First you have to decide whether you want to use the Heimdal or the MIT krb5 implementation. As there are still some compatibility issues with Heimdal I've chosen the MIT implementation. Let's install the server:
aptitude install krb5-kdc krb5-admin-server
There are two important configuration files:
- client side: /etc/krb5.conf
- server side: /etc/kdc.conf (Gentoo) or /etc/krb5kdc/kdc.conf (Debian)
On Gentoo you can create the directory /etc/krb5kdc to use the following configuration suggestions. You can also put the KDC files into /var/lib/krb5kdc, which is the Gentoo default.
First we configure the client side (this also has to be done on all clients). For this howto I assume:
${REALM} = <the realm name> e.g. FOO.BAR.COM
${DOMAIN} = <the DNS domain> e.g. foo.bar.com
${KERBEROS_SERVER} = <the server host name> e.g. kerberos.foo.bar.com
Here is the /etc/krb5.conf:
[libdefaults]
debug = true
default_realm = ${REALM}
kdc_timesync = 1
forwardable = true
proxiable = true
forward = true
renewable = true
encrypt = true
krb4_get_tickets = false
krb4_convert = false
krb5_get_tickets = true
[realms]
${REALM} = {
kdc = ${KERBEROS_SERVER}:88
admin_server = ${KERBEROS_SERVER}:749
default_domain = ${DOMAIN}
}
[domain_realm]
.${DOMAIN} = ${REALM}
${DOMAIN} = ${REALM}
To get the whole thing working we also need to configure the server:
[libdefaults]
debug = true
[kdcdefaults]
kdc_ports = 750,88
[realms]
${REALM} = {
database_name = /etc/krb5kdc/principal
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/.k5.${REALM}
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 8d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Please be aware of the debug = true statement, which can easily be removed from both files once the configuration works.
Now it's time to create the Kerberos database:
kdb5_util create -s
The -s flag creates the stash file holding the master key of the database, which the KDC uses to unlock the database at start-up without operator intervention. Of course that is a possible security problem. Make sure that the stash file is readable only by root, and it is always good advice to strictly restrict access to the Kerberos machine, e.g. remote SSH access.
The next step is to create an admin user. As I am using my Kerberos database mainly for OpenAFS authentication I am creating an afsadmin user, but you may also call it root:
kdc# kadmin.local
kadmin.local: addprinc afsadmin/admin
kadmin.local: listprincs
kadmin.local: quit
If not already done we should now start the KDC. On Debian I'd recommend disabling krb524d (it translates krb5 tickets into krb4 tickets; we definitely don't want to use krb4 and don't even want to support it) by editing /etc/default/krb5-kdc and setting RUN_KRB524D=false.
/etc/init.d/krb5-kdc start
Now we should already be able to obtain a ticket:
kinit afsadmin/admin
klist -f
We have configured an ACL file (acl_file = /etc/krb5kdc/kadm5.acl) in kdc.conf, and there we give our new principal admin rights by adding the following line:
afsadmin/admin@${REALM} *
Then restart the KDC with /etc/init.d/krb5-kdc restart
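To audit what a kadm5.acl line like the one above actually grants (a `*` permission on a wildcarded principal is easy to over-grant), here is a small evaluator of the MIT kadm5.acl format. This is an added example, not part of the howto; the sample ACL is constructed, and the wildcard handling and the "first matching entry decides" rule are my reading of the format, so compare with the kadmind documentation of your version.

```python
# Privilege letters of the MIT kadm5.acl format; 'x' and '*' stand for all of them.
ALL_PERMS = frozenset("admcilsp")
# Constructed sample ACL in the format used on this page (not the howto's own file).
ACL_EXAMPLE = """\
afsadmin/admin@FOO.BAR.COM  *                  # our admin principal: everything
*/admin@FOO.BAR.COM         xA                 # any other /admin instance: all but 'add'
helpdesk@FOO.BAR.COM        ci  *@FOO.BAR.COM  # change pw / inquire, plain user principals only
"""

def _split(principal):
    # 'afsadmin/admin@FOO.BAR.COM' -> (['afsadmin', 'admin'], 'FOO.BAR.COM')
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def _matches(pattern, principal):
    # A '*' component in the ACL pattern matches any value in that position.
    p_comps, p_realm = _split(pattern)
    c_comps, c_realm = _split(principal)
    if len(p_comps) != len(c_comps) or p_realm not in ("*", c_realm):
        return False
    return all(p in ("*", c) for p, c in zip(p_comps, c_comps))

def _expand(perm_string):
    # Processed left to right: lowercase grants, uppercase revokes, 'x'/'*' grant all.
    perms = set()
    for ch in perm_string:
        if ch in "x*":
            perms |= ALL_PERMS
        elif ch.islower():
            perms.add(ch)
        else:
            perms.discard(ch.lower())
    return perms

def parse_acl(text):
    # Each entry: principal permissions [target_principal]; '#' starts a comment.
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        entries.append((fields[0], _expand(fields[1]), fields[2] if len(fields) > 2 else "*"))
    return entries

def allowed(acl_text, principal, perm, target="*"):
    # The first entry whose principal and target patterns match decides (assumed kadmind behaviour).
    for pattern, perms, tgt in parse_acl(acl_text):
        if _matches(pattern, principal) and (tgt == "*" or _matches(tgt, target)):
            return perm in perms
    return False
```

Run `allowed(ACL_EXAMPLE, "joe/admin@FOO.BAR.COM", "a")` against your own file to see which principals can create new ones; anything unexpected is worth a second look.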
Attention
The following things should always be kept in mind:
- The reverse DNS lookup of the KDC client's IP address must match its fully qualified hostname (this might be a problem with NAT; take care of it already when designing the network structure). This is needed to make utilities like kpasswd work.
- The time of client and server must be in sync, therefore use ntp on client and server.