The database library will look for the database in the directory /var/heimdal, so you should probably create that directory. Make sure the directory has restrictive permissions.
# mkdir /var/heimdal
The keys of all the principals are stored in the database. If you choose to, these can be encrypted with a master key. You do not have to remember this key (or password); you only need to enter it once, after which it is stored in a file (/var/heimdal/m-key). If you want to have a master key, run `kstash' to create it:
# kstash
Master key:
Verifying password - Master key:
If you want to generate a random master key you can use the --random-key flag to kstash. This makes sure you have a strong key that attackers cannot recover with a dictionary attack.
If you have a master key, make sure you make a backup of your master key file; without it backups of the database are of no use.
To initialise the database use the kadmin program with the -l option (to enable local database mode). First issue an `init MY.REALM' command. This will create the database and insert default principals for that realm. You can have more than one realm in one database, so `init' does not destroy any old database.
Before creating the database, `init' will ask you some questions about maximum ticket lifetimes.
After creating the database you should probably add yourself to it. You do this with the `add' command. It takes as argument the name of a principal. The principal should contain a realm, so if you haven't set up a default realm, you will need to explicitly include the realm.
# kadmin -l
kadmin> init MY.REALM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> add me
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes :
Password:
Verifying password - Password:
Now start the KDC and try getting a ticket.
# kdc &
# kinit me
me@MY.REALM's Password:
# klist
Credentials cache: /tmp/krb5cc_0
        Principal: me@MY.REALM

  Issued           Expires          Principal
Aug 25 07:25:55  Aug 25 17:25:55  krbtgt/MY.REALM@MY.REALM
If you are curious you can use the `dump' command to list all the entries in the database. It should look something like the following example (note that the entries here are truncated for typographical reasons):
kadmin> dump
me@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
kadmin/admin@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
krbtgt/MY.REALM@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
kadmin/changepw@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
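The whole set-up above (directory, master key, realm, first principal, KDC) as one script. This is an added example and not part of the Heimdal manual; it assumes kstash, kadmin and kdc are on PATH, that REALM, ADMIN and BACKUP_DIR are names chosen here, and that the non-interactive kadmin flags match your installed version (check `kadmin --help`). The two check functions enforce what the text only states: owner-only permissions on /var/heimdal and on m-key, and a backup of m-key kept outside the database directory.

```shell
#!/bin/sh
# Added example, not from the Heimdal manual. Assumed: Heimdal tools on PATH;
# REALM, ADMIN and BACKUP_DIR are names chosen for this script only.
set -eu

HEIMDAL_DIR=${HEIMDAL_DIR:-/var/heimdal}
MASTER_KEY=$HEIMDAL_DIR/m-key
REALM=${REALM:-MY.REALM}
ADMIN=${ADMIN:-me}
BACKUP_DIR=${BACKUP_DIR:-/root/heimdal-backup}   # must lie outside HEIMDAL_DIR

# First ten characters of ls -ld: file type plus owner/group/other rwx bits.
mode_string() { ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'; }

# Succeeds only for a directory its owner alone can read, write and search (0700).
dir_is_private() { [ "$(mode_string "$1")" = "drwx------" ]; }

# Succeeds only for a regular file with no group or other permission bits at all.
file_is_private() {
    case "$(mode_string "$1")" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

bootstrap_kdc() {
    umask 077                                   # everything created is owner-only
    mkdir -p "$HEIMDAL_DIR" "$BACKUP_DIR"
    chmod 700 "$HEIMDAL_DIR"
    dir_is_private "$HEIMDAL_DIR" || { echo "$HEIMDAL_DIR must be mode 0700" >&2; return 1; }

    # Random master key: nothing for a dictionary attack to work on.
    kstash --random-key
    file_is_private "$MASTER_KEY" || { echo "$MASTER_KEY is readable by others" >&2; return 1; }
    # Without this copy, every later backup of the database is unusable.
    cp -p "$MASTER_KEY" "$BACKUP_DIR/m-key.$(date +%Y%m%d)"

    # The same steps as the interactive kadmin session, in local (-l) mode.
    kadmin -l init --realm-max-ticket-life=unlimited \
                   --realm-max-renewable-life=unlimited "$REALM"
    kadmin -l add --use-defaults --random-password "$ADMIN@$REALM"
    kdc &
    kadmin -l dump | awk '{ print $1 }'         # principal names only, no key material
}

if [ "${1:-}" = run ]; then bootstrap_kdc; fi
```

Run it as `sh bootstrap.sh run` on the KDC host; without the argument it only defines the functions, so the checks can be reused by an audit cron job.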