This is krb5-install.info, produced by makeinfo version 4.0 from install.texinfo.  File: krb5-install.info, Node: Top, Next: Copyright, Prev: (dir), Up: (dir) This file documents how to install the 1.3 release of Kerberos V5. * Menu: * Copyright:: * Introduction:: * Realm Configuration Decisions:: * Building Kerberos V5:: * Installing Kerberos V5:: * Upgrading Existing Kerberos V5 Installations:: * Bug Reports for Kerberos V5::  File: krb5-install.info, Node: Copyright, Next: Introduction, Prev: Top, Up: Top Copyright ********* Copyright (C) 1985-2002 by the Massachusetts Institute of Technology. Export of software employing encryption from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc: Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system. You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON. OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright: Copyright 2000 by Zero-Knowledge Systems, Inc. Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright: Copyright (c) 2001, Dr Brian Gladman , Worcester, UK. All rights reserved. LICENSE TERMS The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; 2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials; 3. the copyright holder's name is not used to endorse products built using this software without specific written permission. DISCLAIMER This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose. Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice: Copyright (C) 1983 Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notices and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided also that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions.  File: krb5-install.info, Node: Introduction, Next: Realm Configuration Decisions, Prev: Copyright, Up: Top Introduction ************ * Menu: * What is Kerberos and How Does it Work?:: * Why Should I use Kerberos?:: * Please Read the Documentation:: * Overview of This Guide::  File: krb5-install.info, Node: What is Kerberos and How Does it Work?, Next: Why Should I use Kerberos?, Prev: Introduction, Up: Introduction What is Kerberos and How Does it Work? ====================================== Kerberos V5 is based on the Kerberos authentication system developed at MIT. Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC). The KDC creates a "ticket-granting ticket" (TGT) for the client, encrypts it using the client's password as the key, and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password. If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT, which indicates proof of the client's identity. The TGT, which expires at a specified time, permits the client to obtain additional tickets, which give permission for specific services. The requesting and granting of these additional tickets is user-transparent.  File: krb5-install.info, Node: Why Should I use Kerberos?, Next: Please Read the Documentation, Prev: What is Kerberos and How Does it Work?, Up: Introduction Why Should I use Kerberos? ========================== Since Kerberos negotiates authenticated, and optionally encrypted, communications between two points anywhere on the Internet, it provides a layer of security that is not dependent on which side of a firewall either client is on. Since studies have shown that half of the computer security breaches in industry happen from inside firewalls, Kerberos V5 from MIT will play a vital role in the security of your network.  File: krb5-install.info, Node: Please Read the Documentation, Next: Overview of This Guide, Prev: Why Should I use Kerberos?, Up: Introduction Please Read the Documentation ============================= As with any software package that uses a centrallized database, the installation procedure is somewhat involved, and requires forethought and planning. MIT has attempted to make this Kerberos V5 Installation Guide as concise as possible, rather than making it an exhaustive description of the details of Kerberos. Consequently, everything in this guide appears because MIT believes that it is important. Please read and follow these instructions carefully. This document is one piece of the document set for Kerberos V5. The documents, and their intended audiences, are: * Kerberos V5 Installation Guide: a concise guide for installing Kerberos V5. Kerberos administrators (particularly whoever will be making site-wide decisions about the installation) and the system administrators who will be installing the software should read this guide. * Kerberos V5 System Administrator's Guide: a sysadmin's guide to administering a Kerberos installation. The System Administrator's Guide describes the administration software and suggests policies and procedures for administering a Kerberos installation. Anyone who will have administrative access to your Kerberos database should read this guide. * Kerberos V5 UNIX User's Guide: a guide to using the Kerberos UNIX client programs. All users on UNIX systems should read this guide, particularly the "Tutorial" section.  