diff options
Diffstat (limited to 'doc/html/admin/database.html')
| -rw-r--r-- | doc/html/admin/database.html | 1696 |
1 files changed, 280 insertions, 1416 deletions
diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html index 3b52d123088c..4ab619f37c8e 100644 --- a/doc/html/admin/database.html +++ b/doc/html/admin/database.html @@ -1,34 +1,32 @@ + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - - <title>Database administration — MIT Kerberos Documentation</title> - + <title>Database administration — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../_static/kerb.css" type="text/css" /> - <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', - VERSION: '1.16', + VERSION: '1.21.1', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', - HAS_SOURCE: true + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../about.html" /> + <link rel="index" title="Index" href="../genindex.html" /> + <link rel="search" title="Search" href="../search.html" /> <link rel="copyright" title="Copyright" href="../copyright.html" /> - <link rel="top" title="MIT Kerberos Documentation" href="../index.html" /> - <link rel="up" title="For administrators" href="index.html" /> - <link rel="next" title="Account lockout" href="lockout.html" /> + <link rel="next" title="Database types" href="dbtypes.html" /> <link rel="prev" title="Realm configuration decisions" href="realm_config.html" /> </head> <body> @@ -44,7 +42,7 @@ accesskey="C">Contents</a> | <a href="realm_config.html" title="Realm configuration decisions" accesskey="P">previous</a> | - <a href="lockout.html" title="Account lockout" + <a href="dbtypes.html" title="Database types" accesskey="N">next</a> | <a href="../genindex.html" title="General Index" accesskey="I">index</a> | @@ -61,683 +59,122 @@ <div class="documentwrapper"> <div class="bodywrapper"> - <div class="body"> + <div class="body" role="main"> <div class="section" id="database-administration"> <h1>Database administration<a class="headerlink" href="#database-administration" title="Permalink to this headline">¶</a></h1> -<p>A Kerberos database contains all of a realm’s Kerberos principals, +<p>A Kerberos database contains all of a realm’s Kerberos principals, their passwords, and other administrative information about each -principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> +principal. For the most part, you will use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> program to manipulate the Kerberos database as a whole, and the -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> program to make changes to the entries in the +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> program to make changes to the entries in the database. (One notable exception is that users will use the -<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a> program to change their own passwords.) The kadmin +<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a> program to change their own passwords.) The kadmin program has its own command-line interface, to which you type the database administrating commands.</p> -<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> provides a means to create, delete, load, or dump +<p><a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> provides a means to create, delete, load, or dump a Kerberos database. It also contains commands to roll over the database master key, and to stash a copy of the key so that the -<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> daemons can use the database +<a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> and <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><span class="std std-ref">krb5kdc</span></a> daemons can use the database without manual input.</p> -<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> provides for the maintenance of Kerberos principals, +<p><a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). Normally it operates as a network client using Kerberos authentication to -communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>, but there is also a variant, named +communicate with <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a>, but there is also a variant, named kadmin.local, which directly accesses the Kerberos database on the local filesystem (or through LDAP). kadmin.local is necessary to set up enough of the database to be able to use the remote version.</p> <p>kadmin can authenticate to the admin server using the service -principal <tt class="docutils literal"><span class="pre">kadmin/HOST</span></tt> (where <em>HOST</em> is the hostname of the admin -server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt>. If the credentials cache contains a +principal <code class="docutils literal"><span class="pre">kadmin/admin</span></code> or <code class="docutils literal"><span class="pre">kadmin/HOST</span></code> (where <em>HOST</em> is the +hostname of the admin server). If the credentials cache contains a ticket for either service principal and the <strong>-c</strong> ccache option is specified, that ticket is used to authenticate to KADM5. Otherwise, the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the -principal name, it requests a <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> Kerberos service ticket +principal name, it requests a <code class="docutils literal"><span class="pre">kadmin/admin</span></code> Kerberos service ticket from the KDC, and uses that service ticket to authenticate to KADM5.</p> -<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> for the available kadmin and kadmin.local +<p>See <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> for the available kadmin and kadmin.local commands and options.</p> -<div class="section" id="kadmin-options"> -<h2>kadmin options<a class="headerlink" href="#kadmin-options" title="Permalink to this headline">¶</a></h2> -<p>You can invoke <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> or kadmin.local with any of the -following options:</p> -<p><strong>kadmin</strong> -[<strong>-O</strong>|<strong>-N</strong>] -[<strong>-r</strong> <em>realm</em>] -[<strong>-p</strong> <em>principal</em>] -[<strong>-q</strong> <em>query</em>] -[[<strong>-c</strong> <em>cache_name</em>]|[<strong>-k</strong> [<strong>-t</strong> <em>keytab</em>]]|<strong>-n</strong>] -[<strong>-w</strong> <em>password</em>] -[<strong>-s</strong> <em>admin_server</em>[:<em>port</em>]] -[command args...]</p> -<p><strong>kadmin.local</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-p</strong> <em>principal</em>] -[<strong>-q</strong> <em>query</em>] -[<strong>-d</strong> <em>dbname</em>] -[<strong>-e</strong> <em>enc</em>:<em>salt</em> ...] -[<strong>-m</strong>] -[<strong>-x</strong> <em>db_args</em>] -[command args...]</p> -<p><strong>OPTIONS</strong></p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Use <em>realm</em> as the default database realm.</dd> -<dt><strong>-p</strong> <em>principal</em></dt> -<dd>Use <em>principal</em> to authenticate. Otherwise, kadmin will append -<tt class="docutils literal"><span class="pre">/admin</span></tt> to the primary principal name of the default ccache, -the value of the <strong>USER</strong> environment variable, or the username as -obtained with getpwuid, in order of preference.</dd> -<dt><strong>-k</strong></dt> -<dd>Use a keytab to decrypt the KDC response instead of prompting for -a password. In this case, the default principal will be -<tt class="docutils literal"><span class="pre">host/hostname</span></tt>. If there is no keytab specified with the -<strong>-t</strong> option, then the default keytab will be used.</dd> -<dt><strong>-t</strong> <em>keytab</em></dt> -<dd>Use <em>keytab</em> to decrypt the KDC response. This can only be used -with the <strong>-k</strong> option.</dd> -<dt><strong>-n</strong></dt> -<dd>Requests anonymous processing. Two types of anonymous principals -are supported. For fully anonymous Kerberos, configure PKINIT on -the KDC and configure <strong>pkinit_anchors</strong> in the client’s -<a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. Then use the <strong>-n</strong> option with a principal -of the form <tt class="docutils literal"><span class="pre">@REALM</span></tt> (an empty principal name followed by the -at-sign and a realm name). If permitted by the KDC, an anonymous -ticket will be returned. A second form of anonymous tickets is -supported; these realm-exposed tickets hide the identity of the -client but not the client’s realm. For this mode, use <tt class="docutils literal"><span class="pre">kinit</span> -<span class="pre">-n</span></tt> with a normal principal name. If supported by the KDC, the -principal (but not realm) will be replaced by the anonymous -principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation.</dd> -<dt><strong>-c</strong> <em>credentials_cache</em></dt> -<dd>Use <em>credentials_cache</em> as the credentials cache. The -cache should contain a service ticket for the <tt class="docutils literal"><span class="pre">kadmin/ADMINHOST</span></tt> -(where <em>ADMINHOST</em> is the fully-qualified hostname of the admin -server) or <tt class="docutils literal"><span class="pre">kadmin/admin</span></tt> service; it can be acquired with the -<a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><em>kinit</em></a> program. If this option is not specified, kadmin -requests a new service ticket from the KDC, and stores it in its -own temporary ccache.</dd> -<dt><strong>-w</strong> <em>password</em></dt> -<dd>Use <em>password</em> instead of prompting for one. Use this option with -care, as it may expose the password to other users on the system -via the process list.</dd> -<dt><strong>-q</strong> <em>query</em></dt> -<dd>Perform the specified query and then exit.</dd> -<dt><strong>-d</strong> <em>dbname</em></dt> -<dd>Specifies the name of the KDC database. This option does not -apply to the LDAP database module.</dd> -<dt><strong>-s</strong> <em>admin_server</em>[:<em>port</em>]</dt> -<dd>Specifies the admin server which kadmin should contact.</dd> -<dt><strong>-m</strong></dt> -<dd>If using kadmin.local, prompt for the database master password -instead of reading it from a stash file.</dd> -<dt><strong>-e</strong> “<em>enc</em>:<em>salt</em> ...”</dt> -<dd>Sets the keysalt list to be used for any new keys created. See -<a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of possible -values.</dd> -<dt><strong>-O</strong></dt> -<dd>Force use of old AUTH_GSSAPI authentication flavor.</dd> -<dt><strong>-N</strong></dt> -<dd>Prevent fallback to AUTH_GSSAPI authentication flavor.</dd> -<dt><strong>-x</strong> <em>db_args</em></dt> -<dd>Specifies the database specific arguments. See the next section -for supported options.</dd> -</dl> -</div> -<div class="section" id="date-format"> -<h2>Date Format<a class="headerlink" href="#date-format" title="Permalink to this headline">¶</a></h2> -<p>For the supported date-time formats see <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> section -in <a class="reference internal" href="../basic/date_format.html#datetime"><em>Supported date and time formats</em></a>.</p> -</div> <div class="section" id="principals"> -<h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2> +<span id="id1"></span><h2>Principals<a class="headerlink" href="#principals" title="Permalink to this headline">¶</a></h2> <p>Each entry in the Kerberos database contains a Kerberos principal and the attributes and policies associated with that principal.</p> -<div class="section" id="adding-modifying-and-deleting-principals"> -<span id="add-mod-del-princs"></span><h3>Adding, modifying and deleting principals<a class="headerlink" href="#adding-modifying-and-deleting-principals" title="Permalink to this headline">¶</a></h3> -<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> -<strong>add_principal</strong> command.</p> -<p>To modify attributes of a principal, use the kadmin -<strong>modify_principal</strong> command.</p> -<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command.</p> -</div> -<div class="section" id="add-principal"> -<h3>add_principal<a class="headerlink" href="#add-principal" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>add_principal</strong> [<em>options</em>] <em>newprinc</em></div></blockquote> -<p>Creates the principal <em>newprinc</em>, prompting twice for a password. If -no password policy is specified with the <strong>-policy</strong> option, and the -policy named <tt class="docutils literal"><span class="pre">default</span></tt> is assigned to the principal if it exists. -However, creating a policy named <tt class="docutils literal"><span class="pre">default</span></tt> will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the <strong>-clearpolicy</strong> option.</p> -<p>This command requires the <strong>add</strong> privilege.</p> -<p>Aliases: <strong>addprinc</strong>, <strong>ank</strong></p> -<p>Options:</p> -<dl class="docutils"> -<dt><strong>-expire</strong> <em>expdate</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The expiration date of the principal.</dd> -<dt><strong>-pwexpire</strong> <em>pwexpdate</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The password expiration date.</dd> -<dt><strong>-maxlife</strong> <em>maxlife</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum ticket life -for the principal.</dd> -<dt><strong>-maxrenewlife</strong> <em>maxrenewlife</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) The maximum renewable -life of tickets for the principal.</dd> -<dt><strong>-kvno</strong> <em>kvno</em></dt> -<dd>The initial key version number.