IBM RELEASE 7.3 3.3.2.3.1. Keytabs for Kerber os Authentication: hpss _krb5_keytab, 3.3.2.3.2. Keytabs for UNIX Authentication: hpss_uni x

Keytabs are created for the user by the hpssuser utility when the krb5keytab or unixkeytab

authentication type is specified. Keytabs may also be created manually with the hpss_krb5_keytab or

hpss_unix_keytab utility, as described below.

3.3.2.3.1. Keytabs for Kerber os Authentication: hpss _krb5_keytab

The hpss_krb5_keytab utility may be used to generate a keytab with Kerberos authentication in the

form usable by the hpssadm program. See the hpss_krb5_keytab man page for details.

The Kerberos keytab is interpreted by the KDC of the Kerberos realm specified by the hpssadm utility

(see the -k and -u options on the hpssadm man page). This must be the same Kerberos realm as that

used by the System Manager. This means the hpss_krb5_keytab utility must be executed on a host in

the same realm as the System Manager.

This example for a user named “joe” on host "pegasus" creates a Kerberos keytab fi le named

“keytab.joe.pegasus”:

% /opt/hpss/bin/hpss_krb5_keytab

HPSS_ROOT is not set; using /opt/hpss

KRB5_INSTALL_PATH is not set; using /krb5

password:

Your keytab is stored at /tmp/keytab.joe.pegasus

Note that under AIX, hpss_krb5_keytab will not write to an NFS-mounted filesystem. That's why the

utility insists on writing the keytab file in /tmp. Once the keytab is generated, it can be copied and used

elsewhere, but care should be taken to keep it secure.

3.3.2.3.2. Keytabs for UNIX Authentication: hpss_uni x_keytab

The hpss_unix_keytab utility may be used to generate a keytab with UNIX authentication in the form

usable by the hpssadm program. See the hpss_unix_keytab man page for details.

The UNIX keytab is interpreted on the host on which the System Manager runs, not the host on which the

hpssadm client utility runs. The encrypted password in the keytab must match the encrypted passwor d

in the password file on the System Manager host. Therefore, the hpss_unix_keytab utilit y must be

executed on the host on which the System Manager runs.

The hpss_unix_keytab utility must be able to read the user's encrypted password from the password fil e.

If system password files are being used, this means the utility must be executed as root.

This example for a user named “joe” creates a UNIX keytab file named “joe.keytab.unix”:

% /opt/hpss/bin/hpss_unix_keytab -f joe.keytab.unix add joe

This command copies the encrypted password from the password file into the keytab.

Do not use the -r option of the hpss_unix_keytab utility; this places a random password into the keytab

file. Do not use the -p option to specify the password; this encrypts the password specifi ed on the

command line using a different salt than what was used in the password file, so that the result will not

match.

HPSS Management Guide November 2009

Release 7.3 (Revision 1.0) 38