The database library will look for the database in the directory /var, so you should probably create that directory. Make sure the directory has restrictive permissions.
    # mkdir /var/heimdal
    # chmod og-rwx /var/heimdal
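Because the database and the master key file (/var/heimdal/m-key, created by kstash below) both live in this directory, it is worth verifying that nothing in it is accessible to group or others. The following check is an added example, not part of Heimdal; it takes the directory as an argument (defaulting to /var/heimdal) and relies only on portable ls output.

```shell
#!/bin/sh
# Added check (not Heimdal's own code): confirm that the KDC database
# directory and every entry inside it deny all access to group and
# others, i.e. the "chmod og-rwx" state the text above asks for.
# The directory is a parameter so the check can also be run against a
# non-default location given as dbname/mkey_file in the configuration.

# Succeed when the group/other part of the mode string printed by
# "ls -ld" (columns 5-10 of "drwx------") is entirely '-'.
# This works with both BSD and GNU ls, unlike "stat" flags.
mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report every too-permissive path. Returns 0 when all is well,
# 1 when something is readable/writable/executable by group or others,
# 2 when the directory does not exist at all.
heimdal_perm_check() {
    dir=${1:-/var/heimdal}
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    mode_ok "$dir" || { echo "too permissive: $dir" >&2; rc=1; }
    # Include dotfiles; skip the unexpanded glob of an empty directory.
    for p in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$p" ] || continue
        mode_ok "$p" || { echo "too permissive: $p" >&2; rc=1; }
    done
    return $rc
}
```

Run it after kstash and kadmin init, and again after restoring from a backup, since copied files often come back with a looser mode.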
Heimdal supports various database backends: lmdb (LMDB), db3 (Berkeley DB 3.x, 4.x, or 5.x), db1 (Berkeley DB 2.x), sqlite (SQLite3), and ldap (LDAP). The default is db3, and is selected at build time from one of lmdb, db3, or db1.
These defaults can be overridden in the ‘database’ key of the ‘kdc’ section of the configuration:
    [kdc]
        database = {
            dbname = lmdb:/path/to/db-file
            realm = REALM
            acl_file = /path/to/kadmind.acl
            mkey_file = /path/to/mkey
            log_file = /path/to/iprop-log-file
        }
To use LDAP, see Using LDAP to store the database.
The keys of all the principals are stored in the database. If you choose to, these can be encrypted with a master key. You do not have to remember this key (or password); you enter it once and it is stored in a file (/var/heimdal/m-key). If you want to have a master key, run ‘kstash’ to create it:
    # kstash
    Master key:
    Verifying password - Master key:
If you want to generate a random master key you can use the --random-key flag to kstash. This will make sure you have a good key on which attackers can’t do a dictionary attack.
If you have a master key, make sure you make a backup of your master key file; without it backups of the database are of no use.
To initialise the database use the kadmin program, with the -l option (to enable local database mode). First issue an init MY.REALM command. This will create the database and insert default principals for that realm. You can have more than one realm in one database, so ‘init’ does not destroy any old database.
Before creating the database, ‘init’ will ask you some questions about maximum ticket lifetimes.
After creating the database you should probably add yourself to it. You do this with the ‘add’ command. It takes as argument the name of a principal. The principal should contain a realm, so if you haven’t set up a default realm, you will need to explicitly include the realm.
    # kadmin -l
    kadmin> init MY.REALM
    Realm max ticket life [unlimited]:
    Realm max renewable ticket life [unlimited]:
    kadmin> add me
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Attributes []:
    Password:
    Verifying password - Password:
Now start the KDC and try getting a ticket.
    # kdc &
    # kinit me
    me@MY.REALM's Password:
    # klist
    Credentials cache: /tmp/krb5cc_0
            Principal: me@MY.REALM

      Issued           Expires          Principal
    Aug 25 07:25:55  Aug 25 17:25:55  krbtgt/MY.REALM@MY.REALM
If you are curious you can use the ‘dump’ command to list all the entries in the database. It should look something similar to the following example (note that the entries here are truncated for typographical reasons):
    kadmin> dump
    me@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
    kadmin/admin@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
    krbtgt/MY.REALM@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
    kadmin/changepw@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...