Linux Kerberos (MIT krb5) server and client setup on CentOS

Kerberos Server
[root@centos]# yum install krb5-server krb5-libs krb5-workstation
Edit /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf. Note that the kdc.conf shown below is the stock CentOS default: its supported_enctypes list still includes single-DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1), which is cryptographically broken, plus arcfour-hmac (RC4) and des3-hmac-sha1, both deprecated (RFC 8429). For a new realm restrict the list to `supported_enctypes = aes256-cts:normal aes128-cts:normal` and uncomment `master_key_type = aes256-cts` BEFORE running kdb5_util create: the master key type is fixed when the database is created, and supported_enctypes only governs keys generated from then on, so tightening it later means re-keying every existing principal.
[quick@centos ~]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUXPROBLEMS.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
LINUXPROBLEMS.ORG = {
kdc = centos.linuxproblems.org
admin_server = centos.linuxproblems.org
}

[domain_realm]
.linuxproblems.org = LINUXPROBLEMS.ORG
linuxproblems.org = LINUXPROBLEMS.ORG
[root@centos tmp]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
LINUXPROBLEMS.ORG = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Create the Kerberos database. The `-s` flag writes a stash file (by default `.k5.LINUXPROBLEMS.ORG` in /var/kerberos/krb5kdc) holding the master key in the clear so krb5kdc and kadmind can start unattended; it must stay root-owned and mode 0600, and anyone who can read it can decrypt the whole principal database. Choose a long, random master password and keep it somewhere other than the KDC host, because it is the only way to recover if the stash file is lost.
[root@centos]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LINUXPROBLEMS.ORG',
master key name 'K/M@LINUXPROBLEMS.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Update /var/kerberos/krb5kdc/kadm5.acl for principals who have administrative access to the Kerberos database. The entry below grants every privilege (`*`) to any principal whose instance is `admin`, so the password of any */admin principal is effectively a realm-wide root credential: keep the number of such principals to a minimum and consider narrower privilege letters (e.g. `adcl` instead of `*`) for day-to-day administrators.
[root@centos ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@LINUXPROBLEMS.ORG *
[root@centos ~]# service kadmin status
kadmind is stopped
[root@centos ~]# service kadmin start
Starting Kerberos 5 Admin Server: [ OK ]
Create the first administrator principal (kadmin.local talks to the database directly, so kadmind does not need to be running yet). The "no policy specified" warning below means there is no password-quality or lockout policy on this account; for an administrator it is worth creating one first, e.g. `addpol -minlength 12 -minclasses 3 -history 5 admin`, and then `addprinc -policy admin quick/admin`.
[root@centos ~]# kadmin.local -q "addprinc quick/admin"
Authenticating as principal root/admin@LINUXPROBLEMS.ORG with password.
WARNING: no policy specified for quick/admin@LINUXPROBLEMS.ORG; defaulting to no policy
Enter password for principal "quick/admin@LINUXPROBLEMS.ORG":
Re-enter password for principal "quick/admin@LINUXPROBLEMS.ORG":
Principal "quick/admin@LINUXPROBLEMS.ORG" created.
Start the KDC. To survive a reboot also run `chkconfig krb5kdc on` and `chkconfig kadmin on`, and open only the ports actually needed on the KDC host: 88/tcp and 88/udp (KDC), 749/tcp (kadmin) and 464/tcp+udp (kpasswd). Kerberos also depends on synchronised clocks: the default permitted skew is 5 minutes, so run NTP on the KDC and every client.
[root@centos ~]# /sbin/service krb5kdc start
Starting Kerberos 5 KDC: [ OK ]
Test the Administrator login locally
[root@centos ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

[root@centos ~]# kinit quick/admin
Password for quick/admin@LINUXPROBLEMS.ORG:

[root@centos ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: quick/admin@LINUXPROBLEMS.ORG
Valid starting Expires Service principal
04/21/12 11:29:27 04/22/12 11:29:27 krbtgt/LINUXPROBLEMS.ORG@LINUXPROBLEMS.ORG

[root@centos ~]# kdestroy
[root@centos ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos Client
[root@localhost ~]# yum install krb5-libs krb5-workstation
Update /etc/krb5.conf on the client. The config below sets dns_lookup_kdc = false and hard-codes the KDC hostname, so the client must be able to resolve centos.linuxproblems.org (DNS or /etc/hosts) and its clock must be within the 5-minute default skew of the KDC, otherwise kinit fails with a clock-skew or "cannot contact any KDC" error.
[quick@localhost ~]$ cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LINUXPROBLEMS.ORG
dns_lookup_kdc = false
forwardable=true

[realms]
LINUXPROBLEMS.ORG = {
default_domain = linuxproblems.org
kdc = centos.linuxproblems.org
admin_server = centos.linuxproblems.org
}

[domain_realm]
linuxproblems.org = LINUXPROBLEMS.ORG
From the client host, log in as the Kerberos administrator (kadmin connects to kadmind on the KDC, port 749/tcp) and add a principal for your client user (in my case quick) and for the client host (laptop.linuxproblems.org). The host principal is created with `-randkey`, so it has no password; it is only useful once its key is exported into the client's keytab, which this transcript does not show — on the laptop run `kadmin: ktadd -k /etc/krb5.keytab host/laptop.linuxproblems.org` and keep /etc/krb5.keytab root-only (0600), since it is a long-lived credential for that host. (The listprincs output below omits quick@LINUXPROBLEMS.ORG even though it was created just above.)
[root@localhost ~]# kadmin quick/admin
Authenticating as principal quick/admin@LINUXPROBLEMS.ORG with password.
Password for quick/admin@LINUXPROBLEMS.ORG:

kadmin: addprinc quick
WARNING: no policy specified for quick@LINUXPROBLEMS.ORG; defaulting to no policy
Enter password for principal "quick@LINUXPROBLEMS.ORG":
Re-enter password for principal "quick@LINUXPROBLEMS.ORG":
Principal "quick@LINUXPROBLEMS.ORG" created.

kadmin: addprinc -randkey host/laptop.linuxproblems.org
WARNING: no policy specified for host/laptop.linuxproblems.org@LINUXPROBLEMS.ORG; defaulting to no policy
Principal "host/laptop.linuxproblems.org@LINUXPROBLEMS.ORG" created.

kadmin: listprincs
K/M@LINUXPROBLEMS.ORG
host/laptop.linuxproblems.org@LINUXPROBLEMS.ORG
kadmin/admin@LINUXPROBLEMS.ORG
kadmin/changepw@LINUXPROBLEMS.ORG
krbtgt/LINUXPROBLEMS.ORG@LINUXPROBLEMS.ORG
quick/admin@LINUXPROBLEMS.ORG
Kerberos client login. With no argument, kinit uses the local Unix username as the principal name, so the account name on the client must match the Kerberos principal (here both are quick). The resulting ticket cache is a plain file (/tmp/krb5cc_500) readable by that uid and by root, so anyone with root on the client can use the user's TGT until it expires.
[quick@localhost ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
[quick@localhost ~]$ kinit
Password for quick@LINUXPROBLEMS.ORG:
[quick@localhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: quick@LINUXPROBLEMS.ORG

Valid starting Expires Service principal
05/07/12 10:04:55 05/08/12 10:04:14 krbtgt/LINUXPROBLEMS.ORG@LINUXPROBLEMS.ORG
