How to Install and Configure Kerberos in CentOS/RHEL 7

Configuration of Kerberos V5

1. Install the krb5-libs, krb5-server, and krb5-workstation packages.

2. Edit /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf to reflect your realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with your domain name (keeping the same case) and by changing kerberos.example.com to the fully qualified hostname of the server.

For example:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = UK.ORACLE.COM

[realms]
 UK.ORACLE.COM = {
  kdc = ukp9174.uk.oracle.com:88
  admin_server = ukp9174.uk.oracle.com:749
  default_domain = uk.oracle.com
 }

[domain_realm]
 .uk.oracle.com = UK.ORACLE.COM
 uk.oracle.com = UK.ORACLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false

# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

[realms]
 UK.ORACLE.COM = {
  master_key_type = des-cbc-crc
  database_name = /var/kerberos/krb5kdc/principal
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
  kadmind_port = 749
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/dict/words
 }

3. Edit /var/kerberos/krb5kdc/kadm5.acl to determine which principals have administrative access to the Kerberos database:

# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@UK.ORACLE.COM *

4. Create the kerberos database using the kdb5_util command:

# kdb5_util create -s

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'UK.ORACLE.COM',
 master key name 'K/M@UK.ORACLE.COM'
 You will be prompted for the database Master Password.
 It is important that you NOT FORGET this password.
 Enter KDC database master key: admin
 Re-enter KDC database master key to verify: admin

5. Start the Kerberos services:

# service krb5kdc start
  Starting Kerberos 5 KDC:                                   [  OK  ]
# service kadmin start
  Extracting kadm5 Service Keys
  Authenticating as principal root/admin@UK.ORACLE.COM with password.
  Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
  Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode raw added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
  Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
  Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode raw added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
                                                             [  OK  ]
  Starting Kerberos 5 Admin Server                           [  OK  ]
# service krb524 start
  Starting Kerberos 5-to-4 Server:                           [  OK  ]

6. Add Kerberos principals:

# kadmin.local
  Authenticating as principal root/admin@UK.ORACLE.COM with password.
kadmin.local:  addprinc host/ukp9174.uk.oracle.com
  WARNING: no policy specified for host/ukp9174.uk.oracle.com@UK.ORACLE.COM; defaulting to no policy
  Enter password for principal "host/ukp9174.uk.oracle.com@UK.ORACLE.COM": admin
  Re-enter password for principal "host/ukp9174.uk.oracle.com@UK.ORACLE.COM": admin
  Principal "host/ukp9174.uk.oracle.com@UK.ORACLE.COM" created.

Note: host is the literal word "host", not the hostname of the server, and ukp9174.uk.oracle.com is the fully qualified hostname of the server.

kadmin.local:  addprinc root
  WARNING: no policy specified for root@UK.ORACLE.COM; defaulting to no policy
  Enter password for principal "root@UK.ORACLE.COM": admin
  Re-enter password for principal "root@UK.ORACLE.COM": admin
  Principal "root@UK.ORACLE.COM" created.

7. Add the host to the keytab:

kadmin.local:  ktadd -k /etc/krb5.keytab host/ukp9174.uk.oracle.com
  Entry for principal host/ukp9174.uk.oracle.com with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
  Entry for principal host/ukp9174.uk.oracle.com with kvno 2, encryption type Triple DES cbc mode raw added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  exit

8. Test that you can get a ticket:

# kinit 
Password for root@UK.ORACLE.COM: admin

9. Prove you have a ticket:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@UK.ORACLE.COM

Valid starting     Expires            Service principal
01/02/01 11:14:15  01/02/01 21:14:15  krbtgt/UK.ORACLE.COM@UK.ORACLE.COM

Kerberos 4 ticket cache: /tmp/tkt0

Once this is working you have it set up properly.
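As an added check (example code written for this page, not part of the original how-to), the following Python parses kdc.conf-style profiles and flags the enctypes and ACL choices made in steps 2 and 3 above. The embedded file contents are constructed copies of that configuration; the weak list follows MIT krb5's allow_weak_crypto set and the deprecated list the 3DES/RC4 deprecation in later MIT releases.

```python
# Constructed copies of the kdc.conf realm block and kadm5.acl used in the walkthrough above.
KDC_CONF = """\
[realms]
 UK.ORACLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
"""
KADM5_ACL = "*/admin@UK.ORACLE.COM *\n"

# Enctypes MIT krb5 refuses unless allow_weak_crypto = true, and ones deprecated in newer releases.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3-cbc-raw", "des-hmac-sha1", "arcfour-hmac-exp"}
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac"}

def parse_profile(text):
    """Flatten a krb5 profile (sections plus nested { } blocks) into {"section/sub/key": value}."""
    settings, section, stack = {}, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1], []          # new top-level section
        elif line == "}":
            stack.pop()                              # close nested block
        elif "=" in line and line[0] not in "#;":    # skip blanks and comments
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(key)                    # open nested block (e.g. a realm)
            else:
                settings["/".join([section, *stack, key])] = value
    return settings

def audit_kdc_conf(text, realm):
    """Report weak or deprecated enctypes configured for the realm (entries are enctype:salttype)."""
    cfg, findings = parse_profile(text), []
    master = cfg.get(f"realms/{realm}/master_key_type")
    if master in WEAK:
        findings.append(f"master_key_type {master} is a weak enctype")
    enctypes = {item.split(":")[0] for item in cfg.get(f"realms/{realm}/supported_enctypes", "").split()}
    for enctype in sorted(enctypes):
        if enctype in WEAK:
            findings.append(f"supported_enctypes lists weak enctype {enctype}")
        elif enctype in DEPRECATED:
            findings.append(f"supported_enctypes lists deprecated enctype {enctype}")
    return findings

def audit_kadm5_acl(text):
    """Flag ACL lines that grant every principal matching a wildcard the full (*) permission set."""
    return [f"{fields[0]} gets all kadmin permissions; prefer named principals"
            for fields in (line.split() for line in text.splitlines())
            if len(fields) >= 2 and "*" in fields[0] and fields[1] == "*"]
```

On CentOS/RHEL 7 the shipped krb5 disables the DES enctypes above unless allow_weak_crypto = true is set in [libdefaults], so an AES enctype such as aes256-cts-hmac-sha1-96 is the practical choice for master_key_type and supported_enctypes.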
