This is krb5-install.info, produced by makeinfo version 4.0 from install.texinfo.  File: krb5-install.info, Node: Options to Configure, Next: osconf.h, Prev: Testing the Build, Up: Building Kerberos V5 Options to Configure ==================== There are a number of options to `configure' which you can use to control how the Kerberos distribution is built. The following table lists the most commonly used options to Kerberos V5's `configure' program. `--help' Provides help to configure. This will list the set of commonly used options for building Kerberos. `--prefix=PREFIX' By default, Kerberos will install the package's files rooted at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc. If you desire a different location, use this option. `--exec-prefix=EXECPREFIX' This option allows one to separate the architecture independent programs from the configuration files and manual pages. `--localstatedir=LOCALSTATEDIR' This option sets the directory for locally modifiable single-machine data. In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in `LOCALSTATEDIR/krb5kdc', which is by default `PREFIX/var/krb5kdc'. `CC=COMPILER' Use `COMPILER' as the C compiler. `CFLAGS=FLAGS' Use `FLAGS' as the default set of C compiler flags. Note that if you use the native Ultrix compiler on a DECstation you are likely to lose if you pass no flags to cc; md4.c takes an estimated 3,469 billion years to compile if you provide neither the `-g' flag nor the `-O' flag to `cc'. `CPPFLAGS=CPPOPTS' Use `CPPOPTS' as the default set of C preprocessor flags. The most common use of this option is to select certain `#define''s for use with the operating system's include files. `LD=LINKER' Use `LINKER' as the default loader if it should be different from C compiler as specified above. `LDFLAGS=LDOPTS' This option allows one to specify optional arguments to be passed to the linker. This might be used to specify optional library paths. `--with-krb4' This option enables Kerberos V4 backwards compatibility using the builtin Kerberos V4 library. `--with-krb4=KRB4DIR' This option enables Kerberos V4 backwards compatibility using a pre-existing Kerberos V4 installation. The directory specified by `KRB4DIR' specifies where the V4 header files should be found (`KRB4DIR/include') as well as where the V4 Kerberos library should be found (`KRB4DIR/lib'). `--without-krb4' Disables Kerberos V4 backwards compatibility. This prevents Kerberos V4 clients from using the V5 services including the KDC. This would be useful if you know you will never install or need to interact with V4 clients. `--with-netlib[=libs]' Allows for suppression of or replacement of network libraries. By default, Kerberos V5 configuration will look for `-lnsl' and `-lsocket'. If your operating system has a broken resolver library (see *Note Solaris versions 2.0 through 2.3::) or fails to pass the tests in `src/tests/resolv' you will need to use this option. `--with-tcl=TCLPATH' Some of the unit-tests in the build tree rely upon using a program in Tcl. The directory specified by `TCLPATH' specifies where the Tcl header file (`TCLPATH/include/tcl.h' as well as where the Tcl library should be found (`TCLPATH/lib'). `--enable-shared' This option will turn on the building and use of shared library objects in the Kerberos build. This option is only supported on certain platforms. `--enable-dns' `--enable-dns-for-kdc' `--enable-dns-for-realm' Enable the use of DNS to look up a host's Kerberos realm, or a realm's KDCs, if the information is not provided in krb5.conf. See *Note Hostnames for the Master and Slave KDCs:: for information about using DNS to locate the KDCs, and *Note Mapping Hostnames onto Kerberos Realms:: for information about using DNS to determine the default realm. By default, DNS lookups are enabled for the former but not for the latter. `--enable-kdc-replay-cache' Enable a cache in the KDC to detect retransmitted messages, and resend the previous responses to them. This protects against certain types of attempts to extract information from the KDC through some of the hardware preauthentication systems. `--with-system-et' Use an installed version of the error-table support software, the `compile_et' program, the `com_err.h' header file and the `com_err' library. If these are not in the default locations, you may wish to specify `CPPFLAGS=-I/some/dir' and `LDFLAGS=-L/some/other/dir' options at configuration time as well. If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against. `--with-system-ss' Use an installed version of the subsystem command-line interface software, the `mk_cmds' program, the `ss/ss.h' header file and the `ss' library. If these are not in the default locations, you may wish to specify `CPPFLAGS=-I/some/dir' and `LDFLAGS=-L/some/other/dir' options at configuration time as well. See also the `SS_LIB' option. If this option is not given, the `ss' library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately. `SS_LIB=libs...' If `-lss' is not the correct way to link in your installed `ss' library, for example if additional support libraries are needed, specify the correct link options here. Some variants of this library are around which allow for Emacs-like line editing, but different versions require different support libraries to be explicitly specified. This option is ignored if `--with-system-ss' is not specified. `--with-system-db' Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85. This