Configuration Guide for Kerberos Client Products on HP-UX HP-UX 11.0, 11i v1, 11i v1.6 and 11i v2 Manufacturing Part Number: T1417-90006 August 2003 U.S.A. © Copyright 2003 Hewlett-Packard Development Company L.P. All rights reserved.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
©copyright 1989-1991 The University of Maryland ©copyright 1988 Carnegie Mellon University ©copyright 1991-2000 Mentat Inc. ©copyright 1996 Morning Star Technologies, Inc. ©copyright 1996 Progressive Systems, Inc. ©copyright 1991-2000 Isogon Corporation, All Rights Reserved. Trademark Notices UNIX is a registered trademark of The Open Group. X Window System is a trademark of the Massachusetts Institute of Technology. MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation.
Contents
1. Overview
   Kerberos Overview 19
   Kerberos Products and GSS-API on HP-UX 23
2. Introduction to the Kerberos Products and GSS-API
   PAM Kerberos
   The PAM Framework
   The /etc/gss/qop File
   The gsscred.conf File
   Server Configuration Procedures
   Configuring KDC - Kerberos Server version 2.0 on HP-UX 11i

Tables
   Table 1. HP-UX 11i Releases
   Table 2. Publishing History Details
   Table 2-1. PAM Kerberos Library libpam_krb5
   Table 2-2. On HP-UX 11.0 and 11i
   Table 2-3. On HP-UX 11i v1 and 11i v2
Figures
   Figure 1-1. Kerberos V5 Protocol
   Figure 2-1. HP-UX authentication modules under PAM
   Figure 2-2. PAM Kerberos calls libkrb5.sl through PAM
   Figure 2-3. SIS uses Kerberos Client Library Directly
   Figure 2-4. GSS-API Library
About This Document This manual describes how to configure a Kerberos environment on HP-UX servers and workstations running on HP-UX 11.0, HP-UX 11i, HP-UX 11i v1 and HP-UX 11i v2. HP-UX Kerberos products include PAM Kerberos, KRB5 client software, Generic Security Services Application Programming Interface (GSS-API), and HP’s Kerberos Server Version 2.0. Intended Audience HP intends this manual for system managers or administrators responsible for configuring the Kerberos related products on HP-UX.
Publishing History
Table 2 lists, for each edition of this document, the manufacturing part number, the operating systems supported, and the publication date.

Table 2 Publishing History Details
Document Manufacturing Part Number   Operating Systems Supported   Publication Date
J5849-90003                          HP-UX 11.X                    December 2000
J5849-90007                          HP-UX 11.X                    September 2001
T1417-90005                          HP-UX 11.X                    June 2002
T1417-90006                          HP-UX 11.
Appendix A Sample pam.conf File – Use this appendix to learn how to configure your pam.conf file.
Appendix B Sample krb5.conf File – Use this appendix to learn how to configure your krb5.conf file.
Appendix C Sample krb.conf File – Use this appendix to learn how to configure your krb.conf file.
Appendix D Sample krb.realms File – Use this appendix to learn how to configure your krb.realms file.
• HP-UX IT Resource Center: — http://us-support.external.hp.com (US and Asia Pacific) — http://europe-support.external.hp.com (Europe) • The Internet Engineering Task Force RFC Pages — http://www.ietf.org/rfc.
Command    A command name or qualified command phrase.
Variable   The name of a variable that you may replace in a command or function, or information in a display that represents several possible values.
[ ]        The contents are optional in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
{ }        The contents are required in formats and command descriptions. If the contents are a list separated by |, you must choose one of the items.
...
1 Overview This chapter provides an overview of Kerberos and the available Kerberos products on HP-UX.
It contains the following sections:
• "Kerberos Overview" on page 19
• "Kerberos Products and GSS-API on HP-UX" on page 23
Kerberos Overview

Kerberos is a mature network authentication protocol based on the IETF RFC 1510 specification. It is designed to provide strong authentication for client/server applications using shared secret-key cryptography. The basic currency of Kerberos is the ticket, which a user presents in order to use a specific service. Each service, be it a login service or an FTP service, requires its own service ticket.

and services. Kerberos allows entities to authenticate themselves over the network without transmitting their passwords in clear text.

Figure 1-1 Kerberos V5 Protocol

Given below is a step-wise procedure of how a client and server authenticate each other using Kerberos. The step numbers match the numbered arrows in Figure 1-1.

Step 1. The user begins to use a Kerberized application by entering the user name and password.

• T indicates the Time Stamp and
• N indicates the Nonce

Step 2. The Authentication Service (AS) is a component of the Key Distribution Center (KDC). It looks up the client's secret key (derived from the password) and uses it to encrypt the reply that it sends to the user along with the TGT. These are referred to as credentials. The credentials consist of a ticket, called the ticket granting ticket (TGT), and a randomly generated temporary encryption key, often called the session key. Only a client that knows the password can decrypt the reply and recover the session key; the password itself never crosses the network.

The secure application validates the service ticket using the server's service key present in the keytab file. Using this service key, the server decrypts the ticket and recovers the session key, then uses the session key to decrypt the authenticator and verify the identity of the user. It also verifies that the service ticket granted to the user has not expired and that the authenticator's time stamp is recent. If the user does not have a valid service ticket, the server returns an appropriate error code to the client.

Step 7. This is an optional step.
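The exchange in Steps 1 through 7 above, worked through in code. This is an added illustration, not part of this manual and not HP's software: the "encryption" is a toy HMAC keystream-plus-tag construction built from hashlib, the realm EXAMPLE.COM, the principals alice and host/hostb.example.com and all keys are invented, and a real KDC speaks ASN.1 using the enctypes configured in krb5.conf. The point it makes is who can decrypt what: the AS reply opens only with the key derived from the user's password, the TGT only with the krbtgt key, the service ticket only with the key in the server's keytab, and the authenticator only with the session key carried inside the ticket. The server-side check also enforces ticket expiry and a two-minute clock-skew window.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (added example, not HP code).
Names, keys and the cipher are invented stand-ins; see the lead-in above."""
import hashlib, hmac, json, os, time

SKEW = 120           # seconds of clock skew the server tolerates (the manual's "two minutes")
LIFETIME = 8 * 3600  # ticket lifetime in seconds (assumed value)

def string_to_key(password, principal):
    # stand-in for the Kerberos string-to-key function; the principal name acts as salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)

def _keystream(key, iv, n):
    ks = b""
    while len(ks) < n:
        ks += hmac.new(key, iv + len(ks).to_bytes(4, "big"), "sha256").digest()
    return ks[:n]

def encrypt(key, obj):
    # toy authenticated encryption: XOR with an HMAC keystream, then an HMAC tag over iv||ct
    pt, iv = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def decrypt(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

def check_authenticator(ticket, auth, now):
    """What any Kerberized server does with a ticket it has already opened: the
    ticket is unexpired, the authenticator opens with the session key carried
    inside the ticket, both name the same client, and the time stamp is fresh."""
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(ticket["key"]), auth)
    if a["cname"] != ticket["cname"]:
        raise ValueError("authenticator and ticket name different principals")
    if abs(now - a["ts"]) > SKEW:
        raise ValueError("time stamp outside clock skew (stale or replayed)")
    return a

class KDC:
    """Authentication Service and Ticket Granting Service over one principal database."""
    def __init__(self, realm, db):
        self.db, self.tgs = db, "krbtgt/" + realm

    def _issue(self, cname, sname, now):
        skey = os.urandom(32)                       # fresh session key for this ticket
        ticket = encrypt(self.db[sname], {"cname": cname, "sname": sname,
                                          "key": skey.hex(), "exp": now + LIFETIME})
        return skey, ticket

    def as_exchange(self, cname, nonce, now):           # Steps 1-2
        skey, tgt = self._issue(cname, self.tgs, now)   # TGT is sealed with the krbtgt key
        return tgt, encrypt(self.db[cname], {"key": skey.hex(), "nonce": nonce})

    def tgs_exchange(self, tgt, auth, sname, nonce, now):   # Steps 3-4
        t = decrypt(self.db[self.tgs], tgt)
        check_authenticator(t, auth, now)
        skey, ticket = self._issue(t["cname"], sname, now)
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": skey.hex(), "nonce": nonce})

class Client:
    def __init__(self, cname, password):
        self.cname, self.key = cname, string_to_key(password, cname)

    def authenticator(self, key, now):
        return encrypt(key, {"cname": self.cname, "ts": now})

    def kinit(self, kdc, now):
        nonce = os.urandom(8).hex()
        self.tgt, rep = kdc.as_exchange(self.cname, nonce, now)
        r = decrypt(self.key, rep)                  # a wrong password fails here, on the client
        if r["nonce"] != nonce:
            raise ValueError("AS reply nonce mismatch")
        self.tgt_key = bytes.fromhex(r["key"])

    def service_ticket(self, kdc, sname, now):
        nonce = os.urandom(8).hex()
        ticket, rep = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_key, now),
                                       sname, nonce, now)
        r = decrypt(self.tgt_key, rep)
        if r["nonce"] != nonce:
            raise ValueError("TGS reply nonce mismatch")
        return ticket, bytes.fromhex(r["key"])

def ap_accept(keytab_key, ticket, auth, now):           # Steps 5-6, application server side
    return check_authenticator(decrypt(keytab_key, ticket), auth, now)["cname"]

def run(password="correct horse", delay=0):
    """Whole exchange for the invented user alice; `delay` is how many seconds pass
    before the server checks the authenticator (a replay presented late is refused)."""
    svc, now = "host/hostb.example.com@EXAMPLE.COM", time.time()
    db = {"alice@EXAMPLE.COM": string_to_key("correct horse", "alice@EXAMPLE.COM"),
          "krbtgt/EXAMPLE.COM": os.urandom(32), svc: os.urandom(32)}  # svc key = server keytab
    kdc, alice = KDC("EXAMPLE.COM", db), Client("alice@EXAMPLE.COM", password)
    alice.kinit(kdc, now)
    ticket, skey = alice.service_ticket(kdc, svc, now)
    return ap_accept(db[svc], ticket, alice.authenticator(skey, now), now + delay)
```

run() returns the authenticated principal name; run("wrong password") fails at the client while decrypting the AS reply, and run(delay=600) fails at the server on the skew check, which is why the client-configuration steps later in this manual insist on synchronized clocks. Pre-authentication is not modelled here: without it a KDC hands the AS reply to anyone who asks, so the reply can be attacked offline, which is the reason the enctype chosen in krb5.conf matters.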
Kerberos Products and GSS-API on HP-UX

HP-UX supports Kerberos with a set of three software packages plus the Generic Security Service Application Programming Interface (GSS-API), from HP-UX 11.0 onwards. These products are:
• PAM Kerberos (PAM-Kerberos)
• Kerberos Client Software
• HP's Kerberos Server Version 2.

— kvno, to display the Kerberos key version number of principals.
• HP's Kerberos Server Version 2.0: The current version of the Kerberos server supersedes the earlier MIT-based Kerberos server (version 1.0) on HP-UX 11i. The Kerberos Server is based on a distributed client-server architecture. It ensures secure communication in a networked environment by leveraging individual trust relationships.
2 Introduction to the Kerberos Products and GSS-API This chapter describes the Kerberos-based products and GSS-API on HP-UX.
It contains the following sections:
• "PAM Kerberos" on page 27
• "Secure Internet Services" on page 43
• "KRB5 Client Software" on page 46
• "HP's Kerberos Server Version 2.
PAM Kerberos

HP-UX provides Kerberos authentication as part of the Pluggable Authentication Module (PAM) architecture, as specified in Open Group RFC 86.0. PAM allows multiple authentication technologies to co-exist on HP-UX. The configuration file, /etc/pam.conf, determines the authentication module to be used, in a manner transparent to the applications that use the PAM library.

For more information on the configuration file pam.conf, see the section "Configuring for PAM Kerberos" on page 85.

Figure 2-1 HP-UX authentication modules under PAM
[Figure: login, su, passwd and telnet call the PAM library; the PAM configuration file, pam.conf, indicates which authentication module to use: UNIX (libpam_unix.1), Kerberos (libpam_krb5.1), DCE (libpam_dce.1), LDAP (libpam_ldap.1) or NTLM (libpam_ntlm.1), each backed by its own authentication service.]
The Authentication Module supports seven options: use_first_pass, krb_prompt, try_first_pass, renewable=

In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password that was entered for libpam_unix.1. If that authentication fails, PAM prompts for another password and tries again.

Table 2-4 On HP-UX 11.

forwardable
When a user obtains service tickets, they are for a remote system. However, the user may want to use a secure service to access a remote system and then run a secure service from that remote system to a second remote system. That second hop requires that the first remote system hold a valid TGT for the user. Kerberos provides the option to create TGTs with special attributes allowing them to be forwarded to remote systems within the REALM.
For example, with the following configuration, no Kerberos authentication is conducted for the root user.

Table 2-7 On HP-UX 11.0 and 11i

pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore
# option and returns PAM_IGNORE without any processing.
#
root  auth      /usr/lib/security/libpam_krb5.1  ignore
root  password  /usr/lib/security/libpam_krb5.1  ignore
root  account   /usr/lib/security/libpam_krb5.
The Password Module

The Password Management module provides a function to change passwords in the Kerberos password database. Unlike when changing a Unix password, the root user is always prompted for the old password. The following options may be passed to this PAM module through the /etc/pam.conf(4) file:

debug
This option logs debugging information through syslog(3C) at LOG_DEBUG level.

Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, prompt for a password.

ignore
This option returns PAM_IGNORE. Generally this option should not be used. However, it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases, you can use this option in /etc/pam_user.conf(4) for per-user configuration.
On HP-UX 11.0 and 11i

#
# PAM configuration
#
# This pam.conf file is intended as an example only.
# see pam.conf(4) for more details
#
# Authentication management
#
login  auth  sufficient  /usr/lib/security/libpam_krb5.1
login  auth  required    /usr/lib/security/libpam_unix.1  try_first_pass
su     auth  sufficient  /usr/lib/security/libpam_krb5.1
su     auth  required    /usr/lib/security/libpam_unix.
dtlogin   session  required    /usr/lib/security/libpam_unix.1
dtaction  session  required    /usr/lib/security/libpam_krb5.1
dtaction  session  required    /usr/lib/security/libpam_unix.1
OTHER     session  sufficient  /usr/lib/security/libpam_unix.1
#
# Password management
#
login     password  sufficient  /usr/lib/security/libpam_krb5.
login     password
passwd    password
passwd    password
dtlogin   password
dtlogin   password
dtaction  password
dtaction  password
OTHER     password
login     account  required  /usr/lib/security/$ISA/libpam_unix.so.1
su        account  required  /usr/lib/security/$ISA/libpam_krb5.so.1
su        account  required  /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin   account  required  /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin   account  required  /usr/lib/security/$ISA/libpam_unix.so.1
dtaction  account  required  /usr/lib/security/$ISA/libpam_krb5.so.1
dtaction  account  required  /usr/lib/security/$ISA/libpam_unix.so.
ignore
This option returns PAM_IGNORE. Generally this option should not be used. However, it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per-user configuration. It is not recommended to use this option in pam.conf(4). See the examples section.
pam_user.conf on HP-UX 11.0 and 11i

# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root  auth      /usr/lib/security/libpam_krb5.1  ignore
root  password  /usr/lib/security/libpam_krb5.1  ignore
root  account   /usr/lib/security/libpam_krb5.1  ignore
root  session   /usr/lib/security/libpam_krb5.1  ignore

pam_user.conf on HP-UX 11i v1 and 11i v2

# configuration for user root.
try_first_pass
login  account  required  /usr/lib/security/$ISA/libpam_updbe.so.1
login  account  required  /usr/lib/security/$ISA/libpam_krb5.so.1

pam_krb5 on HP-UX 11.0 and 11i

login  account  required  /usr/lib/security/libpam_unix.1
login  session  required  /usr/lib/security/libpam_updbe.1
login  session  required  /usr/lib/security/libpam_krb5.1
login  session  required  /usr/lib/security/libpam_unix.
hpux32 for the Itanium 32-bit option (ia32), or with hpux64 for the Itanium 64-bit option (ia64), or with null for the PA 32-bit option (pa32), or with pa20_64 for the PA 64-bit option (pa64).

NOTE
• Checks whether the options specified for the pam_krb5 library are valid PAM Kerberos options.
• Validates /etc/pam_user.conf only if libpam_updbe is configured in the /etc/pam.conf file. This validation is similar to the /etc/pam.conf validation.

[NOTICE] These messages are logged to notify the user about erroneous lines in the PAM configuration files, or that validation of the /etc/pam_user.conf file was skipped.
[FAIL] These messages are logged when any of the above validations fails.
[PASS] These messages are logged when any of the above validations succeeds.
[IGNORE] These messages are logged when validation of /etc/krb5.keytab is ignored.
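The stacking behaviour this section describes (sufficient versus required entries, try_first_pass, the ignore option in pam_user.conf, and the fact that pam_user.conf is consulted only when libpam_updbe is in the stack), worked through on sample files. This is an added example and is not HP's validation tool: the two files below are constructed from the fragments shown in this chapter, module results are supplied by the caller rather than obtained by running the libraries, the list of pam_krb5 option names is only those named in this chapter, and the control-flag rules are the required/requisite/sufficient/optional semantics of Solaris-derived pam.conf(4), which is assumed here to match HP-UX.

```python
"""Walk a PAM stack for given module results (added example, not HP's validator).
Sample files and semantics are assumptions stated in the lead-in above."""

# pam_krb5 option names that appear in this chapter; consult pam_krb5(5) for the full set
KRB5_OPTIONS = {"use_first_pass", "try_first_pass", "krb_prompt", "forwardable",
                "renewable", "ignore", "debug"}

PAM_CONF = """\
# constructed sample, HP-UX 11i v1/v2 library naming
login   auth  sufficient  /usr/lib/security/$ISA/libpam_krb5.so.1
login   auth  required    /usr/lib/security/$ISA/libpam_unix.so.1  try_first_pass
su      auth  required    /usr/lib/security/$ISA/libpam_updbe.so.1
su      auth  sufficient  /usr/lib/security/$ISA/libpam_krb5.so.1
su      auth  required    /usr/lib/security/$ISA/libpam_unix.so.1  try_first_pass
OTHER   auth  required    /usr/lib/security/$ISA/libpam_unix.so.1
"""

PAM_USER_CONF = """\
# per-user override: root is never sent to Kerberos (ignore -> PAM_IGNORE)
root    auth  /usr/lib/security/$ISA/libpam_krb5.so.1  ignore
"""

def _fields(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_pam_conf(text):
    """(service, type) -> [(control, module, [options])] in file order."""
    stack = {}
    for svc, typ, ctrl, mod, *opts in _fields(text):
        stack.setdefault((svc, typ), []).append((ctrl, mod, opts))
    return stack

def parse_pam_user_conf(text):
    """(user, type, module) -> [options] that replace the pam.conf options for that user."""
    return {(user, typ, mod): opts for user, typ, mod, *opts in _fields(text)}

def _name(mod):
    return mod.rsplit("/", 1)[-1].split(".")[0]   # .../libpam_krb5.so.1 -> libpam_krb5

def lint_krb5_options(stack):
    """Option names this chapter does not list, and 'ignore' placed in pam.conf itself."""
    problems = []
    for (svc, typ), entries in stack.items():
        for _ctrl, mod, opts in entries:
            if _name(mod) != "libpam_krb5":
                continue
            for opt in opts:
                if opt.split("=", 1)[0] not in KRB5_OPTIONS:
                    problems.append(f"{svc} {typ}: unknown pam_krb5 option {opt!r}")
                if opt == "ignore":
                    problems.append(f"{svc} {typ}: 'ignore' belongs in pam_user.conf, not pam.conf")
    return problems

def evaluate(stack, per_user, service, typ, user, outcomes):
    """True if PAM would report success for (service, typ); outcomes maps a module
    name such as 'libpam_krb5' to True/False for this user."""
    entries = stack.get((service, typ)) or stack.get(("OTHER", typ), [])
    has_updbe = any(_name(m) == "libpam_updbe" for _c, m, _o in entries)
    required_failed = False
    for ctrl, mod, opts in entries:
        if _name(mod) == "libpam_updbe":
            continue                                   # only there to read pam_user.conf
        if has_updbe:                                  # per-user options apply only then
            opts = per_user.get((user, typ, mod), opts)
        if "ignore" in opts:
            continue                                   # module returns PAM_IGNORE
        ok = outcomes.get(_name(mod), False)
        if ctrl == "sufficient" and ok and not required_failed:
            return True                                # short-circuit success
        if ctrl == "requisite" and not ok:
            return False                               # immediate failure
        if ctrl == "required" and not ok:
            required_failed = True                     # remembered, stack continues
    return not required_failed
```

Two calls show the point of libpam_updbe: evaluate(stack, per_user, "su", "auth", "root", {"libpam_krb5": True, "libpam_unix": False}) is False because the root override removes Kerberos from the su stack, whereas the same outcomes for "login", which has no libpam_updbe entry, give True because pam_user.conf is never read there.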
Secure Internet Services

Although you may use Kerberos to authenticate a user to the local host, most likely you want to authenticate users on remote systems without sending the password in clear text over the network. HP-UX provides built-in support for the following secure Internet services applications: ftp, rcp, rlogin, telnet, and remsh.

authenticator. Finally, based on whether the password provided is valid in Step 4, the user is either authenticated or denied access, taking into account the result of Step 3.

Figure 2-2 PAM Kerberos calls libkrb5.sl through PAM

Figure 2-3 SIS uses Kerberos Client Library Directly
[Figure: the SIS client and server link libsis.sl and talk to the KDC server directly; the numbered arrows are the steps referred to below.]

As shown in Figure 2-5, SIS invokes libsis.sl currently, and may change to libkrb5.sl in the future. When SIS is enabled at the application client, the password is not sent to the application server. Instead, SIS uses an encrypted ticket each time the user requests a remote service. As shown in Figure 2-3 above, the client requests credentials from the KDC in Step 1 and obtains credentials for the remote host in Step 2.
KRB5 Client Software

This section presents an overview of the KRB5-Client software, which consists of libraries, header files, manpages, and Kerberos utilities. The section is divided into two parts. The following subsection, "Libraries and Header Files", discusses the libraries and header files supplied with the KRB5-Client software. The second subsection, "Kerberos Utilities" on page 48, discusses the Kerberos utilities.

Table 2-9 Kerberos Client Libraries (Continued)

Library        Availability
libcom_err     • Itanium 32 - /usr/lib/hpux32/libcom_err.so
               • PA-RISC 32 - /usr/lib/libcom_err.sl
               • Itanium 64 - /usr/lib/hpux64/libcom_err.so
               • PA-RISC 64 - /usr/lib/pa20_64/libcom_err.sl
libk5crypto    • Itanium 32 - /usr/lib/hpux32/libk5crypto.so
               • PA-RISC 32 - /usr/lib/libk5crypto.sl
               • Itanium 64 - /usr/lib/hpux64/libk5crypto.so
               • PA-RISC 64 - /usr/lib/pa20_64/libk5crypto.

• /usr/include/com_err.h
• /usr/include/krb5/gssapi.h

HP-UX also includes DCE Kerberos and its manpages, so use specific manpage section numbers for the Kerberos client software; for example, refer to man 1 kinit for the Kerberos manpage and to man 1m kinit for the DCE manpage. The default is the Kerberos manpage. Refer to /usr/share/man/man3.Z/libkrb5.3 for more information on the libkrb5 library.
/usr/bin/kinit -f [principal]
/usr/bin/kinit -r renewable_life [principal]
/usr/bin/kinit -R [principal]
/usr/bin/kinit -k [-t keytab_file] [principal]
/usr/bin/kinit -c [cache_name] [principal]
/usr/bin/kinit -S service_name [principal]

OPTIONS

-l lifetime
The -l option requests a ticket with the lifetime given by lifetime.

-p
The -p option requests a proxiable ticket.

-f
The -f option requests a forwardable ticket.

-r renewable_life
The -r option requests renewable tickets, with a total lifetime of renewable_life. The duration is in the same format as the -l option, with the same delimiters.

-R
The -R option requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

tkt_lifetime
This relationship specifies the lifetime of the ticket to be obtained. The unit of lifetime is seconds, minutes, hours or days.

renew_lifetime
This relationship specifies the renewable life of the ticket to be obtained. The unit of lifetime is seconds, minutes, hours or days.

NOTE For DCE operations use /opt/dce/bin/kinit.

-c
The -c option lists tickets held in a credentials cache. This is the default if neither -c nor -k is specified.

-f
The -f option shows the flags present in the credentials, using the following abbreviations:

Table 2-11
F  Forwardable
f  forwarded
P  Proxiable
p  proxy
D  postDateable
d  postdated
R  Renewable
I  Initial
i  invalid

-s
The -s option sets the exit status only, without producing klist output.
The kdestroy utility destroys the user's active Kerberos authorization tickets by writing zeros to the specified credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. A user's credentials are not automatically removed by exiting from a shell or logging out. Run kdestroy before logging out to remove the credentials cache files; otherwise the tickets remain on disk until they expire and can be used by anyone able to read the cache file.

If the optional parameter principal is not used, kpasswd uses the principal name from an existing cache if there is one. If not, the principal is derived from the identity of the user invoking the kpasswd command. kpasswd prompts for the current Kerberos password, which is used to obtain a changepw ticket from the KDC for the user's Kerberos REALM.

ktutil

DESCRIPTION
ktutil maintains keytab files. It is intended for use by the system administrator only.

list_requests (Alias: lr or ?)
The list_requests option displays a list of available commands.

REFERENCE
To view the ktutil manpage, issue the following command:
shell%: man 1 ktutil

kvno

DESCRIPTION
kvno acquires a service ticket for each of the specified Kerberos principals and returns the key version numbers of those principals. kvno uses the environment variable KRB5CCNAME, which records the location of the credentials (ticket) cache.
HP's Kerberos Server Version 2.0

Kerberos is a network authentication protocol based on RFC 1510, designed to provide strong authentication for client/server applications using shared secret-key cryptography. Kerberos has emerged as a standard that enhances the security of enterprise-wide network authentication. HP's Kerberos Server Version 2.

This enables the user to create and manage the principals in the Kerberos Realms. This includes both the remote administrator, kadmin_ui, and the local administrator, kadminl_ui.

Dynamic Propagation
In Kerberos server version 1.0, the entire database had to be periodically dumped and propagated. This resulted in heavy network traffic and thus reduced performance. It is important that secondary servers are configured to act as authentication servers. This allows the Primary Server to be available for tasks other than authentication.

C-Tree database
The Kerberos server maintains the complete information of all the principals, with their keys, in a database on the machine on which the Kerberos server runs. C-Tree is used as the backend database; it is based on the B+ Tree algorithm. This database is faster than the DBM-based database that was used in the earlier version of the Kerberos Server.
Generic Security Service Application Programming Interface (GSS-API)

The GSS-API (Generic Security Services - Application Programming Interface) provides authentication, integrity, and confidentiality services to the calling application. As shown in Figure 2-4, "GSS-API Library," libgss.sl is a shared library independent of the underlying security mechanisms.

With an Open System architecture, GSS-API provides portability in a heterogeneous environment. It contains all the GSS-APIs specified in RFC 2743. It is implemented as a package of C-language interfaces as defined in RFC 2744, "Generic Security Service API: C-bindings." The Kerberos Version 5 GSS-API Mechanism is explained in RFC 1964.

Table 2-12 GSS-API Libraries

Library   Availability
libgss    • Itanium 32 - /usr/lib/hpux32/libgss.so
          • PA-RISC 32 - /usr/lib/libgss.sl
          • Itanium 64 - /usr/lib/hpux64/libgss.so
          • PA-RISC 64 - /usr/lib/pa20_64/libgss.

Table 2-13 Functionality

• Credential Management Services
• Context-Level Services
• Authentication Services
• Confidentiality Services
• Support Services

These services are discussed in detail in the subsequent sections.

Credential Management Services
Credential-management calls provide functions to acquire and release credentials by principals.

• gss_import_sec_context: Import context from other process
• gss_inquire_context: Display information about context
• gss_context_time: Indicate validity time remaining in context

Authentication Services
Two sets of per-message calls provide security to the context. The gss_get_mic() and gss_verify_mic() calls provide the data origin authentication and data integrity services.

• gss_display_status: Translate status codes into printable format
• gss_indicate_mechs: Indicate supported mech_type on local system
• gss_compare_name: Compare two names
• gss_display_name: Translate name to printable format
• gss_import_name: Convert printable name to normalized form
• gss_release_name: Free storage of name
• gss_release_buffer: Free storage of general
3 Configuring the Kerberos Environment This chapter describes the files and procedures that are used to configure Kerberos on HP-UX.
It contains the following sections:
• "Configuration Files for Kerberos Clients" on page 69
• "Configuration Files for GSS-API" on page 74
• "Server Configuration Procedures" on page 77
  — "Configuring KDC - Kerberos Server version 2.

Configuration Files for Kerberos Clients

Table 3-1 lists and describes the files that you use to configure a Kerberos server, or a Kerberos client using PAM Kerberos. Samples of all the configuration files shown in the table are listed in the Appendices for your reference.

pam.conf
The configuration file /etc/pam.conf controls the behavior of the PAM modules. The pam.conf file contains a list of system entry services, each paired with its corresponding service module. When a service is requested, its associated module is invoked.

The PAM Kerberos options are: renewable=
[libdefaults]
    default_realm = KDC1.SUBDOMAIN.DOMAIN.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2

[realms]
    KDC1.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname1.subdomain.domain.com:88
        admin_server = hostname1.subdomain.domain.com:749
    }
    KDC2.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname2.subdomain.domain.com:88
        admin_server = hostname2.subdomain.domain.com:749
    }

[domain_realm]
    .subdomain.domain.
To view the krb5.conf manpage, issue the following command:
shell%: man 4 krb5.conf

Appendix B, Sample krb5.conf File, contains a sample copy of the /etc/krb5.conf file. In the HP-UX 11i version, a sample krb5.conf file is available as /etc/krb5.conf.sample.

services
The services file contains entries that allow client applications to establish socket connections to the KDC or to the application servers.
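The krb5.conf layout shown above (sections in brackets, key = value relations, and realm blocks in braces), parsed and checked the way an administrator would want before trusting a client. This is an added example, not HP's tooling: the sample file is constructed from the fragment above, reusing its realm and host names, with a [domain_realm] section filled in for illustration since the original is cut off. The checks confirm that default_realm has a kdc entry, that every [domain_realm] mapping points at a known realm, and flag the single-DES enctypes the 2003 sample uses, which RFC 6649 has since deprecated for Kerberos.

```python
"""Parse krb5.conf and run basic client-side checks (added example, not HP code).
The SAMPLE text is constructed; see the lead-in above."""
import re

SAMPLE = """\
[libdefaults]
    default_realm = KDC1.SUBDOMAIN.DOMAIN.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2

[realms]
    KDC1.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname1.subdomain.domain.com:88
        admin_server = hostname1.subdomain.domain.com:749
    }
    KDC2.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname2.subdomain.domain.com:88
        admin_server = hostname2.subdomain.domain.com:749
    }

[domain_realm]
    .subdomain.domain.com = KDC1.SUBDOMAIN.DOMAIN.COM
    subdomain.domain.com = KDC1.SUBDOMAIN.DOMAIN.COM
    host2.subdomain.domain.com = KDC2.SUBDOMAIN.DOMAIN.COM
"""

WEAK_ENCTYPE = re.compile(r"^des-cbc-", re.I)   # single DES, deprecated by RFC 6649

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm blocks become nested dicts.
    Values are lists because relations such as kdc may legitimately repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            name = line[:-1].strip().rstrip("=").strip()
            block = section.setdefault(name, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            (block if block is not None else section).setdefault(key, []).append(val)
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup as the library does it: exact host name first, then the
    longest matching .domain suffix, then default_realm."""
    mapping = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    h = host.lower()
    if h in mapping:
        return mapping[h]
    parts = h.split(".")
    for i in range(1, len(parts)):
        suffix = "." + ".".join(parts[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"][0]

def check(conf):
    """List of findings; an empty list means the file passes these checks."""
    findings = []
    libdef = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default = libdef.get("default_realm", [None])[0]
    if default is None:
        findings.append("no default_realm in [libdefaults]")
    elif default not in realms or not realms[default].get("kdc"):
        findings.append(f"default_realm {default} has no kdc relation in [realms]")
    for dom, target in conf.get("domain_realm", {}).items():
        if target[0] not in realms:
            findings.append(f"[domain_realm] {dom} maps to unknown realm {target[0]}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in libdef.get(key, []):
            if WEAK_ENCTYPE.match(enc):
                findings.append(f"{key} uses {enc}: single DES is deprecated (RFC 6649)")
    return findings
```

On the sample, check() returns exactly the two enctype findings, and realm_for_host() shows the precedence rule: host2.subdomain.domain.com resolves to KDC2 through its exact entry while any other host under .subdomain.domain.com falls to KDC1.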
Configuration Files for GSS-API

Three configuration files are essential for the proper functioning of GSS-API:
• /etc/gss/mech
• /etc/gss/qop
• /etc/gss/gsscred.conf

NOTE IPv6 support for GSS-API has been enabled only for the Itanium binaries on HP-UX 11i v2 systems.

These three files are described under the subheadings that follow.

Table 3-6 Entries in the mech file (Continued)

Column         Description
Third column   Contains the name of the shared library that implements the back-end security mechanism for GSS-API. The back-end library has to be placed in the /usr/lib/gss path for 32-bit and the /usr/lib/pa20_64/gss path for 64-bit versions on PA-based systems.

Quality of Protection (QOP) values are used with the Kerberos V5 GSS-API mechanism as input to the gss_wrap() and gss_get_mic() routines in order to select among alternate integrity and confidentiality algorithms. Additional QOP values may be added in future versions. The /etc/gss/qop file has the following format:

Table 3-9 Format of the /etc/gss/qop file

First column   Specifies the string name of the QOP.
Configuring the Kerberos Environment Server Configuration Procedures Server Configuration Procedures You will configure a Kerberos client in the same way, no matter whether your KDC server is a Kerberos server on HP-UX 11i or a Microsoft 2000 KDC server. However, for a Microsoft Windows 2000 KDC server or the Kerberos server on HP-UX 11i, the server configuration procedures are different.
Configuring the Kerberos Environment Server Configuration Procedures • enables you with the option of creating a stash file • allows you to specify the encryption type The other sections in the configuration files will be set to it’s default values. If you want to customize these sections, you will have to manually edit the configuration files and restart the kdcd and kadmind daemons using this tool. This tool also allows you to customize the encryption type and stash file.
Configuring the Kerberos Environment Server Configuration Procedures NOTE The steps mentioned below are the identical for configuring both the primary security server as well as the secondary security server. b. You will be prompted to specify the encryption type. If you do not specify this value, the default value, DES-MD5, will be selected. c. You will be prompted to stash the principal database key on your local disk.
Configuring the Kerberos Environment Server Configuration Procedures The krb.conf file, with the default values for all the sections generated by the auto-configuration tool is as shown below: Your_Realm_NAme Your_Realm_Name Your_Secondary_Server1 Your_Realm_Name Your_Secondary_Server2 Your_Realm_Name host.subdomain.domain.com admin server The krb.realms file, with the default values generated by the auto-configuration tool is as shown below: Your_Primary_Security_Server Your_Realm_Name .
Configuring the Kerberos Environment Server Configuration Procedures shell% /opt/krb5/sbin/kadmind You can also start the Kerberos daemons by typing the command prompt: % /sbin/init.d/krbsrv start Verify that the daemons have started properly by checking for the messages in the system log files. Step 7. Once the KDC is set up and running, it is time to create the principals of all the hosts and users into the Kerberos database. Configuring KDC Server - Microsoft Windows 2000 KDC 1.
This step creates an account with the name host/hostname.subdomain.domain.com.
3. Follow step 3 under Configuring the Kerberos Client to merge the KEYTAB file on the Kerberos client system.
4. For each user of the Kerberos client, create a Kerberos principal on the KDC Server:
• From Administrative Tools, select Active Directory Users and Computers.
Configuring the Kerberos Client
1. Edit the configuration files, /etc/krb5.conf and /etc/services, as described in “Configuration Files for Kerberos Clients” on page 69.
2. All Kerberos systems need a KEYTAB file (/etc/krb5.keytab) to authenticate themselves to the KDC. Create a KEYTAB file for each KDC client on your KDC Server following the procedures described in “Configuring KDC - Kerberos Server version 2.
5. Synchronize the KDC client’s clock to the KDC server’s clock (within two minutes).
Configuring for PAM Kerberos
If you want to run PAM Kerberos, after you complete the KDC client configuration from the previous section you also need to edit the PAM configuration files for PAM Kerberos. Using the /etc/pam.conf.krb5 file as an example, edit /etc/pam.conf as described in “Configuration Files for Kerberos Clients” on page 69.
4 Troubleshooting Kerberos Related Products
This chapter explains the error messages that you might encounter while using the Kerberos client products.
It contains the following sections:
• “Troubleshooting the PAM Kerberos” on page 89
• “Troubleshooting the Kerberos Client Utilities” on page 93
• “Troubleshooting GSS-API” on page 96
Troubleshooting the PAM Kerberos
The PAM Kerberos module returns debug and error messages that are logged using the syslog utility. Use the appropriate syslog log levels to gather more information about error scenarios. Debug logging is enabled using the debug option in the /etc/pam.conf file for the Kerberos PAM module, as shown in the example below:
Table 4-1
login auth sufficient /usr/lib/security/libpam_krb5.
Table 4-3 Error Codes and Corrective Actions (Continued)
Error No. | PAM Error Code | Meaning | Corrective Actions
2 | PAM_BUF_ERR | Memory buffer error | Ensure that sufficient system memory is available for all processes.
3 | PAM_PERM_DENIED | No permission | Check the permissions/ACLs.
Table 4-3 Error Codes and Corrective Actions (Continued)
Error No. | PAM Error Code | Meaning | Corrective Actions
8 | PAM_CRED_UNAVAIL | Cannot retrieve user credentials | KRB5CCNAME is not set, OR the credential file does not exist, OR the user is not permitted to use the credential cache.
9 | PAM_CRED_EXPIRED | User credentials expired | Credential expired. Re-initialize the credentials.
Table 4-3 Error Codes and Corrective Actions (Continued)
Error No. | PAM Error Code | Meaning | Corrective Actions
15 | OTHER Errors | | See syslog for more specific information.
Troubleshooting the Kerberos Client Utilities
The Kerberos utilities kdestroy, kinit, klist, and kpasswd may return the following errors. Table 4-2 provides a list of errors with their meaning and suggested corrective actions for each error.
Table 4-4 Kerberos Client Error Codes
Error No. | Error | Meaning | Reason/Corrective Action
1 | kdestroy: No credentials cache file found while destroying cache.
Table 4-4 Kerberos Client Error Codes (Continued)
Error No. | Error | Meaning | Reason/Corrective Action
5 | klist: No such file or directory while starting keytab scan | The keytab file was not found. (The default location of the keytab file is /etc/krb5.keytab.) | Verify the keytab file. If the keytab file does not exist, create the keytab file with the specific entries.
You can find the Kerberos V5 Library Error Codes in Appendix A of MIT’s “Kerberos V5 System Administrator’s Guide”.
Troubleshooting GSS-API
This section provides troubleshooting tips for GSS-API.
Error Codes
It is the responsibility of the application programmer to check the Major and Minor status values. For debugging purposes, it is recommended that you use the gss_display_status() call to get the textual representation of a GSS-API status code, which can be displayed to a user or used for logging.
Table 4-5 Routine GSS-API Errors (Continued)
Error No. | Name | Meaning
3 | GSS_S_BAD_NAMETYPE | The name type passed is unsupported.
4 | GSS_S_BAD_BINDINGS | The channel bindings are incorrect.
5 | GSS_S_BAD_STATUS | A status value was invalid.
6 | GSS_S_BAD_SIG | A token had an invalid signature.
7 | GSS_S_NO_CRED | No credentials were supplied.
8 | GSS_S_NO_CONTEXT | No context has been established.
9 | GSS_S_DEFECTIVE_TOKEN | A token was invalid.
The following table lists the calling error values and their meanings:
Table 4-6 Calling Errors
Error No. | Name | Meaning
1 | GSS_S_CALL_INACCESSIBLE_READ | Could not read a required input parameter.
2 | GSS_S_CALL_INACCESSIBLE_WRITE | Could not write a required output parameter.
3 | GSS_S_BAD_STRUCTURE | Could not structure parameter correctly.
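As an added example (not HP's or MIT's code), the following Python decodes a numeric major status value, such as one an application wrote to syslog, into the calling error, routine error and supplementary bits that Tables 4-5 and 4-6 describe. It assumes the field layout RFC 2744 specifies for the status word; the GSS_S_* values beyond those in the two tables are taken from RFC 2744.

```python
"""Decode a GSS-API major status word into its three fields (added
example; not HP's or MIT's code). Layout per RFC 2744: calling error in
bits 24-31, routine error in bits 16-23, supplementary info in bits 0-15.
gssapi.h exposes the same values as GSS_S_* macros."""

CALLING_ERROR_OFFSET = 24
ROUTINE_ERROR_OFFSET = 16
SUPPLEMENTARY_OFFSET = 0

# Table 4-6 (RFC 2744 names code 3 GSS_S_CALL_BAD_STRUCTURE).
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}

# Table 4-5 (codes 3-9) plus the remaining RFC 2744 routine errors.
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}

# Supplementary information is a bit mask; several flags may be set.
SUPPLEMENTARY_BITS = {
    1 << 0: "GSS_S_CONTINUE_NEEDED",
    1 << 1: "GSS_S_DUPLICATE_TOKEN",
    1 << 2: "GSS_S_OLD_TOKEN",
    1 << 3: "GSS_S_UNSEQ_TOKEN",
    1 << 4: "GSS_S_GAP_TOKEN",
}


def _name(table, code):
    """Symbolic name for a field value; None when the field is clear."""
    if code == 0:
        return None
    return table.get(code, "unknown(%d)" % code)


def decode_major_status(major):
    """Split a major status the way the GSS_CALLING_ERROR(),
    GSS_ROUTINE_ERROR() and GSS_SUPPLEMENTARY_INFO() macros do."""
    calling = (major >> CALLING_ERROR_OFFSET) & 0xFF
    routine = (major >> ROUTINE_ERROR_OFFSET) & 0xFF
    supp = (major >> SUPPLEMENTARY_OFFSET) & 0xFFFF
    return {
        "calling_error": _name(CALLING_ERRORS, calling),
        "routine_error": _name(ROUTINE_ERRORS, routine),
        "supplementary": [name for bit, name in sorted(SUPPLEMENTARY_BITS.items())
                          if supp & bit],
    }


def is_error(major):
    """GSS_ERROR(): true only when a calling or routine error is set.
    A bare supplementary flag such as GSS_S_CONTINUE_NEEDED is not an error."""
    return (major >> ROUTINE_ERROR_OFFSET) != 0
```

A status of 1 therefore decodes to GSS_S_CONTINUE_NEEDED and is not an error, which is the case most often misread when a context-establishment loop is checked with a plain equality test against GSS_S_COMPLETE.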
Other Common Causes of Errors
Other common causes of errors include the following:
NOTE
• Trying to use GSS-API with /etc/gss/mech configured for krb5_mech while the KRB5-Client product is not installed.
• Improper permissions on the libgssapi_krb5.sl / libgssapi_krb5.so library.
A Sample pam.conf File
The file presented below is pam.conf.krb5, a sample pam.conf file that comes with PAM Kerberos.
On HP-UX 11.0 and 11i
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_krb5.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin auth required /usr/lib/security/libpam_unix.
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_krb5.1
passwd password required /usr/lib/security/libpam_unix.1
dtlogin password required /usr/lib/security/libpam_krb5.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.
On HP-UX 11i v1 and 11i v2
#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
su auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin auth required /usr/lib/security/$ISA/libpam_unix.so.
#
login password required /usr/lib/security/$ISA/libpam_krb5.so.1
login password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_unix.so.
dtaction password required
dtaction password required
OTHER password required
B Sample krb5.conf File
The following is the /etc/krb5.conf.sample file, which is provided with the KRB5-Client product. You can modify this file for use as your own krb5.conf file.
KDC.SUBDOMAIN.DOMAIN.COM and hostname.subdomain.domain.com with the name of your Kerberos REALM and hostname.
[libdefaults]
 default_realm = KDC.SUBDOMAIN.DOMAIN.COM
 default_tkt_enctypes = DES-CBC-CRC
 default_tgs_enctypes = DES-CBC-CRC
 ccache_type = 2
 checksum_type = 1
[realms]
 KDC.SUBDOMAIN.DOMAIN.COM = {
  kdc = hostname.subdomain.domain.com:88
  admin_server = hostname.subdomain.domain.com:749
  kpasswd_server = hostname.subdomain.domain.com
 }
[domain_realm]
 .subdomain.domain.com = KDC.
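As an added example (not part of the KRB5-Client product), the following Python parses a krb5.conf file in the format shown above and checks for the mistakes a client most often trips over: a default_realm with no [realms] entry, a realm with no kdc, and a [domain_realm] mapping to an undefined realm. The embedded sample is the file above with the truncated [domain_realm] line completed to KDC.SUBDOMAIN.DOMAIN.COM as an assumption.

```python
"""Parser and sanity checker for the krb5.conf format (added example;
not part of the KRB5-Client product). Handles [section] headers,
key = value lines and the { } blocks used under [realms]."""

from collections import defaultdict

# Constructed sample: the Appendix B file, with the [domain_realm]
# mapping completed to KDC.SUBDOMAIN.DOMAIN.COM (an assumption).
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = KDC.SUBDOMAIN.DOMAIN.COM
 default_tkt_enctypes = DES-CBC-CRC
 default_tgs_enctypes = DES-CBC-CRC
 ccache_type = 2
 checksum_type = 1
[realms]
 KDC.SUBDOMAIN.DOMAIN.COM = {
  kdc = hostname.subdomain.domain.com:88
  admin_server = hostname.subdomain.domain.com:749
  kpasswd_server = hostname.subdomain.domain.com
 }
[domain_realm]
 .subdomain.domain.com = KDC.SUBDOMAIN.DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a { } block becomes a nested dict."""
    conf = defaultdict(dict)
    section = None
    block = None  # dict of the { } block being filled, else None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = conf[section][key] = {}
            elif block is not None:
                block[key] = value
            else:
                conf[section][key] = value
    return dict(conf)


def check_krb5_conf(conf):
    """List the problems that would stop a client from reaching its KDC."""
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if not realm:
        problems.append("no default_realm in [libdefaults]")
    elif realm not in realms:
        problems.append("default_realm %s has no [realms] entry" % realm)
    for name, entry in realms.items():
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append("realm %s lists no kdc" % name)
    for domain, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            problems.append("%s maps to undefined realm %s" % (domain, target))
    return problems
```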
C Sample krb.conf File
The following is a sample krb.conf.
Copy this sample file to /opt/krb5/krb.conf and modify it to reflect the hostnames and realm name of your realm. Replace the underlined Your_Realm_Name, Your_Secondary_Server1, Your_Secondary_Server2 and hostname.subdomain.domain.com with the name of your Kerberos REALM and the hostnames of your primary and secondary servers.
Your_Realm_Name
Your_Realm_Name Your_Secondary_Server1
Your_Realm_Name Your_Secondary_Server2
Your_Realm_Name host.subdomain.domain.
D Sample krb.realms File
The following is a sample krb.realms.
Replace the underlined Your_Realm_Name, Your_Primary_Security_Server, Your_Secondary_Security_Server and Your_Domain_Name with the name of your Kerberos REALM and the hostnames of your primary and secondary servers.
Your_Primary_Security_Server Your_Realm_Name
.Your_Secondary_Security_Server Your_Realm_Name
*.Your_Domain_Name Your_Realm_Name
#
#
# Given below is an example with a brief explanation of the krb.realms file.
deer.bambi.com BAMBI.COM
.fox.bambi.com BAMBI.COM
*.bambi.com BAMBI.
E Kerberos Error Messages
The following is a list of Kerberos Error Messages that you might encounter while using the Kerberos server.
NOTE: The error codes are denoted in capital letters, followed by their respective error message.
Kerberos V5 Library Error Codes
This is the Kerberos v5 library error code table. Protocol error codes are ERROR_TABLE_BASE_krb5 + the protocol error code number; other error codes start at ERROR_TABLE_BASE_krb5 + 128.
1. KRB5KDC_ERR_NONE: No error
2. KRB5KDC_ERR_NAME_EXP: Client’s entry in database has expired
3. KRB5KDC_ERR_SERVICE_EXP: Server’s entry in database has expired
4. KRB5KDC_ERR_BAD_PVNO: Requested protocol version not supported
5.
16. KRB5KDC_ERR_SUMTYPE_NOSUPP: KDC has no support for checksum type
17. KRB5KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
18. KRB5KDC_ERR_TRTYPE_NOSUPP: KDC has no support for transited type
19. KRB5KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
20. KRB5KDC_ERR_SERVICE_REVOKED: Credentials for server have been revoked
21. KRB5KDC_ERR_TGT_REVOKED: TGT has been revoked
22.
37. KRB5KRB_AP_ERR_BADMATCH: Ticket/authenticator don’t match
38. KRB5KRB_AP_ERR_SKEW: Clock skew too great
39. KRB5KRB_AP_ERR_BADADDR: Incorrect net address
40. KRB5KRB_AP_ERR_BADVERSION: Protocol version mismatch
41. KRB5KRB_AP_ERR_MSG_TYPE: Invalid message type
42. KRB5KRB_AP_ERR_MODIFIED: Message stream modified
43. KRB5KRB_AP_ERR_BADORDER: Message out of order
44. KRB5KRB_AP_ERR_ILL_CR_TKT: Illegal cross-realm ticket
45.
62. KRB5KRB_ERR_FIELD_TOOLONG: Field is too long for this implementation
63. KRB5PLACEHOLD_62: KRB5 error code 62
64. KRB5PLACEHOLD_63: KRB5 error code 63
65. KRB5PLACEHOLD_64: KRB5 error code 64
66. KRB5PLACEHOLD_65: KRB5 error code 65
67. KRB5PLACEHOLD_66: KRB5 error code 66
68. KRB5PLACEHOLD_67: KRB5 error code 67
69. KRB5PLACEHOLD_68: KRB5 error code 68
70. KRB5PLACEHOLD_69: KRB5 error code 69
71. KRB5PLACEHOLD_70: KRB5 error code 70
72.
90. KRB5PLACEHOLD_89: KRB5 error code 89
91. KRB5PLACEHOLD_90: KRB5 error code 90
92. KRB5PLACEHOLD_91: KRB5 error code 91
93. KRB5PLACEHOLD_92: KRB5 error code 92
94. KRB5PLACEHOLD_93: KRB5 error code 93
95. KRB5PLACEHOLD_94: KRB5 error code 94
96. KRB5PLACEHOLD_95: KRB5 error code 95
97. KRB5PLACEHOLD_96: KRB5 error code 96
98. KRB5PLACEHOLD_97: KRB5 error code 97
99. KRB5PLACEHOLD_98: KRB5 error code 98
100. KRB5PLACEHOLD_99: KRB5 error code 99
101.
118. KRB5PLACEHOLD_117: KRB5 error code 117
119. KRB5PLACEHOLD_118: KRB5 error code 118
120. KRB5PLACEHOLD_119: KRB5 error code 119
121. KRB5PLACEHOLD_120: KRB5 error code 120
122. KRB5PLACEHOLD_121: KRB5 error code 121
123. KRB5PLACEHOLD_122: KRB5 error code 122
124. KRB5PLACEHOLD_123: KRB5 error code 123
125. KRB5PLACEHOLD_124: KRB5 error code 124
126. KRB5PLACEHOLD_125: KRB5 error code 125
127. KRB5PLACEHOLD_126: KRB5 error code 126
128.
144. KRB5_NO_TKT_SUPPLIED: Request did not supply a ticket
145. KRB5KRB_AP_WRONG_PRINC: Wrong principal in request
146. KRB5KRB_AP_ERR_TKT_INVALID: Ticket has invalid flag set
147. KRB5_PRINC_NOMATCH: Requested principal and ticket don’t match
148. KRB5_KDCREP_MODIFIED: KDC reply did not match expectations
149. KRB5_KDCREP_SKEW: Clock skew too great in KDC reply
150. KRB5_IN_TKT_REALM_MISMATCH: Client/server realm mismatch in initial ticket request
151.
166. KRB5_RC_NOIO: Replay cache type does not support non-volatile storage
167. KRB5_RC_PARSE: Replay cache name parse/format error
168. KRB5_RC_IO_EOF: End-of-file on replay cache I/O
169. KRB5_RC_IO_MALLOC: No more memory to allocate (in replay cache I/O code)
170. KRB5_RC_IO_PERM: Permission denied in replay cache code
171. KRB5_RC_IO_IO: I/O error in replay cache i/o code
172. KRB5_RC_IO_UNKNOWN: Generic unknown RC/IO error
173.
190. KRB5_BAD_KEYSIZE: Key size is incompatible with encryption type
191. KRB5_BAD_MSIZE: Message size is incompatible with encryption type
192. KRB5_CC_TYPE_EXISTS: Credentials cache type is already registered.
193. KRB5_KT_TYPE_EXISTS: Key table type is already registered.
194. KRB5_CC_IO: Credentials cache I/O operation failed XXX
195. KRB5_FCC_PERM: Credentials cache file permissions incorrect
196. KRB5_FCC_NOFILE: No credentials cache file found
197.
210. KRB5_PREAUTH_FAILED: Generic pre-authentication failure
211. KRB5_RCACHE_BADVNO: Unsupported replay cache format version number
212. KRB5_CCACHE_BADVNO: Unsupported credentials cache format version number
213. KRB5_KEYTAB_BADVNO: Unsupported key table format version number
214. KRB5_PROG_ATYPE_NOSUPP: Program lacks support for address type
215. KRB5_RC_REQUIRED: Message replay detection requires rcache parameter
216.
Kerberos V5 Magic Numbers Error Codes
This is the Kerberos v5 magic numbers error code table.
1. KV5M_NONE: Kerberos V5 magic number table
2. KV5M_PRINCIPAL: Bad magic number for krb5_principal structure
3. KV5M_DATA: Bad magic number for krb5_data structure
4. KV5M_KEYBLOCK: Bad magic number for krb5_keyblock structure
5. KV5M_CHECKSUM: Bad magic number for krb5_checksum structure
6.
20. KV5M_ERROR: Bad magic number for krb5_error structure
21. KV5M_AP_REQ: Bad magic number for krb5_ap_req structure
22. KV5M_AP_REP: Bad magic number for krb5_ap_rep structure
23. KV5M_AP_REP_ENC_PART: Bad magic number for krb5_ap_rep_enc_part structure
24. KV5M_RESPONSE: Bad magic number for krb5_response structure
25. KV5M_SAFE: Bad magic number for krb5_safe structure
26. KV5M_PRIV: Bad magic number for krb5_priv structure
27.
41. KV5M_RCACHE: Bad magic number for krb5_rcache structure
42. KV5M_CCACHE: Bad magic number for krb5_ccache structure
43. KV5M_PREAUTH_OPS: Bad magic number for krb5_preauth_ops
44. KV5M_SAM_CHALLENGE: Bad magic number for krb5_sam_challenge
45. KV5M_SAM_KEY: Bad magic number for krb5_sam_key
46. KV5M_ENC_SAM_RESPONSE_ENC: Bad magic number for krb5_enc_sam_response_enc
47. KV5M_SAM_RESPONSE: Bad magic number for krb5_sam_response
48.
ASN.1 Error Codes
1. ASN1_BAD_TIMEFORMAT: ASN.1 failed call to system time library
2. ASN1_MISSING_FIELD: ASN.1 structure is missing a required field
3. ASN1_MISPLACED_FIELD: ASN.1 unexpected field number
4. ASN1_TYPE_MISMATCH: ASN.1 type numbers are inconsistent
5. ASN1_OVERFLOW: ASN.1 value too large
6. ASN1_OVERRUN: ASN.1 encoding ended unexpectedly
7. ASN1_BAD_ID: ASN.1 identifier doesn’t match expected value
8. ASN1_BAD_LENGTH: ASN.
GSSAPI Error Codes
Generic GSSAPI Errors:
1. GSS_KRB5_S_G_BAD_SERVICE_NAME: /* "No @ in SERVICE-NAME name string" */
2. GSS_KRB5_S_G_BAD_STRING_UID: /* "STRING-UID-NAME contains nondigits" */
3. GSS_KRB5_S_G_NOUSER: /* "UID does not resolve to username" */
4. GSS_KRB5_S_G_VALIDATE_FAILED: /* "Validation error" */
5. GSS_KRB5_S_G_BUFFER_ALLOC: /* "Couldn’t allocate gss_buffer_t data" */
6. GSS_KRB5_S_G_BAD_MSG_CTX: /* "Message context invalid" */
7.
7. GSS_KRB5_S_KG_BAD_LENGTH: /* "Invalid field length in token" */
8. GSS_KRB5_S_KG_CTX_INCOMPLETE: /* "Attempt to use incomplete security context" */
FATAL ERROR CODES
1. GSS_S_BAD_BINDINGS : channel binding mismatch
2. GSS_S_BAD_MECH : unsupported mechanism requested
3. GSS_S_BAD_NAME : invalid name provided
4. GSS_S_BAD_NAMETYPE : name of unsupported type provided
5. GSS_S_BAD_STATUS : invalid input status selector
6.
3. GSS_S_DUPLICATE_TOKEN : duplicate per-message token detected
4. GSS_S_OLD_TOKEN : timed-out per-message token detected
5. GSS_S_UNSEQ_TOKEN : reordered (early) per-message token detected
6.