1999-09-19 14:19:32 +00:00
|
|
|
.\" $Id: kerberos.8,v 1.4 1997/09/26 17:55:23 joda Exp $
|
1997-09-04 06:04:33 +00:00
|
|
|
.\"
|
1999-09-19 14:19:32 +00:00
|
|
|
.Dd September 26, 1997
|
1997-09-04 06:04:33 +00:00
|
|
|
.Dt KERBEROS 8
|
|
|
|
.Os KTH-KRB
|
|
|
|
.Sh NAME
|
|
|
|
.Nm kerberos
|
|
|
|
.Nd The kerberos daemon
|
|
|
|
.Sh SYNPOSIS
|
|
|
|
.Nm
|
1999-09-19 14:19:32 +00:00
|
|
|
.Op Fl mns
|
1997-09-04 06:04:33 +00:00
|
|
|
.Op Fl a Ar max age
|
1999-09-19 14:19:32 +00:00
|
|
|
.Op Fl i Ar address
|
1997-09-04 06:04:33 +00:00
|
|
|
.Op Fl l Ar log
|
1999-09-19 14:19:32 +00:00
|
|
|
.Op Fl p Ar pause
|
|
|
|
.Op Fl P Ar portspec
|
1997-09-04 06:04:33 +00:00
|
|
|
.Op Fl r Ar realm
|
1999-09-19 14:19:32 +00:00
|
|
|
.Op Ar database
|
1997-09-04 06:04:33 +00:00
|
|
|
.Sh DESCRIPTION
|
|
|
|
This is the
|
|
|
|
.Nm
|
|
|
|
daemon.
|
|
|
|
.Pp
|
|
|
|
Options:
|
|
|
|
.Bl -tag -width -ident
|
|
|
|
.It Fl a
|
|
|
|
Set the
|
|
|
|
.Ar max age
|
|
|
|
before the database is considered stale.
|
1999-09-19 14:19:32 +00:00
|
|
|
.It Fl i
|
|
|
|
Only listen on
|
|
|
|
.Ar address .
|
|
|
|
Normally, the kerberos server listens on all addresses of all
|
|
|
|
interfaces.
|
1997-09-04 06:04:33 +00:00
|
|
|
.It Fl l
|
|
|
|
Write the log to
|
|
|
|
.Ar log
|
1999-09-19 14:19:32 +00:00
|
|
|
.It Fl m
|
|
|
|
Run manually and prompt for master key.
|
|
|
|
.It Fl n
|
|
|
|
Do not check max age.
|
|
|
|
.It Fl p
|
|
|
|
Pause for
|
|
|
|
.Ar pause
|
|
|
|
before dying.
|
|
|
|
.It Fl P
|
|
|
|
Listen to the ports specified by
|
|
|
|
.Ar portspec .
|
|
|
|
This should be a white-space separated list of port specificatios. A
|
|
|
|
port specification follows the format:
|
|
|
|
.Ar port Ns Op / Ns Ar protocol .
|
|
|
|
The
|
|
|
|
.Ar port
|
|
|
|
can be either a symbolic port name (from
|
|
|
|
.Pa /etc/services), or a number;
|
|
|
|
.Ar protocol can be either
|
|
|
|
.Li udp ,
|
|
|
|
or
|
|
|
|
.Li tcp .
|
|
|
|
If left out, the KDC will listen to both UDP and TCP sockets on the
|
|
|
|
specified port.
|
|
|
|
.br
|
|
|
|
The special string
|
|
|
|
.Li +
|
|
|
|
mean that the default set of ports (TCP and UDP on ports 88 and 750)
|
|
|
|
should be included.
|
1997-09-04 06:04:33 +00:00
|
|
|
.It Fl r
|
|
|
|
Run as a server for realm
|
|
|
|
.Ar realm
|
1999-09-19 14:19:32 +00:00
|
|
|
.It Fl s
|
|
|
|
Set slave parameters. This will enable check to see if data is
|
|
|
|
getting too stale relative to the master.
|
|
|
|
.El
|
|
|
|
|
|
|
|
If no
|
|
|
|
.Ar database
|
|
|
|
is given a default datbase will be used, normally
|
|
|
|
.Pa /var/kerberos/principal .
|
|
|
|
.Sh DIAGNOSTICS
|
|
|
|
|
|
|
|
The server logs several messages in a log file
|
|
|
|
.Pf ( Pa /var/run/kerberos.log
|
|
|
|
by default). The logging mechanism opens and closes the log file for
|
|
|
|
each message, so you can safely rename the log file when the server is
|
|
|
|
running.
|
|
|
|
.Ss Operational messages
|
|
|
|
These are normal messages that you will see in the log. They might be
|
|
|
|
followed by some error message.
|
|
|
|
.Bl -tag -width xxxxx
|
|
|
|
.It Li Getting key for Ar REALM
|
|
|
|
The server fetched the key for
|
|
|
|
.Sq krbtgt.REALM
|
|
|
|
for the specific
|
|
|
|
realm. You will see this at startup, and for every attempt to use
|
|
|
|
cross realm authentication.