</dd> -<dt><strong>-policy</strong> <em>policy</em></dt> -<dd>The password policy used by this principal. If not specified, the -policy <tt class="docutils literal"><span class="pre">default</span></tt> is used if it exists (unless <strong>-clearpolicy</strong> -is specified).</dd> -<dt><strong>-clearpolicy</strong></dt> -<dd>Prevents any policy from being assigned when <strong>-policy</strong> is not -specified.</dd> -<dt>{-|+}<strong>allow_postdated</strong></dt> -<dd><strong>-allow_postdated</strong> prohibits this principal from obtaining -postdated tickets. <strong>+allow_postdated</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_forwardable</strong></dt> -<dd><strong>-allow_forwardable</strong> prohibits this principal from obtaining -forwardable tickets. <strong>+allow_forwardable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_renewable</strong></dt> -<dd><strong>-allow_renewable</strong> prohibits this principal from obtaining -renewable tickets. <strong>+allow_renewable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_proxiable</strong></dt> -<dd><strong>-allow_proxiable</strong> prohibits this principal from obtaining -proxiable tickets. <strong>+allow_proxiable</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_dup_skey</strong></dt> -<dd><strong>-allow_dup_skey</strong> disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. <strong>+allow_dup_skey</strong> clears this flag.</dd> -<dt>{-|+}<strong>requires_preauth</strong></dt> -<dd><strong>+requires_preauth</strong> requires this principal to preauthenticate -before being allowed to kinit. <strong>-requires_preauth</strong> clears this -flag. When <strong>+requires_preauth</strong> is set on a service principal, -the KDC will only issue service tickets for that service principal -if the client’s initial authentication was performed using -preauthentication.</dd> -<dt>{-|+}<strong>requires_hwauth</strong></dt> -<dd><strong>+requires_hwauth</strong> requires this principal to preauthenticate -using a hardware device before being allowed to kinit. -<strong>-requires_hwauth</strong> clears this flag. When <strong>+requires_hwauth</strong> is -set on a service principal, the KDC will only issue service tickets -for that service principal if the client’s initial authentication was -performed using a hardware device to preauthenticate.</dd> -<dt>{-|+}<strong>ok_as_delegate</strong></dt> -<dd><strong>+ok_as_delegate</strong> sets the <strong>okay as delegate</strong> flag on tickets -issued with this principal as the service. Clients may use this -flag as a hint that credentials should be delegated when -authenticating to the service. <strong>-ok_as_delegate</strong> clears this -flag.</dd> -<dt>{-|+}<strong>allow_svr</strong></dt> -<dd><strong>-allow_svr</strong> prohibits the issuance of service tickets for this -principal. <strong>+allow_svr</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_tgs_req</strong></dt> -<dd><strong>-allow_tgs_req</strong> specifies that a Ticket-Granting Service (TGS) -request for a service ticket for this principal is not permitted. -<strong>+allow_tgs_req</strong> clears this flag.</dd> -<dt>{-|+}<strong>allow_tix</strong></dt> -<dd><strong>-allow_tix</strong> forbids the issuance of any tickets for this -principal. <strong>+allow_tix</strong> clears this flag.</dd> -<dt>{-|+}<strong>needchange</strong></dt> -<dd><strong>+needchange</strong> forces a password change on the next initial -authentication to this principal. <strong>-needchange</strong> clears this -flag.</dd> -<dt>{-|+}<strong>password_changing_service</strong></dt> -<dd><strong>+password_changing_service</strong> marks this principal as a password -change service principal.</dd> -<dt>{-|+}<strong>ok_to_auth_as_delegate</strong></dt> -<dd><strong>+ok_to_auth_as_delegate</strong> allows this principal to acquire -forwardable tickets to itself from arbitrary users, for use with -constrained delegation.</dd> -<dt>{-|+}<strong>no_auth_data_required</strong></dt> -<dd><strong>+no_auth_data_required</strong> prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal.</dd> -<dt>{-|+}<strong>lockdown_keys</strong></dt> -<dd><strong>+lockdown_keys</strong> prevents keys for this principal from leaving -the KDC via kadmind. The chpass and extract operations are denied -for a principal with this attribute. The chrand operation is -allowed, but will not return the new keys. The delete and rename -operations are also denied if this attribute is set, in order to -prevent a malicious administrator from replacing principals like -krbtgt/* or kadmin/* with new principals without the attribute. -This attribute can be set via the network protocol, but can only -be removed using kadmin.local.</dd> -<dt><strong>-randkey</strong></dt> -<dd>Sets the key of the principal to a random value.</dd> -<dt><strong>-nokey</strong></dt> -<dd>Causes the principal to be created with no key. New in release -1.12.</dd> -<dt><strong>-pw</strong> <em>password</em></dt> -<dd>Sets the password of the principal to the specified string and -does not prompt for a password. Note: using this option in a -shell script may expose the password to other users on the system -via the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> -<dd>Uses the specified keysalt list for setting the keys of the -principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a -list of possible values.</dd> -<dt><strong>-x</strong> <em>db_princ_args</em></dt> -<dd><p class="first">Indicates database-specific options. The options for the LDAP -database module are:</p> -<dl class="docutils"> -<dt><strong>-x dn=</strong><em>dn</em></dt> -<dd>Specifies the LDAP object that will contain the Kerberos -principal being created.</dd> -<dt><strong>-x linkdn=</strong><em>dn</em></dt> -<dd>Specifies the LDAP object to which the newly created Kerberos -principal object will point.</dd> -<dt><strong>-x containerdn=</strong><em>container_dn</em></dt> -<dd>Specifies the container object under which the Kerberos -principal is to be created.</dd> -<dt><strong>-x tktpolicy=</strong><em>policy</em></dt> -<dd>Associates a ticket policy to the Kerberos principal.</dd> -</dl> -<div class="last admonition note"> -<p class="first admonition-title">Note</p> -<ul class="last simple"> -<li>The <strong>containerdn</strong> and <strong>linkdn</strong> options cannot be -specified with the <strong>dn</strong> option.</li> -<li>If the <em>dn</em> or <em>containerdn</em> options are not specified while -adding the principal, the principals are created under the -principal container configured in the realm or the realm -container.</li> -<li><em>dn</em> and <em>containerdn</em> should be within the subtrees or -principal container configured in the realm.</li> -</ul> -</div> -</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc jennifer -WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: -Re-enter password for principal jennifer@ATHENA.MIT.EDU: -Principal "jennifer@ATHENA.MIT.EDU" created. -kadmin: +<p>To add a principal to the database, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> +<strong>add_principal</strong> command. User principals should usually be created +with the <code class="docutils literal"><span class="pre">+requires_preauth</span> <span class="pre">-allow_svr</span></code> options to help mitigate +dictionary attacks (see <a class="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">Addressing dictionary attack risks</span></a>):</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">alice</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"alice@KRBTEST.COM"</span><span class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="s2">"alice@KRBTEST.COM"</span><span class="p">:</span> </pre></div> </div> -</div> -<div class="section" id="modify-principal"> -<h3>modify_principal<a class="headerlink" href="#modify-principal" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>modify_principal</strong> [<em>options</em>] <em>principal</em></div></blockquote> -<p>Modifies the specified principal, changing the fields as specified. -The options to <strong>add_principal</strong> also apply to this command, except -for the <strong>-randkey</strong>, <strong>-pw</strong>, and <strong>-e</strong> options. In addition, the -option <strong>-clearpolicy</strong> will clear the current policy of a principal.</p> -<p>This command requires the <em>modify</em> privilege.</p> -<p>Alias: <strong>modprinc</strong></p> -<p>Options (in addition to the <strong>addprinc</strong> options):</p> -<dl class="docutils"> -<dt><strong>-unlock</strong></dt> -<dd>Unlocks a locked principal (one which has received too many failed -authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate.</dd> -</dl> -</div> -<div class="section" id="delete-principal"> -<h3>delete_principal<a class="headerlink" href="#delete-principal" title="Permalink to this headline">¶</a></h3> +<p>User principals which will authenticate with <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT configuration</span></a> should +instead by created with the <code class="docutils literal"><span class="pre">-nokey</span></code> option:</p> <blockquote> -<div><strong>delete_principal</strong> [<strong>-force</strong>] <em>principal</em></div></blockquote> -<p>Deletes the specified <em>principal</em> from the database. This command -prompts for deletion, unless the <strong>-force</strong> option is given.</p> -<p>This command requires the <strong>delete</strong> privilege.</p> -<p>Alias: <strong>delprinc</strong></p> -<div class="section" id="examples"> -<h4>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h4> -<p>If you want to create a principal which is contained by a LDAP object, -all you need to do is:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer -WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. -Re-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. -Principal "jennifer@ATHENA.MIT.EDU" created. -kadmin: -</pre></div> -</div> -<p>If you want to create a principal under a specific LDAP container and -link to an existing LDAP object, all you need to do is:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david -WARNING: no policy specified for "david@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. -Re-enter password for principal david@ATHENA.MIT.EDU: <=Type it again. -Principal "david@ATHENA.MIT.EDU" created. -kadmin: +<div>kadmin: addprinc -nokey alice</div></blockquote> +<p>Service principals can be created with the <code class="docutils literal"><span class="pre">-nokey</span></code> option; +long-term keys will be added when a keytab is generated:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">nokey</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n">k</span> <span class="n">foo</span><span class="o">.</span><span class="n">keytab</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes256</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> +<span class="n">Entry</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">host</span><span class="o">/</span><span class="n">foo</span><span class="o">.</span><span class="n">mit</span><span class="o">.</span><span class="n">edu</span> <span class="k">with</span> <span class="n">kvno</span> <span class="mi">1</span><span class="p">,</span> <span class="n">encryption</span> <span class="nb">type</span> <span class="n">aes128</span><span class="o">-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="o">-</span><span class="n">sha1</span><span class="o">-</span><span class="mi">96</span> <span class="n">added</span> <span class="n">to</span> <span class="n">keytab</span> <span class="n">WRFILE</span><span class="p">:</span><span class="n">foo</span><span class="o">.</span><span class="n">keytab</span><span class="o">.</span> </pre></div> </div> -<p>If you want to associate a ticket policy to a principal, all you need -to do is:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: modprinc -x tktpolicy=userpolicy david -Principal "david@ATHENA.MIT.EDU" modified. -kadmin: +<p>To modify attributes of an existing principal, use the kadmin +<strong>modify_principal</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">modprinc</span> <span class="o">-</span><span class="n">expire</span> <span class="n">tomorrow</span> <span class="n">alice</span> +<span class="n">Principal</span> <span class="s2">"alice@KRBTEST.COM"</span> <span class="n">modified</span><span class="o">.</span> </pre></div> </div> -<p>If, on the other hand, you want to set up an account that expires on -January 1, 2000, that uses a policy called “stduser”, with a temporary -password (which you want the user to change immediately), you would -type the following:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange -Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. -Re-enter password for principal -david@ATHENA.MIT.EDU: <= Type it again. -Principal "david@ATHENA.MIT.EDU" created. -kadmin: +<p>To delete a principal, use the kadmin <strong>delete_principal</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>kadmin: delprinc alice +Are you sure you want to delete the principal "alice@KRBTEST.COM"? (yes/no): yes +Principal "alice@KRBTEST.COM" deleted. +Make sure that you have removed this principal from all ACLs before reusing. </pre></div> </div> -<p>If you want to delete a principal:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: delprinc jennifer -Are you sure you want to delete the principal -"jennifer@ATHENA.MIT.EDU"? (yes/no): yes -Principal "jennifer@ATHENA.MIT.EDU" deleted. -Make sure that you have removed this principal from -all ACLs before reusing. -kadmin: -</pre></div> -</div> -</div> -</div> -<div class="section" id="retrieving-information-about-a-principal"> -<h3>Retrieving information about a principal<a class="headerlink" href="#retrieving-information-about-a-principal" title="Permalink to this headline">¶</a></h3> -<p>To retrieve a listing of the attributes and/or policies associated -with a principal, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>get_principal</strong> command.