You can set up a callback path for IBM® Network Authentication Service (Kerberos).
The client receiving the delegation must be a full client
with its own host principal. However, you can establish a generic
host principal for all clients to use for callbacks.
To establish a generic host principal for all clients
to use for callbacks, perform these steps:
- Create a service principal (for example, nfs/client) using the same method that is used to create a host principal. Refer to Creating a Kerberos principal in Security.
- Create a keytab entry for that service principal. For example, to create a keytab called slapd_krb5.keytab, do the following:
kadmin.local: ktadd -k /etc/security/slapd_krb5.keytab ldap/plankton.austin.ibm.com
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
Entry for principal ldap/plankton.austin.ibm.com with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/security/slapd_krb5.keytab.
kadmin.local:
- Distribute this keytab to all clients that will use it.
- Configure the clients with the nfshostkey command.
This process is identical to the process for configuring a server for use with Kerberos, but the generic principal cannot be used for servers; each server must have its own principal of the form nfs/hostname.
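Because the distributed keytab holds the long-term key of the shared callback principal, a client administrator will usually want to confirm two things before running nfshostkey: that the file is readable by its owner only, and that the expected principal (and key version) is actually present. The following checks are an added example and are not part of the IBM documentation. They assume an MIT-compatible klist that accepts -k -t (IBM Network Authentication Service installs its tools under /usr/krb5/bin); the keytab path and the ldap/plankton principal are taken from the example above, while the realm EXAMPLE.COM and the sample klist listing are constructed.

```shell
#!/bin/sh
# Added example (not from the IBM page): pre-flight checks for a keytab that
# was distributed to an NFS client before configuring it with nfshostkey.
# Assumption: "klist -k -t" is MIT-compatible (e.g. /usr/krb5/bin/klist).

# Return 0 when the keytab is readable by its owner only (mode like rw-------
# or r--------), 1 otherwise. Parses ls -l so it works on AIX and GNU alike.
keytab_mode_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ?r[w-]-------) return 0 ;;
    *)             return 1 ;;
  esac
}

# Read "klist -k -t" output on stdin and print one "kvno principal" line per
# principal, keeping the highest key version seen for it. Header lines are
# skipped because their first field is not a number.
principal_kvnos() {
  awk '$1 ~ /^[0-9]+$/ {
         p = $NF; k = $1 + 0
         if (!(p in max) || k > max[p]) max[p] = k
       }
       END { for (p in max) print max[p], p }' | sort
}

# Return 0 when principal $2 (with realm) has an entry in keytab $1.
keytab_has_principal() {
  klist -k -t "$1" | principal_kvnos |
    awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Constructed sample of what "klist -k -t /etc/security/slapd_krb5.keytab"
# might print after two rounds of ktadd; the realm is a placeholder.
SAMPLE_KLIST='Keytab name: FILE:/etc/security/slapd_krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 01/01/2024 00:00:00 nfs/client@EXAMPLE.COM
   2 01/01/2024 00:00:00 nfs/client@EXAMPLE.COM
   3 02/01/2024 00:00:00 nfs/client@EXAMPLE.COM
   2 01/01/2024 00:00:00 ldap/plankton.austin.ibm.com@EXAMPLE.COM'

# Stand-alone demo: summarise the constructed listing.
printf '%s\n' "$SAMPLE_KLIST" | principal_kvnos
```

On a real client, run `keytab_mode_ok /etc/security/slapd_krb5.keytab && keytab_has_principal /etc/security/slapd_krb5.keytab nfs/client@YOUR.REALM` and fix the mode with chmod 600 (as root) if the first check fails; a kvno lower than the one the KDC reports means a stale copy of the keytab was distributed.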