Red Hat Linux 7.2: The Official Red Hat Linux Customization Guide
Kerberos is a network authentication protocol created by MIT. It uses
secret-key cryptography instead of plain-text passwords. Kerberos adds a
layer of system security and makes it harder for an unauthorized user to
intercept users' passwords. For more information on how Kerberos works,
refer to the Official Red Hat Linux Reference Guide.
When you're setting up Kerberos, install the server(s) first. If you
need to set up slave servers, the details of setting up relationships
between master and slave servers are covered in the Kerberos
5 Installation Guide (in the
/usr/share/doc/krb5-server-<version-number>
directory).
To install a Kerberos server:
Be sure that you have clock synchronization and DNS working on your
server before installing Kerberos 5. Pay particular attention to
time synchronization between the Kerberos server and its various
clients. If the server and client clocks are different by more than
five minutes (this default amount is configurable in Kerberos 5),
Kerberos clients will not be able to authenticate to the
server. This clock synchronization is necessary to prevent an
attacker from using an old authenticator to masquerade as a valid
user.
You should set up a Network Time Protocol (NTP) compatible
client/server network using Red Hat Linux, even if you aren't using
Kerberos. Red Hat Linux 7.2 includes the ntp
package for easy installation. See http://www.eecis.udel.edu/~ntp
for additional information on NTP.
Install the krb5-libs,
krb5-server, and
krb5-workstation packages on the dedicated
machine which will run your KDC. This machine needs to be secure
— if possible, it should not run any services other than the
KDC.
If you would like to use a Graphical User Interface (GUI) utility to
administrate Kerberos, you should also install the
gnome-kerberos package. It contains
krb5, a GUI tool for managing tickets, and
gkadmin, a GUI tool for managing Kerberos realms.
Edit the /etc/krb5.conf and
/var/kerberos/krb5kdc/kdc.conf configuration
files to reflect your realm name and domain-to-realm mappings. A
simple realm can be constructed by replacing instances of
EXAMPLE.COM and
example.com with your domain name (be
sure to keep uppercase and lowercase names in the correct format)
and by changing the KDC from
kerberos.example.com to the name of your
Kerberos server. By convention, all realm names are uppercase and
all DNS hostnames and domain names are lowercase. For full details
on the formats of these files, see their respective man pages.
Create the database using the kdb5_util utility
from a shell prompt:
    /usr/kerberos/sbin/kdb5_util create -s
The create command creates the database that will
be used to store keys for your Kerberos realm. The
-s switch forces creation of a
stash file in which the master server key is
stored. If no stash file is present from which to read the key, the
Kerberos server (krb5kdc) will prompt the user
for the master server password (which can be used to regenerate the
key) every time it is started.
Edit the /var/kerberos/krb5kdc/kadm5.acl file.
This file is used by kadmind to determine which
principals have access to the Kerberos database and their level of
access. Most organizations will be able to get by with a
single line:
    */admin@EXAMPLE.COM *
Most users will be represented in the database by a single principal
(with a NULL, or empty, instance, such as
joe@EXAMPLE.COM). With this configuration,
users with a second principal with an instance of
admin (for example,
joe/admin@EXAMPLE.COM) will be able to wield
full power over the realm's Kerberos database.
Once kadmind is started on the server, any user
will be able to access its services by running
kadmin or gkadmin on any of
the clients or servers in the realm. However, only users listed in
the kadm5.acl file will be able to modify the
database in any way, except for changing their own passwords.
Note: The kadmin and gkadmin utilities communicate with the kadmind
server over the network, and they use Kerberos to handle
authentication. Of course, you need to create the first principal
before you can connect to the server over the network to administer
it. Create the first principal with the kadmin.local command, which is
specifically designed to be used on the same host as the KDC and
doesn't use Kerberos for authentication.
Type the following kadmin.local command at the
KDC terminal to create the first principal:
    /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
Start Kerberos using the following commands:
    /sbin/service krb5kdc start
    /sbin/service kadmin start
    /sbin/service krb524 start
Add principals for your users using the addprinc
command with kadmin or using the
=> menu
option in gkadmin. kadmin (and
kadmin.local on the master KDC) is a command line
interface to the Kerberos administration system. As such, many
commands are available after launching the kadmin
program. Please see the kadmin man page for more
information.
Verify that your server will issue tickets. First, run
kinit to obtain a ticket and store it in a
credential cache file. Then use klist to view
the list of credentials in your cache and use
kdestroy to destroy the cache and the credentials
it contains.
Note: By default, kinit attempts to authenticate you using the login
username of the account you used when you first logged into your
system (not the Kerberos server). If that system username does not
correspond to a principal in your Kerberos database, you will get an
error message. If that happens, just give kinit the name of your
principal as an argument on the command line (kinit principal).
Once you have completed the steps listed above, your Kerberos server
should be up and running. Next, you will need to set up your Kerberos
clients.
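As an added example that is not part of the Red Hat guide, the following POSIX shell functions derive the settings the steps above have you edit by hand: the realm and domain-to-realm mapping for /etc/krb5.conf with the page's case convention enforced, the single kadm5.acl line the page describes, and the five-minute clock-skew rule from the first step. The domain and host values are constructed, and the KDC and admin-server port numbers are assumed to be the standard Kerberos defaults.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide.  Realm names are uppercase and
# DNS names lowercase (the page's convention); the kadm5.acl line gives every
# "admin"-instance principal full rights, as the page describes.  Ports 88 and
# 749 are assumed standard defaults; all domain/host values are constructed.

# Realm name for a DNS domain: the same string, uppercased.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Render the /etc/krb5.conf stanzas for one realm served by one KDC host
# (which also runs kadmind).  Hostnames are forced to lowercase.
krb5_conf_stanzas() {
    domain=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    kdc=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    realm=$(realm_for_domain "$domain")
    cat <<EOF
[libdefaults]
 default_realm = $realm

[realms]
 $realm = {
  kdc = $kdc:88
  admin_server = $kdc:749
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# The single kadm5.acl line: principals with an "admin" instance in this
# realm get every permission ("*"); everyone else may only change their
# own password.
kadm5_acl_line() {
    printf '*/admin@%s *\n' "$(realm_for_domain "$1")"
}

# Clock check from the first step: a client whose clock differs from the
# KDC's by more than 300 seconds (the default) cannot authenticate.
# Takes two epoch timestamps and an optional limit; returns 0 when OK.
clock_skew_ok() {
    delta=$(( $1 - $2 ))
    [ "$delta" -lt 0 ] && delta=$(( -delta ))
    [ "$delta" -le "${3:-300}" ]
}
```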
Disclaimer: For authoritative source or latest update to this
documentation, please refer to http://www.redhat.com/docs/manuals/linux/