Creating your realm

In this step, we will create the skeleton database files that will define the principals in our new realm. These steps are only performed on the master KDC server.

Just like with MIT Kerberos, we must create a few configuration files before we continue. Also, these configuration files are similar to the ones we use with MIT. They are broken into stanzas, or categories, contained in brackets, with key/value pairs separated by an equal sign. Our first file is /etc/krb5.conf . Here is a sample /etc/krb5.conf:

[libdefaults]
        default_realm = WEDGIE.ORG

[realms]
        WEDGIE.ORG = {
                kdc = 192.168.0.4
                admin_server = 192.168.0.4
        }

[domain_realm]
        .wedgie.org = WEDGIE.ORG

We’ll come back to examine the krb5.conf file format in more detail in the Appendix. For now, you’ll want to ensure that your default_realm parameter is set to the realm name you’re about to set up. Define your KDC address in the realms stanza, and that domain_realm contains a mapping from your KDC’s domain name (with a leading dot prepended) to your new realm name.

If your KDCs’ domain name is equal to the realm name (ignoring case), then you can omit the libdefaults and domain_realm stanzas, since the Kerberos libraries will be smart enough to figure those out on their own.

Heimdal can encrypt the KDC database on disk with a master key. Heimdal will save the password to a stash file also located in /var/heimdal. This feature is mostly used to protect backups of the KDC database from being easily readable by attackers, ...

Get Kerberos: The Definitive Guide now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial