1 2<!DOCTYPE html> 3 4<html> 5 <head> 6 <meta charset="utf-8" /> 7 <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" /> 8 9 <title>Database administration — MIT Kerberos Documentation</title> 10 <link rel="stylesheet" type="text/css" href="../_static/pygments.css" /> 11 <link rel="stylesheet" type="text/css" href="../_static/agogo.css" /> 12 <link rel="stylesheet" type="text/css" href="../_static/kerb.css" /> 13 <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script> 14 <script src="../_static/jquery.js"></script> 15 <script src="../_static/underscore.js"></script> 16 <script src="../_static/doctools.js"></script> 17 <link rel="author" title="About these documents" href="../about.html" /> 18 <link rel="index" title="Index" href="../genindex.html" /> 19 <link rel="search" title="Search" href="../search.html" /> 20 <link rel="copyright" title="Copyright" href="../copyright.html" /> 21 <link rel="next" title="Database types" href="dbtypes.html" /> 22 <link rel="prev" title="Realm configuration decisions" href="realm_config.html" /> 23 </head><body> 24 <div class="header-wrapper"> 25 <div class="header"> 26 27 28 <h1><a href="../index.html">MIT Kerberos Documentation</a></h1> 29 30 <div class="rel"> 31 32 <a href="../index.html" title="Full Table of Contents" 33 accesskey="C">Contents</a> | 34 <a href="realm_config.html" title="Realm configuration decisions" 35 accesskey="P">previous</a> | 36 <a href="dbtypes.html" title="Database types" 37 accesskey="N">next</a> | 38 <a href="../genindex.html" title="General Index" 39 accesskey="I">index</a> | 40 <a href="../search.html" title="Enter search criteria" 41 accesskey="S">Search</a> | 42 <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a> 43 </div> 44 </div> 45 </div> 46 47 <div class="content-wrapper"> 48 <div class="content"> 49 <div class="document"> 50 51 <div class="documentwrapper"> 52 <div class="bodywrapper"> 53 <div class="body" role="main"> 54 55 <section id="database-administration"> 56<h1>Database administration<a class="headerlink" href="#database-administration" title="Permalink to this headline">¶</a></h1> 57<p>A Kerberos database contains all of a realm’s Kerberos principals, 58their passwords, and other administrative information about each 59principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> 60program to manipulate the Kerberos database as a whole, and the 61<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to make changes to the entries in the 62database. (One notable exception is that users will use the 63<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> program to change their own passwords.) The kadmin 64program has its own command-line interface, to which you type the 65database administrating commands.</p> 66<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> provides a means to create, delete, load, or dump 67a Kerberos database. It also contains commands to roll over the 68database master key, and to stash a copy of the key so that the 69<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemons can use the database 70without manual input.</p> 71<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> provides for the maintenance of Kerberos principals, 72password policies, and service key tables (keytabs). Normally it 73operates as a network client using Kerberos authentication to 74communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, but there is also a variant, named 75kadmin.local, which directly accesses the Kerberos database on the 76local filesystem (or through LDAP). kadmin.local is necessary to set 77up enough of the database to be able to use the remote version.</p> 78<p>kadmin can authenticate to the admin server using the service 79principal <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal notranslate"><span class="pre">kadmin/HOST</span></code> (where <em>HOST</em> is the 80hostname of the admin server). If the credentials cache contains a 81ticket for either service principal and the <strong>-c</strong> ccache option is 82specified, that ticket is used to authenticate to KADM5. Otherwise, 83the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos 84principal name used to authenticate. Once kadmin has determined the 85principal name, it requests a <code class="docutils literal notranslate"><span class="pre">kadmin/admin</span></code> Kerberos service ticket 86from the KDC, and uses that service ticket to authenticate to KADM5.</p> 87<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for the available kadmin and kadmin.local 88commands and options.</p> 89<section id="principals"> 90<span id="id1"></span><h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2> 91<p>Each entry in the Kerberos database contains a Kerberos principal and 92the attributes and policies associated with that principal.