Creating host, user, and service principals

Here is the procedure for creating host principals for your Windows workstations and for creating user and service principals on your Kerberos server.

To provide interoperability between a Windows workstation and a Kerberos server in IBM® i PASE, you need to add a host principal for the workstation to the Kerberos realm. For users to be authenticated to services in your network, you must add them to the Kerberos server as principals. These user principals are stored on the Kerberos server and are used to validate users on the network. For IBM i to accept Kerberos tickets, you must add it to the Kerberos server as a principal. Complete the following tasks:

Note: User names, host names, and passwords are used for example purposes only.
  1. In a character-based interface, enter call QP2TERM at the command line.
    This command opens an interactive shell environment where you can work with IBM i PASE applications.
  2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin.
    This command adds the directory that contains the Kerberos scripts to your path so that you can run the executable files.
  3. At the command line, enter kadmin -p admin/admin, and press Enter.
  4. Sign in with the administrator's password.
  5. At the kadmin prompt, enter addprinc -pw secret1 host/pc1.myco.com.
    This command creates a host principal for the PC in your network. Repeat this step for all the PCs in your network.
  6. Enter addprinc -pw secret jonesm.
    This command creates a principal for your user, Mary Jones. Repeat this step for all of your users.
  7. At the kadmin prompt, enter addprinc -pw systema123 krbsvr400/systema.myco.com.
    This command creates a service principal for the Kerberos server.
  8. Enter quit to exit the kadmin interface, and press F3 (Exit) to exit the PASE environment.
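
Steps 5 and 6 are repeated for every PC and user, so the addprinc lines can be generated from an inventory rather than typed one by one. The following shell script is an added example, not part of the original procedure: it builds the lines for steps 5 through 7, gives each principal its own random password instead of the sample ones, and rejects any name that is not safe to enter at the kadmin prompt. The inventory format and the function names (gen_pw, build_addprinc, build_batch) are assumptions of this example.

```shell
# Added example: turn an inventory into the addprinc lines of steps 5-7.
# Inventory format (assumed here): "<type> <name>", type = host|user|service.
LC_ALL=C; export LC_ALL   # make character ranges below plain ASCII
fqdn_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'

# 20 random letters and digits, so the value needs no quoting at the prompt.
gen_pw() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
}

# Print one addprinc line, or return 1 if the name is not safe to enter.
build_addprinc() {
    case "$2" in
        ''|*[!A-Za-z0-9._-]*)
            echo "rejected: empty name or invalid characters (type $1)" >&2
            return 1 ;;
    esac
    case "$1" in
        host)    princ="host/$2" ;;
        service) princ="krbsvr400/$2" ;;
        user)    princ="$2" ;;
        *) echo "rejected: unknown type '$1'" >&2; return 1 ;;
    esac
    # Host and service names must be fully qualified, as in the steps above.
    if [ "$1" != user ] && ! printf '%s\n' "$2" | grep -Eq "$fqdn_re"; then
        echo "rejected: '$2' is not a fully qualified host name" >&2
        return 1
    fi
    printf 'addprinc -pw %s %s\n' "$(gen_pw)" "$princ"
}

# Read the inventory on stdin; non-zero status if any line was rejected.
build_batch() {
    rc=0
    while read -r type name; do
        case "$type" in ''|\#*) continue ;; esac   # skip blanks and comments
        build_addprinc "$type" "$name" || rc=1
    done
    return "$rc"
}

# Constructed sample inventory that reuses the page's example names.
build_batch <<'EOF'
host pc1.myco.com
user jonesm
service systema.myco.com
EOF
```

The output contains passwords in clear text, so keep it out of shared files and shell history. Enter the generated lines at the kadmin prompt opened in step 3.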