</p> +<p>To change a principal’s password, use the kadmin <strong>change_password</strong> +command. Password changes made through kadmin are subject to the same +password policies as would apply to password changes made through +<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>.</p> +<p>To view the attributes of a principal, use the kadmin` +<strong>get_principal</strong> command.</p> <p>To generate a listing of principals, use the kadmin <strong>list_principals</strong> command.</p> </div> -<div class="section" id="get-principal"> -<h3>get_principal<a class="headerlink" href="#get-principal" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>get_principal</strong> [<strong>-terse</strong>] <em>principal</em></div></blockquote> -<p>Gets the attributes of principal. With the <strong>-terse</strong> option, outputs -fields as quoted tab-separated strings.</p> -<p>This command requires the <strong>inquire</strong> privilege, or that the principal -running the the program to be the same as the one being listed.</p> -<p>Alias: <strong>getprinc</strong></p> -<p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: getprinc tlyu/admin -Principal: tlyu/admin@BLEEP.COM -Expiration date: [never] -Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] -Maximum ticket life: 0 days 10:00:00 -Maximum renewable life: 7 days 00:00:00 -Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) -Last successful authentication: [never] -Last failed authentication: [never] -Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, des-cbc-crc -Key: vno 1, des-cbc-crc:v4 -Attributes: -Policy: [none] - -kadmin: getprinc -terse systest -systest@BLEEP.COM 3 86400 604800 1 -785926535 753241234 785900000 -tlyu/admin@BLEEP.COM 786100034 0 0 -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="list-principals"> -<h3>list_principals<a class="headerlink" href="#list-principals" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>list_principals</strong> [<em>expression</em>]</div></blockquote> -<p>Retrieves all or some principal names. <em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>, -<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an <tt class="docutils literal"><span class="pre">@</span></tt> character, an -<tt class="docutils literal"><span class="pre">@</span></tt> character followed by the local realm is appended to the -expression.</p> -<p>This command requires the <strong>list</strong> privilege.</p> -<p>Alias: <strong>listprincs</strong>, <strong>get_principals</strong>, <strong>get_princs</strong></p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: listprincs test* -test3@SECURE-TEST.OV.COM -test2@SECURE-TEST.OV.COM -test1@SECURE-TEST.OV.COM -testuser@SECURE-TEST.OV.COM -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="changing-passwords"> -<h3>Changing passwords<a class="headerlink" href="#changing-passwords" title="Permalink to this headline">¶</a></h3> -<p>To change a principal’s password use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> -<strong>change_password</strong> command.</p> -</div> -<div class="section" id="change-password"> -<h3>change_password<a class="headerlink" href="#change-password" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>change_password</strong> [<em>options</em>] <em>principal</em></div></blockquote> -<p>Changes the password of <em>principal</em>. Prompts for a new password if -neither <strong>-randkey</strong> or <strong>-pw</strong> is specified.</p> -<p>This command requires the <strong>changepw</strong> privilege, or that the -principal running the program is the same as the principal being -changed.</p> -<p>Alias: <strong>cpw</strong></p> -<p>The following options are available:</p> -<dl class="docutils"> -<dt><strong>-randkey</strong></dt> -<dd>Sets the key of the principal to a random value.</dd> -<dt><strong>-pw</strong> <em>password</em></dt> -<dd>Set the password to the specified string. Using this option in a -script may expose the password to other users on the system via -the process list.</dd> -<dt><strong>-e</strong> <em>enc</em>:<em>salt</em>,...</dt> -<dd>Uses the specified keysalt list for setting the keys of the -principal. See <a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a -list of possible values.</dd> -<dt><strong>-keepold</strong></dt> -<dd>Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for <tt class="docutils literal"><span class="pre">krbtgt</span></tt> principals.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re-enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. -kadmin: -</pre></div> -</div> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">Password changes through kadmin are subject to the same -password policies as would apply to password changes through -<a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><em>kpasswd</em></a>.</p> -</div> -</div> -</div> <div class="section" id="policies"> -<span id="id1"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2> +<span id="id2"></span><h2>Policies<a class="headerlink" href="#policies" title="Permalink to this headline">¶</a></h2> <p>A policy is a set of rules governing passwords. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database.</p> -<div class="section" id="adding-modifying-and-deleting-policies"> -<h3>Adding, modifying and deleting policies<a class="headerlink" href="#adding-modifying-and-deleting-policies" title="Permalink to this headline">¶</a></h3> -<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>add_policy</strong> command.</p> -<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong> -command.</p> -<p>To delete a policy, use the kadmin <strong>delete_policy</strong> command.</p> -</div> -<div class="section" id="add-policy"> -<h3>add_policy<a class="headerlink" href="#add-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>add_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> -<p>Adds a password policy named <em>policy</em> to the database.</p> -<p>This command requires the <strong>add</strong> privilege.</p> -<p>Alias: <strong>addpol</strong></p> -<p>The following options are available:</p> -<dl class="docutils"> -<dt><strong>-maxlife</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the maximum -lifetime of a password.</dd> -<dt><strong>-minlife</strong> <em>time</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the minimum -lifetime of a password.</dd> -<dt><strong>-minlength</strong> <em>length</em></dt> -<dd>Sets the minimum length of a password.</dd> -<dt><strong>-minclasses</strong> <em>number</em></dt> -<dd>Sets the minimum number of character classes required in a -password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters.</dd> -<dt><strong>-history</strong> <em>number</em></dt> -<dd>Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module.</dd> -</dl> -<dl class="docutils" id="policy-maxfailure"> -<dt><strong>-maxfailure</strong> <em>maxnumber</em></dt> -<dd>Sets the number of authentication failures before the principal is -locked. Authentication failures are only tracked for principals -which require preauthentication. The counter of failed attempts -resets to 0 after a successful attempt to authenticate. A -<em>maxnumber</em> value of 0 (the default) disables lockout.</dd> -</dl> -<dl class="docutils" id="policy-failurecountinterval"> -<dt><strong>-failurecountinterval</strong> <em>failuretime</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the allowable time -between authentication failures. If an authentication failure -happens after <em>failuretime</em> has elapsed since the previous -failure, the number of authentication failures is reset to 1. A -<em>failuretime</em> value of 0 (the default) means forever.</dd> -</dl> -<dl class="docutils" id="policy-lockoutduration"> -<dt><strong>-lockoutduration</strong> <em>lockouttime</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#duration"><em>Time duration</em></a> or <a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Sets the duration for -which the principal is locked from authenticating if too many -authentication failures occur without the specified failure count -interval elapsing. A duration of 0 (the default) means the -principal remains locked out until it is administratively unlocked -with <tt class="docutils literal"><span class="pre">modprinc</span> <span class="pre">-unlock</span></tt>.</dd> -<dt><strong>-allowedkeysalts</strong></dt> -<dd>Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal’s password/keys. See -<a class="reference internal" href="conf_files/kdc_conf.html#keysalt-lists"><em>Keysalt lists</em></a> in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> for a list of the -accepted values, but note that key/salt tuples must be separated -with commas (‘,’) only. To clear the allowed key/salt policy use -a value of ‘-‘.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: add_policy -maxlife "2 days" -minlength 5 guests -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="modify-policy"> -<h3>modify_policy<a class="headerlink" href="#modify-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>modify_policy</strong> [<em>options</em>] <em>policy</em></div></blockquote> -<p>Modifies the password policy named <em>policy</em>. Options are as described -for <strong>add_policy</strong>.</p> -<p>This command requires the <strong>modify</strong> privilege.</p> -<p>Alias: <strong>modpol</strong></p> -</div> -<div class="section" id="delete-policy"> -<h3>delete_policy<a class="headerlink" href="#delete-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>delete_policy</strong> [<strong>-force</strong>] <em>policy</em></div></blockquote> -<p>Deletes the password policy named <em>policy</em>. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals.</p> -<p>This command requires the <strong>delete</strong> privilege.</p> -<p>Alias: <strong>delpol</strong></p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: del_policy guests -Are you sure you want to delete the policy "guests"? -(yes/no): yes -kadmin: -</pre></div> -</div> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">You must cancel the policy from <em>all</em> principals before -deleting it. The <em>delete_policy</em> command will fail if the policy -is in use by any principals.</p> -</div> -</div> -<div class="section" id="retrieving-policies"> -<h3>Retrieving policies<a class="headerlink" href="#retrieving-policies" title="Permalink to this headline">¶</a></h3> -<p>To retrieve a policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> <strong>get_policy</strong> command.</p> -<p>You can retrieve the list of policies with the kadmin -<strong>list_policies</strong> command.</p> -</div> -<div class="section" id="get-policy"> -<h3>get_policy<a class="headerlink" href="#get-policy" title="Permalink to this headline">¶</a></h3> -<blockquote> -<div><strong>get_policy</strong> [ <strong>-terse</strong> ] <em>policy</em></div></blockquote> -<p>Displays the values of the password policy named <em>policy</em>. With the -<strong>-terse</strong> flag, outputs the fields as quoted strings separated by -tabs.</p> -<p>This command requires the <strong>inquire</strong> privilege.</p> -<p>Alias: getpol</p> -<p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: get_policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 - -kadmin: get_policy -terse admin -admin 15552000 0 6 2 5 17 -kadmin: +<p>To add a new policy, use the <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>add_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">addpol</span> <span class="o">-</span><span class="n">maxlife</span> <span class="s2">"1 year"</span> <span class="o">-</span><span class="n">history</span> <span class="mi">3</span> <span class="n">stduser</span> </pre></div> </div> -<p>The “Reference count” is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful.</p> -</div> -<div class="section" id="list-policies"> -<h3>list_policies<a class="headerlink" href="#list-policies" title="Permalink to this headline">¶</a></h3> +<p>To modify attributes of a principal, use the kadmin <strong>modify_policy</strong> +command. To delete a policy, use the kadmin <strong>delete_policy</strong> +command.</p> +<p>To associate a policy with a principal, use the kadmin +<strong>modify_principal</strong> command with the <strong>-policy</strong> option:</p> <blockquote> -<div><strong>list_policies</strong> [<em>expression</em>]</div></blockquote> -<p>Retrieves all or some policy names. <em>expression</em> is a shell-style -glob expression that can contain the wild-card characters <tt class="docutils literal"><span class="pre">?</span></tt>, -<tt class="docutils literal"><span class="pre">*</span></tt>, and <tt class="docutils literal"><span class="pre">[]</span></tt>. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed.</p> -<p>This command requires the <strong>list</strong> privilege.</p> -<p>Aliases: <strong>listpols</strong>, <strong>get_policies</strong>, <strong>getpols</strong>.