3.2.2. Configuration
The questions asked during installation are used to configure the /etc/krb5.conf file, which both the KDC and the Kerberos client libraries read. If you need to adjust the Key Distribution Center (KDC) settings, edit that file (settings specific to the KDC daemon, such as the realm database and log locations, live in /etc/krb5kdc/kdc.conf) and restart the krb5-kdc daemon. If you need to reconfigure Kerberos from scratch, perhaps to change the realm name, you can do so by typing
sudo dpkg-reconfigure krb5-kdc
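As an added illustration (not from the original guide), this is the shape of the /etc/krb5.conf that the installer's answers produce, with the realm, KDC and admin-server names used in this section; the second KDC, kdc02, is assumed to exist as in step 5 below. With dns_lookup_kdc enabled, clients first look for the SRV records from step 5 and fall back to the kdc lines listed here.

```ini
# Added example: a minimal /etc/krb5.conf for the EXAMPLE.COM realm.
# Hostnames and realm are the ones used in this section (kdc02 is assumed).
[libdefaults]
    default_realm = EXAMPLE.COM
    # Locate KDCs via _kerberos._udp/_tcp SRV records; the [realms]
    # entries below are used if the DNS lookup yields nothing.
    dns_lookup_kdc = true
    # Do not derive the realm from DNS TXT records; use [domain_realm].
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc01.example.com
        kdc = kdc02.example.com
        admin_server = kdc01.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Only the primary KDC runs kadmind, so admin_server points at kdc01 alone, while both KDCs can issue tickets.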
1. Once the KDC is properly running, an admin user -- the admin principal -- is needed. It is recommended to use a different username from your everyday username. Using the kadmin.local utility in a terminal prompt enter:
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit
In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM signifies the realm. The everyday Principal, a.k.a. the user principal, would be steve@EXAMPLE.COM, and should have only normal user rights; keeping the two separate means a compromise of the day-to-day principal does not grant administrative access to the realm database.
Replace EXAMPLE.COM and steve with your Realm and admin username.
2. Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the /etc/krb5kdc/kadm5.acl file:
steve/admin@EXAMPLE.COM *
This entry grants steve/admin the ability to perform any operation on all principals in the realm (the permission "*" is shorthand for all privileges). You can configure principals with more restrictive privileges, for example an admin principal for junior staff that may only change passwords or inquire about user principals, by listing specific permission letters and an optional target principal pattern. Please see the kadm5.acl man page for details.
3. Now restart the krb5-admin-server for the new ACL to take effect:
sudo systemctl restart krb5-admin-server.service
4. The new admin principal can be tested using the kinit utility:
kinit steve/admin
steve/admin@EXAMPLE.COM's Password:
After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):
klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: steve/admin@EXAMPLE.COM

  Issued           Expires          Principal
Jul 13 17:53:34  Jul 14 03:53:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Where the cache filename krb5cc_1000 is composed of the prefix krb5cc_ and the user id (uid), which in this case is 1000. If kinit fails because the client cannot resolve the KDC's hostname, you may need to add an entry for the KDC to /etc/hosts. For example:
192.168.0.1 kdc01.example.com kdc01
Replace 192.168.0.1 with the IP address of your KDC. This is typically needed when the KDC's name is not resolvable through DNS from the client, for example in a Kerberos realm encompassing different networks separated by routers.
5. The best way to allow clients to automatically determine the KDC for the Realm is using DNS SRV records. Add the following to the zone file for example.com (on Ubuntu's bind9 this is /etc/bind/db.example.com):
_kerberos._udp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._udp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1  0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM.      IN SRV 1  0 464 kdc01.example.com.
Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC. The lower priority value (1) is preferred, so clients try kdc01 first and fall back to kdc02; only the primary KDC is listed for the kadmin (port 749) and password-change (port 464) services, since only it runs kadmind.
See Chapter 8, Domain Name Service (DNS) [p. 166] for detailed instructions on setting up DNS. Your new Kerberos Realm is now ready to authenticate clients.
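The five steps above, collected into one script as an added example (this is not part of the Ubuntu Server Guide). It uses the realm, principal and KDC names from this section; the function names, the restricted helpdesk/admin ACL entry and the sample ACL text are this example's own assumptions. The two helpers, acl_perms and srv_records, need no running KDC: the first shows which permission string a kadm5.acl would grant a given principal, the second generates the step 5 SRV records for any number of KDCs.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: steps 1-5 as a
# non-interactive script plus two offline helpers. REALM, ADMIN and the
# KDC names come from the text; everything else here is assumed.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
ADMIN="${ADMIN:-steve/admin}"

# Step 1: create the admin principal with a single kadmin.local query.
# The password is still prompted for; passing it with -pw would leave it
# in the shell history.
create_admin_principal() {
    sudo kadmin.local -q "addprinc ${ADMIN}@${REALM}"
}

# Steps 2 and 3: write kadm5.acl and restart kadmind. Besides the full
# access entry for steve/admin, an assumed helpdesk/admin entry may only
# add (a), change passwords (c) and inquire (i), and only on one-component
# user principals: the target pattern *@REALM does not match */admin.
write_kadm5_acl() {
    sudo tee /etc/krb5kdc/kadm5.acl >/dev/null <<EOF
${ADMIN}@${REALM} *
helpdesk/admin@${REALM} aci *@${REALM}
EOF
    sudo systemctl restart krb5-admin-server.service
}

# Step 4: obtain a TGT as the admin principal and show the credential cache.
test_admin_login() {
    kinit "${ADMIN}@${REALM}"
    klist
}

# Offline helper for step 2: print the permission string that kadm5.acl
# text on stdin grants to PRINCIPAL. As in kadmind, the first matching line
# wins and '#' starts a comment. The '*' wildcard is approximated with the
# shell's case glob, which is looser than kadmind's per-component match
# but enough to sanity-check an ACL before deploying it. Prints "none"
# and returns 1 when no entry matches.
acl_perms() {
    principal="$1"
    while read -r pattern perms _target; do
        case "$pattern" in ''|'#'*) continue ;; esac
        case "$principal" in
            $pattern) printf '%s\n' "$perms"; return 0 ;;
        esac
    done
    printf 'none\n'
    return 1
}

# Offline helper for step 5: emit the SRV records for REALM from an ordered
# list of KDC hostnames. The first KDC gets priority 1 and also serves
# kadmin (749) and kpasswd (464); later KDCs get priorities 10, 20, ...
srv_records() {
    realm="$1"; shift
    n=0
    for kdc in "$@"; do
        if [ "$n" -eq 0 ]; then prio=1; else prio=$((n * 10)); fi
        printf '_kerberos._udp.%s. IN SRV %d 0 88 %s.\n' "$realm" "$prio" "$kdc"
        printf '_kerberos._tcp.%s. IN SRV %d 0 88 %s.\n' "$realm" "$prio" "$kdc"
        n=$((n + 1))
    done
    printf '_kerberos-adm._tcp.%s. IN SRV 1 0 749 %s.\n' "$realm" "$1"
    printf '_kpasswd._udp.%s. IN SRV 1 0 464 %s.\n' "$realm" "$1"
}

# Constructed kadm5.acl text used to exercise acl_perms offline.
SAMPLE_ACL='# kadm5.acl (constructed sample)
steve/admin@EXAMPLE.COM *
helpdesk/admin@EXAMPLE.COM aci *@EXAMPLE.COM
*/admin@EXAMPLE.COM ail'

# Run with --offline to exercise only the helpers; without it, nothing
# touches the system (call the step functions explicitly on the KDC).
if [ "${1:-}" = "--offline" ]; then
    printf '%s\n' "$SAMPLE_ACL" | acl_perms steve/admin@EXAMPLE.COM
    printf '%s\n' "$SAMPLE_ACL" | acl_perms bob@EXAMPLE.COM || true
    srv_records "$REALM" kdc01.example.com kdc02.example.com
fi
```

On the KDC itself the sequence is create_admin_principal, write_kadm5_acl, then test_admin_login from a client; run the script with --offline anywhere to check the ACL matching and the generated records before touching the zone file.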