3 @node Setting up a realm, Applications, Building and Installing, Top
5 @chapter Setting up a realm
9 realm is an administrative domain. The name of a Kerberos realm is
10 usually the Internet domain name in uppercase. Call your realm the same
11 as your Internet domain name if you do not have strong reasons for not
12 doing so. It will make life easier for you and everyone else.
15 * Configuration file::
16 * Creating the database::
17 * Modifying the database::
18 * Checking the setup::
20 * Remote administration::
22 * Testing clients and servers::
24 * Incremental propagation::
25 * Encryption types and salting::
26 * Credential cache server - KCM::
30 * Using LDAP to store the database::
31 * Providing Kerberos credentials to servers and programs::
32 * Setting up PK-INIT::
33 * Debugging Kerberos problems::
36 @node Configuration file, Creating the database, Setting up a realm, Setting up a realm
37 @section Configuration file
39 To setup a realm you will first have to create a configuration file:
40 @file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
41 configuration options, some of which are described here.
43 There is a sample @file{krb5.conf} supplied with the distribution.
45 The configuration file is a hierarchical structure consisting of
46 sections, each containing a list of bindings (either variable
47 assignments or subsections). A section starts with
48 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
49 (@samp{=}) and a right hand side (the left hand side tag must be
50 separated from the equal sign with some whitespace). Subsections have a
51 @samp{@{} as the first non-whitespace character after the equal sign. All
52 other bindings are treated as variable assignments. The value of a
53 variable extends to the end of the line.
55 Configuration files can also include other files, or all files in a
56 directory. Use absolute paths in include directives. When including a
57 directoty, only files whose names consist of alphanumeric, hyphen, or
58 underscore characters are allowed, though they may end in '.conf'.
61 include /some/config/file
62 includedir /some/config/directory
66 other-var = value with @{@}
71 var = some other value
73 var = yet another value
76 In this manual, names of sections and bindings will be given as strings
77 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
78 be @samp{section1/a-subsection/other-var}.
80 For in-depth information about the contents of the configuration file, refer to
81 the @file{krb5.conf} manual page. Some of the more important sections
82 are briefly described here.
84 The @samp{libdefaults} section contains a list of library configuration
85 parameters, such as the default realm and the timeout for KDC
86 responses. The @samp{realms} section contains information about specific
87 realms, such as where they hide their KDC@. This section serves the same
88 purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
89 information. Finally the @samp{domain_realm} section contains a list of
90 mappings from domains to realms, equivalent to the Kerberos 4
91 @file{krb.realms} file.
93 To continue with the realm setup, you will have to create a configuration file,
94 with contents similar to the following.
98 default_realm = MY.REALM
101 kdc = my.kdc my.slave.kdc
104 kdc = [2001:6b0:1:ea::100]:88
107 .my.domain = MY.REALM
111 If you use a realm name equal to your domain name, you can omit the
112 @samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS
113 SRV-record for your realm, or your Kerberos server has DNS CNAME
114 @samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
117 If you want to use a different configuration file then the default you
118 can point a file with the environment variable @samp{KRB5_CONFIG}.
121 env KRB5_CONFIG=$HOME/etc/krb5.conf kinit user@@REALM
124 @cindex GSS_MECH_CONFIG
125 The GSS-API mechanism configuration file can also be changed from the
126 default with the enviornment variable @samp{GSS_MECH_CONFIG}. Note that
127 this file only configures additional plugin mechanisms: Kerberos, NTLM
128 and SPNEGO are built in to the Heimdal GSS-API library.
130 @node Creating the database, Modifying the database, Configuration file, Setting up a realm
131 @section Creating the database
133 The database library will look for the database in the directory
134 @file{@value{dbdir}}, so you should probably create that directory.
135 Make sure the directory has restrictive permissions.
139 # chmod og-rwx /var/heimdal
142 Heimdal supports various database backends: lmdb (LMDB), db3 (Berkeley
143 DB 3.x, 4.x, or 5.x), db1 (Berkeley DB 2.x), sqlite (SQLite3), and ldap
144 (LDAP). The default is @value{dbtype}, and is selected at build time
145 from one of lmdb, db3, or db1.
147 These defaults can be overriden in the 'database' key in the @samp{kdc}
148 section of the configuration.
153 dbname = lmdb:/path/to/db-file
155 acl_file = /path/to/kadmind.acl
156 mkey_file = /path/to/mkey
157 log_file = /path/to/iprop-log-file
161 To use LDAP, see @xref{Using LDAP to store the database}.
163 The keys of all the principals are stored in the database. If you
164 choose to, these can be encrypted with a master key. You do not have to
165 remember this key (or password), but just to enter it once and it will
166 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
167 master key, run @samp{kstash} to create this master key:
172 Verifying password - Master key:
175 If you want to generate a random master key you can use the
176 @kbd{--random-key} flag to kstash. This will make sure you have a good key
177 on which attackers can't do a dictionary attack.
179 If you have a master key, make sure you make a backup of your master
180 key file; without it backups of the database are of no use.
182 To initialise the database use the @command{kadmin} program, with the
183 @kbd{-l} option (to enable local database mode). First issue a
184 @kbd{init MY.REALM} command. This will create the database and insert
185 default principals for that realm. You can have more than one realm in
186 one database, so @samp{init} does not destroy any old database.
188 Before creating the database, @samp{init} will ask you some questions
189 about maximum ticket lifetimes.
191 After creating the database you should probably add yourself to it. You
192 do this with the @samp{add} command. It takes as argument the name of a
193 principal. The principal should contain a realm, so if you haven't set up
194 a default realm, you will need to explicitly include the realm.
198 kadmin> init MY.REALM
199 Realm max ticket life [unlimited]:
200 Realm max renewable ticket life [unlimited]:
202 Max ticket life [unlimited]:
203 Max renewable life [unlimited]:
206 Verifying password - Password:
209 Now start the KDC and try getting a ticket.
214 me@@MY.REALMS's Password:
216 Credentials cache: /tmp/krb5cc_0
217 Principal: me@@MY.REALM
219 Issued Expires Principal
220 Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM
223 If you are curious you can use the @samp{dump} command to list all the
224 entries in the database. It should look something similar to the
225 following example (note that the entries here are truncated for
226 typographical reasons):
230 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
231 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
232 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
233 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
236 @node Modifying the database, Checking the setup, Creating the database, Setting up a realm
237 @section Modifying the database
239 All modifications of principals are done with with kadmin.
241 A principal has several attributes and lifetimes associated with it.
243 Principals are added, renamed, modified, and deleted with the kadmin
244 commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}.
