2.4 Configuring Novell Kerberos KDC Services

Configure the KDC server as follows:

  1. Create a realm. From the /opt/novell/kerberos/sbin/ directory, enter the following:

    kdb5_ldap_util -D admin_dn -H ldapuri create -subtrees subtree

    For example:

    kdb5_ldap_util -D cn=admin,o=mit -H ldaps://kerberos.mit.edu create -subtrees o=mit

    You can also create a realm through iManager as follows:

    1. In Novell iManager, click the Roles and Tasks button.

    2. Select Kerberos Management > New Realm.

      For more information, refer to the online help available in iManager.

      The realm is created under the cn=kerberos,cn=security container by default.

  2. Create the KDC, Administration, and Password service objects in eDirectory by using the kdb5_ldap_util utility. The kdb5_ldap_util utility is present in the /opt/novell/kerberos/sbin/ directory:

    kdb5_ldap_util -D admin_dn create_service {-kdc | -admin | -pwd} -realm realm_list [-randpw|-fileonly] -f filename servicedn

    The keyfile name for all the services should be the same. It also needs to match the value of the ldap_service_password_file parameter in the /etc/krb5.conf file.

    For example, to create a KDC server object:

    kdb5_ldap_util -D cn=admin,o=mit create_service -kdc -realm ATHENA.MIT.EDU -randpw -f /opt/novell/kerberos/keyfile "cn=kdc-service,o=mit"

    Similarly, create the Administration and Password service objects.

    If you are creating the service objects with iManager, you must run kdb5_ldap_util to set the passwords as follows:

    kdb5_ldap_util -D admin_dn setsrvpw [-randpw|-fileonly] [-f filename] service_dn

    For example, to set the password of the service objects:

    kdb5_ldap_util -D cn=admin,o=mit setsrvpw -randpw -f /opt/novell/kerberos/keyfile "cn=kdc-server,o=mit"

    The service passwords are encrypted with NICI keys, so the keyfile cannot be moved to other hosts and used from there. Because the encryption keys are specific to the hosts and are not accessible from browsers, iManager does not provide an option to cache the service passwords.

  3. Create the kadm5.acl file in /opt/novell/kerberos/kadm5.acl with "* *" as its content.

    Administrative privileges for the Kerberos data are stored in the kadm5.acl file.

    IMPORTANT: By using "* *" in the file, you give all privileges to all principals. After creating a principal, you must update this file with appropriate administrative privileges for that principal. For details, refer to the Novell Kerberos KDC Administration Guide.
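    A post-configuration check for the two points this section stresses: that the keyfile passed to kdb5_ldap_util -f is the same path as ldap_service_password_file in /etc/krb5.conf, and that kadm5.acl no longer carries the wide-open "* *" entry. This is an added example, not part of the Novell documentation; the krb5.conf and kadm5.acl contents are constructed so it runs offline, and the [dbmodules] placement of the parameter is an assumption.

```shell
#!/bin/sh
# Added example, not Novell's code. Checks the keyfile/krb5.conf agreement
# and the kadm5.acl wildcard described in section 2.4.

# Constructed sample files standing in for /etc/krb5.conf and
# /opt/novell/kerberos/kadm5.acl, so the checks can run anywhere.
CHK_DIR="$(mktemp -d)"
KRB5_CONF="$CHK_DIR/krb5.conf"
KADM5_ACL="$CHK_DIR/kadm5.acl"

cat > "$KRB5_CONF" <<'EOF'
[dbmodules]
    openldap_ldapconf = {
        ldap_service_password_file = /opt/novell/kerberos/keyfile
    }
EOF
printf '* *\n' > "$KADM5_ACL"

# Print the value of ldap_service_password_file from a krb5.conf (first match).
krb5_keyfile() {
    sed -n 's/^[[:space:]]*ldap_service_password_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the keyfile given to kdb5_ldap_util -f ($2) matches krb5.conf ($1).
keyfile_matches() {
    [ "$(krb5_keyfile "$1")" = "$2" ]
}

# Succeed if kadm5.acl ($1) still contains the all-principals, all-privileges
# entry "* *" on a non-comment line.
acl_is_wide_open() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq '^[[:space:]]*\*[[:space:]]+\*[[:space:]]*$'
}

if keyfile_matches "$KRB5_CONF" /opt/novell/kerberos/keyfile; then
    echo "OK: keyfile matches ldap_service_password_file in krb5.conf"
else
    echo "MISMATCH: keyfile differs from ldap_service_password_file"
fi
if acl_is_wide_open "$KADM5_ACL"; then
    echo "WARNING: kadm5.acl still grants all privileges to all principals"
fi
```

Point KRB5_CONF and KADM5_ACL at the real /etc/krb5.conf and /opt/novell/kerberos/kadm5.acl to check a live server.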