Adding IBM i principals to the Kerberos server

After you configure network authentication service on your IBM® i platform, you must add your IBM i principals to the Kerberos server.

Network authentication service provides an IBM i principal name, krbsvr400, for the system and the IBM i applications. The name of the principal that represents IBM i is krbsvr400/IBM i host name@REALM NAME, where IBM i host name is either the fully qualified host name or the short host name for the IBM i platform. This principal name needs to be added to the Kerberos server so that Kerberos client applications can request and receive service tickets for it. For example, in our configuration scenarios, the administrator for MyCo added the service principal krbsvr400/systema.myco.com@MYCO.COM to the company's Kerberos server.

Depending on the operating system on which you have configured a Kerberos server, the steps for adding the IBM i principal are different. This information provides instructions on adding the IBM i principals to a Kerberos server in PASE for i or a Windows domain. If you have optionally created service principals for IBM Tivoli® Directory Server for IBM i (LDAP), IBM i NetServer, Network File System (NFS) Server, or HTTP Server, you must also add those service principals to the Kerberos server.

  1. PASE for i

    If your Kerberos server is located in PASE for i, you can add IBM i service principals by using the QP2TERM command, which opens an interactive shell environment that allows you to work with PASE for i applications. To add an IBM i service principal to a Kerberos server in PASE for i, complete these steps:

    1. In a character-based interface, type call QP2TERM.
    2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin.
      This command adds the directory that contains the Kerberos administration tools to your PATH so that the executable files can be run.
    3. At the command line, type kadmin -p admin/admin.
    4. Log on with your user name and password.
    5. At the kadmin command line, enter addprinc -pw secret krbsvr400/IBM i fully qualified host name@REALM, where secret is the password for the IBM i service principal.
      For example, krbsvr400/systema.myco.com@MYCO.COM might be a valid IBM i service principal name.
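    The following shell script is an added example and is not part of the IBM documentation or the PASE for i tools. It builds the service principal name in the form the steps above describe (krbsvr400/host@REALM) and checks it against the output of kadmin's listprincs query, so you can confirm after step 5 that the principal really was added. The listprincs output embedded here is constructed; the assumption that the host part is lower case, the realm upper case, and that listprincs prints one principal per line is the author's, not the page's.

```shell
#!/bin/sh
# Added example, not taken from the IBM documentation: build the IBM i service
# principal name (krbsvr400/host@REALM) and check whether kadmin already lists
# it. Assumed conventions: host part lower case, realm upper case, and
# "kadmin ... -q listprincs" printing one principal per line.

# ibmi_principal HOST REALM [SERVICE]
# Prints SERVICE/HOST@REALM; SERVICE defaults to krbsvr400. Fails on empty input.
ibmi_principal() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    service=${3:-krbsvr400}
    [ -n "$host" ] && [ -n "$realm" ] || return 1
    printf '%s/%s@%s\n' "$service" "$host" "$realm"
}

# principal_listed PRINCIPAL LISTPRINCS_OUTPUT
# Succeeds only when PRINCIPAL appears as a whole line of the listprincs output,
# so a near miss such as the short host name instead of the FQDN is not accepted.
principal_listed() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# Constructed sample of listprincs output for the MYCO.COM realm of the page's
# scenario; on a live system replace it with the real output of
# "kadmin -p admin/admin -q listprincs".
SAMPLE_LISTPRINCS='admin/admin@MYCO.COM
kadmin/admin@MYCO.COM
krbtgt/MYCO.COM@MYCO.COM
krbsvr400/systema.myco.com@MYCO.COM'

# Stand-alone run: report the status of two candidate service principals.
for host in systema.myco.com systemb.myco.com; do
    p=$(ibmi_principal "$host" MYCO.COM) || continue
    if principal_listed "$p" "$SAMPLE_LISTPRINCS"; then
        echo "present: $p"
    else
        echo "missing: $p"
    fi
done
```

Run it from the QP2TERM shell after the PATH export in step 2. One caveat worth knowing for step 5: if you omit -pw, kadmin's addprinc prompts for the password instead, which keeps it out of the shell history and the process list.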
  2. Microsoft Active Directory

    To add an IBM i service principal to a Kerberos server in Microsoft Active Directory, you have two options: allow the Network Authentication Service wizard to add the principals, or add them manually.

    The Network Authentication Service wizard allows you to optionally create a batch file, called NASConfig_localhost.bat. This batch file contains all of the principal names for the services that you selected during configuration. You can also choose to add their associated passwords in this batch file.
    Note: If you include the password, anyone with read access to the batch file can view the passwords. It is recommended that, if you include the password, you delete the batch file from the Kerberos server and from the IBM i immediately after use. If you do not include the password in the batch file, you are prompted for a password when the batch file is run on the Windows server.
    Using the batch file generated by the Network Authentication Service wizard
    1. As the administrator on your Windows server do the following:
      1. Using IBM i Access Client Solutions (ACS) for System A, select Actions > General > Integrated File System.
      2. Log in with your user ID and password.
      3. In the Directory field, enter the directory in which the configuration file was saved, /QIBM/UserData/OS400/iSeriesNavigator/config, and press Enter.
      4. Select the batch file, NASConfig_localhost.bat (NASConfig_systema.bat for System A), right-click it, and select Download.
      5. In the Download box, click OK.
      6. Enter your user ID and password.
      7. The downloaded file will be put in your downloads directory.
        Note: It is recommended that you now delete the NASConfig_systema.bat file from System A.
    2. On your Windows server, open the folder where you downloaded the batch file.
    3. Find the NASConfig_localhost.bat file and double-click the file to run it.
    4. After the file runs, verify that the IBM i principal name has been added to the Microsoft Active Directory by completing the following steps:
      1. On your Windows server, expand Start > Windows Administrative Tools > Active Directory Users and Computers > Users.
      2. Verify that the IBM i platform has a user account by selecting the appropriate Windows domain.
        Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
      3. In the list of users that displays, find the name that corresponds with the service principal that you just added.
      4. Access the properties on your Active Directory users. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
        Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user. This is useful in a multi-tier network.
    Manually adding the service principal to Microsoft Active Directory
    You can also add IBM i principals to the Microsoft Active Directory manually by using the ktpass command. This command is shipped with Windows Support Tools and must be installed on the system being used as the Kerberos server.
    1. On your Windows server, expand Start > Windows Administrative Tools > Active Directory Users and Computers.
    2. Select the Windows domain to which you want to add the IBM i user account and expand Action > New > User.
      Note: This Windows domain should be the same as the default realm name that you specified for network authentication service configuration.
    3. In the Name field, enter a name that will identify the IBM i platform to this Windows domain.
      This will add a new user account for the IBM i platform.
      For example, you might enter the name krbsvr400systema or httpsystema as a valid user account name.
    4. Access the properties on the Active Directory user that you created in Step 3. From the Delegation tab, select Trust this user for delegation to any service (Kerberos only).
      This allows the IBM i service principal to access other services on behalf of a signed-in user.
    5. You need to map the user account you just created to the IBM i service principal by using the ktpass command. To map the user account, complete the following task:
      1. At a command prompt, enter
        ktpass -mapuser krbsvr400systema -pass secret -princ krbsvr400/system-domain-name@REALM -mapop set
        Note: In the command, krbsvr400systema represents the user account name that was created in step 3 and secret is the password that you entered during network authentication service configuration for the IBM i principal.
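    The following script is an added example and is not part of the IBM documentation or of the wizard's output. It addresses the note above about passwords in the batch file: run against a NASConfig batch file in the IFS before you download it, it lists the principals the file would map with ktpass and reports every mapping whose -pass argument is a literal password rather than "*" (the value that makes ktpass prompt). The batch file content below is constructed, and the assumption that each mapping is one "ktpass ... -pass ... -princ ... -mapop set" line in the form shown in step 5 is the author's; the exact layout of the wizard's file is not documented on this page.

```shell
#!/bin/sh
# Added example, not taken from the IBM documentation: audit a NASConfig batch
# file for embedded passwords before it leaves the IBM i. Assumptions: each
# mapping is a single "ktpass ... -pass ... -princ ... -mapop set" line (as in
# step 5 of the manual procedure) and "-pass *" means "prompt at run time".
# Both the -option and /option spellings that ktpass accepts are recognised.

# batch_principals FILE
# Prints the -princ value of every ktpass line in FILE (CRLF line ends tolerated).
batch_principals() {
    awk '{ sub(/\r$/, "") }
         tolower($1) == "ktpass" {
             for (i = 1; i < NF; i++)
                 if (tolower($i) == "-princ" || tolower($i) == "/princ") print $(i + 1)
         }' "$1"
}

# batch_embedded_passwords FILE
# Prints the principal of every ktpass line that carries a literal password.
# Exit status 0 when at least one was found, 1 when the file is clean.
batch_embedded_passwords() {
    awk '{ sub(/\r$/, "") }
         tolower($1) == "ktpass" {
             pw = ""; pr = ""
             for (i = 1; i < NF; i++) {
                 if (tolower($i) == "-pass"  || tolower($i) == "/pass")  pw = $(i + 1)
                 if (tolower($i) == "-princ" || tolower($i) == "/princ") pr = $(i + 1)
             }
             if (pw != "" && pw != "*") { print pr; found = 1 }
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample standing in for NASConfig_systema.bat: one mapping with an
# embedded password and one that prompts for it.
SAMPLE_BAT=$(mktemp)
trap 'rm -f "$SAMPLE_BAT"' EXIT
printf '%s\r\n' \
    '@echo off' \
    'ktpass -mapuser krbsvr400systema -pass secret -princ krbsvr400/systema.myco.com@MYCO.COM -mapop set' \
    'ktpass -mapuser httpsystema -pass * -princ http/systema.myco.com@MYCO.COM -mapop set' \
    > "$SAMPLE_BAT"

# Stand-alone run: list the mappings and warn if any password is embedded.
echo "principals mapped by the batch file:"
batch_principals "$SAMPLE_BAT"
if batch_embedded_passwords "$SAMPLE_BAT" > /dev/null; then
    echo "WARNING: literal passwords are embedded; delete the file from both systems after use"
fi
```

On a live system, point the functions at /QIBM/UserData/OS400/iSeriesNavigator/config/NASConfig_systema.bat (or the localhost-named file) from the QP2TERM shell. A non-empty report means the note above applies: anyone who can read the file on either system can read those passwords, so delete it immediately after the batch file has been run.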