\\{\}] 11072\PYG{n}{sample} \PYG{n}{stream} \PYG{n}{tcp} \PYG{n}{nowait} \PYG{n}{root} \PYG{o}{/}\PYG{n}{usr}\PYG{o}{/}\PYG{n}{local}\PYG{o}{/}\PYG{n}{sbin}\PYG{o}{/}\PYG{n}{sserver} \PYG{n}{sserver} 11073\end{sphinxVerbatim} 11074 11075Since \sphinxcode{sample} is normally not a port defined in \sphinxcode{/etc/services}, 11076you will usually have to add a line to \sphinxcode{/etc/services} which looks 11077like this: 11078 11079\fvset{hllines={, ,}}% 11080\begin{sphinxVerbatim}[commandchars=\\\{\}] 11081\PYG{n}{sample} \PYG{l+m+mi}{13135}\PYG{o}{/}\PYG{n}{tcp} 11082\end{sphinxVerbatim} 11083 11084When using sclient, you will first have to have an entry in the 11085Kerberos database, by using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, and then you have to get 11086Kerberos tickets, by using \DUrole{xref,std,std-ref}{kinit(1)}. Also, if you are running 11087the sclient program on a different host than the sserver it will be 11088connecting to, be sure that both hosts have an entry in /etc/services 11089for the sample tcp port, and that the same port number is in both 11090files. 
11091 11092When you run sclient you should see something like this: 11093 11094\fvset{hllines={, ,}}% 11095\begin{sphinxVerbatim}[commandchars=\\\{\}] 11096\PYG{n}{sendauth} \PYG{n}{succeeded}\PYG{p}{,} \PYG{n}{reply} \PYG{o+ow}{is}\PYG{p}{:} 11097\PYG{n}{reply} \PYG{n+nb}{len} \PYG{l+m+mi}{32}\PYG{p}{,} \PYG{n}{contents}\PYG{p}{:} 11098\PYG{n}{You} \PYG{n}{are} \PYG{n}{nlgilman}\PYG{n+nd}{@JIMI}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} 11099\end{sphinxVerbatim} 11100 11101 11102\subsection{COMMON ERROR MESSAGES} 11103\label{\detokenize{admin/admin_commands/sserver:common-error-messages}}\begin{enumerate} 11104\item {} 11105kinit returns the error: 11106 11107\fvset{hllines={, ,}}% 11108\begin{sphinxVerbatim}[commandchars=\\\{\}] 11109\PYG{n}{kinit}\PYG{p}{:} \PYG{n}{Client} \PYG{o+ow}{not} \PYG{n}{found} \PYG{o+ow}{in} \PYG{n}{Kerberos} \PYG{n}{database} \PYG{k}{while} \PYG{n}{getting} 11110 \PYG{n}{initial} \PYG{n}{credentials} 11111\end{sphinxVerbatim} 11112 11113This means that you didn’t create an entry for your username in the 11114Kerberos database. 11115 11116\item {} 11117sclient returns the error: 11118 11119\fvset{hllines={, ,}}% 11120\begin{sphinxVerbatim}[commandchars=\\\{\}] 11121\PYG{n}{unknown} \PYG{n}{service} \PYG{n}{sample}\PYG{o}{/}\PYG{n}{tcp}\PYG{p}{;} \PYG{n}{check} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{services} 11122\end{sphinxVerbatim} 11123 11124This means that you don’t have an entry in /etc/services for the 11125sample tcp port. 11126 11127\item {} 11128sclient returns the error: 11129 11130\fvset{hllines={, ,}}% 11131\begin{sphinxVerbatim}[commandchars=\\\{\}] 11132\PYG{n}{connect}\PYG{p}{:} \PYG{n}{Connection} \PYG{n}{refused} 11133\end{sphinxVerbatim} 11134 11135This probably means you didn’t edit /etc/inetd.conf correctly, or 11136you didn’t restart inetd after editing inetd.conf. 
11137 11138\item {} 11139sclient returns the error: 11140 11141\fvset{hllines={, ,}}% 11142\begin{sphinxVerbatim}[commandchars=\\\{\}] 11143\PYG{n}{sclient}\PYG{p}{:} \PYG{n}{Server} \PYG{o+ow}{not} \PYG{n}{found} \PYG{o+ow}{in} \PYG{n}{Kerberos} \PYG{n}{database} \PYG{k}{while} \PYG{n}{using} 11144 \PYG{n}{sendauth} 11145\end{sphinxVerbatim} 11146 11147This means that the \sphinxcode{sample/hostname@LOCAL.REALM} service was not 11148defined in the Kerberos database; it should be created using 11149{\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}, and a keytab file needs to be generated to make 11150the key for that service principal available for sclient. 11151 11152\item {} 11153sclient returns the error: 11154 11155\fvset{hllines={, ,}}% 11156\begin{sphinxVerbatim}[commandchars=\\\{\}] 11157\PYG{n}{sendauth} \PYG{n}{rejected}\PYG{p}{,} \PYG{n}{error} \PYG{n}{reply} \PYG{o+ow}{is}\PYG{p}{:} 11158 \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{No such file or directory}\PYG{l+s+s2}{\PYGZdq{}} 11159\end{sphinxVerbatim} 11160 11161This probably means sserver couldn’t find the keytab file. It was 11162probably not installed in the proper directory. 11163 11164\end{enumerate} 11165 11166 11167\subsection{ENVIRONMENT} 11168\label{\detokenize{admin/admin_commands/sserver:environment}} 11169See \DUrole{xref,std,std-ref}{kerberos(7)} for a description of Kerberos environment 11170variables. 
