Red Hat Linux 7.0: The Official Red Hat Linux Reference Guide | ||
---|---|---|
Prev | Chapter 8. Using Kerberos 5 on Red Hat Linux | Next |
When you're setting up Kerberos, install the server(s) first. If you need to set up slave servers, the details of setting up relationships between master and slave servers are covered in the Kerberos 5 Installation Guide (in /usr/share/doc/krb5-server-versionnumber/).
To install a Kerberos server:
Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which will run your KDC. This machine needs to be secure — if possible, it shouldn't run any services besides the KDC.
If you'd like to use a Graphical User Interface (GUI) utility to administrate Kerberos, you should also install the gnome-kerberos package. gnome-kerberos contains krb5, a GUI tool for managing tickets, and gkadmin, a GUI tool for managing Kerberos realms.
Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect your realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with your domain name (keeping uppercase names uppercase and lowercase names lowercase) and by changing the KDC from kerberos.example.com to the name of your Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details on the formats of these files, see their respective man pages.
Create the database using the kdb5_util utility from a shell prompt:
/usr/kerberos/sbin/kdb5_util create -s |
The create command creates the database that will be used to store keys for your Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present to read the key from, the Kerberos server (krb5kdc) will prompt the user for the master server password (which can be used to regenerate the key) every time it is started.
Edit the /var/kerberos/krb5kdc/kadm5.acl file. kadmind uses this file to determine which principals have access to the Kerberos database, and what kind of access they have. Most organizations will be able to get by with a single line:
*/admin@EXAMPLE.COM * |
Most users will be represented in the database by a single principal (with a NULL instance, i.e., joe@EXAMPLE.COM). With this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) will be able to wield full power over the realm's Kerberos database.
Once kadmind is started on the server, any user will be able to access its services by running kadmin or gkadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file will be able to modify the database in any way except for changing their own passwords.
Please note | |
---|---|
The kadmin and gkadmin utilities communicate with the kadmind server over the network. Of course, you need to create a principal before you can connect to the server over the network to administer it, so do that with the kadmin.local command: |
/usr/kerberos/sbin/kadmin.local -q addprinc joeuser/admin |
Start Kerberos using the following commands:
krb5kdc start kadmin start krb524 start |
Add principals for your users using kadmin's addprinc command, or using gkadmin's Principal => Add menu option.
Verify that your server will issue tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Then use klist to view the list of credentials in your cache and use kdestroy to destroy the cache and the credentials it contains.
Please note | |
---|---|
By default, kinit attempts to authenticate you using the login name of the user you're currently logged in as. If that user doesn't correspond to a principal in your Kerberos database, you will get an error message. If that happens, just give kinit the name of your principal as an argument on the command line. |
Once you've completed the steps listed above, your Kerberos server should be up and running. Next, you'll need to set up your Kerberos clients.