lowercase. For full details about the formats of these configuration files, refer to their respective man pages.

4. Create the database using the kdb5_util utility from a shell prompt:

   /usr/kerberos/sbin/kdb5_util create -s

   The create command creates the database that stores keys for the Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc) prompts the user for the master server password (which can be used to regenerate the key) every time it starts.

5. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can get by with a single line:

   */admin@EXAMPLE.COM *

   Most users are represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). In this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) are able to wield full power over the realm's Kerberos database.

   Once kadmind is started on the server, any user can access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file can modify the database in any way, except for changing their own passwords.

   Note

   The kadmin utility communicates with the kadmind server over the network, and uses Kerberos to handle authentication. For this reason, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.

   Type the following kadmin.local command at the KDC terminal to create the first principal:

   /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"

6. Start Kerberos using the following commands:

   /sbin/service krb5kdc start
   /sbin/service kadmin start
   /sbin/service krb524 start
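
The kadm5.acl line from step 5 can be checked before kadmind is started. The following is an added example, not part of the original guide and not the Kerberos project's own code: a simplified model of how a wildcarded kadm5.acl entry matches principals, usable to review who an ACL grants access to. It assumes fully qualified principal names, component-wise "*" wildcards and first-match ordering, and it ignores the optional target-principal and restriction fields; the second ACL entry and the function names are constructed for illustration.

```python
# Simplified kadm5.acl matcher for review purposes (added example).
# Constructed sample: line 1 is the entry from step 5, line 2 is hypothetical.
SAMPLE_ACL = """\
*/admin@EXAMPLE.COM *
helpdesk@EXAMPLE.COM c
"""

def split_principal(name):
    """Split 'primary/instance@REALM' into (list of components, realm)."""
    if "@" in name:
        body, realm = name.rsplit("@", 1)
    else:
        body, realm = name, ""
    return body.split("/"), realm

def parse_acl(text):
    """Return (principal_pattern, permissions) for each usable ACL line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank, comment, or malformed line
        entries.append((fields[0], fields[1]))
    return entries

def matches(pattern, principal):
    """A '*' component matches exactly one component; counts must agree."""
    p_comps, p_realm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if len(p_comps) != len(comps) or p_realm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(p_comps, comps))

def permissions_for(principal, acl_text):
    """Permission field of the first matching entry, or '' if none match."""
    for pattern, perms in parse_acl(acl_text):
        if matches(pattern, principal):
            return perms
    return ""

def wildcard_full_access(acl_text):
    """Entries that give '*' permissions to a wildcarded principal pattern."""
    return [(p, perms) for p, perms in parse_acl(acl_text)
            if perms == "*" and "*" in p.replace("@", "/").split("/")]

if __name__ == "__main__":
    for who in ("joe@EXAMPLE.COM", "joe/admin@EXAMPLE.COM"):
        print(who, "->", permissions_for(who, SAMPLE_ACL) or "(no entry)")
    print("review:", wildcard_full_access(SAMPLE_ACL))
```

Every principal created with an admin instance inherits the wildcard entry, so the output of wildcard_full_access is the list to compare against the people who are meant to administer the realm.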