</p> 93<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> 94<strong>add_principal</strong> command. User principals should usually be created 95with the <code class="docutils literal notranslate"><span class="pre">+requires_preauth</span> <span class="pre">-allow_svr</span></code> options to help mitigate 96dictionary attacks (see <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">Addressing dictionary attack risks</span></a>):</p> 97<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">alice</span> 98<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"alice@KRBTEST.COM"</span><span class="p">:</span> 99<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"alice@KRBTEST.COM"</span><span class="p">:</span> 100</pre></div> 101</div> 102<p>User principals which will authenticate with <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT configuration</span></a> should 103instead by created with the <code class="docutils literal notranslate"><span class="pre">-nokey</span></code> option:</p> 104<blockquote> 105<div><p>kadmin: addprinc -nokey alice</p> 106</div></blockquote> 107<p>Service principals can be created with the <code class="docutils literal notranslate"><span class="pre">-nokey</span></code> option; 108long-term keys will be added when a keytab is generated:</p> 109<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">nokey</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> 110<span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="n">foo</span><span class="o">.</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> 111<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 112<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> 113</pre></div> 114</div> 115<p>To modify attributes of an existing principal, use the kadmin 116<strong>modify_principal</strong> command:</p> 117<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">expire</span> <span class="n">tomorrow</span> <span class="n">alice</span> 118<span class="n">Principal</span> <span class="s2">"alice@KRBTEST.COM"</span> <span class="n">modified</span><span class="o">.</span> 119</pre></div> 120</div> 121<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command:</p> 122<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kadmin: delprinc alice 123Are you sure you want to delete the principal "alice@KRBTEST.COM"? (yes/no): yes 124Principal "alice@KRBTEST.COM" deleted. 125Make sure that you have removed this principal from all ACLs before reusing. 126</pre></div> 127</div> 128<p>To change a principal’s password, use the kadmin <strong>change_password</strong> 129command. Password changes made through kadmin are subject to the same 130password policies as would apply to password changes made through 131<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>.</p> 132<p>To view the attributes of a principal, use the kadmin` 133<strong>get_principal</strong> command.</p> 134<p>To generate a listing of principals, use the kadmin 135<strong>list_principals</strong> command.</p> 136</section> 137<section id="policies"> 138<span id="id2"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2> 139<p>A policy is a set of rules governing passwords. Policies can dictate 140minimum and maximum password lifetimes, minimum number of characters 141and character classes a password must contain, and the number of old 142passwords kept in the database.</p> 143<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>add_policy</strong> command:</p> 144<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">"1 year"</span> <span class="o">-</span><span class="n">history</span> <span class="mi">3</span> <span class="n">stduser</span> 145</pre></div> 146</div> 147<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong> 148command. To delete a policy, use the kadmin <strong>delete_policy</strong> 149command.</p> 150<p>To associate a policy with a principal, use the kadmin 151<strong>modify_principal</strong> command with the <strong>-policy</strong> option:</p> 152<blockquote> 153<div><p>kadmin: modprinc -policy stduser alice 154Principal “<a class="reference external" href="mailto:alice%40KRBTEST.COM">alice<span>@</span>KRBTEST<span>.</span>COM</a>” modified.</p> 155</div></blockquote> 156<p>A principal entry may be associated with a nonexistent policy, either 157because the policy did not exist at the time of associated or was 158deleted afterwards. kadmin will warn when associated a principal with 159a nonexistent policy, and will annotate the policy name with “[does 160not exist]” in the <strong>get_principal</strong> output.</p> 161<section id="updating-the-history-key"> 162<span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3> 163<p>If a policy specifies a number of old keys kept of two or more, the 164stored old keys are encrypted in a history key, which is found in the 165key data of the <code class="docutils literal notranslate"><span class="pre">kadmin/history</span></code> principal.</p> 166<p>Currently there is no support for proper rollover of the history key, 167but you can change the history key (for example, to use a better 168encryption type) at the cost of invalidating currently stored old 169keys. To change the history key, run:</p> 170<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">history</span> 171</pre></div> 172</div> 173<p>This command will fail if you specify the <strong>-keepold</strong> flag. Only one 174new history key will be created, even if you specify multiple key/salt 175combinations.