Purpose
ifconfig - Configures or displays network interface parameters for a network using TCP/IP.
Syntax
Flags
None.
Operands
Include a numeral after the abbreviation to identify the specific interface (for example, tr0).
The mask variable includes both the network part of the local address and the subnet part, which is taken from the host field of the address. The mask can be specified as a single hexadecimal number beginning with 0x, in standard Internet dotted decimal notation, or beginning with a name or alias that is listed in the /etc/networks file.
The mask contains 1's (ones) for the bit positions in the 32-bit address that are reserved for the network and subnet parts, and 0's (zeros) for the bit positions that specify the host. The mask should contain at least the standard network portion, and the subnet segment should be contiguous with the network segment.
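The following is an added example, not code from the PSSP reference: it parses a netmask in the three forms described above (0x-prefixed hex, dotted decimal, or a name from /etc/networks, for which a constructed lookup table stands in) and checks the two stated rules, that the mask is a contiguous run of ones and that it covers at least the standard classful network portion of the interface address.

```python
# Added example, not from the PSSP reference.  Parses an ifconfig-style netmask and
# checks it the way the reference describes: contiguous ones followed by zeros, and
# at least the standard (class A/B/C) network portion of the address covered.
import ipaddress

# Constructed stand-in for an /etc/networks lookup; an assumption, not a real file.
NETWORKS_FILE = {"labnet": 0xFFFFFF00}


def parse_netmask(text, networks=NETWORKS_FILE):
    """Return the mask as a 32-bit integer from hex, dotted decimal or a networks name."""
    text = text.strip()
    if text.lower().startswith("0x"):
        value = int(text, 16)
    elif text.replace(".", "").isdigit():
        value = int(ipaddress.IPv4Address(text))
    elif text in networks:
        value = networks[text]
    else:
        raise ValueError("unrecognised netmask form: %r" % text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("netmask does not fit in 32 bits: %r" % text)
    return value


def prefix_length(mask):
    """Length of the contiguous run of ones; raises if the mask has a hole in it."""
    # The complement of a contiguous mask has the form 2**k - 1, so adding one
    # to it clears every set bit.
    host_bits = (~mask) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError("netmask 0x%08x is not contiguous" % mask)
    return 32 - host_bits.bit_length()


def classful_prefix(address):
    """Standard network portion for a class A, B or C address."""
    first = int(ipaddress.IPv4Address(address)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("%s is not a class A, B or C address" % address)


def check_interface_mask(address, mask_text):
    """Validate a mask for an address; returns the prefix length if acceptable."""
    mask = parse_netmask(mask_text)
    plen = prefix_length(mask)
    need = classful_prefix(address)
    if plen < need:
        raise ValueError("mask /%d does not cover the class network /%d of %s"
                         % (plen, need, address))
    return plen


def is_valid_mask(address, mask_text):
    """Boolean form of check_interface_mask for quick checks."""
    try:
        check_interface_mask(address, mask_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The css0 example from the reference: class A address with a /24 subnet mask.
    print(check_interface_mask("127.0.0.1", "255.255.255.0"))
```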
Description
The ifconfig command has been modified to add support for the switch. This command is valid only on an SP system.
The ifconfig command can be used from the command line either to assign an address to a network interface, or to configure or display the current network interface configuration information. The ifconfig command must be used at system start up to define the network address of each interface present on a machine. It can also be used at a later time to redefine an interface's address or other operating parameters. The network interface configuration is held on the running system and must be reset at each system restart.
An interface can receive transmissions in differing protocols, each of which may require separate naming schemes. It is necessary to specify the address_family parameter, which can change the interpretation of the remaining parameters. The address families currently supported are inet and ns.
For the DARPA Internet family, inet, the address is either a host name present in the host name database, that is, the /etc/hosts file, or a DARPA Internet address expressed in the Internet standard dotted decimal notation.
For the Xerox Network Systems (XNS) family, ns, addresses are net:a.b.c.d.e.f., where net is the assigned network number (in decimal), and each of the six bytes of the host number, a through f, are specified in hexadecimal. The host number can be omitted on 10-Mbps Ethernet interfaces, which use the hardware physical address, and on interfaces other than the first interface.
While any user can query the status of a network interface, only a user who has administrative authority can modify the configuration of those interfaces.
Related Information
AIX commands: netstat
AIX files: /etc/hosts, /etc/networks
Refer to PSSP: Administration Guide for additional information on the SP Switch.
Refer to AIX System Management Guide: Communications and Networks for additional information on TCP/IP protocols.
Refer to AIX General Programming Concepts: Writing and Debugging Programs for an overview on Xerox Network Systems (XNS).
Location
/usr/lpp/ssp/css/ifconfig
Examples
The following are examples using the ifconfig command on a TCP/IP network and an XNS network, respectively:
Inet Examples
ifconfig sl1
In this example, the interface to be queried is sl1. The result of the command looks similar to the following:
sl1: flags=51<UP,POINTOPOINT,RUNNING> inet 192.9.201.3 --> 192.9.354.7 netmask ffffff00
ifconfig lo0 inet 127.0.0.1 up
ifconfig tr0 inet down
In this example, the token-ring interface tr0 is marked down.
ifconfig css0 inet 127.0.0.1 netmask 255.255.255.0 alias
XNS Examples
ifconfig en0 ns 110:02.60.8c.2c.a4.98 up
In this example, ns is the XNS address family, 110 is the network number and 02.60.8c.2c.a4.98 is the host number, which is the Ethernet address unique to each individual interface. Specify the host number when there are multiple Ethernet hardware interfaces, as the default may not correspond to the proper interface. The Ethernet address can be obtained by the commands:
ifconfig en0
netstat -v
The XNS address can be represented by several means, as can be seen in the following examples:
123#9.89.3c.90.45.56
5-124#123-456-900-455-749
0x45:0x9893c9045569:90
0456:9893c9045569H
The first example is in decimal format, and the second example, using minus signs, is separated into groups of three digits each. The 0x and H examples are in hexadecimal format. Finally, the 0 in front of the last example indicates that the number is in octal format.
ifconfig et0 ns 120:02.60.8c.2c.a4.98 up
The en0 and et0 interfaces are considered as separate interfaces even though the same Ethernet adapter is used. Two separate networks can be defined and used at the same time as long as they have separate network numbers. Multiple Ethernet adapters are supported.
ifconfig en0 inet 11.0.0.1 up
ifconfig en0 ns 110:02.60.8c.2c.a4.98 up
ifconfig en0 ns 130:02.60.8c.34.56.78 ipdst 11.0.0.10
The first command brings up the Internet with the inet address 11.0.0.1. The second command configures the en0 interface to be network 110 and host number 02.60.8c.2c.a4.98 in the ns address family. This defines the host number for use when the XNS packet is encapsulated within the Internet packet. The last command defines network 130, host number 02.60.8c.34.56.78, and destination Internet address 11.0.0.10. This last entry creates a new network interface, nsip. Use the netstat -i command for information about this interface.
Purpose
install_cw - Completes the installation of system support programs in the control workstation.
Syntax
install_cw
Flags
None.
Operands
None.
Description
Use this command at installation to perform the following tasks:
Security
You must have root privilege to run this command. You must also have SDR administrator and write access to run this command.
Location
/usr/lpp/ssp/bin/install_cw
Examples
To complete system support programs installation on the control workstation, enter:
install_cw
Purpose
install_hacws - Creates and configures a High Availability Control Workstation (HACWS) configuration from a regular control workstation configuration.
Syntax
install_hacws -p host_name -b host_name [-s]
Flags
Operands
None.
Description
Use this command to perform configuration and installation tasks on HACWS. This command is used instead of install_cw once the configuration has been made an HACWS configuration. This command is valid only when issued on the control workstation. When the command is executed and the calling process is not on a control workstation, an error occurs.
Both the primary and backup control workstations must be running and capable of executing remote commands.
Exit Values
Standard output consists of messages indicating the progress of the command as it configures the control workstations.
Security
You must have root privilege to run this command. You must also have SDR administrator and write access to run this command.
Restricted Root Access
As of PSSP 3.2, you have the option of running your SP system with an enhanced level of security. With the restricted root access (RRA) option enabled, PSSP does not internally issue rsh and rcp commands as a root user from a node. Also, PSSP does not automatically grant authorization for a root user to issue rsh and rcp commands from a node. If you enable this option, some procedures might not work as documented. For example, to run HACMP, an administrator must grant the authorizations for a root user to issue rsh and rcp commands that PSSP otherwise grants automatically. See the "Planning for security" chapter in IBM RS/6000 SP: Planning, Volume 2, Control Workstation and Software Environment for a description of this function and a complete list of limitations.
Prerequisite Information
Refer to PSSP: Administration Guide for information on the HACWS option.
Location
/usr/sbin/hacws/install_hacws
Related Information
PSSP commands: install_cw, setup_logd
AIX commands: rsh
Examples
install_hacws -p primary_cw -b backup_cw -s
On the primary control workstation, enter:
install_hacws -p primary_cw -b backup_cw
After the preceding command completes on the primary control workstation, enter the following on the backup control workstation:
install_hacws -p primary_cw -b backup_cw
Purpose
kadmin - Provides network access to Kerberos Version 4 authentication database administration functions.
Syntax
kadmin [-u admin_name] [-r default_realm] [-m]
Flags
Operands
None.
Description
This command provides an interactive interface to the primary Kerberos Version 4 authentication database. Administrators use kadmin to add new users and services to the database, and to change information about existing database entries. For example, an administrator can use kadmin to change a user's password. An administrator is a user with an admin instance whose name appears in at least one of the authentication administration Access Control Lists (ACLs).
The kadmin program communicates over the network with the kadmind program, which runs on the machine housing the primary authentication database. The kadmind program creates new entries and makes modifications to the database.
When you enter the kadmin command, the program displays a message that welcomes you and explains how to ask for help. Then kadmin waits for you to enter commands. After you enter a command, you are prompted to enter your admin password. If the -m option is used, you are prompted for your admin password only for the first command entered. You do not need to issue the k4init command prior to running this command because the necessary tickets are obtained automatically.
When using the kadmin command, the principal's expiration date and maximum ticket lifetime are set to the default values. To override the defaults, the root user must run the kdb_edit command to modify those attributes.
Use the add_new_key (or ank for short) command to add a new principal to the authentication database. The command requires the principal identifier as an argument. The identifier given can be fully qualified using the standard name.instance@realm convention. You are asked to enter your admin password and are then prompted twice to enter the principal's new password. If a realm is not specified, the local realm is used unless another was given on the command line with the -r flag. If no instance is specified, a null instance is used. If a realm other than the default realm is specified, you need to supply your admin password for the specified realm.
Use change_password to change a principal's password. The command requires the principal identifier as an argument. You are asked to enter your admin password and are then prompted twice to enter the principal's new password. The identifier given can be fully qualified using the standard name.instance@realm convention.
Use the change_admin_password to change your admin instance password. This command requires no arguments. It prompts you for your old admin password, then prompts you twice to enter the new admin password. If this is your first command, the default realm is used. Otherwise, the realm used in the last command is used.
Use destroy_tickets to destroy any admin tickets obtained by the kadmin command.
Use list_requests to get a list of possible commands.
Use help to display various kadmin help messages. If entered without an argument, help displays a general help message. You can get detailed information on specific kadmin commands by entering help command_name.
To quit the program, type quit.
To invoke a shell command, precede the command with an exclamation point.
Files
Location
/usr/kerberos/bin/kadmin
Related Information
Commands: add_principal, kadmind, kpasswd, ksrvutil
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
The following contains an example of adding a user. To add a user, enter:
kadmin
Welcome to the Kerberos Administration Program, version 4
Type "help" if you need it.
admin: help
Welcome to the Kerberos administration program. Type "?" to get a list of requests that are available.
You can get help on each of the commands by typing "help command_name".
Some functions of this program requires an "admin" password from you. This is a password private to you, that is used to authenticate requests from this program.
You can change this password with the "change_admin_password" (or short form "cap") command.
Good Luck!
admin: ?
Available admin requests:

change_password, cpw         Change a user's password
change_admin_password, cap   Change your admin password
add_new_key, ank             Add new user to kerberos database
get_entry, get               Get entry from kerberos database
destroy_tickets, dest        Destroy admin tickets
help                         Request help with this program
list_requests, lr, ?         List available requests.
quit, exit, q                Exit program.
admin: ank mroz
Admin password:
Password for mroz:
Verifying, please re-enter Password for mroz:
mroz added to database.
admin: q
Cleaning up and exiting.
Purpose
kadmind - Contains the daemon for Kerberos Version 4 authentication database administration.
Syntax
kadmind [-h] [-n] [-r realm] [-d db_name] [-f file_name] [ -a acldir]
Flags
Operands
None.
Description
The kadmind daemon is the Kerberos Version 4 authentication database server for the password-changing and administration tools. It uses the master key for authorization.
The kadmind daemon listens for requests on the kerberos_master/tcp port. If this port is not defined in the /etc/services file, it uses port 751.
When performing requests on behalf of clients, kadmind checks access control lists (ACLs) to determine the authorization of the client to perform the requested action. Currently three distinct access types are supported:
Principals are always granted authorization to change their own password.
Files
Location
/usr/lpp/ssp/kerberos/etc/kadmind
Related Information
Commands: add_principal, kadmin, kpasswd
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
To see how kadmind is started, display the subsystem definition by issuing:
odmget -q subsysname=kadmind SRCsubsys
Output will resemble:
SRCsubsys:
        subsysname = "kadmind"
        synonym = ""
        cmdargs = "-n"
        path = "/usr/lpp/ssp/kerberos/etc/kadmind"
        uid = 0
        auditid = 0
        standin = "/dev/null"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 15
        sigforce = 15
        display = 1
        waittime = 20
        grpname = ""
Purpose
kdb_destroy - Destroys the Kerberos Version 4 authentication database.
Syntax
kdb_destroy
Flags
None.
Operands
None.
Description
The kdb_destroy command removes the Kerberos Version 4 authentication database.
You first must reply y or Y to a prompt to confirm the request, or kdb_destroy exits without removing the database files.
This command can only be issued on the system on which the authentication database resides.
Files
Security
You must have root privilege to run this command.
Location
/usr/lpp/ssp/kerberos/etc/kdb_destroy
Related Information
Commands: kdb_init
Examples
To destroy the Kerberos Version 4 authentication database, enter:
kdb_destroy
Purpose
kdb_edit - Edits the Kerberos Version 4 authentication database.
Syntax
kdb_edit [-n]
Flags
Operands
None.
Description
The kdb_edit command is used to create or change principals in the Kerberos Version 4 authentication database. It uses the master key for authorization.
After the master key is verified, kdb_edit begins a prompt loop. The user is prompted for the principal name and instance to be modified. If the entry is not found, the user can create it. After an entry is found or created, the user can set the password, expiration date, maximum ticket lifetime, and attributes. Default expiration dates, maximum ticket lifetimes, and attributes are presented in brackets. If the user presses return, the default is selected. There is no default password. The password RANDOM is interpreted specially, and if entered, the program selects a random key for the principal.
You should use random key generation only if you use the kdb_edit command to replace a deleted service principal (for example, rcmd.host_name).
If you enter a ticket lifetime value, it must be a number between 0 and 255. The actual maximum lifetime value that you choose will be between five minutes and 30 days. Refer to PSSP: Administration Guide for a complete list of the possible Kerberos Version 4 ticket lifetime values you can enter and the corresponding durations in days, hours, and minutes. The following list shows a representative sample with approximate durations:
Response to kdb_edit    Approximate Duration
141                     1 day
151                     2 days
170                     1 week
180                     2 weeks
191                     1 month
After the entry has been created or changed, "Edit O.K." is printed.
Files
Security
You must have root privilege to run this command.
Location
/usr/lpp/ssp/kerberos/etc/kdb_edit
Related Information
Commands: kadmin, kdb_init
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
To add a service from host mroz, enter:
kdb_edit -n
Opening database...
Previous or default values are in [brackets], enter return to leave the same, or new value.
Principal name: rcmd
Instance: mroz
<Not found>, Create [y] ? Y
Principal: rcmd, Instance: mroz, kdc_key_ver: 1
New Password:
Verifying, please re-enter
New Password:
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [1999-12-31] ?
Max ticket lifetime [255] ?
Attributes [0] ?
Edit O.K.
The program then re-prompts for another principal:
Principal name:
The program exits when no principal name is entered.
Purpose
kdb_init - Initializes the Kerberos Version 4 authentication database.
Attention
This command is normally used internally by the setup_authent script, and should not be needed otherwise.
Syntax
kdb_init [realm]
Flags
None.
Operands
Description
Use this command to initialize the Kerberos Version 4 authentication database, creating the necessary initial system principals.
After determining the realm to be created, the command prompts for a master key password. The user should choose a nontrivial, not easily-guessable password. The user must remember this password because it is used for other commands. The master key password is used to encrypt every encryption key stored in the database.
Files
Security
You must have root privilege to run this command.
Location
/usr/lpp/ssp/kerberos/etc/kdb_init
Related Information
Commands: kdb_destroy, kdb_edit, kdb_util
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
To initialize a Kerberos Version 4 database for realm "ABC.ORG", enter:
kdb_init ABC.ORG
Purpose
kdb_util - The utility program for managing the Kerberos Version 4 authentication database.
Syntax
kdb_util operation file_name
Flags
None.
Operands
Description
The kdb_util command allows the user to perform various utility operations on the Kerberos Version 4 authentication database.
Files
Security
You must have root privilege to run this command.
Location
/usr/lpp/ssp/kerberos/etc/kdb_util
Related Information
Commands: kdb_init, kprop, kpropd
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
To dump the contents of the Kerberos Version 4 database in readable ASCII, enter:
kdb_util dump /tmp/KerbDump
Purpose
k4destroy - Destroys Kerberos Version 4 authentication tickets.
Syntax
k4destroy [-f] [-q]
Flags
Operands
None.
Description
IBM strongly suggests using the k4destroy form. DCE includes the kdestroy command, so using kdestroy instead of k4destroy may produce unexpected results if DCE is installed.
The k4destroy command destroys the user's Kerberos Version 4 authentication tickets. The command writes zeros to the user's current ticket cache file and then removes the file from the file system. If the file does not exist or if an error occurs, a message is displayed. The current ticket file is determined by the KRBTKFILE environment variable. If the KRBTKFILE environment variable is undefined, the current ticket file is /tmp/tktuid, where uid specifies your user identification number. If k4destroy cannot destroy the ticket file, the command warns you by making your terminal beep. You can place the k4destroy command in your .logout file (C shell only) so that your tickets are destroyed automatically when you log out.
Files
Location
/usr/bin/k4destroy
/usr/lpp/ssp/kerberos/bin/kdestroy
Related Information
Commands: k4init, k4list
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
This example shows destroying cached Kerberos Version 4 tickets:
$k4destroy
Tickets destroyed.
Purpose
kerberos - The Kerberos Version 4 authentication ticket-granting service daemon.
Syntax
Flags
Operands
Description
kerberos is the daemon program that provides the Authentication Service and the Ticket Granting Service to client programs that want to obtain tickets for authenticated services.
The kerberos daemon listens for requests on the kerberos4/udp port. If this port is not defined in the /etc/services file, it uses port 750.
When you start the server (normally from init), you can specify a maximum age for the database files. This can be used to ensure that you do not start a secondary server with out-of-date information. This could occur in a situation where a secondary server system was down when a database update was scheduled.
Files
Location
/usr/lpp/ssp/kerberos/etc/kerberos
Related Information
Commands: kdb_init, kprop, kpropd
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
To see how kerberos is started, display the subsystem definition by issuing:
odmget -q subsysname=kerberos SRCsubsys
Output should resemble:
SRCsubsys:
        subsysname = "kerberos"
        synonym = ""
        cmdargs = ""
        path = "/usr/lpp/ssp/kerberos/etc/kerberos"
        uid = 0
        auditid = 0
        standin = "/dev/null"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 15
        sigforce = 15
        display = 1
        waittime = 20
        grpname = ""
Purpose
kfserver - Sends keyfiles to requesting node over the s1term.
Syntax
kfserver
Flags
None.
Operands
None.
Description
The kfserver script is run from inetd.conf upon request from a node for its Kerberos V4 srvtab file. When the client connects to the server, kfserver queries the socket for the node's IP address requesting its srvtab file. kfserver locates the srvtab file and sends it over the s1term in write mode.
Files
The log file /var/adm/SPlogs/kfserver/kfserver.log.pid is created.
Exit Values
If this command fails at any point, the keyfile is not transferred.
Security
You must have root privilege to run this command.
Restrictions
This command runs only on the control workstation. This command is not intended to be run manually; it requires a socket opened to it.
This command uses the s1term in write mode. Only one s1term session in write mode is allowed per node at a time.
Location
/usr/lpp/ssp/install/bin/kfserver
Purpose
k4init - Obtains a Kerberos Version 4 authentication ticket.
Syntax
k4init [-i] [-l] [-r] [-v] [name]
Flags
Operands
Description
IBM strongly suggests using the k4init form. DCE includes the kinit command, so using kinit instead of k4init may produce unexpected results if DCE is installed.
The k4init command is used to authenticate the user's identity to the SP authentication service. All previous tickets are discarded.
When you use the k4init command without options, it prompts for your principal name and password, and tries to authenticate your identity within the local realm. If the specified principal name and password are correct, k4init retrieves your initial ticket and puts it in the ticket file specified by your KRBTKFILE environment variable. If the KRBTKFILE variable is undefined, your ticket is stored in the /tmp/tktuid file, where uid specifies your user identification number.
If you specify the -l flag, the command prompts you to enter a ticket lifetime, in minutes. The lifetime you receive will differ somewhat from the value you enter, because lifetimes are set to one of a discrete set of values ranging from five minutes to 30 days. k4init rounds the value you enter up to the next higher limit, and applies the maximum that is defined for your Kerberos principal. If you enter a value higher than your allowed limit, k4init does not indicate an error, but simply assigns your maximum lifetime in the ticket it creates. Refer to PSSP: Administration Guide for the complete list of maximum lifetime values that the administrator can set. The following list shows a representative sample of lifetimes you can request:
Response to k4init prompt    Approximate duration
1500                         1 day
3000                         2 days
10000                        1 week
20000                        2 weeks
43000                        1 month
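The following is an added example, not code from the PSSP reference or from IBM, covering both the kdb_edit lifetime codes listed earlier and the k4init rounding described here. It assumes PSSP uses the MIT Kerberos Version 4 extended-lifetime encoding (codes 1 to 127 count 5-minute units; codes 128 to 191 grow geometrically from 10 hours 40 minutes to 30 days; 255 means no expiration), which reproduces both tables on this page.

```python
# Added example, not from the PSSP reference.  Models the Kerberos Version 4 ticket
# lifetime codes that kdb_edit stores for a principal and the rounding k4init applies
# to a requested lifetime in minutes.  Assumption: the MIT Kerberos V4 extended-lifetime
# scheme is in use; the real implementation uses a precomputed table, so the geometric
# formula below can differ from it by a few seconds.
MINUTE = 60
DAY = 24 * 3600

GRANULARITY = 5 * MINUTE      # codes below 128 count 5-minute units
LONG_BASE_CODE = 128          # first code of the extended range
LONG_BASE_SECONDS = 38400     # 10 h 40 min, the lifetime of code 128
LONG_FACTOR = 1.06914489      # each further code multiplies the lifetime by this
LONG_MAX_CODE = 191           # about 30 days
MAX_LIFETIME = 30 * DAY
NO_EXPIRE_CODE = 255          # kdb_edit's default "Max ticket lifetime [255]"


def lifetime_seconds(code):
    """Approximate lifetime in seconds for a lifetime code; None means never expires."""
    if not 0 <= code <= 255:
        raise ValueError("lifetime code must be between 0 and 255")
    if code == NO_EXPIRE_CODE:
        return None
    if code < LONG_BASE_CODE:
        return code * GRANULARITY
    if code > LONG_MAX_CODE:
        return MAX_LIFETIME              # 192-254 are clamped to 30 days (assumption)
    raw = LONG_BASE_SECONDS * LONG_FACTOR ** (code - LONG_BASE_CODE)
    return min(MAX_LIFETIME, round(raw))


def code_for_minutes(minutes):
    """Smallest code whose lifetime covers the request: k4init rounds up, as described."""
    wanted = minutes * MINUTE
    for code in range(1, LONG_MAX_CODE + 1):
        if lifetime_seconds(code) >= wanted:
            return code
    return LONG_MAX_CODE                 # more than 30 days asked for: silently capped


def granted_code(requested_minutes, principal_max_code):
    """Code k4init places in the ticket: the rounded request, capped by the principal's
    maximum set with kdb_edit, with no error reported when the cap applies."""
    code = code_for_minutes(requested_minutes)
    if principal_max_code == NO_EXPIRE_CODE:
        return code
    return min(code, principal_max_code)


def describe(code):
    """Duration in days, for comparison with the tables in the reference."""
    secs = lifetime_seconds(code)
    return "never expires" if secs is None else "%.1f days" % (secs / DAY)


if __name__ == "__main__":
    for c in (141, 151, 170, 180, 191):             # the kdb_edit table
        print("kdb_edit %d -> %s" % (c, describe(c)))
    for m in (1500, 3000, 10000, 20000, 43000):     # the k4init table
        g = granted_code(m, NO_EXPIRE_CODE)
        print("k4init %d min -> code %d, %s" % (m, g, describe(g)))
```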
Depending on your security policy, you may want to use the k4destroy command to destroy any active tickets before you end your login session. You can place the k4destroy command in your .logout file (C shell only) so that your tickets are destroyed automatically when you logout.
The KRBTKFILE environment variable is used to specify the ticket cache file used by k4init to store authentication tickets.
Files
Location
/usr/bin/k4init
/usr/lpp/ssp/kerberos/bin/kinit
Related Information
Commands: k4destroy, k4list
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Examples
This example shows logging into Kerberos Version 4 as the principal "richard":
$k4init richard
kerberos Initialization for "richard"
Password:
$
Purpose
k4list - Lists currently held Kerberos Version 4 authentication tickets.
Syntax
k4list [-s | -t] [-file name] [-srvtab]
Flags
Operands
None.
Description
IBM strongly suggests using the k4list form. DCE includes the klist command, so using klist instead of k4list may produce unexpected results if DCE is installed.
The k4list command prints the principal name and the name of the file containing the user's tickets. It also lists the principal name, issue time, and expiration time for each service ticket held by the user. Principal names are listed in the form name.instance@realm. The period (.) is omitted if the instance is null and the at sign (@) is omitted if the realm is null.
Files
Location
/usr/bin/k4list
/usr/lpp/ssp/kerberos/bin/klist
Related Information
Commands: k4destroy, kerberos, k4init
Examples
# k4list
Ticket file: /tmp/tkt0
Principal: root.admin@XYZ.ABC.COM

Issued           Expires          Principal
Nov 12 16:26:11  Dec 12 16:26:11  krbtgt.XYZ.ABC.COM@XYZ.ABC.COM
Nov 12 16:26:46  Dec 12 16:26:46  hardmon.cwksta@XYZ.ABC.COM
Nov 12 16:45:15  Dec 12 16:45:15  rcmd.cwksta@XYZ.ABC.COM
#
The second line shows the Kerberos principal acting as client, to whom the tickets belong. This is the user principal you supplied to the k4init command, or the rcmd.instance service principal used by rcmdtgt. The list of tickets always begins with the ticket-granting-ticket. The others are service tickets; in this case for the System Monitor service on the control workstation (hardmon) and the SP Remote Command service also on the control workstation (rcmd).
# k4list -srvtab
Server key file: /etc/krb-srvtab
Service      Instance     Realm            Key Version
------------------------------------------------------
rcmd         node3fi      XYZ.ABC.COM      1
rcmd         node3tr      XYZ.ABC.COM      1
rcmd         node3sw      XYZ.ABC.COM      1
rcmd         node3en      XYZ.ABC.COM      1
#
You can determine the versions of service keys in the authentication database by locating the entry for the target service principal in a dump of the SP authentication database. If you have secondary authentication servers, or if you use the procedure for backing up your database that IBM suggests using in PSSP: Administration Guide, the database dump can be found in file /var/kerberos/database/slavesave on the primary server host.
Purpose
kpasswd - Changes the Kerberos Version 4 principal's password.
Syntax
kpasswd [-h] [-n user] [-i instance] [-r realm] [-u full_name]
Flags
Operands
None.
Description
The kpasswd command changes a principal's password.
It prompts for the principal's current password. If the old password is correct, the user is prompted twice for a new password. A message is printed indicating whether or not the password changing operation was successful.
Location
/usr/kerberos/bin/kpasswd
Related Information
Commands: kadmin, k4init, passwd
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Purpose
kprop - The network utility to propagate the Kerberos Version 4 authentication database to secondary servers.
Syntax
kprop [-force] [-realm realm_name] data_file hosts_file
Flags
Operands
Description
The kprop command reads a list of secondary host names and connects to each one in turn using the kprop service provided by the kpropd program. The data_file (the Kerberos Version 4 authentication database) is transferred if it has been modified since it was last sent successfully.
Files
Security
You must have root privilege to run this command.
Location
/usr/lpp/ssp/kerberos/etc/kprop
Related Information
Commands: kdb_util, kerberos, kpropd
Examples
To force propagation from the primary server to a backup, enter:
rm /var/kerberos/database/slavesave.dump_ok
kdb_util slave_dump /var/kerberos/database/slavesave
kprop /var/kerberos/database/slavesave /var/kerberos/database/slavelist
Purpose
kpropd - The daemon that receives updates for a secondary Kerberos Version 4 authentication database.
Syntax
kpropd [-r realm] [-s srvtab] [-l log_file] [ -d database_name] file_name
Flags
Operands
Description
kpropd runs as a daemon on secondary Kerberos Version 4 authentication database server hosts, listening for a TCP connection on the krb_prop service.
The kpropd daemon listens for requests on the krb_prop/tcp port. If this port is not defined in the /etc/services file, it uses port 754. It validates the connection, which must be from an administrative host as defined in the krb.conf file for the local realm. The service name used for mutual authentication is rcmd.
Files
Location
/usr/lpp/ssp/kerberos/etc/kpropd
Related Information
Commands: kdb_util, kerberos, kprop
Examples
To see how kpropd is started, display the subsystem definition by issuing:
odmget -q subsysname=kpropd SRCsubsys
Output should resemble:
SRCsubsys:
        subsysname = "kpropd"
        synonym = ""
        cmdargs = "/var/kerberos/database/slavesave"
        path = "/usr/lpp/ssp/kerberos/etc/kpropd"
        uid = 0
        auditid = 0
        standin = "/dev/null"
        standout = "/dev/console"
        standerr = "/dev/console"
        action = 1
        multi = 0
        contact = 2
        svrkey = 0
        svrmtype = 0
        priority = 20
        signorm = 15
        sigforce = 15
        display = 1
        waittime = 20
        grpname = ""
Purpose
ksrvtgt - Obtains a Kerberos Version 4 authentication ticket with a maximum allowed lifetime.
Syntax
ksrvtgt name instance [[ realm] srvtab]
Flags
None.
Operands
Description
The ksrvtgt command retrieves a Kerberos Version 4 authentication ticket with the maximum allowed lifetime, decrypts the response using the service key found in the service key file, and stores the ticket in the ticket cache file. When using SP authentication services, these tickets have an unlimited lifetime.
This command is intended primarily for use in shell scripts and other batch-type facilities.
The KRBTKFILE environment variable is used to specify the ticket cache file used by ksrvtgt to store authentication tickets.
If Kerberos Version 4 is not an active authentication method for AIX remote commands, and Compatibility is not an active authentication method for SP trusted services, this command performs no function but returns successfully.
Environment Variables
Files
Standard Error
Output consists of error messages, when the command cannot complete successfully.
Exit Values
Security
The ksrvtgt command can be run by any user who owns a service key file.
Location
/usr/kerberos/bin/ksrvtgt
Related Information
Commands: ksrvutil, k4destroy, k4init
Refer to the "RS/6000 SP files and other technical information" section of PSSP: Command and Technical Reference for additional Kerberos information.
Purpose
ksrvutil - Manipulates a server Kerberos Version 4 key file.
Syntax
ksrvutil [-afs | -krb] [-k ] [ -i] [-f file_name] operation
Flags
If neither -afs nor -krb are specified, the value of the System Data Repository (SDR) authent_server attribute is used. If the value of the SDR authent_server attribute cannot be obtained, the default is -krb.
Operands
Description
The ksrvutil command allows an administrator to list or change keys currently in the key file or to add new keys to the key file.
The ksrvutil command always backs up the key file before making any changes. If ksrvutil is unsuccessful during a change or add operation, you can recover a usable key file by appending the work file containing the new and changed keys, file_name.work, to the backup copy of the original, file_name.old, and replacing the key file file_name with the result, for example:
cat /etc/krb-srvtab.old /etc/krb-srvtab.work >/etc/krb-srvtab
The recovered key file can be used, but it may contain some out-of-date keys.
Files
Security
You must have root privilege to run this command.
Location
/usr/kerberos/bin/ksrvutil
Related Information
Commands: kadmin, ksrvtgt, rcmdtgt
Purpose
kstash - Saves the system's Kerberos Version 4 authentication master key.
Syntax
kstash
Flags
None.
Operands
None.
Description
The kstash command saves the system's Kerberos Version 4 authentication database master key in the master key cache file. The user is prompted to enter the master key (the same one as specified to kdb_init) to verify the authenticity of the key and authorize caching it.
Files
Security
You must have root privilege to run this command.
Related Information
Command: kdb_init