Kerberos Password Agent
The Kerberos Password Agent (KPA) synchronizes the Kerberos password with the universal password, based on the configuration at the realm and user level. KPA must be installed on all the eDirectory servers with a writable replica of the Kerberos data that the users use to change passwords.
To start KPA, enter the following:
kpa -l
To stop KPA, enter the following:
kpa -u
The messages logged by the Password Agent are displayed when the Misc tag is enabled in ndstrace. In eDirectory 8.8, the messages are also written to the configured log file.
WARNING: The Kerberos Password Agent is not loaded automatically when the machine or eDirectory is restarted. It has to be loaded manually.
Key Generation
The encryption types and salt types used by the Kerberos Password Agent to generate the Kerberos keys from the universal password are based on the following:
- If the principal has Kerberos keys, the encryption and salt types used in generating the existing keys will be used to generate the new keys from the universal password.
- If the principal does not have the Kerberos password set, the realm configuration is used to determine the encryption and salt types to be used for key generation.
- The default encryption type or the supported encryption types (configured at the realm) are used, with the default type taking precedence over the supported types. If neither value is configured, the encryption type used is DES3-HMAC-SHA1.
- Similarly, for the salt type, the default salt type or the supported salt types (configured at the realm) are used, with the default type taking precedence over the supported types. If neither value is configured, the salt type used is NORMAL.
The following table illustrates some of the encryption and salt type combinations for the key generation:
Table 38. Key Generation Logic
| Default encryption type configured | Supported encryption types configured | Default salt type configured | Supported salt types configured | Keys generated |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | One key with default encryption type and default salt type. |
| No | Yes | No | Yes | Multiple keys with all the supported encryption types and supported salt types combinations. |
| No | No | No | No | One key with the DES3-HMAC-SHA1 encryption type and NORMAL salt type. |
| Yes | No | No | Yes | Multiple keys with the default encryption type and all the supported salt types combinations. |
| No | Yes | Yes | No | Multiple keys with all the supported encryption types and the default salt type combinations. |
For more information on the supported encryption and salt types, refer to Supported Encryption Types and Salt Types.
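The selection rules and Table 38 above can be modelled to predict which keys a password change will produce for a given realm configuration. This is an added example, not code from KPA or its vendor; the function and dictionary field names are hypothetical, and the `ENC_*` / `SALT_*` values are constructed placeholder type names.

```python
from itertools import product

# Fallbacks the page states for a realm that configures neither value.
FALLBACK_ENC = "DES3-HMAC-SHA1"
FALLBACK_SALT = "NORMAL"

def _choose(default, supported, fallback):
    """A configured default wins over the supported list; else the fallback."""
    if default:
        return [default]
    if supported:
        return list(supported)
    return [fallback]

def planned_keys(existing_keys, realm):
    """Predict the (enctype, salt type) pairs generated on a password change.

    existing_keys: pairs already stored on the principal (empty if none).
    realm: dict with optional default_enc, supported_enc, default_salt and
           supported_salt entries (hypothetical field names).
    """
    if existing_keys:
        # A principal that already has keys keeps the types of those keys.
        return list(dict.fromkeys(existing_keys))
    encs = _choose(realm.get("default_enc"), realm.get("supported_enc"), FALLBACK_ENC)
    salts = _choose(realm.get("default_salt"), realm.get("supported_salt"), FALLBACK_SALT)
    return list(product(encs, salts))

if __name__ == "__main__":
    # Constructed realm settings; ENC_* and SALT_* are placeholder type names.
    full = {"default_enc": "ENC_A", "supported_enc": ["ENC_A", "ENC_B"],
            "default_salt": "SALT_A", "supported_salt": ["SALT_A", "SALT_B"]}
    rows = {
        "all four set": full,
        "supported only": {k: v for k, v in full.items() if k.startswith("supported")},
        "nothing set": {},
        "default enc + supported salts": {"default_enc": "ENC_A", "supported_salt": full["supported_salt"]},
        "supported encs + default salt": {"supported_enc": full["supported_enc"], "default_salt": "SALT_A"},
    }
    for label, realm in rows.items():
        print(f"{label}: {planned_keys([], realm)}")
    print("existing keys:", planned_keys([("ENC_B", "SALT_B")], full))
```

Running the same function over an export of the real realm settings shows in advance whether an unconfigured realm will fall back to a single DES3-HMAC-SHA1 key.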