option is _unsupported_ and untested. In particular, we do not know if the database-rename code used in the dumpfile load operation will behave properly. If this option is not given, a version supplied with the Kerberos sources will be built and installed. (We are not updating this version at this time because of licensing issues with newer versions that we haven't investigated sufficiently yet.) `DB_HEADER=headername.h' If `db.h' is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option. For example, `DB_HEADER=db3/db_185.h'. `DB_LIB=libs...' If `-ldb' is not the correct library specification for the Berkeley DB library version to be used, override it with this option. For example, `DB_LIB=-ldb-3.3'. For example, in order to configure Kerberos on a Solaris machine using the `suncc' compiler with the optimizer turned on, run the configure script with the following options: % ./configure CC=suncc CFLAGS=-O For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in `/usr/foobar', including Berkeley DB 3.3, and an `ss' library that needs to link against the `curses' library. The configuration of Kerberos might be done thus: % ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \ --with-system-et --with-system-ss --with-system-db \ SS_LIB='-lss -lcurses' \ DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3 In previous releases, `--with-' options were used to specify the compiler and linker and their options.  File: krb5-install.info, Node: osconf.h, Next: Shared Library Support, Prev: Options to Configure, Up: Building Kerberos V5 `osconf.h' ========== There is one configuration file which you may wish to edit to control various compile-time parameters in the Kerberos distribution: `include/krb5/stock/osconf.h'. The list that follows is by no means complete, just some of the more interesting variables. Please note: The former configuration file `config.h' no longer exists as its functionality has been merged into the auto-configuration process. *Note Options to Configure::. `DEFAULT_PROFILE_PATH' The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is /etc/krb5.conf. The profile file format is no longer the same format as Kerberos V4's `krb.conf' file. `DEFAULT_KEYTAB_NAME' The type and pathname to the default server keytab file (the equivalent of Kerberos V4's `/etc/srvtab'). The default is /etc/krb5.keytab. `DEFAULT_KDC_ENCTYPE' The default encryption type for the KDC. The default value is des3-cbc-sha1. `KDCRCACHE' The name of the replay cache used by the KDC. The default value is krb5kdc_rcache. `RCTMPDIR' The directory which stores replay caches. The default is to try /var/tmp, /usr/tmp, /var/usr/tmp, and /tmp. `DEFAULT_KDB_FILE' The location of the default database. The default value is /usr/local/var/krb5kdc/principal.  File: krb5-install.info, Node: Shared Library Support, Next: OS Incompatibilities, Prev: osconf.h, Up: Building Kerberos V5 Shared Library Support ====================== Shared library support is provided for a few operating systems. There are restrictions as to which compiler to use when using shared libraries. In all cases, executables linked with the shared libraries in this build process will have built in the location of the libraries, therefore obliterating the need for special LD_LIBRARY_PATH, et al environment variables when using the programs. Except where noted, multiple versions of the libraries may be installed on the same system and continue to work. Currently the supported platforms are Solaris 2.6-2.9 (aka SunOS 5.6-5.9), Irix 6.5, Redhat Linux, MacOS 8-10, and Microsoft Windows (using DLLs). Shared library support has been tested on the following platforms but not exhaustively (they have been built but not necessarily tested in an installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, and HP/UX 10.20. Platforms for which there is shared library support but not significant testing include FreeBSD, OpenBSD, AIX (4.3.3), Linux, NetBSD 1.4.x (i386), and SunOS 4.x. To enable shared libraries on the above platforms, run the configure script with the option `--enable-shared'.  File: krb5-install.info, Node: OS Incompatibilities, Next: Using Autoconf, Prev: Shared Library Support, Up: Building Kerberos V5 Operating System Incompatibilities ================================== This section details operating system incompatibilities with Kerberos V5 which have been reported to the developers at MIT. If you find additional incompatibilities, and/or discover workarounds to such problems, please send a report via the `krb5-send-pr' program. Thanks! * Menu: * AIX:: * Alpha OSF/1 V1.3:: * Alpha OSF/1 V2.0:: * Alpha OSF/1 V4.0:: * BSDI:: * HPUX:: * Solaris versions 2.0 through 2.3:: * Solaris 2.X:: * Solaris 9:: * SGI Irix 5.X:: * Ultrix 4.2/3::  File: krb5-install.info, Node: AIX, Next: Alpha OSF/1 V1.3, Prev: OS Incompatibilities, Up: OS Incompatibilities AIX --- The AIX 3.2.5 linker dumps core trying to build a shared `libkrb5.a' produced with the GNU C compiler. The native AIX compiler works fine. This problem is fixed using the AIX 4.1 linker.  File: krb5-install.info, Node: Alpha OSF/1 V1.3, Next: Alpha OSF/1 V2.0, Prev: AIX, Up: OS Incompatibilities Alpha OSF/1 V1.3 ---------------- Using the native compiler, compiling with the `-O' compiler flag causes the `asn.1' library to be compiled incorrectly. Using GCC version 2.6.3 or later instead of the native compiler will also work fine, both with or without optimization.  File: krb5-install.info, Node: Alpha OSF/1 V2.0, Next: Alpha OSF/1 V4.0, Prev: Alpha OSF/1 V1.3, Up: OS Incompatibilities Alpha OSF/1 V2.0 ---------------- There used to be a bug when using the native compiler in compiling `md4.c' when compiled without either the `-O' or `-g' compiler options. We have changed the code and there is no problem under V2.1, but we do not have access to V2.0 to test and see if the problem would exist there. (We welcome feedback on this issue). There was never a problem in using GCC version 2.6.3. In version 3.2 and beyond of the operating system, we have not seen this sort of problem with the native compiler.  File: krb5-install.info, Node: Alpha OSF/1 V4.0, Next: BSDI, Prev: Alpha OSF/1 V2.0, Up: OS Incompatibilities Alpha OSF/1 (Digital UNIX) V4.0 ------------------------------- The C compiler provided with Alpha OSF/1 V4.0 (a.k.a. Digital UNIX) defaults to an extended K&R C mode, not ANSI C. You need to provide the `-std' argument to the compiler (i.e., `./configure CC='cc -std'') to enable extended ANSI C mode. More recent versions of the operating system, such as 5.0, seem to have C compilers which default to `-std'.  File: krb5-install.info, Node: BSDI, Next: HPUX, Prev: Alpha OSF/1 V4.0, Up: OS Incompatibilities BSDI ---- BSDI versions 1.0 and 1.1 reportedly has a bad `sed' which causes it to go into an infinite loop during the build. The work around is to use a `sed' from somewhere else, such as GNU. (This may be true for some versions of other systems derived from BSD 4.4, such as NetBSD and FreeBSD.)  File: krb5-install.info, Node: HPUX, Next: Solaris versions 2.0 through 2.3, Prev: BSDI, Up: OS Incompatibilities HPUX ---- The native (bundled) compiler for HPUX currently will not work, because it is not a full ANSI C compiler. The optional ANSI C compiler should work as long as you give it the `-Ae' flag (i.e. `./configure CC='cc -Ae''). This is equivalent to `./configure CC='c89 -D_HPUX_SOURCE'', which was the previous recommendation. This has only been tested recently for HPUX 10.20.  File: krb5-install.info, Node: Solaris versions 2.0 through 2.3, Next: Solaris 2.X, Prev: HPUX, Up: OS Incompatibilities Solaris versions 2.0 through 2.3 -------------------------------- The `gethostbyname()' routine is broken; it does not return a fully qualified domain name, even if you are using the Domain Name Service routines. Since Kerberos V5 uses the fully qualified domain name as the second component of a service principal (i.e, `host/tsx-11.mit.edu@ATHENA.MIT.EDU'), this causes problems for servers who try to figure out their own fully qualified domain name. Workarounds: 1. Supply your own resolver library. (such as bind-4.9.3pl1 available from ftp.vix.com) 2. Upgrade to Solaris 2.4 3. Make sure your /etc/nsswitch.conf has `files' before `dns' like: hosts: files dns and then in /etc/hosts, make sure there is a line with your workstation's IP address and hostname, with the fully qualified domain name first. Example: 18.172.1.4 dcl.mit.edu dcl Note that making this change may cause other programs in your environment to break or behave differently.  File: krb5-install.info, Node: Solaris 2.X, Next: Solaris 9, Prev: Solaris versions 2.0 through 2.3, Up: OS Incompatibilities Solaris 2.X ----------- You must compile Kerberos V5 without the UCB compatibility libraries. This means that `/usr/ucblib' must not be in the LD_LIBRARY_PATH environment variable when you compile it. Alternatively you can use the `-i' option to `cc', by using the specifying `CFLAGS=-i' option to `configure'. If you are compiling for a 64-bit execution environment, you may need to configure with the option `CFLAGS="-D_XOPEN_SOURCE=500 -D__EXTENSIONS__"'. This is not well tested; at MIT we work primarily with the 32-bit execution environment.  File: krb5-install.info, Node: Solaris 9, Next: SGI Irix 5.X, Prev: Solaris 2.X, Up: OS Incompatibilities Solaris 9 --------- Solaris 9 has a kernel race condition which causes the final output written to the slave side of a pty to be lost upon the final close() of the slave device. This causes the dejagnu-based tests to fail intermittently. A workaround exists, but requires some help from the scheduler, and the "make check" must be executed from a shell with elevated priority limits. Run something like `priocntl -s -c FX -m 30 -p 30 -i pid nnnn' as root, where `nnnn' is the pid of the shell whose priority limit you wish to raise.  File: krb5-install.info, Node: SGI Irix 5.X, Next: Ultrix 4.2/3, Prev: Solaris 9, Up: OS Incompatibilities SGI Irix 5.X ------------ If you are building in a tree separate from the source tree, the vendors version of make does not work properly with regards to `VPATH'. It also has problems with standard inference rules in 5.2 (not tested yet in 5.3) so one needs to use GNU's make. Under 5.2, there is a bug in the optional System V `-lsocket' library in which the routine `gethostbyname()' is broken. The system supplied version in `-lc' appears to work though so one may simply specify `--with-netlib' option to `configure'. In 5.3, `gethostbyname()' is no longer present in `-lsocket' and is no longer an issue.  File: krb5-install.info, Node: Ultrix 4.2/3, Prev: SGI Irix 5.X, Up: OS Incompatibilities Ultrix 4.2/3 ------------ The DEC MIPS platform currently will not support the native compiler, since the Ultrix compiler is not a full ANSI C compiler. You should use GCC instead.  