Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 7 Configuring the Primary and Secondary Security Server

Configuring the Secondary Security Servers with C-Tree

You can now configure the secondary security servers. If you are setting up the primary security server so that you can easily switch it with one of the secondary security servers, you must perform each of the steps on the primary security server as well as on the secondary security server.

All secondary security servers require the following basic configuration tasks:

  • Creating the principal database.

  • Copying the Kerberos configuration files.

  • Creating a host/<fqdn> principal and extracting its key.

Creating the Principal Database

By default, the Kerberos security server uses DES3 to encrypt the principal database. If you are using DES encryption to secure your principal database, use the following command:

kdb_create -s -e enctype

where enctype is DES-CBC-CRC, DES-CBC-MD5, or DES3-CBC-MD5. You can also specify 1 for DES-CBC-CRC, 3 for DES-CBC-MD5, and 5 for DES3-CBC-MD5.

Copying the Kerberos Configuration Files

Each secondary security server must have a copy of the Kerberos configuration files from the primary security server. The following is the default path and file name:

/opt/krb5/krb.conf

The following default configuration files are required on the secondary security server:

  • krb.conf

  • krb.realms
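
The following script is an added example, not part of the HP guide: it checks that a secondary's copies of krb.conf and krb.realms are byte-identical to reference copies taken from the primary and are not world-writable. The staging directory /var/tmp/primary-krb5, the function name check_krb_config, and the permission check are assumptions made for this example.

```sh
#!/bin/sh
# Added example: verify a secondary's copies of the Kerberos configuration
# files against reference copies fetched from the primary.
# Assumption: the primary's files were first copied into a staging directory.

KRB_CONFIG_FILES="krb.conf krb.realms"   # file names listed in this section

# check_krb_config REFERENCE_DIR LOCAL_DIR
# Prints one status line per file and returns the number of problems found
# (0 means every file is present, identical to the reference, and not
# world-writable).
check_krb_config() {
    ref_dir=$1
    local_dir=$2
    problems=0
    for f in $KRB_CONFIG_FILES; do
        if [ ! -f "$ref_dir/$f" ]; then
            echo "NOREF    $ref_dir/$f"
            problems=$((problems + 1))
        elif [ ! -f "$local_dir/$f" ]; then
            echo "MISSING  $local_dir/$f"
            problems=$((problems + 1))
        elif ! cmp -s "$ref_dir/$f" "$local_dir/$f"; then
            # Content drifted from the primary's copy.
            echo "DIFFERS  $local_dir/$f"
            problems=$((problems + 1))
        elif [ -n "$(find "$local_dir/$f" -perm -0002 2>/dev/null)" ]; then
            # Any local user could rewrite the file (extra check, not from the guide).
            echo "WRITABLE $local_dir/$f"
            problems=$((problems + 1))
        else
            echo "OK       $local_dir/$f"
        fi
    done
    return "$problems"
}

# Usage: sh check_krb_config.sh /var/tmp/primary-krb5 [/opt/krb5]
if [ $# -ge 1 ]; then
    check_krb_config "$1" "${2:-/opt/krb5}"
fi
```

Run it on each secondary after copying the files, and again after any configuration change on the primary; a nonzero exit status is the number of files that need attention.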

Creating a host/<fqdn> Principal and Extracting the Key

To allow principal database propagation, each secondary security server must contain a host/<fqdn> principal. You must also extract the key for the host/<fqdn> principal to the service key table file of that server.

You can create a host/<fqdn> principal and extract its key on a secondary security server by using the same procedure that is used on the primary security server. You need not log on as a root user to perform these tasks on a secondary security server. You can run kadmin and log on using the administrative principal name and password when prompted. For more information, see “Create the host/<fqdn> Principal and Extracting the Service Key”.

Each KDC must have a host service principal in the Kerberos database. You can create a host service principal from any host if the kadmind daemon is running.

© 2007 Hewlett-Packard Development Company, L.P.