12/10/96, 4FAX# 1073

How to Rebuild the Kerberos Database

SPECIAL NOTICES

Information in this document is correct to the best of our knowledge at the time of this writing. Please send feedback by fax to "AIXServ Information" at (512) 823-4009.

Please use this information with care. IBM will not be responsible for damages of any kind resulting from its use. The use of this information is the sole responsibility of the customer and depends on the customer's ability to evaluate and integrate this information into the customer's operational environment.

ABOUT THIS DOCUMENT

The following procedure outlines how to destroy the Kerberos database on the IBM RISC System/6000 Scalable POWERparallel System and then rebuild it.

This procedure applies to:

o Parallel System Support Programs Version 1.2
o Parallel System Support Programs Version 2.1
o AIX 3.2.5 and later
o AIX 4.1.3 and later

ABOUT THIS PROCEDURE

The following are possible reasons for rebuilding the Kerberos database:

o the database has become corrupted
o problems occur when configuring the database with /usr/lpp/ssp/bin/setup_authent
o the hostname of any of the nodes or of the control workstation is changed
o name resolution is switched from DNS to /etc/hosts or vice versa

STEPS

At the control workstation (CW), log in as root and execute the following commands:

1. /usr/lpp/ssp/kerberos/bin/kdestroy

   The kdestroy command destroys the user's authentication tickets, which are located in /tmp/tkt<uid>.

2. /usr/lpp/ssp/kerberos/etc/kdb_destroy

   The kdb_destroy command destroys the Kerberos authentication database, which is located in /var/kerberos/*.

3. rm /etc/krb*

   This removes the following files:

   o krb-srvtab: contains the keys for services on the nodes
   o krb.conf: contains the SP authentication configuration
   o krb.realms: specifies the translations from host names to authentication realms

4. rm /.klogin

   This removes the .klogin file, which contains the list of principals that are authorized to invoke processes as the root user with the SP authenticated remote commands (rsh, rcp).

5. rm /.k

   This removes the Kerberos master key cache file.

6. rm /var/kerberos/database/*

   This command ensures that the authentication database files are completely removed.

7. /usr/lpp/ssp/bin/setup_authent

   This command configures SP authentication services. Executing it starts an interactive dialog in which various utility programs are invoked to accomplish the configuration. (Refer to Chapter 1, "Understanding RS/6000 SP Installation", of the IBM RISC System/6000 Scalable POWERparallel Systems Installation Guide.)

8. /usr/lpp/ssp/bin/setup_server

   This command adds the necessary remote command (RCMD) principals for the nodes to the Kerberos database, based on what is defined in the SDR for those nodes.

9. The final step is propagating the new /etc/krb-srvtab files onto the nodes. This can be done automatically (requires a netboot of AIX 3.2.5 nodes or a reboot of AIX 4.1 nodes) or manually, as described below.

   AUTOMATICALLY (requires a netboot of AIX 3.2.5 nodes or a reboot of AIX 4.1 nodes):

   a. execute the "smitty node_data" command
   b. select BOOT/INSTALL/usr SERVER INFORMATION
   c. enter START FRAME, START SLOT, and NODE COUNT or NODE LIST
   d. set RESPONSE FROM SERVER TO BOOTP REQUEST to "customize"
   e. verify that RUN SETUP SERVER ON THE CW is set to "yes"
   f. press Enter to execute setup_server

   FOR AIX 3.2.5 NODES

   a. use the System Monitor GUI to shut down the nodes
   b. use the System Monitor GUI to netboot the nodes

   (The shutdown and netboot steps are detailed in Chapter 1, "Understanding RS/6000 SP Installation", of the IBM RISC System/6000 Scalable POWERparallel Systems Installation Guide.)

   FOR AIX 4.1 NODES

   a. shut down and reboot the nodes (DO NOT use netboot)

   MANUALLY (a reboot of the nodes is NOT required):

   a. execute the "smitty node_data" command
   b. select BOOT/INSTALL/usr SERVER INFORMATION
   c. enter START FRAME, START SLOT, and NODE COUNT or NODE LIST
   d. set RESPONSE FROM SERVER TO BOOTP REQUEST to "customize"
   e. verify that RUN SETUP SERVER ON THE CW is set to "yes"
   f. press Enter to execute setup_server
   g. on the CW, cd into the /tftpboot directory and verify that there is a -new-srvtab file for each node
   h. ftp each node's respective /tftpboot/<hostname>-new-srvtab file from the CW to the node and rename it to /etc/krb-srvtab on the node
   i. set the nodes back to disk via SMIT node_data on the control workstation

   NOTE: when using FTP, make sure to do the transfer in binary mode. The srvtab is a binary file containing the node's service keys; an ASCII-mode transfer alters it and the node will not be able to authenticate.

Once the nodes are customized with the new /etc/krb-srvtab, you can test the functionality of Kerberos by obtaining a ticket (kinit root.admin) and executing the "/usr/lpp/ssp/rcmd/bin/rsh <node> date" command.
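For the manual propagation in step 9 (verify a -new-srvtab exists for every node, then transfer it in binary mode), the following shell functions give a repeatable check that a practitioner can run on the CW before and after the FTP. This is an added example, not part of the IBM 4FAX document or of PSSP; it assumes setup_server names the files /tftpboot/<hostname>-new-srvtab (the page shows only the "-new-srvtab" suffix), and the sample srvtab bytes it writes are constructed stand-ins, not real key material. The checksum comparison is the generally useful part: run srvtab_cksum on the CW and again on the node after the transfer, and the two lines must match.

```shell
#!/bin/sh
# Added example for step 9 (manual propagation); not from the IBM 4FAX
# document.  Assumes setup_server writes one file per node named
# /tftpboot/<hostname>-new-srvtab (assumption: the page shows only the
# "-new-srvtab" suffix).  Each file holds that node's service keys, so a
# copy that arrives damaged (for example after an ASCII-mode FTP transfer
# that rewrites LF as CR LF) leaves the node unable to authenticate.

# check_srvtabs DIR HOST...
# Report every host with no non-empty DIR/<host>-new-srvtab.
# Returns 1 if any file is missing, 0 when all are present.
check_srvtabs() {
    _dir=$1; shift
    _missing=0
    for _host in "$@"; do
        if [ ! -s "$_dir/$_host-new-srvtab" ]; then
            echo "MISSING: $_dir/$_host-new-srvtab" >&2
            _missing=1
        fi
    done
    return $_missing
}

# srvtab_cksum FILE
# Print the POSIX cksum CRC and byte count of FILE (filename dropped so the
# output from the CW and from the node can be compared directly).
srvtab_cksum() {
    cksum "$1" | awk '{ print $1, $2 }'
}

# same_srvtab FILE1 FILE2
# Return 0 when both files have the same CRC and size, 1 otherwise.
same_srvtab() {
    [ "$(srvtab_cksum "$1")" = "$(srvtab_cksum "$2")" ]
}

# make_sample_srvtabs DIR
# Write constructed stand-in srvtab files into DIR so the checks above can be
# exercised offline (the bytes are arbitrary; a real srvtab holds DES keys).
# node1-binary-copy is a faithful copy; node1-ascii-copy has had its LF byte
# expanded to CR LF, which is what an ASCII-mode FTP transfer does.
make_sample_srvtabs() {
    _dir=$1
    printf 'node1.rcmd\001\002\n\003\004' > "$_dir/node1-new-srvtab"
    printf 'node2.rcmd\005\006\n\007\010' > "$_dir/node2-new-srvtab"
    cp "$_dir/node1-new-srvtab" "$_dir/node1-binary-copy"
    printf 'node1.rcmd\001\002\r\n\003\004' > "$_dir/node1-ascii-copy"
}

# demo_srvtab_checks
# Stand-alone run: build the samples in a scratch directory, show a complete
# and an incomplete node list, and show that only the binary copy matches.
demo_srvtab_checks() {
    _tmp=$(mktemp -d) || return 1
    make_sample_srvtabs "$_tmp"
    check_srvtabs "$_tmp" node1 node2 && echo "node1 node2: all srvtabs present"
    check_srvtabs "$_tmp" node1 node3 || echo "node1 node3: at least one srvtab missing"
    echo "CW copy:     $(srvtab_cksum "$_tmp/node1-new-srvtab")"
    echo "binary copy: $(srvtab_cksum "$_tmp/node1-binary-copy")"
    echo "ascii copy:  $(srvtab_cksum "$_tmp/node1-ascii-copy")"
    same_srvtab "$_tmp/node1-new-srvtab" "$_tmp/node1-binary-copy" && echo "binary copy intact"
    same_srvtab "$_tmp/node1-new-srvtab" "$_tmp/node1-ascii-copy" || echo "ascii copy corrupted: re-transfer in binary mode"
    rm -rf "$_tmp"
}

demo_srvtab_checks
```

On a real CW, call check_srvtabs with /tftpboot and the node hostnames from the SDR, record srvtab_cksum for each file, and after the FTP compare against cksum of /etc/krb-srvtab on the node; a size that grew by the number of LF bytes in the file is the signature of an ASCII-mode transfer.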
END OF DOCUMENT (rebuild.kerberos.sp, 4FAX 1073)