1 @node How to set up a realm, One-Time Passwords, Installing programs, Top
2 @chapter How to set up a realm
6 Who willed you? or whose will stands but mine?
7 There's none protector of the realm but I.
8 Break up the gates, I'll be your warrantize.
9 Shall I be flouted thus by dunghill grooms?
10 --- King Henry VI, 6.1
15 * How to set up the kerberos server::
16 * Install the client programs::
17 * Install the kerberised services::
18 * Install a slave kerberos server::
19 * Cross-realm functionality ::
22 @node How to set up the kerberos server, Install the client programs, How to set up a realm, How to set up a realm
23 @section How to set up the kerberos server
26 * Choose a realm name::
27 * Choose a kerberos server::
28 * Install the configuration files::
29 * Install the /etc/services::
30 * Install the kerberos server::
32 * Add a few important principals::
34 * Try to get tickets::
35 * Create initial ACL for the admin server::
36 * Start the admin server::
37 * Add users to the database::
38 * Automate the startup of the servers::
41 @node Choose a realm name, Choose a kerberos server, How to set up the kerberos server, How to set up the kerberos server
42 @subsection Choose a realm name
46 realm is an administrative domain. Kerberos realms are usually
47 written in uppercase and consist of a Internet domain
48 name@footnote{Using lowercase characters in the realm name might break
49 in mysterious ways. This really should have been fixed, but has not.}.
50 Call your realm the same as your Internet domain name if you do not have
51 strong reasons for not doing so. It will make life easier for you and
54 @node Choose a kerberos server, Install the configuration files, Choose a realm name, How to set up the kerberos server
55 @subsection Choose a kerberos server
57 You need to choose a machine to run the
59 kerberos server program. If the kerberos database residing on this host
60 is compromised, your entire realm will be compromised. Therefore, this
61 machine must be as secure as possible. Preferably it should not run any
62 services other than Kerberos. The secure-minded administrator might
63 only allow logins on the console.
65 This machine has also to be reliable. If it is down, you will not be
66 able to use any kerberised services unless you have also configured a
67 slave server (@pxref{Install a slave kerberos server}).
69 Running the kerberos server requires very little CPU power and a small
70 amount of disk. An old PC with some hundreds of megabytes of free disk
71 space should do fine. Most of the disk space will be used for various
74 @node Install the configuration files, Install the /etc/services, Choose a kerberos server, How to set up the kerberos server
75 @subsection Install the configuration files
77 There are two important configuration files: @file{/etc/krb.conf} and
78 @file{/etc/krb.realms}.
82 The @file{krb.conf} file determines which machines are servers for
83 different realms. The format of this file is:
88 THIS.REALM kerberos.this.realm admin server
89 THIS.REALM kerberos-1.this.realm
90 SUPP.LOCAL.REALM kerberos.supp.local.realm admin server
91 ANOTHER.REALM kerberos.another.realm
94 The first line defines the name of the local realm. The next few lines
95 optionally defines supplementary local realms.
96 @cindex supplementary local realms
98 defines the names of the kerberos servers and the database
99 administration servers for all known realms. You can define any number
100 of kerberos slave servers similar to the one defined on line
101 four. Clients will try to contact servers in listed order.
103 The @samp{admin server} clause at the first entry states that this is
105 @cindex master server
106 (the one to contact when modifying the database, such as changing
107 passwords). There should be only one such entry for each realm.
109 In the original MIT Kerberos 4 (as in most others), the server
110 specification could only take the form of a host-name. To facilitate
111 having kerberos servers in odd places (such as behind a firewall),
112 support has been added for ports other than the default (750), and
113 protocols other than UDP.
115 The formal syntax for an entry is now
116 @samp{[@var{proto}/]@var{host}[:@var{port}]}. @var{proto} is either
117 @samp{UDP}, @samp{TCP}, or @samp{HTTP}, and @var{port} is the port to
118 talk to. Default value for @var{proto} is @samp{UDP} and for @var{port}
119 whatever @samp{kerberos-iv} is defined to be in @file{/etc/services} or
120 750 if undefined. If @var{proto} is @samp{HTTP}, the default port is
121 80. An @samp{http} entry may also be specified in URL format.