11171 11172 11173\subsection{SEE ALSO} 11174\label{\detokenize{admin/admin_commands/sserver:see-also}} 11175\DUrole{xref,std,std-ref}{sclient(1)}, \DUrole{xref,std,std-ref}{kerberos(7)}, services(5), inetd(8) 11176 11177 11178\chapter{MIT Kerberos defaults} 11179\label{\detokenize{mitK5defaults:mitk5defaults}}\label{\detokenize{mitK5defaults::doc}}\label{\detokenize{mitK5defaults:mit-kerberos-defaults}} 11180 11181\section{General defaults} 11182\label{\detokenize{mitK5defaults:general-defaults}} 11183 11184\begin{savenotes}\sphinxattablestart 11185\centering 11186\begin{tabulary}{\linewidth}[t]{|T|T|T|} 11187\hline 11188\sphinxstylethead{\sphinxstyletheadfamily 11189Description 11190\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11191Default 11192\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11193Environment 11194\unskip}\relax \\ 11195\hline 11196\DUrole{xref,std,std-ref}{keytab\_definition} file 11197& 11198{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFKTNAME}}}} 11199& 11200\sphinxstylestrong{KRB5\_KTNAME} 11201\\ 11202\hline 11203Client \DUrole{xref,std,std-ref}{keytab\_definition} file 11204& 11205{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{DEFCKTNAME}}}} 11206& 11207\sphinxstylestrong{KRB5\_CLIENT\_KTNAME} 11208\\ 11209\hline 11210Kerberos config file {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} 11211& 11212\sphinxcode{/etc/krb5.conf}\sphinxcode{:}{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{/krb5.conf} 11213& 11214\sphinxstylestrong{KRB5\_CONFIG} 11215\\ 11216\hline 11217KDC config file {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} 11218& 
11219{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kdc.conf} 11220& 11221\sphinxstylestrong{KRB5\_KDC\_PROFILE} 11222\\ 11223\hline 11224GSS mechanism config file 11225& 11226{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SYSCONFDIR}}}}\sphinxcode{/gss/mech} 11227& 11228\sphinxstylestrong{GSS\_MECH\_CONFIG} 11229\\ 11230\hline 11231KDC database path (DB2) 11232& 11233{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/principal} 11234&\\ 11235\hline 11236Master key \DUrole{xref,std,std-ref}{stash\_definition} 11237& 11238{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/.k5.}\sphinxstyleemphasis{realm} 11239&\\ 11240\hline 11241Admin server ACL file {\hyperref[\detokenize{admin/conf_files/kadm5_acl:kadm5-acl-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kadm5.acl}}}} 11242& 11243{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kadm5.acl} 11244&\\ 11245\hline 11246OTP socket directory 11247& 11248{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{RUNSTATEDIR}}}}\sphinxcode{/krb5kdc} 11249&\\ 11250\hline 11251Plugin base directory 11252& 11253{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LIBDIR}}}}\sphinxcode{/krb5/plugins} 11254&\\ 11255\hline 11256\DUrole{xref,std,std-ref}{rcache\_definition} directory 11257& 11258\sphinxcode{/var/tmp} 11259& 11260\sphinxstylestrong{KRB5RCACHEDIR} 11261\\ 11262\hline 11263Master key default enctype 11264& 11265\sphinxcode{aes256-cts-hmac-sha1-96} 11266&\\ 11267\hline 11268Default {\hyperref[\detokenize{admin/conf_files/kdc_conf:keysalt-lists}]{\sphinxcrossref{\DUrole{std,std-ref}{keysalt list}}}} 11269& 
11270\sphinxcode{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal} 11271&\\ 11272\hline 11273Permitted enctypes 11274& 11275\sphinxcode{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac} 11276&\\ 11277\hline 11278KDC default port 11279& 1128088 11281&\\ 11282\hline 11283Admin server port 11284& 11285749 11286&\\ 11287\hline 11288Password change port 11289& 11290464 11291&\\ 11292\hline 11293\end{tabulary} 11294\par 11295\sphinxattableend\end{savenotes} 11296 11297 11298\section{Replica KDC propagation defaults} 11299\label{\detokenize{mitK5defaults:replica-kdc-propagation-defaults}} 11300This table shows defaults used by the {\hyperref[\detokenize{admin/admin_commands/kprop:kprop-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop}}}} and 11301{\hyperref[\detokenize{admin/admin_commands/kpropd:kpropd-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kpropd}}}} programs. 
11302 11303 11304\begin{savenotes}\sphinxattablestart 11305\centering 11306\begin{tabulary}{\linewidth}[t]{|T|T|T|} 11307\hline 11308\sphinxstylethead{\sphinxstyletheadfamily 11309Description 11310\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11311Default 11312\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11313Environment 11314\unskip}\relax \\ 11315\hline 11316kprop database dump file 11317& 11318{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/replica\_datatrans} 11319&\\ 11320\hline 11321kpropd temporary dump file 11322& 11323{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/from\_master} 11324&\\ 11325\hline 11326kdb5\_util location 11327& 11328{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{/kdb5\_util} 11329&\\ 11330\hline 11331kprop location 11332& 11333{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{SBINDIR}}}}\sphinxcode{/kprop} 11334&\\ 11335\hline 11336kpropd ACL file 11337& 11338{\hyperref[\detokenize{mitK5defaults:paths}]{\sphinxcrossref{\DUrole{std,std-ref}{LOCALSTATEDIR}}}}\sphinxcode{/krb5kdc}\sphinxcode{/kpropd.acl} 11339&\\ 11340\hline 11341kprop port 11342& 11343754 11344& 11345KPROP\_PORT 11346\\ 11347\hline 11348\end{tabulary} 11349\par 11350\sphinxattableend\end{savenotes} 11351 11352 11353\section{Default paths for Unix-like systems} 11354\label{\detokenize{mitK5defaults:paths}}\label{\detokenize{mitK5defaults:default-paths-for-unix-like-systems}} 11355On Unix-like systems, some paths used by MIT krb5 depend on parameters 11356chosen at build time. For a custom build, these paths default to 11357subdirectories of \sphinxcode{/usr/local}. 