</p> -<p>Examples:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: listpols -test-pol -dict-only -once-a-min -test-pol-nopw - -kadmin: listpols t* -test-pol -test-pol-nopw -kadmin: -</pre></div> -</div> -</div> -<div class="section" id="policies-and-principals"> -<h3>Policies and principals<a class="headerlink" href="#policies-and-principals" title="Permalink to this headline">¶</a></h3> -<p>Policies can be applied to principals as they are created by using -the <strong>-policy</strong> flag to <a class="reference internal" href="admin_commands/kadmin_local.html#add-principal"><em>add_principal</em></a>. Existing principals can -be modified by using the <strong>-policy</strong> or <strong>-clearpolicy</strong> flag to -<a class="reference internal" href="admin_commands/kadmin_local.html#modify-principal"><em>modify_principal</em></a>.</p> -</div> +<div>kadmin: modprinc -policy stduser alice +Principal “<a class="reference external" href="mailto:alice%40KRBTEST.COM">alice<span>@</span>KRBTEST<span>.</span>COM</a>” modified.</div></blockquote> +<p>A principal entry may be associated with a nonexistent policy, either +because the policy did not exist at the time of associated or was +deleted afterwards. kadmin will warn when associated a principal with +a nonexistent policy, and will annotate the policy name with “[does +not exist]” in the <strong>get_principal</strong> output.</p> <div class="section" id="updating-the-history-key"> -<h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3> +<span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#updating-the-history-key" title="Permalink to this headline">¶</a></h3> <p>If a policy specifies a number of old keys kept of two or more, the stored old keys are encrypted in a history key, which is found in the -key data of the <tt class="docutils literal"><span class="pre">kadmin/history</span></tt> principal.</p> +key data of the <code class="docutils literal"><span class="pre">kadmin/history</span></code> principal.</p> <p>Currently there is no support for proper rollover of the history key, but you can change the history key (for example, to use a better encryption type) at the cost of invalidating currently stored old keys. To change the history key, run:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: change_password -randkey kadmin/history +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="n">kadmin</span><span class="o">/</span><span class="n">history</span> </pre></div> </div> <p>This command will fail if you specify the <strong>-keepold</strong> flag. Only one @@ -749,213 +186,74 @@ rollover support for stored old keys.</p> </div> </div> <div class="section" id="privileges"> -<span id="id2"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2> +<span id="id3"></span><h2>Privileges<a class="headerlink" href="#privileges" title="Permalink to this headline">¶</a></h2> <p>Administrative privileges for the Kerberos database are stored in the -file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>.</p> +file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>.</p> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For -example, the user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> might have a principal for -his administrative use, called <tt class="docutils literal"><span class="pre">joeadmin/admin</span></tt>. This -way, <tt class="docutils literal"><span class="pre">joeadmin</span></tt> would obtain <tt class="docutils literal"><span class="pre">joeadmin/admin</span></tt> tickets +example, the user <code class="docutils literal"><span class="pre">joeadmin</span></code> might have a principal for +his administrative use, called <code class="docutils literal"><span class="pre">joeadmin/admin</span></code>. This +way, <code class="docutils literal"><span class="pre">joeadmin</span></code> would obtain <code class="docutils literal"><span class="pre">joeadmin/admin</span></code> tickets only when he actually needs to use those permissions.</p> </div> </div> <div class="section" id="operations-on-the-kerberos-database"> <span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="#operations-on-the-kerberos-database" title="Permalink to this headline">¶</a></h2> -<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> command is the primary tool for administrating -the Kerberos database.</p> -<p><strong>kdb5_util</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-d</strong> <em>dbname</em>] -[<strong>-k</strong> <em>mkeytype</em>] -[<strong>-M</strong> <em>mkeyname</em>] -[<strong>-kv</strong> <em>mkeyVNO</em>] -[<strong>-sf</strong> <em>stashfilename</em>] -[<strong>-m</strong>] -<em>command</em> [<em>command_options</em>]</p> -<p><strong>OPTIONS</strong></p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>specifies the Kerberos realm of the database.</dd> -<dt><strong>-d</strong> <em>dbname</em></dt> -<dd>specifies the name under which the principal database is stored; -by default the database is that listed in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. The -password policy database and lock files are also derived from this -value.</dd> -<dt><strong>-k</strong> <em>mkeytype</em></dt> -<dd>specifies the key type of the master key in the database. The -default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-kv</strong> <em>mkeyVNO</em></dt> -<dd>Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.</dd> -<dt><strong>-M</strong> <em>mkeyname</em></dt> -<dd>principal name for the master key in the database. If not -specified, the name is determined by the <strong>master_key_name</strong> -variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-m</strong></dt> -<dd>specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk.</dd> -<dt><strong>-sf</strong> <em>stash_file</em></dt> -<dd>specifies the stash filename of the master database password. If -not specified, the filename is determined by the -<strong>key_stash_file</strong> variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-P</strong> <em>password</em></dt> -<dd>specifies the master database password. Using this option may -expose the password to other users on the system via the process -list.</dd> -</dl> -<div class="toctree-wrapper compound"> -<ul class="simple"> -</ul> -</div> -<div class="section" id="dumping-a-kerberos-database-to-a-file"> -<h3>Dumping a Kerberos database to a file<a class="headerlink" href="#dumping-a-kerberos-database-to-a-file" title="Permalink to this headline">¶</a></h3> -<p>To dump a Kerberos database into a file, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> -<strong>dump</strong> command on one of the KDCs.</p> -<blockquote> -<div><strong>dump</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-verbose</strong>] -[<strong>-mkey_convert</strong>] [<strong>-new_mkey_file</strong> <em>mkey_file</em>] [<strong>-rev</strong>] -[<strong>-recurse</strong>] [<em>filename</em> [<em>principals</em>...]]</div></blockquote> -<p>Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, “kdb5_util -load_dump version 7”. If filename is not specified, or is the string -“-”, the dump is sent to standard output. Options:</p> -<dl class="docutils"> -<dt><strong>-b7</strong></dt> -<dd>causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util -load_dump version 4”). This was the dump format produced on -releases prior to 1.2.2.</dd> -<dt><strong>-ov</strong></dt> -<dd>causes the dump to be in “ovsec_adm_export” format.</dd> -<dt><strong>-r13</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.</dd> -<dt><strong>-r18</strong></dt> -<dd>causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.</dd> -<dt><strong>-verbose</strong></dt> -<dd>causes the name of each principal and policy to be printed as it -is dumped.</dd> -<dt><strong>-mkey_convert</strong></dt> -<dd>prompts for a new master key. This new master key will be used to -re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed.</dd> -<dt><strong>-new_mkey_file</strong> <em>mkey_file</em></dt> -<dd>the filename of a stash file. The master key in this stash file -will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed.</dd> -<dt><strong>-rev</strong></dt> -<dd>dumps in reverse order. This may recover principals that do not -dump normally, in cases where database corruption has occurred.</dd> -<dt><strong>-recurse</strong></dt> -<dd><p class="first">causes the dump to walk the database recursively (btree only). -This may recover principals that do not dump normally, in cases -where database corruption has occurred. In cases of such -corruption, this option will probably retrieve more principals -than the <strong>-rev</strong> option will.</p> -<div class="versionchanged"> -<p><span class="versionmodified">Changed in version 1.15: </span>Release 1.15 restored the functionality of the <strong>-recurse</strong> -option.</p> +<p>The <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> command is the primary tool for administrating +the Kerberos database when using the DB2 or LMDB modules (see +<a class="reference internal" href="dbtypes.html#dbtypes"><span class="std std-ref">Database types</span></a>). Creating a database is described in +<a class="reference internal" href="install_kdc.html#create-db"><span class="std std-ref">Create the KDC database</span></a>.</p> +<p>To create a stash file using the master password (because the database +was not created with one using the <code class="docutils literal"><span class="pre">create</span> <span class="pre">-s</span></code> flag, or after +restoring from a backup which did not contain the stash file), use the +kdb5_util <strong>stash</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util stash +kdb5_util: Cannot find/read stored master key while reading master key +kdb5_util: Warning: proceeding without master key +Enter KDC database master key: <= Type the KDC database master password. +</pre></div> </div> -<div class="last versionchanged"> -<p><span class="versionmodified">Changed in version 1.5: </span>The <strong>-recurse</strong> option ceased working until release 1.15, -doing a normal dump instead of a recursive traversal.</p> +<p>To destroy a database, use the kdb5_util destroy command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util destroy +Deleting KDC database stored in '/var/krb5kdc/principal', are you sure? +(type 'yes' to confirm)? yes +OK, deleting database '/var/krb5kdc/principal'... +** Database '/var/krb5kdc/principal' destroyed. +</pre></div> </div> -</dd> -</dl> -<div class="section" id="id3"> -<h4>Examples<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h4> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump dumpfile -shell% +<div class="section" id="dumping-and-loading-a-kerberos-database"> +<span id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink" href="#dumping-and-loading-a-kerberos-database" title="Permalink to this headline">¶</a></h3> +<p>To dump a Kerberos database into a text file for backup or transfer +purposes, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>dump</strong> command on one of the +KDCs:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util dump dumpfile -shell% kbd5_util dump -verbose dumpfile +$ kbd5_util dump -verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU -shell% </pre></div> </div> -<p>If you specify which principals to dump, you must use the full -principal, as in the following example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU +<p>You may specify which principals to dump, using full principal names +including realm:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util dump -verbose someprincs K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU -shell% </pre></div> </div> -<p>Otherwise, the principals will not match those in the database and -will not be dumped:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin -shell% +<p>To restore a Kerberos database dump from a file, use the +<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> <strong>load</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util load dumpfile </pre></div> </div> -<p>If you do not specify a dump file, kdb5_util will dump the database to -the standard output.</p> -</div> -</div> -<div class="section" id="restoring-a-kerberos-database-from-a-dump-file"> -<span id="restore-from-dump"></span><h3>Restoring a Kerberos database from a dump file<a class="headerlink" href="#restoring-a-kerberos-database-from-a-dump-file" title="Permalink to this headline">¶</a></h3> -<p>To restore a Kerberos database dump from a file, use the -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>load</strong> command on one of the KDCs.</p> -<blockquote> -<div><strong>load</strong> [<strong>-b7</strong>|<strong>-ov</strong>|<strong>-r13</strong>] [<strong>-hash</strong>] -[<strong>-verbose</strong>] [<strong>-update</strong>] <em>filename</em> [<em>dbname</em>]</div></blockquote> -<p>Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the <strong>-update</strong> option is given, <strong>load</strong> creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the <strong>-update</strong> flag is required.</p> -<p>Options:</p> -<dl class="docutils"> -<dt><strong>-b7</strong></dt> -<dd>requires the database to be in the Kerberos 5 Beta 7 format -(“kdb5_util load_dump version 4”). This was the dump format -produced on releases prior to 1.2.2.</dd> -<dt><strong>-ov</strong></dt> -<dd>requires the database to be in “ovsec_adm_import” format. Must be -used with the <strong>-update</strong> option.</dd> -<dt><strong>-r13</strong></dt> -<dd>requires the database to be in Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.</dd> -<dt><strong>-r18</strong></dt> -<dd>requires the database to be in Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.