3 @node Setting up a realm, Applications, Building and Installing, Top
5 @chapter Setting up a realm
9 realm is an administrative domain. The name of a Kerberos realm is
10 usually the Internet domain name in uppercase. Call your realm the same
11 as your Internet domain name if you do not have strong reasons for not
12 doing so. It will make life easier for you and everyone else.
15 * Configuration file::
16 * Creating the database::
17 * Modifying the database::
18 * Checking the setup::
20 * Serving Kerberos 4/524/kaserver::
21 * Remote administration::
23 * Testing clients and servers::
25 * Incremental propagation::
26 * Encryption types and salting::
27 * Credential cache server - KCM::
31 * Using LDAP to store the database::
32 * Providing Kerberos credentials to servers and programs::
33 * Setting up PK-INIT::
34 * Debugging Kerberos problems::
37 @node Configuration file, Creating the database, Setting up a realm, Setting up a realm
38 @section Configuration file
40 To setup a realm you will first have to create a configuration file:
41 @file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
42 configuration options, some of which are described here.
44 There is a sample @file{krb5.conf} supplied with the distribution.
46 The configuration file is a hierarchical structure consisting of
47 sections, each containing a list of bindings (either variable
48 assignments or subsections). A section starts with
49 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
50 (@samp{=}) and a right hand side (the left hand side tag must be
51 separated from the equal sign with some whitespace). Subsections have a
52 @samp{@{} as the first non-whitespace character after the equal sign. All
53 other bindings are treated as variable assignments. The value of a
54 variable extends to the end of the line.
60 other-var = value with @{@}
65 var = some other value
67 var = yet another value
70 In this manual, names of sections and bindings will be given as strings
71 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
72 be @samp{section1/a-subsection/other-var}.
74 For in-depth information about the contents of the configuration file, refer to
75 the @file{krb5.conf} manual page. Some of the more important sections
76 are briefly described here.
78 The @samp{libdefaults} section contains a list of library configuration
79 parameters, such as the default realm and the timeout for KDC
80 responses. The @samp{realms} section contains information about specific
81 realms, such as where they hide their KDC@. This section serves the same
82 purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
83 information. Finally the @samp{domain_realm} section contains a list of
84 mappings from domains to realms, equivalent to the Kerberos 4
85 @file{krb.realms} file.
87 To continue with the realm setup, you will have to create a configuration file,
88 with contents similar to the following.
92 default_realm = MY.REALM
95 kdc = my.kdc my.slave.kdc
98 kdc = [2001:6b0:1:ea::100]:88
101 .my.domain = MY.REALM
105 If you use a realm name equal to your domain name, you can omit the
106 @samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS
107 SRV-record for your realm, or your Kerberos server has DNS CNAME
108 @samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
110 @node Creating the database, Modifying the database, Configuration file, Setting up a realm
111 @section Creating the database
113 The database library will look for the database in the directory
114 @file{@value{dbdir}}, so you should probably create that directory.
115 Make sure the directory has restrictive permissions.
121 The keys of all the principals are stored in the database. If you
122 choose to, these can be encrypted with a master key. You do not have to
123 remember this key (or password), but just to enter it once and it will
124 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
125 master key, run @samp{kstash} to create this master key:
130 Verifying password - Master key:
133 If you want to generate a random master key you can use the
134 @kbd{--random-key} flag to kstash. This will make sure you have a good key
135 on which attackers can't do a dictionary attack.
137 If you have a master key, make sure you make a backup of your master
138 key file; without it backups of the database are of no use.
140 To initialise the database use the @command{kadmin} program, with the
141 @kbd{-l} option (to enable local database mode). First issue a
142 @kbd{init MY.REALM} command. This will create the database and insert
143 default principals for that realm. You can have more than one realm in
144 one database, so @samp{init} does not destroy any old database.
146 Before creating the database, @samp{init} will ask you some questions
147 about maximum ticket lifetimes.
149 After creating the database you should probably add yourself to it. You
150 do this with the @samp{add} command. It takes as argument the name of a
151 principal. The principal should contain a realm, so if you haven't set up
152 a default realm, you will need to explicitly include the realm.
156 kadmin> init MY.REALM
157 Realm max ticket life [unlimited]:
158 Realm max renewable ticket life [unlimited]:
160 Max ticket life [unlimited]:
161 Max renewable life [unlimited]:
164 Verifying password - Password:
167 Now start the KDC and try getting a ticket.
172 me@@MY.REALMS's Password:
174 Credentials cache: /tmp/krb5cc_0
175 Principal: me@@MY.REALM
177 Issued Expires Principal
178 Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM
181 If you are curious you can use the @samp{dump} command to list all the
182 entries in the database. It should look something similar to the
183 following example (note that the entries here are truncated for
184 typographical reasons):
188 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
189 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
190 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
191 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
194 @node Modifying the database, Checking the setup, Creating the database, Setting up a realm
195 @section Modifying the database
197 All modifications of principals are done with with kadmin.
199 A principal has several attributes and lifetimes associated with it.
201 Principals are added, renamed, modified, and deleted with the kadmin
202 commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}.
203 Both interactive editing and command line flags can be used (use --help
204 to list the available options).
206 There are different kinds of types for the fields in the database;
207 attributes, absolute time times and relative times.
209 @subsection Attributes
211 When doing interactive editing, attributes are listed with @samp{?}.
213 The attributes are given in a comma (@samp{,}) separated list.
214 Attributes are removed from the list by prefixing them with @samp{-}.
218 Max ticket life [1 day]:
219 Max renewable life [1 week]:
220 Principal expiration time [never]:
221 Password expiration time [never]:
222 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
224 Principal: me@@MY.REALM
226 Attributes: requires-pre-auth
229 @subsection Absolute times
231 The format for absolute times are any of the following:
241 @subsection Relative times
243 The format for relative times are any of the following combined:
254 @c Describe more of kadmin commands here...
256 @node Checking the setup, keytabs, Modifying the database, Setting up a realm
257 @section Checking the setup
259 There are two tools that can check the consistency of the Kerberos
260 configuration file and the Kerberos database.
