###########
# general
###########

All Kerberos commands can be found here:
http://www.pdc.kth.se/doc/SP/manuals/pssp-3.1/html/cmdsv1/spc1mst15.html

###################
# kerberos problems
###################

Dumping the kerberos database:

root@cws [~]#/usr/lpp/ssp/kerberos/etc/kdb_util dump /var/kerberos/database/dump_20020729

################
# Kerberos Files
################

On CWS:

/.k
$HOME/.klogin
/etc/krb-srvtab
/etc/krb-conf
/etc/krb.realms
/var/kerberos/database/*
$KRBTKFILE or /tmp/tkt.

On the nodes, we should find the following files:

$HOME/.klogin
/etc/krb-srvtab
/etc/krb.realms
/etc/krb-conf
$KRBTKFILE or /tmp/tkt.

##############################
# recreating kerberos database
##############################

CWS: login root

PATH=$PATH:/usr/lpp/ssp/kerberos/etc:/usr/lpp/ssp/kerberos/bin:/usr/lpp/ssp/bin
stopsrc -s kerberos
stopsrc -s kadmind
stopsrc -s hardmon
stopsrc -s splogd

root@cws [~]#/usr/lpp/ssp/kerberos/bin/kdestroy
Tickets destroyed.
root@cws [~]#/usr/lpp/ssp/kerberos/etc/kdb_destroy
You are about to destroy the Kerberos V4 database on this machine.
Are you sure you want to do this (yes/no)? yes
Database deleted at /var/kerberos/database/principal.
root@cws [~]#rm /etc/krb*
root@cws [~]#rm $HOME/.klogin
root@cws [~]#rm /.k
root@cws [~]#/usr/lpp/ssp/bin/setup_authent
*********************************************************************
Creating the Kerberos V4 Database

Invoking the kdb_init and kstash utilities to create the database.
You must decide on a master password for the database. You will be
prompted to enter it twice. Save this password in a very secure place,
since it is used to encrypt all keys in the database and you will need
it for other administrative tasks.

After you complete this task, the Kerberos V4 daemons will be started:
kerberos for ticket-granting services, kadmind for administration.

For more information see the kdb_init and kstash man pages.
********************************************************************

You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos V4 master key:
Enter Kerberos V4 master key:

The kdb_edit utility is used to define the initial Kerberos V4 users.
You must define a user whose UID is 0 as a Kerberos V4 database
administrator. This user will have to login to Kerberos V4 with this
name prior to performing installation tasks that result in execution
of the setup_server command, during installation or whenever network
interfaces have been added or renamed in the SP system configuration.

kdb_edit prompts you separately for the name and the instance. First
enter the user name, specifying the login name of the user who will be
the primary Kerberos V4 administrator for the local realm. When you are
prompted for the instance, you must enter admin. You must assign a
Kerberos V4 password for this user and enter it twice (you may use the
AIX login password). To take default values on other options, hit .

You may create any number of other Kerberos V4 principals at this time.
To exit kdb_edit, hit when prompted for another principal name.

For more information see the kdb_edit man page.
************************************************************************

Opening database...
Previous or default values are in [brackets]; hit to leave the same,
or new value.

Principal name: root
Instance: admin
, Create [yes]?
Principal: root, Instance: admin, kdc_key_ver: 1
New Password:
Verifying, please re-enter
New Password:
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [2037-12-31] ?
Max ticket lifetime [ 255 ] ?
Attributes [ ] ?
Edit O.K.
Principal name:

Logging into Kerberos as an admin user

You must assume the role of a Kerberos administrator .admin to complete
the initialization of kerberos on the local system. The k4init command
is invoked and will prompt you for the password.

If you are setting up your primary server here, you just defined it.
If you have defined multiple administrative principals, or if your
primary authentication server is on another system, you must first
enter the name of an administrative principal who has root privilege
(UID 0). You need to be authenticated as this administrator so that
this program can create the principals and service key files for the
authenticated services that run on the SP system.

For more information, see the k4init man page.

Kerberos Initialization for "root.admin"
Password:

root@cws [/tftpboot]#spbootins -r customize -s no -l 1
root@cws [/tftpboot]#spbootins -r customize -s no -l 5
root@cws [/]#cd /usr/lpp/ssp/kerberos/etc/
root@cws [/usr/lpp/ssp/kerberos/etc]#ls
chkp         kprop                  node1_srvtab
ext_srvtab   kpropd                 node5_css-new-srvtab
kadmind      krunitrc               node5_i-new-srvtab
kdb_destroy  kstash                 node5-new-srvtab
kdb_edit     lskp                   node5_srvtab
kdb_init     mkkp                   push-kprop
kdb_util     node1_css-new-srvtab   rmkp
kerberos     node1_i-new-srvtab
Kinit        node1-new-srvtab

Propagate the new-srvtab files to the nodes:

root@cws [/spdata/sys1/k4srvtabs]#rcp node1-new-srvtab node1_i:/etc/krb-srvtab
root@cws [/spdata/sys1/k4srvtabs]#rcp node5-new-srvtab node5_i:/etc/krb-srvtab
root@cws [~]#spbootins -r disk -l 1,5

A customize of the nodes can also be done via /etc/rc.sp on the node
concerned. Afterwards run syspar_ctrl -R on the cws and on all nodes.

############
# krb-srvtab
############

As of PSSP 3.2 the new-srvtabs are no longer in tftpboot but in
/spdata/sys1/k4srvtabs:

colonia:/spdata/sys1/k4srvtabs#ls -al
total 72
drwxr-xr-x   2 bin    bin      512 Feb 23 14:28 .
drwxr-xr-x  16 bin    bin      512 Feb 22 14:13 ..
-r--------   1 root   system   167 Apr 05 13:08 colon01-new-srvtab
-r--------   1 root   system   165 Apr 05 13:00 colon05-new-srvtab
-r--------   1 root   system   168 Apr 05 13:08 colon07-new-srvtab
-r--------   1 root   system   169 Apr 05 13:08 colon09-new-srvtab
-r--------   1 root   system   166 Feb 23 10:19 colon11-new-srvtab
-r--------   1 root   system   168 Feb 23 14:12 colon17-new-srvtab
-r--------   1 root   system   167 Apr 05 13:08 colon19-new-srvtab

##################
# kinit root.admin
##################

colonia:/spdata/sys1/install/AIX-432/lppsource 376# Eunfence colon19
Eunfence: 0028-157 Remote execution of the request to colon07.sp.media-support.de failed.
krshd: Kerberos Authentication Failed.
/usr/lpp/ssp/rcmd/bin/rsh: 0041-004 Kerberos rcmd failed: rcmd protocol failure.
trying normal rsh (/usr/bin/rsh)
Unable to unfence the following nodes: colon19.sp.media-support.de
No topology
colonia:/spdata/sys1/install/AIX-432/lppsource 377#

[303]colonia:/home/kutz>

On colonia:

Kerberos name: ^C
colonia:/ 129# kinit root.admin
Kerberos Initialization for "root.admin"
Password:

########################
# authentication failure
########################

? 15
Message 15:
From daemon Sat Apr 7 00:00:05 2001
Date: Sat, 7 Apr 2001 00:00:04 +0200
From: daemon
To: root

2502-604 Unable to determine the active authentication methods.
k4destroy: 2502-000 No tickets to destroy.

*****************************************************************
cron: The previous message is the standard output
and standard error of one of the cron commands.

2502-604 Unable to determine the active authentication methods.
Explanation: This information could not be read from file
/spdata/sys1/spsec/auth_methods. This is probably a system error.
User Response: Follow normal problem reporting procedures.

Correct installation:

colon17:/#ls -al /spdata/sys1/spsec/auth_methods
-rw-r--r--   1 root   system   8 Mar 27 15:32 /spdata/sys1/spsec/auth_methods

Faulty installation:

colon05:/#ls -al /spdata/sys1/spsec/auth_methods
ls: 0653-341 The file /spdata/sys1/spsec/auth_methods does not exist.

##########################
# lost root.admin password
##########################

kdb_edit -n
Principal name: root
instance: admin
Change Password [no]? y
New Password:
Verify New Password:
ctrl+d

################
# lost masterkey
################

Can only be repaired by setting up kerberos again from scratch!
On the CWS as root:

kdb_destroy
rm /var/kerberos/database/*
rm /etc/krb*
rm /.k
rm /.klogin
kdestroy
stopsrc -s hardmon kerberos kadmind
setup_authent

########################
# change master password
########################

kinit root.admin
kdb_util new_master_key /var/kerberos/database/newdb.$$
Enter Current master key
Enter New master key
kdb_util load /var/kerberos/database/newdb.$$
kstash
stopsrc -s kerberos
stopsrc -s kadmind
startsrc -s kadmind
startsrc -s kerberos

######################
# lifetime of a ticket
######################

colonia:/#kinit -l root.admin
Kerberos V4 Initialization for "root.admin"
Kerberos V4 ticket lifetime (minutes): 7200
Password:

###################
# password changing
###################

colonia:/#kpasswd
Old password for root.admin:
New Password for root.admin:
Verifying, please re-enter New Password for root.admin:
Password changed.

or
kpasswd -n principal

or
kadmin change_password principal

or kdb_edit:

colonia:/#kdb_edit
Enter Kerberos master password:
Principal Name: xyz
Change Password (n)? y
New Password:
Verifying, please re-enter New Password

or kadmin -m (allows multiple requests without Kerberos Version 4
reauthentication, i.e. reentry of your administrative password):

admin: cpw xyz
Admin password:
New Password for xyz:
Verifying, please re-enter New Password for xyz
Password changed for xyz

###################################
# creating principals for adapters
###################################

cws:/usr/lpp/ssp/kerberos/etc> ./ext_srvtab -n node1_boot node1_srv node1_stb node1 node1_css
Generating 'node1_boot-new-srvtab'....
Generating 'node1_srv-new-srvtab'....
Generating 'node1_stb-new-srvtab'....
Generating 'node1-new-srvtab'....
Generating 'node1_css-new-srvtab'....
cws:/usr/lpp/ssp/kerberos/etc> ls -ltr
total 1288
-r-xr-x---   1 bin    bin         2929 17 Okt 2001  Kinit
-r-xr-x---   1 root   security   10915 17 Okt 2001  rmkp
-r-xr-x---   1 root   security    7892 17 Okt 2001  mkkp
-r-xr-x---   1 root   security   14530 17 Okt 2001  lskp
-r-xr-x---   1 root   security    8040 17 Okt 2001  chkp
-r-xr-x---   1 bin    bin         1164 17 Okt 2001  krunitrc
-r-xr-x---   1 root   security   76980 17 Okt 2001  kerberos
-r-xr-x---   1 root   security     753 17 Okt 2001  push-kprop
-r-xr-x---   1 root   security   66870 17 Okt 2001  kpropd
-r-xr-x---   1 root   security   74830 17 Okt 2001  kprop
-r-xr-x---   1 root   security    5030 17 Okt 2001  kdb_destroy
-r-xr-x---   1 root   security   50578 17 Okt 2001  ext_srvtab
-r-xr-x---   1 root   security   52800 17 Okt 2001  kdb_init
-r-xr-x---   1 root   security   44158 17 Okt 2001  kdb_edit
-r-xr-x---   1 root   security   34488 17 Okt 2001  kstash
-r-xr-x---   1 root   security   41984 17 Okt 2001  kdb_util
-r-xr-x---   1 root   security  100792 18 Okt 2001  kadmind
-rw-------   1 root   system        25 27 Jun 09:41 node23-new-srvtab
-rw-------   1 root   system        29 27 Jun 09:41 node23_css-new-srvtab
-rw-r--r--   1 root   system        54 27 Jun 09:41 node23-tab
-rw-------   1 root   system        56 05 Aug 08:37 node1_stb-new-srvtab
-rw-------   1 root   system        56 05 Aug 08:37 node1_srv-new-srvtab
-rw-------   1 root   system        24 05 Aug 08:37 node1-new-srvtab
-rw-------   1 root   system        28 05 Aug 08:37 node1_css-new-srvtab
-rw-------   1 root   system        58 05 Aug 08:37 node1_boot-new-srvtab
-rw-r--r--   1 root   system       222 05 Aug 08:38 neue_srvtab
-rw-------   1 root   system        56 05 Aug 08:40 node9_stb-new-srvtab
-rw-------   1 root   system        56 05 Aug 08:40 node9_srv-new-srvtab
-rw-------   1 root   system        24 05 Aug 08:40 node9-new-srvtab
-rw-------   1 root   system        28 05 Aug 08:40 node9_css-new-srvtab
-rw-------   1 root   system        58 05 Aug 08:40 node9_boot-new-srvtab
cws:/usr/lpp/ssp/kerberos/etc> cat node9_stb-new-srvtab node9_srv-new-srvtab node9-new-srvtab node9_css-new-srvtab node9_boot-new-srvtab >neue_srvtab
cws:/usr/lpp/ssp/kerberos/etc> ls -ltr
total 1336
-r-xr-x---   1 bin    bin         2929 17 Okt 2001  Kinit
-r-xr-x---   1 root   security   10915 17 Okt 2001  rmkp
-r-xr-x---   1 root   security    7892 17 Okt 2001  mkkp
-r-xr-x---   1 root   security   14530 17 Okt 2001  lskp
-r-xr-x---   1 root   security    8040 17 Okt 2001  chkp
-r-xr-x---   1 bin    bin         1164 17 Okt 2001  krunitrc
-r-xr-x---   1 root   security   76980 17 Okt 2001  kerberos
-r-xr-x---   1 root   security     753 17 Okt 2001  push-kprop
-r-xr-x---   1 root   security   66870 17 Okt 2001  kpropd
-r-xr-x---   1 root   security   74830 17 Okt 2001  kprop
-r-xr-x---   1 root   security    5030 17 Okt 2001  kdb_destroy
-r-xr-x---   1 root   security   50578 17 Okt 2001  ext_srvtab
-r-xr-x---   1 root   security   52800 17 Okt 2001  kdb_init
-r-xr-x---   1 root   security   44158 17 Okt 2001  kdb_edit
-r-xr-x---   1 root   security   34488 17 Okt 2001  kstash
-r-xr-x---   1 root   security   41984 17 Okt 2001  kdb_util
-r-xr-x---   1 root   security  100792 18 Okt 2001  kadmind
-rw-------   1 root   system        25 27 Jun 09:41 node23-new-srvtab
-rw-------   1 root   system        29 27 Jun 09:41 node23_css-new-srvtab
-rw-r--r--   1 root   system        54 27 Jun 09:41 node23-tab
-rw-------   1 root   system        56 05 Aug 08:37 node1_stb-new-srvtab
-rw-------   1 root   system        56 05 Aug 08:37 node1_srv-new-srvtab
-rw-------   1 root   system        24 05 Aug 08:37 node1-new-srvtab
-rw-------   1 root   system        28 05 Aug 08:37 node1_css-new-srvtab
-rw-------   1 root   system        58 05 Aug 08:37 node1_boot-new-srvtab
-rw-------   1 root   system        56 05 Aug 08:40 node9_stb-new-srvtab
-rw-------   1 root   system        56 05 Aug 08:40 node9_srv-new-srvtab
-rw-------   1 root   system        24 05 Aug 08:40 node9-new-srvtab
-rw-------   1 root   system        28 05 Aug 08:40 node9_css-new-srvtab
-rw-------   1 root   system        58 05 Aug 08:40 node9_boot-new-srvtab
-rw-r--r--   1 root   system       222 05 Aug 08:41 neue_srvtab

#########################################
# back up /etc/krb-srvtab on the node first
#########################################

cws:/usr/lpp/ssp/kerberos/etc> rcp neue_srvtab node9:/etc/krb-srvtab

############################
# adjusting .klogin on nodes
############################

vi /.klogin

The adapters must be included:

rcmd.node1@CWS
rcmd.node1_boot@CWS
rcmd.node1_srv@CWS
rcmd.node1_stb@CWS

#################
# list principals
#################

cws:/> lskp
changepw.kerberos   tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
default             tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
godm.node1_boot     tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
godm.node1_srv      tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
godm.node1_stb      tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
godm.node9_boot     tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
godm.node9_srv      tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
godm.node9_stb      tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
hardmon.cws         tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
K.M                 tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
krbtgt.CWS          tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
rcmd.cws            tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node1          tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node13         tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node13_css     tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node17         tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node17_css     tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node1_boot     tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node1_css      tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node1_srv      tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node21         tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node21_css     tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node23         tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node23_css     tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node5          tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node5_css      tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node9          tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node9_boot     tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node9_css      tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node9_srv      tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rcmd.node9_stb      tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59
rmcd.node1_stb      tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
root.admin          tkt-life: 30d        key-vers: 1  expires: 2037-12-31 22:59
root.SPbgAdm        tkt-life: Unlimited  key-vers: 1  expires: 2037-12-31 22:59

##################################
# change expire of ticket lifetime
##################################

Ticket expires on 2002-12-31 and has a lifetime of 180 minutes for user xyz:

chkp -e 2002-12-31 -l 180 xyz

###################
# add new principal
###################

# /usr/lpp/ssp/kerberos/bin/kadmin
Welcome to the Kerberos Administration Program
Type help if you need it
admin: ank
Usage: add_new_key user_name
admin: ank xyz
Password for xyz:
Verifying, please re-enter Password for xyz:
xyz added to database
admin: quit
Cleaning up and exit

###############
# add new admin
###############

kadmin
ank abc

Afterwards add abc to:

/var/kerberos/database/admin_acl.add (add new principals)
/var/kerberos/database/admin_acl.get (view principal info from the database)
/var/kerberos/database/admin_acl.mod (modify entries)

#########################
# deleting principals
#########################

rmkp -v xyz

or

kdb_util dump /var/kerberos/database/slavesave
vi /var/kerberos/database/slavesave (remove all entries for xyz)
kdb_util load /var/kerberos/database/slavesave

#######
# lskp -s
#######

root@cws [/usr/lpp/ssp/kerberos/etc]#lskp -s
hardmon.cws         tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
hardmon.cws_ex      tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.cws            tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.cws_ex         tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.node1          tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.node1_css      tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.node1_i        tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.node5          tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.node5_css      tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59
rcmd.node5_i        tkt-life: Unlimited  key-vers: 1  expires: 2038-01-01 05:59

############################
# list local /etc/krb-srvtab
############################

root@cws [/usr/lpp/ssp/kerberos/etc]#klist -srvtab
Server key file: /etc/krb-srvtab
Service         Instance        Realm           Key Version
------------------------------------------------------
hardmon         cws             CWS             1
rcmd            cws             CWS             1
rcmd            cws_ex          CWS             1
hardmon         cws_ex          CWS             1
root            SPbgAdm         CWS             1

#################################
# list principals in node1_srvtab
#################################

root@cws [/usr/lpp/ssp/kerberos/etc]#ksrvutil list -f ./node1_srvtab
Version  Principal
     1   rcmd.node1_css@CWS
     1   rcmd.node1_i@CWS
     1   rcmd.node1@CWS

######################################
# setting up secondary kerberos server
######################################

On secondary:
install ssp.authent
install ssp.client

On Primary:
add line to /etc/krb.conf

The following example of an /etc/krb.conf shows a simple configuration
consisting of a single realm with two servers, the primary and one
secondary:

EAST.COAST
EAST.COAST master.authent.abc.com admin server
EAST.COAST backup.authent.abc.com

Here, "admin server" identifies the system whose full host name is
"master.authent.abc.com" as the primary server, responsible for
administration of the master database. Note that, in this case, there
would have to be information in the /etc/krb.realms file to map the
two host names or the domain name authent.abc.com to the local realm
name, "EAST.COAST". See the Example section of the krb.realms file.

On secondary:
copy /etc/krb.conf from primary
copy /etc/krb.realms from primary
run setup_authent

On primary:
root crontab /usr/kerberos/etc/push-kprop

ls -al /usr/kerberos/etc/push-kprop
-r-xr-x---   1 root   security   753 13 Jun 2000 /usr/kerberos/etc/push-kprop

kprop runs on secondary

#######################
# authentication failed
#######################

1. dsh works, telnet does not:
   telnetd: No authentication methods enabled
   Solution: chauthpar k4 std

2. dsh does not work:
   rshd failed, Kerberos failed 0041-004
   Solution: chauthent std

3. dsh does not work:
   rshd failed
   Solution: spsetauth -p k4 std

##########################
# backup kerberos database
##########################

root@cws [/var/ha/log]#ls -al /var/kerberos/database/
total 38
drwx------   2 root   security    512 31 Jul 08:34 .
drwxr-xr-x   3 root   system      512 02 Jan 2002  ..
-rw-r-----   1 root   system       11 30 Jul 09:27 admin_acl.add
-rw-r-----   1 root   system       11 30 Jul 09:27 admin_acl.get
-rw-r-----   1 root   system       11 30 Jul 09:27 admin_acl.mod
-rw-------   1 root   system     4096 30 Jul 14:46 principal.dir
-rw-------   1 root   system        0 30 Jul 09:17 principal.ok
-rw-------   1 root   system    11264 30 Jul 14:46 principal.pag

kdb_util dump /var/kerberos/database/slavesave

recover:
kdb_util load /var/kerberos/database/slavesave
kstash

Take backups via cron:

0 17 * * 1-5 kdb_util dump /var/kerberos/database/slavesave
or
0 17 * * 1-5 /usr/kerberos/etc/push-kprop

###############
# node recovery
###############

Created by a reboot or by /etc/rc.sp:
/etc/krb.conf
/etc/krb.realms
/.klogin

Created by customize and (reboot or /etc/rc.sp):
/etc/krb-srvtab

################################
# authentication server recovery
################################

copy on nodes, secondary, backup:
/etc/krb.conf
/etc/krb.realms
/.klogin

setup_server
/etc/krb-srvtab

kstash
/.k

restart:
stopsrc -s kadmind
stopsrc -s kerberos
startsrc -s kerberos
startsrc -s kadmind
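A consistency check for the adapter srvtab procedure above (ext_srvtab per adapter, cat into one file, rcp to the node's /etc/krb-srvtab, then rcmd.<adapter>@CWS entries in /.klogin) and for the /.klogin copy in the node recovery sections. This is an added example, not part of the original notes: it derives the adapter list from the <adapter>-new-srvtab file names and reports every adapter that has no rcmd entry in a /.klogin file. The realm CWS and the node1 adapter names come from the notes; the srvtab directory and the .klogin contents are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original notes): after pushing a combined
# srvtab to a node, verify that the node's /.klogin grants rcmd access for
# every adapter whose key is in that srvtab, so no adapter is left without
# an entry (dsh/rsh to that adapter would then fail with 0041-004).

# adapters_from_srvtabs DIR
# Prints the adapter names behind the <adapter>-new-srvtab files that
# ext_srvtab wrote into DIR (node1_boot-new-srvtab -> node1_boot).
adapters_from_srvtabs() {
    for f in "$1"/*-new-srvtab; do
        [ -e "$f" ] || continue          # no match: glob stays literal
        f=${f##*/}                       # strip directory
        echo "${f%-new-srvtab}"          # strip suffix
    done
}

# klogin_missing REALM KLOGIN_FILE ADAPTER...
# Prints each adapter that has no exact "rcmd.<adapter>@REALM" line in
# KLOGIN_FILE. Prints nothing when the file is complete.
klogin_missing() {
    realm=$1; klogin=$2; shift 2
    for adapter in "$@"; do
        grep -qxF "rcmd.${adapter}@${realm}" "$klogin" || echo "$adapter"
    done
}

# Constructed sample: the five node1 adapters from the notes as empty
# <adapter>-new-srvtab files in a scratch directory.
SAMPLE_DIR=$(mktemp -d)
for a in node1 node1_boot node1_srv node1_stb node1_css; do
    : > "$SAMPLE_DIR/$a-new-srvtab"
done

# Constructed sample /.klogin: node1_stb was deliberately left out.
SAMPLE_KLOGIN=$(mktemp)
cat > "$SAMPLE_KLOGIN" <<'EOF'
root.admin@CWS
rcmd.node1@CWS
rcmd.node1_boot@CWS
rcmd.node1_srv@CWS
rcmd.node1_css@CWS
EOF
trap 'rm -rf "$SAMPLE_DIR" "$SAMPLE_KLOGIN"' EXIT

echo "adapters in srvtab set: $(adapters_from_srvtabs "$SAMPLE_DIR" | tr '\n' ' ')"
echo "missing from .klogin: $(klogin_missing CWS "$SAMPLE_KLOGIN" \
    $(adapters_from_srvtabs "$SAMPLE_DIR") | tr '\n' ' ')"
```

On a real CWS, point adapters_from_srvtabs at /usr/lpp/ssp/kerberos/etc or /spdata/sys1/k4srvtabs and klogin_missing at a copy of the node's /.klogin.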