.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KDCMGR 8 "Sep 19, 2007"
kdcmgr \- set up a Kerberos Key Distribution Center (KDC)
\fB/usr/sbin/kdcmgr\fR [\fB-a\fR \fIadmprincipal\fR] [\fB-e\fR \fIenctype\fR]
[\fB-h\fR] [\fB-p\fR \fIpwfile\fR] [\fB-r\fR \fIrealm\fR] \fIsubcommand\fR
Use the \fBkdcmgr\fR utility to do the following:
Configure a master Key Distribution Center (KDC) server.
Configure a slave KDC. This assumes that a master KDC has already been
configured. The default propagation method configured is incremental
propagation. See \fBkpropd\fR(8).
Specify a list of slave KDCs to configure service principals and create an
access control list for those slaves on the master KDC.
If you specify no options, \fBkdcmgr\fR prompts you for required information,
including a password to generate the master key and a password for the
administrative principal. When you specify sufficient options, you are still
prompted for these passwords, unless you specified the \fB-p\fR \fIpwfile\fR
The \fBkdcmgr\fR utility must be run as superuser or by someone who has the
Primary Administrator role. The command must be run on the server from which it
Note that \fBkdcmgr\fR requires the user to enter sensitive information, such
as the password used to generate the database's master key and the password for
the administrative principal. Great care must be taken to ensure that the
connection to the server is secured over the network, by using a protocol such
You must also exercise great care when selecting the administrative and master
key passwords. They should be derived from non-dictionary words and a long
string of characters consisting of all of the following character classes:
special characters (for example, !@#$%^&*)
The following options are supported:
\fB\fB-a\fR \fIadmprincipal\fR\fR
When creating a master KDC, specifies the administrative principal,
\fIadmprincipal\fR, that will be created.
When creating a slave KDC, \fIadmprincipal\fR is used to authenticate as the
administrative principal.
If you omit \fB-a\fR, the suggested default administrative principal name is
the output of \fBlogname\fR(1) with \fB/admin\fR appended.
\fB\fB-e\fR \fIenctype\fR\fR
Specifies the encryption type to be used when creating the key for the master
key, which is used to encrypt all principal keys in the database. The set of
valid encryption types used here are described in \fBkrb5.conf\fR(4) under the
\fBpermitted_enctypes\fR option. Note that the encryption type specified here
must be supported on all KDCs or else they will not be able to decrypt any of
the principal keys. Solaris 9 and earlier releases support only the
\fBdes-cbc-crc\fR encryption type for the master key. Therefore, if any of the
master or slave KDCs are of these older releases, then \fB-e\fR
\fBdes-cbc-crc\fR would need to be specified on all KDCs configured with
The default encryption type is \fBaes128-cts-hmac-sha1-96\fR.
Displays usage information for \fBkdcmgr\fR.
\fB\fB-p\fR \fIpwfile\fR\fR
Provides the location of the password file that contains the password used to
create the administrative principal and/or master key.
\fBWarning:\fR This option should be used with great care. Make sure that this
\fIpwfile\fR is accessible only by a privileged user and on a local file
system. Once the KDC has been configured, you should remove \fIpwfile\fR.
\fB\fB-r\fR \fIrealm\fR\fR
Set the default realm for this server.
If the \fB-r\fR option is not specified, \fBkdcmgr\fR attempts to obtain the
machine's local domain name by submitting the canonical form of the machine's
host name to DNS and using the return value to derive the domain name. If
successful, the domain name is converted to uppercase and proposed as the
The following subcommands are supported:
\fB\fBcreate\fR [ \fImaster\fR ]\fR
\fB\fBcreate\fR [ \fB-m\fR \fImasterkdc\fR ] slave\fR
Creates a KDC. If no option is specified, an attempt to create a master KDC is
\fB\fBcreate\fR [ \fImaster\fR ]\fR
Create a master KDC. Upon successful configuration the \fBkrb5kdc\fR(8) and
\fBkadmind\fR(8) are enabled on the machine.
\fB\fBcreate\fR [ \fB-m\fR \fImasterkdc\fR ] slave\fR
Configures a slave KDC. After configuration, the \fBkrb5kdc\fR(8) and
\fBkpropd\fR(8) services are enabled on the machine.
\fImasterkdc\fR specifies the master KDC to authenticate and with which to
perform administrative tasks. If the \fB-m\fR option is not specified, you are
prompted for a master KDC host name.
Remove all Kerberos configuration and database files associated with the KDC
server. A confirmation is required before these files are deleted.
Determines the role of the KDC, master or slave, and outputs this and the state
of such associated processes as:
The subcommand also displays information on incremental propagation if the
configuration has this feature enabled, as well as any issues with dependent
\fBExample 1 \fRSetting up a Master KDC
The following command configures a master KDC with the administrative principal
\fBuser1/admin\fR and with the realm name \fBEXAMPLE.COM\fR:
$ \fBkdcmgr -a user1/admin -r EXAMPLE.COM create\fR
Note that a password will be required to assign to the newly created
\fBuser1/admin\fR principal. The password for the master key will also need to
\fBExample 2 \fRSetting up a Slave KDC
The following command configures a slave KDC, authenticates with the
administrative principal \fBuser1/admin\fR, specifies \fBkdc1\fR as the master,
and uses the \fBEXAMPLE.COM\fR realm name:
$ \fBkdcmgr -a user1/admin -r EXAMPLE.COM create -m kdc1 slave\fR
Note that you must enter the correct password for \fBuser1/admin\fR and that
the master KDC must already have been created before entering this command. The
correct password for the master key is also required.
\fB\fB/etc/krb5/krb5.conf\fR\fR
Main Kerberos configuration file.
\fB\fB/etc/krb5/kdc.conf\fR\fR
KDC configuration, used by both master and slave servers.
\fB\fB/etc/krb5/krb5.keytab\fR\fR
Default location of the local host's service keys.
\fB\fB/etc/krb5/kadm5.acl\fR\fR
Kerberos administrative access control list (ACL).
\fB\fB/etc/krb5/kadm5.keytab\fR\fR
Service keys specific to \fBkadmind\fR(8).
\fB\fB/var/krb5/principal\fR\fR
Kerberos principal database.
\fB\fB/var/krb5/principal.kadm5\fR\fR
Kerberos policy database.
\fB\fB/etc/krb5/kpropd.acl\fR\fR
Used by slaves to indicate from which server to receive updates.
See \fBattributes\fR(5) for descriptions of the following attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability See below
The command line interface (CLI) is Uncommitted. The CLI output is Not an
\fBlogname\fR(1), \fBssh\fR(1), \fBkadmin\fR(8), \fBkadmind\fR(8),
\fBkdb5_util\fR(8), \fBkdb5_ldap_util\fR(8), \fBkpropd\fR(8),
\fBkrb5kdc\fR(8), \fBping\fR(8), \fBsvcadm\fR(8), \fBkdc.conf\fR(4),
\fBkrb5.conf\fR(4), \fBattributes\fR(5)