IBM Books

Installation and Migration Guide

Task C. Update Kerberos V4 SP authentication services on the backup control workstation

This section describes the steps you take to update Kerberos V4 on the backup control workstation.

Step 12: Configure the backup control workstation as a secondary Kerberos V4 authentication server or client

If the primary control workstation is either a primary or secondary Kerberos V4 authentication server, then the backup control workstation must be configured as a secondary authentication server. If the primary control workstation is an authentication client, the backup control workstation must also be configured as an authentication client.

Follow the instructions in Step 12.1: Initializing as a secondary Kerberos V4 authentication server or in Step 12.2: Initializing as an authentication client system to configure the backup control workstation as either a secondary authentication server or as an authentication client.

Step 12.1: Initializing as a secondary Kerberos V4 authentication server

Note:
If you perform this step, do not perform Step 12.2: Initializing as an authentication client system.

The following example illustrates the procedure you should follow to initialize the backup control workstation as a secondary authentication server.

  1. Copy the /etc/krb.conf file from the primary authentication server to the backup control workstation.
  2. Add a line to the /etc/krb.conf file on both control workstations, listing the backup control workstation (by its full host name) as a secondary server for the local authentication realm.

    For example, to add sp2cw.xyz.com as a secondary server for the authentication realm XYZ.COM, add this line to /etc/krb.conf:

    XYZ.COM sp2cw.xyz.com

  3. Copy the /etc/krb.realms file from the primary server to the backup control workstation.
  4. On the backup control workstation, run the setup_authent program.

    setup_authent requires you to login to the authentication service using the same administrative principal name that was defined when the primary server was set up. The remainder of the initialization of authentication services on this secondary local system takes place automatically.

    The following example shows the interaction you can expect when you run setup_authent when initializing as a secondary authentication server. 

    #setup_authent
<screenclear>
************************************************************************
Logging into Kerberos as an admin user
 
 You must assume the role of a Kerberos administrator <user> to
 complete the initialization of Kerberos on the local system. The k4init
 command is invoked and will prompt you for the password. If you are
 setting up your primary server here, you have just defined it. If you
 have defined multiple administrative principals, or if your primary
 authentication server is on another system, you must first enter the
 name of an administrative principal who has root privilege (UID 0). You
 need to be authenticated as this administrator so that this program
 can create the principals and service key files for the authenticated
 services that run on the SP system.
 
 For more information, see the k4init man page.
************************************************************************
 
setup_authent: Enter name of admin user: root
 
Kerberos Initialization for "root.admin"
 
Password: rootPassword sp2cw.xyz.com: success.
 
sp2cw.xyz.com:       Succeeded
#
    Note:
    The last two messages shown in the example above are issued by the programs that transfer the database from primary to secondary servers, to indicate that the backup database has been installed. 
    # k4list
Ticket file:    /tmp/tkt0
Principal:  root.admin@XYZ.COM
 
Issued           Expires          Principal
Nov 11 16:26:11  Dec 12 16:26:11  krbtgt.XYZ.COM@XYZ.COM
#
<end_of_example>
  5. After setup_authent completes, add an entry for the secondary authentication server to the /etc/krb.conf file on all SP nodes on which you have already initialized authentication.
  6. If this is the first secondary authentication server, you should create a root crontab entry on the primary authentication server that invokes the script /usr/kerberos/etc/push-kprop. This periodically propagates database changes from the primary to the secondary authentication server.

Step 12.2: Initializing as an authentication client system

Note:
If you perform this step, do not perform Step 12.1: Initializing as a secondary Kerberos V4 authentication server.

The following example illustrates the procedure you should follow to initialize the backup control workstation as an authentication client.

  1. Copy the /etc/krb.conf file from the primary authentication server to this system (the backup control workstation).
  2. Copy the /etc/krb.realms file from the primary server.
    Note:
    If the new workstation is outside the realm of the primary server, you must add this new workstation to the /etc/krb.realms file on the primary server before you copy the /etc/krb.realms file from the primary server to the new workstation. Otherwise, the next step will fail.
  3. Run the setup_authent program.

    setup_authent requires you to login to the authentication service using the same administrative principal name that was defined when the primary server was set up. The remainder of the initialization of authentication services on the local system takes place automatically.