262 The Kerberos configuration file is checked using
263 @command{verify_krb5_conf}. The tool checks for common errors, but
264 commonly there are several uncommon configuration entries that are
265 never added to the tool and thus generates ``unknown entry'' warnings.
266 This is usually nothing to worry about.
268 The database check is built into the kadmin tool. It will check for
269 common configuration error that will cause problems later. Common
270 check are for existence and flags on important principals. The
271 database check by run by the following command :
274 kadmin -l check REALM.EXAMPLE.ORG
277 @node keytabs, Serving Kerberos 4/524/kaserver, Checking the setup, Setting up a realm
280 To extract a service ticket from the database and put it in a keytab, you
281 need to first create the principal in the database with @samp{add}
282 (using the @kbd{--random-key} flag to get a random key) and then
283 extract it with @samp{ext_keytab}.
286 kadmin> add --random-key host/my.host.name
287 Max ticket life [unlimited]:
288 Max renewable life [unlimited]:
290 kadmin> ext host/my.host.name
293 Version Type Principal
294 1 des-cbc-md5 host/my.host.name@@MY.REALM
295 1 des-cbc-md4 host/my.host.name@@MY.REALM
296 1 des-cbc-crc host/my.host.name@@MY.REALM
297 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
300 @node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm
301 @section Serving Kerberos 4/524/kaserver
303 Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
304 these services are turned off by default. Kerberos 4 is always
305 supported by the KDC, but the Kerberos 4 client support also depends
306 on Kerberos 4 support having been included at compile-time, using
307 @kbd{--with-krb4=dir}.
311 524 is a service that allows the KDC to convert Kerberos 5 tickets to
312 Kerberos 4 tickets for backward compatibility. See also Using 2b
313 tokens with AFS in @xref{AFS}.
315 524 can be turned on by adding this to the configuration file
322 @subsection Kerberos 4
324 Kerberos 4 is the predecessor to to Kerberos 5. It only supports
325 single DES@. You should only enable Kerberos 4 support if you have
326 needs for compatibility with an installed base of Kerberos 4
329 Kerberos 4 can be turned on by adding this to the configuration file
333 enable-kerberos4 = yes
338 Kaserver is a Kerberos 4 that is used in AFS@. The protocol has some
339 extra features over plain Kerberos 4, but like Kerberos 4, only uses
342 You should only enable Kaserver support if you have needs for
343 compatibility with an installed base of AFS machines.
345 Kaserver can be turned on by adding this to the configuration file
349 enable-kaserver = yes
352 @node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
353 @section Remote administration
355 The administration server, @command{kadmind}, can be started by
356 @command{inetd} (which isn't recommended) or run as a normal daemon. If you
357 want to start it from @command{inetd} you should add a line similar to the
358 one below to your @file{/etc/inetd.conf}.
361 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
364 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
367 Access to the administration server is controlled by an ACL file,
368 (default @file{/var/heimdal/kadmind.acl}.) The file has the following
371 principal [priv1,priv2,...] [glob-pattern]
374 The matching is from top to bottom for matching principals (and if given,
375 glob-pattern). When there is a match, the access rights of that line are
378 The privileges you can assign to a principal are: @samp{add},
379 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
380 @samp{get}, @samp{list}, and @samp{modify}, or the special privilege
381 @samp{all}. All of these roughly correspond to the different commands
384 If a @var{glob-pattern} is given on a line, it restricts the access
385 rights for the principal to only apply for subjects that match the
386 pattern. The patterns are of the same type as those used in shell
387 globbing, see @url{none,,fnmatch(3)}.
389 In the example below @samp{lha/admin} can change every principal in the
390 database. @samp{jimmy/admin} can only modify principals that belong to
391 the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
392 help desk, so he should only be able to change the passwords for single
393 component principals (ordinary users). He will not be able to change any
394 @samp{/admin} principal.
397 lha/admin@@E.KTH.SE all
398 jimmy/admin@@E.KTH.SE all *@@E.KTH.SE
399 jimmy/admin@@E.KTH.SE all */*@@E.KTH.SE
400 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
403 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
404 @section Password changing
406 To allow users to change their passwords, you should run @command{kpasswdd}.
407 It is not run from @command{inetd}.
409 You might need to add @samp{kpasswd} to your @file{/etc/services} as
410 @samp{464/udp}. If your realm is not setup to use DNS, you might also
411 need to add a @samp{kpasswd_server} entry to the realm configuration
412 in @file{/etc/krb5.conf} on client machines:
417 kdc = my.kdc my.slave.kdc
418 kpasswd_server = my.kdc
422 @subsection Password quality assurance
424 It is important that users have good passwords, both to make it harder
425 to guess them and to avoid off-line attacks (although
426 pre-authentication provides some defence against off-line attacks).
427 To ensure that the users choose good passwords, you can enable
428 password quality controls in @command{kpasswdd} and @command{kadmind}.
429 The controls themselves are done in a shared library or an external
430 program that is used by @command{kpasswdd}. To configure in these
431 controls, add lines similar to the following to your
432 @file{/etc/krb5.conf}:
436 policies = external-check builtin:minimum-length modulename:policyname
437 external_program = /bin/false
438 policy_libraries = @var{library1.so} @var{library2.so}
441 In @samp{[password_quality]policies} the module name is optional if
442 the policy name is unique in all modules (members of
443 @samp{policy_libraries}). All built-in policies can be qualified with
444 a module name of @samp{builtin} to unambiguously specify the built-in
445 policy and not a policy by the same name from a loaded module.
447 The built-in policies are
453 Executes the program specified by @samp{[password_quality]external_program}.
455 A number of key/value pairs are passed as input to the program, one per
456 line, ending with the string @samp{end}. The key/value lines are of
459 principal: @var{principal}
460 new-password: @var{password}
462 where @var{password} is the password to check for the previous
465 If the external application approves the password, it should return
466 @samp{APPROVED} on standard out and exit with exit code 0. If it
467 doesn't approve the password, an one line error message explaining the
468 problem should be returned on standard error and the application
469 should exit with exit code 0. In case of a fatal error, the
470 application should, if possible, print an error message on standard
471 error and exit with a non-zero error code.
475 The minimum length password quality check reads the configuration file
476 stanza @samp{[password_quality]min_length} and requires the password
477 to be at least this length.