245 Both interactive editing and command line flags can be used (use --help
246 to list the available options).
248 There are different kinds of types for the fields in the database;
249 attributes, absolute time times and relative times.
251 @subsection Attributes
253 When doing interactive editing, attributes are listed with @samp{?}.
255 The attributes are given in a comma (@samp{,}) separated list.
256 Attributes are removed from the list by prefixing them with @samp{-}.
260 Max ticket life [1 day]:
261 Max renewable life [1 week]:
262 Principal expiration time [never]:
263 Password expiration time [never]:
264 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
266 Principal: me@@MY.REALM
268 Attributes: requires-pre-auth
271 @subsection Absolute times
273 The format for absolute times are any of the following:
283 @subsection Relative times
285 The format for relative times are any of the following combined:
296 @c Describe more of kadmin commands here...
298 @node Checking the setup, keytabs, Modifying the database, Setting up a realm
299 @section Checking the setup
301 There are two tools that can check the consistency of the Kerberos
302 configuration file and the Kerberos database.
304 The Kerberos configuration file is checked using
305 @command{verify_krb5_conf}. The tool checks for common errors, but
306 commonly there are several uncommon configuration entries that are
307 never added to the tool and thus generates ``unknown entry'' warnings.
308 This is usually nothing to worry about.
310 The database check is built into the kadmin tool. It will check for
311 common configuration error that will cause problems later. Common
312 check are for existence and flags on important principals. The
313 database check by run by the following command :
316 kadmin -l check REALM.EXAMPLE.ORG
319 @node keytabs, Remote administration, Checking the setup, Setting up a realm
322 To extract a service ticket from the database and put it in a keytab, you
323 need to first create the principal in the database with @samp{add}
324 (using the @kbd{--random-key} flag to get a random key) and then
325 extract it with @samp{ext_keytab}.
328 kadmin> add --random-key host/my.host.name
329 Max ticket life [unlimited]:
330 Max renewable life [unlimited]:
332 kadmin> ext host/my.host.name
335 Version Type Principal
336 1 des-cbc-md5 host/my.host.name@@MY.REALM
337 1 des-cbc-md4 host/my.host.name@@MY.REALM
338 1 des-cbc-crc host/my.host.name@@MY.REALM
339 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
342 @node Remote administration, Password changing, keytabs, Setting up a realm
343 @section Remote administration
345 The administration server, @command{kadmind}, can be started by
346 @command{inetd} (which isn't recommended) or run as a normal daemon. If you
347 want to start it from @command{inetd} you should add a line similar to the
348 one below to your @file{/etc/inetd.conf}.
351 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
354 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
357 Access to the administration server is controlled by an ACL file,
358 (default @file{/var/heimdal/kadmind.acl}.) The file has the following
361 principal [priv1,priv2,...] [glob-pattern]
364 The matching is from top to bottom for matching principals (and if given,
365 glob-pattern). When there is a match, the access rights of that line are
368 The privileges you can assign to a principal are: @samp{add},
369 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
370 @samp{get}, @samp{list}, and @samp{modify}, or the special privilege
371 @samp{all}. All of these roughly correspond to the different commands
374 If a @var{glob-pattern} is given on a line, it restricts the access
375 rights for the principal to only apply for subjects that match the
376 pattern. The patterns are of the same type as those used in shell
377 globbing, see @url{none,,fnmatch(3)}.
379 In the example below @samp{lha/admin} can change every principal in the
380 database. @samp{jimmy/admin} can only modify principals that belong to
381 the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
382 help desk, so he should only be able to change the passwords for single
383 component principals (ordinary users). He will not be able to change any
384 @samp{/admin} principal.
387 lha/admin@@E.KTH.SE all
388 jimmy/admin@@E.KTH.SE all *@@E.KTH.SE
389 jimmy/admin@@E.KTH.SE all */*@@E.KTH.SE
390 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
393 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
394 @section Password changing
396 To allow users to change their passwords, you should run @command{kpasswdd}.
397 It is not run from @command{inetd}.
399 You might need to add @samp{kpasswd} to your @file{/etc/services} as
400 @samp{464/udp}. If your realm is not setup to use DNS, you might also
401 need to add a @samp{kpasswd_server} entry to the realm configuration
402 in @file{/etc/krb5.conf} on client machines:
407 kdc = my.kdc my.slave.kdc
408 kpasswd_server = my.kdc
412 @subsection Password quality assurance
414 It is important that users have good passwords, both to make it harder
415 to guess them and to avoid off-line attacks (although
416 pre-authentication provides some defence against off-line attacks).
417 To ensure that the users choose good passwords, you can enable
418 password quality controls in @command{kpasswdd} and @command{kadmind}.
419 The controls themselves are done in a shared library or an external
420 program that is used by @command{kpasswdd}. To configure in these
421 controls, add lines similar to the following to your
422 @file{/etc/krb5.conf}:
426 policies = external-check builtin:minimum-length modulename:policyname
427 external_program = /bin/false
428 policy_libraries = @var{library1.so} @var{library2.so}
431 In @samp{[password_quality]policies} the module name is optional if
432 the policy name is unique in all modules (members of
433 @samp{policy_libraries}). All built-in policies can be qualified with
434 a module name of @samp{builtin} to unambiguously specify the built-in
435 policy and not a policy by the same name from a loaded module.
437 The built-in policies are
443 Executes the program specified by @samp{[password_quality]external_program}.
445 A number of key/value pairs are passed as input to the program, one per
446 line, ending with the string @samp{end}. The key/value lines are of
449 principal: @var{principal}
450 new-password: @var{password}
452 where @var{password} is the password to check for the previous
455 If the external application approves the password, it should return
456 @samp{APPROVED} on standard out and exit with exit code 0. If it
457 doesn't approve the password, an one line error message explaining the
458 problem should be returned on standard error and the application
459 should exit with exit code 0. In case of a fatal error, the
460 application should, if possible, print an error message on standard
461 error and exit with a non-zero error code.
465 The minimum length password quality check reads the configuration file
466 stanza @samp{[password_quality]min_length} and requires the password
467 to be at least this length.
469 @item character-class
471 The character-class password quality check reads the configuration
472 file stanza @samp{[password_quality]min_classes}. The policy requires
473 the password to have characters from at least that many character
474 classes. Default value if not given is 3.
476 The four different characters classes are, uppercase, lowercase,
477 number, special characters.
479 @item enforce_on_admin_set
481 The enforce_on_admin_set check subjects administrative password updates to the
482 password policy. An administrative password update is a create principal or
483 change password request via @command{kadmind}, or a set password request via
484 @command{kpasswdd}. (A set password request is one where the authenticating
485 principal differs from the principal whose password is being changed.) Password
486 policies are always ignored if the authenticating principal is the kadmin
487 service itself, for example when running @command{kadmin} in local mode. The
488 default value for enforce_on_admin_set if not given is true.
