The kdcmgr script provides a command-line interface for installing master and slave KDCs. For the master server, you must create one password for the Kerberos database and one for the administrator. On a slave KDC, these passwords must be supplied to complete the installation. For information about these passwords, see the kdcmgr(1M) man page.
Before You Begin
You must assume the root role. For more information, see "Using Your Assigned Administrative Rights" in Securing Users and Processes in Oracle Solaris 11.2.
Run the kdcmgr command on the command line, specifying the administrator and the realm.
The script prompts you for the Kerberos database password (called the master key) and for the password of the administrative principal.
kdc1# kdcmgr -a kws/admin -r EXAMPLE.COM create master

Starting server setup
---------------------------------------
Setting up /etc/krb5/kdc.conf

Setting up /etc/krb5/krb5.conf

Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: /** Type strong password **/
Re-enter KDC database master key to verify: xxxxxxxx

Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for kws/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "kws/admin@EXAMPLE.COM": /** Type strong password **/
Re-enter password for principal "kws/admin@EXAMPLE.COM": xxxxxxxx
Principal "kws/admin@EXAMPLE.COM" created.

Setting up /etc/krb5/kadm5.acl.

---------------------------------------------------
Setup COMPLETE.

kdc1#
# kdcmgr status
For authentication to succeed, every clock must be within the default clock-skew tolerance that is defined in the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.
In this example, the administrator supplies the realm name and the admin principal when the script prompts for them.
kdc1# kdcmgr create master

Starting server setup
---------------------------------------
Enter the Kerberos realm: EXAMPLE.COM
Setting up /etc/krb5/kdc.conf

Setting up /etc/krb5/krb5.conf

Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: /** Type strong password **/
Re-enter KDC database master key to verify: xxxxxxxx

Enter the krb5 administrative principal to be created: kws/admin
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for kws/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "kws/admin@EXAMPLE.COM": /** Type strong password **/
Re-enter password for principal "kws/admin@EXAMPLE.COM": xxxxxxxx
Principal "kws/admin@EXAMPLE.COM" created.

Setting up /etc/krb5/kadm5.acl.

---------------------------------------------------
Setup COMPLETE.

kdc1#
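A post-setup check for the master KDC built above and for the clock-skew requirement, as an added example that is not part of the Oracle Solaris documentation or of kdcmgr itself. It constructs a sample krb5.conf and kadm5.acl (marked as constructed in the script; on a real KDC you would point KRB5_CONF and KADM5_ACL at /etc/krb5/krb5.conf and /etc/krb5/kadm5.acl, the files kdcmgr writes), reads the clockskew tolerance from the libdefaults section (assumed to default to 300 seconds when the key is absent), tests whether a measured clock offset falls inside it, and lists every principal other than the expected administrator that kadm5.acl grants full rights.

```shell
#!/bin/sh
# Post-setup sanity checks for a KDC created with kdcmgr.
# Added example; not code from the Oracle Solaris documentation or from kdcmgr.
# Assumptions: the krb5.conf and kadm5.acl below are constructed samples so the
# script runs offline; a real KDC would use /etc/krb5/krb5.conf and
# /etc/krb5/kadm5.acl. The libdefaults key "clockskew" is in seconds and is
# taken to default to 300 when it is not set.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KRB5_CONF=$WORK/krb5.conf
KADM5_ACL=$WORK/kadm5.acl

# Constructed krb5.conf with a tighter-than-default skew.
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        clockskew = 120

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
        }
EOF

# Constructed ACL: the intended administrator plus a stale, over-broad wildcard entry.
cat > "$KADM5_ACL" <<'EOF'
# principal                 permissions
kws/admin@EXAMPLE.COM       *
*/admin@EXAMPLE.COM         *
EOF

# Print the clockskew (seconds) from [libdefaults], or 300 if it is not set.
get_clockskew() {
    v=$(awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec && /^[[:space:]]*clockskew[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); print; exit
        }' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo 300; fi
}

# Succeed (exit 0) if an observed clock offset in seconds (may be negative)
# is within the skew the KDC tolerates; fail (exit 1) otherwise.
clock_within_skew() {
    off=$1; skew=$2
    if [ "$off" -lt 0 ]; then off=$(( 0 - off )); fi
    [ "$off" -le "$skew" ]
}

# Print each principal granted full rights ("*" or "x") other than the one
# expected; empty output means the ACL is as tight as kdcmgr left it.
unexpected_full_admins() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        ($2 == "*" || $2 == "x") && $1 != want { print $1 }' "$1"
}

skew=$(get_clockskew "$KRB5_CONF")
echo "clockskew tolerated by this KDC: ${skew}s"
if clock_within_skew 90 "$skew"; then echo "offset 90s: OK"; else echo "offset 90s: too large"; fi
if clock_within_skew -200 "$skew"; then echo "offset -200s: OK"; else echo "offset -200s: too large"; fi
echo "ACL entries with full rights beyond kws/admin@EXAMPLE.COM:"
unexpected_full_admins "$KADM5_ACL" "kws/admin@EXAMPLE.COM"
```

Run it as-is to see the checks against the constructed files; on a KDC, replace the two heredocs with the real file paths and feed clock_within_skew the offset reported by your NTP client.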