123 If the information about a realm is missing from the @file{krb.conf}
124 file, or if the information is wrong, the following methods will be
129 If you have an SRV-record (@cite{RFC 2052}) for your realm it will be
130 used. This record should be of the form
131 @samp{kerberos-iv.@var{protocol}.@var{REALM}}, where @var{proto} is
132 either @samp{UDP}, @samp{TCP}, or @samp{HTTP}. (Note: the current
133 implementation does not look at priority or weight when deciding which
136 If there isn't any SRV-record, it tries to find a TXT-record for the
137 same domain. The contents of the record should have the same format as the
138 host specification in @file{krb.conf}. (Note: this is a temporary
139 solution if your name server doesn't support SRV records. The clients
140 should work fine with SRV records, so if your name server supports them,
141 they are very much preferred.)
143 If no valid kerberos server is found, it will try to talk UDP to the
144 service @samp{kerberos-iv} with fall-back to port 750 with
145 @samp{kerberos.@var{REALM}} (which is also assumed to be the master
146 server), and then @samp{kerberos-1.@var{REALM}},
147 @samp{kerberos-2.@var{REALM}}, and so on.
150 SRV records have been supported in BIND since 4.9.5T2A. An example
151 would look like the following in the zone file:
154 kerberos-iv.udp.foo.se. 1M IN SRV 1 0 750 kerberos-1.foo.se.
155 kerberos-iv.udp.foo.se. 1M IN SRV 0 0 750 kerberos.foo.se.
158 We strongly recommend that you add a CNAME @samp{kerberos.@var{REALM}}
159 pointing to your kerberos master server.
161 The @file{krb.realms} file is used to find out what realm a particular
162 host belongs to. An example of this file could look like:
165 this.realm THIS.REALM
166 .this.realm THIS.REALM
167 foo.com SOME.OTHER.REALM
168 www.foo.com A.STRANGE.REALM
172 Entries starting with a dot are taken as the name of a domain. Entries
173 not starting with a dot are taken as a host-name. The first entry matched
174 is used. The entry for @samp{this.realm} is only necessary if there is a
175 host named @samp{this.realm}.
177 If no matching realm is found in @file{krb.realms}, DNS is searched for
178 the correct realm. For example, if we are looking for host @samp{a.b.c},
179 @samp{krb4-realm.a.b.c} is first tried and then @samp{krb4-realm.b.c}
180 and so on. The entry should be a TXT record containing the name of the
184 krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE"
187 If this didn't help the domain name sans the first part in uppercase is
190 The plain vanilla version of Kerberos doesn't have any fancy methods of
191 getting realms and servers so it is generally a good idea to keep
192 @file{krb.conf} and @file{krb.realms} up to date.
194 In addition to these commonly used files, @file{/etc/krb.extra}
196 holds some things that are not normally used. It consists of a number of
197 @samp{@var{variable} = @var{value}} pairs, blank lines and lines
198 beginning with a hash (#) are ignored.
200 The currently defined variables are:
205 The time in seconds to wait for an answer from the KDC (the default is 4
209 This flag enables storing of the time differential to the KDC when
210 getting an initial ticket. This differential is used later on to compute
211 the correct time. This can help if your machine doesn't have a working
213 @item firewall_address
214 @cindex firewall_address
215 The IP address that hosts outside the firewall see when connecting from
216 within the firewall. If this is specified, the code will try to compute
217 the value for @samp{reverse_lsb_test}.
220 When getting tickets via HTTP, this specifies the proxy to use. The
221 default is to speak directly to the KDC.
