Configure the Kerberos KDC Server


To configure the first Kerberos KDC, follow these steps:

1. Ensure that time synchronization and DNS are functioning correctly on all client and server machines before configuring Kerberos. Pay particular attention to time synchronization between the Kerberos server and its clients. If the time difference between the server and client is greater than five minutes (this is configurable in Kerberos 5), Kerberos clients cannot authenticate to the server. This time synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.

It is advisable to set up a Network Time Protocol (NTP) compatible client/server network even if Kerberos is not being used. Fedora includes the ntp package for this purpose. Refer to /usr/share/doc/ntp-version-number/index.html (where version-number is the version number of the ntp package installed on your system) for details about how to set up Network Time Protocol servers, and for more information about NTP.

2. Install the krb5-libs (already installed on Fedora 19), krb5-server, and krb5-workstation packages on the dedicated machine which runs the KDC. This machine needs to be very secure; if possible, it should not run any services other than the KDC.

# yum install krb5-server

# yum install krb5-workstation

Change your KDC server hostname:

# hostnamectl set-hostname <hostname>

# hostnamectl set-hostname mlfcompany

Add a fully qualified domain name (FQDN) entry for the machine to the /etc/hosts file:

# vi /etc/hosts

<ip-address> <hostname>.<domain> <alias>

What I entered was the IP address, the computer name with its domain, and the alias at the end, for both the KDC server and the client computer (mlfcompany and mlfclient).

Now enter # hostname -f; it should return the FQDN.

3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM with the correct domain name, being certain to keep uppercase and lowercase names in the correct format, and by changing the kdc entry to the name of the Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase.

Note that every line beginning with a # character is only a comment; these comments usually show the pattern to follow when entering the realm entries for your own server on the lines below them.

Note that in the [realms] section, IP addresses (including the port number) are used for the kdc and admin_server entries. The IP addresses should reflect your own LAN private addresses. The [domain_realm] section uses the FQDN for both the KDC server and the client computer. The [appdefaults] section should be included as well.

# vi /etc/krb5.conf

The kdc.conf file should contain your domain name and include the line:

 default_principal_flags = +preauth

# vi /var/kerberos/krb5kdc/kdc.conf
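The checks and files from steps 1 to 3 can be scripted. The following is an added example, not part of the original guide or the krb5 packages: it checks clock skew against the five-minute limit from step 1, enforces the uppercase-realm/lowercase-hostname convention from step 3, reads the FQDN out of a hosts file in the layout from step 2, and writes a krb5.conf and kdc.conf in the form the steps describe (IP and port for kdc and admin_server, both FQDNs in [domain_realm], an [appdefaults] section, and default_principal_flags = +preauth). The host names mlfcompany and mlfclient are the guide's; the realm EXAMPLE.COM, the domain example.com, the 192.0.2.x addresses, the sample hosts file and the stock-Fedora-style [libdefaults]/[appdefaults]/[kdcdefaults] values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks and
# config generation for steps 1-3. Host names mlfcompany/mlfclient come from
# the guide; the realm EXAMPLE.COM, domain example.com and the 192.0.2.x
# addresses (RFC 5737 documentation range) are assumed values.
export LC_ALL=C

# Step 1: clients more than five minutes (300 s) off the KDC clock cannot
# authenticate. Returns 0 when two epoch timestamps are within that limit.
check_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le 300 ]
}

# Step 3 convention: realm names are uppercase, DNS names are lowercase.
is_valid_realm()   { case $1 in ""|*[!A-Z0-9.-]*) return 1 ;; esac; }
is_valid_dnsname() { case $1 in ""|*[!a-z0-9.-]*) return 1 ;; esac; }

# Step 2: hosts lines in the guide's layout are "ip fqdn alias".
# Prints the FQDN recorded for an alias (the file is a parameter so the
# example runs against a constructed sample instead of the real /etc/hosts).
hosts_fqdn_for() {
    awk -v a="$2" '$1 !~ /^#/ { for (i = 3; i <= NF; i++) if ($i == a) { print $2; exit } }' "$1"
}

# Step 3: write krb5.conf. kdc/admin_server carry the KDC's IP and port as
# the guide specifies; [domain_realm] maps both FQDNs to the realm.
write_krb5_conf() {
    realm=$1 domain=$2 kdc_ip=$3 kdc_fqdn=$4 client_fqdn=$5 out=$6
    is_valid_realm "$realm" || { echo "realm must be uppercase: $realm" >&2; return 1; }
    for n in "$domain" "$kdc_fqdn" "$client_fqdn"; do
        is_valid_dnsname "$n" || { echo "DNS name must be lowercase: $n" >&2; return 1; }
    done
    cat > "$out" <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true

[realms]
 $realm = {
  kdc = $kdc_ip:88
  admin_server = $kdc_ip:749
 }

[domain_realm]
 $kdc_fqdn = $realm
 $client_fqdn = $realm
 .$domain = $realm
 $domain = $realm

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
 }
EOF
}

# Step 3: write kdc.conf with the realm and the +preauth flag the guide requires.
# The keytab and ACL paths are the ones used later in the guide.
write_kdc_conf() {
    realm=$1 out=$2
    is_valid_realm "$realm" || return 1
    cat > "$out" <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $realm = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  default_principal_flags = +preauth
 }
EOF
}

# Constructed sample hosts file in the guide's layout (not a real /etc/hosts).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
192.0.2.10  mlfcompany.example.com mlfcompany
192.0.2.20  mlfclient.example.com  mlfclient
EOF

# Demonstration: run the checks and generate both files in a temp directory.
OUT_DIR=$(mktemp -d)
check_skew 1700000000 1700000120 && echo "skew 120 s: within limit"
check_skew 1700000000 1700000400 || echo "skew 400 s: clients would be rejected"
KDC_FQDN=$(hosts_fqdn_for "$SAMPLE_HOSTS" mlfcompany)
echo "KDC FQDN from hosts file: $KDC_FQDN"
write_krb5_conf EXAMPLE.COM example.com 192.0.2.10 "$KDC_FQDN" mlfclient.example.com "$OUT_DIR/krb5.conf"
write_kdc_conf EXAMPLE.COM "$OUT_DIR/kdc.conf"
echo "wrote $OUT_DIR/krb5.conf and $OUT_DIR/kdc.conf"
```

Run it as an unprivileged user; it only writes to temporary files, so the generated krb5.conf and kdc.conf can be compared against the real /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf before anything is copied into place.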

4. Create the database using the kdb5_util utility from a shell prompt:

# kdb5_util create -r EXAMPLE.COM -s

Please disregard the pictured command and follow the one above as it works much better. 

The create command creates the database that stores keys for the Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc) prompts the user for the master server password (which can be used to regenerate the key) every time it starts.

5. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can get by with a single line:

*/admin@EXAMPLE.COM   *

Most users are represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). In this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) have full access to the realm's Kerberos database. Open a terminal and enter (do not remove the asterisks):

# vi /var/kerberos/krb5kdc/kadm5.acl

After kadmind has been started on the server, any user can access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file can modify the database in any way, except for changing their own passwords.
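The single wildcard line gives every admin-instance principal full rights. As an added example that is not from the guide, the following kadm5.acl shows that line alongside a narrower entry for a hypothetical help-desk principal that may only look up principals (i), list them (l) and change their passwords (c). Entries are matched in order, so the specific line is placed before the wildcard; the principal name helpdesk/admin is an assumption.

```text
# /var/kerberos/krb5kdc/kadm5.acl  (added example, not the guide's file)
# Format: principal   permissions   [target_principal]
# Specific entries first: a help-desk account limited to inquire, list and
# change-password. It cannot add, delete or modify principals.
helpdesk/admin@EXAMPLE.COM   cil

# The single line the guide recommends: full rights for every admin instance.
*/admin@EXAMPLE.COM          *
```

If the wildcard line came first, helpdesk/admin would match it and receive full rights, so order the file from most specific to least specific.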

Type the following kadmin.local command at the KDC terminal to create the first principal:

# kadmin.local -q "addprinc <username>/admin"

On the KDC server create a principal for the admin and client computer by entering:

# kadmin.local

kadmin.local: addprinc root/admin

kadmin.local: addprinc <clientcomputer>

Then add the kadmin service keys to its keytab:

kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin

kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw

6. Start Kerberos using the following commands:

# /sbin/service krb5kdc start

# /sbin/service kadmin start

Now that the administrative setup is complete, create a host principal for the KDC server and give it a keytab:

# kadmin.local

kadmin.local: addprinc -randkey host/<KDCserver>.<domain>.com

kadmin.local: ktadd host/<KDCserver>.<domain>.com

kadmin.local: exit

***Very important! Restart the Linux server now.

7. (Optional) Add principals for other users using the addprinc command within kadmin. kadmin and kadmin.local are command line interfaces to the KDC, so many commands, such as addprinc, are available after launching the kadmin program.

8. Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache, and use kdestroy to destroy the cache and the credentials it contains. Test the administrator login locally:

Check the kadmin status to be sure it is active. If it is not, then start the krb5kdc and kadmin services:

# service kadmin status

# /sbin/service krb5kdc start

# /sbin/service kadmin start