Use the kdb5_util utility to create the Kerberos database:

    [on RHEL or CentOS] /usr/sbin/kdb5_util create -s
    [on SLES]           kdb5_util create -s
    [on Ubuntu]         kdb5_util create -s

The -s option stores the master server key for the database in a stash file. If the stash file is not present, you will need to log into the KDC and enter the master password (specified during installation) each time the KDC starts, so that it can regenerate the master server key.
Edit the Access Control List (/var/kerberos/krb5kdc/kadm5.acl on RHEL or CentOS, /var/lib/kerberos/krb5kdc/kadm5.acl on SLES) to define the principals that have admin (modifying) access to the database. A simple example is a single entry:

    */admin@EXAMPLE.COM *

This specifies that all principals with the /admin instance extension have full access to the database. You must restart kadmin for the change to take effect.

Create the first user principal. This must be done at a terminal window on the KDC machine itself, while you are logged in as root. Notice the .local suffix: normal kadmin usage requires that a principal with appropriate access already exist, whereas the kadmin.local command can be used even if no principals exist.

    /usr/sbin/kadmin.local -q "addprinc <username>/admin"
Other principals can now be created, either on the KDC machine itself or over the network, using this admin principal. The following instructions assume you are using the KDC machine.
Start Kerberos:

    [on RHEL/CentOS/Oracle Linux] /sbin/service krb5kdc start
                                  /sbin/service kadmin start
    [on SLES]                     rckrb5kdc start
                                  rckadmind start
    [on Ubuntu]                   /etc/init.d/krb5-kdc start
                                  /etc/init.d/kadmin start
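The steps above (create the database with a stash, write the admin ACL entry, add the first admin principal) as one shell helper. This is an added example, not part of the original page or of the MIT Kerberos distribution. The distribution-specific paths for RHEL/CentOS and SLES are the ones given above; the Ubuntu ACL path /etc/krb5kdc/kadm5.acl and the stash-file name (the key_stash_file setting in kdc.conf, by default .k5.REALM under the KDC directory) are assumptions. The helper checks that the stash file exists before continuing, which is the condition that lets the KDC start without an operator typing the master password. Every path is passed as an argument so the pieces can be exercised against a temporary file without root; the real sequence is run only by bootstrap_kdc, as root on the KDC host.

```shell
#!/bin/sh
# Added example (not from the original page): wraps the KDC bootstrap steps
# and verifies the master-key stash before the KDC services would be started.

# Database-create command per distribution family (paths as on the page;
# Ubuntu is assumed to have kdb5_util on PATH).
kdb5_create_cmd() {
    case "$1" in
        rhel|centos|oracle) echo "/usr/sbin/kdb5_util create -s" ;;
        sles|ubuntu)        echo "kdb5_util create -s" ;;
        *) echo "unknown distro: $1" >&2; return 1 ;;
    esac
}

# Default kadm5.acl location per family. RHEL/CentOS and SLES come from the
# page; the Ubuntu path is an assumption.
kadm5_acl_path() {
    case "$1" in
        rhel|centos|oracle) echo /var/kerberos/krb5kdc/kadm5.acl ;;
        sles)               echo /var/lib/kerberos/krb5kdc/kadm5.acl ;;
        ubuntu)             echo /etc/krb5kdc/kadm5.acl ;;
        *) echo "unknown distro: $1" >&2; return 1 ;;
    esac
}

# Append the "every */admin principal is an administrator" rule exactly once,
# so re-running the helper does not duplicate ACL lines.
write_admin_acl() {  # $1 = acl file, $2 = realm
    entry="*/admin@$2 *"
    if [ -f "$1" ] && grep -qxF "$entry" "$1"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$1"
}

# Succeeds only if the stash file written by 'kdb5_util create -s' exists and
# is non-empty; without it the KDC prompts for the master password on every
# start and will not come up unattended.
stash_present() {  # $1 = stash file (key_stash_file in kdc.conf; assumed .k5.REALM)
    [ -s "$1" ]
}

# Full sequence for one KDC host. Run this for real only as root on the KDC.
bootstrap_kdc() {  # $1 = distro, $2 = realm, $3 = admin username, $4 = stash file
    $(kdb5_create_cmd "$1") || return 1
    write_admin_acl "$(kadm5_acl_path "$1")" "$2" || return 1
    if ! stash_present "$4"; then
        echo "stash file $4 missing; the KDC would block on the master password" >&2
        return 1
    fi
    /usr/sbin/kadmin.local -q "addprinc $3/admin"
}
```

After bootstrap_kdc returns successfully, restart kadmin so the new ACL entry is read, then start krb5kdc and kadmin with the service commands listed above for your distribution.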