HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Principals
Chapter 8 125
the database secret key. All records in the principal database are
encrypted using this key. The key for this principal is stored on each
Kerberos server in the .k5.realm file.
IMPORTANT Do not remove, modify, or change the key type for this principal. Do not
generate a new key for this principal.
default@REALM: The default@REALM principal name contains the
default group principal attributes for the realm. This principal is
required in each realm. This principal, called the default group, is
automatically created when a realm is added to the database.
The attributes and properties of this principal act as a template for
adding principals to a realm in the principal database of the Kerberos
server. This principal uses a random key. However, you must not extract
this key to a service key table file. This principal is locked by default,
which eliminates the security risk of an external attacker authenticating
with this principal account.
IMPORTANT Do not remove this principal entry or unlock this principal account.
krbtgt/REALM@REALM: You can use the secret key of the
krbtgt/REALM@REALM principal to encrypt and decrypt ticket-granting
tickets (TGTs) issued by the Kerberos server for principals in the REALM.
IMPORTANT Do not remove or modify this principal entry, except to add a
3DES key when you need to support that encryption type.
To configure interrealm authentication, create distinct reserved
principals with the prefix name krbtgt/ for each realm.
If you change any attribute or password of the krbtgt/REALM@REALM
principal for the default realm, that is, the realm that contains the
K/M@REALM principal, you must close all administrative programs,
including kadmin, kadminl_ui, and kdcd. Then, restart all
administrative services and daemons in that realm for the changes to
take effect.
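
The rules above for the reserved principals can be checked mechanically. The following audit is an added example, not code from this manual or from HP. The inventory format ("<name> locked=<yes|no>"), the function names, and the EXAMPLE.COM sample data are assumptions constructed for illustration.

```python
# Added example. Assumed input (constructed, not output of any HP tool):
# one principal per line as "<name> locked=<yes|no>".

def parse_inventory(text):
    """Return {principal_name: is_locked} from the constructed listing."""
    principals = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, attr = line.partition(" ")
            principals[name] = attr.strip() == "locked=yes"
    return principals

def audit_reserved(principals, keytab_names, default_realm):
    """Check the reserved-principal rules; return sorted findings."""
    findings = []
    realms = {n.rsplit("@", 1)[1] for n in principals if "@" in n}
    realms.add(default_realm)
    # K/M belongs to the default realm and must never be removed.
    if f"K/M@{default_realm}" not in principals:
        findings.append(f"K/M@{default_realm}: missing")
    for realm in realms:
        default, tgt = f"default@{realm}", f"krbtgt/{realm}@{realm}"
        if default not in principals:
            findings.append(f"{default}: missing (required in each realm)")
        elif not principals[default]:
            findings.append(f"{default}: unlocked (must stay locked)")
        if tgt not in principals:
            findings.append(f"{tgt}: missing")
    # The default group key must not appear in a service key table file.
    findings += [f"{n}: key present in a service key table"
                 for n in keytab_names if n.startswith("default@")]
    return sorted(findings)

# Constructed sample data for illustration only.
SAMPLE = """\
K/M@EXAMPLE.COM locked=no
default@EXAMPLE.COM locked=no
krbtgt/EXAMPLE.COM@EXAMPLE.COM locked=no
default@LAB.EXAMPLE.COM locked=yes
host/web1@LAB.EXAMPLE.COM locked=no
"""
SAMPLE_KEYTAB = ["host/web1@LAB.EXAMPLE.COM", "default@EXAMPLE.COM"]

if __name__ == "__main__":
    for finding in audit_reserved(parse_inventory(SAMPLE), SAMPLE_KEYTAB,
                                  "EXAMPLE.COM"):
        print(finding)
```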