

4.2 Creating the database

The database library will look for the database in the directory /var/heimdal, so you should probably create that directory. Make sure the directory has restrictive permissions.

     # mkdir /var/heimdal

The keys of all the principals are stored in the database. If you choose to, these can be encrypted with a master key. You do not have to remember this key (or password); you enter it only once, and it is then stored in a file (/var/heimdal/m-key). If you want to have a master key, run `kstash' to create it:

     # kstash
     Master key:
     Verifying password - Master key:

If you want to generate a random master key you can use the --random-key flag to kstash. This ensures you have a strong key that attackers cannot recover with a dictionary attack.

If you have a master key, make sure you make a backup of your master key file; without it backups of the database are of no use.

To initialise the database use the kadmin program with the -l option (to enable local database mode). First issue an `init MY.REALM' command. This will create the database and insert default principals for that realm. You can have more than one realm in one database, so `init' does not destroy any old database.

Before creating the database, `init' will ask you some questions about maximum ticket lifetimes.

After creating the database you should probably add yourself to it. You do this with the `add' command. It takes as its argument the name of a principal. The principal should contain a realm, so if you haven't set up a default realm, you will need to include the realm explicitly.

     # kadmin -l
     kadmin> init MY.REALM
     Realm max ticket life [unlimited]:
     Realm max renewable ticket life [unlimited]:
     kadmin> add me
     Max ticket life [unlimited]:
     Max renewable life [unlimited]:
     Attributes []:
     Password:
     Verifying password - Password:

Now start the KDC and try getting a ticket.

     # kdc &
     # kinit me
     me@MY.REALM's Password:
     # klist
     Credentials cache: /tmp/krb5cc_0
             Principal: me@MY.REALM
     
       Issued           Expires          Principal
     Aug 25 07:25:55  Aug 25 17:25:55  krbtgt/MY.REALM@MY.REALM

If you are curious you can use the `dump' command to list all the entries in the database. The output should look something like the following example (note that the entries here are truncated for typographical reasons):

     kadmin> dump
     me@MY.REALM 1:0:1:0b01d3cb7c293b57:-:0:7:8aec316b9d1629e3baf8 ...
     kadmin/admin@MY.REALM 1:0:1:e5c8a2675b37a443:-:0:7:cb913ebf85 ...
     krbtgt/MY.REALM@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ...
     kadmin/changepw@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ...
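The steps above ask for restrictive permissions on /var/heimdal and for a master key file that must be protected. As an added example, not part of the Heimdal manual, the following POSIX shell check verifies that the database directory and the stashed m-key are readable only by their owner before the KDC is started; the function names are this example's own, and the paths default to the ones used above.

```sh
# Added example, not part of the Heimdal manual: verify that the database
# directory and the master key stashed by kstash are readable only by their
# owner before the KDC is started. Function names are this example's own.

# Print the nine permission characters ls shows for PATH (e.g. rwx------).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeed only if PATH grants no read, write or execute bit to group or other.
# Set-group-id and sticky bits show up as s/t in those columns and also fail.
owner_only() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_kdc_perms [DIR]: DIR (default /var/heimdal) must exist and be
# owner-only; DIR/m-key, if kstash has created it, must be owner-only too.
# Returns 0 when every check passes, 1 otherwise, reporting each problem.
check_kdc_perms() {
    dir=${1:-/var/heimdal}
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing database directory: $dir" >&2
        return 1
    fi
    if ! owner_only "$dir"; then
        echo "$dir is $(perm_string "$dir"); expected rwx------ (chmod 700 $dir)" >&2
        status=1
    fi
    if [ -e "$dir/m-key" ] && ! owner_only "$dir/m-key"; then
        echo "$dir/m-key is $(perm_string "$dir/m-key"); expected rw------- (chmod 600 $dir/m-key)" >&2
        status=1
    fi
    return $status
}

# Typical use on the KDC host, just before `kdc &':  check_kdc_perms || exit 1
```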