Lines Matching +full:embedded +full:- +full:trace +full:- +full:extension
26 * Credential cache server - KCM::
32 * Setting up PK-INIT::
48 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
51 @samp{@{} as the first non-whitespace character after the equal sign. All
57 a-subsection = @{
59 other-var = value with @{@}
60 sub-sub-section = @{
70 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
71 be @samp{section1/a-subsection/other-var}.
73 For in-depth information about the contents of the configuration file, refer to
106 SRV-record for your realm, or your Kerberos server has DNS CNAME
131 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
137 Verifying password - Master key:
141 @kbd{--random-key} flag to kstash. This will make sure you have a good key
148 @kbd{-l} option (to enable local database mode). First issue a
162 # kadmin -l
171 Verifying password - Password:
195 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
196 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
197 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
198 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
210 Both interactive editing and command line flags can be used (use --help
221 Attributes are removed from the list by prefixing them with @samp{-}.
229 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
233 Attributes: requires-pre-auth
243 YYYY-mm-dd
244 YYYY-mm-dd HH:MM:SS
281 kadmin -l check REALM.EXAMPLE.ORG
289 (using the @kbd{--random-key} flag to get a random key) and then
293 kadmin> add --random-key host/my.host.name
301 1 des-cbc-md5 host/my.host.name@@MY.REALM
302 1 des-cbc-md4 host/my.host.name@@MY.REALM
303 1 des-cbc-crc host/my.host.name@@MY.REALM
304 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
316 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
319 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
326 principal [priv1,priv2,...] [glob-pattern]
330 glob-pattern). When there is a match, the access rights of that line are
334 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
339 If a @var{glob-pattern} is given on a line, it restricts the access
355 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
380 to guess them and to avoid off-line attacks (although
381 pre-authentication provides some defence against off-line attacks).
391 policies = external-check builtin:minimum-length modulename:policyname
398 @samp{policy_libraries}). All built-in policies can be qualified with
399 a module name of @samp{builtin} to unambiguously specify the built-in
402 The built-in policies are
406 @item external-check
415 new-password: @var{password}
426 error and exit with a non-zero error code.
428 @item minimum-length
434 @item character-class
436 The character-class password quality check reads the configuration
456 @file{lib/kadm5/check-cracklib.pl}.
462 @command{verify-password-quality} in @command{kadmin} program. The password
498 slave# ktutil get -p foo/admin hprop/`hostname`
504 the slaves. This principal should be added when running @kbd{kadmin -l
506 please add it with @kbd{kadmin -l add}.
516 This was just a hands-on example to make sure that everything was
539 Protocol-wise, all the slaves connect to the master and as a greeting
544 also a keep-alive protocol that makes sure all slaves are up and running.
547 slaves, the ipropd-master also listens on a status unix
550 ipropd-master to check for new version in the log file. As a fallback in
556 The program that runs on the master is @command{ipropd-master} and all
557 clients run @command{ipropd-slave}.
566 for some peculiar reason, you can use the @kbd{--port} option. This is
583 The next step is to start the @command{ipropd-master} process on the master
584 server. The @command{ipropd-master} listens on the UNIX domain socket
589 this signal. Then, start @command{ipropd-slave} on all the slaves:
592 master# /usr/heimdal/libexec/ipropd-master &
593 slave# /usr/heimdal/libexec/ipropd-slave master &
596 To manage the iprop log file you should use the @command{iprop-log}
599 @node Encryption types and salting, Credential cache server - KCM, Incremental propagation, Setting…
609 Salting is used to make it harder to pre-calculate all possible
611 impossible to pre-calculate all keys. Salting is the process of mixing a
613 encryption type specific string-to-key function that will output the
620 (none at all) or the afs-salt (using the cell (realm in
631 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
632 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
633 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
634 salt-string is the string that will be used as salt (remember that if
641 @item @code{v4} (or @code{des:pw-salt:})
647 @item @code{v5} (or @code{pw-salt})
649 @code{pw-salt} uses the default salt for each encryption type is
653 @item @code{afs3-salt}
655 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
660 @node Credential cache server - KCM, Cross realm, Encryption types and salting, Setting up a realm
661 @section Credential cache server - KCM
683 credentials. @command{klist -l} lists the credentials and the star
689 $ klist -l
698 $ kswitch -i
708 $ klist -l
721 -o GSSAPIAuthentication=yes \
722 -o GSSAPIKeyExchange=yes \
723 -o GSSAPIClientIdentity=lha@@KTH.SE \
729 @node Cross realm, Transit policy, Credential cache server - KCM, Setting up a realm
770 vr$ telnet -l lha hummel.it.su.se
797 cross-realm trust with every realm to which you wish to authenticate
799 multi-hop cross-realm trust where a client principal in realm A
801 both A and C have cross-realm trust relationships. In this situation,
802 A and C need not set up cross-realm principals between each other.
804 If you want to use cross-realm authentication through an intermediate
814 @subsection Allowing cross-realm transits
817 destination realm adds its peer to the "transited-realms" field in the
819 if one of the transited-realms changed the order of the list. For the
829 CLIENT-REALM = @{
830 SERVER-REALM = PERMITTED-CROSS-REALMS ...
835 direct cross-realm set up with @code{KTH.SE}. @code{KTH.SE} has
836 direct cross-realm set up with @code{STACKEN.KTH.SE} and @code{SU.SE}.
837 @code{DSV.SU.SE} only has direct cross-realm set up with @code{SU.SE}.
