2/26/2010

Kerberos Quick Setup

I used notes that I had from writing a course on Directory Services and Authentication to do this quick Kerberos setup. For a better install guide you may want to reference http://web.mit.edu/kerberos/www/krb5-1.7/krb5-1.7.1/doc/krb5-install.html.

Kerberos Packages from Fedora
Having gotten my LDAP working to provide user information, I wanted to go further to have Kerberos provide authentication. Here's the list of the packages I installed to get going:

krb5-server-1.7.1-2.fc12.i686
krb5-workstation-1.7.1-2.fc12.i686
pam_krb5-2.3.7-2.fc12.i686

The package krb5-libs was already on my system, and it is a dependency of the other three. The pam_krb5 package wasn't a dependency, but without it, PAM-based authentication through Kerberos was not available.

Configuring the Kerberos Library (Client and Server)
First, for either a client or a server, the krb5-libs need to be configured for the realm, which is sort of like a domain. Since I'm in the domain called fedora.test, here was my configuration in /etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FEDORA.TEST
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[realms]
FEDORA.TEST = {
kdc = krb5.fedora.test:88
admin_server = krb5.fedora.test:749
}

[domain_realm]
.fedora.test = FEDORA.TEST
fedora.test = FEDORA.TEST

I made only a few changes to this file. Under the [realms] section, I changed the realm name from EXAMPLE.COM to FEDORA.TEST. Also, I changed the hostnames for the kdc and admin_server entries to the CNAME hostname of the machine that will be running the Kerberos service.

Beneath the [domain_realm] section, I changed all the example.com and EXAMPLE.COM entries to fedora.test and FEDORA.TEST. Don't forget to configure this file for all clients and servers that will be a part of your realm.

Configuring Access (Server)
If you want different users or principals to have different levels of access, then /var/kerberos/krb5kdc/kadm5.acl can be used to do that. By default, it permits all admin users to have full access. The only change needed is to make sure that the realm name configured in the previous file, /etc/krb5.conf, is also configured in this file. So here's what I have in /var/kerberos/krb5kdc/kadm5.acl:

*/admin@FEDORA.TEST *

Configuring the KDC (Server)

In configuring the /var/kerberos/krb5kdc/kdc.conf file, again you need to make sure that it agrees with the realm name and ports listed in the /etc/krb5.conf. If you are satisfied with the other settings, like the encryption to be used, this usually means a simple search and replace of the realm names (one more time!):

[kdcdefaults]
v4_mode = nopreauth
kdc_ports = 88,750
kdc_tcp_ports = 88

[realms]
FEDORA.TEST = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
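The realm name has to be repeated consistently across /etc/krb5.conf, kadm5.acl and kdc.conf, and the kdc.conf above still lists single-DES enctypes (which is why the ktadd output further down reports a "DES cbc mode with RSA-MD5" key). The following checker is an added example, not from the post or from MIT Kerberos: it parses the profile format (including the nested "NAME = { ... }" realm blocks), confirms the three files name the same realm and KDC port, and flags deprecated enctypes. The sample files are constructed copies of the settings shown above.

```python
# Constructed sample files that mirror the post's settings (embedded, not read from disk).
KRB5_CONF = ("[libdefaults]\ndefault_realm = FEDORA.TEST\n"
             "[realms]\nFEDORA.TEST = {\nkdc = krb5.fedora.test:88\n}\n")
KDC_CONF = ("[kdcdefaults]\nkdc_ports = 88,750\n[realms]\nFEDORA.TEST = {\n"
            "supported_enctypes = aes256-cts:normal aes128-cts:normal des-cbc-md5:normal\n}\n")
KADM5_ACL = "*/admin@FEDORA.TEST *\n"
# Single DES, triple DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429).
LEGACY_PREFIXES = ("des-", "des3-", "arcfour-")

def parse_profile(text):
    """Parse the krb5.conf/kdc.conf profile format into {section: {key: value}};
    a 'NAME = { ... }' block becomes a nested dict under NAME. Comments start with #."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_realm_consistency(krb5_text, kdc_text, acl_text):
    """Return a list of findings; an empty list means the three files agree."""
    krb5, kdc = parse_profile(krb5_text), parse_profile(kdc_text)
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    realm_cfg = krb5.get("realms", {}).get(realm, {})
    kdc_cfg = kdc.get("realms", {}).get(realm, {})
    findings = [f"{name}: no [realms] entry for {realm}"
                for name, cfg in (("krb5.conf", realm_cfg), ("kdc.conf", kdc_cfg)) if not cfg]
    if f"@{realm} " not in acl_text:          # kadm5.acl must name the same realm
        findings.append(f"kadm5.acl: no entry for @{realm}")
    port = realm_cfg.get("kdc", "x:88").rpartition(":")[2]   # krb5.conf 'kdc = host:port'
    if port not in kdc.get("kdcdefaults", {}).get("kdc_ports", "").split(","):
        findings.append(f"kdc.conf: kdc_ports does not include port {port} from krb5.conf")
    legacy = [e for e in kdc_cfg.get("supported_enctypes", "").split()
              if e.startswith(LEGACY_PREFIXES)]
    if legacy:
        findings.append("kdc.conf: legacy enctypes still offered: " + " ".join(legacy))
    return findings

if __name__ == "__main__":
    print("\n".join(check_realm_consistency(KRB5_CONF, KDC_CONF, KADM5_ACL) or ["OK"]))
```

Run against the real files by reading them with open() in place of the constructed strings; on the post's configuration the only finding is the DES enctype.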

Creating the Principal Database (Server)
If all the files are properly configured, then on the server create the database to store the principal accounts:

kdb5_util create -s


Configure root/admin Principal
The first principal that you should create will be one that you will be able to authenticate as in order to do administration of the Kerberos server. Use this command to do that:

kadmin.local -q "addprinc root/admin"


Configure Startup and Start Services
Kerberos runs as two separate services that need to be configured to start up at boot time, and you probably want to start them immediately to use them without rebooting:

# chkconfig krb5kdc on
# chkconfig kadmin on
# service krb5kdc start
# service kadmin start


Using either kadmin or kadmin.local you can then add principals for the user and service accounts that will authenticate. Service principals are added just like users, except that the ktadd command is then used to write their secret keys to a keytab file (/etc/krb5.keytab). That file then needs to be copied to the host running the Kerberized service and referenced in its configuration:
kadmin.local: addprinc ldap/earth.fedora.test
WARNING: no policy specified for ldap/earth.fedora.test@FEDORA.TEST; defaulting to no policy
Enter password for principal "ldap/earth.fedora.test@FEDORA.TEST":
Re-enter password for principal "ldap/earth.fedora.test@FEDORA.TEST":
add_principal: Principal or policy already exists while creating "ldap/earth.fedora.test@FEDORA.TEST".
kadmin.local: ktadd ldap/earth.fedora.test
...
Entry for principal ldap/earth.fedora.test with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.


About Me - WrightRocket


I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.