OnWorks Linux and Windows Online WorkStations


4.2. Primary KDC Configuration


With OpenLDAP configured it is time to configure the KDC.

• First, install the necessary packages. From a terminal, enter:


sudo apt install krb5-kdc krb5-admin-server krb5-kdc-ldap

• Now edit /etc/krb5.conf, adding the following options under the appropriate sections:


[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }


Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your network.

• Next, use the kdb5_ldap_util utility to create the realm:


sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
        dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

• Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmind_dn options in /etc/krb5.conf:


sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \
        /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

• Copy the CA certificate from the LDAP server:


scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs


And edit /etc/ldap/ldap.conf to use the certificate:


TLS_CACERT /etc/ssl/certs/cacert.pem


The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS.
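Before starting the daemons it is worth confirming that the pieces configured so far fit together: every ldap_servers entry uses ldaps://, the database_module named under [realms] has a matching [dbmodules] block, the stashed bind password in service.keyfile is readable by root only, and ldap.conf points at a CA certificate that actually exists. The script below is an added example, not part of the guide or of the krb5 packages; it assumes the file locations used above and reads them with plain sed/grep rather than the Kerberos profile library, so it only understands the "key = value" layout shown in this section.

```shell
#!/bin/sh
# Pre-flight checks for an LDAP-backed KDC (added example, not from the guide).
# Paths default to the ones the guide uses; pass other paths to check copies.

# Print the value of KEY (first match) from a krb5.conf-style file, unquoted.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# 0 if every URI in ldap_servers uses ldaps://. The KDC and kadmind bind with
# the password stashed in service.keyfile, so a plain ldap:// entry would send
# that password, and every principal key fetched afterwards, in clear text.
ldap_servers_all_tls() {
    servers=$(conf_value "$1" ldap_servers)
    [ -n "$servers" ] || return 1
    for uri in $servers; do
        case $uri in
            ldaps://*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 0 if the database_module named under [realms] has a block under [dbmodules].
database_module_defined() {
    mod=$(conf_value "$1" database_module)
    [ -n "$mod" ] || return 1
    grep -Eq "^[[:space:]]*$mod[[:space:]]*=[[:space:]]*[{]" "$1"
}

# 0 if FILE exists with mode -rw------- (owner only). service.keyfile holds the
# LDAP bind password; any wider mode lets other local users read it and, with
# it, the principal keys stored in the directory.
keyfile_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# 0 if ldap.conf names a readable TLS_CACERT; without it the ldaps://
# connections cannot verify the LDAP server certificate.
tls_cacert_present() {
    ca=$(sed -n 's/^[[:space:]]*TLS_CACERT[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$ca" ] && [ -r "$ca" ]
}

# Run every check, printing one line each; returns non-zero if any failed.
check_kdc_ldap() {
    conf=${1:-/etc/krb5.conf}
    keyfile=${2:-$(conf_value "$conf" ldap_service_password_file)}
    ldapconf=${3:-/etc/ldap/ldap.conf}
    rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report ldap_servers_all_tls "$conf"
    report database_module_defined "$conf"
    report keyfile_private "$keyfile"
    report tls_cacert_present "$ldapconf"
    return $rc
}

# Run directly as: sh check_kdc_ldap.sh [krb5.conf] [service.keyfile] [ldap.conf]
if [ "${0##*/}" = check_kdc_ldap.sh ]; then check_kdc_ldap "$@"; fi
```

Run it as root on the KDC (the stash file is not readable otherwise), or source it and call the individual functions against copies of the files. A FAIL on keyfile_private is fixed with chmod 600 /etc/krb5kdc/service.keyfile; a FAIL on ldap_servers_all_tls means the KDC would bind over plain LDAP, which defeats the point of copying the CA certificate.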

• Start the Kerberos KDC and admin server:


sudo systemctl start krb5-kdc.service



sudo systemctl start krb5-admin-server.service


You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:


sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:  addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.


There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.


If the user object is already created the -x dn="..." option is needed to add the Kerberos attributes. Otherwise a new principal object will be created in the realm subtree.
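Besides kinit and klist, the directory side of the result can be checked directly: the user entry should now carry the four attributes listed above, and its krbPrincipalName should match the principal that was created. The functions below are an added example, not part of the guide; they take an LDIF file, for instance the saved output of an ldapsearch such as "ldapsearch -x -H ldaps://ldap01.example.com -D cn=admin,dc=example,dc=com -W -b uid=steve,ou=people,dc=example,dc=com > steve.ldif" (the bind DN and output file name are assumptions), and the LDIF used to exercise them is constructed.

```shell
#!/bin/sh
# Verify that "addprinc -x dn=..." attached the Kerberos attributes to an
# existing user entry (added example, not from the guide). Input is an LDIF
# file, e.g. saved ldapsearch output for the user's DN.

# Attributes the guide says appear on the user object after addprinc.
KRB_ATTRS="krbPrincipalName krbPrincipalKey krbLastPwdChange krbExtraData"

# Print each expected attribute the LDIF entry lacks. Binary values are
# written as "attr:: base64" in LDIF, hence the optional second colon.
missing_krb_attrs() {
    for attr in $KRB_ATTRS; do
        grep -Eiq "^$attr::? " "$1" || echo "$attr"
    done
}

# Print the entry's krbPrincipalName, or nothing if it is absent.
principal_name() {
    grep -i '^krbPrincipalName: ' "$1" | head -n 1 | cut -d' ' -f2
}

# 0 if every attribute is present and the principal equals EXPECTED
# (e.g. steve@EXAMPLE.COM), 1 otherwise.
principal_ok() {
    [ -z "$(missing_krb_attrs "$1")" ] && [ "$(principal_name "$1")" = "$2" ]
}

# Run directly as: sh check_principal.sh steve.ldif steve@EXAMPLE.COM
if [ "${0##*/}" = check_principal.sh ]; then
    missing=$(missing_krb_attrs "$1")
    [ -z "$missing" ] || echo "missing attributes: $missing"
    principal_ok "$1" "$2" && echo "ok: $2 present on $(head -n 1 "$1")"
fi
```

krbPrincipalKey is the principal's key material, so the directory ACL should let only the KDC and kadmind DNs read it; if that attribute shows up in an unauthenticated search (ldapsearch -x without -D), the ACL is too permissive and should be tightened before going further.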

