Adding i5/OS principals to the Kerberos server


After you configure network authentication service on your System i™ platform, add your i5/OS® principals to the Kerberos server.

Network authentication service provides an i5/OS® principal name, krbsvr400, for the system and the i5/OS applications. The principal that represents i5/OS is named krbsvr400/System i host name@REALM NAME, where System i host name is either the fully qualified host name or the short host name of the System i platform, and REALM NAME is the default realm that you specified when you configured network authentication service. This principal must be added to the Kerberos server so that Kerberos client applications can request and receive service tickets for it. Use the same form of the host name (fully qualified or short) that clients will use to reach the system: a service ticket is issued for exactly the principal name the client requests, and the i5/OS keytab must hold that same name for the ticket to be accepted. For example, in the configuration scenarios, the administrator for MyCo added the service principal krbsvr400/systema.myco.com@MYCO.COM to the company's Kerberos server.

The steps for adding the i5/OS principal differ depending on the operating system on which the Kerberos server runs. This topic provides instructions for adding the i5/OS principals to a Kerberos server in i5/OS PASE or in a Windows® 2000 domain. If you optionally created service principals for IBM® Directory Server for iSeries™ (LDAP), iSeries NetServer™, or HTTP Server, add those service principals to the Kerberos server as well, using the passwords that you entered for them during network authentication service configuration.

  1. i5/OS PASE

    If your Kerberos server is located in i5/OS PASE, you can add i5/OS service principals by using the QP2TERM command, which opens an interactive shell environment that allows you to work with i5/OS PASE applications. To add an i5/OS service principal to a Kerberos server in i5/OS PASE, complete these steps:

    1. In a character-based interface, type call QP2TERM.

    2. At the command line, enter export PATH=$PATH:/usr/krb5/sbin. This adds the directory that contains the Kerberos administration programs, such as kadmin, to the search path so that they can be run without typing the full path.

    3. At the command line, type kadmin -p admin/admin. If your Kerberos server uses a different administrative principal, specify that principal after -p instead.

    4. Enter the password of the administrative principal when you are prompted for it.

    5. At the kadmin command line, enter addprinc -pw secret krbsvr400/System i fully qualified host name@REALM, where secret is the password for the i5/OS service principal. This must be the same password that you entered for the principal during network authentication service configuration, because the key in the i5/OS keytab is derived from that password and must match the key held by the Kerberos server. For example, krbsvr400/systema.myco.com@MYCO.COM might be a valid i5/OS service principal name. Repeat the command for any optional service principals (LDAP, NetServer, HTTP Server) that you created.

  2. Microsoft® Windows Active Directory

    To add an i5/OS service principal to a Kerberos server, you have two options: Allow the Network Authentication Service wizard to add the principals or add them manually.

    The Network Authentication Service wizard allows you to optionally create a batch file, called NASConfig.bat. This batch file contains all of the principal names for the services that you selected during configuration. You can also choose to add their associated passwords in this batch file.

    If you include the passwords, anyone with read access to the batch file can view them. IBM recommends that if you include the passwords, you delete the batch file from the Kerberos server and from your PC immediately after use. Note also that the procedure below transfers the file with FTP, which sends the logon credentials and the file contents in cleartext over the network; if the batch file contains passwords, either leave them out or use a transfer method that encrypts the session. If you do not include the passwords in the batch file, you are prompted for each password when the batch file runs on the Windows server.

    Using the batch file generated by the Network Authentication Service wizard

    1. On the Windows 2000 workstation that the administrator used to configure network authentication service, open a command prompt and type ftp server, where server is the host name of the Kerberos server. This starts an FTP session from your PC to the server. You are prompted for the administrator's user name and password.
    2. At the FTP prompt, type lcd "C:\Documents and Settings\All Users\Documents\IBM\Client Access". Press Enter.

      This is an example of a directory that might contain the batch file. You should receive the message Local directory now C:\Documents and Settings\All Users\Documents\IBM\Client Access.

    3. At the FTP prompt, type binary. This indicates that the file to be transferred is binary.
    4. At the FTP prompt, type cd \mydirectory, where mydirectory is a directory on the Windows server where you want to place the batch file.
    5. At the FTP prompt, type put NASConfig.bat. You should receive this message: 226 Transfer complete.
    6. On your Windows 2000 server, open the directory where you transferred the batch file.
    7. Find the NASConfig.bat file and double-click the file to run it.
    8. After the file runs, verify that the i5/OS principal name has been added to the Microsoft Windows Active Directory by completing the following steps:

      1. On your Windows 2000 server, expand Start > Programs > Administrative Tools > Active Directory Users and Computers > Users.

      2. Select the appropriate Windows 2000 domain and verify that a user account exists for the System i platform.

        This Windows domain should be the same as the default realm name that you specified during network authentication service configuration.

      3. In the list of users that displays, find the name that corresponds with the service principal that you just added.

      4. Access the properties of the Active Directory user. On the Account tab, select Account is trusted for delegation.

        This optional step enables your system to delegate, or forward, a user's credentials to other systems. As a result, the i5/OS service principal can access services on multiple systems on behalf of the user, which is useful in a multi-tier network. Enable it only if the System i platform actually needs to act on behalf of users: with this setting, the account can use the forwarded credentials of any user who authenticates to it against any service in the domain, so a compromise of the System i platform also exposes those users' credentials.

    Manually adding the service principal to Microsoft Windows Active Directory

    You can also add i5/OS principals to the Microsoft Windows Active Directory manually by using the ktpass command. This command is shipped with the Windows Support Tools, which must be installed on the system that is being used as the Kerberos server.

    1. On your Windows 2000 server, expand Start > Programs > Administrative Tools > Active Directory Users and Computers.
    2. Select the Windows 2000 domain to which you want to add the i5/OS user account and expand Action > New > User.

      This Windows 2000 domain should be the same as the default realm name that you specified for network authentication service configuration.

    3. In the Name field, enter a name that identifies the System i platform to this Windows 2000 domain. This adds a new user account for the System i platform. For example, you might enter the name krbsvr400systema or httpsystema as a valid user account name.
    4. Optionally, access the properties of the Active Directory user that you created in step 3 and, on the Account tab, select Account is trusted for delegation. This allows the i5/OS service principal to access other services on behalf of a signed-in user; as in the previous procedure, enable it only if the System i platform needs to forward user credentials.
    5. Map the user account that you just created to the i5/OS service principal by using the ktpass command. The ktpass tool is part of the Windows Support Tools on the Windows 2000 Server installation CD. To map the user account, complete the following step:

      1. At a command prompt, enter the following on one line:
        ktpass -mapuser krbsvr400systema -pass secret -princ krbsvr400/system-domain-name@REALM -mapop set

        In the command, krbsvr400systema is the user account name that was created in step 3, system-domain-name is the fully qualified host name of the System i platform (for example, krbsvr400/systema.myco.com@MYCO.COM), and secret is the password that you entered during network authentication service configuration for the i5/OS principal. ktpass also sets this password on the user account, so the value must match exactly, and -mapop set replaces any principal mapping the account already had. Repeat the command for each optional service principal, using the account you created for it. Afterwards, verify the account in Active Directory Users and Computers as described in step 8 of the batch file procedure.


Parent topic:

Configuring network authentication service