3 @node Setting up a realm, Applications, Building and Installing, Top
5 @chapter Setting up a realm
9 realm is an administrative domain. The name of a Kerberos realm is
10 usually the Internet domain name in uppercase. Call your realm the same
11 as your Internet domain name if you do not have strong reasons for not
12 doing so. It will make life easier for you and everyone else.
15 * Configuration file::
16 * Creating the database::
17 * Modifying the database::
18 * Checking the setup::
20 * Remote administration::
22 * Testing clients and servers::
24 * Incremental propagation::
25 * Encryption types and salting::
26 * Credential cache server - KCM::
30 * Using LDAP to store the database::
31 * Providing Kerberos credentials to servers and programs::
32 * Setting up PK-INIT::
33 * Debugging Kerberos problems::
36 @node Configuration file, Creating the database, Setting up a realm, Setting up a realm
37 @section Configuration file
39 To setup a realm you will first have to create a configuration file:
40 @file{/etc/krb5.conf}. The @file{krb5.conf} file can contain many
41 configuration options, some of which are described here.
43 There is a sample @file{krb5.conf} supplied with the distribution.
45 The configuration file is a hierarchical structure consisting of
46 sections, each containing a list of bindings (either variable
47 assignments or subsections). A section starts with
48 @samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal sign
49 (@samp{=}) and a right hand side (the left hand side tag must be
50 separated from the equal sign with some whitespace). Subsections have a
51 @samp{@{} as the first non-whitespace character after the equal sign. All
52 other bindings are treated as variable assignments. The value of a
53 variable extends to the end of the line.
59 other-var = value with @{@}
64 var = some other value
66 var = yet another value
69 In this manual, names of sections and bindings will be given as strings
70 separated by slashes (@samp{/}). The @samp{other-var} variable will thus
71 be @samp{section1/a-subsection/other-var}.
73 For in-depth information about the contents of the configuration file, refer to
74 the @file{krb5.conf} manual page. Some of the more important sections
75 are briefly described here.
77 The @samp{libdefaults} section contains a list of library configuration
78 parameters, such as the default realm and the timeout for KDC
79 responses. The @samp{realms} section contains information about specific
80 realms, such as where they hide their KDC@. This section serves the same
81 purpose as the Kerberos 4 @file{krb.conf} file, but can contain more
82 information. Finally the @samp{domain_realm} section contains a list of
83 mappings from domains to realms, equivalent to the Kerberos 4
84 @file{krb.realms} file.
86 To continue with the realm setup, you will have to create a configuration file,
87 with contents similar to the following.
91 default_realm = MY.REALM
94 kdc = my.kdc my.slave.kdc
97 kdc = [2001:6b0:1:ea::100]:88
100 .my.domain = MY.REALM
104 If you use a realm name equal to your domain name, you can omit the
105 @samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS
106 SRV-record for your realm, or your Kerberos server has DNS CNAME
107 @samp{kerberos.my.realm}, you can omit the @samp{realms} section too.
110 If you want to use a different configuration file then the default you
111 can point a file with the enviroment variable @samp{KRB5_CONFIG}.
114 env KRB5_CONFIG=$HOME/etc/krb5.conf kinit user@@REALM
117 @node Creating the database, Modifying the database, Configuration file, Setting up a realm
118 @section Creating the database
120 The database library will look for the database in the directory
121 @file{@value{dbdir}}, so you should probably create that directory.
122 Make sure the directory has restrictive permissions.
128 The keys of all the principals are stored in the database. If you
129 choose to, these can be encrypted with a master key. You do not have to
130 remember this key (or password), but just to enter it once and it will
131 be stored in a file (@file{/var/heimdal/m-key}). If you want to have a
132 master key, run @samp{kstash} to create this master key:
137 Verifying password - Master key:
140 If you want to generate a random master key you can use the
141 @kbd{--random-key} flag to kstash. This will make sure you have a good key
142 on which attackers can't do a dictionary attack.
144 If you have a master key, make sure you make a backup of your master
145 key file; without it backups of the database are of no use.
147 To initialise the database use the @command{kadmin} program, with the
148 @kbd{-l} option (to enable local database mode). First issue a
149 @kbd{init MY.REALM} command. This will create the database and insert
150 default principals for that realm. You can have more than one realm in
151 one database, so @samp{init} does not destroy any old database.
153 Before creating the database, @samp{init} will ask you some questions
154 about maximum ticket lifetimes.
156 After creating the database you should probably add yourself to it. You
157 do this with the @samp{add} command. It takes as argument the name of a
158 principal. The principal should contain a realm, so if you haven't set up
159 a default realm, you will need to explicitly include the realm.
163 kadmin> init MY.REALM
164 Realm max ticket life [unlimited]:
165 Realm max renewable ticket life [unlimited]:
167 Max ticket life [unlimited]:
168 Max renewable life [unlimited]:
171 Verifying password - Password:
174 Now start the KDC and try getting a ticket.
179 me@@MY.REALMS's Password:
181 Credentials cache: /tmp/krb5cc_0
182 Principal: me@@MY.REALM
184 Issued Expires Principal
185 Aug 25 07:25:55 Aug 25 17:25:55 krbtgt/MY.REALM@@MY.REALM
188 If you are curious you can use the @samp{dump} command to list all the
189 entries in the database. It should look something similar to the
190 following example (note that the entries here are truncated for
191 typographical reasons):
195 me@@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
196 kadmin/admin@@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
197 krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
198 kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
201 @node Modifying the database, Checking the setup, Creating the database, Setting up a realm
202 @section Modifying the database
204 All modifications of principals are done with with kadmin.
206 A principal has several attributes and lifetimes associated with it.
208 Principals are added, renamed, modified, and deleted with the kadmin
209 commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}.
210 Both interactive editing and command line flags can be used (use --help
211 to list the available options).
213 There are different kinds of types for the fields in the database;
214 attributes, absolute time times and relative times.
216 @subsection Attributes
218 When doing interactive editing, attributes are listed with @samp{?}.
220 The attributes are given in a comma (@samp{,}) separated list.
221 Attributes are removed from the list by prefixing them with @samp{-}.
225 Max ticket life [1 day]:
226 Max renewable life [1 week]:
227 Principal expiration time [never]:
228 Password expiration time [never]:
229 Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable
231 Principal: me@@MY.REALM
233 Attributes: requires-pre-auth
236 @subsection Absolute times
238 The format for absolute times are any of the following:
248 @subsection Relative times
250 The format for relative times are any of the following combined:
261 @c Describe more of kadmin commands here...
263 @node Checking the setup, keytabs, Modifying the database, Setting up a realm
264 @section Checking the setup
266 There are two tools that can check the consistency of the Kerberos
267 configuration file and the Kerberos database.