</p> 176<p>In the future, we plan to migrate towards encrypting old keys in the 177master key instead of the history key, and implementing proper 178rollover support for stored old keys.</p> 179</section> 180</section> 181<section id="privileges"> 182<span id="id3"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2> 183<p>Administrative privileges for the Kerberos database are stored in the 184file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p> 185<div class="admonition note"> 186<p class="admonition-title">Note</p> 187<p>A common use of an admin instance is so you can grant 188separate permissions (such as administrator access to the 189Kerberos database) to a separate Kerberos principal. For 190example, the user <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> might have a principal for 191his administrative use, called <code class="docutils literal notranslate"><span class="pre">joeadmin/admin</span></code>. This 192way, <code class="docutils literal notranslate"><span class="pre">joeadmin</span></code> would obtain <code class="docutils literal notranslate"><span class="pre">joeadmin/admin</span></code> tickets 193only when he actually needs to use those permissions.</p> 194</div> 195</section> 196<section id="operations-on-the-kerberos-database"> 197<span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Permalink to this headline">¶</a></h2> 198<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command is the primary tool for administrating 199the Kerberos database when using the DB2 or LMDB modules (see 200<a class="reference internal" href="dbtypes.html#dbtypes"><span class="std std-ref">Database types</span></a>). Creating a database is described in 201<a class="reference internal" href="install_kdc.html#create-db"><span class="std std-ref">Create the KDC database</span></a>.</p> 202<p>To create a stash file using the master password (because the database 203was not created with one using the <code class="docutils literal notranslate"><span class="pre">create</span> <span class="pre">-s</span></code> flag, or after 204restoring from a backup which did not contain the stash file), use the 205kdb5_util <strong>stash</strong> command:</p> 206<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util stash 207kdb5_util: Cannot find/read stored master key while reading master key 208kdb5_util: Warning: proceeding without master key 209Enter KDC database master key: <= Type the KDC database master password. 210</pre></div> 211</div> 212<p>To destroy a database, use the kdb5_util destroy command:</p> 213<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util destroy 214Deleting KDC database stored in '/var/krb5kdc/principal', are you sure? 215(type 'yes' to confirm)? yes 216OK, deleting database '/var/krb5kdc/principal'... 217** Database '/var/krb5kdc/principal' destroyed. 218</pre></div> 219</div> 220<section id="dumping-and-loading-a-kerberos-database"> 221<span id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink" href="#dumping-and-loading-a-kerberos-database" title="Permalink to this headline">¶</a></h3> 222<p>To dump a Kerberos database into a text file for backup or transfer 223purposes, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command on one of the 224KDCs:</p> 225<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util dump dumpfile 226 227$ kbd5_util dump -verbose dumpfile 228kadmin/admin@ATHENA.MIT.EDU 229krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU 230kadmin/history@ATHENA.MIT.EDU 231K/M@ATHENA.MIT.EDU 232kadmin/changepw@ATHENA.MIT.EDU 233</pre></div> 234</div> 235<p>You may specify which principals to dump, using full principal names 236including realm:</p> 237<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util dump -verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU 238kadmin/admin@ATHENA.MIT.EDU 239K/M@ATHENA.MIT.EDU 240</pre></div> 241</div> 242<p>To restore a Kerberos database dump from a file, use the 243<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>load</strong> command:</p> 244<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util load dumpfile 245</pre></div> 246</div> 247<p>To update an existing database with a partial dump file containing 248only some principals, use the <code class="docutils literal notranslate"><span class="pre">-update</span></code> flag:</p> 249<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util load -update someprincs 250</pre></div> 251</div> 252<div class="admonition note"> 253<p class="admonition-title">Note</p> 254<p>If the database file exists, and the <em>-update</em> flag was not 255given, <em>kdb5_util</em> will overwrite the existing database.