</dd> -<dt><strong>-hash</strong></dt> -<dd>requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals.</dd> -<dt><strong>-verbose</strong></dt> -<dd>causes the name of each principal and policy to be printed as it -is dumped.</dd> -<dt><strong>-update</strong></dt> -<dd>records from the dump file are added to or updated in the existing -database. Otherwise, a new database is created containing only -what is in the dump file and the old one destroyed upon successful -completion.</dd> -</dl> -<p>If specified, <em>dbname</em> overrides the value specified on the command -line or the default.</p> -<div class="section" id="id4"> -<h4>Examples<a class="headerlink" href="#id4" title="Permalink to this headline">¶</a></h4> -<p>To load a single principal, either replacing or updating the database:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util load dumpfile principal -shell% - -shell% kdb5_util load -update dumpfile principal -shell% +<p>To update an existing database with a partial dump file containing +only some principals, use the <code class="docutils literal"><span class="pre">-update</span></code> flag:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util load -update someprincs </pre></div> </div> <div class="admonition note"> @@ -963,139 +261,63 @@ shell% <p class="last">If the database file exists, and the <em>-update</em> flag was not given, <em>kdb5_util</em> will overwrite the existing database.</p> </div> -<p>Using kdb5_util to upgrade a master KDC from krb5 1.1.x:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util dump old-kdb-dump -shell% kdb5_util dump -ov old-kdb-dump.ov - [Create a new KDC installation, using the old stash file/master password] -shell% kdb5_util load old-kdb-dump -shell% kdb5_util load -update old-kdb-dump.ov -</pre></div> -</div> -<p>The use of old-kdb-dump.ov for an extra dump and load is necessary -to preserve per-principal policy information, which is not included in -the default dump format of krb5 1.1.x.</p> -<div class="admonition note"> -<p class="first admonition-title">Note</p> -<p class="last">Using kdb5_util to dump and reload the principal database is -only necessary when upgrading from versions of krb5 prior -to 1.2.0—newer versions will use the existing database as-is.</p> -</div> -</div> -</div> -<div class="section" id="creating-a-stash-file"> -<span id="create-stash"></span><h3>Creating a stash file<a class="headerlink" href="#creating-a-stash-file" title="Permalink to this headline">¶</a></h3> -<p>A stash file allows a KDC to authenticate itself to the database -utilities, such as <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a>, <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a>, and -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a>.</p> -<p>To create a stash file, use the <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>stash</strong> command.</p> -<blockquote> -<div><strong>stash</strong> [<strong>-f</strong> <em>keyfile</em>]</div></blockquote> -<p>Stores the master principal’s keys in a stash file. The <strong>-f</strong> -argument can be used to override the <em>keyfile</em> specified in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p> -<div class="section" id="example"> -<h4>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h4> -<blockquote> -<div>shell% kdb5_util stash -kdb5_util: Cannot find/read stored master key while reading master key -kdb5_util: Warning: proceeding without master key -Enter KDC database master key: <= Type the KDC database master password. -shell%</div></blockquote> -<p>If you do not specify a stash file, kdb5_util will stash the key in -the file specified in your <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> file.</p> -</div> -</div> -<div class="section" id="creating-and-destroying-a-kerberos-database"> -<h3>Creating and destroying a Kerberos database<a class="headerlink" href="#creating-and-destroying-a-kerberos-database" title="Permalink to this headline">¶</a></h3> -<p>If you need to create a new Kerberos database, use the -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>create</strong> command.</p> -<blockquote> -<div><strong>create</strong> [<strong>-s</strong>]</div></blockquote> -<p>Creates a new database. If the <strong>-s</strong> option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run.</p> -<p>If you need to destroy the current Kerberos database, use the -<a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> <strong>destroy</strong> command.</p> -<blockquote> -<div><strong>destroy</strong> [<strong>-f</strong>]</div></blockquote> -<p>Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the <strong>-f</strong> argument, does not prompt the user.</p> -<div class="section" id="id5"> -<h4>Examples<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h4> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_util -r ATHENA.MIT.EDU create -s -Loading random data -Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', -master key name 'K/M@ATHENA.MIT.EDU' -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: <= Type the master password. -Re-enter KDC database master key to verify: <= Type it again. -shell% - -shell% kdb5_util -r ATHENA.MIT.EDU destroy -Deleting KDC database stored in '/usr/local/var/krb5kdc/principal', are you sure? -(type 'yes' to confirm)? <= yes -OK, deleting database '/usr/local/var/krb5kdc/principal'... -** Database '/usr/local/var/krb5kdc/principal' destroyed. -shell% -</pre></div> -</div> -</div> </div> <div class="section" id="updating-the-master-key"> -<h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3> -<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><em>kdb5_util</em></a> allows the master key +<span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updating-the-master-key" title="Permalink to this headline">¶</a></h3> +<p>Starting with release 1.7, <a class="reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kdb5_util</span></a> allows the master key to be changed using a rollover process, with minimal loss of availability. To roll over the master key, follow these steps:</p> <ol class="arabic"> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></tt> to view the current -master key version number (KVNO). If you have never rolled over -the master key before, this will likely be version 1:</p> -<div class="highlight-python"><div class="highlight"><pre>$ kdb5_util list_mkeys +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to view the +current master key version number (KVNO). If you have never rolled +over the master key before, this will likely be version 1:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_util list_mkeys Master keys for Principal: K/M@KRBTEST.COM -KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 * +KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * </pre></div> </div> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></tt> to ensure that a +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">1</span></code> to ensure that a master key activation list is present in the database. This step is unnecessary in release 1.11.4 or later, or if the database was initially created with release 1.7 or later.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></tt> to create a new +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></code> to create a new master key and write it to the stash file. Enter a secure password when prompted. If this is the first time you are changing the master key, the new key will have version 2. The new master key will not be used until you make it active.</p> </li> -<li><p class="first">Propagate the database to all slave KDCs, either manually or by +<li><p class="first">Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. If you do not have -any slave KDCs, you can skip this and the next step.</p> +any replica KDCs, you can skip this and the next step.</p> </li> -<li><p class="first">On each slave KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></tt> to verify that the -new master key is present, and then <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">stash</span></tt> to write -the new master key to the slave KDC’s stash file.</p> +<li><p class="first">On each replica KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">list_mkeys</span></code> to verify that +the new master key is present, and then <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">stash</span></code> to +write the new master key to the replica KDC’s stash file.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></tt> to begin using the -new master key. Replace <tt class="docutils literal"><span class="pre">2</span></tt> with the version of the new master +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">use_mkey</span> <span class="pre">2</span></code> to begin using the +new master key. Replace <code class="docutils literal"><span class="pre">2</span></code> with the version of the new master key, as appropriate. You can optionally specify a date for the new master key to become active; by default, it will become active -immediately. Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> must be +immediately. Prior to release 1.12, <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> must be restarted for this change to take full effect.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></tt>. This -command will iterate over the database and re-encrypt all keys in -the new master key. If the database is large and uses DB2, the -master KDC will become unavailable while this command runs, but -clients should fail over to slave KDCs (if any are present) during -this time period. In release 1.13 and later, you can instead run -<tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></tt> to use unlocked -iteration; this variant will take longer, but will keep the -database available to the KDC and kadmind while it runs.</p> +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">update_princ_encryption</span></code>. +This command will iterate over the database and re-encrypt all keys +in the new master key. If the database is large and uses DB2, the +primary KDC will become unavailable while this command runs, but +clients should fail over to replica KDCs (if any are present) +during this time period. In release 1.13 and later, you can +instead run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class="pre">unlockiter</span> <span class="pre">update_princ_encryption</span></code> to +use unlocked iteration; this variant will take longer, but will +keep the database available to the KDC and kadmind while it runs.</p> </li> -<li><p class="first">On the master KDC, run <tt class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></tt> to clean up the +<li><p class="first">Wait until the above changes have propagated to all replica KDCs +and until all running KDC and kadmind processes have serviced +requests using updated principal entries.</p> +</li> +<li><p class="first">On the primary KDC, run <code class="docutils literal"><span class="pre">kdb5_util</span> <span class="pre">purge_mkeys</span></code> to clean up the old master key.</p> </li> </ol> @@ -1103,413 +325,111 @@ old master key.</p> </div> <div class="section" id="operations-on-the-ldap-database"> <span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#operations-on-the-ldap-database" title="Permalink to this headline">¶</a></h2> -<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> is the primary tool for administrating -the Kerberos LDAP database. It allows an administrator to manage -realms, Kerberos services (KDC and Admin Server) and ticket policies.</p> -<p><strong>kdb5_ldap_util</strong> -[<strong>-D</strong> <em>user_dn</em> [<strong>-w</strong> <em>passwd</em>]] -[<strong>-H</strong> <em>ldapuri</em>] -<strong>command</strong> -[<em>command_options</em>]</p> -<p><strong>OPTIONS</strong></p> -<dl class="docutils"> -<dt><strong>-D</strong> <em>user_dn</em></dt> -<dd>Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server.</dd> -<dt><strong>-w</strong> <em>passwd</em></dt> -<dd>Specifies the password of <em>user_dn</em>. This option is not -recommended.</dd> -<dt><strong>-H</strong> <em>ldapuri</em></dt> -<dd>Specifies the URI of the LDAP server. It is recommended to use -<tt class="docutils literal"><span class="pre">ldapi://</span></tt> or <tt class="docutils literal"><span class="pre">ldaps://</span></tt> to connect to the LDAP server.</dd> -</dl> -<div class="section" id="creating-a-kerberos-realm"> -<span id="ldap-create-realm"></span><h3>Creating a Kerberos realm<a class="headerlink" href="#creating-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to create a new realm, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> -<strong>create</strong> command as follows.</p> -<blockquote> -<div><strong>create</strong> -[<strong>-subtrees</strong> <em>subtree_dn_list</em>] -[<strong>-sscope</strong> <em>search_scope</em>] -[<strong>-containerref</strong> <em>container_reference_dn</em>] -[<strong>-k</strong> <em>mkeytype</em>] -[<strong>-kv</strong> <em>mkeyVNO</em>] -[<strong>-m|-P</strong> <em>password</em>|<strong>-sf</strong> <em>stashfilename</em>] -[<strong>-s</strong>] -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>]</div></blockquote> -<p>Creates realm in directory. Options:</p> -<dl class="docutils"> -<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> -<dd>Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (<tt class="docutils literal"><span class="pre">:</span></tt>).</dd> -<dt><strong>-sscope</strong> <em>search_scope</em></dt> -<dd>Specifies the scope for searching the principals under the -subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees).</dd> -<dt><strong>-containerref</strong> <em>container_reference_dn</em></dt> -<dd>Specifies the DN of the container object in which the principals -of a realm will be created. If the container reference is not -configured for a realm, the principals will be created in the -realm container.</dd> -<dt><strong>-k</strong> <em>mkeytype</em></dt> -<dd>Specifies the key type of the master key in the database. The -default is given by the <strong>master_key_type</strong> variable in -<a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> -<dt><strong>-kv</strong> <em>mkeyVNO</em></dt> -<dd>Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.</dd> -<dt><strong>-m</strong></dt> -<dd>Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk.</dd> -<dt><strong>-P</strong> <em>password</em></dt> -<dd>Specifies the master database password. This option is not -recommended.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-sf</strong> <em>stashfilename</em></dt> -<dd>Specifies the stash file of the master database password.</dd> -<dt><strong>-s</strong></dt> -<dd>Specifies that the stash file is to be created.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for -principals in this realm.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of -tickets for principals in this realm.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Initializing database for realm 'ATHENA.MIT.EDU' -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: -Re-enter KDC database master key to verify: +<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref">kdb5_ldap_util</span></a> command is the primary tool for +administrating the Kerberos database when using the LDAP module. +Creating an LDAP Kerberos database is describe in <a class="reference internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with OpenLDAP back-end</span></a>.</p> +<p>To view a list of realms in the LDAP database, use the kdb5_ldap_util +<strong>list</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list +KRBTEST.COM </pre></div> </div> -</div> -<div class="section" id="modifying-a-kerberos-realm"> -<span id="ldap-mod-realm"></span><h3>Modifying a Kerberos realm<a class="headerlink" href="#modifying-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to modify a realm, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> -<strong>modify</strong> command as follows.</p> -<blockquote> -<div><strong>modify</strong> -[<strong>-subtrees</strong> <em>subtree_dn_list</em>] -[<strong>-sscope</strong> <em>search_scope</em>] -[<strong>-containerref</strong> <em>container_reference_dn</em>] -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>]</div></blockquote> -<p>Modifies the attributes of a realm. Options:</p> -<dl class="docutils"> -<dt><strong>-subtrees</strong> <em>subtree_dn_list</em></dt> -<dd>Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (<tt class="docutils literal"><span class="pre">:</span></tt>). This list replaces the existing list.</dd> -<dt><strong>-sscope</strong> <em>search_scope</em></dt> -<dd>Specifies the scope for searching the principals under the -subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees).</dd> -<dt><strong>-containerref</strong> <em>container_reference_dn</em> Specifies the DN of the</dt> -<dd>container object in which the principals of a realm will be -created.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for -principals in this realm.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of -tickets for principals in this realm.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the <strong>add_principal</strong> command in -<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth -r - ATHENA.MIT.EDU -Password for "cn=admin,o=org": -shell% +<p>To modify the attributes of a realm, use the kdb5_ldap_util <strong>modify</strong> +command. For example, to change the default realm’s maximum ticket +life:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify -maxtktlife "10 hours" </pre></div> </div> +<p>To display the attributes of a realm, use the kdb5_ldap_util <strong>view</strong> +command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view + Realm Name: KRBTEST.COM + Maximum Ticket Life: 0 days 00:10:00 +</pre></div> </div> -<div class="section" id="destroying-a-kerberos-realm"> -<h3>Destroying a Kerberos realm<a class="headerlink" href="#destroying-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to destroy a Kerberos realm, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>destroy</strong> command as follows.</p> -<blockquote> -<div><strong>destroy</strong> [<strong>-f</strong>] [<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Destroys an existing realm. Options:</p> -<dl class="docutils"> -<dt><strong>-f</strong></dt> -<dd>If specified, will not prompt the user for confirmation.</dd> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? +<p>To remove a realm from the LDAP database, destroying its contents, use +the kdb5_ldap_util <strong>destroy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy +Deleting KDC database of 'KRBTEST.COM', are you sure? (type 'yes' to confirm)? yes -OK, deleting database of 'ATHENA.MIT.EDU'... -shell% +OK, deleting database of 'KRBTEST.COM'... +** Database of 'KRBTEST.COM' destroyed. </pre></div> </div> -</div> -<div class="section" id="retrieving-information-about-a-kerberos-realm"> -<h3>Retrieving information about a Kerberos realm<a class="headerlink" href="#retrieving-information-about-a-kerberos-realm" title="Permalink to this headline">¶</a></h3> -<p>If you need to display the attributes of a realm, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>view</strong> command as follows.</p> -<blockquote> -<div><strong>view</strong> [<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Displays the attributes of a realm. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -Realm Name: ATHENA.MIT.EDU -Subtree: ou=users,o=org -Subtree: ou=servers,o=org -SearchScope: ONE -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +<div class="section" id="ticket-policy-operations"> +<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3> +<p>Unlike the DB2 and LMDB modules, the LDAP module supports ticket +policy objects, which can be associated with principals to restrict +maximum ticket lifetimes and set mandatory principal flags. Ticket +policy objects are distinct from the password policies described +earlier on this page, and are chiefly managed through kdb5_ldap_util +rather than kadmin. To create a new ticket policy, use the +kdb5_ldap_util <strong>create_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util create_policy -maxrenewlife "2 days" users </pre></div> </div> -</div> -<div class="section" id="listing-available-kerberos-realms"> -<h3>Listing available Kerberos realms<a class="headerlink" href="#listing-available-kerberos-realms" title="Permalink to this headline">¶</a></h3> -<p>If you need to display the list of the realms, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>list</strong> command as follows.</p> -<blockquote> -<div><strong>list</strong></div></blockquote> -<p>Lists the name of realms.</p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu list -Password for "cn=admin,o=org": -ATHENA.MIT.EDU -OPENLDAP.MIT.EDU -MEDIA-LAB.MIT.EDU -shell% +<p>To associate a ticket policy with a principal, use the +<a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>modify_principal</strong> (or <strong>add_principal</strong>) command +with the <strong>-x tktpolicy=</strong><em>policy</em> option:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy=users alice </pre></div> </div> -</div> -<div class="section" id="stashing-service-object-s-password"> -<span id="stash-ldap"></span><h3>Stashing service object’s password<a class="headerlink" href="#stashing-service-object-s-password" title="Permalink to this headline">¶</a></h3> -<p>The <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>stashsrvpw</strong> command allows an -administrator to store the password of service object in a file. The -KDC and Administration server uses this password to authenticate to -the LDAP server.</p> -<blockquote> -<div><strong>stashsrvpw</strong> -[<strong>-f</strong> <em>filename</em>] -<em>name</em></div></blockquote> -<p>Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options:</p> -<dl class="docutils"> -<dt><strong>-f</strong> <em>filename</em></dt> -<dd>Specifies the complete path of the service password file. By -default, <tt class="docutils literal"><span class="pre">/usr/local/var/service_passwd</span></tt> is used.</dd> -<dt><em>name</em></dt> -<dd>Specifies the name of the object whose password is to be stored. -If <a class="reference internal" href="admin_commands/krb5kdc.html#krb5kdc-8"><em>krb5kdc</em></a> or <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> are configured for -simple binding, this should be the distinguished name it will -use as given by the <strong>ldap_kdc_dn</strong> or <strong>ldap_kadmind_dn</strong> -variable in <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>. If the KDC or kadmind is -configured for SASL binding, this should be the authentication -name it will use as given by the <strong>ldap_kdc_sasl_authcid</strong> or -<strong>ldap_kadmind_sasl_authcid</strong> variable.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile - cn=service-kdc,o=org -Password for "cn=service-kdc,o=org": -Re-enter password for "cn=service-kdc,o=org": +<p>To remove a ticket policy reference from a principal, use the same +command with an empty <em>policy</em>:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kadmin.local modprinc -x tktpolicy= alice </pre></div> </div> -</div> -<div class="section" id="ticket-policy-operations"> -<h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink to this headline">¶</a></h3> -<div class="section" id="creating-a-ticket-policy"> -<h4>Creating a Ticket Policy<a class="headerlink" href="#creating-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To create a new ticket policy in directory , use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>create_policy</strong> command. Ticket policy -objects are created under the realm container.</p> -<blockquote> -<div><strong>create_policy</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>] -<em>policy_name</em></div></blockquote> -<p>Creates a ticket policy in the directory. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-maxtktlife</strong> <em>max_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum ticket life for -principals.</dd> -<dt><strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em></dt> -<dd>(<a class="reference internal" href="../basic/date_format.html#getdate"><em>getdate time</em></a> string) Specifies maximum renewable life of -tickets for principals.</dd> -<dt><em>ticket_flags</em></dt> -<dd>Specifies the ticket flags. If this option is not specified, by -default, no restriction will be set by the policy. Allowable -flags are documented in the description of the <strong>add_principal</strong> -command in <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a>.</dd> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" - -maxrenewlife "1 week" -allow_postdated +needchange - -allow_forwardable tktpolicy -Password for "cn=admin,o=org": +<p>To list the existing ticket policy objects, use the kdb5_ldap_util +<strong>list_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util list_policy +users </pre></div> </div> -</div> -<div class="section" id="modifying-a-ticket-policy"> -<h4>Modifying a Ticket Policy<a class="headerlink" href="#modifying-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To modify a ticket policy in directory, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>modify_policy</strong> command.</p> -<blockquote> -<div><strong>modify_policy</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-maxtktlife</strong> <em>max_ticket_life</em>] -[<strong>-maxrenewlife</strong> <em>max_renewable_ticket_life</em>] -[<em>ticket_flags</em>] -<em>policy_name</em></div></blockquote> -<p>Modifies the attributes of a ticket policy. Options are same as for -<strong>create_policy</strong>.</p> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU - -maxtktlife "60 minutes" -maxrenewlife "10 hours" - +allow_postdated -requires_preauth tktpolicy -Password for "cn=admin,o=org": +<p>To modify the attributes of a ticket policy object, use the +kdb5_ldap_util <strong>modify_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util modify_policy -allow_svr +requires_preauth users </pre></div> </div> -</div> -<div class="section" id="retrieving-information-about-a-ticket-policy"> -<h4>Retrieving Information About a Ticket Policy<a class="headerlink" href="#retrieving-information-about-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To display the attributes of a ticket policy, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>view_policy</strong> command.</p> -<blockquote> -<div><strong>view_policy</strong> -[<strong>-r</strong> <em>realm</em>] -<em>policy_name</em></div></blockquote> -<p>Displays the attributes of a ticket policy. Options:</p> -<dl class="docutils"> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view_policy -r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -Ticket policy: tktpolicy -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE +<p>To view the attributes of a ticket policy object, use the +kdb5_ldap_util <strong>view_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util view_policy users + Ticket policy: users + Maximum renewable life: 2 days 00:00:00 + Ticket flags: REQUIRES_PRE_AUTH DISALLOW_SVR </pre></div> </div> -</div> -<div class="section" id="destroying-a-ticket-policy"> -<h4>Destroying a Ticket Policy<a class="headerlink" href="#destroying-a-ticket-policy" title="Permalink to this headline">¶</a></h4> -<p>To destroy an existing ticket policy, use the <a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> -<strong>destroy_policy</strong> command.