479 @item character-class
481 The character-class password quality check reads the configuration
482 file stanza @samp{[password_quality]min_classes}. The policy requires
483 the password to have characters from at least that many character
484 classes. Default value if not given is 3.
486 The four different characters classes are, uppercase, lowercase,
487 number, special characters.
491 If you want to write your own shared object to check password
492 policies, see the manual page @manpage{kadm5_pwcheck,3}.
494 Code for a password quality checking function that uses the cracklib
495 library can be found in @file{lib/kadm5/sample_password_check.c} in
496 the source code distribution. It requires that the cracklib library
497 be built with the patch available at
498 @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
500 A sample policy external program is included in
501 @file{lib/kadm5/check-cracklib.pl}.
503 If no password quality checking function is configured, the only check
504 performed is that the password is at least six characters long.
506 To check the password policy settings, use the command
507 @command{verify-password-quality} in @command{kadmin} program. The password
508 verification is only performed locally, on the client. It may be
509 convenient to set the environment variable @samp{KRB5_CONFIG} to point
510 to a test version of @file{krb5.conf} while you're testing the
511 @samp{[password_quality]} stanza that way.
513 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
514 @section Testing clients and servers
516 Now you should be able to run all the clients and servers. Refer to the
517 appropriate man pages for information on how to use them.
519 @node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
520 @section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
522 It is desirable to have at least one backup (slave) server in case the
523 master server fails. It is possible to have any number of such slave
524 servers but more than three usually doesn't buy much more redundancy.
526 All Kerberos servers for a realm must have the same database so that
527 they present the same service to the users. The
529 @command{hprop} program, running on the master, will propagate the database
530 to the slaves, running
532 @command{hpropd} processes.
534 Every slave needs a database directory, the master key (if it was used
535 for the database) and a keytab with the principal
536 @samp{hprop/@var{hostname}}. Add the principal with the
538 @command{ktutil} command and start
540 @command{hpropd}, as follows:
543 slave# ktutil get -p foo/admin hprop/`hostname`
544 slave# mkdir /var/heimdal
548 The master will use the principal @samp{kadmin/hprop} to authenticate to
549 the slaves. This principal should be added when running @kbd{kadmin -l
550 init} but if you do not have it in your database for whatever reason,
551 please add it with @kbd{kadmin -l add}.
555 @code{hprop} on the master:
561 This was just an hands-on example to make sure that everything was
562 working properly. Doing it manually is of course the wrong way, and to
563 automate this you will want to start
565 @command{hpropd} from @command{inetd} on the slave(s) and regularly run
567 @command{hprop} on the master to regularly propagate the database.
568 Starting the propagation once an hour from @command{cron} is probably a
571 @node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
572 @section Incremental propagation
574 There is also a newer mechanism for
575 doing incremental propagation in Heimdal. Instead of sending the whole
576 database regularly, it sends the changes as they happen on the master to
577 the slaves. The master keeps track of all the changes by assigning a
578 version number to every change to the database. The slaves know which
579 was the latest version they saw and in this way it can be determined if
580 they are in sync or not. A log of all the changes is kept on the master,
581 and when a slave is at an older version than the oldest one in the
582 log, the whole database has to be sent.
584 Protocol-wise, all the slaves connect to the master and as a greeting
585 tell it the latest version that they have (@samp{IHAVE} message). The
586 master then responds by sending all the changes between that version and
587 the current version at the master (a series of @samp{FORYOU} messages)
588 or the whole database in a @samp{TELLYOUEVERYTHING} message. There is
589 also a keep-alive protocol that makes sure all slaves are up and running.
591 In addition on listening on the network to get connection from new
592 slaves, the ipropd-master also listens on a status unix
593 socket. kadmind and kpasswdd both open that socket when a transation
594 is done and written a notification to the socket. That cause
595 ipropd-master to check for new version in the log file. As a fallback in
596 case a notification is lost by the unix socket, the log file is
597 checked after 30 seconds of no event.
599 @subsection Configuring incremental propagation
601 The program that runs on the master is @command{ipropd-master} and all
602 clients run @command{ipropd-slave}.
604 Create the file @file{/var/heimdal/slaves} on the master containing all
605 the slaves that the database should be propagated to. Each line contains
606 the full name of the principal (for example
607 @samp{iprop/hemligare.foo.se@@FOO.SE}).
609 You should already have @samp{iprop/tcp} defined as 2121, in your
610 @file{/etc/services}. Otherwise, or if you need to use a different port
611 for some peculiar reason, you can use the @kbd{--port} option. This is
612 useful when you have multiple realms to distribute from one server.
614 Then you need to create those principals that you added in the
615 configuration file. Create one @samp{iprop/hostname} for the master and
620 master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
624 slave# /usr/heimdal/sbin/ktutil get iprop/`hostname`
628 The next step is to start the @command{ipropd-master} process on the master
629 server. The @command{ipropd-master} listens on the UNIX domain socket
630 @file{/var/heimdal/signal} to know when changes have been made to the
631 database so they can be propagated to the slaves. There is also a
632 safety feature of testing the version number regularly (every 30
633 seconds) to see if it has been modified by some means that do not raise
634 this signal. Then, start @command{ipropd-slave} on all the slaves:
637 master# /usr/heimdal/libexec/ipropd-master &
638 slave# /usr/heimdal/libexec/ipropd-slave master &
641 To manage the iprop log file you should use the @command{iprop-log}
642 command. With it you can dump, truncate and replay the logfile.
644 @node Encryption types and salting, Credential cache server - KCM, Incremental propagation, Setting up a realm
645 @section Encryption types and salting
647 @cindex Encryption types
649 The encryption types that the KDC is going to assign by default is
650 possible to change. Since the keys used for user authentication is
651 salted the encryption types are described together with the salt
654 Salting is used to make it harder to pre-calculate all possible
655 keys. Using a salt increases the search space to make it almost
656 impossible to pre-calculate all keys. Salting is the process of mixing a
657 public string (the salt) with the password, then sending it through an
658 encryption type specific string-to-key function that will output the
659 fixed size encryption key.
