Adding IBM i principals to the Kerberos server

After you configure network authentication service on your IBM® i platform, you must add your IBM i principals to the Kerberos server.

Network authentication service provides an IBM i principal name, krbsvr400, for the system and the IBM i applications. The principal that represents IBM i is krbsvr400/IBM i host name@REALM NAME, where IBM i host name is either the fully qualified host name or the short host name of the IBM i platform. This principal must be added to the Kerberos server so that Kerberos client applications can request and receive service tickets for it. Kerberos principal names are case-sensitive, so add the principal with exactly the host name and realm (the realm in upper case) that were written to the IBM i keytab during network authentication service configuration; otherwise the keytab entry on IBM i will not match the tickets that the KDC issues. For example, in our configuration scenarios, the administrator for MyCo added the service principal krbsvr400/systema.myco.com@MYCO.COM to the company's Kerberos server.

Depending on the operating system on which you have configured a Kerberos server, the steps for adding the IBM i principal are different. This information provides instructions on adding the IBM i principals to a Kerberos server in PASE for i or a Windows 2000 domain. If you have optionally created service principals for IBM Tivoli® Directory Server for i5/OS (LDAP), IBM i NetServer, Network File System (NFS) Server, or HTTP Server, you must also add those service principals to the Kerberos server.

  1. PASE for i

    If your Kerberos server is located in PASE for i, you can add IBM i service principals by using the QP2TERM command, which opens an interactive shell environment that allows you to work with PASE for i applications. To add an IBM i service principal to a Kerberos server in PASE for i, complete these steps:

    1. In a character-based interface, type call QP2TERM.
    2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This adds the directory that holds the Kerberos administration executables, such as kadmin, to your search path.
    3. At the command line, type kadmin -p admin/admin, where admin/admin is the Kerberos administration principal that you use to manage the KDC.
    4. Enter the password for that administration principal when prompted.
    5. At the kadmin command line, enter addprinc -pw secret krbsvr400/IBM i fully qualified host name@REALM, where secret is the password for the IBM i service principal. This must be the same password that you entered for the principal during network authentication service configuration, because IBM i already holds it in its keytab. For example, krbsvr400/systema.myco.com@MYCO.COM might be a valid IBM i service principal name.
      Note: -pw places the password on the command line, where it remains visible in the shell history. You can omit -pw, in which case kadmin prompts for the password instead.
  2. Microsoft Active Directory

    To add an IBM i service principal to a Kerberos server in Microsoft Active Directory, you have two options: let the Network Authentication Service wizard generate a batch file that adds the principals, or add them manually with the ktpass command.

    The Network Authentication Service wizard can optionally create a batch file, called NASConfig.bat, that contains the principal names for all of the services that you selected during configuration. You can also choose to include the associated passwords in this batch file.
    Note: If you include the passwords, anyone with read access to the batch file can view them. If you do include them, delete the batch file from the Kerberos server and from your PC immediately after use. If you do not include the passwords in the batch file, you are prompted for each password when the batch file is run on the Windows server.
    Using the batch file generated by the Network Authentication Service wizard
    1. On the Windows 2000 workstation that the administrator used to configure network authentication service, open a command prompt and type ftp server, where server is the host name of the Kerberos server. This starts an FTP session from your PC to the Kerberos server; you are prompted for the administrator's user name and password. Note that FTP sends these credentials, and the batch file itself, unencrypted over the network. If the batch file contains passwords, transfer it only over a network that you trust, or use an encrypted copy method instead.
    2. At the FTP prompt, type lcd "C:\Documents and Settings\All Users\Documents\IBM\Client Access". Press Enter.
      Note: This is an example of a directory that might contain the batch file.
      You should receive the message Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client Access.
    3. At the FTP prompt, type binary. This indicates that the file to be transferred is binary.
    4. At the FTP prompt, type cd \mydirectory, where mydirectory is a directory on the Windows server where you want to place the batch file.
    5. At the FTP prompt, type put NASConfig.bat. You should receive this message: 226 Transfer complete.
    6. On your Windows 2000 server, open the directory where you transferred the batch file.
    7. Find the NASConfig.bat file and double-click the file to run it.
    8. After the file runs, verify that the IBM i principal name has been added to the Microsoft Active Directory by completing the following steps:
      1. On your Windows 2000 server, expand Start > Programs > Administrative Tools > Active Directory Users and Computers > Users.
      2. Verify that the IBM i platform has a user account by selecting the appropriate Windows 2000 domain.
        Note: This Windows domain should be the same as the default realm name that you specified for the network authentication service configuration.
      3. In the list of users that displays, find the name that corresponds with the service principal that you just added.
      4. Access the properties of the Active Directory user. From the Account tab, select Account is trusted for delegation.
        Note: This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the IBM i service principal can access services on multiple systems on behalf of the user, which is useful in a multi-tier network. It also means that the IBM i account can impersonate any user who authenticates to it against any service in the domain (unconstrained delegation), so leave it cleared unless your scenario requires it.
    Manually adding the service principal to Microsoft Active Directory
    You can also add IBM i principals to Microsoft Active Directory manually by using the ktpass command. This command is shipped with the Windows Support Tools, which must be installed on the system being used as the Kerberos server.
    1. On your Windows 2000 server, expand Start > Programs > Administrative Tools > Active Directory Users and Computers.
    2. Select the Windows 2000 domain to which you want to add the IBM i user account and select Action > New > User.
      Note: This Windows 2000 domain should be the same as the default realm name that you specified for network authentication service configuration.
    3. In the Name field, enter a name that will identify the IBM i platform to this Windows 2000 domain. This will add a new user account for the IBM i platform. For example, you might enter the name krbsvr400systema or httpsystema as a valid user account name.
    4. Access the properties of the Active Directory user that you created in Step 3. From the Account tab, select Account is trusted for delegation. This step is optional; it allows the IBM i service principal to access other services on behalf of any signed-in user (unconstrained delegation), so select it only if your scenario requires it.
    5. You need to map the user account you just created to the IBM i service principal by using the ktpass command. The ktpass tool is part of the Windows Support Tools on the Windows 2000 Server installation CD. To map the user account, complete the following task:
      1. At a command prompt, enter
        ktpass -mapuser krbsvr400systema -pass secret -princ krbsvr400/system-domain-name@REALM -mapop set
        Note: In the command, krbsvr400systema represents the user account name that was created in step 3 and secret is the password that you entered during network authentication service configuration for the IBM i principal. The value of -princ must match the principal name in the IBM i keytab exactly, including case. -mapop set overwrites any principal mapping that the account already has, whereas the default, -mapop add, adds to it.
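Both procedures above, kadmin in PASE for i and ktpass on the Windows domain controller, need the same principal names built the same way, and both are easy to get wrong by a stray upper-case letter or a short host name where the keytab holds the fully qualified one. The following POSIX shell script is an added example and is not part of the IBM documentation or of network authentication service: it builds and validates the principal names for one IBM i host and prints the matching kadmin queries or ktpass commands, keeping the password off the command line. The services are supplied by the caller (the page only confirms krbsvr400 and HTTP); the account naming <service><short host name>, the admin/admin administration principal and the use of ktpass -pass * to prompt for the password are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the IBM page or of network authentication
# service. Builds the IBM i service principal names for one host and prints
# the KDC commands that add them: kadmin queries for a KDC in PASE for i,
# or ktpass commands for an Active Directory KDC.
# Usage: sh ibmi-principals.sh kadmin|ktpass HOST REALM SERVICE...
# e.g.   sh ibmi-principals.sh kadmin systema.myco.com MYCO.COM krbsvr400 HTTP

# ibmi_principal SERVICE HOST REALM -> prints SERVICE/host@REALM
# Kerberos names are case-sensitive: the host is lower-cased and the realm
# upper-cased so the KDC entry matches what IBM i stores in its keytab.
ibmi_principal() {
    svc=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    case $svc in
        ''|*[!A-Za-z0-9]*)  echo "ibmi_principal: bad service name '$1'" >&2; return 1 ;;
    esac
    case $host in
        ''|*[!a-z0-9.-]*)   echo "ibmi_principal: bad host name '$2'" >&2; return 1 ;;
    esac
    case $realm in
        ''|*[!A-Z0-9.-]*)   echo "ibmi_principal: bad realm '$3'" >&2; return 1 ;;
    esac
    printf '%s/%s@%s\n' "$svc" "$host" "$realm"
}

# kadmin_add_script HOST REALM SERVICE... -> one kadmin query per service.
# The password is deliberately not given with -pw: kadmin prompts for it
# (it must be the one entered during network authentication service
# configuration), so it stays out of the command line and shell history.
# A final listprincs shows every principal that now exists for the host.
kadmin_add_script() {
    [ "$#" -ge 3 ] || { echo "usage: kadmin_add_script HOST REALM SERVICE..." >&2; return 2; }
    host=$1; realm=$2; shift 2
    for svc in "$@"; do
        p=$(ibmi_principal "$svc" "$host" "$realm") || return 1
        printf 'kadmin -p admin/admin -q "addprinc %s"\n' "$p"
    done
    printf 'kadmin -p admin/admin -q "listprincs */%s"\n' "${p#*/}"
}

# ktpass_add_script HOST REALM SERVICE... -> one ktpass command per service,
# to run on the domain controller after the user accounts exist. The account
# name is <service><short host name> in lower case, as on the page
# (krbsvr400systema). -mapop set replaces any mapping already on the account.
# -pass * asks ktpass to prompt for the password (documented by Microsoft for
# current ktpass releases; the Windows 2000 build may need the literal value).
ktpass_add_script() {
    [ "$#" -ge 3 ] || { echo "usage: ktpass_add_script HOST REALM SERVICE..." >&2; return 2; }
    host=$1; realm=$2; shift 2
    short=$(printf '%s' "$host" | tr 'A-Z' 'a-z' | cut -d. -f1)
    for svc in "$@"; do
        p=$(ibmi_principal "$svc" "$host" "$realm") || return 1
        acct=$(printf '%s%s' "$svc" "$short" | tr 'A-Z' 'a-z')
        printf 'ktpass -princ %s -mapuser %s -pass * -mapop set\n' "$p" "$acct"
    done
}

case ${1:-} in
    kadmin) shift; kadmin_add_script "$@" ;;
    ktpass) shift; ktpass_add_script "$@" ;;
    '')     : ;;    # no arguments: only define the functions (sourcing, tests)
    *)      echo "usage: $0 kadmin|ktpass HOST REALM SERVICE..." >&2; exit 2 ;;
esac
```

Run it in QP2TERM with the kadmin mode and execute the printed lines there (each one prompts for the administration password and then for the service principal's password), or with the ktpass mode and paste the printed lines into a command prompt on the domain controller once the matching user accounts exist. The closing listprincs query is the check that the principals landed under the exact names IBM i expects.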