File: krb5-install.info, Node: Overview of This Guide, Prev: Please Read the Documentation, Up: Introduction Overview of This Guide ====================== The next chapter describes the decisions you need to make before installing Kerberos V5. Chapter three provided instructions for building the Kerberos sources. Chapter four describes installation procedures for each class of Kerberos machines: 1. Key Distribution Centers (KDCs). A. The Master KDC. B. Slave KDCs. 2. UNIX client machines 3. UNIX application server machines Note that a machine can be both a client machine and an application server. Chapter five describes procedure for updating previous installations of Kerberos V5. Chapter six describes our problem reporting system.  File: krb5-install.info, Node: Realm Configuration Decisions, Next: Building Kerberos V5, Prev: Introduction, Up: Top Realm Configuration Decisions ***************************** Before installing Kerberos V5, it is necessary to consider the following issues: * The name of your Kerberos realm (or the name of each realm, if you need more than one). * How you will map your hostnames onto Kerberos realms. * Which ports your KDC and and kadmin (database access) services will use. * How many slave KDCs you need and where they should be located. * The hostnames of your master and slave KDCs. * How frequently you will propagate the database from the master KDC to the slave KDCs. * Whether you need backward compatibility with Kerberos V4. * Menu: * Kerberos Realms:: * Mapping Hostnames onto Kerberos Realms:: * Ports for the KDC and Admin Services:: * Slave KDCs:: * Hostnames for the Master and Slave KDCs:: * Database Propagation::  File: krb5-install.info, Node: Kerberos Realms, Next: Mapping Hostnames onto Kerberos Realms, Prev: Realm Configuration Decisions, Up: Realm Configuration Decisions Kerberos Realms =============== Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters. For example, hosts in the domain example.com would be in the Kerberos realm EXAMPLE.COM. If you need multiple Kerberos realms, MIT recommends that you use descriptive names which end with your domain name, such as BOSTON.EXAMPLE.COM and HOUSTON.EXAMPLE.COM.  File: krb5-install.info, Node: Mapping Hostnames onto Kerberos Realms, Next: Ports for the KDC and Admin Services, Prev: Kerberos Realms, Up: Realm Configuration Decisions Mapping Hostnames onto Kerberos Realms ====================================== Mapping hostnames onto Kerberos realms is done in one of two ways. The first mechanism, which has been in use for years in MIT-based Kerberos distributions, works through a set of rules in the `krb5.conf' configuration file. (*Note krb5.conf::.) You can specify mappings for an entire domain or subdomain, and/or on a hostname-by-hostname basis. Since greater specificity takes precedence, you would do this by specifying the mappings for a given domain or subdomain and listing the exceptions. The second mechanism works by looking up the information in special `TXT' records in the Domain Name Service. This is currently not used by default because security holes could result if the DNS TXT records were spoofed. If this mechanism is enabled on the client, it will try to look up a `TXT' record for the DNS name formed by putting the prefix `_kerberos' in front of the hostname in question. If that record is not found, it will try using `_kerberos' and the host's domain name, then its parent domain, and so forth. So for the hostname BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be: _kerberos.boston.engineering.foobar.com _kerberos.engineering.foobar.com _kerberos.foobar.com _kerberos.com The value of the first TXT record found is taken as the realm name. (Obviously, this doesn't work all that well if a host and a subdomain have the same name, and different realms. For example, if all the hosts in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in another realm. In that case, you would set up TXT records for all hosts, rather than relying on the fallback to the domain name.) Even if you do not choose to use this mechanism within your site, you may wish to set it up anyway, for use when interacting with other sites.  File: krb5-install.info, Node: Ports for the KDC and Admin Services, Next: Slave KDCs, Prev: Mapping Hostnames onto Kerberos Realms, Up: Realm Configuration Decisions Ports for the KDC and Admin Services ==================================== The default ports used by Kerberos are port 88 for the KDC(1) and port 749 for the admin server. You can, however, choose to run on other ports, as long as they are specified in each host's `/etc/services' and `krb5.conf' files, and the `kdc.conf' file on each KDC. For a more thorough treatment of port numbers used by the Kerberos V5 programs, refer to the "Configuring Your Firewall to Work With Kerberos V5" section of the `Kerberos V5 System Administrator's Guide'. ---------- Footnotes ---------- (1) Kerberos V4 used port 750. If necessary, you can run on both ports for backward compatibility.  