Configuration Guide for Kerberos Client Products on HP-UX HP-UX 11.0, HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 Manufacturing Part Number: 5991-7718 February 2007 © Copyright 2007 Hewlett-Packard Development Company, L.P.
Legal Notices Copyright 2007 Hewlett-Packard Company, L.P. Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Copyright 1989-1991 The University of Maryland Copyright 1988 Carnegie Mellon University Copyright 1996 Massachusetts Institute of Technology Copyright 1996 OpenVision Technologies, Inc. Copyright 1996 Derrick J.
Contents

1. Overview
   Kerberos Overview
   Authentication Process
   Kerberos Products and GSS-API on HP-UX
2. Introduction to the Kerberos Products and GSS-API
   PAM Kerberos
   Windows 2000(R) Interoperability
   Choice of C-Tree or LDAP Database
   Auto-Configuration Tool
   Generic Security Service Application Programming Interface (GSS-API)
   Credential Management Services
C. Sample krb.conf File
D. Sample krb.realms File
E. Kerberos Error Messages
   Kerberos V5 Library Error Codes
   Kerberos V5 Magic Numbers Error Codes
   ASN.1 Error Codes
   GSSAPI Error Codes
Figures

Figure 1-1. Authentication Process
Figure 2-1. HP-UX authentication modules under PAM
Figure 2-2. PAM Kerberos calls libkrb5.sl through PAM
Figure 2-3. SIS uses Kerberos Client Library Directly
Figure 2-4. GSS-API Library
Tables

Table 1. Publishing History Details
Table 2-1. PAM Kerberos Library libpam_krb5
Table 2-2. On HP-UX 11.0 and HP-UX 11i v1
Table 2-3. On HP-UX 11i v2 and HP-UX 11i v3
Table 2-4. On HP-UX 11.0 and 11iv1
About This Document

This document describes how to configure a Kerberos environment on HP-UX servers and workstations running HP-UX 11.0, HP-UX 11i v1, or HP-UX 11i v2, and on HP-UX servers running HP-UX 11i v3. It is intended for system managers and administrators who configure Kerberos-related products on HP-UX. It does not replace the documentation provided for HP’s Kerberos Server version 3.12.
Publishing History

Table 1 describes the publishing details of this document for various HP-UX releases.

Table 1  Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported   Publication Date
J5849-90003                          HP-UX 11.X                    December 2000
J5849-90007                          HP-UX 11.X                    September 2001
T1417-90005                          HP-UX 11.X                    June 2002
T1417-90006                          HP-UX 11.X                    July 2003
5991-7718                            HP-UX 11.X                    February 2007

The latest version of this document is available at: http://www.docs.hp.com.
Document Organization

The Configuration Guide for Kerberos Related Products on HP-UX is organized as follows:

Chapter 1  Overview. Provides an overview of the Kerberos protocol.
Chapter 2  Introduction to the Kerberos Products and GSS-API. Describes the Kerberos products available on HP-UX.
Chapter 3  Configuring the Kerberos Environment. Provides instructions for configuring a Kerberos environment.
a link to the manpage itself. From the HP-UX command line, you can enter “man audit” or “man 5 audit” to view the manpage. See man (1).

Book Title    The title of a book. On the Web and on the Instant Information CD, it may be a link to the book itself.
KeyCap        The name of a keyboard key. Note that Return and Enter both refer to the same key.
Emphasis      Text that is emphasized.
Bold          The defined use of an important word or phrase.
ComputerOut   Text displayed by the computer.
Related Documentation Given below is a list of related documentation: • Kerberos Server Version 3.12 Release Notes (5991-7686) • PAM Kerberos v1.
Accessing the World Wide Web

The following related documents are available on the HP web sites:

• HP Technical Documentation and White Papers
  — http://docs.hp.com
  — http://www.unixsolutions.hp.com/products/hpux/hpux11/whitepapers/netsecur.pdf
  — http://www.hp.com/products1/unix/operating/security/kerberos_wp.pdf
• HP-UX IT Resource Center:
  — http://us-support.external.hp.com (US and Asia Pacific)
  — http://europe-support.external.hp.
Related Request for Comments (RFCs)

The following RFCs are related to this document:

• RFC 1510 - The Kerberos Network Authentication Service (V5)
• RFC 1964 - The Kerberos Version 5 GSS-API Mechanism
• RFC 2743 - Generic Security Service Application Program Interface
• RFC 2744 - Generic Security Service API
• Open Group RFC 86.
1 Overview This chapter provides an overview of Kerberos and the available Kerberos products on HP-UX.
It contains the following sections:

• “Kerberos Overview” on page 23
• “Authentication Process” on page 24
• “Kerberos Products and GSS-API on HP-UX” on page 28
Kerberos Overview

Kerberos is a mature network authentication protocol based on the IETF RFC 1510 specification. It is designed to provide strong authentication for client/server applications using shared secret-key cryptography. The basic currency of Kerberos is the ticket, which the user presents in order to use a specific service. Each service, be it a login service or an FTP service, requires its own ticket.
Authentication Process

The Kerberos server grants tickets to your user principal so that you can access secured network services. You must first authenticate yourself to the server by providing your user name and password. When the server has authenticated you, it returns a set of initial credentials, including a ticket-granting ticket (TGT) and a session key. The Kerberos server then grants service tickets for specific service principals, each of which can be associated with one or more Kerberos-secured services.
Figure 1-1 illustrates the actions of the components and the Kerberos protocol in a secured environment.

Figure 1-1  Authentication Process

The following is a description of how a client and server authenticate each other using Kerberos:

Step 1. Send a request to the AS for a TGT. You can choose to request specific ticket flags and specify the key type to be used to construct the secret key, or accept the default values configured for the client.
• Time stamp
• Nonce

Step 2. If the AS decrypts the message successfully, it authenticates the requesting user and issues a TGT. The TGT contains the user name, a session key for your use, and the name of the server to be used for any subsequent communication. The reply message is encrypted using your secret key.

NOTE: The AS decrypts the request only when the pre-authentication option is set in the AS request. Without pre-authentication the AS has nothing to verify before it answers, so the encrypted reply is handed to anyone who names a valid principal; with pre-authentication the requester must first prove knowledge of the secret key, by encrypting a current timestamp in it, before the AS issues the TGT.
verifies that the user’s service ticket has not expired. If the user does not have a valid service ticket, the server returns an appropriate error code to the client.

Step 7. (Optional) At the client’s request, the application server can also return the timestamp sent by the client, encrypted in the session key. Because only a holder of the session key could produce this reply, the client now knows it is talking to the genuine server, so the authentication is mutual.
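The seven steps above, carried through end to end as an added example in Python (this is not code from this guide or from HP-UX): a toy KDC with an AS and a TGS, an application server, and a client that obtains a TGT with pre-authentication, then a service ticket, then completes an AP-REQ/AP-REP pair for mutual authentication. The realm EXAMPLE.COM, the principals alice and host/app.example.com, and the password are constructed for the example; enc()/dec() are a hashlib/hmac stand-in for the Kerberos encryption types, not real Kerberos cryptography. The demo also exercises the two failures a client most often sees: a wrong password (the AS-REP cannot be decrypted) and a client clock outside the permitted skew (the AS rejects the pre-authentication timestamp). The application server keeps a replay cache so that a captured authenticator cannot be presented twice.

```python
"""Toy run of Steps 1-7: AS-REQ/AS-REP with PA-ENC-TIMESTAMP pre-authentication,
TGS-REQ/TGS-REP, and AP-REQ/AP-REP with mutual authentication, plus the
clock-skew check and replay cache a real application server keeps. Added
example, not HP-UX code; enc()/dec() are a hashlib/hmac stand-in for the Kerberos
enctypes, and the realm, principals and passwords are constructed."""
import hashlib, hmac, json, secrets, time

SKEW = 300         # seconds, as krb5.conf clockskew
LIFETIME = 36000   # ticket lifetime, 10 hours

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def enc(key, obj):
    """Toy authenticated encryption of a JSON-serialisable object."""
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def dec(key, blob):
    """Check the tag, then decrypt; ValueError means wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def fresh(ts, now):
    return abs(now - ts) <= SKEW

class KDC:
    def __init__(self, realm, keys):
        self.keys, self.tgs = keys, "krbtgt/" + realm    # principal -> long-term key

    def as_exchange(self, cname, pa_data, nonce, now):
        """Step 2: verify the pre-auth timestamp, return TGT + reply in the user's key."""
        ckey = self.keys[cname]
        if pa_data is None:
            raise PermissionError("KDC_ERR_PREAUTH_REQUIRED")
        if not fresh(dec(ckey, pa_data)["ts"], now):     # wrong key -> ValueError in dec
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        sk = secrets.token_bytes(32).hex()
        tgt = enc(self.keys[self.tgs], {"cname": cname, "key": sk, "end": now + LIFETIME})
        return tgt, enc(ckey, {"key": sk, "nonce": nonce, "sname": self.tgs})

    def tgs_exchange(self, tgt, authenticator, sname, now):
        """Steps 3-4: open the TGT with the TGS key, check the authenticator, issue a ticket."""
        t = dec(self.keys[self.tgs], tgt)
        a = dec(bytes.fromhex(t["key"]), authenticator)
        if t["end"] < now or a["cname"] != t["cname"] or not fresh(a["ts"], now):
            raise PermissionError("KRB_AP_ERR_BAD_INTEGRITY")
        sk = secrets.token_bytes(32).hex()
        tkt = enc(self.keys[sname], {"cname": t["cname"], "key": sk, "end": now + LIFETIME})
        return tkt, enc(bytes.fromhex(t["key"]), {"key": sk, "sname": sname})

class AppServer:
    def __init__(self, sname, key):
        self.sname, self.key, self.replay = sname, key, set()

    def accept(self, ticket, authenticator, now):
        """Steps 5-7: verify ticket and authenticator, answer with AP-REP."""
        t = dec(self.key, ticket)
        sk = bytes.fromhex(t["key"])
        a = dec(sk, authenticator)
        if t["end"] < now or a["cname"] != t["cname"] or not fresh(a["ts"], now):
            raise PermissionError("KRB_AP_ERR_TKT_EXPIRED / KRB_AP_ERR_SKEW")
        if (a["cname"], a["ts"]) in self.replay:          # authenticator seen before
            raise PermissionError("KRB_AP_ERR_REPEAT")
        self.replay.add((a["cname"], a["ts"]))
        return enc(sk, {"ts": a["ts"]})                   # Step 7: echo client's time

def login(kdc, server, cname, password, clock_offset=0):
    """Client side of the whole flow; True when mutual authentication succeeds."""
    now = time.time()
    ckey = hashlib.sha256(password.encode()).digest()     # toy string-to-key
    cnow = now + clock_offset                             # the client's own clock
    nonce = secrets.token_hex(8)
    tgt, rep = kdc.as_exchange(cname, enc(ckey, {"ts": cnow}), nonce, now)
    rep = dec(ckey, rep)                                  # only the right password opens it
    if rep["nonce"] != nonce:
        raise PermissionError("AS-REP nonce mismatch (replayed reply)")
    tkey = bytes.fromhex(rep["key"])
    tkt, srep = kdc.tgs_exchange(tgt, enc(tkey, {"cname": cname, "ts": cnow}), server.sname, now)
    skey = bytes.fromhex(dec(tkey, srep)["key"])
    ap_rep = server.accept(tkt, enc(skey, {"cname": cname, "ts": cnow}), now)
    return dec(skey, ap_rep)["ts"] == cnow                # server proved it holds skey

def demo():
    """A good login, a wrong password, and a client clock 15 minutes off."""
    keys = {"krbtgt/EXAMPLE.COM": secrets.token_bytes(32),     # constructed test realm
            "host/app.example.com": secrets.token_bytes(32),
            "alice": hashlib.sha256(b"correct horse").digest()}
    kdc = KDC("EXAMPLE.COM", keys)
    srv = AppServer("host/app.example.com", keys["host/app.example.com"])
    out = {"good": login(kdc, srv, "alice", "correct horse")}
    for label, kw in (("bad_password", {"password": "wrong"}),
                      ("clock_skew", {"password": "correct horse", "clock_offset": 900})):
        try:
            login(kdc, srv, "alice", **kw)
            out[label] = "accepted"
        except (ValueError, PermissionError) as e:
            out[label] = type(e).__name__
    return out
```

demo() returns {'good': True, 'bad_password': 'ValueError', 'clock_skew': 'PermissionError'}: the wrong password fails inside dec() because the AS-REP tag does not verify, and the skewed clock fails inside the KDC because the pre-authentication timestamp is outside SKEW, which is exactly the situation an administrator meets when a client's clock drifts more than the configured clockskew.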
Kerberos Products and GSS-API on HP-UX

HP-UX supports Kerberos with a set of three software packages and the Generic Security Service Application Programming Interface (GSS-API) for HP-UX 11.0 onwards. These products are:

• PAM Kerberos (PAM-Kerberos)
• Kerberos Client Software
• Kerberos Server
• GSS-API

Application programmers can create “Kerberized” applications using either the GSS-APIs or the Kerberos APIs.
On HP-UX 11i v3, the KRB5-Client libraries are based on the MIT Kerberos V5 1.3.5 release. These KRB5-Client libraries support the DES, AES, 3DES and RC4 encryption types.

NOTE: The Kerberos Client utilities are as follows:
— kinit, klist, and kdestroy to manage credentials
— kpasswd to change Kerberos passwords
— ktutil to maintain the keytab file
— kvno to display the Kerberos key version number of principals

• Kerberos Server Version 3.
2 Introduction to the Kerberos Products and GSS-API This chapter describes the Kerberos-based products and GSS-API on HP-UX.
It contains the following sections:

• “PAM Kerberos” on page 33
• “Secure Internet Services” on page 52
• “KRB5 Client Software” on page 54
• “HP Kerberos Server” on page 64
• “Generic Security Service Application Programming Interface (GSS-API)” on page 68
PAM Kerberos

HP-UX provides Kerberos authentication as part of the Pluggable Authentication Module (PAM) architecture specified in RFC 86.0 of the Open Group. PAM allows multiple authentication technologies to co-exist on HP-UX. The /etc/pam.conf configuration file determines the authentication module to be used, in a manner transparent to the applications that use the PAM library.
The PAM Framework

Figure 2-1 shows the relationship between the PAM Kerberos Library and the various authentication modules that HP-UX provides. Note that the PAM Kerberos Library is one of many authentication modules that PAM can invoke, based on what is defined in the PAM configuration file, /etc/pam.conf.

Figure 2-1  HP-UX authentication modules under PAM (login, su, passwd and telnet calling the PAM library)

Use the PAM configuration file, pam.
Table 2-1  PAM Kerberos Library libpam_krb5

Platform                  Location
Itanium-based platform    /usr/lib/security/$ISA/libpam_krb5.so.1
PA-RISC platform          /usr/lib/security/libpam_krb5.1

Figure 2-2 shows a secure environment consisting of the following nodes:

• KDC Server
• The application server (rlogind process)
• The application client (rlogin process)

The application client is not a KDC client under PAM Kerberos.
When using PAM Kerberos, you configure only the application server as a KDC client. Users are prompted for a password when they first log in to the server from the application client. At that point the user holds no credentials, and the password travels from the application client to the application server in clear text: PAM Kerberos protects the exchange between the application server and the KDC, not the first hop from the client. If the password must not cross the network unprotected, use the Secure Internet Services described later in this chapter. Following are the authentication steps as shown in Figure 2-2:

1. The user sends a password to a remote system.
2. The application server invokes libkrb5.
• proxiable
• debug
• ignore

The following paragraphs list and describe each of these options.

Option            Definition
use_first_pass    Uses the same password given to the first module configured for authentication in the pam.conf file (see Figure 2-1). The module does not prompt for a password if the user cannot be authenticated with that first password.
In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password that was given to libpam_unix.1. If that authentication fails, PAM prompts for another password and tries again.

Table 2-4  On HP-UX 11.
For forwardable tickets to be granted, the user’s account in the Kerberos KDC must allow forwardable tickets.

proxiable    At times, it may be necessary for a principal to allow a service to perform an operation on its behalf. The service must be able to take on the identity of the client, but only for a particular purpose, by being granted a proxy.
# option and returns PAM_IGNORE without any processing.
#
root    auth      /usr/lib/security/$ISA/libpam_krb5.so.1   ignore
root    password  /usr/lib/security/$ISA/libpam_krb5.so.1   ignore
root    account   /usr/lib/security/$ISA/libpam_krb5.so.1   ignore
root    session   /usr/lib/security/$ISA/libpam_krb5.so.1   ignore

To enable the configuration defined in the pam_user.conf file, the libpam_updbe module must be the first module in the stack in the pam.conf file.
$ old Kerberos password          <--- Output if krb_prompt is specified

user_first_prompt    This option allows the initial password (entered when the user is authenticated to the first authentication module in the stack) to be used to authenticate with Kerberos. If the user cannot be authenticated with it, or if this is the first authentication module in the stack, the module quits without prompting for a password.
ppid    is the parent process ID
pid     is the process ID of the process that is creating this credential file

An example PAM configuration file is shown below:
On HP-UX 11.0 and 11iv1

#
# PAM configuration
#
# Authentication management
#
login     auth sufficient /usr/lib/security/libpam_krb5.1
login     auth required   /usr/lib/security/libpam_unix.1 try_first_pass
su        auth sufficient /usr/lib/security/libpam_krb5.1
su        auth required   /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin   auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin   auth required   /usr/lib/security/libpam_unix.
OTHER     session  sufficient /usr/lib/security/libpam_unix.1
#
# Password management
#
login     password sufficient /usr/lib/security/libpam_krb5.1
login     password required   /usr/lib/security/libpam_unix.1
passwd    password sufficient /usr/lib/security/libpam_krb5.1
passwd    password required   /usr/lib/security/libpam_unix.1
dtlogin   password sufficient /usr/lib/security/libpam_krb5.
dtlogin   password
dtaction  password
dtaction  password
OTHER     password
ftp       auth required   libpam_unix.so.1 try_first_pass
OTHER     auth sufficient libpam_unix.so.1
#
# Account management
#
login     account required libpam_krb5.so.1
login     account required libpam_unix.so.1
su        account required libpam_krb5.so.1
su        account required libpam_unix.so.1
dtlogin   account required libpam_krb5.so.1
dtlogin   account required libpam_unix.so.1
dtaction  account required libpam_krb5.so.1
dtaction  account required libpam_unix.so.
The Account Management Module

The Account Management module provides a function to perform account management. This function retrieves the user’s account and password expiration information from the Kerberos database and verifies that neither has expired. The module does not issue any warning if the account or the password is about to expire. The following options can be passed to the Account Management module through the /etc/pam.
Example

The following is a sample configuration in which no Kerberos authentication is done for root: the KRB5 PAM module does nothing and returns PAM_IGNORE for user root. For every other user, it tries to authenticate using Kerberos. If Kerberos succeeds, the user is authenticated. If Kerberos fails to authenticate the user, PAM tries to authenticate with the UNIX PAM module using the same password.

The pam_user.conf File on HP-UX 11.
The pam.conf File on HP-UX 11i v2 and HP-UX 11i v3

# For per user configuration the libpam_updbe.1 (pam_updbe(5)) module
# must be the first module in the stack. If Kerberos authentication
# is valid the UNIX authentication function will not be invoked.
NOTE:
• Checks the validity of the control_flags and the module_types specified for the PAM Kerberos specific entries in the /etc/pam.conf file.
• Checks whether the PAM Kerberos specific module_path specified in the /etc/pam.conf file exists. If the module_path name is not absolute, it is assumed to be relative to /usr/lib/security/$ISA/.
Logging

The pamkrbval tool logs all messages to stdout. The following log categories are provided:

[LOG]      These messages are logged when the verbose option is set.
[NOTICE]   These messages notify the user about erroneous lines in the PAM configuration files, or that validation of the /etc/pam_user.conf file has been skipped.
[FAIL]     These messages are logged when validation fails.
ia64    for Itanium 64-bit architecture

Depending on this flag, $ISA in the module_path is expanded as explained above.

-c      Use this option when Common Internet File System (CIFS) is configured on the system.

Return Value
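As an added example (Python; this is not the pamkrbval tool or any HP-UX code), the following performs the kind of static checks listed above on a constructed pam.conf fragment, and then walks the auth stack the way PAM does, so the effect of the sufficient/required pairing used throughout this section can be seen: when libpam_krb5 succeeds, libpam_unix is never consulted; when it fails, the stack continues and the same password goes to libpam_unix. The $ISA expansions (hpux32, hpux64, and none for PA-RISC), the module file names and the `exists` callback that stands in for the file system are assumptions of the example.

```python
"""Offline checker for HP-UX style pam.conf entries, along the lines of the
pamkrbval checks: validate module_type and control_flag, resolve module_path
(relative names live under /usr/lib/security/$ISA/, $ISA expanded per
architecture), then simulate how an auth stack resolves. Added example, not
the pamkrbval tool; the sample file is constructed and the file system is
replaced by an `exists` callback so the code runs anywhere."""
import os

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
ISA_DIRS = {"hpux32": "hpux32/", "hpux64": "hpux64/", "pa": ""}   # assumed expansions

# Constructed sample: the krb5-sufficient / unix-required pattern from the page,
# plus a misspelt control flag (line 4) and a bad module type (line 6).
SAMPLE_PAM_CONF = """\
# Authentication management
login  auth  sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login  auth  required   /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su     auth  suffcient  /usr/lib/security/$ISA/libpam_krb5.so.1
ftp    auth  required   libpam_unix.so.1 try_first_pass
OTHER  login sufficient /usr/lib/security/$ISA/libpam_unix.so.1
"""


def parse(text):
    """Yield (lineno, service, module_type, control_flag, module_path, options)."""
    for n, raw in enum_lines(text):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 4:
            yield n, None, None, None, None, fields
        else:
            yield n, fields[0], fields[1], fields[2], fields[3], fields[4:]


def enum_lines(text):
    return enumerate(text.splitlines(), 1)


def module_path(path, isa):
    """pamkrbval rule: a relative module_path is taken under /usr/lib/security/$ISA/."""
    if not path.startswith("/"):
        path = "/usr/lib/security/$ISA/" + path
    return path.replace("$ISA/", ISA_DIRS[isa])


def validate(text, isa="hpux32", exists=os.path.exists):
    """Return [FAIL]/[NOTICE] strings, one per problem, in file order."""
    msgs = []
    for n, svc, mtype, flag, path, opts in parse(text):
        if svc is None:
            msgs.append(f"[FAIL] line {n}: fewer than four fields: {' '.join(opts)}")
            continue
        if mtype not in MODULE_TYPES:
            msgs.append(f"[FAIL] line {n}: unknown module_type '{mtype}'")
        if flag not in CONTROL_FLAGS:
            msgs.append(f"[FAIL] line {n}: unknown control_flag '{flag}'")
        full = module_path(path, isa)
        if not exists(full):
            msgs.append(f"[NOTICE] line {n}: module_path {full} does not exist")
    return msgs


def resolve_auth(text, service, outcomes):
    """Walk the auth stack for `service` the way PAM does. `outcomes` maps a
    module basename to True/False (what that module would return; missing
    means failure). Returns (authenticated, [modules actually consulted])."""
    entries = [e for e in parse(text) if e[2] == "auth" and e[1] in (service, "OTHER")]
    if any(e[1] == service for e in entries):            # OTHER is only a fallback
        entries = [e for e in entries if e[1] == service]
    consulted, any_ok, required_failed = [], False, False
    for _, _, _, flag, path, _ in entries:
        name = os.path.basename(path)
        consulted.append(name)
        ok = outcomes.get(name, False)
        any_ok = any_ok or ok
        if flag == "requisite" and not ok:
            return False, consulted                      # stop immediately
        if flag == "required" and not ok:
            required_failed = True                       # remembered, but keep going
        if flag == "sufficient" and ok and not required_failed:
            return True, consulted                       # rest of the stack is skipped
    return any_ok and not required_failed, consulted
```

With exists set to always succeed, validate(SAMPLE_PAM_CONF) reports exactly the two bad lines; resolve_auth("login", {"libpam_krb5.so.1": True}) stops after the Kerberos module, and resolve_auth("login", {}) consults both modules and fails.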
Secure Internet Services

If you want to authenticate users on remote systems without sending the password in clear text over the network, you can use the built-in support that HP provides for the following secure Internet services applications:

• ftp
• rcp
• rlogin
• telnet
• remsh

In Figure 2-3, SIS invokes the libsis.sl library.
3. Using the credentials, the application client creates an authenticator and sends the authenticator and service ticket to the remote host.
4. The kerberized telnet server on the remote host verifies the user identity by decrypting the service ticket.

To turn on SIS, issue the following command at the HP-UX command prompt:

inetsvcs_sec enable

NOTE: The library, libsis.sl, is supported up to the HP-UX 11i v1.5 release.
KRB5 Client Software

This section presents an overview of the KRB5-Client software, which consists of libraries, header files, manpages, and Kerberos utilities. The section is divided into two parts. The following subsection, “Libraries and Header Files”, discusses the libraries and header files supplied with the KRB5-Client software. The second subsection, “Kerberos Utilities” on page 56, discusses the Kerberos utilities.
Table 2-6 lists and describes the Kerberos client libraries.

Table 2-6  Kerberos Client Libraries on HP-UX 11i v3, PA-RISC Architecture

32-bit:  /usr/lib/libkrb5.sl -> /usr/lib/libkrb5.1
64-bit:  /usr/lib/pa20_64/libkrb5.sl -> /usr/lib/pa20_64/libkrb5.1
Functionality:  Authenticates users, verifies tickets, creates authenticators, and manages the context

32-bit:  /usr/lib/libcom_err.sl -> /usr/lib/libcom_err.1
64-bit:  /usr/lib/pa20_64/libcom_err.
• /usr/include/com_err.h
• /usr/include/krb5/gssapi.h

HP-UX also includes DCE Kerberos and its manpages, so you must use the specific manpage section numbers for the Kerberos client software. For example, use man 1 kinit for the Kerberos manpage and man 1m kinit for the DCE manpage. The default is the Kerberos manpage. Refer to /usr/share/man/man3.Z/libkrb5.3 for more information on the libkrb5 library.
/usr/bin/kinit -R [principal]
/usr/bin/kinit -k [-t keytab_file] [principal]
/usr/bin/kinit -c [cache_name] [principal]
/usr/bin/kinit -S service_name [principal]

Options

-l lifetime    The -l option requests a ticket with the lifetime given in lifetime.
-R                    The -R option requests renewal of the TGT. You cannot renew an expired ticket, even if the ticket is still within its renewable life.
-k [-t keytab_file]   The -k option requests a host ticket, obtained from a key in the local host’s keytab file. You can specify the name and location of the keytab file with the -t keytab_file option; otherwise the default name and location are used.
NOTE: For DCE operations use /opt/dce/bin/kinit.

Reference

To view the kinit manpage, issue the following command:

$ man 1 kinit

The klist Utility

Description

The klist utility lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file.
• I - Initial
• i - invalid

-s    The -s option sets the exit status without producing klist output.
-k    The -k option lists the keys held in a keytab file.
-t    The -t option displays the timestamp of each entry in the keytab file.
-K    The -K option displays the value of the encryption key in each keytab entry.
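Because klist -k -t -K and the /etc/krb5.keytab file that the client configuration in Chapter 3 requires both operate on the MIT keytab format, the following added example (Python; not HP-UX code) builds a keytab in memory and parses it back, producing a listing in the spirit of klist -k -t -K and marking entries whose encryption type is single DES or RC4 as weak. The principals, keys, kvno values and timestamps are constructed; the 16-bit length-prefixed strings, the 8-bit vno with its optional 32-bit kvno extension, and the deleted-slot convention (a negative record length) are part of the real file format.

```python
"""Reader for the MIT Kerberos V5 keytab format (file version 0x0502) used by
/etc/krb5.keytab, as listed by `klist -k -t -K`. Added example, not HP-UX code;
build_keytab() constructs the sample in memory, so nothing here touches a real
keytab or KDC, and the principals, keys and timestamps are made up. Single-DES
and RC4 entries are flagged because those enctypes are considered weak."""
import struct
import time

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK = {1, 3, 23}


def _cstr(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: (principal 'a/b@REALM', kvno, enctype, key bytes, unix timestamp)."""
    out = b"\x05\x02"
    for princ, kvno, etype, key, ts in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)       # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key      # keyblock
        body += struct.pack(">I", kvno)                       # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body            # record length prefix
    return out


def _read(fmt, data, p):
    return struct.unpack_from(fmt, data, p), p + struct.calcsize(fmt)


def _read_cstr(data, p):
    (n,), p = _read(">H", data, p)
    return data[p:p + n], p + n


def parse_keytab(data):
    """Return one dict per live entry; negative record lengths are deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = _read(">i", data, pos)
        if size < 0:                                  # slot freed by a keytab delete
            pos += -size
            continue
        end = pos + size
        (ncomp,), p = _read(">H", data, pos)
        realm, p = _read_cstr(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cstr(data, p)
            comps.append(c.decode())
        (_name_type, ts, vno8), p = _read(">IIB", data, p)
        (etype, klen), p = _read(">HH", data, p)
        key, p = data[p:p + klen], p + klen
        kvno = vno8
        if end - p >= 4:                              # optional 32-bit kvno present
            (kvno32,), p = _read(">I", data, p)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "timestamp": ts,
                        "enctype": ENCTYPES.get(etype, str(etype)),
                        "weak": etype in WEAK, "key": key.hex()})
        pos = end
    return entries


def klist_kt(data):
    """Render like `klist -k -t -K`, marking weak enctypes."""
    lines = ["KVNO Timestamp         Principal"]
    for e in parse_keytab(data):
        when = time.strftime("%m/%d/%y %H:%M:%S", time.gmtime(e["timestamp"]))
        lines.append(f"{e['kvno']:>4} {when} {e['principal']} ({e['enctype']}) "
                     f"(0x{e['key']}){'  <-- weak enctype' if e['weak'] else ''}")
    return "\n".join(lines)


# Constructed sample: an AES256 and a single-DES key for the host principal, and a
# kvno above 255 to show why the 32-bit kvno field matters.
SAMPLE_KEYTAB = build_keytab([
    ("host/hpux1.example.com@EXAMPLE.COM", 3, 18, bytes(range(32)), 1170000000),
    ("host/hpux1.example.com@EXAMPLE.COM", 3, 1, b"\x01" * 8, 1170000000),
    ("ftp/hpux1.example.com@EXAMPLE.COM", 300, 17, b"\x02" * 16, 1170000000),
])
```

print(klist_kt(SAMPLE_KEYTAB)) shows the DES entry marked as weak and kvno 300 for the ftp principal, a value the 8-bit vno field alone could not carry. Since the listing prints raw key material, treat its output exactly as you would the keytab itself.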
$ man 1 kdestroy

The kpasswd Utility

Description

The kpasswd utility changes a user’s Kerberos password. If the optional parameter principal is not given, kpasswd uses the principal name from an existing credentials cache if there is one. If not, the principal is derived from the identity of the user invoking kpasswd.
ktutil: quit (Alias: exit or q)

Options

list (Alias: l)               Displays the current keylist.
read_kt keytab (Alias: rkt)   Reads the Kerberos V5 keytab file keytab into the current keylist.
read_st srvtab (Alias: rst)   Reads the Kerberos V4 srvtab file srvtab into the current keylist.
$ man 1 kvno
HP Kerberos Server

Kerberos Server ensures secure communication in a networked environment by leveraging individual trust relationships. It then brokers that trust across enterprise-wide, distributed client-server networks. Table 2-7 lists the versions of Kerberos Server available for different HP-UX operating systems.
Kerberos Server v3.12 supersedes the earlier MIT-based Kerberos Server (version 1.0) on HP-UX 11i. This version of the Kerberos Server offers many enhancements compared to the previous version. For information on previous Kerberos Server versions, see the Release Notes at www.docs.hp.com/en/internet.html#Kerberos.
The secondary security server also provides redundancy against a single point of failure. The Kerberos Server also allows administrators to organize realms according to the types of users or services.

Dynamic Propagation

In Kerberos Server version 1.0, the entire database had to be periodically dumped and propagated. This resulted in heavy network traffic and reduced performance.
Choice of C-Tree or LDAP Database

Kerberos Server version 3.12 allows you to use a C-Tree or an LDAP database as the backend database. By integrating the Kerberos principals with the corresponding users in the LDAP directory, you store data in a common repository. For more information, see Kerberos Server Version 3.12 Administrator’s Guide (5991-7686) on www.docs.hp.com.
Generic Security Service Application Programming Interface (GSS-API)

The GSS-API provides authentication, integrity, and confidentiality services to the calling application. Figure 2-4 shows the libgss.sl shared library, which is independent of the underlying security mechanisms.
With an open system architecture, GSS-API provides portability in a heterogeneous environment. It contains all the GSS-API calls specified in RFC 2743. It is implemented as a package of C-language interfaces as defined in RFC 2744, Generic Security Service API: C-bindings. The Kerberos Version 5 GSS-API Mechanism is described in RFC 1964.
GSS-API filesets are listed in Table 2-8 and Table 2-9.

Table 2-8  GSS-API Libraries

Library availability:
• Itanium 32-bit: /usr/lib/hpux32/libgss.so
• PA-RISC 32-bit: /usr/lib/libgss.sl
• Itanium 64-bit: /usr/lib/hpux64/libgss.so
• PA-RISC 64-bit: /usr/lib/pa20_64/libgss.

Functionality: This is the front-end GSS-API library, which provides all the GSS-API calls.

Table 2-9
• “Context Level Services” on page 71
• “Authentication Services” on page 72
• “Confidentiality Service” on page 72
• “Support Services” on page 72

Credential Management Services

Credential management function calls acquire and release credentials for principals. Applications are responsible for establishing a security context using those initial credentials.
• gss_context_time: Indicate validity time remaining in context

Authentication Services

Two sets of per-message calls protect messages exchanged over an established context. The gss_get_mic() and gss_verify_mic() function calls provide data origin authentication and data integrity services. The gss_wrap() and gss_unwrap() function calls additionally support caller-requested confidentiality: gss_wrap() always protects integrity, but encrypts the payload only when the caller asks for it (conf_req_flag) and the mechanism can provide it, so callers should check the conf_state output to confirm that confidentiality was actually applied.
• gss_compare_name: Compare two names
• gss_display_name: Translate name to printable format
• gss_import_name: Convert printable name to normalized form
• gss_release_name: Free storage of name
• gss_release_buffer: Free storage of general GSS-allocated object
• gss_release_OID_set: Free storage of OID set object
• gss_create_empty_OID_set: Create empty OID set
3 Configuring the Kerberos Environment This chapter describes the files and procedures that are used to configure Kerberos on HP-UX.
It contains the following sections:

• “Configuration Files for Kerberos Clients” on page 77
• “Configuration Files for GSS-API” on page 82
• “Configuring the Kerberos Server” on page 85
  — “Configuring Your Microsoft Windows 2000 KDC” on page 85
• “Configuring the Kerberos Client” on page 87
• “Configuring for PAM Kerberos” on page 88
Configuration Files for Kerberos Clients

Table 3-1 lists and describes the files that you use to configure a Kerberos server or a Kerberos client using PAM Kerberos. Samples of all the configuration files shown in the table are listed in the Appendices.
pam.conf

The configuration file /etc/pam.conf controls the behavior of the PAM modules. The pam.conf file contains a list of system entry services, each of which is paired with its corresponding service module. When a service is requested, its associated module is invoked.
krb5.conf

The krb5.conf file specifies the defaults for the REALM and for Kerberos applications, the mapping of hostnames onto Kerberos REALMs, and the location of the KDCs for each Kerberos REALM. Application clients depend on the configuration file /etc/krb5.conf to locate the REALM’s KDC. The [libdefaults] section of the krb5.conf file specifies various parameters for the Kerberos library.
}

[domain_realm]
.subdomain.domain.com = KDC1.SUBDOMAIN.DOMAIN.COM
.subdomain.domain.com = KDC2.SUBDOMAIN.DOMAIN.COM

The ldapux_multidomain Option

The administrator must set the ldapux_multidomain option to 1 if the realm name of the user is to be obtained from the W2K multidomain. See the ldapux (5) manpage for more information on configuring a W2K multidomain.
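The two lookups a client performs with /etc/krb5.conf (find the realm for a host through [domain_realm], then the KDCs for that realm in [realms]) as an added example in Python; this is not the HP-UX libkrb5 profile code. The sample file and its realm, host and KDC names are constructed. Note that a [domain_realm] key is a DNS domain (leading dot) or an exact host name and its value is a realm name; several kdc entries for one realm are the normal way to list the primary and secondary security servers.

```python
"""Minimal parser for the krb5.conf layout shown above ([libdefaults], [realms]
with brace-delimited subsections, [domain_realm]) and the two lookups a client
performs with it: which realm a host belongs to, and which KDCs serve that
realm. Added example, not the HP-UX libkrb5 profile code; the sample file and
its realm, host and KDC names are constructed for the example."""

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SUBDOMAIN.DOMAIN.COM
    clockskew = 300

[realms]
    SUBDOMAIN.DOMAIN.COM = {
        kdc = kdc1.subdomain.domain.com:88
        kdc = kdc2.subdomain.domain.com
        admin_server = kdc1.subdomain.domain.com
    }
    OTHER.DOMAIN.COM = {
        kdc = kdc.other.domain.com
    }

[domain_realm]
    .subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
    .other.domain.com = OTHER.DOMAIN.COM
    legacy.other.domain.com = SUBDOMAIN.DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; `name = { ... }` becomes a nested dict and a
    relation that repeats (several `kdc =` lines) becomes a list of values."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            if not stack:
                raise ValueError("relation before any [section]: %r" % raw)
            key, _, value = (s.strip() for s in line.partition("="))
            cur = stack[-1]
            if value == "{":
                stack.append(cur.setdefault(key, {}))
            elif key in cur:
                cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
            else:
                cur[key] = value
    return conf


def _first(v):
    return v[0] if isinstance(v, list) else v


def host_realm(conf, hostname):
    """[domain_realm] lookup: an exact host entry wins, then the longest matching
    domain suffix; with no match this example falls back to default_realm."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): _first(v) for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                 # ".a.b.c", then ".b.c", then ".c"
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def kdcs_for(conf, realm):
    """KDC endpoints for a realm, always as a list, defaulting to port 88."""
    kdc = conf["realms"][realm]["kdc"]
    return [k if ":" in k else k + ":88" for k in (kdc if isinstance(kdc, list) else [kdc])]
```

host_realm(conf, "app.subdomain.domain.com") returns SUBDOMAIN.DOMAIN.COM and kdcs_for(conf, "SUBDOMAIN.DOMAIN.COM") returns both KDCs with the port filled in, which is the information the client needs before it can send the AS request described in Chapter 1.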
kerberos5      88/udp    kdc               # Kerberos authentication
kerberos5      88/tcp    kdc               # Kerberos authentication
kerberos-adm   749/tcp   kerberos_adm      # Kerberos admin/changepw
kerberos-cpw   751/tcp   kerberos_master   # Kerberos changepw
krb5_prop      754/tcp                     # Kerberos slave propagation

For more information on services, see services(4).
Configuration Files for GSS-API

The following configuration files are essential for the proper functioning of GSS-API:

• “The mech File” on page 82
• “The /etc/gss/qop File” on page 83
• “The gsscred.conf File” on page 84

NOTE: IPv6 support for GSS-API has been enabled only for the Itanium binaries on HP-UX 11i v2 and HP-UX 11i v3 systems.
Table 3-2  Entries in the mech file (Continued)

Column         Description
Third column   Contains the name of the shared library that implements the back-end security mechanism for GSS-API. The back-end library must be placed in the /usr/lib/gss path for 32-bit and in the /usr/lib/pa20_64/gss path for 64-bit versions on PA-RISC based systems.
QOP values are used with the Kerberos V5 GSS-API mechanism as input to gss_wrap() and gss_get_mic() in order to select alternate integrity and confidentiality algorithms. Table 3-3 shows the format of the /etc/gss/qop file:

Table 3-3  Format of the /etc/gss/qop file

Column          Description
First column    Specifies the string name of the QOP.
Second column   Contains its QOP value (32-bit integer).
Configuring the Kerberos Server

You configure a Kerberos client in the same way whether your KDC is a Kerberos Server on HP-UX 11i or a Microsoft Windows 2000 KDC. The server configuration procedures, however, differ between a Microsoft Windows 2000 KDC and the Kerberos Server on HP-UX 11i.
— hostname is the DNS name of the UNIX host.
— NT-DNS-REALM-NAME is the name of the Windows 2000 domain in upper case. All domain names should be in upper case.
— your-password is the password for this principal, hostname. It becomes the long-term key of the host principal, so choose a long random value and do not reuse it anywhere else.

This step creates an account in the name of host/hostname.subdomain.domain.com.

3. Follow step 3 under "Configuring the Kerberos Client" on page 87 to merge the KEYTAB file at the Kerberos client system.

4.
Configuring the Kerberos Client

To configure the Kerberos client, complete the following steps:

1. Edit the configuration files /etc/krb5.conf and /etc/services as described in "Configuration Files for Kerberos Clients" on page 77.

2. All Kerberos systems need a KEYTAB file (/etc/krb5.keytab) to authenticate themselves to the KDC. Create a KEYTAB file for each KDC client on your KDC server. The keytab holds the client host's long-term key, so keep it readable by root only.

3.
Configuring for PAM Kerberos

If you want to run PAM Kerberos, you must edit the PAM configuration files after completing the KDC client configuration from the previous section. Using the /etc/pam.krb5 file as an example, edit /etc/pam.conf as described in "Configuration Files for Kerberos Clients" on page 77.
4 Troubleshooting Kerberos Related Products

This chapter explains the error messages that you can encounter while using the Kerberos client products.
It contains the following sections:

• "Troubleshooting PAM Kerberos" on page 91
• "Troubleshooting the Kerberos Client Utilities" on page 94
• "Troubleshooting GSS-API" on page 96
• "Troubleshooting Using the pamkrbval Tool" on page 100
Troubleshooting PAM Kerberos

The PAM Kerberos module returns debug and error messages that are logged through the syslog utility. Use the appropriate syslog log levels to gather more information about error scenarios. Debug logging is enabled with the debug option on the Kerberos PAM module line in /etc/pam.conf, as in the following example:

login auth sufficient /usr/lib/security/libpam_krb5.
Table 4-1 Error Codes and Corrective Actions (Continued)

Error No.  PAM Error Code          Meaning                                                      Reason/Corrective Actions
4          PAM_AUTH_ERR            Authentication failure
5          PAM_CRED_INSUFFICIENT   Cannot access authentication data: insufficient credentials
6          PAM_AUTHINFO_UNAVAIL    Authentication service not available                         KDC server is down or not reachable.
Table 4-1 Error Codes and Corrective Actions (Continued)

Error No.  PAM Error Code            Meaning                                          Reason/Corrective Actions
13         PAM_AUTHTOK_RECOVERY_ERR  Authentication information cannot be recovered.  Old password is not correct.
14         PAM_TRY_AGAIN             Preliminary check by password service failed.    Try again.
15         OTHER errors                                                               See the syslog(1M) manpage for more specific information.
Troubleshooting the Kerberos Client Utilities

The Kerberos utilities kdestroy, kinit, klist, and kpasswd can return the following errors. Table 4-2 lists each error with its meaning and the suggested corrective action.

Table 4-2 Kerberos Client Error Codes

1. kdestroy: No credentials cache file found while destroying cache.
Table 4-2 Kerberos Client Error Codes (Continued)

5. klist: No such file or directory while starting keytab scan
   Meaning: The keytab file was not found. (The default location of the keytab file is /etc/krb5.keytab.)
   Reason/Corrective Action: Verify the keytab file. If the keytab file does not exist, create it with the required entries.
Troubleshooting GSS-API

This section provides troubleshooting tips for GSS-API.

Error Codes

It is the responsibility of the application programmer to check the major and minor status values returned by every GSS-API call. For debugging purposes, HP recommends using the gss_display_status() function call to obtain the textual representation of a GSS-API status code, which can be displayed to a user or used for logging.
Table 4-3 Common GSS-API Errors (Continued)

Error No.  Name                   Meaning
3          GSS_S_BAD_NAMETYPE     The name type passed is unsupported.
4          GSS_S_BAD_BINDINGS     The channel bindings are incorrect.
5          GSS_S_BAD_STATUS       A status value is invalid.
6          GSS_S_BAD_SIG          A token has an invalid signature.
7          GSS_S_NO_CRED          No credentials are supplied.
8          GSS_S_NO_CONTEXT       No context established.
9          GSS_S_DEFECTIVE_TOKEN  Invalid token.
Table 4-4 lists the calling error values and their meanings:

Table 4-4 Calling Errors

Error No.  Name                           Meaning
1          GSS_S_CALL_INACCESSIBLE_READ   Cannot read a required input parameter.
2          GSS_S_CALL_INACCESSIBLE_WRITE  Cannot write a required output parameter.
3          GSS_S_BAD_STRUCTURE            A parameter is malformed.
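The numbers in Tables 4-3 and 4-4 are not the raw value of the major status: a GSS-API major status packs a calling error, a routine error and supplementary flags into one 32-bit word, which is why an application must split the word before comparing it to anything. The following is an added example for this guide, not HP code and not part of any GSS-API library; it implements the field layout of RFC 2744 (calling error in bits 24-31, routine error in bits 16-23, supplementary flags in bits 0-15). The names for routine errors 1 to 9 and the calling errors are the ones in the tables above; the remaining names are the ones gssapi.h defines. The sample status values at the bottom are constructed.

```python
"""Decode a GSS-API major status word the way an application must before
acting on it. Added example for this guide (not HP code): the field layout
and numeric values are those of RFC 2744 section 3.9.1."""

# Calling errors occupy bits 24-31 (Table 4-4).
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_BAD_STRUCTURE",  # gssapi.h spells this GSS_S_CALL_BAD_STRUCTURE
}

# Routine errors occupy bits 16-23 (Table 4-3; 10-18 are from gssapi.h).
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}

# Supplementary information is a bit mask in bits 0-15; several may be set.
SUPPLEMENTARY_INFO = {
    1 << 0: "GSS_S_CONTINUE_NEEDED",
    1 << 1: "GSS_S_DUPLICATE_TOKEN",
    1 << 2: "GSS_S_OLD_TOKEN",
    1 << 3: "GSS_S_UNSEQ_TOKEN",
    1 << 4: "GSS_S_GAP_TOKEN",
}

CALLING_MASK = 0xFF000000
ROUTINE_MASK = 0x00FF0000
SUPPLEMENTARY_MASK = 0x0000FFFF


def make_major_status(calling=0, routine=0, supplementary=0):
    """Pack the three fields into one 32-bit OM_uint32 major status."""
    return ((calling & 0xFF) << 24) | ((routine & 0xFF) << 16) | (supplementary & 0xFFFF)


def gss_error(major):
    """Equivalent of the GSS_ERROR() macro: true if any calling or routine
    error bit is set. Supplementary bits alone (for example
    GSS_S_CONTINUE_NEEDED from gss_init_sec_context) are not errors."""
    return (major & (CALLING_MASK | ROUTINE_MASK)) != 0


def decode_major_status(major):
    """Split a major status into named fields. Unknown numbers are reported
    with their raw value rather than silently dropped."""
    calling = (major & CALLING_MASK) >> 24
    routine = (major & ROUTINE_MASK) >> 16
    supp = major & SUPPLEMENTARY_MASK
    return {
        "calling": CALLING_ERRORS.get(calling, f"unknown calling error {calling}") if calling else None,
        "routine": ROUTINE_ERRORS.get(routine, f"unknown routine error {routine}") if routine else None,
        "supplementary": [name for bit, name in SUPPLEMENTARY_INFO.items() if supp & bit],
        "is_error": gss_error(major),
    }


def display_status_messages(major):
    """Yield one message per field, the way gss_display_status() with
    GSS_C_GSS_CODE hands them back one per call while message_context is
    non-zero. A caller that prints only the first message misses, for
    example, a token warning attached to a routine error."""
    fields = decode_major_status(major)
    for part in ("calling", "routine"):
        if fields[part]:
            yield fields[part]
    for name in fields["supplementary"]:
        yield name
    if not fields["calling"] and not fields["routine"] and not fields["supplementary"]:
        yield "GSS_S_COMPLETE"


def describe_major_status(major):
    """Single-line summary suitable for a log record."""
    return ", ".join(display_status_messages(major))


if __name__ == "__main__":
    # Constructed sample values; the second is what an acceptor might see
    # when gss_accept_sec_context() is handed a token it cannot parse.
    for value in (make_major_status(supplementary=1),
                  make_major_status(routine=9, supplementary=1 << 1),
                  make_major_status(calling=1, routine=7)):
        print(f"0x{value:08x}: error={gss_error(value)} -> {describe_major_status(value)}")
```

The point of gss_error() is the one that bites in practice: comparing the whole word against GSS_S_COMPLETE treats a harmless GSS_S_CONTINUE_NEEDED as failure, while masking only the routine field hides an inaccessible-parameter calling error.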
Other Common Causes of Errors

Other common causes of errors include the following:

• If the KRB5-Client product is not installed, you can get an error when trying to use GSS-API with /etc/gss/mech configured for krb5_mech.
• Improper permissions on the libgssapi_krb5.sl / libgssapi_krb5.so library.
Troubleshooting Using the pamkrbval Tool

This section provides tips for troubleshooting with the pamkrbval tool. When you use pamkrbval, you can get error messages while it validates the keytab file.

NOTE: Use the pamkrbval command with the -c option to troubleshoot CIFS-related issues.

Table 4-6 lists the errors that can occur and the methods to troubleshoot them.
Table 4-6 Error Messages that Appear During keytab Validation

[WARNING] : Key incorrect
   Reason: There is a key mismatch between the client and the server.
   Troubleshooting: Get the new keytab entry with the correct key from the Kerberos server.

[WARNING] : The keytab entry for the host service principal host/example.com@EXAMPLE.COM is invalid
   Reason: The KDC is not accessible.

[LOG] : The keytab entry for host/cherry is not found in keytab file /etc/krb5.keytab
[FAIL]: The keytab validation failed
   Reason: The keytab entry for the host service principal is not available. This error only occurs in the CIFS environment.

pamkrbval: Key version number for principal in key table is incorrect while reading request
[FAIL]: The keytab validation failed
   Reason: The key has been changed on the server but has not been updated on the user's system.
A Sample pam.conf File

The file presented below is /etc/pam.krb5, a sample pam.conf file that comes with PAM Kerberos.
On HP-UX 11.0 and HP-UX 11i v1

#
# PAM configuration
#
# Authentication management
#
login    auth sufficient /usr/lib/security/libpam_krb5.1
login    auth required   /usr/lib/security/libpam_unix.1 try_first_pass
su       auth sufficient /usr/lib/security/libpam_krb5.1
su       auth required   /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin  auth sufficient /usr/lib/security/libpam_krb5.1
dtlogin  auth required   /usr/lib/security/libpam_unix.

login    password required /usr/lib/security/libpam_unix.1
passwd   password required /usr/lib/security/libpam_krb5.1
passwd   password required /usr/lib/security/libpam_unix.1
dtlogin  password required /usr/lib/security/libpam_krb5.1
dtlogin  password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER    password required /usr/lib/security/libpam_unix.
On HP-UX 11i v2 and HP-UX 11i v3

#
# PAM configuration
#
# Notes: This pam.conf file is intended as an example only.
# If the path to a library is not absolute, it is assumed to be
# relative to one of the following directories:
#     /usr/lib/security          (PA 32-bit)
#     /usr/lib/security/pa20_64  (PA 64-bit)
#     /usr/lib/security/hpux32   (IA 32-bit)
#     /usr/lib/security/hpux64   (IA 64-bit)
# The IA file name convention is normally used; for example:
#     libpam_unix.so.1
# For PA libpam_unix.so.

dtaction account required   libpam_unix.so.1
ftp      account required   libpam_krb5.so.1
ftp      account required   libpam_unix.so.1
OTHER    account sufficient libpam_unix.so.1
#
# Session management
#
login    session required   libpam_krb5.so.1
login    session required   libpam_unix.so.1
dtlogin  session required   libpam_krb5.so.1
dtlogin  session required   libpam_unix.so.1
dtaction session required   libpam_krb5.so.1
dtaction session required   libpam_unix.so.1
OTHER    session sufficient libpam_unix.so.
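The shipped auth stacks above pair a sufficient libpam_krb5 line with a required libpam_unix line carrying try_first_pass; that order is what makes a KDC outage (PAM_AUTHINFO_UNAVAIL in Table 4-1) fall back to /etc/passwd instead of locking everyone out, and it is easy to get wrong when editing /etc/pam.conf by hand as "Configuring for PAM Kerberos" asks. The following is an added example for this guide, not HP code and not a tool shipped with PAM Kerberos: a small linter for the auth stacks of a pam.conf. The file text it reads is constructed; its login stack copies the shipped layering and the other services carry deliberate mistakes so the checks have something to report.

```python
"""Lint the auth stacks of a pam.conf for the PAM Kerberos layering that
Appendix A ships. Added example for this guide, not HP code."""

# Constructed sample in HP-UX 11i v2 naming (paths relative to /usr/lib/security/...).
SAMPLE_PAM_CONF = """\
login    auth sufficient libpam_krb5.so.1
login    auth required   libpam_unix.so.1 try_first_pass
su       auth required   libpam_krb5.so.1 debug
su       auth required   libpam_unix.so.1 try_first_pass
dtlogin  auth sufficient libpam_unix.so.1
dtlogin  auth sufficient libpam_krb5.so.1
dtlogin  auth required   libpam_unix.so.1
OTHER    auth required   libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return (service, module_type, control_flag, module_path, options) per
    entry. Blank lines and '#' comments are skipped; a short line is an error
    rather than something to guess at."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 'service type control module [options]'")
        service, mtype, control, module, *options = fields
        entries.append((service, mtype.lower(), control.lower(), module, options))
    return entries


def module_kind(module_path):
    """Classify by file name so the absolute paths of HP-UX 11.0/11i v1 and
    the relative names of 11i v2 and later are treated alike."""
    name = module_path.rsplit("/", 1)[-1]
    if name.startswith("libpam_krb5"):
        return "krb5"
    if name.startswith("libpam_unix"):
        return "unix"
    return "other"


def check_auth_stacks(entries):
    """Return {service: [findings]} for every service that has an auth stack."""
    stacks = {}
    for service, mtype, control, module, options in entries:
        if mtype == "auth":
            stacks.setdefault(service, []).append((control, module_kind(module), options))

    report = {}
    for service, stack in stacks.items():
        findings = []
        for i, (control, kind, options) in enumerate(stack):
            if kind != "krb5":
                continue
            if control in ("required", "requisite"):
                # A required module's failure fails the whole stack, so a KDC
                # outage (PAM_AUTHINFO_UNAVAIL) locks the service for everyone.
                findings.append(f"libpam_krb5 is '{control}': a KDC outage fails every "
                                f"{service} login, local passwords included")
            if "debug" in options:
                findings.append("debug option set: PAM Kerberos logs details to syslog; "
                                "remove it when troubleshooting is done")
            unix_before = [c for c, k, _ in stack[:i] if k == "unix"]
            if "sufficient" in unix_before:
                findings.append("libpam_unix 'sufficient' precedes libpam_krb5: a local password "
                                "satisfies the stack and no Kerberos credentials are obtained")
            unix_after = [(c, o) for c, k, o in stack[i + 1:] if k == "unix"]
            if control == "sufficient" and not unix_after:
                findings.append("no libpam_unix entry after 'sufficient' libpam_krb5: nothing "
                                "authenticates when the KDC is unreachable")
            for _, o in unix_after:
                if "try_first_pass" not in o and "use_first_pass" not in o:
                    findings.append("libpam_unix after libpam_krb5 lacks try_first_pass: "
                                    "users are prompted for the password twice")
        report[service] = findings
    return report


if __name__ == "__main__":
    for service, findings in check_auth_stacks(parse_pam_conf(SAMPLE_PAM_CONF)).items():
        print(service, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run it against a copy of the real /etc/pam.conf by reading the file into parse_pam_conf(); the checks only look at auth stacks, which is where the Kerberos/local ordering matters. The account, password and session stacks in the sample use required for both modules, which is the intended behaviour there.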
B Sample krb5.conf File

The following is the /etc/krb5.conf.sample file, which is provided with KRB5-Client from HP-UX 11i v2 onwards. You can modify this file for use as your own krb5.conf file.
Replace KDC.SUBDOMAIN.DOMAIN.COM and hostname.subdomain.domain.com with the name of your Kerberos REALM and hostname.

[libdefaults]
    default_realm = KDC.SUBDOMAIN.DOMAIN.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2
    checksum_type = 1

[realms]
    KDC.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname.subdomain.domain.com:88
        admin_server = hostname.subdomain.domain.com:749
        kpasswd_server = hostname.subdomain.domain.com
    }

[domain_realm]
    .subdomain.domain.com = KDC.
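Two things are worth checking before a krb5.conf built from this sample is rolled out: that every realm a client can be mapped to actually has a kdc line, and which encryption types it asks for. The sample's DES-CBC-CRC is single DES; RFC 6649 deprecates it and current KDCs disable it or no longer implement it, so a client that lists only DES enctypes will fail its AS exchange against such a KDC. The following is an added example for this guide, not HP code: a parser for the krb5.conf format that applies the [domain_realm] mapping rules (exact host entry first, then the longest matching ".suffix", then default_realm) and reports findings. The configuration text it parses is a constructed copy of the sample above with the [domain_realm] section completed for the example's own realm.

```python
"""Parse a krb5.conf-style file and check it before rolling it out.
Added example for this guide, not HP code. The text below is constructed
from the Appendix B layout; it is not a real site's file."""

import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = KDC.SUBDOMAIN.DOMAIN.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2
    checksum_type = 1

[realms]
    KDC.SUBDOMAIN.DOMAIN.COM = {
        kdc = hostname.subdomain.domain.com:88
        admin_server = hostname.subdomain.domain.com:749
        kpasswd_server = hostname.subdomain.domain.com
    }

[domain_realm]
    .subdomain.domain.com = KDC.SUBDOMAIN.DOMAIN.COM
    hostname.subdomain.domain.com = KDC.SUBDOMAIN.DOMAIN.COM
"""

# Single-DES enctype names as accepted in krb5.conf (compared case-insensitively).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'key = {' block becomes a nested dict.
    '#' and ';' start comments. A repeated key keeps its last value, which is
    enough for the checks below."""
    sections = {}
    stack = []  # dicts currently open: [section, subsection, ...]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside any section: {raw!r}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        kv = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not kv:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def realm_for_host(conf, hostname):
    """Apply [domain_realm]: exact host entry, else the longest matching
    '.suffix' entry, else default_realm (or None if that is unset too)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    best = None
    for pattern, realm in mapping.items():
        if pattern.startswith(".") and host.endswith(pattern.lower()):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, realm)
    if best:
        return best[1]
    return conf.get("libdefaults", {}).get("default_realm")


def check_krb5_conf(conf):
    """Return the findings a client administrator should act on."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"realms: no [realms] entry for default_realm {default_realm}")
    for realm, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realms: {realm} lists no kdc")
        if realm != realm.upper():
            findings.append(f"realms: {realm} is not upper case (realm names are case-sensitive)")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = [t.lower() for t in libdefaults.get(key, "").replace(",", " ").split()]
        if types and all(t in WEAK_ENCTYPES for t in types):
            findings.append(f"libdefaults: {key} allows only single DES ({', '.join(types)})")
    for realm in set(conf.get("domain_realm", {}).values()):
        if realm not in realms:
            findings.append(f"domain_realm: maps hosts to {realm}, which has no [realms] entry")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("box1.subdomain.domain.com ->", realm_for_host(conf, "box1.subdomain.domain.com"))
    for finding in check_krb5_conf(conf):
        print("-", finding)
```

Replacing the two enctype lines with AES types, or removing them so the library's own defaults apply, clears the two findings the sample produces; the parser and the realm mapping are unaffected.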
C Sample krb.conf File

The following is a sample krb.conf.
Copy this sample file to /opt/krb5/krb.conf and modify it to reflect the hostnames and realm name of your realm. Replace Your_Realm_Name, Your_Secondary_Server1, Your_Secondary_Server2 and hostname.subdomain.domain.com with the name of your Kerberos REALM and the hostnames of your primary and secondary servers.

Your_Realm_Name
Your_Realm_Name Your_Secondary_Server1
Your_Realm_Name Your_Secondary_Server2
Your_Realm_Name host.subdomain.domain.
D Sample krb.realms File

The following is a sample krb.realms.
Replace Your_Primary_Security_Server, Your_Secondary_Security_Server, Your_Domain_Name and Your_Realm_Name with the hostnames of your primary and secondary servers, your domain name and the name of your Kerberos REALM.

Your_Primary_Security_Server     Your_Realm_Name
.Your_Secondary_Security_Server  Your_Realm_Name
*.Your_Domain_Name               Your_Realm_Name
#
# Given below is an example with a brief explanation of the krb.realms file.
#
deer.bambi.com   BAMBI.COM
.fox.bambi.com   BAMBI.COM
*.bambi.com      BAMBI.
E Kerberos Error Messages

The following is a list of Kerberos error messages that you might encounter while using the Kerberos server.
NOTE: The error codes are denoted in capital letters, followed by their respective error message.
Kerberos V5 Library Error Codes

This is the Kerberos V5 library error code table. Protocol error codes are ERROR_TABLE_BASE_krb5 + the protocol error code number; other error codes start at ERROR_TABLE_BASE_krb5 + 128.

1. KRB5KDC_ERR_NONE: No error
2. KRB5KDC_ERR_NAME_EXP: Client's entry in database has expired
3. KRB5KDC_ERR_SERVICE_EXP: Server's entry in database has expired
4. KRB5KDC_ERR_BAD_PVNO: Requested protocol version not supported
5.

16. KRB5KDC_ERR_SUMTYPE_NOSUPP: KDC has no support for checksum type
17. KRB5KDC_ERR_PADATA_TYPE_NOSUPP: KDC has no support for padata type
18. KRB5KDC_ERR_TRTYPE_NOSUPP: KDC has no support for transited type
19. KRB5KDC_ERR_CLIENT_REVOKED: Client's credentials have been revoked
20. KRB5KDC_ERR_SERVICE_REVOKED: Credentials for server have been revoked
21. KRB5KDC_ERR_TGT_REVOKED: TGT has been revoked
22.

37. KRB5KRB_AP_ERR_BADMATCH: Ticket/authenticator don't match
38. KRB5KRB_AP_ERR_SKEW: Clock skew too great
39. KRB5KRB_AP_ERR_BADADDR: Incorrect net address
40. KRB5KRB_AP_ERR_BADVERSION: Protocol version mismatch
41. KRB5KRB_AP_ERR_MSG_TYPE: Invalid message type
42. KRB5KRB_AP_ERR_MODIFIED: Message stream modified
43. KRB5KRB_AP_ERR_BADORDER: Message out of order
44. KRB5KRB_AP_ERR_ILL_CR_TKT: Illegal cross-realm ticket
45.

62. KRB5KRB_ERR_FIELD_TOOLONG: Field is too long for this implementation
63. KRB5PLACEHOLD_62: KRB5 error code 62
64. KRB5PLACEHOLD_63: KRB5 error code 63
65. KRB5PLACEHOLD_64: KRB5 error code 64
66. KRB5PLACEHOLD_65: KRB5 error code 65
67. KRB5PLACEHOLD_66: KRB5 error code 66
68. KRB5PLACEHOLD_67: KRB5 error code 67
69. KRB5PLACEHOLD_68: KRB5 error code 68
70. KRB5PLACEHOLD_69: KRB5 error code 69
71. KRB5PLACEHOLD_70: KRB5 error code 70
72.

90. KRB5PLACEHOLD_89: KRB5 error code 89
91. KRB5PLACEHOLD_90: KRB5 error code 90
92. KRB5PLACEHOLD_91: KRB5 error code 91
93. KRB5PLACEHOLD_92: KRB5 error code 92
94. KRB5PLACEHOLD_93: KRB5 error code 93
95. KRB5PLACEHOLD_94: KRB5 error code 94
96. KRB5PLACEHOLD_95: KRB5 error code 95
97. KRB5PLACEHOLD_96: KRB5 error code 96
98. KRB5PLACEHOLD_97: KRB5 error code 97
99. KRB5PLACEHOLD_98: KRB5 error code 98
100. KRB5PLACEHOLD_99: KRB5 error code 99
101.

118. KRB5PLACEHOLD_117: KRB5 error code 117
119. KRB5PLACEHOLD_118: KRB5 error code 118
120. KRB5PLACEHOLD_119: KRB5 error code 119
121. KRB5PLACEHOLD_120: KRB5 error code 120
122. KRB5PLACEHOLD_121: KRB5 error code 121
123. KRB5PLACEHOLD_122: KRB5 error code 122
124. KRB5PLACEHOLD_123: KRB5 error code 123
125. KRB5PLACEHOLD_124: KRB5 error code 124
126. KRB5PLACEHOLD_125: KRB5 error code 125
127. KRB5PLACEHOLD_126: KRB5 error code 126
128.

144. KRB5_NO_TKT_SUPPLIED: Request did not supply a ticket
145. KRB5KRB_AP_WRONG_PRINC: Wrong principal in request
146. KRB5KRB_AP_ERR_TKT_INVALID: Ticket has invalid flag set
147. KRB5_PRINC_NOMATCH: Requested principal and ticket don't match
148. KRB5_KDCREP_MODIFIED: KDC reply did not match expectations
149. KRB5_KDCREP_SKEW: Clock skew too great in KDC reply
150. KRB5_IN_TKT_REALM_MISMATCH: Client/server realm mismatch in initial ticket request
151.

166. KRB5_RC_NOIO: Replay cache type does not support non-volatile storage
167. KRB5_RC_PARSE: Replay cache name parse/format error
168. KRB5_RC_IO_EOF: End-of-file on replay cache I/O
169. KRB5_RC_IO_MALLOC: No more memory to allocate (in replay cache I/O code)
170. KRB5_RC_IO_PERM: Permission denied in replay cache code
171. KRB5_RC_IO_IO: I/O error in replay cache i/o code
172. KRB5_RC_IO_UNKNOWN: Generic unknown RC/IO error
173.

190. KRB5_BAD_KEYSIZE: Key size is incompatible with encryption type
191. KRB5_BAD_MSIZE: Message size is incompatible with encryption type
192. KRB5_CC_TYPE_EXISTS: Credentials cache type is already registered.
193. KRB5_KT_TYPE_EXISTS: Key table type is already registered.
194. KRB5_CC_IO: Credentials cache I/O operation failed XXX
195. KRB5_FCC_PERM: Credentials cache file permissions incorrect
196. KRB5_FCC_NOFILE: No credentials cache file found
197.

210. KRB5_PREAUTH_FAILED: Generic pre-authentication failure
211. KRB5_RCACHE_BADVNO: Unsupported replay cache format version number
212. KRB5_CCACHE_BADVNO: Unsupported credentials cache format version number
213. KRB5_KEYTAB_BADVNO: Unsupported key table format version number
214. KRB5_PROG_ATYPE_NOSUPP: Program lacks support for address type
215. KRB5_RC_REQUIRED: Message replay detection requires rcache parameter
216.
Kerberos V5 Magic Numbers Error Codes

This is the Kerberos V5 magic numbers error code table.

1. KV5M_NONE: Kerberos V5 magic number table
2. KV5M_PRINCIPAL: Bad magic number for krb5_principal structure
3. KV5M_DATA: Bad magic number for krb5_data structure
4. KV5M_KEYBLOCK: Bad magic number for krb5_keyblock structure
5. KV5M_CHECKSUM: Bad magic number for krb5_checksum structure
6.

20. KV5M_ERROR: Bad magic number for krb5_error structure
21. KV5M_AP_REQ: Bad magic number for krb5_ap_req structure
22. KV5M_AP_REP: Bad magic number for krb5_ap_rep structure
23. KV5M_AP_REP_ENC_PART: Bad magic number for krb5_ap_rep_enc_part structure
24. KV5M_RESPONSE: Bad magic number for krb5_response structure
25. KV5M_SAFE: Bad magic number for krb5_safe structure
26. KV5M_PRIV: Bad magic number for krb5_priv structure
27.

41. KV5M_RCACHE: Bad magic number for krb5_rcache structure
42. KV5M_CCACHE: Bad magic number for krb5_ccache structure
43. KV5M_PREAUTH_OPS: Bad magic number for krb5_preauth_ops
44.
ASN.1 Error Codes

1. ASN1_BAD_TIMEFORMAT: ASN.1 failed call to system time library
2. ASN1_MISSING_FIELD: ASN.1 structure is missing a required field
3. ASN1_MISPLACED_FIELD: ASN.1 unexpected field number
4. ASN1_TYPE_MISMATCH: ASN.1 type numbers are inconsistent
5. ASN1_OVERFLOW: ASN.1 value too large
6. ASN1_OVERRUN: ASN.1 encoding ended unexpectedly
7. ASN1_BAD_ID: ASN.1 identifier doesn't match expected value
8. ASN1_BAD_LENGTH: ASN.
GSSAPI Error Codes

Generic GSSAPI Errors:

1. GSS_KRB5_S_G_BAD_SERVICE_NAME: "No @ in SERVICE-NAME name string"
2. GSS_KRB5_S_G_BAD_STRING_UID: "STRING-UID-NAME contains nondigits"
3. GSS_KRB5_S_G_NOUSER: "UID does not resolve to username"
4. GSS_KRB5_S_G_VALIDATE_FAILED: "Validation error"
5. GSS_KRB5_S_G_BUFFER_ALLOC: "Couldn't allocate gss_buffer_t data"
6. GSS_KRB5_S_G_BAD_MSG_CTX: "Message context invalid"
7.

7. GSS_KRB5_S_KG_BAD_LENGTH: "Invalid field length in token"
8. GSS_KRB5_S_KG_CTX_INCOMPLETE: "Attempt to use incomplete security context"

FATAL ERROR CODES

1. GSS_S_BAD_BINDINGS: channel binding mismatch
2. GSS_S_BAD_MECH: unsupported mechanism requested
3. GSS_S_BAD_NAME: invalid name provided
4. GSS_S_BAD_NAMETYPE: name of unsupported type provided
5. GSS_S_BAD_STATUS: invalid input status selector
6.

3. GSS_S_DUPLICATE_TOKEN: duplicate per-message token detected
4. GSS_S_OLD_TOKEN: timed-out per-message token detected
5. GSS_S_UNSEQ_TOKEN: reordered (early) per-message token detected
6.
F Kerberos Client Environment Variables

This appendix lists and describes the various Kerberos environment variables that you may need to set while using Kerberos Client.

Kerberos Client Environment Variables

The following lists and describes the Kerberos Client environment variables:

KRB5RCACHEDIR
    The default replay cache directory. The placement of the replay cache file can be changed by setting the KRB5RCACHEDIR or KRB5RCACHENAME environment variable.

KRB5RCACHENAME
    The default replay cache name. The default is /var/tmp/rc_host_(uid), where (uid) is the user id of the process.

KRB5_KTNAME
    The default key table name. You can set the variable to a value of the form:

        [[type:]filename]

    where:
    • type can be FILE or WRFILE
    • filename is the location of the keytab file

    Use the FILE type for read operations and the WRFILE type for write operations. If KRB5_KTNAME is not set, the file named by the default_keytab_name entry in the configuration file is used.
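Which keytab a process ends up opening is decided by a three-step precedence (KRB5_KTNAME, then default_keytab_name in the configuration file, then the /etc/krb5.keytab default named under "Configuring the Kerberos Client"), and a process started from a different environment can silently pick a different file. The following is an added example for this guide, not HP code: it resolves a keytab name exactly that way, rejects types other than FILE and WRFILE, and, because the keytab is the host's long-term key, refuses a file that is group- or world-accessible. The environment and configuration values it is run with at the bottom are constructed; nothing is read from the host except in check_keytab().

```python
"""Resolve the key table a Kerberos client process will open, following the
precedence this appendix describes. Added example for this guide, not HP code."""

import os
import stat

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # default named under "Configuring the Kerberos Client"
KEYTAB_TYPES = ("FILE", "WRFILE")     # FILE for read operations, WRFILE for write operations


def parse_keytab_name(name):
    """Split a '[type:]filename' keytab name. A bare path is type FILE."""
    if ":" in name:
        ktype, filename = name.split(":", 1)
    else:
        ktype, filename = "FILE", name
    ktype = ktype.upper()
    if ktype not in KEYTAB_TYPES:
        raise ValueError(f"unsupported keytab type {ktype!r} (expected FILE or WRFILE)")
    if not filename.startswith("/"):
        # A relative name would depend on the daemon's working directory.
        raise ValueError(f"keytab path must be absolute: {filename!r}")
    return ktype, filename


def resolve_keytab(environ, libdefaults, for_write=False):
    """Return (type, path) for the keytab the process will use.
    environ: the process environment (for example os.environ);
    libdefaults: the [libdefaults] section of krb5.conf as a dict."""
    name = (environ.get("KRB5_KTNAME")
            or libdefaults.get("default_keytab_name")
            or DEFAULT_KEYTAB)
    ktype, path = parse_keytab_name(name)
    if for_write and ktype != "WRFILE":
        raise ValueError(f"{name!r} is a read-only name; use WRFILE:{path} to add entries")
    return ktype, path


def keytab_mode_ok(mode):
    """A keytab holds the host's long-term key: require a regular file with
    no group or other permission bits."""
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_keytab(path):
    """Live check of an on-disk keytab; returns (exists, permissions_ok)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, False
    return True, keytab_mode_ok(st.st_mode)


if __name__ == "__main__":
    # Constructed environment and krb5.conf values, not read from this host.
    env = {"KRB5_KTNAME": "WRFILE:/var/adm/krb5/app.keytab"}
    print(resolve_keytab(env, {}, for_write=True))
    print(resolve_keytab({}, {"default_keytab_name": "FILE:/etc/opt/krb5.keytab"}))
    print(resolve_keytab({}, {}))
    print(check_keytab(DEFAULT_KEYTAB))
```

Call resolve_keytab(os.environ, conf["libdefaults"]) with a parsed krb5.conf to see what a daemon on this host will open, then check_keytab() on the result; a (True, False) answer means the keytab exists but is readable beyond root, which is the condition a klist -k from an unprivileged account would confirm.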