How to Restart the Secure RPC Keyserver

oracle home

Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.2

Exit Print View

Search Term

Search Scope:

This Document Entire Library

Managing Kerberos and Other Authentication Services in Oracle^® Solaris 11.2

Document Information

Using This Documentation

Product Documentation Library

Access to Oracle Support

Feedback

Chapter 1 Using Pluggable Authentication Modules

What's New in Authentication in Oracle Solaris 11.2

What's New in PAM

What's New in Kerberos

About PAM

Introduction to the PAM Framework

Benefits of Using PAM

Planning a Site-Specific PAM Configuration

Assigning a Per-User PAM Policy

Configuring PAM

How to Create a Site-Specific PAM Configuration File

How to Add a PAM Module

How to Assign a Modified PAM Policy

How to Log PAM Error Reports

How to Troubleshoot PAM Configuration Errors

PAM Configuration Reference

PAM Configuration Files

PAM Configuration Search Order

PAM Configuration File Syntax

PAM Stacking

PAM Stacking Example

PAM Service Modules

Chapter 2 About the Kerberos Service

What Is the Kerberos Service?

How the Kerberos Service Works

Initial Authentication: the Ticket-Granting Ticket

Subsequent Kerberos Authentications

Kerberos Authentication of Batch Jobs

Kerberos, DNS, and the Naming Service

Kerberos Components

Kerberos Network Programs

Kerberos Security Services

Kerberos Encryption Types

FIPS 140 Algorithms and Kerberos Encryption Types

How Kerberos Credentials Provide Access to Services

Obtaining a Credential for the Ticket-Granting Service

Obtaining a Credential for a Kerberized Server

Obtaining Access to a Specific Kerberos Service

Notable Differences Between Oracle Solaris Kerberos and MIT Kerberos

Chapter 3 Planning for the Kerberos Service

Planning a Kerberos Deployment

Planning Kerberos Realms

Kerberos Realm Names

Number of Kerberos Realms

Kerberos Realm Hierarchy

Mapping Host Names to Kerberos Realms

Kerberos Client and Service Principal Names

Clock Synchronization Within a Kerberos Realm

Supported Encryption Types in Kerberos

Planning KDCs

Ports for the KDC and Admin Services

Number of Slave KDCs

Kerberos Database Propagation

KDC Configuration Options

Planning for Kerberos Clients

Planning for Automatic Installation of Kerberos Clients

Kerberos Client Configuration Options

Kerberos Client Login Security

Trusted Delegated Services in Kerberos

Planning Kerberos Use of UNIX Names and Credentials

Map GSS Credentials to UNIX Credentials

gsscred Table

Automatic User Migration to a Kerberos Realm

Chapter 4 Configuring the Kerberos Service

Configuring the Kerberos Service

Configuring Additional Kerberos Services

Configuring KDC Servers

How to Install the KDC Package

How to Configure Kerberos to Run in FIPS 140 Mode

How to Use kdcmgr to Configure the Master KDC

How to Use kdcmgr to Configure a Slave KDC

How to Manually Configure a Master KDC

How to Manually Configure a Slave KDC

How to Configure the Master KDC to Use an LDAP Directory Server

Replacing the Ticket-Granting Service Keys on a Master Server

Managing a KDC on an LDAP Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

How to Destroy a Realm on an LDAP Directory Server

Configuring Kerberos Clients

How to Create a Kerberos Client Installation Profile

How to Automatically Configure a Kerberos Client

How to Interactively Configure a Kerberos Client

How to Join a Kerberos Client to an Active Directory Server

How to Manually Configure a Kerberos Client

Disabling Verification of the Ticket-Granting Ticket

How to Access a Kerberos Protected NFS File System as the root User

How to Configure Automatic Migration of Users in a Kerberos Realm

Automatically Renewing All Ticket-Granting Tickets

Configuring Kerberos Network Application Servers

How to Configure a Kerberos Network Application Server

How to Use the Generic Security Service With Kerberos When Running FTP

Configuring Kerberos NFS Servers

How to Configure Kerberos NFS Servers

How to Create and Modify a Credential Table

How to Provide Credential Mapping Between Realms

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

Configuring Delayed Execution for Access to Kerberos Services

How to Configure a cron Host for Access to Kerberos Services

Configuring Cross-Realm Authentication

How to Establish Hierarchical Cross-Realm Authentication

How to Establish Direct Cross-Realm Authentication

Synchronizing Clocks Between KDCs and Kerberos Clients

Swapping a Master KDC and a Slave KDC

How to Configure a Swappable Slave KDC

How to Swap a Master KDC and a Slave KDC

Administering the Kerberos Database

Backing Up and Propagating the Kerberos Database

kpropd.acl File

kprop_script Command

Backing Up the Kerberos Database

How to Restore a Backup of the Kerberos Database

How to Convert a Kerberos Database After a Server Upgrade

How to Reconfigure a Master KDC to Use Incremental Propagation

How to Reconfigure a Slave KDC to Use Incremental Propagation

How to Verify That the KDC Servers Are Synchronized

Manually Propagating the Kerberos Database to the Slave KDCs

How to Manually Propagate the Kerberos Database to a Slave KDC

Setting Up Parallel Propagation for Kerberos

Configuration Steps for Setting Up Parallel Propagation

Administering the Stash File for the Kerberos Database

How to Create, Use, and Store a New Master Key for the Kerberos Database

Increasing Security on Kerberos Servers

Restricting Access to KDC Servers

Using a Dictionary File to Increase Password Security

Chapter 5 Administering Kerberos Principals and Policies

Ways to Administer Kerberos Principals and Policies

Automating the Creation of New Kerberos Principals

gkadmin GUI

Administering Kerberos Principals

Viewing Kerberos Principals and Their Attributes

Creating a New Kerberos Principal

Modifying a Kerberos Principal

Deleting a Kerberos Principal

Duplicating a Kerberos Principal by Using the gkadmin GUI

Modifying Principals' Kerberos Administration Privileges

Administering Kerberos Policies

Administering Keytab Files

Adding a Kerberos Service Principal to a Keytab File

Removing a Service Principal From a Keytab File

Displaying the Principals in a Keytab File

Temporarily Disabling a Kerberos Service on a Host

How to Temporarily Disable Authentication for a Kerberos Service on a Host

Chapter 6 Using Kerberos Applications

Kerberos Ticket Management

Creating a Kerberos Ticket

Viewing Kerberos Tickets

Destroying Kerberos Tickets

Kerberos Password Management

Changing Your Password

Remote Logins in Kerberos

Kerberos User Commands

Chapter 7 Kerberos Service Reference

Kerberos-Specific Terminology

Authentication-Specific Terminology

Types of Tickets

Ticket Lifetimes

Kerberos Principal Names

Chapter 8 Kerberos Error Messages and Troubleshooting

Kerberos Error Messages

gkadmin GUI Error Messages

Common Kerberos Error Messages (A-M)

Common Kerberos Error Messages (N-Z)

Kerberos Troubleshooting

Problems With Key Version Numbers

Problems With the Format of the krb5.conf File

Problems Propagating the Kerberos Database

Problems Mounting a Kerberized NFS File System

Problems Authenticating as the root User

Observing Mapping From GSS Credentials to UNIX Credentials

Using DTrace With the Kerberos Service

Chapter 9 Using Simple Authentication and Security Layer

About SASL

SASL Reference

SASL Plugins

SASL Environment Variable

SASL Options

Chapter 10 Configuring Network Services Authentication

About Secure RPC

NFS Services and Secure RPC

Kerberos Authentication

DES Encryption With Secure NFS

Diffie-Hellman Authentication and Secure RPC

Administering Authentication With Secure RPC

How to Restart the Secure RPC Keyserver

How to Set Up a Diffie-Hellman Key for an NIS Host

How to Set Up a Diffie-Hellman Key for an NIS User

How to Share NFS Files With Diffie-Hellman Authentication

Appendix A DTrace Probes for Kerberos

DTrace Probes in Kerberos

Definitions of Kerberos DTrace Probes

DTrace Argument Structures in Kerberos

Kerberos Message Information in DTrace

Kerberos Connection Information in DTrace

Kerberos Authenticator Information in DTrace

Security Glossary

Index

Index Numbers and Symbols

Language:

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

Verify that the keyserv daemon is running.

# svcs \*keyserv\*
STATE    STIME   FMRI
disabled Dec_14  svc:/network/rpc/keyserv

Enable the keyserver service if the service is not online.
```
# svcadm enable network/rpc/keyserv
```