269 The Kerberos configuration file is checked using
270 @command{verify_krb5_conf}. The tool checks for common errors, but
271 commonly there are several uncommon configuration entries that are
272 never added to the tool and thus generates ``unknown entry'' warnings.
273 This is usually nothing to worry about.
275 The database check is built into the kadmin tool. It will check for
276 common configuration error that will cause problems later. Common
277 check are for existence and flags on important principals. The
278 database check by run by the following command :
281 kadmin -l check REALM.EXAMPLE.ORG
284 @node keytabs, Remote administration, Checking the setup, Setting up a realm
287 To extract a service ticket from the database and put it in a keytab, you
288 need to first create the principal in the database with @samp{add}
289 (using the @kbd{--random-key} flag to get a random key) and then
290 extract it with @samp{ext_keytab}.
293 kadmin> add --random-key host/my.host.name
294 Max ticket life [unlimited]:
295 Max renewable life [unlimited]:
297 kadmin> ext host/my.host.name
300 Version Type Principal
301 1 des-cbc-md5 host/my.host.name@@MY.REALM
302 1 des-cbc-md4 host/my.host.name@@MY.REALM
303 1 des-cbc-crc host/my.host.name@@MY.REALM
304 1 des3-cbc-sha1 host/my.host.name@@MY.REALM
307 @node Remote administration, Password changing, keytabs, Setting up a realm
308 @section Remote administration
310 The administration server, @command{kadmind}, can be started by
311 @command{inetd} (which isn't recommended) or run as a normal daemon. If you
312 want to start it from @command{inetd} you should add a line similar to the
313 one below to your @file{/etc/inetd.conf}.
316 kerberos-adm stream tcp nowait root /usr/heimdal/libexec/kadmind kadmind
319 You might need to add @samp{kerberos-adm} to your @file{/etc/services}
322 Access to the administration server is controlled by an ACL file,
323 (default @file{/var/heimdal/kadmind.acl}.) The file has the following
326 principal [priv1,priv2,...] [glob-pattern]
329 The matching is from top to bottom for matching principals (and if given,
330 glob-pattern). When there is a match, the access rights of that line are
333 The privileges you can assign to a principal are: @samp{add},
334 @samp{change-password} (or @samp{cpw} for short), @samp{delete},
335 @samp{get}, @samp{list}, and @samp{modify}, or the special privilege
336 @samp{all}. All of these roughly correspond to the different commands
339 If a @var{glob-pattern} is given on a line, it restricts the access
340 rights for the principal to only apply for subjects that match the
341 pattern. The patterns are of the same type as those used in shell
342 globbing, see @url{none,,fnmatch(3)}.
344 In the example below @samp{lha/admin} can change every principal in the
345 database. @samp{jimmy/admin} can only modify principals that belong to
346 the realm @samp{E.KTH.SE}. @samp{mille/admin} is working at the
347 help desk, so he should only be able to change the passwords for single
348 component principals (ordinary users). He will not be able to change any
349 @samp{/admin} principal.
352 lha/admin@@E.KTH.SE all
353 jimmy/admin@@E.KTH.SE all *@@E.KTH.SE
354 jimmy/admin@@E.KTH.SE all */*@@E.KTH.SE
355 mille/admin@@E.KTH.SE change-password *@@E.KTH.SE
358 @node Password changing, Testing clients and servers, Remote administration, Setting up a realm
359 @section Password changing
361 To allow users to change their passwords, you should run @command{kpasswdd}.
362 It is not run from @command{inetd}.
364 You might need to add @samp{kpasswd} to your @file{/etc/services} as
365 @samp{464/udp}. If your realm is not setup to use DNS, you might also
366 need to add a @samp{kpasswd_server} entry to the realm configuration
367 in @file{/etc/krb5.conf} on client machines:
372 kdc = my.kdc my.slave.kdc
373 kpasswd_server = my.kdc
377 @subsection Password quality assurance
379 It is important that users have good passwords, both to make it harder
380 to guess them and to avoid off-line attacks (although
381 pre-authentication provides some defence against off-line attacks).
382 To ensure that the users choose good passwords, you can enable
383 password quality controls in @command{kpasswdd} and @command{kadmind}.
384 The controls themselves are done in a shared library or an external
385 program that is used by @command{kpasswdd}. To configure in these
386 controls, add lines similar to the following to your
387 @file{/etc/krb5.conf}:
391 policies = external-check builtin:minimum-length modulename:policyname
392 external_program = /bin/false
393 policy_libraries = @var{library1.so} @var{library2.so}
396 In @samp{[password_quality]policies} the module name is optional if
397 the policy name is unique in all modules (members of
398 @samp{policy_libraries}). All built-in policies can be qualified with
399 a module name of @samp{builtin} to unambiguously specify the built-in
400 policy and not a policy by the same name from a loaded module.
402 The built-in policies are
408 Executes the program specified by @samp{[password_quality]external_program}.
410 A number of key/value pairs are passed as input to the program, one per
411 line, ending with the string @samp{end}. The key/value lines are of
414 principal: @var{principal}
415 new-password: @var{password}
417 where @var{password} is the password to check for the previous
420 If the external application approves the password, it should return
421 @samp{APPROVED} on standard out and exit with exit code 0. If it
422 doesn't approve the password, an one line error message explaining the
423 problem should be returned on standard error and the application
424 should exit with exit code 0. In case of a fatal error, the
425 application should, if possible, print an error message on standard
426 error and exit with a non-zero error code.
430 The minimum length password quality check reads the configuration file
431 stanza @samp{[password_quality]min_length} and requires the password
432 to be at least this length.
434 @item character-class
436 The character-class password quality check reads the configuration
437 file stanza @samp{[password_quality]min_classes}. The policy requires
438 the password to have characters from at least that many character
439 classes. Default value if not given is 3.
441 The four different characters classes are, uppercase, lowercase,
442 number, special characters.
446 If you want to write your own shared object to check password
447 policies, see the manual page @manpage{kadm5_pwcheck,3}.
449 Code for a password quality checking function that uses the cracklib
450 library can be found in @file{lib/kadm5/sample_password_check.c} in
451 the source code distribution. It requires that the cracklib library
452 be built with the patch available at
453 @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
455 A sample policy external program is included in
456 @file{lib/kadm5/check-cracklib.pl}.
458 If no password quality checking function is configured, the only check
459 performed is that the password is at least six characters long.
461 To check the password policy settings, use the command
462 @command{verify-password-quality} in @command{kadmin} program. The password
463 verification is only performed locally, on the client. It may be
464 convenient to set the environment variable @samp{KRB5_CONFIG} to point
465 to a test version of @file{krb5.conf} while you're testing the
466 @samp{[password_quality]} stanza that way.
468 @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm
469 @section Testing clients and servers
471 Now you should be able to run all the clients and servers. Refer to the
472 appropriate man pages for information on how to use them.
