
Managing Kerberos in Oracle® Solaris 11.4


Updated: August 2020
 
 

How to Use kdcmgr to Configure the Master KDC

The kdcmgr script provides a command-line interface to install the master and slave KDCs. For the master, you must create a password for the Kerberos database and a password for the administrator. On the slave KDCs, you must supply these passwords to complete the installation. For information about these passwords, see the kdcmgr(8) man page.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Create the master KDC.

    On the command line, run the kdcmgr command and name the administrator and the realm.

    The script prompts for two passwords: the Kerberos database password, called the master key, and the password for the administrative principal.

    kdc1# kdcmgr -a admin-name/admin -r DOMAIN.SUFFIX create master
    
    Starting server setup
    ---------------------------------------
    
    Setting up /etc/krb5/kdc.conf
    
    Setting up /etc/krb5/krb5.conf
    
    Initializing database '/var/krb5/principal' for realm 'DOMAIN.SUFFIX',
    master key name 'K/M@DOMAIN.SUFFIX'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:/** Type strong password **/
    Re-enter KDC database master key to verify: xxxxxxxx
    
    Authenticating as principal root/admin@DOMAIN.SUFFIX with password.
    WARNING: no policy specified for admin-name/admin@DOMAIN.SUFFIX; defaulting to no policy
    Enter password for principal "admin-name/admin@DOMAIN.SUFFIX":/** Type strong password **/
    Re-enter password for principal "admin-name/admin@DOMAIN.SUFFIX": xxxxxxxx
    Principal "admin-name/admin@DOMAIN.SUFFIX" created.
    
    Setting up /etc/krb5/kadm5.acl.
    
    ---------------------------------------------------
    Setup COMPLETE.
    
    kdc1#

    Note -  Save and store these passwords in a safe location.
  2. (Optional) Display the status of the master KDC.
    # kdcmgr status
  3. Synchronize this system's clock with other clocks in the realm.

    Note -  A master KDC cannot be the clock synchronization server.

    For more information and pointers to procedures, see Synchronizing Clocks Between KDCs and Kerberos Clients. See also the krb5.conf(5) man page.

Example 1  Running the kdcmgr Command Without Arguments

In this example, the administrator supplies the realm name and admin principal when prompted by the script.

kdc1# kdcmgr create master

Starting server setup
---------------------------------------

Enter the Kerberos realm: EXAMPLE.COM

Setting up /etc/krb5/kdc.conf

Setting up /etc/krb5/krb5.conf

Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:/** Type strong password **/
Re-enter KDC database master key to verify: xxxxxxxx

Enter the krb5 administrative principal to be created: kws/admin

Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for kws/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "kws/admin@EXAMPLE.COM":/** Type strong password **/
Re-enter password for principal "kws/admin@EXAMPLE.COM": xxxxxxxx
Principal "kws/admin@EXAMPLE.COM" created.

Setting up /etc/krb5/kadm5.acl.

---------------------------------------------------
Setup COMPLETE.

kdc1#
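
The setup output above leaves two items to review afterwards: the admin principal is created with no password policy, and kdcmgr writes /etc/krb5/kadm5.acl. The following script is an added example, not part of the Oracle documentation or of kdcmgr. It assumes the session output was saved to a file and that the ACL uses the `principal privileges [principal-target]` entry format; the function names and the sample ACL entries are constructed for illustration.

```shell
#!/bin/sh
# Post-setup review for a master KDC built with kdcmgr (added example).

# Principals that kadmin created without a password policy, taken from a
# saved copy of the kdcmgr session output.
principals_without_policy() {
    sed -n 's/^[[:space:]]*WARNING: no policy specified for \(.*\); defaulting to no policy$/\1/p' "$1"
}

# Review kadm5.acl entries (format: principal privileges [principal-target]).
# WARN = wildcard in the principal name; INFO = named principal that holds
# all privileges ("*" or "x").
acl_findings() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        $1 ~ /\*/ { printf "WARN line %d: wildcard principal %s has privileges %s\n", NR, $1, $2; next }
        $2 == "*" || $2 == "x" { printf "INFO line %d: %s has all privileges\n", NR, $1 }
    ' "$1"
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_LOG=$(mktemp)
SAMPLE_ACL=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_ACL"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for kws/admin@EXAMPLE.COM; defaulting to no policy
Principal "kws/admin@EXAMPLE.COM" created.
EOF

cat > "$SAMPLE_ACL" <<'EOF'
# constructed kadm5.acl
kws/admin@EXAMPLE.COM   *
*/admin@EXAMPLE.COM     *
ops/admin@EXAMPLE.COM   li
EOF

echo "Principals without a password policy:"
principals_without_policy "$SAMPLE_LOG"
echo "kadm5.acl review:"
acl_findings "$SAMPLE_ACL"
```

On the KDC itself, pass /etc/krb5/kadm5.acl (the path shown in the setup output) to `acl_findings`.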