</p> 256</div> 257</section> 258<section id="updating-the-master-key"> 259<span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3> 260<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> allows the master key 261to be changed using a rollover process, with minimal loss of 262availability. To roll over the master key, follow these steps:</p> 263<ol class="arabic"> 264<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to view the 265current master key version number (KVNO). If you have never rolled 266over the master key before, this will likely be version 1:</p> 267<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util list_mkeys 268Master keys for Principal: K/M@KRBTEST.COM 269KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * 270</pre></div> 271</div> 272</li> 273<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></code> to ensure that a 274master key activation list is present in the database. This step 275is unnecessary in release 1.11.4 or later, or if the database was 276initially created with release 1.7 or later.</p></li> 277<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></code> to create a new 278master key and write it to the stash file. Enter a secure password 279when prompted. If this is the first time you are changing the 280master key, the new key will have version 2. The new master key 281will not be used until you make it active.</p></li> 282<li><p>Propagate the database to all replica KDCs, either manually or by 283waiting until the next scheduled propagation. If you do not have 284any replica KDCs, you can skip this and the next step.</p></li> 285<li><p>On each replica KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to verify that 286the new master key is present, and then <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">stash</span></code> to 287write the new master key to the replica KDC’s stash file.</p></li> 288<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></code> to begin using the 289new master key. Replace <code class="docutils literal notranslate"><span class="pre">2</span></code> with the version of the new master 290key, as appropriate. You can optionally specify a date for the new 291master key to become active; by default, it will become active 292immediately. Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> must be 293restarted for this change to take full effect.</p></li> 294<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></code>. 295This command will iterate over the database and re-encrypt all keys 296in the new master key. If the database is large and uses DB2, the 297primary KDC will become unavailable while this command runs, but 298clients should fail over to replica KDCs (if any are present) 299during this time period. In release 1.13 and later, you can 300instead run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></code> to 301use unlocked iteration; this variant will take longer, but will 302keep the database available to the KDC and kadmind while it runs.</p></li> 303<li><p>Wait until the above changes have propagated to all replica KDCs 304and until all running KDC and kadmind processes have serviced 305requests using updated principal entries.</p></li> 306<li><p>On the primary KDC, run <code class="docutils literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></code> to clean up the 307old master key.</p></li> 308</ol> 309</section> 310</section> 311<section id="operations-on-the-ldap-database"> 312<span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Permalink to this headline">¶</a></h2> 313<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a> command is the primary tool for 314administrating the Kerberos database when using the LDAP module. 315Creating an LDAP Kerberos database is describe in <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a>.</p> 316<p>To view a list of realms in the LDAP database, use the kdb5_ldap_util 317<strong>list</strong> command:</p> 318<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list 319KRBTEST.COM 320</pre></div> 321</div> 322<p>To modify the attributes of a realm, use the kdb5_ldap_util <strong>modify</strong> 323command. For example, to change the default realm’s maximum ticket 324life:</p> 325<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify -maxtktlife "10 hours" 326</pre></div> 327</div> 328<p>To display the attributes of a realm, use the kdb5_ldap_util <strong>view</strong> 329command:</p> 330<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view 331 Realm Name: KRBTEST.COM 332 Maximum Ticket Life: 0 days 00:10:00 333</pre></div> 334</div> 335<p>To remove a realm from the LDAP database, destroying its contents, use 336the kdb5_ldap_util <strong>destroy</strong> command:</p> 337<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy 338Deleting KDC database of 'KRBTEST.COM', are you sure? 339(type 'yes' to confirm)? yes 340OK, deleting database of 'KRBTEST.COM'... 341** Database of 'KRBTEST.COM' destroyed. 