474 @node Slave Servers, Incremental propagation, Testing clients and servers, Setting up a realm
475 @section Slave servers, Incremental propagation, Testing clients and servers, Setting up a realm
477 It is desirable to have at least one backup (slave) server in case the
478 master server fails. It is possible to have any number of such slave
479 servers but more than three usually doesn't buy much more redundancy.
481 All Kerberos servers for a realm must have the same database so that
482 they present the same service to the users. The
484 @command{hprop} program, running on the master, will propagate the database
485 to the slaves, running
487 @command{hpropd} processes.
489 Every slave needs a database directory, the master key (if it was used
490 for the database) and a keytab with the principal
491 @samp{hprop/@var{hostname}}. Add the principal with the
493 @command{ktutil} command and start
495 @command{hpropd}, as follows:
498 slave# ktutil get -p foo/admin hprop/`hostname`
499 slave# mkdir /var/heimdal
503 The master will use the principal @samp{kadmin/hprop} to authenticate to
504 the slaves. This principal should be added when running @kbd{kadmin -l
505 init} but if you do not have it in your database for whatever reason,
506 please add it with @kbd{kadmin -l add}.
510 @code{hprop} on the master:
516 This was just an hands-on example to make sure that everything was
517 working properly. Doing it manually is of course the wrong way, and to
518 automate this you will want to start
520 @command{hpropd} from @command{inetd} on the slave(s) and regularly run
522 @command{hprop} on the master to regularly propagate the database.
523 Starting the propagation once an hour from @command{cron} is probably a
526 @node Incremental propagation, Encryption types and salting, Slave Servers, Setting up a realm
527 @section Incremental propagation
529 There is also a newer mechanism for
530 doing incremental propagation in Heimdal. Instead of sending the whole
531 database regularly, it sends the changes as they happen on the master to
532 the slaves. The master keeps track of all the changes by assigning a
533 version number to every change to the database. The slaves know which
534 was the latest version they saw and in this way it can be determined if
535 they are in sync or not. A log of all the changes is kept on the master,
536 and when a slave is at an older version than the oldest one in the
537 log, the whole database has to be sent.
539 Protocol-wise, all the slaves connect to the master and as a greeting
540 tell it the latest version that they have (@samp{IHAVE} message). The
541 master then responds by sending all the changes between that version and
542 the current version at the master (a series of @samp{FORYOU} messages)
543 or the whole database in a @samp{TELLYOUEVERYTHING} message. There is
544 also a keep-alive protocol that makes sure all slaves are up and running.
546 In addition on listening on the network to get connection from new
547 slaves, the ipropd-master also listens on a status unix
548 socket. kadmind and kpasswdd both open that socket when a transation
549 is done and written a notification to the socket. That cause
550 ipropd-master to check for new version in the log file. As a fallback in
551 case a notification is lost by the unix socket, the log file is
552 checked after 30 seconds of no event.
554 @subsection Configuring incremental propagation
556 The program that runs on the master is @command{ipropd-master} and all
557 clients run @command{ipropd-slave}.
559 Create the file @file{/var/heimdal/slaves} on the master containing all
560 the slaves that the database should be propagated to. Each line contains
561 the full name of the principal (for example
562 @samp{iprop/hemligare.foo.se@@FOO.SE}).
564 You should already have @samp{iprop/tcp} defined as 2121, in your
565 @file{/etc/services}. Otherwise, or if you need to use a different port
566 for some peculiar reason, you can use the @kbd{--port} option. This is
567 useful when you have multiple realms to distribute from one server.
569 Then you need to create those principals that you added in the
570 configuration file. Create one @samp{iprop/hostname} for the master and
575 master# /usr/heimdal/sbin/ktutil get iprop/`hostname`
579 slave# /usr/heimdal/sbin/ktutil get iprop/`hostname`
583 The next step is to start the @command{ipropd-master} process on the master
584 server. The @command{ipropd-master} listens on the UNIX domain socket
585 @file{/var/heimdal/signal} to know when changes have been made to the
586 database so they can be propagated to the slaves. There is also a
587 safety feature of testing the version number regularly (every 30
588 seconds) to see if it has been modified by some means that do not raise
589 this signal. Then, start @command{ipropd-slave} on all the slaves:
592 master# /usr/heimdal/libexec/ipropd-master &
593 slave# /usr/heimdal/libexec/ipropd-slave master &
596 To manage the iprop log file you should use the @command{iprop-log}
597 command. With it you can dump, truncate and replay the logfile.
599 @node Encryption types and salting, Credential cache server - KCM, Incremental propagation, Setting up a realm
600 @section Encryption types and salting
602 @cindex Encryption types
604 The encryption types that the KDC is going to assign by default is
605 possible to change. Since the keys used for user authentication is
606 salted the encryption types are described together with the salt
609 Salting is used to make it harder to pre-calculate all possible
610 keys. Using a salt increases the search space to make it almost
611 impossible to pre-calculate all keys. Salting is the process of mixing a
612 public string (the salt) with the password, then sending it through an
613 encryption type specific string-to-key function that will output the
614 fixed size encryption key.
616 In Kerberos 5 the salt is determined by the encryption type, except in
619 In @code{des} there is the Kerberos 4 salt
620 (none at all) or the afs-salt (using the cell (realm in
623 In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses)
624 there is no salt. This is to be compatible with NTLM keys in Windows
627 @code{[kadmin]default_keys} in @file{krb5.conf} controls
630 The syntax of @code{[kadmin]default_keys} is
631 @samp{[etype:]salt-type[:salt-string]}. @samp{etype} is the encryption
632 type (des-cbc-crc, arcfour-hmac-md5, aes256-cts-hmac-sha1-96),
633 @code{salt-type} is the type of salt (pw-salt or afs3-salt), and the
634 salt-string is the string that will be used as salt (remember that if
635 the salt is appended/prepended, the empty salt "" is the same thing as
638 Common types of salting include
641 @item @code{v4} (or @code{des:pw-salt:})
643 The Kerberos 4 salting is using no salt at all. Reason there is colon
644 at the end of the salt string is that it makes the salt the empty
645 string (same as no salt).
647 @item @code{v5} (or @code{pw-salt})
649 @code{pw-salt} uses the default salt for each encryption type is
650 specified for. If the encryption type @samp{etype} isn't given, all
651 default encryption will be used.
653 @item @code{afs3-salt}
655 @code{afs3-salt} is the salt that is used with Transarc kaserver. It's
656 the cell name appended to the password.
660 @node Credential cache server - KCM, Cross realm, Encryption types and salting, Setting up a realm
661 @section Credential cache server - KCM
663 @cindex Credential cache server
665 When KCM running is easy for users to switch between different
666 kerberos principals using @file{kswitch} or built in support in
667 application, like OpenSSH's GSSAPIClientIdentity.