When MIT krb5 is integrated into an 11358operating system, the paths are generally chosen to match the 11359operating system’s filesystem layout. 11360 11361 11362\begin{savenotes}\sphinxattablestart 11363\centering 11364\begin{tabulary}{\linewidth}[t]{|T|T|T|T|} 11365\hline 11366\sphinxstylethead{\sphinxstyletheadfamily 11367Description 11368\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11369Symbolic name 11370\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11371Custom build path 11372\unskip}\relax &\sphinxstylethead{\sphinxstyletheadfamily 11373Typical OS path 11374\unskip}\relax \\ 11375\hline 11376User programs 11377& 11378BINDIR 11379& 11380\sphinxcode{/usr/local/bin} 11381& 11382\sphinxcode{/usr/bin} 11383\\ 11384\hline 11385Libraries and plugins 11386& 11387LIBDIR 11388& 11389\sphinxcode{/usr/local/lib} 11390& 11391\sphinxcode{/usr/lib} 11392\\ 11393\hline 11394Parent of KDC state dir 11395& 11396LOCALSTATEDIR 11397& 11398\sphinxcode{/usr/local/var} 11399& 11400\sphinxcode{/var} 11401\\ 11402\hline 11403Parent of KDC runtime dir 11404& 11405RUNSTATEDIR 11406& 11407\sphinxcode{/usr/local/var/run} 11408& 11409\sphinxcode{/run} 11410\\ 11411\hline 11412Administrative programs 11413& 11414SBINDIR 11415& 11416\sphinxcode{/usr/local/sbin} 11417& 11418\sphinxcode{/usr/sbin} 11419\\ 11420\hline 11421Alternate krb5.conf dir 11422& 11423SYSCONFDIR 11424& 11425\sphinxcode{/usr/local/etc} 11426& 11427\sphinxcode{/etc} 11428\\ 11429\hline 11430Default ccache name 11431& 11432DEFCCNAME 11433& 11434\sphinxcode{FILE:/tmp/krb5cc\_\%\{uid\}} 11435& 11436\sphinxcode{FILE:/tmp/krb5cc\_\%\{uid\}} 11437\\ 11438\hline 11439Default keytab name 11440& 11441DEFKTNAME 11442& 11443\sphinxcode{FILE:/etc/krb5.keytab} 11444& 11445\sphinxcode{FILE:/etc/krb5.keytab} 11446\\ 11447\hline 11448\end{tabulary} 11449\par 11450\sphinxattableend\end{savenotes} 11451 11452The default client keytab name (DEFCKTNAME) typically defaults to 
11453\sphinxcode{FILE:/usr/local/var/krb5/user/\%\{euid\}/client.keytab} for a custom 11454build. A native build will typically use a path which will vary 11455according to the operating system’s layout of \sphinxcode{/var}. 11456 11457 11458\chapter{Environment variables} 11459\label{\detokenize{admin/env_variables:environment-variables}}\label{\detokenize{admin/env_variables::doc}} 11460This content has moved to \DUrole{xref,std,std-ref}{kerberos(7)}. 11461 11462 11463\chapter{Troubleshooting} 11464\label{\detokenize{admin/troubleshoot:troubleshoot}}\label{\detokenize{admin/troubleshoot::doc}}\label{\detokenize{admin/troubleshoot:troubleshooting}} 11465 11466\section{Trace logging} 11467\label{\detokenize{admin/troubleshoot:trace-logging}}\label{\detokenize{admin/troubleshoot:id1}} 11468Most programs using MIT krb5 1.9 or later can be made to provide 11469information about internal krb5 library operations using trace 11470logging. To enable this, set the \sphinxstylestrong{KRB5\_TRACE} environment variable 11471to a filename before running the program. On many operating systems, 11472the filename \sphinxcode{/dev/stdout} can be used to send trace logging output 11473to standard output. 11474 11475Some programs do not honor \sphinxstylestrong{KRB5\_TRACE}, either because they use 11476secure library contexts (this generally applies to setuid programs and 11477parts of the login system) or because they take direct control of the 11478trace logging system using the API. 
11479 11480Here is a short example showing trace logging output for an invocation 11481of the \DUrole{xref,std,std-ref}{kvno(1)} command: 11482 11483\fvset{hllines={, ,}}% 11484\begin{sphinxVerbatim}[commandchars=\\\{\}] 11485\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{env} \PYG{n}{KRB5\PYGZus{}TRACE}\PYG{o}{=}\PYG{o}{/}\PYG{n}{dev}\PYG{o}{/}\PYG{n}{stdout} \PYG{n}{kvno} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM} 11486\PYG{p}{[}\PYG{l+m+mi}{9138}\PYG{p}{]} \PYG{l+m+mf}{1332348778.823276}\PYG{p}{:} \PYG{n}{Getting} \PYG{n}{credentials} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZgt{}} 11487 \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{n}{using} \PYG{n}{ccache} 11488 \PYG{n}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{me}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{build}\PYG{o}{/}\PYG{n}{testdir}\PYG{o}{/}\PYG{n}{ccache} 11489\PYG{p}{[}\PYG{l+m+mi}{9138}\PYG{p}{]} \PYG{l+m+mf}{1332348778.823381}\PYG{p}{:} \PYG{n}{Retrieving} \PYG{n}{user}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZgt{}} 11490 \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM} \PYG{k+kn}{from} 11491 \PYG{n+nn}{FILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{me}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{/}\PYG{n}{build}\PYG{o}{/}\PYG{n}{testdir}\PYG{o}{/}\PYG{n}{ccache} \PYG{k}{with} \PYG{n}{result}\PYG{p}{:} \PYG{l+m+mi}{0}\PYG{o}{/}\PYG{n}{Unknown} \PYG{n}{code} \PYG{l+m+mi}{0} 11492\PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{n+nd}{@KRBTEST}\PYG{o}{.}\PYG{n}{COM}\PYG{p}{:} \PYG{n}{kvno} \PYG{o}{=} \PYG{l+m+mi}{1} 11493\end{sphinxVerbatim} 11494 11495 11496\section{List of errors} 11497\label{\detokenize{admin/troubleshoot:list-of-errors}} 11498 11499\subsection{Frequently seen errors} 11500\label{\detokenize{admin/troubleshoot:frequently-seen-errors}}\begin{enumerate} 11501\item {} 
11502{\hyperref[\detokenize{admin/troubleshoot:init-creds-etype-nosupp}]{\sphinxcrossref{\DUrole{std,std-ref}{KDC has no support for encryption type while getting initial credentials}}}} 11503 11504\item {} 11505{\hyperref[\detokenize{admin/troubleshoot:cert-chain-etype-nosupp}]{\sphinxcrossref{\DUrole{std,std-ref}{credential verification failed: KDC has no support for encryption type}}}} 11506 11507\item {} 11508{\hyperref[\detokenize{admin/troubleshoot:err-cert-chain-cert-expired}]{\sphinxcrossref{\DUrole{std,std-ref}{Cannot create cert chain: certificate has expired}}}} 11509 11510\end{enumerate} 11511 11512 11513\subsection{Errors seen by admins} 11514\label{\detokenize{admin/troubleshoot:errors-seen-by-admins}}\phantomsection\label{\detokenize{admin/troubleshoot:prop-failed-start}}\begin{enumerate} 11515\item {} 11516{\hyperref[\detokenize{admin/troubleshoot:kprop-no-route}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: No route to host while connecting to server}}}} 11517 11518\item {} 11519{\hyperref[\detokenize{admin/troubleshoot:kprop-con-refused}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Connection refused while connecting to server}}}} 11520 11521\item {} 11522{\hyperref[\detokenize{admin/troubleshoot:kprop-sendauth-exchange}]{\sphinxcrossref{\DUrole{std,std-ref}{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}}} 11523 11524\end{enumerate} 11525\phantomsection\label{\detokenize{admin/troubleshoot:prop-failed-end}} 11526 11527\bigskip\hrule\bigskip 11528 11529 11530 11531\subsubsection{KDC has no support for encryption type while getting initial credentials} 11532\label{\detokenize{admin/troubleshoot:kdc-has-no-support-for-encryption-type-while-getting-initial-credentials}}\label{\detokenize{admin/troubleshoot:init-creds-etype-nosupp}} 11533 11534\subsubsection{credential verification failed: KDC has no support for encryption type} 
