22.6.1 Configuring a Kerberos Server

If you want to configure any client systems to use Kerberos authentication, it is recommended that you first configure a Kerberos server. You can then configure any clients that you require.

Note

Keep any system that you configure as a Kerberos server very secure, and do not configure it to perform any other service function.

To configure a Kerberos server that can act as a key distribution center (KDC) and a Kerberos administration server:

  1. Configure the server to use DNS, and verify that both forward and reverse name lookups of the server's domain name and IP address work.

    For more information about configuring DNS, see Chapter 12, Name Service Configuration.

  2. Configure the server to use a network time synchronization mechanism such as the Network Time Protocol (NTP) or Precision Time Protocol (PTP). Kerberos requires that the system time on Kerberos servers and clients is synchronized as closely as possible. If the system times of the server and a client differ by more than 300 seconds (by default), authentication fails.

    For more information, see Chapter 13, Network Time Configuration.

  3. Install the krb5-libs, krb5-server, and krb5-workstation packages:

    # yum install krb5-libs krb5-server krb5-workstation
  4. Edit /etc/krb5.conf and configure settings for the Kerberos realm, for example:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = MYDOM.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
    [realms]
     MYDOM.COM = {
      kdc = krbsvr.mydom.com
      admin_server = krbsvr.mydom.com
     }
    
    [domain_realm]
     .mydom.com = MYDOM.COM
     mydom.com = MYDOM.COM
    
    [appdefaults]
     pam = {
       debug = true
       validate = false
     }

    In this example, the Kerberos realm is MYDOM.COM in the DNS domain mydom.com and krbsvr.mydom.com (the local system) acts as both a KDC and an administration server. The [appdefaults] section configures options for the pam_krb5.so module.

    For more information, see the krb5.conf(5) and pam_krb5(5) manual pages.

  5. Edit /var/kerberos/krb5kdc/kdc.conf and configure settings for the key distribution center, for example:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
    
    [realms]
     MYDOM.COM = {
      #master_key_type = aes256-cts
      master_key_type = des-hmac-sha1
      default_principal_flags = +preauth
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /etc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal \
      arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

    For more information, see the kdc.conf(5) manual page.

  6. Create the Kerberos database and store the database password in a stash file:

    # /usr/sbin/kdb5_util create -s
  7. Edit /var/kerberos/krb5kdc/kadm5.acl and define the principals who have administrative access to the Kerberos database, for example:

    */admin@MYDOM.COM     *

    In this example, any principal that has an instance of admin, such as alice/admin@MYDOM.COM, has full administrative control of the Kerberos database for the MYDOM.COM realm. Ordinary users in the database usually have an empty instance, for example bob@MYDOM.COM. These users have no administrative control other than being able to change their own password, which is stored in the database.

  8. Create a principal for each user who should have the admin instance, for example:

    # kadmin.local -q "addprinc alice/admin"
  9. Cache the keys that kadmind uses to decrypt administration Kerberos tickets in /etc/kadm5.keytab:

    # kadmin.local -q "ktadd -k /etc/kadm5.keytab kadmin/admin"
    # kadmin.local -q "ktadd -k /etc/kadm5.keytab kadmin/changepw"
  10. Start the KDC and administration services and configure them to start following system reboots:

    # service krb5kdc start
    # service kadmin start
    # chkconfig krb5kdc on
    # chkconfig kadmin on 
  11. Add principals for users and the Kerberos server and cache the key for the server's host principal in /etc/kadm5.keytab by using either kadmin.local or kadmin, for example:

    # kadmin.local -q "addprinc bob"
    # kadmin.local -q "addprinc -randkey host/krbsvr.mydom.com"
    # kadmin.local -q "ktadd -k /etc/kadm5.keytab host/krbsvr.mydom.com"
  12. Allow incoming TCP connections on ports 88, 464, and 749 and incoming UDP datagrams on ports 88, 464, and 749:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 88 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 464 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 749 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 88 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 464 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 749 -j ACCEPT
    # service iptables save

    where subnet_addr/prefix_length specifies the network address, for example 192.168.1.0/24.

    krb5kdc services requests on TCP port 88 and UDP port 88, and kadmind services requests on TCP ports 464 and 749 and UDP ports 464 and 749.

    In addition, you might need to allow TCP and UDP access on different ports for other applications.

For more information, see the kadmin(1) manual page.
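The two settings in this procedure that most often go wrong are the enctypes in kdc.conf (step 5, whose example keeps a des-hmac-sha1 master key with the aes256-cts alternative commented out, and lists DES and RC4 in supported_enctypes; single DES is deprecated for Kerberos by RFC 6649 and RC4 by RFC 8429) and the realm named in kadm5.acl (step 7, which must match the realm the KDC serves). The following shell script is an added example and is not part of the Oracle Linux guide or of the MIT Kerberos distribution: it audits both files for those problems. The function names weak_enctypes, acl_realm_mismatches and audit_kdc, and the sample kdc.conf and kadm5.acl contents, are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux guide: audit the enctype
# settings in kdc.conf (step 5) and the realm named in kadm5.acl (step 7).
# The function names and the sample configurations below are constructed
# for this example.

# Constructed kdc.conf mirroring the one in the text, including its
# des-hmac-sha1 master key and the DES/RC4 entries in supported_enctypes.
SAMPLE_KDC_CONF='[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYDOM.COM = {
  #master_key_type = aes256-cts
  master_key_type = des-hmac-sha1
  default_principal_flags = +preauth
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal \
  arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

# Constructed hardened variant: AES only, matching the commented-out
# aes256-cts line in the text.
HARDENED_KDC_CONF='[realms]
 MYDOM.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }'

# Constructed kadm5.acl whose second entry names a realm other than the
# one this KDC serves.
SAMPLE_ACL='*/admin@MYDOM.COM     *
*/admin@EXAMPLE.COM   *'

# weak_enctypes CONF: print, one per line, every single-DES (des-*) or
# RC4 (arcfour-hmac*) enctype named in master_key_type or supported_enctypes.
# Lines ending in a backslash are joined with the following line first, as
# kdc.conf allows; commented-out lines are ignored.
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # continuation line
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*#/ { next }
        line ~ /^[ \t]*(master_key_type|supported_enctypes)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                split(f[i], p, ":")          # drop the :normal salt suffix
                if (p[1] ~ /^des-/ || p[1] ~ /^arcfour-hmac/) print p[1]
            }
        }'
}

# acl_realm_mismatches ACL REALM: print each kadm5.acl principal pattern
# that carries an explicit realm different from REALM. Entries without a
# realm part are left alone.
acl_realm_mismatches() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        { split($1, p, "@"); if (p[2] != "" && p[2] != realm) print $1 }'
}

# audit_kdc CONF ACL REALM: report both problems on stderr; the exit status
# is non-zero if either check finds something.
audit_kdc() {
    rc=0
    weak=$(weak_enctypes "$1")
    if [ -n "$weak" ]; then
        printf 'weak enctype(s) configured: %s\n' "$(printf '%s' "$weak" | tr '\n' ' ')" >&2
        rc=1
    fi
    bad=$(acl_realm_mismatches "$2" "$3")
    if [ -n "$bad" ]; then
        printf 'kadm5.acl entries outside realm %s: %s\n' "$3" "$(printf '%s' "$bad" | tr '\n' ' ')" >&2
        rc=1
    fi
    return $rc
}

# Run both audits against the constructed files. On a real KDC, pass
# "$(cat /var/kerberos/krb5kdc/kdc.conf)" and
# "$(cat /var/kerberos/krb5kdc/kadm5.acl)" instead.
if audit_kdc "$SAMPLE_KDC_CONF" "$SAMPLE_ACL" MYDOM.COM; then
    echo "kdc.conf and kadm5.acl: no problems found"
else
    echo "kdc.conf and kadm5.acl: problems found, see messages above"
fi
```

Run against the sample kdc.conf from the text, the audit reports des-hmac-sha1 (the master key) plus arcfour-hmac, des-hmac-sha1, des-cbc-md5 and des-cbc-crc from supported_enctypes, and flags the EXAMPLE.COM ACL entry; against the AES-only variant and an ACL that names MYDOM.COM it returns success. The audit only reads configuration text, so it can be run before kdb5_util create in step 6, while the master key type can still be changed without re-creating the database.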