Please note that dig(1M) is provided in SUNWbind from the Freeware consolidation with an interface stability of "External". Is it OK to rely on that? Does a contract need to be put in place?
Regards,
Stacey

Wyllys Ingersoll wrote:
> Template Version: @(#)sac_nextcase 1.61 05/24/07 SMI
> This information is Copyright 2007 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>          kdcmgr utility
>     1.2. Name of Document Author/Supplier:
>          Author: Shawn Emery
>     1.3 Date of This Document:
>          08 June, 2007
> 4. Technical Description
>
> ABSTRACT
> --------
>
> Some customers find the manual way of configuring Key Distribution Center
> (KDC) servers tedious and prone to error. This represents
> dissatisfaction and an increase in support costs to Sun. But more importantly,
> administrators have come to expect simple interfaces for configuring servers.
>
> This project will provide a CLI to administrators for configuring
> Kerberos Key Distribution Center (KDC) servers. The CLI will supply
> options for configuring a master KDC and slave KDC.
>
> PROPOSAL
> --------
>
> This will be implemented in a scripting language (ksh) that will
> make calls to Kerberos utilities to configure the master and slave
> KDC servers. These Kerberos and system utilities include:
>
>     kdb5_util(1M)
>     kadmin(1M)
>     kadmin.local(1M)
>     svcadm(1M)
>     dig(1M)
>     ping(1M)
>
> An alternative would be to make a GUI for configuring the KDC servers
> using Java. However, this would require more resources as it
> would take longer to implement. Most customers could still benefit
> from an interactive script.
>
> The kdcmgr script will perform basic security checks and warn the
> administrator if it detects a problem.
>
> Given the hundreds of possible KDC configurations it is impossible
> to provide a simple interface to handle all of these. The assumption
> is that this utility will provide configurations for a simple, but
> common subset.
>
> DOCUMENTATION
> -------------
>
> kdcmgr(1M) is the new CLI for configuring KDC servers. It has an interactive
> interface, but with options that can limit the interaction.
>
> A new man page will be created for kdcmgr(1M):
>
> System Administration Commands                                kdcmgr(1M)
>
> NAME
>      kdcmgr - set up a Kerberos Key Distribution Center (KDC)
>
> SYNOPSIS
>      /usr/sbin/kdcmgr [ -a admprincipal ] [ -e enctype ] [ -h ]
>      [ -p pwfile ] [ -r realm ] subcommand
>
> DESCRIPTION
>      The kdcmgr utility can be used to configure the following:
>
>      o Configure a master Key Distribution Center (KDC) server.
>
>      o Configure a slave KDC. Assumes that a master KDC has already been
>        configured. The default propagation method configured is incremental
>        propagation, see kpropd(1M).
>
>      o Specify a list of slave KDCs to configure service principals and
>        create an access control list for these slaves on the master KDC.
>
>      If none of the options are provided then the user is prompted for
>      the required information. When sufficient options are provided the
>      user is still prompted for the password to generate the master key
>      and the password for the administrative principal, unless the -p
>      pwfile option was provided.
>
>      The utility needs to be run as root on the server from which it is
>      invoked. Note that kdcmgr requires the user to enter sensitive
>      information, such as the password used to generate the database's
>      master key and the password for the administrative principal. Great
>      care must be taken to ensure that the connection to the server is
>      secured over the network, by using a protocol such as ssh.
>
>      Great care must also be taken when selecting the administrative and
>      master key passwords. They should be based off of non-dictionary
>      words and a long string of characters consisting of all of the
>      following character classes:
>
>           Special characters (e.g. !...@#$%^&*)
>           Numerals (0-9)
>           Upper case letters
>           Lower case letters
>
> OPTIONS
>      -a admprincipal
>
>           When creating a master KDC, the -a argument specifies the
>           administrative principal, admprincipal, that will be created.
>
>           When creating a slave KDC, admprincipal is used to authenticate
>           as the administrative principal.
>
>           If -a is not specified then the suggested default administrative
>           principal name would be the output of logname(1) concatenated with
>           "/admin".
>
>      -e enctype
>
>           Specifies the encryption type to be used when creating the key for
>           the master key, which is used to encrypt all principal keys in the
>           database. The set of valid encryption types used here are described
>           in krb5.conf(4) under the permitted_enctypes option.
>           Note that the encryption type specified here must be supported on
>           all KDCs or else they will not be able to decrypt any of the
>           principal keys. Solaris 9 or earlier releases only support the
>           des-cbc-crc encryption type for the master key. Therefore if any
>           of the master or slave KDCs are of these older releases then
>           "-e des-cbc-crc" would need to be specified on all KDCs configured
>           with kdcmgr.
>
>           The default encryption type is aes128-cts-hmac-sha1-96.
>
>      -h
>
>           Prints out the usage information for the kdcmgr utility.
>
>      -p pwfile
>
>           Provides the location of the password file that contains the password
>           used to create the administrative principal and/or master key.
>
>           WARNING: This option should be used with great care to make sure
>           that this pwfile is accessible only by the root user and on a
>           local file system. Once the KDC has been configured removal of
>           the file should be performed.
>
>      -r realm
>
>           Set the default realm for this server.
>
>           If the -r option is not specified then kdcmgr will attempt to
>           obtain the machine's local domain name by canonicalizing the
>           machine's host name through DNS and using the return value to
>           determine the domain name of the local machine. If successful
>           then the domain name will be upper cased and suggested as the
>           default realm name.
>
> SUBCOMMANDS
>      The following subcommands are supported:
>
>      create [ master ]
>      create [ -m masterkdc ] slave
>
>           Will create a KDC. If no option is specified an attempt to create
>           a master KDC will be made.
>
>      create [ master ]
>
>           Create a master KDC. Upon successful configuration the
>           krb5kdc(1M) and kadmind(1M) services are enabled on the machine.
>
>      create [ -m masterkdc ] slave
>
>           Configures a slave KDC. After configuration the krb5kdc(1M)
>           and kpropd(1M) services are enabled on the machine.
>
>           masterkdc specifies the master KDC to authenticate and perform
>           administrative tasks with. If -m is not provided the user
>           will be prompted for a master KDC host name to use.
>
>           Note that kdcmgr will need to be executed separately on each
>           of the slaves using kdcmgr's "create slave" subcommand.
>
>      destroy
>
>           Remove all Kerberos configuration and database files associated
>           with the KDC server. A confirmation is required before these
>           files are deleted.
>
>      status
>
>           Determines the role of the KDC, master or slave, and outputs
>           this and the state of the associated processes, such as:
>
>                krb5kdc(1M)
>                kadmind(1M)
>                kpropd(1M)
>
>           The subcommand will also display information on incremental
>           propagation if the configuration has this enabled, and any
>           issues with any dependent files.
>
> EXAMPLES
>      Example 1: Setting up a master KDC
>
>      The following command will configure a master KDC with the
>      administrative principal user1/admin and with the EXAMPLE.COM
>      realm name:
>
>           $ kdcmgr -a user1/admin -r EXAMPLE.COM create
>
>      Note that a password will be required to assign to the user1/admin
>      principal that is created. The password for the master key will also
>      need to be provided.
>
>      Example 2: Setting up a slave KDC
>
>      The following command will configure a slave KDC, authenticate with the
>      administrative principal user1/admin, specify kdc1 as the master, and
>      use the EXAMPLE.COM realm name:
>
>           $ kdcmgr -a user1/admin -r EXAMPLE.COM create -m kdc1 slave
>
>      Note that the correct password for user1/admin will need to be entered
>      and that the master KDC would have already been created before this.
>      The correct password for the master key will also be required.
>
> FILES
>      /etc/krb5/krb5.conf
>           Main Kerberos configuration file.
>
>      /etc/krb5/kdc.conf
>           KDC configuration, used by both master and slave servers.
>
>      /etc/krb5/krb5.keytab
>           Default location of the local host's service keys.
>
>      /etc/krb5/kadm5.acl
>           Kerberos administrative access control list (ACL).
>
>      /etc/krb5/kadm5.keytab
>           Service keys specific to kadmind(1M).
>
>      /var/krb5/principal
>           Kerberos principal database.
>
>      /var/krb5/principal.kadm5
>           Kerberos policy database.
>
>      /etc/krb5/kpropd.acl
>           Used by slaves to indicate which server to receive updates from.
>
> ATTRIBUTES
>      See attributes(5) for descriptions of the following attributes:
>
>      ____________________________________________________________
>     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
>     |_____________________________|_____________________________|
>     | Availability                | SUNWkdcu                    |
>     |_____________________________|_____________________________|
>     | Interface Stability         | See below                   |
>     |_____________________________|_____________________________|
>
>      The command line interface (CLI) is Uncommitted. The CLI output is Not
>      an Interface.
>
> SEE ALSO
>      krb5.conf(4), kdc.conf(4), krb5kdc(1M), kpropd(1M), kadmind(1M),
>      kdb5_util(1M), kadmin(1M), kadmin.local(1M), svcadm(1M), dig(1M),
>      ping(1M)
>
> INTERFACE STABILITY AND RELEASE BINDINGS
> ----------------------------------------
>
>                          Interface Stability    Release Binding
>
>      kdcmgr(1M)          Committed              micro/patch
>
> 6. Resources and Schedule:
>     6.4. Product Approval Committee requested information:
>         6.4.1. Consolidation C-team Name: ON
>     6.5. ARC review type: FastTrack
>
>
> 6. Resources and Schedule
>     6.4. Steering Committee requested information
>         6.4.1. Consolidation C-team Name:
>             ON
>     6.5. ARC review type: FastTrack

-- 
Stacey Jonathan Marshall.  Solaris Revenue Product Engineering, EMEA
Sun Microsystems Limited.  +44-(0)1252-426106 (x26106)
---------------------------------------------------------------------
http://blogs.sun.com/ace
---------------------------------------------------------------------
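Two of the pre-flight checks the quoted man page asks the administrator to make (that the -p pwfile is reachable only by root, and that the master-key and admin passwords cover all four listed character classes), written as an added POSIX sh example; this is not kdcmgr's own code or anything from the proposal, and the 12-character minimum, the optional UID argument and the sample passwords are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: the pwfile and password checks described in the kdcmgr(1M)
# man page, as POSIX sh functions. Illustrative only; not kdcmgr itself.
LC_ALL=C; export LC_ALL          # keep [A-Z]/[a-z] ranges ASCII-only

MINLEN=${MINLEN:-12}             # assumed minimum length; the page gives none

# check_pwfile FILE [UID]: succeed only if FILE is a regular file owned by UID
# (default 0, root) with no group/other permission bits, as the -p WARNING
# requires. Uses POSIX `ls -n` so it works on Solaris and Linux alike.
# The "local file system" part of the warning is site-specific and not checked.
check_pwfile() {
    _f=$1 _want=${2:-0}
    [ -f "$_f" ] || { echo "pwfile: $_f is not a regular file" >&2; return 1; }
    set -- $(ls -n "$_f")        # $1 = mode string, $3 = numeric owner uid
    _mode=$1 _uid=$3
    [ "$_uid" = "$_want" ] ||
        { echo "pwfile: owned by uid $_uid, expected $_want" >&2; return 1; }
    case "${_mode#????}" in      # drop type + owner bits, keep group/other
        ------*) ;;
        *) echo "pwfile: mode $_mode grants group/other access" >&2; return 1 ;;
    esac
    return 0
}

# check_password STR: succeed only if STR has at least MINLEN characters and
# contains every class listed under DESCRIPTION: special, numeral, upper, lower.
# (The "non-dictionary words" rule needs a word list and is not checked here.)
check_password() {
    _p=$1 _missing=""
    [ ${#_p} -ge "$MINLEN" ] || _missing="$_missing length<$MINLEN"
    case "$_p" in *[!A-Za-z0-9]*) ;; *) _missing="$_missing special" ;; esac
    case "$_p" in *[0-9]*) ;;        *) _missing="$_missing numeral" ;; esac
    case "$_p" in *[A-Z]*) ;;        *) _missing="$_missing upper"   ;; esac
    case "$_p" in *[a-z]*) ;;        *) _missing="$_missing lower"   ;; esac
    [ -z "$_missing" ] || { echo "password rejected:$_missing" >&2; return 1; }
    return 0
}

# Constructed sample inputs (not from the page): too short, one class only, ok.
for p in 'Tr0ub4dor&3' 'correcthorsebattery' 'Xk9$mQ2!vLp7'; do
    if check_password "$p" 2>/dev/null; then echo "accepted: $p"; else echo "rejected: $p"; fi
done
```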