File: krb5-install.info, Node: Slave KDCs, Next: Hostnames for the Master and Slave KDCs, Prev: Ports for the KDC and Admin Services, Up: Realm Configuration Decisions Slave KDCs ========== Slave KDCs provide an additional source of Kerberos ticket-granting services in the event of inaccessibility of the master KDC. The number of slave KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network. All of the Kerberos authentication on your network requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might be unavailable and have a slave KDC to take up the slack. Some considerations include: * Have at least one slave KDC as a backup, for when the master KDC is down, is being upgraded, or is otherwise unavailable. * If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network to become cut off or isolated from other segments), have a slave KDC accessible to each segment. * If possible, have at least one slave KDC in a different building from the master, in case of power outages, fires, or other localized disasters.  File: krb5-install.info, Node: Hostnames for the Master and Slave KDCs, Next: Database Propagation, Prev: Slave KDCs, Up: Realm Configuration Decisions Hostnames for the Master and Slave KDCs ======================================= MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as `kerberos' for the master KDC and `kerberos-1', `kerberos-2', ... for the slave KDCs. This way, if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. A new mechanism for locating KDCs of a realm through DNS has been added to the MIT Kerberos V5 distribution. A relatively new record type called `SRV' has been added to DNS. Looked up by a service name and a domain name, these records indicate the hostname and port number to contact for that service, optionally with weighting and prioritization. (See RFC 2782 if you want more information. You can follow the example below for straightforward cases.) The use with Kerberos is fairly straightforward. The domain name used in the SRV record name is the domain-style Kerberos realm name. (It is possible to have Kerberos realm names that are not DNS-style names, but we don't recommend it for Internet use, and our code does not support it well.) Several different Kerberos-related service names are used: `_kerberos._udp' This is for contacting any KDC by UDP. This entry will be used the most often. Normally you should list port 88 on each of your KDCs. `_kerberos._tcp' This is for contacting any KDC by TCP. The MIT KDC by default will not listen on any TCP ports, so unless you've changed the configuration or you're running another KDC implementation, you should leave this unspecified. If you do enable TCP support, normally you should use port 88. `_kerberos-master._udp' This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. This entry is used only in one case, when the user is logging in and the password appears to be incorrect; the master KDC is then contacted, and the same password used to try to decrypt the response, in case the user's password had recently been changed and the first KDC contacted hadn't been updated. Only if that fails is an "incorrect password" error given. If you have only one KDC, or for whatever reason there is no accessible KDC that would get database changes faster than the others, you do not need to define this entry. `_kerberos-adm._tcp' This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the `kadmin' program and related utilities. For now, you will also need the `admin_server' entry in `krb5.conf'. (*Note krb5.conf::.) `_kpasswd._udp' This should list port 464 on your master KDC. It is used when a user changes her password. `_kerberos-iv._udp' This should refer to your KDCs that serve Kerberos version 4 requests, if you have Kerberos v4 enabled. Be aware, however, that the DNS SRV specification requires that the hostnames listed be the canonical names, not aliases. So, for example, you might include the following records in your (BIND-style) zone file: $ORIGIN foobar.com. _kerberos TXT "FOOBAR.COM" kerberos CNAME daisy kerberos-1 CNAME use-the-force-luke kerberos-2 CNAME bunny-rabbit _kerberos._udp SRV 0 0 88 daisy SRV 0 0 88 use-the-force-luke SRV 0 0 88 bunny-rabbit _kerberos-master._udp SRV 0 0 88 daisy _kerberos-adm._tcp SRV 0 0 749 daisy _kpasswd._udp SRV 0 0 464 daisy As with the DNS-based mechanism for determining the Kerberos realm of a host, we recommend distributing the information this way for use by other sites that may want to interact with yours using Kerberos, even if you don't immediately make use of it within your own site. If you anticipate installing a very large number of machines on which it will be hard to update the Kerberos configuration files, you may wish to do all of your Kerberos service lookups via DNS and not put the information (except for `admin_server' as noted above) in future versions of your `krb5.conf' files at all. Eventually, we hope to phase out the listing of server hostnames in the client-side configuration files; making preparations now will make the transition easier in the future.  