# ################################################################################
# KERBEROS MINI-HOWTO:
#
# KADMIN:
#
# kadmin.local/kadmin commands:
#
# Once in kadmin you can press '?' for a list of commands.
# You can also type the command and see a list of valid options.
#
# listprincs - Lists the principals in the KDC database. e.g. listprincs
# getprincs - Alias of listprincs. e.g. getprincs
# getprinc - Shows the attributes of one principal (expiry, policy, key versions, ...). e.g. getprinc user
# addprinc - Adds a new principal to the KDC database. e.g. addprinc user
# modprinc - Modifies the attributes of a principal. e.g. modprinc user
# cpw - Changes a principal's password. e.g. cpw user
# delprinc - Deletes a principal from the KDC database. e.g. delprinc user
#
# ktadd - Writes the keys of service and host principals into a keytab file
#         (the default keytab, /etc/krb5.keytab, unless -k is given).
#         NOTE: ktadd generates a new random key for the principal, so any older keytab
#         holding that principal stops working. A keytab contains long-term keys
#         equivalent to the password; keep it root-owned and readable by root only.
#
#
# CREATING POLICIES
#
# To add a policy:
# add_policy [options] policy
# options are:
# [-maxlife time] [-minlife time] [-minlength length]
# [-minclasses number] [-history number]
#
# To modify a policy:
# modify_policy [options] policy
# options are:
# [-maxlife time] [-minlife time] [-minlength length]
# [-minclasses number] [-history number]
#
# -maxlife Maximum lifetime of a password before it must be changed. e.g. -maxlife "45 days"
# -minlife Minimum time that must pass before a password can be changed again. e.g. -minlife "1 day"
# -minlength Minimum password length. e.g. -minlength 8
# -history Number of previous passwords remembered; none of them may be reused. e.g. -history 3
# -minclasses Minimum number of character [classes] a password must contain. e.g. -minclasses 3
#
# A policy is only enforced on principals it is assigned to, e.g.
# addprinc -policy policyname user or modprinc -policy policyname user.
#
# [classes]
# Lowercase letters
# Uppercase letters
# Numbers
# Punctuation
# Other characters
#
#
# KTUTIL COMMAND
#
# # ktutil is not run inside kadmin; it is a separate utility run from the CLI.
#
# ktutil - Allows administrators to manipulate keytab files.
# clear - Clears the current keylist held in memory.
# list - Displays the principals whose keys are currently in the keylist.
# rkt - Reads a keytab file and appends its keys to the keylist.
# addent - Adds an entry to the keylist manually.
# delent - Deletes an entry from the internal keylist.
# wkt - Writes the contents of the keylist into a keytab file.
#
#
# ADDING A SLAVE FOR DB PROPAGATION AND LOGIN FAILOVER
#
# In the /etc/krb5.conf file, under [realms], list both KDCs:
#
# kdc = kdc1.domain.net:88
# kdc = kdc2.domain.net:88
#
# This is done so that if the master should fail, clients still know
# where else to send authentication requests.
# If KDC lookup via DNS SRV records is in use, the only entry required in the
# [realms] section is the admin server. This must name the master KDC: kadmind
# (and therefore kadmin and kpasswd) runs only on the master, because the slave
# holds a read-only copy of the database and cannot fail over for it.
#
# admin_server = dns1.domain.net:749
#
# Even though the service records are in DNS, DNS-based lookup is not yet in use
# here, so the explicit kdc = lines above are still required.
#
#
# #### On the master KDC. ####
#
# Log in to kadmin.local and add the slave's host principal to the KDC DB
# (-randkey generates a random key instead of prompting for a password):
# addprinc -randkey host/kdc2.domain.net
#
# While still in kadmin.local, write the slave's key to a keytab:
# ktadd host/kdc2.domain.net
#
# ktadd writes to the default keytab of the machine it is run on (/etc/krb5.keytab).
# kpropd on the slave needs host/kdc2.domain.net in the slave's keytab, and kprop on
# the master needs host/kdc1.domain.net in the master's keytab. Either run the ktadd
# for each host on that host, or move the keytab to it over an encrypted channel
# (scp) and make it readable by root only; never send a keytab in cleartext.
#
#
# #### On both the master and the slave. ####
#
# Add a kpropd.acl file on each KDC server (/var/krb5kdc/kpropd.acl) listing the host
# principal of every KDC. kpropd accepts a database push only from a principal named
# here, and anyone holding one of these keys can replace the whole KDC database, so
# list only the KDCs and keep the file root-owned. The format of the file is as follows:
# host/kdc1.domain.net@DOMAIN.NET
# host/kdc2.domain.net@DOMAIN.NET
#
#
# #### On the slave server. ####
#
# ##Add this to the /etc/services file.
#
# krb5_prop 754/tcp # kprop
#
#
# ##Add this to /etc/rc.d/init.d/krb5-slave
#
# # krb5-slave template
# #
# # $Id: TipsAndTricks,v 1.10 2007/06/21 00:13:38 jreynolds Exp $
# #
#
# start: /usr/sbin/krb5kdc
# start: /usr/sbin/kpropd
# stop: killall krb5kdc
# stop: killall kpropd
# status: ps -aef | grep /usr/sbin/krb5kdc | grep -v grep
# status: ps -aef | grep /usr/sbin/kpropd | grep -v grep
#
#
# ##Add this to /etc/sysconf/services.conf
#
# krb5-slave 3
#
# ##Now start the slave.
# services start krb5-slave
# ######################################################
#
# #### On the master ####
#
# ##Dump the KDC DB to a file (with no filename, kdb5_util dump writes to stdout,
# ##which kprop cannot use). The dump contains every key in the realm; keep it root-only.
#
# kdb5_util dump /var/krb5kdc/slave_datatrans
#
# ##Propagate the dump to the slave (kprop needs the dump file and the slave's hostname).
#
# kprop -f /var/krb5kdc/slave_datatrans kdc2.domain.net
#
# #####################################################
#
# #### On the slave ####
#
# kdb5_util stash
#
# Enter the database master password chosen when the DB was initially built.
# The stash file stores the master key unencrypted so krb5kdc can start unattended;
# it must be owned by root and readable by root only.
#
# The last thing to do is set up a cron job on the master that repeats the dump and
# kprop steps above on a schedule. Until the next propagation runs, password changes
# and new principals exist only on the master and are unknown to the slave.
#
# END KERBEROS MINI-HOWTO
# ################################################################################