492 If you want to write your own shared object to check password
493 policies, see the manual page @manpage{kadm5_pwcheck,3}.
495 Code for a password quality checking function that uses the cracklib
496 library can be found in @file{lib/kadm5/sample_password_check.c} in
497 the source code distribution. It requires that the cracklib library
498 be built with the patch available at
499 @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
501 A sample policy external program is included in
502 @file{lib/kadm5/check-cracklib.pl}.
504 If no password quality checking function is configured, the only check
505 performed is that the password is at least six characters long.
507 To check the password policy settings, use the command
508 @command{verify-password-quality} in @command{kadmin} program. The password
509 verification is only performed locally, on the client. It may be
510 convenient to set the environment variable @samp{KRB5_CONFIG} to point
511 to a test version of @file{krb5.conf} while you're testing the
512 @samp{[password_quality]} stanza that way.
514 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
515 @section Testing clients and servers
517 Now you should be able to run all the clients and servers. Refer to the
518 appropriate man pages for information on how to use them.
520 @node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
521 @section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
523 It is desirable to have at least one backup (slave) server in case the
524 master server fails. It is possible to have any number of such slave
525 servers but more than three usually doesn't buy much more redundancy.
527 All Kerberos servers for a realm must have the same database so that
528 they present the same service to the users. The
530 @command{hprop} program, running on the master, will propagate the database
531 to the slaves, running
533 @command{hpropd} processes.
535 Every slave needs a database directory, the master key (if it was used
536 for the database) and a keytab with the principal
537 @samp{hprop/@var{hostname}}. Add the principal with the
539 @command{ktutil} command and start
541 @command{hpropd}, as follows:
544 slave# ktutil get -p foo/admin hprop/`hostname`
545 slave# mkdir /var/heimdal
549 The master will use the principal @samp{kadmin/hprop} to authenticate to
550 the slaves. This principal should be added when running @kbd{kadmin -l
551 init} but if you do not have it in your database for whatever reason,
552 please add it with @kbd{kadmin -l add}.
556 @code{hprop} on the master:
562 This was just an hands-on example to make sure that everything was
563 working properly. Doing it manually is of course the wrong way, and to
564 automate this you will want to start
566 @command{hpropd} from @command{inetd} on the slave(s) and regularly run
568 @command{hprop} on the master to regularly propagate the database.
569 Starting the propagation once an hour from @command{cron} is probably a
572 @node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
573 @section Incremental propagation
575 There is also a newer mechanism for
576 doing incremental propagation in Heimdal. Instead of sending the whole
577 database regularly, it sends the changes as they happen on the master to
578 the slaves. The master keeps track of all the changes by assigning a
579 version number to every change to the database. The slaves know which
580 was the latest version they saw and in this way it can be determined if
581 they are in sync or not. A log of all the changes is kept on the master,
582 and when a slave is at an older version than the oldest one in the
583 log, the whole database has to be sent.
585 Protocol-wise, all the slaves connect to the master and as a greeting
586 tell it the latest version that they have (@samp{IHAVE} message). The
587 master then responds by sending all the changes between that version and
588 the current version at the master (a series of @samp{FORYOU} messages)
589 or the whole database in a @samp{TELLYOUEVERYTHING} message. There is
590 also a keep-alive protocol that makes sure all slaves are up and running.
592 In addition on listening on the network to get connection from new
593 slaves, the ipropd-master also listens on a status unix
594 socket. kadmind and kpasswdd both open that socket when a transation
595 is done and written a notification to the socket. That cause
596 ipropd-master to check for new version in the log file. As a fallback in
597 case a notification is lost by the unix socket, the log file is
598 checked after 30 seconds of no event.
600 @subsection Configuring incremental propagation
602 The program that runs on the master is @command{ipropd-master} and all
603 clients run @command{ipropd-slave}.
605 Create the file @file{/var/heimdal/slaves} on the master containing all
606 the slaves that the database should be propagated to. Each line contains
607 the full name of the principal (for example
608 @samp{iprop/hemligare.foo.se@@FOO.SE}).
610 You should already have @samp{iprop/tcp} defined as 2121, in your
611 @file{/etc/services}. Otherwise, or if you need to use a different port
612 for some peculiar reason, you can use the @kbd{--port} option. This is
613 useful when you have multiple realms to distribute from one server.
615 Then you need to create those principals that you added in the
616 configuration file. Create one @samp{iprop/hostname} for the master and
621 master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
625 slave# /usr/heimdal/sbin/ktutil get iprop/`hostname`
629 The next step is to start the @command{ipropd-master} process on the master
630 server. The @command{ipropd-master} listens on the UNIX domain socket
631 @file{/var/heimdal/signal} to know when changes have been made to the
632 database so they can be propagated to the slaves. There is also a
633 safety feature of testing the version number regularly (every 30
634 seconds) to see if it has been modified by some means that do not raise
635 this signal. Then, start @command{ipropd-slave} on all the slaves:
638 master# /usr/heimdal/libexec/ipropd-master &
639 slave# /usr/heimdal/libexec/ipropd-slave master &
642 To manage the iprop log file you should use the @command{iprop-log}
643 command. With it you can dump, truncate and replay the logfile.
645 @subsection Status of iprop master and slave
647 Both the master and slave provides status of the world as they see it.
649 The master write outs the current status of the slaves, last seen and
650 their version number in @file{/var/heimdal/slaves-stats}.
652 The slave write out the current status in @file{/var/heimdal/ipropd-slave-status}.
654 These locations can be changed with command line options, and in the
655 case of @command{ipropd_master}, the configuration file.
657 @node Encryption types and salting, Credential cache server - KCM, Incremental propagation, Setting up a realm
658 @section Encryption types and salting
660 @cindex Encryption types
662 The encryption types that the KDC is going to assign by default is
663 possible to change. Since the keys used for user authentication is
664 salted the encryption types are described together with the salt
667 Salting is used to make it harder to pre-calculate all possible
668 keys. Using a salt increases the search space to make it almost
669 impossible to pre-calculate all keys. Salting is the process of mixing a
670 public string (the salt) with the password, then sending it through an
671 encryption type specific string-to-key function that will output the
672 fixed size encryption key.
