kerberos - LCFG kerberos component
kerberos METHOD [ARGS]
An LCFG component that is used to configure and manage the MIT Kerberos service on clients and servers.
The non-standard component methods are described below.
On a client builds the client configuration and, if requested and not already done, creates the host key. On a slave builds the slave configuration and creates the stash file if not already done. On a master builds the master configuration and creates the master database if not already done. With the -f option, on a slave or master, forcibly destroys the existing configuration and database and re-creates them from scratch. Starts the kdc server on a master or slave, the kpropd client on a slave, the kadmin process on a master, and a keyserver process on a master and/or slave if requested.
The creation of the client host key and the slave stash file require input from the user and should not be executed when there is no user connected to stdin. The creation of the master database also requires user input (the database master key is typed in at this point) and, for reasons of security, should only be run directly from the machine's console.
On a master propagates the current database to the slaves. This method should be called automatically at a regular frequency via the cron component.
Extract local passwords from the keyserver (if enabled).
On a server (master or slave) backs up the current Kerberos database as a K5 dump file. The directory the backups are saved to is specified in the backup resource. The backup files should be kept at the same level of security as the original live data. The backups can be safely taken while the service is live. This method is normally invoked automatically at a regular time interval via the cron component.
On a server (master or slave) loads the current Kerberos database from dump files produced by the save method. Takes one optional argument, a timestamp. With no argument the load is done from the most recent dump file in the directory specified in the backup resource. The timestamp argument has the syntax [CC[YY[MM[DD[HH[MM]]]]]] and selects the most recent dump file whose timestamp begins with it. For example, 200202 would load from the most recent dump file from February 2002, and 2002021211 from the most recent dump file written between 11:00 and 11:59 on 12 February 2002. Invoking this method destroys the existing database and recreates it from the saved data, so confirm that the chosen dump is the intended one before running it on a live server.
On an offline client (a normally disconnected machine such as a laptop) destroys any credential cache files in /tmp.
On a master or slave checks whether the root partition is filling up. When there is no free scratch space the server will continue to respond to incoming authentication requests, but with bogus information, and in the case of the master the service will not fall back to the slaves. This method would normally be called automatically at a regular frequency via the cron component.
The non-standard component resources are described below.
The following resources control the configuration of clients and servers.
Indicates the type of the machine: client, offline, master or slave. Master and slave configure the relevant KDCs; offline indicates that the machine is a client which spends time disconnected, and so should not attempt updates when the start method is called.
The Kerberos realm that the machine inhabits.
The following resources control the configuration of clients.
Ticket lifetime (also used by the Krb5 PAM module as the renew lifetime).
Supported encryption types for tickets.
Supported encryption types for the ticket granting service.
If set to true the KDCs will be looked up using DNS SRV records, so they do not need to be explicitly specified.
If set to true the default realm will be looked up using DNS TXT records, so it does not need to be explicitly specified.
The addresses (in the form of machine:port) of KDCs for the default realm. Only necessary if DNS SRV records are not being used to provide this information.
If true the client will randomize the KDC list before adding it to the configuration file. Use this option with care: if a KDC other than the master is first in the list, newly installed services can fail until the next propagation, because their freshly created keys are not yet present on the slaves.
The address (in the same form as the kdc address) of the admin server for the default realm.
The default domain of this machine.
A space separated list of tags for mapping domains to realms.
The name of the domain to map, if missing uses default domain.
The name of the realm to map to, if missing uses default realm.
If set, disables the creation of a host key for this host. This can be used for lightweight clients, but may have dramatic effects on machines that run Kerberized services, or that require the host key for machine based authentication. Use with extreme care.
A list of additional realms.
The extra realm name.
The extra realm admin server address.
The extra realm domain.
The extra realm kdc addresses.
The following resources (in conjunction with some of the above) control the configuration of the Kerberos PAM service.
Set to true if the tickets requested by the Kerberos PAM module should be forwardable. Also makes tickets acquired through kinit forwardable if set to true.
Set to true if the Kerberos PAM module should automatically convert Kerberos V tickets to Kerberos IV ones.
Control the timeouts in establishing the connection to the KDC. See the pam_krb5 manpage for more details.
Set to true if the user should be given addressless tickets, that is ones that can be used from behind a NAT or on a dialup host.
Set to true if the user's TGT should be validated against a local service key before allowing the user to log in. Setting this to false leaves the machine open to KDC spoofing: an attacker who can answer the client's KDC request can have a login accepted on the strength of a TGT the genuine KDC never issued.
The following resources control the automatic creation and extraction of host keys from the KDC to keytabs. This is not the only place that this may occur, individual services may perform their own key extraction.
A list of the keys to extract. These are assumed to be principal names; the actual key extracted will be key/hostname@default_realm. If the keytab_key resource has no value these will be extracted to the default keytab.
The keytab to extract key to.
The UID or username to own the keytab for key. Note that if the same keytab is used for multiple keys, then the last key to be extracted will determine the ownership of the keytab. Defaults to root.
The GID or groupname to own the keytab for key. Defaults to root.
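How the keys, keytab_key, owner_key and group_key resources combine, as an added example (not the component's own code): it computes, for each target keytab, the principals that will be extracted into it and the ownership it ends up with, and flags the caveat above, where several keys share one keytab and the last one extracted silently decides who owns the file. The dictionary form of the resources, the default keytab path /etc/krb5.keytab and the sample host and realm are assumptions made for illustration.

```python
"""Plan host-key extraction from the keys/keytab_key/owner_key/group_key
resources and surface the ownership caveat: keys that share a keytab are
extracted in list order and the last one sets the file's owner and group.

Added example, not lcfg-kerberos code. The resource names follow the page;
the dict input format, the default keytab path /etc/krb5.keytab and the
sample host are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # assumed location of the default keytab


@dataclass
class KeytabPlan:
    principals: List[str] = field(default_factory=list)
    owner: str = "root"
    group: str = "root"
    # Every (owner, group) any key asked for; more than one means a conflict.
    requested: Set[Tuple[str, str]] = field(default_factory=set)


def plan_extraction(resources: Dict[str, str], hostname: str, realm: str) -> Dict[str, KeytabPlan]:
    """Map each target keytab to the principals it receives and its final ownership."""
    plans: Dict[str, KeytabPlan] = {}
    for key in resources.get("keys", "").split():
        principal = f"{key}/{hostname}@{realm}"          # key/hostname@default_realm
        keytab = resources.get(f"keytab_{key}") or DEFAULT_KEYTAB
        owner = resources.get(f"owner_{key}", "root")    # resource defaults to root
        group = resources.get(f"group_{key}", "root")
        plan = plans.setdefault(keytab, KeytabPlan())
        plan.principals.append(principal)
        plan.owner, plan.group = owner, group             # last key extracted wins
        plan.requested.add((owner, group))
    return plans


def ownership_conflicts(plans: Dict[str, KeytabPlan]) -> List[str]:
    """Keytabs whose keys disagree on ownership: at least one service will be unable to read its key."""
    return sorted(path for path, plan in plans.items() if len(plan.requested) > 1)


# Constructed resources: HTTP wants its keytab owned by apache, but cvs is
# listed later, lands in the same keytab, and carries the default root ownership.
SAMPLE_RESOURCES = {
    "keys": "host nfs HTTP cvs",
    "keytab_HTTP": "/etc/httpd/krb5.keytab",
    "owner_HTTP": "apache",
    "group_HTTP": "apache",
    "keytab_cvs": "/etc/httpd/krb5.keytab",
}

if __name__ == "__main__":
    plans = plan_extraction(SAMPLE_RESOURCES, "host.example.org", "EXAMPLE.ORG")
    for path, plan in plans.items():
        print(f"{path}: {plan.owner}:{plan.group} {' '.join(plan.principals)}")
    for path in ownership_conflicts(plans):
        print(f"WARNING: keys in {path} request different owners: {sorted(plans[path].requested)}")
```

Run against the constructed resources, /etc/httpd/krb5.keytab ends up root:root even though the HTTP key asked for apache, which is exactly the failure the ownership note warns about; the conflict check is the thing to run before deploying such a resource set.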
The following resources control the configuration of master and slave KDCs.
List of FQDNs of machines that slave from this one.
A list of FQDNs that this machine will accept KDC propagation requests from. Only one machine should be propagating at any one time, but listing more than one allows easy recovery from a dead master KDC.
The type of the KDC master key. Do not change this on a running KDC, unless you are aware of exactly what you are doing.
Encryption types that should be created for keys in the KDC.
Encryption types supported for authentication to the KDC.
List of ACL rules for the kadmin server, used as keys for the acl_tag resource.
Kadmin ACL list entry for tag. Together with the acls resource, this builds the ACL control file. Entries are as described in the kadmind(5) manpage.
If the KDC type is a master and this resource has a value the physical content of /var/kerberos/krb5kdc is relocated into the given directory and a symbolic link is made from /var/kerberos/krb5kdc to the new location. This is only ever done once as part of the buildmaster method.
Location that the KDC should log to.
Location that the Admin Server should log to.
Directory where the master servers database snapshot save files are stored.
Maximum number of snapshot save files to retain. The most recent N-1 files are always kept; once there are N or more, the oldest are removed.
If set to true run the kpropd on demand via xinetd (this must be separately configured, ideally using the lcfg-xinetd component) rather than stopping and starting the daemon when the kdc service is stopped and started.
Specifies the maximum time period that a ticket may be renewed for in this realm.
Maximum diskspace percentage used before starting to send warning messages. Default is 90%.
Maximum diskspace percentage used before trying to increase space by continually deleting log files. Default is 95%.
Maximum diskspace percentage used before giving up and stopping the server (requests automatically fall back to any configured slave servers if this is the master). Default is 99%.
Email addresses to send reports from the check method to.
The following resources control the configuration of local authentication for operation when disconnected (or no route to KDC).
A lauth crypted string containing the root password for the machine. This will probably eventually go away, in favour of extracting this directly from the KDC.
If true run the kdcpwdserver (must also be either a master or slave) to allow remote extraction of hashed passwords for local users.
The host to contact for remote extraction of hashed passwords, the host running the kdcpwdserver process.
A space separated list of those users who are allowed to log in to this machine when it is disconnected. This is used both on the client (to decide whether to extract keys) and on the key server (via an LCFG spanning map).
The following resources control the configuration of cross-realm authentication. These resources generate the capaths section of /etc/krb5.conf - see krb5.conf(5) for more details.
capaths
A space separated list of keys for each participating realm, to be used as keys in the resources below.
caname_key
The name of the realm indicated by the key.
caentries_key
A space separated list of subkeys for defining the authentication path for any participating realm indicated by key.
casub_key_subkey
The realm name to be used as a subtag.
caval_key_subkey
The realm name to be used as the value of the subtag.
Configuration of cross-realm authentication using these resources is easier to understand with an example. The following resources...
kerberos.capaths inf ed
kerberos.caname_inf INF.ED.AC.UK
kerberos.caentries_inf ed
kerberos.casub_inf_ed ED.AC.UK
kerberos.caval_inf_ed EASE.ED.AC.UK
kerberos.caname_ed ED.AC.UK
kerberos.caentries_ed inf
kerberos.casub_ed_inf INF.ED.AC.UK
kerberos.caval_ed_inf EASE.ED.AC.UK
... would lead to the following being generated in /etc/krb5.conf...
[capaths]
INF.ED.AC.UK = {
ED.AC.UK = EASE.ED.AC.UK
}
ED.AC.UK = {
INF.ED.AC.UK = EASE.ED.AC.UK
}
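The generation step shown above, as an added example (not the component's own code): it reads the resources in the kerberos.resource value form the page uses, walks capaths, caname_key, caentries_key and the casub/caval pairs, and emits the [capaths] section, refusing a half-defined entry (casub without caval or vice versa) rather than writing an incomplete path. Indenting the inner lines with a tab is an assumption; krb5.conf does not require it and the rendered example above shows none.

```python
"""Generate the [capaths] section of /etc/krb5.conf from the capaths, caname,
caentries, casub and caval resources, reproducing the worked example above.

Added example, not lcfg-kerberos code. Input is the 'kerberos.resource value'
text form used on this page; indenting the inner lines with a tab is an
assumption (krb5.conf does not care).
"""
from typing import Dict, List


def parse_resources(text: str, component: str = "kerberos") -> Dict[str, str]:
    """Turn 'kerberos.name value...' lines into {name: value}."""
    prefix = component + "."
    resources: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if not name.startswith(prefix):
            raise ValueError(f"not a {component} resource: {line!r}")
        resources[name[len(prefix):]] = value.strip()
    return resources


def capaths_section(resources: Dict[str, str]) -> str:
    """Walk capaths -> caentries_key -> casub/caval_key_subkey and emit the section.

    An entry with a casub but no caval (or vice versa) is refused rather than
    emitted incomplete: a half-written capath would route cross-realm
    authentication through a path nobody reviewed.
    """
    lines: List[str] = ["[capaths]"]
    for key in resources.get("capaths", "").split():
        realm = resources.get(f"caname_{key}")
        if not realm:
            raise ValueError(f"caname_{key} is not set")
        lines.append(f"{realm} = {{")
        for sub in resources.get(f"caentries_{key}", "").split():
            tag = resources.get(f"casub_{key}_{sub}")
            val = resources.get(f"caval_{key}_{sub}")
            if not tag or not val:
                raise ValueError(
                    f"capath {key}/{sub} incomplete: need both casub_{key}_{sub} and caval_{key}_{sub}")
            lines.append(f"\t{tag} = {val}")
        lines.append("}")
    return "\n".join(lines) + "\n"


# The resources from the example above, in the form the page writes them.
SAMPLE_RESOURCES = """\
kerberos.capaths inf ed
kerberos.caname_inf INF.ED.AC.UK
kerberos.caentries_inf ed
kerberos.casub_inf_ed ED.AC.UK
kerberos.caval_inf_ed EASE.ED.AC.UK
kerberos.caname_ed ED.AC.UK
kerberos.caentries_ed inf
kerberos.casub_ed_inf INF.ED.AC.UK
kerberos.caval_ed_inf EASE.ED.AC.UK
"""

if __name__ == "__main__":
    print(capaths_section(parse_resources(SAMPLE_RESOURCES)), end="")
```

Fed the nine resource lines from the example, the output is the two-realm [capaths] block shown above; dropping kerberos.caval_ed_inf makes it raise instead of emitting an ED.AC.UK block with a dangling INF.ED.AC.UK tag.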
The kerberos object publishes and subscribes to two sets of spanning maps. The first distributes the list of localusers to the KDCs, and the second distributes the list of service keys contained in the keys resource.
exportcluster
Name of the spanning map for a client to publish the localusers list to.
importcluster
Name of the spanning map for a server to retrieve the set of localusers from.
exportkeysmap
Name of the spanning map for a client to publish its list of service keys to.
importkeysmap
Name of the spanning map which a server should retrieve the list of all of its clients service keys from.
Platforms: Fedora3, Fedora5
See also: kdb5_util, kadmin.local, kprop, pwdclient, kdcpwdserver
Author: DICE Infrastructure Unit <inf-unit@inf.ed.ac.uk>