Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 5 Configuring the Kerberos Server With C-Tree Backend

Configuration Files for the Kerberos Server
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

You must install all the critical Kerberos server files on the system before you start configuring the Kerberos Server. You must configure these files on the primary security server and copy these files to all the secondary security servers on the network. Table 5-1 “Security Server Files That Require Configuration” briefly describes the server files that you need to configure.

Table 5-1 Security Server Files That Require Configuration

Configuration FileFunction
/opt/krb5/krb.confDescribes the default realm of the primary security server and the roles of each server for that particular realm.
/opt/krb5/krb.realmsProvides a way to map the host name or domain name to the associated realm name.

/opt/krb5/admin_acl_file

Controls the administrative permissions for administrators. See “The admin_acl_file File” for more information.
/opt/krb5/password.policyControls password policy for the entire security network. See “Password Policy File” for more information.
/opt/krb5/kpropd.iniContains the configuration information that is used for propagation. This is a text file. See “The kpropd.ini File” for more information.

 

This chapter contains detailed descriptions of the krb.conf and krb.realms configuration files. If you have opted to configure LDAP as the backend, see “Planning Your LDAP Configuration”.

The krb.conf File

The krb.conf configuration file contains information about the default realm of the host, the administration server, and security servers for known realms. HP recommends that you copy the krb.conf.sample file from the /opt/krb5/examples directory to the /opt/krb5 directory.

This file must reside in the /opt/krb5 directory and must have the following permissions:

-rw-r--r--      root       3

The configuration file identifies the servers that support authentication for the designated realm, and defines the default realm for the host where the file is stored.

The krb.conf file lists the default realm of the host system. It also maps known realms to their primary and secondary security servers by host name, and network location.

Assuming that your network environment performs load-balancing and redundancy, you must create multiple versions of the krb.conf file. You must also configure secondary security servers to act as authentication servers. This allows the primary security server to be available for tasks other than authentication.

The krb.conf file is used during propagation configuration. The realm specified in the first line of the configuration file is considered as the default realm of the server. This has to be the first realm created in the database containing the K/M principal.

The krb.conf File Format

Use the format shown below to create an entry in the krb.conf file. See Appendix B “Sample krb.conf File” to see how a sample krb.conf file looks.

Your_Realm_Name
Your_Realm_Name Your_Secondary_Server1
Your_Realm_Name Your_Secondary_Server2
Your_Realm_Name your_primary_server admin server

The first line of the krb.conf file identifies the host system’s default realm. By convention, realm names are in uppercase letters to visually distinguish them from domain names.

NOTE: Realm names are case sensitive; you must type the realm name correctly if your site does not follow the uppercase convention.

The subsequent lines require fields that identify the security server host names. Each field in the line must be separated by a space or a tab. The second field indicates the Fully Qualified Domain Name (FQDN) of the host security server for that realm.

The order of entries in the krb.conf file is important on the client system, because it is used to identify the intended order of redundant security servers. Applications attempting to connect to the security server use this file to read the entries in the listed order. Redundant security servers are used when higher priority security servers are unavailable or when a network timeout has occurred.

To create comments, use the hash sign(#). Ignore blank lines, leading or trailing white spaces in a line, and characters after a hash (#) symbol.

The krb.realms File

The krb.realms file defines host-to-realm or domain-to-realm name mapping data. The krb.realms file is located only on Kerberos server systems in the /opt/krb5 directory.

The krb.realms file ensures that all systems on the network can identify the other systems that reside in each realm.

Because, the realm name is case sensitive, the Kerberos Server looks for a domain name that is in uppercase characters. If you decide to follow the default realm naming convention, the realm names are already in uppercase characters, and you need not configure and maintain the krb.realms file on your client system.

Secure applications initially search for a matching host name and then a matching domain name in the krb.realms file. If a match is not found, the application initiates a wildcard match.

If no translation entry applies or the file does not exist, the realm name of the host is considered as the domain name of the host’s domain. This domain name is converted to the uppercase equivalent.

The krb.realms file must contain sufficient entries to define the realm used by every service a client computer must access. You can create a krb.realms file that contains all the required entries for your enterprise.

If you support inter-realm authentication, the krb.realms file must contain the required entries to locate the foreign realms.

NOTE: The krb.realms file does not identify systems as primary or secondary security servers. It does not define the relationship between the primary and secondary security servers. These definitions exist in the krb.conf configuration file.

The krb.realms File Format

Use the format below to add entries in the krb.realms file. See Appendix C “Sample krb.realms File”to see how a sample krb.realms file looks.

Your_Primary_Security_Server Your_Realm_Name     
.Your_Secondary_Security_Server Your_Realm_Name  
*.Your_Domain_Name Your_Realm_Name                   

You can add entries to the file to identify various translations from host names to realm names. The order of the entries is insignificant.

Each entry in the file requires two fields that are separated either by a space or by a tab. The following format is generally used:

  • The first field specifies a name. You can either specify a single host name or specify multiple host names with one entry using the wildcards . (period) or * (asterisk), respectively, as described in Table 5-2 “Wildcard Characters”.

  • The second field specifies the associated realm. By convention, realm names must be in uppercase letters to visually distinguish realm names from domain names.

NOTE: Realm names are case sensitive. You must type the correct case for the realm name if you are not following the uppercase convention.

To create comments, use the hash sign (#). Any characters after a # sign are ignored. Blank lines and any leading or trailing white spaces in a line are also ignored.

To identify multiple hosts that belong to the same realm in a single entry, use one of the wildcard characters described in Table 5-2 “Wildcard Characters”.

Table 5-2 Wildcard Characters

Wildcard Character

Description

. (period)

Begin the name field with a period followed by a domain name to designate that all hosts in the specified domain belong to the indicated realm.

For example, to indicate that the hosts sales.bambi.com and mrkt.bambi.com belong to REALM1, add the following entry in your krb.realms file:

.bambi.com	 REALM1
* (asterisk)

Begin the name field with an asterisk (*) followed by a parent domain name to designate all hosts in subdomains that belong to the indicated realm.

For example, to indicate that hosts bob.sales.bambi.com and man.john.sales.bambi.com belong to REALM2, add the following entry in your krb.realms file:

*.sales.com REALM2

 



Chapter 5 Configuring the Kerberos Server With C-Tree Backend
  		 


Autoconfiguring the Kerberos Server  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2007 Hewlett-Packard Development Company, L.P.