How to Rebuild the Kerberos Database on an IBM RS/6000 SP Control Workstation


Contents

About this document
About this procedure
Procedure

About this document

This document describes how to rebuild and recreate the Kerberos database on an IBM RS/6000 SP Control Workstation.

This procedure applies to:


About this procedure

Following is a list of possible reasons for rebuilding the Kerberos database:


Procedure

At the control workstation (CWS), log in as root and execute the following commands:

  1. /usr/lpp/ssp/bin/splstdata -b

    splstdata -b will show what the nodes' current bootp_response was set to. All of the nodes' bootp_response should be set to disk. If the nodes are NOT set to disk, accomplish step 2. If the nodes ARE set to disk, proceed to step 3.

  2. /usr/lpp/ssp/bin/spbootins -r disk {<start_frame#> <start_slot#> <node_count> | -l <node#>, <node#>, ...}

    The spbootins command will set all of the nodes to disk. Either specify <start_frame#> equal to the first frame's number (usually 1), the <start_slot> equal to the slot number of the first node in the first frame (usually 1), the <node_count> equal to the total number of nodes, or specify the -l with the list of node numbers that need to be changed, separated by commas.

  3. /usr/lpp/ssp/kerberos/bin/kdestroy

    The kdestroy command destroys the user's authentication tickets, which are located in the file specified by the KRBTKFILE environment variable, or /tmp/tkt<uid> by default.

  4. /usr/lpp/ssp/kerberos/etc/kdb_destroy

    The kdb_destroy command destroys the kerberos authentication database, which is located in the /var/kerberos* directory. This will ask you if you want to contiue, press Y to continue.

  5. /usr/bin/mv /etc/krb.conf /etc/krb.conf.bak

    This will create a backup of the /etc/krb.conf file, which contains the name of the local realm for your SP system and identifies the host names of all of the authentication servers for all kerberos realms known to the local realm.

  6. /usr/bin/mv /etc/krb.realms /etc/krb.realms.bak

    This will create a backup of the /etc/krb.realms file, which maps network interface (host) names to kerberos realms.

  7. /usr/bin/mv /.klogin /.klogin.bak

    This will create a backup of the /.klogin file, which contains a list of principals that are authorized to invoke the process as root on the control workstation.

  8. /usr/bin/rm /etc/krb-srvtab

    This will remove the /etc/krb-srvtab file, which contains the control workstation's service keys.

  9. /usr/bin/rm /.k

    This will remove the /.k file, which contains the kerberos database's master password in an encrypted format.

  10. /usr/bin/rm /var/kerberos/databse/*

    This will remove all kerberos database files that may not have been removed by the kdb_destroy command.

    NOTE: If your kerberos realm name is the same as your domain (in capital letters only), continue with step 11. If your kerberos realm name is different, or you have a secondary authentication server defined, you will need to copy the /etc/krb.conf.bak file to /etc/krb.conf (/usr/bin/cp /etc/krb.conf.bak /etc/krb.conf), prior to step 11.

  11. /usr/lpp/ssp/bin/setup_authent

    This command configures SP authentication services. Executing this command invokes an interactive dialog in which various utility programs are invoked to accomplish this configuration. (Refer to Chapter 2, step 19.1 "Initializing as the Primary Authentication Server," in Parallel System Support Programs for AIX Installation and Migration Guide, Version 3, Release 1.1.)

    You will be prompted for the following:

    	Enter Kerberos master key:    <your database passwd>
    	Enter Kerberos master key:    <retype above passwd>
    	Principal name:   root
    	Instance:    admin
    	Principal not found, create [y]? y
    	New Password:    <your root.admin passwd>
    	Verifying, please re-enter New Password:    <retype above passwd>
    	Expiration Date (enter yyyy-mm-dd) [2037-12-31]?    <enter>
    	Max Ticket Lifetime [255]?    <enter>
    	Attributes [0]?    <enter>
    	Principal name:    <enter>
    

    Next you will see:

    	Kerberos Initialization for "root.admin"
    	Password:    <your root.admin passwd>
    

    You will now return to the AIX prompt.

  12. stopsrc -s hardmon;startsrc -s hardmon

    This command will recycle the hardmon daemon and allow it to retrieve a new hardmon ticket so that it can monitor the hardware properly.

  13. /usr/lpp/ssp/bin/splstdata -b

    splstdata -b will show what the nodes' current bootp_response was set to. All of the nodes' bootp_response need to be set to customize. If the nodes are not set to customize, accomplish step 14, otherwise proceed to step 15.

  14. /usr/lpp/ssp/bin/spbootins -r customize {<start_frame#> <start_slot#> <node_count> | -l <node#>, <node#>, ...}

    The spbootins command will set all of the nodes to customize. Either specify <start_frame#> equal to the first frame's number (usually 1), <start_slot> equal to the slot number of the first node in the first frame (usually 1), the <node_count> equal to the total number of nodes, or specify -l with the list of node numbers that need to be changed, separated by commas.

  15. This final step involves propagating the /.klogin, /etc/krb.conf, /etc/krb.realms and the /etc/krb-srvtab files from the control workstation to the nodes. This must be accomplished on all of the nodes. Three possible methods exist to propagate the /etc/krb-srvtab files onto the nodes: reboot all of the nodes, run the pssp_script on all of the nodes, or ftp the files to all of the nodes. Each of these three methods is described below.

    • Reboot

      Telnet to each node and issue a shutdown -Fr. During the reboot of each node, the /usr/lpp/ssp/install/bin/pssp_script will be executed. Upon successful completion of the pssp_script, the node will be put back to disk on the control workstation. Use the splstdata -b to command to verify.

    • pssp_script

      Telnet to each node and issue /usr/lpp/ssp/install/bin/pssp_script. Upon successful completion of the pssp_script, the node will be put back to disk on the control workstation. Use the splstdata -b to verify.

    • ftp

          For each node, accomplish each of the following steps from the control workstation.
      1. ftp <nodename>
      2. log in as root
      3. put /tftpboot/<nodename>-new-srvtab /etc/krb-srvtab
      4. put /.klogin /.klogin
      5. put /etc/krb.realms /etc/krb.realms
      6. put /etc/krb.conf /etc/krb.conf
      7. quit
      8. tn <nodename>
      9. log in as root
      10. chmod 600 /etc/krb-srvtab
      11. chmod 644 /.klogin
      12. chmod 644 /etc/krb.realms
      13. chmod 644 /etc/krb.conf
      14. exit

Return all nodes to disk after completing the above procedure. Use the spbootins command to do this, as detailed below.

The spbootins command will set all the nodes to disk. Either specify <start_frame#> equal to the first frame's number (usually 1), <start_slot#> equal to the slot number of the first node in the first frame (usually 1), <node_count> equal to the total number of nodes, or specify the -l with the list of node numbers that need to be changed, separated by commas.


[ Doc Ref: 90605220614592     Publish Date: Oct. 27, 2000     4FAX Ref: 1073 ]