Ok. Guys, this is how I configure Kerberos 5
1) Files needed: /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf, /var/kerberos/krb5kdc/kadm5.acl
First add the realm to /etc/krb.conf
ENGINEER.NET.IN
Then to /etc/krb.realms
.ENGINEER.NET.IN
Watch out, there is a leading DOT there.
2) Log files are /var/log/kadmind.log, /var/log/krb5kdc.log and /var/log/krb5libs.log
3) First we have to create a database file. Assume the realm is engineer.net.in. Issue the following command
kdb5_util create -s -r engineer.net.in
This will create the database /var/kerberos/krb5kdc/principal for the realm. The master key name will be K/M@engineer.net.in, and it will prompt for a master password. Enter it. Now the realm is created. The -s option creates the stash file, which is needed by Kerberos to authenticate itself at boot time (without it, the daemons cannot open the database unattended).
4) Now issue
kdb5_util stash
It will prompt for the KDC database master key. Enter the password correctly and the stash file is created. Now reboot and look at the logs. They should show kadmind starting, "krb5kdc setting up network", and the daemons listening on port 88 (kdc) and 750 (admin server)
5) Now we need to add administrators to database as follows
/sbin/kadmin.local
This command takes us to a kadmin.local prompt. Do as follows
kadmin.local: addprinc root/admin@ENGINEER.NET.IN
This command will give us a warning. Ignore it the first time and give a password for this account. If the password is entered correctly twice, it reports that the principal was created
6) Now we need to create special entries for kadmin/admin and kadmin/changepw. These are used by the admin server, so it needs them in the kadmin keytab. Give the command as follows
/sbin/kadmin.local
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
7) Now we are ready to start the Kerberos daemon on the master KDC and also the kadmin daemon
/etc/init.d/krb5kdc restart
/etc/init.d/kadmind restart
8) To add a host, first go to kadmin on the server and issue the following command
addprinc -randkey host/pattabi.engineer.net.in
Then go to the workstation called pattabi and run kadmin (available after kinit), and issue
ktadd -k /etc/krb5.keytab host/pattabi.engineer.net.in
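Step 1 lists the three config files but does not show their contents. The script below is an added example, not part of the original post: it writes a krb5.conf, kdc.conf and kadm5.acl for the ENGINEER.NET.IN realm, using the database, keytab, ACL and log paths from the steps above. The post names no KDC host, so the host name passed in (kdc.engineer.net.in in the usage line) is an assumption.

```shell
# Added example, not from the original post: writes the three files listed in
# step 1 for one realm. The page names no KDC host, so the host passed in
# (kdc.engineer.net.in in the usage line) is an assumption.
# write_krb5_conf REALM KDCHOST OUTDIR : client/library config (/etc/krb5.conf)
write_krb5_conf() {
    realm=$1; kdchost=$2; out=$3/krb5.conf
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')   # ENGINEER.NET.IN -> engineer.net.in
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
[realms]
    $realm = {
        kdc = $kdchost:88
        admin_server = $kdchost
    }
[domain_realm]
    .$domain = $realm
    $domain = $realm
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    default = FILE:/var/log/krb5libs.log
EOF
}

# write_kdc_conf REALM OUTDIR : KDC config (/var/kerberos/krb5kdc/kdc.conf)
write_kdc_conf() {
    realm=$1; out=$2/kdc.conf
    cat > "$out" <<EOF
[kdcdefaults]
    kdc_ports = 88
[realms]
    $realm = {
        database_name = /var/kerberos/krb5kdc/principal
        admin_keytab = FILE:/var/kerberos/krb5kdc/kadm5.keytab
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
    }
EOF
}

# write_kadm5_acl REALM OUTDIR : only */admin principals (such as root/admin)
# get full rights; any other principal gets no admin access.
write_kadm5_acl() { printf '*/admin@%s\t*\n' "$1" > "$2/kadm5.acl"; }

# Usage: sh gen_krb_conf.sh ENGINEER.NET.IN kdc.engineer.net.in /tmp/krbcfg
if [ "$#" -eq 3 ]; then
    mkdir -p "$3"; write_krb5_conf "$1" "$2" "$3"; write_kdc_conf "$1" "$3"; write_kadm5_acl "$1" "$3"
fi
```

Review the generated files before copying them into place; the kadm5.acl line is what stops a principal without the /admin instance from using kadmin at all.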
Ok boys, that's it for now