PAM Kerberos Release Note, HP 9000 Networking
Configuration
kadmin and issue the ktadd command as in the following example:
shell% /usr/local/sbin/kadmin.local
kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin \
kadmin/changepw
kadmin.local: quit
8. Start the Kerberos daemons by typing:
shell% /usr/local/sbin/krb5kdc
shell% /usr/local/sbin/kadmind
Verify that they started properly by checking for their startup messages in the logging
location specified in /etc/krb5.conf.
9. Once the KDC is set up and running, load principals for users, hosts, and other
services into the Kerberos database using kadmin.
Configuring the corresponding Application Server (Kerberos Client)
1. Edit the configuration files, /etc/pam.conf, /etc/krb5.conf and /etc/services, as
described under “Configuration”, Application Server section.
2. All Kerberos machines need a keytab file, /etc/krb5.keytab, to authenticate to the KDC.
Create the keytab file for the UNIX client using the kadmin tool.
3. Securely transfer the keytab file to the UNIX client. Alternatively, if the kadmin utility is
installed on the UNIX client, you can create the keytab file on the client machine.
4. Merge the imported keytab with the default keytab file /etc/krb5.keytab.
5. Use the Kerberos utility, ktutil, to merge the keytab, or copy the keytab file to
/etc/krb5.keytab.
When copying the keytab file to the default location, be careful not to overwrite any keys
installed for other applications. In such cases, use the Kerberos utility, ktutil, to import
the keys.
6. Create Kerberos principals in the KDC.
7. Add equivalent UNIX accounts, if they do not exist.
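Steps 2 through 5 above turn on one detail that the text only states: a keytab file can hold keys for several principals, and the ktutil merge must keep the keys already installed for other applications while adding the imported host key. The following added example (not HP's or MIT Kerberos's code) parses the MIT version-2 keytab format, lists the principals a keytab holds, and performs that merge in the same non-destructive way, appending only imported entries whose (principal, kvno, enctype) is not already present. The sample keytabs, principal names, realm and key bytes are constructed for the example; none of them come from the release note.

```python
"""Parse, inspect and merge MIT-format (version 0x0502) keytab files.

Added example, not HP's or MIT's code.  Sample keytabs are constructed
in memory with dummy key bytes; no real keys are involved.
"""
import struct
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"               # keytab file format version 2
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18     # registered Kerberos enctype number

Entry = Dict[str, object]


def _counted(data: bytes) -> bytes:
    """uint16 big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes,
                 timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialize one entry (size field included); name_type 1 = KRB5_NT_PRINCIPAL."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                                  # 32-bit vno extension
    return struct.pack(">i", len(body)) + body


def parse_keytab(blob: bytes) -> List[Entry]:
    """Walk the entry list; a negative size marks a deleted slot to skip."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        body, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _read_counted(body, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(body, p)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", body, p)
        key, p = _read_counted(body, p + 2)
        kvno = vno8
        if len(body) - p >= 4:                      # 32-bit vno present
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or kvno
        entries.append({
            "principal": "/".join(c.decode() for c in comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "key": key,
            "timestamp": timestamp, "name_type": name_type,
        })
    return entries


def serialize_keytab(entries: List[Entry]) -> bytes:
    out = KEYTAB_MAGIC
    for e in entries:
        out += encode_entry(e["principal"], e["kvno"], e["enctype"], e["key"],
                            e.get("timestamp", 0), e.get("name_type", 1))
    return out


def merge_keytabs(existing: bytes, imported: bytes) -> bytes:
    """ktutil-style merge: keep every installed key, append only imported
    entries whose (principal, kvno, enctype) is not already present."""
    current = parse_keytab(existing)
    seen = {(e["principal"], e["kvno"], e["enctype"]) for e in current}
    for e in parse_keytab(imported):
        ident = (e["principal"], e["kvno"], e["enctype"])
        if ident not in seen:
            current.append(e)
            seen.add(ident)
    return serialize_keytab(current)


def principals(blob: bytes) -> List[str]:
    return sorted({e["principal"] for e in parse_keytab(blob)})


# Constructed sample: the client's /etc/krb5.keytab already holds a key for
# another application; the imported keytab holds the new host key created on
# the KDC.  Names, realm and key bytes are placeholders.
EXISTING_KEYTAB = KEYTAB_MAGIC + encode_entry(
    "ftp/client.example.com@EXAMPLE.COM", 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32)
IMPORTED_KEYTAB = KEYTAB_MAGIC + encode_entry(
    "host/client.example.com@EXAMPLE.COM", 1, ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x22" * 32)
MERGED_KEYTAB = merge_keytabs(EXISTING_KEYTAB, IMPORTED_KEYTAB)

if __name__ == "__main__":
    for e in parse_keytab(MERGED_KEYTAB):
        print(f"{e['principal']} kvno={e['kvno']} enctype={e['enctype']}")
```

Running principals() against /etc/krb5.keytab before copying a new file over it shows exactly which keys a plain copy would destroy; the merge path keeps them, and repeating the merge with the same import is a no-op.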
Configuring KDC - Microsoft Windows 2000 KDC
1. Create an account for a client machine in Microsoft Windows 2000 KDC.
2. Use the Microsoft Windows 2000 directory management tool to create a new user account
for the UNIX host.
3. Create a keytab file for the client machine on Microsoft Windows 2000 KDC.