<html lang="en"><head> <title>Kerberos V5 Installation Guide</title> <meta http-equiv="Content-Type" content="text/html"> <meta name=description content="Kerberos V5 Installation Guide"> <meta name=generator content="makeinfo 4.0"> <link href="http://texinfo.org/" rel=generator-home> </head><body> <p><hr> Node:<a name="Top">Top</a>, Next:<a rel=next href="#Copyright">Copyright</a>, Previous:<a rel=previous href="#(dir)">(dir)</a>, Up:<a rel=up href="#(dir)">(dir)</a> <br> <ul> <li><a href="#Copyright">Copyright</a>: <li><a href="#Introduction">Introduction</a>: <li><a href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>: <li><a href="#Building%20Kerberos%20V5">Building Kerberos V5</a>: <li><a href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>: <li><a href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>: <li><a href="#Bug%20Reports%20for%20Kerberos%20V5">Bug Reports for Kerberos V5</a>: </ul> <p><hr> Node:<a name="Copyright">Copyright</a>, Next:<a rel=next href="#Introduction">Introduction</a>, Previous:<a rel=previous href="#Top">Top</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Copyright</h1> <p>Copyright © 1985-2002 by the Massachusetts Institute of Technology. <blockquote> Export of software employing encryption from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. </blockquote> <p>WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. <p>The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc: <blockquote> Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved <p>WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. <p>You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON. <p>OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. <p>OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. </blockquote> <p>The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright: <blockquote> <p>Copyright 2000 by Zero-Knowledge Systems, Inc. <p>Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. <p>ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. </blockquote> <p>The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright: <blockquote> <p>Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. All rights reserved. <p>LICENSE TERMS <p>The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: <ol type=1 start=1> </p><li>distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; <li>distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; <li>the copyright holder's name is not used to endorse products built using this software without specific written permission. </ol> <p>DISCLAIMER <p>This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose. </blockquote> Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice: <p>Copyright © 1983 Regents of the University of California.<br> All rights reserved. <p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: <ol type=1 start=1> </p><li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. <li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. <li>All advertising materials mentioning features or use of this software must display the following acknowledgement: <blockquote> This product includes software developed by the University of California, Berkeley and its contributors. </blockquote> <li>Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. </ol> <p>Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies. <p>Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. <p>Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions. <p><hr> Node:<a name="Introduction">Introduction</a>, Next:<a rel=next href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>, Previous:<a rel=previous href="#Copyright">Copyright</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Introduction</h1> <ul> <li><a href="#What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a>: <li><a href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>: <li><a href="#Please%20Read%20the%20Documentation">Please Read the Documentation</a>: <li><a href="#Overview%20of%20This%20Guide">Overview of This Guide</a>: </ul> <p><hr> Node:<a name="What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a>, Next:<a rel=next href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>, Previous:<a rel=previous href="#Introduction">Introduction</a>, Up:<a rel=up href="#Introduction">Introduction</a> <br> <h2>What is Kerberos and How Does it Work?</h2> Kerberos V5 is based on the Kerberos authentication system developed at MIT. Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a <dfn>ticket-granting ticket</dfn> (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (<i>i.e.</i>, if the client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client's identity. <p>The TGT, which expires at a specified time, permits the client to obtain additional tickets, which give permission for specific services. The requesting and granting of these additional tickets is user-transparent. <p><hr> Node:<a name="Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>, Next:<a rel=next href="#Please%20Read%20the%20Documentation">Please Read the Documentation</a>, Previous:<a rel=previous href="#What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a>, Up:<a rel=up href="#Introduction">Introduction</a> <br> <h2>Why Should I use Kerberos?</h2> <p>Since Kerberos negotiates authenticated, and optionally encrypted, communications between two points anywhere on the Internet, it provides a layer of security that is not dependent on which side of a firewall either client is on. Since studies have shown that half of the computer security breaches in industry happen from <i>inside</i> firewalls, Kerberos V5 from MIT will play a vital role in the security of your network. <p><hr> Node:<a name="Please%20Read%20the%20Documentation">Please Read the Documentation</a>, Next:<a rel=next href="#Overview%20of%20This%20Guide">Overview of This Guide</a>, Previous:<a rel=previous href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a>, Up:<a rel=up href="#Introduction">Introduction</a> <br> <h2>Please Read the Documentation</h2> <p>As with any software package that uses a centrallized database, the installation procedure is somewhat involved, and requires forethought and planning. MIT has attempted to make this Kerberos V5 Installation Guide as concise as possible, rather than making it an exhaustive description of the details of Kerberos. Consequently, everything in this guide appears because MIT believes that it is important. Please read and follow these instructions carefully. <p>This document is one piece of the document set for Kerberos V5. The documents, and their intended audiences, are: <ul> <li><b>Kerberos V5 Installation Guide</b>: a concise guide for installing Kerberos V5. Kerberos administrators (particularly whoever will be making site-wide decisions about the installation) and the system administrators who will be installing the software should read this guide. <li><b>Kerberos V5 System Administrator's Guide</b>: a sysadmin's guide to administering a Kerberos installation. The System Administrator's Guide describes the administration software and suggests policies and procedures for administering a Kerberos installation. Anyone who will have administrative access to your Kerberos database should read this guide. <li><b>Kerberos V5 UNIX User's Guide</b>: a guide to using the Kerberos UNIX client programs. All users on UNIX systems should read this guide, particularly the "Tutorial" section. </ul> <p><hr> Node:<a name="Overview%20of%20This%20Guide">Overview of This Guide</a>, Previous:<a rel=previous href="#Please%20Read%20the%20Documentation">Please Read the Documentation</a>, Up:<a rel=up href="#Introduction">Introduction</a> <br> <h2>Overview of This Guide</h2> <p>The next chapter describes the decisions you need to make before installing Kerberos V5. <p>Chapter three provided instructions for building the Kerberos sources. <p>Chapter four describes installation procedures for each class of Kerberos machines: <ol type=1 start=1> </p><li>Key Distribution Centers (KDCs). <ol type=A start=1> <li>The Master KDC. <li>Slave KDCs. </ol> <li>UNIX client machines <li>UNIX application server machines </ol> <p>Note that a machine can be both a client machine and an application server. <p>Chapter five describes procedure for updating previous installations of Kerberos V5. <p>Chapter six describes our problem reporting system. <p><hr> Node:<a name="Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>, Next:<a rel=next href="#Building%20Kerberos%20V5">Building Kerberos V5</a>, Previous:<a rel=previous href="#Introduction">Introduction</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Realm Configuration Decisions</h1> <p>Before installing Kerberos V5, it is necessary to consider the following issues: <ul> <li>The name of your Kerberos realm (or the name of each realm, if you need more than one). <li>How you will map your hostnames onto Kerberos realms. <li>Which ports your KDC and and kadmin (database access) services will use. <li>How many slave KDCs you need and where they should be located. <li>The hostnames of your master and slave KDCs. <li>How frequently you will propagate the database from the master KDC to the slave KDCs. <li>Whether you need backward compatibility with Kerberos V4. </ul> <ul> <li><a href="#Kerberos%20Realms">Kerberos Realms</a>: <li><a href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a>: <li><a href="#Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>: <li><a href="#Slave%20KDCs">Slave KDCs</a>: <li><a href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a>: <li><a href="#Database%20Propagation">Database Propagation</a>: </ul> <p><hr> Node:<a name="Kerberos%20Realms">Kerberos Realms</a>, Next:<a rel=next href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a>, Previous:<a rel=previous href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>, Up:<a rel=up href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <br> <h2>Kerberos Realms</h2> <p>Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters. For example, hosts in the domain example.com would be in the Kerberos realm EXAMPLE.COM. <p>If you need multiple Kerberos realms, MIT recommends that you use descriptive names which end with your domain name, such as BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM. <p><hr> Node:<a name="Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a>, Next:<a rel=next href="#Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>, Previous:<a rel=previous href="#Kerberos%20Realms">Kerberos Realms</a>, Up:<a rel=up href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <br> <h2>Mapping Hostnames onto Kerberos Realms</h2> <p>Mapping hostnames onto Kerberos realms is done in one of two ways. <p>The first mechanism, which has been in use for years in MIT-based Kerberos distributions, works through a set of rules in the <code>krb5.conf</code> configuration file. (See <a href="#krb5.conf">krb5.conf</a>.) You can specify mappings for an entire domain or subdomain, and/or on a hostname-by-hostname basis. Since greater specificity takes precedence, you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. <p>The second mechanism works by looking up the information in special <code>TXT</code> records in the Domain Name Service. This is currently not used by default because security holes could result if the DNS TXT records were spoofed. If this mechanism is enabled on the client, it will try to look up a <code>TXT</code> record for the DNS name formed by putting the prefix <code>_kerberos</code> in front of the hostname in question. If that record is not found, it will try using <code>_kerberos</code> and the host's domain name, then its parent domain, and so forth. So for the hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be: <pre>_kerberos.boston.engineering.foobar.com _kerberos.engineering.foobar.com _kerberos.foobar.com _kerberos.com </pre> <p>The value of the first TXT record found is taken as the realm name. (Obviously, this doesn't work all that well if a host and a subdomain have the same name, and different realms. For example, if all the hosts in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in another realm. In that case, you would set up TXT records for all hosts, rather than relying on the fallback to the domain name.) <p>Even if you do not choose to use this mechanism within your site, you may wish to set it up anyway, for use when interacting with other sites. <p><hr> Node:<a name="Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>, Next:<a rel=next href="#Slave%20KDCs">Slave KDCs</a>, Previous:<a rel=previous href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a>, Up:<a rel=up href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <br> <h2>Ports for the KDC and Admin Services</h2> <p>The default ports used by Kerberos are port 88 for the KDC<a rel=footnote href="#fn-1"><sup>1</sup></a> and port 749 for the admin server. You can, however, choose to run on other ports, as long as they are specified in each host's <code>/etc/services</code> and <code>krb5.conf</code> files, and the <code>kdc.conf</code> file on each KDC. For a more thorough treatment of port numbers used by the Kerberos V5 programs, refer to the "Configuring Your Firewall to Work With Kerberos V5" section of the <cite>Kerberos V5 System Administrator's Guide</cite>. <p><hr> Node:<a name="Slave%20KDCs">Slave KDCs</a>, Next:<a rel=next href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a>, Previous:<a rel=previous href="#Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a>, Up:<a rel=up href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <br> <h2>Slave KDCs</h2> <p>Slave KDCs provide an additional source of Kerberos ticket-granting services in the event of inaccessibility of the master KDC. The number of slave KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network. <p>All of the Kerberos authentication on your network requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might be unavailable and have a slave KDC to take up the slack. <p>Some considerations include: <ul> <li>Have at least one slave KDC as a backup, for when the master KDC is down, is being upgraded, or is otherwise unavailable. <li>If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network to become cut off or isolated from other segments), have a slave KDC accessible to each segment. <li>If possible, have at least one slave KDC in a different building from the master, in case of power outages, fires, or other localized disasters. </ul> <p><hr> Node:<a name="Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a>, Next:<a rel=next href="#Database%20Propagation">Database Propagation</a>, Previous:<a rel=previous href="#Slave%20KDCs">Slave KDCs</a>, Up:<a rel=up href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <br> <h2>Hostnames for the Master and Slave KDCs</h2> MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as <code>kerberos</code> for the master KDC and <code>kerberos-1</code>, <code>kerberos-2</code>, <small>...