3 @node Setting up a realm, Applications, Building and Installing, Top
5 @chapter Setting up a realm
9 realm is an administrative domain. The name of a Kerberos realm is
10 usually the Internet domain name in uppercase. Call your realm the same
11 as your Internet domain name if you do not have strong reasons for not
12 doing so. It will make life easier for you and everyone else.
15 * Configuration file::
16 * Creating the database::
17 * Modifying the database::
18 * Checking the setup::
20 * Serving Kerberos 4/524/kaserver::
21 * Remote administration::
23 * Testing clients and servers::
25 * Incremental propagation::
26 * Encryption types and salting::
30 * Using LDAP to store the database::
31 * Providing Kerberos credentials to servers and programs::
32 * Setting up PK-INIT::
35 @node Configuration file, Creating the database, Setting up a realm, Setting up a realm
36 @section Configuration file
38 To setup a realm you will first have to create a configuration file:
39 @file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
40 configuration options, some of which are described here.
42 There is a sample @file{krb5.conf} supplied with the distribution.
44 The configuration file is a hierarchical structure consisting of
45 sections, each containing a list of bindings (either variable
46 assignments or subsections). A section starts with
47 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
48 (@samp{=}) and a right hand side (the left hand side tag must be
49 separated from the equal sign with some whitespace). Subsections have a
50 @samp{@{} as the first non-whitespace character after the equal sign. All
51 other bindings are treated as variable assignments. The value of a
52 variable extends to the end of the line.
58 other-var = value with @{@}
63 var = some other value
65 var = yet another value
68 In this manual, names of sections and bindings will be given as strings
69 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
70 be @samp{section1/a-subsection/other-var}.
72 For in-depth information about the contents of the configuration file, refer to
73 the @file{krb5.conf} manual page. Some of the more important sections
74 are briefly described here.
76 The @samp{libdefaults} section contains a list of library configuration
77 parameters, such as the default realm and the timeout for KDC
78 responses. The @samp{realms} section contains information about specific
79 realms, such as where they hide their KDC@. This section serves the same
80 purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
81 information. Finally the @samp{domain_realm} section contains a list of
82 mappings from domains to realms, equivalent to the Kerberos 4
83 @file{krb.realms} file.
85 To continue with the realm setup, you will have to create a configuration file,
86 with contents similar to the following.
90 default_realm = MY.REALM
93 kdc = my.kdc my.slave.kdc
96 kdc = [2001:6b0:1:ea::100]:88
103 If you use a realm name equal to your domain name, you can omit the
104 @samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS
105 SRV-record for your realm, or your Kerberos server has DNS CNAME
106 @samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
108 @node Creating the database, Modifying the database, Configuration file, Setting up a realm
109 @section Creating the database
111 The database library will look for the database in the directory
112 @file{@value{dbdir}}, so you should probably create that directory.
113 Make sure the directory has restrictive permissions.
119 The keys of all the principals are stored in the database. If you
120 choose to, these can be encrypted with a master key. You do not have to
121 remember this key (or password), but just to enter it once and it will
122 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
123 master key, run @samp{kstash} to create this master key:
128 Verifying password - Master key:
131 If you want to generate a random master key you can use the
132 @kbd{--random-key} flag to kstash. This will make sure you have a good key
133 on which attackers can't do a dictionary attack.
135 If you have a master key, make sure you make a backup of your master
136 key file; without it backups of the database are of no use.
138 To initialise the database use the @command{kadmin} program, with the
139 @kbd{-l} option (to enable local database mode). First issue a
140 @kbd{init MY.REALM} command. This will create the database and insert
141 default principals for that realm. You can have more than one realm in
142 one database, so @samp{init} does not destroy any old database.
144 Before creating the database, @samp{init} will ask you some questions
145 about maximum ticket lifetimes.
147 After creating the database you should probably add yourself to it. You
148 do this with the @samp{add} command. It takes as argument the name of a
149 principal. The principal should contain a realm, so if you haven't set up
150 a default realm, you will need to explicitly include the realm.
154 kadmin> init MY.REALM
155 Realm max ticket life [unlimited]:
156 Realm max renewable ticket life [unlimited]:
158 Max ticket life [unlimited]:
159 Max renewable life [unlimited]:
162 Verifying password - Password:
165 Now start the KDC and try getting a ticket.
170 me@@MY.REALMS's Password:
172 Credentials cache: /tmp/krb5cc_0
173 Principal: me@@MY.REALM
175 Issued Expires Principal
176 Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM
179 If you are curious you can use the @samp{dump} command to list all the
180 entries in the database. It should look something similar to the
181 following example (note that the entries here are truncated for
182 typographical reasons):
186 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
187 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
188 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
189 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
192 @node Modifying the database, Checking the setup, Creating the database, Setting up a realm
193 @section Modifying the database
195 All modifications of principals are done with with kadmin.
197 A principal has several attributes and lifetimes associated with it.
199 Principals are added, renamed, modified, and deleted with the kadmin
200 commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}.
201 Both interactive editing and command line flags can be used (use --help
202 to list the available options).
204 There are different kinds of types for the fields in the database;
205 attributes, absolute time times and relative times.
