Configuring the Network Authentication Service server with legacy database storage

You can set up Network Authentication Service KDC and administration servers with a legacy Kerberos database and configure Network Authentication Service servers using the mkkrb5srv command.

For additional information about using the mkkrb5srv command, see the mkkrb5srv command.

Note: Do not install both DCE and Kerberos server software on the same physical system. If you must do so, the default operational internet port numbers must be changed for either the DCE clients and server, or for the Kerberos clients and server. In either case, such a change can affect interoperability with existing DCE and Kerberos deployments in your environment. For information about coexistence of DCE and Kerberos, refer to Network Authentication Services documentation.

Kerberos Version 5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC. The default value for maximum clock skew is 300 seconds (five minutes). Kerberos requires that some form of time synchronization is configured between the servers and the clients. It is recommended that you use the xntpd or timed daemons for time synchronization. To use the timed daemon, do the following:
  1. Set up the KDC server as a time server by starting the timed daemon, as follows:
    timed -M
  2. Start the timed daemon on each Kerberos client as follows:
    timed -t
  3. To configure the Kerberos KDC and kadmin servers, run the mkkrb5srv command. For example, to configure Kerberos for the MYREALM realm, the sundial server, and the xyz.com domain, run the following command:
    mkkrb5srv -r MYREALM -s sundial.xyz.com -d xyz.com -a admin/admin
    Wait a few minutes for the kadmind and krb5kdc commands to start from the /etc/inittab file.

Network Authentication Service uses space in the /var filesystem to store information. This information includes database, log, and credential cache files of the authenticated users. The size of these files can increase over time. Ensure that the /var filesystem has sufficient free space to hold this information by regularly monitoring the amount of free space.

The following is a typical mkkrb5srv command:
    mkkrb5srv -r Realm_Name -s KDC_Server -d Domain_Name -a Admin_Name

The variable values in Table 1 are used in the following example of how to configure Network Authentication Service servers with a legacy database.

Table 1. The mkkrb5srv command variable names

  Variable Name        Variable Value
  Realm Name           MYREALM
  KDC Server           kdcsrv.austin.ibm.com
  Domain Name          austin.ibm.com
  Administrator Name   admin/admin

If there is an existing Kerberos server configuration, you can remove it by using either the mkkrb5srv -U or unconfig.krb5 command.

Attention: If you need to keep an existing Kerberos server configuration, do not perform the following steps.

The following procedure is an example of how to configure Network Authentication Service servers with a legacy database.

  1. Enter the following command:
    mkkrb5srv -r MYREALM -s kdcsrv.austin.ibm.com -d austin.ibm.com -a admin/admin

    After entering this command, you are prompted for a master database password.

    Because Network Authentication Service does not support configurations where KDC and the administrative server are on different hosts, the local host is used for both the KDC and administrative server. Ignore the following error message if it is displayed: The -s option is not supported.

  2. Enter the master database password when you are prompted.
  3. Enter the administrative-principal password when you are prompted.

    After you enter the administrative-principal password, the mkkrb5srv command starts the kadmind and krb5kdc daemons from the /etc/inittab file. This process can last several minutes.

  4. Verify the entries in the /etc/inittab file by running the following commands:
    lsitab krb5kdc
    lsitab kadm
  5. Verify that the KDC and kadmind servers have started by entering the following command:
    ps -ef | grep -v grep | grep krb5

The mkkrb5srv command creates the master KDC and the kadmind administrative servers for the Kerberos realm (MYREALM). It also creates the configuration files, initializes the principal database, and starts the KDC and kadmind servers.

Running the mkkrb5srv command results in the following actions:
  1. Creates the /etc/krb5/krb5.conf file. Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. The /etc/krb5/krb5.conf file also sets the paths for the default_keytab_name, kdc, and admin_server log files.
  2. Creates the /var/krb5/krb5kdc/kdc.conf file. The /var/krb5/krb5kdc/kdc.conf file sets the values for the kdc_ports, kadmin_port, max_life, max_renewable_life, master_key_type, and supported_enctypes variables. This file also sets the paths for the database_name, admin_keytab, acl_file, dict_file, and key_stash_file variables.
  3. Creates the /var/krb5/krb5kdc/kadm5.acl file. Sets up the access control for admin, root, and host principals.
  4. Creates the database and one admin principal. You are asked to set a Kerberos master key and to name and set the password for a Kerberos administrative principal identity. For disaster-recovery purposes, it is critical that the master key and administrative principal identity and password are securely stored.
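Before the KDC is taken into service, it is worth reviewing the kdc.conf and kadm5.acl files that steps 2 and 3 create, in particular the supported_enctypes list and the access control lines. The script below is an added example, not IBM's code: it writes constructed sample contents to a temporary directory so it runs anywhere, and the checks can be pointed at the real /var/krb5/krb5kdc files on a configured server.

```shell
#!/bin/sh
# Added post-configuration review of the files mkkrb5srv writes (not IBM's
# code). The file contents below are CONSTRUCTED samples written to a temp
# directory so the script runs anywhere; on a real server point the checks
# at /var/krb5/krb5kdc/kdc.conf and /var/krb5/krb5kdc/kadm5.acl instead.
TMP=$(mktemp -d)

# Constructed kdc.conf: a single-DES enctype is deliberately included so the
# check below has something to report
cat > "$TMP/kdc.conf" <<'EOF'
[realms]
    MYREALM = {
        kdc_ports = 88
        kadmin_port = 749
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal des-cbc-crc:normal
        acl_file = /var/krb5/krb5kdc/kadm5.acl
    }
EOF

# Constructed kadm5.acl: admin instances, root and host principals, plus a
# "* *" line (every principal, every permission) that a production KDC
# should never carry
cat > "$TMP/kadm5.acl" <<'EOF'
*/admin@MYREALM *
root@MYREALM *
host/*@MYREALM *
* *
EOF

# Returns 0 when supported_enctypes offers no single-DES type, 1 when it does
check_enctypes() {
    ! grep -E '^[[:space:]]*supported_enctypes' "$1" | grep -Eq 'des-cbc-(crc|md5|md4)'
}

# Prints the supported_enctypes line with the single-DES types removed
fixed_enctypes() {
    grep -E '^[[:space:]]*supported_enctypes' "$1" \
      | sed -E 's/[[:space:]]+des-cbc-(crc|md5|md4):[a-z]+//g; s/^[[:space:]]+//'
}

# Returns 0 when no ACL line grants all permissions to every principal, else 1
check_acl() {
    ! grep -Eq '^\*[[:space:]]+\*([[:space:]]|$)' "$1"
}

check_enctypes "$TMP/kdc.conf" || echo "kdc.conf: single-DES enctype offered; use: $(fixed_enctypes "$TMP/kdc.conf")"
check_acl "$TMP/kadm5.acl" || echo "kadm5.acl: '* *' grants full admin rights to every principal"
```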
For more information, see Sample runs and Error messages and recovery actions.