User Guide

Contents

Kerberos Server Version 3.1 Administrator’s Guide

1 Overview
  Introduction
  How the Kerberos Server Works
  authentication
  DES Versus 3DES Key Type Settings
  Introduction to LDAP
  LDAP Advantages
  Integrating Kerberos Server v3.1 with LDAP
  How is the Kerberos Principal Integrated in to the LDAP Directory?

2 Installing the Kerberos Server v3.1
  Prerequisites
  System Requirements
  Hardware Requirements
  Software Requirements
  Version Compatibility
  Installing the Server

3 Migrating to a Newer Version of the Kerberos Server
  Migrating from Kerberos Server Version 1.0 to 3.0
  Migrating from Kerberos Server Version 2.0 to Version 3.0
  Migrating from Kerberos Server Version 3.0 to Version 3.1

4 Interoperability with Windows 2000
  Understanding the Terminology
  Kerberos Server and Windows 2000 Interoperability
  Establishing Trust Between Kerberos Server and Windows 2000
  Single Realm (Domain) Authentication
  Interrealm (Interdomain) Authentication
  Special Considerations for Interoperability
  Database Considerations
  Encryption Considerations
  Postdated Tickets

5 Configuring the Kerberos Server With C-Tree Backend
  Configuration Files for the Kerberos Server
  The
  krb.conf Format
  The
  The
  Autoconfiguring the Kerberos Server
  Configuring the Kerberos Server with C-Tree

6 Configuring the Kerberos Server with LDAP
  Configuration Files for LDAP Integration
  The krb5_ldap.conf File
  The
  The
  The
  The
  The
  Planning Your LDAP Configuration
  Before You Begin
  Setting up Your LDAP Configuration
  Autoconfiguring the Kerberos Server With LDAP Integration
  Configuring the Kerberos Server with LDAP
  Manually Configuring the Kerberos Server with LDAP
  Edit the Configuration Files

7 Configuring the Primary and Secondary Security Server
  Configuring the Primary Security Server
  Create the Principal Database After Installation
  Add an Administrative Principal
  To add an Administrative Principal Using the HP Kerberos Administrator
  To Add an Administrative Principal Through the Command Line
  Create the host/<fqdn> Principal and Extracting the Service Key
  Start the Kerberos Daemons
  Define Secondary Security Server Network Locations
  Security Policies
  Password Policy File
  The admin_acl_file
  Starting the Security Server
  Configuring the Secondary Security Servers with C-Tree
  Creating the Principal Database
  Copying the Kerberos Configuration File
  Creating a host/<fqdn> Principal and Extracting the Key
  Configuring the Secondary Security Servers with LDAP
  Copying the Kerberos Configuration File
  Creating a stash file using the
  Using Indexes to Improve Database Performance