|
|
|
|
.It Xo Li Starting Kerberos for
|
|
|
|
.Ar REALM
|
|
|
|
.Li (kvno Ar kvno )
|
|
|
|
.Xc
|
|
|
|
You will see this also if you start with
|
|
|
|
.Fl m .
|
|
|
|
.It Xo Li AS REQ
|
|
|
|
.Ar name.instance@REALM
|
|
|
|
.Li for
|
|
|
|
.Ar sname.sinstance
|
|
|
|
.Li from
|
|
|
|
.Ar ip-number
|
|
|
|
.Xc
|
|
|
|
An initial (password authenticated) request was received.
|
|
|
|
.It Xo Li APPL REQ
|
|
|
|
.Ar name.instance@REALM
|
|
|
|
.Li for
|
|
|
|
.Ar sname.sinstance
|
|
|
|
.Li from Ar ip-number
|
|
|
|
.Xc
|
|
|
|
A tgt-based request for a ticket was made.
|
|
|
|
.El
|
|
|
|
|
|
|
|
.Ss Error messages
|
|
|
|
These messages reflects misconfigured clients, invalid requests, or
|
|
|
|
possibly attepted attacks.
|
|
|
|
.Bl -tag -width xxxxx
|
|
|
|
.It Li UNKNOWN Ar name.instance
|
|
|
|
The server received a request with an unknown principal. This is most
|
|
|
|
likely because someone typed the wrong name at a login prompt. It
|
|
|
|
could also be someone trying to get a list of possible users.
|
|
|
|
.It Xo Li Unknown realm Ar REALM
|
|
|
|
.Li from Ar ip-number
|
|
|
|
.Xc
|
|
|
|
There isn't a principal for
|
|
|
|
.Sq krbtgt.REALM
|
|
|
|
in the database.
|
|
|
|
.It Xo Li Can't hop realms: Ar REALM1
|
|
|
|
.Li -> Ar REALM2
|
|
|
|
.Xc
|
|
|
|
There was a request for a ticket for another realm. This might be
|
|
|
|
because of a misconfigured client.
|
|
|
|
.It Li Principal not unique Ar name.instance
|
|
|
|
There is more than one entry for this principal in the database. This
|
|
|
|
is not very good.
|
|
|
|
.It Li Null key Ar name.instance
|
|
|
|
Someone tried to use a principal that for some reason doesn't have a
|
|
|
|
key.
|
|
|
|
.It Xo Li Incorrect master key version for
|
|
|
|
.Ar name.instance
|
|
|
|
.Li : Ar number
|
|
|
|
.Li (should be Ar number )
|
|
|
|
.Xc
|
|
|
|
The principal has it's key encrypted with the wrong master key.
|
|
|
|
.It Xo Li Principal Ar name.instance
|
|
|
|
.Li expired at Ar date
|
|
|
|
.Xc
|
|
|
|
The principal's key has expired.
|
|
|
|
.It Li krb_rd_req from Ar ip-number : error-message
|
|
|
|
The message couldn't be decoded properly. The error message will give
|
|
|
|
you further hints. You will see this if someone is trying to use
|
|
|
|
expired tickets.
|
|
|
|
.It Xo Li Unknown message type: Ar number
|
|
|
|
.Li from Ar ip-number
|
|
|
|
.Xc
|
|
|
|
The message received was not one that is understood by this server.
|
|
|
|
.It Li Can't authorize password changed based on TGT
|
|
|
|
Someone tried to get a
|
|
|
|
.Sq changepw.kerberos
|
|
|
|
via a tgt exchange. This is
|
|
|
|
because of a broken client, or possibly an attack.
|
|
|
|
.It Li KRB protocol version mismatch ( Ar number )
|
|
|
|
The server received a request with an unknown version number.
|
|
|
|
.El
|
|
|
|
|
|
|
|
.Ss Fatal error messages
|
|
|
|
The following messages indicate problems when starting the server.
|
|
|
|
.Bl -tag -width xxxxx
|
|
|
|
.It Li Database unavailable!
|
|
|
|
There was some problem reading the database.
|
|
|
|
.It Li Database currently being updated!
|
|
|
|
Someone is currently updating the database (possibly via krop).
|
|
|
|
.It Li Database out of date!
|
|
|
|
The database is older than the maximum age specified.
|
|
|
|
.It Li Couldn't get master key.
|
|
|
|
The master key file wasn't found or the file is damaged.
|
|
|
|
.It Li Can't verify master key.
|
|
|
|
The key in the keyfile doesn't match the current databse.
|
|
|
|
.It Li Ticket granting ticket service unknown
|
|
|
|
The database doesn't contain a
|
|
|
|
.Sq krbtgt.REALM
|
|
|
|
for the local realm.
|
|
|
|
.El
|
|
|
|
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr kprop 8 ,
|
|
|
|
.Xr kpropd 8
|