Managing a Service Principal

Creating a Service Principal for eDirectory

You must create a service principal for eDirectory in the same Kerberos realm as the users who use the Kerberos Login Method for NMAS, so that a single Kerberos identity lets them log in to both eDirectory and the KDC (that is, reach eDirectory services and Kerberized services with the same credentials). Your Kerberos administrator can help with this.

Use the Kerberos administration tool that ships with your KDC to create the eDirectory service principal with encryption type DES-CBC-CRC and salt type Normal. This is the only key type the login method uses, so the principal must not be left with the KDC's default (stronger) encryption types. Be aware that single DES is a deprecated, weak cipher: MIT Kerberos 1.8 and later refuse DES key types unless allow_weak_crypto = true is set in the [libdefaults] section of krb5.conf on the KDC and on every host that handles these keys, and MIT Kerberos 1.18 and later have removed DES support altogether. Check the KDC version before you start.

The name of the principal must be novledir/TREENAME@REALMNAME.

NOTE:   The TREENAME in novledir/TREENAME@REALMNAME must be in uppercase.

For example, if you are using MIT KDC, execute the following command:

kadmin: addprinc -e des-cbc-crc:normal novledir/MYTREE@MYREALM

For example, if you are using Heimdal KDC, execute the following command:

kadmin -l
kadmin> add --random-key novledir/MYTREE@MYREALM

Heimdal creates the principal with its default set of encryption types. Delete the ones the login method does not support, so that only des-cbc-crc remains on the principal:

kadmin> del_enctype novledir/MYTREE@MYREALM des-cbc-md4
kadmin> del_enctype novledir/MYTREE@MYREALM des-cbc-md5
kadmin> del_enctype novledir/MYTREE@MYREALM des3-cbc-sha1

where MYTREE is the tree name and MYREALM is the Kerberos realm. You can confirm the remaining key types with kadmin> get novledir/MYTREE@MYREALM, which lists them under Keytypes.


Extracting the Key of the Service Principal for eDirectory

Use the Kerberos administration tool that ships with your KDC to extract the key of the eDirectory service principal created in Creating a Service Principal for eDirectory and store it in a keytab file on the local file system. Your Kerberos administrator can help with this. The keytab contains the principal's long-term key, so create it with restrictive permissions, move it to the eDirectory server over a protected channel, and delete it once the key has been imported. Note also that MIT kadmin's ktadd generates a fresh random key and increments the key version number each time it runs, so run it once; any keytab extracted earlier for this principal is invalidated, and the copy held in eDirectory must then be updated as described in Setting a Password for the Kerberos Service Principal.

For example, if you are using an MIT KDC, execute the following command:

kadmin: ktadd -k /directory_path/keytabfilename -e des-cbc-crc:normal novledir/MYTREE@MYREALM

For example, if you are using a Microsoft KDC (Active Directory), create a user account novledirMYTREE in Active Directory and then execute the following command, where MYREALM is the Active Directory domain name in uppercase:

ktpass -princ novledir/MYTREE@MYREALM -mapuser novledirMYTREE -pass mypassword -out MYTREE.keytab

This command maps the principal (novledir/MYTREE@MYREALM) to the user account (novledirMYTREE), sets that account's password to mypassword, and writes the resulting key into the MYTREE.keytab file. Because the login method requires a DES-CBC-CRC key, add -crypto DES-CBC-CRC to the command and make sure the account has the Use Kerberos DES encryption types for this account option enabled; Windows Server 2008 R2 and later disable DES for Kerberos by default, so it must also be allowed in the domain's Kerberos encryption type policy. Using -pass * makes ktpass prompt for the password instead of leaving it in the shell history.

For example, if you are using Heimdal KDC, execute the following command:

kadmin> ext_keytab -k /directory_path/keytabfilename novledir/MYTREE@MYREALM

where keytabfilename is the name of the file that contains the extracted key, MYTREE is the treename, and MYREALM is the Kerberos realm.
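Before you import the extracted key into eDirectory, it is worth confirming that the keytab really holds the single key the login method expects: the principal novledir/TREENAME@REALMNAME with an uppercase tree name, key type des-cbc-crc (encryption type number 1) and one key version. klist -k -e -t on the eDirectory server shows this, but the following added example (not part of the eDirectory documentation or product) does the same check offline by parsing the MIT/Heimdal keytab file format (version 0x0502) directly. The sample keytabs at the bottom are constructed with dummy key bytes and are not real KDC keys; the file name check_keytab.py in the usage comment is an assumed name.

```python
"""Check a keytab extracted for novledir/TREENAME@REALMNAME before importing it.

Added example, not part of the eDirectory documentation. Parses the MIT/Heimdal
keytab format (version 0x0502, big-endian fields) and reports anything the
Kerberos Login Method for NMAS would reject: wrong or lowercase principal name,
key types other than des-cbc-crc, or several key versions for the principal.
"""
import struct
import sys

KEYTAB_VERSION = 0x0502      # current keytab file format
DES_CBC_CRC = 1              # RFC 3961 enctype number required by the login method
ENCTYPE_NAMES = {            # IANA Kerberos encryption type numbers
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string; return (bytes, next_pos)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return bytes(buf[pos:pos + length]), pos + length


def parse_keytab(data):
    """Return one dict per live entry: principal, enctype, kvno and key bytes."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed: a negative size marks a deleted slot
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)   # keyblock: enctype, then counted key
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                                # optional 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": etype, "kvno": kvno, "key": key})
        pos = end
    return entries


def write_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples; used here to build sample data."""
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for principal, etype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for field in [realm] + comps:
            raw = field.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_edirectory_keytab(data, tree, realm):
    """Return a list of problems; an empty list means the keytab is what NMAS expects."""
    wanted = "novledir/%s@%s" % (tree.upper(), realm)
    entries = parse_keytab(data)
    problems = []
    matching = [e for e in entries if e["principal"] == wanted]
    if not matching:
        found = ", ".join(sorted({e["principal"] for e in entries})) or "none"
        problems.append("no key for %s (found: %s)" % (wanted, found))
    for e in entries:
        if e["principal"] != wanted and e["principal"].lower() == wanted.lower():
            problems.append("%s differs from %s only by case; the tree name must be uppercase"
                            % (e["principal"], wanted))
        if e["enctype"] != DES_CBC_CRC:
            problems.append("%s: enctype %s is not des-cbc-crc"
                            % (e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    if len({e["kvno"] for e in matching}) > 1:
        problems.append("%s has several key versions; extract the keytab once, after the last key reset" % wanted)
    return problems


# Constructed sample keytabs with dummy key bytes (not real KDC keys).
SAMPLE_GOOD = write_keytab([("novledir/MYTREE@MYREALM", DES_CBC_CRC, 3, bytes(range(8)))])
SAMPLE_BAD = write_keytab([
    ("novledir/mytree@MYREALM", DES_CBC_CRC, 3, bytes(range(8))),   # lowercase tree name
    ("novledir/MYTREE@MYREALM", 16, 3, bytes(range(24))),           # des3 key left on the principal
])

if __name__ == "__main__":
    # Usage: python3 check_keytab.py /directory_path/keytabfilename MYTREE MYREALM
    if len(sys.argv) == 4:
        path, tree, realm = sys.argv[1:]
        with open(path, "rb") as fh:
            data = fh.read()
    else:
        data, tree, realm = SAMPLE_BAD, "MYTREE", "MYREALM"
    for e in parse_keytab(data):
        print("%-28s kvno=%d enctype=%s" % (e["principal"], e["kvno"],
                                            ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    for problem in check_edirectory_keytab(data, tree, realm):
        print("PROBLEM:", problem)
```

Run without arguments it checks the constructed bad sample and reports the lowercase tree name and the leftover des3 key; with a real keytab path, tree name and realm it checks that file. A keytab that passes with no problems is the one to supply on the Set Principal Password page.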


Creating a Service Principal Object in eDirectory

You must create a Kerberos service principal object in eDirectory with the same name (novledir/TREENAME@REALMNAME) as the principal you created in the KDC in Creating a Service Principal for eDirectory.


Best Practice

Service principals for eDirectory must be readily accessible to all servers enabled for the Kerberos Login Method for NMAS. If these eDirectory service principals are not created under the Kerberos Realm container inside the Security container, we strongly recommend that you make the container that holds them a separate partition and replicate that partition widely.

  1. In iManager, click Kerberos Management > New Principal to open the New Principal page.

  2. Specify the name of the principal that is to be created.

    The principal name must be in the format novledir/TREENAME@REALMNAME.

  3. Specify the name of the container where the principal object is to be created or use the Object Selector icon to select it.

  4. Specify the name of the realm.

    If you have already specified the realm name in Step 2, leave this field blank.

  5. Do either of the following:

  6. Click OK.


Viewing the Kerberos Service Principal Keys

This task helps you view the keys of an existing Kerberos service principal.

  1. In iManager, click Kerberos Management > View Principal Keys to open the View Principal Keys page.

  2. Specify the name of the principal whose keys are to be viewed or use the Object Selector icon to select it.

    The following information about the principal keys is displayed:

  3. Click OK.


Deleting a Kerberos Service Principal Object

This task helps you delete an existing Kerberos service principal.

You can select a single object, multiple objects, or perform an advanced selection of the principal objects to be deleted.


To delete a single principal object:

  1. In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.

  2. Click Select a single object.

  3. Specify the name of the principal object that is to be deleted or use the Object Selector icon to select it.

  4. Click OK.

  5. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.


To delete multiple principal objects:

  1. In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.

  2. Click Select multiple objects.

  3. Specify the name of the principal objects that are to be deleted or use the Object Selector icon to select them.

  4. Select the principal that must be deleted.

  5. Click OK.

  6. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.


To delete a principal using advanced selection:

  1. In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.

  2. Click Advanced Selection.

  3. Select the object class.

  4. Specify the container that contains the principal object or use the Object Selector icon to select it.

  5. Click Include sub-containers to include the sub-containers of the container specified in Step 4.

  6. Click Configure to open the Advanced Selection Criteria window.

  7. Select the type of attribute and the operator from the drop-down list and provide the corresponding values.

  8. Click Add row to include more logic groups in the selection.

  9. Click OK to set the filter.

  10. Click Show preview to display the preview of the advanced selection.

  11. Click OK.

  12. Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.


Setting a Password for the Kerberos Service Principal

This task helps you set the password of an existing Kerberos service principal.

If the eDirectory service principal key has been reset in your KDC (for example, by running ktadd again), you must update the key for this principal in eDirectory as well. The copy in eDirectory must match the key and key version number held by the KDC; otherwise the servers cannot decrypt the service tickets that the KDC issues for novledir/TREENAME@REALMNAME, and Kerberos logins fail.

For information on extracting the key, refer to Extracting the Key of the Service Principal for eDirectory.

  1. In iManager, click Kerberos Management > Set Principal Password to open the Set Principal Password page.

  2. Select the name of the principal object for which an individual password has to be set or use the Object Selector icon to select it.

  3. Specify the keytab filename or click Browse to browse the location where the keytab file is stored.

  4. Do either of the following:

  5. Click OK to set the password.

  6. (Optional) To set the password for another principal, click Repeat Task.