Managing Realms
You can manage realms by using the kdb5_util utility.
This section provides information about the following:
Creating a Realm
You can create a realm using either of the following methods:
Command Line
Use the following syntax to create a realm:
kdb5_util [-D user_dn] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
create [-subtree subtree_dn] [-sscope search_scope]
[-ldapdn ldap_server_list] [-kdcdn kdc_service_list]
[-admindn admin_service_list] [-pwddn passwd_service_list]
[-enctypes supported_enc_types] [-defenctype default_enc_type]
[-salttypes supported_salt_types] [-defsalttype default_salt_type]
[-policy policy_dn] [-up]
[-k mkeytype] [-m|-P password|-f stashfilename]
[-r realm]
For example:
kdb5_util -r ATHENA.MIT.EDU -D cn=admin,o=org -h ldap-server1.mit.edu create \
    -sscope 2 -kdcdn cn=service-kdc,o=org:cn=service-kdc2,o=org \
    -enctypes des-cbc-crc:des3-cbc-sha1 -defenctype des3-cbc-sha1 \
    -salttypes normal:onlyrealm -defsalttype normal -policy cn=rpolicy,o=org
Output of the above command:
Password for "cn=admin,o=org":
Initializing database for realm 'ATHENA.MIT.EDU'
Enter KDC database master key:
Re-enter KDC database master key to verify:
Table 18. Create Realm Parameter Description
Parameter | Description
-subtree | Subtree where principals and other Kerberos objects in the realm are placed.
-sscope | Scope for searching the principals under the specified subtree. The possible values are 1 or one (one level) and 2 or sub (subtree).
-ldapdn | List of LDAP servers that the Kerberos servers (KDC and administration servers) can contact. The list contains the DNs of the LDAP servers separated by a colon (:).
-kdcdn | List of KDC Service objects serving the realm. The list contains the DNs of the KDC Service objects separated by a colon (:).
-admindn | List of Administration Service objects serving the realm. The list contains the DNs of the Administration Service objects separated by a colon (:).
-pwddn | List of Password Service objects serving the realm. The list contains the DNs of the Password Service objects separated by a colon (:).
-enctypes | Encryption types supported by the realm. This is a colon-separated list.
-defenctype | Default encryption type for the realm. It must also be one of the supported encryption types.
-salttypes | Salt types supported by the realm. This is a colon-separated list.
-defsalttype | Default salt type for the realm.
-policy | Reference to a policy object (DN) that applies to all the principals in the realm.
-up | Use the universal password of the user as the Kerberos password for the principals in the realm.
-k | Encryption type of the master key in the database. The default is the type given in the krb5.conf file.
-m | Read the master password from the keyboard rather than from a file or disk.
-P | Master password.
-f | Stash file of the master password.
-r | Kerberos realm. By default, the default_realm parameter of the krb5.conf file is used.
iManager
- In Novell iManager, click the Roles and Tasks button.
- Click Kerberos Management > New Realm.
Refer to the iManager online help for more information.
Modifying a Realm
You can modify the realm using either of the following methods:
Command Line
Use the following syntax to modify a realm:
kdb5_util [-D user_dn] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
modify [-subtree subtree_dn] [-sscope search_scope]
[-ldapdn ldap_server_list | [-clearldapdn ldap_server_list]
[-addldapdn ldap_server_list]] [-kdcdn kdc_service_list |
[-clearkdcdn kdc_service_list] [-addkdcdn kdc_service_list]]
[-admindn admin_service_list | [-clearadmindn admin_service_list]
[-addadmindn admin_service_list]] [-pwddn passwd_service_list |
[-clearpwddn passwd_service_list] [-addpwddn passwd_service_list]]
[-enctypes supported_enc_types | [-clearenctypes enc_type_list]
[-addenctypes enc_type_list]] [-defenctype default_enc_type]
[-salttypes supported_salt_types | [-clearsalttypes salt_type_list]
[-addsalttypes salt_type_list]] [-defsalttype default_salt_type]
[-policy policy_dn|-clearpolicy] [-up|-clearup] [-r realm]
For example:
kdb5_util -r ATHENA.MIT.EDU -D cn=admin,o=org modify -sscope 1 \
    -clearkdcdn cn=service-kdc1,o=org:cn=service-kdc2,o=org \
    -addkdcdn cn=service-kdc3,o=org:cn=service-kdc4,o=org \
    -enctypes des3-hmac-sha1:des-cbc-md5 -defenctype des3-hmac-sha1 \
    -addsalttypes v4:special -clearpolicy -up
Output of the above command:
Password for "cn=admin,o=org":
Table 19. Modify Realm Parameter Description
Parameter | Description
-subtree | Subtree containing principals and other Kerberos objects in the realm.
-sscope | Scope for searching the principals under the specified subtree. The possible values are 1 or one (one level) and 2 or sub (subtree).
-ldapdn | List of LDAP servers that the Kerberos servers (KDC and administration servers) can contact. The list contains the DNs of the LDAP servers separated by a colon (:).
-clearldapdn | List of LDAP servers to remove from the list. The list contains the DNs of the LDAP servers separated by a colon (:).
-addldapdn | List of LDAP servers to add to the list. The list contains the DNs of the LDAP servers separated by a colon (:).
-kdcdn | List of KDC Service objects serving the realm. The list contains the DNs of the KDC Service objects separated by a colon (:).
-clearkdcdn | List of KDC Service objects to remove from the list. The list contains the DNs of the KDC Service objects separated by a colon (:).
-addkdcdn | List of KDC Service objects to add to the list. The list contains the DNs of the KDC Service objects separated by a colon (:).
-admindn | List of Administration Service objects serving the realm. The list contains the DNs of the Administration Service objects separated by a colon (:).
-clearadmindn | List of Administration Service objects to remove from the list. The list contains the DNs of the Administration Service objects separated by a colon (:).
-addadmindn | List of Administration Service objects to add to the list. The list contains the DNs of the Administration Service objects separated by a colon (:).
-pwddn | List of Password Service objects serving the realm. The list contains the DNs of the Password Service objects separated by a colon (:).
-clearpwddn | List of Password Service objects to remove from the list. The list contains the DNs of the Password Service objects separated by a colon (:).
-addpwddn | List of Password Service objects to add to the list. The list contains the DNs of the Password Service objects separated by a colon (:).
-enctypes | Encryption types supported by the realm. This is a colon-separated list.
-clearenctypes | Encryption types to remove from the realm's supported encryption types list. This is a colon-separated list.
-addenctypes | Encryption types to add to the realm's supported encryption types list. This is a colon-separated list.
-defenctype | Default encryption type for the realm.
-salttypes | Salt types supported by the realm. This is a colon-separated list.
-clearsalttypes | Salt types to remove from the realm's supported salt types list. This is a colon-separated list.
-addsalttypes | Salt types to add to the realm's supported salt types list. This is a colon-separated list.
-defsalttype | Default salt type for the realm.
-policy | Reference to a policy object (DN) that applies to all the principals in the realm.
-up | Use the universal password of the user as the Kerberos password for the principals in the realm.
-clearup | Stop using the universal password of the user as the Kerberos password.
-r | Kerberos realm. By default, the default_realm parameter of the krb5.conf file is used.
iManager
- In Novell iManager, click the Roles and Tasks button.
- Click Kerberos Management > Edit Realm.
Refer to the iManager online help for more information.
Modifying the subtree for a realm
If you change the subtree for a realm, the Kerberos service objects (KDC, Admin Server and Password Server) are not automatically granted the appropriate rights over the new subtree.
For example, if the subtree for the realm "ATHENA.MIT.EDU" is "ou=students,o=mit" and you change it to "o=mit", the service objects that represent the Kerberos services for your realm are not automatically assigned rights over "o=mit".
To reassign the rights over the new subtree, follow these steps:
- Stop the Kerberos services.
- Destroy the service objects.
- Create the service objects again.
- Start the Kerberos services.
Modifying the search scope for a realm
If you modify the sscope for a realm, the objects created previously under the old scope still exist.
For example, if your subtree is "o=mit", which has a container "ou=students,o=mit", and you change the search scope from "sub" to "one", the Kerberos principal objects that were created under "ou=students,o=mit" still exist but are no longer within the search scope.
Viewing a Realm
Use the following syntax to view realms:
kdb5_util [-D user_dn] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
view [-r realm]
For more information on the parameters, refer to Table 18, Create Realm Parameter Description.
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu view -r ATHENA.MIT.EDU
Output of the above command:
Password for "cn=admin,o=org":
Realm Name: ATHENA.MIT.EDU
Subtree: ou=hr,o=org
SearchScope: SUB
KDC Services: cn=service-kdc1,o=org
Admin Services: cn=admin-service,o=org
Supported Enc Types: DES cbc mode with CRC-32
DES cbc mode with RSA-MD4
DES cbc mode with RSA-MD5
Triple DES cbc mode with HMAC/sha1
AES-128 CTS mode with 96-bit SHA-1 HMAC
AES-256 CTS mode with 96-bit SHA-1 HMAC
ArcFour with HMAC/md5
Default Enc Type: Triple DES cbc mode with HMAC/sha1
Supported Salt Types: Version 5
Version 4
Version 5 - No Realm
Version 5 - Realm Only
Special
Default Salt Type: Version 5
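The view output above lists the realm's supported and default encryption types by name, which makes it a convenient place to check for legacy algorithms (single DES, triple DES, RC4) before and after a modify. The following POSIX shell script is an added example, not part of kdb5_util or the Novell documentation; SAMPLE_VIEW is a constructed transcript modelled on the view output above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: flag legacy enctypes in "kdb5_util ... view -r REALM" output.
# SAMPLE_VIEW is a constructed transcript modelled on the view output above, not a real capture.
SAMPLE_VIEW='Realm Name: ATHENA.MIT.EDU
Supported Enc Types: DES cbc mode with CRC-32
DES cbc mode with RSA-MD5
Triple DES cbc mode with HMAC/sha1
AES-256 CTS mode with 96-bit SHA-1 HMAC
ArcFour with HMAC/md5
Default Enc Type: Triple DES cbc mode with HMAC/sha1
Supported Salt Types: Version 5
Default Salt Type: Version 5'

# Legacy families as kdb5_util prints them: single DES, triple DES, RC4 (ArcFour).
LEGACY_RE='^(DES |Triple DES|ArcFour)'

# weak_enctypes: read view output on stdin and print every legacy entry under
# "Supported Enc Types"; the list continues line by line until "Default Enc Type".
weak_enctypes() {
    awk -v re="$LEGACY_RE" '
        /^Supported Enc Types:/ { inlist = 1; sub(/^Supported Enc Types: */, "") }
        /^Default Enc Type:/    { inlist = 0 }
        inlist && $0 ~ re       { print }'
}

# weak_default: print the "Default Enc Type" value only when it is a legacy type.
weak_default() {
    awk -v re="$LEGACY_RE" '/^Default Enc Type:/ { sub(/^Default Enc Type: */, ""); if ($0 ~ re) print }'
}

# count_weak VIEW_TEXT: number of legacy entries in the supported list.
count_weak() {
    printf '%s\n' "$1" | weak_enctypes | wc -l | tr -d ' '
}

# audit_realm VIEW_TEXT: print findings; return 1 when anything legacy is configured,
# so the function can gate a periodic configuration check.
audit_realm() {
    weak=$(printf '%s\n' "$1" | weak_enctypes)
    def=$(printf '%s\n' "$1" | weak_default)
    if [ -z "$weak" ] && [ -z "$def" ]; then
        echo "OK: no legacy enctypes in realm configuration"
        return 0
    fi
    [ -n "$weak" ] && printf '%s\n' "$weak" | sed 's/^/WARN supported legacy enctype: /'
    [ -n "$def" ] && echo "WARN default enctype is legacy: $def"
    return 1
}
audit_realm "$SAMPLE_VIEW" || echo "Remediate with: kdb5_util ... modify -clearenctypes <list> -defenctype <aes type>"
```

In practice the view output would be piped in from kdb5_util instead of the constructed sample, and the -clearenctypes and -defenctype options from Table 19 are used to apply the fix.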
Destroying a Realm
You can destroy a realm using either of the following methods:
Command Line
Use the following syntax to destroy a realm:
kdb5_util [-D user_dn] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
destroy [-f] [-r realm]
For more information on the parameters, refer to Table 18, Create Realm Parameter Description.
For example:
kdb5_util -D cn=admin,o=org -h ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
Output of the above command:
Password for "cn=admin,o=org":
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? yes
OK, deleting database of 'ATHENA.MIT.EDU'...
** Database of 'ATHENA.MIT.EDU' destroyed.
The principals associated with this realm are also deleted.
iManager
- In Novell iManager, click the Roles and Tasks button.
- Click Kerberos Management > Delete Realm.
Refer to the iManager online help for more information.
Listing Realms
Use the following syntax to list realms:
kdb5_util [-D user_dn] [-h ldap_server]
[-p ldap_port] [-t trusted_cert]
list
For more information on the parameters, refer to Table 18, Create Realm Parameter Description.
For example:
kdb5_util -D cn=admin,o=org list
Output of the above command:
Password for "cn=admin,o=org":
NovellRealm
MYREALM
ATHENA.MIT.EDU
MEDIA-LAB.MIT.EDU