In February 2016 16,
Before you begin setting up Kerberos on your system, you should know the name of your Kerberos realm, the hostnames of the master and slave Key Distribution Centers (KDCs), and how you are going to map your hostnames into the Kerberos realm. You will need to determine the ports that the KDCs and the database access (kadmin) services will use. You will also have to decide how frequently the database will be propagated from the master KDC to the slave KDCs.
You will use the above information to configure the master KDC. The master KDC configuration files are '/etc/krb5.conf' and '/usr/local/var/krb5kdc/kdc.conf', and they can be edited in any text editor. The 'krb5.conf' file contains information about where to locate the KDCs and admin servers, as well as the hostname mapping information. The 'kdc.conf' file contains the default information used when issuing Kerberos tickets. Open '/etc/krb5.conf' and edit the 'login', 'realms' and 'domain_realm' sections so that they are correct for your system. Change '/usr/local/var/krb5kdc/kdc.conf' so that it reflects the correct information for your KDC server.
The next step is to create the database. Open a terminal and type the command 'kdb5_util'. You will be asked to provide a master key. This should be a string of letters, numbers and special characters, similar to a password. This key will be stored in a stash file on the KDC's hard drive. If you would rather be prompted for the key whenever Kerberos starts, you can choose not to create the stash file.
Finally, you will create the Access Control List (ACL) and add at least one administrator to it. The ACL is a user-created text file called '/usr/local/var/krb5kdc/kadm5.acl'. This file should list each administrator in the form:
Kerberos_principal permissions [target_principal] [restrictions]
Once the ACL is created, issue the command 'kadmin.local' and add each principal to the database. Start the Kerberos daemons with the command '/usr/local/sbin/krb5kdc; /usr/local/sbin/kadmind'.
Creating the Keytab File
The keytab file is used to decrypt the Kerberos tickets and determine whether the user should have access to the database. To create this file, type the command 'kadmin.local' again. At the prompt it provides, type 'ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw' to create the keytab file. Replace '/usr/local/var/krb5kdc/kadm5.keytab' with the keytab location specified in the '/usr/local/var/krb5kdc/kdc.conf' file. Type 'quit' to exit the 'kadmin' utility.
Configuring the Slave KDCs
To create the slave KDCs, you will issue the 'kadmin.local' command a third time. At the prompt, issue the command 'addprinc -randkey host/example.com' for the master and for each slave, using the hostname of each KDC in place of 'example.com'. This creates host keys for each of the KDCs. Next, extract the keys on each of the slave KDCs by starting the 'kadmin' utility on each slave and issuing the command 'ktadd host/MasterKDC.com'. Replace 'MasterKDC.com' with the hostname of the master KDC.
For the database to be propagated from the master KDC to the slave KDCs, you will have to create a file called '/usr/local/var/krb5kdc/kpropd.acl'. This file must contain the principal of each of the KDCs in the form 'host/example.com', with each principal on its own line. Next, edit the '/etc/inetd.conf' file on each of the KDCs and add the following lines:
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
eklogin stream tcp nowait root /usr/local/sbin/klogind klogind -k -c -e
Edit the '/etc/services' file on each of the KDCs and add the following lines:
kerberos 88/udp kdc # Kerberos authentication (udp)
kerberos 88/tcp kdc # Kerberos authentication (tcp)
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
eklogin 2105/tcp # Kerberos encrypted rlogin
Propagating the Database
Propagating the database is done from the master KDC. Issue the command '/usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans' to create a dump of the database. Next, issue the command '/usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans Slave-1.example.com' to manually propagate the database to each of the slaves. These steps will need to be repeated on a regular basis. The easiest way to do this is to create a script and run it as a cron job. The script should look like:
#!/bin/sh
kdclist="slave-1.example.com slave-2.example.com"
/usr/local/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
for kdc in $kdclist
do
    /usr/local/sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
done
Of course, change the host names to reflect the values for your system.
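As an added example (not the article's own script), the same cron job written so that a failed dump or a failed push to a slave is reported instead of passing silently, and so that the dump file, which holds every principal's keys, is never left world-readable. It assumes the /usr/local MIT krb5 paths used above; the slave hostnames are constructed placeholders, and the KDB5_UTIL/KPROP/DUMP/KDCLIST variables are this script's own knobs.

```shell
#!/bin/sh
# Added example (not the article's script): cron-safe propagation from the
# master KDC. Assumes the /usr/local MIT krb5 paths used in the article;
# the slave hostnames below are constructed placeholders.
KDB5_UTIL=${KDB5_UTIL:-/usr/local/sbin/kdb5_util}
KPROP=${KPROP:-/usr/local/sbin/kprop}
DUMP=${DUMP:-/usr/local/var/krb5kdc/slave_datatrans}
KDCLIST=${KDCLIST:-"slave-1.example.com slave-2.example.com"}

# The dump holds every principal's long-term keys, so create it owner-only.
umask 077

# dump_ok FILE: succeeds only if FILE is a regular file readable by its
# owner alone (mode 0600 or 0400); anything looser exposes the realm's keys.
dump_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# propagate_all: dump once, then push to every slave. Returns the number of
# slaves that failed (0 = every slave is current), 100 if the dump failed,
# 101 if the dump has unsafe permissions, so cron never sees a silent 0
# while a slave is still serving stale keys.
propagate_all() {
    failed=0
    "$KDB5_UTIL" dump "$DUMP" || { echo "kdb5_util dump failed" >&2; return 100; }
    dump_ok "$DUMP" || { echo "$DUMP has unsafe permissions" >&2; return 101; }
    for kdc in $KDCLIST; do
        if "$KPROP" -f "$DUMP" "$kdc"; then
            echo "propagated to $kdc"
        else
            echo "kprop to $kdc FAILED; slave may hold stale keys" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run from cron as: kprop-all.sh run   (no argument: only define functions)
if [ "${1:-}" = "run" ]; then
    propagate_all
    exit $?
fi
```

Cron mails whatever the job writes to stderr, so a non-zero exit plus the FAILED line is the signal to check the slave's kpropd and its kpropd.acl entry.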
Create Stash Files on the Slaves
The final step in setting up Kerberos is to create stash files on the slave KDCs. On each of the slave KDCs, issue the command 'kdb5_util stash' and provide the master key when prompted. Once that is completed, you can start the 'krb5kdc' daemon on each slave with the command '/usr/local/sbin/krb5kdc'.