674 In Kerberos 5 the salt is determined by the encryption type, except in
677 In @code{des} there is the Kerberos 4 salt
678 (none at all) or the afs-salt (using the cell (realm in
681 In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
682 there is no salt. This is to be compatible with NTLM keys in Windows
685 @code{[kadmin]default_keys} in @file{krb5.conf} controls
688 The syntax of @code{[kadmin]default_keys} is
689 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
690 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
691 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
692 salt-string is the string that will be used as salt (remember that if
693 the salt is appended/prepended, the empty salt "" is the same thing as
696 Common types of salting include
699 @item @code{v4} (or @code{des:pw-salt:})
701 The Kerberos 4 salting is using no salt at all. Reason there is colon
702 at the end of the salt string is that it makes the salt the empty
703 string (same as no salt).
705 @item @code{v5} (or @code{pw-salt})
707 @code{pw-salt} uses the default salt for each encryption type is
708 specified for. If the encryption type @samp{etype} isn't given, all
709 default encryption will be used.
711 @item @code{afs3-salt}
713 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
714 the cell name appended to the password.
718 @node Credential cache server - KCM, Cross realm, Encryption types and salting, Setting up a realm
719 @section Credential cache server - KCM
721 @cindex Credential cache server
723 When KCM running is easy for users to switch between different
724 kerberos principals using @file{kswitch} or built in support in
725 application, like OpenSSH's GSSAPIClientIdentity.
727 Other advantages are that there is the long term credentials are not
728 written to disk and on reboot the credential is removed when kcm
729 process stopps running.
731 Configure the system startup script to start the kcm process,
732 @file{/usr/heimdal/libexec/kcm} and then configure the system to use kcm in @file{krb5.conf}.
736 default_cc_type = KCM
739 Now when you run @command{kinit} it doesn't overwrite your existing
740 credentials but rather just add them to the set of
741 credentials. @command{klist -l} lists the credentials and the star
742 marks the default credential.
746 lha@@KTH.SE's Password:
748 Name Cache name Expires
749 lha@@KTH.SE 0 Nov 22 23:09:40 *
750 lha@@SU.SE Initial default ccache Nov 22 14:14:24
753 When switching between credentials you can use @command{kswitch}.
763 After switching, a new set of credentials are used as default.
767 Name Cache name Expires
768 lha@@SU.SE Initial default ccache Nov 22 14:14:24 *
769 lha@@KTH.SE 0 Nov 22 23:09:40
772 Som applications, like openssh with Simon Wilkinsons patch applied,
773 support specifiying that credential to use. The example below will
774 login to the host computer.kth.se using lha@@KTH.SE (not the current
779 -o GSSAPIAuthentication=yes \
780 -o GSSAPIKeyExchange=yes \
781 -o GSSAPIClientIdentity=lha@@KTH.SE \
787 @node Cross realm, Transit policy, Credential cache server - KCM, Setting up a realm
791 Suppose you reside in the realm @samp{MY.REALM}, how do you
792 authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
793 @samp{MY.REALM} allows you to communicate with Kerberised services in that
794 realm. However, the computer in the other realm does not have a secret
795 key shared with the Kerberos server in your realm.
797 It is possible to share keys between two realms that trust each
798 other. When a client program, such as @command{telnet} or @command{ssh},
799 finds that the other computer is in a different realm, it will try to
800 get a ticket granting ticket for that other realm, but from the local
801 Kerberos server. With that ticket granting ticket, it will then obtain
802 service tickets from the Kerberos server in the other realm.
804 For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM}
805 add the following principals to each realm. The principals should be
806 @samp{krbtgt/OTHER.REALM@@MY.REALM} and
807 @samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and
808 @samp{krbtgt/MY.REALM@@OTHER.REALM} and
809 @samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}.
811 In Kerberos 5 the trust can be configured to be one way. So that
812 users from @samp{MY.REALM} can authenticate to services in
813 @samp{OTHER.REALM}, but not the opposite. In the example above, the
814 @samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed.
816 The two principals must have the same key, key version number, and the
817 same set of encryption types. Remember to transfer the two keys in a
822 Credentials cache: FILE:/tmp/krb5cc_913.console
823 Principal: lha@@E.KTH.SE
825 Issued Expires Principal
826 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
828 vr$ telnet -l lha hummel.it.su.se
829 Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
830 Connected to hummel.it.su.se.
831 Escape character is '^]'.
832 Waiting for encryption to be negotiated...
833 [ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ]
834 [ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ]
835 Encryption negotiated.
836 Last login: Sat May 3 14:11:47 from vr.l.nxs.se
840 Credentials cache: FILE:/tmp/krb5cc_913.console
841 Principal: lha@@E.KTH.SE
843 Issued Expires Principal
844 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
845 May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE
846 May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
850 @node Transit policy, Setting up DNS, Cross realm, Setting up a realm
851 @section Transit policy
852 @cindex Transit policy
854 Under some circumstances, you may not wish to set up direct
855 cross-realm trust with every realm to which you wish to authenticate
856 or from which you wish to accept authentications. Kerberos supports
857 multi-hop cross-realm trust where a client principal in realm A
858 authenticates to a service in realm C through a realm B with which
859 both A and C have cross-realm trust relationships. In this situation,
860 A and C need not set up cross-realm principals between each other.
862 If you want to use cross-realm authentication through an intermediate
863 realm, it must be explicitly allowed by either the KDCs for the realm
864 to which the client is authenticating (in this case, realm C), or the
865 server receiving the request. This is done in @file{krb5.conf} in the
866 @code{[capaths]} section.
868 In addition, the client in realm A need to be configured to know how
869 to reach realm C via realm B. This can be done either on the client or
870 via KDC configuration in the KDC for realm A.
872 @subsection Allowing cross-realm transits
874 When the ticket transits through a realm to another realm, the
875 destination realm adds its peer to the "transited-realms" field in the
876 ticket. The field is unordered, since there is no way to know if know
877 if one of the transited-realms changed the order of the list. For the
878 authentication to be accepted by the final destination realm, all of
879 the transited realms must be listed as trusted in the @code{[capaths]}
880 configuration, either in the KDC for the destination realm or on the
881 server receiving the authentication.
883 The syntax for @code{[capaths]} section is:
888 SERVER-REALM = PERMITTED-CROSS-REALMS ...
892 In the following example, the realm @code{STACKEN.KTH.SE} only has
893 direct cross-realm set up with @code{KTH.SE}. @code{KTH.SE} has
894 direct cross-realm set up with @code{STACKEN.KTH.SE} and @code{SU.SE}.
895 @code{DSV.SU.SE} only has direct cross-realm set up with @code{SU.SE}.
896 The goal is to allow principals in the @code{DSV.SU.SE} or
897 @code{SU.SE} realms to authenticate to services in
898 @code{STACKEN.KTH.SE}. This is done with the following
899 @code{[capaths]} entry on either the server accepting authentication
900 or on the KDC for @code{STACKEN.KTH.SE}.