</small> for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. <p>A new mechanism for locating KDCs of a realm through DNS has been added to the MIT Kerberos V5 distribution. A relatively new record type called <code>SRV</code> has been added to DNS. Looked up by a service name and a domain name, these records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. (See RFC 2782 if you want more information. You can follow the example below for straightforward cases.) <p>The use with Kerberos is fairly straightforward. The domain name used in the SRV record name is the domain-style Kerberos realm name. (It is possible to have Kerberos realm names that are not DNS-style names, but we don't recommend it for Internet use, and our code does not support it well.) Several different Kerberos-related service names are used: <dl> <dt><code>_kerberos._udp</code> <dd>This is for contacting any KDC by UDP. This entry will be used the most often. Normally you should list port 88 on each of your KDCs. <br><dt><code>_kerberos._tcp</code> <dd>This is for contacting any KDC by TCP. The MIT KDC by default will not listen on any TCP ports, so unless you've changed the configuration or you're running another KDC implementation, you should leave this unspecified. If you do enable TCP support, normally you should use port 88. <br><dt><code>_kerberos-master._udp</code> <dd>This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. This entry is used only in one case, when the user is logging in and the password appears to be incorrect; the master KDC is then contacted, and the same password used to try to decrypt the response, in case the user's password had recently been changed and the first KDC contacted hadn't been updated. Only if that fails is an "incorrect password" error given. <p>If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the others, you do not need to define this entry. <br><dt><code>_kerberos-adm._tcp</code> <dd>This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the <code>kadmin</code> program and related utilities. For now, you will also need the <code>admin_server</code> entry in <code>krb5.conf</code>. (See <a href="#krb5.conf">krb5.conf</a>.) <br><dt><code>_kpasswd._udp</code> <dd>This should list port 464 on your master KDC. It is used when a user changes her password. <br><dt><code>_kerberos-iv._udp</code> <dd>This should refer to your KDCs that serve Kerberos version 4 requests, if you have Kerberos v4 enabled. </dl> <p>Be aware, however, that the DNS SRV specification requires that the hostnames listed be the canonical names, not aliases. So, for example, you might include the following records in your (BIND-style) zone file: <pre>$ORIGIN foobar.com. _kerberos TXT "FOOBAR.COM" kerberos CNAME daisy kerberos-1 CNAME use-the-force-luke kerberos-2 CNAME bunny-rabbit _kerberos._udp SRV 0 0 88 daisy SRV 0 0 88 use-the-force-luke SRV 0 0 88 bunny-rabbit _kerberos-master._udp SRV 0 0 88 daisy _kerberos-adm._tcp SRV 0 0 749 daisy _kpasswd._udp SRV 0 0 464 daisy </pre> <p>As with the DNS-based mechanism for determining the Kerberos realm of a host, we recommend distributing the information this way for use by other sites that may want to interact with yours using Kerberos, even if you don't immediately make use of it within your own site. If you anticipate installing a very large number of machines on which it will be hard to update the Kerberos configuration files, you may wish to do all of your Kerberos service lookups via DNS and not put the information (except for <code>admin_server</code> as noted above) in future versions of your <code>krb5.conf</code> files at all. Eventually, we hope to phase out the listing of server hostnames in the client-side configuration files; making preparations now will make the transition easier in the future. <p><hr> Node:<a name="Database%20Propagation">Database Propagation</a>, Previous:<a rel=previous href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a>, Up:<a rel=up href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <br> <h2>Database Propagation</h2> <p>The Kerberos database resides on the master KDC, and must be propagated regularly (usually by a cron job) to the slave KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a password change to take effect. <p>If the propagation time is longer than this maximum reasonable time (<i>e.g.,</i> you have a particularly large database, you have a lot of slaves, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the master KDC propagate the database to one set of slaves, and then have each of these slaves propagate the database to additional slaves. <p><hr> Node:<a name="Building%20Kerberos%20V5">Building Kerberos V5</a>, Next:<a rel=next href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>, Previous:<a rel=previous href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Building Kerberos V5</h1> Kerberos V5 uses a configuration system built using the Free Software Foundation's <code>autoconf</code> program. This system makes Kerberos V5 much simpler to build and reduces the amount of effort required in porting Kerberos V5 to a new platform. <ul> <li><a href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>: Description of the source tree. <li><a href="#Build%20Requirements">Build Requirements</a>: How much disk space, etc. you need to build Kerberos. <li><a href="#Unpacking%20the%20Sources">Unpacking the Sources</a>: Preparing the source tree. <li><a href="#Doing%20the%20Build">Doing the Build</a>: Compiling Kerberos. <li><a href="#Installing%20the%20Binaries">Installing the Binaries</a>: Installing the compiled binaries. <li><a href="#Testing%20the%20Build">Testing the Build</a>: Making sure Kerberos built correctly. <li><a href="#Options%20to%20Configure">Options to Configure</a>: Command-line options to Configure <li><a href="#osconf.h">osconf.h</a>: Header file-specific configurations <li><a href="#Shared%20Library%20Support">Shared Library Support</a>: Building Shared Libraries for Kerberos V5 <li><a href="#OS%20Incompatibilities">OS Incompatibilities</a>: Special cases to watch for. <li><a href="#Using%20Autoconf">Using Autoconf</a>: Modifying Kerberos V5's configuration scripts. </ul> <p><hr> Node:<a name="Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>, Next:<a rel=next href="#Build%20Requirements">Build Requirements</a>, Previous:<a rel=previous href="#Building%20Kerberos%20V5">Building Kerberos V5</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Build Requirements</h2> <p>Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow. <dl> <dt><b>appl</b> <dd>applications with Kerberos V5 extensions <dt><b>clients</b> <dd>Kerberos V5 user programs <dt><b>gen-manpages</b> <dd>manpages for Kerberos V5 and the Kerberos V5 login program <dt><b>include</b> <dd>include files <dt><b>kadmin</b> <dd>administrative interface to the Kerberos master database <dt><b>kdc</b> <dd>the Kerberos V5 Authentication Service and Key Distribution Center <dt><b>krb524</b> <dd>utilities for converting between Kerberos 4 and Kerberos 5 <dt><b>lib</b> <dd>libraries for use with/by Kerberos V5 <dt><b>mac</b> <dd>source code for building Kerberos V5 on MacOS <dt><b>prototype</b> <dd>templates for source code files <dt><b>slave</b> <dd>utilities for propagating the database to slave KDCs <dt><b>tests</b> <dd>test suite <dt><b>util</b> <dd>various utilities for building/configuring the code, sending bug reports, etc. <dt><b>windows</b> <dd>source code for building Kerberos V5 on Windows (see windows/README) </dl> <ul> <li><a href="#The%20appl%20Directory">The appl Directory</a>: <li><a href="#The%20clients%20Directory">The clients Directory</a>: <li><a href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a>: <li><a href="#The%20include%20Directory">The include Directory</a>: <li><a href="#The%20kadmin%20Directory">The kadmin Directory</a>: <li><a href="#The%20kdc%20Directory">The kdc Directory</a>: <li><a href="#The%20krb524%20Directory">The krb524 Directory</a>: <li><a href="#The%20lib%20Directory">The lib Directory</a>: <li><a href="#The%20prototype%20Directory">The prototype Directory</a>: <li><a href="#The%20slave%20Directory">The slave Directory</a>: <li><a href="#The%20util%20Directory">The util Directory</a>: </ul> <p><hr> Node:<a name="The%20appl%20Directory">The appl Directory</a>, Next:<a rel=next href="#The%20clients%20Directory">The clients Directory</a>, Previous:<a rel=previous href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The appl Directory</h3> <p>The Kerberos release provides certain UNIX utilities, modified to use Kerberos authentication. In the <i>appl/bsd</i> directory are the Berkeley utilities <i>login</i>, <i>rlogin</i>, <i>rsh</i>, and <i>rcp</i>, as well as the associated daemons <i>kshd</i> and <i>klogind</i>. The <i>login</i> program obtains ticket-granting tickets for users upon login; the other utilities provide authenticated Unix network services. <p>The <i>appl</i> directory also contains Kerberized telnet and ftp programs, as well as sample Kerberos application client and server programs. <p><hr> Node:<a name="The%20clients%20Directory">The clients Directory</a>, Next:<a rel=next href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a>, Previous:<a rel=previous href="#The%20appl%20Directory">The appl Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The clients Directory</h3> <p>This directory contains the code for several user-oriented programs. <dl> <dt><b>kdestroy</b> <dd>This program destroys the user's active Kerberos authorization tickets. MIT recommends that users <code>kdestroy</code> before logging out. <dt><b>kinit</b> <dd>This program prompts users for their Kerberos principal name and password, and attempts to get an initial ticket-granting-ticket for that principal. <dt><b>klist</b> <dd>This program lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file. <dt><b>kpasswd</b> <dd>This program changes a user's Kerberos password. <dt><b>ksu</b> <dd>This program is a Kerberized verions of the <code>su</code> program that is meant to securely change the real and effective user ID to that of the target user and to create a new security context. <dt><b>kvno</b> <dd>This program acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each. </dl> <p><hr> Node:<a name="The%20gen-manpages%20Directory">The gen-manpages Directory</a>, Next:<a rel=next href="#The%20include%20Directory">The include Directory</a>, Previous:<a rel=previous href="#The%20clients%20Directory">The clients Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The gen-manpages Directory</h3> <p>There are two manual pages in this directory. One is an introduction to the Kerberos system. The other describes the <code>.k5login</code> file which allows users to give access with their UID to other users authenticated by the Kerberos system. <p><hr> Node:<a name="The%20include%20Directory">The include Directory</a>, Next:<a rel=next href="#The%20kadmin%20Directory">The kadmin Directory</a>, Previous:<a rel=previous href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The include Directory</h3> <p>This directory contains the <i>include</i> files needed to build the Kerberos system. <p><hr> Node:<a name="The%20kadmin%20Directory">The kadmin Directory</a>, Next:<a rel=next href="#The%20kdc%20Directory">The kdc Directory</a>, Previous:<a rel=previous href="#The%20include%20Directory">The include Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The kadmin Directory</h3> <p>In this directory is the code for the utilities <code>kadmin</code>, <code>kadmin.local</code>, <code>kdb5_util</code>, and <code>ktutil</code>. <code>ktutil</code> is the Kerberos keytab file maintenance utility from which a Kerberos administrator can read, write, or edit entries in a Kerberos V5 keytab or Kerberos V4 srvtab. <code>kadmin</code> and <code>kadmin.local</code> are command-line interfaces to the Kerberos V5 KADM5 administration system. <code>kadmin.local</code> runs on the master KDC and does not use Kerberos to authenticate to the database, while <code>kadmin</code> uses Kerberos authentication and an encrypted RPC. The two provide identical functionalities, which allow administrators to modify the database of Kerberos principals. <code>kdb5_util</code> allows administrators to perform low-level maintenance procedures on Kerberos and the KADM5 database. With this utility, databases can be created, destroyed, or dumped to and loaded from ASCII files. It can also be used to create master key stash files. <p><hr> Node:<a name="The%20kdc%20Directory">The kdc Directory</a>, Next:<a rel=next href="#The%20krb524%20Directory">The krb524 Directory</a>, Previous:<a rel=previous href="#The%20kadmin%20Directory">The kadmin Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The kdc Directory</h3> <p>This directory contains the code for the <code>krb5kdc</code> daemon, the Kerberos Authentication Service and Key Distribution Center. <p><hr> Node:<a name="The%20krb524%20Directory">The krb524 Directory</a>, Next:<a rel=next href="#The%20lib%20Directory">The lib Directory</a>, Previous:<a rel=previous href="#The%20kdc%20Directory">The kdc Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The krb524 Directory</h3> <p>This directory contains the code for <code>krb524</code>, a service that converts Kerberos V5 credentials into Kerberos V4 credentials suitable for use with applications that for whatever reason do not use V5 directly. <p><hr> Node:<a name="The%20lib%20Directory">The lib Directory</a>, Next:<a rel=next href="#The%20prototype%20Directory">The prototype Directory</a>, Previous:<a rel=previous href="#The%20krb524%20Directory">The krb524 Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The lib Directory</h3> <p>The <i>lib</i> directory contain 10 subdirectories as well as some definition and glue files. The <i>crypto</i> subdirectory contains the Kerberos V5 encryption library. The <i>des425</i> subdirectory exports the Kerberos V4 encryption API, and translates these functions into calls to the Kerberos V5 encryption API. The <i>gssapi</i> library contains the Generic Security Services API, which is a library of commands to be used in secure client-server communication. The <i>kadm5</i> directory contains the libraries for the KADM5 administration utilities. The Kerberos 5 database libraries are contained in <i>kdb</i>. The directories <i>krb4</i> and <i>krb5</i> contain the Kerberos 4 and Kerberos 5 APIs, respectively. The <i>rpc</i> directory contains the API for the Kerberos Remote Procedure Call protocol. <p><hr> Node:<a name="The%20prototype%20Directory">The prototype Directory</a>, Next:<a rel=next href="#The%20slave%20Directory">The slave Directory</a>, Previous:<a rel=previous href="#The%20lib%20Directory">The lib Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The prototype Directory</h3> <p>This directory contains several template files. The <code>prototype.h</code> and <code>prototype.c</code> files contain the MIT copyright message and a placeholder for the title and description of the file. <code>prototype.h</code> also has a short template for writing <code>ifdef</code> and <code>ifndef</code> preprocessor statements. The <code>getopt.c</code> file provides a template for writing code that will parse the options with which a program was called. <p><hr> Node:<a name="The%20slave%20Directory">The slave Directory</a>, Next:<a rel=next href="#The%20util%20Directory">The util Directory</a>, Previous:<a rel=previous href="#The%20prototype%20Directory">The prototype Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The slave Directory</h3> <p>This directory contains code which allows for the propagation of the Kerberos principal database from the master KDC to slave KDCs over an encrypted, secure channel. <code>kprop</code> is the program which actually propagates the database dump file. <code>kpropd</code> is the Kerberos V5 slave KDC update server which accepts connections from the <code>kprop</code> program. <code>kslave_update</code> is a script that takes the name of a slave server, and propagates the database to that server if the database has been modified since the last dump or if the database has been dumped since the last propagation. <p><hr> Node:<a name="The%20util%20Directory">The util Directory</a>, Previous:<a rel=previous href="#The%20slave%20Directory">The slave Directory</a>, Up:<a rel=up href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a> <br> <h3>The util Directory</h3> <p>This directory contains several utility programs and libraries. The programs used to configure and build the code, such as <code>autoconf</code>, <code>lndir</code>, <code>kbuild</code>, <code>reconf</code>, and <code>makedepend</code>, are in this directory. The <i>profile</i> directory contains most of the functions which parse the Kerberos configuration files (<code>krb5.conf</code> and <code>kdc.conf</code>). Also in this directory are the Kerberos error table library and utilities (<i>et</i>), the Sub-system