SERVER auth.example.com
* yum install krb5-server krb5-workstation pam_krb5
* conf files
– /etc/krb5.conf
– /var/kerberos/krb5kdc/kdc.conf
– /var/kerberos/krb5kdc/kadm5.acl (must grant admin/admin rights, e.g. */admin@EXAMPLE.COM *)
– /etc/pam.d/system-auth
* kdb5_util create -r EXAMPLE.COM -s
* kadmin.local -q "addprinc admin/admin"
* kadmin.local -q \
"ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
* kadmin.local -q "addprinc testuser"
* kadmin.local -q "addprinc -randkey host/auth.example.com"
* kadmin.local -q "ktadd -k /etc/krb5.keytab host/auth.example.com"
* chkconfig kadmin on
* chkconfig krb5kdc on
* service kadmin start
* service krb5kdc start
* replication
– http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/install.html#SEC48
* LDAP keytab if needed
– kadmin.local -q "addprinc -randkey ldap/auth.example.com"
– kadmin.local -q "ktadd -k /etc/openldap/ldap.keytab ldap/auth.example.com"
* HTTP keytab if needed (case sensitive: the service name is upper-case HTTP)
– kadmin.local -q "addprinc -randkey HTTP/auth.example.com"
– kadmin.local -q "ktadd -k /etc/httpd/httpd.keytab HTTP/auth.example.com"
* Firefox with Kerberos:
– in about:config set network.negotiate-auth.trusted-uris to .example.com
– set network.negotiate-auth.delegation-uris to .example.com only if the web application must act on the user's behalf (it hands the server a forwarded copy of the user's TGT)
– run kinit and restart firefox
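The SERVER steps above as one script, added here as an example and not part of the original notes. It also writes the three server-side files the notes list but do not show (krb5.conf, kdc.conf, kadm5.acl). Realm, KDC hostname and paths are the notes' own; the enctype list, ticket lifetimes, the chmod on the keytab and the closing kinit -k check are this example's assumptions. Run with --apply as root on the KDC; without arguments it only prints the krb5.conf it would install, which is the same file a client such as test.example.com needs.

```shell
#!/bin/sh
# Added example (not the original notes' code): bootstrap a single MIT KDC.
# Realm and host follow the notes; enctypes, lifetimes and checks are assumptions.
REALM="${REALM:-EXAMPLE.COM}"
KDC_HOST="${KDC_HOST:-auth.example.com}"

# /etc/krb5.conf: the same file goes on the KDC and on every client. DNS
# lookups are off, so realm and KDC come from this file; [domain_realm] maps
# *.example.com hosts to EXAMPLE.COM so host/test.example.com is resolvable.
render_krb5_conf() {
    realm="$1"; kdc="$2"
    domain="$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# /var/kerberos/krb5kdc/kdc.conf: KDC-side settings; AES only, no DES.
render_kdc_conf() {
    realm="$1"
    cat <<EOF
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    $realm = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        dict_file = /usr/share/dict/words
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF
}

# /var/kerberos/krb5kdc/kadm5.acl: without this line "kadmin -p admin/admin"
# authenticates but every change is refused.
render_kadm5_acl() {
    printf '*/admin@%s\t*\n' "$1"
}

bootstrap_kdc() {
    render_krb5_conf "$REALM" "$KDC_HOST" > /etc/krb5.conf
    render_kdc_conf "$REALM" > /var/kerberos/krb5kdc/kdc.conf
    render_kadm5_acl "$REALM" > /var/kerberos/krb5kdc/kadm5.acl
    kdb5_util create -r "$REALM" -s            # prompts for the master password
    kadmin.local -q "addprinc admin/admin"     # prompts for the admin password
    kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
    kadmin.local -q "addprinc testuser"
    kadmin.local -q "addprinc -randkey host/$KDC_HOST"
    kadmin.local -q "ktadd -k /etc/krb5.keytab host/$KDC_HOST"
    chmod 600 /etc/krb5.keytab                 # the keytab is a long-lived credential
    chkconfig krb5kdc on
    chkconfig kadmin on
    service krb5kdc start
    service kadmin start
    # Check: the keytab alone must be enough to obtain a TGT for the host principal.
    kinit -k -t /etc/krb5.keytab "host/$KDC_HOST" && klist && kdestroy
}

case "${1:-}" in
    --apply) bootstrap_kdc ;;
    *) render_krb5_conf "$REALM" "$KDC_HOST" ;;
esac
```

kdb5_util and the first addprinc still prompt interactively, which is intended: the master and admin passwords should not sit on a command line or in shell history. The final kinit -k is the check worth keeping after any ktadd, since a typo in the principal name produces a keytab that looks fine in klist -kt but can never authenticate.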
CLIENT test.example.com
* yum install krb5-workstation pam_krb5
* conf files
– /etc/krb5.conf
– /etc/pam.d/system-auth
* host keytab if needed for ssh
– kinit admin/admin
– kadmin -q "addprinc -randkey host/test.example.com"
– kadmin -q "ktadd -k /etc/krb5.keytab host/test.example.com"
CROSS REALM
* On both KDCs, so that SUB.EXAMPLE.COM accepts users from EXAMPLE.COM (one-way trust); the principal must be created with the same password on both and end up with the same kvno and enctypes in both databases, or the SUB.EXAMPLE.COM KDC cannot decrypt the cross-realm TGT:
– kinit admin/admin
– kadmin -q "addprinc krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM"
* echo user@EXAMPLE.COM >> ~user/.k5login on each SUB.EXAMPLE.COM realm host
* use pam_access.so in /etc/pam.d/system-auth to limit access as needed
* add EXAMPLE.COM into [realms] and [domain_realm] in krb5.conf in SUB.EXAMPLE.COM as needed; likewise, EXAMPLE.COM clients need SUB.EXAMPLE.COM in their [realms] and [domain_realm] to find the SUB.EXAMPLE.COM KDC and map its hosts to that realm
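An added check for the cross-realm step, not part of the original notes: after krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM has been created on both KDCs, dump it from each realm's admin server with getprinc and confirm the two copies agree on key version number and encryption types, which MIT Kerberos requires for the cross-realm TGT to be usable. The getprinc dumps embedded below are constructed for this example, and the assumption that an admin/admin principal exists in both realms is this example's, not the notes'. The same-password requirement cannot be seen in getprinc output; the end-to-end test for that is to kinit as an EXAMPLE.COM user and request a service ticket for a SUB.EXAMPLE.COM host with kvno.

```shell
#!/bin/sh
# Added example (not the original notes' code): verify that the cross-realm
# krbtgt principal has matching kvno and enctypes in both realms.
XPRINC="${XPRINC:-krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM}"

# Reduce getprinc output to sorted "vno enctype" lines so two KDCs' answers
# can be compared textually. Key lines look like
#   Key: vno 1, aes256-cts-hmac-sha1-96
# and, on older releases, like
#   Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
# so the enctype is everything up to the next comma; trailing fields are dropped.
key_summary() {
    sed -n 's/^Key: vno \([0-9][0-9]*\), \([^,]*\).*/\1 \2/p' | sort
}

# Compare two getprinc dumps; returns 0 only when kvno and enctypes match.
compare_keys() {
    a="$(printf '%s\n' "$1" | key_summary)"
    b="$(printf '%s\n' "$2" | key_summary)"
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "no Key lines found in one of the dumps"
        return 2
    fi
    if [ "$a" = "$b" ]; then
        echo "cross-realm keys agree:"
        printf '%s\n' "$a"
        return 0
    fi
    echo "MISMATCH: kvno or enctypes differ; recreate the principal on both KDCs"
    printf 'EXAMPLE.COM side:\n%s\nSUB.EXAMPLE.COM side:\n%s\n' "$a" "$b"
    return 1
}

# Live check against both admin servers (assumes admin/admin in each realm
# and both realms present in krb5.conf); kadmin prompts for each password.
live_check() {
    top="$(kadmin -r EXAMPLE.COM -p admin/admin@EXAMPLE.COM -q "getprinc $XPRINC")"
    sub="$(kadmin -r SUB.EXAMPLE.COM -p admin/admin@SUB.EXAMPLE.COM -q "getprinc $XPRINC")"
    compare_keys "$top" "$sub"
}

# Constructed sample dumps (not real KDC output) for an offline run.
SAMPLE_OK='Principal: krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1'
# Same enctypes but the principal was recreated once on one KDC, bumping kvno.
SAMPLE_BAD='Principal: krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
MKey: vno 1'

case "${1:-}" in
    --live) live_check ;;
    *) compare_keys "$SAMPLE_OK" "$SAMPLE_OK"
       compare_keys "$SAMPLE_OK" "$SAMPLE_BAD" || true ;;
esac
```

A kvno mismatch is the usual failure when the principal is deleted and re-added on one KDC only: the key version climbs on that side, and tickets issued by the other realm are rejected with a key-version error even though the password was typed identically.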