IBM Books

Installation and Migration Guide


Procedure for changing an SP system set up with dce:compat to dce only

This procedure can be used for any system partition whose security values match either system partition shown in the following example.

splstdata -p

You should receive output similar to the following:

List System Partition Information

System Partitions:
-------------------------------------------------
c186s
c186sp1

Syspar: c186s
-------------------------------------------------
syspar_name        c186s
...
auth_install       dce:k4
auth_root_rcmd     dce:k4
ts_auth_methods    dce:compat
auth_methods       k5:k4

Syspar: c186sp1
-------------------------------------------------
syspar_name        c186sp1
...
auth_install       dce:k4
auth_root_rcmd     dce:k4
ts_auth_methods    dce:compat
auth_methods       k5:k4

Note:
This procedure can be used if auth_methods contains std. However, you will need to include std as an operand on the chauthpar and chauthent commands.

You should perform the following steps. In this example, k4 and compat are being removed from the c186sp1 partition.

  1. Ensure that there is an SP administrative principal defined to DCE. "Step 22.3: Create SP administrative principals" describes how to create this principal in DCE. Ensure that the administrative principal is in the /.k5login file for all of the nodes. In the examples that follow, "atest" was used as the principal and "atest" appears in /.k5login as "atest@fvtdcecell".
  2. On the control workstation, log in to the administrative principal and ensure that it is working correctly.
    dce_login atest
    Enter Password:
    dsh -avG date
    If all of the nodes respond with the date, everything is defined correctly.
  3. Remove compat from SP Trusted Services as follows:

    If using SMIT, do this:

    TYPE
    smit spauth_config
    • The RS/6000 SP Security menu appears.

    SELECT
    Enable Authentication Methods for SP Trusted Services
    • The Enable Authentication Methods for SP Trusted Services menu appears.
                                                   [Entry Fields]
      Enable on Control Workstation Only                   no
      Force change on nodes                                no

      You cannot select YES for both of the previous entries.

      System Partition Name                                c186s
      Authentication Methods                               dce

    If using chauthpts, issue the following command:
    chauthpts -p c186sp1 dce

    Verify that everything is correct. First, check the local SP Trusted Services security setting on each node, then check that the high availability daemons (haem specifically) have responded correctly. The security settings should no longer contain compat. Issue:
    dsh -avG lsauthts
    You should receive output similar to the following:
    c186n01.ppd.pok.ibm.com: DCE
    ...
    Issue:
    dsh -avG "lssrc -ls haem | grep secure"
    You should receive output similar to the following:
    c186n01.ppd.pok.ibm.com: Daemon security:             DCE
    ...
    If k4 was removed from all system partitions, chauthpts will set the local SP Trusted Services setting on the control workstation to include just DCE. To verify, issue:
    lsauthts
    You should receive output similar to the following:
    DCE
  4. Remove k4 from the authentication methods for AIX remote commands.

    If using SMIT, do this:

    TYPE
    smit spauth_config
    • The RS/6000 SP Security menu appears.

    SELECT
    Enable Authentication Methods for AIX Remote Commands
    • The Enable Authentication Methods for AIX Remote Commands menu appears.
                                                   [Entry Fields]
      Enable on Control Workstation Only                   no
      Force change on nodes                                no

      You cannot select YES for both of the previous entries.

      System Partition Name                                c186s
      Authentication Methods                               k5

    If using chauthpar, issue the following command:
    chauthpar -p c186sp1 k5

    To verify, issue:
    dsh -avG lsauthent
    You should receive output similar to the following:
    c186n01.ppd.pok.ibm.com: Kerberos 5
    c186n02.ppd.pok.ibm.com: Kerberos 5
    ...
  5. To verify your system partition security setting, enter:
    splstdata -p

    You should receive output similar to the following:

    List System Partition Information

    System Partitions:
    -------------------------------------------------
    c186s
    c186sp1

    Syspar: c186s
    -------------------------------------------------
    syspar_name        c186s
    ...
    auth_install       dce:k4
    auth_root_rcmd     dce:k4
    ts_auth_methods    dce
    auth_methods       k5

    Syspar: c186sp1
    -------------------------------------------------
    syspar_name        c186sp1
    ...
    auth_install       dce
    auth_root_rcmd     dce
    ts_auth_methods    dce
    auth_methods       k5
  6. After Kerberos 4 has been removed from all of the system partitions on the SP, it should be removed from the local settings on the control workstation. Issue:
    lsauthent
    You should receive output similar to the following:
    Kerberos 5
    Kerberos 4
    Issue:
    chauthent -k5
    lsauthent
    You should receive output similar to the following:
    Kerberos 5
  7. Once k4 is removed from all of the system partitions on the SP, the Kerberos daemons can be stopped and removed from inittab. To determine the daemon names, issue:
    lssrc -a | grep k
    You should receive output similar to the following:
    kerberos                      15872     active
    kadmind                       11558     active
    To stop the daemons, issue:
    stopsrc -s kerberos
    stopsrc -s kadmind
    To remove the daemons from inittab, issue:
    rmitab kerb
    rmitab kadmind
    The Kerberos configuration files must also be removed or renamed. These files are:
    • krb-srvtab
    • krb-srvtab.save
    • krb.realms

    Note:
    These files should be saved until you are absolutely certain you will not be going back to k4.
    Removing the krb-srvtab files is particularly important because the setup_server command uses it as an indicator that Kerberos V4 processing is required. If the krb-srvtab file is present, but the Kerberos daemons are not running, setup_server will fail.
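
A check for the precondition of steps 6 and 7, added here as an example and not part of the IBM procedure: it parses splstdata -p output in the format shown above and lists every security attribute that still names k4 or compat. The function names and the choice to inspect all four auth attributes are assumptions of this example; the sample input is the step 5 output from this page.

```sh
#!/bin/sh
# Added example (not IBM's code): find partition attributes still naming k4/compat.

# Reads `splstdata -p` output on stdin and prints one line per offending
# attribute: "<syspar> <attribute> <value>". Prints nothing when all are clean.
legacy_auth_report() {
    awk '
        $1 == "Syspar:" { syspar = $2; next }
        $1 ~ /^(auth_install|auth_root_rcmd|ts_auth_methods|auth_methods)$/ {
            # Values are colon-separated method lists such as dce:k4 or k5:k4.
            n = split($2, methods, ":")
            for (i = 1; i <= n; i++)
                if (methods[i] == "k4" || methods[i] == "compat") {
                    print syspar, $1, $2
                    break
                }
        }
    '
}

# Succeeds (exit 0) only when stdin shows no k4 or compat in any partition.
legacy_auth_clean() {
    [ -z "$(legacy_auth_report)" ]
}

# Constructed sample: the step 5 output from this page, captured as text.
sample_after_step5() {
    cat <<'EOF'
Syspar: c186s
-------------------------------------------------
syspar_name        c186s
auth_install       dce:k4
auth_root_rcmd     dce:k4
ts_auth_methods    dce
auth_methods       k5
Syspar: c186sp1
-------------------------------------------------
syspar_name        c186sp1
auth_install       dce
auth_root_rcmd     dce
ts_auth_methods    dce
auth_methods       k5
EOF
}

# On the control workstation this would be: splstdata -p | legacy_auth_report
sample_after_step5 | legacy_auth_report
```

Run against the step 5 sample, it reports auth_install and auth_root_rcmd on c186s, which still list dce:k4, and nothing for c186sp1.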