342</pre></div> 343</div> 344<section id="ticket-policy-operations"> 345<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3> 346<p>Unlike the DB2 and LMDB modules, the LDAP module supports ticket 347policy objects, which can be associated with principals to restrict 348maximum ticket lifetimes and set mandatory principal flags. Ticket 349policy objects are distinct from the password policies described 350earlier on this page, and are chiefly managed through kdb5_ldap_util 351rather than kadmin. To create a new ticket policy, use the 352kdb5_ldap_util <strong>create_policy</strong> command:</p> 353<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util create_policy -maxrenewlife "2 days" users 354</pre></div> 355</div> 356<p>To associate a ticket policy with a principal, use the 357<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>modify_principal</strong> (or <strong>add_principal</strong>) command 358with the <strong>-x tktpolicy=</strong><em>policy</em> option:</p> 359<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy=users alice 360</pre></div> 361</div> 362<p>To remove a ticket policy reference from a principal, use the same 363command with an empty <em>policy</em>:</p> 364<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy= alice 365</pre></div> 366</div> 367<p>To list the existing ticket policy objects, use the kdb5_ldap_util 368<strong>list_policy</strong> command:</p> 369<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list_policy 370users 371</pre></div> 372</div> 373<p>To modify the attributes of a ticket policy object, use the 374kdb5_ldap_util <strong>modify_policy</strong> command:</p> 375<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify_policy -allow_svr +requires_preauth users 376</pre></div> 377</div> 378<p>To view the attributes of a ticket policy object, use the 379kdb5_ldap_util <strong>view_policy</strong> command:</p> 380<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view_policy users 381 Ticket policy: users 382 Maximum renewable life: 2 days 00:00:00 383 Ticket flags: REQUIRES_PRE_AUTH DISALLOW_SVR 384</pre></div> 385</div> 386<p>To destroy an ticket policy object, use the kdb5_ldap_util 387<strong>destroy_policy</strong> command:</p> 388<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy_policy users 389This will delete the policy object 'users', are you sure? 390(type 'yes' to confirm)? yes 391** policy object 'users' deleted. 392</pre></div> 393</div> 394</section> 395</section> 396<section id="cross-realm-authentication"> 397<span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Permalink to this headline">¶</a></h2> 398<p>In order for a KDC in one realm to authenticate Kerberos users in a 399different realm, it must share a key with the KDC in the other realm. 400In both databases, there must be krbtgt service principals for both realms. 401For example, if you need to do cross-realm authentication between the realms 402<code class="docutils literal notranslate"><span class="pre">ATHENA.MIT.EDU</span></code> and <code class="docutils literal notranslate"><span class="pre">EXAMPLE.COM</span></code>, you would need to add the 403principals <code class="docutils literal notranslate"><span class="pre">krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU</span></code> and 404<code class="docutils literal notranslate"><span class="pre">krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM</span></code> to both databases. 405These principals must all have the same passwords, key version 406numbers, and encryption types; this may require explicitly setting 407the key version number with the <strong>-kvno</strong> option.</p> 408<p>In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators 409would run the following commands on the KDCs in both realms:</p> 410<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span><span class="p">:</span> <span class="n">kadmin</span><span class="o">.</span><span class="n">local</span> <span class="o">-</span><span class="n">e</span> <span class="s2">"aes256-cts:normal"</span> 411<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> 412<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> 413<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> 414<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> 415<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> 416<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> 417<span class="n">kadmin</span><span class="p">:</span> 418</pre></div> 419</div> 420<div class="admonition note"> 421<p class="admonition-title">Note</p> 422<p>Even if most principals in a realm are generally created 423with the <strong>requires_preauth</strong> flag enabled, this flag is not 424desirable on cross-realm authentication keys because doing 425so makes it impossible to disable preauthentication on a 426service-by-service basis. Disabling it as in the example 427above is recommended.</p> 428</div> 429<div class="admonition note"> 430<p class="admonition-title">Note</p> 431<p>It is very important that these principals have good 432passwords. MIT recommends that TGT principal passwords be 433at least 26 characters of random ASCII text.