  4. The root .klogin file on a client workstation contains just the administrative principal name you used to install authentication. You may want to edit the .klogin file to add other principals in your configuration.
  5. Enter the /usr/lpp/ssp/kerberos/bin/k4list command to make sure a ticket exists for the account.

The following example shows the interaction you can expect when you run setup_authent when initializing as an authentication client system.

Note:
The initial warning message shown in the example is issued if you have installed the ssp.authent option on a system configured as a client rather than a server. 
#setup_authent
<screenclear>
************************************************************************
Logging into Kerberos as an admin user
 
You must assume the role of a Kerberos administrator <user>.admin to
complete the initialization of Kerberos on the local system. The k4init
command is invoked and will prompt you for the password. If you are
setting up your primary server here, you have just defined it. If you
have defined multiple administrative principals, or if your primary
authentication server is on another system, you must first enter the
name of an administrative principal who has root privilege (UID 0). You
need to be authenticated as this administrator so that this program
can create the principals and service key files for the authenticated
services that run on the SP system.
 
For more information, see the k4init man page.
 
************************************************************************
 
setup_authent: Enter name of admin user: root
 
Kerberos Initialization for "root.admin"
 
Password: rootPassword
 
# k4list
Ticket file:    /tmp/tkt0
Principal:  root.admin@XYZ.COM
 
Issued           Expires          Principal
Nov 11 16:26:11  Dec 12 16:26:11  krbtgt.XYZ.COM@XYZ.COM
#
 
# <end_of_example>

Step 13: Copy Kerberos V4 keys to the backup control workstation

When control workstation services move back and forth between the two control workstations, the Kerberos V4 service keys must remain the same. The krb_srvtab file should be the same on both the primary and secondary authentication servers.

Enter the following commands on the backup control workstation: 

/usr/lpp/ssp/rcmd/bin/rcp -p <primary_name>:/etc/krb-srvtab \
    /etc/krb-srvtab.primary
cp -p /etc/krb-srvtab /etc/krb-srvtab.backup
cat /etc/krb-srvtab.primary >>/etc/krb-srvtab

Repeat this procedure whenever you change Kerberos V4 service keys on either of the two control workstations.

Step 14: Verify Kerberos V4 data

Make sure a Kerberos V4 principal and rcmd service key exist for the network address that matches the host name of the backup control workstation.

Run the /usr/lpp/ssp/kerberos/bin/kadmin command on the backup control workstation as follows: 

Welcome to the Kerberos Administration Program, version 2
Type "help" if you need it.

admin: get_entry rcmd.BackupControlWorkstation

Admin password:

Info in Database for rcmd.BackupControlWorkstation: 

Max Life: 255   Exp Date: Fri Apr 28 22:59:59 2000
 
Attribs: 00  key: 0 0
admin:  q
Cleaning up and exiting.
 
# <end_of_example>

To verify the information, run the /usr/lpp/ssp/kerberos/bin/ksrvutil list command on the backup control workstation. The system will display information similar to the following: 

Version    Principal
2     rcmd.k21sha@PPD.POK.IBM.COM
2     hardmon.k21sha@PPD.POK.IBM.COM
2     rcmd.k21shacw@PPD.POK.IBM.COM
2     hardmon.k21shacw@PPD.POK.IBM.COM
1     hardmon.k21cw@PPD.POK.IBM.COM
1     rcmd.k21cw@PPD.POK.IBM.COM
1     rcmd.k21s@PPD.POK.IBM.COM
1     hardmon.k21s@PPD.POK.IBM.COM
1     rcmd.k21cw_bt@PPD.POK.IBM.COM
1     rcmd.k21s_bt@PPD.POK.IBM.COM
#
 
# <end_of_example>

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]