Configuring a Kerberos 5 Server
To configure a basic Kerberos server, follow these steps:
1. Be sure that you have clock synchronization and DNS working on your server before configuring Kerberos 5. Pay particular attention to time synchronization between the Kerberos server and its various clients. If the server and client clocks are different by more than five minutes (this default amount is configurable in Kerberos 5), Kerberos clients will not be able to authenticate to the server. This clock synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.
You should set up a Network Time Protocol (NTP) compatible client/server network even if you are not using Kerberos. Red Hat Linux includes the ntp package for easy installation. See /usr/share/doc/ntp-<version-number>/index.htm for details on setting up Network Time Protocol servers and http://www.ntp.org/ for additional information on NTP.
2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which will run the KDC. This machine needs to be very secure — if possible, it should not run any services other than the KDC (Kerberos Server/Key Distribution Center).
# yum install krb5-libs krb5-server krb5-workstation
If you would like to use a graphical user interface utility to administrate Kerberos, you should also install the gnome-kerberos package. It contains krb5, a GUI tool for managing tickets.
3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect your realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with your domain name — being certain to keep uppercase and lowercase names in the correct format — and by changing the KDC from kerberos.example.com to the name of your Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details on the formats of these files, see their respective man pages.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = manoj.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
manoj.COM = {
kdc = manoj.com:88
admin_server = manoj.com:749
default_domain = manoj.com
}
[domain_realm]
.manoj.com = manoj.COM
manoj.com = manoj.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
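As an added check for step 3 (example code, not from the original post): a POSIX shell function that reads a krb5.conf and reports realm names that are not uppercase, hostnames that are not lowercase, and default_realm or [domain_realm] entries that point at a realm missing from [realms]. It is run here on a constructed copy of the post's own configuration, which it flags because manoj.COM is mixed-case.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a krb5.conf against
# the step 3 conventions (realm names uppercase, DNS names lowercase) and verify
# that default_realm and every [domain_realm] mapping refer to a realm that is
# actually defined under [realms].

# Constructed sample: the relevant sections of the post's own krb5.conf.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = manoj.COM
[realms]
 manoj.COM = {
  kdc = manoj.com:88
  admin_server = manoj.com:749
 }
[domain_realm]
 .manoj.com = manoj.COM
 manoj.com = manoj.COM
'

# check_krb5_conf: read a krb5.conf on stdin, print one line per finding.
# Returns 0 when the file is clean, 1 when at least one finding was printed.
check_krb5_conf() {
    awk '
    function check_realm(r) {
        if (r != toupper(r) && !(r in seen)) { seen[r] = 1; n++; print "realm not uppercase: " r }
    }
    function check_host(h) {
        sub(/:[0-9]+$/, "", h)                              # drop a trailing :port
        if (h != tolower(h)) { n++; print "hostname not lowercase: " h }
    }
    /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }   # [section] header
    /^[ \t]*#/ || /^[ \t]*$/ { next }                             # comments and blanks
    {
        line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (line == "}") next
        split(line, kv, /[ \t]*=[ \t]*/); key = kv[1]; val = kv[2]
        if (sect == "libdefaults" && key == "default_realm") { def = val; check_realm(val) }
        if (sect == "realms" && val == "{") { defined[key] = 1; check_realm(key) }
        if (sect == "realms" && (key == "kdc" || key == "admin_server")) check_host(val)
        if (sect == "domain_realm") { check_host(key); map[key] = val; check_realm(val) }
    }
    END {
        if (def != "" && !(def in defined)) { n++; print "default_realm not defined in [realms]: " def }
        for (d in map) if (!(map[d] in defined)) { n++; print "domain_realm maps to undefined realm: " d " -> " map[d] }
        exit (n > 0)
    }'
}

# Usage: printf '%s' "$SAMPLE_KRB5_CONF" | check_krb5_conf
```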
4. Create the database using the kdb5_util utility from a shell prompt:
/usr/kerberos/sbin/kdb5_util create -s
5. The create command creates the database that will be used to store keys for your Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc) will prompt the user for the master server password (which can be used to regenerate the key) every time it starts.
6. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations will be able to get by with a single line:
*/admin@EXAMPLE.COM *
Replace EXAMPLE.COM with your realm name (for example, manoj.COM).
Most users will be represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). With this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) will be able to wield full power over the realm’s Kerberos database. Once kadmind is started on the server, any user will be able to access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file will be able to modify the database in any way, except for changing their own passwords.
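To see how the kadm5.acl line above is applied (an added example, not part of the original post or of MIT Kerberos): POSIX shell functions that match a principal against kadm5.acl patterns and return the permission field of the first matching line, run over a constructed two-line ACL. It assumes an explicit @REALM on both principal and pattern and does not model uppercase (negating) permission letters.

```shell
# Added example, not from the original post: resolve what a kadm5.acl grants a
# principal. Lines are tried in order and the first match wins (this is how the
# example models kadmind); "*" matches one whole component and component counts
# must agree, so */admin@EXAMPLE.COM matches joe/admin@EXAMPLE.COM but not
# joe@EXAMPLE.COM. Assumes an explicit @REALM on both principal and pattern.
# Constructed sample ACL: the post's single recommended line, preceded by a
# narrower helpdesk entry limited to changepw (c), inquire (i) and list (l).
SAMPLE_KADM5_ACL='# principal                 permissions
helpdesk/admin@EXAMPLE.COM  cil
*/admin@EXAMPLE.COM         *
'

# principal_matches PRINCIPAL PATTERN: return 0 if PATTERN matches PRINCIPAL.
principal_matches() {
    p=${1%@*}; prealm=${1##*@}
    q=${2%@*}; qrealm=${2##*@}
    [ "$prealm" = "$qrealm" ] || return 1
    while :; do
        pc=${p%%/*}; qc=${q%%/*}                  # next component of each side
        case $pc in $qc) ;; *) return 1 ;; esac   # unquoted $qc acts as a glob
        [ "$p" = "$pc" ] && pdone=1 || pdone=0    # was that the last component?
        [ "$q" = "$qc" ] && qdone=1 || qdone=0
        if [ "$pdone" = 1 ] || [ "$qdone" = 1 ]; then
            [ "$pdone" = "$qdone" ] && return 0 || return 1
        fi
        p=${p#*/}; q=${q#*/}
    done
}

# kadm5_acl_perms PRINCIPAL ACL_TEXT: print the permission field of the first
# matching line; return 1 when nothing matches (kadmind would deny).
kadm5_acl_perms() {
    while read -r pat perms _rest; do
        case $pat in ''|'#'*) continue ;; esac    # skip blank and comment lines
        if principal_matches "$1" "$pat"; then
            printf '%s\n' "$perms"
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}
# acl_allows PRINCIPAL LETTER ACL_TEXT: 0 if the matching entry grants LETTER
# ("*" and "x" grant everything; uppercase negating letters are not modelled).
acl_allows() {
    perms=$(kadm5_acl_perms "$1" "$3") || return 1
    case $perms in '*'|*x*|*"$2"*) return 0 ;; esac
    return 1
}
```

Because the first match wins, the helpdesk line must precede the wildcard line or it would never be reached.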
Note:
The kadmin utility communicates with the kadmind server over the network, and they use Kerberos to handle authentication. Of course, you need to create the first principal before you can connect to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.
7. Type the following kadmin.local command at the KDC terminal to create the first principal:
# /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
8. Start Kerberos using the following commands:
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
kadmind
The kadmind command starts the administrative server. It runs on the Kerberos server that stores the Kerberos principal database and the policy database, and it accepts password change requests and remote requests to administer the information in these databases.
kadmind requires the following configuration files to be set for it to work:
kdc.conf
The KDC configuration file contains configuration information for the KDC and the KADM5 system.
keytab
kadmind requires a keytab containing the keys for the kadmin/admin and kadmin/changepw principals for every realm that kadmind will answer requests for. This admin keytab can be created with kadmin.local. The location of the keytab is determined by the admin_keytab configuration variable in the kdc.conf file.
ACL file
kadmind’s access control list (ACL) restricts it as to which principals are allowed to perform administration actions. The path of the ACL file is specified via the acl_file configuration variable in the kdc.conf file.
kadmin and kadmin.local
These utilities provide a unified administration interface for the Kerberos database. Kerberos administrators use these utilities to create new users and services for the master database, and to modify information for the existing database entries.
Both utilities provide for maintenance of Kerberos principals, policies, and service key tables (keytabs). They exist as a Kerberos client, kadmin, and a local client, kadmin.local.
The kadmin utility uses Kerberos authentication and a Remote Procedure Call (RPC) to operate securely from anywhere on the network.
kadmin.local is intended to run directly on the KDC without any Kerberos authentication. Normal UNIX users cannot execute this command; the kadmin.local prompt appears only if you are the root user.
Getting the kadmin to work
kadmin allows you to administer the Kerberos database remotely (and securely). If you just run kadmin, you may obtain an error message as shown below:
kadmin: Client not found in Kerberos database while initializing kadmin interface
To be able to use the kadmin interface, you need to register yourself as a database administrator.
Adding users to the Kerberos database
/usr/kerberos/sbin/kadmin.local -q "addprinc manoj/admin"
On the KDC machine, in kadmin.local, you can add the administrator role:
kadmin.local: addprinc jar/admin
Enter password for principal "jar/admin@finance.bambi.com": <your_password>
Re-enter password for principal "jar/admin@finance.bambi.com": <your_password>
Principal "jar/admin@finance.bambi.com" created
kadmin.local: quit
Now you can access kadmin on the Kerberos server. For example,
/usr/kerberos/sbin/kadmin -p jar/admin
Password for jar/admin@manoj.COM:
On the client side
/usr/kerberos/bin/kinit -p manoj/admin
Password for manoj/admin@manoj.COM:
How to comment lines in vi
March 2nd, 2011
If you need to comment out the next 10 lines in vi, run this command in command mode:
:.,+10s/^/#
This comments out the next 10 lines; change the number as needed.