System Administration Guide: Security Services

ProcedureHow to Manually Configure a Master KDC

In this procedure, incremental propagation is configured. In addition, the following configuration parameters are used:

Before You Begin

This procedure requires that the host is configured to use DNS. For specific naming instructions if this master is to be swappable, see Swapping a Master KDC and a Slave KDC.

  1. Become superuser on the master KDC.

  2. Edit the Kerberos configuration file (krb5.conf).

    You need to change the realm names and the names of the servers. See the krb5.conf(4) man page for a full description of this file.


    kdc1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM
    
    [realms]
            EXAMPLE.COM = {
            kdc = kdc1.example.com
            admin_server = kdc1.example.com
            }
    
    [domain_realm]
            .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent, 
    # this entry is not needed
    #
    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
        gkadmin = {
            help_url = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
            }

    In this example, the lines for default_realm, kdc, admin_server, and all domain_realm entries were changed. In addition, the line that defines the help_url was edited.


    Note –

    If you want to restrict the encryption types, you can set the default_tkt_enctypes or default_tgs_enctypes lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting the encryption types.


  3. Edit the KDC configuration file (kdc.conf).

    You need to change the realm name. See the kdc.conf(4) man page for a full description of this file.


    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM = {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
                    sunw_dbprop_master_ulogsize = 1000
                    }

    In this example, the realm name definition in the realms section was changed. Also, in the realms section, lines to enable incremental propagation and to select the number of updates the KDC master keeps in the log were added.


    Note –

    If you want to restrict the encryption types, you can set the permitted_enctypes, supported_enctypes, or master_key_type lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting the encryption types.


  4. Create the KDC database by using the kdb5_util command.

    The kdb5_util command creates the KDC database. Also, when used with the -s option, this command creates a stash file that is used to authenticate the KDC to itself before the kadmind and krb5kdc daemons are started.


    kdc1 # /usr/sbin/kdb5_util create -s
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: <Type the key>
    Re-enter KDC database master key to verify: <Type it again>
    
  5. Edit the Kerberos access control list file (kadm5.acl).

    Once populated, the /etc/krb5/kadm5.acl file should contain all principal names that are allowed to administer the KDC.


    kws/admin@EXAMPLE.COM   *

    The entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals or policies in the KDC. The default installation includes an asterisk (*) to match all admin principals. This default could be a security risk, so it is more secure to include a list of all of the admin principals. See the kadm5.acl(4) man page for more information.

  6. Start the kadmin.local command and add principals.

    The next substeps create principals that are used by the Kerberos service.


    kdc1 # /usr/sbin/kadmin.local
    kadmin.local: 
    1. Add administration principals to the database.

      You can add as many admin principals as you need. You must add at least one admin principal to complete the KDC configuration process. For this example, a kws/admin principal is added. You can substitute an appropriate principal name instead of “kws.”


      kadmin.local: addprinc kws/admin
      Enter password for principal kws/admin@EXAMPLE.COM:<Type the password>
      Re-enter password for principal kws/admin@EXAMPLE.COM: <Type it again>
      Principal "kws/admin@EXAMPLE.COM" created.
      kadmin.local: 
    2. Create the kiprop principals.

      The kiprop principal is used to authorize updates from the master KDC.


      kadmin.local: addprinc -randkey kiprop/kdc1.example.com
      Principal "kiprop/kdc1.example.com@EXAMPLE.COM" created.
      kadmin.local:
    3. Quit kadmin.local.

      You have added all of the required principals for the next steps.


      kadmin.local: quit
      
  7. Start the Kerberos daemons.


    kdc1 # svcadm enable -r network/security/krb5kdc
    kdc1 # svcadm enable -r network/security/kadmin
    
  8. Start kadmin and add more principals.

    At this point, you can add principals by using the Graphical Kerberos Administration Tool. To do so, you must log in with one of the admin principal names that you created earlier in this procedure. However, the following command-line example is shown for simplicity.


    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: 
    1. Create the master KDC host principal.

      The host principal is used by Kerberized applications, such as kprop to propagate changes to the slave KDCs. This principal is also used to provide secure remote access to the KDC server using applications, like ssh. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.


      kadmin: addprinc -randkey host/kdc1.example.com
      Principal "host/kdc1.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. (Optional) Create the kclient principal.

      This principal is used by the kclient utility during the installation of a Kerberos client. If you do not plan on using this utility, then you do not need to add the principal. The users of the kclient utility need to use this password.


      kadmin: addprinc clntconfig/admin
      Enter password for principal clntconfig/admin@EXAMPLE.COM:<Type the password>
      Re-enter password for principal clntconfig/admin@EXAMPLE.COM: <Type it again>
      Principal "clntconfig/admin@EXAMPLE.COM" created.
      kadmin: 
    3. Add the master KDC's host principal to the master KDC's keytab file.

      Adding the host principal to the keytab file allows this principal to be used by application servers, like sshd, automatically.


      kadmin: ktadd host/kdc1.example.com
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    4. Quit kadmin.


      kadmin: quit
      
  9. (Optional) Synchronize the master KDCs clock by using NTP or another clock synchronization mechanism.

    Installing and using the Network Time Protocol (NTP) is not required. However, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file for authentication to succeed. See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.

  10. Configure Slave KDCs.

    To provide redundancy, make sure to install at least one slave KDC. See How to Manually Configure a Slave KDC for specific instructions.