HP E0905 User Manual

Kerberos Server Version 3.1
Administrator’s Guide
HP-UX 11i v2
Edition 5
Manufacturing Part Number: T1417-90009
E0905
United States
© Copyright 2005 Hewlett-Packard Development Company, L.P.
Legal Notices
The information contained herein is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard
shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.
U.S. Government License
Proprietary computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
Trademark Notices
UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.
MS-DOS, Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Intel and Itanium are trademarks or registered trademarks of Intel Corporation in the United States and other countries.
Copyright Notices
© Copyright 2001-2005 Hewlett-Packard Development Company L. P. © Copyright 1979, 1980, 1983, 1985-93 Regents of the University of California
This software is based in part on the Fourth Berkeley Software Distribution under license from the Regents of the University of California.
© Copyright 1983-2005 Hewlett-Packard Co., All Rights Reserved © Copyright 1979, 1980,1983, 1985-1993 The Regents of the Univ. of California © Copyright 1980, 1984, 1986 Novell, Inc. © Copyright 1986-1992 Sun Microsystems, Inc. © Copyright 1985-2002 Massachusetts Institute of Technology © Copyright 1989-93 The Open Software Foundation, Inc. © Copyright 1986 Digital Equipment Corporation © Copyright 1990 Motorola, Inc. © Copyright 1990, 1991, 1992 Cornell University © Copyright 1989-1991 The University of Maryland © Copyright 1988 Carnegie Mellon University © Copyright 1984-2002 FairCom Corporation © Copyright 1998-2002 Cybersafe Corporation © Copyright 1991-2002 Mentat, Inc. © Copyright 1996 Morning Star Technologies, Inc. © Copyright 1996 Progressive Systems, Inc. © Copyright 1991-2000 Isogon Corporation, All Rights Reserved. © Copyright 1996 OpenVision Technologies, Inc., All Rights Reserved.
Contents
1. Overview
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
How the Kerberos Server Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
DES Versus 3DES Key Type Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Introduction to LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
LDAP Advantages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Integrating Kerberos Server v3.1 with LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
How is the Kerberos Principal Integrated into the LDAP Directory?. . . . . . . . . . 34
2. Installing the Kerberos Server v3.1
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Version Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Installing the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3. Migrating to a Newer Version of the Kerberos Server
Migrating from Kerberos Server Version 1.0 to 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Migrating from Kerberos Server Version 2.0 to Version 3.0 . . . . . . . . . . . . . . . . . . . . . 47
Migrating from Kerberos Server Version 3.0 to Version 3.1 . . . . . . . . . . . . . . . . . . . . . 49
4. Interoperability with Windows 2000
Understanding the Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Kerberos Server and Windows 2000 Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Establishing Trust Between Kerberos Server and Windows 2000 . . . . . . . . . . . . . . . . 56
Single Realm (Domain) Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Interrealm (Interdomain) Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Special Considerations for Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Database Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Encryption Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Postdated Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
5. Configuring the Kerberos Server With C-Tree Backend
Configuration Files for the Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
The krb.conf File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
The krb.conf File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
The krb.realms File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
The krb.realms File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Autoconfiguring the Kerberos Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Configuring the Kerberos Server with C-Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
6. Configuring the Kerberos Server with LDAP
Configuration Files for LDAP Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
The krb5_ldap.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
The krb5_ldap.conf File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
The krb5_schema.conf File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
The krb5_schema.conf File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
The krb5_map.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
The krb5_map.conf File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Planning Your LDAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Setting up Your LDAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Autoconfiguring the Kerberos Server With LDAP Integration . . . . . . . . . . . . . . . . . . . 88
Configuring the Kerberos Server with LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Manually Configuring the Kerberos Server with LDAP . . . . . . . . . . . . . . . . . . . . . . . . 92
Editing the Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
7. Configuring the Primary and Secondary Security Server
Configuring the Primary Security Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Create the Principal Database After Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Add an Administrative Principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
To Add an Administrative Principal Using the HP Kerberos Administrator . . . . 97
To Add an Administrative Principal Through the Command Line . . . . . . . . . . . . 98
Create the host/<fqdn> Principal and Extract the Service Key . . . . . . . . . . . . . . 98
Start the Kerberos Daemons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Define Secondary Security Server Network Locations. . . . . . . . . . . . . . . . . . . . . . . 100
Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Password Policy File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
The admin_acl_file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Starting the Security Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Configuring the Secondary Security Servers with C-Tree. . . . . . . . . . . . . . . . . . . . . . 103
Creating the Principal Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Copying the Kerberos Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Creating a host/<fqdn> Principal and Extracting the Key. . . . . . . . . . . . . . . . . . . . 104
Configuring the Secondary Security Servers with LDAP . . . . . . . . . . . . . . . . . . . . . . 105
Copying the Kerberos Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Creating a stash file using the kdb_stash utility . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using Indexes to Improve Database Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
8. Administering the Kerberos Server
Administering the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
The kadmind Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
The admin_acl_file File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Assigning Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Adding Entries to admin_acl_file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Creating Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Using Restricted Administrator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
How the r/R Modifiers Work. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Password Policy File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Editing the Default File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Adding User Principals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Adding New Service Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Reserved Service Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Removing User Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Removing Special Privilege Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Protecting a Secret Key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Removing Service Principals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
The kadmin and kadminl Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Administration Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
HP Kerberos Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Standard Functionality of the Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Local Administrator – kadminl_ui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Using kadminl_ui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Principals Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
General Tab (Principal Information Window) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Adding Principals to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Adding Multiple Principals with Similar Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Creating an Administrative Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Searching for a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Deleting a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Loading Default Values for a Principal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Restoring Previously Saved Values for a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Changing Ticket Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Rules for Setting Maximum Ticket Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Rules for Setting Maximum Renew Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Changing Password Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Password Tab (Principal Information Window) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Change Password Window (Password Tab). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Changing a Key Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Changing a DES-CRC or DES-MD5 Principal Key Type to 3DES . . . . . . . . . . . . . 165
Changing Principal Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Attributes Tab (Principal Information Window) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
LDAP Attributes Tab (Principal Information Window). . . . . . . . . . . . . . . . . . . . . . . . 175
Deleting a Service Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Extracting Service Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Extracting a Service Key Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Using Groups to Control Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Editing the Default Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Group Information Window (Principal Information Window). . . . . . . . . . . . . . . . . . . 184
Principal Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Setting the Default Group Principal Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Default Principal Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Setting Administrative Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Realms Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Realm Information Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Adding a Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Deleting a Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Remote Administrator – kadmin_ui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Manual Administration Using kadmin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Adding a New Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Adding a Random Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Specifying a New Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Changing Password to a New Randomly Generated Password . . . . . . . . . . . . . . . . 206
Deleting a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Extracting a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Listing the Attributes of a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Modifying a Principal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Number of Authentication Failures (fcnt) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Key Version Number Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
LDAP DN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Policy Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Allow Postdated Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Allow Renewable Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Allow Forwardable Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Allow Proxy Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Allow Duplicate Session Key Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Require Preauthentication Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Require Password Change Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Lock Principal Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Allow As Service Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Require Initial Authentication Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Set As Password Change Service Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Password Expiration Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Principal Expiration Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Key Type Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Principal Database Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Kerberos Database Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Database Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Database Master Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Destroying the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Dumping the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Loading the Kerberos Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Stashing the Master Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Starting and Stopping Daemons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Maintenance Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Protecting Security Server Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
host/fqdn@REALM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Master Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Backing Up primary security server Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Backing Up the Principal Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Removing Unused Space from the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
9. Propagating the Kerberos Server
Propagation Hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Propagation Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Service Key Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Maintaining Secret Keys in the Key Table File . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Extracting a Key to the Service Key Table File. . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Creating a New Service Key Table File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Deleting Older Keys from the Service Key Table File. . . . . . . . . . . . . . . . . . . . . . 245
Propagation Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
The kpropd Daemon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
The mkpropcf Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
The kpropd.ini File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
The [default_values] Section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
The [secsrv_name] Section . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
The prpadmin Administrative Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Setting Up Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Monitoring Propagation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Monitoring the Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Critical Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Monitoring Propagation Queue Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Monitoring Old File Date and Large File Size . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Updating the principal.ok Time Stamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Comparing the Database to Its Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
The kdb_dump Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Restarting Propagation Using a Simple Process . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Restarting Propagation Using the Full Dump Method . . . . . . . . . . . . . . . . . . . . . . 268
Propagation Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Converting a secondary security server to a primary security server. . . . . . . . . . . 270
Restarting Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Cleaning the Temp Directory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Configuring Multirealm Enterprises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Number of Realms per Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
primary security servers Supporting Multiple Realms . . . . . . . . . . . . . . . . . . . . . . 272
Multiple primary security servers Supporting a Single Realm . . . . . . . . . . . . . . . . 273
Adding More Realms to a Multirealm Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Database Propagation for Multirealm Databases. . . . . . . . . . . . . . . . . . . . . . . . . . . 274
10. Managing Multiple Realms
Considering a Trust Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
One-Way Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Two-Way Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Hierarchical Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Other Types of Trust. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Configuring Direct Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Hierarchical Interrealm Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Hierarchical Chain of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Hierarchical Interrealm Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Configuring the Local Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Configuring the Intermediate Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Configuring the Target Realm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
11. Troubleshooting
Characterizing a Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Diagnostic Tools Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Troubleshooting Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Logging Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
UNIX Syslog File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Services Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Troubleshooting Techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
General Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Forgotten Passwords. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Locking and Unlocking Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Clock Synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
User Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Decrypt Integrity Check Failed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Password Has Already Been Used or Is Too Close to Current One . . . . . . . . . . . . . 305
Administrative Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Password Has Expired While Getting Initial Ticket . . . . . . . . . . . . . . . . . . . . . . . . 306
Service Key Not Available While Getting Initial Ticket. . . . . . . . . . . . . . . . . . . . . . 306
Reporting Problems to Your HP Support Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The services File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Tables
Table 1. HP-UX 11i Releases 20
Table 2. Publishing History Details 20
Table 4-1. Table of Analogous Terms 54
Table 5-1. Security Server Files That Require Configuration 64
Table 5-2. Wildcard Characters 68
Table 6-1. LDAP Configuration Files 74
Table 6-2. krb5_ldap.conf File Format 75
Table 8-1. Configuration Files Required for kadmind 112
Table 8-2. Administrative Permission Settings 114
Table 8-3. Default Password Policy Settings for the Base Group 119
Table 8-4. Administration Utilities 131
Table 8-5. Function of OK, Apply, and Cancel Buttons 133
Table 8-6. Principals Tab Components 137
Table 8-7. Principal Information Window Components 139
Table 8-8. General Tab Components 140
Table 8-9. Search Criteria 149
Table 8-10. Password Tab Components 160
Table 8-11. Change Password Window Components 163
Table 8-12. Attributes Tab Components 168
Table 8-13. Extract Service Key Table Components 181
Table 8-14. Group Information Window Components 185
Table 8-15. Group Information Window Components 190
Table 8-16. Realms Tab Components 194
Table 8-17. Realm Information Window Components 195
Table 8-18. Require Initial Authentication Attribute Settings 220
Table 8-19. Principal Database Utilities 224
Table 8-20. Starting and Stopping Daemons and Services 235
Table 9-1. Propagation Tools 246
Table 9-2. Primary Security Server Services and Daemons 259
Table 11-1. Diagnostic Tools 293
Table 11-2. Troubleshooting Scenarios 296
Table 11-3. Troubleshooting Scenarios for Your LDAP-based Kerberos Server 299
Table A-1. Configuration Worksheet 312
Table A-2. Configuration Worksheet Explanation 312
Figures
Authentication Process 28
Integrating a Kerberos Principal into the LDAP Directory 34
Principals Tab 137
Principal Information Window 139
Change Password Window 144
Administrative Permissions Window 147
Password Tab 160
Change Password Window 163
Attributes Tab 168
LDAP Attributes Tab 176
Extract Service Key Table Window 180
Group Information Window 185
Administrative Permissions Window 189
Realms Tab 194
Realm Information Window 195
Logon Screen 199
Change Password Screen 200
Warning Message 200
Hierarchical Interrealm Configuration 283
About This Manual
This manual describes how to install, configure, administer, and troubleshoot the Kerberos server on HP Integrity servers running the HP-UX 11i v2 operating system.
Intended Audience
HP intends this manual for system managers or administrators responsible for configuring and maintaining the Kerberos server running HP-UX 11i v2.
This manual is based on the assumption that you meet the following prerequisites:
Understand distributed network concepts and client/server computing
Understand the UNIX operating system
Understand the Kerberos basics
Understand LDAP concepts
What Is in This Document
Kerberos Server Version 3.1 Administrator’s Guide is divided into the following chapters, which contain information about installing, configuring, and administering the Kerberos server:
Chapter 1, “Overview,” on page 23: Provides an introduction to the Kerberos server, outlines the new features in this release, and highlights the key advantages of using the Kerberos server. It also provides an introduction to LDAP, and provides details on integrating Kerberos v3.1 with LDAP.
Chapter 2, “Installing the Kerberos Server v3.1,” on page 35: Describes how to install the Kerberos server on the HP-UX 11i v2 operating system.
Chapter 3, “Migrating to a Newer Version of the Kerberos Server,” on page 41: Explains the migration process from earlier versions of the Kerberos server to v3.1.
Chapter 4, “Interoperability with Windows 2000,” on page 51: Contains information specific to establishing interoperability with Windows 2000 Kerberos implementations.
Chapter 5, “Configuring the Kerberos Server With C-Tree Backend,” on page 63: Provides information on the configuration files required to configure the Kerberos server with C-tree as the backend database.
Chapter 6, “Configuring the Kerberos Server with LDAP,” on page 73: Provides information on the configuration files required to configure the Kerberos server with LDAP as the backend database.
Chapter 7, “Configuring the Primary and Secondary Security Server,” on page 95: Describes the procedure for configuring the primary and secondary servers.
Chapter 8, “Administering the Kerberos Server,” on page 109: Describes the procedures for administering the Kerberos server database. It also discusses principals and their attributes.
Chapter 9, “Propagating the Kerberos Server,” on page 241: Describes how to propagate the Kerberos server database from the primary security server to the secondary security servers.
Chapter 10, “Managing Multiple Realms,” on page 275: Explains interrealm authentication and interoperability trust. In addition, it gives you an overview of the additional server configuration requirements in deployments that use multiple realms and interrealm authentication.
Chapter 11, “Troubleshooting,” on page 289: Describes how to troubleshoot the common problems encountered while using the Kerberos server. In addition, it contains a brief note on reporting problems to your Hewlett-Packard Support Contact.
Appendix A, “Configuration Worksheet,” on page 311: Provides a worksheet that will help you configure the Kerberos server with LDAP as the backend database.
Appendix B, “Sample krb.conf File,” on page 317: Provides a sample krb.conf file.
Appendix C, “Sample krb.realms File,” on page 319: Provides a sample krb.realms file.
Glossary
Index
Typographic Conventions
The following conventions are used throughout this manual:
Text Conventions
italic                 Identifies book titles.
bold                   Identifies options, command buttons, and menu items.
Syntax Conventions
fixed width            Identifies file names, system prompts, operating system commands, and UNIX error and system messages.
italic fixed width     Identifies variables that you need to replace according to your environment.
bold fixed width       Identifies the default in a series of parameters.
|                      Separates mutually exclusive parameters; only one of the parameters separated by the bar is allowed.
[ ]                    Indicate that the enclosed parameters are optional.
{ }                    Indicate that only one of the enclosed parameters is required.
\                      Indicates that a command line, parameter, or code continues on the following line.
#                      Precedes a UNIX command that must be performed as a root user.
%                      Precedes a UNIX command that must be performed as an ordinary user.
HP-UX Release Name and Release Identifier
Each HP-UX 11i release has an associated release name and release identifier. The uname (1) command with the -r option returns the release identifier. Table 1 lists the releases available for HP-UX 11i.
Table 1 HP-UX 11i Releases
Release Identifier   Release Name     Supported Processor Architecture
B.11.11              HP-UX 11i v1     PA-RISC
B.11.20              HP-UX 11i v1.5   Intel Itanium
B.11.22              HP-UX 11i v1.6   Intel Itanium
B.11.23              HP-UX 11i v2     Intel Itanium
Publishing History
Table 2 provides, for a particular document, the manufacturing part number, the respective operating systems, and the publication date.
Table 2 Publishing History Details
Document Manufacturing Part Number   Operating System Supported   Publication Date
T1417-90001                          HP-UX 11.0 and 11i v1        September 2001
T1417-90003                          HP-UX 11.0 and 11i v1        June 2002
T1417-90007                          HP-UX 11i v2                 October 2003
T1417-90009                          HP-UX 11i v2                 April 2004
Related Software Products
Following are the products related to the Kerberos server:
PAM Kerberos on HP-UX 11i v2, delivered as part of the HP-UX Internet operating environment component.
KRB5 Client Software on HP-UX 11i v2, delivered as part of the core operating system.
GSS-API on HP-UX 11i v2, delivered as part of the core operating system.
Related Documentation
For more information on the Kerberos server, see the following manuals:
Configuration Guide for Kerberos Client Products on HP-UX (T1417-90006)
PAM Kerberos Release Notes for HP-UX 11i v2 (J5849-90011)
PAM Kerberos Release Notes for HP-UX 11i (J5849-90002)
KRB5 Client Software Release Notes for HP-UX 11.0 (J5849-90005)
GSS-API Release Notes for HP-UX 11.0 (J5849-90006)
HP-UX Internet Services Administrator’s Guide (B2355-90774)
Using HP-UX Internet Services (B2355-90827)
HP-UX 11i v2 Installation and Update Guide (for HP-UX operating system v11i v1 or later) (5187-2725)
Accessing the World Wide Web
See the following web sites for more information on the Kerberos server:
HP Technical Documentation and White Papers
http://docs.hp.com
http://www.unixsolutions.hp.com/products/hpux/hpux11/whitepapers/netsecur.pdf
HP-UX IT Resource Center
http://us-support.external.hp.com (America and Asia Pacific)
http://europe-support.external.hp.com (Europe)
Related Request for Comments (RFCs)
See the following RFCs for more information on the Kerberos server:
RFC 1510 - The Kerberos Network Authentication Service (V5)
RFC 1964 - The Kerberos v5 GSS-API Mechanism
RFC 2743 - Generic Security Service Application Program Interface
RFC 2744 - Generic Security Service API
You can access these RFCs at the following Web site:
http://www.ietf.org/rfc.html
HP Encourages Your Comments
HP welcomes any comments and suggestions you have on this manual. You can send your comments in the following ways:
Internet electronic mail: netinfo_feedback@cup.hp.com
Using a feedback form located at the following URL:
http://docs.hp.com/assistance/feedback.html
Please include the following information along with your comments:
The full title of the manual and the part number. (The part number appears on the title page of printed and PDF versions of a manual.)
The section numbers and page numbers of the information on which you are commenting.
The version of HP-UX that you are using.

1 Overview

This chapter provides an introduction to the Kerberos server v3.1, available on the HP-UX 11i v2 operating system.
This chapter discusses the following topics:
“How the Kerberos Server Works” on page 26
“Authentication Process” on page 27
“DES Versus 3DES Key Type Settings” on page 31
“Introduction to LDAP” on page 32
— “Integrating Kerberos Server v3.1 with LDAP” on page 33
Introduction
The term Kerberos is derived from Greek mythology. Cerberus is the Latin variant of Kerberos, who guarded the entrance to Hades, the Greek hell. The Kerberos security system, on the other hand, guards electronic transmissions that are sent across a network.
Kerberos is a mature network authentication protocol based on the RFC 1510 (The Kerberos Network Authentication Service (V5)) specification of the Internet Engineering Task Force (IETF). It is designed to provide strong authentication for client and server applications using shared secret key cryptography.
The Kerberos server is based on a distributed client/server architecture. It ensures secure communication in a networked environment by leveraging individual trust relationships. It then brokers that trust across enterprise-wide, distributed client/server networks.
How the Kerberos Server Works
The basic currency of Kerberos is the ticket, which the user presents to use a specific service. Each service, be it a login service or an FTP service, requires a different kind of ticket. The applications on the Kerberos server keep track of all the various kinds of tickets.
When you first log on to Kerberos each day, you enter your Kerberos password. In return, the Kerberos server gives you an initial ticket, which you use to request additional tickets from the Kerberos server for all the other services. For this reason, the initial ticket is also called the ticket-granting ticket, or TGT.
The Kerberos protocol secures the communication between the client and the server: client programs make authentication requests to an authentication server, and server programs in turn service those client requests. Based on your user credentials, the server program grants or denies your request to access network applications and services. The Kerberos server allows entities to authenticate themselves without having to transmit their passwords in clear text over the network.
For more information on the basics of Kerberos, see Installing, Configuring and Administering the Kerberos Server on HP-UX 11i (T1417-0001), available at http://www.docs.hp.com/hpux/internet/index.html#Kerberos.
Authentication Process
The Kerberos server grants tickets to your user principal to access secured network services. You must log on to the server by providing your user name and password. When the server authenticates you, it returns a set of initial credentials for you, including a TGT and a session key.
The Kerberos server grants a service ticket for a specific service principal that can be associated with one or more Kerberos-secured services on the same system. A client application uses your service ticket to authenticate you to a Kerberos-secured network service. The secured client application automatically handles the transactions with the server and the secured application server. Service tickets and associated session keys are generally cached in your user credentials cache along with the TGT of the user.
Figure 1-1 illustrates the actions of the components and the Kerberos protocol in a secured environment.
Figure 1-1 Authentication Process
The following is a description of how a client and server authenticate each other using Kerberos:
Step 1. You can begin to use a Kerberos-secured application by entering your principal name and password. Optionally, you can request specific ticket flags and specify the key type to be used to construct the secret key. You can also accept the default values configured for the client.
You can send the following information to the Authentication Service (AS) to obtain credentials:
Client: indicates the user name, also referred to as the principal name
Server: indicates the Application Server
Time stamp
Nonce
Step 2. If the AS decrypts the message successfully, it authenticates the requesting user and issues a TGT. The TGT contains the user name, a session key for your use, and the name of the server to be used for any subsequent communication. The reply message is encrypted using your secret key.
Step 3. The client decrypts the message using your secret key. The TGT and the session key from the message are stored in the client’s credential cache. These credentials are used to obtain tickets for each network service the principal wants to access.
The Kerberos protocol exchange has the following important features:
The authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text.
The client (or any other user) cannot view or modify the contents of the TGT.
Step 4. To obtain access to a secured network service such as rlogin, rsh, rcp, ftp, or telnet, the requesting client application uses the previously obtained TGT in a dialogue with the TGS to obtain a service ticket. The protocol is the same as used while obtaining the TGT, except that the messages contain the name of the server and a copy of the previously obtained TGT.
Step 5. The TGS returns a new service ticket that the application client can use to authenticate to the service.
Step 6. The application client tries to authenticate to the service on the application server using the service ticket obtained from the TGS. The secure application validates the service ticket using the service key of the server that is present in the key tab file. Using the session key, the server decrypts the authenticator and verifies the identity of the user. It also verifies that the user’s service ticket has not expired. If the user does not have a valid service ticket, then the server will return an appropriate error code to the client.
Step 7. (Optional) At the client’s request, the application server can also return the timestamp sent by the client, encrypted in the session key. This ensures a mutual authentication between the client and the server.
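The seven-step exchange above, modelled in Python as an added example (not HP's code or the Kerberos server's own implementation): a KDC that runs the AS and TGS exchanges, a client that caches the TGT and obtains a service ticket, and an application server that validates the ticket with its keytab key, refuses an expired ticket, and returns the client's timestamp for mutual authentication. The principal names, keys and the stand-in cipher (a SHA-256 keystream with an HMAC tag in place of DES/3DES) are assumptions constructed for the demonstration.

```python
import hashlib, hmac, json, os

class KrbError(Exception):
    """Stands in for the error codes the KDC or application server return."""
def _keystream(key, nonce, n):
    """n bytes of SHA-256 keystream (toy stand-in for DES/3DES, demo only)."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key or tampered bytes fail here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise KrbError("Decrypt integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) in one."""
    def __init__(self, keys, ticket_life=8 * 3600):
        self.keys, self.life = keys, ticket_life     # principal name -> secret key (constructed)
    def _ticket(self, client, owner_key, now):
        """Ticket readable only by its owner: client name, session key, expiry."""
        skey = os.urandom(32)
        return skey, seal(owner_key, {"client": client, "skey": skey.hex(), "exp": now + self.life})
    def as_exchange(self, client, preauth, nonce, now):
        """Steps 1-2: only a caller holding the user's key can produce preauth."""
        unseal(self.keys[client], preauth)
        skey, tgt = self._ticket(client, self.keys["krbtgt"], now)
        return seal(self.keys[client], {"skey": skey.hex(), "tgt": tgt.hex(), "nonce": nonce})
    def tgs_exchange(self, tgt, authenticator, server, now):
        """Steps 4-5: the TGT is opened with the krbtgt key, never by the client."""
        t = unseal(self.keys["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["skey"]), authenticator)["client"] != t["client"] or now > t["exp"]:
            raise KrbError("TGT invalid or expired")
        skey, tkt = self._ticket(t["client"], self.keys[server], now)
        return seal(bytes.fromhex(t["skey"]), {"skey": skey.hex(), "ticket": tkt.hex()})

def get_service_ticket(kdc, user, user_key, service, now):
    """Client side of steps 1-5; returns the service session key and ticket."""
    nonce = os.urandom(8).hex()
    rep = unseal(user_key, kdc.as_exchange(user, seal(user_key, {"ts": now}), nonce, now))
    tgt_skey, tgt = bytes.fromhex(rep["skey"]), bytes.fromhex(rep["tgt"])   # step 3: cached
    srep = unseal(tgt_skey, kdc.tgs_exchange(tgt, seal(tgt_skey, {"client": user, "ts": now}), service, now))
    return bytes.fromhex(srep["skey"]), bytes.fromhex(srep["ticket"])

def ap_exchange(keytab_key, ticket, authenticator, now):
    """Steps 6-7 on the application server; returns the mutual-auth reply."""
    t = unseal(keytab_key, ticket)                  # service key comes from the keytab file
    skey = bytes.fromhex(t["skey"])
    auth = unseal(skey, authenticator)
    if auth["client"] != t["client"] or now > t["exp"]:
        raise KrbError("Service ticket invalid or expired")
    return seal(skey, {"ts": auth["ts"]})           # client's timestamp under the session key
```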