669 Other advantages are that there is the long term credentials are not
670 written to disk and on reboot the credential is removed when kcm
671 process stopps running.
673 Configure the system startup script to start the kcm process,
674 @file{/usr/heimdal/libexec/kcm} and then configure the system to use kcm in @file{krb5.conf}.
678 default_cc_type = KCM
681 Now when you run @command{kinit} it doesn't overwrite your existing
682 credentials but rather just add them to the set of
683 credentials. @command{klist -l} lists the credentials and the star
684 marks the default credential.
688 lha@@KTH.SE's Password:
690 Name Cache name Expires
691 lha@@KTH.SE 0 Nov 22 23:09:40 *
692 lha@@SU.SE Initial default ccache Nov 22 14:14:24
695 When switching between credentials you can use @command{kswitch}.
705 After switching, a new set of credentials are used as default.
709 Name Cache name Expires
710 lha@@SU.SE Initial default ccache Nov 22 14:14:24 *
711 lha@@KTH.SE 0 Nov 22 23:09:40
714 Som applications, like openssh with Simon Wilkinsons patch applied,
715 support specifiying that credential to use. The example below will
716 login to the host computer.kth.se using lha@@KTH.SE (not the current
721 -o GSSAPIAuthentication=yes \
722 -o GSSAPIKeyExchange=yes \
723 -o GSSAPIClientIdentity=lha@@KTH.SE \
729 @node Cross realm, Transit policy, Credential cache server - KCM, Setting up a realm
733 Suppose you reside in the realm @samp{MY.REALM}, how do you
734 authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
735 @samp{MY.REALM} allows you to communicate with Kerberised services in that
736 realm. However, the computer in the other realm does not have a secret
737 key shared with the Kerberos server in your realm.
739 It is possible to share keys between two realms that trust each
740 other. When a client program, such as @command{telnet} or @command{ssh},
741 finds that the other computer is in a different realm, it will try to
742 get a ticket granting ticket for that other realm, but from the local
743 Kerberos server. With that ticket granting ticket, it will then obtain
744 service tickets from the Kerberos server in the other realm.
746 For a two way trust between @samp{MY.REALM} and @samp{OTHER.REALM}
747 add the following principals to each realm. The principals should be
748 @samp{krbtgt/OTHER.REALM@@MY.REALM} and
749 @samp{krbtgt/MY.REALM@@OTHER.REALM} in @samp{MY.REALM}, and
750 @samp{krbtgt/MY.REALM@@OTHER.REALM} and
751 @samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}.
753 In Kerberos 5 the trust can be configured to be one way. So that
754 users from @samp{MY.REALM} can authenticate to services in
755 @samp{OTHER.REALM}, but not the opposite. In the example above, the
756 @samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed.
758 The two principals must have the same key, key version number, and the
759 same set of encryption types. Remember to transfer the two keys in a
764 Credentials cache: FILE:/tmp/krb5cc_913.console
765 Principal: lha@@E.KTH.SE
767 Issued Expires Principal
768 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
770 vr$ telnet -l lha hummel.it.su.se
771 Trying 2001:6b0:5:1095:250:fcff:fe24:dbf...
772 Connected to hummel.it.su.se.
773 Escape character is '^]'.
774 Waiting for encryption to be negotiated...
775 [ Trying mutual KERBEROS5 (host/hummel.it.su.se@@SU.SE)... ]
776 [ Kerberos V5 accepts you as ``lha@@E.KTH.SE'' ]
777 Encryption negotiated.
778 Last login: Sat May 3 14:11:47 from vr.l.nxs.se
782 Credentials cache: FILE:/tmp/krb5cc_913.console
783 Principal: lha@@E.KTH.SE
785 Issued Expires Principal
786 May 3 13:55:52 May 3 23:55:54 krbtgt/E.KTH.SE@@E.KTH.SE
787 May 3 13:55:56 May 3 23:55:54 krbtgt/SU.SE@@E.KTH.SE
788 May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE
792 @node Transit policy, Setting up DNS, Cross realm, Setting up a realm
793 @section Transit policy
794 @cindex Transit policy
796 Under some circumstances, you may not wish to set up direct
797 cross-realm trust with every realm to which you wish to authenticate
798 or from which you wish to accept authentications. Kerberos supports
799 multi-hop cross-realm trust where a client principal in realm A
800 authenticates to a service in realm C through a realm B with which
801 both A and C have cross-realm trust relationships. In this situation,
802 A and C need not set up cross-realm principals between each other.
804 If you want to use cross-realm authentication through an intermediate
805 realm, it must be explicitly allowed by either the KDCs for the realm
806 to which the client is authenticating (in this case, realm C), or the
807 server receiving the request. This is done in @file{krb5.conf} in the
808 @code{[capaths]} section.
810 In addition, the client in realm A need to be configured to know how
811 to reach realm C via realm B. This can be done either on the client or
812 via KDC configuration in the KDC for realm A.
814 @subsection Allowing cross-realm transits
816 When the ticket transits through a realm to another realm, the
817 destination realm adds its peer to the "transited-realms" field in the
818 ticket. The field is unordered, since there is no way to know if know
819 if one of the transited-realms changed the order of the list. For the
820 authentication to be accepted by the final destination realm, all of
821 the transited realms must be listed as trusted in the @code{[capaths]}
822 configuration, either in the KDC for the destination realm or on the
823 server receiving the authentication.
825 The syntax for @code{[capaths]} section is:
830 SERVER-REALM = PERMITTED-CROSS-REALMS ...
834 In the following example, the realm @code{STACKEN.KTH.SE} only has
835 direct cross-realm set up with @code{KTH.SE}. @code{KTH.SE} has
836 direct cross-realm set up with @code{STACKEN.KTH.SE} and @code{SU.SE}.
837 @code{DSV.SU.SE} only has direct cross-realm set up with @code{SU.SE}.
838 The goal is to allow principals in the @code{DSV.SU.SE} or
839 @code{SU.SE} realms to authenticate to services in
840 @code{STACKEN.KTH.SE}. This is done with the following
841 @code{[capaths]} entry on either the server accepting authentication
842 or on the KDC for @code{STACKEN.KTH.SE}.
847 STACKEN.KTH.SE = KTH.SE
850 STACKEN.KTH.SE = SU.SE KTH.SE
854 The first entry allows cross-realm authentication from clients in
855 @code{SU.SE} transiting through @code{KTH.SE} to
856 @code{STACKEN.KTH.SE}. The second entry allows cross-realm
857 authentication from clients in @code{DSV.SU.SE} transiting through
858 both @code{SU.SE} and @code{KTH.SE} to @code{STACKEN.KTH.SE}.
