path: root/crypto/kerberosIV/man/kerberos.8
blob: 0ad1a4ac92d3cd2b98b06fd74a8bf776dcb2ef9d (plain)
.\" $Id: kerberos.8,v 1.4 1997/09/26 17:55:23 joda Exp $
.\"
.Dd September 26, 1997
.Dt KERBEROS 8
.Os KTH-KRB
.Sh NAME
.Nm kerberos
.Nd the kerberos daemon
.Sh SYNOPSIS
.Nm
.Op Fl mns
.Op Fl a Ar max age
.Op Fl i Ar address
.Op Fl l Ar log
.Op Fl p Ar pause
.Op Fl P Ar portspec
.Op Fl r Ar realm
.Op Ar database
.Sh DESCRIPTION
This is the
.Nm
daemon.
.Pp
Options:
.Bl -tag -width indent
.It Fl a
Set the
.Ar max age
before the database is considered stale.
.It Fl i
Only listen on 
.Ar address .
Normally, the kerberos server listens on all addresses of all
interfaces.
.It Fl l
Write the log to
.Ar log
.It Fl m
Run manually and prompt for master key.
.It Fl n
Do not check max age. 
.It Fl p
Pause for
.Ar pause
before dying.
.It Fl P
Listen to the ports specified by
.Ar portspec .
This should be a white-space separated list of port specifications. A
port specification follows the format:
.Ar port Ns Op / Ns Ar protocol .
The
.Ar port
can be either a symbolic port name (from
.Pa /etc/services ) ,
or a number;
.Ar protocol
can be either
.Li udp ,
or
.Li tcp .
If left out, the KDC will listen to both UDP and TCP sockets on the
specified port.
.br
The special string
.Li +
means that the default set of ports (TCP and UDP on ports 88 and 750)
should be included.
.It Fl r
Run as a server for realm
.Ar realm
.It Fl s
Set slave parameters.  This enables a check to see if the data is
getting too stale relative to the master.
.El
.Pp
If no
.Ar database
is given a default database will be used, normally
.Pa /var/kerberos/principal .
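The following is an added example, not code from KTH-KRB: it expands a
.Fl P
port specification as described above (white-space separated items of the form port[/protocol], "+" for the default set) into the set of (port, protocol) sockets the KDC would open, rejecting malformed items. Symbolic names are resolved with Python's socket.getservbyname, which consults the system services database.

```python
import socket

# Default set selected by "+" in a -P portspec: TCP and UDP on ports 88 and 750.
DEFAULT_PORTS = frozenset((p, proto) for p in (88, 750) for proto in ("udp", "tcp"))
PROTOCOLS = ("udp", "tcp")

def resolve_port(port, proto):
    """Turn a numeric or symbolic (/etc/services) port into an int; ValueError if bad."""
    if port.isdigit():
        n = int(port)
        if not 0 < n < 65536:
            raise ValueError("port out of range: %s" % port)
        return n
    try:
        return socket.getservbyname(port, proto)
    except OSError:
        raise ValueError("unknown service name: %s/%s" % (port, proto))

def parse_portspec(spec):
    """Expand a -P portspec into the set of (port, protocol) sockets the KDC would open."""
    sockets = set()
    for item in spec.split():
        if item == "+":
            sockets |= DEFAULT_PORTS
            continue
        port, sep, proto = item.partition("/")
        if not port:
            raise ValueError("missing port in %r" % item)
        if sep and proto not in PROTOCOLS:
            raise ValueError("protocol must be udp or tcp: %r" % item)
        # No "/protocol" given: the KDC listens on both UDP and TCP for that port.
        for p in ((proto,) if sep else PROTOCOLS):
            sockets.add((resolve_port(port, p), p))
    return sockets
```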
.Sh DIAGNOSTICS
The server logs several messages in a log file
.Pf ( Pa /var/run/kerberos.log
by default).  The logging mechanism opens and closes the log file for
each message, so you can safely rename the log file when the server is
running.
.Ss Operational messages
These are normal messages that you will see in the log. They might be
followed by some error message.
.Bl -tag -width xxxxx
.It Li Getting key for Ar REALM
The server fetched the key for 
.Sq krbtgt.REALM
for the specific
realm. You will see this at startup, and for every attempt to use
cross realm authentication.
.It Xo Li Starting Kerberos for
.Ar REALM 
.Li (kvno Ar kvno )
.Xc
You will see this also if you start with
.Fl m .
.It Xo Li AS REQ 
.Ar name.instance@REALM 
.Li for 
.Ar sname.sinstance 
.Li from 
.Ar ip-number
.Xc
An initial (password authenticated) request was received.
.It Xo Li APPL REQ 
.Ar name.instance@REALM
.Li for 
.Ar sname.sinstance
.Li from Ar ip-number
.Xc
A tgt-based request for a ticket was made.
.El
.Ss Error messages
These messages reflect misconfigured clients, invalid requests, or
possibly attempted attacks.
.Bl -tag -width xxxxx
.It Li UNKNOWN Ar name.instance
The server received a request with an unknown principal. This is most
likely because someone typed the wrong name at a login prompt. It
could also be someone trying to get a list of possible users.
.It Xo Li Unknown realm Ar REALM 
.Li from Ar ip-number
.Xc
There isn't a principal for 
.Sq krbtgt.REALM
in the database.
.It Xo Li Can't hop realms: Ar REALM1 
.Li -> Ar REALM2
.Xc 
There was a request for a ticket for another realm.  This might be
because of a misconfigured client.
.It Li Principal not unique Ar name.instance
There is more than one entry for this principal in the database. This
is not very good.
.It Li Null key Ar name.instance
Someone tried to use a principal that for some reason doesn't have a
key.
.It Xo Li Incorrect master key version for 
.Ar name.instance
.Li : Ar number 
.Li (should be Ar number )
.Xc
The principal has its key encrypted with the wrong master key.
.It Xo Li Principal Ar name.instance 
.Li expired at Ar date
.Xc
The principal's key has expired.
.It Li krb_rd_req from Ar ip-number : error-message
The message couldn't be decoded properly. The error message will give
you further hints. You will see this if someone is trying to use
expired tickets.
.It Xo Li Unknown message type: Ar number 
.Li from Ar ip-number
.Xc
The message received was not one that is understood by this server.
.It Li Can't authorize password changed based on TGT
Someone tried to get a 
.Sq changepw.kerberos
via a tgt exchange. This is
because of a broken client, or possibly an attack.
.It Li KRB protocol version mismatch ( Ar number )
The server received a request with an unknown version number.
.El
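As an added example (not part of KTH-KRB), the classifier below recognises the operational and error messages listed above and derives the two signals this page itself points at: many distinct UNKNOWN principals (someone possibly listing users) and a changepw request made via a TGT (a broken client or possibly an attack). The sample lines and their timestamp prefix are constructed, not real KDC output.

```python
import re
from collections import Counter

# Message shapes from the kerberos(8) DIAGNOSTICS section (op = operational, err = error);
# re.search is used so that an assumed leading timestamp in the real log does not matter.
PATTERNS = [
    ("op", "as_req", re.compile(r"AS REQ (\S+) for (\S+) from (\S+)")),
    ("op", "appl_req", re.compile(r"APPL REQ (\S+) for (\S+) from (\S+)")),
    ("err", "unknown", re.compile(r"UNKNOWN (\S+)")),
    ("err", "unknown_realm", re.compile(r"Unknown realm (\S+) from (\S+)")),
    ("err", "rd_req", re.compile(r"krb_rd_req from (\S+): (.*)")),
    ("err", "changepw_tgt", re.compile(r"Can't authorize password changed based on TGT")),
]

def parse_line(line):
    """Return (category, kind, captured fields) for a known message, else None."""
    for cat, kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return cat, kind, m.groups()
    return None

def summarize(lines, enum_threshold=5):
    """Count message kinds and derive the flags the man page hints at."""
    kinds, errors, unknown_principals = Counter(), 0, set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        cat, kind, fields = parsed
        kinds[kind] += 1
        errors += (cat == "err")
        if kind == "unknown":
            unknown_principals.add(fields[0])
    flags = []
    # Many distinct unknown principals: the page says this may be someone listing users.
    if len(unknown_principals) >= enum_threshold:
        flags.append("possible_user_enumeration")
    # The page says this message comes from a broken client or possibly an attack.
    if kinds["changepw_tgt"]:
        flags.append("changepw_via_tgt")
    return {"kinds": dict(kinds), "errors": errors,
            "unknown_principals": sorted(unknown_principals), "flags": flags}

# Constructed sample lines (not real KDC output); the timestamp prefix is an assumption.
SAMPLE = """\
Sep 26 17:55:24 AS REQ joda.admin@EXAMPLE.ORG for krbtgt.EXAMPLE.ORG from 10.0.0.5
Sep 26 17:55:30 UNKNOWN root.admin
Sep 26 17:55:32 krb_rd_req from 10.0.0.9: Ticket expired
Sep 26 17:55:33 Can't authorize password changed based on TGT
""".splitlines()
```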
.Ss Fatal error messages
The following messages indicate problems when starting the server.
.Bl -tag -width xxxxx
.It Li Database unavailable!
There was some problem reading the database.
.It Li Database currently being updated!
Someone is currently updating the database (possibly via kprop).
.It Li Database out of date!
The database is older than the maximum age specified.
.It Li Couldn't get master key.
The master key file wasn't found or the file is damaged.
.It Li Can't verify master key.
The key in the keyfile doesn't match the current database.
.It Li Ticket granting ticket service unknown
The database doesn't contain a 
.Sq krbtgt.REALM
for the local realm.
.El
.Sh SEE ALSO
.Xr kprop 8 ,
.Xr kpropd 8