File: krb5-install.info, Node: Database Propagation, Prev: Hostnames for the Master and Slave KDCs, Up: Realm Configuration Decisions Database Propagation ==================== The Kerberos database resides on the master KDC, and must be propagated regularly (usually by a cron job) to the slave KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a password change to take effect. If the propagation time is longer than this maximum reasonable time (e.g., you have a particularly large database, you have a lot of slaves, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the master KDC propagate the database to one set of slaves, and then have each of these slaves propagate the database to additional slaves.  File: krb5-install.info, Node: Building Kerberos V5, Next: Installing Kerberos V5, Prev: Realm Configuration Decisions, Up: Top Building Kerberos V5 ******************** Kerberos V5 uses a configuration system built using the Free Software Foundation's `autoconf' program. This system makes Kerberos V5 much simpler to build and reduces the amount of effort required in porting Kerberos V5 to a new platform. * Menu: * Organization of the Source Directory:: Description of the source tree. * Build Requirements:: How much disk space, etc. you need to build Kerberos. * Unpacking the Sources:: Preparing the source tree. * Doing the Build:: Compiling Kerberos. * Installing the Binaries:: Installing the compiled binaries. * Testing the Build:: Making sure Kerberos built correctly. * Options to Configure:: Command-line options to Configure * osconf.h:: Header file-specific configurations * Shared Library Support:: Building Shared Libraries for Kerberos V5 * OS Incompatibilities:: Special cases to watch for. * Using Autoconf:: Modifying Kerberos V5's configuration scripts.  File: krb5-install.info, Node: Organization of the Source Directory, Next: Build Requirements, Prev: Building Kerberos V5, Up: Building Kerberos V5 Organization of the Source Directory ==================================== Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow. appl applications with Kerberos V5 extensions clients Kerberos V5 user programs gen-manpages manpages for Kerberos V5 and the Kerberos V5 login program include include files kadmin administrative interface to the Kerberos master database kdc the Kerberos V5 Authentication Service and Key Distribution Center krb524 utilities for converting between Kerberos 4 and Kerberos 5 lib libraries for use with/by Kerberos V5 mac source code for building Kerberos V5 on MacOS prototype templates for source code files slave utilities for propagating the database to slave KDCs tests test suite util various utilities for building/configuring the code, sending bug reports, etc. windows source code for building Kerberos V5 on Windows (see windows/README) * Menu: * The appl Directory:: * The clients Directory:: * The gen-manpages Directory:: * The include Directory:: * The kadmin Directory:: * The kdc Directory:: * The krb524 Directory:: * The lib Directory:: * The prototype Directory:: * The slave Directory:: * The util Directory::  File: krb5-install.info, Node: The appl Directory, Next: The clients Directory, Prev: Organization of the Source Directory, Up: Organization of the Source Directory The appl Directory ------------------ The Kerberos release provides certain UNIX utilities, modified to use Kerberos authentication. In the appl/bsd directory are the Berkeley utilities login, rlogin, rsh, and rcp, as well as the associated daemons kshd and klogind. The login program obtains ticket-granting tickets for users upon login; the other utilities provide authenticated Unix network services. The appl directory also contains Kerberized telnet and ftp programs, as well as sample Kerberos application client and server programs.  