Configuring the Network Authentication Service server with legacy database storage
You can set up Network Authentication Service KDC and administration servers with a legacy Kerberos database and configure Network Authentication Service servers using the mkkrb5srv command.
For additional information about using the mkkrb5srv command, see the mkkrb5srv command.
- Set up the KDC server as a time server by starting the timed daemon, as follows:
timed -M
- Start the timed daemon on each Kerberos client as follows:
timed -t
- To configure the Kerberos KDC and kadmin servers, run the mkkrb5srv command. For example, to configure Kerberos for the MYREALM realm, the sundial server, and the xyz.com domain, run the following command:
mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin
Wait a few minutes for the kadmind and krb5kdc commands to start from the /etc/inittab file.
Network Authentication Service uses space in the /var filesystem to store information. This information includes database, log, and credential cache files of the authenticated users. The size of these files can increase over time. Ensure that the /var filesystem has sufficient free space to hold this information by regularly monitoring the amount of free space.
mkkrb5srv -r Realm_Name -s KDC_Server -d Domain_Name -a Admin_Name
The variable values in Table 1 are used in the following example of how to configure Network Authentication Service servers with a legacy database.
| Variable Name | Variable Value |
|---|---|
| Realm Name | MYREALM |
| KDC Server | kdcsrv.austin.ibm.com |
| Domain Name | austin.ibm.com |
| Administrator Name | admin/admin |
If there is an existing Kerberos server configuration, you can remove it by using either the mkkrb5srv -U or the unconfig.krb5 command.
The following procedure is an example of how to configure Network Authentication Service servers with a legacy database.
- Enter the following command:
mkkrb5srv -r MYREALM -s kdcsrv.austin.ibm.com -d austin.ibm.com -a admin/admin
After entering this command, you are prompted for a master database password.
Because Network Authentication Service does not support configurations where the KDC and the administrative server are on different hosts, the local host is used for both the KDC and the administrative server. Ignore the following error message if it is displayed:
The -s option is not supported
- Enter the master database password when you are prompted.
- Enter the administrative-principal password when you are prompted.
After you enter the administrative-principal password, the mkkrb5srv command starts the kadmind and krb5kdc daemons from the /etc/inittab file path. This process can last several minutes.
- Verify the entries in the /etc/inittab file by running the following commands:
lsitab krb5kdc
lsitab kadm
- Verify that the KDC and kadmind servers have started by entering the following command:
ps -ef | grep -v grep | grep krb5
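The manual verification steps above (inittab entries, running daemons, and the /var free-space check recommended earlier) can be collected into one post-configuration script. The following is an added example, not IBM's code; it assumes the AIX lsitab, ps -ef and df -kP output formats, and the sample outputs embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Post-configuration health check for a Network Authentication Service KDC.
# Added example, not IBM's code. It automates the manual checks from the
# procedure above: /etc/inittab entries, running daemons, and /var free space.
# Each check takes command output as an argument, so it runs on the constructed
# samples below by default and on the local host with "--live".

# $1: output of "lsitab <ident>"; $2: Identifier expected in the first field
# of the inittab line (Identifier:RunLevel:Action:Command).
inittab_has_entry() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '$1 == id { f = 1 } END { exit !f }'
}

# $1: output of "ps -ef". Succeeds only if both krb5kdc and kadmind are listed
# (the grep process itself is discarded, as in the manual check).
kdc_daemons_running() {
    listing=$(printf '%s\n' "$1" | grep -v grep || true)
    printf '%s\n' "$listing" | grep -q krb5kdc &&
        printf '%s\n' "$listing" | grep -q kadmind
}

# $1: output of "df -kP <fs>" (POSIX format); $2: maximum acceptable %Used.
# Fails if the Capacity column exceeds the threshold or no data line exists.
fs_capacity_ok() {
    printf '%s\n' "$1" | awk -v max="$2" \
        'NR == 2 { sub(/%/, "", $5); exit ($5 + 0 > max + 0) }
         END { if (NR < 2) exit 1 }'
}

# Runs all checks on the given inputs; prints one line per failure.
check_kdc() {
    rc=0
    inittab_has_entry "$1" krb5kdc || { echo "FAIL: no inittab entry krb5kdc"; rc=1; }
    inittab_has_entry "$2" kadm    || { echo "FAIL: no inittab entry kadm"; rc=1; }
    kdc_daemons_running "$3"       || { echo "FAIL: krb5kdc/kadmind not running"; rc=1; }
    fs_capacity_ok "$4" 80         || { echo "FAIL: /var is more than 80% full"; rc=1; }
    return $rc
}

# Constructed sample output (not captured from a real host) for the dry run.
S_KDC='krb5kdc:2:once:/usr/krb5/sbin/krb5kdc'
S_KADM='kadm:2:once:/usr/krb5/sbin/kadmind'
S_PS='    root 1234     1   0 10:02:11      -  0:00 /usr/krb5/sbin/krb5kdc
    root 1235     1   0 10:02:12      -  0:00 /usr/krb5/sbin/kadmind
    root 1290  1200   0 10:05:00  pts/0  0:00 grep krb5'
S_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hd9var 1048576 440000 608576 42% /var'
case "${1:-}" in
    --live) check_kdc "$(lsitab krb5kdc)" "$(lsitab kadm)" "$(ps -ef)" "$(df -kP /var)" ;;
    *)      check_kdc "$S_KDC" "$S_KADM" "$S_PS" "$S_DF" && echo "dry run: all checks passed" ;;
esac
```

Run it with --live on the KDC host after mkkrb5srv has finished; the 80% threshold for /var is an assumed value, not one the documentation specifies.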
The mkkrb5srv command creates the master KDC and the kadmind administrative servers for the Kerberos realm (MYREALM). It also creates the configuration files, initializes the principal database, and starts the KDC and kadmind servers.
- Creates the /etc/krb5/krb5.conf file. Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. The /etc/krb5/krb5.conf file also sets the paths for the default_keytab_name, kdc, and admin_server log files.
- Creates the /var/krb5/krb5kdc/kdc.conf file. The /var/krb5/krb5kdc/kdc.conf file sets the values for the kdc_ports, kadmin_port, max_life, max_renewable_life, master_key_type, and supported_enctypes variables. This file also sets the paths for the database_name, admin_keytab, acl_file, dict_file, and key_stash_file variables.
- Creates the /var/krb5/krb5kdc/kadm5.acl file. Sets up the access control for admin, root, and host principals.
- Creates the database and one admin principal. You are asked to set a Kerberos master key and to name and set the password for a Kerberos administrative principal identity. For disaster-recovery purposes, it is critical that the master key and administrative principal identity and password are securely stored.