905 STACKEN.KTH.SE = KTH.SE
908 STACKEN.KTH.SE = SU.SE KTH.SE
912 The first entry allows cross-realm authentication from clients in
913 @code{SU.SE} transiting through @code{KTH.SE} to
914 @code{STACKEN.KTH.SE}. The second entry allows cross-realm
915 authentication from clients in @code{DSV.SU.SE} transiting through
916 both @code{SU.SE} and @code{KTH.SE} to @code{STACKEN.KTH.SE}.
918 Be careful of which realm goes where; it's easy to put realms in the
919 wrong place. The block is tagged with the client realm (the realm of
920 the principal authenticating), and the realm before the equal sign is
921 the final destination realm: the realm to which the client is
922 authenticating. After the equal sign go all the realms that the
923 client transits through.
925 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
926 doing transit cross realm verification.
928 @subsection Configuring client cross-realm transits
930 The @code{[capaths]} section is also used for another purpose: to tell
931 clients which realm to transit through to reach a realm with which
932 their local realm does not have cross-realm trust. This can be done
933 by either putting a @code{[capaths]} entry in the configuration of the
934 client or by putting the entry in the configuration of the KDC for the
935 client's local realm. In the latter case, the KDC will then hand back
936 a referral to the client when the client requests a cross-realm ticket
937 to the destination realm, telling the client to try to go through an
940 For client configuration, the order of @code{PERMITTED-CROSS-REALMS}
941 is significant, since only the first realm in this section (after the
942 equal sign) is used by the client.
944 For example, again consider the @code{[capaths]} entry above for the
945 case of a client in the @code{SU.SE} realm, and assume that the client
946 or the @code{SU.SE} KDC has that @code{[capaths]} entry. If the
947 client attempts to authenticate to a service in the
948 @code{STACKEN.KTH.SE} realm, that entry says to first authenticate
949 cross-realm to the @code{KTH.SE} realm (the first realm listed in the
950 @code{PERMITTED-CROSS-REALMS} section), and then from there to
951 @code{STACKEN.KTH.SE}.
953 Each entry in @code{[capaths]} can only give the next hop, since only
954 the first realm in @code{PERMITTED-CROSS-REALMS} is used. If, for
955 instance, a client in @code{DSV.SU.SE} had a @code{[capaths]}
956 configuration as above but without the first block for @code{SU.SE},
957 they would not be able to reach @code{STACKEN.KTH.SE}. They would get
958 as far as @code{SU.SE} based on the @code{DSV.SU.SE} entry in
959 @code{[capaths]} and then attempt to go directly from there to
960 @code{STACKEN.KTH.SE} and get stuck (unless, of course, the
961 @code{SU.SE} KDC had the additional entry required to tell the client
962 to go through @code{KTH.SE}).
964 @subsection Active Directory forest example
966 One common place where a @code{[capaths]} configuration is desirable
967 is with Windows Active Directory forests. One common Active Directory
968 configuration is to have one top-level Active Directory realm but then
969 divide systems, services, and users into child realms (perhaps based
970 on organizational unit). One generally establishes cross-realm trust
971 only with the top-level realm, and then uses transit policy to permit
972 authentications to and from the child realms.
974 For example, suppose an organization has a Heimdal realm
975 @code{EXAMPLE.COM}, a Windows Active Directory realm
976 @code{WIN.EXAMPLE.COM}, and then child Active Directory realms
977 @code{ENGR.WIN.EXAMPLE.COM} and @code{SALES.WIN.EXAMPLE.COM}. The
978 goal is to allow users in any of these realms to authenticate to
979 services in any of these realms. The @code{EXAMPLE.COM} KDC (and
980 possibly client) configuration should therefore contain a
981 @code{[capaths]} section as follows:
985 ENGR.WIN.EXAMPLE.COM = @{
986 EXAMPLE.COM = WIN.EXAMPLE.COM
988 SALES.WIN.EXAMPLE.COM = @{
989 EXAMPLE.COM = WIN.EXAMPLE.COM
992 ENGR.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM
993 SALES.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM
997 The first two blocks allow clients in the @code{ENGR.WIN.EXAMPLE.COM}
998 and @code{SALES.WIN.EXAMPLE.COM} realms to authenticate to services in
999 the @code{EXAMPLE.COM} realm. The third block tells the client (or
1000 tells the KDC to tell the client via referrals) to transit through
1001 @code{WIN.EXAMPLE.COM} to reach these realms. Both sides of the
1002 configuration are needed for bi-directional transited cross-realm
1005 @c To test the cross realm configuration, use:
1006 @c kmumble transit-check client server transit-realms ...
1008 @node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
1009 @section Setting up DNS
1010 @cindex Setting up DNS
1012 @subsection Using DNS to find KDC
1014 If there is information about where to find the KDC or kadmind for a
1015 realm in the @file{krb5.conf} for a realm, that information will be
1016 preferred, and DNS will not be queried.
1018 Heimdal will try to use DNS to find the KDCs for a realm. First it
1019 will try to find a @code{SRV} resource record (RR) for the realm. If no
1020 SRV RRs are found, it will fall back to looking for an @code{A} RR for
1021 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
1023 Adding this information to DNS minimises the client configuration (in
1024 the common case, resulting in no configuration needed) and allows the
1025 system administrator to change the number of KDCs and on what machines
1026 they are running without caring about clients.
1028 The downside of using DNS is that the client might be fooled to use the
1029 wrong server if someone fakes DNS replies/data, but storing the IP
1030 addresses of the KDC on all the clients makes it very hard to change
1033 An example of the configuration for the realm @code{EXAMPLE.COM}:
1037 $ORIGIN example.com.
1038 _kerberos._tcp SRV 10 1 88 kerberos.example.com.
1039 _kerberos._udp SRV 10 1 88 kerberos.example.com.
1040 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
1041 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
1042 _kpasswd._udp SRV 10 1 464 kerberos.example.com.
1043 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
1047 More information about DNS SRV resource records can be found in
1048 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
1050 @subsection Using DNS to map hostname to Kerberos realm
1052 Heimdal also supports a way to lookup a realm from a hostname. This to
1053 minimise configuration needed on clients. Using this has the drawback
1054 that clients can be redirected by an attacker to realms within the
1055 same cross realm trust and made to believe they are talking to the
1056 right server (since Kerberos authentication will succeed).
1058 An example configuration that informs clients that for the realms
1059 it.example.com and srv.example.com, they should use the realm
1064 $ORIGIN example.com.
