Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Principals
WARNING: Do not remove, modify, or change the key type for this principal.
Do NOT generate a new key for this principal.
default@REALM
The default@REALM principal name contains the
default group principal attributes for REALM. This principal is required in
each realm. This principal, called the default group, is automatically
created when a realm is added to the database.
The attributes and properties of this principal act as a template for
adding principals to a realm in a Security Server’s principal database.
This principal uses a random key. However, you should not extract this
key to a service key table file. This principal is locked by default,
eliminating the security risk of an attacker attempting to authenticate
using this principal account.
WARNING: Do NOT remove this principal entry. Do not unlock this principal
account.
krbtgt/REALM@REALM
The krbtgt/REALM@REALM principal’s secret
key is used to encrypt and decrypt TGTs (ticket-granting tickets) issued
by the security server for principals in the realm REALM.
WARNING: Do NOT remove or modify this principal entry, except when
adding a 3DES key if you need to add support for this encryption
type.
To configure inter-realm authentication, you must create distinct
reserved principals with the prefix name krbtgt/ for each realm.
If you change any attribute or the password of the krbtgt/REALM@REALM
principal for the default realm, that is, the realm that contains the
K/M@REALM principal, you must close all administrative programs,
including kadmin, kadminl_ui and kdcd; then restart all administrative
services/daemons for that realm in order for the changes to take effect.