4.2 Kerberos Password Agent

The Kerberos Password Agent (KPA) synchronizes the Kerberos password with Universal Password based on the configuration at the realm and user levels. It is sufficient to install the KPA on one of the eDirectory servers with the writable replica of the Kerberos data.

To start the KPA, enter the following:

kpa -l

To stop the KPA, enter the following:

kpa -u

The messages logged by the Password Agent are displayed when the Misc tag is enabled in ndstrace. The messages are also logged in the log file that is configured for the eDirectory server.

IMPORTANT: The Kerberos Password Agent is not loaded automatically when the machine or eDirectory is restarted. It must be loaded manually.

Key Generation

The encryption types and salt type used by the Kerberos Password Agent to generate the Kerberos keys from the Universal Password are based on the following:

If the default key types are not configured for the realm, the key types used are DES3-HMAC-SHA1:NORMAL and DES-CBC-CRC:NORMAL.

For more information on the supported encryption and salt types, refer to Section B.0, Supported Encryption Types and Salt Types.