11535\label{\detokenize{admin/troubleshoot:credential-verification-failed-kdc-has-no-support-for-encryption-type}}\label{\detokenize{admin/troubleshoot:cert-chain-etype-nosupp}} 11536This most commonly happens when trying to use a principal with only 11537DES keys, in a release (MIT krb5 1.7 or later) which disables DES by 11538default. DES encryption is considered weak due to its inadequate key 11539size. If you cannot migrate away from its use, you can re-enable DES 11540by adding \sphinxcode{allow\_weak\_crypto = true} to the {\hyperref[\detokenize{admin/conf_files/krb5_conf:libdefaults}]{\sphinxcrossref{\DUrole{std,std-ref}{{[}libdefaults{]}}}}} 11541section of {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}}. 11542 11543 11544\subsubsection{Cannot create cert chain: certificate has expired} 11545\label{\detokenize{admin/troubleshoot:cannot-create-cert-chain-certificate-has-expired}}\label{\detokenize{admin/troubleshoot:err-cert-chain-cert-expired}} 11546This error message indicates that PKINIT authentication failed because 11547the client certificate, KDC certificate, or one of the certificates in 11548the signing chain above them has expired. 11549 11550If the KDC certificate has expired, this message appears in the KDC 11551log file, and the client will receive a “Preauthentication failed” 11552error. (Prior to release 1.11, the KDC log file message erroneously 11553appears as “Out of memory”. Prior to release 1.12, the client will 11554receive a “Generic error”.) 11555 11556If the client or a signing certificate has expired, this message may 11557appear in {\hyperref[\detokenize{admin/troubleshoot:trace-logging}]{\sphinxcrossref{trace\_logging}}} output from \DUrole{xref,std,std-ref}{kinit(1)} or, starting in 11558release 1.12, as an error message from kinit or another program which 11559gets initial tickets. 
The error message is more likely to appear 11560properly on the client if the principal entry has no long-term keys. 11561 11562 11563\subsubsection{kprop: No route to host while connecting to server} 11564\label{\detokenize{admin/troubleshoot:kprop-no-route}}\label{\detokenize{admin/troubleshoot:kprop-no-route-to-host-while-connecting-to-server}} 11565Make sure that the hostname of the replica KDC (as given to kprop) is 11566correct, and that any firewalls between the primary and the replica 11567allow a connection on port 754. 11568 11569 11570\subsubsection{kprop: Connection refused while connecting to server} 11571\label{\detokenize{admin/troubleshoot:kprop-connection-refused-while-connecting-to-server}}\label{\detokenize{admin/troubleshoot:kprop-con-refused}} 11572If the replica KDC is intended to run kpropd out of inetd, make sure 11573that inetd is configured to accept krb5\_prop connections. inetd may 11574need to be restarted or sent a SIGHUP to recognize the new 11575configuration. If the replica is intended to run kpropd in standalone 11576mode, make sure that it is running. 11577 11578 11579\subsubsection{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server} 11580\label{\detokenize{admin/troubleshoot:kprop-sendauth-exchange}}\label{\detokenize{admin/troubleshoot:kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server}} 11581Make sure that: 11582\begin{enumerate} 11583\item {} 11584The time is synchronized between the primary and replica KDCs. 11585 11586\item {} 11587The master stash file was copied from the primary to the expected 11588location on the replica. 11589 11590\item {} 11591The replica has a keytab file in the default location containing a 11592\sphinxcode{host} principal for the replica’s hostname. 
11593 11594\end{enumerate} 11595 11596 11597\chapter{Advanced topics} 11598\label{\detokenize{admin/advanced/index:advanced-topics}}\label{\detokenize{admin/advanced/index::doc}} 11599 11600\section{Retiring DES} 11601\label{\detokenize{admin/advanced/retiring-des:retiring-des}}\label{\detokenize{admin/advanced/retiring-des::doc}}\label{\detokenize{admin/advanced/retiring-des:id1}} 11602Version 5 of the Kerberos protocol was originally implemented using 11603the Data Encryption Standard (DES) as a block cipher for encryption. 11604While it was considered secure at the time, advancements in computational 11605ability have rendered DES vulnerable to brute force attacks on its 56-bit 11606keyspace. As such, it is now considered insecure and should not be 11607used (\index{RFC!RFC 6649}\sphinxhref{https://tools.ietf.org/html/rfc6649.html}{\sphinxstylestrong{RFC 6649}}). 11608 11609 11610\subsection{History} 11611\label{\detokenize{admin/advanced/retiring-des:history}} 11612DES was used in the original Kerberos implementation, and was the 11613only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was 11614added in version 1.1, with full support following in version 1.2. 11615The Advanced Encryption Standard (AES), which supersedes DES, gained 11616partial support in version 1.3.0 of krb5 and full support in version 1.3.2. 11617However, deployments of krb5 using Kerberos databases created with older 11618versions of krb5 will not necessarily start using strong crypto for 11619ordinary operation without administrator intervention. 11620 11621MIT krb5 began flagging deprecated encryption types with release 1.17, 11622and removed DES (single-DES) support in release 1.18. As a 11623consequence, a release prior to 1.18 is required to perform these 11624migrations. 
11625 11626 11627\subsection{Types of keys} 11628\label{\detokenize{admin/advanced/retiring-des:types-of-keys}}\begin{itemize} 11629\item {} 11630The database master key: This key is not exposed to user requests, 11631but is used to encrypt other key material stored in the kerberos 11632database. The database master key is currently stored as \sphinxcode{K/M} 11633by default. 11634 11635\item {} 11636Password-derived keys: User principals frequently have keys 11637derived from a password. When a new password is set, the KDC 11638uses various string2key functions to generate keys in the database 11639for that principal. 11640 11641\item {} 11642Keytab keys: Application server principals generally use random 11643keys which are not derived from a password. When the database 11644entry is created, the KDC generates random keys of various enctypes 11645to enter in the database, which are conveyed to the application server 11646and stored in a keytab. 11647 11648\item {} 11649Session keys: These are short-term keys generated by the KDC while 11650processing client requests, with an enctype selected by the KDC. 11651 11652\end{itemize} 11653 11654For details on the various enctypes and how enctypes are selected by the KDC 11655for session keys and client/server long-term keys, see {\hyperref[\detokenize{admin/enctypes:enctypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}}. 11656When using the {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} interface to generate new long-term keys, 11657the \sphinxstylestrong{-e} argument can be used to force a particular set of enctypes, 11658overriding the KDC default values. 11659 11660\begin{sphinxadmonition}{note}{Note:} 11661When the KDC is selecting a session key, it has no knowledge about the 11662kerberos installation on the server which will receive the service ticket, 11663only what keys are in the database for the service principal. 
