
3.2.2. Configuration


The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon. If you need to reconfigure Kerberos from scratch, perhaps to change the realm name, you can do so by typing


sudo dpkg-reconfigure krb5-kdc


1. Once the KDC is running, an admin user -- the admin principal -- is needed. Use a username different from your everyday one. At a terminal prompt, start the kadmin.local utility and enter the following:


sudo kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit


In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM signifies the realm. The everyday Principal, a.k.a. the user principal, would be steve@EXAMPLE.COM, and should have only normal user rights.


Replace EXAMPLE.COM and steve with your Realm and admin username.


2. Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the /etc/krb5kdc/kadm5.acl file:


steve/admin@EXAMPLE.COM *


This entry grants steve/admin the ability to perform any operation on all principals in the realm. You can configure principals with more restrictive privileges, which is convenient if you need an admin principal that junior staff can use in Kerberos clients. Please see the kadm5.acl man page for details.

3. Now restart the krb5-admin-server for the new ACL to take effect:


sudo systemctl restart krb5-admin-server.service

4. The new user principal can be tested using the kinit utility:


kinit steve/admin

steve/admin@EXAMPLE.COM's Password:


After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):


klist

Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: steve/admin@EXAMPLE.COM

  Issued           Expires          Principal
Jul 13 17:53:34  Jul 14 03:53:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM


Here the cache filename krb5cc_1000 is composed of the prefix krb5cc_ and the user id (uid), in this case 1000. You may need to add an entry for the KDC to /etc/hosts so that the client can find it. For example:


192.168.0.1 kdc01.example.com kdc01


Replace 192.168.0.1 with the IP address of your KDC. This is usually needed when a Kerberos realm spans different networks separated by routers.

5. The best way to allow clients to automatically determine the KDC for the Realm is to use DNS SRV records. Add the following to /etc/named/db.example.com:



_kerberos._udp.EXAMPLE.COM.       IN SRV 1  0 88  kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM.       IN SRV 1  0 88  kdc01.example.com.
_kerberos._udp.EXAMPLE.COM.       IN SRV 10 0 88  kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM.       IN SRV 10 0 88  kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM.   IN SRV 1  0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM.        IN SRV 1  0 464 kdc01.example.com.


Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC.
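The following script is an added example, not part of the original guide: it generates the SRV record set above from a realm and a list of "priority host" pairs, and checks each zone line for the service/port pairing and a fully qualified target before the zone is loaded. It assumes the standard ports shown in the text (88, 749, 464) and that only the first KDC listed runs kadmin and kpasswd.

```shell
#!/bin/sh
# Added example, not from the original guide: build the Kerberos SRV
# records for a realm and sanity-check zone lines. Assumptions: standard
# ports (88 KDC, 749 kadmin, 464 kpasswd), kadmin/kpasswd served only by
# the first KDC listed, and targets qualified with a trailing dot (without
# it the zone origin would be appended to the hostname).

# srv_line SERVICE PROTO REALM PRIORITY PORT TARGET -> one zone-file line
srv_line() {
    printf '%-32s IN SRV %-3s 0 %-4s %s\n' "$1._$2.$3." "$4" "$5" "$6"
}

# kerberos_srv_records REALM "PRIO HOST" ["PRIO HOST" ...]
kerberos_srv_records() {
    realm=$1; shift
    primary=; primary_prio=
    for kdc in "$@"; do
        prio=${kdc%% *}
        host=${kdc#* }
        case $host in *.) ;; *) host="$host." ;; esac   # fully qualify
        [ -n "$primary" ] || { primary=$host; primary_prio=$prio; }
        srv_line _kerberos udp "$realm" "$prio" 88 "$host"
        srv_line _kerberos tcp "$realm" "$prio" 88 "$host"
    done
    # Admin and password-change services live on the primary KDC only.
    srv_line _kerberos-adm tcp "$realm" "$primary_prio" 749 "$primary"
    srv_line _kpasswd udp "$realm" "$primary_prio" 464 "$primary"
}

# check_srv_line LINE -> 0 if the record is well formed and the port
# matches the service, 1 otherwise (priority and weight are not checked)
check_srv_line() {
    set -- $1                  # owner IN SRV prio weight port target
    [ "$#" -eq 7 ] && [ "$2" = IN ] && [ "$3" = SRV ] || return 1
    case $7 in *.) ;; *) return 1 ;; esac        # target must end in "."
    case $1 in
        _kerberos._udp.*|_kerberos._tcp.*) [ "$6" = 88 ] ;;
        _kerberos-adm._tcp.*)              [ "$6" = 749 ] ;;
        _kpasswd._udp.*|_kpasswd._tcp.*)   [ "$6" = 464 ] ;;
        *) return 1 ;;
    esac
}

# Usage: the records for the realm in the text, each followed by its check.
kerberos_srv_records EXAMPLE.COM "1 kdc01.example.com" "10 kdc02.example.com" |
while IFS= read -r line; do
    if check_srv_line "$line"; then printf 'ok   %s\n' "$line"; else printf 'BAD  %s\n' "$line"; fi
done
```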


See Chapter 8, Domain Name Service (DNS) [p. 166] for detailed instructions on setting up DNS. Your new Kerberos Realm is now ready to authenticate clients.
