From Fedora Project Wiki

m (Fix path)
m (Fix path)
 
Line 44: Line 44:
Type the following kadmin.local command at the KDC terminal to create the first principal:
Type the following kadmin.local command at the KDC terminal to create the first principal:
<pre>
<pre>
/usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"
/usr/sbin/kadmin.local -q "addprinc root/admin"
</pre>
</pre>
Modify the firewall rule to allow kerberos communications, or disable the firewall temporarily.
Modify the firewall rule to allow kerberos communications, or disable the firewall temporarily.

Latest revision as of 11:32, 27 June 2018

This document describes the steps to configure and run a kerberos KDC server. The document was created during the NFSv4 Test Day held on 2010-02-04 to help participants who chose to create their own KDC server.

Install the Package-x-generic-16.pngkrb5-libs, Package-x-generic-16.pngkrb5-server, and Package-x-generic-16.pngkrb5-workstation if have not done so.

yum -y install krb5-libs krb5-server krb5-workstation

Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. For example, for domain .redhat.com.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 REDHAT.COM = {
  kdc = <KDC server hostname>:88
  admin_server = <KDC server hostname>:749
 }

[domain_realm]
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM

Create the database using the kdb5_util utility from a shell prompt:

/usr/sbin/kdb5_util create -s

Configure the KDC server to sync time using NTP to sync the clock for later kerberos communications.

service ntpd restart

Edit the /var/kerberos/krb5kdc/kadm5.acl file to have only this line.

*/admin *

Type the following kadmin.local command at the KDC terminal to create the first principal:

/usr/sbin/kadmin.local -q "addprinc root/admin"

Modify the firewall rule to allow kerberos communications, or disable the firewall temporarily.

iptables -F
ip6tables -F

Start Kerberos using the following commands:

/sbin/service krb5kdc start
/sbin/service kadmin start