860 Be careful of which realm goes where; it's easy to put realms in the
861 wrong place. The block is tagged with the client realm (the realm of
862 the principal authenticating), and the realm before the equal sign is
863 the final destination realm: the realm to which the client is
864 authenticating. After the equal sign go all the realms that the
865 client transits through.
867 The order of the @code{PERMITTED-CROSS-REALMS} is not important when
868 doing transit cross realm verification.
870 @subsection Configuring client cross-realm transits
872 The @code{[capaths]} section is also used for another purpose: to tell
873 clients which realm to transit through to reach a realm with which
874 their local realm does not have cross-realm trust. This can be done
875 by either putting a @code{[capaths]} entry in the configuration of the
876 client or by putting the entry in the configuration of the KDC for the
877 client's local realm. In the latter case, the KDC will then hand back
878 a referral to the client when the client requests a cross-realm ticket
879 to the destination realm, telling the client to try to go through an
882 For client configuration, the order of @code{PERMITTED-CROSS-REALMS}
883 is significant, since only the first realm in this section (after the
884 equal sign) is used by the client.
886 For example, again consider the @code{[capaths]} entry above for the
887 case of a client in the @code{SU.SE} realm, and assume that the client
888 or the @code{SU.SE} KDC has that @code{[capaths]} entry. If the
889 client attempts to authenticate to a service in the
890 @code{STACKEN.KTH.SE} realm, that entry says to first authenticate
891 cross-realm to the @code{KTH.SE} realm (the first realm listed in the
892 @code{PERMITTED-CROSS-REALMS} section), and then from there to
893 @code{STACKEN.KTH.SE}.
895 Each entry in @code{[capaths]} can only give the next hop, since only
896 the first realm in @code{PERMITTED-CROSS-REALMS} is used. If, for
897 instance, a client in @code{DSV.SU.SE} had a @code{[capaths]}
898 configuration as above but without the first block for @code{SU.SE},
899 they would not be able to reach @code{STACKEN.KTH.SE}. They would get
900 as far as @code{SU.SE} based on the @code{DSV.SU.SE} entry in
901 @code{[capaths]} and then attempt to go directly from there to
902 @code{STACKEN.KTH.SE} and get stuck (unless, of course, the
903 @code{SU.SE} KDC had the additional entry required to tell the client
904 to go through @code{KTH.SE}).
906 @subsection Active Directory forest example
908 One common place where a @code{[capaths]} configuration is desirable
909 is with Windows Active Directory forests. One common Active Directory
910 configuration is to have one top-level Active Directory realm but then
911 divide systems, services, and users into child realms (perhaps based
912 on organizational unit). One generally establishes cross-realm trust
913 only with the top-level realm, and then uses transit policy to permit
914 authentications to and from the child realms.
916 For example, suppose an organization has a Heimdal realm
917 @code{EXAMPLE.COM}, a Windows Active Directory realm
918 @code{WIN.EXAMPLE.COM}, and then child Active Directory realms
919 @code{ENGR.WIN.EXAMPLE.COM} and @code{SALES.WIN.EXAMPLE.COM}. The
920 goal is to allow users in any of these realms to authenticate to
921 services in any of these realms. The @code{EXAMPLE.COM} KDC (and
922 possibly client) configuration should therefore contain a
923 @code{[capaths]} section as follows:
927 ENGR.WIN.EXAMPLE.COM = @{
928 EXAMPLE.COM = WIN.EXAMPLE.COM
930 SALES.WIN.EXAMPLE.COM = @{
931 EXAMPLE.COM = WIN.EXAMPLE.COM
934 ENGR.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM
935 SALES.WIN.EXAMPLE.COM = WIN.EXAMPLE.COM
939 The first two blocks allow clients in the @code{ENGR.WIN.EXAMPLE.COM}
940 and @code{SALES.WIN.EXAMPLE.COM} realms to authenticate to services in
941 the @code{EXAMPLE.COM} realm. The third block tells the client (or
942 tells the KDC to tell the client via referrals) to transit through
943 @code{WIN.EXAMPLE.COM} to reach these realms. Both sides of the
944 configuration are needed for bi-directional transited cross-realm
947 @c To test the cross realm configuration, use:
948 @c kmumble transit-check client server transit-realms ...
950 @node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm
951 @section Setting up DNS
952 @cindex Setting up DNS
954 @subsection Using DNS to find KDC
956 If there is information about where to find the KDC or kadmind for a
957 realm in the @file{krb5.conf} for a realm, that information will be
958 preferred, and DNS will not be queried.
960 Heimdal will try to use DNS to find the KDCs for a realm. First it
961 will try to find a @code{SRV} resource record (RR) for the realm. If no
962 SRV RRs are found, it will fall back to looking for an @code{A} RR for
963 a machine named kerberos.REALM, and then kerberos-1.REALM, etc
965 Adding this information to DNS minimises the client configuration (in
966 the common case, resulting in no configuration needed) and allows the
967 system administrator to change the number of KDCs and on what machines
968 they are running without caring about clients.
970 The downside of using DNS is that the client might be fooled to use the
971 wrong server if someone fakes DNS replies/data, but storing the IP
972 addresses of the KDC on all the clients makes it very hard to change
975 An example of the configuration for the realm @code{EXAMPLE.COM}:
980 _kerberos._tcp SRV 10 1 88 kerberos.example.com.
981 _kerberos._udp SRV 10 1 88 kerberos.example.com.
982 _kerberos._tcp SRV 10 1 88 kerberos-1.example.com.
983 _kerberos._udp SRV 10 1 88 kerberos-1.example.com.
984 _kpasswd._udp SRV 10 1 464 kerberos.example.com.
985 _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com.
989 More information about DNS SRV resource records can be found in
990 RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)).
992 @subsection Using DNS to map hostname to Kerberos realm
994 Heimdal also supports a way to lookup a realm from a hostname. This to
995 minimise configuration needed on clients. Using this has the drawback
996 that clients can be redirected by an attacker to realms within the
997 same cross realm trust and made to believe they are talking to the
998 right server (since Kerberos authentication will succeed).
1000 An example configuration that informs clients that for the realms
1001 it.example.com and srv.example.com, they should use the realm
1006 $ORIGIN example.com.
1007 _kerberos.it TXT "EXAMPLE.COM"
1008 _kerberos.srv TXT "EXAMPLE.COM"
1012 @node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm
1013 @section Using LDAP to store the database
1014 @cindex Using the LDAP backend
1016 This document describes how to install the LDAP backend for
1017 Heimdal. Note that before attempting to configure such an
1018 installation, you should be aware of the implications of storing
1019 private information (such as users' keys) in a directory service
1020 primarily designed for public information. Nonetheless, with a
1021 suitable authorisation policy, it is possible to set this up in a
1022 secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to
1023 install this backend. The HDB schema was devised by Leif Johansson.
