< Previous | Contents | Next >
4.2. Primary KDC Configuration
With OpenLDAP configured it is time to configure the KDC.
• First, install the necessary packages, from a terminal enter:
sudo apt install krb5-kdc krb5-admin-server krb5-kdc-ldap
• Now edit /etc/krb5.conf adding the following options to under the appropriate sections:
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com kdc = kdc02.example.com
admin_server = kdc01.example.com admin_server = kdc02.example.com default_domain = example.com database_module = openldap_ldapconf
}
...
[domain_realm]
.example.com = EXAMPLE.COM
...
[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com ldap_conns_per_server = 5
}
Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and
ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your network.
• Next, use the kdb5_ldap_util utility to create the realm:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \ dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com
• Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn
and ldap_kadmin_dn options in /etc/krb5.conf:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f
/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com
• Copy the CA certificate from the LDAP server:
scp ldap01:/etc/ssl/certs/cacert.pem . sudo cp cacert.pem /etc/ssl/certs
And edit /etc/ldap/ldap.conf to use the certificate:
TLS_CACERT /etc/ssl/certs/cacert.pem
The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS.
• Start the Kerberos KDC and admin server:
sudo systemctl start krb5-kdc.service
sudo systemctl start krb5-admin-server.service
You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM": Principal "steve@EXAMPLE.COM" created.
There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.
If the user object is already created the -x dn="..." option is needed to add the Kerberos attributes. Otherwise a new principal object will be created in the realm subtree.