661 In Kerberos 5 the salt is determined by the encryption type, except in
664 In @code{des} there is the Kerberos 4 salt
665 (none at all) or the afs-salt (using the cell (realm in
668 In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
669 there is no salt. This is to be compatible with NTLM keys in Windows
672 @code{[kadmin]default_keys} in @file{krb5.conf} controls
675 The syntax of @code{[kadmin]default_keys} is
676 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
677 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
678 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
679 salt-string is the string that will be used as salt (remember that if
680 the salt is appended/prepended, the empty salt "" is the same thing as
683 Common types of salting include
686 @item @code{v4} (or @code{des:pw-salt:})
688 The Kerberos 4 salting is using no salt at all. Reason there is colon
689 at the end of the salt string is that it makes the salt the empty
690 string (same as no salt).
692 @item @code{v5} (or @code{pw-salt})
694 @code{pw-salt} uses the default salt for each encryption type is
695 specified for. If the encryption type @samp{etype} isn't given, all
696 default encryption will be used.
698 @item @code{afs3-salt}
700 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
701 the cell name appended to the password.
705 @node Credential cache server - KCM, Cross realm, Encryption types and salting, Setting up a realm
706 @section Credential cache server - KCM
708 @cindex Credential cache server
710 When KCM running is easy for users to switch between different
711 kerberos principals using @file{kswitch} or built in support in
712 application, like OpenSSH's GSSAPIClientIdentity.
714 Other advantages are that there is the long term credentials are not
715 written to disk and on reboot the credential is removed when kcm
716 process stopps running.
718 Configure the system startup script to start the kcm process,
719 @file{/usr/heimdal/libexec/kcm} and then configure the system to use kcm in @file{krb5.conf}.
723 default_cc_type = KCM
726 Now when you run @command{kinit} it doesn't overwrite your existing
727 credentials but rather just add them to the set of
728 credentials. @command{klist -l} lists the credentials and the star
729 marks the default credential.
733 lha@@KTH.SE's Password:
735 Name Cache name Expires
736 lha@@KTH.SE 0 Nov 22 23:09:40 *
737 lha@@SU.SE Initial default ccache Nov 22 14:14:24
740 When switching between credentials you can use @command{kswitch}.
750 After switching, a new set of credentials are used as default.
754 Name Cache name Expires
755 lha@@SU.SE Initial default ccache Nov 22 14:14:24 *
756 lha@@KTH.SE 0 Nov 22 23:09:40
759 Som applications, like openssh with Simon Wilkinsons patch applied,
760 support specifiying that credential to use. The example below will
761 login to the host computer.kth.se using lha@@KTH.SE (not the current
766 -o GSSAPIAuthentication=yes \
767 -o GSSAPIKeyExchange=yes \
768 -o GSSAPIClientIdentity=lha@@KTH.SE \
774 @node Cross realm, Transit policy, Credential cache server - KCM, Setting up a realm
778 Suppose you reside in the realm @samp{MY.REALM}, how do you
779 authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
780 @samp{MY.REALM} allows you to communicate with Kerberised services in that
781 realm. However, the computer in the other realm does not have a secret
782 key shared with the Kerberos server in your realm.
784 It is possible to share keys between two realms that trust each
785 other. When a client program, such as @command{telnet} or @command{ssh},
786 finds that the other computer is in a different realm, it will try to
787 get a ticket granting ticket for that other realm, but from the local
788 Kerberos server. With that ticket granting ticket, it will then obtain
789 service tickets from the Kerberos server in the other realm.
791 For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM}
792 add the following principals to each realm. The principals should be
793 @samp{krbtgt/OTHER.REALM@@MY.REALM} and
794 @samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and
795 @samp{krbtgt/MY.REALM@@OTHER.REALM} and
796 @samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}.
798 In Kerberos 5 the trust can be configured to be one way. So that
799 users from @samp{MY.REALM} can authenticate to services in
800 @samp{OTHER.REALM}, but not the opposite. In the example above, the
801 @samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed.
803 The two principals must have the same key, key version number, and the
804 same set of encryption types. Remember to transfer the two keys in a
809 Credentials cache: FILE:/tmp/krb5cc_913.console
810 Principal: lha@@E.KTH.SE
812 Issued Expires Principal
813 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
815 vr$ telnet -l lha hummel.it.su.se
816 Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
817 Connected to hummel.it.su.se.
818 Escape character is '^]'.
819 Waiting for encryption to be negotiated...
820 [ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ]
821 [ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ]
822 Encryption negotiated.
823 Last login: Sat May 3 14:11:47 from vr.l.nxs.se
827 Credentials cache: FILE:/tmp/krb5cc_913.console
828 Principal: lha@@E.KTH.SE
830 Issued Expires Principal
831 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
832 May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE
833 May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
837 @node Transit policy, Setting up DNS, Cross realm, Setting up a realm
838 @section Transit policy
839 @cindex Transit policy
841 Under some circumstances, you may not wish to set up direct
842 cross-realm trust with every realm to which you wish to authenticate
843 or from which you wish to accept authentications. Kerberos supports
844 multi-hop cross-realm trust where a client principal in realm A
845 authenticates to a service in realm C through a realm B with which
846 both A and C have cross-realm trust relationships. In this situation,
847 A and C need not set up cross-realm principals between each other.
849 If you want to use cross-realm authentication through an intermediate
850 realm, it must be explicitly allowed by either the KDCs for the realm
851 to which the client is authenticating (in this case, realm C), or the
852 server receiving the request. This is done in @file{krb5.conf} in the
853 @code{[capaths]} section.
855 In addition, the client in realm A need to be configured to know how
856 to reach realm C via realm B. This can be done either on the client or
857 via KDC configuration in the KDC for realm A.
859 @subsection Allowing cross-realm transits
861 When the ticket transits through a realm to another realm, the
862 destination realm adds its peer to the "transited-realms" field in the
863 ticket. The field is unordered, since there is no way to know if know
864 if one of the transited-realms changed the order of the list. For the
865 authentication to be accepted by the final destination realm, all of
866 the transited realms must be listed as trusted in the @code{[capaths]}
867 configuration, either in the KDC for the destination realm or on the
868 server receiving the authentication.
