Sun OpenSSO Enterprise 8.0 Deployment Planning Guide

Procedure: To Configure a UNIX Kerberos Domain Controller

Edit the krb5.conf and kdc.conf files to specify where and how the Kerberos Domain Controller is running.

  1. Modify the krb5.conf file.

    For detailed information about the krb5.conf file, see the Kerberos V5 Administrator's Guide.

    Example:


    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_keytab_name = /etc/krb5/krb5.keytab
    default_realm = DEMO.IDENTITY.COM
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5
    default_checksum = rsa-md5
    kdc_timesync = 0
    kdc_default_options = 0x40000010
    clockskew = 300
    check_delegate = 0
    ccache_type = 3
    kdc_timeout = 60000
    [realms]
    DEMO.IDENTITY.COM = {
    kdc = demo1.identity.com:88
    admin_server = demo1.identity.com:749
    default_domain = identity.com
    }
    [domain_realm]
    .identity.com = DEMO.IDENTITY.COM
    identity.com = DEMO.IDENTITY.COM
    [appdefaults]
    pam = {
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000d
    forwardable = true
    krb4_convert = false
    }
  2. Modify the kdc.conf file.

    For detailed information about the kdc.conf file, see the Kerberos V5 Administrator's Guide.

    Example:


    [kdcdefaults]
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    v4_mode = nopreauth
    [realms]
    DEMO.IDENTITY.COM = {
    master_key_type = des-cbc-crc
    supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
    }
  3. Create the Kerberos Domain Controller database using the kdb5_util command.

    This database will store information about all the principals and associated secrets contained in the realm.

    Example:


    /etc/krb5/% kdb5_util create -s 
    Initializing database '/var/krb5/principal' for realm 'DEMO.IDENTITY.COM', 
    master key name 'K/M@DEMO.IDENTITY.COM' 
    You will be prompted for the database Master Password. 
    It is important that you NOT FORGET this password. 
    Enter KDC database master key: 
    Re-enter KDC database master key to verify:
  4. Create a new user account.

    1. Add a user principal with the kadmin.local command.


      # kadmin.local
      Authenticating as principal admin/admin@DEMO.IDENTITY.COM with password.
      kadmin.local: addprinc demouser1
      WARNING: no policy specified for demouser1@DEMO.IDENTITY.COM;
      defaulting to no policy
      Enter password for principal "demouser1@DEMO.IDENTITY.COM":
      Re-enter password for principal "demouser1@DEMO.IDENTITY.COM":
      Principal "demouser1@DEMO.IDENTITY.COM" created.
    2. Verify that the user account is added correctly to the database.

      Authenticate the user to the Kerberos domain. Example:


      # kinit demouser1
      Password for demouser1@DEMO.IDENTITY.COM:
    3. Validate the user's Kerberos ticket in the ticket cache.


      # klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: demouser1@DEMO.IDENTITY.COM
      Valid starting     Expires            Service principal
      06/22/07 11:10:16  06/23/07 11:10:16  krbtgt/DEMO.IDENTITY.COM@DEMO.IDENTITY.COM
  5. Create a new user account for the Kerberos service user.

    1. Add a service principal for OpenSSO Enterprise.

      Example:


      kadmin.local: addprinc -randkey HTTP/amserver.identity.com
      WARNING: no policy specified for HTTP/amserver.identity.com@DEMO.IDENTITY.COM;
      defaulting to no policy
      Principal "HTTP/amserver.identity.com@DEMO.IDENTITY.COM" created.
    2. Generate a keytab file for OpenSSO Enterprise.


      kadmin.local: ktadd -k amserver1.HTTP.keytab HTTP/amserver.identity.com
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type ArcFour with HMAC/md5 added to keytab 
      WRFILE:amserver1.HTTP.keytab. 
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type Triple DES cbc mode with HMAC/sha1 added to 
      keytab WRFILE:amserver1.HTTP.keytab. 
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type DES with HMAC/sha1 added to 
      keytab WRFILE:amserver1.HTTP.keytab. 
      Entry for principal HTTP/amserver.identity.com with kvno 4, 
      encryption type DES cbc mode with RSA-MD5 added to keytab 
      WRFILE:amserver1.HTTP.keytab. 
    3. Verify that the Kerberos service account is added correctly to the database.

      Use the kinit and klist commands to validate the Kerberos service account. Authenticate the service principal to the Kerberos domain with the keytab file. Example:


      # kinit -k -t amserver1.HTTP.keytab HTTP/amserver.identity.com
    4. Validate the keytab file for the Kerberos service principal.

      Example:


      # klist -k amserver1.HTTP.keytab
      Keytab name: FILE:amserver1.HTTP.keytab 
      KVNO Principal 
      ------------------------------------------------ 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM 
      4 HTTP/amserver.identity.com@DEMO.IDENTITY.COM
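The krb5.conf format edited in steps 1 and 2, parsed and checked offline, as an added example that is not part of the guide: it reads the nested-brace syntax and flags the DES enctypes and rsa-md5 checksum the sample relies on, which current MIT Kerberos releases refuse unless allow_weak_crypto is set, and it catches a default_realm or [domain_realm] mapping that points at a realm with no [realms] stanza. The sample text is constructed from the guide's example; the weak-algorithm list is this example's own policy, not a setting taken from the guide.

```python
# Constructed sample: the [libdefaults], [realms] and [domain_realm] stanzas of the guide's krb5.conf.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = DEMO.IDENTITY.COM
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
 default_checksum = rsa-md5
[realms]
 DEMO.IDENTITY.COM = {
  kdc = demo1.identity.com:88
  admin_server = demo1.identity.com:749
 }
[domain_realm]
 .identity.com = DEMO.IDENTITY.COM
"""
# Policy list (this example's own assumption): DES and unkeyed checksums, which MIT Kerberos
# rejects unless allow_weak_crypto = true, plus RC4 and 3DES, which it has deprecated.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des3-cbc-sha1",
        "arcfour-hmac", "arcfour-hmac-md5", "rsa-md5", "rsa-md4", "crc32"}

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'name = { ... }' blocks become nested dicts."""
    conf, stack = {}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]     # a new section resets the nesting
        elif line == "}":
            stack.pop()                                   # close the innermost block
        else:
            key, _, val = (s.strip() for s in line.partition("="))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = val
    return conf

def lint(conf):
    """Return findings: weak or deprecated algorithms, and realm references that resolve to nothing."""
    findings, lib, realms = [], conf.get("libdefaults", {}), conf.get("realms", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes", "default_checksum"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK)
        if weak:
            findings.append(f"{key} uses weak or deprecated algorithm(s): {', '.join(weak)}")
    if lib.get("default_realm") and lib["default_realm"] not in realms:
        findings.append(f"default_realm {lib['default_realm']} has no [realms] stanza")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings
```

Run against the sample it reports the two DES enctype settings and the rsa-md5 checksum; replacing des-cbc-md5 with aes256-cts-hmac-sha1-96 and rsa-md5 with hmac-sha1-96-aes256 clears all findings.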