8 Administering the Kerberos Server
  Administering the Kerberos Database
  The kadmind Command
  The admin_acl_file File
  Assigning Administrative Permissions
  Adding Entries to admin_acl_file
  Creating Administrative Accounts
  Using Restricted Administrator
  How the r/R Modifiers Work
  Password Policy File
  Editing the Default File
  Principals
  Adding User Principals
  Adding New Service Principals
  Reserved Service Principals
  K/M@REALM:
  default@REALM:
  krbtgt/REALM@REALM:
  kadmin/REALM@REALM:
  kadmin/changepw@REALM:
  kcpwd/REALM@REALM:
  host/fqdn@REALM:
  Removing User Principals
  Removing Special Privilege Settings
  Protecting a Secret Key
  Removing Service Principals
  The kadmin and kadminl Utilities
  Administration Utilities
  HP Kerberos Administrator
  Standard Functionality of the Administrator
  Local Administrator – kadminl_ui
  Using kadminl_ui
  Principals Tab
  General Tab (Principal Information Window)
  Adding Principals to the Database
  Adding Multiple Principals with Similar Settings
  Creating an Administrative Principal
  Searching for a Principal
  Deleting a Principal
  Loading Default Values for a Principal
  Restoring Previously Saved Values for a Principal
  Changing Ticket Information
  Rules for Setting Maximum Ticket Lifetime
  Rules for Setting Maximum Renew Time
  Changing Password Information
  Password Tab (Principal Information Window)
  Change Password Window (Password Tab)
  Changing a Key Type
  Changing a DES-CRC or DES-MD5 Principal Key Type to 3DES
  Changing Principal Attributes
  Attributes Tab (Principal Information Window)
  LDAP Attributes Tab (Principal Information Window)
  Deleting a Service Principal
  Extracting Service Keys
  Extracting a Service Key Table
  Using Groups to Control Settings
  Editing the Default Group
  Group Information Window (Principal Information Window)
  Principal Attributes
  Setting the Default Group Principal Attributes
  Default Principal Attributes
  Setting Administrative Permissions
  Administrative Permissions
  Realms Tab
  Realm Information Window
  Adding a Realm
  Deleting a Realm
  Remote Administrator – kadmin_ui
  Manual Administration Using kadmin
  Adding a New Principal
  Adding a Random Key
  Specifying a New Password
  Changing Password to a New Randomly Generated Password
  Deleting a Principal
  Extracting a Principal
  Listing the Attributes of a Principal
  Modifying a Principal
  Number of Authentication Failures (
  Key Version Number Attribute
  LDAP DN
  Policy Name
  Attributes
  Allow Postdated Attribute
  Allow Renewable Attribute
  Allow Forwardable Attribute
  Allow Proxy Attribute
  Allow Duplicate Session Key Attribute
  Require Preauthentication Attribute
  Require Password Change Attribute
  Lock Principal Attribute
  Allow As Service Attribute
  Require Initial Authentication Attribute
  Set As Password Change Service Attribute
  Password Expiration Attribute
  Principal Expiration Attribute
  Maximum Ticket Lifetime Attribute
  Maximum Renew Time Attribute
  Key Type Attribute
  Salt Type Attribute
  Principal Database Utilities
  Kerberos Database Utilities
  Database Encryption
  Database Master Password
  Destroying the Kerberos Database
  Dumping the Kerberos Database
  Loading the Kerberos Database
  Stashing the Master Key
  Starting and Stopping Daemons
  Maintenance Tasks
  Protecting Security Server Secrets
  host/fqdn@REALM
  Master Password
  Backing Up primary security server Data
  Backing Up the Principal Database
  Removing Unused Space from the Database

9 Propagating the Kerberos Server
  Propagation Hierarchy
  Propagation Relationships
  Service Key Table
  Maintaining Secret Keys in the Key Table File
  Extracting a Key to the Service Key Table File
  Creating a New Service Key Table File
  Deleting Older Keys from the Service Key Table File
  Propagation Tools
  The kpropd Daemon
  The mkpropcf Tool
  The kpropd.ini File
  Sections
  The [default_values] Section
  The [secsrv_name] Section
  Examples
  The prpadmin Administrative Application
  Setting Up Propagation
  Monitoring Propagation
  Monitoring the Log File
  Critical Error Messages
  Monitoring Propagation Queue Files
  Monitoring Old File Date and Large File Size
  Updating the principal.ok Time Stamp
  Comparing the Database to Its Copies
  The kdb_dump Utility
  Restarting Propagation Using a Simple Process
  Restarting Propagation Using the Full Dump Method
  Propagation Failure
  Converting a secondary security server to a primary security server
  Restarting Services
  Cleaning the Temp Directory
  Configuring Multirealm Enterprises
  Number of Realms per Database
  primary security servers Supporting Multiple Realms
  Multiple primary security servers Supporting a Single Realm
  Adding More Realms to a Multirealm Database
  database propagation

10 Managing Multiple Realms
  Considering a Trust Relationship
  one-way trust
  two-way trust
  hierarchal trust
  Other Types of Trust
  Configuring Direct Trust Relationships
  Hierarchical Interrealm Trust
  Hierarchical Chain of Trust
  Hierarchical Interrealm Configuration
  Configuring the Local Realm
  Configuring the Intermediate Realm
  Configuring the Target Realm

11 Troubleshooting
  Characterizing a Problem
  Diagnostic Tools Summary
  Troubleshooting Kerberos
  Error Messages
  Logging Capabilities
  UNIX
  Services Checklist
  Troubleshooting Techniques
  General Errors
  Forgotten Passwords
  Locking and Unlocking Accounts
  clock synchronization
  User Error Messages
  Decrypt Integrity Check Failed
  Password Has Already Been Used or Is Too Close to Current One
  Administrative Error Messages
  Password Has Expired While Getting Initial Ticket
  Service Key Not Available While Getting Initial Ticket
  Reporting Problems to Your HP Support Contact
  The services File

Size: 1.7 MB
Pages: 327
Language: English