11664In order to allow uninterrupted operation to 11665clients while migrating away from DES, care must be taken to ensure that 11666kerberos installations on application server machines are configured to 11667support newer encryption types before keys of those new encryption types 11668are created in the Kerberos database for those server principals. 11669\end{sphinxadmonition} 11670 11671 11672\subsection{Upgrade procedure} 11673\label{\detokenize{admin/advanced/retiring-des:upgrade-procedure}} 11674This procedure assumes that the KDC software has already been upgraded 11675to a modern version of krb5 that supports non-DES keys, so that the 11676only remaining task is to update the actual keys used to service requests. 11677The realm used for demonstrating this procedure, ZONE.MIT.EDU, 11678is an example of the worst-case scenario, where all keys in the realm 11679are DES. The realm was initially created with a very old version of krb5, 11680and \sphinxstylestrong{supported\_enctypes} in {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} was set to a value 11681appropriate when the KDC was installed, but was not updated as the KDC 11682was upgraded: 11683 11684\fvset{hllines={, ,}}% 11685\begin{sphinxVerbatim}[commandchars=\\\{\}] 11686\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 11687 \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 11688 \PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11689 \PYG{n}{master\PYGZus{}key\PYGZus{}type} \PYG{o}{=} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} 11690 \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{p}{:}\PYG{n}{v4} \PYG{n}{des}\PYG{p}{:}\PYG{n}{norealm} \PYG{n}{des}\PYG{p}{:}\PYG{n}{onlyrealm} \PYG{n}{des}\PYG{p}{:}\PYG{n}{afs3} 11691 
\PYG{p}{\PYGZcb{}} 11692\end{sphinxVerbatim} 11693 11694This resulted in the keys for all principals in the realm being forced 11695to DES-only, unless specifically requested using {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}}. 11696 11697Before starting the upgrade, all KDCs were running krb5 1.11, 11698and the database entries for some “high-value” principals were: 11699 11700\fvset{hllines={, ,}}% 11701\begin{sphinxVerbatim}[commandchars=\\\{\}] 11702\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{}} 11703\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11704\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} 11705\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{v4} 11706\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11707\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/admin\PYGZsq{}} 11708\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11709\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} 11710\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{15}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} 11711\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11712\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/changepw\PYGZsq{}} 11713\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11714\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{1} 11715\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{14}\PYG{p}{,} 
\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} 11716\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11717\end{sphinxVerbatim} 11718 11719The \sphinxcode{krbtgt/REALM} key appears to have never been changed since creation 11720(its kvno is 1), and all three database entries have only a des-cbc-crc key. 11721 11722 11723\subsubsection{The krbtgt key and KDC keys} 11724\label{\detokenize{admin/advanced/retiring-des:the-krbtgt-key-and-kdc-keys}} 11725Perhaps the biggest single-step improvement in the security of the realm 11726is gained by strengthening the key of the ticket-granting service principal, 11727\sphinxcode{krbtgt/REALM}—if this principal’s key is compromised, so is the 11728entire realm. Since the server that will handle service tickets 11729for this principal is the KDC itself, it is easy to guarantee that it 11730will be configured to support any encryption types which might be 11731selected. However, the default KDC behavior when creating new keys is to 11732remove the old keys, which would invalidate all existing tickets issued 11733against that principal, rendering the TGTs cached by clients useless. 11734Instead, a new key can be created with the old key retained, so that 11735existing tickets will still function until their scheduled expiry 11736(see {\hyperref[\detokenize{admin/database:changing-krbtgt-key}]{\sphinxcrossref{\DUrole{std,std-ref}{Changing the krbtgt key}}}}). The retained key is still a DES key; once every ticket issued under it has expired it serves no further purpose and should be removed from the entry rather than left in the database indefinitely.
11737 11738\fvset{hllines={, ,}}% 11739\begin{sphinxVerbatim}[commandchars=\\\{\}] 11740\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}} 11741\PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} 11742\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}} 11743\PYG{o}{\PYGZgt{}} \PYG{o}{\PYGZhy{}}\PYG{n}{keepold} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{l+s+s2}{\PYGZdq{}} 11744\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} 11745\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} 11746\end{sphinxVerbatim} 11747 11748\begin{sphinxadmonition}{note}{Note:} 11749The new \sphinxcode{krbtgt@REALM} key should be propagated to replica KDCs 11750immediately so that TGTs issued by the primary KDC can be used to 11751issue service tickets on replica KDCs. Replica KDCs will refuse 11752requests using the new TGT kvno until the new krbtgt entry has 11753been propagated to them. 
11754\end{sphinxadmonition} 11755 11756It is necessary to explicitly specify the enctypes for the new database 11757entry, since \sphinxstylestrong{supported\_enctypes} has not been changed. Leaving 11758\sphinxstylestrong{supported\_enctypes} unchanged makes a potential rollback operation 11759easier, since all new keys of new enctypes are the result of explicit 11760administrator action and can be easily enumerated. 11761Upgrading the krbtgt key should have minimal user-visible disruption other 11762than that described in the note above, since only clients which list the 11763new enctypes as supported will use them, per the procedure 11764in {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}}. 11765Once the krbtgt key is updated, the session and ticket keys for user 11766TGTs will be strong keys, but subsequent requests 11767for service tickets will still get DES keys until the service principals 11768have new keys generated. Application service 11769remains uninterrupted due to the key-selection procedure on the KDC. 
11770 11771After the change, the database entry is now: 11772 11773\fvset{hllines={, ,}}% 11774\begin{sphinxVerbatim}[commandchars=\\\{\}] 11775\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{}} 11776\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11777\PYG{n}{Number} \PYG{n}{of} \PYG{n}{keys}\PYG{p}{:} \PYG{l+m+mi}{5} 11778\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} 11779\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} 11780\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1} 11781\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{2}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} 11782\PYG{n}{Key}\PYG{p}{:} \PYG{n}{vno} \PYG{l+m+mi}{1}\PYG{p}{,} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{v4} 11783\PYG{p}{[}\PYG{o}{.}\PYG{o}{.}\PYG{o}{.}\PYG{p}{]} 11784\end{sphinxVerbatim} 11785 11786Since the expected disruptions from rekeying the krbtgt principal are 11787minor, after a short testing period, it is 11788appropriate to rekey the other high-value principals, \sphinxcode{kadmin/admin@REALM} 11789and \sphinxcode{kadmin/changepw@REALM}. These are the service principals used for 11790changing user passwords and updating application keytabs. 