library and utilities (<i>ss</i>), database utilities (<i>db2</i>), pseudo-terminal utilities (<i>pty</i>), and bug-reporting program <code>send-pr</code>. <p><hr> Node:<a name="Build%20Requirements">Build Requirements</a>, Next:<a rel=next href="#Unpacking%20the%20Sources">Unpacking the Sources</a>, Previous:<a rel=previous href="#Organization%20of%20the%20Source%20Directory">Organization of the Source Directory</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Organization of the Source Directory</h2> <p>In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not. <p>If you wish to keep a separate <dfn>build tree</dfn>, which contains the compiled <code>*.o</code> file and executables, separate from your source tree, you will need a <code>make</code> program which supports <code>VPATH</code>, or you will need to use a tool such as <code>lndir</code> to produce a symbolic link tree for your build tree. <p><hr> Node:<a name="Unpacking%20the%20Sources">Unpacking the Sources</a>, Next:<a rel=next href="#Doing%20the%20Build">Doing the Build</a>, Previous:<a rel=previous href="#Build%20Requirements">Build Requirements</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Unpacking the Sources</h2> <p>The first step in each of these build procedures is to unpack the source distribution. The Kerberos V5 distribution comes in a tar file, generally named <code>krb5-1.3.tar</code>, which contains a compressed tar file consisting of the sources for all of Kerberos (generally <code>krb5-1.3.tar.gz</code>) and a PGP signature for this source tree (generally <code>krb5-1.3.tar.gz.asc</code>). MIT highly recommends that you verify the integrity of the source code using this signature. <p>Unpack the compressed tar file in some directory, such as <code>/u1/krb5-1.3</code>. (In the rest of this document, we will assume that you have chosen to unpack the Kerberos V5 source distribution in this directory. Note that the tarfiles will by default all unpack into the <code>./krb5-1.3</code> directory, so that if your current directory is <code>/u1</code> when you unpack the tarfiles, you will get <code>/u1/krb5-1.3/src</code>, etc.) <p><hr> Node:<a name="Doing%20the%20Build">Doing the Build</a>, Next:<a rel=next href="#Installing%20the%20Binaries">Installing the Binaries</a>, Previous:<a rel=previous href="#Unpacking%20the%20Sources">Unpacking the Sources</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Doing the Build</h2> <p>You have a number of different options in how to build Kerberos. If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at <a href="#OS%20Incompatibilities">OS Incompatibilities</a>, for notes that we have on particular operating systems. <ul> <li><a href="#Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>: <li><a href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>: <li><a href="#Building%20using%20lndir">Building using lndir</a>: </ul> <p><hr> Node:<a name="Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>, Next:<a rel=next href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>, Previous:<a rel=previous href="#Doing%20the%20Build">Doing the Build</a>, Up:<a rel=up href="#Doing%20the%20Build">Doing the Build</a> <br> <h3>Building Within a Single Tree</h3> <p>If you don't want separate build trees for each architecture, then use the following abbreviated procedure. <ol type=1 start=1> </p><li> <code>cd /u1/krb5-1.3/src</code> <li> <code>./configure</code> <li> <code>make</code> </ol> <p>That's it! <p><hr> Node:<a name="Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>, Next:<a rel=next href="#Building%20using%20lndir">Building using lndir</a>, Previous:<a rel=previous href="#Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a>, Up:<a rel=up href="#Doing%20the%20Build">Doing the Build</a> <br> <h3>Building with Separate Build Directories</h3> <p>If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your <code>make</code> program support <code>VPATH</code>. GNU's make will provide this functionality, for example.) If your <code>make</code> program does not support this, see the next section. <p>For example, if you wish to create a build directory for <code>pmax</code> binaries you might use the following procedure: <ol type=1 start=1> </p><li><code>mkdir /u1/krb5-1.3/pmax</code> <li> <code>cd /u1/krb5-1.3/pmax</code> <li> <code>../src/configure</code> <li> <code>make</code> </ol> <p><hr> Node:<a name="Building%20using%20lndir">Building using lndir</a>, Previous:<a rel=previous href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a>, Up:<a rel=up href="#Doing%20the%20Build">Doing the Build</a> <br> <h3>Building Using <code>lndir</code></h3> <p>If you wish to keep separate build directories for each platform, and you do not have access to a <code>make</code> program which supports <code>VPATH</code>, all is not lost. You can use the <code>lndir</code> program to create symbolic link trees in your build directory. <p>For example, if you wish to create a build directory for solaris binaries you might use the following procedure: <ol type=1 start=1> </p><li> <code>mkdir /u1/krb5-1.3/solaris</code> <li> <code>cd /u1/krb5-1.3/solaris</code> <li> <code>/u1/krb5-1.3/src/util/lndir `pwd`/../src</code> <li> <code>./configure</code> <li> <code>make</code> </ol> <p>You must give an absolute pathname to <code>lndir</code> because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable. <p><hr> Node:<a name="Installing%20the%20Binaries">Installing the Binaries</a>, Next:<a rel=next href="#Testing%20the%20Build">Testing the Build</a>, Previous:<a rel=previous href="#Doing%20the%20Build">Doing the Build</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Installing the Binaries</h2> <p>Once you have built Kerberos, you should install the binaries. You can do this by running: <pre>% make install </pre> <p>If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use: <pre>% make install DESTDIR=/path/to/destdir </pre> <p>This will install the binaries under <code>DESTDIR/PREFIX</code>, e.g., the user programs will install into <code>DESTDIR/PREFIX/bin</code>, the libraries into <code>DESTDIR/PREFIX/lib</code>, etc. <p>Note that if you want to test the build (see <a href="#Testing%20the%20Build">Testing the Build</a>), you usually do not need to do a <code>make install</code> first. <p><hr> Node:<a name="Testing%20the%20Build">Testing the Build</a>, Next:<a rel=next href="#Options%20to%20Configure">Options to Configure</a>, Previous:<a rel=previous href="#Installing%20the%20Binaries">Installing the Binaries</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Testing the Build</h2> <p>The Kerberos V5 distribution comes with built-in regression tests. To run them, simply type the following command while in the top-level build directory (i.e., the directory where you sent typed <code>make</code> to start building Kerberos; see <a href="#Doing%20the%20Build">Doing the Build</a>.): <pre>% make check </pre> <ul> <li><a href="#The%20DejaGnu%20Tests">The DejaGnu Tests</a>: <li><a href="#The%20KADM5%20Tests">The KADM5 Tests</a>: </ul> <p><hr> Node:<a name="The%20DejaGnu%20Tests">The DejaGnu Tests</a>, Next:<a rel=next href="#The%20KADM5%20Tests">The KADM5 Tests</a>, Previous:<a rel=previous href="#Testing%20the%20Build">Testing the Build</a>, Up:<a rel=up href="#Testing%20the%20Build">Testing the Build</a> <br> <h3>The DejaGnu Tests</h3> <p>Some of the built-in regression tests are setup to use the DejaGnu framework for running tests. These tests tend to be more comprehensive than the normal built-in tests as they setup test servers and test client/server activities. <p>DejaGnu may be found wherever GNU software is archived. <p>Most of the tests are setup to run as a non-privledged user. For some of the krb-root tests to work properly, either (a) the user running the tests must not have a .k5login file in the home directory or (b) the .k5login file must contain an entry for <code><username>@KRBTEST.COM</code>. There are two series of tests (<code>rlogind</code> and <code>telnetd</code>) which require the ability to <code>rlogin</code> as root to the local machine. Admittedly, this does require the use of a <code>.rhosts</code> file or some authenticated means. <a rel=footnote href="#fn-2"><sup>2</sup></a> <p>If you cannot obtain root access to your machine, all the other tests will still run. Note however, with DejaGnu 1.2, the "untested testcases" will cause the testsuite to exit with a non-zero exit status which <code>make</code> will consider a failure of the testing process. Do not worry about this, as these tests are the last run when <code>make check</code> is executed from the top level of the build tree. This problem does not exist with DejaGnu 1.3. <p><hr> Node:<a name="The%20KADM5%20Tests">The KADM5 Tests</a>, Previous:<a rel=previous href="#The%20DejaGnu%20Tests">The DejaGnu Tests</a>, Up:<a rel=up href="#Testing%20the%20Build">Testing the Build</a> <br> <h3>The KADM5 Tests</h3> <p>Regression tests for the KADM5 system, including the GSS-RPC, KADM5 client and server libraries, and kpasswd, are also included in this release. Each set of KADM5 tests is contained in a sub-directory called <code>unit-test</code> directly below the system being tested. For example, lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all based on DejaGnu (but they are not actually called part of "The DejaGnu tests," whose naming predates the inclusion of the KADM5 system). In addition, they require the Tool Command Language (TCL) header files and libraries to be available during compilation and some of the tests also require Perl in order to operate. If all of these resources are not available during configuration, the KADM5 tests will not run. The TCL installation directory can be specified with the <code>--with-tcl</code> configure option. (See See <a href="#Options%20to%20Configure">Options to Configure</a>.) The runtest and perl programs must be in the current execution path. <p>If you install DejaGnu, TCL, or Perl after configuring and building Kerberos and then want to run the KADM5 tests, you will need to re-configure the tree and run <code>make</code> at the top level again to make sure all the proper programs are built. To save time, you actually only need to reconfigure and build in the directories src/kadmin/testing, src/lib/rpc, src/lib/kadm5. <p><hr> Node:<a name="Options%20to%20Configure">Options to Configure</a>, Next:<a rel=next href="#osconf.h">osconf.h</a>, Previous:<a rel=previous href="#Testing%20the%20Build">Testing the Build</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Options to Configure</h2> <p>There are a number of options to <code>configure</code> which you can use to control how the Kerberos distribution is built. The following table lists the most commonly used options to Kerberos V5's <code>configure</code> program. <dl> <br><dt><code>--help</code> <dd> Provides help to configure. This will list the set of commonly used options for building Kerberos. <br><dt><code>--prefix=PREFIX</code> <dd> By default, Kerberos will install the package's files rooted at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you desire a different location, use this option. <br><dt><code>--exec-prefix=EXECPREFIX</code> <dd> This option allows one to separate the architecture independent programs from the configuration files and manual pages. <br><dt><code>--localstatedir=LOCALSTATEDIR</code> <dd> This option sets the directory for locally modifiable single-machine data. In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in <code>LOCALSTATEDIR/krb5kdc</code>, which is by default <code>PREFIX/var/krb5kdc</code>. <br><dt><code>CC=COMPILER</code> <dd> Use <code>COMPILER</code> as the C compiler. <br><dt><code>CFLAGS=FLAGS</code> <dd> Use <code>FLAGS</code> as the default set of C compiler flags. <p>Note that if you use the native Ultrix compiler on a DECstation you are likely to lose if you pass no flags to cc; md4.c takes an estimated 3,469 billion years to compile if you provide neither the <code>-g</code> flag nor the <code>-O</code> flag to <code>cc</code>. <br><dt><code>CPPFLAGS=CPPOPTS</code> <dd> Use <code>CPPOPTS</code> as the default set of C preprocessor flags. The most common use of this option is to select certain <code>#define</code>'s for use with the operating system's include files. <br><dt><code>LD=LINKER</code> <dd> Use <code>LINKER</code> as the default loader if it should be different from C compiler as specified above. <br><dt><code>LDFLAGS=LDOPTS</code> <dd> This option allows one to specify optional arguments to be passed to the linker. This might be used to specify optional library paths. <br><dt><code>--with-krb4</code> <dd> This option enables Kerberos V4 backwards compatibility using the builtin Kerberos V4 library. <br><dt><code>--with-krb4=KRB4DIR</code> <dd> This option enables Kerberos V4 backwards compatibility using a pre-existing Kerberos V4 installation. The directory specified by <code>KRB4DIR</code> specifies where the V4 header files should be found (<code>KRB4DIR/include</code>) as well as where the V4 Kerberos library should be found (<code>KRB4DIR/lib</code>). <br><dt><code>--without-krb4</code> <dd> Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4 clients from using the V5 services including the KDC. This would be useful if you know you will never install or need to interact with V4 clients. <br><dt><code>--with-netlib[=libs]</code> <dd> Allows for suppression of or replacement of network libraries. By default, Kerberos V5 configuration will look for <code>-lnsl</code> and <code>-lsocket</code>. If your operating system has a broken resolver library (see <a href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>) or fails to pass the tests in <code>src/tests/resolv</code> you will need to use this option. <br><dt><code>--with-tcl=TCLPATH</code> <dd> Some of the unit-tests in the build tree rely upon using a program in Tcl. The directory specified by <code>TCLPATH</code> specifies where the Tcl header file (<code>TCLPATH/include/tcl.h</code> as well as where the Tcl library should be found (<code>TCLPATH/lib</code>). <br><dt><code>--enable-shared</code> <dd> This option will turn on the building and use of shared library objects in the Kerberos build. This option is only supported on certain platforms. <br><dt><code>--enable-dns</code> <br><dt><code>--enable-dns-for-kdc</code> <br><dt><code>--enable-dns-for-realm</code> <dd> Enable the use of DNS to look up a host's Kerberos realm, or a realm's KDCs, if the information is not provided in krb5.conf. See <a href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a> for information about using DNS to locate the KDCs, and <a href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a> for information about using DNS to determine the default realm. By default, DNS lookups are enabled for the former but not for the latter. <br><dt><code>--enable-kdc-replay-cache</code> <dd> Enable a cache in the KDC to detect retransmitted messages, and resend the previous responses to them. This protects against certain types of attempts to extract information from the KDC through some of the hardware preauthentication systems. <br><dt><code>--with-system-et</code> <dd> Use an installed version of the error-table support software, the <code>compile_et</code> program, the <code>com_err.h</code> header file and the <code>com_err</code> library. If these are not in the default locations, you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and <code>LDFLAGS=-L/some/other/dir</code> options at configuration time as well. <p>If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against. <br><dt><code>--with-system-ss</code> <dd> Use an installed version of the subsystem command-line interface software, the <code>mk_cmds</code> program, the <code>ss/ss.h</code> header file and the <code>ss</code> library. If these are not in the default locations, you may wish to specify <code>CPPFLAGS=-I/some/dir</code> and <code>LDFLAGS=-L/some/other/dir</code> options at configuration time as well. See also the <code>SS_LIB</code> option. <p>If this option is not given, the <code>ss</code> library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately. <br><dt><code>SS_LIB=libs...