870 The syntax for @code{[capaths]} section is:
875 SERVER-REALM = PERMITTED-CROSS-REALMS ...
879 In the following example, the realm @code{STACKEN.KTH.SE} only has
880 direct cross-realm set up with @code{KTH.SE}. @code{KTH.SE} has
881 direct cross-realm set up with @code{STACKEN.KTH.SE} and @code{SU.SE}.
882 @code{DSV.SU.SE} only has direct cross-realm set up with @code{SU.SE}.
883 The goal is to allow principals in the @code{DSV.SU.SE} or
884 @code{SU.SE} realms to authenticate to services in
885 @code{STACKEN.KTH.SE}. This is done with the following
886 @code{[capaths]} entry on either the server accepting authentication
887 or on the KDC for @code{STACKEN.KTH.SE}.
892 STACKEN.KTH.SE = KTH.SE
895 STACKEN.KTH.SE = SU.SE KTH.SE
899 The first entry allows cross-realm authentication from clients in
900 @code{SU.SE} transiting through @code{KTH.SE} to
901 @code{STACKEN.KTH.SE}. The second entry allows cross-realm
902 authentication from clients in @code{DSV.SU.SE} transiting through
903 both @code{SU.SE} and @code{KTH.SE} to @code{STACKEN.KTH.SE}.
905 Be careful of which realm goes where; it's easy to put realms in the
906 wrong place. The block is tagged with the client realm (the realm of
907 the principal authenticating), and the realm before the equal sign is
908 the final destination realm: the realm to which the client is
909 authenticating. After the equal sign go all the realms that the
910 client transits through.
912 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
913 doing transit cross realm verification.
915 @subsection Configuring client cross-realm transits
917 The @code{[capaths]} section is also used for another purpose: to tell
918 clients which realm to transit through to reach a realm with which
919 their local realm does not have cross-realm trust. This can be done
920 by either putting a @code{[capaths]} entry in the configuration of the
921 client or by putting the entry in the configuration of the KDC for the
922 client's local realm. In the latter case, the KDC will then hand back
923 a referral to the client when the client requests a cross-realm ticket
924 to the destination realm, telling the client to try to go through an
927 For client configuration, the order of @code{PERMITTED-CROSS-REALMS}
928 is significant, since only the first realm in this section (after the
929 equal sign) is used by the client.
931 For example, again consider the @code{[capaths]} entry above for the
932 case of a client in the @code{SU.SE} realm, and assume that the client
933 or the @code{SU.SE} KDC has that @code{[capaths]} entry. If the
934 client attempts to authenticate to a service in the
935 @code{STACKEN.KTH.SE} realm, that entry says to first authenticate
936 cross-realm to the @code{KTH.SE} realm (the first realm listed in the
937 @code{PERMITTED-CROSS-REALMS} section), and then from there to
938 @code{STACKEN.KTH.SE}.
940 Each entry in @code{[capaths]} can only give the next hop, since only
941 the first realm in @code{PERMITTED-CROSS-REALMS} is used. If, for
942 instance, a client in @code{DSV.SU.SE} had a @code{[capaths]}
943 configuration as above but without the first block for @code{SU.SE},
944 they would not be able to reach @code{STACKEN.KTH.SE}. They would get
945 as far as @code{SU.SE} based on the @code{DSV.SU.SE} entry in
946 @code{[capaths]} and then attempt to go directly from there to
947 @code{STACKEN.KTH.SE} and get stuck (unless, of course, the
948 @code{SU.SE} KDC had the additional entry required to tell the client
949 to go through @code{KTH.SE}).
951 @subsection Active Directory forest example
953 One common place where a @code{[capaths]} configuration is desirable
954 is with Windows Active Directory forests. One common Active Directory
955 configuration is to have one top-level Active Directory realm but then
956 divide systems, services, and users into child realms (perhaps based
957 on organizational unit). One generally establishes cross-realm trust
958 only with the top-level realm, and then uses transit policy to permit
959 authentications to and from the child realms.
961 For example, suppose an organization has a Heimdal realm
962 @code{EXAMPLE.COM}, a Windows Active Directory realm
963 @code{WIN.EXAMPLE.COM}, and then child Active Directory realms
964 @code{ENGR.WIN.EXAMPLE.COM} and @code{SALES.WIN.EXAMPLE.COM}. The
965 goal is to allow users in any of these realms to authenticate to
966 services in any of these realms. The @code{EXAMPLE.COM} KDC (and
967 possibly client) configuration should therefore contain a
968 @code{[capaths]} section as follows:
972 ENGR.WIN.EXAMPLE.COM = @{
973 EXAMPLE.COM = WIN.EXAMPLE.COM
975 SALES.WIN.EXAMPLE.COM = @{
976 EXAMPLE.COM = WIN.EXAMPLE.COM
979 ENGR.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM
980 SALES.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM
984 The first two blocks allow clients in the @code{ENGR.WIN.EXAMPLE.COM}
985 and @code{SALES.WIN.EXAMPLE.COM} realms to authenticate to services in
986 the @code{EXAMPLE.COM} realm. The third block tells the client (or
987 tells the KDC to tell the client via referrals) to transit through
988 @code{WIN.EXAMPLE.COM} to reach these realms. Both sides of the
989 configuration are needed for bi-directional transited cross-realm
992 @c To test the cross realm configuration, use:
993 @c kmumble transit-check client server transit-realms ...
995 @node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
996 @section Setting up DNS
997 @cindex Setting up DNS
999 @subsection Using DNS to find KDC
1001 If there is information about where to find the KDC or kadmind for a
1002 realm in the @file{krb5.conf} for a realm, that information will be
1003 preferred, and DNS will not be queried.
1005 Heimdal will try to use DNS to find the KDCs for a realm. First it
1006 will try to find a @code{SRV} resource record (RR) for the realm. If no
1007 SRV RRs are found, it will fall back to looking for an @code{A} RR for
1008 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
1010 Adding this information to DNS minimises the client configuration (in
1011 the common case, resulting in no configuration needed) and allows the
1012 system administrator to change the number of KDCs and on what machines
1013 they are running without caring about clients.
1015 The downside of using DNS is that the client might be fooled to use the
1016 wrong server if someone fakes DNS replies/data, but storing the IP
1017 addresses of the KDC on all the clients makes it very hard to change
1020 An example of the configuration for the realm @code{EXAMPLE.COM}:
1024 $ORIGIN example.com.
