Configuring Novell Kerberos KDC Services

Configure the KDC server as follows:

  1. Create a realm as follows. From the /opt/novell/kerberos/sbin/ directory, enter the following:

    kdb5_util -D admin_dn create -subtree subtree

    For example,

    kdb5_util -D cn=admin,o=mit create -subtree o=mit

    You can also create a realm through iManager as follows:

    1. In Novell iManager, click the Roles and Tasks button.

    2. Select Kerberos Management > New Realm.

      For more information, refer to the online help available for all the screens in iManager.

    The realm gets created under the cn=kerberos container.

  2. Create the KDC, Administration, and Password service objects in eDirectory using the kdb5_util utility. The kdb5_util utility is present in the /opt/novell/kerberos/sbin/ directory:

    kdb5_util -D admin_dn create_service {-kdc | -admin | -pwd} -realm realm_list [-randpw|-fileonly] -f filename servicedn

    Use the same key file for all the services. Its path must also match the value of the ldap_service_password_file parameter in the /etc/krb5.conf file; otherwise the KDC cannot read the stashed service passwords.

    For example, to create a KDC server object:

    kdb5_util -D cn=admin,o=mit create_service -kdc -realm ATHENA.MIT.EDU -randpw -f /opt/novell/kerberos/keyfile cn=kdc-service,o=mit

    Similarly, create the Administration and Password service object.

    If you create the service objects using iManager, you must then run kdb5_util to set their passwords as follows:

    kdb5_util -D admin_dn setsrvpw [-randpw|-fileonly] [-f filename] service_dn

    For example, to set the password of the service objects:

    kdb5_util -D cn=admin,o=mit setsrvpw -randpw -f /opt/novell/kerberos/keyfile "cn=KDC Server - kerberos.mit.edu,o=mit"

    NOTE:  The service passwords are encrypted with NICI keys, so the keyfile cannot be moved to other hosts and used from there. As the encryption keys are specific to the hosts and are not accessible from browsers, iManager does not provide an option to stash the service passwords.

  3. Create the kadm5.acl file in /opt/novell/kerberos/kadm5.acl with "* *" as its content.

    Administrative privileges for the Kerberos data are stored in the kadm5.acl file.

    IMPORTANT:  Putting "* *" in the file grants all privileges to all principals; it is only a bootstrap setting. After creating a principal, you must update this file with the appropriate administrative privileges for that principal. For details, refer to the Novell Kerberos KDC Administration Guide.
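The two checks a practitioner wants after running steps 2 and 3 are that the key file passed with -f really is the one krb5.conf names in ldap_service_password_file, and that kadm5.acl has not been left at the wildcard "* *" once principals exist. The script below is an added example, not part of the Novell documentation or product: it builds the create_service command lines from the syntax shown above without executing kdb5_util, and runs both checks against constructed sample files (the krb5.conf fragment, the kadm5.acl contents and the temporary paths are assumptions made for the example).

```shell
#!/bin/sh
# Added example: consistency checks for the KDC setup steps above.
# Assumption: KRB5_CONF and KADM5_ACL are constructed sample files in a
# temporary directory; kdb5_util itself is never invoked here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KRB5_CONF="$WORK/krb5.conf"
KADM5_ACL="$WORK/kadm5.acl"

# Constructed krb5.conf fragment; only the parameter the guide names matters here.
cat > "$KRB5_CONF" <<'EOF'
[dbmodules]
    ldap_service_password_file = /opt/novell/kerberos/keyfile
EOF

# Constructed kadm5.acl exactly as step 3 tells you to create it.
printf '* *\n' > "$KADM5_ACL"

# Print the key file path krb5.conf expects (empty if the parameter is absent).
keyfile_from_krb5conf() {
    sed -n 's/^[[:space:]]*ldap_service_password_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only when the -f argument you intend to pass to kdb5_util matches krb5.conf.
check_keyfile_matches() {
    conf="$1"; wanted="$2"
    [ "$(keyfile_from_krb5conf "$conf")" = "$wanted" ]
}

# Succeed when kadm5.acl still grants every privilege to every principal ("* *"),
# i.e. the bootstrap state the IMPORTANT note says must be tightened.
kadm5_acl_is_wildcard() {
    grep -Eq '^[[:space:]]*\*[[:space:]]+\*[[:space:]]*$' "$1"
}

# Build one create_service command line from the guide's syntax (printed, not run).
# $1 admin DN, $2 service type (kdc|admin|pwd), $3 realm, $4 key file, $5 service DN
service_cmd() {
    printf 'kdb5_util -D %s create_service -%s -realm %s -randpw -f %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

KEYFILE=/opt/novell/kerberos/keyfile
if check_keyfile_matches "$KRB5_CONF" "$KEYFILE"; then
    # Same key file for all three services, as step 2 requires.
    service_cmd cn=admin,o=mit kdc   ATHENA.MIT.EDU "$KEYFILE" cn=kdc-service,o=mit
    service_cmd cn=admin,o=mit admin ATHENA.MIT.EDU "$KEYFILE" cn=admin-service,o=mit
    service_cmd cn=admin,o=mit pwd   ATHENA.MIT.EDU "$KEYFILE" cn=pwd-service,o=mit
else
    echo "key file $KEYFILE does not match ldap_service_password_file in $KRB5_CONF" >&2
fi

if kadm5_acl_is_wildcard "$KADM5_ACL"; then
    echo "WARNING: $KADM5_ACL grants all privileges to all principals; restrict it once principals exist" >&2
fi
```

Point KRB5_CONF and KADM5_ACL at the real /etc/krb5.conf and /opt/novell/kerberos/kadm5.acl to use the checks on a live KDC; the service DNs for the Administration and Password objects are placeholders chosen for the example.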