The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
If you want to configure any client systems to use Kerberos authentication, it is recommended that you first configure a Kerberos server. You can then configure any clients that you require.
Keep any system that you configure as a Kerberos server very secure, and do not configure it to perform any other service function.
To configure a Kerberos server that can act as a key distribution center (KDC) and a Kerberos administration server:
Configure the server to use DNS, and verify that both forward and reverse name lookups of the server's domain name and IP address work.
For more information about configuring DNS, see Chapter 13, Name Service Configuration.
Configure the server to use a network time synchronization mechanism such as the Network Time Protocol (NTP) or Precision Time Protocol (PTP). Kerberos requires that the system time on Kerberos servers and clients is synchronized as closely as possible. If the system times of the server and a client differ by more than 300 seconds (by default), authentication fails.
For more information, see Chapter 14, Network Time Configuration.
Install the krb5-libs, krb5-server, and krb5-workstation packages:

    # yum install krb5-libs krb5-server krb5-workstation
Edit /etc/krb5.conf and configure settings for the Kerberos realm, for example:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MYDOM.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     MYDOM.COM = {
      kdc = krbsvr.mydom.com
      admin_server = krbsvr.mydom.com
     }

    [domain_realm]
     .mydom.com = MYDOM.COM
     mydom.com = MYDOM.COM

    [appdefaults]
     pam = {
      debug = true
      validate = false
     }

In this example, the Kerberos realm is MYDOM.COM in the DNS domain mydom.com, and krbsvr.mydom.com (the local system) acts as both a KDC and an administration server. The [appdefaults] section configures options for the pam_krb5.so module.

For more information, see the krb5.conf(5) and pam_krb5(5) manual pages.

Edit /var/kerberos/krb5kdc/kdc.conf and configure settings for the key distribution center, for example:

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     MYDOM.COM = {
      #master_key_type = aes256-cts
      master_key_type = des-hmac-sha1
      default_principal_flags = +preauth
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /etc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal \
       arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

For more information, see the kdc.conf(5) manual page.

Create the Kerberos database and store the database password in a stash file:

    # /usr/sbin/kdb5_util create -s
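Both /etc/krb5.conf and kdc.conf use the same profile syntax: bracketed sections, key = value entries, and nested { } blocks for realms. The following parser and consistency checks are an added example written for this page; they are not part of Oracle Linux or MIT Kerberos. The sample profiles are constructed from the examples above (abridged), and the checks flag the configuration mistakes that most often stop a fresh KDC from working (default_realm not defined under [realms], a realm without kdc or admin_server, a [domain_realm] mapping to an unknown realm) plus the weak enctype choices in the kdc.conf example, where aes256-cts is commented out in favour of single DES. Treating the des-, des3- and arcfour- families as weak, and treating a trailing backslash as line continuation, are this example's assumptions.

```python
"""Parse MIT krb5-style profiles (krb5.conf / kdc.conf) and sanity-check them.
Added example for this page; not Oracle's or MIT's code."""
import re

# Constructed sample inputs, abridged from the page's krb5.conf and kdc.conf examples.
KRB5_CONF = """\
[libdefaults]
 default_realm = MYDOM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MYDOM.COM = {
  kdc = krbsvr.mydom.com
  admin_server = krbsvr.mydom.com
 }

[domain_realm]
 .mydom.com = MYDOM.COM
 mydom.com = MYDOM.COM
"""

KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYDOM.COM = {
  #master_key_type = aes256-cts
  master_key_type = des-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal \\
   arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Assumption: single DES, triple DES and RC4 (arcfour) are all treated as weak.
WEAK_ENCTYPES = ("des-", "des3-", "arcfour-")


def parse_profile(text):
    """Return {section: {key: value-or-dict}}; nested '{ ... }' blocks become dicts.
    A trailing backslash joins the next physical line (assumption: the page wraps
    long values this way)."""
    config, stack, pending = {}, [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [config.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError("entry outside of any [section]: %r" % line)
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return config


def check_krb5(conf):
    """Findings for a krb5.conf-style profile: realm references must resolve."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("libdefaults: no default_realm")
    elif default_realm not in realms:
        findings.append("default_realm %s is not defined in [realms]" % default_realm)
    for name, realm in realms.items():
        for key in ("kdc", "admin_server"):
            if key not in realm:
                findings.append("realm %s: missing %s" % (name, key))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append("domain_realm %s maps to unknown realm %s" % (domain, realm))
    return findings


def check_kdc(conf):
    """Findings for a kdc.conf-style profile: weak master key, weak enctypes, no preauth."""
    findings = []
    for name, realm in conf.get("realms", {}).items():
        mkt = realm.get("master_key_type", "")
        if mkt.startswith(WEAK_ENCTYPES):
            findings.append("realm %s: master_key_type %s is weak" % (name, mkt))
        for entry in realm.get("supported_enctypes", "").split():
            if entry.startswith(WEAK_ENCTYPES):
                findings.append("realm %s: supported_enctypes offers weak %s"
                                % (name, entry.split(":")[0]))
        if "+preauth" not in realm.get("default_principal_flags", ""):
            findings.append("realm %s: preauthentication not required" % name)
    return findings


if __name__ == "__main__":
    for label, text, check in (("krb5.conf", KRB5_CONF, check_krb5), ("kdc.conf", KDC_CONF, check_kdc)):
        for finding in check(parse_profile(text)) or ["no findings"]:
            print("%s: %s" % (label, finding))
```

Run against the sample above, the krb5.conf side reports nothing, while the kdc.conf side reports the DES master key and the five weak entries in supported_enctypes; uncommenting the aes256-cts master key and trimming the enctype list removes them. Point the parser at the real files (open(...).read()) to check a server you are building.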
Edit /var/kerberos/krb5kdc/kadm5.acl and define the principals who have administrative access to the Kerberos database, for example:

    */admin@MYDOM.COM *

In this example, any principal who has an instance of admin, such as alice/admin@MYDOM.COM, has full administrative control of the Kerberos database for the MYDOM.COM domain. Ordinary users in the database usually have an empty instance, for example bob@MYDOM.COM. These users have no administrative control other than being able to change their password, which is stored in the database.

Create a principal for each user who should have the admin instance, for example:

    # kadmin.local -q "addprinc alice/admin"
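Why */admin@MYDOM.COM grants alice/admin@MYDOM.COM everything but gives bob@MYDOM.COM nothing comes down to how kadm5.acl patterns are matched: component by component, with * standing for one whole component, so a two-component pattern never matches a one-component principal. The evaluator below is an added example for this page, not Oracle's or MIT's code; it models the documented ACL format (principal pattern, permission letters where upper case denies and x or * means all privileges except key extraction, optional target pattern, first matching entry wins). The constructed ACL adds a helpdesk role and a deny entry to show the behaviour beyond the single line above. Whole-component wildcards only, an omitted realm defaulting to MYDOM.COM, and skipping an entry whose target pattern does not match are this example's assumptions.

```python
"""Evaluate kadm5.acl-style entries: may this principal exercise this privilege?
Added example for this page; not Oracle's or MIT's code."""

# Constructed ACL: the page's rule, a helpdesk role that may only change
# passwords and inquire about plain user principals, and a host role that is
# explicitly denied 'a' (add) while keeping the other privileges.
KADM5_ACL = """\
# principal            permissions   [target]
*/admin@MYDOM.COM      *
*/helpdesk@MYDOM.COM   ci            *@MYDOM.COM
host/*@MYDOM.COM       Ax
"""

# What 'x' and '*' expand to; key extraction ('e') is never implied by them.
ALL_PRIVS = "admcilsp"


def split_principal(name, default_realm):
    """'alice/admin@MYDOM.COM' -> (['alice', 'admin'], 'MYDOM.COM'); realm defaults if absent."""
    principal, _, realm = name.partition("@")
    return principal.split("/"), (realm or default_realm)


def principal_matches(pattern, name, default_realm):
    """Component-wise match; a '*' component matches exactly one component, so the
    component count must agree (assumption: whole-component wildcards only)."""
    p_comps, p_realm = split_principal(pattern, default_realm)
    n_comps, n_realm = split_principal(name, default_realm)
    if len(p_comps) != len(n_comps):
        return False
    if p_realm != "*" and p_realm != n_realm:
        return False
    return all(p == "*" or p == n for p, n in zip(p_comps, n_comps))


def parse_acl(text):
    """Return a list of (pattern, allowed_set, denied_set, target_pattern_or_None)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        pattern, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        allowed, denied = set(), set()
        for ch in perms:
            privs = ALL_PRIVS if ch in "xX*" else ch.lower()
            (denied if ch.isupper() else allowed).update(privs)
        entries.append((pattern, allowed, denied, target))
    return entries


def is_allowed(acl, actor, priv, target=None, default_realm="MYDOM.COM"):
    """First entry whose principal pattern (and target pattern, when both are given)
    matches decides; an explicit upper-case denial wins; no matching entry denies."""
    for pattern, allowed, denied, target_pattern in acl:
        if not principal_matches(pattern, actor, default_realm):
            continue
        if target_pattern and target and not principal_matches(target_pattern, target, default_realm):
            continue
        if priv in denied:
            return False
        return priv in allowed
    return False


if __name__ == "__main__":
    acl = parse_acl(KADM5_ACL)
    for actor, priv, target in (("alice/admin@MYDOM.COM", "a", None),
                                ("bob@MYDOM.COM", "c", None),
                                ("carol/helpdesk@MYDOM.COM", "c", "bob@MYDOM.COM"),
                                ("carol/helpdesk@MYDOM.COM", "c", "alice/admin@MYDOM.COM")):
        print(actor, priv, target, "->", is_allowed(acl, actor, priv, target))
```

Note that bob@MYDOM.COM is denied even though the first pattern contains a wildcard: the pattern has two components and bob's name has one. His own password change goes through kpasswd against the changepw service, not through a kadmin privilege, which is the distinction the paragraph above draws.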
Cache the keys that kadmind uses to decrypt administration Kerberos tickets in /etc/kadm5.keytab:

    # kadmin.local -q "ktadd -k /etc/kadm5.keytab kadmin/admin"
    # kadmin.local -q "ktadd -k /etc/kadm5.keytab kadmin/changepw"
Start the KDC and administration services and configure them to start following system reboots:

    # service krb5kdc start
    # service kadmin start
    # chkconfig krb5kdc on
    # chkconfig kadmin on
Add principals for users and the Kerberos server and cache the key for the server's host principal in /etc/kadm5.keytab by using either kadmin.local or kadmin, for example:

    # kadmin.local -q "addprinc bob"
    # kadmin.local -q "addprinc -randkey host/krbsvr.mydom.com"
    # kadmin.local -q "ktadd -k /etc/kadm5.keytab host/krbsvr.mydom.com"
Allow incoming TCP connections to ports 88, 464, and 749 and UDP datagrams on ports 88, 464, and 749:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp -m udp --dport 88 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp -m udp --dport 464 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp -m udp --dport 749 -j ACCEPT
    # service iptables save

In the example, subnet_addr/prefix_length specifies the network address, for example 192.168.1.0/24. krb5kdc services requests on TCP port 88 and UDP port 88; kadmind services requests on TCP ports 464 and 749 and UDP ports 464 and 749. In addition, you might need to allow TCP and UDP access on different ports for other applications.

For more information, see the kadmin(1) manual page.