</p> 434</div> 435</section> 436<section id="changing-the-krbtgt-key"> 437<span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Permalink to this headline">¶</a></h2> 438<p>A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the 439principal <code class="docutils literal notranslate"><span class="pre">krbtgt/REALM</span></code>. The key for this principal is created 440when the Kerberos database is initialized and need not be changed. 441However, it will only have the encryption types supported by the KDC 442at the time of the initial database creation. To allow use of newer 443encryption types for the TGT, this key has to be changed.</p> 444<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> 445<strong>change_password</strong> command would invalidate any previously issued 446TGTs. Therefore, when changing this key, normally one should use the 447<strong>-keepold</strong> flag to change_password to retain the previous key in the 448database as well as the new key. For example:</p> 449<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> 450</pre></div> 451</div> 452<div class="admonition warning"> 453<p class="admonition-title">Warning</p> 454<p>After issuing this command, the old key is still valid 455and is still vulnerable to (for instance) brute force 456attacks. To completely retire an old key or encryption 457type, run the kadmin <strong>purgekeys</strong> command to delete keys 458with older kvnos, ideally first making sure that all 459tickets issued with the old keys have expired.</p> 460</div> 461<p>Only the first krbtgt key of the newest key version is used to encrypt 462ticket-granting tickets. However, the set of encryption types present 463in the krbtgt keys is used by default to determine the session key 464types supported by the krbtgt service (see 465<a class="reference internal" href="enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>). Because non-MIT Kerberos clients 466sometimes send a limited set of encryption types when making AS 467requests, it can be important for the krbtgt service to support 468multiple encryption types. This can be accomplished by giving the 469krbtgt principal multiple keys, which is usually as simple as not 470specifying any <strong>-e</strong> option when changing the krbtgt key, or by 471setting the <strong>session_enctypes</strong> string attribute on the krbtgt 472principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>).</p> 473<p>Due to a bug in releases 1.8 through 1.13, renewed and forwarded 474tickets may not work if the original ticket was obtained prior to a 475krbtgt key change and the modified ticket is obtained afterwards. 476Upgrading the KDC to release 1.14 or later will correct this bug.</p> 477</section> 478<section id="incremental-database-propagation"> 479<span id="incr-db-prop"></span><h2>Incremental database propagation<a class="headerlink" href="#incremental-database-propagation" title="Permalink to this headline">¶</a></h2> 480<section id="overview"> 481<h3>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h3> 482<p>At some very large sites, dumping and transmitting the database can 483take more time than is desirable for changes to propagate from the 484primary KDC to the replica KDCs. The incremental propagation support 485added in the 1.7 release is intended to address this.</p> 486<p>With incremental propagation enabled, all programs on the primary KDC 487that change the database also write information about the changes to 488an “update log” file, maintained as a circular buffer of a certain 489size. A process on each replica KDC connects to a service on the 490primary KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> server) and 491periodically requests the changes that have been made since the last 492check. By default, this check is done every two minutes.</p> 493<p>Incremental propagation uses the following entries in the per-realm 494data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p> 495<table class="docutils align-default"> 496<colgroup> 497<col style="width: 4%" /> 498<col style="width: 3%" /> 499<col style="width: 94%" /> 500</colgroup> 501<tbody> 502<tr class="row-odd"><td><p>iprop_enable</p></td> 503<td><p><em>boolean</em></p></td> 504<td><p>If <em>true</em>, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is <em>false</em>.</p></td> 505</tr> 506<tr class="row-even"><td><p>iprop_master_ulogsize</p></td> 507<td><p><em>integer</em></p></td> 508<td><p>Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.</p></td> 509</tr> 510<tr class="row-odd"><td><p>iprop_replica_poll</p></td> 511<td><p><em>time interval</em></p></td> 512<td><p>Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes.</p></td> 513</tr> 514<tr class="row-even"><td><p>iprop_port</p></td> 515<td><p><em>integer</em></p></td> 516<td><p>Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files.</p></td> 517</tr> 518<tr class="row-odd"><td><p>iprop_resync_timeout</p></td> 519<td><p><em>integer</em></p></td> 520<td><p>Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes).</p></td> 521</tr> 522<tr class="row-even"><td><p>iprop_logfile</p></td> 523<td><p><em>file name</em></p></td> 524<td><p>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, with <em>.ulog</em> appended. (NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</p></td> 525</tr> 526</tbody> 527</table> 528<p>Both primary and replica sides must have a principal named 529<code class="docutils literal notranslate"><span class="pre">kiprop/hostname</span></code> (where <em>hostname</em> is the lowercase, 530fully-qualified, canonical name for the host) registered in the 531Kerberos database, and have keys for that principal stored in the 532default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>). The <code class="docutils literal notranslate"><span class="pre">kiprop/hostname</span></code> principal may 533have been created automatically for the primary KDC, but it must 534always be created for replica KDCs.</p> 535<p>On the primary KDC side, the <code class="docutils literal notranslate"><span class="pre">kiprop/hostname</span></code> principal must be 536listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, and given the 537<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><span class="std std-ref">Privileges</span></a>).</p> 538<p>On the replica KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> should be run. When 539incremental propagation is enabled, it will connect to the kadmind on 540the primary KDC and start requesting updates.</p> 541<p>The normal kprop mechanism is disabled by the incremental propagation 542support. However, if the replica has been unable to fetch changes 543from the primary KDC for too long (network problems, perhaps), the log 544on the primary may wrap around and overwrite some of the updates that 545the replica has not yet retrieved. In this case, the replica will 546instruct the primary KDC to dump the current database out to a file 547and invoke a one-time kprop propagation, with special options to also 548convey the point in the update log at which the replica should resume 549fetching incremental updates. Thus, all the keytab and ACL setup 550previously described for kprop propagation is still needed.</p> 551<p>If an environment has a large number of replicas, it may be desirable 552to arrange them in a hierarchy instead of having the primary serve 553updates to every replica. To do this, run <code class="docutils literal notranslate"><span class="pre">kadmind</span> <span class="pre">-proponly</span></code> on 554each intermediate replica, and <code class="docutils literal notranslate"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></code> on 555downstream replicas to direct each one to the appropriate upstream 556replica.</p> 557<p>There are several known restrictions in the current implementation:</p> 558<ul class="simple"> 559<li><p>The incremental update protocol does not transport changes to policy 560objects. Any policy changes on the primary will result in full 561resyncs to all replicas.</p></li> 562<li><p>The replica’s KDB module must support locking; it cannot be using the 563LDAP KDB module.</p></li> 564<li><p>The primary and replica must be able to initiate TCP connections in 565both directions, without an intervening NAT.</p></li> 566</ul> 567</section> 568<section id="sun-mit-incremental-propagation-differences"> 569<h3>Sun/MIT incremental propagation differences<a class="headerlink" href="#sun-mit-incremental-propagation-differences" title="Permalink to this headline">¶</a></h3> 570<p>Sun donated the original code for supporting incremental database 571propagation to MIT. Some changes have been made in the MIT source 572tree that will be visible to administrators. (These notes are based 573on Sun’s patches. Changes to Sun’s implementation since then may not 574be reflected here.)</p> 575<p>The Sun config file support looks for <code class="docutils literal notranslate"><span class="pre">sunw_dbprop_enable</span></code>, 576<code class="docutils literal notranslate"><span class="pre">sunw_dbprop_master_ulogsize</span></code>, and <code class="docutils literal notranslate"><span class="pre">sunw_dbprop_slave_poll</span></code>.</p> 577<p>The incremental propagation service is implemented as an ONC RPC 578service. In the Sun implementation, the service is registered with 579rpcbind (also known as portmapper) and the client looks up the port 580number to contact. In the MIT implementation, where interaction with 581some modern versions of rpcbind doesn’t always work well, the port 582number must be specified in the config file on both the primary and 583replica sides.</p> 584<p>The Sun implementation hard-codes pathnames in <code class="docutils literal notranslate"><span class="pre">/var/krb5</span></code> for the 585update log and the per-replica kprop dump files. In the MIT 586implementation, the pathname for the update log is specified in the 587config file, and the per-replica dump files are stored in 588<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal notranslate"><span class="pre">/krb5kdc</span></code><code class="docutils literal notranslate"><span class="pre">/replica_datatrans_hostname</span></code>.