kdcmgr(1M)              System Administration Commands              kdcmgr(1M)


NAME
       kdcmgr - set up a Kerberos Key Distribution Center (KDC)

SYNOPSIS
       /usr/sbin/kdcmgr [-a admprincipal] [-e enctype]
            [-h] [-p pwfile] [-r realm] subcommand


DESCRIPTION
       Use the kdcmgr utility to do the following:

           o      Configure a master Key Distribution Center (KDC) server.

           o      Configure a slave KDC. This assumes that a master KDC has
                  already been configured. The default propagation method
                  configured is incremental propagation. See kpropd(1M).

           o      Specify a list of slave KDCs to configure service principals
                  and create an access control list for those slaves on the
                  master KDC.

       If you specify no options, kdcmgr prompts you for required information,
       including a password to generate the master key and a password for the
       administrative principal. When you specify sufficient options, you are
       still prompted for these passwords, unless you specified the -p pwfile
       option.

       The kdcmgr utility must be run as superuser or by someone who has the
       Primary Administrator role. The command must be run on the server from
       which it is invoked.

       Note that kdcmgr requires the user to enter sensitive information, such
       as the password used to generate the database's master key and the
       password for the administrative principal. Great care must be taken to
       ensure that the connection to the server is secured over the network,
       by using a protocol such as ssh(1).

       You must also exercise great care when selecting the administrative and
       master key passwords. They should be derived from non-dictionary words
       and be a long string of characters consisting of all of the following
       character classes:

           o      special characters (for example, !@#$%^&*)

           o      numerals (0-9)

           o      uppercase letters

           o      lowercase letters


OPTIONS
       The following options are supported:

       -a admprincipal

           When creating a master KDC, specifies the administrative principal,
           admprincipal, that will be created.

           When creating a slave KDC, admprincipal is used to authenticate as
           the administrative principal.

           If you omit -a, the suggested default administrative principal name
           is the output of logname(1) with /admin appended.

       -e enctype

           Specifies the encryption type to be used when creating the master
           key, which is used to encrypt all principal keys in the database.
           The set of valid encryption types is described in krb5.conf(4)
           under the permitted_enctypes option. Note that the encryption type
           specified here must be supported on all KDCs, or else they will
           not be able to decrypt any of the principal keys. Solaris 9 and
           earlier releases support only the des-cbc-crc encryption type for
           the master key. Therefore, if any of the master or slave KDCs are
           of these older releases, -e des-cbc-crc must be specified on all
           KDCs configured with kdcmgr.

           The default encryption type is aes128-cts-hmac-sha1-96.

       -h

           Displays usage information for kdcmgr.

       -p pwfile

           Provides the location of the password file that contains the
           password used to create the administrative principal and/or master
           key.

           Warning: This option should be used with great care. Make sure that
           this pwfile is accessible only by a privileged user and is on a
           local file system. Once the KDC has been configured, you should
           remove pwfile.

       -r realm

           Sets the default realm for this server.

           If the -r option is not specified, kdcmgr attempts to obtain the
           machine's local domain name by submitting the canonical form of the
           machine's host name to DNS and using the return value to derive the
           domain name. If successful, the domain name is converted to
           uppercase and proposed as the default realm name.


SUBCOMMANDS
       The following subcommands are supported:

       create [ master ]
       create [ -m masterkdc ] slave

           Creates a KDC. If no option is specified, an attempt to create a
           master KDC is made.

           create [ master ]

               Creates a master KDC. Upon successful configuration, the
               krb5kdc(1M) and kadmind(1M) services are enabled on the
               machine.

           create [ -m masterkdc ] slave

               Configures a slave KDC. After configuration, the krb5kdc(1M)
               and kpropd(1M) services are enabled on the machine.

               masterkdc specifies the master KDC to authenticate to and with
               which to perform administrative tasks. If the -m option is not
               specified, you are prompted for a master KDC host name.

       destroy

           Removes all Kerberos configuration and database files associated
           with the KDC server. A confirmation is required before these files
           are deleted.

       status

           Determines the role of the KDC, master or slave, and outputs this
           along with the state of the associated processes:

               o      krb5kdc(1M)

               o      kadmind(1M)

               o      kpropd(1M)

           The subcommand also displays information on incremental propagation
           if the configuration has this feature enabled, as well as any
           issues with dependent files.


EXAMPLES
       Example 1 Setting up a Master KDC

       The following command configures a master KDC with the administrative
       principal user1/admin and with the realm name EXAMPLE.COM:

         $ kdcmgr -a user1/admin -r EXAMPLE.COM create

       Note that a password will be required to assign to the newly created
       user1/admin principal. The password for the master key will also need
       to be provided.
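
       As an added example that is not part of the kdcmgr(1M) page, the POSIX
       shell script below checks a candidate password against the four
       character classes listed in DESCRIPTION and handles the -p pwfile the
       way OPTIONS requires: owner-only permissions, a local file system, and
       removal once the KDC is configured. The minimum length, the /var/tmp
       location and the one-line pwfile layout are assumptions; the page does
       not state them.

```shell
#!/bin/sh
# Added example, not from the kdcmgr(1M) page. Checks a password against the
# page's character-class policy and manages the -p pwfile safely.
LC_ALL=C; export LC_ALL      # keep [A-Z]/[a-z] ranges literal
MINLEN=${MINLEN:-16}         # assumption: the page says only "a long string"

# Return 0 only if pw has >= MINLEN chars and at least one special
# character, numeral, uppercase and lowercase letter.
check_kdc_password() {
    pw=$1
    [ "${#pw}" -ge "$MINLEN" ] || return 1
    case $pw in *[0-9]*) ;; *) return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) return 1 ;; esac
    case $pw in *[a-z]*) ;; *) return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# Create pwfile (mode 0600, set before any content is written) on a local
# file system and fill it from stdin so the password never appears on a
# command line or in ps output. Prints the path. The single-line layout is
# assumed; the page does not describe the pwfile format.
write_pwfile() {
    dir=${1:-/var/tmp}       # assumption: a local file system on this host
    old_umask=$(umask)
    umask 077
    f=$(mktemp "$dir/kdcmgr-pw.XXXXXX") || return 1
    umask "$old_umask"
    cat > "$f"
    printf '%s\n' "$f"
}

# Master-KDC sequence with the page's example values: validate the
# password, write pwfile, run kdcmgr with -p, then remove pwfile as the
# OPTIONS section instructs. kdcmgr is invoked only where it exists.
setup_master_kdc() {
    pw=$1
    check_kdc_password "$pw" || { echo "password fails policy" >&2; return 1; }
    f=$(printf '%s\n' "$pw" | write_pwfile) || return 1
    rc=0
    if [ -x /usr/sbin/kdcmgr ]; then
        /usr/sbin/kdcmgr -a user1/admin -r EXAMPLE.COM -p "$f" create master || rc=$?
    fi
    rm -f "$f"
    return "$rc"
}
```

       Run it as the superuser on the KDC host itself over ssh(1), as the
       page requires, and keep pwfile's directory on a local file system.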
181
182
183       Example 2 Setting up a Slave KDC
184
185
186       The  following  command  configures a slave KDC, authenticates with the
187       administrative principal user1/admin, specifies kdc1 as the master, and
188       uses the EXAMPLE.COM realm name:
189
190
191         $ kdcmgr -a user1/admin -r EXAMPLE.COM create -m kdc1 slave
192
193
194
195
196       Note  that you must enter the correct password for user1/admin and that
197       the master KDC must already have been created before entering this com‐
198       mand. The correct password for the master key is also required.
199
200

FILES
       /etc/krb5/krb5.conf

           Main Kerberos configuration file.

       /etc/krb5/kdc.conf

           KDC configuration, used by both master and slave servers.

       /etc/krb5/krb5.keytab

           Default location of the local host's service keys.

       /etc/krb5/kadm5.acl

           Kerberos administrative access control list (ACL).

       /etc/krb5/kadm5.keytab

           Service keys specific to kadmind(1M).

       /var/krb5/principal

           Kerberos principal database.

       /var/krb5/principal.kadm5

           Kerberos policy database.

       /etc/krb5/kpropd.acl

           Used by slaves to indicate from which server to receive updates.


ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below                    │
       └─────────────────────────────┴─────────────────────────────┘

       The command line interface (CLI) is Uncommitted. The CLI output is Not
       an Interface.


SEE ALSO
       logname(1),    ssh(1),    kadmin(1M),    kadmind(1M),    kdb5_util(1M),
       kdb5_ldap_util(1M),   kpropd(1M),  krb5kdc(1M),  ping(1M),  svcadm(1M),
       kdc.conf(4), krb5.conf(4), attributes(5)

SunOS 5.11                        19 Sep 2007                       kdcmgr(1M)