1065 _kerberos.it TXT "EXAMPLE.COM"
1066 _kerberos.srv TXT "EXAMPLE.COM"
1070 @node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
1071 @section Using LDAP to store the database
1072 @cindex Using the LDAP backend
1074 This document describes how to install the LDAP backend for
1075 Heimdal. Note that before attempting to configure such an
1076 installation, you should be aware of the implications of storing
1077 private information (such as users' keys) in a directory service
1078 primarily designed for public information. Nonetheless, with a
1079 suitable authorisation policy, it is possible to set this up in a
1080 secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to
1081 install this backend. The HDB schema was devised by Leif Johansson.
1083 This assumes, OpenLDAP 2.3 or later.
1090 A current release of Heimdal, configured with
1091 @code{--with-openldap=/usr/local} (adjust according to where you have
1092 installed OpenLDAP).
1094 You can verify that you manage to configure LDAP support by running
1095 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
1098 Its also possible to configure the ldap backend as a shared module,
1099 see option --hdb-openldap-module to configure.
1102 Optionally configure OpenLDAP with @kbd{--enable-local} to enable the
1106 Add the hdb schema to the LDAP server, it's included in the source-tree
1107 in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
1110 include /usr/local/etc/openldap/schema/hdb.schema
1114 Configure the LDAP server ACLs to accept writes from clients. For
1119 by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write
1122 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth''
1123 "uid=heimdal,dc=services,dc=example,dc=com"
1127 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
1128 a tree. The user that the key is mapped to should be have a
1129 krb5Principal aux object with krb5PrincipalName set so that the
1130 ``creator'' and ``modifier'' is right in @file{kadmin}.
1132 Another option is to create an admins group and add the dn to that
1135 If a non-local LDAP connection is used, the authz-regexp is not
1136 needed as Heimdal will bind to LDAP over the network using
1137 provided credentials.
1139 Since Heimdal talks to the LDAP server over a UNIX domain socket when
1140 configured for ldapi:///, and uses external sasl authentication, it's
1141 not possible to require security layer quality (ssf in cyrus-sasl lingo).
1142 So that requirement has to be turned off in OpenLDAP @command{slapd}
1147 sasl-secprops minssf=0
1152 Start @command{slapd} with the local listener (as well as the default TCP/IP
1153 listener on port 389) as follows:
1156 slapd -h "ldapi:/// ldap:///"
1159 Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key
1160 binary attribute on shutdown. This may be related to our use of the V3
1161 schema definition syntax instead of the old UMich-style, V2 syntax.
1164 You should specify the distinguished name under which your
1165 principals will be stored in @file{krb5.conf}. Also you need to
1166 enter the path to the kadmin acl file:
1171 # Optional configuration
1172 hdb-ldap-structural-object = inetOrgPerson
1173 hdb-ldap-url = ldapi:/// (default), ldap://hostname or ldaps://hostname
1174 hdb-ldap-secret-file = /path/to/file/containing/ldap/credentials
1175 hdb-ldap-start-tls = false
1178 dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
1179 acl_file = /path/to/kadmind.acl
1180 mkey_file = /path/to/mkey
1184 @samp{mkey_file} can be excluded if you feel that you trust your ldap
1185 directory to have the raw keys inside it. The
1186 hdb-ldap-structural-object is not necessary if you do not need Samba
1189 If connecting to a server over a non-local transport, the @samp{hdb-ldap-url}
1190 and @samp{hdb-ldap-secret-file} options must be provided. The
1191 @samp{hdb-ldap-secret-file} must contain the bind credentials:
1195 hdb-ldap-bind-dn = uid=heimdal,dc=services,dc=example,dc=com
1196 hdb-ldap-bind-password = secretBindPassword
1199 The @samp{hdb-ldap-secret-file} and should be protected with appropriate
1203 Once you have built Heimdal and started the LDAP server, run kadmin
1204 (as usual) to initialise the database. Note that the instructions for
1205 stashing a master key are as per any Heimdal installation.
1209 kadmin> init EXAMPLE.COM
1210 Realm max ticket life [unlimited]:
1211 Realm max renewable ticket life [unlimited]:
1213 Max ticket life [1 day]:
1214 Max renewable life [1 week]:
1215 Principal expiration time [never]:
1216 Password expiration time [never]:
1218 lukeh@@EXAMPLE.COM's Password:
1219 Verifying password - lukeh@@EXAMPLE.COM's Password:
1223 Verify that the principal database has indeed been stored in the
1224 directory with the following command:
1227 kdc# ldapsearch -L -h localhost -D cn=manager \
1228 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1229 'objectclass=krb5KDCEntry'
1233 Now consider adding indexes to the database to speed up the access, at
1234 least theses should be added to slapd.conf.
1237 index objectClass eq
1238 index cn eq,sub,pres
1239 index uid eq,sub,pres
1240 index displayName eq,sub,pres
1241 index krb5PrincipalName eq
1246 @subsection smbk5pwd overlay
1248 The smbk5pwd overlay, updates the krb5Key and krb5KeyVersionNumber
1249 appropriately when it receives an LDAP Password change Extended
1252 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0}
1254 @subsection Troubleshooting guide
1256 @url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide}
1259 @subsection Using Samba LDAP password database
1262 @c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
1263 @c @section Using Samba LDAP password database
1265 The Samba domain and the Kerberos realm can have different names since
1266 arcfour's string to key functions principal/realm independent. So now
1267 will be your first and only chance name your Kerberos realm without
1268 needing to deal with old configuration files.
1270 First, you should set up Samba and get that working with LDAP backend.
1272 Now you can proceed as in @xref{Using LDAP to store the database}.
1273 Heimdal will pick up the Samba LDAP entries if they are in the same
1274 search space as the Kerberos entries.
1276 @node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
1277 @section Providing Kerberos credentials to servers and programs
1279 Some services require Kerberos credentials when they start to make
1280 connections to other services or need to use them when they have started.
1282 The easiest way to get tickets for a service is to store the key in a
1283 keytab. Both ktutil get and kadmin ext can be used to get a
1284 keytab. ktutil get is better in that way it changes the key/password
1285 for the user. This is also the problem with ktutil. If ktutil is used
1286 for the same service principal on several hosts, they keytab will only
1287 be useful on the last host. In that case, run the extract command on
1288 one host and then securely copy the keytab around to all other hosts
1292 host# ktutil -k /etc/krb5-service.keytab \
1293 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1294 lha/admin@@EXAMPLE.ORG's Password:
1297 To get a Kerberos credential file for the service, use kinit in the
1298 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1299 key from the keytab.
