Installation guide

ManualsBrandsPythonQ ManualsIndustrial248-8XX

141

142

143

144

145

146

147

148

149

150

Chapter 10. Kerberos 141

KDC from kerberos.example.com to the name of your Kerberos server. By convention,

all realm names are uppercase and all DNS hostnames and domain names are lowercase. For

full details on the formats of these ﬁles, see their respective man pages.

4. Create the database using the kdb5_util utility from a shell prompt:

/usr/kerberos/sbin/kdb5_util create -s

The create command creates the database that will be used to store keys for your Kerberos

realm. The -s switch forces creation of a stash ﬁle in which the master server key is stored. If

no stash ﬁle is present from which to read the key, the Kerberos server (krb5kdc) will prompt

the user for the master server password (which can be used to regenerate the key) every time it

starts.

5. Edit the /var/kerberos/krb5kdc/kadm5.acl ﬁle. This ﬁle is used by kadmind to deter-

mine which principals have access to the Kerberos database and their level of access. Most

organizations will be able to get by with a single line:

*/admin@EXAMPLE.COM *

Most users will be represented in the database by a single principal (with a NULL, or empty,

instance, such as joe@EXAMPLE.COM). With this conﬁguration, users with a second principal

with an instance of admin (for example, joe/admin@EXAMPLE.COM) will be able to wield full

power over the realm’s Kerberos database.

Once kadmind is started on the server, any user will be able to access its services by run-

ning kadmin on any of the clients or servers in the realm. However, only users listed in the

kadm5.acl ﬁle will be able to modify the database in any way, except for changing their own

passwords.

Note

The kadmin utility communicates with the kadmind server over the network, and they use

Kerberos to handle authentication. Of course, you need to create the ﬁrst principal before you

can connect to the server over the network to administer it. Create the ﬁrst principal with the

kadmin.local command, which is speciﬁcally designed to be used on the same host as the

KDC and does not use Kerberos for authentication.

Type the following kadmin.local command at the KDC terminal to create the ﬁrst principal:

/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"

6. Start Kerberos using the following commands:

/sbin/service krb5kdc start

/sbin/service kadmin start

/sbin/service krb524 start

7. Add principals for your users using the addprinc command with kadmin. kadmin and kad-

min.local on the master KDC are a command line interfaces to the Kerberos administration

system. As such, many commands are available after launching the kadmin program. Please

see the kadmin man page for more information.

8. Verify that your server will issue tickets. First, run kinit to obtain a ticket and store it in

a credential cache ﬁle. Then use klist to view the list of credentials in your cache and use

kdestroy to destroy the cache and the credentials it contains.

Note

By default, kinit attempts to authenticate using the login user name of the account you used

when you ﬁrst logged into your system (not the Kerberos server). If that system user name does

not correspond to a principal in the Kerberos database, you will receive an error message. If

that happens, supply kinit with the name of your principal as an argument on the command

line (kinit principal).