File: krb5-install.info, Node: Using Autoconf, Prev: OS Incompatibilities, Up: Building Kerberos V5 Using `Autoconf' ================ (If you are not a developer, you can skip this section.) In most of the Kerberos V5 source directories, there is a `configure' script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. These `configure' files are generated using `autoconf', which can be found in the `src/util/autoconf' directory in the distribution. Normal users will not need to worry about running `autoconf'; the distribution comes with the `configure' files already prebuilt. Developers who wish to modify the `configure.in' files should see *Note Overview: (autoconf)Top. Note that in order to run `autoconf', you must have GNU `m4' in your path. Before you use the `autoconf' in the Kerberos V5 source tree, you may also need to run `configure', and then run `make' in the `src/util/autoconf' directory in order to properly set up `autoconf'. One tool which is provided for the convenience of developers can be found in `src/util/reconf'. This program should be run while the current directory is the top source directory. It will automatically rebuild any `configure' files which need rebuilding. If you know that you have made a change that will require that all the `configure' files need to be rebuilt from scratch, specify the `--force' option: % cd /u1/krb5-1.3/src % ./util/reconf --force The developmental sources are a raw source tree (before it's been packaged for public release), without the pre-built `configure' files. In order to build from such a source tree, you must do: % cd krb5/util/autoconf % ./configure % make % cd ../.. % util/reconf Then follow the instructions for building packaged source trees (above). To install the binaries into a binary tree, do: % cd /u1/krb5-1.3/src % make all % make install DESTDIR=somewhere-else  File: krb5-install.info, Node: Installing Kerberos V5, Next: Upgrading Existing Kerberos V5 Installations, Prev: Building Kerberos V5, Up: Top Installing Kerberos V5 ********************** The sections of this chapter describe procedures for installing Kerberos V5 on: 1. The KDCs 2. UNIX client machines 3. UNIX Application Servers * Menu: * Installing KDCs:: * Installing and Configuring UNIX Client Machines:: * UNIX Application Servers::  File: krb5-install.info, Node: Installing KDCs, Next: Installing and Configuring UNIX Client Machines, Prev: Installing Kerberos V5, Up: Installing Kerberos V5 Installing KDCs =============== The Key Distribution Centers (KDCs) issue Kerberos tickets. Each KDC contains a copy of the Kerberos database. The master KDC contains the master copy of the database, which it propagates to the slave KDCs at regular intervals. All database changes (such as password changes) are made on the master KDC. Slave KDCs provide Kerberos ticket-granting services, but not database administration. This allows clients to continue to obtain tickets when the master KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the master or one of the slaves. This will enable you to easily switch your master KDC with one of the slaves if necessary. (*Note Switching Master and Slave KDCs::.) This installation procedure is based on that recommendation. * Menu: * Install the Master KDC:: * Install the Slave KDCs:: * Back on the Master KDC:: * Finish Installing the Slave KDCs:: * Add Kerberos Principals to the Database:: * Limit Access to the KDCs:: * Switching Master and Slave KDCs::  File: krb5-install.info, Node: Install the Master KDC, Next: Install the Slave KDCs, Prev: Installing KDCs, Up: Installing KDCs Install the Master KDC ---------------------- This installation procedure will require you to go back and forth a couple of times between the master KDC and each of the slave KDCs. The first few steps must be done on the master KDC. * Menu: * Edit the Configuration Files:: * krb5.conf:: * kdc.conf:: * Create the Database:: * Add Administrators to the Acl File:: * Add Administrators to the Kerberos Database:: * Create a kadmind Keytab (optional):: * Start the Kerberos Daemons::  File: krb5-install.info, Node: Edit the Configuration Files, Next: krb5.conf, Prev: Install the Master KDC, Up: Install the Master KDC Edit the Configuration Files ............................ Modify the configuration files, `/etc/krb5.conf' and `/usr/local/var/krb5kdc/kdc.conf' to reflect the correct information (such as the hostnames and realm name) for your realm. MIT recommends that you keep `krb5.conf' in `/etc'. Most of the tags in the configuration have default values that will work well for most sites. There are some tags in the `krb5.conf' file whose values must be specified, and this section will explain those as well as give an overview of all of the sections in both configuration files. For more information on changing defaults with the configuration files, see the Kerberos V5 System Administrator's Guide sections on configuration files.  File: krb5-install.info, Node: krb5.conf, Next: kdc.conf, Prev: Edit the Configuration Files, Up: Install the Master KDC krb5.conf ......... The `krb5.conf' file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. Normally, you should install your `krb5.conf' file in the directory `/etc'. You can override the default location by setting the environment variable `KRB5_CONFIG'. The `krb5.conf' file is set up in the style of a Windows INI file. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form: foo = bar or fubar = { foo = bar baz = quux } Placing a `*' at the end of a line indicates that this is the "final" value for the tag. This means that neither the remainder of this configuration file nor any other configuration file will be checked for any other values for this tag. For example, if you have the following lines: foo = bar* foo = baz then the second value of foo (baz) would never be read. The `krb5.conf' file may contain any or all of the following sections: libdefaults Contains default values used by the Kerberos V5 library. login Contains default values used by the Kerberos V5 login program. appdefaults Contains default values that can be used by Kerberos V5 applications. realms Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. domain_realm Contains relations which map domain names and subdomains onto Kerberos realm names. This is used by programs to determine what realm a host should be in, given its fully qualified domain name. logging Contains relations which determine how Kerberos programs are to perform logging. capaths Contains the authentication paths used with direct (nonhierarchical) cross-realm authentication. Entries in this section are used by the client to determine the intermediate realms which may be used in cross-realm authentication. It is also used by the end-service when checking the transited field for trusted intermediate realms. If you are not using DNS TXT records, you must specify the `default_realm' in the `libdefaults' section. If you are not using DNS SRV records, you must include the `kdc' tag for each realm in the `realms' section. To communicate with the kadmin server in each realm, the `admin_server' tag must be set in the `realms' section. If your domain name and realm name are not the same, you must provide a translation in `domain_realm'. It is also higly recommeneded that you create a `[logging]' stanza if the computer will be functioning as a KDC so that the KDC and kadmind will generate logging output. An example `krb5.conf' file: [libdefaults] default_realm = ATHENA.MIT.EDU [realms] ATHENA.MIT.EDU = { kdc = kerberos.mit.edu kdc = kerberos-1.mit.edu kdc = kerberos-2.mit.edu admin_server = kerberos.mit.edu { [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log  File: krb5-install.info, Node: kdc.conf, Next: Create the Database, Prev: krb5.conf, Up: Install the Master KDC kdc.conf ........ The `kdc.conf' file contains KDC configuration information, including defaults used when issuing Kerberos tickets. Normally, you should install your `kdc.conf' file in the directory `/usr/local/var/krb5kdc'. You can override the default location by setting the environment variable `KRB5_KDC_PROFILE'. The `kdc.conf' file is set up in the same format as the `krb5.conf' file. (*Note krb5.conf::.) The `kdc.conf' file may contain any or all of the following three sections: kdcdefaults Contains default values for overall behavior of the KDC. realms Contains subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. logging Contains relations which determine how Kerberos programs are to perform logging.  File: krb5-install.info, Node: Create the Database, Next: Add Administrators to the Acl File, Prev: kdc.conf, Up: Install the Master KDC Create the Database ................... You will use the `kdb5_util' command _on the Master KDC_ to create the Kerberos database and the optional stash file. The "stash file" is a local copy of the master key that resides in encrypted form on the KDC's local disk. The stash file is used to authenticate the KDC to itself automatically before starting the `kadmind' and `krb5kdc' daemons (e.g., as part of the machine's boot sequence). The stash file, like the keytab file (see *Note The Keytab File::, for more information) is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself. Note that `kdb5_util' will prompt you for the master key for the Kerberos database. This key can be any string. A good key is one you can remember, but that no one else can guess. Examples of bad keys are words that can be found in a dictionary, any common or popular name, especially a famous person (or cartoon character), your username in any form (e.g., forward, backward, repeated twice, etc.), and any of the sample keys that appear in this manual. One example of a key which might be good if it did not appear in this manual is "MITiys4K5!", which represents the sentence "MIT is your source for Kerberos 5!" (It's the first letter of each word, substituting the numeral "4" for the word "for", and includes the punctuation mark at the end.) The following is an example of how to create a Kerberos database and stash file on the master KDC, using the `kdb5_util' command. (The line that begins with => is a continuation of the previous line.) Replace ATHENA.MIT.EDU with the name of your Kerberos realm. shell% /usr/local/sbin/kdb5_util create -r ATHENA.MIT.EDU -s Initializing database '/usr/local/var/krb5kdc/principal' for => realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: <= Type the master password. Re-enter KDC database master key to verify: <= Type it again. shell% This will create five files in the directory specified in your `kdc.conf' file: two Kerberos database files, `principal.db', and `principal.ok'; the Kerberos administrative database file, `principal.kadm5'; the administrative database lock file, `principal.kadm5.lock'; and the stash file, `.k5stash'. (The default directory is `/usr/local/var/krb5kdc'.) If you do not want a stash file, run the above command without the `-s' option.  File: krb5-install.info, Node: Add Administrators to the Acl File, Next: Add Administrators to the Kerberos Database, Prev: Create the Database, Up: Install the Master KDC Add Administrators to the Acl File .................................. Next, you need create an Access Control List (acl) file, and put the Kerberos principal of at least one of the administrators into it. The filename should match the value you have set for "acl_file" in your `kdc.conf' file. The default file name is `/usr/local/var/krb5kdc/kadm5.acl'. The format of the file is: Kerberos_principal permissions [target_principal] [restrictions] The Kerberos principal (and optional target principal) can include the "*" wildcard, so if you want any principal with the instance "admin" to have full permissions on the database, you could use the principal "`*/admin@REALM'" where "REALM" is your Kerberos realm. `target_principal' can also include backreferences to `Kerberos_principal', in which "*number" matches the component number in the `Kerberos_principal'. Note: a common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user `joeadmin' might have a principal for his administrative use, called `joeadmin/admin'. This way, `joeadmin' would obtain `joeadmin/admin' tickets only when he actually needs to use those permissions. The permissions are represented by single letters; UPPER-CASE letters represent negative permissions. The permissions are: a allows the addition of principals or policies in the database. A disallows the addition of principals or policies in the database. d allows the deletion of principals or policies in the database. D disallows the deletion of principals or policies in the database. m allows the modification of principals or policies in the database. M disallows the modification of principals or policies in the database. c allows the changing of passwords for principals in the database. C disallows the changing of passwords for principals in the database. i allows inquiries to the database. I disallows inquiries to the database. l allows the listing of principals or policies in the database. L disallows the listing of principals or policies in the database. s allows the explicit setting of the key for a principal S disallows the explicit setting of the key for a principal * All privileges (admcil). x All privileges (admcil); identical to "*". The restrictions are a string of flags. Allowed restrictions are: [+ -]flagname flag is forced to indicated value. The permissible flags are the same as the `+' and `-' flags for the `kadmin addprinc' and `modprinc' commands. -clearpolicy policy is forced to clear -policy pol policy is forced to be pol expire time pwexpire time maxlife time maxrenewlife time associated value will be forced to MIN(time, requested value) The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. Here is an example of a `kadm5.acl' file. Note that order is important; permissions are determined by the first matching entry. */admin@ATHENA.MIT.EDU * joeadmin@ATHENA.MIT.EDU ADMCIL joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU *@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU */*@ATHENA.MIT.EDU i */admin@EXAMPLE.COM * -maxlife 9h -postdateable In the above file, any principal in the ATHENA.MIT.EDU realm with an `admin' instance has all administrative privileges. The user `joeadmin' has all permissions with his `admin' instance, `joeadmin/admin@ATHENA.MIT.EDU' (matches the first line). He has no permissions at all with his `null' instance, `joeadmin@ATHENA.MIT.EDU' (matches the second line). His root instance has inquire and list permissions with any other principal that has the instance `root'. Any principal in ATHENA.MIT.EDU can inquire, list, or change the password of their `admin' instance, but not any other `admin' instance. Any principal in the realm `ATHENA.MIT.EDU' (except for `joeadmin@ATHENA.MIT.EDU', as mentioned above) has inquire privileges. Finally, any principal with an admin instance in EXAMPLE.COM has all permissions, but any principal that they create or modify will not be able to get postdateable tickets or tickets with a life of longer than 9 hours.  File: krb5-install.info, Node: Add Administrators to the Kerberos Database, Next: Create a kadmind Keytab (optional), Prev: Add Administrators to the Acl File, Up: Install the Master KDC Add Administrators to the Kerberos Database ........................................... Next you need to add administrative principals to the Kerberos database. (You must add at least one now.) To do this, use `kadmin.local' _on the master KDC_. The administrative principals you create should be the ones you added to the ACL file. (See *Note Add Administrators to the Acl File::.) In the following example, the administration principal `admin/admin' is created: shell% /usr/local/sbin/kadmin.local kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU NOTICE: no policy specified for "admin/admin@ATHENA.MIT.EDU"; assigning "default". Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password. Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again. Principal "admin/admin@ATHENA.MIT.EDU" created. kadmin.local:  File: krb5-install.info, Node: Create a kadmind Keytab (optional), Next: Start the Kerberos Daemons, Prev: Add Administrators to the Kerberos Database, Up: Install the Master KDC Create a kadmind Keytab (optional) .................................. The kadmind keytab is the key that the legacy admininstration daemons `kadmind4' and `v5passwdd' will use to decrypt administrators' or clients' Kerberos tickets to determine whether or not they should have access to the database. You need to create the kadmin keytab with entries for the principals `kadmin/admin' and `kadmin/changepw'. (These principals are placed in the Kerberos database automatically when you create it.) To create the kadmin keytab, run `kadmin.local' and use the `ktadd' command, as in the following example. (The line beginning with => is a continuation of the previous line.): shell% /usr/local/sbin/kadmin.local kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab => kadmin/admin kadmin/changepw Entry for principal kadmin/admin with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. Entry for principal kadmin/admin with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 5, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. Entry for principal kadmin/changepw with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab. kadmin.local: quit shell% As specified in the `-k' argument, `ktadd' will save the extracted keytab as `/usr/local/var/krb5kdc/kadm5.keytab'. The filename you use must be the one specified in your `kdc.conf' file.  File: krb5-install.info, Node: Start the Kerberos Daemons, Prev: Create a kadmind Keytab (optional), Up: Install the Master KDC Start the Kerberos Daemons on the Master KDC ............................................ At this point, you are ready to start the Kerberos daemons on the Master KDC. To do so, type: shell% /usr/local/sbin/krb5kdc shell% /usr/local/sbin/kadmind Each daemon will fork and run in the background. Assuming you want these daemons to start up automatically at boot time, you can add them to the KDC's `/etc/rc' or `/etc/inittab' file. You need to have a stash file in order to do this. You can verify that they started properly by checking for their startup messages in the logging locations you defined in `/etc/krb5.conf'. (*Note Edit the Configuration Files::.) For example: shell% tail /var/log/krb5kdc.log Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation shell% tail /var/log/kadmin.log Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting Any errors the daemons encounter while starting will also be listed in the logging output.  File: krb5-install.info, Node: Install the Slave KDCs, Next: Back on the Master KDC, Prev: Install the Master KDC, Up: Installing KDCs Install the Slave KDCs ---------------------- You are now ready to start configuring the slave KDCs. Assuming you are setting the KDCs up so that you can easily switch the master KDC with one of the slaves, you should perform each of these steps on the master KDC as well as the slave KDCs, unless these instructions specify otherwise. * Menu: * Create Host Keys for the Slave KDCs:: * Extract Host Keytabs for the KDCs:: * Set Up the Slave KDCs for Database Propagation::  File: krb5-install.info, Node: Create Host Keys for the Slave KDCs, Next: Extract Host Keytabs for the KDCs, Prev: Install the Slave KDCs, Up: Install the Slave KDCs Create Host Keys for the Slave KDCs ................................... Each KDC needs a host principal in the Kerberos database. You can enter these from any host, once the `kadmind' daemon is running. For example, if your master KDC were called kerberos.mit.edu, and you had two KDC slaves named kerberos-1.mit.edu and kerberos-2.mit.edu, you would type the following: shell% /usr/local/sbin/kadmin kadmin: addprinc -randkey host/kerberos.mit.edu NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. kadmin: addprinc -randkey host/kerberos-1.mit.edu NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created. kadmin: addprinc -randkey host/kerberos-2.mit.edu NOTICE: no policy specified for "host/kerberos-2.mit.edu@ATHENA.MIT.EDU"; assigning "default" Principal "host/kerberos-2.mit.edu@ATHENA.MIT.EDU" created. kadmin: It is not actually necessary to have the master KDC server in the Kerberos database, but it can be handy if: * anyone will be logging into the machine as something other than root * you want to be able to swap the master KDC with one of the slaves if necessary.  File: krb5-install.info, Node: Extract Host Keytabs for the KDCs, Next: Set Up the Slave KDCs for Database Propagation, Prev: Create Host Keys for the Slave KDCs, Up: Install the Slave KDCs Extract Host Keytabs for the KDCs ................................. Each KDC (including the master) needs a keytab to decrypt tickets. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. To extract a keytab on a KDC called kerberos.mit.edu, you would execute the following command: kadmin: ktadd host/kerberos.mit.edu kadmin: Entry for principal host/kerberos.mit.edu@ATHENA.MIT.EDU with kvno 1, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab. kadmin: Note that the principal must exist in the Kerberos database in order to extract the keytab.  