Configures a Kerberos server.
mkkrb5srv -h | [ -r Realm -d Domain -a AdminName ] [ -l ldapserver | ldapserver:port ] [-u ldap_DN ] [ -p ldap_DN_pw ] [ -f {keyring | keyring:entry_dn} ] [ -k keyring_pw ] [ -b bind_type ] [-m masterkey_location ] [ -U ]
The mkkrb5srv command configures the Kerberos server. This command creates the kadm5.acl file, the kdc.conf file, and the Kerberos database. It also adds the administrator to the database and updates the /etc/inittab file with Kerberos daemons. This command does the initial configuration once the variables are set. They can be modified by editing the following files:
Item | Description |
---|---|
/etc/krb5/krb5.conf | Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. Also updates the paths for default_keytab_name, kdc, and kadmin log files. |
/var/krb5/krb5kdc/kdc.conf | This command sets the value for kdc_ports. Paths for database name, admin_keytab, acl_file, dict_file, key_stash_file. Values for kadmin_port, max_life, max_renewable_life, master_key_type, and supported_enctypes. |
/var/krb5/krb5kdc/kadm5.acl | Sets up the acls for admin, root, and host principals. |
If DCE is not configured, this command creates a link to /etc/krb5/krb5.conf from /etc/krb5.conf.
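After the command has run, a practitioner usually wants to review the kadm5.acl it wrote rather than trust the defaults blindly. The following script is an added example, not IBM code: it parses a constructed kadm5.acl in the standard "principal permissions [target]" format and flags entries that grant full administrative rights, most urgently to wildcard principals. The sample entries and the EXAMPLE.COM realm are assumptions for illustration.

```python
"""Audit a kadm5.acl for over-broad grants (added example, not IBM code).

Line format, as in MIT-derived KDCs:  principal  permissions  [target]
Permission letters: a d m c i l s p  (add, delete, modify, change password,
inquire, list, set key, set policy); x or * grants everything; a capital
letter denies that right.
"""

ALL_LETTERS = set("admcilsp")

# Constructed sample in the shape mkkrb5srv writes; not a real file.
SAMPLE_ACL = """\
# admin, root and host entries, plus two operator entries
admin/admin@EXAMPLE.COM  *
root/admin@EXAMPLE.COM   *
host/*@EXAMPLE.COM       i    host/*@EXAMPLE.COM
*/admin@EXAMPLE.COM      *
helpdesk@EXAMPLE.COM     cil  */*@EXAMPLE.COM
"""

def parse_acl(text):
    """Return one dict per effective line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError("malformed kadm5.acl line: %r" % raw)
        entries.append({"principal": parts[0],
                        "perms": parts[1],
                        "target": parts[2] if len(parts) > 2 else None})
    return entries

def grants_everything(perms):
    """True if the permission field amounts to full administrative rights."""
    if "*" in perms or "x" in perms:
        return True
    granted = {ch for ch in perms if ch.islower()}  # capitals are denials
    return ALL_LETTERS <= granted

def audit_acl(text):
    """Return (severity, principal, reason) tuples for entries worth review."""
    findings = []
    for e in parse_acl(text):
        name = e["principal"].split("@", 1)[0]
        full = grants_everything(e["perms"])
        if full and "*" in name:
            findings.append(("high", e["principal"],
                             "wildcard principal with full rights"))
        elif full and e["target"] is None:
            findings.append(("review", e["principal"],
                             "full rights, not restricted to a target"))
    return findings

if __name__ == "__main__":
    for sev, who, why in audit_acl(SAMPLE_ACL):
        print("%-6s %-26s %s" % (sev, who, why))
```

Run it against /var/krb5/krb5kdc/kadm5.acl by reading that file into audit_acl() instead of SAMPLE_ACL.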
Item | Description |
---|---|
Standard Output | Consists of information messages when the -h flag is used. |
Standard Error | Consists of error messages when the command cannot complete successfully. |
Item | Description |
---|---|
-a AdminName | Specifies the Kerberos Principal name for the administrator. |
-b bind_type | Specifies the LDAP bind type. Supported values are the following: |
-d Domain | Specifies the domain name for the Kerberos realm. |
-f {keyring | keyring:entry_dn} | Specifies the LDAP keyring database file name if you are using SSL communication. |
-h | Specifies that the command is only to display the valid command syntax. |
-k keyring_pw | Specifies the password for the LDAP keyring database file. If not specified, SSL uses the password that is encrypted in the appropriate password stash file. |
-l ldapserver | ldapserver:port | For servers, specifies the LDAP directory used to store the Network Authentication Service principal and policy information. For clients, specifies the LDAP directory server to use for Administration server and KDC discovery using LDAP. If the -l flag is used, the KDC and server flags are optional; if it is not used, the KDC and server flags must be specified. For both clients and servers, the port number can optionally be specified. If the port number is not specified, the client connects to the default LDAP server port 389, or 636 for SSL connections. Note: Only the client configuration is updated. |
-m masterkey_location | Specifies the fully qualified file name for storing the master key in the local file system when using LDAP to store data. Note: This flag is only for use with the LDAP directory. |
-p ldap_DN_pw | Specifies the password (ldap_DN_pw) for the LDAP entry given with the -u flag. |
-r Realm | Specifies the realm for which the Kerberos server is to be configured. |
-u ldap_DN | Specifies the LDAP entry to be used as the ldap_DN. Note: With external bind, the -u and -p flags are not required, and the values come from the certificate. |
-U | Undo the setup from the previous configuration command. |
Failure of this command to execute successfully results in incomplete server configuration.
Item | Description |
---|---|
0 | Indicates the successful completion of the command. |
1 | Indicates that an error occurred. |
A user with the aix.security.kerberos authorization is authorized to use this command.
mkkrb5srv -h
mkkrb5srv -r UD3A.AUSTIN.IBM.COM -d austin.ibm.com
Item | Description |
---|---|
/usr/sbin/mkkrb5srv | Contains the mkkrb5srv command. |