Kerberos
This page details the Kerberos configuration at ProgClub. Check out Network administration for other network admin related material. See Single sign-on for other SSO related material. See Projects for other projects.
Project status
Complete! Charity is now configured as the KDC. We've even finished SSH integration, and other things for Single sign-on.
Contributors
Members who have contributed to this project. Newest on top.
All contributors have agreed to the terms of the Contributor License Agreement. This excludes any upstream contributors who tend to have different administrative frameworks.
Copyright
Copyright 2011, Contributors. Licensed under the New BSD license.
Links
TODO
Nothing to see here, it's all done!
Done
See Network administration and Charity admin.
DNS configuration
See Hostnames for the Master and Slave KDCs for information about configuring DNS for Kerberos. ProgClub's DNS configuration for Kerberos is as follows:
progclub.org
$ORIGIN progclub.org.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
progclub.com
$ORIGIN progclub.com.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
progclub.info
$ORIGIN progclub.info.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
progclub.net
$ORIGIN progclub.net.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
progclub.co
$ORIGIN progclub.co.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
progclub.mobi
$ORIGIN progclub.mobi.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
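The records above are what a Kerberos client without a [realms] stanza relies on: the _kerberos TXT record names the realm, and the three SRV records locate the KDC (port 88), kadmin (749) and kpasswd (464) services. The following script is an added example, not part of the ProgClub wiki or its tooling; it parses a zone snippet in the minimal syntax used on this page (the progclub.org snippet is embedded as a constant) and checks offline that the realm hint and every SRV record are present and point at the standard ports, which is a useful check to run on all six zones before trusting DNS-based discovery.

```python
"""Offline sanity check of the DNS records Kerberos clients use to discover a
realm and its KDC: the _kerberos TXT realm hint and the SRV records for the
KDC, kadmin and kpasswd services. Added example for this page (not ProgClub
code); the zone snippet is copied from the page, the expected ports are the
standard Kerberos service ports."""

PROGCLUB_ORG_ZONE = """
$ORIGIN progclub.org.
_kerberos           TXT   "PROGCLUB.ORG"
kerberos            CNAME charity
_kerberos._udp      SRV   0 0 88  charity
_kerberos-adm._tcp  SRV   0 0 749 charity
_kpasswd._udp       SRV   0 0 464 charity
"""

# SRV owner name -> port the client expects for that service.
EXPECTED_SRV = {
    "_kerberos._udp": 88,       # KDC (AS and TGS exchanges)
    "_kerberos-adm._tcp": 749,  # kadmin
    "_kpasswd._udp": 464,       # password change
}


def parse_zone(zone_text):
    """Parse a minimal zone snippet ($ORIGIN followed by relative owner names).

    Returns (origin, records); records maps (fqdn, rrtype) to a list of
    rdata field lists. Only the subset of zone-file syntax used on this page
    is handled (no TTLs, classes or multi-line records).
    """
    origin, records = None, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN: %r" % line)
        owner, rrtype, rdata = fields[0], fields[1].upper(), fields[2:]
        fqdn = owner.rstrip(".") if owner.endswith(".") else "%s.%s" % (owner, origin)
        records.setdefault((fqdn, rrtype), []).append(rdata)
    return origin, records


def check_kerberos_dns(zone_text, realm):
    """Return a list of problems; an empty list means the records are consistent."""
    origin, records = parse_zone(zone_text)
    problems = []

    # Realm hint: clients compare the TXT value case-sensitively, so it must
    # match the realm name exactly (conventionally upper case).
    txt = records.get(("_kerberos." + origin, "TXT"))
    if not txt:
        problems.append("missing _kerberos TXT record")
    elif txt[0][0].strip('"') != realm:
        problems.append("_kerberos TXT is %s, expected %s" % (txt[0][0], realm))

    # Service discovery: each SRV record must exist and point at the right port.
    for service, port in EXPECTED_SRV.items():
        srv = records.get((service + "." + origin, "SRV"))
        if not srv:
            problems.append("missing SRV record for " + service)
            continue
        for _prio, _weight, srv_port, _target in srv:
            if int(srv_port) != port:
                problems.append("%s points at port %s, expected %d" % (service, srv_port, port))

    # krb5.conf on this page names kerberos.<domain> explicitly, so that alias
    # must exist alongside the SRV records.
    if (("kerberos." + origin, "CNAME") not in records
            and ("kerberos." + origin, "A") not in records):
        problems.append("no kerberos.%s alias or address record" % origin)
    return problems


if __name__ == "__main__":
    for problem in check_kerberos_dns(PROGCLUB_ORG_ZONE, "PROGCLUB.ORG") or ["ok"]:
        print(problem)
```

The check is deliberately strict about the TXT value: a lower-case realm in the TXT record is the classic mistake that makes `kinit` report an unknown realm even though the SRV records are fine.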
KDC configuration
The KDC (Key Distribution Centre) for ProgClub is charity.progclub.org, aliased as kerberos.progclub.*.
Configuration
root@charity:/etc# ll kr*
-rw-r--r-- 1 root root 1755 2011-08-05 02:36 krb5.conf

krb5kdc:
total 20
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 78 root root 4096 2011-08-05 02:37 ../
-rw-r--r--  1 root root  353 2011-08-04 11:53 kadm5.acl
-rw-r--r--  1 root root  640 2011-08-04 11:49 kdc.conf
-rw-------  1 root root   65 2011-08-04 11:57 stash
root@charity:/etc# cat krb5.conf
[logging]
        default = FILE:/var/log/krb5.log

[libdefaults]
        default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        PROGCLUB.ORG = {
                kdc = kerberos.progclub.org:88
                admin_server = kerberos.progclub.org
                default_domain = progclub.org
        }

[domain_realm]
        .progclub.org = PROGCLUB.ORG
        progclub.org = PROGCLUB.ORG
        .progclub.com = PROGCLUB.ORG
        progclub.com = PROGCLUB.ORG
        .progclub.info = PROGCLUB.ORG
        progclub.info = PROGCLUB.ORG
        .progclub.net = PROGCLUB.ORG
        progclub.net = PROGCLUB.ORG
        .progclub.co = PROGCLUB.ORG
        progclub.co = PROGCLUB.ORG
        .progclub.mobi = PROGCLUB.ORG
        progclub.mobi = PROGCLUB.ORG

[login]
        krb4_convert = true
        krb4_get_tickets = false
root@charity:/etc# cat krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin is given full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG *
root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
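Two things in these files are worth checking mechanically rather than by eye: that [domain_realm] in krb5.conf maps every domain the realm serves (both the bare domain and the leading-dot form, otherwise hosts in that domain fall back to DNS or heuristic realm mapping), and which of the enctypes listed in kdc.conf's supported_enctypes and master_key_type are legacy ciphers. Single DES was deprecated for Kerberos by RFC 6649, and RC4 (arcfour-hmac) and 3DES by RFC 8429. The script below is an added example, not ProgClub's code; it implements a small parser for the MIT krb5 profile format (sections, key = value, nested braces) and runs both checks over the configuration copied, abridged, from this page.

```python
"""Parse the MIT krb5 profile format shared by krb5.conf and kdc.conf and run
two consistency checks over the ProgClub configuration shown on this page:
  * every served domain has both "domain" and ".domain" in [domain_realm];
  * which supported_enctypes / master_key_type entries are single DES, 3DES or
    RC4 (deprecated by RFC 6649 and RFC 8429).
Added example, not ProgClub code; config text is copied (abridged) from the page."""

SERVED_DOMAINS = ["progclub.org", "progclub.com", "progclub.info",
                  "progclub.net", "progclub.co", "progclub.mobi"]

KRB5_CONF = """
[libdefaults]
        default_realm = PROGCLUB.ORG
[realms]
        PROGCLUB.ORG = {
                kdc = kerberos.progclub.org:88
                admin_server = kerberos.progclub.org
                default_domain = progclub.org
        }
[domain_realm]
""" + "".join("        .%s = PROGCLUB.ORG\n        %s = PROGCLUB.ORG\n" % (d, d)
              for d in SERVED_DOMAINS)

KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG
[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        max_life = 10h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
"""

# Enctype family prefix -> why it is flagged.
LEGACY = {
    "des": "single DES, deprecated by RFC 6649",
    "des3": "3DES, deprecated by RFC 8429",
    "arcfour": "RC4, deprecated by RFC 8429",
}


def parse_profile(text):
    """Return {section: {key: value-or-nested-dict}} for a krb5 profile file."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # profile comments start with '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()                       # close the current nested block
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":                  # "NAME = {" opens a nested block
                stack[-1][key] = {}
                stack.append(stack[-1][key])
            else:
                stack[-1][key] = value
    return root


def unmapped_domains(krb5_conf, domains):
    """Domains lacking either the bare or the leading-dot [domain_realm] entry."""
    mapping = krb5_conf.get("domain_realm", {})
    return [d for d in domains if d not in mapping or "." + d not in mapping]


def enctype_family(spec):
    # "des-cbc-crc:normal" -> "des", "aes256-cts:normal" -> "aes256", "des:v4" -> "des"
    return spec.split(":", 1)[0].split("-", 1)[0]


def legacy_enctypes(kdc_conf, realm):
    """(entry, reason) for each legacy enctype the realm accepts or stores with."""
    realm_conf = kdc_conf["realms"][realm]
    findings = [(spec, LEGACY[enctype_family(spec)])
                for spec in realm_conf.get("supported_enctypes", "").split()
                if enctype_family(spec) in LEGACY]
    master = realm_conf.get("master_key_type", "")
    if enctype_family(master) in LEGACY:
        findings.append(("master_key_type " + master, LEGACY[enctype_family(master)]))
    return findings


if __name__ == "__main__":
    print("unmapped domains:", unmapped_domains(parse_profile(KRB5_CONF), SERVED_DOMAINS))
    for entry, reason in legacy_enctypes(parse_profile(KDC_CONF), "PROGCLUB.ORG"):
        print("%-32s %s" % (entry, reason))
```

Run against the page's kdc.conf, the enctype check reports every entry except aes256-cts, plus the 3DES master key; the [domain_realm] check comes back clean because all six domains are mapped in both forms.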
Database
root@charity:/etc# cd /var/lib/krb5kdc/
root@charity:/var/lib/krb5kdc# ll
total 24
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 30 root root 4096 2011-08-04 11:37 ../
-rw-------  1 root root 8192 2011-08-05 02:55 principal
-rw-------  1 root root 8192 2011-08-04 11:57 principal.kadm5
-rw-------  1 root root    0 2011-08-04 11:57 principal.kadm5.lock
-rw-------  1 root root    0 2011-08-05 02:55 principal.ok
Keytab files
root@charity:/var/lib/krb5kdc# cd /etc
root@charity:/etc# find -name "*.keytab"
./apache2/apache2.keytab