summaryrefslogtreecommitdiffstats
path: root/crypto/kerberosIV/man/kerberos.8
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/kerberosIV/man/kerberos.8')
-rw-r--r--crypto/kerberosIV/man/kerberos.8192
1 files changed, 192 insertions, 0 deletions
diff --git a/crypto/kerberosIV/man/kerberos.8 b/crypto/kerberosIV/man/kerberos.8
new file mode 100644
index 0000000..5d89635
--- /dev/null
+++ b/crypto/kerberosIV/man/kerberos.8
@@ -0,0 +1,192 @@
+.\" $Id: kerberos.8,v 1.4 1997/09/26 17:55:23 joda Exp $
+.\"
+.Dd September 26, 1997
+.Dt KERBEROS 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kerberos
+.Nd The kerberos daemon
+.Sh SYNPOSIS
+.Nm
+.Op Fl mns
+.Op Fl a Ar max age
+.Op Fl i Ar address
+.Op Fl l Ar log
+.Op Fl p Ar pause
+.Op Fl P Ar portspec
+.Op Fl r Ar realm
+.Op Ar database
+.Sh DESCRIPTION
+This is the
+.Nm
+daemon.
+.Pp
+Options:
+.Bl -tag -width -ident
+.It Fl a
+Set the
+.Ar max age
+before the database is considered stale.
+.It Fl i
+Only listen on
+.Ar address .
+Normally, the kerberos server listens on all addresses of all
+interfaces.
+.It Fl l
+Write the log to
+.Ar log
+.It Fl m
+Run manually and prompt for master key.
+.It Fl n
+Do not check max age.
+.It Fl p
+Pause for
+.Ar pause
+before dying.
+.It Fl P
+Listen to the ports specified by
+.Ar portspec .
+This should be a white-space separated list of port specificatios. A
+port specification follows the format:
+.Ar port Ns Op / Ns Ar protocol .
+The
+.Ar port
+can be either a symbolic port name (from
+.Pa /etc/services), or a number;
+.Ar protocol can be either
+.Li udp ,
+or
+.Li tcp .
+If left out, the KDC will listen to both UDP and TCP sockets on the
+specified port.
+.br
+The special string
+.Li +
+mean that the default set of ports (TCP and UDP on ports 88 and 750)
+should be included.
+.It Fl r
+Run as a server for realm
+.Ar realm
+.It Fl s
+Set slave parameters. This will enable check to see if data is
+getting too stale relative to the master.
+.El
+
+If no
+.Ar database
+is given a default datbase will be used, normally
+.Pa /var/kerberos/principal .
+.Sh DIAGNOSTICS
+
+The server logs several messages in a log file
+.Pf ( Pa /var/run/kerberos.log
+by default). The logging mechanism opens and closes the log file for
+each message, so you can safely rename the log file when the server is
+running.
+.Ss Operational messages
+These are normal messages that you will see in the log. They might be
+followed by some error message.
+.Bl -tag -width xxxxx
+.It Li Getting key for Ar REALM
+The server fetched the key for
+.Sq krbtgt.REALM
+for the specific
+realm. You will see this at startup, and for every attempt to use
+cross realm authentication.
+.It Xo Li Starting Kerberos for
+.Ar REALM
+.Li (kvno Ar kvno )
+.Xc
+You will see this also if you start with
+.Fl m .
+.It Xo Li AS REQ
+.Ar name.instance@REALM
+.Li for
+.Ar sname.sinstance
+.Li from
+.Ar ip-number
+.Xc
+An initial (password authenticated) request was received.
+.It Xo Li APPL REQ
+.Ar name.instance@REALM
+.Li for
+.Ar sname.sinstance
+.Li from Ar ip-number
+.Xc
+A tgt-based request for a ticket was made.
+.El
+
+.Ss Error messages
+These messages reflects misconfigured clients, invalid requests, or
+possibly attepted attacks.
+.Bl -tag -width xxxxx
+.It Li UNKNOWN Ar name.instance
+The server received a request with an unknown principal. This is most
+likely because someone typed the wrong name at a login prompt. It
+could also be someone trying to get a list of possible users.
+.It Xo Li Unknown realm Ar REALM
+.Li from Ar ip-number
+.Xc
+There isn't a principal for
+.Sq krbtgt.REALM
+in the database.
+.It Xo Li Can't hop realms: Ar REALM1
+.Li -> Ar REALM2
+.Xc
+There was a request for a ticket for another realm. This might be
+because of a misconfigured client.
+.It Li Principal not unique Ar name.instance
+There is more than one entry for this principal in the database. This
+is not very good.
+.It Li Null key Ar name.instance
+Someone tried to use a principal that for some reason doesn't have a
+key.
+.It Xo Li Incorrect master key version for
+.Ar name.instance
+.Li : Ar number
+.Li (should be Ar number )
+.Xc
+The principal has it's key encrypted with the wrong master key.
+.It Xo Li Principal Ar name.instance
+.Li expired at Ar date
+.Xc
+The principal's key has expired.
+.It Li krb_rd_req from Ar ip-number : error-message
+The message couldn't be decoded properly. The error message will give
+you further hints. You will see this if someone is trying to use
+expired tickets.
+.It Xo Li Unknown message type: Ar number
+.Li from Ar ip-number
+.Xc
+The message received was not one that is understood by this server.
+.It Li Can't authorize password changed based on TGT
+Someone tried to get a
+.Sq changepw.kerberos
+via a tgt exchange. This is
+because of a broken client, or possibly an attack.
+.It Li KRB protocol version mismatch ( Ar number )
+The server received a request with an unknown version number.
+.El
+
+.Ss Fatal error messages
+The following messages indicate problems when starting the server.
+.Bl -tag -width xxxxx
+.It Li Database unavailable!
+There was some problem reading the database.
+.It Li Database currently being updated!
+Someone is currently updating the database (possibly via krop).
+.It Li Database out of date!
+The database is older than the maximum age specified.
+.It Li Couldn't get master key.
+The master key file wasn't found or the file is damaged.
+.It Li Can't verify master key.
+The key in the keyfile doesn't match the current databse.
+.It Li Ticket granting ticket service unknown
+The database doesn't contain a
+.Sq krbtgt.REALM
+for the local realm.
+.El
+
+.Sh SEE ALSO
+.Xr kprop 8 ,
+.Xr kpropd 8
OpenPOWER on IntegriCloud