File: krb5-install.info, Node: The clients Directory, Next: The gen-manpages Directory, Prev: The appl Directory, Up: Organization of the Source Directory The clients Directory --------------------- This directory contains the code for several user-oriented programs. kdestroy This program destroys the user's active Kerberos authorization tickets. MIT recommends that users `kdestroy' before logging out. kinit This program prompts users for their Kerberos principal name and password, and attempts to get an initial ticket-granting-ticket for that principal. klist This program lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file. kpasswd This program changes a user's Kerberos password. ksu This program is a Kerberized version of the `su' program that is meant to securely change the real and effective user ID to that of the target user and to create a new security context. kvno This program acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each.  File: krb5-install.info, Node: The gen-manpages Directory, Next: The include Directory, Prev: The clients Directory, Up: Organization of the Source Directory The gen-manpages Directory -------------------------- There are two manual pages in this directory. One is an introduction to the Kerberos system. The other describes the `.k5login' file which allows users to give access with their UID to other users authenticated by the Kerberos system.  File: krb5-install.info, Node: The include Directory, Next: The kadmin Directory, Prev: The gen-manpages Directory, Up: Organization of the Source Directory The include Directory --------------------- This directory contains the include files needed to build the Kerberos system.  File: krb5-install.info, Node: The kadmin Directory, Next: The kdc Directory, Prev: The include Directory, Up: Organization of the Source Directory The kadmin Directory -------------------- In this directory is the code for the utilities `kadmin', `kadmin.local', `kdb5_util', and `ktutil'. `ktutil' is the Kerberos keytab file maintenance utility from which a Kerberos administrator can read, write, or edit entries in a Kerberos V5 keytab or Kerberos V4 srvtab. `kadmin' and `kadmin.local' are command-line interfaces to the Kerberos V5 KADM5 administration system. `kadmin.local' runs on the master KDC and does not use Kerberos to authenticate to the database, while `kadmin' uses Kerberos authentication and an encrypted RPC. The two provide identical functionalities, which allow administrators to modify the database of Kerberos principals. `kdb5_util' allows administrators to perform low-level maintenance procedures on Kerberos and the KADM5 database. With this utility, databases can be created, destroyed, or dumped to and loaded from ASCII files. It can also be used to create master key stash files.  File: krb5-install.info, Node: The kdc Directory, Next: The krb524 Directory, Prev: The kadmin Directory, Up: Organization of the Source Directory The kdc Directory ----------------- This directory contains the code for the `krb5kdc' daemon, the Kerberos Authentication Service and Key Distribution Center.  File: krb5-install.info, Node: The krb524 Directory, Next: The lib Directory, Prev: The kdc Directory, Up: Organization of the Source Directory The krb524 Directory -------------------- This directory contains the code for `krb524', a service that converts Kerberos V5 credentials into Kerberos V4 credentials suitable for use with applications that for whatever reason do not use V5 directly.  File: krb5-install.info, Node: The lib Directory, Next: The prototype Directory, Prev: The krb524 Directory, Up: Organization of the Source Directory The lib Directory ----------------- The lib directory contain 10 subdirectories as well as some definition and glue files. The crypto subdirectory contains the Kerberos V5 encryption library. The des425 subdirectory exports the Kerberos V4 encryption API, and translates these functions into calls to the Kerberos V5 encryption API. The gssapi library contains the Generic Security Services API, which is a library of commands to be used in secure client-server communication. The kadm5 directory contains the libraries for the KADM5 administration utilities. The Kerberos 5 database libraries are contained in kdb. The directories krb4 and krb5 contain the Kerberos 4 and Kerberos 5 APIs, respectively. The rpc directory contains the API for the Kerberos Remote Procedure Call protocol.  File: krb5-install.info, Node: The prototype Directory, Next: The slave Directory, Prev: The lib Directory, Up: Organization of the Source Directory The prototype Directory ----------------------- This directory contains several template files. The `prototype.h' and `prototype.c' files contain the MIT copyright message and a placeholder for the title and description of the file. `prototype.h' also has a short template for writing `ifdef' and `ifndef' preprocessor statements. The `getopt.c' file provides a template for writing code that will parse the options with which a program was called.  