</p> -<blockquote> -<div><strong>destroy_policy</strong> -[<strong>-r</strong> <em>realm</em>] -[<strong>-force</strong>] -<em>policy_name</em></div></blockquote> -<p>Destroys an existing ticket policy. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -<dt><strong>-force</strong></dt> -<dd>Forces the deletion of the policy object. If not specified, the -user will be prompted for confirmation before deleting the policy.</dd> -<dt><em>policy_name</em></dt> -<dd>Specifies the name of the ticket policy.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - destroy_policy -r ATHENA.MIT.EDU tktpolicy -Password for "cn=admin,o=org": -This will delete the policy object 'tktpolicy', are you sure? +<p>To destroy an ticket policy object, use the kdb5_ldap_util +<strong>destroy_policy</strong> command:</p> +<div class="highlight-default"><div class="highlight"><pre><span></span>$ kdb5_ldap_util destroy_policy users +This will delete the policy object 'users', are you sure? (type 'yes' to confirm)? yes -** policy object 'tktpolicy' deleted. -</pre></div> -</div> -</div> -<div class="section" id="listing-available-ticket-policies"> -<h4>Listing available Ticket Policies<a class="headerlink" href="#listing-available-ticket-policies" title="Permalink to this headline">¶</a></h4> -<p>To list the name of ticket policies in a realm, use the -<a class="reference internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><em>kdb5_ldap_util</em></a> <strong>list_policy</strong> command.</p> -<blockquote> -<div><strong>list_policy</strong> -[<strong>-r</strong> <em>realm</em>]</div></blockquote> -<p>Lists the ticket policies in realm if specified or in the default -realm. Options:</p> -<dl class="docutils"> -<dt><strong>-r</strong> <em>realm</em></dt> -<dd>Specifies the Kerberos realm of the database.</dd> -</dl> -<p>Example:</p> -<div class="highlight-python"><div class="highlight"><pre>kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - list_policy -r ATHENA.MIT.EDU -Password for "cn=admin,o=org": -tktpolicy -tmppolicy -userpolicy +** policy object 'users' deleted. </pre></div> </div> </div> </div> -</div> <div class="section" id="cross-realm-authentication"> <span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-realm-authentication" title="Permalink to this headline">¶</a></h2> <p>In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. In both databases, there must be krbtgt service principals for both realms. For example, if you need to do cross-realm authentication between the realms -<tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> and <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt>, you would need to add the -principals <tt class="docutils literal"><span class="pre">krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU</span></tt> and -<tt class="docutils literal"><span class="pre">krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM</span></tt> to both databases. +<code class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></code> and <code class="docutils literal"><span class="pre">EXAMPLE.COM</span></code>, you would need to add the +principals <code class="docutils literal"><span class="pre">krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU</span></code> and +<code class="docutils literal"><span class="pre">krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM</span></code> to both databases. These principals must all have the same passwords, key version numbers, and encryption types; this may require explicitly setting the key version number with the <strong>-kvno</strong> option.</p> <p>In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators would run the following commands on the KDCs in both realms:</p> -<div class="highlight-python"><div class="highlight"><pre>shell%: kadmin.local -e "aes256-cts:normal" -kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM -Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: -Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: -kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU -Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: -Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: -kadmin: +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">shell</span><span class="o">%</span><span class="p">:</span> <span class="n">kadmin</span><span class="o">.</span><span class="n">local</span> <span class="o">-</span><span class="n">e</span> <span class="s2">"aes256-cts:normal"</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="p">:</span> +<span class="n">kadmin</span><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n">requires_preauth</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> +<span class="n">Enter</span> <span class="n">password</span> <span class="k">for</span> <span class="n">principal</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">EXAMPLE</span><span class="o">.</span><span class="n">COM</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="p">:</span> +<span class="n">kadmin</span><span class="p">:</span> </pre></div> </div> <div class="admonition note"> @@ -1531,17 +451,17 @@ at least 26 characters of random ASCII text.</p> <div class="section" id="changing-the-krbtgt-key"> <span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#changing-the-krbtgt-key" title="Permalink to this headline">¶</a></h2> <p>A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the -principal <tt class="docutils literal"><span class="pre">krbtgt/REALM</span></tt>. The key for this principal is created +principal <code class="docutils literal"><span class="pre">krbtgt/REALM</span></code>. The key for this principal is created when the Kerberos database is initialized and need not be changed. However, it will only have the encryption types supported by the KDC at the time of the initial database creation. To allow use of newer encryption types for the TGT, this key has to be changed.</p> -<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><em>kadmin</em></a> +<p>Changing this key using the normal <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadmin</span></a> <strong>change_password</strong> command would invalidate any previously issued TGTs. Therefore, when changing this key, normally one should use the <strong>-keepold</strong> flag to change_password to retain the previous key in the database as well as the new key. For example:</p> -<div class="highlight-python"><div class="highlight"><pre>kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU +<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">change_password</span> <span class="o">-</span><span class="n">randkey</span> <span class="o">-</span><span class="n">keepold</span> <span class="n">krbtgt</span><span class="o">/</span><span class="n">ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span><span class="nd">@ATHENA</span><span class="o">.</span><span class="n">MIT</span><span class="o">.</span><span class="n">EDU</span> </pre></div> </div> <div class="admonition warning"> @@ -1557,14 +477,14 @@ tickets issued with the old keys have expired.</p> ticket-granting tickets. However, the set of encryption types present in the krbtgt keys is used by default to determine the session key types supported by the krbtgt service (see -<a class="reference internal" href="enctypes.html#session-key-selection"><em>Session key selection</em></a>). Because non-MIT Kerberos clients +<a class="reference internal" href="enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</span></a>). Because non-MIT Kerberos clients sometimes send a limited set of encryption types when making AS -requests, it can be important to for the krbtgt service to support +requests, it can be important for the krbtgt service to support multiple encryption types. This can be accomplished by giving the krbtgt principal multiple keys, which is usually as simple as not specifying any <strong>-e</strong> option when changing the krbtgt key, or by setting the <strong>session_enctypes</strong> string attribute on the krbtgt -principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><em>set_string</em></a>).</p> +principal (see <a class="reference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">set_string</span></a>).</p> <p>Due to a bug in releases 1.8 through 1.13, renewed and forwarded tickets may not work if the original ticket was obtained prior to a krbtgt key change and the modified ticket is obtained afterwards. @@ -1576,23 +496,17 @@ Upgrading the KDC to release 1.14 or later will correct this bug.</p> <h3>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h3> <p>At some very large sites, dumping and transmitting the database can take more time than is desirable for changes to propagate from the -master KDC to the slave KDCs. The incremental propagation support +primary KDC to the replica KDCs. The incremental propagation support added in the 1.7 release is intended to address this.</p> -<p>With incremental propagation enabled, all programs on the master KDC +<p>With incremental propagation enabled, all programs on the primary KDC that change the database also write information about the changes to -an “update log” file, maintained as a circular buffer of a certain -size. A process on each slave KDC connects to a service on the master -KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> server) and +an “update log” file, maintained as a circular buffer of a certain +size. A process on each replica KDC connects to a service on the +primary KDC (currently implemented in the <a class="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadmind</span></a> server) and periodically requests the changes that have been made since the last -check. By default, this check is done every two minutes. If the -database has just been modified in the previous several seconds -(currently the threshold is hard-coded at 10 seconds), the slave will -not retrieve updates, but instead will pause and try again soon after. -This reduces the likelihood that incremental update queries will cause -delays for an administrator trying to make a bunch of changes to the -database at the same time.</p> +check. By default, this check is done every two minutes.</p> <p>Incremental propagation uses the following entries in the per-realm -data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>):</p> +data in the KDC config file (See <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>):</p> <table border="1" class="docutils"> <colgroup> <col width="4%" /> @@ -1608,60 +522,61 @@ data in the KDC config file (See <a class="reference internal" href="conf_files/ <td><em>integer</em></td> <td>Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.</td> </tr> -<tr class="row-odd"><td>iprop_slave_poll</td> +<tr class="row-odd"><td>iprop_replica_poll</td> <td><em>time interval</em></td> -<td>Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes.</td> +<td>Indicates how often the replica should poll the primary KDC for changes to the database. The default is two minutes.</td> </tr> <tr class="row-even"><td>iprop_port</td> <td><em>integer</em></td> -<td>Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files.</td> +<td>Specifies the port number to be used for incremental propagation. This is required in both primary and replica configuration files.</td> </tr> <tr class="row-odd"><td>iprop_resync_timeout</td> <td><em>integer</em></td> -<td>Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes).</td> +<td>Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes).</td> </tr> <tr class="row-even"><td>iprop_logfile</td> <td><em>file name</em></td> -<td>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, with <em>.ulog</em> appended. (NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</td> +<td>Specifies where the update log file for the realm database is to be stored. The default is to use the <em>database_name</em> entry from the realms section of the config file <a class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kdc.conf</span></a>, with <em>.ulog</em> appended. (NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the <em>dbmodules</em> section, then the hard-coded default for <em>database_name</em> is used. Determination of the <em>iprop_logfile</em> default value will not use values from the <em>dbmodules</em> section.)</td> </tr> </tbody> </table> -<p>Both master and slave sides must have a principal named -<tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> (where <em>hostname</em> is the lowercase, +<p>Both primary and replica sides must have a principal named +<code class="docutils literal"><span class="pre">kiprop/hostname</span></code> (where <em>hostname</em> is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the -default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><em>DEFKTNAME</em></a>). In release 1.13, the -<tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> principal is created automatically for the master -KDC, but it must still be created for slave KDCs.</p> -<p>On the master KDC side, the <tt class="docutils literal"><span class="pre">kiprop/hostname</span></tt> principal must be -listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><em>kadm5.acl</em></a>, and given the -<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><em>Privileges</em></a>).