How to Rebuild the Kerberos Database
About this document
The following procedure outlines how to destroy the Kerberos database on the IBM RS/6000 Scalable POWERparallel System and then rebuild it.
This procedure applies to:
· Parallel System Support Programs Version 2.1 or later
· AIX Version 4.1.3 and later
About this procedure
Following is a list of possible reasons for rebuilding the Kerberos database:
· if the database becomes corrupted
· if problems occur when configuring the database with /usr/lpp/ssp/bin/setup_authent
· when changing the host names of any of the nodes or the control workstation
· when switching name resolution from DNS to /etc/hosts or vice versa
Procedure
At the control workstation (CW), log in as root and execute the following commands:

1. /usr/lpp/ssp/kerberos/bin/kdestroy
The kdestroy command destroys the user's authentication tickets, which are located in /tmp/tkt<uid>.

2. /usr/lpp/ssp/kerberos/etc/kdb_destroy
The kdb_destroy command destroys the Kerberos authentication database, which is located in /var/kerberos/*.

3. rm /etc/krb*
This removes the following files:
· krb-srvtab: contains the keys for services on the nodes
· krb.conf: contains the SP authentication configuration
· krb.realms: specifies the translations from host names to authentication realms

4. rm /.klogin
This removes the .klogin file, which contains a list of principals that are authorized to invoke processes as the root user with the SP-authenticated remote commands (rsh, rcp).

5. rm /.k
This removes the Kerberos master key cache file.

6. rm /var/kerberos/database/*
This command ensures that the authentication database files are completely removed.

7. /usr/lpp/ssp/bin/setup_authent
This command configures SP authentication services. Executing this command invokes an interactive dialog in which various utility programs are invoked to accomplish this configuration. (Refer to Chapter 1, the "Understanding RS/6000 SP Installation" section of the IBM RISC System/6000 Scalable POWERparallel Systems Installation Guide.)
NOTE: In PSSP 2.3 and later, this step also performs the actions listed in steps 9 and 10.

8. /usr/lpp/ssp/install/bin/hmreinit
This command recycles the hardmon daemon and lets it obtain a new hardmon ticket so that it can monitor the hardware properly.
NOTE: If you are running PSSP 2.3 or later, you may skip to step 11 after completing step 8.

9. /usr/lpp/ssp/bin/setup_server
This command adds the necessary remote command (RCMD) principals for the nodes to the Kerberos database, based on what is defined in the SDR for those nodes.

10. Set the nodes to customize to create the new srvtab files.
a. Execute the command smitty node_data.
b. Select BOOT/INSTALL/USR SERVER INFORMATION.
c. Enter START FRAME, START SLOT and NODE COUNT or NODE LIST.
d. Set RESPONSE FROM SERVER TO BOOTP REQUEST to customize.
e. Verify that RUN SETUP SERVER ON THE CW is set to yes.
f. Press Enter to execute setup_server.

11. The final step involves propagating the /etc/krb-srvtab files onto the nodes. This can be done automatically or manually, as described below.
AUTOMATICALLY (requires a reboot of the nodes):
Shut down and reboot the nodes (do not use netboot).
MANUALLY (a reboot of the nodes is not required):
a. On the CW, cd into the /tftpboot directory and verify that there is a <node_name>-new-srvtab file for each node.
b. ftp each node's respective /tftpboot/<node_name>-new-srvtab file from the CW to the node and rename the file to /etc/krb-srvtab.
c. Compare the following files located on the control workstation to those located on the nodes:
· /etc/krb.realms (may be zero length, but must exist)
· /etc/krb.conf
· /.klogin (must be in $HOME for every Kerberos user)
If they differ, ftp the files from the control workstation out to the nodes.
d. Set the nodes back to disk via smit node_data on the control workstation.

Once the nodes are customized with the new /etc/krb-srvtab, you can test the functionality of Kerberos by obtaining a ticket (kinit root.admin) and executing the /usr/lpp/ssp/rcmd/bin/rsh <any_node> date command.
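The manual propagation step asks you to compare the Kerberos files on the control workstation with those on every node. The following script is an added example, not part of the IBM note, that performs that comparison from the CW with cksum over the SP rsh; it assumes /usr/lpp/ssp/rcmd/bin/rsh works for root after kinit root.admin, and the KRB_RSH and CW_ROOT variables are hypothetical knobs that only exist so the check can be dry-run against a local directory tree.

```shell
#!/bin/sh
# Added example (not from the IBM note): after the new srvtab files have been
# propagated, confirm from the control workstation (CW) that each node holds
# the expected Kerberos files. Assumes the SP rsh at /usr/lpp/ssp/rcmd/bin/rsh
# works for root after "kinit root.admin". KRB_RSH and CW_ROOT are
# hypothetical knobs that let the check be dry-run against a local tree.
KRB_RSH="${KRB_RSH:-/usr/lpp/ssp/rcmd/bin/rsh}"
CW_ROOT="${CW_ROOT:-}"
# Files the note says must be identical to the CW copies on every node.
SHARED_FILES="/etc/krb.realms /etc/krb.conf /.klogin"

# sum_of FILE: CRC and size from cksum; empty output if FILE is unreadable.
sum_of() { cksum "$1" 2>/dev/null | awk '{print $1, $2}'; }
# remote_sum NODE FILE: the same two fields, computed on the node.
remote_sum() { $KRB_RSH "$1" cksum "$2" 2>/dev/null | awk '{print $1, $2}'; }

# check_node NODE: prints one line per problem found; returns 1 if any.
check_node() {
  node=$1 rc=0
  # /etc/krb-srvtab is node-specific: it must equal the file setup_server
  # wrote for this node in /tftpboot, not the CW's own srvtab.
  want=$(sum_of "$CW_ROOT/tftpboot/$node-new-srvtab")
  have=$(remote_sum "$node" /etc/krb-srvtab)
  if [ -z "$want" ]; then
    echo "$node: $CW_ROOT/tftpboot/$node-new-srvtab missing on CW"; rc=1
  elif [ "$want" != "$have" ]; then
    echo "$node: /etc/krb-srvtab does not match $node-new-srvtab"; rc=1
  fi
  # An empty krb.realms still has a checksum, so "missing" and "zero length"
  # are told apart, as the note requires.
  for f in $SHARED_FILES; do
    want=$(sum_of "$CW_ROOT$f")
    have=$(remote_sum "$node" "$f")
    if [ -z "$want" ]; then
      echo "$node: $f missing on CW"; rc=1
    elif [ "$want" != "$have" ]; then
      echo "$node: $f differs from CW copy (or is missing)"; rc=1
    fi
  done
  return $rc
}

# check_nodes NODE...: checks every node; exit status is the number of
# nodes with at least one problem (0 means all nodes are consistent).
check_nodes() {
  bad=0
  for n in "$@"; do check_node "$n" || bad=$((bad + 1)); done
  return $bad
}
# Usage from the CW after "kinit root.admin":  check_nodes sp2n01 sp2n02
```

Run it before setting the nodes back to disk; any node it reports needs its files re-sent with ftp as the step describes.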