Kerberos is a popular protocol used for network authentication. Most modern operating systems as well as AIX® support Kerberos-based (Version 5) authentication. The IBM® version of Kerberos is called IBM Network Authentication Service (IBM NAS), and it can be installed from AIX 5.3 Expansion Pack CDs. IBM NAS for AIX supports both Kerberos clients and Kerberos servers and is used extensively in various AIX components, including:
- AIX Network File System (NFS) Version 4
- OpenSSH
- Integrated login on AIX
- AIX telnet
- AIX rlogin commands
It's also used by enterprises having solutions based on the IBM DB2® Universal Database® (DB2 UDB) for the AIX platform. Principals and policies are the main administrative entities in a Kerberos setup.
This article introduces the fundamentals of Kerberos policy management provided by IBM NAS. It explains the importance of IBM NAS policies and illustrates the usage of all the policy management commands that help you apply the desired policies to your Kerberos realms.
Setting rules for password management is a key aspect of security-based solutions, and many guidelines and standards for security compliance state it as a mandatory requirement. IBM NAS provides policies that help set rules on password management for the Kerberos protocol. IBM NAS policies are nothing more than password policies that administer the password rules. These policies, when applied to an IBM NAS principal, control the manner in which the principal's password works.
In a typical Kerberos environment, where thousands of Kerberos principals must be maintained, managing principals becomes a cumbersome task. Administrators are often required to have a different set of rules for different groups of principals. There is also a constant need to deal with expired passwords, follow a strict corporate password policy, or protect users from choosing a password that is easily compromised.
All the above tasks can easily be carried out by the use of NAS policies. Administrators are only required to create various Kerberos policies according to the organization's requirements (preferably before creating the principals), and then assign these policies when needed to the Kerberos principals.
IBM NAS policies: Creation and modification
Policy creation is generally a one-time activity if the organization's password policy is set. Once created, these policies can be very useful to administrators whose production environment requires a variety of password rules for a variety of principals. Policies can be created, modified, deleted, backed up, and restored by using various commands provided by IBM NAS. To execute the principal and policy management commands, IBM NAS ships two utilities, kadmin and kadmin.local. These interfaces are required to carry out the IBM NAS administration tasks. For more information on kadmin and kadmin.local, see the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.
The key aspect to understand is that the IBM NAS policy helps manage the following password attributes:
- The maximum lifetime of a password.
- The minimum lifetime of a password.
- The minimum length of a password.
- The number of character classes in a password.
- The number of past keys kept for a principal.
To create a policy, use the kadmin (or
kadmin.local) add_policy
command. This command requires the add administrative
privilege. An alias for this command is addpol:
Syntax: add_policy [options] <policy_name>
To modify attributes of a policy, use the kadmin (or
kadmin.local) modify_policy
command. This command requires the modify
administrative privilege. An alias for this command is
modpol:
Syntax: modify_policy [options] <policy_name>
The [options] can take the following attributes:
- -maxlife <time>: Sets the maximum lifetime of a password to <time>. Its default value is zero.
- -minlife <time>: Sets the minimum lifetime of a password to <time>. Its default value is zero.
- -minlength <length>: Sets the minimum length of a password to <length> characters. Its default value is one.
- -minclasses <number>: Sets the number of character classes in a password to <number>. It must be an integer between one and five. Its default value is one.
- -history <number>: Sets the number of past keys kept for a principal to <number>. Its default value is one.
The following example shows how to create and run a new policy,
once-a-min, with a maximum and minimum password
lifetime of one minute.
kadmin: add_policy -maxlife "1 min" -minlife "1 min" once-a-min
Create a principal called one-minute-sandy and assign
the policy that you created to that principal (see the
IBM NAS policies: Listing, retrieval, and deletion
section for details on assigning a policy to principal).
kadmin: add_principal -policy once-a-min one-minute-sandy
Enter password for principal "one-minute-sandy@ISL.IN.IBM.COM":
Re-enter password for principal "one-minute-sandy@ISL.IN.IBM.COM":
Principal "one-minute-sandy@ISL.IN.IBM.COM" created.
kadmin: q
To acquire the Kerberos credential for this principal, use the kinit command, and list the acquired credentials using the klist command. If you try to acquire the credential using the same principal after one minute, IBM NAS prompts you to change the password because, according to the principal's policy, the password has already expired.
$ kinit one-minute-sandy
Password for one-minute-sandy@ISL.IN.IBM.COM:
$ klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: one-minute-sandy@ISL.IN.IBM.COM
Valid starting Expires Service principal
07/26/07 06:38:33 07/27/07 06:38:30 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
$ date
Thu Jul 26 06:38:44 WDT 2007
$ date
Thu Jul 26 06:39:47 WDT 2007
$ kinit one-minute-sandy
Password for one-minute-sandy@ISL.IN.IBM.COM:
Password expired. You must change it now.
Enter new password:
Enter it again:
$ klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: one-minute-sandy@ISL.IN.IBM.COM
Valid starting Expires Service principal
07/26/07 06:40:17 07/27/07 06:40:17 krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
When a principal is associated with a password policy, the policy attributes start managing the principal's password immediately. If somebody tries to change the password of this principal, they need to satisfy all the policy attribute restrictions before they can change the password.
IBM NAS policies: Listing, retrieval, and deletion
You can retrieve a list of policies with the
kadmin list_policies command, which requires the
list administrative privilege.
Syntax: list_policies [expression]
The [expression] is a shell-style global expression
that can contain the characters *, ?, and []. All policy names matching the
expression are displayed. The list_policies command has
the aliases listpols,
get_policies, and getpols.
The following example shows the use of list_policies and get_policies:
kadmin: list_policies
admins
default
guest
once-a-min
kadmin: get_policies *a*
admins
default
once-a-min
To retrieve a policy from the IBM NAS database, use the
get_policy kadmin command. The policies are stored with
the other principals in the IBM NAS principal database. The alias for
get_policy is getpol. It
requires the inquire administrative privilege:
Syntax: get_policy [-terse] <policy_name>
kadmin: add_policy -maxlife "1 day" -minlife "1 hour" -minlength "4" guest
kadmin: get_policy guest
Policy: guest
Maximum password life: 86400
Minimum password life: 3600
Minimum password length: 4
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
The maximum and minimum password life is shown in seconds. You can also see the default values for character class, key history, and reference count. The reference count is the number of principals using that policy.
Note: If an LDAP directory is used to store IBM NAS authentication data, then the reference count is always equal to zero.
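The get_policy listing lends itself to an automated review of every policy in a realm. The following Python script is an added example, not part of the original article or of IBM NAS: it parses saved get_policy output and flags settings below a baseline. The baseline thresholds are assumptions; the two sample policies use the values shown in this article's listings.

```python
# Labels exactly as kadmin get_policy prints them in this article.
FIELDS = {
    "Maximum password life": "maxlife",
    "Minimum password life": "minlife",
    "Minimum password length": "minlength",
    "Minimum number of password character classes": "minclasses",
    "Number of old keys kept": "history",
    "Reference count": "refcount",
}

# Assumed site baseline (not from the article): 90-day maximum life,
# 8 characters, 2 character classes, 3 keys of history.
BASELINE = {"maxlife": 90 * 86400, "minlength": 8, "minclasses": 2, "history": 3}


def parse_policies(text):
    """Split concatenated get_policy output into one dict per policy."""
    policies, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Policy" and sep:
            current = {"name": value}
            policies.append(current)
        elif current is not None and key in FIELDS and value.isdigit():
            current[FIELDS[key]] = int(value)
    return policies


def audit(policy, baseline=BASELINE):
    """Return findings for one policy; an empty list means it meets the baseline."""
    missing = [f for f in FIELDS.values() if f not in policy]
    if missing:
        return ["incomplete record, missing: " + ", ".join(missing)]
    findings = []
    if policy["maxlife"] == 0:
        # The tester/del-me listing in the article shows the effect:
        # "Password expiration date: [none]".
        findings.append("maxlife is 0: passwords under this policy never expire")
    elif policy["maxlife"] > baseline["maxlife"]:
        findings.append("maxlife %d exceeds baseline %d"
                        % (policy["maxlife"], baseline["maxlife"]))
    if policy["minlife"] == 0:
        findings.append("minlife is 0: key history can be cycled through immediately")
    for field in ("minlength", "minclasses", "history"):
        if policy[field] < baseline[field]:
            findings.append("%s %d is below baseline %d"
                            % (field, policy[field], baseline[field]))
    return findings


def report(text):
    """Map each policy name to its list of findings."""
    return {p["name"]: audit(p) for p in parse_policies(text)}


# Sample input: get_policy output with the values shown in this article.
SAMPLE = """\
kadmin: get_policy guest
Policy: guest
Maximum password life: 86400
Minimum password life: 3600
Minimum password length: 4
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
kadmin: get_policy del-me
Policy: del-me
Maximum password life: 0
Minimum password life: 0
Minimum password length: 1
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
"""

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "meets baseline")
```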
The get_policy command -terse option lists each field
as a quoted, tab-separated string.
For example:
kadmin: getpol -terse guest
"guest" 86400 3600 4 1 1 1
To delete a policy, use the kadmin delete_policy
command. This command requires the delete
administrative privilege. An alias for delete_policy is
delpol.
Syntax: delete_policy [-force] <policy_name>
The delete_policy command asks for confirmation before
deletion, unless you specify the -force option. You
must remove the policy from all principals before deleting it. The
delete_policy command fails if the policy is being used
by any principal. For examples of the delete_policy
command, see the
Principals and policies: Assignment and removal
section.
IBM NAS offers a default policy facility. The default policy acts as a placeholder for those principals whose policy is not decided at the time of creation. To use it, create a policy named default. Once created, this policy is automatically applied to a principal unless you specify another policy name or the -clearpolicy option during principal creation or modification. The default policy takes effect from the moment it is created.
The following examples show how to create a default policy and how it is assigned automatically. First, create a default policy:
kadmin: add_policy -maxlife "3 months" -minlife "1 day" -minlength "5" default
kadmin: get_policy default
Policy: default
Maximum password life: 7948800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0
Notice the minimum password length of five characters. Now try creating a principal without specifying any policy so that default policy will be applied, and give a three-character password:
kadmin: add_principal mack
NOTICE: no policy specified for mack@ISL.IN.IBM.COM;
assigning "default". Note that policy may be overridden by ACL restrictions.
Enter password for principal "mack@ISL.IN.IBM.COM": <<enter 3 characters here
Re-enter password for principal "mack@ISL.IN.IBM.COM": <<repeat
Unable to create principal "mack@ISL.IN.IBM.COM".
Status 0x29c2516 - Password is too short
In the above case, you are unable to create the principal because the default policy does not allow a password of fewer than five characters.
Now let's try to create a principal with a six-character password:
kadmin: add_principal mack_correct
NOTICE: no policy specified for mack_correct@ISL.IN.IBM.COM;
assigning "default". Note that policy may be overridden by ACL restrictions.
Enter password for principal "mack_correct@ISL.IN.IBM.COM": <<enter 6 characters here
Re-enter password for principal "mack_correct@ISL.IN.IBM.COM": <<repeat
Principal "mack_correct@ISL.IN.IBM.COM" created.
Since you are satisfying all the restrictions of the default policy, you are able to create the principal above.
If there is no default policy and no policy is specified while creating a principal, kadmin assigns no policy to that principal, which means that the principal is not governed by any policy. The following example shows an automatic no-policy assignment:
kadmin: add_principal john
WARNING: no policy specified for john@ISL.IN.IBM.COM;
defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Enter password for principal "john@ISL.IN.IBM.COM":
Re-enter password for principal "john@ISL.IN.IBM.COM":
Principal "john@ISL.IN.IBM.COM" created.
Principals and policies: Assignment and removal
You can assign policies to a new principal as well as existing principals.
Assigning a policy to a new principal
While creating the new principals, you can directly specify the policy with the
-policy option of the
add_principal command of
kadmin. For example, the following command assigns a
policy called guest_policy to the new
sachin/guest principal.
kadmin: add_principal -policy guest_policy sachin/guest
Enter password for principal "sachin/guest@ISL.IN.IBM.COM":
Re-enter password for principal "sachin/guest@ISL.IN.IBM.COM":
Principal "sachin/guest@ISL.IN.IBM.COM" created.
Assigning a policy to an existing principal
If the principal already exists, then you need to modify it to assign a desired
policy. Use the kadmin
modify_principal command (or alias
modprinc) with a -policy
option. In the following scenario, you assign the
admins policy to an existing
admin/sales principal.
First, let's see the current status of admin/sales. Notice Policy: [none] at the end.
kadmin: get_principal admin/sales
Principal: admin/sales@ISL.IN.IBM.COM
Expiration date: [never]
Last password change: Thu Jul 26 08:41:19 WDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 08:41:21 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt
Attributes:
REQUIRES_PRE_AUTH
Policy: [none]
Now, let's modify this principal using the
modify_principal command to assign the
admins policy and verify it by seeing the principal
details after that.
kadmin: modprinc -policy admins admin/sales
Principal "admin/sales@ISL.IN.IBM.COM" modified.
kadmin: get_principal admin/sales
Principal: admin/sales@ISL.IN.IBM.COM
Expiration date: [never]
Last password change: Thu Jul 26 08:41:19 WDT 2007
Password expiration date: Thu Jul 26 10:41:19 WDT 2007
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 08:41:54 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt
Attributes:
REQUIRES_PRE_AUTH
Policy: admins
Now the admins policy has been assigned to the
admin/sales principal.
Removing policy from principal and deleting policy
To remove a policy from a principal, use the
-clearpolicy option. For the
modify_principal command,
-clearpolicy removes the current policy from a
principal. For the add_principal command,
-clearpolicy suppresses the automatic assignment of the
default policy. The following example shows a policy removal and deletion. Here
you have a policy called del-me that's assigned to one
principal tester, and you will try to delete this
policy. First, list the details of the tester
principal:
kadmin: get_principal tester
Principal: tester@ISL.IN.IBM.COM
Expiration date: [never]
Last password change: Thu Jul 26 09:38:26 WDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 09:38:27 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt
Attributes:
REQUIRES_PRE_AUTH
Policy: del-me
Next, list the details of the del-me policy:
Policy: del-me
Maximum password life: 0
Minimum password life: 0
Minimum password length: 1
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
Notice the reference count, which is 1 at this time. Now try to delete this policy without removing it from the principal.
kadmin: delpol del-me
Are you sure you want to delete the policy "del-me"? (yes/no): yes
Unable to delete policy "del-me".
Status 0x29c251b - Policy is in use.
You are getting this error because the del-me policy
is being used by the tester principal. Now remove the
policy from the tester principal:
kadmin: modprinc -clearpolicy tester
Principal "tester@ISL.IN.IBM.COM" modified.
kadmin: get_principal tester
Principal: tester@ISL.IN.IBM.COM
Expiration date: [never]
Last password change: Thu Jul 26 09:38:26 WDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 09:44:07 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
REQUIRES_PRE_AUTH
Policy: [none]
Now let's see what the del-me policy looks
like:
kadmin: getpol del-me
Policy: del-me
Maximum password life: 0
Minimum password life: 0
Minimum password length: 1
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0
Notice that the reference count is now showing zero. Once again, try to delete the policy:
kadmin: delpol del-me
Are you sure you want to delete the policy "del-me"? (yes/no): yes
Now the policy has been deleted successfully.
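Before running delete_policy, it helps to know which principals still reference the policy, particularly with an LDAP back end, where the reference count always reads zero. The following Python script is an added example, not part of the original article or of IBM NAS: it parses saved get_principal output and reports the principals blocking a deletion, principals governed by no policy, and principals whose password never expires. The sample input is abridged from the listings in this article; the record for john is constructed.

```python
def parse_principals(text):
    """Map each principal to its policy and password expiry.

    Reads concatenated get_principal output. If a principal appears more
    than once (for example before and after modprinc), the last record wins.
    """
    records, current = {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        value = value.strip()
        if not sep:
            continue
        if key == "Principal":
            current = records.setdefault(value, {"policy": None, "pw_expiry": None})
        elif current is not None and key == "Policy":
            current["policy"] = None if value == "[none]" else value
        elif current is not None and key == "Password expiration date":
            current["pw_expiry"] = None if value == "[none]" else value
    return records


def blockers(text, policy):
    """Principals that need modprinc -clearpolicy before delete_policy can succeed."""
    return sorted(p for p, r in parse_principals(text).items() if r["policy"] == policy)


def unmanaged(text):
    """Principals governed by no policy at all."""
    return sorted(p for p, r in parse_principals(text).items() if r["policy"] is None)


def never_expiring(text):
    """Principals whose password has no expiration date, with or without a policy."""
    return sorted(p for p, r in parse_principals(text).items() if r["pw_expiry"] is None)


# Sample input: abridged from this article's listings; john's record is constructed.
SAMPLE = """\
kadmin: get_principal tester
Principal: tester@ISL.IN.IBM.COM
Password expiration date: [none]
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Policy: del-me
kadmin: get_principal admin/sales
Principal: admin/sales@ISL.IN.IBM.COM
Password expiration date: [none]
Policy: [none]
kadmin: modprinc -policy admins admin/sales
Principal "admin/sales@ISL.IN.IBM.COM" modified.
kadmin: get_principal admin/sales
Principal: admin/sales@ISL.IN.IBM.COM
Password expiration date: Thu Jul 26 10:41:19 WDT 2007
Policy: admins
kadmin: get_principal john
Principal: john@ISL.IN.IBM.COM
Password expiration date: [none]
Policy: [none]
kadmin: get_principal sachin/guest
Principal: sachin/guest@ISL.IN.IBM.COM
Password expiration date: Fri Jul 27 08:26:07 WDT 2007
Policy: guest
"""

if __name__ == "__main__":
    print("blocks delete_policy del-me:", blockers(SAMPLE, "del-me"))
    print("no policy:", unmanaged(SAMPLE))
    print("password never expires:", never_expiring(SAMPLE))
```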
NAS Policies: Backup and restore
Backing up IBM NAS policies (Legacy database only)
NAS policies are stored along with IBM NAS principal information in the NAS principal database. For disaster recovery, you need to back up the NAS database to a backup file. To take the backup, use the /usr/krb5/sbin/kdb5_util dump command:
Syntax: $kdb5_util dump [-verbose] [<filename> [<principals>]]
For example, to back up the whole database to a
total_backup file, use the following command:
$kdb5_util dump -verbose total_backup
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
admins
default
guest
once-a-min
The kdb5_util dump command also creates an additional
file named total_backup.dump_ok.
Notice that this command has backed up all the principals as well as policies.
The -verbose option lists whatever is being backed up
on the console. The kdb5_util dump command always dumps
all the policies, even if you try to dump only a few principals.
For example:
$kdb5_util dump -verbose dumpfile sachin/guest@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
admin
default
del-me
guest
once-a-min
In this command, even though only one principal was specified, it has dumped all the policies.
Restoring IBM NAS policies (Legacy database only)
To restore the IBM NAS database information from a backup file, use the
/usr/krb5/sbin/kdb5_util load command:
Syntax: kdb5_util load [-verbose] [-update] <filename>
If you do not specify the -update option, the
existing IBM NAS principal database is replaced by the specified dump file. Make
sure you have specified the -update option while
restoring, unless you are sure you want to purge the current database.
The following example shows a backup and restore of the IBM NAS policies. In this scenario, you take a backup of the sachin/guest principal. After that, you delete the principal and its policy, and then try to restore them from the backed-up dump file.
First, list the sachin/guest principal:
kadmin: get_principal sachin/guest
Principal: sachin/guest@ISL.IN.IBM.COM
Expiration date: [never]
Last password change: Thu Jul 26 08:26:07 WDT 2007
Password expiration date: Fri Jul 27 08:26:07 WDT 2007
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 08:26:08 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt
Attributes:
REQUIRES_PRE_AUTH
Policy: guest
List the policy named guest, which is associated with
the sachin/guest principal:
kadmin: getpol guest
Policy: guest
Maximum password life: 86400
Minimum password life: 3600
Minimum password length: 4
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
Now create the backup:
$kdb5_util dump -verbose dumpfile sachin/guest@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
admin
default
del-me
guest
once-a-min
Delete the sachin/guest principal and the
guest policy:
kadmin: delprinc sachin/guest
Are you sure you want to delete the principal \
"sachin/guest@ISL.IN.IBM.COM"? (yes/no): yes
Principal "sachin/guest@ISL.IN.IBM.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: delpol guest
Are you sure you want to delete the policy "guest"? (yes/no): yes
To try to restore them from the dump file, enter:
$kdb5_util load -verbose -update dumpfile
sachin/guest@ISL.IN.IBM.COM stored.
Created policy admin.
Created policy default.
Created policy del-me.
Created policy guest.
Created policy once-a-min.
Enter the kadmin list_principals and getpols commands to see that the deleted entries in the database are recovered.
kadmin: list_principals
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
kadmin: getpols
admin
default
del-me
guest
once-a-min
Note: The backup and restoration described above is only available on IBM NAS with a legacy database. For more information on IBM NAS configuration with a legacy database and for backup and restoration of IBM NAS configured with LDAP, see the IBM NAS Version 1.4 Administration Guide, shipped with AIX Version 5.3 Expansion Pack CD.
IBM NAS policy management using GUI
The "IBM GUI-based administration tool for IBM NAS," available in IBM alphaWorks, assists administrators who prefer a GUI for executing the NAS principal and policy management commands listed so far. It does not cover policy backup and restore. Figure 1 provides a snapshot of the tool. (See the Resources section for additional information.)
Figure 1: Snapshot of IBM GUI-based administration tool for NAS
This article covered all the aspects and the related commands of Kerberos policy management provided by IBM NAS for AIX, which should help you with systems based on Kerberos authentication.
Learn
- Configuring AIX 5L for Kerberos-based authentication using IBM Network Authentication Service: This paper provides information on using Kerberos as an alternative authentication mechanism to AIX.
- "A Kerberos primer" (developerWorks, Nov 2001): This article introduces Kerberos technology and Distributed Computing Environment-based applications.
Get products and technologies
- Download the IBM GUI-based Administration Tool for Network Authentication Service and experience the GUI to perform the IBM NAS related administration tasks.
- AIX 5L Expansion Pack and Web Download Pack: Start downloading now.

Vipin Rathor, in his two years with IBM India Software Lab, has been working for IBM Network Authentication Service (IBM Kerberos) Development and Support activities. His areas of interest include Kerberos and LDAP integration, network security, authentication protocols, and PKI.

Sandeep Ramesh Patil works as an Advisory Software Engineer for the IBM India Software Labs. He has worked for IBM for the past six years, focusing on distributed technology including DCE, SARPC, and security products, such as the IBM Network Authentication Service (IBM Kerberos). He is currently developing new features and implementing security-related RFC for the IBM Network Authentication Service, along with its product support. Sandeep holds a Bachelor of Engineering degree in computer science from the University of Pune, India. You can contact him at rsandeep@in.ibm.com.