1302 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1303 --keytab=/etc/krb5-service.keytab \
1304 service-principal@@EXAMPLE.ORG
1307 Long running services might need credentials longer then the
1308 expiration time of the tickets. kinit can run in a mode that refreshes
1309 the tickets before they expire. This is useful for services that write
1310 into AFS and other distributed file systems using Kerberos. To run the
1311 long running script, just append the program and arguments (if any)
1312 after the principal. kinit will stop refreshing credentials and remove
1313 the credentials when the script-to-start-service exits.
1316 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1317 --keytab=/etc/krb5-service.keytab \
1318 service-principal@@EXAMPLE.ORG \
1319 script-to-start-service argument1 argument2
1323 @node Setting up PK-INIT, Debugging Kerberos problems, Providing Kerberos credentials to servers and programs, Setting up a realm
1324 @section Setting up PK-INIT
1326 PK-INIT leverages an existing PKI (public key infrastructure), using
1327 certificates to get the initial ticket (usually the krbtgt
1328 ticket-granting ticket).
1330 To use PK-INIT you must first have a PKI. If you don't have one, it is
1331 time to create it. You should first read the whole current chapter of
1332 the document to see the requirements imposed on the CA software.
1334 A mapping between the PKI certificate and what principals that
1335 certificate is allowed to use must exist. There are several ways to do
1336 this. The administrator can use a configuration file, store the
1337 principal in the SubjectAltName extension of the certificate, or store
1338 the mapping in the principals entry in the kerberos database.
1340 @section Certificates
1342 This and following subsection documents the requirements on the KDC
1343 and client certificates and the format used in the id-pkinit-san
1344 OtherName extension.
1346 On how to create certificates, you should read @ref{Use OpenSSL to
1347 create certificates}.
1349 @subsection KDC certificate
1351 The certificate for the KDC has several requirements.
1353 First, the certificate should have an Extended Key Usage (EKU)
1354 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
1355 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
1356 the type field and a DER encoded KRB5PrincipalName that matches the
1357 name of the TGS of the target realm. Also, if the certificate has a
1358 nameConstraints extension with a Generalname with dNSName or iPAdress,
1359 it must match the hostname or adress of the KDC.
1361 The client is not required by the standard to check the server
1362 certificate for this information if the client has external
1363 information confirming which certificate the KDC is supposed to be
1364 using. However, adding this information to the KDC certificate removes
1365 the need to specially configure the client to recognize the KDC
1368 Remember that if the client would accept any certificate as the KDC's
1369 certificate, the client could be fooled into trusting something that
1370 isn't a KDC and thus expose the user to giving away information (like
1371 a password or other private information) that it is supposed to keep
1374 @subsection Client certificate
1376 The client certificate may need to have a EKU id-pkekuoid
1377 (1.3.6.1.5.2.3.4) set depending on the configuration on the KDC.
1379 It possible to store the principal (if allowed by the KDC) in the
1380 certificate and thus delegate responsibility to do the mapping between
1381 certificates and principals to the CA.
1383 This behavior is controlled by KDC configuration option:
1387 pkinit_principal_in_certificate = yes
1390 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1392 The OtherName extension in the GeneralName is used to do the mapping
1393 between certificate and principal. For the KDC certificate, this
1394 stores the krbtgt principal name for that KDC. For the client
1395 certificate, this stores the principal for which that certificate is
1396 allowed to get tickets.
1398 The principal is stored in a SubjectAltName in the certificate using
1399 OtherName. The OID in the type is id-pkinit-san.
1402 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1403 internet (1) security (5) kerberosv5 (2) 2 @}
1406 The data part of the OtherName is filled with the following DER
1407 encoded ASN.1 structure:
1410 KRB5PrincipalName ::= SEQUENCE @{
1412 principalName [1] PrincipalName
1416 where Realm and PrincipalName is defined by the Kerberos ASN.1
1419 @section Naming certificate using hx509
1421 hx509 is the X.509 software used in Heimdal to handle
1422 certificates. hx509 supports several different syntaxes for specifying
1423 certificate files or formats. Several formats may be used: PEM,
1424 certificates embedded in PKCS#12 files, certificates embedded in
1425 PKCS#11 devices, and raw DER encoded certificates.
1427 Those formats may be specified as follows:
1433 DIR specifies a directory which contains certificates in the DER or
1436 The main feature of DIR is that the directory is read on demand when
1437 iterating over certificates. This allows applications, in some
1438 situations, to avoid having to store all certificates in memory. It's
1439 very useful for tests that iterate over large numbers of certificates.
1444 DIR:/path/to/der/files
1449 FILE: specifies a file that contains a certificate or private key.
1450 The file can be either a PEM (openssl) file or a raw DER encoded
1451 certificate. If it's a PEM file, it can contain several keys and
1452 certificates and the code will try to match the private key and
1453 certificate together. Multiple files may be specified, separated by
1456 It's useful to have one PEM file that contains all the trust anchors.
1461 FILE:certificate.pem,private-key.key,other-cert.pem,....
1466 PKCS11: is used to handle smartcards via PKCS#11 drivers, such as
1467 soft-token, opensc, or muscle. The argument specifies a shared object
1468 that implements the PKCS#11 API. The default is to use all slots on
1474 PKCS11:shared-object.so
1479 PKCS12: is used to handle PKCS#12 files. PKCS#12 files commonly have
1480 the extension pfx or p12.
1485 PKCS12:/path/to/file.pfx
1490 @section Configure the Kerberos software
1492 First configure the client's trust anchors and what parameters to
1493 verify. See the subsections below for how to do that. Then, you can
1494 use kinit to get yourself tickets. For example:
1497 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1498 Enter your private key passphrase:
1499 : lha@@nutcracker ; klist
1500 Credentials cache: FILE:/tmp/krb5cc_19100a
1501 Principal: lha@@EXAMPLE.ORG
1503 Issued Expires Principal
1504 Apr 20 02:08:08 Apr 20 12:08:08 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1507 Using PKCS#11 it can look like this instead:
1510 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1511 PIN code for SoftToken (slot):
1513 Credentials cache: API:4
1514 Principal: lha@@EXAMPLE.ORG
1516 Issued Expires Principal
1517 Mar 26 23:40:10 Mar 27 09:40:10 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1520 @section Configure the client
1524 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1528 pkinit_require_eku = true
1529 pkinit_require_krbtgt_otherName = true
1531 pkinit_win2k_require_binding = yes
1536 @section Configure the KDC
1538 Configuration options for the KDC.
1541 @item enable-pkinit = bool
1543 Enable PKINIT for this KDC.
1545 @item pkinit_identity = string
1547 Identity that the KDC will use when talking to clients. Mandatory.
1549 @item pkinit_anchors = string
1551 Trust anchors that the KDC will use when evaluating the trust of the
1552 client certificate. Mandatory.
