Logo-500px-300x300
INSTALLATION:

When setting up Kerberos, install the KDC first. If it is necessary to set up slave servers, install the master first.
To configure the first Kerberos KDC, follow these steps:
that time synchronization and DNS are functioning correctly on all client and server machines Ensure before configuring Kerberos. Pay particular attention to time synchronization between the Kerberos server and its clients. If the time difference between the server and client is greater than five minutes (this is configurable in Kerberos 5), Kerberos clients can not authenticate to the server. This time synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.
Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which runs the KDC. This machine needs to be very secure — if possible, it should not run any services other than the KDC.

 

#yum install krb5-server krb5-libs krb5-workstation

 

Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with the correct domain name — being certain to keep uppercase and lowercase names in the correct format — and by changing the KDC fromkerberos.example.com to the name of the Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase.

 

1

#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SATHISH.COM
dns_lookup_realm = false
dns_lookup_kdc = fals
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
SATHISH.COM = {
kdc = arthar1.sathish.com
admin_server = arthar1.sathish.com
}
[domain_realm]
.sathish.com = SATHISH.COM
sathish.com = SATHISH.COM

 

 


#vi /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SATHISH.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac- sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

2

Create the database using the kdb5_util utility from a shell prompt

 

#kdb5_util create –s
Loading random data
Initializing database ‘/var/kerberos/krb5kdc/principal’ for realm ‘SATHISH.COM’,
master key name ‘K/M@SATHISH.COM’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can get by with a single line:*/admin@EXAMPLE.COM *

 

#vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@SATHISH.COM *

 

#service kadmin start

 

 

After kadmind and krb5kdc has been started on the server, any user can access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file can modify the database in any way, except for changing their own passwords.

The kadmin utility communicates with the kadmind server over the network, and uses Kerberos to handle authentication. Consequently, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.
Type the following kadmin.local command at the KDC terminal to create the first principal:

 

#kadmin.local -q “addprinc root/admin”

 

#service krb5kdc start

 

Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache and use kdestroy to destroy the cache and the credentials it contains.

 

#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

 

#kinit root/admin
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root/admin@SATHISH.COM
Valid starting Expires Service principal
05/07/13 11:29:27 05/08/13 11:29:27 krbtgt/SATHISH.COM@SATHISH.COM

 

#kdestroy

3

 

Kerberos Client

Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid krb5.conf configuration file
Be sure that time synchronization is in place between the Kerberos client and the KDC, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs
Install the krb5-libs and krb5-workstation packages on all of the client machines. Supply a valid/etc/krb5.conf file for each client

 

#yum install krb5-libs and krb5-workstation


#vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SATHISH.COM
dns_lookup_kdc = fals
forwardable = true
[realms]
SATHISH.COM = {
kdc = arthar1.sathish.com
admin_server = arthar1.sathish.com
}
[domain_realm]
arthar1.com = SATHISH.COM

 

4

Using kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the -randkey option for the kadmin’s addprinc command to create the principal and assign it a random key

 

#kadmin root/admin
Authenticating as principal root/admin@SATHISH.COM with password:
Password for root/admin@SATHISH.COM:

kadmin: addprinc arthar2
WARNING: no policy specified for arthar2@SATHISH.COM; defaulting to no policy
Enter password for principal “arthar2@SATHISH.COM”:
Re-enter password for principal “arthar2@SATHISH.COM”:
Principal “arthar2@SATHISH.COM” created.

kadmin: addprinc -randkey host/arthar2.sathish.com
WARNING: no policy specified for host/www.arthar2.com@SATHISH.COM; defaulting to no policy
Principal “host/arthar2.sathish.com@SATHISH.COM” created.

kadmin: listprincs
K/M@SATHISH.COM
arthar2@SATHISH.COM
host/arthar2.sathish.com@SATHISH.COM
kadmin/admin@SATHISH.COM
kadmin/changepw@SATHISH.COM
krbtgt/SATHISH.COM@SATHISH.COM
root/admin@SATHISH.COM

 

 

Kerberos Client Log in

#klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

#kinit
Password for arthar2@SATHISH.COM:

#klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: arthar2@SATHISH.COM
Valid starting Expires Service principal
05/05/13 10:04:55 05/06/13 10:04:14
krbtgt/SATHISH.COM@SATHISH.COM

 

5

Advertisements