The kadmin 11791and password-changing services are regular kerberized services, so the 11792session-key-selection algorithm described in {\hyperref[\detokenize{admin/enctypes:session-key-selection}]{\sphinxcrossref{\DUrole{std,std-ref}{Session key selection}}}} 11793applies. It is particularly important to have strong session keys for 11794these services, since user passwords and new long-term keys are conveyed 11795over the encrypted channel. 11796 11797\fvset{hllines={, ,}}% 11798\begin{sphinxVerbatim}[commandchars=\\\{\}] 11799\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}} 11800\PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} 11801\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}} 11802\PYG{o}{\PYGZgt{}} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{admin}\PYG{l+s+s2}{\PYGZdq{}} 11803\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} 11804\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{kadmin/admin@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} 11805\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{}} 11806\PYG{o}{\PYGZgt{}} \PYG{n}{kadmin}\PYG{o}{/}\PYG{n}{changepw}\PYG{l+s+s2}{\PYGZdq{}} 
11807\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} 11808\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{kadmin/changepw@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} 11809\end{sphinxVerbatim} 11810 11811It is not necessary to retain a single-DES key for these services, since 11812password changes are not part of normal daily workflow, and disruption 11813from a client failure is likely to be minimal. Furthermore, if a kerberos 11814client experiences failure changing a user password or keytab key, 11815this indicates that that client will become inoperative once services 11816are rekeyed to non-DES enctypes. Such problems can be detected early 11817at this stage, giving more time for corrective action. 11818 11819 11820\subsubsection{Adding strong keys to application servers} 11821\label{\detokenize{admin/advanced/retiring-des:adding-strong-keys-to-application-servers}} 11822Before switching the default enctypes for new keys over to strong enctypes, 11823it may be desired to test upgrading a handful of services with the 11824new configuration before flipping the switch for the defaults. 
This 11825still requires using the \sphinxstylestrong{-e} argument in {\hyperref[\detokenize{admin/admin_commands/kadmin_local:kadmin-1}]{\sphinxcrossref{\DUrole{std,std-ref}{kadmin}}}} to get non-default 11826enctypes: 11827 11828\fvset{hllines={, ,}}% 11829\begin{sphinxVerbatim}[commandchars=\\\{\}] 11830\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{}} 11831\PYG{o}{\PYGZgt{}} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal}\PYG{p}{,}\PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} 11832\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}p zephyr/zephyr@ZONE.MIT.EDU \PYGZhy{}k \PYGZhy{}t \PYGZbs{}} 11833\PYG{o}{\PYGZgt{}} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} \PYG{o}{\PYGZhy{}}\PYG{n}{q} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{ktadd \PYGZhy{}e \PYGZdl{}}\PYG{l+s+si}{\PYGZob{}enctypes\PYGZcb{}}\PYG{l+s+s2}{ }\PYG{l+s+se}{\PYGZbs{}} 11834\PYG{l+s+s2}{\PYGZgt{} \PYGZhy{}k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} 11835\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11836\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} 
\PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11837\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11838\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11839\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{4}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11840\end{sphinxVerbatim} 11841 11842Be sure to remove the old keys from the application keytab, 
per best 11843practice. 11844 11845\fvset{hllines={, ,}}% 11846\begin{sphinxVerbatim}[commandchars=\\\{\}] 11847\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} k5srvutil \PYGZhy{}f /etc/zephyr/krb5.keytab delold} 11848\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11849\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{zephyr}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{zephyr}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11850\end{sphinxVerbatim} 11851 11852 11853\subsubsection{Adding strong keys by default} 11854\label{\detokenize{admin/advanced/retiring-des:adding-strong-keys-by-default}} 11855Once the high-visibility services have been rekeyed, it is probably 11856appropriate to change {\hyperref[\detokenize{admin/conf_files/kdc_conf:kdc-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{kdc.conf}}}} to generate keys with the new 11857encryption types by default. This enables server administrators to generate 11858new enctypes with the \sphinxstylestrong{change} subcommand of {\hyperref[\detokenize{admin/admin_commands/k5srvutil:k5srvutil-1}]{\sphinxcrossref{\DUrole{std,std-ref}{k5srvutil}}}}, 11859and causes user password 11860changes to add new encryption types for their entries. 
It will probably 11861be necessary to implement administrative controls to cause all user 11862principal keys to be updated in a reasonable period of time, whether 11863by forcing password changes or a password synchronization service that 11864has access to the current password and can add the new keys. 11865 11866\fvset{hllines={, ,}}% 11867\begin{sphinxVerbatim}[commandchars=\\\{\}] 11868\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 11869 \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 11870 \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{crc}\PYG{p}{:}\PYG{n}{normal} 11871\end{sphinxVerbatim} 11872 11873\begin{sphinxadmonition}{note}{Note:} 11874The krb5kdc process must be restarted for these changes to take effect. 11875\end{sphinxadmonition} 11876 11877At this point, all service administrators can update their services and the 11878servers behind them to take advantage of strong cryptography. 11879If necessary, the server’s krb5 installation should be configured and/or 11880upgraded to a version supporting non-DES keys. See {\hyperref[\detokenize{admin/enctypes:enctypes}]{\sphinxcrossref{\DUrole{std,std-ref}{Encryption types}}}} for 11881krb5 version and configuration settings. 
