This document describes how to rebuild and recreate the Kerberos database on an IBM RS/6000 SP Control Workstation.
This procedure applies to:
Step 1: Run splstdata -b to display each node's current bootp_response. All of the nodes' bootp_response values should be set to disk. If any node is NOT set to disk, perform step 2. If all nodes ARE set to disk, proceed to step 3.
Step 2: Use the spbootins command to set all of the nodes to disk. Either specify <start_frame#> as the first frame's number (usually 1), <start_slot#> as the slot number of the first node in the first frame (usually 1), and <node_count> as the total number of nodes, or specify -l with a comma-separated list of the node numbers that need to be changed.
Step 3: The kdestroy command destroys the user's authentication tickets, which are stored in the file named by the KRBTKFILE environment variable, or in /tmp/tkt<uid> by default.
Step 4: The kdb_destroy command destroys the Kerberos authentication database, which is located in the /var/kerberos* directory. It asks whether you want to continue; press Y to continue.
Step 5: This creates a backup of the /etc/krb.conf file, which contains the name of the local realm for your SP system and identifies the host names of all of the authentication servers for all Kerberos realms known to the local realm.
Step 6: This creates a backup of the /etc/krb.realms file, which maps network interface (host) names to Kerberos realms.
Step 7: This creates a backup of the /.klogin file, which lists the principals that are authorized to run commands as root on the control workstation through Kerberos-authenticated remote access.
Step 8: This removes the /etc/krb-srvtab file, which contains the control workstation's service keys. These keys belong to the database being destroyed and will be regenerated when authentication is reconfigured.
Step 9: This removes the /.k file, which contains the Kerberos database's master password in encrypted form.
Step 10: This removes any Kerberos database files that kdb_destroy may have left behind.
NOTE: If your Kerberos realm name is the same as your domain name written in upper case, continue with step 11. If your realm name is different, or you have a secondary authentication server defined, copy the backup back over /etc/krb.conf (/usr/bin/cp /etc/krb.conf.bak /etc/krb.conf) before step 11, so that the realm name and the list of authentication servers used during reconfiguration match your actual configuration rather than the defaults.
Step 11: This command configures SP authentication services. Executing it starts an interactive dialog in which several utility programs are invoked to perform the configuration. (Refer to Chapter 2, step 19.1, "Initializing as the Primary Authentication Server," in Parallel System Support Programs for AIX Installation and Migration Guide, Version 3, Release 1.1.)
You will be prompted for the following:
    Enter Kerberos master key: <your database passwd>
    Enter Kerberos master key: <retype above passwd>
    Principal name: root
    Instance: admin
    Principal not found, create [y]? y
    New Password: <your root.admin passwd>
    Verifying, please re-enter New Password: <retype above passwd>
    Expiration Date (enter yyyy-mm-dd) [2037-12-31]? <enter>
    Max Ticket Lifetime [255]? <enter>
    Attributes [0]? <enter>
    Principal name: <enter>
Next you will see:
    Kerberos Initialization for "root.admin"
    Password: <your root.admin passwd>
You will then return to the AIX prompt. Choose a strong master key and a different, strong root.admin password: the master key is what the new /.k file stores in encrypted form, and root.admin is the administrative principal for the rebuilt database.
Step 12: This command recycles the hardmon daemon so that it obtains a new hardmon ticket from the rebuilt database and can monitor the hardware properly.
Step 13: Run splstdata -b to display each node's current bootp_response. All of the nodes' bootp_response values need to be set to customize. If any node is not set to customize, perform step 14; otherwise proceed to step 15.
Step 14: Use the spbootins command to set all of the nodes to customize. Either specify <start_frame#> as the first frame's number (usually 1), <start_slot#> as the slot number of the first node in the first frame (usually 1), and <node_count> as the total number of nodes, or specify -l with a comma-separated list of the node numbers that need to be changed.
Step 15: Telnet to each node and issue shutdown -Fr. During the reboot of each node, /usr/lpp/ssp/install/bin/pssp_script is executed; this re-customizes the node against the new Kerberos database, which is necessary because the service keys in each node's /etc/krb-srvtab were issued by the destroyed database and are no longer valid. Upon successful completion of pssp_script, the node's bootp_response is set back to disk on the control workstation. Use splstdata -b to verify.
Step 16: Return all nodes to disk after completing the above procedure, using the spbootins command as detailed below.
The spbootins command will set all of the nodes to disk. Either specify <start_frame#> as the first frame's number (usually 1), <start_slot#> as the slot number of the first node in the first frame (usually 1), and <node_count> as the total number of nodes, or specify -l with a comma-separated list of the node numbers that need to be changed.
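Steps 1, 13 and 15 all come down to reading splstdata -b and confirming that every node shows the expected bootp_response, and steps 2 and 14 need the list of nodes that do not. The following script is an added example, not part of the IBM document and not a PSSP utility: it parses the text output of splstdata -b, reports the nodes that differ from the expected value, and assembles the comma-separated list that spbootins -l takes. It assumes the output has a header row containing the words "node#" and "response" and one row per node whose first column is the node number; the two samples embedded in it are constructed for the example, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the IBM document): check the bootp_response of every
# node from the text output of `splstdata -b`, as steps 1 and 13 require, and
# build the node list for `spbootins -l` when some nodes need changing.
#
# ASSUMPTION: the output has a header row containing the words "node#" and
# "response" and one row per node whose first column is the node number.
# The samples below are constructed for this example, not captured output.

# check_bootp_response <expected> <splstdata_b_output>
# Prints the node numbers whose response differs from <expected>.
# Returns 0 only when at least one node was found and all nodes match.
check_bootp_response() {
    expected=$1
    output=$2
    printf '%s\n' "$output" | awk -v want="$expected" '
        # Header row: learn which columns hold node# and response.
        /node#/ && /response/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "node#")    ncol = i
                if ($i == "response") rcol = i
            }
            next
        }
        # Node rows: first column numeric; compare the response column.
        ncol && rcol && $ncol ~ /^[0-9]+$/ {
            total++
            if ($rcol != want) { bad++; print $ncol }
        }
        END { exit (total == 0 || bad > 0) ? 1 : 0 }
    '
}

# nodes_to_fix <expected> <splstdata_b_output>
# Emits the comma-separated node list for `spbootins -l`; empty when none.
nodes_to_fix() {
    check_bootp_response "$1" "$2" | paste -sd, -
}

# Constructed sample in which node 2 was left at customize.
SAMPLE='List Node Boot/Install Information

node#  hostname             response   install_disk
-----  -------------------  ---------  ------------
1      node01.example.com   disk       hdisk0
2      node02.example.com   customize  hdisk0
3      node03.example.com   disk       hdisk0'

# Constructed sample in which every node is already at disk.
SAMPLE_OK='node#  hostname             response   install_disk
1      node01.example.com   disk       hdisk0
2      node02.example.com   disk       hdisk0'

# Stand-alone demonstration: report what step 2 or 14 would have to change.
for want in disk customize; do
    bad=$(nodes_to_fix "$want" "$SAMPLE")
    if [ -n "$bad" ]; then
        echo "nodes not set to $want: $bad (use with spbootins -l)"
    else
        echo "all nodes set to $want"
    fi
done
```

On a control workstation the output would be fed in as `check_bootp_response disk "$(splstdata -b)"`; the function locates the columns by header name rather than by position, so extra columns or continuation rows in the real output do not affect it, and an empty or unrecognized output is treated as a failure rather than as "all nodes match".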
[ Doc Ref: 90605220614592 Publish Date: Oct. 27, 2000 4FAX Ref: 1073 ]