1025 _kerberos._tcp SRV 10 1 88 kerberos.example.com.
1026 _kerberos._udp SRV 10 1 88 kerberos.example.com.
1027 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
1028 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
1029 _kpasswd._udp SRV 10 1 464 kerberos.example.com.
1030 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
1034 More information about DNS SRV resource records can be found in
1035 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
1037 @subsection Using DNS to map hostname to Kerberos realm
1039 Heimdal also supports a way to lookup a realm from a hostname. This to
1040 minimise configuration needed on clients. Using this has the drawback
1041 that clients can be redirected by an attacker to realms within the
1042 same cross realm trust and made to believe they are talking to the
1043 right server (since Kerberos authentication will succeed).
1045 An example configuration that informs clients that for the realms
1046 it.example.com and srv.example.com, they should use the realm
1051 $ORIGIN example.com.
1052 _kerberos.it TXT "EXAMPLE.COM"
1053 _kerberos.srv TXT "EXAMPLE.COM"
1057 @node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
1058 @section Using LDAP to store the database
1059 @cindex Using the LDAP backend
1061 This document describes how to install the LDAP backend for
1062 Heimdal. Note that before attempting to configure such an
1063 installation, you should be aware of the implications of storing
1064 private information (such as users' keys) in a directory service
1065 primarily designed for public information. Nonetheless, with a
1066 suitable authorisation policy, it is possible to set this up in a
1067 secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to
1068 install this backend. The HDB schema was devised by Leif Johansson.
1070 This assumes, OpenLDAP 2.3 or later.
1077 A current release of Heimdal, configured with
1078 @code{--with-openldap=/usr/local} (adjust according to where you have
1079 installed OpenLDAP).
1081 You can verify that you manage to configure LDAP support by running
1082 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
1085 Its also possible to configure the ldap backend as a shared module,
1086 see option --hdb-openldap-module to configure.
1089 Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
1092 Add the hdb schema to the LDAP server, it's included in the source-tree
1093 in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
1096 include /usr/local/etc/openldap/schema/hdb.schema
1100 Configure the LDAP server ACLs to accept writes from clients over the
1101 local transport. For example:
1105 by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write
1108 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth''
1109 "uid=heimdal,dc=services,dc=example,dc=com"
1113 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
1114 a tree. The user that the key is mapped to should be have a
1115 krb5Principal aux object with krb5PrincipalName set so that the
1116 ``creator'' and ``modifier'' is right in @file{kadmin}.
1118 Another option is to create an admins group and add the dn to that
1121 Since Heimdal talks to the LDAP server over a UNIX domain socket, and
1122 uses external sasl authentication, it's not possible to require
1123 security layer quality (ssf in cyrus-sasl lingo). So that requirement
1124 has to be turned off in OpenLDAP @command{slapd} configuration file
1128 sasl-secprops minssf=0
1133 Start @command{slapd} with the local listener (as well as the default TCP/IP
1134 listener on port 389) as follows:
1137 slapd -h "ldapi:/// ldap:///"
1140 Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key
1141 binary attribute on shutdown. This may be related to our use of the V3
1142 schema definition syntax instead of the old UMich-style, V2 syntax.
1145 You should specify the distinguished name under which your
1146 principals will be stored in @file{krb5.conf}. Also you need to
1147 enter the path to the kadmin acl file:
1153 dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
1154 hdb-ldap-structural-object = inetOrgPerson
1155 acl_file = /path/to/kadmind.acl
1156 mkey_file = /path/to/mkey
1160 @samp{mkey_file} can be excluded if you feel that you trust your ldap
1161 directory to have the raw keys inside it. The
1162 hdb-ldap-structural-object is not necessary if you do not need Samba
1168 Once you have built Heimdal and started the LDAP server, run kadmin
1169 (as usual) to initialise the database. Note that the instructions for
1170 stashing a master key are as per any Heimdal installation.
1174 kadmin> init EXAMPLE.COM
1175 Realm max ticket life [unlimited]:
1176 Realm max renewable ticket life [unlimited]:
1178 Max ticket life [1 day]:
1179 Max renewable life [1 week]:
1180 Principal expiration time [never]:
1181 Password expiration time [never]:
1183 lukeh@@EXAMPLE.COM's Password:
1184 Verifying password - lukeh@@EXAMPLE.COM's Password:
1188 Verify that the principal database has indeed been stored in the
1189 directory with the following command:
1192 kdc# ldapsearch -L -h localhost -D cn=manager \
1193 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1194 'objectclass=krb5KDCEntry'
1198 Now consider adding indexes to the database to speed up the access, at
1199 least theses should be added to slapd.conf.
1202 index objectClass eq
1203 index cn eq,sub,pres
1204 index uid eq,sub,pres
1205 index displayName eq,sub,pres
1206 index krb5PrincipalName eq
1211 @subsection smbk5pwd overlay
1213 The smbk5pwd overlay, updates the krb5Key and krb5KeyVersionNumber
1214 appropriately when it receives an LDAP Password change Extended
1217 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0}
1219 @subsection Troubleshooting guide
1221 @url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide}
1224 @subsection Using Samba LDAP password database
1227 @c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
1228 @c @section Using Samba LDAP password database
1230 The Samba domain and the Kerberos realm can have different names since
1231 arcfour's string to key functions principal/realm independent. So now
1232 will be your first and only chance name your Kerberos realm without
1233 needing to deal with old configuration files.
1235 First, you should set up Samba and get that working with LDAP backend.
1237 Now you can proceed as in @xref{Using LDAP to store the database}.
1238 Heimdal will pick up the Samba LDAP entries if they are in the same
1239 search space as the Kerberos entries.
1241 @node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
1242 @section Providing Kerberos credentials to servers and programs
1244 Some services require Kerberos credentials when they start to make
1245 connections to other services or need to use them when they have started.