854 The first entry allows cross-realm authentication from clients in
856 @code{STACKEN.KTH.SE}. The second entry allows cross-realm
867 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
870 @subsection Configuring client cross-realm transits
874 their local realm does not have cross-realm trust. This can be done
878 a referral to the client when the client requests a cross-realm ticket
882 For client configuration, the order of @code{PERMITTED-CROSS-REALMS}
891 cross-realm to the @code{KTH.SE} realm (the first realm listed in the
892 @code{PERMITTED-CROSS-REALMS} section), and then from there to
896 the first realm in @code{PERMITTED-CROSS-REALMS} is used. If, for
910 configuration is to have one top-level Active Directory realm but then
912 on organizational unit). One generally establishes cross-realm trust
913 only with the top-level realm, and then uses transit policy to permit
944 configuration are needed for bi-directional transited cross-realm
948 @c kmumble transit-check client server transit-realms ...
963 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
982 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
983 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
985 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
990 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
1033 @code{--with-openldap=/usr/local} (adjust according to where you have
1037 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
1041 see option --hdb-openldap-module to configure.
1044 Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
1047 Add the hdb schema to the LDAP server, it's included in the source-tree
1063 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth''
1068 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
1078 security layer quality (ssf in cyrus-sasl lingo). So that requirement
1083 sasl-secprops minssf=0
1092 slapd -h "ldapi:/// ldap:///"
1097 schema definition syntax instead of the old UMich-style, V2 syntax.
1109 hdb-ldap-structural-object = inetOrgPerson
1117 hdb-ldap-structural-object is not necessary if you do not need Samba
1128 kdc# kadmin -l
1139 Verifying password - lukeh@@EXAMPLE.COM's Password:
1147 kdc# ldapsearch -L -h localhost -D cn=manager \
1148 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1172 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sor…
1196 @node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to sto…
1212 host# ktutil -k /etc/krb5-service.keytab \
1213 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1218 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1222 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1223 --keytab=/etc/krb5-service.keytab \
1224 service-principal@@EXAMPLE.ORG
1233 the credentials when the script-to-start-service exits.
1236 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1237 --keytab=/etc/krb5-service.keytab \
1238 service-principal@@EXAMPLE.ORG \
1239 script-to-start-service argument1 argument2
1243 @node Setting up PK-INIT, Debugging Kerberos problems, Providing Kerberos credentials to servers an…
1244 @section Setting up PK-INIT
1246 PK-INIT leverages an existing PKI (public key infrastructure), using
1248 ticket-granting ticket).
1250 To use PK-INIT you must first have a PKI. If you don't have one, it is
1257 principal in the SubjectAltName extension of the certificate, or store
1263 certificates and the format used in the id-pkinit-san OtherName
1271 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
1272 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
1293 The client certificate may need to have a EKU id-pkekuoid
1307 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1316 OtherName. The OID in the type is id-pkinit-san.
1319 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1341 certificates embedded in PKCS#12 files, certificates embedded in
1378 FILE:certificate.pem,private-key.key,other-cert.pem,....
1384 soft-token, opensc, or muscle. The argument specifies a shared object
1391 PKCS11:shared-object.so
1397 the extension pfx or p12.
1414 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1427 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1443 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1459 enable-pkinit = yes
1461 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1462 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1463 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1469 @subsection Using pki-mapping file
1474 # cat /var/heimdal/pki-mapping
1489 You need to change --subject in the command below to something
1493 hxtool issue-certificate \
1494 --self-signed \
1495 --issue-ca \
1496 --generate-key=rsa \
1497 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1498 --lifetime=10years \
1499 --certificate="FILE:ca.pem"
1503 type ``pkinit-kdc'' and set the PK-INIT special SubjectAltName to the
1506 You need to change --subject and --pk-init-principal in the command
1510 hxtool issue-certificate \
1511 --ca-certificate=FILE:ca.pem \
1512 --generate-key=rsa \
1513 --type="pkinit-kdc" \
1514 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1515 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1516 --certificate="FILE:kdc.pem"
1520 generate a certificate of type ``pkinit-client''. The client doesn't
1521 need to have the PK-INIT SubjectAltName set; you can have the Subject
1522 DN in the ACL file (pki-mapping) instead.
1524 You need to change --subject and --pk-init-principal in the command
1526 --pk-init-principal if you're going to use the ACL file instead.
1529 hxtool issue-certificate \
1530 --ca-certificate=FILE:ca.pem \
1531 --generate-key=rsa \
1532 --type="pkinit-client" \
1533 --pk-init-principal="lha@@TEST.H5L.SE" \
1534 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1535 --certificate="FILE:user.pem"
1558 creating client and KDC certificates, see the test-data generation
1559 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1560 certificates it creates are used to test the PK-INIT functionality in
1561 @file{tests/kdc/check-kdc.in}.
1586 openssl x509 -extensions user_certificate
1587 openssl ca -extensions user_certificate
1591 @c --- ms certificate
1605 @section Using PK-INIT with Windows
1609 Clients using a Windows KDC with PK-INIT need configuration since
1610 Windows uses a pre-standard format and this can't be autodetected.
1630 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1631 Smart Card Logon with Third-Party Certification Authorities'' for a
1638 2000 CA, you want to look at Microsoft Knowledge Base Article - 313274
1642 @node Debugging Kerberos problems, , Setting up PK-INIT, Setting up a realm
1647 trace logging is sparse at the moment, but will continue to improve.
1651 libkrb5 = 0-/SYSLOG: