krb5-server-1.9.3-2.fc15.i686.rpm

<html lang="en">
<head>
<title>Kerberos V5 Installation Guide</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="Kerberos V5 Installation Guide">
<meta name="generator" content="makeinfo 4.13">
<link title="Top" rel="top" href="#Top">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home" title="Texinfo Homepage">
<!--
Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.-->
<meta http-equiv="Content-Style-Type" content="text/css">
<style type="text/css"><!--
  pre.display { font-family:inherit }
  pre.format  { font-family:inherit }
  pre.smalldisplay { font-family:inherit; font-size:smaller }
  pre.smallformat  { font-family:inherit; font-size:smaller }
  pre.smallexample { font-size:smaller }
  pre.smalllisp    { font-size:smaller }
  span.sc    { font-variant:small-caps }
  span.roman { font-family:serif; font-weight:normal; } 
  span.sansserif { font-family:sans-serif; font-weight:normal; } 
--></style>
</head>
<body>
<h1 class="settitle">Kerberos V5 Installation Guide</h1>
<div class="node">
<a name="Top"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Introduction">Introduction</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#dir">(dir)</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#dir">(dir)</a>

</div>

<!-- node-name,  next,  previous,  up -->
<!-- The master menu is updated using emacs19's M-x texinfo-all-menus-update -->
<!-- function.  Don't forget to run M-x texinfo-every-node-update after -->
<!-- you add a new section or subsection, or after you've rearranged the -->
<!-- order of sections or subsections.  Also, don't forget to add an @node -->
<!-- command before each @section or @subsection!  All you need to enter -->
<!-- is: -->
<!-- @node New Section Name -->
<!-- @section New Section Name -->
<!-- M-x texinfo-every-node-update will take care of calculating the -->
<!-- node's forward and back pointers. -->
<!--  -->
<ul class="menu">
<li><a accesskey="1" href="#Introduction">Introduction</a>
<li><a accesskey="2" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>
<li><a accesskey="3" href="#Building-Kerberos-V5">Building Kerberos V5</a>
<li><a accesskey="4" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>
<li><a accesskey="5" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>
<li><a accesskey="6" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>
<li><a accesskey="7" href="#Copyright">Copyright</a>
</ul>

<div class="node">
<a name="Introduction"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Top">Top</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="chapter">1 Introduction</h2>

<ul class="menu">
<li><a accesskey="1" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>
<li><a accesskey="2" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>
<li><a accesskey="3" href="#Please-Read-the-Documentation">Please Read the Documentation</a>
<li><a accesskey="4" href="#Overview-of-This-Guide">Overview of This Guide</a>
</ul>

<div class="node">
<a name="What-is-Kerberos-and-How-Does-it-Work%3f"></a>
<a name="What-is-Kerberos-and-How-Does-it-Work_003f"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Introduction">Introduction</a>

</div>

<h3 class="section">1.1 What is Kerberos and How Does it Work?</h3>

<p>Kerberos V5 is based on the Kerberos authentication system developed
at MIT.  Under Kerberos, a client (generally either a user or a service)
sends a request for a ticket to the Key Distribution Center (KDC).  The
KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client,
encrypts it using the client's password as the key, and sends the
encrypted TGT back to the client.  The client then attempts to decrypt
the TGT, using its password.  If the client successfully decrypts the
TGT (<i>i.e.</i>, if the client gave the correct password), it keeps the
decrypted TGT, which indicates proof of the client's identity.

<p>The TGT, which expires at a specified time, permits the client to obtain
additional tickets, which give permission for specific services.  The
requesting and granting of these additional tickets is user-transparent.

<div class="node">
<a name="Why-Should-I-use-Kerberos%3f"></a>
<a name="Why-Should-I-use-Kerberos_003f"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#What-is-Kerberos-and-How-Does-it-Work_003f">What is Kerberos and How Does it Work?</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Introduction">Introduction</a>

</div>

<h3 class="section">1.2 Why Should I use Kerberos?</h3>

<p>Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the Internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on.  Since studies have shown that half of the computer
security breaches in industry happen from <i>inside</i> firewalls,
Kerberos V5 from MIT will play a vital role in the
security of your network.

<div class="node">
<a name="Please-Read-the-Documentation"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Overview-of-This-Guide">Overview of This Guide</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Why-Should-I-use-Kerberos_003f">Why Should I use Kerberos?</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Introduction">Introduction</a>

</div>

<h3 class="section">1.3 Please Read the Documentation</h3>

<p>As with any software package that uses a centralized database, the
installation procedure is somewhat involved, and requires forethought
and planning.  MIT has attempted to make this
Kerberos V5 Installation Guide as concise as possible, rather than
making it an exhaustive description of the details of Kerberos. 
Consequently, everything in this guide appears because MIT
believes that it is important.  Please read and follow these
instructions carefully.

<p>This document is one piece of the document set for Kerberos V5.  The
documents, and their intended audiences, are:

     <ul>
<li><b>Kerberos V5 Installation Guide</b>:  a concise guide for installing
Kerberos V5.  Kerberos administrators (particularly whoever will be
making site-wide decisions about the installation) and the system
administrators who will be installing the software should read this
guide.

     <li><b>Kerberos V5 System Administrator's Guide</b>:  a sysadmin's guide to
administering a Kerberos installation.  The System Administrator's Guide
describes the administration software and suggests policies and
procedures for administering a Kerberos installation.  Anyone who will
have administrative access to your Kerberos database should read this
guide.

     <li><b>Kerberos V5 UNIX User's Guide</b>:  a guide to using the Kerberos
UNIX client programs.  All users on UNIX systems should read this guide,
particularly the &ldquo;Tutorial&rdquo; section. 
</ul>

<div class="node">
<a name="Overview-of-This-Guide"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Please-Read-the-Documentation">Please Read the Documentation</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Introduction">Introduction</a>

</div>

<h3 class="section">1.4 Overview of This Guide</h3>

<p class="noindent">The next chapter describes the decisions you need to make before
installing Kerberos V5.

<p class="noindent">Chapter three provides instructions for building the Kerberos sources.

<p class="noindent">Chapter four describes installation procedures for each class of
Kerberos machines:

     <ol type=1 start=1>
<li>Key Distribution Centers (KDCs).

          <ol type=A start=1>
<li>The Master KDC.

          <li>Slave KDCs.
          </ol>

     <li>UNIX client machines

     <li>UNIX application server machines
     </ol>

<p class="noindent">Note that a machine can be both a client machine and an application
server.

<p class="noindent">Chapter five describes the procedure for updating previous installations of
Kerberos V5.

<p class="noindent">Chapter six describes our problem reporting system.

<div class="node">
<a name="Realm-Configuration-Decisions"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Introduction">Introduction</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="chapter">2 Realm Configuration Decisions</h2>

<p>Before installing Kerberos V5, it is necessary to consider the
following issues:

     <ul>
<li>The name of your Kerberos realm (or the name of each realm, if you need
more than one).

     <li>How you will map your hostnames onto Kerberos realms.

     <li>Which ports your KDC and kadmin (database access) services will use.

     <li>How many slave KDCs you need and where they should be located.

     <li>The hostnames of your master and slave KDCs.

     <li>How frequently you will propagate the database from the master KDC to
the slave KDCs. 
</ul>

<ul class="menu">
<li><a accesskey="1" href="#Kerberos-Realms">Kerberos Realms</a>
<li><a accesskey="2" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>
<li><a accesskey="3" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>
<li><a accesskey="4" href="#Slave-KDCs">Slave KDCs</a>
<li><a accesskey="5" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>
<li><a accesskey="6" href="#Database-Propagation">Database Propagation</a>
</ul>

<div class="node">
<a name="Kerberos-Realms"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

</div>

<h3 class="section">2.1 Kerberos Realms</h3>

<p>Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters.  For
example, hosts in the domain example.com would be in the
Kerberos realm EXAMPLE.COM.

<p>If you need multiple Kerberos realms, MIT recommends that
you use descriptive names which end with your domain name, such as
BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM.

<div class="node">
<a name="Mapping-Hostnames-onto-Kerberos-Realms"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Kerberos-Realms">Kerberos Realms</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

</div>

<h3 class="section">2.2 Mapping Hostnames onto Kerberos Realms</h3>

<p>Mapping hostnames onto Kerberos realms is done in one of two ways.

<p>The first mechanism, which has been in use for years in MIT-based
Kerberos distributions, works through a set of rules in
the <code>krb5.conf</code> configuration file.  (See <a href="#krb5_002econf">krb5.conf</a>.)  You can
specify mappings for an entire domain or subdomain, and/or on a
hostname-by-hostname basis.  Since greater specificity takes precedence,
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.

<p>The second mechanism works by looking up the information in special
<code>TXT</code> records in the Domain Name Service.  This is currently not
used by default because security holes could result if the DNS TXT
records were spoofed.  If this mechanism is enabled on the client,
it will try to look up a <code>TXT</code> record for the DNS name formed by
putting the prefix <code>_kerberos</code> in front of the hostname in question. 
If that record is not found, it will try using <code>_kerberos</code> and the
host's domain name, then its parent domain, and so forth.  So for the
hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:

<pre class="smallexample">     _kerberos.boston.engineering.foobar.com
     _kerberos.engineering.foobar.com
     _kerberos.foobar.com
     _kerberos.com
</pre>
<p>The value of the first TXT record found is taken as the realm name. 
(Obviously, this doesn't work all that well if a host and a subdomain
have the same name, and different realms.  For example, if all the hosts
in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
another realm.  In that case, you would set up TXT records for all
hosts, rather than relying on the fallback to the domain name.)

<p>Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other sites.
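<p>The two mapping mechanisms above, worked through as an added example (this is not MIT's code, and the <code>krb5.conf</code> rules and TXT records it uses are constructed sample data, not a real resolver or configuration). It also includes a small check for the host-versus-subdomain collision the previous paragraph describes.

```python
"""Added example for section 2.2 (not MIT code): the two hostname-to-realm
mapping mechanisms, run against constructed krb5.conf rules and
constructed DNS TXT records.  Nothing here queries a real resolver."""

# Constructed [domain_realm] rules in krb5.conf style.  A key with a
# leading dot covers a domain or subdomain; a key without one names a
# single host.  The most specific entry wins, so exceptions are listed
# as plain hostnames.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    ".boston.example.com": "BOSTON.EXAMPLE.COM",
    "legacy.boston.example.com": "EXAMPLE.COM",  # the one host that is an exception
}

# Constructed TXT records as a resolver would hand them back.  The record
# for the ENGINEERING.FOOBAR.COM subdomain also answers for a host that is
# literally named engineering.foobar.com; see check_dns_mapping().
TXT_RECORDS = {
    "_kerberos.engineering.foobar.com": "ENGINEERING.FOOBAR.COM",
    "_kerberos.foobar.com": "FOOBAR.COM",
}


def _labels(hostname):
    """Lower-case DNS labels of a hostname, trailing dot removed."""
    return hostname.lower().rstrip(".").split(".")


def realm_from_config(hostname, rules=DOMAIN_REALM):
    """Mechanism 1: krb5.conf rules.  An exact host entry beats any domain
    entry, and a longer (more specific) domain suffix beats a shorter one."""
    labels = _labels(hostname)
    host = ".".join(labels)
    if host in rules:
        return rules[host]
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return None


def txt_lookup_names(hostname):
    """Mechanism 2: the DNS names tried, in order: _kerberos.<host>, then
    _kerberos.<each parent domain> up to the top-level domain."""
    labels = _labels(hostname)
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


def realm_from_dns(hostname, records=TXT_RECORDS):
    """The first TXT record found wins.  The guide leaves this off by
    default: a TXT answer is unauthenticated, so a spoofed record would
    make the client trust the wrong realm."""
    for name in txt_lookup_names(hostname):
        if name in records:
            return records[name]
    return None


def check_dns_mapping(expected, records=TXT_RECORDS):
    """Admin check: which hosts would DNS map to a realm other than the
    intended one?  `expected` is {hostname: realm}.  A non-empty result
    means those hosts (and their neighbours) need explicit per-host
    _kerberos.<host> TXT records instead of the fallback to the domain."""
    return {host: realm_from_dns(host, records)
            for host, realm in expected.items()
            if realm_from_dns(host, records) != realm}
```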

<div class="node">
<a name="Ports-for-the-KDC-and-Admin-Services"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Slave-KDCs">Slave KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

</div>

<h3 class="section">2.3 Ports for the KDC and Admin Services</h3>

<p>The default ports used by Kerberos are port 88 for the
KDC<a rel="footnote" href="#fn-1" name="fnd-1"><sup>1</sup></a>  and
port 749 for the admin server.  You can, however,
choose to run on other ports, as long as they are specified in each
host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the
<code>kdc.conf</code> file on each KDC.  For a more thorough treatment of
port numbers used by the Kerberos V5 programs, refer to the
&ldquo;Configuring Your Firewall to Work With Kerberos V5&rdquo; section of
the <cite>Kerberos V5 System Administrator's Guide</cite>.

<div class="node">
<a name="Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Ports-for-the-KDC-and-Admin-Services">Ports for the KDC and Admin Services</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

</div>

<h3 class="section">2.4 Slave KDCs</h3>

<p>Slave KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the master KDC.  The number
of slave KDCs you need and the decision of where to place them, both
physically and logically, depends on the specifics of your network.

<p>All of the Kerberos authentication on your network requires that each
client be able to contact a KDC.  Therefore, you need to anticipate any
likely reason a KDC might be unavailable and have a slave KDC to take up
the slack.

<p>Some considerations include:

     <ul>
<li>Have at least one slave KDC as a backup, for when the master KDC is
down, is being upgraded, or is otherwise unavailable.

     <li>If your network is split such that a network outage is likely to cause a
network partition (some segment or segments of the network to become cut
off or isolated from other segments), have a slave KDC accessible to
each segment.

     <li>If possible, have at least one slave KDC in a different building from
the master, in case of power outages, fires, or other localized
disasters. 
</ul>

<div class="node">
<a name="Hostnames-for-the-Master-and-Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Database-Propagation">Database Propagation</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Slave-KDCs">Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

</div>

<h3 class="section">2.5 Hostnames for the Master and Slave KDCs</h3>

<p>MIT recommends that your KDCs have a predefined set of
CNAME records (DNS hostname aliases), such as <code>kerberos</code>
for the master KDC and
<code>kerberos-1</code>, <code>kerberos-2</code>, <small class="dots">...</small> for the
slave KDCs.  This way, if you need to swap a machine, you only need to
change a DNS entry, rather than having to change hostnames.

<p>A new mechanism for locating KDCs of a realm through DNS has been added
to the MIT Kerberos V5 distribution.  A relatively new
record type called <code>SRV</code> has been added to DNS.  Looked up by a
service name and a domain name, these records indicate the hostname and
port number to contact for that service, optionally with weighting and
prioritization.  (See RFC 2782 if you want more information.  You can
follow the example below for straightforward cases.)

<p>The use with Kerberos is fairly straightforward.  The domain name used
in the SRV record name is the domain-style Kerberos realm name.  (It is
possible to have Kerberos realm names that are not DNS-style names, but
we don't recommend it for Internet use, and our code does not support it
well.)  Several different Kerberos-related service names are used:

     <dl>
<dt><code>_kerberos._udp</code><dd>This is for contacting any KDC by UDP.  This entry will be used the most
often.  Normally you should list port 88 on each of your KDCs. 
<!-- Don't encourage continued use of port 750 for krb5. -->
<!-- It should be only for backwards compatibility with krb4. -->
<!-- Do the Mac/Windows krb4 libraries use this DNS entry? -->
<!-- The UNIX code does not. -->

     <br><dt><code>_kerberos._tcp</code><dd>This is for contacting any KDC by TCP.  The MIT KDC by default will not
listen on any TCP ports, so unless you've changed the configuration or
you're running another KDC implementation, you should leave this
unspecified.  If you do enable TCP support, normally you should use
port 88.

     <br><dt><code>_kerberos-master._udp</code><dd>This entry should refer to those KDCs, if any, that will immediately see
password changes to the Kerberos database.  This entry is used only in
one case, when the user is logging in and the password appears to be
incorrect; the master KDC is then contacted, and the same password used
to try to decrypt the response, in case the user's password had recently
been changed and the first KDC contacted hadn't been updated.  Only if
that fails is an &ldquo;incorrect password&rdquo; error given.

     <p>If you have only one KDC, or for whatever reason there is no accessible
KDC that would get database changes faster than the others, you do not
need to define this entry.

     <br><dt><code>_kerberos-adm._tcp</code><dd>This should list port 749 on your master KDC. 
Support for it is not complete at this time, but it will eventually be
used by the <code>kadmin</code> program and related utilities.  For now, you
will also need the <code>admin_server</code> entry in <code>krb5.conf</code>. 
(See <a href="#krb5_002econf">krb5.conf</a>.)

     <br><dt><code>_kpasswd._udp</code><dd>This should list port 464 on your master KDC. 
It is used when a user changes her password.

</dl>

<p>Be aware, however, that the DNS SRV specification requires that the
hostnames listed be the canonical names, not aliases.  So, for example,
you might include the following records in your (BIND-style) zone file:

<pre class="smallexample">     $ORIGIN foobar.com.
     _kerberos               TXT       "FOOBAR.COM"
     kerberos                CNAME     daisy
     kerberos-1              CNAME     use-the-force-luke
     kerberos-2              CNAME     bunny-rabbit
     _kerberos._udp          SRV       0 0 88 daisy
                             SRV       0 0 88 use-the-force-luke
                             SRV       0 0 88 bunny-rabbit
     _kerberos-master._udp   SRV       0 0 88 daisy
     _kerberos-adm._tcp      SRV       0 0 749 daisy
     _kpasswd._udp           SRV       0 0 464 daisy
</pre>
<p>As with the DNS-based mechanism for determining the Kerberos realm of a
host, we recommend distributing the information this way for use by
other sites that may want to interact with yours using Kerberos, even if
you don't immediately make use of it within your own site.  If you
anticipate installing a very large number of machines on which it will
be hard to update the Kerberos configuration files, you may wish to do
all of your Kerberos service lookups via DNS and not put the information
(except for <code>admin_server</code> as noted above) in future versions of
your <code>krb5.conf</code> files at all.  Eventually, we hope to phase out
the listing of server hostnames in the client-side configuration files;
making preparations now will make the transition easier in the future.
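<p>As an added example (not MIT's code), the following parses a constructed copy of the zone fragment above, orders the <code>_kerberos._udp</code> targets the way RFC 2782 tells a client to, and checks the fragment for the two mistakes this section warns about: an SRV target that is a CNAME alias, and a service on a port other than the one the guide gives. The parser handles only this fragment's syntax, and the port table is taken from the guide's text.

```python
"""Added example for section 2.5 (not MIT code): parse the guide's zone
fragment, order KDC SRV targets per RFC 2782, and lint the fragment."""
import random

# Constructed copy of the zone fragment shown in the guide.
ZONE = """\
$ORIGIN foobar.com.
_kerberos               TXT       "FOOBAR.COM"
kerberos                CNAME     daisy
kerberos-1              CNAME     use-the-force-luke
kerberos-2              CNAME     bunny-rabbit
_kerberos._udp          SRV       0 0 88 daisy
                        SRV       0 0 88 use-the-force-luke
                        SRV       0 0 88 bunny-rabbit
_kerberos-master._udp   SRV       0 0 88 daisy
_kerberos-adm._tcp      SRV       0 0 749 daisy
_kpasswd._udp           SRV       0 0 464 daisy
"""

# Ports the guide gives for each Kerberos service name.
EXPECTED_PORTS = {
    "_kerberos._udp": 88, "_kerberos._tcp": 88, "_kerberos-master._udp": 88,
    "_kerberos-adm._tcp": 749, "_kpasswd._udp": 464,
}


def qualify(name, origin):
    """Turn a relative zone name into a fully qualified one."""
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Minimal parser for the BIND-style fragment: $ORIGIN, relative names,
    and a blank owner field meaning 'same owner as the line above'.
    Returns (owner, type, rdata) tuples with owner and any CNAME/SRV target
    fully qualified.  Not a general zone-file parser."""
    origin, owner, records = ".", None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():  # new owner name; otherwise reuse the last
            owner = fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype == "CNAME":
            rdata[0] = qualify(rdata[0], origin)
        elif rtype == "SRV":
            rdata[3] = qualify(rdata[3], origin)
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def srv_records(records, service, realm):
    """SRV entries for a service under the domain-style realm name, as the
    guide describes (e.g. _kerberos._udp.foobar.com.).
    Returns (priority, weight, port, target) tuples."""
    name = service + "." + realm.lower().rstrip(".") + "."
    return [(int(r[0]), int(r[1]), int(r[2]), r[3])
            for owner, rtype, r in records
            if rtype == "SRV" and owner == name]


def order_targets(srvs, rng=None):
    """RFC 2782 client ordering: lowest priority first; within one priority
    a weighted random draw, with weight-0 entries listed first so they are
    chosen only when nothing else is weighted."""
    rng = rng or random.Random()
    ordered = []
    for pri in sorted({s[0] for s in srvs}):
        pool = sorted((s for s in srvs if s[0] == pri), key=lambda s: s[1])
        while pool:
            r = rng.randint(0, sum(s[1] for s in pool))
            running = 0
            for s in pool:
                running += s[1]
                if running >= r:
                    ordered.append(s)
                    pool.remove(s)
                    break
    return ordered


def lint_zone(records):
    """Checks worth running before publishing: an SRV target must be a
    canonical name, never a CNAME alias, and each Kerberos service should
    use the port the guide expects.  Returns a list of problem strings."""
    aliases = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype != "SRV":
            continue
        service = ".".join(owner.split(".")[:2])
        port, target = int(rdata[2]), rdata[3]
        if target in aliases:
            problems.append(f"{owner}: SRV target {target} is a CNAME alias")
        expected = EXPECTED_PORTS.get(service)
        if expected is not None and port != expected:
            problems.append(f"{owner}: port {port}, guide expects {expected}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for s in order_targets(srv_records(recs, "_kerberos._udp", "FOOBAR.COM")):
        print("KDC candidate:", s)
    print("problems:", lint_zone(recs) or "none")
```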

<div class="node">
<a name="Database-Propagation"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>

</div>

<h3 class="section">2.6 Database Propagation</h3>

<p>The Kerberos database resides on the master KDC, and must be propagated
regularly (usually by a cron job) to the slave KDCs.  In deciding how
frequently the propagation should happen, you will need to balance the
amount of time the propagation takes against the maximum reasonable
amount of time a user should have to wait for a password change to take
effect.

<p>If the propagation time is longer than this maximum reasonable time
(<i>e.g.,</i> you have a particularly large database, you have a lot of
slaves, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel.  To do this, have the master KDC propagate the database to one
set of slaves, and then have each of these slaves propagate the database
to additional slaves.

<div class="node">
<a name="Building-Kerberos-V5"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Realm-Configuration-Decisions">Realm Configuration Decisions</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="chapter">3 Building Kerberos V5</h2>

<p>Kerberos V5 uses a configuration system built using the Free
Software Foundation's &lsquo;<samp><span class="samp">autoconf</span></samp>&rsquo; program.  This system makes
Kerberos V5 much simpler to build and reduces the amount of effort
required in porting Kerberos V5 to a new platform.

<ul class="menu">
<li><a accesskey="1" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>:   Description of the source tree. 
<li><a accesskey="2" href="#Build-Requirements">Build Requirements</a>:           How much disk space, etc. you need to
                                           build Kerberos. 
<li><a accesskey="3" href="#Unpacking-the-Sources">Unpacking the Sources</a>:        Preparing the source tree. 
<li><a accesskey="4" href="#Doing-the-Build">Doing the Build</a>:              Compiling Kerberos. 
<li><a accesskey="5" href="#Installing-the-Binaries">Installing the Binaries</a>:      Installing the compiled binaries. 
<li><a accesskey="6" href="#Testing-the-Build">Testing the Build</a>:            Making sure Kerberos built correctly. 
<li><a accesskey="7" href="#Options-to-Configure">Options to Configure</a>:         Command-line options to Configure
<li><a accesskey="8" href="#osconf_002eh">osconf.h</a>:                     Header file-specific configurations
<li><a accesskey="9" href="#Shared-Library-Support">Shared Library Support</a>:       Building Shared Libraries for Kerberos V5
<li><a href="#OS-Incompatibilities">OS Incompatibilities</a>:         Special cases to watch for. 
<li><a href="#Using-Autoconf">Using Autoconf</a>:               Modifying Kerberos V5's
                                            configuration scripts. 
</ul>

<div class="node">
<a name="Organization-of-the-Source-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Build-Requirements">Build Requirements</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.1 Organization of the Source Directory</h3>

<p>Below is a brief overview of the organization of the complete source
directory.  More detailed descriptions follow.

     <dl>
<dt><b>appl</b><dd>applications with Kerberos V5 extensions
<dt><b>clients</b><dd>Kerberos V5 user programs
<dt><b>gen-manpages</b><dd>manpages for Kerberos V5 and the Kerberos V5 login program
<dt><b>include</b><dd>include files
<dt><b>kadmin</b><dd>administrative interface to the Kerberos master database
<dt><b>kdc</b><dd>the Kerberos V5 Authentication Service and Key Distribution Center
<dt><b>krb524</b><dd>utilities for converting between Kerberos 4 and Kerberos 5
<dt><b>lib</b><dd>libraries for use with/by Kerberos V5
<dt><b>mac</b><dd>source code for building Kerberos V5 on MacOS
<dt><b>prototype</b><dd>templates for source code files
<dt><b>slave</b><dd>utilities for propagating the database to slave KDCs
<dt><b>tests</b><dd>test suite
<dt><b>util</b><dd>various utilities for building/configuring the code, sending bug reports, etc. 
<dt><b>windows</b><dd>source code for building Kerberos V5 on Windows (see windows/README)
</dl>

<ul class="menu">
<li><a accesskey="1" href="#The-appl-Directory">The appl Directory</a>
<li><a accesskey="2" href="#The-clients-Directory">The clients Directory</a>
<li><a accesskey="3" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>
<li><a accesskey="4" href="#The-include-Directory">The include Directory</a>
<li><a accesskey="5" href="#The-kadmin-Directory">The kadmin Directory</a>
<li><a accesskey="6" href="#The-kdc-Directory">The kdc Directory</a>
<li><a accesskey="7" href="#The-krb524-Directory">The krb524 Directory</a>
<li><a accesskey="8" href="#The-lib-Directory">The lib Directory</a>
<li><a accesskey="9" href="#The-prototype-Directory">The prototype Directory</a>
<li><a href="#The-slave-Directory">The slave Directory</a>
<li><a href="#The-util-Directory">The util Directory</a>
</ul>

<div class="node">
<a name="The-appl-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-clients-Directory">The clients Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.1 The appl Directory</h4>

<p>The <i>appl</i> directory contains sample Kerberos application client and
server programs.  In previous releases, it contained Kerberized versions
of remote access daemons, but those have now been moved to a separate
project.

<div class="node">
<a name="The-clients-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-appl-Directory">The appl Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.2 The clients Directory</h4>

<p>This directory contains the code for several user-oriented programs.

     <dl>
<dt><b>kdestroy</b><dd>This program destroys the user's active Kerberos authorization tickets. 
MIT recommends that users <code>kdestroy</code> before logging out.

     <dt><b>kinit</b><dd>This program prompts users for their Kerberos principal name and password,
and attempts to get an initial ticket-granting-ticket for that principal.

     <dt><b>klist</b><dd>This program lists the Kerberos principal and Kerberos tickets held in
a credentials cache, or the keys held in a keytab file.

     <dt><b>kpasswd</b><dd>This program changes a user's Kerberos password.

     <dt><b>ksu</b><dd>This program is a Kerberized version of the <code>su</code> program that is
meant to securely change the real and effective user ID to that of the
target user and to create a new security context.

     <dt><b>kvno</b><dd>This program acquires a service ticket for the specified Kerberos
principals and prints out the key version numbers of each. 
</dl>

<div class="node">
<a name="The-gen-manpages-Directory"></a>
<a name="The-gen_002dmanpages-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-include-Directory">The include Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-clients-Directory">The clients Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.3 The gen-manpages Directory</h4>

<p>There are two manual pages in this directory.  One is an introduction
to the Kerberos system.  The other describes the <code>.k5login</code> file
which allows users to give access with their UID to other users
authenticated by the Kerberos system.

<div class="node">
<a name="The-include-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-kadmin-Directory">The kadmin Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-gen_002dmanpages-Directory">The gen-manpages Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.4 The include Directory</h4>

<p>This directory contains the <i>include</i> files needed to build the
Kerberos system.

<div class="node">
<a name="The-kadmin-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-kdc-Directory">The kdc Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-include-Directory">The include Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.5 The kadmin Directory</h4>

<p>In this directory is the code for the utilities <code>kadmin</code>,
<code>kadmin.local</code>, <code>kdb5_util</code>, and <code>ktutil</code>. 
<code>ktutil</code> is the Kerberos keytab file maintenance utility from
which a Kerberos administrator can read, write, or edit entries in a
Kerberos V5 keytab or Kerberos V4 srvtab.  <code>kadmin</code> and
<code>kadmin.local</code> are command-line interfaces to the Kerberos V5 KADM5
administration system.  <code>kadmin.local</code> runs on the master KDC and
does not use Kerberos to authenticate to the database, while
<code>kadmin</code> uses Kerberos authentication and an encrypted RPC.  The
two provide identical functionalities, which allow administrators to
modify the database of Kerberos principals.  <code>kdb5_util</code> allows
administrators to perform low-level maintenance procedures on Kerberos
and the KADM5 database.  With this utility, databases can be created,
destroyed, or dumped to and loaded from ASCII files.  It can also be
used to create master key stash files.

<div class="node">
<a name="The-kdc-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-krb524-Directory">The krb524 Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-kadmin-Directory">The kadmin Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.6 The kdc Directory</h4>

<p>This directory contains the code for the <code>krb5kdc</code> daemon, the
Kerberos Authentication Service and Key Distribution Center.

<div class="node">
<a name="The-krb524-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-lib-Directory">The lib Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-kdc-Directory">The kdc Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.7 The krb524 Directory</h4>

<p>This directory contains the code for <code>krb524</code>, a service that
converts Kerberos V5 credentials into Kerberos V4 credentials suitable
for use with applications that for whatever reason do not use V5
directly.

<div class="node">
<a name="The-lib-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-prototype-Directory">The prototype Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-krb524-Directory">The krb524 Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.8 The lib Directory</h4>

<p>The <i>lib</i> directory contains 10 subdirectories as well as some
definition and glue files.  The <i>crypto</i> subdirectory contains the
Kerberos V5 encryption library.  The <i>des425</i> subdirectory exports
the Kerberos V4 encryption API, and translates these functions into
calls to the Kerberos V5 encryption API.  The <i>gssapi</i> library
contains the Generic Security Services API, a library of functions
used for secure client-server communication.  The
<i>kadm5</i> directory contains the libraries for the KADM5 administration
utilities.  The Kerberos 5 database libraries are contained in
<i>kdb</i>.  The directories <i>krb4</i> and <i>krb5</i> contain the Kerberos 4
and Kerberos 5 APIs, respectively.  The <i>rpc</i> directory contains the
API for the Kerberos Remote Procedure Call protocol.

<div class="node">
<a name="The-prototype-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-slave-Directory">The slave Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-lib-Directory">The lib Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.9 The prototype Directory</h4>

<p>This directory contains several template files.  The <code>prototype.h</code>
and <code>prototype.c</code> files contain the MIT copyright message and a
placeholder for the title and description of the file. 
<code>prototype.h</code> also has a short template for writing <code>ifdef</code>
and <code>ifndef</code> preprocessor statements.  The <code>getopt.c</code> file
provides a template for writing code that will parse the options with
which a program was called.

<div class="node">
<a name="The-slave-Directory"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-util-Directory">The util Directory</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-prototype-Directory">The prototype Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.10 The slave Directory</h4>

<p>This directory contains code which allows for the propagation of the
Kerberos principal database from the master KDC to slave KDCs over an
encrypted, secure channel.  <code>kprop</code> is the program which actually
propagates the database dump file.  <code>kpropd</code> is the Kerberos V5
slave KDC update server which accepts connections from the <code>kprop</code>
program.  <code>kslave_update</code> is a script that takes the name of a
slave server, and propagates the database to that server if the
database has been modified since the last dump or if the database has
been dumped since the last propagation.

<div class="node">
<a name="The-util-Directory"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-slave-Directory">The slave Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>

</div>

<h4 class="subsection">3.1.11 The util Directory</h4>

<p>This directory contains several utility programs and libraries.  The
programs used to configure and build the code, such as <code>autoconf</code>,
<code>lndir</code>, <code>kbuild</code>, <code>reconf</code>,  and <code>makedepend</code>,
are in this directory.  The <i>profile</i> directory contains most of the
functions which parse the Kerberos configuration files (<code>krb5.conf</code>
and <code>kdc.conf</code>).  Also in this directory are the Kerberos error table
library and utilities (<i>et</i>), the Sub-system library and utilities
(<i>ss</i>), database utilities (<i>db2</i>), pseudo-terminal utilities
(<i>pty</i>), bug-reporting program <code>send-pr</code>, and a generic
support library <code>support</code> used by several of our other libraries.

<div class="node">
<a name="Build-Requirements"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Organization-of-the-Source-Directory">Organization of the Source Directory</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.2 Build Requirements</h3>

<p>In order to build Kerberos V5, you will need approximately 60-70
megabytes of disk space.  The exact amount will vary depending on the
platform and whether the distribution is compiled with debugging symbol
tables or not.

<p>Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, &ldquo;c89&rdquo;). 
Some operating systems do not have an ANSI C compiler, or their
default compiler requires extra command-line options to enable ANSI C
conformance.

<p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled
<samp><span class="file">*.o</span></samp> files and executables, separate from your source tree, you
will need a &lsquo;<samp><span class="samp">make</span></samp>&rsquo; program which supports &lsquo;<samp><span class="samp">VPATH</span></samp>&rsquo;, or
you will need to use a tool such as &lsquo;<samp><span class="samp">lndir</span></samp>&rsquo; to produce a symbolic
link tree for your build tree.

<!-- Library support... -->
<div class="node">
<a name="Unpacking-the-Sources"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Doing-the-Build">Doing the Build</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Build-Requirements">Build Requirements</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.3 Unpacking the Sources</h3>

<p>The first step in each of these build procedures is to unpack the
source distribution.  The Kerberos V5 distribution comes in a tar file,
generally named <samp><span class="file">krb5-1.9.tar</span></samp>, which contains a
compressed tar file consisting of the sources for all of Kerberos
(generally <samp><span class="file">krb5-1.9.tar.gz</span></samp>) and a PGP signature for
this source tree (generally <samp><span class="file">krb5-1.9.tar.gz.asc</span></samp>). 
MIT highly recommends that you verify the integrity of the
source code using this signature.
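<p>As an added example (not part of the MIT distribution or of this guide), the
following POSIX shell fragment performs that verification and, in addition, pins
the fingerprint of the key that produced the signature.  A &ldquo;Good signature&rdquo;
from <code>gpg</code> only means that <em>some</em> key in your keyring signed the
file; comparing the fingerprint reported on the <code>VALIDSIG</code> status line
against one obtained from a trusted channel is what ties the tarball to the
Kerberos release key.  The fingerprint constant, the file names and the
<code>gpg</code> invocation are assumptions.

```shell
#!/bin/sh
# Added example, not MIT code: verify the detached PGP signature on the
# krb5 source tarball and pin the fingerprint of the key that made it.
# gpg's "Good signature" only says some key in your keyring signed the
# file; comparing the VALIDSIG fingerprint against one obtained out of
# band is what ties the tarball to the Kerberos release key.

# Read gpg --status-fd output from stdin.  Succeed only if a VALIDSIG line
# carries the expected fingerprint and no BADSIG/ERRSIG/NO_PUBKEY appears.
check_gpg_status() {
    expected="$1"
    sawvalid=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                # First field after the keyword is the signing key's fingerprint.
                rest=${line#"[GNUPG:] VALIDSIG "}
                fpr=${rest%% *}
                if [ "$fpr" = "$expected" ]; then sawvalid=1; fi ;;
        esac
    done
    [ "$sawvalid" -eq 1 ]
}

# Verify SIGNATURE over TARBALL with gpg and check the pinned FINGERPRINT.
# The signing key must already have been imported from a trusted source.
verify_krb5_source() {
    tarball="$1"; signature="$2"; fingerprint="$3"
    gpg --batch --status-fd 1 --verify "$signature" "$tarball" 2>/dev/null \
        | check_gpg_status "$fingerprint"
}

# Placeholder fingerprint (assumption), NOT the real MIT key: replace it
# with the fingerprint of the Kerberos release-signing key before use.
KRB5_RELEASE_KEY_FPR="0000000000000000000000000000000000000000"

# Typical use, once the key has been imported (file names as in the text):
#   verify_krb5_source krb5-1.9.tar.gz krb5-1.9.tar.gz.asc \
#       "$KRB5_RELEASE_KEY_FPR" && tar xzf krb5-1.9.tar.gz
```

<p>Only unpack the tarball when the function succeeds; do not take the
fingerprint from a key that shipped alongside the tarball, since anyone who
could substitute the archive could substitute the key as well.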

<p>Unpack the compressed tar file in some directory, such as
<samp><span class="file">/u1/krb5-1.9</span></samp>.  (In the rest of this document, we
will assume that you have chosen to unpack the Kerberos V5 source
distribution in this directory.  Note that the tarfiles will by default
all unpack into the <samp><span class="file">./krb5-1.9</span></samp> directory, so that if
your current directory is <samp><span class="file">/u1</span></samp> when you unpack the tarfiles, you
will get <samp><span class="file">/u1/krb5-1.9/src</span></samp>, etc.)

<div class="node">
<a name="Doing-the-Build"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Installing-the-Binaries">Installing the Binaries</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Unpacking-the-Sources">Unpacking the Sources</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.4 Doing the Build</h3>

<p>You have a number of different options in how to build Kerberos.  If you
only need to build Kerberos for one platform, using a single directory
tree which contains both the source files and the object files is the
simplest.  However, if you need to maintain Kerberos for a large number
of platforms, you will probably want to use separate build trees for
each platform. We recommend that you look at <a href="#OS-Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating
systems.

<ul class="menu">
<li><a accesskey="1" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>
<li><a accesskey="2" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>
<li><a accesskey="3" href="#Building-using-lndir">Building using lndir</a>
</ul>

<div class="node">
<a name="Building-Within-a-Single-Tree"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

</div>

<h4 class="subsection">3.4.1 Building Within a Single Tree</h4>

<p>If you don't want separate build trees for each architecture, then
use the following abbreviated procedure.

     <ol type=1 start=1>
<li> <code>cd /u1/krb5-1.9/src</code>
<li> <code>./configure</code>
<li> <code>make</code>
     </ol>

<p>That's it!

<div class="node">
<a name="Building-with-Separate-Build-Directories"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Building-using-lndir">Building using lndir</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Building-Within-a-Single-Tree">Building Within a Single Tree</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

</div>

<h4 class="subsection">3.4.2 Building with Separate Build Directories</h4>

<p>If you wish to keep separate build directories for each platform, you
can do so using the following procedure.  (Note, this requires that your
&lsquo;<samp><span class="samp">make</span></samp>&rsquo; program support &lsquo;<samp><span class="samp">VPATH</span></samp>&rsquo;.  GNU's make will provide this
functionality, for example.)  If your &lsquo;<samp><span class="samp">make</span></samp>&rsquo; program does not
support this, see the next section.

<p>For example, if you wish to create a build directory for <code>pmax</code> binaries
you might use the following procedure:

     <ol type=1 start=1>
<li><code>mkdir /u1/krb5-1.9/pmax</code>
<li> <code>cd /u1/krb5-1.9/pmax</code>
<li> <code>../src/configure</code>
<li> <code>make</code>
     </ol>

<div class="node">
<a name="Building-using-lndir"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Building-with-Separate-Build-Directories">Building with Separate Build Directories</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Doing-the-Build">Doing the Build</a>

</div>

<h4 class="subsection">3.4.3 Building Using &lsquo;<samp><span class="samp">lndir</span></samp>&rsquo;</h4>

<p>If you wish to keep separate build directories for each platform, and
you do not have access to a &lsquo;<samp><span class="samp">make</span></samp>&rsquo; program which supports &lsquo;<samp><span class="samp">VPATH</span></samp>&rsquo;,
all is not lost.  You can use the &lsquo;<samp><span class="samp">lndir</span></samp>&rsquo; program to create
symbolic link trees in your build directory.

<p>For example, if you wish to create a build directory for solaris binaries
you might use the following procedure:

     <ol type=1 start=1>
<li> <code>mkdir /u1/krb5-1.9/solaris</code>
<li> <code>cd /u1/krb5-1.9/solaris</code>
<li> <code>/u1/krb5-1.9/src/util/lndir `pwd`/../src</code>
<li> <code>./configure</code>
<li> <code>make</code>
     </ol>

<p>You must give an absolute pathname to &lsquo;<samp><span class="samp">lndir</span></samp>&rsquo; because it has a bug that
makes it fail for relative pathnames. Note that this version differs
from the latest version as distributed and installed by the XConsortium
with X11R6. Either version should be acceptable.

<div class="node">
<a name="Installing-the-Binaries"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Testing-the-Build">Testing the Build</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Doing-the-Build">Doing the Build</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.5 Installing the Binaries</h3>

<p>Once you have built Kerberos, you should install the binaries.  You
can do this by running:

<pre class="example">     % make install
</pre>
<p>If you want to install the binaries into a destination directory that
is not their final destination, which may be convenient if you want to
build a binary distribution to be deployed on multiple hosts, you may
use:

<pre class="example">     % make install DESTDIR=/path/to/destdir
</pre>
<p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the
user programs will install into <code>DESTDIR/PREFIX/bin</code>, the
libraries into <code>DESTDIR/PREFIX/lib</code>, etc.

<p>Note that if you want to test the build (see <a href="#Testing-the-Build">Testing the Build</a>),
you usually do not need to do a <code>make install</code> first.

<p>Some implementations of &lsquo;<samp><span class="samp">make</span></samp>&rsquo; allow multiple commands to be run in
parallel, for faster builds.  We test our Makefiles in parallel builds with
GNU &lsquo;<samp><span class="samp">make</span></samp>&rsquo; only; they may not be compatible with other parallel build
implementations.

<div class="node">
<a name="Testing-the-Build"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Options-to-Configure">Options to Configure</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-the-Binaries">Installing the Binaries</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.6 Testing the Build</h3>

<p>The Kerberos V5 distribution comes with built-in regression tests.  To
run them, simply type the following command while in the top-level build
directory (i.e., the directory where you typed &lsquo;<samp><span class="samp">make</span></samp>&rsquo; to start
building Kerberos; see <a href="#Doing-the-Build">Doing the Build</a>.):

<pre class="example">     % make check
</pre>
<p>However, there are several prerequisites that must be satisfied first:

     <ul>
<li>Configure and build Kerberos with Tcl support.  Tcl is used to drive the
test suite.  This often means passing <code>--with-tcl</code> to configure to
tell it the location of the Tcl configuration script.  (See
<a href="#Options-to-Configure">Options to Configure</a>.)

     <li>On some operating systems, you have to run &lsquo;<samp><span class="samp">make install</span></samp>&rsquo; before
running &lsquo;<samp><span class="samp">make check</span></samp>&rsquo;, or the test suite will pick up installed
versions of Kerberos libraries rather than the newly built ones.  You
can install into a prefix that isn't in the system library search path,
though.  Alternatively, you can configure with <code>--disable-rpath</code>,
which renders the build tree less suitable for installation, but allows
testing without interference from previously installed libraries.

     <li>In order to test the RPC layer, the local system has to be running the
<samp><span class="command">portmap</span></samp> daemon and it has to be listening to the regular
network interface (not just localhost). 
</ul>
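<p>The second prerequisite above fails silently: the suite runs and passes,
but has exercised the libraries in the system library path rather than the
ones just built.  As an added example (not part of the MIT distribution or of
this guide), the shell fragment below inspects a freshly built binary with
<code>ldd</code> and reports any Kerberos library that was resolved from outside
the build tree, or not at all.  The build-tree paths and the glibc-style
<code>ldd</code> output format (<code>NAME =&gt; PATH (ADDR)</code>) are assumptions.

```shell
#!/bin/sh
# Added example, not MIT code: before trusting "make check", confirm that a
# program from the build tree resolves the Kerberos shared libraries from
# that tree rather than from a previously installed copy in the system
# library search path.  Assumes a glibc-style "ldd" printing lines of the
# form "NAME => PATH (ADDR)" or "NAME => not found".

# Read ldd output from stdin; print each Kerberos library that resolved to a
# path outside BUILDTREE (or did not resolve).  Succeed only if none leaked.
foreign_krb5_libs() {
    buildtree="$1"
    leaked=0
    while IFS= read -r line; do
        case "$line" in
            *' => '*) ;;            # only resolved-dependency lines matter
            *) continue ;;
        esac
        name=${line%% =>*}                        # text before " =>"
        name=${name#"${name%%[![:space:]]*}"}     # strip ldd's indentation
        path=${line#*=> }                         # text after "=> "
        case "$path" in
            "not found"*) path="(not found)" ;;
            *) path=${path%% *} ;;                # drop the "(ADDR)" suffix
        esac
        case "$name" in
            libkrb5.so*|libgssapi_krb5.so*|libk5crypto.so*|libkadm5*|libcom_err.so*|libkrb5support.so*)
                case "$path" in
                    "$buildtree"/*) ;;            # from the build tree: fine
                    *) printf '%s -> %s\n' "$name" "$path"; leaked=1 ;;
                esac ;;
        esac
    done
    [ "$leaked" -eq 0 ]
}

# Run ldd on one built binary (a test program, or kinit from the build
# tree) and fail if any Kerberos library came from somewhere else.
check_build_binary() {
    ldd "$1" | foreign_krb5_libs "$2"
}

# Typical use after "make" in a separate build directory (paths assumed):
#   check_build_binary /u1/krb5-1.9/pmax/clients/kinit/kinit /u1/krb5-1.9/pmax
```

<p>If the check reports a library from <code>/usr/lib</code> or a similar
system directory, either install into a prefix outside the system search path
first or reconfigure with <code>--disable-rpath</code>, as described above, and
rebuild before running the tests.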

<ul class="menu">
<li><a accesskey="1" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>
<li><a accesskey="2" href="#The-KADM5-Tests">The KADM5 Tests</a>
</ul>

<div class="node">
<a name="The-DejaGnu-Tests"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#The-KADM5-Tests">The KADM5 Tests</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>

</div>

<h4 class="subsection">3.6.1 The DejaGnu Tests</h4>

<p>Some of the built-in regression tests are set up to use the DejaGnu
framework for running tests.  These tests tend to be more comprehensive
than the normal built-in tests, as they set up test servers and exercise
client/server activities.

<p>DejaGnu may be found wherever GNU software is archived.

<div class="node">
<a name="The-KADM5-Tests"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-DejaGnu-Tests">The DejaGnu Tests</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Testing-the-Build">Testing the Build</a>

</div>

<h4 class="subsection">3.6.2 The KADM5 Tests</h4>

<p>Regression tests for the KADM5 system, including the GSS-RPC, KADM5
client and server libraries, and kpasswd, are also included in this
release.  Each set of KADM5 tests is contained in a sub-directory called
<code>unit-test</code> directly below the system being tested.  For example,
lib/rpc/unit-test contains the tests for GSS-RPC.  The tests are all
based on DejaGnu (but they are not actually called part of "The DejaGnu
tests," whose naming predates the inclusion of the KADM5 system).  In
addition, they require the Tool Command Language (TCL) header files and
libraries to be available during compilation, and some of the tests also
require Perl in order to operate.  If any of these resources is not
available during configuration, the KADM5 tests will not run.  The TCL
installation directory can be specified with the <code>--with-tcl</code>
configure option.  (See <a href="#Options-to-Configure">Options to Configure</a>.)  The runtest and
perl programs must be in the current execution path.

<p>If you install DejaGnu, TCL, or Perl after configuring and building
Kerberos and then want to run the KADM5 tests, you will need to
re-configure the tree and run <code>make</code> at the top level again to make
sure all the proper programs are built.  To save time, you actually only
need to reconfigure and build in the directories src/kadmin/testing,
src/lib/rpc, src/lib/kadm5.

<div class="node">
<a name="Options-to-Configure"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#osconf_002eh">osconf.h</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Testing-the-Build">Testing the Build</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.7 Options to Configure</h3>

<p>There are a number of options to &lsquo;<samp><span class="samp">configure</span></samp>&rsquo; which you can use to
control how the Kerberos distribution is built.  The following table
lists the most commonly used options to Kerberos V5's &lsquo;<samp><span class="samp">configure</span></samp>&rsquo;
program.

     <dl>
<dt><code>--help</code><dd>
Provides help to configure. This will list the set of commonly used
options for building Kerberos.

     <br><dt><code>--prefix=PREFIX</code><dd>
By default, Kerberos will install the package's files rooted at
`/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you
desire a different location, use this option.

     <br><dt><code>--exec-prefix=EXECPREFIX</code><dd>
This option allows one to install the architecture-dependent files
(programs and libraries) separately from the architecture-independent
files such as the configuration files and manual pages.

     <br><dt><code>--localstatedir=LOCALSTATEDIR</code><dd>
This option sets the directory for locally modifiable single-machine
data.  In Kerberos, this mostly is useful for setting a location for the
KDC data files, as they will be installed in
<code>LOCALSTATEDIR/krb5kdc</code>, which is by default
<code>PREFIX/var/krb5kdc</code>.

     <br><dt><code>CC=COMPILER</code><dd>
Use <code>COMPILER</code> as the C compiler.

     <br><dt><code>CFLAGS=FLAGS</code><dd>
Use <code>FLAGS</code> as the default set of C compiler flags.

     <p>Note that if you use the native Ultrix compiler on a
DECstation you are likely to lose if you pass no flags to cc; md4.c
takes an estimated 3,469 billion years to compile if you provide neither
the &lsquo;<samp><span class="samp">-g</span></samp>&rsquo; flag nor the &lsquo;<samp><span class="samp">-O</span></samp>&rsquo; flag to &lsquo;<samp><span class="samp">cc</span></samp>&rsquo;.

     <br><dt><code>CPPFLAGS=CPPOPTS</code><dd>
Use <code>CPPOPTS</code> as the default set of C preprocessor flags.  The most
common use of this option is to select certain <code>#define</code>'s for use
with the operating system's include files.

     <br><dt><code>LD=LINKER</code><dd>
Use <code>LINKER</code> as the default loader if it should be different from the C
compiler specified above.

     <br><dt><code>LDFLAGS=LDOPTS</code><dd>
This option allows one to specify optional arguments to be passed to the
linker. This might be used to specify optional library paths.

     <br><dt><code>--with-krb4</code><dd>
This option enables Kerberos V4 backwards compatibility using the
builtin Kerberos V4 library.

     <br><dt><code>--with-krb4=KRB4DIR</code><dd>
This option enables Kerberos V4 backwards compatibility using a
pre-existing Kerberos V4 installation.  The directory specified by
<code>KRB4DIR</code> specifies where the V4 header files should be found
(<samp><span class="file">KRB4DIR/include</span></samp>) as well as where the V4 Kerberos library should
be found (<samp><span class="file">KRB4DIR/lib</span></samp>).

     <br><dt><code>--without-krb4</code><dd>
Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4
clients from using the V5 services including the KDC. This would be
useful if you know you will never install or need to interact with V4
clients.

     <br><dt><code>--with-netlib[=libs]</code><dd>
Allows for suppression of or replacement of network libraries. By
default, Kerberos V5 configuration will look for <code>-lnsl</code> and
<code>-lsocket</code>. If your operating system has a broken resolver library
(see <a href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in
<samp><span class="file">src/tests/resolv</span></samp> you will need to use this option.

     <br><dt><code>--with-tcl=TCLPATH</code><dd>
Some of the unit tests in the build tree rely on a program written in
Tcl.  The directory specified by <code>TCLPATH</code> specifies where the Tcl
header file (<samp><span class="file">TCLPATH/include/tcl.h</span></samp>) as well as the Tcl
library (<samp><span class="file">TCLPATH/lib</span></samp>) should be found.

     <br><dt><code>--enable-shared</code><dd>
This option will turn on the building and use of shared library objects
in the Kerberos build. This option is only supported on certain
platforms.

     <br><dt><code>--enable-dns</code><br><dt><code>--enable-dns-for-kdc</code><br><dt><code>--enable-dns-for-realm</code><dd>
Enable the use of DNS to look up a host's Kerberos realm, or a realm's
KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames-for-the-Master-and-Slave-KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to
locate the KDCs, and <a href="#Mapping-Hostnames-onto-Kerberos-Realms">Mapping Hostnames onto Kerberos Realms</a> for
information about using DNS to determine the default realm.  By default,
DNS lookups are enabled for the former but not for the latter: DNS
answers are not authenticated, so letting DNS decide which realm a host
belongs to allows a spoofed answer to steer a client to a realm of the
attacker's choosing.

     <br><dt><code>--disable-kdc-lookaside-cache</code><dd>
Disables the cache in the KDC which detects retransmitted client
requests and resends the previous responses to them.

     <br><dt><code>--with-system-et</code><dd>
Use an installed version of the error-table support software, the
&lsquo;<samp><span class="samp">compile_et</span></samp>&rsquo; program, the <samp><span class="file">com_err.h</span></samp> header file and the
<samp><span class="file">com_err</span></samp> library.  If these are not in the default locations,
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
well.

     <p>If this option is not given, a version supplied with the Kerberos
sources will be built and installed along with the rest of the
Kerberos tree, for Kerberos applications to link against.

     <br><dt><code>--with-system-ss</code><dd>
Use an installed version of the subsystem command-line interface
software, the &lsquo;<samp><span class="samp">mk_cmds</span></samp>&rsquo; program, the <samp><span class="file">ss/ss.h</span></samp> header file
and the <samp><span class="file">ss</span></samp> library.  If these are not in the default locations,
you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and
<code>LDFLAGS=-L/some/other/dir</code> options at configuration time as
well.  See also the &lsquo;<samp><span class="samp">SS_LIB</span></samp>&rsquo; option.

     <p>If this option is not given, the <samp><span class="file">ss</span></samp> library supplied with the
Kerberos sources will be compiled and linked into those programs that
need it; it will not be installed separately.

     <br><dt><code>SS_LIB=libs...</code><dd>
If &lsquo;<samp><span class="samp">-lss</span></samp>&rsquo; is not the correct way to link in your installed
<samp><span class="file">ss</span></samp> library, for example if additional support libraries are
needed, specify the correct link options here.  Some variants of this
library are around which allow for Emacs-like line editing, but
different versions require different support libraries to be
explicitly specified.

     <p>This option is ignored if &lsquo;<samp><span class="samp">--with-system-ss</span></samp>&rsquo; is not specified.

     <br><dt><code>--with-system-db</code><dd>
Use an installed version of the Berkeley DB package, which must
provide an API compatible with version 1.85.  This option is
<em>unsupported</em> and untested.  In particular, we do not know if the
database-rename code used in the dumpfile load operation will behave
properly.

     <p>If this option is not given, a version supplied with the Kerberos
sources will be built and installed.  (We are not updating this
version at this time because of licensing issues with newer versions
that we haven't investigated sufficiently yet.)

     <br><dt><code>DB_HEADER=headername.h</code><dd>
If &lsquo;<samp><span class="samp">db.h</span></samp>&rsquo; is not the correct header file to include to compile
against the Berkeley DB 1.85 API, specify the correct header file name
with this option.  For example, &lsquo;<samp><span class="samp">DB_HEADER=db3/db_185.h</span></samp>&rsquo;.

     <br><dt><code>DB_LIB=libs...</code><dd>
If &lsquo;<samp><span class="samp">-ldb</span></samp>&rsquo; is not the correct library specification for the
Berkeley DB library version to be used, override it with this option. 
For example, &lsquo;<samp><span class="samp">DB_LIB=-ldb-3.3</span></samp>&rsquo;.

     <br><dt><code>--with-crypto-impl=IMPL</code><dd>
Use the specified crypto implementation in place of the default builtin
one.  Currently the only alternative is <code>openssl</code>, which requires
OpenSSL version 1.0.0 or higher.

</dl>

<p>For example, in order to configure Kerberos on a Solaris machine using
the &lsquo;<samp><span class="samp">suncc</span></samp>&rsquo; compiler with the optimizer turned on, run the configure
script with the following options:

<pre class="example">     % ./configure CC=suncc CFLAGS=-O
</pre>
<p>For a slightly more complicated example, consider a system where
several packages to be used by Kerberos are installed in
&lsquo;<samp><span class="samp">/usr/foobar</span></samp>&rsquo;, including Berkeley DB 3.3, and an &lsquo;<samp><span class="samp">ss</span></samp>&rsquo;
library that needs to link against the &lsquo;<samp><span class="samp">curses</span></samp>&rsquo; library.  The
configuration of Kerberos might be done thus:

<pre class="example">     % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
                   --with-system-et --with-system-ss --with-system-db \
                   SS_LIB='-lss -lcurses' \
                   DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
</pre>
<p>In previous releases, <code>--with-</code> options were used to specify the
compiler and linker and their options.

<div class="node">
<a name="osconf.h"></a>
<a name="osconf_002eh"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Shared-Library-Support">Shared Library Support</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Options-to-Configure">Options to Configure</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.8 <samp><span class="file">osconf.h</span></samp></h3>

<p>There is one configuration file which you may wish to edit to control
various compile-time parameters in the Kerberos distribution:
<samp><span class="file">include/stock/osconf.h</span></samp>. The list that follows is by no means
complete, just some of the more interesting variables.

<p>Please note: The former configuration file <samp><span class="file">config.h</span></samp> no longer
exists as its functionality has been merged into the auto-configuration
process. See <a href="#Options-to-Configure">Options to Configure</a>.

     <dl>
<dt><code>DEFAULT_PROFILE_PATH</code><dd>
The pathname to the file which contains the profiles for the known realms,
their KDCs, etc.  The default value is /etc/krb5.conf.

     <p>The profile file format is no longer the same format as Kerberos V4's
<samp><span class="file">krb.conf</span></samp> file.

     <br><dt><code>DEFAULT_KEYTAB_NAME</code><dd>
The type and pathname to the default server keytab file (the
equivalent of Kerberos V4's <samp><span class="file">/etc/srvtab</span></samp>).  The default is
/etc/krb5.keytab.

     <br><dt><code>DEFAULT_KDC_ENCTYPE</code><dd>
The default encryption type for the KDC.  The default value is
des3-cbc-sha1.

     <br><dt><code>KDCRCACHE</code><dd>
The name of the replay cache used by the KDC.  The default value is
krb5kdc_rcache.

     <br><dt><code>RCTMPDIR</code><dd>
The directory which stores replay caches.  The default is to try
/var/tmp, /usr/tmp, /var/usr/tmp, and /tmp.

     <br><dt><code>DEFAULT_KDB_FILE</code><dd>
The location of the default database.  The default value is
/usr/local/var/krb5kdc/principal.

</dl>

<div class="node">
<a name="Shared-Library-Support"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#osconf_002eh">osconf.h</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.9 Shared Library Support</h3>

<p>Shared library support is provided for a few operating systems. There
are restrictions as to which compiler to use when using shared
libraries. In all cases, executables linked with the shared libraries in
this build process will have the location of the libraries built in,
which eliminates the need for LD_LIBRARY_PATH and similar environment
variables when using the programs. Except where noted, multiple versions
of the libraries may be installed on the same system and continue to
work.

<p>Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS
5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows
(using DLLs).

<p>Shared library support has been tested on the following platforms but
not exhaustively (they have been built but not necessarily tested in an
installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and
HP/UX 10.20.

<p>Platforms for which there is shared library support but not significant
testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x
(i386).

<p>To enable shared libraries on the above platforms, run the configure
script with the option &lsquo;<samp><span class="samp">--enable-shared</span></samp>&rsquo;.

<div class="node">
<a name="OS-Incompatibilities"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Using-Autoconf">Using Autoconf</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Shared-Library-Support">Shared Library Support</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.10 Operating System Incompatibilities</h3>

<p>This section details operating system incompatibilities with Kerberos V5
which have been reported to the developers at MIT.  If you find
additional incompatibilities, and/or discover workarounds to such
problems, please send a report via the <code>krb5-send-pr</code> program. 
Thanks!

<ul class="menu">
<li><a accesskey="1" href="#AIX">AIX</a>
<li><a accesskey="2" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>
<li><a accesskey="3" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>
<li><a accesskey="4" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>
<li><a accesskey="5" href="#BSDI">BSDI</a>
<li><a accesskey="6" href="#HPUX">HPUX</a>
<li><a accesskey="7" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>
<li><a accesskey="8" href="#Solaris-2_002eX">Solaris 2.X</a>
<li><a accesskey="9" href="#Solaris-9">Solaris 9</a>
<li><a href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>
<li><a href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>
</ul>

<div class="node">
<a name="AIX"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.1 AIX</h4>

<p>The AIX 3.2.5 linker dumps core trying to build a shared
&lsquo;<samp><span class="samp">libkrb5.a</span></samp>&rsquo; produced with the GNU C compiler.  The native AIX
compiler works fine.  This problem is fixed using the AIX 4.1 linker.

<div class="node">
<a name="Alpha-OSF%2f1-V1.3"></a>
<a name="Alpha-OSF_002f1-V1_002e3"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#AIX">AIX</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.2 Alpha OSF/1 V1.3</h4>

<p>Using the native compiler, compiling with the &lsquo;<samp><span class="samp">-O</span></samp>&rsquo; compiler flag
causes the <code>asn.1</code> library to be compiled incorrectly.

<p>Using GCC version 2.6.3 or later instead of the native compiler will also work
fine, both with or without optimization.

<div class="node">
<a name="Alpha-OSF%2f1-V2.0"></a>
<a name="Alpha-OSF_002f1-V2_002e0"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V1_002e3">Alpha OSF/1 V1.3</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.3 Alpha OSF/1 V2.0</h4>

<p>There used to be a bug when using the native compiler in compiling
<samp><span class="file">md4.c</span></samp> when compiled without either the &lsquo;<samp><span class="samp">-O</span></samp>&rsquo; or &lsquo;<samp><span class="samp">-g</span></samp>&rsquo;
compiler options.  We have changed the code and there is no problem
under V2.1, but we do not have access to V2.0 to test and see if the
problem would exist there. (We welcome feedback on this issue). There
was never a problem in using GCC version 2.6.3.

<p>In version 3.2 and beyond of the operating system, we have not seen
this sort of problem with the native compiler.

<div class="node">
<a name="Alpha-OSF%2f1-V4.0"></a>
<a name="Alpha-OSF_002f1-V4_002e0"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#BSDI">BSDI</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V2_002e0">Alpha OSF/1 V2.0</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</h4>

<p>The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX)
defaults to an extended K&amp;R C mode, not ANSI C.  You need to provide
the &lsquo;<samp><span class="samp">-std</span></samp>&rsquo; argument to the compiler (i.e., &lsquo;<samp><span class="samp">./configure
CC='cc -std'</span></samp>&rsquo;) to enable extended ANSI C mode.  More recent versions
of the operating system, such as 5.0, seem to have C compilers which
default to &lsquo;<samp><span class="samp">-std</span></samp>&rsquo;.

<!-- @node Alpha Tru64 UNIX 5.0 -->
<!-- @subsection Alpha Tru64 UNIX 5.0 -->
<!-- ... login.krb5 problems -->
<div class="node">
<a name="BSDI"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#HPUX">HPUX</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Alpha-OSF_002f1-V4_002e0">Alpha OSF/1 V4.0</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.5 BSDI</h4>

<p>BSDI versions 1.0 and 1.1 reportedly have a bad &lsquo;<samp><span class="samp">sed</span></samp>&rsquo; which causes
it to go into an infinite loop during the build.  The workaround is
to use a &lsquo;<samp><span class="samp">sed</span></samp>&rsquo; from somewhere else, such as GNU.  (This may be
true for some versions of other systems derived from BSD 4.4, such as
NetBSD and FreeBSD.)

<div class="node">
<a name="HPUX"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#BSDI">BSDI</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.6 HPUX</h4>

<p>The native (bundled) compiler for HPUX currently will not work,
because it is not a full ANSI C compiler.  The optional ANSI C
compiler should work as long as you give it the &lsquo;<samp><span class="samp">-Ae</span></samp>&rsquo; flag
(i.e. &lsquo;<samp><span class="samp">./configure CC='cc -Ae'</span></samp>&rsquo;).  This is equivalent to
&lsquo;<samp><span class="samp">./configure CC='c89 -D_HPUX_SOURCE'</span></samp>&rsquo;, which was the previous
recommendation.  This has only been tested recently for HPUX 10.20.

<p>You will need to configure with &lsquo;<samp><span class="samp">--disable-shared
--enable-static</span></samp>&rsquo;, because as of 1.4 we don't have support for HPUX
shared library finalization routines, nor (yet) the option to ignore
that lack of support and build the shared libraries anyway (which means
repeated <code>dlopen</code>/<code>dlclose</code> cycles on the Kerberos
libraries may not be safe).

<p>You will also need to configure the build tree with
&lsquo;<samp><span class="samp">--disable-thread-support</span></samp>&rsquo; if you are on HPUX 10 and do not have
the DCE development package installed, because that's where the
<code>pthread.h</code> header file is found.  (We don't know if our code
will work with such a package installed, because according to some HP
documentation, their <code>pthread.h</code> has to be included before any
other header files, and our code doesn't do that.)

<p>If you use GCC, it may work, but some versions of GCC have omitted
certain important preprocessor defines, like <code>__STDC_EXT__</code> and
<code>__hpux</code>.

<div class="node">
<a name="Solaris-versions-2.0-through-2.3"></a>
<a name="Solaris-versions-2_002e0-through-2_002e3"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Solaris-2_002eX">Solaris 2.X</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#HPUX">HPUX</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.7 Solaris versions 2.0 through 2.3</h4>

<p>The <code>gethostbyname()</code> routine is broken; it does not return a fully
qualified domain name, even if you are using the Domain Name Service
routines.  Since Kerberos V5 uses the fully qualified domain name as the
second component of a service principal (i.e.,
&lsquo;<samp><span class="samp">host/tsx-11.mit.edu@ATHENA.MIT.EDU</span></samp>&rsquo;), this causes problems for servers
that try to figure out their own fully qualified domain name.

<p>Workarounds:

     <ol type=1 start=1>

     <li>   Supply your own resolver library (such as bind-4.9.3pl1, available
from ftp.vix.com).

     <li>   Upgrade to Solaris 2.4

     <li>   Make sure your /etc/nsswitch.conf has `files' before `dns' like:

     <pre class="example">          hosts:      files dns
</pre>
     <p>and then in /etc/hosts, make sure there is a line with your
workstation's IP address and hostname, with the fully qualified domain
name first.  Example:

     <pre class="example">          18.172.1.4      dcl.mit.edu dcl
</pre>
     <p>Note that making this change may cause other programs in your
environment to break or behave differently.

     </ol>

<div class="node">
<a name="Solaris-2.X"></a>
<a name="Solaris-2_002eX"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Solaris-9">Solaris 9</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Solaris-versions-2_002e0-through-2_002e3">Solaris versions 2.0 through 2.3</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.8 Solaris 2.X</h4>

<p>You <b>must</b> compile Kerberos V5 without the UCB compatibility
libraries.  This means that <samp><span class="file">/usr/ucblib</span></samp> must not be in the
LD_LIBRARY_PATH environment variable when you compile it.  Alternatively
you can use the <code>-i</code> option to &lsquo;<samp><span class="samp">cc</span></samp>&rsquo;, by specifying the
<code>CFLAGS=-i</code> option to &lsquo;<samp><span class="samp">configure</span></samp>&rsquo;.

<p>If you are compiling for a 64-bit execution environment, you may need
to configure with the option <code>CFLAGS="-D_XOPEN_SOURCE=500
-D__EXTENSIONS__"</code>.  This is not well tested; at MIT we work primarily
with the 32-bit execution environment.

<div class="node">
<a name="Solaris-9"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Solaris-2_002eX">Solaris 2.X</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.9 Solaris 9</h4>

<p>Solaris 9 has a kernel race condition which causes the final output
written to the slave side of a pty to be lost upon the final close()
of the slave device.  This causes the dejagnu-based tests to fail
intermittently.  A workaround exists, but requires some help from the
scheduler, and the &ldquo;make check&rdquo; must be executed from a shell with
elevated priority limits.

<p>Run something like

<p><code>priocntl -s -c FX -m 30 -p 30 -i pid nnnn</code>

<p>as root, where <code>nnnn</code> is the pid of the shell whose priority
limit you wish to raise.

<p>Sun has released kernel patches for this race condition.  Apply patch
117171-11 for sparc, or patch 117172-11 for x86.  Later revisions of
the patches should also work.  It is not necessary to run &ldquo;make
check&rdquo; from a shell with elevated priority limits once the patch has
been applied.

<div class="node">
<a name="SGI-Irix-5.X"></a>
<a name="SGI-Irix-5_002eX"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Ultrix-4_002e2_002f3">Ultrix 4.2/3</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Solaris-9">Solaris 9</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.10 SGI Irix 5.X</h4>

<p>If you are building in a tree separate from the source tree, the vendor's
version of <code>make</code> does not work properly with regard to
&lsquo;<samp><span class="samp">VPATH</span></samp>&rsquo;. It also has problems with standard inference rules in 5.2
(not tested yet in 5.3), so GNU <code>make</code> must be used.

<p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code>
library in which the routine <code>gethostbyname()</code> is broken. The
system-supplied version in <code>-lc</code> appears to work, though, so one may
simply specify the <code>--with-netlib</code> option to &lsquo;<samp><span class="samp">configure</span></samp>&rsquo;.

<p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and
is no longer an issue.

<div class="node">
<a name="Ultrix-4.2%2f3"></a>
<a name="Ultrix-4_002e2_002f3"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#SGI-Irix-5_002eX">SGI Irix 5.X</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#OS-Incompatibilities">OS Incompatibilities</a>

</div>

<h4 class="subsection">3.10.11 Ultrix 4.2/3</h4>

<p>The DEC MIPS platform currently will not support the native compiler,
since the Ultrix compiler is not a full ANSI C compiler.  You should use
GCC instead.

<div class="node">
<a name="Using-Autoconf"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#OS-Incompatibilities">OS Incompatibilities</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Building-Kerberos-V5">Building Kerberos V5</a>

</div>

<h3 class="section">3.11 Using &lsquo;<samp><span class="samp">Autoconf</span></samp>&rsquo;</h3>

<p>(If you are not a developer, you can skip this section.)

<p>In most of the Kerberos V5 source directories, there is a
<samp><span class="file">configure</span></samp> script which automatically determines the compilation
environment and creates the proper Makefiles for a particular
platform.  These <samp><span class="file">configure</span></samp> files are generated using
&lsquo;<samp><span class="samp">autoconf</span></samp>&rsquo;, which can be found in the <samp><span class="file">src/util/autoconf</span></samp>
directory in the distribution.

<p>Normal users will not need to worry about running &lsquo;<samp><span class="samp">autoconf</span></samp>&rsquo;; the
distribution comes with the <samp><span class="file">configure</span></samp> files already prebuilt. 
Developers who wish to modify the <samp><span class="file">configure.in</span></samp> files should see
<a href="autoconf.html#Top">Overview</a>.

<p>Note that in order to run &lsquo;<samp><span class="samp">autoconf</span></samp>&rsquo;, you must have GNU &lsquo;<samp><span class="samp">m4</span></samp>&rsquo;
in your path.  Before you use the &lsquo;<samp><span class="samp">autoconf</span></samp>&rsquo; in the Kerberos V5
source tree, you may also need to run &lsquo;<samp><span class="samp">configure</span></samp>&rsquo;, and then run
&lsquo;<samp><span class="samp">make</span></samp>&rsquo; in the <samp><span class="file">src/util/autoconf</span></samp> directory in order to
properly set up &lsquo;<samp><span class="samp">autoconf</span></samp>&rsquo;.

<p>One tool which is provided for the convenience of developers can be
found in <samp><span class="file">src/util/reconf</span></samp>.  This program should be run while the
current directory is the top source directory.  It will automatically
rebuild any <samp><span class="file">configure</span></samp> files which need rebuilding.  If you know
that you have made a change that will require that all the
<samp><span class="file">configure</span></samp> files need to be rebuilt from scratch, specify the
<code>--force</code> option:

<pre class="example">     % cd /u1/krb5-1.9/src
     % ./util/reconf --force
</pre>
<p>The developmental sources are a raw source tree (before it's been packaged
for public release), without the pre-built <samp><span class="file">configure</span></samp> files. 
In order to build from such a source tree, you must do:

<pre class="example">     % cd krb5/util/autoconf
     % ./configure
     % make
     % cd ../..
     % util/reconf
</pre>
<p>Then follow the instructions for building packaged source trees (above). 
To install the binaries into a binary tree, do:

<pre class="example">     % cd /u1/krb5-1.9/src
     % make all
     % make install DESTDIR=somewhere-else
</pre>
<div class="node">
<a name="Installing-Kerberos-V5"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Building-Kerberos-V5">Building Kerberos V5</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="chapter">4 Installing Kerberos V5</h2>

<p>The sections of this chapter describe procedures for installing
Kerberos V5 on:

     <ol type=1 start=1>
<li>The KDCs

     <li>UNIX client machines

     <li>UNIX Application Servers
     </ol>

<ul class="menu">
<li><a accesskey="1" href="#Installing-KDCs">Installing KDCs</a>
<li><a accesskey="2" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>
<li><a accesskey="3" href="#UNIX-Application-Servers">UNIX Application Servers</a>
</ul>

<div class="node">
<a name="Installing-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

</div>

<h3 class="section">4.1 Installing KDCs</h3>

<p>The Key Distribution Centers (KDCs) issue Kerberos tickets.  Each KDC
contains a copy of the Kerberos database.  The master KDC contains the
master copy of the database, which it propagates to the slave KDCs at
regular intervals.  All database changes (such as password changes) are
made on the master KDC.

<p>Slave KDCs provide Kerberos ticket-granting services, but not database
administration.  This allows clients to continue to obtain tickets when
the master KDC is unavailable.

<p>MIT recommends that you install all of your KDCs to be able
to function as either the master or one of the slaves.  This will enable
you to easily switch your master KDC with one of the slaves if
necessary.  (See <a href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>.)  This installation
procedure is based on that recommendation.

<ul class="menu">
<li><a accesskey="1" href="#Install-the-Master-KDC">Install the Master KDC</a>
<li><a accesskey="2" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>
<li><a accesskey="3" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>
<li><a accesskey="4" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>
<li><a accesskey="5" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>
<li><a accesskey="6" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>
<li><a accesskey="7" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>
<li><a accesskey="8" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>
</ul>

<div class="node">
<a name="Install-the-Master-KDC"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.1 Install the Master KDC</h4>

<p>This installation procedure will require you to go back and forth a
couple of times between the master KDC and each of the slave KDCs.  The
first few steps must be done on the master KDC.

<ul class="menu">
<li><a accesskey="1" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>
<li><a accesskey="2" href="#krb5_002econf">krb5.conf</a>
<li><a accesskey="3" href="#kdc_002econf">kdc.conf</a>
<li><a accesskey="4" href="#Create-the-Database">Create the Database</a>
<li><a accesskey="5" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>
<li><a accesskey="6" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>
<li><a accesskey="7" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>
<li><a accesskey="8" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>
</ul>

<div class="node">
<a name="Edit-the-Configuration-Files"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#krb5_002econf">krb5.conf</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.1 Edit the Configuration Files</h5>

<p>Modify the configuration files, <code>/etc/krb5.conf</code> and
<code>/usr/local/var/krb5kdc/kdc.conf</code> to reflect the correct
information (such as the hostnames and realm name) for your realm. 
MIT recommends that you keep <code>krb5.conf</code> in <code>/etc</code>.

<p>Most of the tags in the configuration have default values that will
work well for most sites.  There are some tags in the <code>krb5.conf</code>
file whose values must be specified, and this section will explain
those as well as give an overview of all of the sections in both
configuration files.  For more information on changing defaults with
the configuration files, see the Kerberos V5 System Administrator's
Guide sections on configuration files.

<div class="node">
<a name="krb5.conf"></a>
<a name="krb5_002econf"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#kdc_002econf">kdc.conf</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.2 krb5.conf</h5>

<p>The <code>krb5.conf</code> file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.  Normally,
you should install your <code>krb5.conf</code> file in the directory
<code>/etc</code>.  You can override the default location by setting the
environment variable &lsquo;<samp><span class="samp">KRB5_CONFIG</span></samp>&rsquo;.

<p>The <code>krb5.conf</code> file is set up in the style of a Windows INI file. 
Sections are headed by the section name, in square brackets.  Each
section may contain zero or more relations, of the form:

<pre class="smallexample">     foo = bar
</pre>
<p class="noindent">or

<pre class="smallexample">     fubar = {
             foo = bar
             baz = quux
     }
</pre>
<p>Placing a `*' at the end of a line indicates that this is the
<dfn>final</dfn> value for the tag.  This means that neither the remainder
of this configuration file nor any other configuration file will be
checked for any other values for this tag.

<p>For example, if you have the following lines:

<pre class="smallexample">     foo = bar*
     foo = baz
</pre>
<p>then the second value of foo (baz) would never be read.

<p>The <code>krb5.conf</code> file can include other files using either of the
following directives at the beginning of a line:

<pre class="smallexample">     include <var>FILENAME</var>
     includedir <var>DIRNAME</var>
</pre>
<p><var>FILENAME</var> or <var>DIRNAME</var> should be an absolute path.  The named
file or directory must exist and be readable.  Including a directory
includes all files within the directory whose names consist solely of
alphanumeric characters, dashes, or underscores.  Included profile files
are syntactically independent of their parents, so each included file
must begin with a section header.

<p>The <code>krb5.conf</code> file may contain any or all of the following
sections:

     <dl>
<dt><b>libdefaults</b><dd>Contains default values used by the Kerberos V5 library.

     <dt><b>login</b><dd>Contains default values used by the Kerberos V5 login program.

     <dt><b>appdefaults</b><dd>Contains default values that can be used by Kerberos V5 applications.

     <dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names.  Each subsection
describes realm-specific information, including where to find the
Kerberos servers for that realm.

     <dt><b>domain_realm</b><dd>Contains relations which map domain names and subdomains onto Kerberos
realm names.  This is used by programs to determine what realm a host
should be in, given its fully qualified domain name.

     <dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
logging.

     <dt><b>capaths</b><dd>Contains the authentication paths used with direct (nonhierarchical)
cross-realm authentication.  Entries in this section are used by the
client to determine the intermediate realms which may be used in
cross-realm authentication.  It is also used by the end-service when
checking the transited field for trusted intermediate realms.

     <dt><b>plugins</b><dd>Contains tags to register dynamic plugin modules and to turn modules on
and off.

</dl>

<p>If you are not using DNS TXT records, you must specify the
<code>default_realm</code> in the <code>libdefaults</code> section.  If you are not
using DNS SRV records, you must include the <code>kdc</code> tag for each
realm in the <code>realms</code> section.  To communicate with the kadmin
server in each realm, the <code>admin_server</code> tag must be set in the
<code>realms</code> section.  If your domain name and realm name are not the
same, you must provide a translation in <code>domain_realm</code>.  It is
also highly recommended that you create a <code>[logging]</code> stanza if
the computer will be functioning as a KDC so that the KDC and kadmind
will generate logging output.

<p>An example <code>krb5.conf</code> file:

<pre class="smallexample">     [libdefaults]
         default_realm = ATHENA.MIT.EDU
     
     [realms]
         ATHENA.MIT.EDU = {
             kdc = kerberos.mit.edu
             kdc = kerberos-1.mit.edu
             kdc = kerberos-2.mit.edu
             admin_server = kerberos.mit.edu
         }
     
     [logging]
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmin.log
         default = FILE:/var/log/krb5lib.log
</pre>
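<p>The profile format described above (sections, relations, nested subsections, the trailing <code>*</code> final-value marker and the <code>include</code>/<code>includedir</code> directives) together with the required-tag rules of the preceding paragraph, as an added example in Python; it is not code from the MIT Kerberos distribution or its profile library. The in-memory <code>fs</code> mapping that stands in for <samp><span class="file">/etc</span></samp>, the <code>Profile</code> and <code>check_kdc_config</code> names, and treating <code>#</code> and <code>;</code> as comment characters are assumptions.

```python
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
RELATION_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")
INCLUDEDIR_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # file names includedir accepts

class Profile:
    """sections[name] maps tag -> list of str values and/or dict subsections.
    `fs` is a constructed in-memory filesystem {absolute path: text} standing in
    for /etc so the example runs offline (an assumption, not a libkrb5 API)."""

    def __init__(self) -> None:
        self.sections: Dict[str, Dict] = {}
        self._final: set = set()  # tag paths already fixed by a trailing `*`

    def load(self, path: str, fs: Dict[str, str]) -> "Profile":
        if not path.startswith("/"):
            raise ValueError(f"profile path must be absolute: {path}")
        stack: List[Tuple[Tuple[str, ...], Dict]] = []  # open (tag path, node)
        for lineno, raw in enumerate(fs[path].splitlines(), 1):
            line = raw.strip()
            if not line or line[0] in "#;":  # assumption: # and ; begin comments
                continue
            if line.startswith("include "):
                self.load(line.split(None, 1)[1], fs)  # parsed with its own stack
                continue
            if line.startswith("includedir "):
                dirname = line.split(None, 1)[1].rstrip("/")
                for p in sorted(fs):
                    head, _, name = p.rpartition("/")
                    if head == dirname and INCLUDEDIR_NAME_RE.match(name):
                        self.load(p, fs)  # names with dots, tildes etc. are skipped
                continue
            m = SECTION_RE.match(line)
            if m:
                stack = [((m.group(1),), self.sections.setdefault(m.group(1), {}))]
                continue
            if line == "}":
                if len(stack) < 2:
                    raise ValueError(f"{path}:{lineno}: unmatched '}}'")
                stack.pop()
                continue
            m = RELATION_RE.match(line)
            if not m or not stack:  # every file must open with a section header
                raise ValueError(f"{path}:{lineno}: expected a section header, got {line!r}")
            tag, value = m.group(1), m.group(2).strip()
            parent_path, parent = stack[-1]
            tag_path = parent_path + (tag,)
            if value == "{":
                sub: Dict = {}
                parent.setdefault(tag, []).append(sub)
                stack.append((tag_path, sub))
            elif tag_path not in self._final:  # later values of a final tag are dropped
                if value.endswith("*"):
                    value = value[:-1].rstrip()
                    self._final.add(tag_path)
                parent.setdefault(tag, []).append(value)
        return self

    def values(self, section: str, *path: str) -> List[str]:
        node = self.sections.get(section, {})  # string values at section/path
        for key in path[:-1]:
            subs = [e for e in node.get(key, []) if isinstance(e, dict)]
            if not subs:
                return []
            node = subs[0]
        return [e for e in node.get(path[-1], []) if isinstance(e, str)]

def check_kdc_config(profile: Profile, dns_txt: bool = False,
                     dns_srv: bool = False, is_kdc: bool = True) -> List[str]:
    """The guide's 'must specify' rules for krb5.conf, returned as findings."""
    findings: List[str] = []
    if not dns_txt and not profile.values("libdefaults", "default_realm"):
        findings.append("libdefaults: default_realm is required without DNS TXT records")
    for realm in profile.sections.get("realms", {}):
        if not dns_srv and not profile.values("realms", realm, "kdc"):
            findings.append(f"realms/{realm}: a kdc tag is required without DNS SRV records")
        if not profile.values("realms", realm, "admin_server"):
            findings.append(f"realms/{realm}: admin_server is needed to reach kadmin")
    if is_kdc and "logging" not in profile.sections:
        findings.append("no [logging] stanza: krb5kdc and kadmind will log nothing")
    return findings

# Constructed sample files modelled on the guide's example; not a real site.
SAMPLE_FS = {
    "/etc/krb5.conf": """[libdefaults]
    default_realm = ATHENA.MIT.EDU*
    default_realm = EXAMPLE.COM
includedir /etc/krb5.conf.d
""",
    "/etc/krb5.conf.d/realms": """[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        admin_server = kerberos.mit.edu
    }
""",
    "/etc/krb5.conf.d/notes.txt": "not a profile file; the dot in its name excludes it\n",
}
```

<p>Against the sample, the second <code>default_realm</code> is discarded because the first carried the <code>*</code> marker, <samp><span class="file">notes.txt</span></samp> is skipped by <code>includedir</code>, and the only finding is the missing <code>[logging]</code> stanza.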
<div class="node">
<a name="kdc.conf"></a>
<a name="kdc_002econf"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Create-the-Database">Create the Database</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#krb5_002econf">krb5.conf</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.3 kdc.conf</h5>

<p>The <code>kdc.conf</code> file contains KDC configuration information,
including defaults used when issuing Kerberos tickets.  Normally, you
should install your <code>kdc.conf</code> file in the directory
<code>/usr/local/var/krb5kdc</code>.  You can override the default
location by setting the environment variable &lsquo;<samp><span class="samp">KRB5_KDC_PROFILE</span></samp>&rsquo;.

<p>The <code>kdc.conf</code> file is set up in the same format as the
<code>krb5.conf</code> file.  (See <a href="#krb5_002econf">krb5.conf</a>.)  The <code>kdc.conf</code> file
may contain any or all of the following three sections:

     <dl>
<dt><b>kdcdefaults</b><dd>Contains default values for overall behavior of the KDC.

     <br><dt><b>realms</b><dd>Contains subsections keyed by Kerberos realm names.  Each subsection
describes realm-specific information, including where to find the
Kerberos servers for that realm.

     <br><dt><b>logging</b><dd>Contains relations which determine how Kerberos programs are to perform
logging. 
</dl>

<div class="node">
<a name="Create-the-Database"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#kdc_002econf">kdc.conf</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.4 Create the Database</h5>

<p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to
create the Kerberos database and the optional stash file.  The
<dfn>stash file</dfn> is a local copy of the master key that resides in
encrypted form on the KDC's local disk.  The stash file is used to
authenticate the KDC to itself automatically before starting the
<code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the
machine's boot sequence).  The stash file, like the keytab file
(see <a href="#The-Keytab-File">The Keytab File</a>, for more information), is a potential
point of entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database.  If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk.  The file
should not be part of any backup of the machine, unless access to the
backup data is secured as tightly as access to the master password
itself.

<p>If you choose not to install a stash file, the KDC will prompt you for
the master key each time it starts up.  This means that the KDC will
not be able to start automatically, such as after a system reboot.

<p>Note that <code>kdb5_util</code> will prompt you for the master key for the
Kerberos database.  This key can be any string.  A good key is one you
can remember, but that no one else can guess.  Examples of bad keys are
words that can be found in a dictionary, any common or popular name,
especially a famous person (or cartoon character), your username in any
form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of
the sample keys that appear in this manual.  One example of a key which
might be good if it did not appear in this manual is &ldquo;MITiys4K5!&rdquo;,
which represents the sentence &ldquo;MIT is your source for Kerberos 5!&rdquo;
(It's the first letter of each word, substituting the numeral &ldquo;4&rdquo; for
the word &ldquo;for&rdquo;, and includes the punctuation mark at the end.)

<p>The following is an example of how to create a Kerberos database and
stash file on the master KDC, using the <code>kdb5_util</code> command.  (The
line that begins with &rArr; is a continuation of the previous line.) 
Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm.

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s
     <b>Initializing database '/usr/local/var/krb5kdc/principal' for
     &rArr; realm 'ATHENA.MIT.EDU',
     master key name 'K/M@ATHENA.MIT.EDU'
     You will be prompted for the database Master Password.
     It is important that you NOT FORGET this password.</b>
     <b>Enter KDC database master key:</b>  <i>&lt;= Type the master password.</i>
     <b>Re-enter KDC database master key to verify:</b>  <i>&lt;= Type it again.</i>
     <b>shell%</b>
</pre>
<p>This will create five files in the directory specified in your
<code>kdc.conf</code> file:  two Kerberos database files, <code>principal.db</code>,
and <code>principal.ok</code>; the Kerberos administrative database file,
<code>principal.kadm5</code>; the administrative database lock file,
<code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>.  (The
default directory is <code>/usr/local/var/krb5kdc</code>.)  If you do not
want a stash file, run the above command without the <code>-s</code> option.

<div class="node">
<a name="Add-Administrators-to-the-Acl-File"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Create-the-Database">Create the Database</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.5 Add Administrators to the Acl File</h5>

<p>Next, you need to create an Access Control List (acl) file, and put the
Kerberos principal of at least one of the administrators into it.  This
file is used by the <code>kadmind</code> daemon to control which principals
may view and make privileged modifications to the Kerberos database
files.  The filename should match the value you have set for
&ldquo;acl_file&rdquo; in your <code>kdc.conf</code> file.  The default file name is
&lsquo;<samp><span class="samp">/usr/local/var/krb5kdc/kadm5.acl</span></samp>&rsquo;.

<p>The format of the file is:

<pre class="smallexample">     Kerberos_principal      permissions     [target_principal]	[restrictions]
</pre>
<p>The Kerberos principal (and optional target principal) can include the
&ldquo;<b>*</b>&rdquo; wildcard, so if you want any principal with the instance
&ldquo;admin&rdquo; to have full permissions on the database, you could use the
principal &ldquo;<code>*/admin@REALM</code>&rdquo; where &ldquo;REALM&rdquo; is your Kerberos
realm.  <code>target_principal</code> can also include backreferences to
<code>Kerberos_principal</code>, in which "<b>*</b><i>number</i>" matches the
component <i>number</i> in the <code>Kerberos_principal</code>.

<p>Note:  a common use of an <i>admin</i> instance is so you can grant
separate permissions (such as administrator access to the Kerberos
database) to a separate Kerberos principal.  For example, the user
<code>joeadmin</code> might have a principal for his administrative
use, called <code>joeadmin/admin</code>.  This way,
<code>joeadmin</code> would obtain <code>joeadmin/admin</code>
tickets only when he actually needs to use those permissions.

<p>The permissions are represented by single letters; UPPER-CASE letters
represent negative permissions.  The permissions are:

     <dl>
<dt><b>a</b><dd>allows the addition of principals or policies in the database. 
<dt><b>A</b><dd>disallows the addition of principals or policies in the database. 
<dt><b>d</b><dd>allows the deletion of principals or policies in the database. 
<dt><b>D</b><dd>disallows the deletion of principals or policies in the database. 
<dt><b>m</b><dd>allows the modification of principals or policies in the database. 
<dt><b>M</b><dd>disallows the modification of principals or policies in the database. 
<dt><b>c</b><dd>allows the changing of passwords for principals in the database. 
<dt><b>C</b><dd>disallows the changing of passwords for principals in the database. 
<dt><b>i</b><dd>allows inquiries to the database. 
<dt><b>I</b><dd>disallows inquiries to the database. 
<dt><b>l</b><dd>allows the listing of principals or policies in the database. 
<dt><b>L</b><dd>disallows the listing of principals or policies in the database. 
<dt><b>s</b><dd>allows the explicit setting of the key for a principal. 
<dt><b>S</b><dd>disallows the explicit setting of the key for a principal. 
<dt><b>*</b><dd>All privileges (admcil). 
<dt><b>x</b><dd>All privileges (admcil); identical to &ldquo;*&rdquo;. 
</dl>

<p>The restrictions are a string of flags.  Allowed restrictions are:

     <dl>
<dt><b>[+ -]</b><i>flagname</i><dd>the flag is forced to the indicated value.  The permissible flags are the same
as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and
<code>modprinc</code> commands. 
<dt><b>-clearpolicy</b><dd>policy is forced to clear
<dt><b>-policy </b><i>pol</i><dd>policy is forced to be <i>pol</i>
<dt><b>expire </b><i>time</i><dt><b>pwexpire </b><i>time</i><dt><b>maxlife </b><i>time</i><dt><b>maxrenewlife </b><i>time</i><dd>associated value will be forced to MIN(<i>time</i>, requested value)
</dl>

<p>The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.

<p>Here is an example of a <code>kadm5.acl</code> file.  Note that order is
important; permissions are determined by the first matching entry.

<pre class="smallexample">     */admin@ATHENA.MIT.EDU  *
     joeadmin@ATHENA.MIT.EDU  ADMCIL
     joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
     *@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
     */*@ATHENA.MIT.EDU  i
     */admin@EXAMPLE.COM * -maxlife 9h -postdateable
</pre>
<p class="noindent">In the above file, any principal in the
ATHENA.MIT.EDU realm with an <code>admin</code> instance has all
administrative privileges.  The user <code>joeadmin</code>
has all permissions with his <code>admin</code> instance,
<code>joeadmin/admin@ATHENA.MIT.EDU</code> (matches the first
line).  He has no permissions at all with his <code>null</code> instance,
<code>joeadmin@ATHENA.MIT.EDU</code> (matches the second line). 
His root instance has <i>inquire</i> and <i>list</i> permissions with any
other principal that has the instance <code>root</code>.  Any principal
in ATHENA.MIT.EDU can inquire, list, or change the password of
their <code>admin</code> instance, but not any other <code>admin</code> instance. 
Any principal in the realm <code>ATHENA.MIT.EDU</code> (except for
<code>joeadmin@ATHENA.MIT.EDU</code>, as mentioned above) has
<i>inquire</i> privileges.  Finally, any principal with an admin instance
in EXAMPLE.COM has all permissions, but any principal that they
create or modify will not be able to get postdateable tickets or tickets
with a life of longer than 9 hours.
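<p>To make the matching rules above concrete, the following Python model (an added
illustration, not <code>kadmind</code>'s own ACL code and not part of this guide) evaluates
the example <code>kadm5.acl</code> file using exactly the rules this section states: the
first matching entry decides, <code>*</code> matches one component, <code>*</code><i>N</i>
in the target refers back to component <i>N</i> of the requesting principal, and
upper-case letters withdraw privileges.  It treats <code>*</code> and <code>x</code> as
&ldquo;admcil&rdquo; as listed above; the principals it checks are constructed test values.

```python
"""Model of kadm5.acl matching as the rules are given in this section.
Added illustration, not kadmind's own ACL code: first matching entry decides,
'*' matches one component, '*N' in the target refers back to component N of
the requesting principal, UPPER-CASE letters withdraw privileges."""
from dataclasses import dataclass, field
from typing import List, Optional

ALL_PRIVS = "admcil"  # what this section says "*" and "x" expand to

# Constructed copy of the example kadm5.acl shown in this section.
SAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU  *
joeadmin@ATHENA.MIT.EDU  ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
*/*@ATHENA.MIT.EDU  i
*/admin@EXAMPLE.COM * -maxlife 9h -postdateable
"""


@dataclass
class Entry:
    principal: str
    perms: str                      # privilege letters left after negatives are applied
    target: Optional[str] = None
    restrictions: List[str] = field(default_factory=list)


def split_principal(name: str):
    """'a/b@REALM' -> (['a', 'b'], 'REALM')."""
    primary, _, realm = name.partition("@")
    return primary.split("/"), realm


def parse_perms(spec: str) -> str:
    granted = set()
    for ch in spec:
        if ch in "*x":
            granted.update(ALL_PRIVS)
        elif ch.islower():
            granted.add(ch)
        else:                       # UPPER-CASE letter: negative permission
            granted.discard(ch.lower())
    return "".join(sorted(granted))


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        principal, perms, rest = fields[0], parse_perms(fields[1]), fields[2:]
        # Optional third field is the target principal; restrictions begin with '-'.
        target = rest.pop(0) if rest and not rest[0].startswith("-") else None
        entries.append(Entry(principal, perms, target, rest))
    return entries


def match(pattern: str, name: str, backrefs: Optional[List[str]] = None) -> bool:
    """Component-wise match; `backrefs` enables '*N' in target patterns."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if len(pcomps) != len(ncomps) or prealm not in ("*", nrealm):
        return False
    for pc, nc in zip(pcomps, ncomps):
        if pc == "*":
            continue
        if backrefs is not None and len(pc) == 2 and pc[0] == "*" and pc[1].isdigit():
            idx = int(pc[1]) - 1   # '*1' is the first component of the requester
            if not (0 <= idx < len(backrefs) and backrefs[idx] == nc):
                return False
        elif pc != nc:
            return False
    return True


def lookup(entries: List[Entry], principal: str,
           target: Optional[str] = None) -> Optional[Entry]:
    """Return the first matching entry; later entries are never consulted."""
    comps, _ = split_principal(principal)
    for e in entries:
        if not match(e.principal, principal):
            continue
        # An entry with a target applies only to requests naming a matching target.
        if e.target is not None and (
                target is None or not match(e.target, target, backrefs=comps)):
            continue
        return e
    return None


def check(entries: List[Entry], principal: str, op: str,
          target: Optional[str] = None) -> bool:
    """True if privilege letter `op` is granted to `principal` (on `target`)."""
    e = lookup(entries, principal, target)
    return e is not None and op in e.perms
```

Because the first match wins, <code>joeadmin@ATHENA.MIT.EDU</code> is stopped by the
all-negative second line even though the later <code>*/*</code> line would otherwise
grant inquire; reordering the file changes the outcome.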

<div class="node">
<a name="Add-Administrators-to-the-Kerberos-Database"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.6 Add Administrators to the Kerberos Database</h5>

<p>Next you need to add administrative principals to the Kerberos database. 
(You must add at least one now.)  To do this, use <code>kadmin.local</code>
<em>on the master KDC</em>.  The administrative principals you create
should be the ones you added to the ACL file.  (See <a href="#Add-Administrators-to-the-Acl-File">Add Administrators to the Acl File</a>.)  In the following example, the
administration principal <code>admin/admin</code> is created:

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/kadmin.local
     <b>kadmin.local:</b> addprinc admin/admin@ATHENA.MIT.EDU
     <b>NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU";
     assigning "default".</b>
     <b>Enter password for principal admin/admin@ATHENA.MIT.EDU:</b>  <i>&lt;= Enter a password.</i>
     Re-enter password for principal admin/admin@ATHENA.MIT.EDU:  <i>&lt;= Type it again.</i>
     <b>Principal "admin/admin@ATHENA.MIT.EDU" created.
     kadmin.local:</b>
</pre>
<div class="node">
<a name="Create-a-kadmind-Keytab-(optional)"></a>
<a name="Create-a-kadmind-Keytab-_0028optional_0029"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Add-Administrators-to-the-Kerberos-Database">Add Administrators to the Kerberos Database</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.7 Create a kadmind Keytab (optional)</h5>

<p>The kadmind keytab is the key that the legacy administration daemons
<code>kadmind4</code> and <code>v5passwdd</code> will use to decrypt
administrators' or clients' Kerberos tickets to determine whether or
not they should have access to the database.  You need to create the
kadmin keytab with entries for the principals <code>kadmin/admin</code> and
<code>kadmin/changepw</code>.  (These principals are placed in the Kerberos
database automatically when you create it.)  To create the kadmin
keytab, run <code>kadmin.local</code> and use the <code>ktadd</code> command, as
in the following example.  (The line beginning with &rArr; is a
continuation of the previous line.):

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/kadmin.local
     <b>kadmin.local:</b> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
     &rArr; kadmin/admin kadmin/changepw
     <b> Entry for principal kadmin/admin with kvno 5, encryption
     	type Triple DES cbc mode with HMAC/sha1 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode
     	with CRC-32 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/changepw with kvno 5, encryption
     	type Triple DES cbc mode with HMAC/sha1 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     Entry for principal kadmin/changepw with kvno 5,
     	encryption type DES cbc mode with CRC-32 added to keytab
     	WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.
     kadmin.local:</b> quit
     <b>shell%</b>
</pre>
<p class="noindent">As specified in the &lsquo;<samp><span class="samp">-k</span></samp>&rsquo; argument, <code>ktadd</code> will save the
extracted keytab as <code>/usr/local/var/krb5kdc/kadm5.keytab</code>. 
The filename you use must be the one specified in your <code>kdc.conf</code>
file.

<div class="node">
<a name="Start-the-Kerberos-Daemons"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Master-KDC">Install the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.1.8 Start the Kerberos Daemons on the Master KDC</h5>

<p>At this point, you are ready to start the Kerberos daemons on the Master
KDC.  To do so, type:

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/krb5kdc
     <b>shell%</b> /usr/local/sbin/kadmind
</pre>
<p class="noindent">Each daemon will fork and run in the background.  Assuming you want
these daemons to start up automatically at boot time, you can add them
to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file.  You need to
have a stash file in order to do this.

<p>You can verify that they started properly by checking for their startup
messages in the logging locations you defined in <code>/etc/krb5.conf</code>. 
(See <a href="#Edit-the-Configuration-Files">Edit the Configuration Files</a>.)  For example:

<pre class="smallexample">     <b>shell%</b> tail /var/log/krb5kdc.log
     Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
     <b>shell%</b> tail /var/log/kadmin.log
     Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
</pre>
<p>Any errors the daemons encounter while starting will also be listed in
the logging output.

<div class="node">
<a name="Install-the-Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Install-the-Master-KDC">Install the Master KDC</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.2 Install the Slave KDCs</h4>

<p>You are now ready to start configuring the slave KDCs.  Assuming you are
setting the KDCs up so that you can easily switch the master KDC with
one of the slaves, you should perform each of these steps on the master
KDC as well as the slave KDCs, unless these instructions specify
otherwise.

<ul class="menu">
<li><a accesskey="1" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>
<li><a accesskey="2" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>
<li><a accesskey="3" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>
</ul>

<div class="node">
<a name="Create-Host-Keys-for-the-Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

</div>

<h5 class="subsubsection">4.1.2.1 Create Host Keys for the Slave KDCs</h5>

<p>Each KDC needs a host principal in the Kerberos database.  You can enter
these from any host, once the <code>kadmind</code> daemon is running.  For
example, if your master KDC were called
kerberos.mit.edu, and you had two KDC slaves
named kerberos-1.mit.edu and
kerberos-2.mit.edu, you would type the following:

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/kadmin
     <b>kadmin:</b> addprinc -randkey host/kerberos.mit.edu
     <b>NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU";
     assigning "default"
     Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
     kadmin:</b> addprinc -randkey host/kerberos-1.mit.edu
     <b>NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU";
     assigning "default"
     Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</b>
     <b>kadmin:</b> addprinc -randkey host/kerberos-2.mit.edu
     <b>NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU";
     assigning "default"
     Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created.
     kadmin:</b>
</pre>
<p class="noindent">It is not actually necessary to have the master KDC server in the
Kerberos database, but it can be handy if:

     <ul>
<li>anyone will be logging into the machine as something other than root

     <li>you want to be able to swap the master KDC with one of the slaves if
necessary. 
</ul>

<div class="node">
<a name="Extract-Host-Keytabs-for-the-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">Set Up the Slave KDCs for Database Propagation</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

</div>

<h5 class="subsubsection">4.1.2.2 Extract Host Keytabs for the KDCs</h5>

<p>Each KDC (including the master) needs a keytab to decrypt tickets. 
Ideally, you should extract each keytab locally on its own KDC.  If this
is not feasible, you should use an encrypted session to send them across
the network.  To extract a keytab on a KDC called
kerberos.mit.edu, you would execute the following
command:

<pre class="smallexample">     <b>kadmin:</b> ktadd host/kerberos.mit.edu
     <b>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with
          kvno 1, encryption type DES-CBC-CRC added to keytab
          WRFILE:/etc/krb5.keytab.
     kadmin:</b>
</pre>
<p class="noindent">Note that the principal must exist in the Kerberos database in order to
extract the keytab.

<div class="node">
<a name="Set-Up-the-Slave-KDCs-for-Database-Propagation"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Extract-Host-Keytabs-for-the-KDCs">Extract Host Keytabs for the KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>

</div>

<h5 class="subsubsection">4.1.2.3 Set Up the Slave KDCs for Database Propagation</h5>

<p>The database is propagated from the master KDC to the slave KDCs via the
<code>kpropd</code> daemon.  To set up propagation, create a file on each KDC,
named <code>/usr/local/var/krb5kdc/kpropd.acl</code>, containing the
principals for each of the KDCs. 
For example, if the master KDC were
<code>kerberos.mit.edu</code>, the slave KDCs were
<code>kerberos-1.mit.edu</code> and
<code>kerberos-2.mit.edu</code>, and the realm were
<code>ATHENA.MIT.EDU</code>, then the file's contents would be:

<pre class="smallexample">     host/kerberos.mit.edu@ATHENA.MIT.EDU
     host/kerberos-1.mit.edu@ATHENA.MIT.EDU
     host/kerberos-2.mit.edu@ATHENA.MIT.EDU
</pre>
<p>Then, add the following line to the <code>/etc/inetd.conf</code> file on each KDC:

<pre class="smallexample">     krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
</pre>
<p class="noindent">You also need to add the following lines to <code>/etc/services</code> on each
KDC:

<pre class="smallexample">     kerberos        88/udp      kdc       # Kerberos authentication (udp)
     kerberos        88/tcp      kdc       # Kerberos authentication (tcp)
     krb5_prop       754/tcp               # Kerberos slave propagation
     kerberos-adm    749/tcp               # Kerberos 5 admin/changepw (tcp)
     kerberos-adm    749/udp               # Kerberos 5 admin/changepw (udp)
</pre>
<div class="node">
<a name="Back-on-the-Master-KDC"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Install-the-Slave-KDCs">Install the Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.3 Back on the Master KDC</h4>

<p>Now that the slave KDCs are able to accept database propagation, you'll
need to propagate the database to each of them.

<ul class="menu">
<li><a accesskey="1" href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>
</ul>

<div class="node">
<a name="Propagate-the-Database-to-Each-Slave-KDC"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>

</div>

<h5 class="subsubsection">4.1.3.1 Propagate the Database to Each Slave KDC</h5>

<p>First, create a dump of the database on the master KDC, as follows:

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
     <b>shell%</b>
</pre>
<p>Next, you need to manually propagate the database to each slave KDC, as
in the following example.  (The lines beginning with &rArr; are
continuations of the previous line.):

<pre class="smallexample">     /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
     &rArr; kerberos-1.mit.edu
     /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans
     &rArr; kerberos-2.mit.edu
</pre>
<p>You will need a script to dump and propagate the database.  The
following is an example of a Bourne shell script that will do this. 
(Note that the line that begins with &rArr; is a continuation of the
previous line.  Remember that you need to replace /usr/local with
the name of the directory in which you installed Kerberos V5.)

<pre class="smallexample">     #!/bin/sh
     
     # Slave KDCs that receive the database (no spaces around '=' in sh).
     kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"
     
     # Dump the database to the transfer file; stop rather than propagate
     # a stale or partial dump if this step fails.
     /usr/local/sbin/kdb5_util dump
     &rArr; /usr/local/var/krb5kdc/slave_datatrans || exit 1
     
     # Push the dump to each slave KDC in turn.
     for kdc in $kdclist
     do
     /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
     done
</pre>
<p class="noindent">You will need to set up a cron job to run this script at the intervals
you decided on earlier (See <a href="#Database-Propagation">Database Propagation</a>.)

<div class="node">
<a name="Finish-Installing-the-Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Back-on-the-Master-KDC">Back on the Master KDC</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.4 Finish Installing the Slave KDCs</h4>

<p>Now that the slave KDCs have copies of the Kerberos database, you can
create stash files for them and start the <code>krb5kdc</code> daemon.

<ul class="menu">
<li><a accesskey="1" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>
<li><a accesskey="2" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>
</ul>

<div class="node">
<a name="Create-Stash-Files-on-the-Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Start-the-krb5kdc-Daemon-on-Each-KDC">Start the krb5kdc Daemon on Each KDC</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

</div>

<h5 class="subsubsection">4.1.4.1 Create Stash Files on the Slave KDCs</h5>

<p>Create stash files, by issuing the following commands on each slave KDC:

<pre class="smallexample">     <b>shell%</b> kdb5_util stash
     <b>kdb5_util: Cannot find/read stored master key while reading master key
     kdb5_util: Warning: proceeding without master key</b>
     <b>Enter KDC database master key:</b>  <i>&lt;= Enter the database master key.</i>
     <b>shell%</b>
</pre>
<p>As mentioned above, the stash file is necessary for your KDCs to be able
to authenticate to themselves, such as when they reboot.  You could run
your KDCs without stash files, but you would then need to type in the
Kerberos database master key by hand every time you start a KDC daemon.

<div class="node">
<a name="Start-the-krb5kdc-Daemon-on-Each-KDC"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Create-Stash-Files-on-the-Slave-KDCs">Create Stash Files on the Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>

</div>

<h5 class="subsubsection">4.1.4.2 Start the krb5kdc Daemon on Each KDC</h5>

<p>The final step in configuring your slave KDCs is to run the KDC daemon:

<pre class="smallexample">     <b>shell%</b> /usr/local/sbin/krb5kdc
</pre>
<p>As with the master KDC, you will probably want to add this command to
the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will
start the krb5kdc daemon automatically at boot time.

<div class="node">
<a name="Add-Kerberos-Principals-to-the-Database"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Finish-Installing-the-Slave-KDCs">Finish Installing the Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.5 Add Kerberos Principals to the Database</h4>

<p>Once your KDCs are set up and running, you are ready to use
<code>kadmin</code> to load principals for your users, hosts, and other
services into the Kerberos database.  This procedure is described fully in the
&ldquo;Adding or Modifying Principals&rdquo; section of the Kerberos V5 System
Administrator's Guide.  (See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a>, for a
brief description.)  The keytab is generated by running <code>kadmin</code>
and issuing the <code>ktadd</code> command.

<div class="node">
<a name="Limit-Access-to-the-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Add-Kerberos-Principals-to-the-Database">Add Kerberos Principals to the Database</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.6 Limit Access to the KDCs</h4>

<p>To limit the possibility that your Kerberos database could be
compromised, MIT recommends that each KDC be a dedicated
host, with limited access.  If your KDC is also a file server, FTP
server, Web server, or even just a client machine, someone who obtained
root access through a security hole in any of those areas could gain
access to the Kerberos database.

<div class="node">
<a name="Switching-Master-and-Slave-KDCs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Limit-Access-to-the-KDCs">Limit Access to the KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.7 Switching Master and Slave KDCs</h4>

<p>You may occasionally want to use one of your slave KDCs as the master. 
This might happen if you are upgrading the master KDC, or if your master
KDC has a disk crash.

<p>Assuming you have configured all of your KDCs to be able to function as
either the master KDC or a slave KDC (as this document recommends), all
you need to do to make the changeover is:

<p>If the master KDC is still running, do the following on the <em>old</em>
master KDC:

     <ol type=1 start=1>
<li>Kill the <code>kadmind</code> process.

     <li>Disable the cron job that propagates the database.

     <li>Run your database propagation script manually, to ensure that the slaves
all have the latest copy of the database.  (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.)  If there is a need to preserve per-principal
policy information from the database, you should do a &ldquo;kdb5_util dump
-ov&rdquo; in order to preserve that information and propagate that dump file
securely by some means to the slave so that its database has the correct
state of the per-principal policy information.
     </ol>

<p>On the <em>new</em> master KDC:

     <ol type=1 start=1>
<li>Create a database keytab.  (See <a href="#Create-a-kadmind-Keytab-_0028optional_0029">Create a kadmind Keytab (optional)</a>.)

     <li>Start the <code>kadmind</code> daemon.  (See <a href="#Start-the-Kerberos-Daemons">Start the Kerberos Daemons</a>.)

     <li>Set up the cron job to propagate the database.  (See <a href="#Propagate-the-Database-to-Each-Slave-KDC">Propagate the Database to Each Slave KDC</a>.)

     <li>Switch the CNAMEs of the old and new master KDCs.  (If you don't do
this, you'll need to change the <code>krb5.conf</code> file on every client
machine in your Kerberos realm.)

     </ol>

<div class="node">
<a name="Incremental-Database-Propagation"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Switching-Master-and-Slave-KDCs">Switching Master and Slave KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-KDCs">Installing KDCs</a>

</div>

<h4 class="subsection">4.1.8 Incremental Database Propagation</h4>

<p>At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
master KDC to the slave KDCs.  The incremental propagation support
added in the 1.7 release is intended to address this.

<p>With incremental propagation enabled, all programs on the master KDC
that change the database also write information about the changes to
an &ldquo;update log&rdquo; file, maintained as a circular buffer of a certain
size.  A process on each slave KDC connects to a service on the master
KDC (currently implemented in the <code>kadmind</code> server) and
periodically requests the changes that have been made since the last
check.  By default, this check is done every two minutes.  If the
database has just been modified in the previous several seconds
(currently the threshold is hard-coded at 10 seconds), the slave will
not retrieve updates, but instead will pause and try again soon after. 
This reduces the likelihood that incremental update queries will cause
delays for an administrator trying to make a bunch of changes to the
database at the same time.

<p>Incremental propagation uses the following entries in the per-realm
data in the KDC config file:

     <dl>
<dt><code>iprop_enable</code> (boolean)<dd>If this is set to <code>true</code>, then incremental propagation is
enabled, and (as noted below) normal <code>kprop</code> propagation is
disabled.  The default is <code>false</code>.

     <br><dt><code>iprop_master_ulogsize</code> (integer)<dd>This indicates the number of entries that should be retained in the
update log.  The default is 1000; the maximum number is 2500.

     <br><dt><code>iprop_slave_poll</code> (time interval)<dd>This indicates how often the slave should poll the master KDC for
changes to the database.  The default is two minutes.

     <br><dt><code>iprop_port</code> (integer)<dd>This specifies the port number to be used for incremental
propagation.  This is required in both master and slave configuration
files.

     <br><dt><code>iprop_logfile</code> (file name)<dd>This specifies where the update log file for the realm database is to
be stored.  The default is to use the <code>database_name</code> entry from
the <code>realms</code> section of the config file, with <samp><span class="file">.ulog</span></samp> appended. 
(NOTE: If <code>database_name</code> isn't specified in the <code>realms</code>
section, perhaps because the LDAP database back end is being used, or
the file name is specified in the <code>dbmodules</code> section, then the
hard-coded default for <code>database_name</code> is used.  Determination of
the <code>iprop_logfile</code> default value will not use values from the
<code>dbmodules</code> section.) 
</dl>
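<p>These entries sit inside the realm's stanza of <code>kdc.conf</code>.  The following
stanza is an added illustration, not a fragment from this guide: the port number,
paths and realm are assumed values, and <code>iprop_port</code> must be present and
identical on the master and every slave.

```ini
[realms]
    ATHENA.MIT.EDU = {
        database_name = /usr/local/var/krb5kdc/principal
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        # Incremental propagation.  Turning it on disables kprop-driven
        # propagation except for the one-time fall-back dump used when the
        # update log has wrapped past the slave's last retrieved entry.
        iprop_enable = true
        # Required in both master and slave configuration files.
        # 750 is an assumed value; use any free port agreed on both sides.
        iprop_port = 750
        # Master side: entries kept in the circular update log (maximum 2500).
        iprop_master_ulogsize = 1000
        # Slave side: how often kpropd asks the master for changes.
        iprop_slave_poll = 2m
        # Default is database_name with .ulog appended; set explicitly here
        # so the file location does not depend on the dbmodules section.
        iprop_logfile = /usr/local/var/krb5kdc/principal.ulog
    }
```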

<p>Both master and slave sides must have principals named
<code>kiprop/</code><var>hostname</var> (where <var>hostname</var> is, as usual, the
lower-case, fully-qualified, canonical name for the host) registered
and keys stored in the default keytab file (<samp><span class="file">/etc/krb5.keytab</span></samp>). 

<p>On the master KDC side, the <code>kiprop/</code><var>hostname</var> principal
must be listed in the <code>kadmind</code> ACL file <code>kadm5.acl</code>, and
given the <code>p</code> privilege.

<p>On the slave KDC side, <code>kpropd</code> should be run.  When incremental
propagation is enabled, it will connect to the <code>kadmind</code> on the
master KDC and start requesting updates.

<p>The normal <code>kprop</code> mechanism is disabled by the incremental
propagation support.  However, if the slave has been unable to fetch
changes from the master KDC for too long (network problems, perhaps),
the log on the master may wrap around and overwrite some of the
updates that the slave has not yet retrieved.  In this case, the slave
will instruct the master KDC to dump the current database out to a
file and invoke a one-time <code>kprop</code> propagation, with special
options to also convey the point in the update log at which the slave
should resume fetching incremental updates.  Thus, all the keytab and
ACL setup previously described for <code>kprop</code> propagation is still
needed.
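<p>As an added example (not part of the MIT guide), the following shell helpers produce the <code>kiprop/</code><var>hostname</var> principal names, the <code>kadm5.acl</code> entry and the <code>kadmin</code> commands for the setup just described, and extract the <code>iprop_port</code> that both sides' <code>kdc.conf</code> must carry; the hostnames and realm are placeholders, and the keytab and ACL paths are assumptions for this installation.

```shell
#!/bin/sh
# Added example, not part of the MIT guide: helpers for the kiprop setup.
# Hostnames and realm are placeholders; /etc/krb5.keytab and the kadm5.acl
# location are assumptions for the installation being configured.
set -eu

# A kiprop/HOSTNAME principal must use the lower-case, fully-qualified,
# canonical hostname.  Exit status only: 0 when the name has that shape.
is_canonical_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;                                  # empty or malformed
        *[!abcdefghijklmnopqrstuvwxyz0123456789.-]*) return 1 ;;   # upper case, '_', blanks
        *.*) return 0 ;;                                           # has a domain part
        *) return 1 ;;                                             # unqualified short name
    esac
}

# Print the kiprop principal for HOST in REALM, e.g. kiprop/kdc2.example.com@EXAMPLE.COM
kiprop_principal() {
    is_canonical_fqdn "$1" || { echo "kiprop: '$1' is not a lower-case FQDN" >&2; return 1; }
    printf 'kiprop/%s@%s\n' "$1" "$2"
}

# Print the kadm5.acl line that gives the slave's kiprop principal the 'p'
# (propagation) privilege on the master's kadmind.
kiprop_acl_line() {
    local princ
    princ=$(kiprop_principal "$1" "$2") || return 1
    printf '%s p\n' "$princ"
}

# Print the kadmin commands that create HOST's kiprop principal with a random
# key and store that key in the default keytab of the machine kadmin runs on.
kiprop_kadmin_commands() {
    local princ
    princ=$(kiprop_principal "$1" "$2") || return 1
    printf 'addprinc -randkey %s\n' "$princ"
    printf 'ktadd -k /etc/krb5.keytab %s\n' "$princ"
}

# Extract iprop_port from a kdc.conf; the setting is required on both sides.
# Prints the port, or fails when it is absent or not a valid port number.
iprop_port_from_conf() {
    local port
    port=$(sed -n 's/^[[:space:]]*iprop_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$port" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Usage: kiprop_setup.sh MASTER_FQDN SLAVE_FQDN REALM   (prints what to run where)
if [ $# -eq 3 ]; then
    master=$1; slave=$2; realm=$3
    kiprop_principal "$master" "$realm" >/dev/null   # validate both names first
    kiprop_principal "$slave" "$realm" >/dev/null
    echo "# on the master ($master), in kadmin.local:"
    kiprop_kadmin_commands "$master" "$realm"
    printf 'addprinc -randkey %s\n' "$(kiprop_principal "$slave" "$realm")"
    echo "# append to the master's kadm5.acl:"
    kiprop_acl_line "$slave" "$realm"
    echo "# on the slave ($slave), in kadmin authenticated as an admin principal:"
    printf 'ktadd -k /etc/krb5.keytab %s\n' "$(kiprop_principal "$slave" "$realm")"
fi
```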

<p>There are several known bugs and restrictions in the current
implementation:
     <ul>
<li>The &ldquo;call out to <code>kprop</code>&rdquo; mechanism is a bit fragile; if the
<code>kprop</code> propagation fails to connect for some reason, the process
on the slave may hang waiting for it, and will need to be restarted. 
<li>The master and slave must be able to initiate TCP connections in both
directions, without an intervening NAT.  They must also be able to
communicate over IPv4, since MIT's kprop and RPC code does not
currently support IPv6. 
</ul>

<ul class="menu">
<li><a accesskey="1" href="#Sun_002fMIT-Incremental-Propagation-Differences">Sun/MIT Incremental Propagation Differences</a>
</ul>

<div class="node">
<a name="Sun%2fMIT-Incremental-Propagation-Differences"></a>
<a name="Sun_002fMIT-Incremental-Propagation-Differences"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Incremental-Database-Propagation">Incremental Database Propagation</a>

</div>

<h5 class="subsubsection">4.1.8.1 Sun/MIT Incremental Propagation Differences</h5>

<p>Sun donated the original code for supporting incremental database
propagation to MIT.  Some changes have been made in the MIT source
tree that will be visible to administrators.  (These notes are based
on Sun's patches.  Changes to Sun's implementation since then may not
be reflected here.)

<p>The Sun config file support looks for <code>sunw_dbprop_enable</code>,
<code>sunw_dbprop_master_ulogsize</code>, and <code>sunw_dbprop_slave_poll</code>.

<p>The incremental propagation service is implemented as an ONC RPC
service.  In the Sun implementation, the service is registered with
<code>rpcbind</code> (also known as <code>portmapper</code>) and the client looks
up the port number to contact.  In the MIT implementation, where
interaction with some modern versions of <code>rpcbind</code> doesn't always
work well, the port number must be specified in the config file on
both the master and slave sides.

<p>The Sun implementation hard-codes pathnames in <samp><span class="file">/var/krb5</span></samp> for
the update log and the per-slave <code>kprop</code> dump files.  In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per-slave dump files are stored in
<code>/usr/local/var/krb5kdc/slave_datatrans_</code><var>hostname</var>.

<div class="node">
<a name="Installing-and-Configuring-UNIX-Client-Machines"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#UNIX-Application-Servers">UNIX Application Servers</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-KDCs">Installing KDCs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

</div>

<h3 class="section">4.2 Installing and Configuring UNIX Client Machines</h3>

<p>Client machine installation is much more straightforward than
installation of the KDCs.

<ul class="menu">
<li><a accesskey="1" href="#Client-Programs">Client Programs</a>
<li><a accesskey="2" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>
</ul>

<div class="node">
<a name="Client-Programs"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

</div>

<h4 class="subsection">4.2.1 Client Programs</h4>

<p>The Kerberized client programs are <code>kinit</code>, <code>klist</code>,
<code>kdestroy</code>, <code>kpasswd</code>, and <code>ksu</code>.  All of these programs
are in the directory <code>/usr/local/bin</code>.

<p>MIT recommends that you use <code>login.krb5</code> in place of
<code>/bin/login</code> to give your users a single-sign-on system.  You will
need to make sure your users know to use their Kerberos passwords when
they log in.

<p>You will also need to educate your users to use the ticket management
programs <code>kinit</code>, <code>klist</code>, <code>kdestroy</code>, and to use the
Kerberos programs <code>ksu</code> and <code>kpasswd</code> in place of their
non-Kerberos counterparts <code>su</code> and <code>passwd</code>.

<div class="node">
<a name="Client-Machine-Configuration-Files"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Client-Programs">Client Programs</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>

</div>

<h4 class="subsection">4.2.2 Client Machine Configuration Files</h4>

<p>Each machine running Kerberos must have a <code>/etc/krb5.conf</code> file. 
(See <a href="#krb5_002econf">krb5.conf</a>.)

<p>Also, for most UNIX systems, you must add the appropriate Kerberos
services to each client machine's <code>/etc/services</code> file.  If you are
using the default configuration for Kerberos V5, you should be able
to just insert the following code:

<pre class="smallexample">     kerberos      88/udp    kdc    # Kerberos V5 KDC
     kerberos      88/tcp    kdc    # Kerberos V5 KDC
     kerberos-adm  749/tcp          # Kerberos 5 admin/changepw
     kerberos-adm  749/udp          # Kerberos 5 admin/changepw
     krb5_prop     754/tcp          # Kerberos slave propagation
     krb524        4444/tcp         # Kerberos 5 to 4 ticket translator
</pre>
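<p>The following check, added here and not part of the MIT guide, verifies that a services file carries the entries listed above and flags names that are present but bound to a different port; the expected list is the guide's default configuration, and the file to check is a parameter so a copy can be tested.

```shell
#!/bin/sh
# Added example, not part of the MIT guide: check a services file for the
# Kerberos V5 entries from the guide's default configuration.
set -eu

# name port/proto, one per line, as listed in the guide
KRB5_SERVICES='kerberos 88/udp
kerberos 88/tcp
kerberos-adm 749/tcp
kerberos-adm 749/udp
krb5_prop 754/tcp
krb524 4444/tcp'

# Print the port/proto that FILE binds NAME to for protocol PROTO, matching
# the service name or any of its aliases; prints nothing when there is none.
service_port() {
    local file="$1" name="$2" proto="$3"
    sed 's/#.*//' "$file" | awk -v n="$name" -v p="$proto" '
        $2 ~ ("/" p "$") { for (i = 1; i <= NF; i++) if (i != 2 && $i == n) { print $2; exit } }'
}

# Print one line per problem ("missing NAME PORT/PROTO" or
# "conflict NAME WANT found GOT"); prints nothing when everything is present.
check_krb5_services() {
    local file="$1" name want proto got
    printf '%s\n' "$KRB5_SERVICES" | while read -r name want; do
        proto=${want#*/}
        got=$(service_port "$file" "$name" "$proto")
        if [ -z "$got" ]; then
            echo "missing $name $want"
        elif [ "$got" != "$want" ]; then
            echo "conflict $name $want found $got"
        fi
    done
}

# Exit 0 only when FILE needs no changes.
krb5_services_ok() {
    [ -z "$(check_krb5_services "$1")" ]
}

# Usage: check_services.sh [/etc/services]
if [ $# -gt 0 ]; then
    check_krb5_services "$1"
    if krb5_services_ok "$1"; then echo "all Kerberos V5 entries present"; else exit 1; fi
fi
```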
<ul class="menu">
<li><a accesskey="1" href="#Mac-OS-X-Configuration">Mac OS X Configuration</a>
</ul>

<div class="node">
<a name="Mac-OS-X-Configuration"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Client-Machine-Configuration-Files">Client Machine Configuration Files</a>

</div>

<h5 class="subsubsection">4.2.2.1 Mac OS X Configuration</h5>

<p>To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the
directions for generic Unix-based operating systems, except for the
<code>/etc/services</code> updates described above.

<p>Mac OS X and Mac OS X Server use a database called NetInfo to store
the contents of files normally found in <code>/etc</code>.  Instead of
modifying <code>/etc/services</code>, you should run the following commands
to add the Kerberos service entries to NetInfo:

<pre class="smallexample">     $ niutil -create . /services/kerberos
     $ niutil -createprop . /services/kerberos name kerberos kdc
     $ niutil -createprop . /services/kerberos port 750
     $ niutil -createprop . /services/kerberos protocol tcp udp
     $ niutil -create . /services/krbupdate
     $ niutil -createprop . /services/krbupdate name krbupdate kreg
     $ niutil -createprop . /services/krbupdate port 760
     $ niutil -createprop . /services/krbupdate protocol tcp
     $ niutil -create . /services/kpasswd
     $ niutil -createprop . /services/kpasswd name kpasswd kpwd
     $ niutil -createprop . /services/kpasswd port 761
     $ niutil -createprop . /services/kpasswd protocol tcp
     $ niutil -create . /services/klogin
     $ niutil -createprop . /services/klogin port 543
     $ niutil -createprop . /services/klogin protocol tcp
     $ niutil -create . /services/eklogin
     $ niutil -createprop . /services/eklogin port 2105
     $ niutil -createprop . /services/eklogin protocol tcp
     $ niutil -create . /services/kshell
     $ niutil -createprop . /services/kshell name kshell krcmd
     $ niutil -createprop . /services/kshell port 544
     $ niutil -createprop . /services/kshell protocol tcp
</pre>
<p>In addition to adding services to NetInfo, you must also modify the
resolver configuration in NetInfo so that the machine resolves its own
hostname as a FQDN (fully qualified domain name).  By default, Mac OS X
and Mac OS X Server machines query NetInfo to resolve hostnames before
falling back to DNS.  Because NetInfo has an unqualified name for all
the machines in the NetInfo database, the machine's own hostname will
resolve to an unqualified name.  Kerberos needs a FQDN to look up keys
in the machine's keytab file.

<p>Fortunately, you can change the <code>lookupd</code> caching order to query
DNS first.  Run the following NetInfo commands and reboot the machine:

<pre class="smallexample">     $ niutil -create . /locations/lookupd/hosts
     $ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent NIAgent NILAgent
</pre>
<p>Once you have rebooted, you can verify that the resolver now behaves
correctly.  Compile the Kerberos 5 distribution and run:

<pre class="smallexample">     $ cd .../src/tests/resolve
     $ ./resolve
</pre>
<p>This will tell you whether or not your machine returns FQDNs on name
lookups.  If the test still fails, you can also try turning off DNS
caching.  Run the following commands and reboot:

<pre class="smallexample">     $ niutil -create . /locations/lookupd/hosts
     $ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent CacheAgent NIAgent NILAgent
</pre>
<p>The remainder of the setup of a Mac OS X client machine or application
server should be the same as for other UNIX-based systems.

<div class="node">
<a name="UNIX-Application-Servers"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-and-Configuring-UNIX-Client-Machines">Installing and Configuring UNIX Client Machines</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>

</div>

<h3 class="section">4.3 UNIX Application Servers</h3>

<p>An application server is a host that provides one or more services over
the network.  Application servers can be &ldquo;secure&rdquo; or &ldquo;insecure.&rdquo;  A
&ldquo;secure&rdquo; host is set up to require authentication from every client
connecting to it.  An &ldquo;insecure&rdquo; host will still provide Kerberos
authentication, but will also allow unauthenticated clients to connect.

<p>If you have Kerberos V5 installed on all of your client machines,
MIT recommends that you make your hosts secure, to take
advantage of the security that Kerberos authentication affords. 
However, if you have some clients that do not have Kerberos V5
installed, you can run an insecure server, and still take advantage of
Kerberos V5's single sign-on capability.

<ul class="menu">
<li><a accesskey="1" href="#The-Keytab-File">The Keytab File</a>
<li><a accesskey="2" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>
</ul>

<div class="node">
<a name="The-Keytab-File"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Some-Advice-about-Secure-Hosts">Some Advice about Secure Hosts</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#UNIX-Application-Servers">UNIX Application Servers</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

</div>

<h4 class="subsection">4.3.1 The Keytab File</h4>

<p>All Kerberos server machines need a <dfn>keytab</dfn> file, called
<code>/etc/krb5.keytab</code>, to authenticate to the KDC.  The keytab file is
an encrypted, local, on-disk copy of the host's key.  The keytab file,
like the stash file (<a href="#Create-the-Database">Create the Database</a>) is a potential
point-of-entry for a break-in, and if compromised, would allow
unrestricted access to its host.  The keytab file should be readable
only by root, and should exist only on the machine's local disk.  The
file should not be part of any backup of the machine, unless access to
the backup data is secured as tightly as access to the machine's root
password itself.

<p>In order to generate a keytab for a host, the host must have a principal
in the Kerberos database.  The procedure for adding hosts to the
database is described fully in the &ldquo;Adding or Modifying Principals&rdquo;
section of the <cite>Kerberos V5 System Administrator's Guide</cite>. 
(See <a href="#Create-Host-Keys-for-the-Slave-KDCs">Create Host Keys for the Slave KDCs</a> for a brief description.)
The keytab is generated by running <code>kadmin</code> and issuing the
<code>ktadd</code> command.

<p>For example, to generate a keytab file to allow the host
trillium.mit.edu to authenticate for the services
<code>host</code>, <code>ftp</code>, and <code>pop</code>, the administrator
<code>joeadmin</code> would issue the command (on
trillium.mit.edu):

<pre class="smallexample">     <b>trillium%</b> /usr/local/sbin/kadmin
     <b>kadmin5:</b> ktadd host/trillium.mit.edu ftp/trillium.mit.edu
     &rArr; pop/trillium.mit.edu
     <b>kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
     kvno 3, encryption type DES-CBC-CRC added to keytab
     WRFILE:/etc/krb5.keytab.
     kadmin5:</b> quit
     <b>trillium%</b>
</pre>
<p>If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (<code>trillium</code>, in the
above example) without sending it unencrypted over the network.

<div class="node">
<a name="Some-Advice-about-Secure-Hosts"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#The-Keytab-File">The Keytab File</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#UNIX-Application-Servers">UNIX Application Servers</a>

</div>

<h4 class="subsection">4.3.2 Some Advice about Secure Hosts</h4>

<p>Kerberos V5 can protect your host from certain types of break-ins,
but it is possible to install Kerberos V5 and still leave your host
vulnerable to attack.  Obviously an installation guide is not the place
to try to include an exhaustive list of countermeasures for every
possible attack, but it is worth noting some of the larger holes and how
to close them.

<p>We recommend that backups of secure machines exclude the keytab file
(<code>/etc/krb5.keytab</code>).  If this is not possible, the backups should
at least be done locally, rather than over a network, and the backup
tapes should be physically secured.

<p>The keytab file and any programs run by root, including the
Kerberos V5 binaries, should be kept on local disk.  The keytab file
should be readable only by root.
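<p>The following audit, added here and not part of the MIT guide, checks a keytab against the advice in the keytab section and in this section: owned by root, no group or world permission bits, and on local disk. The path and expected owner are parameters (defaults <code>/etc/krb5.keytab</code> and root); the network file system test is a heuristic on the device name reported by <code>df</code> and is an assumption.

```shell
#!/bin/sh
# Added example, not part of the MIT guide: audit a keytab's owner, mode and
# location.  Network mounts are detected heuristically from the device name
# that df reports (NFS appears as host:/export, CIFS as //server/share).
set -eu

# Print each problem found; exit 0 only when there are none.
keytab_audit() {
    local kt="${1:-/etc/krb5.keytab}" want_owner="${2:-root}" rc=0 perm owner dev
    if [ ! -f "$kt" ]; then
        echo "no keytab at $kt"
        return 1
    fi
    # ls -ld prints e.g. "-rw------- 1 root root 342 Jan  1 12:00 /etc/krb5.keytab";
    # field 1 is the mode string, field 3 the owner
    set -- $(ls -ld "$kt")
    perm=$1; owner=$3
    case "$perm" in
        ????------*) ;;   # characters 5-10 (group and other) all cleared
        *) echo "$kt: mode $perm, should be readable by $want_owner only (chmod 600)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$kt: owned by $owner, expected $want_owner"; rc=1
    fi
    # device backing the keytab; a network mount means the key leaves the host
    dev=$(df -P "$kt" 2>/dev/null | awk 'NR == 2 { print $1 }')
    case "$dev" in
        //*|*:*) echo "$kt: on a network file system ($dev), keep it on local disk"; rc=1 ;;
    esac
    return $rc
}

# Usage: keytab_audit.sh [keytab] [owner]
if [ $# -gt 0 ]; then
    keytab_audit "$@"
fi
```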

<div class="node">
<a name="Upgrading-Existing-Kerberos-V5-Installations"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Installing-Kerberos-V5">Installing Kerberos V5</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="chapter">5 Upgrading Existing Kerberos V5 Installations</h2>

<p>If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
current release with the <code>kdb5_util</code> command.  It is only
necessary to perform this dump/undump procedure if you were running a
krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you
were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer
KDC.  The process for upgrading a Master KDC involves the following
steps:

     <ol type=1 start=1>

     <li>Stop your current KDC and administration
server processes, if any.

     <li>Dump your existing Kerberos database to an ASCII file with
<code>kdb5_util</code>'s &ldquo;dump&rdquo; command:

     <pre class="smallexample">          <b>shell%</b> cd /usr/local/var/krb5kdc
          <b>shell%</b> kdb5_util dump old-kdb-dump
          <b>shell%</b> kdb5_util dump -ov old-kdb-dump.ov
          <b>shell%</b>
</pre>
     <li>Create a new Master KDC installation (See <a href="#Install-the-Master-KDC">Install the Master KDC</a>.).  If you have a stash file for your current database, choose any
new master password but then copy your existing stash file to the
location specified by your kdc.conf; if you do not have a stash file for
your current database, you must choose the same master password.

     <li>Load your old Kerberos database into the new system with
<code>kdb5_util</code>'s &ldquo;load&rdquo; command:

     <pre class="smallexample">          <b>shell%</b> cd /usr/local/var/krb5kdc
          <b>shell%</b> kdb5_util load old-kdb-dump
          <b>shell%</b> kdb5_util load -update old-kdb-dump.ov
          <b>shell%</b>
</pre>
     </ol>

<p>The &ldquo;dump -ov&rdquo; and &ldquo;load -update&rdquo; commands are necessary in order to
preserve per-principal policy information, since the default dump format
filters out that information.  If you omit those steps, the loaded
database will lose the policy information for each principal that has
a policy.
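<p>As an added example (not part of the MIT guide), the dump and load halves of the master KDC upgrade above can be run as functions that stop at the first failed step and always pair <code>dump -ov</code> with <code>load -update</code>, so the policy information is not lost; the <code>KDB5_UTIL</code> and <code>KDC_DIR</code> settings are assumptions for this installation, and steps 1 and 3 (stopping the old daemons and creating the new installation) are done by hand between the two halves.

```shell
#!/bin/sh
# Added example, not part of the MIT guide: the dump (step 2) and load
# (step 4) halves of the master KDC upgrade.  KDB5_UTIL and KDC_DIR are
# assumptions for this installation and can be overridden in the environment.
set -eu

KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"
KDC_DIR="${KDC_DIR:-/usr/local/var/krb5kdc}"

# Step 2: dump the old database in the default format and in the -ov format
# that carries per-principal policy information.  Argument: dump basename.
kdb_upgrade_dump() {
    local base="$KDC_DIR/$1"
    "$KDB5_UTIL" dump "$base" || return 1
    "$KDB5_UTIL" dump -ov "$base.ov" || return 1
    # an empty dump would later load as an empty realm: stop here instead
    if [ ! -s "$base" ] || [ ! -s "$base.ov" ]; then
        echo "dump of $base is missing or empty" >&2
        return 1
    fi
    echo "dumped to $base and $base.ov"
}

# Step 4: load the dump into the new database, then merge the policy
# information with -update.  Refuses to run without both dump files.
kdb_upgrade_load() {
    local base="$KDC_DIR/$1"
    if [ ! -s "$base" ] || [ ! -s "$base.ov" ]; then
        echo "need both $base and $base.ov before loading" >&2
        return 1
    fi
    "$KDB5_UTIL" load "$base" || return 1
    "$KDB5_UTIL" load -update "$base.ov" || return 1
    echo "loaded $base with policies from $base.ov"
}

# Usage: kdb_upgrade.sh dump|load DUMP_BASENAME
case "${1:-}" in
    dump) kdb_upgrade_dump "${2:?dump basename required}" ;;
    load) kdb_upgrade_load "${2:?dump basename required}" ;;
    '') ;;
    *) echo "usage: $0 dump|load DUMP_BASENAME" >&2; exit 2 ;;
esac
```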

<p>To update a Slave KDC, you must stop the old server processes on the
Slave KDC, install the new server binaries, reload the most recent slave
dump file, and re-start the server processes.

<ul class="menu">
<li><a accesskey="1" href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">Upgrading to Triple-DES and RC4 Encryption Keys</a>
</ul>

<div class="node">
<a name="Upgrading-to-Triple-DES-and-RC4-Encryption-Keys"></a>
<a name="Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>

</div>

<h3 class="section">5.1 Upgrading to Triple-DES Encryption Keys</h3>

<p>Beginning with the 1.2 release from MIT, Kerberos includes
a stronger encryption algorithm called &ldquo;triple DES&rdquo; &ndash; essentially,
three applications of the basic DES encryption algorithm, greatly
increasing the resistance to a brute-force search for the key by an
attacker.  This algorithm is more secure, but encryption is much
slower.

<p>Release 1.1 had some support for triple-DES service keys, but with
release 1.2 we have added support for user keys and session keys as
well.  Release 1.0 had very little support for multiple cryptosystems,
and some of that software may not function properly in an environment
using triple-DES as well as plain DES.

<p>In the 1.3 release from MIT, Kerberos also includes the RC4
encryption algorithm, a stream cipher symmetric key algorithm
developed in 1987 by Ronald Rivest at RSA Data Security.  Please note
that RC4 is not part of the IETF standard.

<p>Because of the way the MIT Kerberos database is structured, the KDC
will assume that a service supports only those encryption types for
which keys are found in the database.  Thus, if a service has only a
single-DES key in the database, the KDC will not issue tickets for that
service that use triple-DES or RC4 session keys; it will instead issue
only single-DES session keys, even if other services are already
capable of using triple-DES or RC4.  So if you make sure your
application server software is updated before adding a triple-DES or
RC4 key for the service, clients should be able to talk to services at
all times during the updating process.

<p>Normally, the listed <code>supported_enctypes</code> in <code>kdc.conf</code> are
all used when a new key is generated.  You can control this with
command-line flags to <code>kadmin</code> and <code>kadmin.local</code>.  You may
want to exclude triple-DES and RC4 by default until you have updated a
lot of your application servers, and then change the default to include
triple-DES and RC4.  We recommend that you always include
<code>des-cbc-crc</code> in the default list.

<div class="node">
<a name="Bug-Reports-for-Kerberos-V5"></a>
<p><hr>
Next:&nbsp;<a rel="next" accesskey="n" href="#Copyright">Copyright</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Upgrading-Existing-Kerberos-V5-Installations">Upgrading Existing Kerberos V5 Installations</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="chapter">6 Bug Reports for Kerberos V5</h2>

<p>In any complex software, there will be bugs.  If you have successfully
built and installed Kerberos V5, please use the <code>krb5-send-pr</code>
program to fill out a Problem Report should you encounter any errors in
our software.

<p>Bug reports that include proposed fixes are especially welcome.  If you
do include fixes, please send them using either context diffs or unified
diffs (using &lsquo;<samp><span class="samp">diff -c</span></samp>&rsquo; or &lsquo;<samp><span class="samp">diff -u</span></samp>&rsquo;, respectively).  Please be
careful when using &ldquo;cut and paste&rdquo; or other such means to copy a patch
into a bug report; depending on the system being used, that can result
in converting TAB characters into spaces, which makes applying the
patches more difficult.

<p>The <code>krb5-send-pr</code> program is installed in the directory
<code>/usr/local/sbin</code>.

<p>The <code>krb5-send-pr</code> program enters the problem report into our
Problem Report Management System (PRMS), which automatically assigns it
to the engineer best able to help you with problems in the assigned
category.

<p>The <code>krb5-send-pr</code> program will try to intelligently fill in as
many fields as it can.  You need to choose the <dfn>category</dfn>,
<dfn>class</dfn>, <dfn>severity</dfn>, and <dfn>priority</dfn> of the problem, as well
as giving us as much information as you can about its exact nature.

<p>The PR <b>category</b> will be one of:

<pre class="smallexample">     krb5-admin   krb5-appl    krb5-build   krb5-clients
     krb5-doc     krb5-kdc     krb5-libs    krb5-misc
     pty          telnet       test
</pre>
<p class="noindent">Choose the category that best describes the area under which your
problem falls.

<p>The <b>class</b> can be <dfn>sw-bug</dfn>, <dfn>doc-bug</dfn>, <dfn>change-request</dfn>,
or <dfn>support</dfn>.  The first two are exactly as their names imply.  Use
<i>change-request</i> when the software is behaving according to
specifications, but you want to request changes in some feature or
behavior.  The <i>support</i> class is intended for more general questions
about building or using Kerberos V5.

<p>The <b>severity</b> of the problem indicates the problem's impact on the
usability of Kerberos V5.  If a problem is <dfn>critical</dfn>, that
means the product, component or concept is completely non-operational,
or some essential functionality is missing, and no workaround is known. 
A <dfn>serious</dfn> problem is one in which the product, component or
concept is not working properly or significant functionality is missing. 
Problems that would otherwise be considered <i>critical</i> are rated
<i>serious</i> when a workaround is known.  A <dfn>non-critical</dfn> problem is
one that is indeed a problem, but one that is having a minimal effect on
your ability to use Kerberos V5.  <i>E.g.</i>, the product, component
or concept is working in general, but lacks features, has irritating
behavior, does something wrong, or doesn't match its documentation.  The
default severity is <i>serious</i>.

<p>The <b>priority</b> indicates how urgent this particular problem is in
relation to your work.  Note that low priority does not imply low
importance. 
A priority of <dfn>high</dfn> means a solution is needed as soon as possible. 
A priority of <dfn>medium</dfn> means the problem should be solved no later
than the next release.  A priority of <dfn>low</dfn> means the problem should
be solved in a future release, but it is not important to your work how
soon this happens.  The default priority is <i>medium</i>.

<p>Note that a given severity does not necessarily imply a given priority. 
For example, a non-critical problem might still have a high priority if
you are faced with a hard deadline.  Conversely, a serious problem might
have a low priority if the feature it is disabling is one that you do
not need.

<p>It is important that you fill in the <i>release</i> field and tell us
what changes you have made, if any.

<p>A sample filled-out form from a company named &ldquo;Toasters, Inc.&rdquo; might
look like this:

<pre class="smallexample">     To: krb5-bugs@mit.edu
     Subject: misspelled "Kerberos" in title of installation guide
     From: jcb
     Reply-To: jcb
     Cc:
     X-send-pr-version: 3.99
     
     
     &gt;Submitter-Id:	mit
     &gt;Originator:	Jeffrey C. Gilman Bigler
     &gt;Organization:
     mit
     &gt;Confidential:	no
     &gt;Synopsis:	Misspelled "Kerberos" in title of installation guide
     &gt;Severity:	non-critical
     &gt;Priority:	low
     &gt;Category:	krb5-doc
     &gt;Class:		doc-bug
     &gt;Release:	1.0-development
     &gt;Environment:
     	&lt;machine, os, target, libraries (multiple lines)&gt;
     System: ULTRIX imbrium 4.2 0 RISC
     Machine: mips
     &gt;Description:
             Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide"
     &gt;How-To-Repeat:
             N/A
     &gt;Fix:
             Correct the spelling.
</pre>
<p>If the <code>krb5-send-pr</code> program does not work for you, or if you did
not get far enough in the process to have an installed and working
<code>krb5-send-pr</code>, you can generate your own form, using the above as
an example.

<div class="node">
<a name="Copyright"></a>
<p><hr>
Previous:&nbsp;<a rel="previous" accesskey="p" href="#Bug-Reports-for-Kerberos-V5">Bug Reports for Kerberos V5</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#Top">Top</a>

</div>

<h2 class="appendix">Appendix A Copyright</h2>

<p>Copyright &copy; 1985-2011 by the Massachusetts Institute of Technology.

<p>All rights reserved.

<blockquote>
Export of software employing encryption from the United States of
America may require a specific license from the United States
Government.  It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission.  Furthermore if you
modify this software you must label your software as modified software
and not distribute it in such a fashion that it might be confused with
the original MIT software.  M.I.T. makes no representations about the
suitability of this software for any purpose.  It is provided &ldquo;as is&rdquo;
without express or implied warranty.

<p>Individual source code files are copyright MIT, Cygnus Support,
Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems,
FundsXpress, and others.

<p>Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT).  No commercial use of these trademarks may be made without
prior written permission of MIT.

<p>&ldquo;Commercial use&rdquo; means use of a name in a product or other for-profit
manner.  It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

<p><hr>

<p>The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in
<code>kadmin/create</code>, <code>kadmin/dbutil</code>, <code>kadmin/passwd</code>,
<code>kadmin/server</code>, <code>lib/kadm5</code>, and portions of
<code>lib/rpc</code>:

<blockquote>
Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved

<p>WARNING:  Retrieving the OpenVision Kerberos Administration system source
code, as described below, indicates your acceptance of the following
terms.  If you do not agree to the following terms, do not retrieve the
OpenVision Kerberos administration system.

<p>You may freely use and distribute the Source Code and Object Code
compiled from it, with or without modification, but this Source Code is
provided to you &ldquo;AS IS&rdquo; EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT
LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. 
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS,
LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR
FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS
AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE
OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR
ANY OTHER REASON.

<p>OpenVision retains all copyrights in the donated Source Code. OpenVision
also retains copyright to derivative works of the Source Code, whether
created by OpenVision or by a third party. The OpenVision copyright
notice must be preserved if derivative works are made based on the
donated Source Code.

<p>OpenVision Technologies, Inc. has donated this Kerberos Administration
system to MIT for inclusion in the standard Kerberos 5 distribution. 
This donation underscores our commitment to continuing Kerberos
technology development and our gratitude for the valuable work which has
been performed by MIT and the Kerberos community. 
</blockquote>

<p><hr>

<blockquote>
Portions contributed by Matt Crawford <code>&lt;crawdad@fnal.gov&gt;</code> were work
performed at Fermi National Accelerator Laboratory, which is operated
by Universities Research Association, Inc., under contract
DE-AC02-76CHO3000 with the U.S. Department of Energy. 
</blockquote>

<p><hr>

<p>Portions of <code>src/lib/crypto</code> have the following copyright:

<blockquote>
Copyright &copy; 1998 by the FundsXpress, INC.

<p>All rights reserved.

<blockquote>
Export of this software from the United States of America may require
a specific license from the United States Government.  It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of FundsXpress. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  FundsXpress makes no representations about the suitability of
this software for any purpose.  It is provided &ldquo;as is&rdquo; without express
or implied warranty.

<p>THIS SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo; AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
</blockquote>

<p><hr>

<p>The implementation of the Yarrow pseudo-random number generator
in <code>src/lib/crypto/krb/prng/yarrow</code> has the following copyright:

<blockquote>
Copyright 2000 by Zero-Knowledge Systems, Inc.

<p>Permission to use, copy, modify, distribute, and sell this software
and its documentation for any purpose is hereby granted without fee,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Zero-Knowledge Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission.  Zero-Knowledge Systems, Inc. makes no representations
about the suitability of this software for any purpose.  It is
provided &ldquo;as is&rdquo; without express or implied warranty.

<p>ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
</blockquote>

<p><hr>

<p>The implementation of the AES encryption algorithm in
<code>src/lib/crypto/builtin/aes</code> has the following copyright:

<blockquote>
Copyright &copy; 2001, Dr Brian Gladman <code>&lt;brg@gladman.uk.net&gt;</code>,
Worcester, UK.<br>
All rights reserved.

<p>LICENSE TERMS

<p>The free distribution and use of this software in both source and binary
form is allowed (with or without changes) provided that:

     <ol type=1 start=1>
<li>distributions of this source code include the above copyright
notice, this list of conditions and the following disclaimer;
<li>distributions in binary form include the above copyright
notice, this list of conditions and the following disclaimer
in the documentation and/or other associated materials;
<li>the copyright holder's name is not used to endorse products
built using this software without specific written permission.
     </ol>

<p>DISCLAIMER

<p>This software is provided 'as is' with no explcit or implied warranties
in respect of any properties, including, but not limited to, correctness
and fitness for purpose. 
</blockquote>

<p><hr>

<p>Portions contributed by Red Hat, including the pre-authentication
plug-in framework and the NSS crypto implementation, contain the
following copyright:

<blockquote>
Copyright &copy; 2006 Red Hat, Inc.<br>
Portions copyright &copy; 2006 Massachusetts Institute of Technology<br>
All Rights Reserved.<br>

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

     <ul>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>Neither the name of Red Hat, Inc., nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission. 
</ul>

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &ldquo;AS
IS&rdquo; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<p>The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
<code>src/lib/gssapi</code>, including the following files:

<pre class="smallexample">     lib/gssapi/generic/gssapi_err_generic.et
     lib/gssapi/mechglue/g_accept_sec_context.c
     lib/gssapi/mechglue/g_acquire_cred.c
     lib/gssapi/mechglue/g_canon_name.c
     lib/gssapi/mechglue/g_compare_name.c
     lib/gssapi/mechglue/g_context_time.c
     lib/gssapi/mechglue/g_delete_sec_context.c
     lib/gssapi/mechglue/g_dsp_name.c
     lib/gssapi/mechglue/g_dsp_status.c
     lib/gssapi/mechglue/g_dup_name.c
     lib/gssapi/mechglue/g_exp_sec_context.c
     lib/gssapi/mechglue/g_export_name.c
     lib/gssapi/mechglue/g_glue.c
     lib/gssapi/mechglue/g_imp_name.c
     lib/gssapi/mechglue/g_imp_sec_context.c
     lib/gssapi/mechglue/g_init_sec_context.c
     lib/gssapi/mechglue/g_initialize.c
     lib/gssapi/mechglue/g_inquire_context.c
     lib/gssapi/mechglue/g_inquire_cred.c
     lib/gssapi/mechglue/g_inquire_names.c
     lib/gssapi/mechglue/g_process_context.c
     lib/gssapi/mechglue/g_rel_buffer.c
     lib/gssapi/mechglue/g_rel_cred.c
     lib/gssapi/mechglue/g_rel_name.c
     lib/gssapi/mechglue/g_rel_oid_set.c
     lib/gssapi/mechglue/g_seal.c
     lib/gssapi/mechglue/g_sign.c
     lib/gssapi/mechglue/g_store_cred.c
     lib/gssapi/mechglue/g_unseal.c
     lib/gssapi/mechglue/g_userok.c
     lib/gssapi/mechglue/g_utils.c
     lib/gssapi/mechglue/g_verify.c
     lib/gssapi/mechglue/gssd_pname_to_uid.c
     lib/gssapi/mechglue/mglueP.h
     lib/gssapi/mechglue/oid_ops.c
     lib/gssapi/spnego/gssapiP_spnego.h
     lib/gssapi/spnego/spnego_mech.c
</pre>
<p>and the initial implementation of incremental propagation, including
the following new or changed files:

<pre class="smallexample">     include/iprop_hdr.h
     kadmin/server/ipropd_svc.c
     lib/kdb/iprop.x
     lib/kdb/kdb_convert.c
     lib/kdb/kdb_log.c
     lib/kdb/kdb_log.h
     lib/krb5/error_tables/kdb5_err.et
     slave/kpropd_rpc.c
     slave/kproplog.c
</pre>
<p>are subject to the following license:

<blockquote>
Copyright &copy; 2004 Sun Microsystems, Inc.

<p>Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
&ldquo;Software&rdquo;), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

<p>The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.

<p>THE SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo;, WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
</blockquote>

<p><hr>

<p>Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:

<blockquote>
Copyright &copy; 1983 Regents of the University of California.<br>
All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS &ldquo;AS IS&rdquo; AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE. 
</blockquote>

<p><hr>

<p>Portions contributed by Novell, Inc., including the LDAP database
backend, are subject to the following license:

<blockquote>
Copyright &copy; 2004-2005, Novell, Inc.<br>
All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

     <ul>
<li>Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>The copyright holder's name is not used to endorse or promote products
derived from this software without specific prior written permission. 
</ul>

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &ldquo;AS IS&rdquo;
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<p>Portions funded by Sandia National Laboratory
and developed by the University of Michigan's
Center for Information Technology Integration,
including the PKINIT implementation, are subject
to the following license:

<blockquote>
COPYRIGHT &copy; 2006-2007<br>
THE REGENTS OF THE UNIVERSITY OF MICHIGAN<br>
ALL RIGHTS RESERVED

<p>Permission is granted to use, copy, create derivative works
and redistribute this software and such derivative works
for any purpose, so long as the name of The University of
Michigan is not used in any advertising or publicity
pertaining to the use of distribution of this software
without specific, written prior authorization.  If the
above copyright notice or any other identification of the
University of Michigan is included in any copy of any
portion of this software, then the disclaimer below must
also be included.

<p>THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. 
</blockquote>

<p><hr>

<p>The pkcs11.h file included in the PKINIT code has the
following license:

<blockquote>
Copyright 2006 g10 Code GmbH<br>
Copyright 2006 Andreas Jellinghaus

<p>This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
modifications, as long as this notice is preserved.

<p>This file is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY, to the extent permitted by law; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE. 
</blockquote>

<p><hr>

<p>Portions contributed by Apple Inc. are subject to the following license:

<blockquote>
Copyright 2004-2008 Apple Inc.  All Rights Reserved.

<blockquote>
Export of this software from the United States of America may require
a specific license from the United States Government.  It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Apple Inc. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  Apple Inc. makes no representations about the suitability of
this software for any purpose.  It is provided &ldquo;as is&rdquo; without express
or implied warranty.

<p>THIS SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo; AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
</blockquote>

<p><hr>

<p>The implementations of UTF-8 string handling in src/util/support and
src/lib/krb5/unicode are subject to the following copyright and
permission notice:

<blockquote>
The OpenLDAP Public License<br>
Version 2.8, 17 August 2003

<p>Redistribution and use of this software and associated documentation
(&ldquo;Software&rdquo;), with or without modification, are permitted provided
that the following conditions are met:

     <ol type=1 start=1>
<li>Redistributions in source form must retain copyright statements
and notices,
<li>Redistributions in binary form must reproduce applicable copyright
statements and notices, this list of conditions, and the following
disclaimer in the documentation and/or other materials provided
with the distribution, and
<li>Redistributions must contain a verbatim copy of this document.
     </ol>

<p>The OpenLDAP Foundation may revise this license from time to time. 
Each revision is distinguished by a version number.  You may use
this Software under terms of this license revision or under the
terms of any subsequent revision of the license.

<p>THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS
CONTRIBUTORS &ldquo;AS IS&rdquo; AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT
SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S)
OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

<p>The names of the authors and copyright holders must not be used in
advertising or otherwise to promote the sale, use or other dealing
in this Software without specific, written prior permission.  Title
to copyright in this Software shall at all times remain with copyright
holders.

<p>OpenLDAP is a registered trademark of the OpenLDAP Foundation.

<p>Copyright 1999-2003 The OpenLDAP Foundation, Redwood City,
California, USA.  All Rights Reserved.  Permission to copy and
distribute verbatim copies of this document is granted. 
</blockquote>

<p><hr>

<p>Marked test programs in src/lib/krb5/krb have the following copyright:

<blockquote>
Copyright &copy; 2006 Kungliga Tekniska H&ouml;gskolan<br>
(Royal Institute of Technology, Stockholm, Sweden).<br>
All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>Neither the name of KTH nor the names of its contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS &ldquo;AS IS&rdquo; AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<p>Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc
have the following copyright and permission notice:

<blockquote>
Copyright &copy; 2010, Oracle America, Inc.

<p>All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution. 
<li>Neither the name of the &ldquo;Oracle America, Inc.&rdquo; nor the names of
its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &ldquo;AS
IS&rdquo; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 2006,2007,2009
NTT (Nippon Telegraph and Telephone Corporation).  All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer as
the first lines of this file unmodified. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY NTT &ldquo;AS IS&rdquo; AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<blockquote>
Copyright 2000 by Carnegie Mellon University

<p>All Rights Reserved

<p>Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of Carnegie Mellon
University not be used in advertising or publicity pertaining to
distribution of the software without specific, written prior
permission.

<p>CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR
ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 2002 Naval Research Laboratory (NRL/CCS)

<p>Permission to use, copy, modify and distribute this software and its
documentation is hereby granted, provided that both the copyright
notice and this permission notice appear in all copies of the software,
derivative works or modified versions, and any portions thereof.

<p>NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS &ldquo;AS IS&rdquo; CONDITION AND
DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER
RESULTING FROM THE USE OF THIS SOFTWARE. 
</blockquote>

<p><hr>

<p>Portions extracted from Internet RFCs have the following copyright
notice:

<blockquote>
Copyright &copy; The Internet Society (2006).

<p>This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

<p>This document and the information contained herein are provided on an
&ldquo;AS IS&rdquo; basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 1991, 1992, 1994 by Cygnus Support.

<p>Permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation. 
Cygnus Support makes no representations about the suitability of
this software for any purpose.  It is provided &ldquo;as is&rdquo; without express
or implied warranty. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 2006 Secure Endpoints Inc.

<p>Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the &ldquo;Software&rdquo;), to deal in the Software without
restriction, including without limitation the rights to use, copy,
modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

<p>The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

<p>THE SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo;, WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE. 
</blockquote>

<p><hr>

<p>Portions of the implementation of the Fortuna-like PRNG are subject to
the following notice:

<blockquote>
Copyright &copy; 2005 Marko Kreen<br>
All rights reserved.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS &ldquo;AS IS&rdquo; AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 1994 by the University of Southern California

<blockquote>
EXPORT OF THIS SOFTWARE from the United States of America may
require a specific license from the United States Government. 
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute
this software and its documentation in source and binary forms is
hereby granted, provided that any documentation or other materials
related to such distribution or use acknowledge that the software
was developed by the University of Southern California.

<p>DISCLAIMER OF WARRANTY.  THIS SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo;.  The
University of Southern California MAKES NO REPRESENTATIONS OR
WARRANTIES, EXPRESS OR IMPLIED.  By way of example, but not
limitation, the University of Southern California MAKES NO
REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY
PARTICULAR PURPOSE. The University of Southern
California shall not be held liable for any liability nor for any
direct, indirect, or consequential damages with respect to any
claim by the user or distributor of the ksu software. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 1995<br>
The President and Fellows of Harvard University

<p>This code is derived from software contributed to Harvard by
Jeremy Rassen.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>All advertising materials mentioning features or use of this software
must display the following acknowledgement:
<blockquote>
This product includes software developed by the University of
California, Berkeley and its contributors. 
</blockquote>
     <li>Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS &ldquo;AS IS&rdquo; AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE. 
</blockquote>

<p><hr>

<blockquote>
Copyright &copy; 2008 by the Massachusetts Institute of Technology.<br>
Copyright 1995 by Richard P. Basch.  All Rights Reserved.<br>
Copyright 1995 by Lehman Brothers, Inc.  All Rights Reserved.<br>

<blockquote>
Export of this software from the United States of America may
require a specific license from the United States Government. 
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used
in advertising or publicity pertaining to distribution of the software
without specific, written prior permission.  Richard P. Basch,
Lehman Brothers and M.I.T. make no representations about the suitability
of this software for any purpose.  It is provided &ldquo;as is&rdquo; without
express or implied warranty. 
</blockquote>

<p><hr>

<p>The following notice applies to <code>src/lib/krb5/krb/strptime.c</code>:

<blockquote>
Copyright &copy; 1997, 1998 The NetBSD Foundation, Inc.<br>
All rights reserved.

<p>This code was contributed to The NetBSD Foundation by Klaus Klein.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>All advertising materials mentioning features or use of this software
must display the following acknowledgement:
<blockquote>
This product includes software developed by the NetBSD
Foundation, Inc. and its contributors. 
</blockquote>
     <li>Neither the name of The NetBSD Foundation nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
     </ol>

<p>THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
&ldquo;AS IS&rdquo; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<p>The following notice applies to Unicode library files in
<code>src/lib/krb5/unicode</code>:

<blockquote>
Copyright 1997, 1998, 1999 Computing Research Labs,<br>
New Mexico State University

<p>Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the &ldquo;Software&rdquo;),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:

<p>The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

<p>THE SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
</blockquote>

<p><hr>

<p>The following notice applies to <code>src/util/support/strlcpy.c</code>:

<blockquote>
Copyright &copy; 1998 Todd C. Miller &lt;Todd.Miller@courtesan.com&gt;

<p>Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

<p>THE SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo; AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
</blockquote>

<p><hr>

<p>The following notice applies to <code>src/util/profile/argv_parse.c</code> and
<code>src/util/profile/argv_parse.h</code>:

<blockquote>
Copyright 1999 by Theodore Ts'o.

<p>Permission to use, copy, modify, and distribute this software for
any purpose with or without fee is hereby granted, provided that
the above copyright notice and this permission notice appear in all
copies.  THE SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo; AND THEODORE TS'O (THE
AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.  (Isn't
it sick that the U.S. culture of lawsuit-happy lawyers requires
this kind of disclaimer?) 
</blockquote>

<p><hr>

<p>The following notice applies to SWIG-generated code in
<code>src/util/profile/profile_tcl.c</code>:

<blockquote>
Copyright &copy; 1999-2000, The University of Chicago

<p>This file may be freely redistributed without license or fee provided
this copyright message remains intact. 
</blockquote>

<p><hr>

<p>The following notice applies to portions of <code>src/lib/rpc</code> and
<code>src/include/gssrpc</code>:

<blockquote>
Copyright &copy; 2000 The Regents of the University of Michigan. 
All rights reserved.

<p>Copyright &copy; 2000 Dug Song &lt;dugsong@UMICH.EDU&gt;. 
All rights reserved, all wrongs reversed.

<p>Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

     <ol type=1 start=1>
<li>Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer. 
<li>Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution. 
<li>Neither the name of the University nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
     </ol>

<p>THIS SOFTWARE IS PROVIDED &ldquo;AS IS&rdquo; AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
</blockquote>

<p><hr>

<p>Implementations of the MD4 algorithm are subject to the following
notice:

<blockquote>
Copyright &copy; 1990, RSA Data Security, Inc. All rights reserved.

<p>License to copy and use this software is granted provided that
it is identified as the &ldquo;RSA Data Security, Inc. MD4 Message
Digest Algorithm&rdquo; in all material mentioning or referencing this
software or this function.

<p>License is also granted to make and use derivative works
provided that such works are identified as &ldquo;derived from the RSA
Data Security, Inc. MD4 Message Digest Algorithm&rdquo; in all
material mentioning or referencing the derived work.

<p>RSA Data Security, Inc. makes no representations concerning
either the merchantability of this software or the suitability
of this software for any particular purpose.  It is provided &ldquo;as
is&rdquo; without express or implied warranty of any kind.

<p>These notices must be retained in any copies of any part of this
documentation and/or software. 
</blockquote>

<p><hr>

<p>Implementations of the MD5 algorithm are subject to the following
notice:

<blockquote>
Copyright &copy; 1990, RSA Data Security, Inc. All rights reserved.

<p>License to copy and use this software is granted provided that
it is identified as the &ldquo;RSA Data Security, Inc. MD5 Message-
Digest Algorithm&rdquo; in all material mentioning or referencing this
software or this function.

<p>License is also granted to make and use derivative works
provided that such works are identified as &ldquo;derived from the RSA
Data Security, Inc. MD5 Message-Digest Algorithm&rdquo; in all
material mentioning or referencing the derived work.

<p>RSA Data Security, Inc. makes no representations concerning
either the merchantability of this software or the suitability
of this software for any particular purpose.  It is provided &ldquo;as
is&rdquo; without express or implied warranty of any kind.

<p>These notices must be retained in any copies of any part of this
documentation and/or software. 
</blockquote>

<p><hr>

<p>The following notice applies to <code>src/lib/crypto/crypto_tests/t_mddriver.c</code>:

<blockquote>
Copyright &copy; 1990-2, RSA Data Security, Inc. Created 1990. All
rights reserved.

<p>RSA Data Security, Inc. makes no representations concerning either
the merchantability of this software or the suitability of this
software for any particular purpose. It is provided &ldquo;as is&rdquo;
without express or implied warranty of any kind.

<p>These notices must be retained in any copies of any part of this
documentation and/or software. 
</blockquote>

<p><hr>

<p>Portions of <code>src/lib/krb5</code> are subject to the following notice:

<blockquote>
Copyright &copy; 1994 CyberSAFE Corporation.<br>
Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.<br>
All Rights Reserved.

<blockquote>
Export of this software from the United States of America may
require a specific license from the United States Government. 
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting. 
</blockquote>

<p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software. 
Neither M.I.T., the Open Computing Security Group, nor
CyberSAFE Corporation make any representations about the suitability of
this software for any purpose.  It is provided &ldquo;as is&rdquo; without express
or implied warranty. 
</blockquote>

<p><hr>

<p>Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notices and this permission notice are
preserved on all copies.

<p>Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

<p>Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.

<div class="contents">
<h2>Table of Contents</h2>
<ul>
<li><a name="toc_Introduction" href="#Introduction">1 Introduction</a>
<ul>
<li><a href="#What-is-Kerberos-and-How-Does-it-Work_003f">1.1 What is Kerberos and How Does it Work?</a>
<li><a href="#Why-Should-I-use-Kerberos_003f">1.2 Why Should I use Kerberos?</a>
<li><a href="#Please-Read-the-Documentation">1.3 Please Read the Documentation</a>
<li><a href="#Overview-of-This-Guide">1.4 Overview of This Guide</a>
</li></ul>
<li><a name="toc_Realm-Configuration-Decisions" href="#Realm-Configuration-Decisions">2 Realm Configuration Decisions</a>
<ul>
<li><a href="#Kerberos-Realms">2.1 Kerberos Realms</a>
<li><a href="#Mapping-Hostnames-onto-Kerberos-Realms">2.2 Mapping Hostnames onto Kerberos Realms</a>
<li><a href="#Ports-for-the-KDC-and-Admin-Services">2.3 Ports for the KDC and Admin Services</a>
<li><a href="#Slave-KDCs">2.4 Slave KDCs</a>
<li><a href="#Hostnames-for-the-Master-and-Slave-KDCs">2.5 Hostnames for the Master and Slave KDCs</a>
<li><a href="#Database-Propagation">2.6 Database Propagation</a>
</li></ul>
<li><a name="toc_Building-Kerberos-V5" href="#Building-Kerberos-V5">3 Building Kerberos V5</a>
<ul>
<li><a href="#Organization-of-the-Source-Directory">3.1 Organization of the Source Directory</a>
<ul>
<li><a href="#The-appl-Directory">3.1.1 The appl Directory</a>
<li><a href="#The-clients-Directory">3.1.2 The clients Directory</a>
<li><a href="#The-gen_002dmanpages-Directory">3.1.3 The gen-manpages Directory</a>
<li><a href="#The-include-Directory">3.1.4 The include Directory</a>
<li><a href="#The-kadmin-Directory">3.1.5 The kadmin Directory</a>
<li><a href="#The-kdc-Directory">3.1.6 The kdc Directory</a>
<li><a href="#The-krb524-Directory">3.1.7 The krb524 Directory</a>
<li><a href="#The-lib-Directory">3.1.8 The lib Directory</a>
<li><a href="#The-prototype-Directory">3.1.9 The prototype Directory</a>
<li><a href="#The-slave-Directory">3.1.10 The slave Directory</a>
<li><a href="#The-util-Directory">3.1.11 The util Directory</a>
</li></ul>
<li><a href="#Build-Requirements">3.2 Build Requirements</a>
<li><a href="#Unpacking-the-Sources">3.3 Unpacking the Sources</a>
<li><a href="#Doing-the-Build">3.4 Doing the Build</a>
<ul>
<li><a href="#Building-Within-a-Single-Tree">3.4.1 Building Within a Single Tree</a>
<li><a href="#Building-with-Separate-Build-Directories">3.4.2 Building with Separate Build Directories</a>
<li><a href="#Building-using-lndir">3.4.3 Building Using &lsquo;<samp><span class="samp">lndir</span></samp>&rsquo;</a>
</li></ul>
<li><a href="#Installing-the-Binaries">3.5 Installing the Binaries</a>
<li><a href="#Testing-the-Build">3.6 Testing the Build</a>
<ul>
<li><a href="#The-DejaGnu-Tests">3.6.1 The DejaGnu Tests</a>
<li><a href="#The-KADM5-Tests">3.6.2 The KADM5 Tests</a>
</li></ul>
<li><a href="#Options-to-Configure">3.7 Options to Configure</a>
<li><a href="#osconf_002eh">3.8 <samp><span class="file">osconf.h</span></samp></a>
<li><a href="#Shared-Library-Support">3.9 Shared Library Support</a>
<li><a href="#OS-Incompatibilities">3.10 Operating System Incompatibilities</a>
<ul>
<li><a href="#AIX">3.10.1 AIX</a>
<li><a href="#Alpha-OSF_002f1-V1_002e3">3.10.2 Alpha OSF/1 V1.3</a>
<li><a href="#Alpha-OSF_002f1-V2_002e0">3.10.3 Alpha OSF/1 V2.0</a>
<li><a href="#Alpha-OSF_002f1-V4_002e0">3.10.4 Alpha OSF/1 (Digital UNIX) V4.0</a>
<li><a href="#BSDI">3.10.5 BSDI</a>
<li><a href="#HPUX">3.10.6 HPUX</a>
<li><a href="#Solaris-versions-2_002e0-through-2_002e3">3.10.7 Solaris versions 2.0 through 2.3</a>
<li><a href="#Solaris-2_002eX">3.10.8 Solaris 2.X</a>
<li><a href="#Solaris-9">3.10.9 Solaris 9</a>
<li><a href="#SGI-Irix-5_002eX">3.10.10 SGI Irix 5.X</a>
<li><a href="#Ultrix-4_002e2_002f3">3.10.11 Ultrix 4.2/3</a>
</li></ul>
<li><a href="#Using-Autoconf">3.11 Using &lsquo;<samp><span class="samp">Autoconf</span></samp>&rsquo;</a>
</li></ul>
<li><a name="toc_Installing-Kerberos-V5" href="#Installing-Kerberos-V5">4 Installing Kerberos V5</a>
<ul>
<li><a href="#Installing-KDCs">4.1 Installing KDCs</a>
<ul>
<li><a href="#Install-the-Master-KDC">4.1.1 Install the Master KDC</a>
<ul>
<li><a href="#Edit-the-Configuration-Files">4.1.1.1 Edit the Configuration Files</a>
<li><a href="#krb5_002econf">4.1.1.2 krb5.conf</a>
<li><a href="#kdc_002econf">4.1.1.3 kdc.conf</a>
<li><a href="#Create-the-Database">4.1.1.4 Create the Database</a>
<li><a href="#Add-Administrators-to-the-Acl-File">4.1.1.5 Add Administrators to the Acl File</a>
<li><a href="#Add-Administrators-to-the-Kerberos-Database">4.1.1.6 Add Administrators to the Kerberos Database</a>
<li><a href="#Create-a-kadmind-Keytab-_0028optional_0029">4.1.1.7 Create a kadmind Keytab (optional)</a>
<li><a href="#Start-the-Kerberos-Daemons">4.1.1.8 Start the Kerberos Daemons on the Master KDC</a>
</li></ul>
<li><a href="#Install-the-Slave-KDCs">4.1.2 Install the Slave KDCs</a>
<ul>
<li><a href="#Create-Host-Keys-for-the-Slave-KDCs">4.1.2.1 Create Host Keys for the Slave KDCs</a>
<li><a href="#Extract-Host-Keytabs-for-the-KDCs">4.1.2.2 Extract Host Keytabs for the KDCs</a>
<li><a href="#Set-Up-the-Slave-KDCs-for-Database-Propagation">4.1.2.3 Set Up the Slave KDCs for Database Propagation</a>
</li></ul>
<li><a href="#Back-on-the-Master-KDC">4.1.3 Back on the Master KDC</a>
<ul>
<li><a href="#Propagate-the-Database-to-Each-Slave-KDC">4.1.3.1 Propagate the Database to Each Slave KDC</a>
</li></ul>
<li><a href="#Finish-Installing-the-Slave-KDCs">4.1.4 Finish Installing the Slave KDCs</a>
<ul>
<li><a href="#Create-Stash-Files-on-the-Slave-KDCs">4.1.4.1 Create Stash Files on the Slave KDCs</a>
<li><a href="#Start-the-krb5kdc-Daemon-on-Each-KDC">4.1.4.2 Start the krb5kdc Daemon on Each KDC</a>
</li></ul>
<li><a href="#Add-Kerberos-Principals-to-the-Database">4.1.5 Add Kerberos Principals to the Database</a>
<li><a href="#Limit-Access-to-the-KDCs">4.1.6 Limit Access to the KDCs</a>
<li><a href="#Switching-Master-and-Slave-KDCs">4.1.7 Switching Master and Slave KDCs</a>
<li><a href="#Incremental-Database-Propagation">4.1.8 Incremental Database Propagation</a>
<ul>
<li><a href="#Sun_002fMIT-Incremental-Propagation-Differences">4.1.8.1 Sun/MIT Incremental Propagation Differences</a>
</li></ul>
</li></ul>
<li><a href="#Installing-and-Configuring-UNIX-Client-Machines">4.2 Installing and Configuring UNIX Client Machines</a>
<ul>
<li><a href="#Client-Programs">4.2.1 Client Programs</a>
<li><a href="#Client-Machine-Configuration-Files">4.2.2 Client Machine Configuration Files</a>
<ul>
<li><a href="#Mac-OS-X-Configuration">4.2.2.1 Mac OS X Configuration</a>
</li></ul>
</li></ul>
<li><a href="#UNIX-Application-Servers">4.3 UNIX Application Servers</a>
<ul>
<li><a href="#The-Keytab-File">4.3.1 The Keytab File</a>
<li><a href="#Some-Advice-about-Secure-Hosts">4.3.2 Some Advice about Secure Hosts</a>
</li></ul>
</li></ul>
<li><a name="toc_Upgrading-Existing-Kerberos-V5-Installations" href="#Upgrading-Existing-Kerberos-V5-Installations">5 Upgrading Existing Kerberos V5 Installations</a>
<ul>
<li><a href="#Upgrading-to-Triple_002dDES-and-RC4-Encryption-Keys">5.1 Upgrading to Triple-DES Encryption Keys</a>
</li></ul>
<li><a name="toc_Bug-Reports-for-Kerberos-V5" href="#Bug-Reports-for-Kerberos-V5">6 Bug Reports for Kerberos V5</a>
<li><a name="toc_Copyright" href="#Copyright">Appendix A Copyright</a>
</li></ul>
</div>

<div class="footnote">
<hr>
<a name="texinfo-footnotes-in-document"></a><h4>Footnotes</h4><p class="footnote"><small>[<a name="fn-1" href="#fnd-1">1</a>]</small> Kerberos V4 used port 750.  If
necessary, you can run on both ports for backward compatibility.</p>

<hr></div>

</body></html>
