Administration

Principals

WARNING: Do not remove, modify, or change the key type for this principal. Do NOT generate a new key for this principal.

default@REALM

The default@REALM principal name contains the default group principal attributes for REALM. This principal is required in each realm. This principal, called the default group, is automatically created when a realm is added to the database.

The attributes and properties of this principal act as a template for adding principals to a realm in a Security Server’s principal database.

This principal uses a random key. However, you should not extract this key to a service key table file. This principal is locked by default, eliminating the security risk of an attacker attempting to authenticate using this principal account.

WARNING: Do NOT remove this principal entry. Do not unlock this principal account.

krbtgt/REALM@REALM

The krbtgt/REALM@REALM principal’s secret key is used to encrypt and decrypt TGTs (ticket-granting tickets) issued by the security server for principals in the realm REALM.

WARNING: Do NOT remove or modify this principal entry, except when adding a 3DES key if you need to add support for this encryption type.

To configure inter-realm authentication, you must create distinct reserved principals with the prefix name krbtgt/ for each realm.

If you change any attribute or the password of the krbtgt/REALM@REALM principal for the default realm (that is, the realm that contains the K/M@REALM principal), you must close all administrative programs, including kadmin, kadminl_ui and kdcd, and then restart all administrative services and daemons for that realm for the changes to take effect.
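
The following Python check is an added example, not part of the original guide or of the product; it applies the rules above for default@REALM and krbtgt/ principals to an exported principal list. The `principal|locked` inventory format, the realm names and the keytab list are constructed assumptions, and the reverse-direction check relies on the standard Kerberos krbtgt/TARGET@SOURCE naming for inter-realm principals.

```python
# Added example. The "principal|locked" inventory format is hypothetical,
# and every value below is constructed for illustration.
INVENTORY = """\
default@EXAMPLE.COM|yes
krbtgt/EXAMPLE.COM@EXAMPLE.COM|no
krbtgt/LAB.EXAMPLE@EXAMPLE.COM|no
alice@EXAMPLE.COM|no
default@LAB.EXAMPLE|no
host/db1@LAB.EXAMPLE|no
"""
KEYTAB_PRINCIPALS = ["host/db1@LAB.EXAMPLE", "default@LAB.EXAMPLE"]  # constructed


def parse(text):
    """Return {principal: locked} from 'principal|locked' lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            name, locked = line.strip().split("|")
            entries[name] = locked == "yes"
    return entries


def audit(entries, keytab_principals):
    """Return sorted findings for the reserved-principal rules described above."""
    findings = []
    realms = {name.rsplit("@", 1)[1] for name in entries}
    for realm in realms:
        default, tgs = f"default@{realm}", f"krbtgt/{realm}@{realm}"
        if default not in entries:
            findings.append(f"{default}: missing")
        elif not entries[default]:
            findings.append(f"{default}: unlocked")
        if default in keytab_principals:
            findings.append(f"{default}: key extracted to keytab")
        if tgs not in entries:
            findings.append(f"{tgs}: missing")
    # Inter-realm principals are named krbtgt/TARGET@SOURCE with TARGET != SOURCE.
    for name in entries:
        primary, realm = name.rsplit("@", 1)
        if primary.startswith("krbtgt/") and primary[7:] != realm:
            reverse = f"krbtgt/{realm}@{primary[7:]}"
            if reverse not in entries:
                findings.append(f"{name}: note, no reverse {reverse} (one-way)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse(INVENTORY), KEYTAB_PRINCIPALS):
        print(finding)
```
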

Chapter 6
