Kerberos Setup
2019-05-06 06:51:53
louyj
# Installing KDCs

When setting up Kerberos in a production environment, it is best to have multiple slave KDCs alongside a master KDC to ensure the continued availability of the Kerberized services. Each KDC contains a copy of the Kerberos database. The master KDC contains the writable copy of the realm database, which it replicates to the slave KDCs at regular intervals. All database changes (such as password changes) are made on the master KDC. Slave KDCs provide Kerberos ticket-granting services, but not database administration, when the master KDC is unavailable.

## Install and configure the master KDC

For the purpose of this document we will use the following names:

- kerberos.mit.edu - master KDC
- kerberos-1.mit.edu - slave KDC
- ATHENA.MIT.EDU - realm name
- .k5.ATHENA.MIT.EDU - stash file
- admin/admin - admin principal

See [MIT Kerberos defaults](http://web.mit.edu/Kerberos/krb5-latest/doc/mitK5defaults.html#mitk5defaults) for the default names and locations of the files relevant to this topic.

## Configure hosts

```bash
vi /etc/hosts
```

```
172.104.107.179 kerberos.mit.edu
172.104.125.165 kerberos-1.mit.edu
```

## Install Dependencies

```bash
yum install gcc gcc-c++ byacc -y
```

### Download and build the source

```bash
wget http://web.mit.edu/kerberos/dist/krb5/1.15/krb5-1.15.1.tar.gz
tar zxvf krb5-1.15.1.tar.gz
cd krb5-1.15.1/src
./configure --prefix=/root/kdc
make install # DESTDIR=/root/kd
```

### Edit KDC configuration files

Modify the configuration files, krb5.conf and kdc.conf, to reflect the correct information (such as domain-realm mappings and Kerberos server names) for your realm. If the locations of these configuration files differ from the default ones, set the KRB5_CONFIG and KRB5_KDC_PROFILE environment variables to point to krb5.conf and kdc.conf respectively. For example:

```bash
export KRB5_CONFIG=/yourdir/krb5.conf
export KRB5_KDC_PROFILE=/yourdir/kdc.conf
```

**krb5.conf**

If you are not using DNS TXT records (see Mapping hostnames onto Kerberos realms), you must specify the default_realm in the [libdefaults] section. If you are not using DNS URI or SRV records (see Hostnames for KDCs and KDC Discovery), you must include the kdc tag for each realm in the [realms] section. To communicate with the kadmin server in each realm, the admin_server tag must be set in the [realms] section.

```bash
mkdir etc
vi etc/krb5.conf
```

```ini
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        admin_server = kerberos.mit.edu
    }
```

**kdc.conf**

The kdc.conf file can be used to control the listening ports of the KDC and kadmind, as well as realm-specific defaults, the database type and location, and logging.

```bash
vi var/krb5kdc/kdc.conf
```

```ini
[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88

[realms]
    ATHENA.MIT.EDU = {
        kadmind_port = 749
        max_life = 12h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        # If the default location does not suit your setup,
        # explicitly configure the following values:
        # database_name = /var/krb5kdc/principal
        # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
        # acl_file = /var/krb5kdc/kadm5.acl
    }

[logging]
    # By default, the KDC and kadmind will log output using
    # syslog. You can instead send log output to files like this:
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
```

**Note:** You must have write permission on the target directories (and these directories must exist) used by database_name, key_stash_file, and acl_file.

### Create the KDC database

You will use the kdb5_util command on the master KDC to create the Kerberos database and the optional stash file. The following is an example of how to create a Kerberos database and stash file on the master KDC, using the kdb5_util command. Replace ATHENA.MIT.EDU with the name of your Kerberos realm:

```bash
./sbin/kdb5_util create -r ATHENA.MIT.EDU -s   # use 123456 as password for test
```

This will create five files in LOCALSTATEDIR/krb5kdc (here /root/kdc/var/krb5kdc/):

- two Kerberos database files, principal and principal.ok
- the Kerberos administrative database file, principal.kadm5
- the administrative database lock file, principal.kadm5.lock
- the stash file, in this example .k5.ATHENA.MIT.EDU

If you do not want a stash file, run the above command without the -s option.

### Add administrators to the ACL file

Next, you need to create an Access Control List (ACL) file and put the Kerberos principal of at least one of the administrators into it. This file is used by the kadmind daemon to control which principals may view and make privileged modifications to the Kerberos database files. The ACL filename is determined by the acl_file variable in kdc.conf; the default is LOCALSTATEDIR/krb5kdc/kadm5.acl.

#### SYNTAX

Empty lines and lines starting with the sharp sign (#) are ignored. Lines containing ACL entries have the format:

```
principal permissions [target_principal [restrictions] ]
```

Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. See [kadm5.acl](http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/kadm5_acl.html#kadm5-acl-5).

```bash
vi var/krb5kdc/kadm5.acl
```

Add the following entry:

```
*/admin@ATHENA.MIT.EDU *
```

### Add administrators to the Kerberos database

You need to add administrative principals (i.e., principals who are allowed to administer the Kerberos database) to the Kerberos database. To do this, use the kadmin.local utility on the master KDC (the password admin is used for test):

```
export KRB5CCNAME=DIR:/mydir/
./sbin/kadmin.local
kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU
```

### Start the Kerberos daemons on the master KDC

At this point, you are ready to start the Kerberos KDC (krb5kdc) and administrative daemons on the master KDC. To do so, type:

```bash
./sbin/krb5kdc
./sbin/kadmind
```

Assuming you want these daemons to start up automatically at boot time, you can add them to the KDC's /etc/rc or /etc/inittab file. You need to have a stash file in order to do this.

You can verify that they started properly by checking for their startup messages in the logging locations you defined in krb5.conf (see [logging]). For example:

```bash
tail /var/log/krb5kdc.log
tail /var/log/kadmin.log
```

Check that kinit succeeds against the principals that you created in the previous step. Run:

```bash
./bin/kinit admin/admin@ATHENA.MIT.EDU
```

## Install the slave KDCs

You should perform each of these steps on the master KDC as well as the slave KDCs, unless these instructions specify otherwise.

### Create host keytabs for slave KDCs

Each KDC needs a host key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump file from the master KDC to the secondary KDC servers.

On the master KDC, connect to the administrative interface and create the host principal for each of the KDCs' host services. For example, if the master KDC were called kerberos.mit.edu, and you had a slave KDC named kerberos-1.mit.edu, you would type the following:

```
./bin/kadmin
kadmin: addprinc -randkey host/kerberos.mit.edu
```

Next, extract host random keys for all participating KDCs and store them in each host's default keytab file. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network.

To extract a keytab directly on a slave KDC called kerberos-1.mit.edu, you would execute the following command:

```
./bin/kadmin
kadmin: ktadd host/kerberos-1.mit.edu
```

If you are instead extracting a keytab for the slave KDC called kerberos-1.mit.edu on the master KDC, you should use a dedicated temporary keytab file for that machine's keytab:

```
./bin/kadmin
kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu
```
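As an added example (not part of the original post or of MIT Kerberos), here is a small Python checker for the three krb5.conf rules stated in the configuration section above: default_realm must be set when DNS TXT lookup is off, every realm needs a kdc tag when DNS SRV lookup is off, and every realm needs admin_server. The parser covers only the profile syntax used in this post, and the sample configurations are constructed.

```python
# Added example, not from the post: parse krb5.conf profile syntax and check the rules
# stated in the krb5.conf section (values are kept as lists because kdc repeats).
def parse_krb5_conf(text):
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]   # new top-level section
        elif line == "}":
            stack.pop()                                # close a { ... } subsection
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return sections

def check_krb5_conf(text):
    """Return a list of problems; an empty list means the rules are satisfied."""
    conf = parse_krb5_conf(text)
    lib, realms, problems = conf.get("libdefaults", {}), conf.get("realms", {}), []
    # MIT defaults when unset: dns_lookup_realm = false, dns_lookup_kdc = true.
    if lib.get("dns_lookup_realm", ["false"])[0] == "false" and "default_realm" not in lib:
        problems.append("[libdefaults]: default_realm missing and DNS realm lookup is off")
    dns_kdc = lib.get("dns_lookup_kdc", ["true"])[0] == "true"
    for realm, settings in realms.items():
        if not dns_kdc and "kdc" not in settings:
            problems.append(f"{realm}: no kdc tag and DNS KDC lookup is off")
        if "admin_server" not in settings:
            problems.append(f"{realm}: admin_server not set")
    return problems

# Constructed sample mirroring the krb5.conf shown in this post.
GOOD_CONF = """[libdefaults]
    default_realm = ATHENA.MIT.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        admin_server = kerberos.mit.edu
    }
"""
# The same file with its kdc lines removed: clients could only find a KDC via DNS SRV.
BAD_CONF = "\n".join(l for l in GOOD_CONF.splitlines()
                     if not l.strip().startswith("kdc =")) + "\n"
```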
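A second added example, again not the project's code: evaluating kadm5.acl entries with the first-match rule described in the ACL section, to see what a given administrator may do, and to flag entries such as the post's `*/admin@ATHENA.MIT.EDU *` that give every privilege to any principal with an admin instance. It assumes every principal is written with an explicit realm and implements only the `*` component wildcard, not back-references or restrictions; the ACL text is constructed.

```python
# Added example, not from the post: kadm5.acl evaluation, first matching line wins.
ALL_PERMS = set("admcilsp")   # what 'x' or '*' expands to ('e' is never implied)

def principal_matches(pattern, princ):
    """Compare component-by-component; both strings must carry an explicit realm."""
    pname, _, prealm = pattern.partition("@")
    cname, _, crealm = princ.partition("@")
    pcomps, ccomps = pname.split("/"), cname.split("/")
    if len(pcomps) != len(ccomps) or prealm not in ("*", crealm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, ccomps))

def parse_acl(text):
    """Yield (actor, permissions, target or None); blank and # lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        yield fields[0], fields[1], (fields[2] if len(fields) > 2 else None)

def effective_permissions(acl_text, actor, target):
    """Privileges `actor` holds over `target`; empty set when no entry matches."""
    for pattern, perms, tgt in parse_acl(acl_text):
        if not principal_matches(pattern, actor):
            continue
        if tgt is not None and not principal_matches(tgt, target):
            continue
        granted = set()
        for ch in perms:                  # lower case grants, upper case denies
            if ch in "x*":
                granted |= ALL_PERMS
            elif ch.islower():
                granted.add(ch)
            else:
                granted.discard(ch.lower())
        return granted                    # first match decides, even if it denies
    return set()

def full_wildcard_entries(acl_text):
    """Entries granting every privilege to a wildcard actor over any target."""
    return [(a, p) for a, p, t in parse_acl(acl_text)
            if "*" in a and set(p) & set("x*") and t is None]

# Constructed sample: the entry from this post plus two narrower ones.
SAMPLE_ACL = """# kadm5.acl (constructed)
*/admin@ATHENA.MIT.EDU *
joeadmin@ATHENA.MIT.EDU ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
"""
```

Because the deny entry for joeadmin@ATHENA.MIT.EDU is matched before the narrower grant, a denied first match ends the lookup with no privileges.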