</p> -<p>On the slave KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><em>kpropd</em></a> should be run. When +default keytab file (<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span></a>). The <code class="docutils literal"><span class="pre">kiprop/hostname</span></code> principal may +have been created automatically for the primary KDC, but it must +always be created for replica KDCs.</p> +<p>On the primary KDC side, the <code class="docutils literal"><span class="pre">kiprop/hostname</span></code> principal must be +listed in the kadmind ACL file <a class="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">kadm5.acl</span></a>, and given the +<strong>p</strong> privilege (see <a class="reference internal" href="#privileges"><span class="std std-ref">Privileges</span></a>).</p> +<p>On the replica KDC side, <a class="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpropd</span></a> should be run. When incremental propagation is enabled, it will connect to the kadmind on -the master KDC and start requesting updates.</p> +the primary KDC and start requesting updates.</p> <p>The normal kprop mechanism is disabled by the incremental propagation -support. However, if the slave has been unable to fetch changes from -the master KDC for too long (network problems, perhaps), the log on -the master may wrap around and overwrite some of the updates that the -slave has not yet retrieved. In this case, the slave will instruct -the master KDC to dump the current database out to a file and invoke a -one-time kprop propagation, with special options to also convey the -point in the update log at which the slave should resume fetching -incremental updates. Thus, all the keytab and ACL setup previously -described for kprop propagation is still needed.</p> -<p>If an environment has a large number of slaves, it may be desirable to -arrange them in a hierarchy instead of having the master serve updates -to every slave. To do this, run <tt class="docutils literal"><span class="pre">kadmind</span> <span class="pre">-proponly</span></tt> on each -intermediate slave, and <tt class="docutils literal"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></tt> on downstream -slaves to direct each one to the appropriate upstream slave.</p> +support. However, if the replica has been unable to fetch changes +from the primary KDC for too long (network problems, perhaps), the log +on the primary may wrap around and overwrite some of the updates that +the replica has not yet retrieved. In this case, the replica will +instruct the primary KDC to dump the current database out to a file +and invoke a one-time kprop propagation, with special options to also +convey the point in the update log at which the replica should resume +fetching incremental updates. Thus, all the keytab and ACL setup +previously described for kprop propagation is still needed.</p> +<p>If an environment has a large number of replicas, it may be desirable +to arrange them in a hierarchy instead of having the primary serve +updates to every replica. To do this, run <code class="docutils literal"><span class="pre">kadmind</span> <span class="pre">-proponly</span></code> on +each intermediate replica, and <code class="docutils literal"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class="pre">upstreamhostname</span></code> on +downstream replicas to direct each one to the appropriate upstream +replica.</p> <p>There are several known restrictions in the current implementation:</p> <ul class="simple"> <li>The incremental update protocol does not transport changes to policy -objects. Any policy changes on the master will result in full -resyncs to all slaves.</li> -<li>The slave’s KDB module must support locking; it cannot be using the +objects. Any policy changes on the primary will result in full +resyncs to all replicas.</li> +<li>The replica’s KDB module must support locking; it cannot be using the LDAP KDB module.</li> -<li>The master and slave must be able to initiate TCP connections in +<li>The primary and replica must be able to initiate TCP connections in both directions, without an intervening NAT.</li> </ul> </div> @@ -1670,22 +585,22 @@ both directions, without an intervening NAT.</li> <p>Sun donated the original code for supporting incremental database propagation to MIT. Some changes have been made in the MIT source tree that will be visible to administrators. (These notes are based -on Sun’s patches. Changes to Sun’s implementation since then may not +on Sun’s patches. Changes to Sun’s implementation since then may not be reflected here.)</p> -<p>The Sun config file support looks for <tt class="docutils literal"><span class="pre">sunw_dbprop_enable</span></tt>, -<tt class="docutils literal"><span class="pre">sunw_dbprop_master_ulogsize</span></tt>, and <tt class="docutils literal"><span class="pre">sunw_dbprop_slave_poll</span></tt>.</p> +<p>The Sun config file support looks for <code class="docutils literal"><span class="pre">sunw_dbprop_enable</span></code>, +<code class="docutils literal"><span class="pre">sunw_dbprop_master_ulogsize</span></code>, and <code class="docutils literal"><span class="pre">sunw_dbprop_slave_poll</span></code>.</p> <p>The incremental propagation service is implemented as an ONC RPC service. In the Sun implementation, the service is registered with rpcbind (also known as portmapper) and the client looks up the port number to contact. In the MIT implementation, where interaction with -some modern versions of rpcbind doesn’t always work well, the port -number must be specified in the config file on both the master and -slave sides.</p> -<p>The Sun implementation hard-codes pathnames in <tt class="docutils literal"><span class="pre">/var/krb5</span></tt> for the -update log and the per-slave kprop dump files. In the MIT +some modern versions of rpcbind doesn’t always work well, the port +number must be specified in the config file on both the primary and +replica sides.</p> +<p>The Sun implementation hard-codes pathnames in <code class="docutils literal"><span class="pre">/var/krb5</span></code> for the +update log and the per-replica kprop dump files. In the MIT implementation, the pathname for the update log is specified in the -config file, and the per-slave dump files are stored in -<a class="reference internal" href="../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/slave_datatrans_hostname</span></tt>.</p> +config file, and the per-replica dump files are stored in +<a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTATEDIR</span></a><code class="docutils literal"><span class="pre">/krb5kdc</span></code><code class="docutils literal"><span class="pre">/replica_datatrans_hostname</span></code>.</p> </div> </div> </div> @@ -1699,71 +614,19 @@ config file, and the per-slave dump files are stored in <h2>On this page</h2> <ul> <li><a class="reference internal" href="#">Database administration</a><ul> -<li><a class="reference internal" href="#kadmin-options">kadmin options</a></li> -<li><a class="reference internal" href="#date-format">Date Format</a></li> -<li><a class="reference internal" href="#principals">Principals</a><ul> -<li><a class="reference internal" href="#adding-modifying-and-deleting-principals">Adding, modifying and deleting principals</a></li> -<li><a class="reference internal" href="#add-principal">add_principal</a></li> -<li><a class="reference internal" href="#modify-principal">modify_principal</a></li> -<li><a class="reference internal" href="#delete-principal">delete_principal</a><ul> -<li><a class="reference internal" href="#examples">Examples</a></li> -</ul> -</li> -<li><a class="reference internal" href="#retrieving-information-about-a-principal">Retrieving information about a principal</a></li> -<li><a class="reference internal" href="#get-principal">get_principal</a></li> -<li><a class="reference internal" href="#list-principals">list_principals</a></li> -<li><a class="reference internal" href="#changing-passwords">Changing passwords</a></li> -<li><a class="reference internal" href="#change-password">change_password</a></li> -</ul> -</li> +<li><a class="reference internal" href="#principals">Principals</a></li> <li><a class="reference internal" href="#policies">Policies</a><ul> -<li><a class="reference internal" href="#adding-modifying-and-deleting-policies">Adding, modifying and deleting policies</a></li> -<li><a class="reference internal" href="#add-policy">add_policy</a></li> -<li><a class="reference internal" href="#modify-policy">modify_policy</a></li> -<li><a class="reference internal" href="#delete-policy">delete_policy</a></li> -<li><a class="reference internal" href="#retrieving-policies">Retrieving policies</a></li> -<li><a class="reference internal" href="#get-policy">get_policy</a></li> -<li><a class="reference internal" href="#list-policies">list_policies</a></li> -<li><a class="reference internal" href="#policies-and-principals">Policies and principals</a></li> <li><a class="reference internal" href="#updating-the-history-key">Updating the history key</a></li> </ul> </li> <li><a class="reference internal" href="#privileges">Privileges</a></li> <li><a class="reference internal" href="#operations-on-the-kerberos-database">Operations on the Kerberos database</a><ul> -<li><a class="reference internal" href="#dumping-a-kerberos-database-to-a-file">Dumping a Kerberos database to a file</a><ul> -<li><a class="reference internal" href="#id3">Examples</a></li> -</ul> -</li> -<li><a class="reference internal" href="#restoring-a-kerberos-database-from-a-dump-file">Restoring a Kerberos database from a dump file</a><ul> -<li><a class="reference internal" href="#id4">Examples</a></li> -</ul> -</li> -<li><a class="reference internal" href="#creating-a-stash-file">Creating a stash file</a><ul> -<li><a class="reference internal" href="#example">Example</a></li> -</ul> -</li> -<li><a class="reference internal" href="#creating-and-destroying-a-kerberos-database">Creating and destroying a Kerberos database</a><ul> -<li><a class="reference internal" href="#id5">Examples</a></li> -</ul> -</li> +<li><a class="reference internal" href="#dumping-and-loading-a-kerberos-database">Dumping and loading a Kerberos database</a></li> <li><a class="reference internal" href="#updating-the-master-key">Updating the master key</a></li> </ul> </li> <li><a class="reference internal" href="#operations-on-the-ldap-database">Operations on the LDAP database</a><ul> -<li><a class="reference internal" href="#creating-a-kerberos-realm">Creating a Kerberos realm</a></li> -<li><a class="reference internal" href="#modifying-a-kerberos-realm">Modifying a Kerberos realm</a></li> -<li><a class="reference internal" href="#destroying-a-kerberos-realm">Destroying a Kerberos realm</a></li> -<li><a class="reference internal" href="#retrieving-information-about-a-kerberos-realm">Retrieving information about a Kerberos realm</a></li> -<li><a class="reference internal" href="#listing-available-kerberos-realms">Listing available Kerberos realms</a></li> -<li><a class="reference internal" href="#stashing-service-object-s-password">Stashing service object’s password</a></li> -<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a><ul> -<li><a class="reference internal" href="#creating-a-ticket-policy">Creating a Ticket Policy</a></li> -<li><a class="reference internal" href="#modifying-a-ticket-policy">Modifying a Ticket Policy</a></li> -<li><a class="reference internal" href="#retrieving-information-about-a-ticket-policy">Retrieving Information About a Ticket Policy</a></li> -<li><a class="reference internal" href="#destroying-a-ticket-policy">Destroying a Ticket Policy</a></li> -<li><a class="reference internal" href="#listing-available-ticket-policies">Listing available Ticket Policies</a></li> -</ul> -</li> +<li><a class="reference internal" href="#ticket-policy-operations">Ticket Policy operations</a></li> </ul> </li> <li><a class="reference internal" href="#cross-realm-authentication">Cross-realm authentication</a></li> @@ -1785,9 +648,8 @@ config file, and the per-slave dump files are stored in <li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li> <li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li> -<li class="toctree-l2 current"><a class="current reference internal" href="">Database administration</a><ul class="simple"> -</ul> -</li> +<li class="toctree-l2 current"><a class="current reference internal" href="#">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li> <li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li> @@ -1795,6 +657,8 @@ config file, and the per-slave dump files are stored in <li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li> <li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li> @@ -1834,8 +698,8 @@ config file, and the per-slave dump files are stored in <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.16</i><br /> - © <a href="../copyright.html">Copyright</a> 1985-2017, MIT. + <div class="right" ><i>Release: 1.21.1</i><br /> + © <a href="../copyright.html">Copyright</a> 1985-2023, MIT. </div> <div class="left"> @@ -1843,7 +707,7 @@ config file, and the per-slave dump files are stored in >Contents</a> | <a href="realm_config.html" title="Realm configuration decisions" >previous</a> | - <a href="lockout.html" title="Account lockout" + <a href="dbtypes.html" title="Database types" >next</a> | <a href="../genindex.html" title="General Index" >index</a> | |