Chapter 10. Kerberos
KDC from kerberos.example.com to the name of your Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details on the formats of these files, see their respective man pages.
4. Create the database using the kdb5_util utility from a shell prompt:

/usr/kerberos/sbin/kdb5_util create -s

The create command creates the database that will be used to store keys for your Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc) will prompt the user for the master server password (which can be used to regenerate the key) every time it starts. Because the stash file holds the master key, which protects every key in the database, it must be readable only by root on the KDC and protected as carefully as the database itself.
5. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have access to the Kerberos database and their level of access. Most organizations will be able to get by with a single line:

*/admin@EXAMPLE.COM *

The first field is a principal pattern and the second is the permission field; a permission of * grants every privilege. Most users will be represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). With this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) will be able to wield full power over the realm's Kerberos database. The wildcard matches only the primary component, so a principal without the admin instance, such as joe@EXAMPLE.COM, is not matched by this line.
Once kadmind is started on the server, any user will be able to access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file will be able to modify the database in any way, except for changing their own passwords.
Note
The kadmin utility communicates with the kadmind server over the network, and they use Kerberos to handle authentication. Of course, you need to create the first principal before you can connect to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.

Type the following kadmin.local command at the KDC terminal to create the first principal:

/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
6. Start Kerberos using the following commands:
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
7. Add principals for your users using the addprinc command with kadmin. kadmin and kadmin.local on the master KDC are command line interfaces to the Kerberos administration system. As such, many commands are available after launching the kadmin program. Please see the kadmin man page for more information.
8. Verify that your server will issue tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Then use klist to view the list of credentials in your cache and use kdestroy to destroy the cache and the credentials it contains.
Note
By default, kinit attempts to authenticate using the login user name of the account you used when you first logged into your system (not the Kerberos server). If that system user name does not correspond to a principal in the Kerberos database, you will receive an error message. If that happens, supply kinit with the name of your principal as an argument on the command line (kinit principal).
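The kadm5.acl semantics from step 5, as an added example that is not part of the Red Hat guide or of MIT Kerberos: a small POSIX shell evaluator for a kadm5.acl file that matches the realm and each name component separately, the way kadmind does, and reports what the guide's one-line ACL actually grants. The ACL text (the guide's line plus a hypothetical helpdesk/* entry limited to the c and i permissions) and the principal names are constructed for the example; the matcher is simplified to principals with at most one instance component.

```sh
#!/bin/sh
# Added example, not code from the Red Hat guide or from MIT Kerberos:
# evaluate a kadm5.acl file the way kadmind does (realm and each name
# component matched separately with glob rules, first matching entry
# wins), to show exactly who the "*/admin@EXAMPLE.COM *" line lets
# administer the realm.  The ACL text, the helpdesk entry and the
# principal names below are constructed for this example.

# Constructed kadm5.acl: the guide's one-liner plus a hypothetical
# helpdesk entry limited to changepw (c) and inquire (i).
ACL='# principal             permissions
*/admin@EXAMPLE.COM     *
helpdesk/*@EXAMPLE.COM  ci
'

# princ_match PATTERN PRINCIPAL: returns 0 if PRINCIPAL matches PATTERN.
# Handles principals of the form primary[/instance]@REALM (two name
# components at most, a simplification of kadmind, which accepts more).
# An unquoted variable in a "case" pattern is matched with *, ? and [...]
# glob rules, which is the same per-component matching kadmind applies,
# so a "*" in the primary never spans the "/" or the "@".
princ_match() {
    pat=$1 princ=$2
    [ "$pat" = '*' ] && return 0              # bare "*" matches everyone
    pat_realm=${pat##*@}   princ_realm=${princ##*@}
    pat_names=${pat%@*}    princ_names=${princ%@*}
    case $princ_realm in $pat_realm) ;; *) return 1 ;; esac
    # component counts must agree: "*/admin" never matches "joe"
    case $pat_names   in */*) pn=2 ;; *) pn=1 ;; esac
    case $princ_names in */*) qn=2 ;; *) qn=1 ;; esac
    [ "$pn" -eq "$qn" ] || return 1
    pat_primary=${pat_names%%/*}   princ_primary=${princ_names%%/*}
    case $princ_primary in $pat_primary) ;; *) return 1 ;; esac
    [ "$pn" -eq 1 ] && return 0
    pat_inst=${pat_names#*/}       princ_inst=${princ_names#*/}
    case $princ_inst in $pat_inst) return 0 ;; *) return 1 ;; esac
}

# acl_perms PRINCIPAL: print the permission field of the first ACL entry
# whose principal pattern matches, or "none" if no entry matches.
acl_perms() {
    while read -r pattern perms rest; do
        case $pattern in ''|'#'*) continue ;; esac   # blank line / comment
        if princ_match "$pattern" "$1"; then
            printf '%s\n' "$perms"
            return 0
        fi
    done <<EOF
$ACL
EOF
    printf 'none\n'
}

# Demo: who gets what under the constructed ACL.
for p in 'joe/admin@EXAMPLE.COM' 'joe@EXAMPLE.COM' 'joe/admin@EVIL.COM' \
         'helpdesk/sam@EXAMPLE.COM' 'helpdesk@EXAMPLE.COM'; do
    printf '%-26s -> %s\n' "$p" "$(acl_perms "$p")"
done
```

Running it shows joe/admin@EXAMPLE.COM receiving every privilege while joe@EXAMPLE.COM and joe/admin@EVIL.COM receive none: the wildcard matches only the primary component, never the instance or the realm. That property is what the single-line ACL relies on, and it is why the admin instance must be a separate principal with its own password rather than an attribute of the user's everyday principal.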