SERVER auth.example.com
\n* yum install krb5-server krb5-workstation pam_krb5
\n* conf files
\n – \/etc\/krb5.conf
\n – \/var\/kerberos\/krb5kdc\/kdc.conf
\n – \/var\/kerberos\/krb5kdc\/kadm5.acl
\n – \/etc\/pam.d\/system-auth<\/p>\n
* kdb5_util create -r EXAMPLE.COM -s
\n* kadmin.local -q “addprinc admin\/admin”
\n* kadmin.local -q \\
\n “ktadd -k \/var\/kerberos\/krb5kdc\/kadm5.keytab kadmin\/admin kadmin\/changepw”
\n* kadmin.local -q “addprinc testuser”
\n* kadmin.local -q “addprinc -randkey host\/auth.example.com”
\n* kadmin.local -q “ktadd -k \/etc\/krb5.keytab host\/auth.example.com”
\n* chkconfig kadmin on
\n* chkconfig krb5kdc on
\n* service kadmin start
\n* service krb5kdc start
\n* replication
\n – http:\/\/web.mit.edu\/kerberos\/www\/krb5-1.2\/krb5-1.2.5\/doc\/install.html#SEC48<\/p>\n
* LDAP keytab if needed
\n – kadmin.local -q “addprinc -randkey ldap\/auth.example.com”
\n – kadmin.local -q “ktadd -k \/etc\/openldap\/ldap.keytab ldap\/auth.example.com”
\n* HTTP keytab if needed (case sensitive)
\n – kadmin.local -q “addprinc -randkey HTTP\/auth.example.com”
\n – kadmin.local -q “ktadd -k \/etc\/httpd\/httpd.keytab HTTP\/auth.example.com”
\n* Firefox with Kerberos:
\n – From about:config set to .example.com
\n – network.negotiate-auth.delegation-uris
\n – network.negotiate-auth.trusted-uris
\n – run kinit and restart firefox<\/p>\n
CLIENT test.example.com
\n* yum install krb5-workstation pam_krb5
\n* conf files
\n – \/etc\/krb5.conf
\n – \/etc\/pam.d\/system-auth<\/p>\n
* host keytab if needed for ssh
\n – kinit admin\/admin
\n – kadmin -q “addprinc -randkey host\/test.example.com”
\n – kadmin -q “ktadd -k \/etc\/krb5.keytab host\/test.example.com”<\/p>\n
CROSS REALM
\n* On both KDCs for SUB.EXAMPLE.COM to trust EXAMPLE.COM (one-way trust):
\n – kinit admin\/admin
\n – kadmin -q “addprinc krbtgt\/SUB.EXAMPLE.COM@EXAMPLE.COM”
\n* echo user@EXAMPLE.COM >> ~user\/.k5login on each SUB.EXAMPLE.COM realm host
\n* use pam_access.so in \/etc\/pam.d\/system-auth to limit access as needed
\n* add EXAMPLE.COM into [realms] and [domain_realm] in krb5.conf
\n in SUB.EXAMPLE.COM as needed<\/p>\n","protected":false},"excerpt":{"rendered":"
SERVER auth.example.com * yum install krb5-server krb5-workstation pam_krb5 * conf files – \/etc\/krb5.conf – \/var\/kerberos\/krb5kdc\/kdc.conf – \/var\/kerberos\/krb5kdc\/kadm5.acl – \/etc\/pam.d\/system-auth<\/p>\n
* kdb5_util create -r EXAMPLE.COM -s * kadmin.local -q “addprinc admin\/admin” * kadmin.local -q \\ “ktadd -k \/var\/kerberos\/krb5kdc\/kadm5.keytab kadmin\/admin kadmin\/changepw” * kadmin.local -q “addprinc testuser” * kadmin.local -q “addprinc -randkey host\/auth.example.com” * kadmin.local -q “ktadd -k […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2351"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2351"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2351\/revisions"}],"predecessor-version":[{"id":2390,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2351\/revisions\/2390"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}