From Fedora Project Wiki


Revision as of 09:41, 27 June 2018

This document describes the steps to configure and run a Kerberos KDC (key distribution center) server. The document was created during the NFSv4 Test Day held on 2010-02-04 to help participants who chose to create their own KDC server.

Install the krb5-libs, krb5-server, and krb5-workstation packages if you have not done so already.

yum -y install krb5-libs krb5-server krb5-workstation

Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and the domain-to-realm mappings. The realm name must match in both files: /etc/krb5.conf tells the Kerberos libraries (on the KDC host and on every client) which realm to use and where its KDC and admin server are, while the [realms] section of kdc.conf is what the KDC itself serves. Setting dns_lookup_realm and dns_lookup_kdc to false means clients trust only this file, not DNS records, to locate the realm and KDC. For example, for the domain redhat.com mapped to the realm REDHAT.COM, /etc/krb5.conf would contain the following (replace <KDC server hostname> with the fully qualified name of the KDC):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 REDHAT.COM = {
  kdc = <KDC server hostname>:88
  admin_server = <KDC server hostname>:749
 }

[domain_realm]
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

Create the realm database using the kdb5_util utility from a shell prompt. You will be prompted for the database master password; choose a strong one, since it protects every key in the realm. The -s option stashes the master key in a root-only stash file under /var/kerberos/krb5kdc so the KDC can start without a prompt; treat that file as the master key itself. (On current Fedora releases the Kerberos binaries are installed in /usr/sbin rather than /usr/kerberos/sbin, so the command is simply kdb5_util create -s.)

/usr/kerberos/sbin/kdb5_util create -s

Make sure the KDC's clock is synchronized with NTP. Kerberos authenticators carry timestamps, and the KDC rejects requests whose timestamp differs from its own clock by more than the allowed skew (5 minutes by default), so clients and the KDC must agree on the time. On Fedora releases that ship chrony instead of ntpd, restart chronyd instead.

service ntpd restart

Edit the /var/kerberos/krb5kdc/kadm5.acl file to contain only this line. It grants every principal whose instance is admin (for example root/admin@REDHAT.COM) all kadmin privileges, that is the right to create, modify and delete any principal in the realm, so create only the admin principals you actually need.

*/admin *

Type the following kadmin.local command at the KDC terminal to create the first principal. kadmin.local works directly on the local database as root, so it does not need the kadmin service to be running yet; it prompts for the new principal's password. The principal name root/admin matches the ACL entry above, so this account can then administer the realm remotely through kadmin.

/usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"

Modify the firewall rules to allow Kerberos traffic, or disable the firewall temporarily. The KDC listens on port 88 (UDP and TCP), kadmind on TCP port 749 and on port 464 (UDP and TCP) for password changes; a rule set that admits only those ports is preferable. The two commands below flush every rule from every chain, which with Fedora's default chain policies disables packet filtering entirely until the firewall service is restarted, so use them only on a throwaway test host.

iptables -F
ip6tables -F

Start the KDC and the admin server using the following commands. Once both daemons are running, obtaining a ticket for root/admin with kinit and listing it with klist confirms that the KDC is answering.

/sbin/service krb5kdc start
/sbin/service kadmin start
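The whole procedure above as one script, added here as an example and not part of the original wiki page or of the Fedora krb5 packages. It writes both configuration files from the realm, domain and KDC host name given in the environment (the defaults EXAMPLE.COM, example.com and kdc.example.com are placeholders), creates the database, the ACL and the first admin principal, opens only the Kerberos ports instead of flushing the firewall, starts the daemons and finally checks that a ticket can be obtained. Package names, paths and ports are those of the Fedora krb5 packages; the unqualified kdb5_util and kadmin.local assume the current /usr/sbin layout.

```shell
#!/bin/bash
# Added example, not part of the original wiki page: the eight steps above as
# one script for a single-host MIT Kerberos KDC on Fedora/RHEL. REALM, DOMAIN
# and KDC_HOST are placeholders, override them via the environment.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
DOMAIN="${DOMAIN:-example.com}"
KDC_HOST="${KDC_HOST:-kdc.example.com}"

# Step 2a: /etc/krb5.conf. dns_lookup_* = false means clients trust only this
# file, not DNS, to locate the realm and KDC.   args: REALM DOMAIN KDC_HOST
render_krb5_conf() {
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 $1 = {
  kdc = $3:88
  admin_server = $3:749
 }

[domain_realm]
 .$2 = $1
 $2 = $1
EOF
}

# Step 2b: /var/kerberos/krb5kdc/kdc.conf. The realm stanza names the ACL file
# written in step 5; only AES enctypes are offered.   args: REALM
render_kdc_conf() {
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# Step 7 without "iptables -F": admit only the Kerberos ports, 88 (KDC, UDP and
# TCP), 464 (kpasswd, UDP and TCP) and 749 (kadmin, TCP). Printed as commands
# so they can be reviewed before setup_kdc applies them.
kerberos_firewall_rules() {
    for proto in udp tcp; do
        echo "iptables -I INPUT -p $proto --dport 88 -j ACCEPT"
        echo "iptables -I INPUT -p $proto --dport 464 -j ACCEPT"
    done
    echo "iptables -I INPUT -p tcp --dport 749 -j ACCEPT"
}

# Steps 1-8 in order; must run as root and prompts twice (master password in
# step 3, admin password in step 6). kdb5_util and kadmin.local are on root's
# PATH (/usr/sbin) on current Fedora; /usr/kerberos/sbin is the older layout.
setup_kdc() {
    yum -y install krb5-libs krb5-server krb5-workstation
    render_krb5_conf "$REALM" "$DOMAIN" "$KDC_HOST" > /etc/krb5.conf
    render_kdc_conf "$REALM" > /var/kerberos/krb5kdc/kdc.conf
    # -s stashes the master key in /var/kerberos/krb5kdc/.k5.$REALM (mode 0600)
    # so the KDC can start unattended; guard that file like the key itself.
    kdb5_util create -s -r "$REALM"
    service ntpd restart                  # KDC default clock skew is 5 minutes
    echo '*/admin *' > /var/kerberos/krb5kdc/kadm5.acl
    kadmin.local -q "addprinc root/admin@$REALM"
    kerberos_firewall_rules | sh -e
    service krb5kdc start
    service kadmin start
}

# Sanity check once the daemons run: a TGT for the admin principal proves the
# KDC answers on port 88 with the password set in step 6.
verify_kdc() {
    kinit "root/admin@$REALM" && klist && kdestroy
}

if [ "${1:-}" = "apply" ]; then
    setup_kdc
    verify_kdc
fi
```

Run it as root with the argument apply (for example REALM=REDHAT.COM DOMAIN=redhat.com KDC_HOST=kdc.redhat.com ./kdc-setup.sh apply); without the argument it only defines the functions, so the two render functions and the firewall rule list can be inspected first.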