
Kerberos policy management in IBM Network Authentication Service for AIX Version 5.3

Vipin Rathor, System Software Engineer, IBM Japan
Vipin Rathor, in his two years with IBM India Software Lab, has been working for IBM Network Authentication Service (IBM Kerberos) Development and Support activities. His areas of interest include Kerberos and LDAP integration, network security, authentication protocols, and PKI.
Sandeep Patil (rsandeep@in.ibm.com), Advisory Software Engineer, IBM, Software Group
Sandeep Ramesh Patil works as an Advisory Software Engineer for the IBM India Software Labs. He has worked for IBM for the past six years, focusing on distributed technology including DCE, SARPC, and security products, such as the IBM Network Authentication Service (IBM Kerberos). He is currently developing new features and implementing security-related RFC for the IBM Network Authentication Service, along with its product support. Sandeep holds a Bachelor of Engineering degree in computer science from the University of Pune, India. You can contact him at rsandeep@in.ibm.com.

Summary:  Use IBM® Network Authentication Service (IBM NAS) for AIX® to learn about Kerberos policy management for passwords, and get acquainted with anything and everything about IBM NAS policy. Also examine complete commands, examples, and scenarios to assist you in using the Kerberos password policy to its fullest.

Date:  11 Dec 2007
Level:  Intermediate

Introduction

Kerberos is a popular protocol used for network authentication. Most modern operating systems as well as AIX® support Kerberos-based (Version 5) authentication. The IBM® version of Kerberos is called IBM Network Authentication Service (IBM NAS), and it can be installed from AIX 5.3 Expansion Pack CDs. IBM NAS for AIX supports both Kerberos clients and Kerberos servers and is used extensively in various AIX components, including:

  • AIX Network File System (NFS) Version 4
  • OpenSSH
  • Integrated login on AIX
  • AIX telnet
  • AIX rlogin commands

It's also used by enterprises having solutions based on the IBM DB2® Universal Database® (DB2 UDB) for the AIX platform. Principals and policies are the main administrative entities in a Kerberos setup.

This article introduces the fundamentals of Kerberos policy management provided by IBM NAS. It explains the importance of IBM NAS policies and illustrates the usage of all policy management commands that help you apply the desired policies to your Kerberos realms.

Policies in IBM NAS

Setting rules for password management is a key aspect of security-based solutions, and it is stated as one of the mandatory requirements by many of the guidelines and standards for security compliance. IBM NAS provides policies that help set rules on password management for the Kerberos protocol. IBM NAS policies are nothing more than the password policies that administer the password rules. These policies, when applied to an IBM NAS principal, control the manner in which the principal's password works.

Typically, in a Kerberos environment where thousands of Kerberos principals must be maintained, management of principals becomes a cumbersome task. Administrators are often required to have a different set of rules for different groups of principals. There is also a constant need to deal with expired passwords, follow a strict corporate password policy, or protect users from choosing a password that is easily compromised.

All the above tasks can easily be carried out by the use of NAS policies. Administrators are only required to create various Kerberos policies according to the organization's requirements (preferably before creating the principals), and then assign these policies when needed to the Kerberos principals.

IBM NAS policies: Creation and modification

Policy creation is generally a one-time activity if the organization's password policy is set. Once created, these policies can be very useful to administrators whose production environment requires a variety of password rules for a variety of principals. Policies can be created, modified, deleted, backed up and restored by using various commands provided by IBM NAS. To execute the principal and policy management commands, IBM NAS ships two utilities, kadmin and kadmin.local. These interfaces are required to carry out the IBM NAS administration tasks. For more information on kadmin and kadmin.local, see the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.

The key aspect to understand is that the IBM NAS policy helps manage the following password attributes:

  • The maximum lifetime of a password.
  • The minimum lifetime of a password.
  • The minimum length of a password.
  • The number of character classes in a password.
  • The number of past keys kept for a principal.

To create a policy, use the kadmin (or kadmin.local) add_policy command. This command requires the add administrative privilege. An alias for this command is addpol:

Syntax: add_policy [options] <policy_name>

Note: For complete instructions on the IBM NAS policy naming convention, refer to the IBM NAS Version 1.4 Administration Guide, shipped with the AIX Version 5.3 Expansion Pack CD.

To modify attributes of a policy, use the kadmin (or kadmin.local) modify_policy command. This command requires the modify administrative privilege. An alias for this command is modpol:

Syntax: modify_policy [options] <policy_name>

The [options] can take the following attributes:

-maxlife <time>
Sets the maximum lifetime of a password to <time>. Its default value is zero.
-minlife <time>
Sets the minimum lifetime of a password to <time>. Its default value is zero.
-minlength <length>
Sets the minimum length of a password to <length> characters. Its default value is one.
-minclasses <number>
Sets the number of character classes in a password to <number>. It must be an integer between one and five. Its default value is one.
-history <number>
Sets the number of past keys kept for a principal to <number>. Its default value is one.

The following example shows how to create and run a new policy, once-a-min, with a maximum and minimum password lifetime of one minute.

kadmin:  add_policy -maxlife "1 min" -minlife "1 min" once-a-min

Create a principal called one-minute-sandy and assign the policy that you created to that principal (see the IBM NAS policies: Listing, retrieval, and deletion section for details on assigning a policy to principal).

kadmin:  add_principal -policy once-a-min one-minute-sandy
Enter password for principal "one-minute-sandy@ISL.IN.IBM.COM":
Re-enter password for principal "one-minute-sandy@ISL.IN.IBM.COM":
Principal "one-minute-sandy@ISL.IN.IBM.COM" created.
kadmin:  q

To acquire the Kerberos credential for this principal, use the kinit command and list the acquired credentials using the klist command. If you try to acquire the credential using the same principal after one minute, IBM NAS prompts you to change the password because, according to the principal's policy, the password has already expired.

$ kinit one-minute-sandy
Password for one-minute-sandy@ISL.IN.IBM.COM:

$ klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  one-minute-sandy@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
07/26/07 06:38:33  07/27/07 06:38:30  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM

$ date
Thu Jul 26 06:38:44 WDT 2007

$ date
Thu Jul 26 06:39:47 WDT 2007

$ kinit one-minute-sandy
Password for one-minute-sandy@ISL.IN.IBM.COM:
Password expired.  You must change it now.
Enter new password:
Enter it again:

$ klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  one-minute-sandy@ISL.IN.IBM.COM

Valid starting     Expires            Service principal
07/26/07 06:40:17  07/27/07 06:40:17  krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM

When a principal is associated with a password policy, the policy attributes start managing the principal's password immediately. If somebody tries to change the password of this principal, they need to satisfy all the policy attribute restrictions before they can change the password.

IBM NAS policies: Listing, retrieval, and deletion

You can retrieve a list of policies with the kadmin list_policies command, which requires the list administrative privilege.

Syntax: list_policies [expression]

The [expression] is a shell-style glob expression that can contain the characters *, ?, and []. All policy names matching the expression are displayed. The list_policies command has the aliases listpols, get_policies, and getpols.

The following example shows the use of the list_policies/get_policies:

kadmin:  list_policies
admins
default
guest
once-a-min

kadmin:  get_policies *a*
admins
default
once-a-min

To retrieve a policy from the IBM NAS database, use the kadmin get_policy command. Policies are stored alongside the principals in the IBM NAS principal database. The alias for get_policy is getpol. It requires the inquire administrative privilege:

Syntax: get_policy [-terse] <policy_name>

kadmin:  add_policy -maxlife "1 day" -minlife "1 hour" -minlength "4" guest

kadmin:  get_policy guest
Policy: guest
Maximum password life: 86400
Minimum password life: 3600
Minimum password length: 4
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1

The maximum and minimum password life is shown in seconds. You can also see the default values for character class, key history, and reference count. The reference count is the number of principals using that policy.

Note: If an LDAP directory is used to store IBM NAS authentication data, then the reference count is always equal to zero.

The get_policy command -terse option lists each field as a quoted, tab-separated string.

For example:

kadmin:  getpol -terse guest
"guest" 86400   3600    4       1       1       1
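
Because -terse gives one policy per line, the output is easy to check against a password baseline. The script below is an added example, not part of the original article: it audits terse lines, with the field order inferred from the guest output above. The baseline thresholds, the function names and every sample line except guest are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit `get_policy -terse` lines.
# Assumed field order, inferred from the article's verbose and terse output
# for "guest": name, maxlife, minlife, minlength, minclasses, history, refcount.
# Assumes policy names contain no whitespace.

# Assumed baseline; replace with your organization's values.
MAX_AGE_SECS=7776000   # 90 days
MIN_LENGTH=8
MIN_CLASSES=3
MIN_HISTORY=5

# Reads terse lines on stdin, prints one finding per line,
# returns 1 if any policy falls below the baseline.
audit_policy_terse() {
    awk -v max_age="$MAX_AGE_SECS" -v min_len="$MIN_LENGTH" \
        -v min_cls="$MIN_CLASSES" -v min_hist="$MIN_HISTORY" '
    function finding(msg) { printf "%s: %s\n", name, msg; bad = 1 }
    NF == 0 { next }
    NF != 7 {
        printf "line %d: expected 7 fields, got %d\n", NR, NF
        bad = 1
        next
    }
    {
        name = $1; gsub(/"/, "", name)
        maxlife = $2 + 0; minlife = $3 + 0
        # A maxlife of 0 is the add_policy default; the tester principal in
        # the article (policy del-me) shows "Password expiration date: [none]".
        if (maxlife == 0)
            finding("maxlife is 0, passwords never expire")
        else if (maxlife > max_age)
            finding("maxlife " maxlife "s exceeds " max_age "s")
        if (maxlife > 0 && minlife >= maxlife)
            finding("minlife " minlife "s leaves no window to change before expiry")
        if ($4 + 0 < min_len)
            finding("minlength " $4 " below " min_len)
        if ($5 + 0 < min_cls)
            finding("minclasses " $5 " below " min_cls)
        if ($6 + 0 < min_hist)
            finding("history " $6 " below " min_hist)
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: "guest" is the article's terse line; the others are the
# article's policies rewritten in terse form, plus a hypothetical "strict".
sample_policies() {
    printf '"guest"\t86400\t3600\t4\t1\t1\t1\n'
    printf '"default"\t7948800\t86400\t5\t1\t1\t0\n'
    printf '"once-a-min"\t60\t60\t1\t1\t1\t1\n'
    printf '"del-me"\t0\t0\t1\t1\t1\t0\n'
    printf '"strict"\t7776000\t86400\t12\t3\t5\t0\n'
}

sample_policies | audit_policy_terse || echo "one or more policies are below the baseline"
```

Feed it the saved output of getpol -terse for each name that list_policies returns.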

To delete a policy, use the kadmin delete_policy command. This command requires the delete administrative privilege. An alias for delete_policy is delpol.

Syntax: delete_policy [-force] <policy_name>

The delete_policy command asks for confirmation before deletion, unless you specify the -force option. You must remove the policy from all principals before deleting it. The delete_policy command fails if the policy is being used by any principal. For examples of the delete_policy command, see the Principals and policies: Assignment and removal section.

Default policy and no policy

IBM NAS offers a default policy facility. The default policy acts as a placeholder for those principals whose policy is not decided at the time of creation. To use it, create a policy named default. Once created, this policy is automatically applied to a principal unless you specify another policy name or the -clearpolicy option during principal creation or modification. The default policy is in effect from the moment it's created.

The following examples show how to create a default policy and auto-assignment. First, create a default policy:

kadmin:  add_policy -maxlife "3 months" -minlife "1 day" -minlength "5" default

kadmin:  get_policy default
Policy: default
Maximum password life: 7948800
Minimum password life: 86400
Minimum password length: 5
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0

Notice the minimum password length of five characters. Now try creating a principal without specifying any policy so that default policy will be applied, and give a three-character password:

kadmin:  add_principal mack
NOTICE: no policy specified for mack@ISL.IN.IBM.COM;
assigning "default". Note that policy may be overridden by ACL restrictions.
Enter password for principal "mack@ISL.IN.IBM.COM":            <<enter 3 characters here
Re-enter password for principal "mack@ISL.IN.IBM.COM":	        <<repeat
Unable to create principal "mack@ISL.IN.IBM.COM".
Status 0x29c2516 - Password is too short
            

In the above case, you are unable to create the principal because the default policy does not allow a password of fewer than five characters.

Now let's try to create a principal with a six-character password:

kadmin:  add_principal mack_correct
NOTICE: no policy specified for mack_correct@ISL.IN.IBM.COM;
assigning "default". Note that policy may be overridden by ACL restrictions.
Enter password for principal "mack_correct@ISL.IN.IBM.COM":    <<enter 6 characters here
Re-enter password for principal "mack_correct@ISL.IN.IBM.COM":  <<repeat
Principal "mack_correct@ISL.IN.IBM.COM" created.

Since you are satisfying all the restrictions of the default policy, you are able to create the principal above.

If there is no default policy and no policy is specified while creating a principal, kadmin assigns no policy to that principal, which means that the principal is not governed by any policy. The following example shows an automatic no-policy assignment:

kadmin:  add_principal john
WARNING: no policy specified for john@ISL.IN.IBM.COM;
defaulting to no policy. Note that policy may be overridden by ACL restrictions.
Enter password for principal "john@ISL.IN.IBM.COM":
Re-enter password for principal "john@ISL.IN.IBM.COM":
Principal "john@ISL.IN.IBM.COM" created.

Principals and policies: Assignment and removal

You can assign policies to a new principal as well as existing principals.

Assigning a policy to a new principal

When creating a new principal, you can directly specify the policy with the -policy option of the kadmin add_principal command. For example, the following command assigns a policy called guest_policy to the new sachin/guest principal.

kadmin:  add_principal -policy guest_policy sachin/guest
Enter password for principal "sachin/guest@ISL.IN.IBM.COM":
Re-enter password for principal "sachin/guest@ISL.IN.IBM.COM":
Principal "sachin/guest@ISL.IN.IBM.COM" created.

Assigning a policy to an existing principal

If the principal already exists, then you need to modify it to assign a desired policy. Use the kadmin modify_principal command (or alias modprinc) with a -policy option. In the following scenario, you assign the admins policy to an existing admin/sales principal.

First, let's see the current status of admin/sales. Notice Policy: [none] at the end.

kadmin:  get_principal admin/sales
Principal: admin/sales@ISL.IN.IBM.COM
Expiration date: [never]
Last password change:  Thu Jul 26 08:41:19 WDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 08:41:21 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt

Attributes:
 REQUIRES_PRE_AUTH
Policy: [none]
                

Now, let's modify this principal using the modify_principal command to assign the admins policy and verify it by seeing the principal details after that.

kadmin:  modprinc -policy admins admin/sales
Principal "admin/sales@ISL.IN.IBM.COM" modified.

kadmin:  get_principal admin/sales
Principal: admin/sales@ISL.IN.IBM.COM
Expiration date: [never]
Last password change:  Thu Jul 26 08:41:19 WDT 2007
Password expiration date: Thu Jul 26 10:41:19 WDT 2007
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 08:41:54 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt

Attributes:
 REQUIRES_PRE_AUTH
Policy: admins
                

Now the admins policy has been assigned to the admin/sales principal.

Removing policy from principal and deleting policy

To remove a policy from a principal, use the -clearpolicy option. For the modify_principal command, -clearpolicy removes the current policy from a principal. For the add_principal command, -clearpolicy suppresses the automatic assignment of the default policy. The following example shows a policy removal and deletion. Here you have a policy called del-me that's assigned to one principal tester, and you will try to delete this policy. First, list the details of the tester principal:

kadmin:  get_principal tester
Principal: tester@ISL.IN.IBM.COM
Expiration date: [never]
Last password change:  Thu Jul 26 09:38:26 WDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 09:38:27 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt

Attributes:
 REQUIRES_PRE_AUTH
Policy: del-me
                

Next, list the details of the del-me policy:

kadmin:  getpol del-me
Policy: del-me
Maximum password life: 0
Minimum password life: 0
Minimum password length: 1
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
                

Notice the reference count, which is 1 at this time. Now try to delete this policy without removing it from the principal.

kadmin:  delpol del-me
Are you sure you want to delete the policy "del-me"? (yes/no): yes
Unable to delete policy "del-me".
        Status 0x29c251b - Policy is in use.
                

You are getting this error because the del-me policy is being used by the tester principal. Now remove the policy from the tester principal:

kadmin:  modprinc -clearpolicy tester
Principal "tester@ISL.IN.IBM.COM" modified.

kadmin:  get_principal tester
Principal: tester@ISL.IN.IBM.COM
Expiration date: [never]
Last password change:  Thu Jul 26 09:38:26 WDT 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 09:44:07 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt

Attributes:
 REQUIRES_PRE_AUTH
Policy: [none]
                

Now let's see what the del-me policy looks like:

kadmin:  getpol del-me
Policy: del-me
Maximum password life: 0
Minimum password life: 0
Minimum password length: 1
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0
                

Notice that the reference count is now showing zero. Once again, try to delete the policy:

kadmin:  delpol del-me
Are you sure you want to delete the policy "del-me"? (yes/no): yes

Now the policy has been deleted successfully.
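
The reference count is the quick check before delete_policy, but the earlier note says it is always zero when LDAP stores the data, and the "no policy" case leaves principals outside any password rule. The script below is an added example, not from the original article: it derives both answers from saved get_principal output. The function names and the shortened sample transcript (including john's record, which the article does not show) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): map principals to policies from saved
# get_principal output, without relying on the policy reference count.

# Emit "policy<TAB>principal" for every record found on stdin.
policy_map() {
    awk '
    /^Principal: / { princ = $2 }
    /^Policy: / {
        pol = $0
        sub(/^Policy: */, "", pol)
        sub(/[ \t]+$/, "", pol)
        if (princ != "") printf "%s\t%s\n", pol, princ
        princ = ""
    }'
}

# Principals that no password policy governs ("Policy: [none]").
unmanaged_principals() {
    policy_map | awk -F '\t' '$1 == "[none]" { print $2 }'
}

# Principals that still hold policy $1.
principals_using() {
    policy_map | awk -F '\t' -v want="$1" '$1 == want { print $2 }'
}

# Returns 0 when no principal in the transcript uses policy $1;
# otherwise lists the holders on stderr and returns 1.
can_delete_policy() {
    users=$(principals_using "$1")
    if [ -n "$users" ]; then
        printf 'policy "%s" is still assigned to:\n%s\n' "$1" "$users" >&2
        return 1
    fi
    return 0
}

# Constructed transcript: records shortened from the article's output.
sample_transcript() {
    cat <<'EOF'
Principal: tester@ISL.IN.IBM.COM
Expiration date: [never]
Password expiration date: [none]
Attributes:
 REQUIRES_PRE_AUTH
Policy: del-me

Principal: john@ISL.IN.IBM.COM
Expiration date: [never]
Password expiration date: [none]
Attributes:
 REQUIRES_PRE_AUTH
Policy: [none]

Principal: sachin/guest@ISL.IN.IBM.COM
Expiration date: [never]
Password expiration date: Fri Jul 27 08:26:07 WDT 2007
Attributes:
 REQUIRES_PRE_AUTH
Policy: guest

Principal: mack_correct@ISL.IN.IBM.COM
Expiration date: [never]
Attributes:
 REQUIRES_PRE_AUTH
Policy: default
EOF
}

echo "Principals with no policy:"
sample_transcript | unmanaged_principals
sample_transcript | can_delete_policy del-me \
    || echo "del-me: clear it with modprinc -clearpolicy first"
```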

NAS Policies: Backup and restore

Backing up IBM NAS policies (Legacy database only)

NAS policies are stored along with IBM NAS principal information in the NAS principal database. For disaster recovery, you need to back up the NAS database to a backup file. To take the backup, use the /usr/krb5/sbin/kdb5_util dump command:

Syntax: $kdb5_util dump [-verbose] [<filename> [<principals>]]

For example, to back up the whole database to a total_backup file, use the following command:

$kdb5_util dump -verbose total_backup
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM
admins
default
guest
once-a-min

The kdb5_util dump command also creates an additional file named total_backup.dump_ok.

Notice that this command has backed up all the principals as well as policies. The -verbose option lists on the console whatever is being backed up. The kdb5_util dump command always dumps all the policies, even if you dump only a few principals.

For example:

$kdb5_util dump -verbose dumpfile sachin/guest@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
admin
default
del-me
guest
once-a-min

In this command, even though only one principal was specified, it has dumped all the policies.

Restoring IBM NAS policies (Legacy database only)

To restore the IBM NAS database information from a backup file, use the /usr/krb5/sbin/kdb5_util load command:

Syntax: kdb5_util load [-verbose] [-update] <filename>

If you do not specify the -update option, the existing IBM NAS principal database is replaced by the specified dump file. Make sure you have specified the -update option while restoring, unless you are sure you want to purge the current database.

The following example shows a backup and restore of the IBM NAS policies. In this scenario, you take a backup of the sachin/guest principal. After that, you delete the principal and its policy, and then try to restore them from the backed-up dump file.

First, list the sachin/guest principal:

kadmin: get_principal sachin/guest
Principal: sachin/guest@ISL.IN.IBM.COM
Expiration date: [never]
Last password change:  Thu Jul 26 08:26:07 WDT 2007
Password expiration date: Fri Jul 27 08:26:07 WDT 2007
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 26 08:26:08 WDT 2007 (admin/admin@ISL.IN.IBM.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1,
no salt
Key: vno 1, ArcFour with HMAC/md5,
no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC,
no salt
Key: vno 1, DES cbc mode with RSA-MD5,
no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC,
no salt

Attributes:
 REQUIRES_PRE_AUTH
Policy: guest
                

List the policy named guest, which is associated with the sachin/guest principal:

kadmin:  getpol guest
Policy: guest
Maximum password life: 86400
Minimum password life: 3600
Minimum password length: 4
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1

Now create the backup:

$kdb5_util dump -verbose dumpfile sachin/guest@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
admin
default
del-me
guest
once-a-min

Delete the sachin/guest principal and the guest policy:

kadmin:  delprinc sachin/guest
Are you sure you want to delete the principal \
     "sachin/guest@ISL.IN.IBM.COM"? (yes/no):  yes
Principal "sachin/guest@ISL.IN.IBM.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

kadmin:  delpol guest
Are you sure you want to delete the policy "guest"? (yes/no): yes

To try to restore them from the dump file, enter:

$kdb5_util load -verbose -update dumpfile
sachin/guest@ISL.IN.IBM.COM stored.
Created policy admin.
Created policy default.
Created policy del-me.
Created policy guest.
Created policy once-a-min.

Enter the kadmin list_principals and getpols commands to see that the deleted entries in the database are recovered.

kadmin:  list_principals
K/M@ISL.IN.IBM.COM
admin/admin@ISL.IN.IBM.COM
admin/sales@ISL.IN.IBM.COM
john@ISL.IN.IBM.COM
kadmin/admin@ISL.IN.IBM.COM
kadmin/changepw@ISL.IN.IBM.COM
kadmin/history@ISL.IN.IBM.COM
kadmin/huntcup.in.ibm.com@ISL.IN.IBM.COM
krbtgt/ISL.IN.IBM.COM@ISL.IN.IBM.COM
mack_correct@ISL.IN.IBM.COM
one-minute-sandy@ISL.IN.IBM.COM
sachin/guest@ISL.IN.IBM.COM
tester@ISL.IN.IBM.COM
vipin@ISL.IN.IBM.COM

kadmin:  getpols
admin
default
del-me
guest
once-a-min

Note: The backup and restoration described above is only available on IBM NAS with a legacy database. For more information on IBM NAS configuration with a legacy database and for backup and restoration of IBM NAS configured with LDAP, see the IBM NAS Version 1.4 Administration Guide, shipped with AIX Version 5.3 Expansion Pack CD.

IBM NAS policy management using GUI

The "IBM GUI-based administration tool for IBM NAS," available in IBM alphaWorks, provides assistance to administrators who prefer a GUI to execute all of the NAS principal and policy management commands listed so far. This does not apply to the policy backup and restore module. Figure 1 provides a snapshot of the tool. (See the Resources section for additional information.)


Figure 1: Snap-shot of 'IBM GUI-based Administration Tool for Network Authentication Service'

Conclusion

This article covered all the aspects and the related commands of Kerberos policy management provided by IBM NAS for AIX, which should help you with systems based on Kerberos authentication.

