Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

kdcmgr(8)

Name

kdcmgr - set up a Kerberos Key Distribution Center (KDC)

Synopsis

/usr/sbin/kdcmgr [-a admprincipal] [-e enctype]
     [-h] [-p pwfile] [-r realm] subcommand

Description

Use the kdcmgr utility to do the following:

  • Configure a master Key Distribution Center (KDC) server.

  • Configure a slave KDC. This assumes that a master KDC has already been configured. The default propagation method configured is incremental propagation. See kpropd(8).

  • Specify a list of slave KDCs to configure service principals and create access control list for those slaves on the master KDC.

If you specify no options, kdcmgr prompts you for required information, including a password to generate the master key and a password for the administrative principal. When you specify sufficient options, you are still prompted for these passwords, unless you specified the –p pwfile option.

The kdcmgr utility must be run by an administrator who is assigned the Kerberos Server Management rights profile or by root. The command must be run on the server from which it is invoked.

Note that kdcmgr requires the user to enter sensitive information, such as the password used to generate the database's master key and the password for the administrative principal. Great care must be taken to ensure that the connection to the server is secured over the network, by using a protocol such as ssh(1).

You must also exercise great care when selecting the administrative and master key passwords. They should be derived from non-dictionary words and a long string of characters consisting of all of the following character classes:

  • special characters (for example, !@#$%^&*)

  • numerals (0-9)

  • uppercase letters

  • lowercase letters

Options

The following options are supported:

–a admprincipal

When creating a master KDC, specifies the administrative principal, admprincipal, that will be created.

When creating a slave KDC, admprincipal is used to authenticate as the administrative principal.

If you omit –a, the suggested default administrative principal name is the output of logname(1) appended by /admin.

–e enctype

Specifies the encryption type to be used when creating the key for the master key, which is used to encrypt all principal keys in the database. The set of valid encryption types used here are described in krb5.conf under the permitted_enctypes option. Note that the encryption type specified here must be supported on all KDCs or else they will not be able to decrypt any of the principal keys. Solaris 9 and earlier releases support only the des-cbc-crc encryption type for the master key. Therefore, if any of the master or slave KDCs are of these older releases, then –e des-cbc-crc would need to be specified on all KDCs configured with kdcmgr.

The default encryption type is aes256-cts-hmac-sha1-96.

–h

Displays usage information for kdcmgr.

–p pwfile

Provides the location of the password file that contains the password used to create the administrative principal and/or master key.

Warning: This option should be used with great care. Make sure that this pwfile is accessible only by a privileged user and on a local file system. Once the KDC has been configured, you should remove pwfile.

–r realm

Set the default realm for this server.

If the –r option is not specified, kdcmgr attempts to obtain the machine's local domain name by submitting the canonical form of the machine's host name to DNS and using the return value to derive the domain name. If successful, the domain name is converted to uppercase and proposed as the default realm name.

Subcommands

The following subcommands are supported:

create [ master ]
create [ –m masterkdc ] slave

Creates a KDC. If no option is specified, an attempt to create a master KDC is made.

create [ master ]

Create a master KDC. Upon successful configuration the krb5kdc(8) and kadmind(8) are enabled on the machine.

create [ –m masterkdc ] slave

Configures a slave KDC. After configuration, the krb5kdc(8) and kpropd(8) services are enabled on the machine.

masterkdc specifies the master KDC to authenticate and with which to perform administrative tasks. If the –m option is not specified, you are prompted for a master KDC host name.

destroy

Remove all Kerberos configuration and database files associated with the KDC server. A confirmation is required before these files are deleted.

status

Determines the role of the KDC, master or slave, and outputs this and the state of such associated processes as:

The subcommand also displays information on incremental propagation if the configuration has this feature enabled, as well as any issues with dependent files.

Examples

Example 1 Setting up a Master KDC

The following command configures a master KDC with the administrative principal user1/admin and with the realm name EXAMPLE.COM:

$ kdcmgr -a user1/admin -r EXAMPLE.COM create

Note that a password will be required to assign to the newly created user1/admin principal. The password for the master key will also need to be provided.

Example 2 Setting up a Slave KDC

The following command configures a slave KDC, authenticates with the administrative principal user1/admin, specifies kdc1 as the master, and uses the EXAMPLE.COM realm name:

$ kdcmgr -a user1/admin -r EXAMPLE.COM create -m kdc1 slave

Note that you must enter the correct password for user1/admin and that the master KDC must already have been created before entering this command. The correct password for the master key is also required.

Files

/etc/krb5/krb5.conf

Main Kerberos configuration file.

/etc/krb5/kdc.conf

KDC configuration, used by both master and slave servers.

/etc/krb5/krb5.keytab

Default location of the local host's service keys.

/etc/krb5/kadm5.acl

Kerberos administrative access control list (ACL).

/etc/krb5/kadm5.keytab

Service keys specific to kadmind(8).

/var/krb5/principal

Kerberos principal database.

/var/krb5/principal.kadm5

Kerberos policy database.

/etc/krb5/kpropd.acl

Used by slaves to indicate from which server to receive updates.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/security/kerberos-5
Interface Stability
See below

The command line interface (CLI) is Uncommitted. The CLI output is Not an Interface.

See Also

logname(1), ssh(1), attributes(7), kadmind(8), kdb5_ldap_util(8), kdb5_util(8), kpropd(8), krb5kdc(8), ping(8), svcadm(8)