1247 The easiest way to get tickets for a service is to store the key in a
1248 keytab. Both ktutil get and kadmin ext can be used to get a
1249 keytab. ktutil get is better in that way it changes the key/password
1250 for the user. This is also the problem with ktutil. If ktutil is used
1251 for the same service principal on several hosts, they keytab will only
1252 be useful on the last host. In that case, run the extract command on
1253 one host and then securely copy the keytab around to all other hosts
1257 host# ktutil -k /etc/krb5-service.keytab \
1258 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1259 lha/admin@@EXAMPLE.ORG's Password:
1262 To get a Kerberos credential file for the service, use kinit in the
1263 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1264 key from the keytab.
1267 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1268 --keytab=/etc/krb5-service.keytab \
1269 service-principal@@EXAMPLE.ORG
1272 Long running services might need credentials longer then the
1273 expiration time of the tickets. kinit can run in a mode that refreshes
1274 the tickets before they expire. This is useful for services that write
1275 into AFS and other distributed file systems using Kerberos. To run the
1276 long running script, just append the program and arguments (if any)
1277 after the principal. kinit will stop refreshing credentials and remove
1278 the credentials when the script-to-start-service exits.
1281 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1282 --keytab=/etc/krb5-service.keytab \
1283 service-principal@@EXAMPLE.ORG \
1284 script-to-start-service argument1 argument2
1288 @node Setting up PK-INIT, Debugging Kerberos problems, Providing Kerberos credentials to servers and programs, Setting up a realm
1289 @section Setting up PK-INIT
1291 PK-INIT leverages an existing PKI (public key infrastructure), using
1292 certificates to get the initial ticket (usually the krbtgt
1293 ticket-granting ticket).
1295 To use PK-INIT you must first have a PKI. If you don't have one, it is
1296 time to create it. You should first read the whole chapter of the
1297 document to see the requirements imposed on the CA software.
1299 A mapping between the PKI certificate and what principals that
1300 certificate is allowed to use must exist. There are several ways to do
1301 this. The administrator can use a configuration file, store the
1302 principal in the SubjectAltName extension of the certificate, or store
1303 the mapping in the principals entry in the kerberos database.
1305 @section Certificates
1307 This section documents the requirements on the KDC and client
1308 certificates and the format used in the id-pkinit-san OtherName
1311 @subsection KDC certificate
1313 The certificate for the KDC has serveral requirements.
1315 First, the certificate should have an Extended Key Usage (EKU)
1316 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
1317 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
1318 the type field and a DER encoded KRB5PrincipalName that matches the
1319 name of the TGS of the target realm. Also, if the certificate has a
1320 nameConstraints extention with a Generalname with dNSName or iPAdress,
1321 it must match the hostname or adress of the KDC.
1323 The client is not required by the standard to check the server
1324 certificate for this information if the client has external
1325 information confirming which certificate the KDC is supposed to be
1326 using. However, adding this information to the KDC certificate removes
1327 the need to specially configure the client to recognize the KDC
1330 Remember that if the client would accept any certificate as the KDC's
1331 certificate, the client could be fooled into trusting something that
1332 isn't a KDC and thus expose the user to giving away information (like
1333 a password or other private information) that it is supposed to keep
1336 @subsection Client certificate
1338 The client certificate may need to have a EKU id-pkekuoid
1339 (1.3.6.1.5.2.3.4) set depending on the certifiate on the KDC.
1341 It possible to store the principal (if allowed by the KDC) in the
1342 certificate and thus delegate responsibility to do the mapping between
1343 certificates and principals to the CA.
1345 This behavior is controlled by KDC configuration option:
1349 pkinit_principal_in_certificate = yes
1352 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1354 The OtherName extention in the GeneralName is used to do the mapping
1355 between certificate and principal. For the KDC certificate, this
1356 stores the krbtgt principal name for that KDC. For the client
1357 certificate, this stores the principal for which that certificate is
1358 allowed to get tickets.
1360 The principal is stored in a SubjectAltName in the certificate using
1361 OtherName. The OID in the type is id-pkinit-san.
1364 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1365 internet (1) security (5) kerberosv5 (2) 2 @}
1368 The data part of the OtherName is filled with the following DER
1369 encoded ASN.1 structure:
1372 KRB5PrincipalName ::= SEQUENCE @{
1374 principalName [1] PrincipalName
1378 where Realm and PrincipalName is defined by the Kerberos ASN.1
1381 @section Naming certificate using hx509
1383 hx509 is the X.509 software used in Heimdal to handle
1384 certificates. hx509 supports several different syntaxes for specifying
1385 certificate files or formats. Several formats may be used: PEM,
1386 certificates embedded in PKCS#12 files, certificates embedded in
1387 PKCS#11 devices, and raw DER encoded certificates.
1389 Those formats may be specified as follows:
1395 DIR specifies a directory which contains certificates in the DER or
1398 The main feature of DIR is that the directory is read on demand when
1399 iterating over certificates. This allows applications, in some
1400 situations, to avoid having to store all certificates in memory. It's
1401 very useful for tests that iterate over large numbers of certificates.
1406 DIR:/path/to/der/files
1411 FILE: specifies a file that contains a certificate or private key.
1412 The file can be either a PEM (openssl) file or a raw DER encoded
1413 certificate. If it's a PEM file, it can contain several keys and
1414 certificates and the code will try to match the private key and
1415 certificate together. Multiple files may be specified, separated by
1418 It's useful to have one PEM file that contains all the trust anchors.
1423 FILE:certificate.pem,private-key.key,other-cert.pem,....
1428 PKCS11: is used to handle smartcards via PKCS#11 drivers, such as
1429 soft-token, opensc, or muscle. The argument specifies a shared object
1430 that implements the PKCS#11 API. The default is to use all slots on
1436 PKCS11:shared-object.so
1441 PKCS12: is used to handle PKCS#12 files. PKCS#12 files commonly have
1442 the extension pfx or p12.
1447 PKCS12:/path/to/file.pfx
1452 @section Configure the Kerberos software
1454 First configure the client's trust anchors and what parameters to
1455 verify. See the subsections below for how to do that. Then, you can
1456 use kinit to get yourself tickets. For example:
1459 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1460 Enter your private key passphrase:
1461 : lha@@nutcracker ; klist
1462 Credentials cache: FILE:/tmp/krb5cc_19100a
1463 Principal: lha@@EXAMPLE.ORG
1465 Issued Expires Principal
1466 Apr 20 02:08:08 Apr 20 12:08:08 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1469 Using PKCS#11 it can look like this instead:
1472 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1473 PIN code for SoftToken (slot):
1475 Credentials cache: API:4
1476 Principal: lha@@EXAMPLE.ORG
1478 Issued Expires Principal
1479 Mar 26 23:40:10 Mar 27 09:40:10 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1482 TODO: Write about the KDC.
