How do I set up GSSAPI authentication with MIT Kerberos as Key Distribution Center (KDC)?

asked Dec 22 '10 at 19:56

SSH KB ♦


Setting up a MIT Kerberos Key Distribution Center (KDC)

Based on: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-kerberos-server.html

1. Install the MIT Kerberos software on the KDC host.
2. Configure the KDC. The kdc.conf file (usually in /var/kerberos/krb5kdc/kdc.conf) should be similar to the following:
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

[realms]
EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal
  allow-null-ticket-addresses = true
}
3. Configure krb5. The krb5.conf file (usually in /etc/krb5.conf) should be similar to the following:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes =  des-cbc-crc
 default_tgs_enctypes =  des-cbc-crc
 default_etypes = des-cbc-crc
 default_etypes_des = des-cbc-crc

[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal
  allow-null-ticket-addresses = true
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[login]
krb5_get_tickets = true
4. Create the database using kdb5_util.
$ /usr/kerberos/sbin/kdb5_util create -s
5. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations will be able to get by with a single line:
*/admin@EXAMPLE.COM  *
6. Create an admin user:
$ /usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
7. Start the kadmin, krb524 and krb5kdc processes:
$ /etc/init.d/kadmin start
$ /etc/init.d/krb524 start
$ /etc/init.d/krb5kdc start
8. Add principals for your users using the addprinc command with kadmin. You will need a principal for the users and also for the server. See the kadmin man page for more information. Below is an example on how to use kadmin:
Start kadmin:

$ kadmin 
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter password:
kadmin:  

Check that a principal exists for the ticket-granting service:
kadmin:  listprincs
....
krbtgt/EXAMPLE.COM@EXAMPLE.COM
....
kadmin: addprinc -randkey host/<server.example.com>
kadmin: addprinc -pw <password> <username>

When adding a principal for Windows use the following command:
kadmin: addprinc +requires_preauth -pw <password> <username> 
9. Add the principals you created to the keytab (default location /etc/krb5.keytab). Use kadmin:
kadmin: ktadd host/<server.example.com>
kadmin: ktadd <username>

Setting up the MIT Kerberos Client (Unix)

Based on: http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-kerberos-clients.html

1. Install the krb5-libs and krb5-workstation packages on all client machines.
2. Copy the /etc/krb5.conf file from the KDC machine.
3. Run klist; there should be no tickets in your cache.
4. Run kinit and enter your password, then run klist again. You should now have a TGT:
$ kinit user
Password for user@EXAMPLE.COM: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
08/24/11 16:42:07  08/25/11 02:42:07  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/24/11 16:42:07

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
5. Now you should be able to log in to the server you added to the KDC:
$ ssh2 -oAllowedAuthentications=gssapi <username>@<server.example.com>

Setting up the MIT Kerberos Client (Windows)

Based on: http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

1. In the Kerberos realm, create a host principal for the computer. Use the following commands to add the principal on the Unix KDC with kadmin:
kadmin: addprinc +requires_preauth -randkey host/<host.example.com>
kadmin: ktadd  host/<host.example.com>
Since a Kerberos realm is not a Windows 2000 domain, the computer must be configured as a member of a workgroup. This is automatic when you set the Kerberos realm and add a KDC server as follows:
C:> Ksetup /setdomain EXAMPLE.COM
C:> Ksetup /addkdc EXAMPLE.COM kdc.example.com 
Set the local machine account password as follows:
C:> Ksetup /setmachpassword password 
2. Restart your computer for the changes to take effect. (This is a required step.) Whenever changes are made to the external KDC and realm configuration, a restart is required.
3. Use Ksetup to configure single sign-on to local workstation accounts. Define the account mappings; this will map local machine accounts to Kerberos principals. For example:
C:> Ksetup /mapuser user@EXAMPLE.COM guest 
C:> Ksetup /mapuser * * 
Note that the second command maps clients to local accounts of the same name.
4. Use Ksetup with no arguments to see the current settings. (Note that the KDC servers are not shown.)
5. You should now be able to log in from the terminal (select the Kerberos domain) or over an ssh connection.

answered Dec 22 '10 at 20:00

Alan - Tectia Support ♦
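The configuration in the answer above is the Red Hat Linux 9 one and keys everything with single DES (des-cbc-crc), which current MIT Kerberos refuses by default (allow_weak_crypto = false) and which is trivially brute-forceable. The script below is an added example, not part of the answer and not Tectia's or MIT's code: it prints an AES-only kdc.conf and krb5.conf for the same realm, provides a check that flags DES/3DES/RC4 enctypes in an existing config, and prints the provisioning and verification commands for the SSH host and a user. It assumes realm EXAMPLE.COM, KDC host kdc.example.com, SSH server ssh.example.com, user principal alice and the /var/kerberos/krb5kdc paths; none of these hostnames or the user come from the page. Note also that ktadd randomizes the key of whatever principal it exports, so it is only run here for the host principal, never for a password-based user.

```shell
#!/bin/sh
# Added example (not from the original answer): hardened MIT Kerberos KDC
# configuration beside a check for the weak enctypes the RHL-9 configs use.
# Assumed, not from the page: the realm, hosts, user and paths below.
REALM=EXAMPLE.COM
KDC_HOST=kdc.example.com
SSH_HOST=ssh.example.com
USER_PRINC=alice
KDC_DIR=/var/kerberos/krb5kdc

# kdc.conf: AES master key, AES-only session keys, bounded ticket lifetimes.
hardened_kdc_conf() {
cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ${REALM} = {
  acl_file = ${KDC_DIR}/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = ${KDC_DIR}/kadm5.keytab
  master_key_type = aes256-cts-hmac-sha1-96
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }
EOF
}

# krb5.conf for the KDC and every client: explicit KDC, weak crypto refused.
hardened_krb5_conf() {
cat <<EOF
[libdefaults]
 default_realm = ${REALM}
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = false
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
 ${REALM} = {
  kdc = ${KDC_HOST}
  admin_server = ${KDC_HOST}
 }

[domain_realm]
 .example.com = ${REALM}
 example.com = ${REALM}
EOF
}

# Reads a krb5.conf/kdc.conf on stdin. Exit 0 if any uncommented line names a
# single-DES, 3DES or RC4 enctype, 1 otherwise.
has_weak_enctype() {
    sed 's/#.*//' | grep -Eq 'des-cbc-(crc|md4|md5)|des3-cbc-sha1|arcfour-hmac|rc4-hmac'
}

# Realm and principal creation. The user principal is deliberately NOT
# ktadd'ed: ktadd randomizes the key and would break the user's password,
# so only service (host/...) principals go into /etc/krb5.keytab.
provision_commands() {
cat <<EOF
kdb5_util create -s -r ${REALM}
kadmin.local -q "addprinc +requires_preauth -randkey host/${SSH_HOST}"
kadmin.local -q "ktadd -k /etc/krb5.keytab host/${SSH_HOST}"
kadmin.local -q "addprinc +requires_preauth ${USER_PRINC}"
kadmin.local -q "getprinc ${USER_PRINC}"
EOF
}

# Post-setup checks: the keytab must authenticate, and klist -e must show an
# AES enctype on both the TGT and the host service ticket.
verify_commands() {
cat <<EOF
kinit -kt /etc/krb5.keytab host/${SSH_HOST}
kvno host/${SSH_HOST}
klist -e
EOF
}

case "${1:-}" in
  --print) hardened_kdc_conf; echo; hardened_krb5_conf ;;
  --check) if has_weak_enctype < "${2:-/etc/krb5.conf}"; then
             echo "weak enctype configured in ${2:-/etc/krb5.conf}"; exit 1
           fi ;;
  --apply) hardened_kdc_conf > "${KDC_DIR}/kdc.conf"
           hardened_krb5_conf > /etc/krb5.conf
           sh -e -c "$(provision_commands)"
           sh -e -c "$(verify_commands)" ;;
esac
```

Run it with `--check /etc/krb5.conf` on an existing machine to see whether it still carries the DES settings from the answer, `--print` to review the generated files, and `--apply` as root on a fresh KDC; `kdb5_util create -s` prompts for the master password on the terminal, which is why the commands are passed with `sh -c` rather than piped on stdin. On the SSH server, `klist -e` after `kinit -kt` is the quickest way to confirm the host key and the service ticket are AES and not a leftover DES key from an older keytab.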

Last updated: Mar 02 '11 at 21:22

All user contributed content licensed under the cc-by-sa license.