From Fedora Project Wiki

Revision as of 10:09, 27 June 2018 by Smani (talk | contribs) (Fix path)

This document describes the steps to configure and run a kerberos KDC server. The document was created during the NFSv4 Test Day held on 2010-02-04 to help participants who chose to create their own KDC server.

Install the krb5-libs, krb5-server, and krb5-workstation packages if you have not done so already.

yum -y install krb5-libs krb5-server krb5-workstation

Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. The /etc/krb5.conf example below uses the domain redhat.com and the realm REDHAT.COM; replace <KDC server hostname> with the hostname of your KDC.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 REDHAT.COM = {
  kdc = <KDC server hostname>:88
  admin_server = <KDC server hostname>:749
 }

[domain_realm]
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

Create the database using the kdb5_util utility from a shell prompt (the -s option writes the master key to a stash file so the KDC can start without prompting for the master password):

/usr/sbin/kdb5_util create -s

Configure the KDC server to synchronize its clock using NTP. Kerberos relies on the KDC and its clients agreeing on the time; a clock that drifts too far will cause ticket requests to be rejected.

service ntpd restart

Edit the /var/kerberos/krb5kdc/kadm5.acl file so that it contains only the following line, which grants full administrative rights to every principal with an /admin instance:

*/admin *

Type the following kadmin.local command at the KDC terminal to create the first principal:

/usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"

Modify the firewall rules to allow Kerberos communications, or disable the firewall temporarily. The commands below take the second route and flush all rules, which removes every firewall filter; for anything other than a short-lived test setup, open only the KDC port (88) and the kadmin port (749) listed in the realm configuration instead.

iptables -F
ip6tables -F

Start Kerberos using the following commands:

/sbin/service krb5kdc start
/sbin/service kadmin start
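Before starting the daemons it is worth checking that the edited krb5.conf is internally consistent. The following sanity check is an added example, not part of the original wiki page; it verifies that the default realm is upper-case, that the [realms] section defines it, that the <KDC server hostname> placeholders were replaced, and that every [domain_realm] mapping points at that realm. The sample configuration it writes is constructed (the hostname kdc.example.test is made up) so the script runs offline.

```shell
#!/bin/sh
# check_krb5_conf FILE: sanity-check the realm settings in a krb5.conf before
# starting the KDC. Prints one line per problem; returns 0 only if none found.
check_krb5_conf() {
    conf="$1"; rc=0
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$conf" \
            | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }
    # Realm names are upper-case by convention; a lower-case one is usually a typo.
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "default_realm '$realm' is not upper-case"; rc=1
    fi
    # The [realms] section must define the default realm (dots escaped for grep).
    esc=$(printf '%s' "$realm" | sed 's/\./\\./g')
    if ! grep -q "^[[:space:]]*$esc[[:space:]]*=[[:space:]]*{" "$conf"; then
        echo "[realms] has no entry for $realm"; rc=1
    fi
    # The template's "<KDC server hostname>" placeholders must have been replaced.
    if grep -q '<KDC server hostname>' "$conf"; then
        echo "placeholder '<KDC server hostname>' still present"; rc=1
    fi
    # Every [domain_realm] mapping should point at the default realm.
    bad=$(sed -n '/^\[domain_realm\]/,/^\[/p' "$conf" \
          | sed -n 's/^[[:space:]]*[^[:space:]=]*[[:space:]]*=[[:space:]]*//p' \
          | sed 's/[[:space:]]*$//' | grep -Fvxc "$realm")
    if [ "$bad" -gt 0 ]; then
        echo "$bad [domain_realm] mapping(s) point at another realm"; rc=1
    fi
    return $rc
}

# Constructed sample for a stand-alone run; the hostname kdc.example.test is made up.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = REDHAT.COM
[realms]
 REDHAT.COM = {
  kdc = kdc.example.test:88
  admin_server = kdc.example.test:749
 }
[domain_realm]
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM
EOF
}

tmp=$(mktemp); write_sample_conf "$tmp"
check_krb5_conf "$tmp" && echo "krb5.conf looks consistent"; rm -f "$tmp"
```

To check the real file, run check_krb5_conf /etc/krb5.conf and fix anything it reports before starting krb5kdc.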