11882Only when the service is configured to accept non-DES keys should 11883the key version number be incremented and new keys generated 11884(\sphinxcode{k5srvutil change \&\& k5srvutil delold}). 11885 11886\fvset{hllines={, ,}}% 11887\begin{sphinxVerbatim}[commandchars=\\\{\}] 11888\PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} k5srvutil change} 11889\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11890\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{256} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11891\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{128} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC} 
\PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11892\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{Triple} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{HMAC}\PYG{o}{/}\PYG{n}{sha1} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11893\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{3}\PYG{p}{,} \PYG{n}{encryption} \PYG{n+nb}{type} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32} \PYG{n}{added} \PYG{n}{to} \PYG{n}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11894\PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} klist \PYGZhy{}e \PYGZhy{}k \PYGZhy{}t /etc/krb5.keytab} 11895\PYG{n}{Keytab} \PYG{n}{name}\PYG{p}{:} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab} 11896\PYG{n}{KVNO} \PYG{n}{Timestamp} \PYG{n}{Principal} 11897\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} 
\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}} 11898 \PYG{l+m+mi}{2} \PYG{l+m+mi}{10}\PYG{o}{/}\PYG{l+m+mi}{10}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{17}\PYG{p}{:}\PYG{l+m+mi}{03}\PYG{p}{:}\PYG{l+m+mi}{59} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32}\PYG{p}{)} 11899 \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} 
\PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{256} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC}\PYG{p}{)} 11900 \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{AES}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{128} \PYG{n}{CTS} \PYG{n}{mode} \PYG{k}{with} \PYG{l+m+mi}{96}\PYG{o}{\PYGZhy{}}\PYG{n}{bit} \PYG{n}{SHA}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{1} \PYG{n}{HMAC}\PYG{p}{)} 11901 \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{Triple} \PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{HMAC}\PYG{o}{/}\PYG{n}{sha1}\PYG{p}{)} 11902 \PYG{l+m+mi}{3} \PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12}\PYG{o}{/}\PYG{l+m+mi}{12} \PYG{l+m+mi}{15}\PYG{p}{:}\PYG{l+m+mi}{31}\PYG{p}{:}\PYG{l+m+mi}{19} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{p}{(}\PYG{n}{DES} \PYG{n}{cbc} \PYG{n}{mode} \PYG{k}{with} \PYG{n}{CRC}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{32}\PYG{p}{)} 
11903\PYG{n}{root}\PYG{n+nd}{@dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{p}{:}\PYG{o}{\PYGZti{}}\PYG{c+c1}{\PYGZsh{} k5srvutil delold} 11904\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{keytab} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11905\PYG{n}{Entry} \PYG{k}{for} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{dr}\PYG{o}{\PYGZhy{}}\PYG{n}{willy}\PYG{o}{.}\PYG{n}{xvm}\PYG{o}{.}\PYG{n}{mit}\PYG{o}{.}\PYG{n}{edu}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{kvno} \PYG{l+m+mi}{2} \PYG{n}{removed} \PYG{k+kn}{from} \PYG{n+nn}{keytab} \PYG{n}{WRFILE}\PYG{p}{:}\PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{.}\PYG{n}{keytab}\PYG{o}{.} 11906\end{sphinxVerbatim} 11907 11908When a single service principal is shared by multiple backend servers in 11909a load-balanced environment, it may be necessary to schedule downtime 11910or adjust the population in the load-balanced pool in order to propagate 11911the updated keytab to all hosts in the pool with minimal service interruption. 11912 11913 11914\subsubsection{Removing DES keys from usage} 11915\label{\detokenize{admin/advanced/retiring-des:removing-des-keys-from-usage}} 11916This situation remains something of a testing or transitory state, 11917as new DES keys are still being generated, and will be used if requested 11918by a client. To make more progress removing DES from the realm, the KDC 11919should be configured to not generate such keys by default. 11920 11921\begin{sphinxadmonition}{note}{Note:} 11922An attacker posing as a client can implement a brute force attack against 11923a DES key for any principal, if that key is in the current (highest-kvno) 11924key list. 
This attack is only possible if \sphinxstylestrong{allow\_weak\_crypto = true} 11925is enabled on the KDC. Setting the \sphinxstylestrong{+requires\_preauth} flag on a 11926principal forces this attack to be an online attack, much slower than 11927the offline attack otherwise available to the attacker. However, setting 11928this flag on a service principal is not always advisable; see the entry in 11929{\hyperref[\detokenize{admin/admin_commands/kadmin_local:add-principal}]{\sphinxcrossref{\DUrole{std,std-ref}{add\_principal}}}} for details. 11930\end{sphinxadmonition} 11931 11932The following KDC configuration will not generate DES keys by default: 11933 11934\fvset{hllines={, ,}}% 11935\begin{sphinxVerbatim}[commandchars=\\\{\}] 11936\PYG{p}{[}\PYG{n}{realms}\PYG{p}{]} 11937 \PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{o}{=} \PYG{p}{\PYGZob{}} 11938 \PYG{n}{supported\PYGZus{}enctypes} \PYG{o}{=} \PYG{n}{aes256}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{aes128}\PYG{o}{\PYGZhy{}}\PYG{n}{cts}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{o}{\PYGZhy{}}\PYG{l+m+mi}{96}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{cbc}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} \PYG{n}{des3}\PYG{o}{\PYGZhy{}}\PYG{n}{hmac}\PYG{o}{\PYGZhy{}}\PYG{n}{sha1}\PYG{p}{:}\PYG{n}{normal} 11939\end{sphinxVerbatim} 11940 11941\begin{sphinxadmonition}{note}{Note:} 11942As before, the KDC process must be restarted for this change to take 11943effect. It is best practice to update kdc.conf on all KDCs, not just the 11944primary, to avoid unpleasant surprises should the primary fail and a 11945replica need to be promoted. 
11946\end{sphinxadmonition} 11947 11948It is now appropriate to remove the legacy single-DES key from the 11949\sphinxcode{krbtgt/REALM} entry: 11950 11951\fvset{hllines={, ,}}% 11952\begin{sphinxVerbatim}[commandchars=\\\{\}] 11953\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}randkey \PYGZhy{}keepold \PYGZbs{}} 11954\PYG{o}{\PYGZgt{}} \PYG{n}{krbtgt}\PYG{o}{/}\PYG{n}{ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU}\PYG{l+s+s2}{\PYGZdq{}} 11955\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{host}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ATHENA}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} 11956\PYG{n}{Key} \PYG{k}{for} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{randomized}\PYG{o}{.} 11957\end{sphinxVerbatim} 11958 11959After the maximum ticket lifetime has passed, the old key 11960should be purged from the database entry (the principal itself is retained). 11961 11962\fvset{hllines={, ,}}% 11963\begin{sphinxVerbatim}[commandchars=\\\{\}] 11964\PYG{p}{[}\PYG{n}{root}\PYG{n+nd}{@casio} \PYG{n}{krb5kdc}\PYG{p}{]}\PYG{c+c1}{\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}purgekeys krbtgt/ZONE.MIT.EDU\PYGZsq{}} 11965\PYG{n}{Authenticating} \PYG{k}{as} \PYG{n}{principal} \PYG{n}{root}\PYG{o}{/}\PYG{n}{admin}\PYG{n+nd}{@ZONE}\PYG{o}{.}\PYG{n}{MIT}\PYG{o}{.}\PYG{n}{EDU} \PYG{k}{with} \PYG{n}{password}\PYG{o}{.} 11966\PYG{n}{Old} \PYG{n}{keys} \PYG{k}{for} \PYG{n}{principal} \PYG{l+s+s2}{\PYGZdq{}}\PYG{l+s+s2}{krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU}\PYG{l+s+s2}{\PYGZdq{}} \PYG{n}{purged}\PYG{o}{.} 11967\end{sphinxVerbatim} 11968 11969After the KDC is restarted with the new \sphinxstylestrong{supported\_enctypes}, 11970all user password changes and application keytab updates will no longer 11971generate DES keys by default.
