Tuesday, December 28, 2004

Configuring Kerberos Server

OK guys, this is how I configure Kerberos 5 (MIT Kerberos; the paths below are the Red Hat / Fedora ones, the realm is INDEX.COM and the KDC host is muruga.index.com).

1) /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = INDEX.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
INDEX.COM = {
kdc = muruga.index.com:88
admin_server = muruga.index.com:749
default_domain = index.com
}

[domain_realm]
.index.com = INDEX.COM
index.com = INDEX.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

2) /etc/krb.conf (this file and krb.realms in step 3 are Kerberos 4 compatibility files; skip them if you have no v4 clients)
INDEX.COM
INDEX.COM muruga.index.com:88
INDEX.COM kerberos.index.com:750 admin server

3) /etc/krb.realms
.index.com INDEX.COM

4) /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
kdc_ports = 88,749

[realms]
INDEX.COM = {
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}

6) /var/kerberos/krb5kdc/kadm5.acl
root@INDEX.COM *

The log files, as set in the [logging] section of krb5.conf, are /var/log/kadmind.log, /var/log/krb5kdc.log and /var/log/krb5libs.log.
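Before the daemons are started it is worth checking the files above for the two things that most often stop a fresh KDC or weaken it: a realm name that is not spelled identically in krb5.conf and kdc.conf, and settings that were the defaults in 2004 but should not be copied today (single-DES and RC4 enctypes, Kerberos 4 mode). The checker below is an added example written for this page; it is not part of the original post and not an MIT Kerberos tool. The two sample inputs are constructed from the values above (abridged), and the hardened variant with AES enctypes is my own suggestion, assuming the KDC build supports AES.

```python
"""Lint a krb5.conf / kdc.conf pair before the KDC is started (added example, not the post's code)."""
import re

# Constructed inputs, abridged from the post's files above.
KRB5_CONF = """\
[libdefaults]
default_realm = INDEX.COM

[realms]
INDEX.COM = {
kdc = muruga.index.com:88
admin_server = muruga.index.com:749
}
"""

KDC_CONF = """\
[kdcdefaults]
v4_mode = nopreauth
kdc_ports = 88,749

[realms]
INDEX.COM = {
master_key_type = des-cbc-crc
supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
"""

# Same realm with the enctypes to use today (assumption: the KDC build supports AES).
HARDENED_KDC_CONF = """\
[kdcdefaults]
kdc_ports = 88

[realms]
INDEX.COM = {
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
}
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
OPEN_RE = re.compile(r"^(\S+)\s*=\s*\{$")
ENTRY_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")  # single DES, 3DES, RC4: deprecated by RFC 6649 / RFC 8429

def parse_profile(text):
    """Parse the MIT profile format into {section: {key: [values]}}; subsections nest as dicts."""
    profile, stack = {}, []  # stack[-1] is the container currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if m := SECTION_RE.match(line):
            stack = [profile.setdefault(m.group(1), {})]
        elif not stack:
            raise ValueError(f"entry before any [section]: {line!r}")
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif m := OPEN_RE.match(line):
            sub = {}
            stack[-1][m.group(1)] = sub
            stack.append(sub)
        elif m := ENTRY_RE.match(line):
            stack[-1].setdefault(m.group(1), []).append(m.group(2).strip())
        else:
            raise ValueError(f"cannot parse: {line!r}")
    if len(stack) > 1:
        raise ValueError("unterminated '{'")
    return profile

def first(section, key, default=None):
    v = section.get(key)  # plain entries are lists; subsections are dicts and are skipped
    return v[0] if isinstance(v, list) else default

def check_kdc_config(krb5_text, kdc_text):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    krb5, kdc = parse_profile(krb5_text), parse_profile(kdc_text)
    realm = first(krb5.get("libdefaults", {}), "default_realm", "")
    served, findings = kdc.get("realms", {}), []
    # The realm must be spelled identically in both files, or the KDC serves nothing the clients ask for.
    if realm not in krb5.get("realms", {}):
        findings.append(("REALM_NOT_IN_KRB5", f"default_realm {realm!r} has no krb5.conf [realms] entry"))
    if realm not in served:
        findings.append(("REALM_NOT_IN_KDC", f"default_realm {realm!r} has no kdc.conf [realms] entry"))
    # DES/RC4-class keys are breakable today and should not be offered at all.
    for name, sub in served.items():
        if not isinstance(sub, dict):
            continue
        mk = first(sub, "master_key_type", "")
        if mk.startswith(WEAK_PREFIXES):
            findings.append(("WEAK_MASTER_KEY", f"{name}: master_key_type {mk}"))
        for token in first(sub, "supported_enctypes", "").split():
            if token.split(":", 1)[0].startswith(WEAK_PREFIXES):
                findings.append(("WEAK_ENCTYPE", f"{name}: offers {token}"))
    if first(kdc.get("kdcdefaults", {}), "v4_mode", "none") != "none":
        findings.append(("KRB4_ENABLED", "v4_mode leaves the DES-only Kerberos 4 protocol answered"))
    return findings
```

Running check_kdc_config(KRB5_CONF, KDC_CONF) flags the DES master key, all nine DES/3DES/RC4 entries of supported_enctypes and the v4_mode setting; the hardened variant comes back clean. The parser is deliberately strict (it raises on an unterminated `{` or a line it cannot read) because a silently half-parsed kdc.conf is exactly how a realm ends up with the wrong enctypes.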

7) First we create the database with this command

kdb5_util create -s

This asks for the master password; enter it (twice). The -s flag stashes the master key in a stash file in the KDC directory so krb5kdc can start without prompting; that file must stay readable by root only.

8) Now enter the following

kadmin.local -p root@INDEX.COM

kadmin.local works on the database directly as root, so it needs no ticket and no running kadmind. It takes us to the kadmin console. Do as follows

kadmin.local: addprinc root@INDEX.COM

It asks for a password. Enter it (this is the admin principal named in kadm5.acl, so pick a strong one).

9) Now we need to add the host principal.

kadmin.local: addprinc -randkey host/muruga.index.com

-randkey gives the host a random key instead of a password; the key only ever lives in the keytab (step 11).

10) Now start the Kerberos servers (Red Hat init scripts).

service krb5kdc start
service kadmin start

11) Next we need to set up the keytab file as follows.

kadmin -p root@INDEX.COM
kadmin: ktadd host/muruga.index.com

ktadd writes the host key into /etc/krb5.keytab. Keep that file owned by root with mode 600: anyone who can read it holds the host's key.

12) On the workstation, copy krb5.conf from the server to the client and use the Kerberised clients such as telnet and ftp.

OK boys, that's it for now.
