ACD Linux System Administration

Kerberos Notes

30-July-2002

Setting up a Redhat Linux Kerberos Server

With the Redhat 7.3 installation, we ended up with everything that we needed to set up a Kerberos server. In particular, we needed the krb5-server RPM:
diskserver2:/etc/rc.d/init.d> rpm -a -q | grep krb
krb5-workstation-1.2.4-1
krb5-libs-1.2.4-1
krb5-devel-1.2.4-1
krb5-server-1.2.4-1
krbafs-1.1.1-1
pam_krb5-1.55-1
krbafs-devel-1.1.1-1
krbafs-utils-1.1.1-1
The RedHat documentation at http://www.polarhome.com/service/manual/RedHat/ch-kerberos.html helped in setting up a Kerberos Server.

What I did was:

  1. edit /etc/krb5.conf: This provides configuration information needed by the Kerberos v5 library. It includes information describing the default realm, and the location of its key distribution centers:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     ticket_lifetime = 24000
     default_realm = ACD.UCAR.EDU
     dns_lookup_realm = false
     dns_lookup_kdc = false
    
    [realms]
     ACD.UCAR.EDU = {
      kdc = diskserver2.acd.ucar.edu:88
      admin_server = diskserver2.acd.ucar.edu:749
      default_domain = acd.ucar.edu
     }
    
    [domain_realm]
     .acd.ucar.edu = ACD.UCAR.EDU
    
    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf
    
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    
    
  2. Make sure time is in sync: For information on NTP see http://www.eecis.udel.edu/~ntp/.
  3. edit /var/kerberos/krb5kdc/kdc.conf: We define the realm and which encryption types it supports:
    [kdcdefaults]
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     v4_mode = nopreauth
    
    [realms]
     ACD.UCAR.EDU = {
      master_key_type = des-cbc-crc
      supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
     }
    
    
  4. Create the database: /usr/kerberos/sbin/kdb5_util create -s
  5. Create the 1st principal: /usr/kerberos/sbin/kadmin.local -q "addprinc fredrick/admin"
  6. Add a principal for doe: /usr/kerberos/sbin/kadmin.local -q "addprinc doe"
  7. Start up the Kerberos server:
          cd /etc/rc.d/init.d
          sudo ./krb5kdc start
          sudo ./kadmin start
          sudo ./krb524 start
    
    
  8. Set for permanent startup:
          sudo chkconfig --level 345 krb5kdc on
          sudo chkconfig --level 345 kadmin on
          sudo chkconfig --level 345 krb524 on
    
    
In our example, diskserver2 was set up to be the Kerberos server. So on a Linux client, we would edit /etc/krb5.conf to point to the server with realm mappings:
[libdefaults]
 ticket_lifetime = 24000
 default_realm = ACD.UCAR.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ACD.UCAR.EDU = {
  kdc = diskserver2.acd.ucar.edu:88
  admin_server = diskserver2.acd.ucar.edu:749
  default_domain = cit.ucar.edu
 }

[domain_realm]
 .acd.ucar.edu = ACD.UCAR.EDU

Also edit /var/kerberos/krb5kdc/kdc.conf accordingly. PAM should also be set up to use Kerberos by editing /etc/pam.d/system-auth to look like:
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_krb5.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
To test this, I started at acd.ucar.edu and then telnetted to the machine with the PAM modules set up correctly. Entering a username and password for "doe" got me on (previously I had done a useradd doe to establish an account on the machine).
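As an added check (not part of these notes), a small Python audit of the two configuration files above: it parses the krb5.conf profile format, reports single-DES enctypes such as the des-cbc-* entries in the step 3 kdc.conf stanza (single DES has since been withdrawn from Kerberos as too weak), and flags a realm whose default_domain no [domain_realm] line maps, which is the case for the client stanza above (cit.ucar.edu against .acd.ucar.edu). The sample configs inside are constructed, shortened copies of those files.

```python
# Constructed samples in the page's profile format (shortened, not the full files).
SAMPLE_KDC_CONF = """\
[realms]
 ACD.UCAR.EDU = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
 }
"""
SAMPLE_CLIENT_CONF = """\
[realms]
 ACD.UCAR.EDU = {
  kdc = diskserver2.acd.ucar.edu:88
  default_domain = cit.ucar.edu
 }
[domain_realm]
 .acd.ucar.edu = ACD.UCAR.EDU
"""

def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf: [sections], key = value, one level of name = { ... }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or (section is None and not line.startswith("[")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):                      # realm or app stanza opens
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section)[key] = value
    return conf

def weak_enctypes(kdc_conf_text):
    """{realm: [tokens]} for single-DES (des-cbc-*) master key or supported enctypes."""
    findings = {}
    for realm, s in parse_krb5_conf(kdc_conf_text).get("realms", {}).items():
        mk = s.get("master_key_type", "")
        weak = ["master_key_type=" + mk] if mk.startswith("des-cbc-") else []
        weak += [t for t in s.get("supported_enctypes", "").split()
                 if t.split(":")[0].startswith("des-cbc-")]
        if weak:
            findings[realm] = weak
    return findings

def unmapped_default_domains(client_conf_text):
    """Realms whose default_domain has no [domain_realm] entry mapping that domain."""
    conf = parse_krb5_conf(client_conf_text)
    mapped = {d.lstrip(".") for d in conf.get("domain_realm", {})}
    return [r for r, s in conf.get("realms", {}).items()
            if "default_domain" in s and s["default_domain"] not in mapped]
```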