
Commands Reference, Volume 3

mkkrb5srv Command

Purpose

Configures a Kerberos server.

Syntax

mkkrb5srv -h | [ -r Realm [ -s Server ] -d Domain -a AdminName ] [ -l ldapserver | ldapserver:port ] [-u ldap_DN ] [ -p ldap_DN_pw ] [ -f {keyring | keyring:entry_dn} ] [ -k keyring_pw ] [ -b bind_type ] [-m masterkey_location ] [ -U ]

Description

The mkkrb5srv command configures the Kerberos server. This command creates the kadm5.acl file, the kdc.conf file, and the Kerberos database. It also adds the administrator to the database and updates the /etc/inittab file with Kerberos daemons. This command performs the initial configuration. After the values are set, they can be modified by editing the following files:

/etc/krb5/krb5.conf: Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. The command also updates the paths for default_keytab_name, kdc, and kadmin log files.
/var/krb5/krb5kdc/kdc.conf: The command sets the value for kdc_ports; the paths for database name, admin_keytab, acl_file, dict_file, and key_stash_file; and the values for kadmin_port, max_life, max_renewable_life, master_key_type, and supported_enctypes.
/var/krb5/krb5kdc/kadm5.acl: The command sets up the ACLs for admin, root, and host principals.

If DCE is not configured, this command creates a link to /etc/krb5/krb5.conf from /etc/krb5.conf.

Standard Output Consists of information messages when the -h flag is used.
Standard Error Consists of error messages when the command cannot complete successfully.

Flags

-a AdminName Specifies the Kerberos Principal name for the administrator.
-b bind_type Specifies the LDAP bind type. Supported values are the following:
  • simple
  • cram-md5
  • external
These bind types can be specified in either upper case or lower case.
-d Domain Specifies the domain name for the Kerberos realm.
-f {keyring | keyring:entry_dn} Specifies the LDAP keyring database file name if you are using SSL communication.
-h Specifies that the command is only to display the valid command syntax.
-k keyring_pw Specifies the password for the LDAP keyring database file. If not specified, SSL uses the password that is encrypted in the appropriate password stash file.
-l ldapserver | ldapserver:port For servers, specifies the LDAP directory used to store the Network Authentication Service principal and policy information.

For clients, specifies the LDAP directory server to use for Administration server and KDC discovery using LDAP. If the -l flag is used, then the KDC and server flags are optional. If the -l option is not used, the KDC and server flags must be specified. The port number can optionally be specified.

For clients and servers, the port number can optionally be specified. If the port number is not specified, the client connects to the default LDAP server port 389 or 636 for SSL connections.

Note
Only the client configuration is updated.
-m masterkey_location Specifies the fully qualified file name for storing the master key in the local file system when using LDAP to store data.
Note
This flag is only for use with the LDAP directory.
-p ldap_DN_pw Specifies the password for the entry being used for the ldap_DN_pw.
-r Realm Specifies the realm for which the Kerberos server is to be configured.
-s Server Specifies the fully qualified name of Kerberos Admin Server.
-u ldap_DN Specifies the LDAP entry to be used as the ldap_DN.
Note
With external bind, the -u and -p flags are not required, and the values come from the certificate.
-U Undo the setup from the previous configuration command.

Exit Status

Failure of this command to execute successfully results in incomplete server configuration.

0 Indicates the successful completion of the command.
1 Indicates that an error occurred.

Security

Only the root user is authorized to use this command.

Examples

  1. To display the command syntax, type:

    mkkrb5srv -h

  2. To configure sundial as a Kerberos server, type:

    mkkrb5srv -r UD3A.AUSTIN.IBM.COM -s sundial.austin.ibm.com -d austin.ibm.com
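
A post-configuration check of the files listed in the Description, as an added example that is not part of the original reference page. The function name and its root-prefix argument are hypothetical, and the check assumes a local policy that these files must not be group- or world-writable.

```shell
# Added example: check the files that mkkrb5srv is documented to create.
# The root-prefix argument is a hypothetical convenience for checking a
# staging copy of the tree; pass "" to check the live system.
# Usage (as root, after mkkrb5srv completes): check_krb5srv_files ""
check_krb5srv_files() {
    root=$1
    rc=0
    for f in /etc/krb5/krb5.conf \
             /var/krb5/krb5kdc/kdc.conf \
             /var/krb5/krb5kdc/kadm5.acl
    do
        p=$root$f
        if [ ! -f "$p" ]; then
            echo "MISSING $f"
            rc=1
        # These files hold the realm settings and the admin ACLs, so a
        # group- or world-writable copy is reported as a failure
        # (assumed policy, not stated by the command reference).
        elif [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $f"
            rc=1
        else
            echo "OK $f"
        fi
    done
    # The link is created only when DCE is not configured, so its absence
    # is reported but not treated as a failure. -ef is true for a symbolic
    # or a hard link to the same file.
    if [ "$root/etc/krb5.conf" -ef "$root/etc/krb5/krb5.conf" ]; then
        echo "LINKED /etc/krb5.conf"
    else
        echo "NOLINK /etc/krb5.conf"
    fi
    return $rc
}
```

The function prints one finding per line and returns 1 if any of the three files is missing or writable by group or others.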

Files

/usr/sbin/mkkrb5srv Contains the mkkrb5srv command.
