How to Use kdcmgr to Configure the Master KDC

The kdcmgr script provides a command-line interface to install the master and slave KDCs. For the master, you must create a password for the Kerberos database and a password for the administrator. On the slave KDCs, you must supply these passwords to complete the installation. For information about these passwords, see the kdcmgr(1M) man page.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

1. Create the master KDC.

   On the command line, run the kdcmgr command and name the administrator and the realm.

   You are prompted for the Kerberos database password, called the master key and the password for the administrative principal. The script prompts for the passwords.

   kdc1# kdcmgr -a kws/admin -r EXAMPLE.COM create master
   
   Starting server setup
   ---------------------------------------
   
   Setting up /etc/krb5/kdc.conf
   
   Setting up /etc/krb5/krb5.conf
   
   Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
   master key name 'K/[email protected]'
   You will be prompted for the database Master Password.
   It is important that you NOT FORGET this password.
   Enter KDC database master key:/** Type strong password **/
   Re-enter KDC database master key to verify: xxxxxxxx
   
   Authenticating as principal root/[email protected] with password.
   WARNING: no policy specified for kws/[email protected]; defaulting to no policy
   Enter password for principal "kws/[email protected]":/** Type strong password **/
   Re-enter password for principal "kws/[email protected]": xxxxxxxx
   Principal "kws/[email protected]" created.
   
   Setting up /etc/krb5/kadm5.acl.
   
   ---------------------------------------------------
   Setup COMPLETE.
   
   kdc1#

   ---

   Note -  Save and store these passwords in a safe location.

   ---

2. (Optional) Display the status of the master KDC.

   # kdcmgr status

3. Synchronize this system's clock with other clocks in the realm by using NTP or another mechanism.

   For authentication to succeed, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.

   ---

   Note -  The master KDC cannot be the NTP server. If you do not have an NTP server, return to the master KDC after the NTP server is installed, and make the master KDC a client of the NTP server.

   ---

Example 4-1  Running the kdcmgr Command Without Arguments

In this example, the administrator supplies the realm name and admin principal when prompted by the script.

kdc1# kdcmgr create master

Starting server setup
---------------------------------------

Enter the Kerberos realm: EXAMPLE.COM

Setting up /etc/krb5/kdc.conf

Setting up /etc/krb5/krb5.conf

Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:/** Type strong password **/
Re-enter KDC database master key to verify: xxxxxxxx

Enter the krb5 administrative principal to be created: kws/admin

Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for kws/[email protected]; defaulting to no policy
Enter password for principal "kws/[email protected]":/** Type strong password **/
Re-enter password for principal "kws/[email protected]": xxxxxxxx
Principal "kws/[email protected]" created.

Setting up /etc/krb5/kadm5.acl.

---------------------------------------------------
Setup COMPLETE.

kdc1#