Kerberos Install
Home Up Who is running SUID NIS+ and Trusted Sys AAA Server Intro NIS+ Passwd Tbl umask NIS+ Support Kerberos Install Kerberos Config Boot Authenticator Shadow Password Bundle



UPDATE to Section 9.2

Prior to the publication of this book, HP did not provide a Kerberos server for HP-UX.
The instructions in the book explain how to install Kerberos using the source from . 
HP now provides a Kerberos server. The software is available at and is free. 

Follow the information in section 9.2 regarding creating an alias named kerberos.

After installing the Kerberos Server using swinstall you can run krbsetup (HP recommended) or manually configure the server. 
Detailed instructions can be found in the on-line documentation: .

ctg800#: /opt/krb5/sbin/krbsetup

Kerberos Server Configuration - Main Menu 
         Select one of the options below: 

         1) Configure the Server
         2) Start the Kerberos daemons
         3) Stop the Kerberos daemons
         4) Un-configure the Server
         5) Exit
         6) Help

         Selection: 1

The setup program is going to use your hostname as the realm name. If you don’t want this, be sure to change it here:

Enter the realm name (the allowed chars are "a-z""A-Z""0-9" "." "-" "_")

If nothing is typed the default name [ CTG800.CERIUS.COM ] will be considered: SEATTLE.CERIUS.COM

        You will be prompted for the database Master Password
        It is important that you NOT FORGET this password

        Enter KDC database master key: 

        Re-enter KDC database master key to verify: 

        Enter the principal name for Admin. (If nothing is entered, the default 

        name [admin/admin@SEATTLE.CERIUS.COM] is considered) : [press enter]

Enter password for the Kerberos Server Administrator: 

            Re-enter password:

Kerberos server is configured

Press enter Key to go back to the main menu...

 Press 5 to Exit

The following files are placed in the /var/adm/krb5/krb5kdc directory:

ctg800#: pwd


ctg800#: ll
total 32
-rw-------   1 root sys      14 Mar 28 08:38 .k5.SEATTLE.CERIUS.COM
-rw-r--r--   1 root sys      10 Mar 28 08:39 kadm5.acl
-rw-------   1 root sys     129 Mar 28 08:39 kadm5.keytab
-rw-r--r--   1 root sys     556 Mar 28 08:37 kdc.conf
-r--r--r--   1 root sys     618 Jul  4  2001 kdc.conf.sample
-r--r--r--   1 root sys     659 Jun 25  2001 krb5.conf.sample
-rw-------   1 root sys    8192 Mar 28 08:39 principal
-rw-------   1 root sys 1049088 Mar 28 08:39 principal.kadm5
-rw-------   1 root sys       0 Mar 28 08:38 principal.kadm5.lock
-rw-------   1 root sys       0 Mar 28 08:39 principal.ok

ctg800#: more kdc.conf
        kdc_ports = 88, 750 
           SEATTLE.CERIUS.COM = {
            database_name = /var/adm/krb5/krb5kdc/principal
            admin_keytab = /var/adm/krb5/krb5kdc/kadm5.keytab
            acl_file = /var/adm/krb5/krb5kdc/kadm5.acl
            dict_file = /var/adm/krb5/krb5kdc/kadm5.dict
            key_stash_file = /var/adm/krb5/krb5kdc/.k5.SEATTLE.CERIUS.COM
            kadmind_port = 749
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0s
            master_key_type = des-cbc-crc
            default_principal_flags = renewable
            supported_enctypes = des-cbc-crc:normal 
ctg800#: more /etc/krb5.conf 
# Kerberos configuration
# see krb5.conf(4) for more details
        default_realm = SEATTLE.CERIUS.COM
        default_tkt_enctypes = DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-CRC
        ccache_type = 2
           kdc =
           admin_server =
[domain_realm] = SEATTLE.CERIUS.COM
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
I like to change the above 3 entries to point to the /var/opt/krb5 directory. (In the book I used /var/opt/kerb5).
Also, you don’t want to use your hostname in this file. In the above example, the hostname “ctg800” was used.
However, if I ever move my KDC, I will be sorry this was used. Change the entries to “kerberos”.


 Copyright © 2007 NEWFDAWG.COM All rights reserved.     Last modified: 02/03/07.