You must create a service principal for eDirectory in the same Kerberos realm as the users who use the Kerberos Login Method for NMAS, so that those users can log in to both eDirectory and the KDC (that is, reach both the eDirectory services and the Kerberized services) with one identity. Your Kerberos administrator can help with this.
Use the Kerberos administration tool that is available with your KDC to create the eDirectory service principal with the encryption type DES-CBC-CRC and the salt type Normal. Be aware that single-DES is a deprecated enctype (RFC 6649): current MIT KDCs refuse it unless allow_weak_crypto = true is set in krb5.conf, and its 56-bit key is far weaker than the AES keys used for the rest of the realm. Restrict this principal to exactly the enctype required and nothing else, and do not relax the realm-wide enctype policy for it.
The name of the principal must be novledir/TREENAME@REALMNAME.
NOTE: The TREENAME in novledir/TREENAME@REALMNAME must be in uppercase.
For example, if you are using an MIT KDC, execute the following command at the kadmin prompt (addprinc prompts for a password; the -randkey option gives the principal a random key instead, which is preferable for a service key that no person ever types):
kadmin: addprinc -e des-cbc-crc:normal novledir/MYTREE@MYREALM
For example, if you are using a Heimdal KDC, start kadmin in local mode and add the principal with a random key:
kadmin -l
kadmin> add --random-key novledir/MYTREE@MYREALM
Because --random-key creates a key for every enctype in the KDC's default key list, delete the encryption types that the Kerberos Login Method for NMAS does not support, so that only des-cbc-crc remains:
kadmin> del_enctype novledir/MYTREE@MYREALM des-cbc-md4
kadmin> del_enctype novledir/MYTREE@MYREALM des-cbc-md5
kadmin> del_enctype novledir/MYTREE@MYREALM des3-cbc-sha1
where MYTREE is the treename and MYREALM is the Kerberos realm.
Use the Kerberos administration tool that is available with your KDC to extract the key of the eDirectory service principal created in Creating a Service Principal for eDirectory and store it in a keytab file on the local file system. Your Kerberos administrator can help with this. The keytab contains the principal's long-term key, so create it with restrictive permissions, transfer it only over a protected channel, and delete it once it has been imported into eDirectory.
For example, if you are using an MIT KDC, execute the following command:
kadmin: ktadd -k /directory_path/keytabfilename -e des-cbc-crc:normal novledir/MYTREE@MYREALM
For example, if you are using a Microsoft KDC (Active Directory), create a user account novledirMYTREE in Active Directory and then execute the following command:
ktpass -princ novledir/MYTREE@MYREALM -mapuser novledirMYTREE -pass mypassword -out MYTREE.keytab
This command maps the principal (novledir/MYTREE@MYREALM) to the user account (novledirMYTREE), resets the account password to mypassword, and writes the derived key into the MYTREE.keytab file. Because Active Directory disables single-DES for accounts by default, the account must first be permitted to use DES (the "Use Kerberos DES encryption types for this account" option); the -crypto DES-CBC-CRC and -ptype KRB5_NT_PRINCIPAL switches of ktpass select the key type and principal type that match the enctype required above.
For example, if you are using Heimdal KDC, execute the following command:
kadmin> ext_keytab -k /directory_path/keytabfilename novledir/MYTREE@MYREALM
where keytabfilename is the name of the file that contains the extracted key, MYTREE is the treename, and MYREALM is the Kerberos realm.
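Before the extracted keytab is uploaded into eDirectory it is worth confirming that it really holds only what the two procedures above require: one entry for novledir/TREENAME@REALMNAME (uppercase tree name, as the NOTE in Creating a Service Principal for eDirectory demands) with a single des-cbc-crc key, and none of the enctypes that were supposed to be deleted. The following script is an added example and is not part of the eDirectory documentation or product; it assumes the MIT keytab file format (version 0x0502), which kadmin ktadd and Heimdal ext_keytab write, and the sample keytab it checks is constructed inline with a throw-away key rather than a real credential. The same check applies to the keytab fed to Set Principal Password later on this page.

```python
"""Verify a keytab extracted for the eDirectory service principal before it is
uploaded through iManager.  Added example, not from the eDirectory documentation
or product: it parses the MIT keytab format (version 0x0502) and checks that the
file holds exactly novledir/TREENAME@REALMNAME with one des-cbc-crc key.  The
sample keytab is constructed inline with a throw-away key, not a real credential."""
import struct

DES_CBC_CRC = 1        # enctype number for des-cbc-crc (RFC 3961)
KRB5_NT_PRINCIPAL = 1  # name type kadmin assigns to service principals

def edir_principal(tree, realm):
    """Build novledir/TREENAME@REALMNAME, enforcing the uppercase tree name."""
    if not tree or tree != tree.upper() or "/" in tree:
        raise ValueError("TREENAME must be non-empty uppercase: %r" % tree)
    if not realm or "@" in realm:
        raise ValueError("malformed realm: %r" % realm)
    return "novledir/%s@%s" % (tree, realm)

def _counted(b):  # keytab counted octet string: 16-bit big-endian length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Write a 0x0502 keytab; entries are (principal, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)              # keyblock
        body += struct.pack(">I", kvno)                                 # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

class _Cursor:
    """Bounded reader: a corrupt entry raises instead of reading past its slot."""
    def __init__(self, buf, start, end):
        self.buf, self.pos, self.end = buf, start, end
    def take(self, n):
        if self.pos + n > self.end:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def counted(self): return self.take(self.u16())

def parse_keytab(data):
    """Return [{principal, kvno, enctype, key}, ...] from a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:           # negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        cur = _Cursor(data, pos, pos + size)
        ncomp = cur.u16()
        realm = cur.counted().decode()
        comps = [cur.counted().decode() for _ in range(ncomp)]
        cur.u32(), cur.u32()   # name type and timestamp, not needed here
        vno8, enctype, key = cur.u8(), cur.u16(), cur.counted()
        vno32 = cur.u32() if cur.end - cur.pos >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno32 or vno8, "enctype": enctype, "key": key})
        pos = cur.end
    return entries

def check_edir_keytab(data, tree, realm):
    """Return problems found; an empty list means the keytab is as the page requires."""
    want = edir_principal(tree, realm)
    entries = parse_keytab(data)
    problems = [] if any(e["principal"] == want for e in entries) else ["no entry for " + want]
    for e in entries:
        if e["principal"] != want:
            problems.append("unexpected principal %s in keytab" % e["principal"])
        elif e["enctype"] != DES_CBC_CRC:
            problems.append("%s has enctype %d; only des-cbc-crc (1) is supported" % (want, e["enctype"]))
        elif len(e["key"]) != 8:
            problems.append("des-cbc-crc key must be 8 bytes, got %d" % len(e["key"]))
        elif any(bin(b).count("1") % 2 == 0 for b in e["key"]):
            problems.append("key bytes lack the odd parity of a DES key")
    return problems

# Constructed throw-away key; every byte has odd parity, as a DES key must.
SAMPLE_KEY = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])

def demo():
    """A correct keytab next to one where des3-cbc-sha1 (enctype 16) was not deleted."""
    good = build_keytab([("novledir/MYTREE@MYREALM", 3, DES_CBC_CRC, SAMPLE_KEY)])
    stale = build_keytab([("novledir/MYTREE@MYREALM", 3, DES_CBC_CRC, SAMPLE_KEY),
                          ("novledir/MYTREE@MYREALM", 3, 16, bytes(24))])
    return check_edir_keytab(good, "MYTREE", "MYREALM"), check_edir_keytab(stale, "MYTREE", "MYREALM")
```

To check a real file, read it in binary mode and pass the bytes to check_edir_keytab with your tree and realm names; an empty list is the only acceptable result. The parity test is a cheap sanity check that the 8 bytes are actually a DES key rather than, say, a truncated AES key; it does not make DES any stronger, and the enctype check is the one that matters for the KDC.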
In eDirectory, you must create a Kerberos service principal with the same name (novledir/TREENAME@REALMNAME) as the one specified in Creating a Service Principal for eDirectory.
Service principals for eDirectory must be readily accessible to all servers enabled for Kerberos Login Method for NMAS. If these eDirectory service principals are not created under the Kerberos Realm container inside the Security container, we strongly recommend that you create the container that contains these eDirectory service principals as a separate partition, and that the container be widely replicated.
In iManager, click Kerberos Management > New Principal to open the New Principal page.
Specify the name of the principal that is to be created.
The principal name must be in the format novledir/TREENAME@REALMNAME.
Specify the name of the container where the principal object is to be created or use the Object Selector icon to select it.
Specify the name of the realm.
If you have already specified the realm name in Step 2, leave this field blank.
Do either of the following:
Specify the keytab file. This is the file that contains the key extracted in Extracting the Key of the Service Principal for eDirectory.
Specify the password and the encryption type/salt type. The password and the encryption type/salt type combination must be the same as those specified when creating the service principal in the KDC database.
Click OK.
This task helps you view the keys of an existing Kerberos principal.
In iManager, click Kerberos Management > View Principal Keys to open the View Principal Keys page.
Specify the name of the principal key that is to be viewed or use the Object Selector icon to select it.
The following information about the principal keys is displayed:
Click OK.
This task helps you delete an existing Kerberos service principal.
You can select a single object, multiple objects, or perform an advanced selection of the principal objects to be deleted.
In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.
Click Select a single object.
Specify the name of the principal object that is to be deleted or use the Object Selector icon to select it.
Click OK.
Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.
Click Select multiple objects.
Specify the name of the principal objects that are to be deleted or use the Object Selector icon to select them.
Select the principal that must be deleted.
Click OK.
Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
In iManager, click Kerberos Management > Delete Principal to open the Delete Principal page.
Click Advanced Selection.
Select the object class.
Specify the container that contains the principal object or use the Object Selector icon to select it.
Click Include sub-containers to include the sub-containers of the container specified in Step 3.
Click to open the Advanced Selection Criteria window.
Select the type of attribute and the operator from the drop-down list and provide the corresponding values.
Click Add row to add more logic groups to the selection.
Click OK to set the filter.
Click Show preview to display the preview of the advanced selection.
Click OK.
Click OK again to confirm the delete operation or click Cancel to cancel the delete operation.
This task helps you set the password of an existing Kerberos service principal.
If the eDirectory service principal key has been reset in your KDC, you must update the key for this principal in eDirectory also.
For information on extracting the key, refer to Extracting the Key of the Service Principal for eDirectory.
In iManager, click Kerberos Management > Set Principal Password to open the Set Principal Password page.
Select the name of the principal object for which an individual password has to be set or use the Object Selector icon to select it.
Specify the keytab filename or click Browse to browse the location where the keytab file is stored.
Do either of the following:
NOTE: For more information on creating service principals and extracting their keys, refer to Creating a Service Principal for eDirectory and Extracting the Key of the Service Principal for eDirectory.
Click OK to set the password.
(Optional) To set the password for another principal, click Repeat Task.