Difference between revisions of "Kerberos"

From ProgClub
(Just how to Jam on Guitar - Jamming For Beginners)
m (Reverted edits by 91.121.27.33 (talk) to last revision by John)
 

Latest revision as of 18:10, 2 July 2012

This page details the Kerberos configuration at ProgClub. Check out Network administration for other network admin related material. See Single sign-on for other SSO related material. See Projects for other projects.

Project status

Complete! Charity is now configured as the KDC. We've even finished SSH integration, and other things for Single sign-on.

Contributors

Members who have contributed to this project. Newest on top.

* John

All contributors have agreed to the terms of the Contributor License Agreement. This excludes any upstream contributors who tend to have different administrative frameworks.

Copyright

Copyright 2011, Contributors. Licensed under the New BSD license.

Links

* Kerberos: http://web.mit.edu/Kerberos/
* Kerberos consortium: http://www.kerberos.org/
* Kerberos on Wikipedia: http://en.wikipedia.org/wiki/Kerberos_%28protocol%29

TODO

Nothing to see here, it's all done!

Done

See Network administration and Charity admin.

DNS configuration

See Hostnames for the Master and Slave KDCs for information about configuring DNS for Kerberos. ProgClub's DNS configuration for Kerberos is as follows:

progclub.org

    $ORIGIN progclub.org.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.com

    $ORIGIN progclub.com.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.info

    $ORIGIN progclub.info.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.net

    $ORIGIN progclub.net.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.co

    $ORIGIN progclub.co.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity

progclub.mobi

    $ORIGIN progclub.mobi.
    _kerberos               TXT       "PROGCLUB.ORG"
    kerberos                CNAME     charity
    _kerberos._udp          SRV       0 0 88 charity
    _kerberos-adm._tcp      SRV       0 0 749 charity
    _kpasswd._udp           SRV       0 0 464 charity
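The records above are what a Kerberos client consults when DNS-based lookup is enabled: the `_kerberos` TXT record names the realm for a domain (walking up from the host's own name), and the `_kerberos._udp`, `_kerberos-adm._tcp` and `_kpasswd._udp` SRV records under the realm name locate the KDC, the admin server and the password server. The following added example (not part of ProgClub's configuration) reproduces both lookups over a constructed copy of two of the zone fragments shown on this page, so the effect of pointing every domain's TXT record at the single realm PROGCLUB.ORG can be checked offline. Because a TXT answer is unauthenticated, MIT Kerberos leaves `dns_lookup_realm` off by default; the explicit `[domain_realm]` mapping in krb5.conf shown below is the authoritative one.

```python
"""Resolve a Kerberos realm and its KDCs from _kerberos TXT / SRV records."""

# Constructed copy of two of the zone fragments shown on this page (progclub.org, progclub.com).
ZONE = """\
$ORIGIN progclub.org.
_kerberos               TXT       "PROGCLUB.ORG"
kerberos                CNAME     charity
_kerberos._udp          SRV       0 0 88 charity
_kerberos-adm._tcp      SRV       0 0 749 charity
_kpasswd._udp           SRV       0 0 464 charity
$ORIGIN progclub.com.
_kerberos               TXT       "PROGCLUB.ORG"
_kerberos._udp          SRV       0 0 88 charity
"""

def parse_zone(text):
    """Return {owner_fqdn: [(rtype, rdata)]}; relative owner names and SRV/CNAME
    targets are qualified with the $ORIGIN in force, as a zone file parser would."""
    records, origin = {}, '.'
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == '$ORIGIN':
            origin = parts[1]
            continue
        owner, rtype, fields = parts[0], parts[1], parts[2:]
        if rtype in ('SRV', 'CNAME') and not fields[-1].endswith('.'):
            fields[-1] = f'{fields[-1]}.{origin}'
        fqdn = owner if owner.endswith('.') else f'{owner}.{origin}'
        records.setdefault(fqdn, []).append((rtype, ' '.join(fields)))
    return records

def realm_for_host(host, records):
    """What dns_lookup_realm does: query _kerberos.<host>, then each parent
    domain in turn, and take the first TXT answer as the realm name."""
    labels = host.rstrip('.').split('.')
    for i in range(len(labels)):
        owner = '_kerberos.' + '.'.join(labels[i:]) + '.'
        for rtype, rdata in records.get(owner, []):
            if rtype == 'TXT':
                return rdata.strip('"')
    return None  # no TXT record: the client has to fall back to [domain_realm]

def kdcs_for_realm(realm, records, service='_kerberos._udp'):
    """What dns_lookup_kdc does: read the SRV records under the realm's DNS
    name and return (target, port) pairs ordered by priority, then weight."""
    found = []
    for rtype, rdata in records.get(f'{service}.{realm.lower()}.', []):
        if rtype == 'SRV':
            prio, weight, port, target = rdata.split()
            found.append((int(prio), -int(weight), target, int(port)))
    return [(target, port) for _, _, target, port in sorted(found)]
```

Note that the progclub.com fragment's relative SRV target `charity` resolves to charity.progclub.com, not to the KDC's canonical name; only the realm's own domain (progclub.org) is consulted for KDC lookup, so that record is harmless but also unused.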

KDC configuration

The KDC (Key Distribution Centre) for ProgClub is charity.progclub.org, aliased as kerberos.progclub.*.

Configuration

root@charity:/etc# ll kr*
-rw-r--r-- 1 root root 1755 2011-08-05 02:36 krb5.conf

krb5kdc:
total 20
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 78 root root 4096 2011-08-05 02:37 ../
-rw-r--r--  1 root root  353 2011-08-04 11:53 kadm5.acl
-rw-r--r--  1 root root  640 2011-08-04 11:49 kdc.conf
-rw-------  1 root root   65 2011-08-04 11:57 stash

root@charity:/etc# cat krb5.conf
[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true 

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java). 

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1 

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        PROGCLUB.ORG = {
                kdc = kerberos.progclub.org:88
                admin_server = kerberos.progclub.org
                default_domain = progclub.org
        }

[domain_realm]
        .progclub.org = PROGCLUB.ORG
        progclub.org = PROGCLUB.ORG
        .progclub.com = PROGCLUB.ORG
        progclub.com = PROGCLUB.ORG
        .progclub.info = PROGCLUB.ORG
        progclub.info = PROGCLUB.ORG
        .progclub.net = PROGCLUB.ORG
        progclub.net = PROGCLUB.ORG
        .progclub.co = PROGCLUB.ORG
        progclub.co = PROGCLUB.ORG
        .progclub.mobi = PROGCLUB.ORG
        progclub.mobi = PROGCLUB.ORG

[login]
        krb4_convert = true
        krb4_get_tickets = false

root@charity:/etc# cat krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG    *

root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
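The kdc.conf above enables single-DES, triple-DES and RC4 (arcfour-hmac) key types alongside AES, and stores the master key as des3-hmac-sha1; single DES has since been deprecated by RFC 6649 and triple DES and RC4 by RFC 8429. The following added example (not ProgClub's code) parses the brace-nested profile format that krb5.conf and kdc.conf share, including nested blocks like v4_name_convert, and reports which of a realm's supported_enctypes fall into a deprecated family. The KDC_CONF sample is a constructed excerpt of the stanzas shown on this page.

```python
"""Parse the MIT profile format (krb5.conf / kdc.conf) and audit a realm's enctypes."""

# Constructed sample: the kdc.conf stanzas from this page that matter for the audit.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
"""

# Enctype families no longer acceptable: single DES (RFC 6649), triple DES and RC4 (RFC 8429).
DEPRECATED_PREFIXES = ('des', 'arcfour', 'rc4')

def parse_profile(text):
    """Return {section: {key: value | nested dict}}; '{' opens a nested
    subsection and '}' closes it, as in krb5.conf's v4_name_convert block."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # blank and comment lines
            continue
        if line[0] == '[' and line[-1] == ']':
            stack = [root.setdefault(line[1:-1], {})]
        elif line == '}':
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def audit_realm(profile, realm):
    """Split supported_enctypes into acceptable and deprecated enctype names and
    flag a deprecated master key type; repeated names (the des:* salts) collapse."""
    stanza = profile['realms'][realm]
    names = []
    for tok in stanza.get('supported_enctypes', '').split():
        name = tok.split(':', 1)[0]          # the part after ':' is the salt type
        if name not in names:
            names.append(name)
    deprecated = [n for n in names if n.startswith(DEPRECATED_PREFIXES)]
    return {
        'acceptable': [n for n in names if n not in deprecated],
        'deprecated': deprecated,
        'master_key_deprecated': stanza.get('master_key_type', '').startswith(DEPRECATED_PREFIXES),
    }
```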

Database

root@charity:/etc# cd /var/lib/krb5kdc/
root@charity:/var/lib/krb5kdc# ll
total 24
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 30 root root 4096 2011-08-04 11:37 ../
-rw-------  1 root root 8192 2011-08-05 02:55 principal
-rw-------  1 root root 8192 2011-08-04 11:57 principal.kadm5
-rw-------  1 root root    0 2011-08-04 11:57 principal.kadm5.lock
-rw-------  1 root root    0 2011-08-05 02:55 principal.ok

Keytab files

root@charity:/var/lib/krb5kdc# cd /etc
root@charity:/etc# find -name "*.keytab"
./apache2/apache2.keytab