1025 This assumes, OpenLDAP 2.3 or later.
1032 A current release of Heimdal, configured with
1033 @code{--with-openldap=/usr/local} (adjust according to where you have
1034 installed OpenLDAP).
1036 You can verify that you manage to configure LDAP support by running
1037 @file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry
1040 Its also possible to configure the ldap backend as a shared module,
1041 see option --hdb-openldap-module to configure.
1044 Configure OpenLDAP with @kbd{--enable-local} to enable the local transport.
1047 Add the hdb schema to the LDAP server, it's included in the source-tree
1048 in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
1051 include /usr/local/etc/openldap/schema/hdb.schema
1055 Configure the LDAP server ACLs to accept writes from clients over the
1056 local transport. For example:
1060 by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write
1063 authz-regexp "gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth''
1064 "uid=heimdal,dc=services,dc=example,dc=com"
1068 The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in
1069 a tree. The user that the key is mapped to should be have a
1070 krb5Principal aux object with krb5PrincipalName set so that the
1071 ``creator'' and ``modifier'' is right in @file{kadmin}.
1073 Another option is to create an admins group and add the dn to that
1076 Since Heimdal talks to the LDAP server over a UNIX domain socket, and
1077 uses external sasl authentication, it's not possible to require
1078 security layer quality (ssf in cyrus-sasl lingo). So that requirement
1079 has to be turned off in OpenLDAP @command{slapd} configuration file
1083 sasl-secprops minssf=0
1088 Start @command{slapd} with the local listener (as well as the default TCP/IP
1089 listener on port 389) as follows:
1092 slapd -h "ldapi:/// ldap:///"
1095 Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key
1096 binary attribute on shutdown. This may be related to our use of the V3
1097 schema definition syntax instead of the old UMich-style, V2 syntax.
1100 You should specify the distinguished name under which your
1101 principals will be stored in @file{krb5.conf}. Also you need to
1102 enter the path to the kadmin acl file:
1108 dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
1109 hdb-ldap-structural-object = inetOrgPerson
1110 acl_file = /path/to/kadmind.acl
1111 mkey_file = /path/to/mkey
1115 @samp{mkey_file} can be excluded if you feel that you trust your ldap
1116 directory to have the raw keys inside it. The
1117 hdb-ldap-structural-object is not necessary if you do not need Samba
1123 Once you have built Heimdal and started the LDAP server, run kadmin
1124 (as usual) to initialise the database. Note that the instructions for
1125 stashing a master key are as per any Heimdal installation.
1129 kadmin> init EXAMPLE.COM
1130 Realm max ticket life [unlimited]:
1131 Realm max renewable ticket life [unlimited]:
1133 Max ticket life [1 day]:
1134 Max renewable life [1 week]:
1135 Principal expiration time [never]:
1136 Password expiration time [never]:
1138 lukeh@@EXAMPLE.COM's Password:
1139 Verifying password - lukeh@@EXAMPLE.COM's Password:
1143 Verify that the principal database has indeed been stored in the
1144 directory with the following command:
1147 kdc# ldapsearch -L -h localhost -D cn=manager \
1148 -w secret -b ou=KerberosPrincipals,dc=example,dc=com \
1149 'objectclass=krb5KDCEntry'
1153 Now consider adding indexes to the database to speed up the access, at
1154 least theses should be added to slapd.conf.
1157 index objectClass eq
1158 index cn eq,sub,pres
1159 index uid eq,sub,pres
1160 index displayName eq,sub,pres
1161 index krb5PrincipalName eq
1166 @subsection smbk5pwd overlay
1168 The smbk5pwd overlay, updates the krb5Key and krb5KeyVersionNumber
1169 appropriately when it receives an LDAP Password change Extended
1172 @url{http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0}
1174 @subsection Troubleshooting guide
1176 @url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide}
1179 @subsection Using Samba LDAP password database
1182 @c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm
1183 @c @section Using Samba LDAP password database
1185 The Samba domain and the Kerberos realm can have different names since
1186 arcfour's string to key functions principal/realm independent. So now
1187 will be your first and only chance name your Kerberos realm without
1188 needing to deal with old configuration files.
1190 First, you should set up Samba and get that working with LDAP backend.
1192 Now you can proceed as in @xref{Using LDAP to store the database}.
1193 Heimdal will pick up the Samba LDAP entries if they are in the same
1194 search space as the Kerberos entries.
1196 @node Providing Kerberos credentials to servers and programs, Setting up PK-INIT, Using LDAP to store the database, Setting up a realm
1197 @section Providing Kerberos credentials to servers and programs
1199 Some services require Kerberos credentials when they start to make
1200 connections to other services or need to use them when they have started.
1202 The easiest way to get tickets for a service is to store the key in a
1203 keytab. Both ktutil get and kadmin ext can be used to get a
1204 keytab. ktutil get is better in that way it changes the key/password
1205 for the user. This is also the problem with ktutil. If ktutil is used
1206 for the same service principal on several hosts, they keytab will only
1207 be useful on the last host. In that case, run the extract command on
1208 one host and then securely copy the keytab around to all other hosts
1212 host# ktutil -k /etc/krb5-service.keytab \
1213 get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG
1214 lha/admin@@EXAMPLE.ORG's Password:
1217 To get a Kerberos credential file for the service, use kinit in the
1218 @kbd{--keytab} mode. This will not ask for a password but instead fetch the
1219 key from the keytab.
1222 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1223 --keytab=/etc/krb5-service.keytab \
1224 service-principal@@EXAMPLE.ORG
1227 Long running services might need credentials longer then the
1228 expiration time of the tickets. kinit can run in a mode that refreshes
1229 the tickets before they expire. This is useful for services that write
1230 into AFS and other distributed file systems using Kerberos. To run the
1231 long running script, just append the program and arguments (if any)
1232 after the principal. kinit will stop refreshing credentials and remove
1233 the credentials when the script-to-start-service exits.
1236 service@@host$ kinit --cache=/var/run/service_krb5_cache \
1237 --keytab=/etc/krb5-service.keytab \
1238 service-principal@@EXAMPLE.ORG \
1239 script-to-start-service argument1 argument2
1243 @node Setting up PK-INIT, Debugging Kerberos problems, Providing Kerberos credentials to servers and programs, Setting up a realm
1244 @section Setting up PK-INIT
1246 PK-INIT leverages an existing PKI (public key infrastructure), using
1247 certificates to get the initial ticket (usually the krbtgt
1248 ticket-granting ticket).
1250 To use PK-INIT you must first have a PKI. If you don't have one, it is
1251 time to create it. You should first read the whole current chapter of
1252 the document to see the requirements imposed on the CA software.
