Kerberos Installation Notes

From NBSWiki


Configure Kerberos

Here is an example configuration of app-crypt/mit-krb5. My domain is NEURALBS.COM and the auth server is kyron.neuralbs.com. This seems like quite a good reference; I refer to it from time to time during the procedure as an alternative reference.

Edit /etc/krb5.conf

[libdefaults]
    ticket_lifetime = 600
    default_realm = NEURALBS.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    NEURALBS.COM = {
    kdc = kyron.neuralbs.com:88
    admin_server = kyron.neuralbs.com:749
    default_domain = neuralbs.com
    }

[domain_realm]
    .neuralbs.com = NEURALBS.COM
    neuralbs.com = NEURALBS.COM

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

[pam]
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

[kdcdefaults]
    kdc_ports = 88,750

Edit /etc/kdc.conf

Important: note the change to /var/lib/krb5kdc/ in the kdc.conf file. The Gentoo-provided file and/or templates seem to insist that the files are created in /etc/krb5kdc, while they are not!

[kdcdefaults]
    kdc_ports = 88,750

[realms]
    NEURALBS.COM = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = /var/lib/krb5kdc/kadm5.keytab
    acl_file = /var/lib/krb5kdc/kadm5.acl
    dict_file = /var/lib/krb5kdc/kadm5.dict
    key_stash_file = /var/lib/krb5kdc/.k5.NEURALBS.COM
    kadmind_port = 749
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }

Initialize the Database

mkdir /etc/krb5kdc
kdb5_util create -r NEURALBS.COM -s

Add Administrators

Add the following to your ACL file (note that this ACL file is the one listed in the kdc.conf above!):

*/admin@NEURALBS.COM     *

In the present case, the ACL file is /var/lib/krb5kdc/kadm5.acl. Then add the actual administrator principal:

kyron ~ # kadmin.local
Authenticating as principal root/admin@NEURALBS.COM with password.
kadmin.local:  addprinc admin/admin@NEURALBS.COM
WARNING: no policy specified for admin/admin@NEURALBS.COM; defaulting to no policy
Enter password for principal "admin/admin@NEURALBS.COM":
Re-enter password for principal "admin/admin@NEURALBS.COM":
Principal "admin/admin@NEURALBS.COM" created.

Add Yourself

Now it is time to add yourself to the database. Here is how I (kyron) added myself using kadmin.local:

kadmin.local:  addprinc kyron/admin
WARNING: no policy specified for kyron/admin@NEURALBS.COM; defaulting to no policy
Enter password for principal "kyron/admin@NEURALBS.COM":
Re-enter password for principal "kyron/admin@NEURALBS.COM":
Principal "kyron/admin@NEURALBS.COM" created.
kadmin.local:  quit

Start Kerberos

/etc/init.d/mit-krb5kadmind restart

And add it to the RC list:

rc-update add mit-krb5kadmind default

Test it

Use kinit and klist to test that you are recognized by Kerberos:

kyron@kyron ~ $ kinit kyron/admin
Password for kyron/admin@NEURALBS.COM:
kyron@kyron ~ $ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kyron/admin@NEURALBS.COM

Valid starting     Expires            Service principal
05/21/07 16:52:57  05/21/07 17:02:57  krbtgt/NEURALBS.COM@NEURALBS.COM

Add it to the system auth

In my case, I want it to be integrated into PAM authentication. This is accomplished by adding the krb5 lines to /etc/pam.d/system-auth as below:

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_krb5.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_krb5.so use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5.so
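The order and control flags in that auth stack decide when Kerberos is actually consulted. The following added example (my own, not from this wiki page) walks the stack above with Linux-PAM's rules for required, sufficient and optional; the pam_unix and pam_krb5 outcomes are supplied as booleans, pam_env.so is modelled as always succeeding and pam_deny.so as always failing.

```python
# Constructed sample: the "auth" stack from the /etc/pam.d/system-auth above.
SYSTEM_AUTH = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass
auth       required     pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, options)] for one PAM facility, in file order."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            stack.append((parts[1], parts[2], parts[3:]))
    return stack

def run_stack(stack, results):
    """Walk the stack with Linux-PAM's semantics for the keywords this page uses:
    a 'required' failure is remembered but the walk continues, a 'sufficient'
    success ends the walk at once unless a required module already failed, and
    'optional' never changes the outcome. `results` maps module -> True/False;
    pam_env.so is modelled as always succeeding and pam_deny.so as always failing."""
    failed, consulted = False, []
    for control, module, _options in stack:
        ok = results.get(module, module == "pam_env.so")
        consulted.append(module)
        if control == "required" and not ok:
            failed = True
        elif control == "sufficient" and ok and not failed:
            return True, consulted        # later modules are never run
    return not failed, consulted

def pam_auth(unix_ok, krb5_ok):
    """Outcome and consulted modules for one login attempt against the stack above."""
    return run_stack(parse_stack(SYSTEM_AUTH), {"pam_unix.so": unix_ok, "pam_krb5.so": krb5_ok})
```

With this ordering a valid local password in /etc/shadow authenticates without Kerberos ever being consulted; pam_krb5 is only reached when pam_unix fails, and use_first_pass reuses the password already typed instead of prompting again.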

Adding the necessary principal and keytab so LDAP can connect to Kerberos

As per the above-mentioned link, we create a principal and then a key for LDAP's access to Kerberos:

kyron ~ # kadmin.local
Authenticating as principal root/admin@NEURALBS.COM with password.
kadmin.local:  addprinc -randkey ldap/kyron.neuralbs.com
WARNING: no policy specified for ldap/kyron.neuralbs.com@NEURALBS.COM; defaulting to no policy
Principal "ldap/kyron.neuralbs.com@NEURALBS.COM" created.
kadmin.local:  ktadd -k /etc/openldap/ldap.keytab ldap/kyron.neuralbs.com
Entry for principal ldap/kyron.neuralbs.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/openldap/ldap.keytab.
Entry for principal ldap/kyron.neuralbs.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/openldap/ldap.keytab.
kadmin.local:  quit

.... incomplete...might not really be needed...we'll see