1484 @section Configure the client
1488 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1492 pkinit_require_eku = true
1493 pkinit_require_krbtgt_otherName = true
1495 pkinit_win2k_require_binding = yes
1500 @section Configure the KDC
1505 pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
1506 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1507 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1508 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1509 pkinit_allow_proxy_certificate = no
1510 pkinit_win2k_require_binding = yes
1511 pkinit_principal_in_certificate = no
1514 @subsection Using pki-mapping file
1516 Note that the file name is space sensitive.
1519 # cat /var/heimdal/pki-mapping
1520 # comments starts with #
1521 lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
1522 lha@@EXAMPLE.ORG:CN=Love,UID=lha
1525 @subsection Using the Kerberos database
1527 @section Use hxtool to create certificates
1529 @subsection Generate certificates
1531 First, you need to generate a CA certificate. This example creates a
1532 CA certificate that will be valid for 10 years.
1534 You need to change --subject in the command below to something
1535 appropriate for your site.
1538 hxtool issue-certificate \
1541 --generate-key=rsa \
1542 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1543 --lifetime=10years \
1544 --certificate="FILE:ca.pem"
1547 The KDC needs to have a certificate, so generate a certificate of the
1548 type ``pkinit-kdc'' and set the PK-INIT specifial SubjectAltName to the
1549 name of the krbtgt of the realm.
1551 You need to change --subject and --pk-init-principal in the command
1552 below to something appropriate for your site.
1555 hxtool issue-certificate \
1556 --ca-certificate=FILE:ca.pem \
1557 --generate-key=rsa \
1558 --type="pkinit-kdc" \
1559 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1560 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1561 --certificate="FILE:kdc.pem"
1564 The users also needs to have certificates. For your first client,
1565 generate a certificate of type ``pkinit-client''. The client doesn't
1566 need to have the PK-INIT SubjectAltName set; you can have the Subject
1567 DN in the ACL file (pki-mapping) instead.
1569 You need to change --subject and --pk-init-principal in the command
1570 below to something appropriate for your site. You can omit
1571 --pk-init-principal if you're going to use the ACL file instead.
1574 hxtool issue-certificate \
1575 --ca-certificate=FILE:ca.pem \
1576 --generate-key=rsa \
1577 --type="pkinit-client" \
1578 --pk-init-principal="lha@@TEST.H5L.SE" \
1579 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1580 --certificate="FILE:user.pem"
1583 @subsection Validate the certificate
1585 hxtool also contains a tool that will validate certificates according
1586 to rules from the PKIX document. These checks are not complete, but
1587 they provide a good test of whether you got all of the basic bits
1588 right in your certificates.
1591 hxtool validate FILE:user.pem
1594 @section Use OpenSSL to create certificates
1596 This section tries to give the CA owners hints how to create
1597 certificates using OpenSSL (or CA software based on OpenSSL).
1599 @subsection Using OpenSSL to create certificates with krb5PrincipalName
1601 To make OpenSSL create certificates with krb5PrincipalName, use an
1602 @file{openssl.cnf} as described below. To see a complete example of
1603 creating client and KDC certificates, see the test-data generation
1604 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1605 certicates it creates are used to test the PK-INIT functionality in
1606 @file{tests/kdc/check-kdc.in}.
1608 To use this example you have to use OpenSSL 0.9.8a or later.
1613 subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
1616 realm = EXP:0, GeneralString:MY.REALM
1617 principal_name = EXP:1, SEQUENCE:principal_seq
1620 name_type = EXP:0, INTEGER:1
1621 name_string = EXP:1, SEQUENCE:principals
1624 princ1 = GeneralString:userid
1631 openssl x509 -extensions user_certificate
1632 openssl ca -extensions user_certificate
1636 @c --- ms certificate
1639 @c msCertificateTemplateName = 1.3.6.1.4.1.311.20.2
1642 @c [ req_smartcard ]
1643 @c keyUsage = digitalSignature, keyEncipherment
1644 @c extendedKeyUsage = msSmartcardLogin, clientAuth
1645 @c msCertificateTemplateName = ASN1:BMP:SmartcardLogon
1646 @c subjectAltName = otherName:msUPN;UTF8:lukeh@dsg.padl.com
1647 @c #subjectAltName = email:copy
1650 @section Using PK-INIT with Windows
1652 @subsection Client configration
1654 Clients using a Windows KDC with PK-INIT need configuration since
1655 windows uses pre-standard format and this can't be autodetected.
1657 The pkinit_win2k_require_binding option requires the reply for the KDC
1658 to be of the new, secure, type that binds the request to
1659 reply. Before, clients could fake the reply from the KDC. To use this
1660 option you have to apply a fix from Microsoft.
1666 pkinit_win2k_require_binding = no
1670 @subsection Certificates
1672 The client certificates need to have the extended keyusage ``Microsoft
1673 Smartcardlogin'' (openssl has the OID shortname msSmartcardLogin).
1675 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1676 Smart Card Logon with Third-Party Certification Authorities'' for a
1677 more extensive description of how set setup an external CA so that it
1678 includes all the information required to make a Windows KDC happy.
1680 @subsection Configure Windows 2000 CA
1682 To enable Microsoft Smartcardlogin for certificates in your Windows
1683 2000 CA, you want to look at Microsoft Knowledge Base Article - 313274
1684 ``HOW TO: Configure a Certification Authority to Issue Smart Card
1685 Certificates in Windows''.
1687 @node Debugging Kerberos problems, , Setting up PK-INIT, Setting up a realm
1688 @section Debugging Kerberos problems
1690 To debug Kerberos client and server problems you can enable debug
1691 traceing by adding the following to @file{/etc/krb5,conf}. Note that the
1692 trace logging is sparse at the moment, but will continue to improve.
1696 libkrb5 = 0-/SYSLOG: