HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Principals
Chapter 8 123
Adding User Principals
The Kerberos server enables you to add user principals to the principal
database. The only limit on the number of principals in the database is
the disk space available on the primary security server and on each of
the secondary security servers.
When adding a user principal to the database, assign the principal
identifier, instances (if used), and the realm name. You must also
designate a temporary password for the principal. You may assign
specific attributes and properties to the account. Any attributes and
properties that are not specifically set for the principal are inherited
from the default group principal.
Establish a secure method for transferring the temporary password
information to the user to avoid a security breach. Communicate the
temporary password before the user authenticates with the new
principal account. Make sure the user knows that he or she is required to
change the password during the first authentication attempt.
Adding New Service Principals
The Kerberos server enables you to add service principals to the
principal database. Use service principal accounts for a UNIX host
system, a Kerberos-secured service, or an application that is available to
user principals in the network.
When the Kerberos server software is installed, the Kerberos server
requires certain service principals that are automatically added to the
principal database. You must manually add the service principal
accounts used by the optional secured service applications to the
principal database.
Each Kerberos-secured service or application must have the ability to
provide its secret key during authentication. Therefore, service principal
accounts must have the following specific attributes and properties,
depending on the requirements of the application:
- The application must be able to provide its unique principal name
  during authentication.