222 @item krb_default_tkt_root
223 @cindex krb_default_tkt_root
224 The default prefix for ticket files. The default is @file{/tmp/tkt}.
225 Normally the uid or tty is appended to this prefix.
226 @item krb_default_keyfile
227 @cindex krb_default_keyfile
228 The file where the server keys are stored, the default is @file{/etc/srvtab}.
231 If the client is behind a Network Address Translator (NAT).
232 @cindex Network Address Translator
234 @item reverse_lsb_test
235 @cindex reverse_lsb_test
236 Reverses the test used by @code{krb_mk_safe}, @code{krb_rd_safe},
237 @code{krb_mk_priv}, and @code{krb_rd_priv} to compute the ordering of
238 the communicating hosts. This test can cause truble when using
242 @node Install the /etc/services, Install the kerberos server, Install the configuration files, How to set up the kerberos server
243 @subsection Updating /etc/services
245 You should append or merge the contents of @file{services.append} to
246 your @file{/etc/services} files or NIS-map. Remove any unused factory
247 installed kerberos port definitions to avoid possible conflicts.
250 Most of the programs will fall back to the default ports if the port
251 numbers are not found in @file{/etc/services}, but it is convenient to
252 have them there anyway.
254 @node Install the kerberos server, Set up the server, Install the /etc/services, How to set up the kerberos server
255 @subsection Install the kerberos server
257 You should have already chosen the machine where you want to run the
258 kerberos server and the realm name. The machine should also be as
259 secure as possible (@pxref{Choose a kerberos server}) before installing
260 the kerberos server. In this example, we will install a kerberos server
261 for the realm @samp{FOO.SE} on a machine called @samp{hemlig.foo.se}.
263 @node Set up the server, Add a few important principals, Install the kerberos server, How to set up the kerberos server
264 @subsection Setup the server
266 Login as root on the console of the kerberos server. Add
267 @file{/usr/athena/bin} and @file{/usr/athena/sbin} to your path. Create
268 the directory @file{/var/kerberos} (@kbd{mkdir /var/kerberos}), which is
269 where the database will be stored. Then, to create the database, run
275 hemlig# mkdir /var/kerberos
277 Realm name [default FOO.SE ]:
278 You will be prompted for the database Master Password.
279 It is important that you NOT FORGET this password.
281 Enter Kerberos master password:
283 Enter Kerberos master password:
287 If you have set up the configuration files correctly, @kbd{kdb_init}
288 should choose the correct realm as the default, otherwise a (good) guess
289 is made. Enter the master password.
291 This password will only be used for encrypting the kerberos database on
292 disk and for generating new random keys. You will not have to remember
293 it, only to type it again when you run @kbd{kstash}. Choose something
294 long and random. Now run @kbd{kstash} using the same password:
301 Enter Kerberos master password:
303 Current Kerberos master key version is 1.
305 Master key entered. BEWARE!
306 Wrote master key to /.k
310 After entering the same master password it will be saved in the file
311 @file{/.k} and the kerberos server will read it when needed. Write down
312 the master password and put it in a sealed envelope in a safe, you might
313 need it if your disk crashes or should you want to set up a slave
316 @code{kdb_init} initializes the database with a few entries:
319 @item krbtgt.@var{REALM}
320 The key used for authenticating to the kerberos server.
322 @item changepw.kerberos
323 The key used for authenticating to the administrative server, i.e. when
324 adding users, changing passwords, and so on.
327 This entry is copied to new items when these are added. Enter here the
328 values you want new entries to have, particularly the expiry date.
331 This is the master key and it is only used to verify that the master key
332 that is saved un-encrypted in @file{/.k} is correct and corresponds to
337 @code{kstash} only reads the master password and writes it to
338 @file{/.k}. This enables the kerberos server to start without you
339 having to enter the master password. This file (@file{/.k}) is only
340 readable by root and resides on a ``secure'' machine.
342 @node Add a few important principals, Start the server, Set up the server, How to set up the kerberos server
343 @subsection Add a few important principals
345 Now the kerberos database has been created, containing only a few
346 principals. The next step is to add a few more so that you can test
347 that it works properly and so that you can administer your realm without
348 having to use the console on the kerberos server. Use @kbd{kdb_edit}
349 to edit the kerberos database directly on the server.
352 @code{kdb_edit} is intended as a bootstrapping and fall-back mechanism
353 for editing the database. For normal purposes, use the @code{kadmin}
354 program (@pxref{Add users to the database}).