File: krb5-install.info, Node: The slave Directory, Next: The util Directory, Prev: The prototype Directory, Up: Organization of the Source Directory The slave Directory ------------------- This directory contains code which allows for the propagation of the Kerberos principal database from the master KDC to slave KDCs over an encrypted, secure channel. `kprop' is the program which actually propagates the database dump file. `kpropd' is the Kerberos V5 slave KDC update server which accepts connections from the `kprop' program. `kslave_update' is a script that takes the name of a slave server, and propagates the database to that server if the database has been modified since the last dump or if the database has been dumped since the last propagation.  File: krb5-install.info, Node: The util Directory, Prev: The slave Directory, Up: Organization of the Source Directory The util Directory ------------------ This directory contains several utility programs and libraries. The programs used to configure and build the code, such as `autoconf', `lndir', `kbuild', `reconf', and `makedepend', are in this directory. The profile directory contains most of the functions which parse the Kerberos configuration files (`krb5.conf' and `kdc.conf'). Also in this directory are the Kerberos error table library and utilities (et), the Sub-system library and utilities (ss), database utilities (db2), pseudo-terminal utilities (pty), and bug-reporting program `send-pr'.  File: krb5-install.info, Node: Build Requirements, Next: Unpacking the Sources, Prev: Organization of the Source Directory, Up: Building Kerberos V5 Build Requirements ================== In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not. Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89"). Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command-line options to enable ANSI C conformance. If you wish to keep a separate "build tree", which contains the compiled `*.o' file and executables, separate from your source tree, you will need a `make' program which supports `VPATH', or you will need to use a tool such as `lndir' to produce a symbolic link tree for your build tree.  File: krb5-install.info, Node: Unpacking the Sources, Next: Doing the Build, Prev: Build Requirements, Up: Building Kerberos V5 Unpacking the Sources ===================== The first step in each of these build procedures is to unpack the source distribution. The Kerberos V5 distribution comes in a tar file, generally named `krb5-1.3.tar', which contains a compressed tar file consisting of the sources for all of Kerberos (generally `krb5-1.3.tar.gz') and a PGP signature for this source tree (generally `krb5-1.3.tar.gz.asc'). MIT highly recommends that you verify the integrity of the source code using this signature. Unpack the compressed tar file in some directory, such as `/u1/krb5-1.3'. (In the rest of this document, we will assume that you have chosen to unpack the Kerberos V5 source distribution in this directory. Note that the tarfiles will by default all unpack into the `./krb5-1.3' directory, so that if your current directory is `/u1' when you unpack the tarfiles, you will get `/u1/krb5-1.3/src', etc.)  File: krb5-install.info, Node: Doing the Build, Next: Installing the Binaries, Prev: Unpacking the Sources, Up: Building Kerberos V5 Doing the Build =============== You have a number of different options in how to build Kerberos. If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at *Note OS Incompatibilities::, for notes that we have on particular operating systems. * Menu: * Building Within a Single Tree:: * Building with Separate Build Directories:: * Building using lndir::  File: krb5-install.info, Node: Building Within a Single Tree, Next: Building with Separate Build Directories, Prev: Doing the Build, Up: Doing the Build Building Within a Single Tree ----------------------------- If you don't want separate build trees for each architecture, then use the following abbreviated procedure. 1. `cd /u1/krb5-1.3/src' 2. `./configure' 3. `make' That's it!  File: krb5-install.info, Node: Building with Separate Build Directories, Next: Building using lndir, Prev: Building Within a Single Tree, Up: Doing the Build Building with Separate Build Directories ---------------------------------------- If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your `make' program support `VPATH'. GNU's make will provide this functionality, for example.) If your `make' program does not support this, see the next section. For example, if you wish to create a build directory for `pmax' binaries you might use the following procedure: 1. `mkdir /u1/krb5-1.3/pmax' 2. `cd /u1/krb5-1.3/pmax' 3. `../src/configure' 4. `make'  File: krb5-install.info, Node: Building using lndir, Prev: Building with Separate Build Directories, Up: Doing the Build Building Using `lndir' ---------------------- If you wish to keep separate build directories for each platform, and you do not have access to a `make' program which supports `VPATH', all is not lost. You can use the `lndir' program to create symbolic link trees in your build directory. For example, if you wish to create a build directory for solaris binaries you might use the following procedure: 1. `mkdir /u1/krb5-1.3/solaris' 2. `cd /u1/krb5-1.3/solaris' 3. `/u1/krb5-1.3/src/util/lndir `pwd`/../src' 4. `./configure' 5. `make' You must give an absolute pathname to `lndir' because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable.  