</code> <dd> If <code>-lss</code> is not the correct way to link in your installed <code>ss</code> library, for example if additional support libraries are needed, specify the correct link options here. Some variants of this library are around which allow for Emacs-like line editing, but different versions require different support libraries to be explicitly specified. <p>This option is ignored if <code>--with-system-ss</code> is not specified. <br><dt><code>--with-system-db</code> <dd> Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85. This option is <em>unsupported</em> and untested. In particular, we do not know if the database-rename code used in the dumpfile load operation will behave properly. <p>If this option is not given, a version supplied with the Kerberos sources will be built and installed. (We are not updating this version at this time because of licensing issues with newer versions that we haven't investigated sufficiently yet.) <br><dt><code>DB_HEADER=headername.h</code> <dd> If <code>db.h</code> is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option. For example, <code>DB_HEADER=db3/db_185.h</code>. <br><dt><code>DB_LIB=libs...</code> <dd> If <code>-ldb</code> is not the correct library specification for the Berkeley DB library version to be used, override it with this option. For example, <code>DB_LIB=-ldb-3.3</code>. </dl> <p>For example, in order to configure Kerberos on a Solaris machine using the <code>suncc</code> compiler with the optimizer turned on, run the configure script with the following options: <pre>% ./configure CC=suncc CFLAGS=-O </pre> <p>For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in <code>/usr/foobar</code>, including Berkeley DB 3.3, and an <code>ss</code> library that needs to link against the <code>curses</code> library. The configuration of Kerberos might be done thus: <pre>% ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \ --with-system-et --with-system-ss --with-system-db \ SS_LIB='-lss -lcurses' \ DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3 </pre> <p>In previous releases, <code>--with-</code> options were used to specify the compiler and linker and their options. <p><hr> Node:<a name="osconf.h">osconf.h</a>, Next:<a rel=next href="#Shared%20Library%20Support">Shared Library Support</a>, Previous:<a rel=previous href="#Options%20to%20Configure">Options to Configure</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2><code>osconf.h</code></h2> <p>There is one configuration file which you may wish to edit to control various compile-time parameters in the Kerberos distribution: <code>include/krb5/stock/osconf.h</code>. The list that follows is by no means complete, just some of the more interesting variables. <p>Please note: The former configuration file <code>config.h</code> no longer exists as its functionality has been merged into the auto-configuration process. See <a href="#Options%20to%20Configure">Options to Configure</a>. <dl> <br><dt><code>DEFAULT_PROFILE_PATH</code> <dd> The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is /etc/krb5.conf. <p>The profile file format is no longer the same format as Kerberos V4's <code>krb.conf</code> file. <br><dt><code>DEFAULT_KEYTAB_NAME</code> <dd> The type and pathname to the default server keytab file (the equivalent of Kerberos V4's <code>/etc/srvtab</code>). The default is /etc/krb5.keytab. <br><dt><code>DEFAULT_KDC_ENCTYPE</code> <dd> The default encryption type for the KDC. The default value is des3-cbc-sha1. <br><dt><code>KDCRCACHE</code> <dd> The name of the replay cache used by the KDC. The default value is krb5kdc_rcache. <br><dt><code>RCTMPDIR</code> <dd> The directory which stores replay caches. The default is to try /var/tmp, /usr/tmp, /var/usr/tmp, and /tmp. <br><dt><code>DEFAULT_KDB_FILE</code> <dd> The location of the default database. The default value is /usr/local/var/krb5kdc/principal. </dl> <p><hr> Node:<a name="Shared%20Library%20Support">Shared Library Support</a>, Next:<a rel=next href="#OS%20Incompatibilities">OS Incompatibilities</a>, Previous:<a rel=previous href="#osconf.h">osconf.h</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Shared Library Support</h2> <p>Shared library support is provided for a few operating systems. There are restrictions as to which compiler to use when using shared libraries. In all cases, executables linked with the shared libraries in this build process will have built in the location of the libraries, therefore obliterating the need for special LD_LIBRARY_PATH, et al environment variables when using the programs. Except where noted, multiple versions of the libraries may be installed on the same system and continue to work. <p>Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS 5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows (using DLLs). <p>Shared library support has been tested on the following platforms but not exhaustively (they have been built but not necessarily tested in an installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and HP/UX 10.20. <p>Platforms for which there is shared library support but not significant testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x (i386), and SunOS 4.x. <p>To enable shared libraries on the above platforms, run the configure script with the option <code>--enable-shared</code>. <p><hr> Node:<a name="OS%20Incompatibilities">OS Incompatibilities</a>, Next:<a rel=next href="#Using%20Autoconf">Using Autoconf</a>, Previous:<a rel=previous href="#Shared%20Library%20Support">Shared Library Support</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Operating System Incompatibilities</h2> <p>This section details operating system incompatibilities with Kerberos V5 which have been reported to the developers at MIT. If you find additional incompatibilities, and/or discover work arounds to such problems, please send a report via the <code>krb5-send-pr</code> program. Thanks! <ul> <li><a href="#AIX">AIX</a>: <li><a href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>: <li><a href="#Alpha%20OSF%2f1%20(Digital%20Unix)%20V2.0++">Alpha OSF/1 (Digital Unix) V2.0++</a>: <li><a href="#BSDI">BSDI</a>: <li><a href="#HPUX">HPUX</a>: <li><a href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>: <li><a href="#Solaris%202.X">Solaris 2.X</a>: <li><a href="#SGI%20Irix%205.X">SGI Irix 5.X</a>: <li><a href="#Ultrix%204.2%2f3">Ultrix 4.2/3</a>: </ul> <p><hr> Node:<a name="AIX">AIX</a>, Next:<a rel=next href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>, Previous:<a rel=previous href="#OS%20Incompatibilities">OS Incompatibilities</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>AIX</h3> <p>The AIX 3.2.5 linker dumps core trying to build a shared <code>libkrb5.a</code> produced with the GNU C compiler. The native AIX compiler works fine. This problem is fixed using the AIX 4.1 linker. <p><hr> Node:<a name="Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>, Next:<a rel=next href="#Alpha%20OSF%2f1%20(Digital%20Unix)%20V2.0++">Alpha OSF/1 (Digital Unix) V2.0++</a>, Previous:<a rel=previous href="#AIX">AIX</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>Alpha OSF/1 V1.3</h3> <p>Using the native compiler, compiling with the <code>-O</code> compiler flag causes the <code>asn.1</code> library to be compiled incorrectly. <p>Using GCC version 2.6.3 or later instead of the native compiler will also work fine, both with or without optimization. <p><hr> Node:<a name="Alpha%20OSF%2f1%20(Digital%20Unix)%20V2.0++">Alpha OSF/1 (Digital Unix) V2.0++</a>, Next:<a rel=next href="#BSDI">BSDI</a>, Previous:<a rel=previous href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>Alpha OSF/1 V2.0++</h3> <p>There used to be a bug when using the native compiler in compiling <code>md4.c</code> when compiled without either the <code>-O</code> or <code>-g</code> compiler options. We have changed the code and there is no problem under V2.1, but we do not have access to V2.0 to test and see if the problem would exist there. (We welcome feedback on this issue). There was never a problem in using GCC version 2.6.3. <p>In version 3.2 and beyond of the operating system, we have not seen any problems with the native compiler. <p><hr> Node:<a name="BSDI">BSDI</a>, Next:<a rel=next href="#HPUX">HPUX</a>, Previous:<a rel=previous href="#Alpha%20OSF%2f1%20(Digital%20Unix)%20V2.0++">Alpha OSF/1 (Digital Unix) V2.0++</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>BSDI</h3> <p>BSDI versions 1.0 and 1.1 reportedly has a bad <code>sed</code> which causes it to go into an infinite loop during the build. The work around is to use a <code>sed</code> from somewhere else, such as GNU. (This may be true for some versions of other systems derived from BSD 4.4, such as NetBSD and FreeBSD.) <p><hr> Node:<a name="HPUX">HPUX</a>, Next:<a rel=next href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>, Previous:<a rel=previous href="#BSDI">BSDI</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>HPUX</h3> <p>The native (bundled) compiler for HPUX currently will not work, because it is not a full ANSI C compiler. The optional ANSI C compiler should work as long as you give it the <code>-Ae</code> flag (i.e. <code>./configure CC='cc -Ae'</code>). This is equivalent to <code>./configure CC='c89 -D_HPUX_SOURCE'</code>, which was the previous recommendation. This has only been tested recently for HPUX 10.20. <p><hr> Node:<a name="Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>, Next:<a rel=next href="#Solaris%202.X">Solaris 2.X</a>, Previous:<a rel=previous href="#HPUX">HPUX</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>Solaris versions 2.0 through 2.3</h3> <p>The <code>gethostbyname()</code> routine is broken; it does not return a fully qualified domain name, even if you are using the Domain Name Service routines. Since Kerberos V5 uses the fully qualified domain name as the second component of a service principal (i.e, <code>host/tsx-11.mit.edu@ATHENA.MIT.EDU</code>), this causes problems for servers who try to figure out their own fully qualified domain name. <p>Workarounds: <ol type=1 start=1> </p><li> Supply your own resolver library. (such as bind-4.9.3pl1 available from ftp.vix.com) <li> Upgrade to Solaris 2.4 <li> Make sure your /etc/nsswitch.conf has `files' before `dns' like: <pre>hosts: files dns </pre> <p>and then in /etc/hosts, make sure there is a line with your workstation's IP address and hostname, with the fully qualified domain name first. Example: <pre>18.172.1.4 dcl.mit.edu dcl </pre> <p>Note that making this change may cause other programs in your environment to break or behave differently. </ol> <p><hr> Node:<a name="Solaris%202.X">Solaris 2.X</a>, Next:<a rel=next href="#SGI%20Irix%205.X">SGI Irix 5.X</a>, Previous:<a rel=previous href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>Solaris 2.X</h3> <p>You <b>must</b> compile Kerberos V5 without the UCB compatibility libraries. This means that <code>/usr/ucblib</code> must not be in the LD_LIBRARY_PATH environment variable when you compile it. Alternatively you can use the <code>-i</code> option to <code>cc</code>, by using the specifying <code>CFLAGS=-i</code> option to <code>configure</code>. <p>If you are compiling for a 64-bit execution environment, you may need to configure with the option <code>CFLAGS="-D_XOPEN_SOURCE=500 -D__EXTENSIONS__"</code>. This is not well tested; at MIT we work primarily with the 32-bit execution environment. <p><hr> Node:<a name="SGI%20Irix%205.X">SGI Irix 5.X</a>, Next:<a rel=next href="#Ultrix%204.2%2f3">Ultrix 4.2/3</a>, Previous:<a rel=previous href="#Solaris%202.X">Solaris 2.X</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>SGI Irix 5.X</h3> <p>If you are building in a tree separate from the source tree, the vendors version of make does not work properly with regards to <code>VPATH</code>. It also has problems with standard inference rules in 5.2 (not tested yet in 5.3) so one needs to use GNU's make. <p>Under 5.2, there is a bug in the optional System V <code>-lsocket</code> library in which the routine <code>gethostbyname()</code> is broken. The system supplied version in <code>-lc</code> appears to work though so one may simply specify <code>--with-netlib</code> option to <code>configure</code>. <p>In 5.3, <code>gethostbyname()</code> is no longer present in <code>-lsocket</code> and is no longer an issue. <p><hr> Node:<a name="Ultrix%204.2%2f3">Ultrix 4.2/3</a>, Previous:<a rel=previous href="#SGI%20Irix%205.X">SGI Irix 5.X</a>, Up:<a rel=up href="#OS%20Incompatibilities">OS Incompatibilities</a> <br> <h3>Ultrix 4.2/3</h3> <p>The DEC MIPS platform currently will not support the native compiler, since the Ultrix compiler is not a full ANSI C compiler. You should use GCC instead. <p><hr> Node:<a name="Using%20Autoconf">Using Autoconf</a>, Previous:<a rel=previous href="#OS%20Incompatibilities">OS Incompatibilities</a>, Up:<a rel=up href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <br> <h2>Using <code>Autoconf</code></h2> <p>(If you are not a developer, you can skip this section.) <p>In most of the Kerberos V5 source directories, there is a <code>configure</code> script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. These <code>configure</code> files are generated using <code>autoconf</code>, which can be found in the <code>src/util/autoconf</code> directory in the distribution. <p>Normal users will not need to worry about running <code>autoconf</code>; the distribution comes with the <code>configure</code> files already prebuilt. Developers who wish to modify the <code>configure.in</code> files should see <a href="autoconf.html#Overview">Top</a>. <p>Note that in order to run <code>autoconf</code>, you must have GNU <code>m4</code> in your path. Before you use the <code>autoconf</code> in the Kerberos V5 source tree, you may also need to run <code>configure</code>, and then run <code>make</code> in the <code>src/util/autoconf</code> directory in order to properly set up <code>autoconf</code>. <p>One tool which is provided for the convenience of developers can be found in <code>src/util/reconf</code>. This program should be run while the current directory is the top source directory. It will automatically rebuild any <code>configure</code> files which need rebuilding. If you know that you have made a change that will require that all the <code>configure</code> files need to be rebuilt from scratch, specify the <code>--force</code> option: <pre>% cd /u1/krb5-1.3/src % ./util/reconf --force </pre> <p>The developmental sources are a raw source tree (before it's been packaged for public release), without the pre-built <code>configure</code> files. In order to build from such a source tree, you must do: <pre>% cd krb5/util/autoconf % ./configure % make % cd ../.. % util/reconf </pre> <p>Then follow the instructions for building packaged source trees (above). To install the binaries into a binary tree, do: <pre>% cd /u1/krb5-1.3/src % make all % make install DESTDIR=somewhere-else </pre> <p><hr> Node:<a name="Installing%20Kerberos%20V5">Installing Kerberos V5</a>, Next:<a rel=next href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>, Previous:<a rel=previous href="#Building%20Kerberos%20V5">Building Kerberos V5</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Installing Kerberos V5</h1> <p>The sections of this chapter describe procedures for installing Kerberos V5 on: <ol type=1 start=1> </p><li>The KDCs <li>UNIX client machines <li>UNIX Application Servers </ol> <ul> <li><a href="#Installing%20KDCs">Installing KDCs</a>: <li><a href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>: <li><a href="#UNIX%20Application%20Servers">UNIX Application Servers</a>: </ul> <p><hr> Node:<a name="Installing%20KDCs">Installing KDCs</a>, Next:<a rel=next