Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Manually Configure a Master KDC

    In this procedure, incremental propagation is configured. This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • admin principal = kws/admin

  • Online help URL = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html


    Note -  Adjust the URL to point to the location of the online help, as described in gkadmin GUI.

Before You Begin

The host is configured to use DNS. For specific naming instructions if this master is to be swappable, see Swapping a Master KDC and a Slave KDC.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. Install the KDC package.

    Follow the instructions in How to Install the KDC Package.

  2. Edit the Kerberos configuration file, krb5.conf.

    For a description of this file, see the krb5.conf(4) man page.

    In this example, the administrator changes the lines for default_realm, kdc, admin_server, and all domain_realm entries, and edits the help_url entry.

    kdc1 # pfedit /etc/krb5/krb5.conf
    ...
    [libdefaults]
    default_realm = EXAMPLE.COM
    
    [realms]
    EXAMPLE.COM = {
    kdc = kdc1.example.com
    admin_server = kdc1.example.com
    }
    
    [domain_realm]
    .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent,
    # this entry is not needed
    #
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
    gkadmin = {
    help_url = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html
    }

    Note -  If you must communicate with an older Kerberos system, you might need to restrict the encryption types. For a description of the issues involved with restricting the encryption types, see Kerberos Encryption Types.
  3. Name the realm in the KDC configuration file, kdc.conf.

    For a description of this file, see the kdc.conf(4) man page.

    In this example, in addition to the realm name definition, the administrator changes incremental propagation and logging defaults.

    kdc1 # pfedit /etc/krb5/kdc.conf
    [kdcdefaults]
    kdc_ports = 88,750
    
    [realms]
    EXAMPLE.COM = {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    sunw_dbprop_enable = true
    sunw_dbprop_master_ulogsize = 1000
    }

    Note -  If you must communicate with an older Kerberos system, you might need to restrict the encryption types. For a description of the issues involved with restricting the encryption types, see Kerberos Encryption Types.
  4. Create the KDC database by using the kdb5_util command.

    The kdb5_util command creates the KDC database. Also, when used with the -s option, this command creates a stash file that is used to authenticate the KDC to itself before the kadmind and krb5kdc daemons are started. For more information, see the kdb5_util(1M), kadmind(1M), and krb5kdc(1M) man pages.

    kdc1 # /usr/sbin/kdb5_util create -s
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:/** Type strong password **/
    Re-enter KDC database master key to verify: xxxxxxxx

    Tip  -  If this step fails, verify that the KDC principal is identified by its FQDN.
    # getent hosts IP-address-of-KDC
    IP-address-of-KDC kdc/** This entry does not include FQDN **/
    Then, add the FQDN as the first KDC entry in your /etc/hosts file, for example:
    IP-address-of-KDC kdc.kdc-principal.example.com kdc

  5. Edit the Kerberos access control list file, kadm5.acl.

    Once populated, the /etc/krb5/kadm5.acl file must contain all principal names that are allowed to administer the KDC.

    kws/admin@EXAMPLE.COM   *

    The preceding entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals and policies in the KDC. The default principal entry is an asterisk (*), which matches all admin principals. This entry can be a security risk. Modify the file to explicitly list every admin principal and their rights. For more information, see the kadm5.acl(4) man page.

  6. Add administration principals to the database.

    You can add as many admin principals as you need. You must add at least one admin principal to complete the KDC configuration process. For this example, a kws/admin principal is added. You can substitute an appropriate principal name instead of “kws”.

    kadmin.local: addprinc kws/admin
    Enter password 
    for principal kws/admin@EXAMPLE.COM:/** Type strong password **/
    Re-enter password 
    for principal kws/admin@EXAMPLE.COM: xxxxxxxx
    Principal "kws/admin@EXAMPLE.COM" created.
    kadmin.local: 

    For more information, see the kadmin(1M) man page.

  7. Start the Kerberos daemons.
    kdc1 # svcadm enable -r network/security/krb5kdc
    kdc1 # svcadm enable -r network/security/kadmin
  8. Start kadmin and add more principals.
    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: xxxxxxxx
    kadmin:
    1. Create the master KDC host principal.

      The host principal is used by Kerberized applications, such as kprop, to propagate changes to the slave KDCs. This principal is also used to provide secure remote access to the KDC server by using network applications, such as ssh. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.

      kadmin: addprinc -randkey host/kdc1.example.com
      Principal "host/kdc1.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. (Optional) Create the kclient principal.

      This principal is used by the kclient utility during the installation of a Kerberos client. If you do not plan on using this utility, then you do not need to add the principal. The users of the kclient utility need to use this password. For more information, see the kclient(1M) man page.

      kadmin: addprinc clntconfig/admin
      Enter password for principal clntconfig/admin@EXAMPLE.COM:/** Type strong  password **/
      Re-enter password for principal clntconfig/admin@EXAMPLE.COM: xxxxxxxx
      Principal "clntconfig/admin@EXAMPLE.COM" created.
      kadmin: 

      Note -  Save and store this password in a safe location.
    3. Add privileges to the clntconfig/admin principal.

      Edit the kadm5.acl file to grant the clntconfig principal enough privileges to perform kclient installation tasks.

      # pfedit /etc/krb5/kadm5.acl
      ...
      clntconfig/admin@EXAMPLE.COM  acdilm 
    4. Add the master KDC's host principal to the master KDC's keytab file.

      Adding the host principal to the keytab file enables this principal to be used by application servers, like sshd, automatically.

      kadmin: ktadd host/kdc1.example.com
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
      with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type Triple DES cbc
      mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    5. Quit kadmin.
      kadmin: quit
  9. Synchronize this system's clock with other clocks in the realm by using NTP or another mechanism.

    For authentication to succeed, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file. For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.


    Note -  The master KDC cannot be the NTP server. If you do not have an NTP server, return to the master KDC after the NTP server is installed, and make the master KDC a client of the NTP server.
  10. Configure Slave KDCs.

    To provide redundancy, make sure to install at least one slave KDC. Follow the instructions in How to Use kdcmgr to Configure a Slave KDC or How to Manually Configure a Slave KDC.
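As an added example that is not part of the Oracle documentation, the following POSIX shell functions check two points the procedure calls out: the wildcard principal entry in kadm5.acl that step 5 describes as a security risk, and the requirement from the tip in step 4 and from step 8.1 that the KDC's first name-service entry be a lowercase FQDN. The sample ACL text and the getent output line are constructed for the example.

```shell
#!/bin/sh
# Constructed sample kadm5.acl content (not a real ACL). The first entry is
# the wildcard form the procedure warns about; the last two are the explicit
# entries added in step 5 and step 8.3.
SAMPLE_ACL='# constructed sample
*/admin@EXAMPLE.COM   *
kws/admin@EXAMPLE.COM   *
clntconfig/admin@EXAMPLE.COM  acdilm'

# Read kadm5.acl lines on stdin and print every entry whose principal field
# contains a wildcard (*). Comments and blank lines are skipped.
# Returns 1 if at least one wildcard principal was found, 0 otherwise.
find_wildcard_principals() {
    found=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        set -- $line            # first field is the principal
        case $1 in
            *'*'*)
                echo "wildcard principal grants admin rights: $line"
                found=1 ;;
        esac
    done
    return $found
}

# Take one "getent hosts <address>" output line and verify that the first
# name listed is a fully qualified, lowercase host name, as the KDC host
# principal (host/kdc1.example.com) requires.
kdc_name_is_fqdn() {
    set -- $1               # split "address name1 name2 ..." on whitespace
    shift                   # drop the address
    first=$1
    case $first in
        *.*) ;;
        *) echo "first KDC name '$first' is not an FQDN"; return 1 ;;
    esac
    lower=$(printf '%s' "$first" | tr 'A-Z' 'a-z')
    if [ "$first" != "$lower" ]; then
        echo "FQDN '$first' must be lowercase"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample data.
printf '%s\n' "$SAMPLE_ACL" | find_wildcard_principals
kdc_name_is_fqdn "192.0.2.10 kdc1.example.com kdc1"
```

On a real master KDC, pipe /etc/krb5/kadm5.acl into find_wildcard_principals and pass the output of getent hosts for the KDC address to kdc_name_is_fqdn.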