LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
6.16 Creating an /etc/krb5.keytab file
In the ADS multiple domain environment, your HP-UX client machine will communicate with multiple
Windows 2003 R2 or 2008 domain controllers. To set up Kerberos authentication, your HP-UX
host needs to have a service key known by every domain controller, which also acts as KDC. The
service key is created on Windows 2003 R2/2008 Server using ktpass (described in step 5 of
"Section 2.4.4 (page 34)"). After you create the service key file on each domain controller, you
need to securely transfer it to your HP-UX machine. All service key files must be merged and stored
in /etc/krb5.keytab.
For example, if you integrate LDAP-UX with ADS multiple domains so that users from DomainA,
DomainB, and DomainC can log into your HP-UX client machine, you will need to create the service
key on each domain controller (say domainA.keytab on DomainA, domainB.keytab on
DomainB and domainC.keytab on DomainC), then transfer those files into your HP-UX machine.
Finally, merge all three service key files to create /etc/krb5.keytab. Use ktutil to merge
service key files on your HP-UX machine:
# /usr/sbin/ktutil
ktutil: rkt domainA.keytab
ktutil: rkt domainB.keytab
ktutil: rkt domainC.keytab
ktutil: wkt krb5.keytab
ktutil: quit
Use klist -k to show the different entries in the keytab file. /etc/krb5.keytab should be
readable only by the superuser.
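As an added example (not code from the HP guide or the LDAP-UX product), the following Python script does offline what the ktutil session and the klist -k check above do: it reads keytab files in the MIT version-2 keytab layout, which is assumed here to be the format ktpass writes and the HP-UX Kerberos client reads, merges their entries into one keytab, lists the result the way klist -k would, and checks that the merged file is owned by root and readable only by root. The realm names, principal, kvno values and key bytes are constructed sample data; build_keytab exists only to fabricate that input in place of real ktpass output.

```python
import os
import stat
import struct

# MIT keytab, format version 2 (magic 0x0502), all integers big-endian.
# Entry: int32 size, uint16 num_components, counted realm, counted components,
#        uint32 name_type, uint32 timestamp, uint8 vno8,
#        uint16 enctype, uint16 keylen, key bytes, optional uint32 kvno.
KEYTAB_MAGIC = b"\x05\x02"
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (name, realm, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct sample input; on a domain controller ktpass does this."""
    out = bytearray(KEYTAB_MAGIC)
    for name, realm, kvno, enctype, key in entries:
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per key entry, the information klist -k prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno present; it overrides vno8
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        name = "/".join(comps)
        entries.append({"name": name, "realm": realm, "principal": f"{name}@{realm}",
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def merge_keytabs(blobs):
    """Concatenate the entries of several keytabs into one (what ktutil rkt/wkt does),
    dropping exact duplicates of principal, kvno and enctype."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e["principal"], e["kvno"], e["enctype"])
            if ident not in seen:
                seen.add(ident)
                merged.append((e["name"], e["realm"], e["kvno"], e["enctype"], e["key"]))
    return build_keytab(merged)


def keytab_problems(st_uid, st_mode):
    """Problems with a keytab's ownership/mode: it must be root-owned and mode 0600."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(st_mode) & 0o077:
        problems.append("readable or writable by group/other")
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins for domainA/B/C.keytab; key bytes are dummy values.
    realms = [("DOMAINA.EXAMPLE.COM", 3), ("DOMAINB.EXAMPLE.COM", 5), ("DOMAINC.EXAMPLE.COM", 2)]
    blobs = [build_keytab([("host/hpux1.example.com", realm, kvno, 23, bytes([i]) * 16)])
             for i, (realm, kvno) in enumerate(realms, 1)]
    merged = merge_keytabs(blobs)
    path = os.path.join(tempfile.mkdtemp(), "krb5.keytab")   # stands in for /etc/krb5.keytab
    with open(path, "wb") as f:
        f.write(merged)
    os.chmod(path, 0o600)
    for e in parse_keytab(merged):                            # klist -k style listing
        print(f"{e['kvno']:4d} {e['principal']} ({ENCTYPE_NAMES.get(e['enctype'], e['enctype'])})")
    st = os.stat(path)
    print("problems:", keytab_problems(st.st_uid, st.st_mode) or "none")
```

Run it as root to get a clean ownership check; as an ordinary user the script still merges and lists the entries but reports "not owned by root", which is exactly the condition the guide warns about for the real /etc/krb5.keytab.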
6.17 Considering performance impacts
The advantage of a directory server over flat files for naming and authentication services is its
design for quick access to information in large databases. Still, with very large databases,
administrators and users should be aware of the following performance impacts:
6.17.1 Enumeration requests
Enumeration requests are directory queries that request all of a database, for example all users or
all groups. Enumeration requests of large databases can reduce network and server performance.
For this reason, you may want to restrict the use of the following commands that generate
enumeration requests:
• finger(1)
• grget(1) with no options
• pwget(1) with no options
• groups(1)
• listusers(1)
• logins(1M)
Also, applications written with the getpwent(3C) or getgrent(3C) family of routines can
enumerate a map, depending on how they are written.
It may be possible to rewrite these applications so that an LDAP search request is used instead of
a call to getpwent or getgrent.