1554 @item pkinit_pool = strings ...
1556 Extra certificate the KDC will use when building trust chains if it
1557 can't find enough certificates in the request from the client.
1559 @item pkinit_allow_proxy_certificate = bool
1561 Allow clients to use proxy certificates. The root certificate
1562 of the client's End Entity certificate is used for authorisation.
1564 @item pkinit_win2k_require_binding = bool
1566 Require windows clients up be upgrade to not allow cut and paste
1567 attack on encrypted data, applies to Windows XP and windows 2000
1570 @item pkinit_principal_in_certificate = bool
1572 Enable the KDC to use id-pkinit-san to determine to determine the
1573 mapping between a certificate and principal.
1580 pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
1581 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1582 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1583 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1584 pkinit_allow_proxy_certificate = no
1585 pkinit_win2k_require_binding = yes
1586 pkinit_principal_in_certificate = no
1589 @subsection Using pki-mapping file
1591 Note that the file contents are space sensitive.
1594 # cat /var/heimdal/pki-mapping
1595 # comments starts with #
1596 lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
1597 lha@@EXAMPLE.ORG:CN=Love,UID=lha
1600 @subsection Using the Kerberos database
1602 You can also store the subject of the certificate in the principal
1603 entry in the kerberos database.
1606 kadmin modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" user@@REALM
1609 @section Use hxtool to create certificates
1611 @subsection Generate certificates
1613 First, you need to generate a CA certificate. This example creates a
1614 CA certificate that will be valid for 10 years.
1616 You need to change --subject in the command below to something
1617 appropriate for your site.
1620 hxtool issue-certificate \
1623 --generate-key=rsa \
1624 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1625 --lifetime=10years \
1626 --certificate="FILE:ca.pem"
1629 The KDC needs to have a certificate, so generate a certificate of the
1630 type ``pkinit-kdc'' and set the PK-INIT specifial SubjectAltName to the
1631 name of the krbtgt of the realm.
1633 You need to change --subject and --pk-init-principal in the command
1634 below to something appropriate for your site.
1637 hxtool issue-certificate \
1638 --ca-certificate=FILE:ca.pem \
1639 --generate-key=rsa \
1640 --type="pkinit-kdc" \
1641 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1642 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1643 --certificate="FILE:kdc.pem"
1646 The users also needs to have certificates. For your first client,
1647 generate a certificate of type ``pkinit-client''. The client doesn't
1648 need to have the PK-INIT SubjectAltName set; you can have the Subject
1649 DN in the ACL file (pki-mapping) instead.
1651 You need to change --subject and --pk-init-principal in the command
1652 below to something appropriate for your site. You can omit
1653 --pk-init-principal if you're going to use the ACL file instead.
1656 hxtool issue-certificate \
1657 --ca-certificate=FILE:ca.pem \
1658 --generate-key=rsa \
1659 --type="pkinit-client" \
1660 --pk-init-principal="lha@@TEST.H5L.SE" \
1661 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1662 --certificate="FILE:user.pem"
1665 @subsection Validate the certificate
1667 hxtool also contains a tool that will validate certificates according
1668 to rules from the PKIX document. These checks are not complete, but
1669 they provide a good test of whether you got all of the basic bits
1670 right in your certificates.
1673 hxtool validate FILE:user.pem
1676 @section Use OpenSSL to create certificates
1677 @anchor{Use OpenSSL to create certificates}
1679 This section tries to give the CA owners hints how to create
1680 certificates using OpenSSL (or CA software based on OpenSSL).
1682 @subsection Using OpenSSL to create certificates with krb5PrincipalName
1684 To make OpenSSL create certificates with krb5PrincipalName, use an
1685 @file{openssl.cnf} as described below. To see a complete example of
1686 creating client and KDC certificates, see the test-data generation
1687 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1688 certicates it creates are used to test the PK-INIT functionality in
1689 @file{tests/kdc/check-kdc.in}.
1691 To use this example you have to use OpenSSL 0.9.8a or later.
1696 subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
1699 realm = EXP:0, GeneralString:MY.REALM
1700 principal_name = EXP:1, SEQUENCE:principal_seq
1703 name_type = EXP:0, INTEGER:1
1704 name_string = EXP:1, SEQUENCE:principals
1707 princ1 = GeneralString:userid
1714 openssl x509 -extensions user_certificate
1715 openssl ca -extensions user_certificate
1719 @c --- ms certificate
1722 @c msCertificateTemplateName = 1.3.6.1.4.1.311.20.2
1725 @c [ req_smartcard ]
1726 @c keyUsage = digitalSignature, keyEncipherment
1727 @c extendedKeyUsage = msSmartcardLogin, clientAuth
1728 @c msCertificateTemplateName = ASN1:BMP:SmartcardLogon
1729 @c subjectAltName = otherName:msUPN;UTF8:lukeh@dsg.padl.com
1730 @c #subjectAltName = email:copy
1733 @section Using PK-INIT with Windows
1735 @subsection Client configration
1737 Clients using a Windows KDC with PK-INIT need configuration since
1738 windows uses pre-standard format and this can't be autodetected.
1740 The pkinit_win2k_require_binding option requires the reply for the KDC
1741 to be of the new, secure, type that binds the request to
1742 reply. Before, clients could fake the reply from the KDC. To use this
1743 option you have to apply a fix from Microsoft.
1749 pkinit_win2k_require_binding = no
1753 @subsection Certificates
1755 The client certificates need to have the extended keyusage ``Microsoft
1756 Smartcardlogin'' (openssl has the OID shortname msSmartcardLogin).
1758 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1759 Smart Card Logon with Third-Party Certification Authorities'' for a
1760 more extensive description of how set setup an external CA so that it
1761 includes all the information required to make a Windows KDC happy.
1763 @subsection Configure Windows 2000 CA
1765 To enable Microsoft Smartcardlogin for certificates in your Windows
1766 2000 CA, you want to look at Microsoft Knowledge Base Article - 313274
1767 ``HOW TO: Configure a Certification Authority to Issue Smart Card
1768 Certificates in Windows''.
1770 @node Debugging Kerberos problems, , Setting up PK-INIT, Setting up a realm
1771 @section Debugging Kerberos problems
1773 To debug Kerberos client and server problems you can enable debug
1774 tracing by adding the following to @file{/etc/krb5.conf}. Note that the
1775 trace logging is sparse at the moment, but will continue to improve.
1779 libkrb5 = 0-/SYSLOG: