4.11. Getting Started with Kerberos
Problem
You want to set up an MIT Kerberos-5 Key Distribution Center (KDC).
Solution
Confirm that Kerberos is installed; if not, install the necessary Red Hat packages:
$ rpm -q krb5-server krb5-workstation
Add /usr/kerberos/bin and /usr/kerberos/sbin to your search path.
Choose a realm name (normally your DNS domain), and in the following files:
/etc/krb5.conf
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kadm5.acl
replace all occurrences of EXAMPLE.COM with your realm and domain.
Create the KDC principal database, and choose a master password:
# kdb5_util create
Start the KDC:
# krb5kdc [-m]
Set up a Kerberos principal for yourself with administrative privileges, and a host principal for the KDC host. (Note the prompt is “kadmin.local:”.) Suppose your KDC host is kirby.dogood.org:
# kadmin.local [-m]
kadmin.local: addpol users
kadmin.local: addpol admin
kadmin.local: addpol hosts
kadmin.local: ank -policy users username
kadmin.local: ank -policy admin username/admin
kadmin.local: ank -randkey -policy hosts host/kirby.dogood.org
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab \
        kadmin/admin kadmin/changepw
kadmin.local: quit
Start up the kadmin service:
# kadmind [-m]
Test by obtaining your own Kerberos user credentials, and listing them:
$ kinit
$ klist
Test the Kerberos administrative system (note the prompt is “kadmin:”):
$ kadmin
kadmin: listprincs
kadmin: quit
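The realm-substitution step above is the one most often done by hand and most often done incompletely (a leftover EXAMPLE.COM in kadm5.acl, for instance, silently grants admin rights to the wrong realm). The following script is an added example, not part of the recipe: it rewrites the placeholder realm and domain in the three configuration files and then checks that no placeholder survives. It assumes the realm is the upper-case form of your DNS domain (DOGOOD.ORG / dogood.org here, taken from the recipe's example host) and that neither value contains a slash. The sample files it builds are constructed stand-ins for the Red Hat defaults, created in a scratch directory so the script can be run without touching /etc or /var/kerberos.

```shell
#!/bin/sh
# Added example (not from the recipe): replace the EXAMPLE.COM / example.com
# placeholders in copies of krb5.conf, kdc.conf and kadm5.acl, then verify.
# Assumption: REALM is upper-case, DOMAIN is its lower-case DNS form, and
# neither contains a "/" (which would break the sed replacement).

# set_realm REALM DOMAIN FILE...
# Rewrite every placeholder in each FILE. Each file is edited via a temporary
# copy so a failed sed leaves the original untouched.
set_realm() {
    realm=$1; domain=$2; shift 2
    for f in "$@"; do
        sed -e "s/EXAMPLE\.COM/$realm/g" -e "s/example\.com/$domain/g" "$f" \
            > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# check_realm FILE...
# Return 0 when no placeholder (in either case) remains in any FILE, 1 otherwise.
# Run this after set_realm; a leftover in kadm5.acl is the one to catch.
check_realm() {
    if grep -l -i 'example\.com' "$@" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_sample DIR
# Constructed sample input: minimal versions of the three files as shipped
# with the placeholder realm, written into DIR for a safe dry run.
make_sample() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF
    cat > "$dir/kdc.conf" <<'EOF'
[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
 }
EOF
    cat > "$dir/kadm5.acl" <<'EOF'
*/admin@EXAMPLE.COM *
EOF
}

# Dry run against the constructed copies (real use: point set_realm at
# /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl).
demo() {
    d=$(mktemp -d)
    make_sample "$d"
    set_realm DOGOOD.ORG dogood.org "$d/krb5.conf" "$d/kdc.conf" "$d/kadm5.acl"
    if check_realm "$d/krb5.conf" "$d/kdc.conf" "$d/kadm5.acl"; then
        echo "ok: no placeholder realm left in $d"
    else
        echo "FAIL: placeholder realm still present in $d"
    fi
}
```

Running check_realm by itself against the live files is a quick sanity check before starting krb5kdc: the KDC will start happily with a half-edited configuration, and the mismatch only shows up later as a failed kinit or an ACL that does not match your admin principal.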
Discussion
When choosing a realm name, normally you should use the ...