Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 7 Configuring the Primary and Secondary Security Server

Configuring the Primary Security Server


The following sections describe the initial configuration tasks you need to perform to get your primary and secondary security server up and running.

The primary security server requires the following basic configuration tasks:

  1. Execute the krb5_encrypt command to generate the master key.

    NOTE: If you have opted to configure your Kerberos with LDAP as the backend, specify the master key, generated by executing the krb5_encrypt command, in the proxy_user field in the krb5_ldap.conf file.
  2. “Create the Principal Database After Installation”

  3. “Add an Administrative Principal”

  4. “Create the host/<fqdn> Principal and Extract the Service Key”

  5. “Start the Kerberos Daemons”

  6. “Define Secondary Security Server Network Locations”

Create the Principal Database After Installation

If you choose not to create the principal database during installation, create it before configuring the security server. To create the principal database, execute the following command:

kdb_create -s

NOTE: The kdb_create command uses the 3DES encrypted database by default.

If you are using Kerberos server v2.0 or v3.0, and want to migrate the principal database to Kerberos server v3.12, see Chapter 3 “Migrating to a Newer Version of the Kerberos Server”.

Add an Administrative Principal

Use the HP Kerberos Administrator (kadminl_ui) instead of the command-line administrator (kadminl) to add the principal account. For more information on using the HP Kerberos Administrator and the command-line administrator, see “The kadmin and kadminl Utilities”.

Though it is possible to use kadmin to create an administrative principal, you cannot use kadmin to assign administrative privileges. If you want to use the kadmin utilities to manage your administrative principals, use a text editor to add the required entries to the file.

NOTE: You must log on as a root user, on the primary security server, to add an administrative principal.

For the first administrative principal, HP recommends that you assign all permissions, indicated by * in admin_acl_file. For more information, see “The admin_acl_file File”.

You can add an administrative principal through the HP Kerberos Administrator GUI, or through the command-line interface.

To Add an Administrative Principal Using the HP Kerberos Administrator

The following steps show how to add an administrative principal using the HP Kerberos Administrator:

  1. Invoke the HP Kerberos Administrator using the command kadminl_ui.

  2. Add a new principal to the default realm using the following syntax:

    # identifier/admin@DEFAULT_REALM

  3. Assign the password.

  4. Use the Edit>Edit Administrative Permissions menu to assign all administrative permissions to the principal.

  5. On the Attributes tab, clear the Require Password Change checkbox to disable the password change requirement.

    You can also disable the password change requirement by setting the NoReqChangePwd setting in the principal’s password policy file to 1.

    NOTE: By default, the principal account requires a password change at the first logon. However, kadmin does not permit password changes, unless you have explicit permissions to change your password.

  6. Save your changes and close the HP Kerberos Administrator.

For more information on using the HP Kerberos Administrator, see “HP Kerberos Administrator”.

To Add an Administrative Principal Through the Command Line

The following steps show how to add an administrative principal through the command-line interface:

  1. Run the kadmin command-line administrator.

  2. Add a new principal to the default realm using the following syntax:

    command: add
    Name of Principal to add: admin
    Enter password:password
    Re-enter password for verification:password
    Enter policy name (Press enter key to apply default policy):
    Principal added

For more information on assigning administrative privileges to principals, see “Manual Administration Using kadmin”.

Create the host/<fqdn> Principal and Extract the Service Key

To allow principal database propagation, the primary security server must have a host/<fqdn> principal and the service key for this principal must be extracted to the service key table file of the server.

The host/<fqdn> principal is not automatically added to the principal database during security server software installation; you must manually add the host/<fqdn> principal using the kadminl_ui or kadminl command.

NOTE: You must log on as a root user, on the primary security server, to add the host/<fqdn> principal to the database.

HP recommends that you create a host/<fqdn> principal and extract its service key using the kadminl command. To do this, type the following command at the prompt:

# kadminl -R "ext host/<fqdn>"

The host/<fqdn> principal is added to the principal database, along with a random key, and the random key is added to the service key table. To verify that these operations were successful, use the ktutil -k command to list the contents of the key table file. The existence of a host/<fqdn> entry in the listing indicates that the principal has been successfully added to the database with a random key.

NOTE: Propagation is disabled if you select LDAP as your backend database. Check with your LDAP administrator for more information about propagation of information on the LDAP Server.

Start the Kerberos Daemons

You can use the krbsetup tool to start the following Kerberos daemons:

  • kdcd

  • kadmind

NOTE: You cannot use the krbsetup tool to start the kpropd daemon. Start the kpropd daemon manually.

Alternatively, you can use the following command to start the Kerberos daemons kdcd and kadmind:

/sbin/init.d/krbsrv start

To start the kpropd daemon, use the following command:

/opt/krb5/sbin/kpropd

NOTE: Propagation is disabled if you select LDAP as your backend database. Check with your LDAP administrator for more information about propagation of information on the LDAP Server.

Define Secondary Security Server Network Locations

To configure propagation, alter the Kerberos configuration files to define server network locations. For more information, see Chapter 9 “Propagating the Kerberos Server”.

For each secondary security server installed on your network, edit the krb.conf file on the primary security server by adding an entry to define the role of this secondary security server in the realm. For more information on the configuration files, see “The krb.conf File”.
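The host/<fqdn> and daemon start-up steps of this section as one root-run shell function, an added example that is not part of the HP guide: it runs the commands the guide lists, verifies the key table entry with ktutil -k as the guide describes, and stops if the service key table is readable by users other than root. The KEYTAB path, the KRB5_BACKEND variable and the sample listing are assumptions or constructed data, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the HP guide): the host/<fqdn> and daemon start-up
# steps as one root-run function, with the verification the guide describes
# and a permission check on the service key table.
# Assumptions: KEYTAB is the key table path on your system; KRB5_BACKEND=ldap
# marks an LDAP backend, where propagation (and so kpropd) is disabled.
set -e

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumed default path, adjust as needed

# Constructed sample of a key table listing, used only for the self-check.
SAMPLE_LISTING='Slot KVNO Principal
   1    2 host/kdc1.example.com@EXAMPLE.COM
   2    1 kadmin/admin@EXAMPLE.COM'

# Read a key table listing (e.g. the output of "ktutil -k") on stdin and
# succeed only if it holds host/<fqdn> for exactly the given FQDN.
listing_has_host_entry() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq "host/$esc(@|[[:space:]]|\$)"
}

# The key table holds long-term keys; group and other must have no access.
keytab_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Steps 4 and 5 of the guide, run as root on the primary security server.
configure_host_principal() {
    fqdn=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Step 4: add host/<fqdn> with a random key and extract it to the key table.
    kadminl -R "ext host/$fqdn"
    # Verify, as the guide suggests, that the entry is now in the key table.
    ktutil -k | listing_has_host_entry "$fqdn" ||
        { echo "host/$fqdn missing from key table" >&2; return 1; }
    keytab_perms_ok "$KEYTAB" ||
        { echo "$KEYTAB is readable by non-root users; chmod 600 it" >&2; return 1; }
    # Step 5: start kdcd and kadmind; kpropd must be started by hand and only
    # applies when propagation is enabled (not with an LDAP backend).
    /sbin/init.d/krbsrv start
    if [ "${KRB5_BACKEND:-}" != "ldap" ]; then
        /opt/krb5/sbin/kpropd
    fi
}
# Usage (as root): . ./primary_kdc.sh && configure_host_principal kdc1.example.com
```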

© 2007 Hewlett-Packard Development Company, L.P.