System Administration Commands kdcmgr(1M)
NAME
kdcmgr - set up a Kerberos Key Distribution Center (KDC)
SYNOPSIS
/usr/sbin/kdcmgr [-a admprincipal] [-e enctype]
[-h] [-p pwfile] [-r realm] realm
DESCRIPTION
Use the kdcmgr utility to do the following:
o Configure a master Key Distribution Center (KDC)
server.
o Configure a slave KDC. This assumes that a master
KDC has already been configured. The default propa-
gation method configured is incremental propaga-
tion. See kpropd(1M).
o Specify a list of slave KDCs to configure service
principals and create access control list for those
slaves on the master KDC.
If you specify no options, kdcmgr prompts you for required
information, including a password to generate the master key
and a password for the administrative principal. When you
specify sufficient options, you are still prompted for these
passwords, unless you specified the -p pwfile option.
The kdcmgr utility must be run as superuser or by someone
who has the Primary Administrator role. The command must be
run on the server from which it is invoked.
Note that kdcmgr requires the user to enter sensitive infor-
mation, such as the password used to generate the database's
master key and the password for the administrative princi-
pal. Great care must be taken to ensure that the connection
to the server is secured over the network, by using a proto-
col such as ssh(1).
You must also exercise great care when selecting the admin-
istrative and master key passwords. They should be derived
from non-dictionary words and a long string of characters
consisting of all of the following character classes:
o special characters (for example, !@#$%^&*)
o numerals (0-9)
SunOS 5.11 Last change: 19 Sep 2007 1
System Administration Commands kdcmgr(1M)
o uppercase letters
o lowercase letters
OPTIONS
The following options are supported:
-a admprincipal
When creating a master KDC, specifies the administrative
principal, admprincipal, that will be created.
When creating a slave KDC, admprincipal is used to
authenticate as the administrative principal.
If you omit -a, the suggested default administrative
principal name is the output of logname(1) appended by
/admin.
-e enctype
Specifies the encryption type to be used when creating
the key for the master key, which is used to encrypt all
principal keys in the database. The set of valid encryp-
tion types used here are described in krb5.conf(4) under
the permittedenctypes option. Note that the encryption
type specified here must be supported on all KDCs or
else they will not be able to decrypt any of the princi-
pal keys. Solaris 9 and earlier releases support only
the des-cbc-crc encryption type for the master key.
Therefore, if any of the master or slave KDCs are of
these older releases, then -e des-cbc-crc would need to
be specified on all KDCs configured with kdcmgr.
The default encryption type is aes128-cts-hmac-sha1-96.
-h
Displays usage information for kdcmgr.
-p pwfile
Provides the location of the password file that contains
the password used to create the administrative principal
and/or master key.
Warning: This option should be used with great care.
Make sure that this pwfile is accessible only by a
privileged user and on a local file system. Once the KDC
SunOS 5.11 Last change: 19 Sep 2007 2
System Administration Commands kdcmgr(1M)
has been configured, you should remove pwfile.
-r realm
Set the default realm for this server.
If the -r option is not specified, kdcmgr attempts to
obtain the machine's local domain name by submitting the
canonical form of the machine's host name to DNS and
using the return value to derive the domain name. If
successful, the domain name is converted to uppercase
and proposed as the default realm name.
SUBCOMANDS
The following subcommands are supported:
create [ master ]
create [ -m masterkdc ] slave
Creates a KDC. If no option is specified, an attempt to
create a master KDC is made.
create [ master ]
Create a master KDC. Upon successful configuration
the krb5kdc(1M) and kadmind(1M) are enabled on the
machine.
create [ -m masterkdc ] slave
Configures a slave KDC. After configuration, the
krb5kdc(1M) and kpropd(1M) services are enabled on
the machine.
masterkdc specifies the master KDC to authenticate
and with which to perform administrative tasks. If
the -m option is not specified, you are prompted for
a master KDC host name.
destroy
Remove all Kerberos configuration and database files
associated with the KDC server. A confirmation is
required before these files are deleted.
SunOS 5.11 Last change: 19 Sep 2007 3
System Administration Commands kdcmgr(1M)
status
Determines the role of the KDC, master or slave, and
outputs this and the state of such associated processes
as:
o krb5kdc(1M)
o kadmind(1M)
o kpropd(1M)
The subcommand also displays information on incremental
propagation if the configuration has this feature
enabled, as well as any issues with dependent files.
EXAMPLES
Example 1 Setting up a Master KDC
The following command configures a master KDC with the
administrative principal user1/admin and with the realm name
EXAMPLE.COM:
$ kdcmgr -a user1/admin -r EXAMPLE.COM create
Note that a password will be required to assign to the newly
created user1/admin principal. The password for the master
key will also need to be provided.
Example 2 Setting up a Slave KDC
The following command configures a slave KDC, authenticates
with the administrative principal user1/admin, specifies
kdc1 as the master, and uses the EXAMPLE.COM realm name:
$ kdcmgr -a user1/admin -r EXAMPLE.COM create -m kdc1 slave
Note that you must enter the correct password for
user1/admin and that the master KDC must already have been
created before entering this command. The correct password
for the master key is also required.
SunOS 5.11 Last change: 19 Sep 2007 4
System Administration Commands kdcmgr(1M)
FILES
/etc/krb5/krb5.conf
Main Kerberos configuration file.
/etc/krb5/kdc.conf
KDC configuration, used by both master and slave
servers.
/etc/krb5/krb5.keytab
Default location of the local host's service keys.
/etc/krb5/kadm5.acl
Kerberos administrative access control list (ACL).
/etc/krb5/kadm5.keytab
Service keys specific to kadmind(1M).
/var/krb5/principal
Kerberos principal database.
/var/krb5/principal.kadm5
Kerberos policy database.
/etc/krb5/kpropd.acl
Used by slaves to indicate from which server to receive
updates.
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
SunOS 5.11 Last change: 19 Sep 2007 5
System Administration Commands kdcmgr(1M)
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWkdcu
Interface Stability See below
The command line interface (CLI) is Uncommitted. The CLI
output is Not an Interface.
SEE ALSO
logname(1), ssh(1), kadmin(1M), kadmind(1M), kdb5util(1M),
kdb5ldaputil(1M), kpropd(1M), krb5kdc(1M), ping(1M),
svcadm(1M), kdc.conf(4), krb5.conf(4), attributes(5)
SunOS 5.11 Last change: 19 Sep 2007 6
|