356 The following example shows the adding of the principal
357 @samp{nisse.admin} into the kerberos database. This principal is used
358 by @samp{nisse} when administrating the kerberos database. Later on the
359 normal principal for @samp{nisse} will be created. Replace @samp{nisse}
360 and @samp{password} with your own username and password.
366 Current Kerberos master key version is 1.
368 Master key entered. BEWARE!
369 Previous or default values are in [brackets] ,
370 enter return to leave the same, or new value.
372 Principal name: <nisse>
375 <Not found>, Create [y] ? <>
377 Principal: nisse, Instance: admin, kdc_key_ver: 1
378 New Password: <password>
380 New Password: <password>
382 Principal's new key version = 1
383 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? <>
384 Max ticket lifetime (*5 minutes) [ 255 ] ? <>
385 Attributes [ 0 ] ? <>
391 @code{kdb_edit} will loop until you hit the @kbd{return} key at the
392 ``Principal name'' prompt. Now you have added nisse as an administrator.
396 @node Start the server, Try to get tickets, Add a few important principals, How to set up the kerberos server
397 @subsection Start the server
402 hemlig# /usr/athena/libexec/kerberos &
403 Kerberos server starting
404 Sleep forever on error
405 Log file is /var/log/kerberos.log
406 Current Kerberos master key version is 1.
408 Master key entered. BEWARE!
410 Current Kerberos master key version is 1
415 @node Try to get tickets, Create initial ACL for the admin server, Start the server, How to set up the kerberos server
416 @subsection Try to get tickets
418 You can now verify that these principals have been added and that the
419 server is working correctly.
425 eBones International (hemlig.foo.se)
426 Kerberos Initialization
427 Kerberos name: <nisse.admin>
432 If you do not get any error message from @code{kinit}, then everything
433 is working (otherwise, see @ref{Common error messages}). Use
434 @code{klist} to verify the tickets you acquired with @code{kinit}:
440 Ticket file: /tmp/tkt0
441 Principal: nisse.admin@@FOO.SE
443 Issued Expires Principal
444 May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
448 @node Create initial ACL for the admin server, Start the admin server, Try to get tickets, How to set up the kerberos server
449 @subsection Create initial ACL for the admin server
451 The admin server, @code{kadmind}, uses a series of files to determine who has
453 the right to perform certain operations. The files are:
454 @file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.del}, and
455 @file{admin_acl.mod}. Create these with @samp{nisse.admin@@FOO.SE} as
457 @pindex admin_acl.add
458 @pindex admin_acl.get
459 @pindex admin_acl.del
460 @pindex admin_acl.mod
464 hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.add
465 hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.get
466 hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.mod
467 hemlig# echo "nisse.admin@@FOO.SE" >> /var/kerberos/admin_acl.del
471 Later on you may wish to add more users with administration
472 privileges. Make sure that you create both the administration principals
473 and add them to the admin server ACL.
475 @node Start the admin server, Add users to the database, Create initial ACL for the admin server, How to set up the kerberos server
476 @subsection Start the admin server
481 hemlig# /usr/athena/libexec/kadmind &
482 KADM Server KADM0.0A initializing
483 Please do not use 'kill -9' to kill this job, use a
486 Current Kerberos master key version is 1.
488 Master key entered. BEWARE!
492 @node Add users to the database, Automate the startup of the servers, Start the admin server, How to set up the kerberos server
493 @subsection Add users to the database
495 Use the @code{kadmin} client to add users to the database:
500 hemlig# kadmin -p nisse.admin -m
501 Welcome to the Kerberos Administration Program, version 2
502 Type "help" if you need it.
504 Admin password: <nisse.admin's password>
505 Maximum ticket lifetime? (255) [Forever]
507 Expiration date (enter yyyy-mm-dd) ? [Sat Jan 1 05:59:00 2000]
509 Verifying password Password for nisse:
510 nisse added to database.
514 Add whatever other users you want to have in the same way. Verify that
515 a user is in the database and check the database entry for that user:
520 Info in Database for nisse.:
521 Max Life: 255 (Forever) Exp Date: Sat Jan 1 05:59:59 2000
525 Cleaning up and exiting.
529 @node Automate the startup of the servers, , Add users to the database, How to set up the kerberos server
530 @subsection Automate the startup of the servers
532 Add the lines that were used to start the kerberos server and the
533 admin server to your startup scripts (@file{/etc/rc} or similar).
