1.3. Creating the Database and Setting Up the First Administrator

  1. Use the utility kdb5_util to create the Kerberos database.

    [on RHEL or CentOS]
    /usr/sbin/kdb5_util create -s
    [on SLES]
    kdb5_util create -s
    [on Ubuntu]
    kdb5_util -s create

    The -s option allows you to store the master server key for the database in a stash file. If the stash file is not present, you will need to log into the KDC with the master password (specified during installation) each time it starts. This will automatically regenerate the master server key.

  2. Edit the Access Control List (/var/kerberos/krb5kdc/kadm5.acl in RHEL or CentOS and /var/lib/kerberos/krb5kdc/kadm5.acl in SLES) to define the principals that have admin (modifying) access to the database. A simple example would be a single entry:

    */admin@EXAMPLE.COM  *

    This specifies that all principals with the /admin instance extension have full access to the database. You must restart kadmin for the change to take effect.

  3. Create the first user principal. This must be done at a terminal window on the KDC machine itself, while you are logged in as root. Note the .local suffix: normal kadmin usage requires that a principal with appropriate access already exist, whereas the kadmin.local command can be used even if no principals exist.

    /usr/sbin/kadmin.local -q "addprinc <username>/admin"

    Other principals can now be created either on the KDC machine itself or through the network, using this principal. The following instructions assume you are using the KDC machine.

  4. Start Kerberos.

    [on RHEL/CentOS/Oracle Linux]
    /sbin/service krb5kdc start
    /sbin/service kadmin start
    [on SLES]
    rckrb5kdc start
    rckadmind start
    [on Ubuntu]
    /etc/init.d/krb5-kdc start
    /etc/init.d/krb5-admin-server start
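
The ACL entry from step 2 gives every principal with an /admin instance full rights, so the following added example (not part of the original document or of the Kerberos distribution) audits kadm5.acl text for wildcard actors that hold write rights and reports what a given principal may do. It assumes fully qualified principal names, whole-component `*` wildcards, first-match-wins ordering and left-to-right permission letters; the function names and the tightened sample ACL are constructed for illustration.

```python
FULL = set("admcilsp")   # what '*' (or 'x') expands to
WRITE = set("acdms")     # add, change password, delete, modify, set key

def parse_acl(text):
    """Return (lineno, principal, perms, target-or-None) per ACL entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line, comment, or entry without permissions
        entries.append((lineno, fields[0], fields[1],
                        fields[2] if len(fields) > 2 else None))
    return entries

def expand(perms):
    allowed = set()
    for ch in perms:  # lower case grants, upper case denies, left to right (assumed)
        if ch.isupper():
            allowed.discard(ch.lower())
        else:
            allowed |= FULL if ch in "*x" else {ch}
    return allowed

def matches(pattern, principal):
    """Component-wise match; a '*' component or realm matches anything."""
    (pname, prealm), (name, realm) = pattern.rsplit("@", 1), principal.rsplit("@", 1)
    pc, c = pname.split("/"), name.split("/")
    return (prealm in ("*", realm) and len(pc) == len(c)
            and all(a in ("*", b) for a, b in zip(pc, c)))

def rights_for(text, actor, target):
    """Rights of actor over target: the first matching entry decides."""
    for _, pattern, perms, tpat in parse_acl(text):
        if matches(pattern, actor) and (tpat is None or matches(tpat, target)):
            return expand(perms)
    return set()

def audit(text):
    """Flag wildcard actors holding write rights over every principal."""
    return [(n, p, "".join(sorted(expand(perms) & WRITE)))
            for n, p, perms, tpat in parse_acl(text)
            if "*" in p and tpat is None and expand(perms) & WRITE]

WEAK_ACL = "*/admin@EXAMPLE.COM  *\n"          # the entry from step 2
TIGHT_ACL = """# constructed sample
alice/admin@EXAMPLE.COM     *
helpdesk/admin@EXAMPLE.COM  cil
*/admin@EXAMPLE.COM         il
"""
```

Running `audit` on the step 2 entry flags line 1, while the constructed tightened ACL names each full administrator explicitly and leaves other /admin principals with inquiry and list rights only.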
                        