File: krb5-install.info, Node: Installing the Binaries, Next: Testing the Build, Prev: Doing the Build, Up: Building Kerberos V5 Installing the Binaries ======================= Once you have built Kerberos, you should install the binaries. You can do this by running: % make install If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use: % make install DESTDIR=/path/to/destdir This will install the binaries under `DESTDIR/PREFIX', e.g., the user programs will install into `DESTDIR/PREFIX/bin', the libraries into `DESTDIR/PREFIX/lib', etc. Note that if you want to test the build (see *Note Testing the Build::), you usually do not need to do a `make install' first.  File: krb5-install.info, Node: Testing the Build, Next: Options to Configure, Prev: Installing the Binaries, Up: Building Kerberos V5 Testing the Build ================= The Kerberos V5 distribution comes with built-in regression tests. To run them, simply type the following command while in the top-level build directory (i.e., the directory where you sent typed `make' to start building Kerberos; see *Note Doing the Build::.): % make check * Menu: * The DejaGnu Tests:: * The KADM5 Tests::  File: krb5-install.info, Node: The DejaGnu Tests, Next: The KADM5 Tests, Prev: Testing the Build, Up: Testing the Build The DejaGnu Tests ----------------- Some of the built-in regression tests are setup to use the DejaGnu framework for running tests. These tests tend to be more comprehensive than the normal built-in tests as they setup test servers and test client/server activities. DejaGnu may be found wherever GNU software is archived. Most of the tests are setup to run as a non-privileged user. For some of the krb-root tests to work properly, either (a) the user running the tests must not have a .k5login file in the home directory or (b) the .k5login file must contain an entry for `@KRBTEST.COM'. There are two series of tests (`rlogind' and `telnetd') which require the ability to `rlogin' as root to the local machine. Admittedly, this does require the use of a `.rhosts' file or some authenticated means. (1) If you cannot obtain root access to your machine, all the other tests will still run. Note however, with DejaGnu 1.2, the "untested testcases" will cause the testsuite to exit with a non-zero exit status which `make' will consider a failure of the testing process. Do not worry about this, as these tests are the last run when `make check' is executed from the top level of the build tree. This problem does not exist with DejaGnu 1.3. ---------- Footnotes ---------- (1) If you are fortunate enough to have a previous version of Kerberos V5 or V4 installed, and the Kerberos rlogin is first in your path, you can setup `.k5login' or `.klogin' respectively to allow you access.  File: krb5-install.info, Node: The KADM5 Tests, Prev: The DejaGnu Tests, Up: Testing the Build The KADM5 Tests --------------- Regression tests for the KADM5 system, including the GSS-RPC, KADM5 client and server libraries, and kpasswd, are also included in this release. Each set of KADM5 tests is contained in a sub-directory called `unit-test' directly below the system being tested. For example, lib/rpc/unit-test contains the tests for GSS-RPC. The tests are all based on DejaGnu (but they are not actually called part of "The DejaGnu tests," whose naming predates the inclusion of the KADM5 system). In addition, they require the Tool Command Language (TCL) header files and libraries to be available during compilation and some of the tests also require Perl in order to operate. If all of these resources are not available during configuration, the KADM5 tests will not run. The TCL installation directory can be specified with the `--with-tcl' configure option. (See *Note Options to Configure::.) The runtest and perl programs must be in the current execution path. If you install DejaGnu, TCL, or Perl after configuring and building Kerberos and then want to run the KADM5 tests, you will need to re-configure the tree and run `make' at the top level again to make sure all the proper programs are built. To save time, you actually only need to reconfigure and build in the directories src/kadmin/testing, src/lib/rpc, src/lib/kadm5.