207 @subsection Attributes
209 When doing interactive editing, attributes are listed with @samp{?}.
211 The attributes are given in a comma (@samp{,}) separated list.
212 Attributes are removed from the list by prefixing them with @samp{-}.
216 Max ticket life [1 day]:
217 Max renewable life [1 week]:
218 Principal expiration time [never]:
219 Password expiration time [never]:
220 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
222 Principal: me@@MY.REALM
224 Attributes: requires-pre-auth
227 @subsection Absolute times
229 The format for absolute times are any of the following:
239 @subsection Relative times
241 The format for relative times are any of the following combined:
252 @c Describe more of kadmin commands here...
254 @node Checking the setup, keytabs, Modifying the database, Setting up a realm
255 @section Checking the setup
257 There are two tools that can check the consistency of the Kerberos
258 configuration file and the Kerberos database.
260 The Kerberos configuration file is checked using
261 @command{verify_krb5_conf}. The tool checks for common errors, but
262 commonly there are several uncommon configuration entries that are
263 never added to the tool and thus generates ``unknown entry'' warnings.
264 This is usually nothing to worry about.
266 The database check is built into the kadmin tool. It will check for
267 common configuration error that will cause problems later. Common
268 check are for existence and flags on important principals. The
269 database check by run by the following command :
272 kadmin check REALM.EXAMPLE.ORG
275 @node keytabs, Serving Kerberos 4/524/kaserver, Checking the setup, Setting up a realm
278 To extract a service ticket from the database and put it in a keytab, you
279 need to first create the principal in the database with @samp{ank}
280 (using the @kbd{--random-key} flag to get a random key) and then
281 extract it with @samp{ext_keytab}.
284 kadmin> add --random-key host/my.host.name
285 Max ticket life [unlimited]:
286 Max renewable life [unlimited]:
288 kadmin> ext host/my.host.name
291 Version Type Principal
292 1 des-cbc-md5 host/my.host.name@@MY.REALM
293 1 des-cbc-md4 host/my.host.name@@MY.REALM
294 1 des-cbc-crc host/my.host.name@@MY.REALM
295 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
298 @node Serving Kerberos 4/524/kaserver, Remote administration, keytabs, Setting up a realm
299 @section Serving Kerberos 4/524/kaserver
301 Heimdal can be configured to support 524, Kerberos 4 or kaserver. All
302 these services are turned off by default. Kerberos 4 is always
303 supported by the KDC, but the Kerberos 4 client support also depends
304 on Kerberos 4 support having been included at compile-time, using
305 @kbd{--with-krb4=dir}.
309 524 is a service that allows the KDC to convert Kerberos 5 tickets to
310 Kerberos 4 tickets for backward compatibility. See also Using 2b
311 tokens with AFS in @xref{AFS}.
313 524 can be turned on by adding this to the configuration file
320 @subsection Kerberos 4
322 Kerberos 4 is the predecessor to to Kerberos 5. It only supports
323 single DES@. You should only enable Kerberos 4 support if you have
324 needs for compatibility with an installed base of Kerberos 4
327 Kerberos 4 can be turned on by adding this to the configuration file
331 enable-kerberos4 = yes
336 Kaserver is a Kerberos 4 that is used in AFS@. The protocol has some
337 extra features over plain Kerberos 4, but like Kerberos 4, only uses
340 You should only enable Kaserver support if you have needs for
341 compatibility with an installed base of AFS machines.
343 Kaserver can be turned on by adding this to the configuration file
347 enable-kaserver = yes
350 @node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm
351 @section Remote administration
353 The administration server, @command{kadmind}, can be started by
354 @command{inetd} (which isn't recommended) or run as a normal daemon. If you
355 want to start it from @command{inetd} you should add a line similar to the
356 one below to your @file{/etc/inetd.conf}.
359 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
362 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
365 Access to the administration server is controlled by an ACL file,
366 (default @file{/var/heimdal/kadmind.acl}.) The file has the following
369 principal [priv1,priv2,...] [glob-pattern]
372 The matching is from top to bottom for matching principals (and if given,
373 glob-pattern). When there is a match, the access rights of that line are
376 The privileges you can assign to a principal are: @samp{add},
377 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
378 @samp{get}, @samp{list}, and @samp{modify}, or the special privilege
379 @samp{all}. All of these roughly correspond to the different commands
382 If a @var{glob-pattern} is given on a line, it restricts the access
383 rights for the principal to only apply for subjects that match the
384 pattern. The patterns are of the same type as those used in shell
385 globbing, see @url{none,,fnmatch(3)}.
387 In the example below @samp{lha/admin} can change every principal in the
388 database. @samp{jimmy/admin} can only modify principals that belong to
389 the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
390 help desk, so he should only be able to change the passwords for single
391 component principals (ordinary users). He will not be able to change any
392 @samp{/admin} principal.
