how to install and configure kerberos server

Sarath Pillai's picture
kerberos in linux

Hi all...In this post we will be installing and configuring kerberos infrastructure. I recommend going through the below posts  as basic requirement for understanding this post.

Needham-Schroeder protocol Explained

What is kerberos and how does kerberos work

Recommendations for Kerberos Server:

  1. Kerberos infrastructure does not require a high profile hardware. But still keeping a good fair enough server configuration as KDC server is recommended.
  2. Having single IP address assigned to the KDC server is recommended, as KDC tickets offered by the server, includes the IP address of the server. If the server is configured with multiple NIC cards at the same time, then Kerberos clients might encounter issues because of contacting KDC server with different IP addresses.
  3. There should not be any other service running on the KDC server machine, as compromise of any other service on the KDC server might put the whole infrastructure under risk.
  4. Deploying one master and slave KDC server, will be an added advantage for redundancy.

Installing Kerberos

In centos/RHEL the packages required for Kerberos server are as follows.

  1.   krb5−server (http://rpmfind.net/linux/rpm2html/search.php?query=krb5-server)
  2.   krb5−libs(http://rpmfind.net/linux/rpm2html/search.php?query=krb5-libs)

You can download the below versions for Centos 5/Rhel 5.

krb5-libs-1.6.1-70.el5.i386.rpm
krb5-server-1.6.1-70.el5.i386.rpm

 

Install them properly and before configuring lets make sure the following things.

  1. There should not be any unwanted port open on the KDC server for security reasons. Make sure that by running NMAP or by Doing A netstat.
  2. Restrict all other subnet/IP's that do not require access/authentication to this KDC machine.

Setting REALM for Kerberos

Its a common convention in kerberos deloyment to select the domain name in all CAPS as the Kerberos REALM. One important thing to note here is that REALM Name's are always case sensitive.

The first step in configuring Kerberos is editing the file, /etc/krb5.conf as follows. Suppose we need to configure our REALM for the domain slashroot.in, lets keep our REALM name as SLASHROOT.IN and our /etc/krb5.conf will be as follows.

[root@myvm1 ~]# cat /etc/krb5.conf
 default_realm = SLASHROOT.IN
[realms]
 SLASHROOT.IN = {
  kdc = kerberos.slashroot.in:88     #this lists the kdc server for the realm
  admin_server = kerberos.slashroot.in:749 #admin server where all database modifications are done
  default_domain = slashroot.in
 }
[domain_realm]
 .slashroot.in = SLASHROOT.IN
 slashroot.in = SLASHROOT.IN

Most of the above mentioned entries are self explanatory.

default_realm (this is the local realm or default realm)

kdc (this option specifies the KDC servers in the realm,. You can add multiple KDC servers with different kdc argument.)

 

Now lets create the kerberos database

this can be done as shown below.

[root@myvm1 ~]# /usr/kerberos/sbin/kdb5_util create -s
Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SLASHROOT.IN', master key name 'K/M@SLASHROOT.IN' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify:

the -s option creates a stash file, which will be helpful in automatically authenticate.

You can also use -r option to specify REALM, but that is not required if you only have one REALM mentioned in krb5.conf file.

Kerberos will ask for a master password for the database.

Our Next step is editing the acl file /var/Kerberos/krb5kdc/kadm5.acl.  by default this file will contain something like the following.

*/admin@EXAMPLE.COM     *

We need to edit it to suite our REALM,

*/admin@SLASHROOT.IN     *

this is the permission for accessing the database. the entry means that the user accounts whoes entry ends with  /admin in our SLASHROOT.IN realm will be getting full permission for access to KDC.

Now lets create that /admin user for our realm SLASHROOT.IN.

this can be done by the following method.

[root@myvm1 ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@SLASHROOT.IN with password.
WARNING: no policy specified for admin/admin@SLASHROOT.IN; defaulting to no policy
Enter password for principal "admin/admin@SLASHROOT.IN":
Re-enter password for principal "admin/admin@SLASHROOT.IN":
Principal "admin/admin@SLASHROOT.IN" created.

the "kadmin.local" command will run only on the root console of the KDC server. addprinc stands for add principal(if you remember we explained it in our previous posts what is principals in kerberos). Even admin user is also a principal.

Kerberos Server Process

the daemons that require to be running on the kerberos server are as follows.

  1. krb5kdc
  2. kadmin

both of them must be configured to start on boot with chkconfig command as follows.

chkconfig kadmin on

chkconfig krb5kdc on

[root@myvm1 ~]# /etc/init.d/krb5kdc start
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@myvm1 ~]# /etc/init.d/kadmin start
Starting Kerberos 5 Admin Server:                          [  OK  ]
[root@myvm1 ~]#

Now after starting both these above process we are done with configuring KDC.

Creating Users Or Principals in Kerberos

creating users or principals in kerberos can be done as below.

[root@myvm1 ~]# kadmin.local
Authenticating as principal root/admin@SLASHROOT.IN with password.
kadmin.local:  addprinc sarath
WARNING: no policy specified for sarath@SLASHROOT.IN; defaulting to no policy
Enter password for principal "sarath@SLASHROOT.IN":
Re-enter password for principal "sarath@SLASHROOT.IN":
Principal "sarath@SLASHROOT.IN" created.

adding a script to create large number of user is advisable. Our KDC server is ready with almost all the configuration.. In the next post we will be discussing NTP configuration, and client configuration..

Rate this article: 
Average: 3.8 (40 votes)

Comments

Post the setting-up Client & NTP.

hello my question is i have a kerberos server setup and 2 machines of kerberos client machine and i have a two user in a kerberos server name is abc user and second is xyz and i need that abc user is able to login to client machine 1 but not able to login to client machine 2 and same with as xyz user that xyz user is able to login to client machine 2 but not able to login to client machine 1 via kerberos server .Please tell me how to do this.

Hello,
Can you please point me to any sample code for C++ kerberos authentication login with SQL Server?

Thanks,
Vyomkesh

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.