G.3 Kerberos Password Agent

You must install the Kerberos Password Agent (KPA) and then load it on the eDirectory server where the Universal Password change occurs.

To start the KPA, enter kpa -l.

To stop the KPA, enter kpa -u.

The messages logged by the Password Agent are displayed when the Misc tag is enabled in ndstrace. The messages are also written to the log file configured for the eDirectory server.

IMPORTANT: The Kerberos Password Agent is not loaded automatically when the machine or eDirectory is restarted. You must load it manually (kpa -l) after every restart; until you do, Universal Password changes are not propagated to the Kerberos keys.

G.3.1 Generating Keys

The encryption types and salt type that the Kerberos Password Agent uses to generate the Kerberos keys from the Universal Password are chosen as follows:

  • If the principal already has Kerberos keys, the encryption and salt types used to generate the existing keys are reused to generate the new keys from the Universal Password.

  • If the principal does not yet have Kerberos keys, the default encryption and salt types configured for the realm are used for the key generation.

If no default key types are configured for the realm, the key types used are DES3-HMAC-SHA1:NORMAL and DES-CBC-CRC:NORMAL. Note that single DES is deprecated for Kerberos (RFC 6649) and triple DES and RC4-HMAC are deprecated as well (RFC 8429); configure the realm defaults to the AES types so that new principals do not fall back to these weak enctypes.

The following are the supported encryption and salt types:

Encryption Types

  • DES-CBC-CRC: DES cbc mode with CRC-32 (deprecated)

  • DES-CBC-MD4: DES cbc mode with RSA-MD4 (deprecated)

  • DES-CBC-MD5: DES cbc mode with RSA-MD5 (deprecated)

  • DES3-CBC-SHA1-KD: triple DES cbc mode with HMAC/sha1 (the same enctype as DES3-HMAC-SHA1 named above; deprecated)

  • AES128-CTS-HMAC-SHA1-96: AES with a 128-bit key in CTS mode, HMAC-SHA1 truncated to 96 bits (RFC 3962)

  • AES256-CTS-HMAC-SHA1-96: AES with a 256-bit key in CTS mode, HMAC-SHA1 truncated to 96 bits (RFC 3962)

  • RC4-HMAC: RC4 with HMAC-MD5 (RFC 4757; deprecated)

Salt Types

  • normal: default for Kerberos Version 5; the salt is the realm name followed by the principal name components

  • v4: the only type used by Kerberos Version 4; no salt (empty string)

  • norealm: same as the default, but without the realm information (principal name components only)

  • onlyrealm: uses only the realm name as the salt

  • special: only used in very special cases; not fully supported