From Fedora Project Wiki

Revision as of 16:05, 3 February 2010 by Jlaska (talk | contribs) (wording)

This document describes the steps to configure and run a kerberos KDC server. The document was created during the NFSv4 Test Day held on 2010-02-04 to help participants who chose to create their own KDC server.

  1. Install the krb5-libs, krb5-server, and krb5-workstation packages if you have not already done so:
    yum -y install krb5-libs krb5-server krb5-workstation
  2. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect your realm name and domain-to-realm mappings. For example, for the domain .redhat.com, /etc/krb5.conf would contain the following (replace <KDC server hostname> with the fully qualified hostname of your KDC):
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
      default_realm = REDHAT.COM
      dns_lookup_realm = false
      dns_lookup_kdc = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = yes

    [realms]
      REDHAT.COM = {
        kdc = <KDC server hostname>:88
        admin_server = <KDC server hostname>:749
      }

    [domain_realm]
      .redhat.com = REDHAT.COM
      redhat.com = REDHAT.COM
  3. Create the database using the kdb5_util utility from a shell prompt:
    /usr/kerberos/sbin/kdb5_util create -s
  4. Configure the KDC server to keep its clock synchronized with NTP; Kerberos rejects requests from clients whose clocks differ from the KDC's by more than the permitted skew, so an unsynchronized KDC will break later Kerberos communication.
    service ntpd restart
  5. Edit the /var/kerberos/krb5kdc/kadm5.acl file so that it contains only this line:
    */admin *
  6. Type the following kadmin.local command at the KDC terminal to create the first principal:
    /usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"
  7. Modify the firewall rules to allow Kerberos communication (the KDC on port 88 and kadmin on port 749, as configured above), or flush the rules to disable the firewall temporarily:
    iptables -F
    ip6tables -F
  8. Start Kerberos using the following commands:
    /sbin/service krb5kdc start
    /sbin/service kadmin start
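The krb5.conf template in step 2 has to be edited by hand for each realm, and a leftover <KDC server hostname> placeholder or a lower-case realm name is a common reason a freshly started KDC refuses tickets. The following shell script is an added example, not part of the wiki page: gen_krb5_conf renders that template for a given domain and KDC host, and lint_krb5_conf checks a krb5.conf for those mistakes before krb5kdc is started (both function names are chosen here).

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): render the step-2 krb5.conf
# template and lint the result before starting the KDC.

# gen_krb5_conf DOMAIN KDC_HOST -> prints krb5.conf; realm is DOMAIN upper-cased
gen_krb5_conf() {
    domain="$1"
    kdc_host="$2"
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
[realms]
 $realm = {
  kdc = $kdc_host:88
  admin_server = $kdc_host:749
 }
[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# lint_krb5_conf FILE -> returns 0 if all checks pass, 1 otherwise (reasons on stderr)
lint_krb5_conf() {
    f="$1"; status=0
    # the wiki template's placeholder was never replaced with a real hostname
    grep -q '<KDC server hostname>' "$f" && { echo "lint: placeholder <KDC server hostname> still present" >&2; status=1; }
    # realm names are case-sensitive; the KDC database is created for the upper-case realm
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f")
    if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "lint: default_realm missing or not upper-case: '$realm'" >&2; status=1
    fi
    # the test-day KDC is pinned in [realms]; DNS-based KDC discovery should stay off
    grep -q '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*false' "$f" || { echo "lint: dns_lookup_kdc is not false" >&2; status=1; }
    # the realm block must point kdc at port 88 and admin_server at port 749
    grep -q '^[[:space:]]*kdc[[:space:]]*=.*:88$' "$f" || { echo "lint: no kdc entry on port 88" >&2; status=1; }
    grep -q '^[[:space:]]*admin_server[[:space:]]*=.*:749$' "$f" || { echo "lint: no admin_server entry on port 749" >&2; status=1; }
    return $status
}
```

Run it as `gen_krb5_conf redhat.com kdc.example.org > /etc/krb5.conf && lint_krb5_conf /etc/krb5.conf` before step 3, substituting your own domain and KDC hostname.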