href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>, Previous:<a rel=previous href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>, Up:<a rel=up href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a> <br> <h2>Installing KDCs</h2> <p>The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC contains a copy of the Kerberos database. The master KDC contains the master copy of the database, which it propagates to the slave KDCs at regular intervals. All database changes (such as password changes) are made on the master KDC. <p>Slave KDCs provide Kerberos ticket-granting services, but not database administration. This allows clients to continue to obtain tickets when the master KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the master or one of the slaves. This will enable you to easily switch your master KDC with one of the slaves if necessary. (See <a href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>.) This installation procedure is based on that recommendation. <ul> <li><a href="#Install%20the%20Master%20KDC">Install the Master KDC</a>: <li><a href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>: <li><a href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>: <li><a href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>: <li><a href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>: <li><a href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>: <li><a href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>: </ul> <p><hr> Node:<a name="Install%20the%20Master%20KDC">Install the Master KDC</a>, Next:<a rel=next href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>, Previous:<a rel=previous href="#Installing%20KDCs">Installing KDCs</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Install the Master KDC</h3> <p>This installation procedure will require you to go back and forth a couple of times between the master KDC and each of the slave KDCs. The first few steps must be done on the master KDC. <ul> <li><a href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>: <li><a href="#krb5.conf">krb5.conf</a>: <li><a href="#kdc.conf">kdc.conf</a>: <li><a href="#Create%20the%20Database">Create the Database</a>: <li><a href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>: <li><a href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>: <li><a href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>: <li><a href="#Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons</a>: </ul> <p><hr> Node:<a name="Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>, Next:<a rel=next href="#krb5.conf">krb5.conf</a>, Previous:<a rel=previous href="#Install%20the%20Master%20KDC">Install the Master KDC</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>Edit the Configuration Files</h4> <p>Modify the configuration files, <code>/etc/krb5.conf</code> and <code>/usr/local/var/krb5kdc/kdc.conf</code> to reflect the correct information (such as the hostnames and realm name) for your realm. MIT recommends that you keep <code>krb5.conf</code> in <code>/etc</code>. <p>Most of the tags in the configuration have default values that will work well for most sites. There are some tags in the <code>krb5.conf</code> file whose values must be specified, and this section will explain those as well as give an overview of all of the sections in both configuration files. For more information on changing defaults with the configuration files, see the Kerberos V5 System Administrator's Guide sections on configuration files. <p><hr> Node:<a name="krb5.conf">krb5.conf</a>, Next:<a rel=next href="#kdc.conf">kdc.conf</a>, Previous:<a rel=previous href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>krb5.conf</h4> <p>The <code>krb5.conf</code> file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your <code>krb5.conf</code> file in the directory <code>/etc</code>. You can override the default location by setting the environment variable <code>KRB5_CONFIG</code>. <p>The <code>krb5.conf</code> file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form: <pre>foo = bar </pre> <p>or <pre>fubar = { foo = bar baz = quux } </pre> <p>Placing a `*' at the end of a line indicates that this is the <dfn>final</dfn> value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. <p>For example, if you have the following lines: <pre>foo = bar* foo = baz </pre> <p>then the second value of foo (baz) would never be read. <p>The <code>krb5.conf</code> file may contain any or all of the following sections: <dl> <dt><b>libdefaults</b> <dd>Contains default values used by the Kerberos V5 library. <dt><b>login</b> <dd>Contains default values used by the Kerberos V5 login program. <dt><b>appdefaults</b> <dd>Contains default values that can be used by Kerberos V5 applications. <dt><b>realms</b> <dd>Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. <dt><b>domain_realm</b> <dd>Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name. <dt><b>logging</b> <dd>Contains relations which determine how Kerberos programs are to perform logging. <dt><b>capaths</b> <dd>Contains the authentication paths used with direct (nonhierarchical) cross-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross-realm authentication. It is also used by the end-service when checking the transited field for trusted intermediate realms. </dl> <p>If you are not using DNS TXT records, you must specify the <code>default_realm</code> in the <code>libdefaults</code> section. If you are not using DNS SRV records, you must include the <code>kdc</code> tag for each realm in the <code>realms</code> section. To communicate with the kadmin server in each realm, the <code>admin_server</code> tag must be set in the <code>realms</code> section. If your domain name and realm name are not the same, you must provide a translation in <code>domain_realm</code>. It is also higly recommeneded that you create a <code>[logging]</code> stanza if the computer will be functioning as a KDC so that the KDC and kadmind will generate logging output. <p>An example <code>krb5.conf</code> file: <pre>[libdefaults] default_realm = ATHENA.MIT.EDU [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu admin_server = kerberos.mit.edu { [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log </pre> <p><hr> Node:<a name="kdc.conf">kdc.conf</a>, Next:<a rel=next href="#Create%20the%20Database">Create the Database</a>, Previous:<a rel=previous href="#krb5.conf">krb5.conf</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>kdc.conf</h4> <p>The <code>kdc.conf</code> file contains KDC configuration information, including defaults used when issuing Kerberos tickets. Normally, you should install your <code>kdc.conf</code> file in the directory <code>/usr/local/var/krb5kdc</code>. You can override the default location by setting the environment variable <code>KRB5_KDC_PROFILE</code>. <p>The <code>kdc.conf</code> file is set up in the same format as the <code>krb5.conf</code> file. (See <a href="#krb5.conf">krb5.conf</a>.) The <code>kdc.conf</code> file may contain any or all of the following three sections: <dl> <dt><b>kdcdefaults</b> <dd>Contains default values for overall behavior of the KDC. <br><dt><b>realms</b> <dd>Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. <br><dt><b>logging</b> <dd>Contains relations which determine how Kerberos programs are to perform logging. </dl> <p><hr> Node:<a name="Create%20the%20Database">Create the Database</a>, Next:<a rel=next href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>, Previous:<a rel=previous href="#kdc.conf">kdc.conf</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>Create the Database</h4> <p>You will use the <code>kdb5_util</code> command <em>on the Master KDC</em> to create the Kerberos database and the optional stash file. The <dfn>stash file</dfn> is a local copy of the master key that resides in encrypted form on the KDC's local disk. The stash file is used to authenticate the KDC to itself automatically before starting the <code>kadmind</code> and <code>krb5kdc</code> daemons (<i>e.g.,</i> as part of the machine's boot sequence). The stash file, like the keytab file (see See <a href="#The%20Keytab%20File">The Keytab File</a>, for more information) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself. <p>Note that <code>kdb5_util</code> will prompt you for the master key for the Kerberos database. This key can be any string. A good key is one you can remember, but that no one else can guess. Examples of bad keys are words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your username in any form (<i>e.g.</i>, forward, backward, repeated twice, <i>etc.</i>), and any of the sample keys that appear in this manual. One example of a key which might be good if it did not appear in this manual is "MITiys4K5!", which represents the sentence "MIT is your source for Kerberos 5!" (It's the first letter of each word, substituting the numeral "4" for the word "for", and includes the punctuation mark at the end.) <p>The following is an example of how to create a Kerberos database and stash file on the master KDC, using the <code>kdb5_util</code> command. (The line that begins with => is a continuation of the previous line.) Replace <i>ATHENA.MIT.EDU</i> with the name of your Kerberos realm. <pre><b>shell%</b> /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s <b>Initializing database '/usr/local/var/krb5kdc/principal' for => realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password.</b> <b>Enter KDC database master key:</b> <i><= Type the master password.</i> <b>Re-enter KDC database master key to verify:</b> <i><= Type it again.</i> <b>shell%</b> </pre> <p>This will create five files in the directory specified in your <code>kdc.conf</code> file: two Kerberos database files, <code>principal.db</code>, and <code>principal.ok</code>; the Kerberos administrative database file, <code>principal.kadm5</code>; the administrative database lock file, <code>principal.kadm5.lock</code>; and the stash file, <code>.k5stash</code>. (The default directory is <code>/usr/local/var/krb5kdc</code>.) If you do not want a stash file, run the above command without the <code>-s</code> option. <p><hr> Node:<a name="Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>, Next:<a rel=next href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>, Previous:<a rel=previous href="#Create%20the%20Database">Create the Database</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>Add Administrators to the Acl File</h4> <p>Next, you need create an Access Control List (acl) file, and put the Kerberos principal of at least one of the administrators into it. The filename should match the value you have set for "acl_file" in your <code>kdc.conf</code> file. The default file name is <code>/usr/local/var/krb5kdc/kadm5.acl</code>. <p>The format of the file is: <pre>Kerberos_principal permissions [target_principal] [restrictions] </pre> <p>The Kerberos principal (and optional target principal) can include the "<b>*</b>" wildcard, so if you want any principal with the instance "admin" to have full permissions on the database, you could use the principal "<code>*/admin@REALM</code>" where "REALM" is your Kerberos realm. <code>target_principal</code> can also include backreferences to <code>Kerberos_principal</code>, in which "<b>*<i>number</i></b>" matches the component <i>number</i> in the <code>Kerberos_principal</code>. <p>Note: a common use of an <i>admin</i> instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user <code>joeadmin</code> might have a principal for his administrative use, called <code>joeadmin/admin</code>. This way, <code>joeadmin</code> would obtain <code>joeadmin/admin</code> tickets only when he actually needs to use those permissions. <p>The permissions are represented by single letters; UPPER-CASE letters represent negative permissions. The permissions are: <dl> <dt><b>a</b> <dd>allows the addition of principals or policies in the database. <dt><b>A</b> <dd>disallows the addition of principals or policies in the database. <dt><b>d</b> <dd>allows the deletion of principals or policies in the database. <dt><b>D</b> <dd>disallows the deletion of principals or policies in the database. <dt><b>m</b> <dd>allows the modification of principals or policies in the database. <dt><b>M</b> <dd>disallows the modification of principals or policies in the database. <dt><b>c</b> <dd>allows the changing of passwords for principals in the database. <dt><b>C</b> <dd>disallows the changing of passwords for principals in the database. <dt><b>i</b> <dd>allows inquiries to the database. <dt><b>I</b> <dd>disallows inquiries to the database. <dt><b>l</b> <dd>allows the listing of principals or policies in the database. <dt><b>L</b> <dd>disallows the listing of principals or policies in the database. <dt><b>s</b> <dd>allows the explicit setting of the key for a principal <dt><b>S</b> <dd>disallows the explicit setting of the key for a principal <dt><b>*</b> <dd>All privileges (admcil). <dt><b>x</b> <dd>All privileges (admcil); identical to "*". </dl> <p>The restrictions are a string of flags. Allowed restrictions are: <dl> <dt><b>[+ -]<i>flagname</i></b> <dd>flag is forced to indicated value. The permissible flags are the same as the <code>+</code> and <code>-</code> flags for the <code>kadmin addprinc</code> and <code>modprinc</code> commands. <dt><b>-clearpolicy</b> <dd>policy is forced to clear <dt><b>-policy <i>pol</i></b> <dd>policy is forced to be <i>pol</i> <dt><b>expire <i>time</i></b> <dt><b>pwexpire <i>time</i></b> <dt><b>maxlife <i>time</i></b> <dt><b>maxrenewlife <i>time</i></b> <dd>associated value will be forced to MIN(<i>time</i>, requested value) </dl> <p>The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. <p>Here is an example of a <code>kadm5.acl</code> file. Note that order is important; permissions are determined by the first matching entry. <pre>*/admin@ATHENA.MIT.EDU * joeadmin@ATHENA.MIT.EDU ADMCIL joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU *@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU */*@ATHENA.MIT.EDU i */admin@EXAMPLE.COM * -maxlife 9h -postdateable </pre> <p>In the above file, any principal in the ATHENA.MIT.EDU realm with an <code>admin</code> instance has all administrative privileges. The user <code>joeadmin</code> has all permissions with his <code>admin</code> instance, <code>joeadmin/admin@ATHENA.MIT.EDU</code> (matches the first line). He has no permissions at all with his <code>null</code> instance, <code>joeadmin@ATHENA.MIT.EDU</code> (matches the second line). His root instance has <i>inquire</i> and <i>list</i> permissions with any other principal that has the instance <code>root</code>. Any principal in ATHENA.MIT.EDU can inquire, list, or change the password of their <code>admin</code> instance, but not any other <code>admin</code> instance. Any principal in the realm <code>ATHENA.MIT.EDU</code> (except for <code>joeadmin@ATHENA.MIT.EDU</code>, as mentioned above) has <i>inquire</i> privileges. Finally, any principal with an admin instance in EXAMPLE.COM has all permissions, but any principal that they create or modify will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. <p><hr> Node:<a name="Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>, Next:<a rel=next href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>, Previous:<a rel=previous href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>Add Administrators to the Kerberos Database</h4> <p>Next you need to add administrative principals to the Kerberos database. (You must add at least one now.) To do this, use <code>kadmin.local</code> <em>on the master KDC</em>. The administrative principals you create should be the ones you added to the ACL file. (See See <a href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a>.) In the following example, the administration principal <code>admin/admin</code> is created: <pre><b>shell%</b> /usr/local/sbin/kadmin.local <b>kadmin.local:</b> addprinc admin/admin@ATHENA.MIT.EDU <b>NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU"; assigning "default".