395 lha/admin@@E.KTH.SE all
396 jimmy/admin@@E.KTH.SE all *@@E.KTH.SE
397 jimmy/admin@@E.KTH.SE all */*@@E.KTH.SE
398 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
401 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
402 @section Password changing
404 To allow users to change their passwords, you should run @command{kpasswdd}.
405 It is not run from @command{inetd}.
407 You might need to add @samp{kpasswd} to your @file{/etc/services} as
410 @subsection Password quality assurance
412 It is important that users have good passwords, both to make it harder
413 to guess them and to avoid off-line attacks (although
414 pre-authentication provides some defence against off-line attacks).
415 To ensure that the users choose good passwords, you can enable
416 password quality controls in @command{kpasswdd} and @command{kadmind}.
417 The controls themselves are done in a shared library or an external
418 program that is used by @command{kpasswdd}. To configure in these
419 controls, add lines similar to the following to your
420 @file{/etc/krb5.conf}:
424 policies = external-check builtin:minimum-length module:policyname
425 external_program = /bin/false
426 policy_libraries = @var{library1.so} @var{library2.so}
429 In @samp{[password_quality]policies} the module name is optional if
430 the policy name is unique in all modules (members of
431 @samp{policy_libraries}).
433 The built-in polices are
439 Executes the program specified by @samp{[password_quality]external_program}.
441 A number of key/value pairs are passed as input to the program, one per
442 line, ending with the string @samp{end}. The key/value lines are of
445 principal: @var{principal}
446 new-password: @var{password}
448 where @var{password} is the password to check for the previous
451 If the external application approves the password, it should return
452 @samp{APPROVED} on standard out and exit with exit code 0. If it
453 doesn't approve the password, an one line error message explaining the
454 problem should be returned on standard error and the application
455 should exit with exit code 0. In case of a fatal error, the
456 application should, if possible, print an error message on standard
457 error and exit with a non-zero error code.
461 The minimum length password quality check reads the configuration file
462 stanza @samp{[password_quality]min_length} and requires the password
463 to be at least this length.
465 @item character-class
467 The character-class password quality check reads the configuration
468 file stanza @samp{[password_quality]min_classes}. The policy requires
469 the password to have characters from at least that many character
470 classes. Default value if not given is 3.
472 The four different characters classes are, uppercase, lowercase,
473 number, special characters.
477 If you want to write your own shared object to check password
478 policies, see the manual page @manpage{kadm5_pwcheck,3}.
480 Code for a password quality checking function that uses the cracklib
481 library can be found in @file{lib/kadm5/sample_password_check.c} in
482 the source code distribution. It requires that the cracklib library
483 be built with the patch available at
484 @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
486 A sample policy external program is included in
487 @file{lib/kadm5/check-cracklib.pl}.
489 If no password quality checking function is configured, the only check
490 performed is that the password is at least six characters long.
492 To check the password policy settings, use the command
493 @command{password-quality} in @command{kadmin} program. The password
494 verification is only performed locally, on the client. It may be
495 convenient to set the environment variable @samp{KRB5_CONFIG} to point
496 to a test version of @file{krb5.conf} while you're testing the
497 @samp{[password_quality]} stanza that way.
499 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
500 @section Testing clients and servers
502 Now you should be able to run all the clients and servers. Refer to the
503 appropriate man pages for information on how to use them.
505 @node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
506 @section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
508 It is desirable to have at least one backup (slave) server in case the
509 master server fails. It is possible to have any number of such slave
510 servers but more than three usually doesn't buy much more redundancy.
512 All Kerberos servers for a realm must have the same database so that
513 they present the same service to the users. The
515 @command{hprop} program, running on the master, will propagate the database
516 to the slaves, running
518 @command{hpropd} processes.
520 Every slave needs a database directory, the master key (if it was used
521 for the database) and a keytab with the principal
522 @samp{hprop/@var{hostname}}. Add the principal with the
524 @command{ktutil} command and start
526 @command{hpropd}, as follows:
529 slave# ktutil get -p foo/admin hprop/`hostname`
530 slave# mkdir /var/heimdal
534 The master will use the principal @samp{kadmin/hprop} to authenticate to
535 the slaves. This principal should be added when running @kbd{kadmin -l
536 init} but if you do not have it in your database for whatever reason,
537 please add it with @kbd{kadmin -l add}.
541 @code{hprop} on the master:
547 This was just an hands-on example to make sure that everything was
548 working properly. Doing it manually is of course the wrong way, and to
549 automate this you will want to start
551 @command{hpropd} from @command{inetd} on the slave(s) and regularly run
553 @command{hprop} on the master to regularly propagate the database.
554 Starting the propagation once an hour from @command{cron} is probably a
557 @node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
558 @section Incremental propagation
560 There is also a newer mechanism for
561 doing incremental propagation in Heimdal. Instead of sending the whole
562 database regularly, it sends the changes as they happen on the master to
563 the slaves. The master keeps track of all the changes by assigning a
564 version number to every change to the database. The slaves know which
565 was the latest version they saw and in this way it can be determined if
566 they are in sync or not. A log of all the changes is kept on the master,
567 and when a slave is at an older version than the oldest one in the
568 log, the whole database has to be sent.
570 Protocol-wise, all the slaves connect to the master and as a greeting
571 tell it the latest version that they have (@samp{IHAVE} message). The
572 master then responds by sending all the changes between that version and
573 the current version at the master (a series of @samp{FORYOU} messages)
574 or the whole database in a @samp{TELLYOUEVERYTHING} message. There is
575 also a keep-alive protocol that makes sure all slaves are up and running.
577 In addition on listening on the network to get connection from new
578 slaves, the ipropd-master also listens on a status unix
579 socket. kadmind and kpasswdd both open that socket when a transation
580 is done and written a notification to the socket. That cause
581 ipropd-master to check for new version in the log file. As a fallback in
582 case a notification is lost by the unix socket, the log file is
583 checked after 30 seconds of no event.
585 @subsection Configuring incremental propagation
587 The program that runs on the master is @command{ipropd-master} and all
588 clients run @command{ipropd-slave}.
590 Create the file @file{/var/heimdal/slaves} on the master containing all
591 the slaves that the database should be propagated to. Each line contains
592 the full name of the principal (for example
593 @samp{iprop/hemligare.foo.se@@FOO.SE}).
595 You should already have @samp{iprop/tcp} defined as 2121, in your
596 @file{/etc/services}. Otherwise, or if you need to use a different port
597 for some peculiar reason, you can use the @kbd{--port} option. This is
598 useful when you have multiple realms to distribute from one server.
600 Then you need to create those principals that you added in the
601 configuration file. Create one @samp{iprop/hostname} for the master and
606 master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
610 slave# /usr/heimdal/sbin/ktutil get iprop/`hostname`
614 The next step is to start the @command{ipropd-master} process on the master
615 server. The @command{ipropd-master} listens on the UNIX domain socket
616 @file{/var/heimdal/signal} to know when changes have been made to the
617 database so they can be propagated to the slaves. There is also a
618 safety feature of testing the version number regularly (every 30
619 seconds) to see if it has been modified by some means that do not raise
620 this signal. Then, start @command{ipropd-slave} on all the slaves:
623 master# /usr/heimdal/libexec/ipropd-master &
624 slave# /usr/heimdal/libexec/ipropd-slave master &
627 To manage the iprop log file you should use the @command{iprop-log}
628 command. With it you can dump, truncate and replay the logfile.
630 @node Encryption types and salting, Cross realm, Incremental propagation, Setting up a realm
631 @section Encryption types and salting
633 @cindex Encryption types
635 The encryption types that the KDC is going to assign by default is
636 possible to change. Since the keys used for user authentication is
637 salted the encryption types are described together with the salt
640 Salting is used to make it harder to pre-calculate all possible
641 keys. Using a salt increases the search space to make it almost
642 impossible to pre-calculate all keys. Salting is the process of mixing a
643 public string (the salt) with the password, then sending it through an
644 encryption type specific string-to-key function that will output the
645 fixed size encryption key.
647 In Kerberos 5 the salt is determined by the encryption type, except in
650 In @code{des} there is the Kerberos 4 salt
651 (none at all) or the afs-salt (using the cell (realm in
654 In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
655 there is no salt. This is to be compatible with NTLM keys in Windows
658 @code{[kadmin]default_keys} in @file{krb5.conf} controls
661 The syntax of @code{[kadmin]default_keys} is
662 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
663 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
664 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
665 salt-string is the string that will be used as salt (remember that if
666 the salt is appended/prepended, the empty salt "" is the same thing as
669 Common types of salting include
672 @item @code{v4} (or @code{des:pw-salt:})
674 The Kerberos 4 salting is using no salt at all. Reason there is colon
675 at the end of the salt string is that it makes the salt the empty
676 string (same as no salt).
678 @item @code{v5} (or @code{pw-salt})
680 @code{pw-salt} uses the default salt for each encryption type is
681 specified for. If the encryption type @samp{etype} isn't given, all
682 default encryption will be used.
684 @item @code{afs3-salt}
686 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
687 the cell name appended to the password.
691 @node Cross realm, Transit policy, Encryption types and salting, Setting up a realm
695 Suppose you reside in the realm @samp{MY.REALM}, how do you
696 authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
697 @samp{MY.REALM} allows you to communicate with Kerberised services in that
698 realm. However, the computer in the other realm does not have a secret
699 key shared with the Kerberos server in your realm.
701 It is possible to share keys between two realms that trust each
702 other. When a client program, such as @command{telnet} or @command{ssh},
703 finds that the other computer is in a different realm, it will try to
704 get a ticket granting ticket for that other realm, but from the local
705 Kerberos server. With that ticket granting ticket, it will then obtain
706 service tickets from the Kerberos server in the other realm.
708 For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM}
709 add the following principals to each realm. The principals should be
710 @samp{krbtgt/OTHER.REALM@@MY.REALM} and
711 @samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and
712 @samp{krbtgt/MY.REALM@@OTHER.REALM} and
713 @samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}.
715 In Kerberos 5 the trust can be configured to be one way. So that
716 users from @samp{MY.REALM} can authenticate to services in
717 @samp{OTHER.REALM}, but not the opposite. In the example above, the
718 @samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed.
720 The two principals must have the same key, key version number, and the
721 same set of encryption types. Remember to transfer the two keys in a
726 Credentials cache: FILE:/tmp/krb5cc_913.console
727 Principal: lha@@E.KTH.SE
729 Issued Expires Principal
730 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
732 vr$ telnet -l lha hummel.it.su.se
733 Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
734 Connected to hummel.it.su.se.
735 Escape character is '^]'.
736 Waiting for encryption to be negotiated...
737 [ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ]
738 [ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ]
739 Encryption negotiated.
740 Last login: Sat May 3 14:11:47 from vr.l.nxs.se
744 Credentials cache: FILE:/tmp/krb5cc_913.console
745 Principal: lha@@E.KTH.SE
747 Issued Expires Principal
748 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
749 May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE
750 May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
754 @node Transit policy, Setting up DNS, Cross realm, Setting up a realm
755 @section Transit policy
756 @cindex Transit policy
758 If you want to use cross realm authentication through an intermediate
759 realm, it must be explicitly allowed by either the KDCs or the server
760 receiving the request. This is done in @file{krb5.conf} in the
761 @code{[capaths]} section.
763 When the ticket transits through a realm to another realm, the
764 destination realm adds its peer to the "transited-realms" field in the
765 ticket. The field is unordered, since there is no way to know if
766 know if one of the transited-realms changed the order of the list.
768 The syntax for @code{[capaths]} section:
773 SERVER-REALM = PERMITTED-CROSS-REALMS ...
777 The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and
778 @code{DSV.SU.SE} to cross it. Since @code{STACKEN.KTH.SE} only has
779 direct cross realm setup with @code{KTH.SE}, and @code{DSV.SU.SE} only
780 has direct cross realm setup with @code{SU.SE} they need to use both
781 @code{SU.SE} and @code{KTH.SE} as transit realms.
786 STACKEN.KTH.SE = KTH.SE
789 STACKEN.KTH.SE = SU.SE KTH.SE
794 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
795 doing transit cross realm verification.
797 However, the order is important when the @code{[capaths]} section is used
798 to figure out the intermediate realm to go to when doing multi-realm
799 transit. When figuring out the next realm, the first realm of the list
800 of @code{PERMITTED-CROSS-REALMS} is chosen. This is done in both the
801 client kerberos library and the KDC.
803 @c To test the cross realm configuration, use:
804 @c kmumble transit-check client server transit-realms ...
806 @node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
807 @section Setting up DNS
808 @cindex Setting up DNS
810 @subsection Using DNS to find KDC
812 If there is information about where to find the KDC or kadmind for a
813 realm in the @file{krb5.conf} for a realm, that information will be
814 preferred, and DNS will not be queried.
816 Heimdal will try to use DNS to find the KDCs for a realm. First it
817 will try to find a @code{SRV} resource record (RR) for the realm. If no
818 SRV RRs are found, it will fall back to looking for an @code{A} RR for
819 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
821 Adding this information to DNS minimises the client configuration (in
822 the common case, resulting in no configuration needed) and allows the
823 system administrator to change the number of KDCs and on what machines
824 they are running without caring about clients.
826 The downside of using DNS is that the client might be fooled to use the
827 wrong server if someone fakes DNS replies/data, but storing the IP
828 addresses of the KDC on all the clients makes it very hard to change
831 An example of the configuration for the realm @code{EXAMPLE.COM}:
836 _kerberos._tcp SRV 10 1 88 kerberos.example.com.
837 _kerberos._udp SRV 10 1 88 kerberos.example.com.
838 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
839 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
840 _kpasswd._udp SRV 10 1 464 kerberos.example.com.
841 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
845 More information about DNS SRV resource records can be found in
846 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
848 @subsection Using DNS to map hostname to Kerberos realm
850 Heimdal also supports a way to lookup a realm from a hostname. This to
851 minimise configuration needed on clients. Using this has the drawback
852 that clients can be redirected by an attacker to realms within the
853 same cross realm trust and made to believe they are talking to the
854 right server (since Kerberos authentication will succeed).
856 An example configuration that informs clients that for the realms
857 it.example.com and srv.example.com, they should use the realm
863 _kerberos.it TXT "EXAMPLE.COM"
864 _kerberos.srv TXT "EXAMPLE.COM"
868 @node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
869 @section Using LDAP to store the database
870 @cindex Using the LDAP backend
872 This document describes how to install the LDAP backend for
873 Heimdal. Note that before attempting to configure such an
874 installation, you should be aware of the implications of storing
875 private information (such as users' keys) in a directory service
876 primarily designed for public information. Nonetheless, with a
877 suitable authorisation policy, it is possible to set this up in a
878 secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to
879 install this backend. The HDB schema was devised by Leif Johansson.
881 This assumes, OpenLDAP 2.3 or later.
888 A current release of Heimdal, configured with
889 @code{--with-openldap=/usr/local} (adjust according to where you have
892 You can verify that you manage to configure LDAP support by running
893 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
896 Its also possible to configure the ldap backend as a shared module,
897 see option --hdb-openldap-module to configure.
900 Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
903 Add the hdb schema to the LDAP server, it's included in the source-tree
904 in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
907 include /usr/local/etc/openldap/schema/hdb.schema
911 Configure the LDAP server ACLs to accept writes from clients over the
912 local transport. For example:
916 by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write
919 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth''
920 "uid=heimdal,dc=services,dc=example,dc=com"
924 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
925 a tree. The user that the key is mapped to should be have a
926 krb5Principal aux object with krb5PrincipalName set so that the
927 ``creator'' and ``modifier'' is right in @file{kadmin}.
929 Another option is to create an admins group and add the dn to that
932 Since Heimdal talks to the LDAP server over a UNIX domain socket, and
933 uses external sasl authentication, it's not possible to require
934 security layer quality (ssf in cyrus-sasl lingo). So that requirement
935 has to be turned off in OpenLDAP @command{slapd} configuration file
939 sasl-secprops minssf=0
944 Start @command{slapd} with the local listener (as well as the default TCP/IP
945 listener on port 389) as follows:
948 slapd -h "ldapi:/// ldap:///"
951 Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key
952 binary attribute on shutdown. This may be related to our use of the V3
953 schema definition syntax instead of the old UMich-style, V2 syntax.
956 You should specify the distinguished name under which your
957 principals will be stored in @file{krb5.conf}. Also you need to
958 enter the path to the kadmin acl file:
964 dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
965 hdb-ldap-structural-object = inetOrgPerson
966 acl_file = /path/to/kadmind.acl
967 mkey_file = /path/to/mkey
971 @samp{mkey_file} can be excluded if you feel that you trust your ldap
972 directory to have the raw keys inside it. The
973 hdb-ldap-structural-object is not necessary if you do not need Samba
979 Once you have built Heimdal and started the LDAP server, run kadmin
980 (as usual) to initialise the database. Note that the instructions for
981 stashing a master key are as per any Heimdal installation.
985 kadmin> init EXAMPLE.COM
986 Realm max ticket life [unlimited]:
987 Realm max renewable ticket life [unlimited]:
989 Max ticket life [1 day]:
990 Max renewable life [1 week]:
991 Principal expiration time [never]:
992 Password expiration time [never]:
994 lukeh@@EXAMPLE.COM's Password:
995 Verifying password - lukeh@@EXAMPLE.COM's Password:
999 Verify that the principal database has indeed been stored in the
1000 directory with the following command:
1003 kdc# ldapsearch -L -h localhost -D cn=manager \
1004 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1005 'objectclass=krb5KDCEntry'
1009 Now consider adding indexes to the database to speed up the access, at
1010 least theses should be added to slapd.conf.
1013 index objectClass eq
1014 index cn eq,sub,pres
1015 index uid eq,sub,pres
1016 index displayName eq,sub,pres
1017 index krb5PrincipalName eq
1022 @subsection smbk5pwd overlay
1024 The smbk5pwd overlay, updates the krb5Key and krb5KeyVersionNumber
1025 appropriately when it receives an LDAP Password change Extended
1028 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0}
1030 @subsection Troubleshooting guide
1032 @url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide}
1035 @subsection Using Samba LDAP password database
1038 @c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
1039 @c @section Using Samba LDAP password database
1041 The Samba domain and the Kerberos realm can have different names since
1042 arcfour's string to key functions principal/realm independent. So now
1043 will be your first and only chance name your Kerberos realm without
1044 needing to deal with old configuration files.
1046 First, you should set up Samba and get that working with LDAP backend.
1048 Now you can proceed as in @xref{Using LDAP to store the database}.
1049 Heimdal will pick up the Samba LDAP entries if they are in the same
1050 search space as the Kerberos entries.
1052 @node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
1053 @section Providing Kerberos credentials to servers and programs
1055 Some services require Kerberos credentials when they start to make
1056 connections to other services or need to use them when they have started.
1058 The easiest way to get tickets for a service is to store the key in a
1059 keytab. Both ktutil get and kadmin ext can be used to get a
1060 keytab. ktutil get is better in that way it changes the key/password
1061 for the user. This is also the problem with ktutil. If ktutil is used
1062 for the same service principal on several hosts, they keytab will only
1063 be useful on the last host. In that case, run the extract command on
1064 one host and then securely copy the keytab around to all other hosts
1068 host# ktutil -k /etc/krb5-service.keytab \
1069 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1070 lha/admin@@EXAMPLE.ORG's Password:
1073 To get a Kerberos credential file for the service, use kinit in the
1074 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1075 key from the keytab.
1078 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1079 --keytab=/etc/krb5-service.keytab \
1080 service-principal@@EXAMPLE.ORG
1083 Long running services might need credentials longer then the
1084 expiration time of the tickets. kinit can run in a mode that refreshes
1085 the tickets before they expire. This is useful for services that write
1086 into AFS and other distributed file systems using Kerberos. To run the
1087 long running script, just append the program and arguments (if any)
1088 after the principal. kinit will stop refreshing credentials and remove
1089 the credentials when the script-to-start-service exits.
1092 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1093 --keytab=/etc/krb5-service.keytab \
1094 service-principal@@EXAMPLE.ORG \
1095 script-to-start-service argument1 argument2
1099 @node Setting up PK-INIT, , Providing Kerberos credentials to servers and programs, Setting up a realm
1100 @section Setting up PK-INIT
1102 PK-INIT is levering the existing PKI infrastructure to use
1103 certificates to get the initial ticket, that is usually the krbtgt.
1105 To use PK-INIT you must first have a PKI, so if you don't have one,
1106 it is time to create it. Note that you should read the whole chapter
1107 of the document to see the requirements on the CA software.
1109 There needs to exist a mapping between the certificate and what
1110 principals that certificate is allowed to use. There are several ways
1111 to do this. The administrator can use a configuration file, storing
1112 the principal in the SubjectAltName extension of the certificate, or store the
1113 mapping in the principals entry in the kerberos database.
1115 @section Certificates
1117 This section documents the requirements on the KDC and client
1118 certificates and the format used in the id-pkinit-san OtherName
1121 @subsection KDC certificate
1123 The certificate for the KDC have serveral requirements.
1125 First the certificate should have an Extended Key Usage (EKU)
1126 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second there must be a
1127 subjectAltName otherName using oid id-pkinit-san (1.3.6.1.5.2.2) in
1128 the type field and a DER encoded KRB5PrincipalName that matches the
1129 name of the TGS of the target realm.
1131 Both of these two requirements are not required by the standard to be
1132 checked by the client if it have external information what the
1133 certificate the KDC is supposed to be used. So it's in the interest of
1134 minimum amount of configuration on the clients they should be included.
1136 Remember that if the client would accept any certificate as the KDC's
1137 certificate, the client could be fooled into trusting something that
1138 isn't a KDC and thus expose the user to giving away information (like
1139 password or other private information) that it is supposed to secret.
1141 Also, if the certificate has a nameConstraints extention with a
1142 Generalname with dNSName or iPAdress it must match the hostname or
1145 @subsection Client certificate
1147 The client certificate may need to have a EKU id-pkekuoid
1148 (1.3.6.1.5.2.3.4) set depending on the certifiate on the KDC.
1150 It possible to store the principal (if allowed by the KDC) in the
1151 certificate and thus delegate responsibility to do the mapping between
1152 certificates and principals to the CA.
1154 This behavior is controlled by KDC configuration option:
1158 pkinit_principal_in_certificate = yes
1162 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1164 OtherName extention in the GeneralName is used to do the
1165 mapping between certifiate and principal in the certifiate or storing
1166 the krbtgt principal in the KDC certificate.
1168 The principal is stored in a SubjectAltName in the certificate using
1169 OtherName. The oid in the type is id-pkinit-san.
1172 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1173 internet (1) security (5) kerberosv5 (2) 2 @}
1176 The data part of the OtherName is filled with the following DER
1177 encoded ASN.1 structure:
1180 KRB5PrincipalName ::= SEQUENCE @{
1182 principalName [1] PrincipalName
1186 where Realm and PrincipalName is defined by the Kerberos ASN.1 specification.
1188 @section Naming certificate using hx509
1190 hx509 is the X.509 software used in Heimdal to handle
1191 certificates. hx509 uses different syntaxes to specify the different
1192 formats the certificates are stored in and what formats they exist in.
1194 There are several formats that can be used, PEM, embedded into PKCS12
1195 files, embedded into PKCS11 devices and raw DER encoded certificates.
1196 Below is a list of types to use.
1203 DIR is reading all certificates in a directory that is DER or PEM
1206 The main feature of DIR is that the directory is read on demand when
1207 iterating over certificates, that way applictions can for some cases
1208 avoid to store all certificates in memory. It's very useful for tests
1209 that iterate over larger amount of certificates.
1214 DIR:/path/to/der/files
1219 FILE: is used to have the lib pick up a certificate chain and a
1220 private key. The file can be either a PEM (openssl) file or a raw DER
1221 encoded certificate. If it's a PEM file it can contain several keys and
1222 certificates and the code will try to match the private key and
1223 certificate together.
1225 Its useful to have one PEM file that contains all the trust anchors.
1230 FILE:certificate.pem,private-key.key,other-cert.pem,....
1235 PKCS11: is used to handle smartcards via PKCS11 drivers, for example
1236 soft-token, opensc, or muscle. The default is to use all slots on the
1242 PKCS11:shared-object.so
1247 PKCS12: is used to handle PKCS12 files. PKCS12 files commonly have the
1248 extension pfx or p12.
1253 PKCS12:/path/to/file.pfx
1258 @section Configure the Kerberos software
1260 First configure the client's trust anchors and what parameters to
1261 verify, see subsection below how to do that. Now you can use kinit to
1262 get yourself tickets. One example how that can look like is:
1265 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1266 Enter your private key passphrase:
1267 : lha@@nutcracker ; klist
1268 Credentials cache: FILE:/tmp/krb5cc_19100a
1269 Principal: lha@@EXAMPLE.ORG
1271 Issued Expires Principal
1272 Apr 20 02:08:08 Apr 20 12:08:08 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1275 Using PKCS11 it can look like this instead:
1278 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1279 PIN code for SoftToken (slot):
1281 Credentials cache: API:4
1282 Principal: lha@@EXAMPLE.ORG
1284 Issued Expires Principal
1285 Mar 26 23:40:10 Mar 27 09:40:10 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1289 Write about the kdc.
1291 @section Configure the client
1295 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1299 pkinit_require_eku = true
1300 pkinit_require_krbtgt_otherName = true
1302 pkinit_win2k_require_binding = yes
1307 @section Configure the KDC
1312 pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
1313 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1314 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1315 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1316 pkinit_allow_proxy_certificate = no
1317 pkinit_win2k_require_binding = yes
1318 pkinit_principal_in_certificate = no
1321 @subsection Using pki-mapping file
1323 Note that the file name is space sensitive.
1326 # cat /var/heimdal/pki-mapping
1327 # comments starts with #
1328 lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
1329 lha@@EXAMPLE.ORG:CN=Love,UID=lha
1332 @subsection Using the Kerberos database
1334 @section Use hxtool to create certificates
1336 @subsection Generate certificates
1338 First you need to generate a CA certificate, change the --subject to
1339 something appropriate, the CA certificate will be valid for 10 years.
1341 You need to change --subject in the command below.
1344 hxtool issue-certificate \
1347 --generate-key=rsa \
1348 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1349 --lifetime=10years \
1350 --certificate="FILE:ca.pem"
1353 The KDC needs to have a certificate, so generate a certificate of the
1354 type ``pkinit-kdc'' and set the PK-INIT specifial SubjectAltName to the
1355 name of the krbtgt of the realm.
1357 You need to change --subject and --pk-init-principal in the command below.
1360 hxtool issue-certificate \
1361 --ca-certificate=FILE:ca.pem \
1362 --generate-key=rsa \
1363 --type="pkinit-kdc" \
1364 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1365 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1366 --certificate="FILE:kdc.pem"
1369 The users also needs to have a certificate, so generate a certificate
1370 of the type ``pkinit-client''. The client doesn't need to have the PK-INIT
1371 SubjectAltName set, you can have the Subject DN in the ACL file
1372 (pki-mapping) instead.
1374 You need to change --subject and --pk-init-principal in the command below.
1377 hxtool issue-certificate \
1378 --ca-certificate=FILE:ca.pem \
1379 --generate-key=rsa \
1380 --type="pkinit-client" \
1381 --pk-init-principal="lha@@TEST.H5L.SE" \
1382 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1383 --certificate="FILE:user.pem"
1386 @subsection Validate the certificate
1388 hxtool also contains a tool that will validate certificates according to
1389 rules from the PKIX document. These checks are not complete, but a good test
1390 to check if you got all of the basic bits right in your certificates.
1393 hxtool validate FILE:user.pem
1396 @section Use OpenSSL to create certificates
1398 This section tries to give the CA owners hints how to create
1399 certificates using OpenSSL (or CA software based on OpenSSL).
1401 @subsection Using OpenSSL to create certificates with krb5PrincipalName
1403 To make OpenSSL create certificates with krb5PrincipalName use
1404 @file{openssl.cnf} as described below. To see a complete example of
1405 creating client and KDC certificates, see the test-data generation
1406 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1407 certicates it creates are used to test the PK-INIT functionality in
1408 @file{tests/kdc/check-kdc.in}.
1410 To use this example you have to use OpenSSL 0.9.8a or later.
1415 subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
1418 realm = EXP:0, GeneralString:MY.REALM
1419 principal_name = EXP:1, SEQUENCE:principal_seq
1422 name_type = EXP:0, INTEGER:1
1423 name_string = EXP:1, SEQUENCE:principals
1426 princ1 = GeneralString:userid
1433 openssl x509 -extensions user_certificate
1434 openssl ca -extensions user_certificate
1438 @c --- ms certificate
1441 @c msCertificateTemplateName = 1.3.6.1.4.1.311.20.2
1444 @c [ req_smartcard ]
1445 @c keyUsage = digitalSignature, keyEncipherment
1446 @c extendedKeyUsage = msSmartcardLogin, clientAuth
1447 @c msCertificateTemplateName = ASN1:BMP:SmartcardLogon
1448 @c subjectAltName = otherName:msUPN;UTF8:lukeh@dsg.padl.com
1449 @c #subjectAltName = email:copy
1452 @section Using PK-INIT with Windows
1454 @subsection Client configration
1456 Clients using a Windows KDC with PK-INIT need configuration since
1457 windows uses pre-standard format and this can't be autodetected.
1459 The pkinit_win2k_require_binding option requires the reply for the KDC
1460 to be of the new, secure, type that binds the request to reply. Before
1461 clients should fake the reply from the KDC. To use this option you
1462 have to apply a fix from Microsoft.
1468 pkinit_win2k_require_binding = no
1472 @subsection Certificates
1474 The client certificates need to have the extended keyusage ``Microsoft
1475 Smartcardlogin'' (openssl have the oid shortname msSmartcardLogin).
1477 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1478 Smart Card Logon with Third-Party Certification Authorities'' for a
1479 more extensive description of how set setup an external CA to it
1480 includes all information that will make a Windows KDC happy.
1482 @subsection Configure Windows 2000 CA
1484 To enable Microsoft Smartcardlogin> for certificates in your Windows
1485 2000 CA, you want to look at Microsoft Knowledge Base Article -
1486 313274 ``HOW TO: Configure a Certification Authority to Issue
1487 Smart Card Certificates in Windows''.