1254 A mapping between the PKI certificate and what principals that
1255 certificate is allowed to use must exist. There are several ways to do
1256 this. The administrator can use a configuration file, store the
1257 principal in the SubjectAltName extension of the certificate, or store
1258 the mapping in the principals entry in the kerberos database.
1260 @section Certificates
1262 This and following subsection documents the requirements on the KDC
1263 and client certificates and the format used in the id-pkinit-san
1264 OtherName extention.
1266 On how to create certificates, you should read @ref{Use OpenSSL to
1267 create certificates}.
1269 @subsection KDC certificate
1271 The certificate for the KDC has serveral requirements.
1273 First, the certificate should have an Extended Key Usage (EKU)
1274 id-pkkdcekuoid (1.3.6.1.5.2.3.5) set. Second, there must be a
1275 subjectAltName otherName using OID id-pkinit-san (1.3.6.1.5.2.2) in
1276 the type field and a DER encoded KRB5PrincipalName that matches the
1277 name of the TGS of the target realm. Also, if the certificate has a
1278 nameConstraints extention with a Generalname with dNSName or iPAdress,
1279 it must match the hostname or adress of the KDC.
1281 The client is not required by the standard to check the server
1282 certificate for this information if the client has external
1283 information confirming which certificate the KDC is supposed to be
1284 using. However, adding this information to the KDC certificate removes
1285 the need to specially configure the client to recognize the KDC
1288 Remember that if the client would accept any certificate as the KDC's
1289 certificate, the client could be fooled into trusting something that
1290 isn't a KDC and thus expose the user to giving away information (like
1291 a password or other private information) that it is supposed to keep
1294 @subsection Client certificate
1296 The client certificate may need to have a EKU id-pkekuoid
1297 (1.3.6.1.5.2.3.4) set depending on the configuration on the KDC.
1299 It possible to store the principal (if allowed by the KDC) in the
1300 certificate and thus delegate responsibility to do the mapping between
1301 certificates and principals to the CA.
1303 This behavior is controlled by KDC configuration option:
1307 pkinit_principal_in_certificate = yes
1310 @subsubsection Using KRB5PrincipalName in id-pkinit-san
1312 The OtherName extention in the GeneralName is used to do the mapping
1313 between certificate and principal. For the KDC certificate, this
1314 stores the krbtgt principal name for that KDC. For the client
1315 certificate, this stores the principal for which that certificate is
1316 allowed to get tickets.
1318 The principal is stored in a SubjectAltName in the certificate using
1319 OtherName. The OID in the type is id-pkinit-san.
1322 id-pkinit-san OBJECT IDENTIFIER ::= @{ iso (1) org (3) dod (6)
1323 internet (1) security (5) kerberosv5 (2) 2 @}
1326 The data part of the OtherName is filled with the following DER
1327 encoded ASN.1 structure:
1330 KRB5PrincipalName ::= SEQUENCE @{
1332 principalName [1] PrincipalName
1336 where Realm and PrincipalName is defined by the Kerberos ASN.1
1339 @section Naming certificate using hx509
1341 hx509 is the X.509 software used in Heimdal to handle
1342 certificates. hx509 supports several different syntaxes for specifying
1343 certificate files or formats. Several formats may be used: PEM,
1344 certificates embedded in PKCS#12 files, certificates embedded in
1345 PKCS#11 devices, and raw DER encoded certificates.
1347 Those formats may be specified as follows:
1353 DIR specifies a directory which contains certificates in the DER or
1356 The main feature of DIR is that the directory is read on demand when
1357 iterating over certificates. This allows applications, in some
1358 situations, to avoid having to store all certificates in memory. It's
1359 very useful for tests that iterate over large numbers of certificates.
1364 DIR:/path/to/der/files
1369 FILE: specifies a file that contains a certificate or private key.
1370 The file can be either a PEM (openssl) file or a raw DER encoded
1371 certificate. If it's a PEM file, it can contain several keys and
1372 certificates and the code will try to match the private key and
1373 certificate together. Multiple files may be specified, separated by
1376 It's useful to have one PEM file that contains all the trust anchors.
1381 FILE:certificate.pem,private-key.key,other-cert.pem,....
1386 PKCS11: is used to handle smartcards via PKCS#11 drivers, such as
1387 soft-token, opensc, or muscle. The argument specifies a shared object
1388 that implements the PKCS#11 API. The default is to use all slots on
1394 PKCS11:shared-object.so
1399 PKCS12: is used to handle PKCS#12 files. PKCS#12 files commonly have
1400 the extension pfx or p12.
1405 PKCS12:/path/to/file.pfx
1410 @section Configure the Kerberos software
1412 First configure the client's trust anchors and what parameters to
1413 verify. See the subsections below for how to do that. Then, you can
1414 use kinit to get yourself tickets. For example:
1417 $ kinit -C FILE:$HOME/.certs/lha.crt,$HOME/.certs/lha.key lha@@EXAMPLE.ORG
1418 Enter your private key passphrase:
1419 : lha@@nutcracker ; klist
1420 Credentials cache: FILE:/tmp/krb5cc_19100a
1421 Principal: lha@@EXAMPLE.ORG
1423 Issued Expires Principal
1424 Apr 20 02:08:08 Apr 20 12:08:08 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1427 Using PKCS#11 it can look like this instead:
1430 $ kinit -C PKCS11:/usr/heimdal/lib/hx509.so lha@@EXAMPLE.ORG
1431 PIN code for SoftToken (slot):
1433 Credentials cache: API:4
1434 Principal: lha@@EXAMPLE.ORG
1436 Issued Expires Principal
1437 Mar 26 23:40:10 Mar 27 09:40:10 krbtgt/EXAMPLE.ORG@@EXAMPLE.ORG
1440 @section Configure the client
1444 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1448 pkinit_require_eku = true
1449 pkinit_require_krbtgt_otherName = true
1451 pkinit_win2k_require_binding = yes
1456 @section Configure the KDC
1458 Configuration options for the KDC.
1461 @item enable-pkinit = bool
1463 Enable PKINIT for this KDC.
1465 @item pkinit_identity = string
1467 Identity that the KDC will use when talking to clients. Mandatory.
1469 @item pkinit_anchors = string
1471 Trust anchors that the KDC will use when evaluating the trust of the
1472 client certificate. Mandatory.
1474 @item pkinit_pool = strings ...
1476 Extra certificate the KDC will use when building trust chains if it
1477 can't find enough certificates in the request from the client.
1479 @item pkinit_allow_proxy_certificate = bool
1481 Allow clients to use proxy certificates, its the root certificate that
1482 is clients EE certificate that is used for authorisation.
1484 @item pkinit_win2k_require_binding = bool
1486 Require windows clients up be upgrade to not allow cut and paste
1487 attack on encrypted data, applies to Windows XP and windows 2000
1490 @item pkinit_principal_in_certificate = bool
1492 Enable the KDC to use id-pkinit-san to determine to determine the
1493 mapping between a certificate and principal.
