FreeBSD Handbook : Security : Kerberos : Creating the initial database

6.3.1. Creating the initial database

This is done on the Kerberos server only. First make sure that you do not have any old Kerberos databases around. You should change to the directory /etc/kerberosIV and check that only the following files are present:

grunt# cd /etc/kerberosIV
grunt# ls
README          krb.conf        krb.realms

If any additional files (such as principal.* or master_key) exist, use the kdb_destroy command to destroy the old Kerberos database, or, if Kerberos is not running, simply delete the extra files.

You should now edit the krb.conf and krb.realms files to define your Kerberos realm. In this case the realm will be GRONDAR.ZA and the server is grunt.grondar.za. We edit or create the krb.conf file:

grunt# cat krb.conf
GRONDAR.ZA
GRONDAR.ZA grunt.grondar.za admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov

In this case, the other realms do not need to be there. They are here as an example of how a machine may be made aware of multiple realms. You may wish to omit them for simplicity.

The first line names the realm in which this system works. The other lines contain realm/host entries. The first item on a line is a realm, and the second is a host in that realm that is acting as a ``key distribution centre''; a realm with several KDCs gets one line per host, as the ATHENA.MIT.EDU entries show. The words ``admin server'' following a host's name mean that the host also provides an administrative database server. For further explanation of these terms, please consult the Kerberos man pages.

Now we have to add grunt.grondar.za to the GRONDAR.ZA realm and also add an entry to put all hosts in the .grondar.za domain in the GRONDAR.ZA realm. The krb.realms file would be updated as follows:

grunt# cat krb.realms
grunt.grondar.za GRONDAR.ZA
.grondar.za GRONDAR.ZA
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU

Again, the other realms do not need to be there. They are here as an example of how a machine may be made aware of multiple realms. You may wish to remove them to simplify things.

The first line puts the specific system into the named realm. The rest of the lines show how to default systems of a particular subdomain to a named realm.
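The two checks described so far (nothing but README, krb.conf and krb.realms in the directory before kdb_init, and the host-to-realm mapping that krb.realms and krb.conf express), as an added shell example that is not part of the Handbook and uses none of the Kerberos tools. The sample files it writes are constructed from the GRONDAR.ZA example above. The resolution order it uses (exact host entry first, then the longest matching ``.domain'' entry, then the local realm from the first line of krb.conf, with names compared case-insensitively) is an assumption made for illustration; krb_realmofhost(3) is the authoritative rule.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook or from Kerberos IV.
# Pre-flight checks for a KDC about to run kdb_init:
#   1. report anything in the kerberosIV directory other than README,
#      krb.conf and krb.realms (a leftover principal.* or master_key);
#   2. resolve a host name to a realm via krb.realms and krb.conf.
# Resolution order is an assumption: exact host entry, then longest
# matching ".domain" entry, then the local realm (first line of krb.conf).

# kiv_unexpected_files DIR
#   Print every entry of DIR that is not one of the three expected files.
#   Returns 1 if any exists, i.e. an old database may still be present.
kiv_unexpected_files() {
    dir=$1 found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            README|krb.conf|krb.realms) ;;
            *) printf '%s\n' "${f##*/}"; found=1 ;;
        esac
    done
    return $found
}

# kiv_local_realm KRB_CONF   -> the realm named on the first line
kiv_local_realm() { head -n 1 "$1"; }

# kiv_kdcs KRB_CONF REALM    -> the KDC hosts listed for REALM, admin marked
kiv_kdcs() {
    tail -n +2 "$1" | while read -r realm host rest; do
        [ "$realm" = "$2" ] || continue
        case $rest in
            "admin server") printf '%s (admin server)\n' "$host" ;;
            *)              printf '%s\n' "$host" ;;
        esac
    done
}

# kiv_realm_of_host KRB_REALMS KRB_CONF HOST   -> realm HOST belongs to
kiv_realm_of_host() {
    realms=$1 conf=$2
    lhost=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    best= bestlen=0
    while read -r name realm; do
        [ -n "$name" ] || continue
        lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case $lname in
            .*)   # domain entry: the host must end in ".domain"
                case $lhost in
                    *"$lname")
                        if [ "${#lname}" -gt "$bestlen" ]; then
                            best=$realm bestlen=${#lname}
                        fi ;;
                esac ;;
            *)    # exact host entry: first match wins outright
                if [ "$lhost" = "$lname" ]; then
                    printf '%s\n' "$realm"
                    return 0
                fi ;;
        esac
    done < "$realms"
    if [ -n "$best" ]; then printf '%s\n' "$best"; else kiv_local_realm "$conf"; fi
}

# kiv_sample_config DIR
#   Write the Handbook's GRONDAR.ZA example into DIR (constructed sample
#   data, not copied from a live system) so the functions can be exercised.
kiv_sample_config() {
    mkdir -p "$1"
    : > "$1/README"
    printf '%s\n' 'GRONDAR.ZA' \
        'GRONDAR.ZA grunt.grondar.za admin server' \
        'CS.BERKELEY.EDU okeeffe.berkeley.edu' > "$1/krb.conf"
    printf '%s\n' 'grunt.grondar.za GRONDAR.ZA' \
        '.grondar.za GRONDAR.ZA' \
        '.berkeley.edu CS.BERKELEY.EDU' \
        '.MIT.EDU ATHENA.MIT.EDU' > "$1/krb.realms"
}

# Demonstration against a scratch copy of the configuration.
demo=$(mktemp -d) || exit 1
kiv_sample_config "$demo"
echo "local realm: $(kiv_local_realm "$demo/krb.conf")"
kiv_kdcs "$demo/krb.conf" GRONDAR.ZA
for h in grunt.grondar.za ns.grondar.za okeeffe.berkeley.edu Athena.MIT.EDU unknown.example.org; do
    printf '%-22s -> %s\n' "$h" "$(kiv_realm_of_host "$demo/krb.realms" "$demo/krb.conf" "$h")"
done
: > "$demo/master_key"   # simulate a leftover stash file from an old database
kiv_unexpected_files "$demo" || echo "stale Kerberos files found: run kdb_destroy (or delete them) first"
rm -rf "$demo"
```

On a real KDC you would point kiv_unexpected_files at /etc/kerberosIV and the lookup functions at the live krb.realms and krb.conf; a host that falls through to the local realm only because nothing matched is worth a second look, since a missing ``.domain'' line silently puts that host in GRONDAR.ZA.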

Now we are ready to create the database. This only needs to run on the Kerberos server (or Key Distribution Centre). Issue the kdb_init command to do this:

grunt# kdb_init
Realm name [default  ATHENA.MIT.EDU ]: GRONDAR.ZA
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

Enter Kerberos master key: 

Now we have to save the master key in a stash file, so that the Kerberos daemons on this machine can open the database when they start without the password being typed in. Use the kstash command to do this.

grunt# kstash

Enter Kerberos master key: 

Current Kerberos master key version is 1.

Master key entered.  BEWARE!

This saves the master key in /etc/kerberosIV/master_key. Treat that file as equivalent to the master password itself: the daemons read it without any further authentication, and anyone who can read it can decrypt every key in the principal database. It should be readable by root only, and the KDC host as a whole should be treated as the most sensitive machine in the realm.
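A check on the result of kdb_init and kstash, as an added shell example that is not part of the Handbook: it confirms that the stash file exists, is non-empty, has mode exactly 0600 and is owned by the expected user, and that a principal.* database file is present beside it. The expected owner is a parameter (root on a real KDC, the current user when testing), and the use of ls rather than stat is a portability choice, since stat's options differ between FreeBSD and GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the FreeBSD Handbook or from Kerberos IV.
# After kdb_init and kstash, /etc/kerberosIV should hold the new database
# (principal.*) and the stash file master_key.  The stash file is the
# master key in a form the daemons read without a password, so anything
# looser than a regular file owned by root with mode 0600 is a finding.

# kiv_perms FILE   -> the nine permission characters from ls -l, e.g. rw-------
#   ls is used instead of stat(1) because stat's flags differ between
#   FreeBSD (-f) and GNU coreutils (-c).
kiv_perms() { ls -ld "$1" | cut -c2-10; }

# kiv_owner FILE   -> owning user as shown by ls -l
kiv_owner() { ls -ld "$1" | awk '{print $3}'; }

# kiv_check_stash FILE OWNER
#   Return 0 if FILE is a regular, non-empty file owned by OWNER with mode
#   exactly 0600; otherwise print each finding and return 1.
kiv_check_stash() {
    f=$1 owner=$2 rc=0
    if [ ! -f "$f" ]; then
        echo "$f: missing; run kstash on the KDC"
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "$f: empty; kstash did not write a key"; rc=1
    fi
    perms=$(kiv_perms "$f")
    case $perms in
        rw-------) ;;
        *) echo "$f: mode is $perms, expected rw------- (chmod 600)"; rc=1 ;;
    esac
    if [ "$(kiv_owner "$f")" != "$owner" ]; then
        echo "$f: owned by $(kiv_owner "$f"), expected $owner"; rc=1
    fi
    return $rc
}

# kiv_db_present DIR
#   Return 0 if DIR contains master_key and at least one principal.* file.
kiv_db_present() {
    [ -f "$1/master_key" ] || return 1
    for p in "$1"/principal.*; do
        if [ -e "$p" ]; then return 0; fi
    done
    return 1
}

# Demonstration on a scratch directory with a constructed stand-in for the
# stash file (not a real key).  On a live KDC: kiv_check_stash /etc/kerberosIV/master_key root
demo=$(mktemp -d) || exit 1
me=$(id -un 2>/dev/null || id -u)
printf 'not a real key\n' > "$demo/master_key"
chmod 644 "$demo/master_key"
kiv_check_stash "$demo/master_key" "$me" || echo "-> fix the stash file before starting the daemons"
chmod 600 "$demo/master_key"
kiv_check_stash "$demo/master_key" "$me" && echo "-> stash file permissions look right"
kiv_db_present "$demo" || echo "-> no principal.* database next to the stash file yet"
rm -rf "$demo"
```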