</b> <b>Enter password for principal admin/admin@ATHENA.MIT.EDU:</b> <i><= Enter a password.</i> Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <i><= Type it again.</i> <b>Principal "admin/admin@ATHENA.MIT.EDU" created. kadmin.local:</b> </pre> <p><hr> Node:<a name="Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>, Next:<a rel=next href="#Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons</a>, Previous:<a rel=previous href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>Create a kadmind Keytab (optional)</h4> <p>The kadmind keytab is the key that the legacy admininstration daemons <code>kadmind4</code> and <code>v5passwdd</code> will use to decrypt administrators' or clients' Kerberos tickets to determine whether or not they should have access to the database. You need to create the kadmin keytab with entries for the principals <code>kadmin/admin</code> and <code>kadmin/changepw</code>. (These principals are placed in the Kerberos database automatically when you create it.) To create the kadmin keytab, run <code>kadmin.local</code> and use the <code>ktadd</code> command, as in the following example. (The line beginning with => is a continuation of the previous line.): <pre><b>shell%</b> /usr/local/sbin/kadmin.local <b>kadmin.local:</b> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw <b> Entry for principal kadmin/admin with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. kadmin.local:</b> quit <b>shell%</b> </pre> <p>As specified in the <code>-k</code> argument, <code>ktadd</code> will save the extracted keytab as <br> <code>/usr/local/var/krb5kdc/kadm5.keytab</code>. The filename you use must be the one specified in your <code>kdc.conf</code> file. <p><hr> Node:<a name="Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons</a>, Previous:<a rel=previous href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>, Up:<a rel=up href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <br> <h4>Start the Kerberos Daemons on the Master KDC</h4> <p>At this point, you are ready to start the Kerberos daemons on the Master KDC. To do so, type: <pre><b>shell%</b> /usr/local/sbin/krb5kdc <b>shell%</b> /usr/local/sbin/kadmind </pre> <p>Each daemon will fork and run in the background. Assuming you want these daemons to start up automatically at boot time, you can add them to the KDC's <code>/etc/rc</code> or <code>/etc/inittab</code> file. You need to have a stash file in order to do this. <p>You can verify that they started properly by checking for their startup messages in the logging locations you defined in <code>/etc/krb5.conf</code>. (See <a href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a>.) For example: <pre><b>shell%</b> tail /var/log/krb5kdc.log Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation <b>shell%</b> tail /var/log/kadmin.log Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting </pre> <p>Any errors the daemons encounter while starting will also be listed in the logging output. <p><hr> Node:<a name="Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>, Next:<a rel=next href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>, Previous:<a rel=previous href="#Install%20the%20Master%20KDC">Install the Master KDC</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Install the Slave KDCs</h3> <p>You are now ready to start configuring the slave KDCs. Assuming you are setting the KDCs up so that you can easily switch the master KDC with one of the slaves, you should perform each of these steps on the master KDC as well as the slave KDCs, unless these instructions specify otherwise. <ul> <li><a href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>: <li><a href="#Extract%20Host%20Keytabs%20for%20the%20KDCs">Extract Host Keytabs for the KDCs</a>: <li><a href="#Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation">Set Up the Slave KDCs for Database Propagation</a>: </ul> <p><hr> Node:<a name="Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>, Next:<a rel=next href="#Extract%20Host%20Keytabs%20for%20the%20KDCs">Extract Host Keytabs for the KDCs</a>, Previous:<a rel=previous href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>, Up:<a rel=up href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a> <br> <h4>Create Host Keys for the Slave KDCs</h4> <p>Each KDC needs a host principal in the Kerberos database. You can enter these from any host, once the <code>kadmind</code> daemon is running. For example, if your master KDC were called kerberos.mit.edu, and you had two KDC slaves named kerberos-1.mit.edu and kerberos-2.mit.edu, you would type the following: <pre><b>shell%</b> /usr/local/sbin/kadmin <b>kadmin:</b> addprinc -randkey host/kerberos.mit.edu <b>NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. kadmin:</b> addprinc -randkey host/kerberos-1.mit.edu <b>NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.</b> <b>kadmin:</b> addprinc -randkey host/kerberos-2.mit.edu <b>NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created. kadmin:</b> </pre> <p>It is not actually necessary to have the master KDC server in the Kerberos database, but it can be handy if: <ul> <li>anyone will be logging into the machine as something other than root <li>you want to be able to swap the master KDC with one of the slaves if necessary. </ul> <p><hr> Node:<a name="Extract%20Host%20Keytabs%20for%20the%20KDCs">Extract Host Keytabs for the KDCs</a>, Next:<a rel=next href="#Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation">Set Up the Slave KDCs for Database Propagation</a>, Previous:<a rel=previous href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>, Up:<a rel=up href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a> <br> <h4>Extract Host Keytabs for the KDCs</h4> <p>Each KDC (including the master) needs a keytab to decrypt tickets. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. To extract a keytab on a KDC called kerberos.mit.edu, you would execute the following command: <pre><b>kadmin:</b> ktadd host/kerberos.mit.edu <b>kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with kvno 1, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab. kadmin:</b> </pre> <p>Note that the principal must exist in the Kerberos database in order to extract the keytab. <p><hr> Node:<a name="Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation">Set Up the Slave KDCs for Database Propagation</a>, Previous:<a rel=previous href="#Extract%20Host%20Keytabs%20for%20the%20KDCs">Extract Host Keytabs for the KDCs</a>, Up:<a rel=up href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a> <br> <h4>Set Up the Slave KDCs for Database Propagation</h4> <p>The database is propagated from the master KDC to the slave KDCs via the <code>kpropd</code> daemon. To set up propagation, create a file on each KDC, named <code>/usr/local/var/krb5kdc/kpropd.acl</code>, containing the principals for each of the KDCs. For example, if the master KDC were <code>kerberos.mit.edu</code>, the slave KDCs were <code>kerberos-1.mit.edu</code> and <code>kerberos-2.mit.edu</code>, and the realm were <code>ATHENA.MIT.EDU</code>, then the file's contents would be: <pre>host/kerberos.mit.edu@ATHENA.MIT.EDU host/kerberos-1.mit.edu@ATHENA.MIT.EDU host/kerberos-2.mit.edu@ATHENA.MIT.EDU </pre> <p>Then, add the following lines to <code>/etc/inetd.conf</code> file on each KDC (the line beginnng with => is a continuation of the previous line): <pre>krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd eklogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c -e </pre> <p>The first line sets up the <code>kpropd</code> database propagation daemon. The second line sets up the <code>eklogin</code> daemon, allowing Kerberos-authenticated, encrypted rlogin to the KDC. <p>You also need to add the following lines to <code>/etc/services</code> on each KDC: <pre>kerberos 88/udp kdc # Kerberos authentication (udp) kerberos 88/tcp kdc # Kerberos authentication (tcp) krb5_prop 754/tcp # Kerberos slave propagation kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp) kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp) eklogin 2105/tcp # Kerberos encrypted rlogin </pre> <p><hr> Node:<a name="Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>, Next:<a rel=next href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>, Previous:<a rel=previous href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Back on the Master KDC</h3> <p>Now that the slave KDCs are able to accept database propagation, you'll need to propagate the database to each of them. <ul> <li><a href="#Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>: </ul> <p><hr> Node:<a name="Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>, Previous:<a rel=previous href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>, Up:<a rel=up href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a> <br> <h4>Propagate the Database to Each Slave KDC</h4> <p>First, create a dump of the database on the master KDC, as follows: <pre><b>shell%</b> /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans <b>shell%</b> </pre> <p>Next, you need to manually propagate the database to each slave KDC, as in the following example. (The lines beginning with => are continuations of the previous line.): <pre>/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans => kerberos-1.mit.edu /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans => kerberos-2.mit.edu </pre> <p>You will need a script to dump and propagate the database. The following is an example of a bourne shell script that will do this. (Note that the line that begins with => is a continuation of the previous line. Remember that you need to replace /usr/local with the name of the directory in which you installed Kerberos V5.) <pre>#!/bin/sh kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" /usr/local/sbin/kdb5_util -R "dump => /usr/local/var/krb5kdc/slave_datatrans" for kdc in $kdclist do /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc done </pre> <p>You will need to set up a cron job to run this script at the intervals you decided on earlier (See <a href="#Database%20Propagation">Database Propagation</a>.) <p><hr> Node:<a name="Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>, Next:<a rel=next href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>, Previous:<a rel=previous href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Finish Installing the Slave KDCs</h3> <p>Now that the slave KDCs have copies of the Kerberos database, you can create stash files for them and start the <code>krb5kdc</code> daemon. <ul> <li><a href="#Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>: <li><a href="#Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>: </ul> <p><hr> Node:<a name="Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>, Next:<a rel=next href="#Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>, Previous:<a rel=previous href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>, Up:<a rel=up href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a> <br> <h4>Create Stash Files on the Slave KDCs</h4> <p>Create stash files, by issuing the following commands on each slave KDC: <pre><b>shell%</b> kdb5_util stash <b>kdb5_util: Cannot find/read stored master key while reading master key kdb5_util: Warning: proceeding without master key</b> <b>Enter KDC database master key:</b> <i><= Enter the database master key.</i> <b>shell%</b> </pre> <p>As mentioned above, the stash file is necessary for your KDCs to be able authenticate to themselves, such as when they reboot. You could run your KDCs without stash files, but you would then need to type in the Kerberos database master key by hand every time you start a KDC daemon. <p><hr> Node:<a name="Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a>, Previous:<a rel=previous href="#Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a>, Up:<a rel=up href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a> <br> <h4>Start the krb5kdc Daemon on Each KDC</h4> <p>The final step in configuing your slave KDCs is to run the KDC daemon: <pre><b>shell%</b> /usr/local/sbin/krb5kdc </pre> <p>As with the master KDC, you will probably want to add this command to the KDCs' <code>/etc/rc</code> or <code>/etc/inittab</code> files, so they will start the krb5kdc daemon automatically at boot time. <p><hr> Node:<a name="Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>, Next:<a rel=next href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>, Previous:<a rel=previous href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Add Kerberos Principals to the Database</h3> <p>Once your KDCs are set up and running, you are ready to use <code>kadmin</code> to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in the "Adding or Modifying Principals" section of the Kerberos V5 System Administrator's Guide. (See <a href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>, for a brief description.) The keytab is generated by running <code>kadmin</code> and issuing the <code>ktadd</code> command. <p><hr> Node:<a name="Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>, Next:<a rel=next href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>, Previous:<a rel=previous href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Limit Access to the KDCs</h3> <p>To limit the possibility that your Kerberos database could be compromised, MIT recommends that each KDC be a dedicated host, with limited access. If your KDC is also a file server, FTP server, Web server, or even just a client machine, someone who obtained root access through a security hole in any of those areas could gain access to the Kerberos database. MIT recommends that your KDCs use the following <code>/etc/inetd.conf</code> file. (Note: each line beginning with => is a continuation of the previous line.): <pre># # Configuration file for inetd(1M). See inetd.conf(4). # # To re-configure the running inetd process, edit this file, then # send the inetd process a SIGHUP. # # Syntax for socket-based Internet services: # <service_name> <socket_type> <proto> <flags> <user> => <server_pathname> <args> # # Syntax for TLI-based Internet services: # # <service_name> tli <proto> <flags> <user> <server_pathname> <args> # # Ftp and telnet are standard Internet services. # # This machine is a secure Kerberos Key Distribution Center (KDC). # Services are limited. # # # Time service is used for clock synchronization. # time stream tcp nowait root internal time dgram udp wait root internal # # Limited Kerberos services # krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd eklogin stream tcp nowait root /usr/local/sbin/klogind => klogind -5 -c -e </pre> <p><hr> Node:<a name="Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a>, Previous:<a rel=previous href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a>, Up:<a rel=up href="#Installing%20KDCs">Installing KDCs</a> <br> <h3>Switching Master and Slave KDCs</h3> <p>You may occasionally want to use one of your slave KDCs as the master. This might happen if you are upgrading the master KDC, or if your master KDC has a disk crash. <p>Assuming you have configured all of your KDCs to be able to function as either the master KDC or a slave KDC (as this document recommends), all you need to do to make the changeover is: <p>If the master KDC is still running, do the following on the <em>old</em> master KDC: <ol type=1 start=1> </p><li>Kill the <code>kadmind</code> process. <li>Disable the cron job that propagates the database. <li>Run your database propagation script manually, to ensure that the slaves all have the latest copy of the database. (See <a href="#Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>.) If there is a need to preserve per-principal policy information from the database, you should do a "kdb5_util dump -ov" in order to preserve that information and propogate that dump file securely by some means to the slave so that its database has the correct state of the