1500 pkinit_identity = FILE:/secure/kdc.crt,/secure/kdc.key
1501 pkinit_anchors = FILE:/path/to/trust-anchors.pem
1502 pkinit_pool = PKCS12:/path/to/useful-intermediate-certs.pfx
1503 pkinit_pool = FILE:/path/to/other-useful-intermediate-certs.pem
1504 pkinit_allow_proxy_certificate = no
1505 pkinit_win2k_require_binding = yes
1506 pkinit_principal_in_certificate = no
1509 @subsection Using pki-mapping file
1511 Note that the file name is space sensitive.
1514 # cat /var/heimdal/pki-mapping
1515 # comments starts with #
1516 lha@@EXAMPLE.ORG:C=SE,O=Stockholm universitet,CN=Love,UID=lha
1517 lha@@EXAMPLE.ORG:CN=Love,UID=lha
1520 @subsection Using the Kerberos database
1522 You can also store the subject of the certificate in the principal
1523 entry in the kerberos database.
1526 kadmin modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" user@@REALM
1529 @section Use hxtool to create certificates
1531 @subsection Generate certificates
1533 First, you need to generate a CA certificate. This example creates a
1534 CA certificate that will be valid for 10 years.
1536 You need to change --subject in the command below to something
1537 appropriate for your site.
1540 hxtool issue-certificate \
1543 --generate-key=rsa \
1544 --subject="CN=CA,DC=test,DC=h5l,DC=se" \
1545 --lifetime=10years \
1546 --certificate="FILE:ca.pem"
1549 The KDC needs to have a certificate, so generate a certificate of the
1550 type ``pkinit-kdc'' and set the PK-INIT specifial SubjectAltName to the
1551 name of the krbtgt of the realm.
1553 You need to change --subject and --pk-init-principal in the command
1554 below to something appropriate for your site.
1557 hxtool issue-certificate \
1558 --ca-certificate=FILE:ca.pem \
1559 --generate-key=rsa \
1560 --type="pkinit-kdc" \
1561 --pk-init-principal="krbtgt/TEST.H5L.SE@@TEST.H5L.SE" \
1562 --subject="uid=kdc,DC=test,DC=h5l,DC=se" \
1563 --certificate="FILE:kdc.pem"
1566 The users also needs to have certificates. For your first client,
1567 generate a certificate of type ``pkinit-client''. The client doesn't
1568 need to have the PK-INIT SubjectAltName set; you can have the Subject
1569 DN in the ACL file (pki-mapping) instead.
1571 You need to change --subject and --pk-init-principal in the command
1572 below to something appropriate for your site. You can omit
1573 --pk-init-principal if you're going to use the ACL file instead.
1576 hxtool issue-certificate \
1577 --ca-certificate=FILE:ca.pem \
1578 --generate-key=rsa \
1579 --type="pkinit-client" \
1580 --pk-init-principal="lha@@TEST.H5L.SE" \
1581 --subject="uid=lha,DC=test,DC=h5l,DC=se" \
1582 --certificate="FILE:user.pem"
1585 @subsection Validate the certificate
1587 hxtool also contains a tool that will validate certificates according
1588 to rules from the PKIX document. These checks are not complete, but
1589 they provide a good test of whether you got all of the basic bits
1590 right in your certificates.
1593 hxtool validate FILE:user.pem
1596 @section Use OpenSSL to create certificates
1597 @anchor{Use OpenSSL to create certificates}
1599 This section tries to give the CA owners hints how to create
1600 certificates using OpenSSL (or CA software based on OpenSSL).
1602 @subsection Using OpenSSL to create certificates with krb5PrincipalName
1604 To make OpenSSL create certificates with krb5PrincipalName, use an
1605 @file{openssl.cnf} as described below. To see a complete example of
1606 creating client and KDC certificates, see the test-data generation
1607 script @file{lib/hx509/data/gen-req.sh} in the source-tree. The
1608 certicates it creates are used to test the PK-INIT functionality in
1609 @file{tests/kdc/check-kdc.in}.
1611 To use this example you have to use OpenSSL 0.9.8a or later.
1616 subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
1619 realm = EXP:0, GeneralString:MY.REALM
1620 principal_name = EXP:1, SEQUENCE:principal_seq
1623 name_type = EXP:0, INTEGER:1
1624 name_string = EXP:1, SEQUENCE:principals
1627 princ1 = GeneralString:userid
1634 openssl x509 -extensions user_certificate
1635 openssl ca -extensions user_certificate
1639 @c --- ms certificate
1642 @c msCertificateTemplateName = 1.3.6.1.4.1.311.20.2
1645 @c [ req_smartcard ]
1646 @c keyUsage = digitalSignature, keyEncipherment
1647 @c extendedKeyUsage = msSmartcardLogin, clientAuth
1648 @c msCertificateTemplateName = ASN1:BMP:SmartcardLogon
1649 @c subjectAltName = otherName:msUPN;UTF8:lukeh@dsg.padl.com
1650 @c #subjectAltName = email:copy
1653 @section Using PK-INIT with Windows
1655 @subsection Client configration
1657 Clients using a Windows KDC with PK-INIT need configuration since
1658 windows uses pre-standard format and this can't be autodetected.
1660 The pkinit_win2k_require_binding option requires the reply for the KDC
1661 to be of the new, secure, type that binds the request to
1662 reply. Before, clients could fake the reply from the KDC. To use this
1663 option you have to apply a fix from Microsoft.
1669 pkinit_win2k_require_binding = no
1673 @subsection Certificates
1675 The client certificates need to have the extended keyusage ``Microsoft
1676 Smartcardlogin'' (openssl has the OID shortname msSmartcardLogin).
1678 See Microsoft Knowledge Base Article - 281245 ``Guidelines for Enabling
1679 Smart Card Logon with Third-Party Certification Authorities'' for a
1680 more extensive description of how set setup an external CA so that it
1681 includes all the information required to make a Windows KDC happy.
1683 @subsection Configure Windows 2000 CA
1685 To enable Microsoft Smartcardlogin for certificates in your Windows
1686 2000 CA, you want to look at Microsoft Knowledge Base Article - 313274
1687 ``HOW TO: Configure a Certification Authority to Issue Smart Card
1688 Certificates in Windows''.
1690 @node Debugging Kerberos problems, , Setting up PK-INIT, Setting up a realm
1691 @section Debugging Kerberos problems
1693 To debug Kerberos client and server problems you can enable debug
1694 traceing by adding the following to @file{/etc/krb5,conf}. Note that the
1695 trace logging is sparse at the moment, but will continue to improve.
1699 libkrb5 = 0-/SYSLOG: