Kerberos
From ProgClub
This page details the Kerberos configuration at ProgClub. Check out Network administration for other network admin related material. See Single sign-on for other SSO related material.
Project status
Complete! Charity is now configured as the KDC. SSH integration is still pending, and there are a few more things to do for Single sign-on, but Kerberos is functional.
DNS configuration
See Hostnames for the Master and Slave KDCs for information about configuring DNS for Kerberos. ProgClub's DNS configuration for Kerberos is as follows:
progclub.org
$ORIGIN progclub.org.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
progclub.com
$ORIGIN progclub.com.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
progclub.info
$ORIGIN progclub.info.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
progclub.net
$ORIGIN progclub.net.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
progclub.co
$ORIGIN progclub.co.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
progclub.mobi
$ORIGIN progclub.mobi.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
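A consistency check over one of the zone fragments above, as an added example that is not part of the ProgClub configuration: it parses the records, verifies that the _kerberos TXT realm matches the expected realm, and that each SRV record advertises the standard port and the same target host. REQUIRED, parse_zone and check_zone are this example's own names; PROGCLUB_ORG is a constructed copy of the progclub.org fragment.

```python
"""Check one of the Kerberos DNS fragments above for consistency (added example)."""

# Records a client relying on DNS realm/KDC lookup needs, with the port each
# SRV record must advertise (None for the realm TXT record).
REQUIRED = {"_kerberos": ("TXT", None), "_kerberos._udp": ("SRV", 88),
            "_kerberos-adm._tcp": ("SRV", 749), "_kpasswd._udp": ("SRV", 464)}

def parse_zone(text):
    """Map 'name TYPE data...' lines to {name: (TYPE, [data])}; $ORIGIN is skipped."""
    records = {}
    for parts in (line.split() for line in text.splitlines()):
        if parts and parts[0] != "$ORIGIN":
            records[parts[0]] = (parts[1], parts[2:])
    return records

def check_zone(text, expected_realm):
    """Return a list of problems; an empty list means the fragment is consistent."""
    recs, problems, targets = parse_zone(text), [], set()
    for name, (rtype, port) in REQUIRED.items():
        if name not in recs:
            problems.append(f"{name}: missing")
            continue
        got_type, data = recs[name]
        if got_type != rtype:
            problems.append(f"{name}: expected {rtype}, got {got_type}")
        elif rtype == "TXT":
            realm = " ".join(data).strip('"')
            if realm != expected_realm:
                problems.append(f"{name}: realm {realm!r} != {expected_realm!r}")
        elif int(data[2]) != port:  # SRV data: priority weight port target
            problems.append(f"{name}: port {data[2]} != {port}")
        else:
            targets.add(data[3])
    if len(targets) > 1:
        problems.append(f"SRV targets disagree: {sorted(targets)}")
    return problems

# Constructed copy of the progclub.org fragment above.
PROGCLUB_ORG = """
$ORIGIN progclub.org.
_kerberos TXT "PROGCLUB.ORG"
kerberos CNAME charity
_kerberos._udp SRV 0 0 88 charity
_kerberos-adm._tcp SRV 0 0 749 charity
_kpasswd._udp SRV 0 0 464 charity
"""
```

Running check_zone over each of the six fragments with "PROGCLUB.ORG" as the expected realm returns an empty list for all of them.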
KDC configuration
The KDC (Key Distribution Centre) for ProgClub is charity.progclub.org, aliased as kerberos.progclub.*.
Configuration
root@charity:/etc# ll kr*
-rw-r--r-- 1 root root 1755 2011-08-05 02:36 krb5.conf

krb5kdc:
total 20
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 78 root root 4096 2011-08-05 02:37 ../
-rw-r--r--  1 root root  353 2011-08-04 11:53 kadm5.acl
-rw-r--r--  1 root root  640 2011-08-04 11:49 kdc.conf
-rw-------  1 root root   65 2011-08-04 11:57 stash
root@charity:/etc# cat krb5.conf
[logging]
	default = FILE:/var/log/krb5.log

[libdefaults]
	default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	PROGCLUB.ORG = {
		kdc = kerberos.progclub.org:88
		admin_server = kerberos.progclub.org
		default_domain = progclub.org
	}

[domain_realm]
	.progclub.org = PROGCLUB.ORG
	progclub.org = PROGCLUB.ORG
	.progclub.com = PROGCLUB.ORG
	progclub.com = PROGCLUB.ORG
	.progclub.info = PROGCLUB.ORG
	progclub.info = PROGCLUB.ORG
	.progclub.net = PROGCLUB.ORG
	progclub.net = PROGCLUB.ORG
	.progclub.co = PROGCLUB.ORG
	progclub.co = PROGCLUB.ORG
	.progclub.mobi = PROGCLUB.ORG
	progclub.mobi = PROGCLUB.ORG

[login]
	krb4_convert = true
	krb4_get_tickets = false
root@charity:/etc# cat krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG	*
root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
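An audit of the realm block in the kdc.conf above, as an added example rather than ProgClub's own tooling: it parses the file and reports which of the configured supported_enctypes and the master_key_type are deprecated (single DES per RFC 6649; triple DES and RC4, listed here as arcfour-hmac, per RFC 8429). parse_kdc_conf and weak_enctypes are this example's own names, and KDC_CONF is a constructed copy of the realm settings shown above.

```python
"""Flag deprecated encryption types in a kdc.conf realm block (added example)."""

# "des" also matches single-DES aliases such as des-cbc-crc and triple-DES des3-*.
# RFC 6649 retired single DES; RFC 8429 deprecates triple DES and RC4 (arcfour-hmac).
WEAK_PREFIXES = ("des", "arcfour-hmac", "rc4-hmac")

def parse_kdc_conf(text):
    """Return {section: {key: value}} with '{ }' blocks nested as dicts."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line.endswith("= {"):               # e.g. "PROGCLUB.ORG = {"
            stack.append(stack[-1].setdefault(line[:-3].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            stack[-1][key] = value
    return sections

def weak_enctypes(text, realm):
    """Return {setting: [weak enctypes]} for `realm`; an empty dict means clean."""
    conf = parse_kdc_conf(text)["realms"][realm]
    findings = {}
    master = conf.get("master_key_type", "")
    if master.startswith(WEAK_PREFIXES):
        findings["master_key_type"] = [master]
    # Each entry is enctype:salttype; only the enctype part matters here.
    enctypes = {e.split(":")[0] for e in conf.get("supported_enctypes", "").split()}
    weak = sorted(e for e in enctypes if e.startswith(WEAK_PREFIXES))
    if weak:
        findings["supported_enctypes"] = weak
    return findings

# Constructed copy of the realm settings from the kdc.conf above.
KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    PROGCLUB.ORG = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
"""

if __name__ == "__main__":
    print(weak_enctypes(KDC_CONF, "PROGCLUB.ORG"))
```

Against the configuration above it reports des3-hmac-sha1 as the master key type and arcfour-hmac, des, des-cbc-crc and des3-hmac-sha1 among the supported enctypes; only the aes256-cts entry is left unflagged.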
Database
root@charity:/etc# cd /var/lib/krb5kdc/
root@charity:/var/lib/krb5kdc# ll
total 24
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 30 root root 4096 2011-08-04 11:37 ../
-rw-------  1 root root 8192 2011-08-05 02:55 principal
-rw-------  1 root root 8192 2011-08-04 11:57 principal.kadm5
-rw-------  1 root root    0 2011-08-04 11:57 principal.kadm5.lock
-rw-------  1 root root    0 2011-08-05 02:55 principal.ok
Keytab files
root@charity:/var/lib/krb5kdc# cd /etc
root@charity:/etc# find -name "*.keytab"
./apache2/apache2.keytab