Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i: HP 9000 Networking > Chapter 6 Administration

Creating the Kerberos Database


The primary security server contains a database of all principals that are trusted in each of the supported realms. The database can also be created during installation; refer to “Auto-Configuration of the Security Server” for more information.

The kdb_create utility creates a database and adds a realm to the existing database. After the kdb_create utility creates the principal database, you can load a previously dumped database by using the kdb_load utility.

NOTE: You must be a root user to execute this command.

This utility cannot be used if you have forgotten the master password.

The general syntax for this is:

kdb_create [-a REALM] [-e enctype] [-M mkeyname] [-p PASSWORD] [-r REALM] [-s[-f keyfile]] [-v]

If the -d, -e, or -M switches are used to override the defaults, the same switches must be supplied each time you run other daemons and programs that rely on those defaults, for example the kadmind or kdb_load utilities.

The kadmind and the kdcd daemons should be restarted after you invoke the kdb_create utility.

The kdb_create utility uses the following options:

-a REALM

Adds the realm REALM to the existing principal database. To use this switch, the principal database must already exist and you must know the master password.

-e enctype

Specifies the encryption and checksum mechanism of the primary principal. The three encryption types supported are:

  • DES-CRC or 1: DES-CBC-CRC

  • DES-MD5 or 3: DES-CBC-MD5

  • 3DES or 5: DES3-CBC-MD5 (default)

-f keyfile

When used with the -s switch, it specifies an alternate name for the stash file. If you do not use the -f switch, the default keyfile is .k5.REALM.

-M mkeyname

Specifies an alternate primary principal name. The default primary name is K/M@REALM.

-p PASSWORD

Suppresses the master-password prompt, which makes it easier to create a database from a shell script. The master password is used to generate an encryption key that protects all the entries in the database.

You cannot use this option to change the master password.

-r REALM

Creates the principal database for the realm REALM. By default, kdb_create uses the realm defined in the krb.conf file. If this file does not exist, the command uses the uppercase equivalent of the domain name.

-s

Stores the master key in a stash file that can be automatically retrieved, eliminating the need to manually enter the key each time you start the security server.

-v

Runs kdb_create in verbose mode.

The following is an example of using kdb_create:

shell% kdb_create -a BAMBI.COM
Initializing database /opt/krb5/principal for realm BAMBI.COM...
master key name is K/M@DCETST3.FINANCE.BAMBI.COM
It is important that you NOT FORGET this password.
Enter password:
Re-enter password for verification:
Adding principals to database...
Cleaning up....
shell%

The kdb_create command creates the principals mentioned below:

  • K/M@<REALM NAME>
    This is the default key name. However, this key name can be configured.

  • default@<REALM NAME>

  • kadmin/<REALM NAME>@<REALM NAME>

  • kcpwd/<REALM NAME>@<REALM NAME>

  • krbtgt/<REALM NAME>@<REALM NAME>

IMPORTANT: The principals mentioned above should NOT be deleted.

K/M is the default master key name. It can be changed by supplying a different name with the -M mkeyname option of the kdb_create command.

The stash file is a local copy of the master key that resides in an encrypted format on the primary security server's local disk. This stash file is usually located in the same directory as the Kerberos database. By default, kdb_create does not create a stash file. A stash file allows the database utilities (kadmind, kadminl, kdcd, and so on) to authenticate themselves without the master key being entered by hand.

Occasionally, however, the machine on which the KDC runs may have to be restarted, and if a stash file is present, the KDC can be configured to start automatically without any human interaction whenever the machine is rebooted. The stash file, like the keytab file, is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. For more information on the keytab file, refer to “Service Key Table (v5srvtab)”.
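Because the stash file is a point of entry, the one thing worth checking after running kdb_create -s is who can read it. The following shell function is an added example, not part of the HP manual; it assumes the default stash name .k5.REALM and the database directory shown in the session above (/opt/krb5), both of which are parameters:

```shell
#!/bin/sh
# Added example, not from the HP manual: audit the stash file written by
# "kdb_create -s". Assumes the default stash name .k5.REALM and the database
# directory from the session above (/opt/krb5); both are parameters.
#
# check_stash REALM [DBDIR] [OWNER]
#   returns 0 when the stash file exists, belongs to OWNER (default root) and
#   carries no group/other permission bits; returns 1 and prints the reason
#   otherwise.
check_stash() {
    realm=$1
    dbdir=${2:-/opt/krb5}
    want=${3:-root}
    stash="$dbdir/.k5.$realm"

    if [ ! -f "$stash" ]; then
        echo "no stash file $stash (kdb_create ran without -s, or -f named another file)"
        return 1
    fi

    # Read mode and owner from ls -ld; stat(1) is not available on HP-UX 11i.
    set -- $(ls -ld "$stash")
    mode=$1
    owner=$3

    if [ "$owner" != "$want" ]; then
        echo "$stash is owned by $owner, expected $want"
        return 1
    fi
    # Accept only owner bits. A trailing '+' (extra ACL entries) is rejected
    # on purpose, since an ACL can re-grant access the mode bits deny.
    case "$mode" in
        -???------|-???------.) ;;
        *)  echo "$stash mode is $mode: group/other (or ACL) access to the master key"
            return 1 ;;
    esac
    echo "$stash ok: owner $owner, mode $mode"
    return 0
}
```

The same check applies to any backup copy of the stash file, since a copy carries the master key as well.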

Database Encryption

The Kerberos Security Server supports two encryption types:

  • Data Encryption Standard (DES)

  • Security-Enhanced Triple Data Encryption Standard (3DES)

The encryption type selected during database creation determines the encryption type applied to the master password, which, in turn, is used to create the key that secures all records stored in the principal database.

Encrypt the database using the DES encryption if you are installing a secondary security server that has an existing principal database encrypted using DES. In this case, do not create the database during installation, instead use the kdb_create utility to create the database after installation.

Regardless of the database encryption choice, the installation program always installs both the DES and 3DES algorithms. Therefore, you can specify either key type for individual principal accounts in the database.

Database Master Password

When you create the principal database, you supply a master password. The master password, along with the specified encryption type, is used to generate the master key that protects the database entries. In other words, the stored keys of each principal account are encrypted with the master key. This provides double security protection for each stored key.

kdb_create prompts you for the master key for the Kerberos database. This key can be any string. A good key is one you can remember, but that no one else can guess. Examples of bad keys are words that can be found in a dictionary, any common or popular name, especially a famous person or a cartoon character, and your username in any form (e.g., forward, backward, repeated twice, etc.).
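The rules above can be applied mechanically before a candidate master password is typed at the prompt. The following shell function is an added example, not part of the HP manual; WORDLIST and NAMES are constructed samples standing in for a system dictionary and a site list, and the 8-character floor is this example's own assumption, since the manual states no minimum:

```shell
#!/bin/sh
# Added example, not from the HP manual: screen a candidate master password
# against the rules in the paragraph above. WORDLIST and NAMES are
# constructed samples; the 8-character floor is this example's assumption.
WORDLIST="secret password kerberos finance database"
NAMES="mickey bambi elvis"

# Reverse a string with awk; rev(1) is not POSIX.
reverse() {
    printf '%s\n' "$1" |
        awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# check_master_key CANDIDATE USERNAME
#   returns 0 when no rule is hit, otherwise prints the rule and returns 1.
#   Comparison is case-insensitive so "Bambi" and "BAMBI" are caught too.
check_master_key() {
    cand=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    user=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rev_user=$(reverse "$user")

    if [ ${#cand} -lt 8 ]; then
        echo "rejected: shorter than 8 characters"
        return 1
    fi
    # Dictionary words and common or popular names (exact match).
    for w in $WORDLIST $NAMES; do
        if [ "$cand" = "$w" ]; then
            echo "rejected: dictionary word or common name ($w)"
            return 1
        fi
    done
    # Username in any form: forward, backward, repeated twice, or embedded.
    case "$cand" in
        *"$user"*|*"$rev_user"*)
            echo "rejected: contains the username forward or backward"
            return 1 ;;
    esac
    return 0
}
```

A value that passes is still best entered at the interactive prompt: the -p switch places the password in the command's argument list, where ps can show it to other users on the host.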

© 2002 Hewlett-Packard Development Company, L.P.