Add Kerberos Keytab Entry (ADDKRBKTE)
Where allowed to run: All environments (*ALL). Threadsafe: No
The Add Kerberos Keytab Entry (ADDKRBKTE) command adds an entry to the Kerberos keytab file for a specified principal name. A principal name consists of the user name or service name and the name of the realm to which that user or service belongs. If keytab entries already exist for the specified principal name, the default is to give the new entry a key version number one greater than the largest version number of the existing entries.
Restrictions:
The Network Authentication Service commands and APIs support job environments for most EBCDIC CCSIDs. CCSIDs 290 and 5026 are not supported because the lower-case letters a to z do not have a consistent encoding in those CCSIDs.
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| PRINCIPAL | Principal | Element list | Required, Positional 1 |
| | Element 1: Name | Character value | |
| | Element 2: Realm | Character value, *DFT | |
| PASSWORD | Password | Character value | Required, Positional 2 |
| KEYTABFILE | Keytab file | Path name, *DFT | Optional |
| VERSION | Version | 1-255, *GEN | Optional |
Principal (PRINCIPAL)
Specifies the principal name of a user principal, or of a service principal on a host, in a Kerberos network. The principal and key pairs in the keytab file allow services running on the host to be authenticated by a Key Distribution Center (KDC). All principals are registered with the Kerberos server, which maintains a database of all users and services within a Kerberos realm.
This is a required parameter.
Element 1: Name
Specifies the name of the user principal, or of the service principal on a specified host.
- character-value
- Specify the user name of the Kerberos principal.
The Kerberos principal has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alpha-numeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).
Special characters allowed:
/ - delimit name components.
Element 2: Realm
Specifies the realm in which the Kerberos user is registered and in which initial authentication took place.
- *DFT
- The default realm for the local system will be used. Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. If the default realm has not been set, it is obtained from the default_realm entry in the [libdefaults] section of the Kerberos configuration file.
- character-value
- Specify the name of the Kerberos realm where the user specified for the first element of this parameter is registered.
The name has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alpha-numeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).
Special characters allowed:
@ - start realm.
Password (PASSWORD)
Specifies the password that allows the principal to authenticate in the Key Distribution Center (KDC).
This is a required parameter.
- character-value
- Specify the password value. The password can be up to 255 characters long.
Keytab file (KEYTABFILE)
Specifies the Kerberos keytab file in which the group of principals and their keys are stored.
- *DFT
- The default keytab file for the current user will be used. If the KRB5_KTNAME environment variable is set, this is the name of the default keytab file. Otherwise, the keytab file name is obtained from the default_keytab_name entry in the [libdefaults] section of the Kerberos configuration file. If this entry is not defined, the default keytab file name is /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab.
- path-name
- Specify the path name of the stream file that contains the Kerberos keytab file to use.
Version (VERSION)
Specifies the key version number of the keytab entry.
- *GEN
- Generate the version number from the existing keytab entries. The first time a keytab entry is created for the specified principal, the default version number is 1. If keytab entries already exist for the specified principal, the default version number is one greater than the largest version number of the existing entries.
- 1-255
- Specify the version number for the keytab entry for the specified principal.
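The VERSION(*GEN) rule above is easy to state but awkward to verify by hand, because the key version numbers live inside a binary keytab file. The following added example (not IBM's code, and not part of this command reference) builds a small keytab in memory, reads it back, reports which principals, key versions and encryption types it holds, and derives the *GEN value the way the parameter description specifies: 1 for a principal with no entries, otherwise the largest existing version plus one, refusing to exceed the 1-255 range. It assumes the keytab uses the MIT-compatible format (magic bytes 0x05 0x02, big-endian integers, optional 32-bit kvno extension) that Network Authentication Service keytab files follow; the principals are the ones from the Examples section, and all keys and timestamps are constructed placeholders rather than real secrets.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2; all integers big-endian
KRB5_NT_PRINCIPAL = 1        # name_type stored in version-2 entries

# IANA Kerberos encryption type numbers (subset) and the ones considered weak
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES and RC4: flag for re-keying


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(name: str, realm: str, kvno: int, enctype: int,
                 key: bytes, timestamp: int = 0) -> bytes:
    """Serialize one keytab entry; name and realm are given separately,
    like the two elements of the PRINCIPAL parameter."""
    components = name.split("/")                   # '/' delimits name components
    body = struct.pack(">H", len(components))
    body += _counted(realm.encode("ascii"))
    for comp in components:
        body += _counted(comp.encode("ascii"))
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # legacy 8-bit kvno field
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                 # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def _read_counted(data: bytes, off: int):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes):
    """Return a list of dicts {principal, kvno, enctype, timestamp, key_len}."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, off)
        off += 4
        if length <= 0:            # 0 marks the end; a negative size is a deleted slot
            if length == 0:
                break
            off += -length
            continue
        end = off + length
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(data, off)
            comps.append(comp.decode("ascii"))
        off += 4                                   # name_type (present in v2 only)
        (timestamp,) = struct.unpack_from(">I", data, off)
        off += 4
        kvno = data[off]
        off += 1
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _read_counted(data, off)
        if end - off >= 4:                         # 32-bit kvno present?
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:                             # a nonzero 32-bit value wins
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("ascii"),
            "kvno": kvno, "enctype": enctype, "timestamp": timestamp,
            "key_len": len(key),
        })
        off = end
    return entries


def next_version(entries, principal: str) -> int:
    """VERSION(*GEN): 1 for a new principal, else max existing kvno + 1 (limit 255)."""
    existing = [e["kvno"] for e in entries if e["principal"] == principal]
    if not existing:
        return 1
    candidate = max(existing) + 1
    if candidate > 255:
        raise ValueError(f"{principal}: key version range 1-255 exhausted")
    return candidate


def weak_enctype_entries(entries):
    """Entries keyed with DES or RC4, which an audit should flag for re-keying."""
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample keytab: two versions of the service principal from
# Example 1 plus the user principal from Example 2. Keys are placeholders.
SAMPLE_KEYTAB = build_keytab([
    ("krbsvr400/camolts.myco.com", "MYCO.COM", 1, 23, bytes(16), 1_700_000_000),
    ("krbsvr400/camolts.myco.com", "MYCO.COM", 2, 18, bytes(range(32)), 1_700_100_000),
    ("julius", "GUADA.LAJARA.COM", 4, 18, bytes(range(32, 64)), 1_700_200_000),
])

if __name__ == "__main__":
    inventory = parse_keytab(SAMPLE_KEYTAB)
    for e in inventory:
        print(f"{e['principal']:40} kvno={e['kvno']:<3} "
              f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
    print("*GEN for service principal:",
          next_version(inventory, "krbsvr400/camolts.myco.com@MYCO.COM"))
    print("weak keys:", [e["principal"] for e in weak_enctype_entries(inventory)])
```

Run against a real keytab by replacing SAMPLE_KEYTAB with the bytes of the file (the default path is given under KEYTABFILE). The inventory is the useful part operationally: a keytab is a long-lived credential store, so knowing which principals it holds, how many stale key versions have accumulated, and whether any entry still carries a DES or RC4 key tells you what to rotate or remove before the file is copied to another host.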
Examples
Example 1: Adding a Service Principal Keytab Entry
ADDKRBKTE PRINCIPAL('krbsvr400/camolts.myco.com' MYCO.COM) PASSWORD(uneed2chg) VERSION(*GEN) KEYTABFILE(*DFT)
This command adds a service principal entry to the default keytab file, with a generated key version number.
Example 2: Adding a Principal Name Keytab Entry
ADDKRBKTE PRINCIPAL('julius' GUADA.LAJARA.COM) PASSWORD(uneed2chg) VERSION(4) KEYTABFILE(*DFT)
This command adds a user principal entry with key version 4 to the default keytab file.
Error messages
*ESCAPE Messages
- CPFC601
- No default keytab file found.
- CPFC602
- Keytab file &3 not found.
- CPFC603
- Keytab entry &2 not found.
- CPFC605
- Entry &1 could not be added to keytab file &2.
- CPFC607
- Key version &1 not found for &2.
- CPFC61B
- The principal name &3 can not be parsed.