Kerberos Server Version 3.12 Administrator's Guide: HP-UX 11i v3 > Chapter 8 Administering the Kerberos Server

Kerberos Database Utilities

The primary security server contains a database of all principals that are trusted in each of the supported realms. You can also create the database during installation. See “Auto-Configuration of the Kerberos Server” on page 63 for more information.

The kdb_create utility creates a Kerberos database and adds a realm to the existing database. You cannot use this utility if you do not remember the master password. After creating the principal database using the kdb_create utility, you can load a previously dumped database by using the kdb_load utility.

NOTE: You must be a root user to execute the kdb_create utility.

The general syntax for creating the Kerberos database is as follows:

kdb_create [-a REALM] [-e enctype] [-M mkeyname] [-p PASSWORD] [-r REALM] [-s[-f keyfile]] [-v]

The -a, -e and -M switches override defaults. If you override a default here, you must supply the same switches every time you run other daemons and programs that rely on those defaults; for example, when you use the kadmind or kdb_load utility, pass the same switches that you used in the kdb_create command.

Restart the kadmind and the kdcd daemons after you invoke the kdb_create utility.

You can invoke the kdb_create utility with the following options:

-a REALM

Adds the realm REALM to the existing principal database. To use this switch, you must be aware of the master password and the principal database must already exist.

-e enctype

Specifies the encryption and checksum mechanism of the primary principal. Following are the encryption types that are supported:

  • 3DES or 5: DES3-CBC-MD5 (default)

  • DES-MD5 or 3: DES-CBC-MD5

  • DES-CRC or 1: DES-CBC-CRC

NOTE: The default, DES3-CBC-MD5, will be set as the encryption type if you do not specify any of the encryption types previously mentioned.

-f keyfile

Specifies an alternate name for the stash file when used with the -s switch. If you do not use the -f switch, .k5.REALM is used as the default keyfile.

-M mkeyname

Specifies an alternate primary principal name. The default primary name is K/M@REALM.

-p PASSWORD

Suppresses kdb_create from prompting you for the master password, which makes it easier to configure a database with a shell script. Uses the master password to generate an encryption key that protects all the entries in the database.

You cannot use this option to change the master password.

-r REALM

Creates the principal database for the realm REALM. By default, kdb_create uses the realm defined in the krb.conf file. If this file does not exist, the command uses the uppercase equivalent of the domain name.

-s

Stores the master key in a stash file that can be automatically retrieved, eliminating the need to manually enter the key each time you start the Kerberos server.

-v

Runs kdb_create in verbose mode.

The following example displays how to use kdb_create:

shell% kdb_create -a BAMBI.COM
Initializing database /opt/krb5/principal for realm BAMBI.COM.
   master key name is K/M@DCETST3.FINANCE.BAMBI.COM

You will be prompted for the database Master Password
It is important that you DO NOT FORGET this password.
Enter password:
Re-enter password for verification:

Adding principals to database...
Cleaning up....
shell%

The kdb_create command creates the following principals:

  • K/M@<REALM NAME>
    This is the default key name. However, you can configure this key name.

  • default@<REALM NAME>

  • kadmin/<REALM NAME>@<REALM NAME>

  • kcpwd/<REALM NAME>@<REALM NAME>

  • krbtgt/<REALM NAME>@<REALM NAME>

IMPORTANT: Do not delete these principals.

K/M is the default master key name. To change it, specify a different name with the -M mkeyname option of the kdb_create command.

The stash file is a local copy of the master key that resides on the local disk of the primary security server in an encrypted format. This stash file is usually located in the same directory as the Kerberos database. By default, kdb_create does not create a stash file. A stash file allows the database utilities, such as kadmind, kadminl, kdcd and others, to authenticate themselves.

Occasionally, however, you may have to restart the machine on which the KDC runs, and if a stash file is present, you can configure KDC to start automatically without any human intervention whenever the machine is rebooted. The stash file, like the keytab file, is a potential point-of-entry for a break-in, and if compromised, allows unrestricted access to the Kerberos database. For more information, see “Service Key Table”.
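The two points above that most often go wrong in practice are scripted creation with -p (described under the -p option) and the protection of the stash file that -s writes. The following script is an added example and is not part of the HP guide or the HP-UX Kerberos product: it assembles a kdb_create invocation from the documented options, refuses the -f/-s combination the guide says is invalid, and audits the stash file's owner and mode afterwards. It assumes kdb_create is on PATH (override with KDB_CREATE), that the stash file is written beside the database in /opt/krb5, and that EXAMPLE.COM, the key-file name and the KDB_MASTER_PASSWORD variable are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the HP Kerberos Server guide. Builds a scripted
# kdb_create command line and audits the resulting stash file.
# Assumptions: kdb_create is on PATH (override with KDB_CREATE); the stash
# file lands next to the database in /opt/krb5 (override with KRB_DB_DIR);
# the realm, key-file name and password variable are constructed samples.

KDB_CREATE=${KDB_CREATE:-kdb_create}
KRB_DB_DIR=${KRB_DB_DIR:-/opt/krb5}

# build_kdb_create_args REALM ENCTYPE STASH(yes|no) [KEYFILE]
# Prints the option list on stdout. Enforces the documented rule that
# -f only has meaning together with -s.
build_kdb_create_args() {
    realm=$1; enctype=$2; stash=$3; keyfile=${4:-}
    args="-r $realm -e $enctype"
    if [ "$stash" = yes ]; then
        args="$args -s"
        if [ -n "$keyfile" ]; then
            args="$args -f $keyfile"
        fi
    elif [ -n "$keyfile" ]; then
        echo "build_kdb_create_args: -f $keyfile requires -s" >&2
        return 1
    fi
    printf '%s\n' "$args"
}

# check_stash_file PATH [OWNER]
# Returns 0 only if PATH is a regular file owned by OWNER (default root)
# with no group or other permission bits, i.e. mode 0600 or stricter.
# A stash file that fails this check exposes the master key to every
# local user who can read it.
check_stash_file() {
    f=$1; want_owner=${2:-root}
    if [ ! -f "$f" ]; then
        echo "check_stash_file: $f missing or not a regular file" >&2
        return 1
    fi
    listing=$(ls -ld "$f")
    perm=$(printf '%s' "$listing" | cut -c5-10)   # group+other rwx bits
    set -- $listing                                # split ls -l fields
    owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "check_stash_file: $f owned by $owner, expected $want_owner" >&2
        return 1
    fi
    if [ "$perm" != "------" ]; then
        echo "check_stash_file: $f is group/world accessible ($perm)" >&2
        return 1
    fi
    return 0
}

# Driver: only runs when RUN_KDB_CREATE=yes, so the functions above can be
# sourced or tested without touching a real KDC.
if [ "${RUN_KDB_CREATE:-no}" = yes ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "kdb_create must be run as root" >&2; exit 1
    fi
    realm=EXAMPLE.COM              # constructed sample realm
    keyfile=".k5.$realm"           # same shape as the documented default
    args=$(build_kdb_create_args "$realm" 3DES yes "$keyfile") || exit 1
    # KDB_MASTER_PASSWORD must be exported by the caller. -p stops the
    # prompt but places the password on the command line (see note below).
    # shellcheck disable=SC2086
    "$KDB_CREATE" $args -p "$KDB_MASTER_PASSWORD" || exit 1
    check_stash_file "$KRB_DB_DIR/$keyfile" root || exit 1
    # Per the guide, restart kadmind and kdcd after kdb_create completes.
fi
```

Note that -p PASSWORD is convenient for scripts but leaves the master password in the process argument list, where any local user can read it with ps until kdb_create exits; on a shared host, the interactive prompt is the safer choice. The stash check encodes the guide's own warning: because a compromised stash file gives unrestricted access to the database, anything looser than root-only 0600 should be treated as a finding.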

Database Encryption

The Kerberos server supports the following encryption types:

  • DES3

  • DES-MD5

  • DES-CRC

The encryption type selected during database creation determines the encryption type applied to the master password, which in turn is used to create the key that secures all records stored in the principal database.

Encrypt the database using DES encryption if you are installing a secondary security server that has an existing principal database encrypted using DES. In this case, do not create the database during installation. Instead, use the kdb_create utility to create the database after installation.

Regardless of the database encryption choice, the installation program always installs both DES and 3DES algorithms. Therefore, you can specify any key type for individual principal accounts in the database.

Database Master Password

When you create the principal database, you must supply a master password. The master password, along with the specified encryption type, generates the master key that protects the database entries. In other words, the stored keys of each principal account are encrypted with the master key. This provides double security protection for each stored key.

The kdb_create utility prompts you for the master key for the Kerberos database. This key can be any string. A good key is one you can remember, but that no one else can guess. Examples of bad keys are words that can be found in a dictionary; any common or popular name, especially a famous person or a cartoon character; or your user name in any form (forward, backward, repeated twice, and so on).
