HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Kerberos Database Utilities
Chapter 8 227
Adding principals to database...
Cleaning up....
shell%
The kdb_create command creates the following principals:
    K/M@<REALM NAME>
        This is the default key name. However, you can configure this key name.
    default@<REALM NAME>
    kadmin/<REALM NAME>@<REALM NAME>
    kcpwd/<REALM NAME>@<REALM NAME>
    krbtgt/<REALM NAME>@<REALM NAME>
IMPORTANT: Do not delete these principals.
K/M is the default master key name. However, you can change the
master key name by specifying the name with the -M mkeyname option
of the kdb_create command.
The stash file is a local copy of the master key that resides on the local
disk of the primary security server in an encrypted format. This stash
file is usually located in the same directory as the Kerberos database. By
default, kdb_create does not create a stash file. A stash file allows the
database utilities, such as kadmind, kadminl, kdcd and others, to
authenticate themselves.
Occasionally, however, you may have to restart the machine on which the
KDC runs. If a stash file is present, you can configure the KDC to start
automatically, without any human intervention, whenever the machine is
rebooted. The stash file, like the keytab file, is a potential point of entry
for a break-in; if compromised, it allows unrestricted access to the
Kerberos database. For more information, see “Service Key Table” on
page 244.
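The stash file and keytab caveat above, as an added example that is not part of the HP manual: a POSIX shell function that checks that such a file is a regular file rather than a symbolic link, grants nothing to group or other, has the expected owner, and sits in a directory other users cannot write to. The function name check_secret_file, the default owner uid 0 and the path you pass in are assumptions; this page does not give the stash file's location.

```shell
#!/bin/sh
# Added example: audit a Kerberos stash or keytab file for unsafe permissions.
# Usage: check_secret_file PATH [EXPECTED_UID]
# Prints one line per finding and returns the number of findings (0 = clean).
check_secret_file() {
    f=$1
    want_uid=${2:-0}        # assumption: the KDC daemons run as root (uid 0)
    findings=0

    if [ -h "$f" ]; then
        echo "FAIL $f: is a symbolic link"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL $f: missing or not a regular file"
        return 1
    fi

    # ls -ldn prints: mode links uid gid ...; -n keeps the ids numeric.
    set -- $(ls -ldn "$f")
    mode=$1
    uid=$3
    case $mode in
        -???------*) ;;     # no group or other permission bits set
        *) echo "FAIL $f: mode $mode grants group/other access"
           findings=$((findings + 1)) ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $f: owner uid $uid, expected $want_uid"
        findings=$((findings + 1))
    fi

    # A parent directory writable by others lets them replace the file.
    dir=$(dirname "$f")
    set -- $(ls -ldn "$dir")
    case $1 in
        d????-??-*) ;;      # group-write and other-write both clear
        *) echo "FAIL $dir: directory mode $1 is group/other writable"
           findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ] && echo "OK   $f"
    return "$findings"
}
```

Run it against the stash file and each keytab after installation and after any restore from backup; a non-zero return value is the number of findings.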
Database Encryption
The Kerberos server supports the following encryption types:
DES3