PAM Kerberos Release Note, HP 9000 Networking
Configuration
kadmind and krb5kdc daemons. If you do not want a stash file, run kdb5_util without the -s option.
Replace REALM.HP.COM with the name of your Kerberos realm in the following example.
The kdb5_util command will prompt for the master key for the Kerberos database. The
key can be any string.
shell% /usr/local/sbin/kdb5_util create -r REALM.HP.COM -s
This will create five files in the directory specified in your kdc.conf file: two Kerberos
database files, principal.db, and principal.ok; the Kerberos administrative database file,
principal.kadm5; the administrative database lock file, principal.kadm5.lock; and the
stash file, .k5stash.
5. Add administrators to the ACL file
Create an Access Control List (ACL) file, and enter at least one administrator as a
Kerberos principal. The filename should match the value you have set for acl_file in your
kdc.conf file. The default file name is /usr/local/var/krb5kdc/kadm5.acl. The format
of the file is:
Kerberos principal permissions optional target principal
The Kerberos principal and optional target principal can include the "*" wildcard. If you
want any principal with the instance "admin" to have full permissions on the database,
you could use the principal "*/admin" as in the following example. Replace
REALM.HP.COM with the name of your Kerberos realm.
*/admin@REALM.HP.COM *
Refer to the Kerberos V5 Installation Guide, Kerberos V5 Administrator's Guide or the
Kerberos V5 User's Guide (URLs listed under “References”) for explanations of
permissions, principals and instances.
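The following is an added example, not part of the release note: a small Python checker for an ACL file in the format described above (principal, permissions, optional target principal). The ACL text is constructed; the component-wise "*" matching and the "any matching entry that grants the letter suffices" rule are simplifying assumptions about kadmind's behaviour, used here only to review an ACL before deploying it.

```python
"""Check a kadm5.acl-style file: who gets which permissions on which targets.
Added example with a constructed ACL; matching rules are simplified assumptions."""

# Constructed sample in the three-field format the release note describes.
SAMPLE_ACL = """\
# administrators with every permission (the release note's own example)
*/admin@REALM.HP.COM *
# helpdesk may only change passwords (c) and inquire (i)
helpdesk@REALM.HP.COM ci
# jdoe may add (a) and modify (m) only principals in the host/ instance
jdoe@REALM.HP.COM am host/*@REALM.HP.COM
"""


def parse_acl(text):
    """Return a list of (principal_pattern, permissions, target_pattern)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed ACL line: {line!r}")
        target = parts[2] if len(parts) > 2 else "*"  # no target = any target
        entries.append((parts[0], parts[1], target))
    return entries


def _split(principal):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); a missing realm is treated as '*'."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, "*")
    return name.split("/"), realm


def principal_matches(pattern, principal):
    """Component-wise match: '*' matches one whole component or the realm (assumption)."""
    if pattern == "*":
        return True
    pcomp, prealm = _split(pattern)
    ncomp, nrealm = _split(principal)
    if len(pcomp) != len(ncomp):
        return False
    return all(p in ("*", n) for p, n in zip(pcomp, ncomp)) and prealm in ("*", nrealm)


def is_allowed(entries, principal, perm, target="*"):
    """True if some entry matching principal (and target) grants perm or '*'."""
    for pat, perms, tgt in entries:
        if principal_matches(pat, principal) and (target == "*" or principal_matches(tgt, target)):
            if perms == "*" or perm in perms:
                return True
    return False


def audit(entries):
    """Entries worth a second look: wildcard principal pattern with full permissions."""
    return [e for e in entries if e[1] == "*" and "*" in e[0]]
```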
6. Use kadmin.local to add administrative principals to the Kerberos database as in the
example below. The administrative principals are the ones you added to the ACL file.
Replace REALM.HP.COM with the name of your Kerberos realm.
shell% /usr/local/sbin/kadmin.local
kadmin.local: addprinc admin/admin@REALM.HP.COM
(Enter the password when prompted)
kadmin.local: quit
7. Create a kadmind keytab
The kadmind keytab is the key that kadmind will use to decrypt administrators' Kerberos
tickets to determine whether access to the database should be granted. To create the
kadmin keytab with entries for the principals, kadmin/admin and kadmin/changepw, run