In this procedure, incremental propagation is configured. This procedure uses the following configuration parameters:
Realm name = EXAMPLE.COM
DNS domain name = example.com
Master KDC = kdc1.example.com
admin principal = kws/admin
Online help URL = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html
Before You Begin
The host is configured to use DNS. For specific naming instructions if this master is to be swappable, see Swapping a Master KDC and a Slave KDC.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
Follow the instructions in How to Install the KDC Package.
Edit the Kerberos configuration file, /etc/krb5/krb5.conf. For a description of this file, see the krb5.conf(4) man page.
In this example, the administrator changes the lines for default_realm, kdc, admin_server, and all domain_realm entries, and edits the help_url entry.
kdc1 # pfedit /etc/krb5/krb5.conf
...
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc1.example.com
                admin_server = kdc1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
#
# if the domain name and realm name are equivalent,
# this entry is not needed
#
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log

[appdefaults]
        gkadmin = {
                help_url = http://docs.oracle.com/cd/E23824_01/html/821-1456/aadmin-23.html
        }
Edit the KDC configuration file, /etc/krb5/kdc.conf. For a description of this file, see the kdc.conf(4) man page.
In this example, in addition to the realm name definition, the administrator enables incremental propagation (sunw_dbprop_enable) and sets the size of the update log that the master keeps for the slaves (sunw_dbprop_master_ulogsize).
kdc1 # pfedit /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
Create the KDC database by using the kdb5_util command. When used with the -s option, this command also creates a stash file that is used to authenticate the KDC to itself before the kadmind and krb5kdc daemons are started. The stash file holds the database master key, so it must remain readable by root only. For more information, see the kdb5_util(1M), kadmind(1M), and krb5kdc(1M) man pages.
kdc1 # /usr/sbin/kdb5_util create -s
Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: /** Type strong password **/
Re-enter KDC database master key to verify: xxxxxxxx
Check that the KDC host name resolves to its fully qualified domain name (FQDN). If the name service returns only the short name, for example:

# getent hosts IP-address-of-KDC
IP-address-of-KDC kdc        /** This entry does not include the FQDN **/

then add the FQDN as the first KDC entry in your /etc/hosts file, for example:

IP-address-of-KDC kdc.kdc-principal.example.com kdc
Edit the Kerberos access control list file, /etc/krb5/kadm5.acl. Once populated, this file must contain all principal names that are allowed to administer the KDC.
kws/admin@EXAMPLE.COM *
The preceding entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals and policies in the KDC. The entry that the file ships with uses an asterisk (*) as the principal, which matches every admin principal and grants all of them full rights. Because any principal that matches the wildcard can then administer the KDC, that entry is a security risk: replace it with entries that explicitly list every admin principal and the rights it needs. For more information, see the kadm5.acl(4) man page.
Create a new admin principal by using the kadmin.local command. You can add as many admin principals as you need, and you must add at least one to complete the KDC configuration process. For this example, a kws/admin principal is added. You can substitute an appropriate principal name instead of "kws".
kdc1 # /usr/sbin/kadmin.local
kadmin.local: addprinc kws/admin
Enter password for principal kws/admin@EXAMPLE.COM: /** Type strong password **/
Re-enter password for principal kws/admin@EXAMPLE.COM: xxxxxxxx
Principal "kws/admin@EXAMPLE.COM" created.
kadmin.local:
For more information, see the kadmin(1M) man page.
Start the Kerberos daemons.

kdc1 # svcadm enable -r network/security/krb5kdc
kdc1 # svcadm enable -r network/security/kadmin
Start kadmin, authenticating as the admin principal that you created.

kdc1 # /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin:
Create the master KDC host principal. The host principal is used by Kerberized applications, such as kprop, to propagate changes to the slave KDCs. This principal is also used to provide secure remote access to the KDC server by network applications such as ssh. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters regardless of the case of the domain name in the name service.
kadmin: addprinc -randkey host/kdc1.example.com
Principal "host/kdc1.example.com@EXAMPLE.COM" created.
kadmin:
(Optional) Create the clntconfig principal. This principal is used by the kclient utility during the installation of a Kerberos client. If you do not plan to use this utility, you do not need to add the principal. The users of the kclient utility need to know this password. For more information, see the kclient(1M) man page.
kadmin: addprinc clntconfig/admin
Enter password for principal clntconfig/admin@EXAMPLE.COM: /** Type strong password **/
Re-enter password for principal clntconfig/admin@EXAMPLE.COM: xxxxxxxx
Principal "clntconfig/admin@EXAMPLE.COM" created.
kadmin:
Edit the kadm5.acl file to grant the clntconfig principal just enough privileges (add, change, delete, inquire, list, and modify, but not the wildcard *) to perform kclient installation tasks.
# pfedit /etc/krb5/kadm5.acl
...
clntconfig/admin@EXAMPLE.COM acdilm
Add the master KDC's host principal to the master KDC's keytab file. Adding the host principal to the keytab file enables application servers, such as sshd, to use this principal automatically.
kadmin: ktadd host/kdc1.example.com
Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin:
Quit kadmin.

kadmin: quit
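The steps above leave several things that are easy to get subtly wrong and that nothing in the procedure verifies: that incremental propagation really is switched on in kdc.conf, that the shipped wildcard entry was removed from kadm5.acl, that the host principal uses a lowercase FQDN, and that the stash file and keytab are not readable by anyone but root. The following audit script is an added example for this page, not Oracle's code; it assumes the file names used in the procedure (kdc.conf, kadm5.acl, krb5.keytab, and a stash file named .k5.REALM) and works on constructed scratch copies of those files so that it runs offline on any POSIX shell.

```shell
#!/bin/sh
# Post-configuration audit for a manually built master KDC.
# Added example for this page; not part of the Oracle Solaris documentation.
# Assumptions (not stated on the page): the files audited are those named in
# the procedure (kdc.conf, kadm5.acl, krb5.keytab) plus the stash file
# .k5.REALM; the copies written below into a scratch directory are constructed
# sample input so the script runs without a real KDC.
LC_ALL=C; export LC_ALL        # ASCII character classes in case patterns

# conf_value FILE KEY : print the value of the first "KEY = value" line, or nothing.
conf_value() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }' "$1"
}

# incremental_propagation_ok KDC_CONF : sunw_dbprop_enable must be true and the
# master update-log size must be set, otherwise the slaves get no incremental updates.
incremental_propagation_ok() {
    [ "$(conf_value "$1" sunw_dbprop_enable)" = "true" ] || return 1
    [ -n "$(conf_value "$1" sunw_dbprop_master_ulogsize)" ]
}

# acl_wildcards KADM5_ACL : print non-comment entries whose principal contains
# a wildcard and exit 1 if any exist; such an entry grants rights to every
# principal that matches it rather than to one named administrator.
acl_wildcards() {
    awk '!/^[ \t]*(#|$)/ && $1 ~ /\*/ { print; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# host_principal_ok PRINCIPAL : a host/ principal must carry the lowercase FQDN
# as its instance, whatever case the name service reports for the domain.
host_principal_ok() {
    case $1 in host/*) ;; *) return 1 ;; esac
    inst=${1#host/}; inst=${inst%@*}
    case $inst in
        *[!a-z0-9.-]*) return 1 ;;    # uppercase or illegal DNS characters
        *.*) return 0 ;;              # has a domain part, so it is an FQDN
        *) return 1 ;;                # short host name
    esac
}

# secret_file_ok FILE : stash file and keytab hold long-term keys; they must
# exist and be readable and writable by their owner only (mode 600).
secret_file_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in ------) return 0 ;; *) return 1 ;; esac
}

# audit DIR REALM HOST_PRINCIPAL : run every check, report failures, exit 1 on any.
audit() {
    rc=0
    incremental_propagation_ok "$1/kdc.conf" ||
        { echo "FAIL: incremental propagation not enabled in $1/kdc.conf"; rc=1; }
    acl_wildcards "$1/kadm5.acl" >/dev/null ||
        { echo "FAIL: wildcard admin entries in $1/kadm5.acl:"
          acl_wildcards "$1/kadm5.acl" | sed 's/^/    /'; rc=1; }
    host_principal_ok "$3" ||
        { echo "FAIL: host principal '$3' is not a lowercase FQDN"; rc=1; }
    secret_file_ok "$1/.k5.$2" ||
        { echo "FAIL: stash file $1/.k5.$2 missing or readable by group/other"; rc=1; }
    secret_file_ok "$1/krb5.keytab" ||
        { echo "FAIL: keytab $1/krb5.keytab missing or readable by group/other"; rc=1; }
    return $rc
}

# ---- constructed sample files: a scratch copy of the page's configuration ----
AUDIT_DIR=${TMPDIR:-/tmp}/kdc-audit.$$
mkdir -p "$AUDIT_DIR"
trap 'rm -rf "$AUDIT_DIR"' EXIT
cat > "$AUDIT_DIR/kdc.conf" <<'EOF'
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        EXAMPLE.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
EOF
# kadm5.acl still carrying the shipped wildcard entry next to the explicit ones
cat > "$AUDIT_DIR/kadm5.acl" <<'EOF'
# see kadm5.acl(4)
*/admin@EXAMPLE.COM *
kws/admin@EXAMPLE.COM *
clntconfig/admin@EXAMPLE.COM acdilm
EOF
: > "$AUDIT_DIR/.k5.EXAMPLE.COM"; chmod 600 "$AUDIT_DIR/.k5.EXAMPLE.COM"
: > "$AUDIT_DIR/krb5.keytab";     chmod 644 "$AUDIT_DIR/krb5.keytab"   # deliberately too open

AUDIT_RC=0
audit "$AUDIT_DIR" EXAMPLE.COM host/kdc1.example.com || AUDIT_RC=$?
```

Run as root on the master KDC with the real directory (audit /etc/krb5 EXAMPLE.COM host/kdc1.example.com, after placing the stash file or adjusting the path to /var/krb5) once the procedure is finished; with the sample files it reports the leftover wildcard ACL entry and the world-readable keytab and exits 1, which is exactly the state the two kadm5.acl edits above and the kdb5_util stash step are meant to leave behind you.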
Synchronize the clocks of all KDCs and clients. For authentication to succeed, every clock must be within the clock skew that is defined by the clockskew parameter in the libdefaults section of the krb5.conf file (300 seconds by default). For more information, see the krb5.conf(4) man page. For information about the Network Time Protocol (NTP), see Synchronizing Clocks Between KDCs and Kerberos Clients.
To provide redundancy, install at least one slave KDC. Follow the instructions in How to Use kdcmgr to Configure a Slave KDC or How to Manually Configure a Slave KDC.