</p> 589</section> 590</section> 591</section> 592 593 594 <div class="clearer"></div> 595 </div> 596 </div> 597 </div> 598 </div> 599 <div class="sidebar"> 600 601 <h2>On this page</h2> 602 <ul> 603<li><a class="reference internal" href="#">Database administration</a><ul> 604<li><a class="reference internal" href="#principals">Principals</a></li> 605<li><a class="reference internal" href="#policies">Policies</a><ul> 606<li><a class="reference internal" href="#updating-the-history-key">Updating the history key</a></li> 607</ul> 608</li> 609<li><a class="reference internal" href="#privileges">Privileges</a></li> 610<li><a class="reference internal" href="#operations-on-the-kerberos-database">Operations on the Kerberos database</a><ul> 611<li><a class="reference internal" href="#dumping-and-loading-a-kerberos-database">Dumping and loading a Kerberos database</a></li> 612<li><a class="reference internal" href="#updating-the-master-key">Updating the master key</a></li> 613</ul> 614</li> 615<li><a class="reference internal" href="#operations-on-the-ldap-database">Operations on the LDAP database</a><ul> 616<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a></li> 617</ul> 618</li> 619<li><a class="reference internal" href="#cross-realm-authentication">Cross-realm authentication</a></li> 620<li><a class="reference internal" href="#changing-the-krbtgt-key">Changing the krbtgt key</a></li> 621<li><a class="reference internal" href="#incremental-database-propagation">Incremental database propagation</a><ul> 622<li><a class="reference internal" href="#overview">Overview</a></li> 623<li><a class="reference internal" href="#sun-mit-incremental-propagation-differences">Sun/MIT incremental propagation differences</a></li> 624</ul> 625</li> 626</ul> 627</li> 628</ul> 629 630 <br/> 631 <h2>Table of contents</h2> 632 <ul class="current"> 633<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li> 634<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current"> 635<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> 636<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> 637<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> 638<li class="toctree-l2 current"><a class="current reference internal" href="#">Database administration</a></li> 639<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> 640<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> 641<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> 642<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> 643<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li> 644<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> 645<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> 646<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> 647<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> 648<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> 649<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> 650<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> 651<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> 652<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li> 653<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li> 654<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li> 655<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li> 656<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li> 657<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li> 658<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li> 659</ul> 660</li> 661<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li> 662<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li> 663<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li> 664<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li> 665<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li> 666<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li> 667<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li> 668<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li> 669<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li> 670</ul> 671 672 <br/> 673 <h4><a href="../index.html">Full Table of Contents</a></h4> 674 <h4>Search</h4> 675 <form class="search" action="../search.html" method="get"> 676 <input type="text" name="q" size="18" /> 677 <input type="submit" value="Go" /> 678 <input type="hidden" name="check_keywords" value="yes" /> 679 <input type="hidden" name="area" value="default" /> 680 </form> 681 682 </div> 683 <div class="clearer"></div> 684 </div> 685 </div> 686 687 <div class="footer-wrapper"> 688 <div class="footer" > 689 <div class="right" ><i>Release: 1.21.3</i><br /> 690 © <a href="../copyright.html">Copyright</a> 1985-2024, MIT. 691 </div> 692 <div class="left"> 693 694 <a href="../index.html" title="Full Table of Contents" 695 >Contents</a> | 696 <a href="realm_config.html" title="Realm configuration decisions" 697 >previous</a> | 698 <a href="dbtypes.html" title="Database types" 699 >next</a> | 700 <a href="../genindex.html" title="General Index" 701 >index</a> | 702 <a href="../search.html" title="Enter search criteria" 703 >Search</a> | 704 <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a> 705 </div> 706 </div> 707 </div> 708 709 </body> 710</html>