536 @node Install the client programs, Install the kerberised services, How to set up the kerberos server, How to set up a realm
537 @section Install the client programs
539 Making a machine a kerberos client only requires a few steps. First you
540 might need to change the configuration files as with the kerberos
541 server. (@pxref{Install the configuration files} and @pxref{Install the
542 /etc/services}.) Also you need to make the programs in
543 @file{/usr/athena/bin} available. This can be done by adding the
544 @file{/usr/athena/bin} directory to the users' paths, by making symbolic
545 links, or even by copying the programs.
547 You should also verify that the local time on the client is synchronised
548 with the time on the kerberos server by some means. The maximum allowed
549 time difference between the participating servers and a client is 5
552 One good way to synchronize the time is NTP (Network Time Protocol), see
553 @url{http://www.eecis.udel.edu/~ntp/}.
555 If you need to run the client programs on a machine where you do not
556 have root-access, you can hopefully just use the binaries and no
557 configuration will be needed. The heuristics used are mentioned above
558 (see @ref{Install the configuration files}). If this is not the case
559 and you need to have @file{krb.conf} and/or @file{krb.realms}, you can
560 copy them into a directory of your choice and
563 set the environment variable @var{KRBCONFDIR} to point at this
567 To test the client functionality, run the @code{kinit} program:
572 eBones International (foo.foo.se)
573 Kerberos Initialization
574 Kerberos name: <nisse>
578 Ticket file: /tmp/tkt4711
579 Principal: nisse@@FOO.SE
581 Issued Expires Principal
582 May 24 21:06:03 May 25 07:06:03 krbtgt.FOO.SE@@FOO.SE
586 @node Install the kerberised services, Install a slave kerberos server, Install the client programs, How to set up a realm
587 @section Install the kerberised services
589 These includes @code{rsh}, @code{rlogin}, @code{telnet}, @code{ftp},
590 @code{rxtelnet}, and so on.
597 First follow the steps mentioned in the prior section to make it a
598 client and verify its operation. Change @file{inetd.conf} next to use
599 the new daemons. Look at the file
601 @file{etc/inetd.conf.changes} to see the changes that we recommend you
602 perform on @file{inetd.conf}.
604 You should at this point decide what services you want to run on
607 @subsection rsh, rlogin, and rcp
612 These exist in kerberised versions and ``old-style'' versions. The
613 different versions use different port numbers, so you can choose none,
614 one, or both. If you do not want to use ``old-style'' r* services, you
615 can let the programs output the text ``Remote host requires Kerberos
616 authentication'' instead of just refusing connections to that port.
617 This is enabled with the @samp{-v} option. The kerberised services
618 exist in encrypted and non-encrypted versions. The encrypted services
619 have an ``e'' prepended to the name and the programs take @samp{-x} as an
620 option indicating encryption.
622 Our recommendation is to only use the kerberised services and give
623 explanation messages for the old ports.
628 The telnet service always uses the same port and negotiates as to which
629 authentication method should be used. The @code{telnetd} program has
631 an option ``-a user'' that only allows kerberised and authenticated
632 connections. If this is not included, it falls back to using clear text
633 passwords. For obvious reasons, we recommend that you enable this
634 option. If you want to use one-time passwords (@pxref{One-Time
635 Passwords}) you can use the ``-a otp'' option which will allow OTPs or
636 kerberised connections.
641 The ftp service works as telnet does, with just one port being used. By
642 default only kerberos authenticated connections are allowed. You can
643 specify additional levels that are thus allowed with these options:
647 Allow one-time passwords (@pxref{One-Time Passwords}).
649 Allow anonymous login (as user ``ftp'' or ``anonymous'').
651 The same as @kbd{-a ftp}, for backwards compatibility.
653 Allow clear-text passwords.
655 The same as @kbd{-a ftp -a plain}.
657 A no-op, also there for backwards compatibility reasons.
660 When running anonymous ftp you should read the man page on @code{ftpd}
661 which explains how to set it up.