File: krb5-install.info, Node: Set Up the Slave KDCs for Database Propagation, Prev: Extract Host Keytabs for the KDCs, Up: Install the Slave KDCs Set Up the Slave KDCs for Database Propagation .............................................. The database is propagated from the master KDC to the slave KDCs via the `kpropd' daemon. To set up propagation, create a file on each KDC, named `/usr/local/var/krb5kdc/kpropd.acl', containing the principals for each of the KDCs. For example, if the master KDC were `kerberos.mit.edu', the slave KDCs were `kerberos-1.mit.edu' and `kerberos-2.mit.edu', and the realm were `ATHENA.MIT.EDU', then the file's contents would be: host/kerberos.mit.edu@ATHENA.MIT.EDU host/kerberos-1.mit.edu@ATHENA.MIT.EDU host/kerberos-2.mit.edu@ATHENA.MIT.EDU Then, add the following lines to `/etc/inetd.conf' file on each KDC (the line beginnng with => is a continuation of the previous line): krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd eklogin stream tcp nowait root /usr/local/sbin/klogind => klogind -k -c -e The first line sets up the `kpropd' database propagation daemon. The second line sets up the `eklogin' daemon, allowing Kerberos-authenticated, encrypted rlogin to the KDC. You also need to add the following lines to `/etc/services' on each KDC: kerberos 88/udp kdc # Kerberos authentication (udp) kerberos 88/tcp kdc # Kerberos authentication (tcp) krb5_prop 754/tcp # Kerberos slave propagation kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp) kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp) eklogin 2105/tcp # Kerberos encrypted rlogin  File: krb5-install.info, Node: Back on the Master KDC, Next: Finish Installing the Slave KDCs, Prev: Install the Slave KDCs, Up: Installing KDCs Back on the Master KDC ---------------------- Now that the slave KDCs are able to accept database propagation, you'll need to propagate the database to each of them. * Menu: * Propagate the Database to Each Slave KDC::  File: krb5-install.info, Node: Propagate the Database to Each Slave KDC, Prev: Back on the Master KDC, Up: Back on the Master KDC Propagate the Database to Each Slave KDC ........................................ First, create a dump of the database on the master KDC, as follows: shell% /usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans shell% Next, you need to manually propagate the database to each slave KDC, as in the following example. (The lines beginning with => are continuations of the previous line.): /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans => kerberos-1.mit.edu /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans => kerberos-2.mit.edu You will need a script to dump and propagate the database. The following is an example of a bourne shell script that will do this. (Note that the line that begins with => is a continuation of the previous line. Remember that you need to replace /usr/local with the name of the directory in which you installed Kerberos V5.) #!/bin/sh kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" /usr/local/sbin/kdb5_util -R "dump => /usr/local/var/krb5kdc/slave_datatrans" for kdc in $kdclist do /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc done You will need to set up a cron job to run this script at the intervals you decided on earlier (*Note Database Propagation::.)  File: krb5-install.info, Node: Finish Installing the Slave KDCs, Next: Add Kerberos Principals to the Database, Prev: Back on the Master KDC, Up: Installing KDCs Finish Installing the Slave KDCs -------------------------------- Now that the slave KDCs have copies of the Kerberos database, you can create stash files for them and start the `krb5kdc' daemon. * Menu: * Create Stash Files on the Slave KDCs:: * Start the krb5kdc Daemon on Each KDC::  File: krb5-install.info, Node: Create Stash Files on the Slave KDCs, Next: Start the krb5kdc Daemon on Each KDC, Prev: Finish Installing the Slave KDCs, Up: Finish Installing the Slave KDCs Create Stash Files on the Slave KDCs .................................... Create stash files, by issuing the following commands on each slave KDC: shell% kdb5_util stash kdb5_util: Cannot find/read stored master key while reading master key kdb5_util: Warning: proceeding without master key Enter KDC database master key: <= Enter the database master key. shell% As mentioned above, the stash file is necessary for your KDCs to be able authenticate to themselves, such as when they reboot. You could run your KDCs without stash files, but you would then need to type in the Kerberos database master key by hand every time you start a KDC daemon.  File: krb5-install.info, Node: Start the krb5kdc Daemon on Each KDC, Prev: Create Stash Files on the Slave KDCs, Up: Finish Installing the Slave KDCs Start the krb5kdc Daemon on Each KDC .................................... The final step in configuing your slave KDCs is to run the KDC daemon: shell% /usr/local/sbin/krb5kdc As with the master KDC, you will probably want to add this command to the KDCs' `/etc/rc' or `/etc/inittab' files, so they will start the krb5kdc daemon automatically at boot time.  File: krb5-install.info, Node: Add Kerberos Principals to the Database, Next: Limit Access to the KDCs, Prev: Finish Installing the Slave KDCs, Up: Installing KDCs Add Kerberos Principals to the Database --------------------------------------- Once your KDCs are set up and running, you are ready to use `kadmin' to load principals for your users, hosts, and other services into the Kerberos database. This procedure is described fully in the "Adding or Modifying Principals" section of the Kerberos V5 System Administrator's Guide. (*Note Create Host Keys for the Slave KDCs::, for a brief description.) The keytab is generated by running `kadmin' and issuing the `ktadd' command.