per-principal policy information. </ol> <p>On the <em>new</em> master KDC: <ol type=1 start=1> </p><li>Create a database keytab. (See <a href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a>.) <li>Start the <code>kadmind</code> daemon. (See <a href="#Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons</a>.) <li>Set up the cron job to propagate the database. (See <a href="#Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a>.) <li>Switch the CNAMEs of the old and new master KDCs. (If you don't do this, you'll need to change the <code>krb5.conf</code> file on every client machine in your Kerberos realm.) </ol> <p><hr> Node:<a name="Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>, Next:<a rel=next href="#UNIX%20Application%20Servers">UNIX Application Servers</a>, Previous:<a rel=previous href="#Installing%20KDCs">Installing KDCs</a>, Up:<a rel=up href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a> <br> <h2>Installing and Configuring UNIX Client Machines</h2> <p>Client machine installation is much more straightforward than installation of the KDCs. <ul> <li><a href="#Client%20Programs">Client Programs</a>: <li><a href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>: </ul> <p><hr> Node:<a name="Client%20Programs">Client Programs</a>, Next:<a rel=next href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>, Previous:<a rel=previous href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>, Up:<a rel=up href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a> <br> <h3>Client Programs</h3> <p>The Kerberized client programs are <code>login.krb5</code>, <code>rlogin</code>, <code>telnet</code>, <code>ftp</code>, <code>rcp</code>, <code>rsh</code>, <code>kinit</code>, <code>klist</code>, <code>kdestroy</code>, <code>kpasswd</code>, <code>ksu</code>, and <code>krb524init</code>. All of these programs are in the directory <code>/usr/local/bin</code>, except for <code>login.krb5</code> which is in <code>/usr/local/sbin</code>. <p>You will probably want to have your users put <code>/usr/local/bin</code> ahead of <code>/bin</code> and <code>/usr/bin</code> in their paths, so they will by default get the Kerberos V5 versions of <code>rlogin</code>, <code>telnet</code>, <code>ftp</code>, <code>rcp</code>, and <code>rsh</code>. MIT recommends that you use <code>login.krb5</code> in place of <code>/bin/login</code> to give your users a single-sign-on system. You will need to make sure your users know to use their Kerberos passwords when they log in. <p>You will also need to educate your users to use the ticket management programs <code>kinit</code>, <code>klist</code>, <code>kdestroy</code>, and to use the Kerberos programs <code>ksu</code>, and <code>kpasswd</code> in place of their non-Kerberos counterparts <code>su</code>, <code>passwd</code>, and <code>rdist</code>. <p><hr> Node:<a name="Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>, Previous:<a rel=previous href="#Client%20Programs">Client Programs</a>, Up:<a rel=up href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a> <br> <h3>Client Machine Configuration Files</h3> <p>Each machine running Kerberos must have a <code>/etc/krb5.conf</code> file. (See <a href="#krb5.conf">krb5.conf</a>.) <p>Also, for most UNIX systems, you must add the appropriate Kerberos services to each client machine's <code>/etc/services</code> file. If you are using the default configuration for Kerberos V5, you should be able to just insert the following code: <pre># # Note --- if you are using Kerberos V4 and you either: # # (a) haven't converted all your master or slave KDCs to V5, or # # (b) are worried about inter-realm interoperability with other KDC's # that are still using V4 # # you will need to switch the "kerberos" service to port 750 and create a # "kerberos-sec" service on port 88. # kerberos 88/udp kdc # Kerberos V5 KDC kerberos 88/tcp kdc # Kerberos V5 KDC klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp cmd # and remote shell kerberos-adm 749/tcp # Kerberos 5 admin/changepw kerberos-adm 749/udp # Kerberos 5 admin/changepw krb5_prop 754/tcp # Kerberos slave propagation eklogin 2105/tcp # Kerberos auth. & encrypted rlogin krb524 4444/tcp # Kerberos 5 to 4 ticket translator </pre> <p>As described in the comments in the above code, if your master KDC or any of your slave KDCs is running Kerberos V4, (or if you will be authenticating to any Kerberos V4 KDCs in another realm) you will need to switch the port number for <code>kerberos</code> to 750 and create a <code>kerberos-sec</code> service (tcp and udp) on port 88, so the Kerberos V4 KDC(s) will continue to work properly. <ul> <li><a href="#Mac%20OS%20X%20Configuration">Mac OS X Configuration</a>: </ul> <p><hr> Node:<a name="Mac%20OS%20X%20Configuration">Mac OS X Configuration</a>, Previous:<a rel=previous href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a>, Up:<a rel=up href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a> <br> <h4>Mac OS X Configuration</h4> <p>To install Kerberos V5 on Mac OS X and Mac OS X Server, follow the directions for generic Unix-based OS's, except for the <code>/etc/services</code> updates described above. <p>Mac OS X and Mac OS X Server use a database called NetInfo to store the contents of files normally found in <code>/etc</code>. Instead of modifying <code>/etc/services</code>, you should run the following commands to add the Kerberos service entries to NetInfo: <pre>$ niutil -create . /services/kerberos $ niutil -createprop . /services/kerberos name kerberos kdc $ niutil -createprop . /services/kerberos port 750 $ niutil -createprop . /services/kerberos protocol tcp udp $ niutil -create . /services/krbupdate $ niutil -createprop . /services/krbupdate name krbupdate kreg $ niutil -createprop . /services/krbupdate port 760 $ niutil -createprop . /services/krbupdate protocol tcp $ niutil -create . /services/kpasswd $ niutil -createprop . /services/kpasswd name kpasswd kpwd $ niutil -createprop . /services/kpasswd port 761 $ niutil -createprop . /services/kpasswd protocol tcp $ niutil -create . /services/klogin $ niutil -createprop . /services/klogin port 543 $ niutil -createprop . /services/klogin protocol tcp $ niutil -create . /services/eklogin $ niutil -createprop . /services/eklogin port 2105 $ niutil -createprop . /services/eklogin protocol tcp $ niutil -create . /services/kshell $ niutil -createprop . /services/kshell name kshell krcmd $ niutil -createprop . /services/kshell port 544 $ niutil -createprop . /services/kshell protocol tcp </pre> <p>In addition to adding services to NetInfo, you must also modify the resolver configuration in NetInfo so that the machine resolves its own hostname as a FQDN (fully qualified domain name). By default, Mac OS X and Mac OS X Server machines query NetInfo to resolve hostnames before falling back to DNS. Because NetInfo has an unqualified name for all the machines in the NetInfo database, the machine's own hostname will resolve to an unqualified name. Kerberos needs a FQDN to look up keys in the machine's keytab file. <p>Fortunately, you can change the <code>lookupd</code> caching order to query DNS first. Run the following NetInfo commands and reboot the machine: <pre>$ niutil -create . /locations/lookupd/hosts $ niutil -createprop . /locations/lookupd/hosts LookupOrder CacheAgent DNSAgent NIAgent NILAgent </pre> <p>Once you have rebooted, you can verify that the resolver now behaves correctly. Compile the Kerberos 5 distribution and run: <pre>$ cd .../src/tests/resolve $ ./resolve </pre> <p>This will tell you whether or not your machine returns FQDNs on name lookups. If the test still fails, you can also try turning off DNS caching. Run the following commands and reboot: <pre>$ niutil -create . /locations/lookupd/hosts $ niutil -createprop . /locations/lookupd/hosts LookupOrder DNSAgent CacheAgent NIAgent NILAgent </pre> <p>The remainder of the setup of a Mac OS X client machine or application server should be the same as for other UNIX-based systems. <p><hr> Node:<a name="UNIX%20Application%20Servers">UNIX Application Servers</a>, Previous:<a rel=previous href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a>, Up:<a rel=up href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a> <br> <h2>UNIX Application Servers</h2> <p>An application server is a host that provides one or more services over the network. Application servers can be "secure" or "insecure." A "secure" host is set up to require authentication from every client connecting to it. An "insecure" host will still provide Kerberos authentication, but will also allow unauthenticated clients to connect. <p>If you have Kerberos V5 installed on all of your client machines, MIT recommends that you make your hosts secure, to take advantage of the security that Kerberos authentication affords. However, if you have some clients that do not have Kerberos V5 installed, you can run an insecure server, and still take advantage of Kerberos V5's single sign-on capability. <ul> <li><a href="#Server%20Programs">Server Programs</a>: <li><a href="#Server%20Configuration%20Files">Server Configuration Files</a>: <li><a href="#The%20Keytab%20File">The Keytab File</a>: <li><a href="#Some%20Advice%20about%20Secure%20Hosts">Some Advice about Secure Hosts</a>: </ul> <p><hr> Node:<a name="Server%20Programs">Server Programs</a>, Next:<a rel=next href="#Server%20Configuration%20Files">Server Configuration Files</a>, Previous:<a rel=previous href="#UNIX%20Application%20Servers">UNIX Application Servers</a>, Up:<a rel=up href="#UNIX%20Application%20Servers">UNIX Application Servers</a> <br> <h3>Server Programs</h3> <p>Just as Kerberos V5 provided its own Kerberos-enhanced versions of client UNIX network programs, Kerberos V5 also provides Kerberos-enhanced versions of server UNIX network daemons. These are <code>ftpd</code>, <code>klogind</code>, <code>kshd</code>, and <code>telnetd</code>. These programs are installed in the directory <code>/usr/local/sbin</code>. You may want to add this directory to root's path. <p><hr> Node:<a name="Server%20Configuration%20Files">Server Configuration Files</a>, Next:<a rel=next href="#The%20Keytab%20File">The Keytab File</a>, Previous:<a rel=previous href="#Server%20Programs">Server Programs</a>, Up:<a rel=up href="#UNIX%20Application%20Servers">UNIX Application Servers</a> <br> <h3>Server Configuration Files</h3> <p>For a <em>secure</em> server, make the following changes to <code>/etc/inetd.conf</code>: <p>Find and comment out any lines for the services <code>ftp</code>, <code>telnet</code>, <code>shell</code>, <code>login</code>, and <code>exec</code>. <p>Add the following lines. (Note: each line beginning with => is a continuation of the previous line.) <pre>klogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c eklogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c -e kshell stream tcp nowait root /usr/local/sbin/kshd => kshd -k -c -A ftp stream tcp nowait root /usr/local/sbin/ftpd => ftpd -a telnet stream tcp nowait root /usr/local/sbin/telnetd => telnetd -a valid </pre> <p>For an <em>insecure</em> server, make the following changes instead to <code>/etc/inetd.conf</code>: <p>Find and comment out any lines for the services <code>ftp</code> and <code>telnet</code>. <p>Add the following lines. (Note: each line beginning with => is a continuation of the previous line.) <pre>klogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c eklogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c -e kshell stream tcp nowait root /usr/local/sbin/kshd => kshd -k -c -A ftp stream tcp nowait root /usr/local/sbin/ftpd => ftpd telnet stream tcp nowait root /usr/local/sbin/telnetd => telnetd -a none </pre> <p><hr> Node:<a name="The%20Keytab%20File">The Keytab File</a>, Next:<a rel=next href="#Some%20Advice%20about%20Secure%20Hosts">Some Advice about Secure Hosts</a>, Previous:<a rel=previous href="#Server%20Configuration%20Files">Server Configuration Files</a>, Up:<a rel=up href="#UNIX%20Application%20Servers">UNIX Application Servers</a> <br> <h3>The Keytab File</h3> <p>All Kerberos server machines need a <dfn>keytab</dfn> file, called <code>/etc/krb5.keytab</code>, to authenticate to the KDC. The keytab file is an encrypted, local, on-disk copy of the host's key. The keytab file, like the stash file (<a href="#Create%20the%20Database">Create the Database</a>) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine's root password itself. <p>In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in the "Adding or Modifying Principals" section of the <cite>Kerberos V5 System Administrator's Guide</cite>. See <a href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a>. for a brief description.) The keytab is generated by running <code>kadmin</code> and issuing the <code>ktadd</code> command. <p>For example, to generate a keytab file to allow the host trillium.mit.edu to authenticate for the services <code>host</code>, <code>ftp</code>, and <code>pop</code>, the administrator <code>joeadmin</code> would issue the command (on trillium.mit.edu): <pre><b>trillium%</b> /usr/local/sbin/kadmin <b>kadmin5:</b> ktadd host/trillium.mit.edu ftp/trillium.mit.edu => pop/trillium.mit.edu <b>kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab. kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab. kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab. kadmin5:</b> quit <b>trillium%</b> </pre> <p>If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (<code>trillium</code>, in the above example) without sending it unencrypted over the network. If you have installed the Kerberos V5 client programs, you can use encrypted <code>rcp</code>. <p><hr> Node:<a name="Some%20Advice%20about%20Secure%20Hosts">Some Advice about Secure Hosts</a>, Previous:<a rel=previous href="#The%20Keytab%20File">The Keytab File</a>, Up:<a rel=up href="#UNIX%20Application%20Servers">UNIX Application Servers</a> <br> <h3>Some Advice about Secure Hosts</h3> Kerberos V5 can protect your host from certain types of break-ins, but it is possible to install Kerberos V5 and still leave your host vulnerable to attack. Obviously an installation guide is not the place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them. <p>As stated earlier in this section, MIT recommends that on a secure host, you disable the standard <code>ftp</code>, <code>login</code>, <code>telnet</code>, <code>shell</code>, and <code>exec</code> services in <code>/etc/inetd.conf</code>. We also recommend that secure hosts have an empty <code>/etc/hosts.equiv</code> file and that there not be a <code>.rhosts</code> file in <code>root</code>'s home directory. You can grant Kerberos-authenticated root access to specific Kerberos principals by placing those principals in the file <code>.k5login</code> in root's home directory. <p>We recommend that backups of secure machines exclude the keytab file (<code>/etc/krb5.keytab</code>). If this is not possible, the backups should at least be done locally, rather than over a network, and the backup tapes should be physically secured. <p>Finally, the keytab file and any programs run by root, including the Kerberos V5 binaries, should be kept on local disk. The keytab file should be readable only by root. <p><hr> Node:<a name="Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>, Next:<a rel=next href="#Bug%20Reports%20for%20Kerberos%20V5">Bug Reports for Kerberos V5</a>, Previous:<a rel=previous href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Upgrading Existing Kerberos V5 Installations</h1> <p>If you already have an existing Kerberos database that you created with a prior release of Kerberos 5, you can upgrade it to work with the current release with the <code>kdb5_util</code> command. It is only necessary to perform this dump/undump procedure if you were running a krb5-1.0.x KDC and are migrating to a krb5-1.1.x or newer KDC or if you were running a krb5-1.1.x KDC and are migrating to a krb5-1.2.x or newer KDC. The process for upgrading a Master KDC involves the following steps: <ol type=1 start=1> </p><li>Stop your current KDC and administration server processes, if any. <li>Dump your existing Kerberos database to an ASCII file with <code>kdb5_util</code>'s "dump" command: <pre><b>shell%</b> cd /usr/local/var/krb5kdc <b>shell%</b> kdb5_util dump old-kdb-dump <b>shell%</b> kdb5_util dump -ov old-kdb-dump.ov <b>shell%</b> </pre> <li>Create a new Master KDC installation (See <a href="#Install%20the%20Master%20KDC">Install the Master KDC</a>.). If you have a stash file for your current database, choose any new master password but then copy your existing stash file to the location specified by your kdc.conf; if you do not have a stash file for your current database, you must choose the same master password. <li>Load your old Kerberos database into the new system with <code>kdb5_util</code>'s "load" command: <pre><b>shell%</b> cd /usr/local/var/krb5kdc <b>shell%</b> kdb5_util load old-kdb-dump <b>shell%</b> kdb5_util load -update old-kdb-dump.ov <b>shell%</b> </pre> </ol> <p>The "dump -ov" and "load -update" commands are necessary in order to preserve per-principal policy information, since the default dump format filters out that information. If you omit those steps, the loaded database database will lose the policy information for each principal that has a policy. <p>To update a Slave KDC, you must stop the old server processes on the Slave KDC, install the new server binaries, reload the most recent slave dump file, and re-start the server processes. <ul> <li><a href="#Upgrading%20to%20Triple-DES%20and%20RC4%20Encryption%20Keys">Upgrading to Triple-DES and RC4 Encryption Keys</a>: </ul> <p><hr> Node:<a name="Upgrading%20to%20Triple-DES%20and%20RC4%20Encryption%20Keys">Upgrading to Triple-DES and RC4 Encryption Keys</a>, Previous:<a rel=previous href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>, Up:<a rel=up href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a> <br> <h2>Upgrading to Triple-DES Encryption Keys</h2> <p>Beginning with the 1.2 release from MIT, Kerberos includes a stronger encryption algorithm called "triple DES" - essentially, three applications of the basic DES encryption algorithm, greatly increasing the resistance to a brute-force search for the key by an attacker. This algorithm is more secure, but encryption is much slower. <p>Release 1.1 had some support for triple-DES service keys, but with release 1.2 we have added support for user keys and session keys as well. Release 1.0 had very little support for multiple cryptosystems, and some of that software may not function properly in an environment using triple-DES as well as plain DES. <p>In the 1.3 release from MIT, Kerberos also includes the RC4 encryption alogorithm, a stream cipher symmetric key algorithm developed in 1987 by Ronald Rivest at RSA Data Security. Please note that RC4 is not part of the IETF standard. <p>Because of the way the MIT Kerberos database is structured, the KDC will assume that a service supports only those encryption types for which keys are found in the database. Thus, if a service has only a single-DES key in the database, the KDC will not issue tickets for that service that use triple-DES or RC4 session keys; it will instead issue only single-DES session keys, even if other services are already capable of using triple-DES or RC4. So if you make sure your application server software is updated before adding a triple-DES or RC4 key for the service, clients should be able to talk to services at all times during the updating process. <p>Normally, the listed <code>supported_enctypes</code> in <code>kdc.conf</code> are all used when a new key is generated. You can control this with command-line flags to <code>kadmin</code> and <code>kadmin.local</code>. You may want to exclude triple-DES and RC4 by default until you have updated a lot of your application servers, and then change the default to include triple-DES and RC4. We recommend that you always include <code>des-cbc-crc</code> in the default list. <p><hr> Node:<a name="Bug%20Reports%20for%20Kerberos%20V5">Bug Reports for Kerberos V5</a>, Previous:<a rel=previous href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a>, Up:<a rel=up href="#Top">Top</a> <br> <h1>Bug Reports for Kerberos V5</h1> <p>In any complex software, there will be bugs. If you have successfully built and installed Kerberos V5, please use the <code>krb5-send-pr</code> program to fill out a Problem Report should you encounter any errors in our software. <p>Bug reports that include proposed fixes are especially welcome. If you do include fixes, please send them using either context diffs or unified diffs (using <code>diff -c</code> or <code>diff -u</code>, respectively). Please be careful when using "cut and paste" or other such means to copy a patch into a bug report; depending on the system being used, that can result in converting TAB characters into spaces, which makes applying the patches more difficult. <p>The <code>krb5-send-pr</code> program is installed in the directory <code>/usr/local/sbin</code>. <p>The <code>krb5-send-pr</code> program enters the problem report into our Problem Report Management System (PRMS), which automatically assigns it to the engineer best able to help you with problems in the assigned category. <p>The <code>krb5-send-pr</code> program will try to intelligently fill in as many fields as it can. You need to choose the <dfn>category</dfn>, <dfn>class</dfn>, <dfn>severity</dfn>, and <dfn>priority</dfn> of the problem, as well as giving us as much information as you can about its exact nature. <p>The PR <b>category</b> will be one of: <pre>krb5-admin krb5-appl krb5-build krb5-clients krb5-doc krb5-kdc krb5-libs krb5-misc pty telnet test </pre> <p>Choose the category that best describes the area under which your problem falls. <p>The <b>class</b> can be <dfn>sw-bug</dfn>, <dfn>doc-bug</dfn>, <dfn>change-request</dfn>, or <dfn>support</dfn>. The first two are exactly as their names imply. Use <i>change-request</i> when the software is behaving according to specifications, but you want to request changes in some feature or behavior. The <i>support</i> class is intended for more general questions about building or using Kerberos V5. <p>The <b>severity</b> of the problem indicates the problem's impact on the usability of Kerberos V5. If a problem is <dfn>critical</dfn>, that means the product, component or concept is completely non-operational, or some essential functionality is missing, and no workaround is known. A <dfn>serious</dfn> problem is one in which the product, component or concept is not working properly or significant functionality is missing. Problems that would otherwise be considered <i>critical</i> are rated <i>serious</i> when a workaround is known. A <dfn>non-critical</dfn> problem is one that is indeed a problem, but one that is having a minimal effect on your ability to use Kerberos V5. <i>E.g.</i>, The product, component or concept is working in general, but lacks features, has irritating behavior, does something wrong, or doesn't match its documentation. The default severity is <i>serious</i>. <p>The <b>priority</b> indicates how urgent this particular problem is in relation to your work. Note that low priority does not imply low importance. A priority of <dfn>high</dfn> means a solution is needed as soon as possible. A priority of <dfn>medium</dfn> means the problem should be solved no later than the next release. A priority of <dfn>low</dfn> means the problem should be solved in a future release, but it is not important to your work how soon this happens. The default priority is <i>medium</i>. <p>Note that a given severity does not necessarily imply a given priority. For example, a non-critical problem might still have a high priority if you are faced with a hard deadline. Conversely, a serious problem might have a low priority if the feature it is disabling is one that you do not need. <p>It is important that you fill in the <i>release</i> field and tell us what changes you have made, if any. <p>A sample filled-out form from a company named "Toasters, Inc." might look like this: <pre>To: krb5-bugs@mit.edu Subject: misspelled "Kerberos" in title of installation guide From: jcb Reply-To: jcb Cc: X-send-pr-version: 3.99 >Submitter-Id: mit >Originator: Jeffrey C. Gilman Bigler >Organization: mit >Confidential: no >Synopsis: Misspelled "Kerberos" in title of installation guide >Severity: non-critical >Priority: low >Category: krb5-doc >Class: doc-bug >Release: 1.0-development >Environment: <machine, os, target, libraries (multiple lines)> System: ULTRIX imbrium 4.2 0 RISC Machine: mips >Description: Misspelled "Kerberos" in title of "Kerboros V5 Installation Guide" >How-To-Repeat: N/A >Fix: Correct the spelling. </pre> <p>If the <code>krb5-send-pr</code> program does not work for you, or if you did not get far enough in the process to have an installed and working <code>krb5-send-pr</code>, you can generate your own form, using the above as an example. <h1>Table of Contents</h1> <ul> <li><a href="#Copyright">Copyright</a> <li><a href="#Introduction">Introduction</a> <ul> <li><a href="#What%20is%20Kerberos%20and%20How%20Does%20it%20Work%3f">What is Kerberos and How Does it Work?</a> <li><a href="#Why%20Should%20I%20use%20Kerberos%3f">Why Should I use Kerberos?</a> <li><a href="#Please%20Read%20the%20Documentation">Please Read the Documentation</a> <li><a href="#Overview%20of%20This%20Guide">Overview of This Guide</a> </ul> <li><a href="#Realm%20Configuration%20Decisions">Realm Configuration Decisions</a> <ul> <li><a href="#Kerberos%20Realms">Kerberos Realms</a> <li><a href="#Mapping%20Hostnames%20onto%20Kerberos%20Realms">Mapping Hostnames onto Kerberos Realms</a> <li><a href="#Ports%20for%20the%20KDC%20and%20Admin%20Services">Ports for the KDC and Admin Services</a> <li><a href="#Slave%20KDCs">Slave KDCs</a> <li><a href="#Hostnames%20for%20the%20Master%20and%20Slave%20KDCs">Hostnames for the Master and Slave KDCs</a> <li><a href="#Database%20Propagation">Database Propagation</a> </ul> <li><a href="#Building%20Kerberos%20V5">Building Kerberos V5</a> <ul> <li><a href="#Organization%20of%20the%20Source%20Directory">Build Requirements</a> <ul> <li><a href="#The%20appl%20Directory">The appl Directory</a> <li><a href="#The%20clients%20Directory">The clients Directory</a> <li><a href="#The%20gen-manpages%20Directory">The gen-manpages Directory</a> <li><a href="#The%20include%20Directory">The include Directory</a> <li><a href="#The%20kadmin%20Directory">The kadmin Directory</a> <li><a href="#The%20kdc%20Directory">The kdc Directory</a> <li><a href="#The%20krb524%20Directory">The krb524 Directory</a> <li><a href="#The%20lib%20Directory">The lib Directory</a> <li><a href="#The%20prototype%20Directory">The prototype Directory</a> <li><a href="#The%20slave%20Directory">The slave Directory</a> <li><a href="#The%20util%20Directory">The util Directory</a> </ul> <li><a href="#Build%20Requirements">Organization of the Source Directory</a> <li><a href="#Unpacking%20the%20Sources">Unpacking the Sources</a> <li><a href="#Doing%20the%20Build">Doing the Build</a> <ul> <li><a href="#Building%20Within%20a%20Single%20Tree">Building Within a Single Tree</a> <li><a href="#Building%20with%20Separate%20Build%20Directories">Building with Separate Build Directories</a> <li><a href="#Building%20using%20lndir">Building Using <code>lndir</code></a> </ul> <li><a href="#Installing%20the%20Binaries">Installing the Binaries</a> <li><a href="#Testing%20the%20Build">Testing the Build</a> <ul> <li><a href="#The%20DejaGnu%20Tests">The DejaGnu Tests</a> <li><a href="#The%20KADM5%20Tests">The KADM5 Tests</a> </ul> <li><a href="#Options%20to%20Configure">Options to Configure</a> <li><a href="#osconf.h"><code>osconf.h</code></a> <li><a href="#Shared%20Library%20Support">Shared Library Support</a> <li><a href="#OS%20Incompatibilities">Operating System Incompatibilities</a> <ul> <li><a href="#AIX">AIX</a> <li><a href="#Alpha%20OSF%2f1%20V1.3">Alpha OSF/1 V1.3</a> <li><a href="#Alpha%20OSF%2f1%20(Digital%20Unix)%20V2.0++">Alpha OSF/1 V2.0++</a> <li><a href="#BSDI">BSDI</a> <li><a href="#HPUX">HPUX</a> <li><a href="#Solaris%20versions%202.0%20through%202.3">Solaris versions 2.0 through 2.3</a> <li><a href="#Solaris%202.X">Solaris 2.X</a> <li><a href="#SGI%20Irix%205.X">SGI Irix 5.X</a> <li><a href="#Ultrix%204.2%2f3">Ultrix 4.2/3</a> </ul> <li><a href="#Using%20Autoconf">Using <code>Autoconf</code></a> </ul> <li><a href="#Installing%20Kerberos%20V5">Installing Kerberos V5</a> <ul> <li><a href="#Installing%20KDCs">Installing KDCs</a> <ul> <li><a href="#Install%20the%20Master%20KDC">Install the Master KDC</a> <ul> <li><a href="#Edit%20the%20Configuration%20Files">Edit the Configuration Files</a> <li><a href="#krb5.conf">krb5.conf</a> <li><a href="#kdc.conf">kdc.conf</a> <li><a href="#Create%20the%20Database">Create the Database</a> <li><a href="#Add%20Administrators%20to%20the%20Acl%20File">Add Administrators to the Acl File</a> <li><a href="#Add%20Administrators%20to%20the%20Kerberos%20Database">Add Administrators to the Kerberos Database</a> <li><a href="#Create%20a%20kadmind%20Keytab%20(optional)">Create a kadmind Keytab (optional)</a> <li><a href="#Start%20the%20Kerberos%20Daemons">Start the Kerberos Daemons on the Master KDC</a> </ul> <li><a href="#Install%20the%20Slave%20KDCs">Install the Slave KDCs</a> <ul> <li><a href="#Create%20Host%20Keys%20for%20the%20Slave%20KDCs">Create Host Keys for the Slave KDCs</a> <li><a href="#Extract%20Host%20Keytabs%20for%20the%20KDCs">Extract Host Keytabs for the KDCs</a> <li><a href="#Set%20Up%20the%20Slave%20KDCs%20for%20Database%20Propagation">Set Up the Slave KDCs for Database Propagation</a> </ul> <li><a href="#Back%20on%20the%20Master%20KDC">Back on the Master KDC</a> <ul> <li><a href="#Propagate%20the%20Database%20to%20Each%20Slave%20KDC">Propagate the Database to Each Slave KDC</a> </ul> <li><a href="#Finish%20Installing%20the%20Slave%20KDCs">Finish Installing the Slave KDCs</a> <ul> <li><a href="#Create%20Stash%20Files%20on%20the%20Slave%20KDCs">Create Stash Files on the Slave KDCs</a> <li><a href="#Start%20the%20krb5kdc%20Daemon%20on%20Each%20KDC">Start the krb5kdc Daemon on Each KDC</a> </ul> <li><a href="#Add%20Kerberos%20Principals%20to%20the%20Database">Add Kerberos Principals to the Database</a> <li><a href="#Limit%20Access%20to%20the%20KDCs">Limit Access to the KDCs</a> <li><a href="#Switching%20Master%20and%20Slave%20KDCs">Switching Master and Slave KDCs</a> </ul> <li><a href="#Installing%20and%20Configuring%20UNIX%20Client%20Machines">Installing and Configuring UNIX Client Machines</a> <ul> <li><a href="#Client%20Programs">Client Programs</a> <li><a href="#Client%20Machine%20Configuration%20Files">Client Machine Configuration Files</a> <ul> <li><a href="#Mac%20OS%20X%20Configuration">Mac OS X Configuration</a> </ul> </ul> <li><a href="#UNIX%20Application%20Servers">UNIX Application Servers</a> <ul> <li><a href="#Server%20Programs">Server Programs</a> <li><a href="#Server%20Configuration%20Files">Server Configuration Files</a> <li><a href="#The%20Keytab%20File">The Keytab File</a> <li><a href="#Some%20Advice%20about%20Secure%20Hosts">Some Advice about Secure Hosts</a> </ul> </ul> <li><a href="#Upgrading%20Existing%20Kerberos%20V5%20Installations">Upgrading Existing Kerberos V5 Installations</a> <ul> <li><a href="#Upgrading%20to%20Triple-DES%20and%20RC4%20Encryption%20Keys">Upgrading to Triple-DES Encryption Keys</a> </ul> <li><a href="#Bug%20Reports%20for%20Kerberos%20V5">Bug Reports for Kerberos V5</a> </ul> <hr><h4>Footnotes</h4> <ol type="1"> <li><a name="fn-1"></a> <p>Kerberos V4 used port 750. If necessary, you can run on both ports for backward compatibility.</p> <li><a name="fn-2"></a> <p>If you are fortunate enough to have a previous version of Kerberos V5 or V4 installed, and the Kerberos rlogin is first in your path, you can setup <code>.k5login</code> or <code>.klogin</code> respectively to allow you access.</p> </ol><hr> </body></html>