666 The Post Office Protocol (POP) is used to retrieve mail from the mail
667 hub. The @code{popper} program implements the standard POP3 protocol
668 and the kerberised KPOP. Use the @samp{-k} option to run the kerberos
669 version of the protocol. This service should only be run on your mail
675 @code{kx} allows you to run X over a kerberos-authenticated and
676 encrypted connection. This program is used by @code{rxtelnet},
677 @code{tenletxr}, and @code{rxterm}.
679 If you have some strange kind of operating system with X libraries that
680 do not allow you to use unix-sockets, you need to specify the @samp{-t}
682 option to @code{kxd}. Otherwise it should be sufficient by adding the
683 daemon in @file{inetd.conf}.
688 This service allows you to create tickets on a remote host. To
689 enable it just insert the corresponding line in @file{inetd.conf}.
694 In the same way every user needs to have a password registered with
695 the kerberos server, every service needs to have a shared key with the
696 kerberos server. The service keys are stored in a file, usually called
697 @file{/etc/srvtab}. This file should not be readable to anyone but
698 root, in order to keep the key from being divulged. The name of this principal
699 in the kerberos database is usually the service name and the hostname. Examples
700 of such principals are @samp{pop.@var{hostname}} and
701 @samp{rcmd.@var{hostname}}. (rcmd comes from ``remote command''.) Here
702 is a list of the most commonly used srvtab types and what programs use them.
705 @item rcmd.@var{hostname}
706 rsh, rcp, rlogin, telnet, kauth, su, kx
709 @item pop.@var{hostname}
710 popper, movemail, push
711 @item sample.@var{hostname}
712 sample_server, simple_server
713 @item changepw.kerberos
715 @item krbtgt.@var{realm}
716 kerberos (not stored in any srvtab)
717 @item ftp.@var{hostname}
718 ftp (also tries with rcmd.@var{hostname})
721 @item afs or afs.@var{cellname}
725 To create these keys you will use the the @code{ksrvutil} program.
732 bar# ksrvutil -p nisse.admin get
736 Is this correct? (y,n) [y] <>
737 Add more keys? (y,n) [n] <>
738 Password for nisse.admin@@FOO.SE: <nisse.admin's password>
741 Old keyfile in /etc/srvtab.old.
745 @subsection Complete test of the kerberised services
747 Obtain a ticket on one machine (@samp{foo}) and use it to login with a
748 kerberised service to a second machine (@samp{bar}). The test should
749 look like this if successful:
754 eBones International (foo.foo.se)
755 Kerberos Initialization for "nisse"
756 Password: <nisse's password>
758 Ticket file: /tmp/tkt4711
759 Principal: nisse@@FOO.SE
761 Issued Expires Principal
762 May 30 13:48:03 May 30 23:48:03 krbtgt.FOO.SE@@FOO.SE
764 Trying 17.17.17.17...
765 Connected to bar.foo.se
766 Escape character is '^]'.
767 [ Trying mutual KERBEROS4 ... ]
768 [ Kerberos V4 accepts you ]
769 [ Kerberos V4 challenge successful ]
774 You can also try with @code{rsh}, @code{rcp}, @code{rlogin},
775 @code{rlogin -x}, and some other commands to see that everything is
778 @node Install a slave kerberos server, Cross-realm functionality , Install the kerberised services, How to set up a realm
779 @section Install a slave kerberos server
781 It is desirable to have at least one backup (slave) server in case the
782 master server fails. It is possible to have any number of such slave
783 servers but more than three usually doesn't buy much more redundancy.
785 First select a good server machine. (@pxref{Choose a kerberos
788 On the master, add a @samp{rcmd.kerberos} (note, it should be literally
789 ``kerberos'') principal (using @samp{ksrvutil get}). The
791 @code{kprop} program, running on the master, will use this when
792 authenticating to the
794 @code{kpropd} daemons running on the slave servers. The @code{kpropd}
795 on the slave will use its @samp{rcmd.hostname} key for authenticating
796 the connection from the master. Therefore, the slave needs to have this
797 key in its srvtab, and it of course also needs to have enough of the
798 configuration files to act as a server. See @ref{Install the kerberised
799 services} for information on how to do this.
