Kerberos for hp OpenVMS

Author: Mariah Hunt
Kerberos for hp OpenVMS T2.0 Field Test Kit - Installation Guide and Release Notes

 

Updated: February 7, 2003

Contents:

   •  prerequisites
   •  documentation
   •  downloading the kit
   •  expanding the kit
   •  installing and configuring Kerberos on hp OpenVMS 7.2-2 and 7.3
   •  installing and configuring Kerberos on hp OpenVMS 7.3-1
   •  release notes

The Kerberos T2.0 for hp OpenVMS field test kit is based on MIT Kerberos V5 Release 1.2.6. The T2.0 kit runs on OpenVMS Alpha Version 7.2-2 and higher.

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.

Kerberos was created by the Massachusetts Institute of Technology as a solution for network security. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity.

Kerberos is freely available from MIT under a copyright permission notice. Kerberos for hp OpenVMS is supplied by Hewlett-Packard Corporation under the terms of the license from the Massachusetts Institute of Technology. For more information on the Kerberos license, see http://web.mit.edu/kerberos/www/.

Prerequisites

Operating System
   hp OpenVMS Alpha Version 7.2-2 or higher

TCP/IP Transport
   hp TCP/IP Services for hp OpenVMS Version 5.3 or higher

Note: If you are running a third-party TCP/IP network product such as MultiNet or TCPware from Process Software Corporation, contact your provider regarding running Kerberos T2.0 with their TCP/IP network product.

Documentation

See the Kerberos for hp OpenVMS Documentation page for links to Kerberos documentation from HP and MIT.

General information about Kerberos is available at http://web.mit.edu/kerberos/www/.

Downloading the Kit

The Kerberos for hp OpenVMS kit is available for the Alpha platform as a compressed self-extracting file.

If you are running OpenVMS Version 7.3-1, Kerberos V1.0 is included in your operating system distribution media. Because of Kerberos security vulnerabilities announced by MIT, you should download and install Kerberos T2.0 at your earliest opportunity. Kerberos T2.0 will be included in the OpenVMS V7.3-2 operating system distribution media.

Please fill out and submit the Kerberos for hp OpenVMS registration form to download the kit.

Expanding the Kit

After you download the Kerberos for hp OpenVMS kit, expand the self-extracting file by entering the following command:

    $ RUN HP-AXPVMS-KERBEROS-T0200--1.PCSI-DCX_AXPEXE

At the "Decompress into (file specification):" prompt, press Return. The system expands the file and names the decompressed file HP-AXPVMS-KERBEROS-T0200--1.PCSI. Do not rename this file: the PCSI utility identifies the producer, product and version of a kit from its file name.

Installing and Configuring Kerberos on hp OpenVMS Version 7.2-2 and 7.3

If you are installing Kerberos T2.0 on hp OpenVMS Version 7.3-1, see Installing and Configuring Kerberos on hp OpenVMS Version 7.3-1 instead.

On hp OpenVMS Version 7.2-2 and 7.3:

1.  Shut down Kerberos Version 1.0, if it was previously installed, by executing SYS$STARTUP:KRB$SHUTDOWN.COM.
2.  Remove Kerberos Version 1.0, if it was previously installed, by entering the PRODUCT REMOVE KERBEROS command. (Answer "No" when asked whether to remove the Kerberos data and directories if you want to preserve your Kerberos V1 configuration.)
3.  Install the Kerberos T2.0 kit by entering PRODUCT INSTALL KERBEROS.
4.  Add @SYS$STARTUP:KRB$SYMBOLS to SYS$MANAGER:SYLOGIN.COM, if Kerberos Version 1.0 was not previously installed and configured.
5.  Execute KRB$CONFIGURE.COM, if Kerberos Version 1.0 was not previously installed and configured.
6.  Start Kerberos by executing SYS$STARTUP:KRB$STARTUP.COM.

Example of Installation Log on hp OpenVMS Version 7.2-2

    Username: system
    Password:

    Last interactive login on Tuesday, February 4, 2003 11:12 AM
    Last non-interactive login on Wednesday, February 5, 2003 02:30 PM

    $ @SYS$STARTUP:KRB$SHUTDOWN
    $ PRODUCT REMOVE KERBEROS
    The following product has been selected:
        CPQ ALPVMS KERBEROS V1.0               Layered Product

    Do you want to continue? [YES]
    The following product will be removed from destination:
        CPQ ALPVMS KERBEROS V1.0               DISK$TUTU_SYS:[VMS$COMMON.]
    Portion done: 0%...10%
    Remove OpenVMS Kerberos 5 V1.0 data & directories ? [ Y ]: n
    ...30%...40%...50%...60%...70%...80%...90%...100%
    The following product has been removed:
        CPQ ALPVMS KERBEROS V1.0               Layered Product

The next step is to install the new Kerberos T2.0 kit:

    $ PRODUCT INSTALL KERBEROS
    The following product has been selected:
        HP AXPVMS KERBEROS T2.0                Layered Product

    Do you want to continue? [YES]

    Configuration phase starting ...

    You will be asked to choose options, if any, for each selected product and for
    any products that may be installed to satisfy software dependency requirements.

    HP AXPVMS KERBEROS T2.0

    Do you want the defaults for all options? [YES]
    Do you want to review the options? [NO]

    Execution phase starting ...

    The following product will be installed to destination:
        HP AXPVMS KERBEROS T2.0                DISK$TUTU_SYS:[VMS$COMMON.]

    Portion done: 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

    The following product has been installed:
        HP AXPVMS KERBEROS T2.0                Layered Product

    HP AXPVMS KERBEROS T2.0

        Configure the OpenVMS Kerberos clients & servers

        Please take the time to run the following command after the installation:

            @SYS$STARTUP:KRB$CONFIGURE.COM

        The Kerberos 5 T2.0 documentation has been provided as it was received
        from MIT. This documentation may differ slightly from the OpenVMS Kerberos
        implementation as it describes the Kerberos implementation in a Unix
        environment. The documents are:

            KRB$ROOT:[DOC]IMPLEMENT.PDF
            KRB$ROOT:[DOC]LIBRARY.PDF
            KRB$ROOT:[DOC]ADMIN-GUIDE.PS
            KRB$ROOT:[DOC]INSTALL-GUIDE.PS
            KRB$ROOT:[DOC]KRB425-GUIDE.PS
            KRB$ROOT:[DOC]USER-GUIDE.PS

    $ LOGOUT
      SYSTEM       logged out at February 6, 2002 11:15 AM

Example of Configuration Log on hp OpenVMS Version 7.2-2

You need only configure Kerberos T2.0 if Kerberos Version 1.0 was not previously installed and configured.

    $ @SYS$STARTUP:KRB$SYMBOLS
    $ @SYS$STARTUP:KRB$CONFIGURE

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: 1

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ zko.dec.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.DEC.COM ]:

    Press Return to continue ...

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: 3

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ zko.dec.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.DEC.COM ]:

    The type of roles the KDC can perform are:
        NO_KDC      -- where the KDC will not be run
        SINGLE_KDC  -- where the KDC is the only one in the realm
        MASTER_KDC  -- where the KDC is the master of 1 or more other KDCs
        SLAVE_KDC   -- where the KDC is slave to another KDC

    What will be the KDC's role on this node [ SINGLE_KDC ]:
    Create the OpenVMS Kerberos 5 database [ Y ]:

    Creating OpenVMS Kerberos 5 database ...
    Initializing database 'krb$root:[krb5kdc]principal' for realm 'SYSTEM.DEC.COM',
    master key name 'K/M@SYSTEM.DEC.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    Priority: info
    No dictionary file specified, continuing without one.

    Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:
    Authenticating as principal KRBTSTADM/admin@SYSTEM.DEC.COM with password.
    Enter password for principal "SYSTEM/admin@SYSTEM.DEC.COM":
    Re-enter password for principal "SYSTEM/admin@SYSTEM.DEC.COM":
    Principal "SYSTEM/admin@SYSTEM.DEC.COM" created.
    Priority: info
    No dictionary file specified, continuing without one.
    WARNING: no policy specified for SYSTEM/admin@SYSTEM.DEC.COM; defaulting to no policy

    Create OpenVMS Kerberos 5 principals [ Y ]: n

    Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    Press Return to continue ...

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: 6

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000429
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 0000042A

    Press Return to continue ...

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: E

The "No dictionary file specified" and "no policy specified" messages mean that the administrator principal was created with no password policy and no password dictionary; kadmin accepts any password for it until a policy is assigned.

Example of Kerberos Startup on hp OpenVMS Version 7.2-2

    $ @SYS$STARTUP:KRB$STARTUP
    %KRB-I-UPDATE2DO, Kerberos V2.0 will complete its post-installation procedure.

    ============================================================================
    KRB$V2_UPDATE is migrating your Kerberos V1.0 configuration to V2.0.
    ============================================================================
    %% Delete sys$common:[sysexe]krb5kdc.dir;,etc.dir;,bin.dir;,log.dir;,tmp.dir;,doc.dir;
    %% and their sub-directories when your Kerberos configuration is complete.

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000425
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 00000426
    $

Installing and Configuring Kerberos on hp OpenVMS Version 7.3-1

If you are installing Kerberos T2.0 on hp OpenVMS Version 7.2-2 or 7.3, see Installing and Configuring Kerberos on hp OpenVMS Version 7.2-2 and 7.3 instead.

On hp OpenVMS Version 7.3-1:

1.  Shut down Kerberos Version 1.0 by executing SYS$STARTUP:KRB$SHUTDOWN.COM. (Kerberos Version 1.0 was installed by default when you installed hp OpenVMS Version 7.3-1.)
2.  Create a directory to temporarily hold the upgrade command procedure and kit contents.
3.  Set default to the temporary directory.
4.  Extract the upgrade command file OVERLAY_KRB5KIT.COM by entering PRODUCT EXTRACT FILE KERBEROS /SELECT=OVERLAY_KRB5KIT.COM. (Add /SOURCE and /DESTINATION, as in the example log, if the kit is not in your default directory.)
5.  Install the Kerberos T2.0 kit by executing OVERLAY_KRB5KIT.COM.
6.  Execute KRB$CONFIGURE.COM, if Kerberos Version 1.0 was not previously configured.
7.  Start Kerberos by executing SYS$STARTUP:KRB$STARTUP.COM.

Example of Installation Log on hp OpenVMS Version 7.3-1

    Username: system
    Password:
    Last interactive login on Tuesday, February 4, 2003 11:32 AM
    Last non-interactive login on Wednesday, February 5, 2003 03:45 PM

    $ @SYS$STARTUP:KRB$SHUTDOWN
    $ CREATE/DIRECTORY [.OVERLAY]
    $ SET DEFAULT [.OVERLAY]
    $ PRODUCT EXTRACT FILE KERBEROS /SOURCE=DKA200:[KERBEROS.KITS.OVERLAY] -
    _$ /DESTINATION=DKA200:[KERBEROS.KITS.OVERLAY] /SELECT=OVERLAY_KRB5KIT.COM
    The following product has been selected:
        HP AXPVMS KERBEROS T2.0                Layered Product

    Do you want to continue? [YES]
    Portion done: 0%...100%
    $ @OVERLAY_KRB5KIT T2.0
    ======================================================
    Installing an overlay of HP-AXPVMS-KERBEROS-T2.0
    %DELETE-W-SEARCHFAIL, error searching for SYS$COMMON:[SYSLIB]KRB$RTL32.EXE;*
    -RMS-E-FNF, file not found
    .
    .
    .
    %CREATE-I-EXISTS, SYS$COMMON:[SYSHLP.EXAMPLES.KRB] already exists
    The following product has been selected:
        HP AXPVMS KERBEROS T2.0                Layered Product

    Portion done: 0%...100%
    OVERLAY of Kerberos V2.0 on top of VMS 7.3-1 is complete.
    $ LOGOUT
      SYSTEM       logged out at February 6, 2002 03:15 PM

The %DELETE-W-SEARCHFAIL and %CREATE-I-EXISTS messages are reported when the overlay procedure deletes a file that is not present or creates a directory that already exists; they do not indicate a failed installation.

Example of Configuration Log on hp OpenVMS Version 7.3-1

You need only configure Kerberos T2.0 if Kerberos Version 1.0 was not previously configured.

    $ @SYS$STARTUP:KRB$CONFIGURE

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: 1

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ zko.dec.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.DEC.COM ]:

    Press Return to continue ...

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: 3

    Where will the OpenVMS Kerberos 5 KDC be running [ system ]:
    What is the OpenVMS Kerberos 5 default domain [ zko.dec.com ]:
    What is the OpenVMS Kerberos 5 Realm name [ SYSTEM.DEC.COM ]:

    The type of roles the KDC can perform are:
        NO_KDC      -- where the KDC will not be run
        SINGLE_KDC  -- where the KDC is the only one in the realm
        MASTER_KDC  -- where the KDC is the master of 1 or more other KDCs
        SLAVE_KDC   -- where the KDC is slave to another KDC

    What will be the KDC's role on this node [ SINGLE_KDC ]:
    Create the OpenVMS Kerberos 5 database [ Y ]:

    Creating OpenVMS Kerberos 5 database ...
    Initializing database 'krb$root:[krb5kdc]principal' for realm 'SYSTEM.DEC.COM',
    master key name 'K/M@SYSTEM.DEC.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    Priority: info
    No dictionary file specified, continuing without one.

    Please enter a default OpenVMS Kerberos 5 administrator [ SYSTEM ]:
    Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
    Enter password for principal "SYSTEM/admin@SYSTEM.DEC.COM":
    Re-enter password for principal "SYSTEM/admin@SYSTEM.DEC.COM":
    Principal "SYSTEM/admin@SYSTEM.DEC.COM" created.
    Priority: info
    No dictionary file specified, continuing without one.
    WARNING: no policy specified for SYSTEM/admin@SYSTEM.DEC.COM; defaulting to no policy

    Create OpenVMS Kerberos 5 principals [ Y ]: n

    Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    Authenticating as principal SYSTEM/admin@SYSTEM.DEC.COM with password.
    Priority: info
    No dictionary file specified, continuing without one.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.
    KADMIN_LOCAL: Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE=KRB$ROOT:[KRB5KDC]KADM5.KEYTAB.

    Press Return to continue ...

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: 6

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000060
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 00000061

    Press Return to continue ...

        Kerberos X2.0 for OpenVMS Configuration Menu

        Configuration options:

            1  -  Setup Client configuration
            2  -  Edit Client configuration
            3  -  Setup Server configuration
            4  -  Edit Server configuration
            5  -  Shutdown Servers
            6  -  Startup Servers
            E  -  Exit configuration procedure

    Enter Option: E

Example of Kerberos Startup on hp OpenVMS Version 7.3-1

    $ @SYS$STARTUP:KRB$STARTUP
    %KRB-I-UPDATE2DO, Kerberos V2.0 will complete its post-installation procedure.

    ===============================================================================
    KRB$V2_UPDATE is migrating your Kerberos V1.0/7.3-1 configuration to V2.0.
    ===============================================================================
    %% Delete sys$common:[sysexe]kerberos_v1dir_2remove.dir;
    %% and its sub-directories when your Kerberos configuration is complete.

    Starting OpenVMS Kerberos Servers (Role: SINGLE_KDC)...
    Starting OpenVMS Kerberos server KRB$KRB5KDC ...
    %RUN-S-PROC_ID, identification of created process is 00000425
    Starting OpenVMS Kerberos server KRB$KADMIND ...
    %RUN-S-PROC_ID, identification of created process is 00000426
    $

Release Notes

•  Remove the Kerberos V1.0 layered product PCSI kit before upgrading to T2.0

   If you have installed the PCSI (layered product) kit of Kerberos Version 1.0 for hp OpenVMS Alpha, you must use the PCSI utility to remove it before you upgrade to Kerberos T2.0.

   If you are running OpenVMS Version 7.3-1, Kerberos V1.0 was installed during the OpenVMS installation procedure. Do not use the PCSI utility to remove Kerberos V1.0; the OVERLAY_KRB5KIT.COM command procedure performs the upgrade properly.

   To remove the Kerberos V1.0 PCSI kit from OpenVMS Version 7.2-2 or 7.3, enter the PCSI command PRODUCT REMOVE KERBEROS. During the removal you are asked whether you want to remove the data and directories. (Data refers to the configuration data files along with the principal database, if one was created.) If you want to keep this information for later use, answer "No". The principal database and its master-key stash file contain the keys of every principal in the realm, so keep the preserved directories as tightly protected as they were before the removal.

   After the upgrade, the new Kerberos directories are located under SYS$COMMON: in KERBEROS.DIR. New Kerberos data is either created during configuration or copied from the old Kerberos directories. If you removed a previously installed Kerberos PCSI kit and kept the data and directories, the data is copied into the new directories automatically when Kerberos starts for the first time.

   To save the old log files as well, enter the following:

       $ RENAME/LOG SYS$COMMON:[SYSEXE.LOG]*.* KRB$ROOT:[LOG]*.*;

•  Kerberized telnet does not work with Kerberos T2.0

   Because of changes in certain data structures used by Kerberized telnet, the telnet in hp TCP/IP Services Version 5.3 for hp OpenVMS does not work with Kerberos T2.0. This will be corrected in a patch kit that will be made available from the Kerberos for hp OpenVMS website as soon as possible. It will also be corrected in a future release of hp TCP/IP Services for hp OpenVMS.

•  Kerberos T2.0 cannot be installed using the PCSI utility on hp OpenVMS V7.3-1

   Because Kerberos was integrated into the operating system for OpenVMS V7.3-1, copies of the Kerberos files already exist on that version of OpenVMS but are not owned by the Kerberos product, so the PCSI utility cannot replace them. (Kerberos is being removed as an integrated component in OpenVMS V7.3-2; although it will remain a required component of OpenVMS, it will be installed as a layered product.) For OpenVMS V7.3-1, a special command file, OVERLAY_KRB5KIT.COM, is provided with Kerberos T2.0 to extract the PCSI kit contents and move them to the appropriate locations.

•  Building a Kerberos application

   When you build a Kerberos application, you must compile your C application with the /POINTER_SIZE=LONG option, because Kerberos on OpenVMS expects 64-bit pointers.

   The example programs in SYS$COMMON:[SYSHLP.EXAMPLES.KRB] show you how to build a Kerberos application on OpenVMS. Support for both 64- and 32-bit pointers will be included in the next release of Kerberos for OpenVMS.

   To build an application using 32-bit pointers, omit /POINTER_SIZE=LONG from your compile command and link against KRB$RTL32.EXE and GSS$RTL32.EXE instead of KRB$RTL.EXE and GSS$RTL.EXE.

•  Kerberos is not cluster-aware

   Kerberos for hp OpenVMS is not cluster-aware. Kerberos tickets are encoded with the originating node as a security feature. A ticket-granting ticket (TGT) obtained from one node in a cluster is valid only on the node from which the request was made; further requests for tickets must originate from the same node where the TGT request originated.

   Although the ticket cache is visible from other nodes in the cluster, the Kerberos KDC does not allow nodes other than the node encoded in the ticket to use the TGT. In practice, obtain a TGT separately on each cluster node on which you need Kerberos credentials.
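The ticket flow the introduction describes (AS, TGS and AP exchanges, mutual authentication) and the node binding in the note above, as an added example in Python. This is not HP, MIT or OpenVMS code: the message layouts are simplified, the enctype is a stand-in built from HMAC-SHA256, and the realm name SYSTEM.DEC.COM is the one from the configuration logs while the node names node31/node32, the principal host/node32, the password and the lifetime and skew constants are constructed for the example.

```python
"""Toy Kerberos 5 AS/TGS/AP exchanges with node-bound tickets (added example, not HP/MIT code)."""
import hashlib, hmac, json, os, time

LIFETIME, CLOCK_SKEW = 600, 300     # ticket lifetime / max authenticator age in seconds (assumed)


def string2key(password, salt):      # toy string-to-key, salted with the principal name
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)


def _keystream(key, nonce, n):       # HMAC-SHA256 in counter mode: a stand-in for a real enctype
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key, obj):                  # encrypt-then-MAC a JSON object: nonce || ciphertext || tag
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):               # tag check first; wrong key or tampering raises ValueError
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def authenticator(cname, skey, now): # proves possession of the session key, freshly
    return seal(skey, {"cname": cname, "ts": now})


class KDC:                           # SINGLE_KDC for one realm: every principal's key plus the TGS key
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, dict(keys)
        self.keys["krbtgt/" + realm] = os.urandom(32)

    def _issue(self, sname, cname, caddr, now):
        skey = os.urandom(32).hex()
        tkt = {"cname": cname, "caddr": caddr, "skey": skey, "exp": now + LIFETIME}
        return seal(self.keys[sname], tkt), skey

    def as_exchange(self, cname, caddr, now):
        """AS-REQ -> AS-REP: TGT under the TGS key, session key under the client's key."""
        tgt, skey = self._issue("krbtgt/" + self.realm, cname, caddr, now)
        return tgt, seal(self.keys[cname], {"skey": skey})

    def tgs_exchange(self, tgt, auth, sname, caddr, now):
        """TGS-REQ -> TGS-REP: TGT unexpired, bound to the requesting node, fresh authenticator."""
        t = unseal(self.keys["krbtgt/" + self.realm], tgt)
        if t["exp"] < now:
            raise PermissionError("TGT expired")
        if t["caddr"] != caddr:      # the cluster restriction from the release note
            raise PermissionError("TGT issued to %s, request from %s" % (t["caddr"], caddr))
        skey = bytes.fromhex(t["skey"])
        a = unseal(skey, auth)
        if a["cname"] != t["cname"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        tkt, svc_key = self._issue(sname, t["cname"], caddr, now)
        return tkt, seal(skey, {"sname": sname, "skey": svc_key})


class Service:                       # Kerberized server: its keytab key plus a replay cache
    def __init__(self, key):
        self.key, self.seen = key, set()

    def ap_exchange(self, tkt, auth, now):
        """AP-REQ -> AP-REP: returns the client name and the mutual-authentication reply."""
        t = unseal(self.key, tkt)
        skey = bytes.fromhex(t["skey"])
        a = unseal(skey, auth)
        if t["exp"] < now or a["cname"] != t["cname"] or abs(a["ts"] - now) > CLOCK_SKEW:
            raise PermissionError("ticket or authenticator not acceptable")
        if (a["cname"], a["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["cname"], a["ts"]))
        return t["cname"], seal(skey, {"ts": a["ts"]})


def demo():
    """kinit on node31 and talk to host/node32; then try the TGT from node32 and a replay."""
    realm, now = "SYSTEM.DEC.COM", int(time.time())
    user_key = string2key("s3cret", "SYSTEM@" + realm)          # constructed password
    host_key = os.urandom(32)                                     # what the service keytab holds
    kdc, host = KDC(realm, {"SYSTEM": user_key, "host/node32": host_key}), Service(host_key)

    tgt, enc = kdc.as_exchange("SYSTEM", "node31", now)
    tgt_skey = bytes.fromhex(unseal(user_key, enc)["skey"])      # wrong password -> ValueError
    tkt, enc = kdc.tgs_exchange(tgt, authenticator("SYSTEM", tgt_skey, now), "host/node32", "node31", now)
    svc_skey = bytes.fromhex(unseal(tgt_skey, enc)["skey"])
    ap_req = authenticator("SYSTEM", svc_skey, now)
    cname, ap_rep = host.ap_exchange(tkt, ap_req, now)
    results = {"cname": cname, "mutual_auth": unseal(svc_skey, ap_rep)["ts"] == now}
    try:   # the ticket cache is visible from node32, but the TGT is bound to node31
        kdc.tgs_exchange(tgt, authenticator("SYSTEM", tgt_skey, now), "host/node32", "node32", now)
        results["other_node"] = "accepted"
    except PermissionError as e:
        results["other_node"] = str(e)
    try:   # a captured AP-REQ replayed against the same service
        host.ap_exchange(tkt, ap_req, now)
        results["replay"] = "accepted"
    except PermissionError as e:
        results["replay"] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the file prints the outcome of the four checks. The TGT carries the address it was issued to, so the KDC's TGS exchange refuses it from node32 even though node32 can read the cache, which is the behaviour the note describes; the AP-REP proves the service holds the key from its keytab, and the replay cache rejects a second copy of the same authenticator.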

•  Kerberos and lowercase user names

   When Kerberos obtains a user name from the system's user authorization file (UAF), by default it does not modify the case of the user name. OpenVMS user names are in uppercase.

   To accommodate the use of lowercase user names (UNIX user names are usually lowercase), you can define the logical name KRB$LOWERCASE_UAF_USERNAME. This logical name causes a user name retrieved from the UAF file to be converted to lowercase. If you do not define this logical name, the case of the user name remains unchanged.

•  Kerberos command lines entered are changed to uppercase

   When you enter commands at the Kerberos> prompt, everything you type is changed to uppercase unless it is enclosed in quotation marks. Enclose in quotation marks any portion of the command that must keep its lowercase letters, such as principal names and passwords given on the command line. This does not apply to passwords entered at a password prompt.

   In the following example, foobar was changed to uppercase because it was not enclosed in quotation marks, so the commands operate on FOOBAR@REALM; because Kerberos principal names are case-sensitive, that is a different principal from foobar@REALM.

       Kerberos> modify password foobar /password="passfoobar"
       Password for "FOOBAR@REALM" changed.
       Kerberos> modify password foobar
       Enter password for principal "FOOBAR": foobarpass
       Re-enter password for principal "FOOBAR": foobarpass
       change_password: password for "FOOBAR@REALM" changed.
       Kerberos> exit
       $

•  Kerberos KDC Propagation Daemon fails on slave KDC systems on OpenVMS

   The Kerberos KDC Propagation Daemon on OpenVMS unexpectedly fails on slave KDC systems, so scheduled KDC propagation does not update the slave's KDC database.

   Workaround: Set up the propagation daemon as a TCP/IP service. As a TCP/IP service, the daemon runs only when the master sends an update request to the slave KDC system; it executes and then exits. To set up the service, enter the following commands manually, or save them in a .COM file and execute it. You need to run this setup only once. (Port 754 is the registered port for Kerberos database propagation.)

       $!
       $! Sets up the Kerberos 5 propagation daemon as a TCP/IP service
       $!
       $ TCPIP SET SERVICE KRB5_PROP /FILE=KRB$ROOT:[BIN]KRB$KPROPD.COM -
              /PORT=754 /USER=SYSTEM /PROCESS_NAME=KRB$KPROP -
              /LOG_OPTIONS=(FILE=SYS$MANAGER:KRB$KPROP.LOG,ALL)
       $!
       $ TCPIP ENABLE SERVICE KRB5_PROP
       $!
       $ TCPIP SHOW SERVICE/FULL KRB5_PROP
       $!
       $ EXIT

•  Problem obtaining a ticket-granting ticket

   A problem exists where you cannot obtain a ticket-granting ticket from a Tru64 UNIX (Digital UNIX V4.0F (Rev. 1229)) system running an MIT Kerberos 5 1.1.x KDC. If this problem occurs, you receive the following error:

       KINIT: Cannot contact any KDC for requested realm while getting initial credentials

   The KDC appears to be active and running on the Tru64 system.

   Analysis: This is not a problem with the Kerberos client on OpenVMS; it appears on any system that attempts to use this particular KDC. If the KDC on the Tru64 UNIX system is installed so that it starts at system boot time through entries in inittab (as outlined in the Kerberos Installation Guide), this problem results. At system startup, the KDC loops, appearing as though it is active and ready to service requests. The reason for this behavior is unknown.

   Workaround: Start the KDC manually. First, if the KDC process is running and is looping, kill the process. Then issue the command /usr/local/sbin/krb5kdc from a terminal window or command-line prompt to start the KDC by hand. The KDC then starts properly and begins servicing requests.

•  UNIX to OpenVMS file naming differences

   The Kerberos documentation is written for a UNIX audience. When reading the Kerberos documentation, note the following differences between UNIX and OpenVMS:

   o  File specification format

      The following example shows the difference in the file specification of a lock file. The UNIX file specification /usr/local/var/krb5kdc/principal.kadm5.lock is equivalent to KRB$ROOT:[KRB5KDC]PRINCIPAL_KADM5_LOCK.;1 on OpenVMS.

   o  Configuration file format

      The following examples show the differences in format of two configuration files, krb5.conf and kdc.conf. The section and relation syntax is the same on both systems; only the file specifications (including those in the [logging] section, which use FILE: on UNIX and FILE= on OpenVMS) differ.

      The krb5.conf file on a UNIX system is as follows:

          [libdefaults]
              ticket_lifetime = 600
              default_realm = ATHENA.MIT.EDU
              default_tkt_enctypes = des-cbc-crc
              default_tgs_enctypes = des-cbc-crc

          [realms]
              ATHENA.MIT.EDU = {
                  kdc = kerberos.mit.edu:88
                  kdc = kerberos-1.mit.edu:88
                  kdc = kerberos-2.mit.edu:88
                  admin_server = kerberos.mit.edu:749
                  default_domain = mit.edu
              }

          [domain_realm]
              .mit.edu = ATHENA.MIT.EDU
              mit.edu = ATHENA.MIT.EDU

          [logging]
              kdc = FILE:/var/log/krb5kdc.log
              admin_server = FILE:/var/log/kadmin.log
              default = FILE:/var/log/krb5lib.log

      The krb5.conf file on an OpenVMS system is as follows:

          [libdefaults]
              default_realm = NODE32.DEC.COM
              default_tgs_enctypes = des-cbc-crc
              default_tkt_enctypes = des-cbc-crc

          [realms]
              NODE32.DEC.COM = {
                  kdc = node32.zko.dec.com:88
                  admin_server = node32.zko.dec.com:749
                  default_domain = zko.dec.com
              }

          [domain_realm]
              .zko.dec.com = NODE32.DEC.COM
              zko.dec.com = NODE32.DEC.COM

          [logging]
              kdc = FILE=krb$root:[log]krb$krb5kdc.log
              admin_server = FILE=krb$root:[log]krb$kadmind.log
              default = FILE=krb$root:[log]krb5lib.log

      The kdc.conf file on a UNIX system is as follows:

          [kdcdefaults]
              kdc_ports = 88,750

          [realms]
              ATHENA.MIT.EDU = {
                  database_name = /usr/local/var/krb5kdc/principal
                  admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
                  acl_file = /usr/local/var/krb5kdc/kadm5.acl
                  dict_file = /usr/local/var/krb5kdc/kadm5.dict
                  key_stash_file = /usr/local/var/krb5kdc/.k5.ATHENA.MIT.EDU
                  kadmind_port = 749
                  max_life = 10h 0m 0s
                  max_renewable_life = 7d 0h 0m 0s
                  master_key_type = des-cbc-crc
                  supported_enctypes = des-cbc-crc:normal
              }

      The kdc.conf file on an OpenVMS system is as follows:

          [kdcdefaults]
              kdc_ports = 750,88
              clockskew = 5000

          [realms]
              NODE32.DEC.COM = {
                  database_name = krb$root:[krb5kdc]principal
                  admin_keytab = krb$root:[krb5kdc]kadm5.keytab
                  acl_file = krb$root:[krb5kdc]kadm5.acl
                  key_stash_file = krb$root:[krb5kdc]_k5_NODE32_DEC_COM
                  kdc_ports = 750,88
                  max_life = 10h 0m 0s
                  max_renewable_life = 7d 0h 0m 0s
                  master_key_type = des-cbc-crc
                  supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
              }

      Two points about these examples deserve attention. The OpenVMS kdc.conf has no dict_file relation, which is why the configuration logs report "No dictionary file specified"; add one if you want kadmin to reject dictionary words as passwords. And des-cbc-crc and the des:* entries are all single (56-bit) DES; the kit also supports Triple DES with HMAC/SHA-1 (des3-cbc-sha1), as the kadmin/admin keytab entries in the configuration logs show, so prefer that enctype in default_tkt_enctypes, default_tgs_enctypes and supported_enctypes where every client can use it.
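Added example (Python; not HP or MIT code): a parser for the profile format that krb5.conf and kdc.conf share, accepting both the UNIX and the OpenVMS spellings shown above, followed by two checks a practitioner would run on such files: which enctype settings are single DES, and where each [logging] relation points. The embedded configuration texts are constructed, abridged copies of the examples in this note; the single-DES name list is the set of DES aliases accepted by MIT Kerberos 1.2.

```python
"""Parse krb5.conf / kdc.conf profiles in both UNIX and OpenVMS spelling and audit them.
Added example, not HP or MIT code."""
import re

# Single-DES (56-bit) enctype names and aliases in MIT Kerberos 1.2.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_profile(text: str) -> dict:
    """Return {section: {key: [values] or {nested relation}}}; repeated keys keep every value."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment line
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                       # new top-level section
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}":                             # close a relation block
            stack.pop()
            continue
        key, _, value = line.partition("=")         # first '=' only: VMS values contain '='
        key, value = key.strip(), value.strip()
        if value == "{":                            # open a relation block (e.g. a realm)
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return root


def enctype_settings(profile: dict):
    """Yield (location, enctype) for every enctype the profile configures."""
    for key, values in profile.get("libdefaults", {}).items():
        if key.endswith("enctypes") and isinstance(values, list):
            for v in values:
                for enc in v.split():
                    yield "libdefaults/" + key, enc
    for realm, rel in profile.get("realms", {}).items():
        for key in ("supported_enctypes", "master_key_type"):
            for v in rel.get(key, []):
                for enc in v.split():               # entries look like 'des-cbc-crc:normal'
                    yield "realms/%s/%s" % (realm, key), enc.split(":")[0]


def weak_enctypes(profile: dict) -> list:
    """Every single-DES enctype setting in the profile, with where it was set."""
    return [(where, enc) for where, enc in enctype_settings(profile) if enc in SINGLE_DES]


def log_targets(profile: dict) -> dict:
    """Map each [logging] relation to (kind, path); accepts 'FILE:/path' and 'FILE=dev:[dir]file'."""
    out = {}
    for name, values in profile.get("logging", {}).items():
        m = re.fullmatch(r"(\w+)[:=](.*)", values[0])
        out[name] = (m.group(1), m.group(2)) if m else ("?", values[0])
    return out


# Constructed, abridged copies of the examples in this release note.
UNIX_KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        admin_server = kerberos.mit.edu:749
    }
[logging]
    kdc = FILE:/var/log/krb5kdc.log
"""
VMS_KRB5_CONF = """
[libdefaults]
    default_realm = NODE32.DEC.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
[logging]
    kdc = FILE=krb$root:[log]krb$krb5kdc.log
"""
VMS_KDC_CONF = """
[realms]
    NODE32.DEC.COM = {
        database_name = krb$root:[krb5kdc]principal
        key_stash_file = krb$root:[krb5kdc]_k5_NODE32_DEC_COM
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    }
"""

if __name__ == "__main__":
    for name, text in (("UNIX krb5.conf", UNIX_KRB5_CONF), ("VMS krb5.conf", VMS_KRB5_CONF),
                       ("VMS kdc.conf", VMS_KDC_CONF)):
        p = parse_profile(text)
        print(name, "| single-DES:", weak_enctypes(p), "| logs:", log_targets(p))
```

Because the parser splits each relation at the first "=", the OpenVMS FILE=krb$root:[log]... values survive intact and map to the same (kind, path) structure as the UNIX FILE:/var/log/... values; a profile whose only enctype is des3-cbc-sha1 yields an empty weak list.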