11972 11973\fvset{hllines={, ,}}% 11974\begin{sphinxVerbatim}[commandchars=\\\{\}] 11975contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kpasswd zonetest@ZONE.MIT.EDU 11976Password for zonetest@ZONE.MIT.EDU: [enter old password] 11977Enter new password: [enter new password] 11978Enter it again: [enter new password] 11979Password changed. 11980contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc zonetest\PYGZsq{} 11981[...] 11982Number of keys: 3 11983Key: vno 9, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 11984Key: vno 9, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 11985Key: vno 9, des3\PYGZhy{}cbc\PYGZhy{}sha1 11986[...] 11987 11988[kaduk@glossolalia \PYGZti{}]\PYGZdl{} kadmin \PYGZhy{}p kaduk@ZONE.MIT.EDU \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}k \PYGZbs{} 11989\PYGZgt{} \PYGZhy{}t kaduk\PYGZhy{}zone.keytab \PYGZhy{}q \PYGZsq{}ktadd \PYGZhy{}k kaduk\PYGZhy{}zone.keytab kaduk@ZONE.MIT.EDU\PYGZsq{} 11990Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk\PYGZhy{}zone.keytab. 11991Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. 11992Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. 11993Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. 
11994\end{sphinxVerbatim} 11995 11996Once all principals have been re-keyed, DES support can be disabled on the 11997KDC (\sphinxstylestrong{allow\_weak\_crypto = false}), and client machines can remove 11998\sphinxstylestrong{allow\_weak\_crypto = true} from their {\hyperref[\detokenize{admin/conf_files/krb5_conf:krb5-conf-5}]{\sphinxcrossref{\DUrole{std,std-ref}{krb5.conf}}}} configuration 11999files, completing the migration. \sphinxstylestrong{allow\_weak\_crypto} takes precedence over 12000all places where DES enctypes could be explicitly configured. DES keys will 12001not be used, even if they are present, when \sphinxstylestrong{allow\_weak\_crypto = false}. 12002 12003 12004\subsubsection{Support for legacy services} 12005\label{\detokenize{admin/advanced/retiring-des:support-for-legacy-services}} 12006If there remain legacy services which do not support non-DES enctypes 12007(such as older versions of AFS), \sphinxstylestrong{allow\_weak\_crypto} must remain 12008enabled on the KDC. Client machines need not have this setting, 12009though—applications which require DES can use API calls to allow 12010weak crypto on a per-request basis, overriding the system krb5.conf. 12011However, having \sphinxstylestrong{allow\_weak\_crypto} set on the KDC means that any 12012principals which have a DES key in the database could still use those 12013keys. To minimize the use of DES in the realm and restrict it to just 12014legacy services which require DES, it is necessary to remove all other 12015DES keys. The realm has been configured such that at password and 12016keytab change, no DES keys will be generated by default. The task 12017then reduces to requiring user password changes and having server 12018administrators update their service keytabs. 
Administrative outreach 12019will be necessary, and if the desire to eliminate DES is sufficiently 12020strong, the KDC administrators may choose to randkey any principals 12021which have not been rekeyed after some timeout period, forcing the 12022user to contact the helpdesk for access. 12023 12024 12025\subsection{The Database Master Key} 12026\label{\detokenize{admin/advanced/retiring-des:the-database-master-key}} 12027This procedure does not alter \sphinxcode{K/M@REALM}, the key used to encrypt key 12028material in the Kerberos database. (This is the key stored in the stash file 12029on the KDC if stash files are used.) However, the security risk of 12030a single-DES key for \sphinxcode{K/M} is minimal, given that access to material 12031encrypted in \sphinxcode{K/M} (the Kerberos database) is generally tightly controlled. 12032If an attacker can gain access to the encrypted database, they likely 12033have access to the stash file as well, rendering the weak cryptography 12034broken by non-cryptographic means. As such, upgrading \sphinxcode{K/M} to a stronger 12035encryption type is unlikely to be a high-priority task. 12036 12037It is possible to upgrade the master key used for the database, if 12038desired. Using {\hyperref[\detokenize{admin/admin_commands/kdb5_util:kdb5-util-8}]{\sphinxcrossref{\DUrole{std,std-ref}{kdb5\_util}}}}’s \sphinxstylestrong{add\_mkey}, \sphinxstylestrong{use\_mkey}, and 12039\sphinxstylestrong{update\_princ\_encryption} commands, a new master key can be added 12040and activated for use on new key material, and the existing entries 12041converted to the new master key.
12042 12043 12044\chapter{Various links} 12045\label{\detokenize{admin/various_envs:various-links}}\label{\detokenize{admin/various_envs::doc}} 12046 12047\section{Whitepapers} 12048\label{\detokenize{admin/various_envs:whitepapers}}\begin{enumerate} 12049\item {} 12050\sphinxurl{https://kerberos.org/software/whitepapers.html} 12051 12052\end{enumerate} 12053 12054 12055\section{Tutorials} 12056\label{\detokenize{admin/various_envs:tutorials}}\begin{enumerate} 12057\item {} 12058Fulvio Ricciardi, \sphinxurl{https://www.kerberos.org/software/tutorial.html} 12059 12060\end{enumerate} 12061 12062 12063\section{Troubleshooting} 12064\label{\detokenize{admin/various_envs:troubleshooting}}\begin{enumerate} 12065\item {} 12066\sphinxurl{https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting} 12067 12068\item {} 12069\sphinxurl{https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html} 12070 12071\item {} 12072\sphinxurl{https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html} 12073 12074\item {} 12075\sphinxurl{https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10})\#EBAA 12076 12077\item {} 12078\sphinxurl{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528} 12079 12080\end{enumerate} 12081 12082 12083 12084\renewcommand{\indexname}{Index} 12085\printindex 12086\end{document}