801 To summarize, the master should have a key for @samp{rcmd.kerberos} and
802 the slave one for @samp{rcmd.hostname}.
804 The slave will need the same master key as you used at the master.
806 On your master server, create a file, e.g. @file{/var/kerberos/slaves},
807 that contains the hostnames of your kerberos slave servers.
809 Start @code{kpropd} with @samp{kpropd -i} on your slave servers.
811 On your master server, create a dump of the database and then propagate
815 foo# kdb_util slave_dump /var/kerberos/slave_dump
819 You should now have copies of the database on your slave servers. You
820 can verify this by issuing @samp{kdb_util dump @var{file}} on your
821 slave servers, and comparing with the original file on the master
822 server. Note that the entries will not be in the same order.
824 This procedure should be automated with a script run regularly by cron,
825 for instance once an hour.
827 Since the master and slave servers will use copies of the same
828 database, they need to use the same master key. Add the master key on
829 the slave with @code{kstash}. (@pxref{Set up the server})
831 To start the kerberos server on slaves, you first have to copy the
832 master key from the master server. You can do this either by remembering
833 the master password and issuing @samp{kstash}, or you can just copy the
834 keyfile. Remember that if you copy the file, do so on a safe media, not
835 over the network. Good means include floppy or paper. Paper is better,
836 since it is easier to swallow afterwards.
838 The kerberos server should be started with @samp{-s} on the slave
839 servers. This enables sanity checks, for example checking the time since
840 the last update from the master.
842 All changes to the database are made by @code{kadmind} at the master,
843 and then propagated to the slaves, so you should @strong{not} run
844 @code{kadmind} on the slaves.
846 Finally add the slave servers to
847 @file{/etc/krb.conf}. The clients will ask the servers in the order
848 specified by that file.
850 Consider adding CNAMEs to your slave servers, see @ref{Install the
851 configuration files}.
853 @node Cross-realm functionality , , Install a slave kerberos server, How to set up a realm
854 @section Cross-realm functionality
856 Suppose you are residing in the realm @samp{MY.REALM}, how do you
857 authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in
858 @samp{MY.REALM} allows you to communicate with kerberised services in that
859 realm. However, the computer in the other realm does not have a secret
860 key shared with the kerberos server in your realm.
862 It is possible to add a shared key between two realms that trust each
863 other. When a client program, such as @code{telnet}, finds that the
864 other computer is in a different realm, it will try to get a ticket
865 granting ticket for that other realm, but from the local kerberos
866 server. With that ticket granting ticket, it will then obtain service
867 tickets from the kerberos server in the other realm.
869 To add this functionality you have to add a principal to each realm. The
870 principals should be @samp{krbtgt.OTHER.REALM} in @samp{MY.REALM}, and
871 @samp{krbtgt.MY.REALM} in @samp{OTHER.REALM}. The two different
872 principals should have the same key (and key version number). Remember
873 to transfer this key in a safe manner. This is all that is required.
880 Ticket file: /tmp/tkt3008
881 Principal: joda@@NADA.KTH.SE
883 Issued Expires Principal
884 Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
885 blubb$ telnet agat.e.kth.se
886 Trying 130.237.48.12...
887 Connected to agat.e.kth.se.
888 Escape character is '^]'.
889 [ Trying mutual KERBEROS4 ... ]
890 [ Kerberos V4 accepts you ]
891 [ Kerberos V4 challenge successful ]
892 Last login: Sun Jun 2 20:51:50 from emma.pdc.kth.se
895 Connection closed by foreign host.
897 Ticket file: /tmp/tkt3008
898 Principal: joda@@NADA.KTH.SE
900 Issued Expires Principal
901 Jun 7 02:26:23 Jun 7 12:26:23 krbtgt.NADA.KTH.SE@@NADA.KTH.SE
902 Jun 7 02:26:50 Jun 7 12:26:50 krbtgt.E.KTH.SE@@NADA.KTH.SE
903 Jun 7 02:26:51 Jun 7 12:26:51 rcmd.agat@@E.KTH.SE