Difference between revisions of "MIT krb5"
Latest revision as of 09:36, 20 September 2009
Download Source: http://web.mit.edu/kerberos/www/dist/krb5/1.7/krb5-1.7-signed.tar

The -signed.tar archive wraps the source tarball together with its detached PGP signature; verify the signature against the MIT Kerberos release key before unpacking the source.
Introduction to MIT krb5
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology.
Project Homepage: http://web.mit.edu/Kerberos/
Dependencies
!!!HIGHLY RECOMMENDED!!!
- NTP (Kerberos rejects messages whose timestamps differ from the KDC's clock by more than the permitted clock skew, five minutes by default, so unsynchronised clocks cause authentication failures)
Optional
- xinetd (only for the kerberized application servers such as telnetd, ftpd, klogind and kshd)
- Linux-PAM (for xdm based logins)
- OpenLDAP (alternative back end for the KDC principal database)
Non-Multilib
Build the package:

    cd src && CPPFLAGS="-DEAI_NODATA=EAI_NONAME" \
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib \
        --enable-dns-for-realm --mandir=/usr/share/man &&
    make

--enable-dns-for-realm makes the library look up a host's realm through DNS TXT records by default (the dns_lookup_realm setting in [libdefaults]). Plain DNS is not authenticated, so whoever can answer DNS queries for a client could steer it to a realm of their choosing. Explicit [domain_realm] entries in /etc/krb5.conf (as in the configuration later on this page) are consulted first and should cover every host; setting dns_lookup_realm = false in [libdefaults] disables the DNS fallback entirely.
Install the package:
    make install &&
    chmod -v 755 /usr/lib/lib{krb5support,com_err,k5crypto,krb5}.so* &&
    chmod -v 755 /usr/lib/lib{gssapi_krb5,gssrpc,kdb5,kadm5clnt,kadm5srv}.so* &&
    chmod -v 755 /usr/lib/krb5/plugins/*/*.so &&
    mv -v /usr/lib/libcom_err.so.3* /lib &&
    mv -v /usr/lib/libgssapi_krb5.so.2* /lib &&
    mv -v /usr/lib/libgssrpc.so.4* /lib &&
    mv -v /usr/lib/libk5crypto.so.3* /lib &&
    mv -v /usr/lib/libkadm5clnt.so.6* /lib &&
    mv -v /usr/lib/libkadm5srv.so.6* /lib &&
    mv -v /usr/lib/libkdb5.so.4* /lib &&
    mv -v /usr/lib/libkrb5.so.3* /lib &&
    mv -v /usr/lib/libkrb5support.so.0* /lib &&
    ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &&
    ln -v -sf ../../lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so &&
    ln -v -sf ../../lib/libgssrpc.so.4 /usr/lib/libgssrpc.so &&
    ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &&
    ln -v -sf ../../lib/libkadm5clnt.so.6 /usr/lib/libkadm5clnt.so &&
    ln -v -sf ../../lib/libkadm5srv.so.6 /usr/lib/libkadm5srv.so &&
    ln -v -sf ../../lib/libkdb5.so.4 /usr/lib/libkdb5.so &&
    ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &&
    ln -v -sf ../../lib/libkrb5support.so.0 /usr/lib/libkrb5support.so &&
    mv -v /usr/bin/ksu /bin &&
    ldconfig
Multilib
32Bit
Build the package:

    cd src && CPPFLAGS="-DEAI_NODATA=EAI_NONAME" CC="gcc ${BUILD32}" USE_ARCH=32 \
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib \
        --enable-dns-for-realm --mandir=/usr/share/man &&
    make
Install the package:
    make install &&
    chmod -v 755 /usr/lib/lib{krb5support,com_err,k5crypto,krb5}.so* &&
    chmod -v 755 /usr/lib/lib{gssapi_krb5,gssrpc,kdb5,kadm5clnt,kadm5srv}.so* &&
    chmod -v 755 /usr/lib/krb5/plugins/*/*.so &&
    mv -v /usr/lib/libcom_err.so.3* /lib &&
    mv -v /usr/lib/libgssapi_krb5.so.2* /lib &&
    mv -v /usr/lib/libgssrpc.so.4* /lib &&
    mv -v /usr/lib/libk5crypto.so.3* /lib &&
    mv -v /usr/lib/libkadm5clnt.so.6* /lib &&
    mv -v /usr/lib/libkadm5srv.so.6* /lib &&
    mv -v /usr/lib/libkdb5.so.4* /lib &&
    mv -v /usr/lib/libkrb5.so.3* /lib &&
    mv -v /usr/lib/libkrb5support.so.0* /lib &&
    ln -v -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &&
    ln -v -sf ../../lib/libgssapi_krb5.so.2 /usr/lib/libgssapi_krb5.so &&
    ln -v -sf ../../lib/libgssrpc.so.4 /usr/lib/libgssrpc.so &&
    ln -v -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &&
    ln -v -sf ../../lib/libkadm5clnt.so.6 /usr/lib/libkadm5clnt.so &&
    ln -v -sf ../../lib/libkadm5srv.so.6 /usr/lib/libkadm5srv.so &&
    ln -v -sf ../../lib/libkdb5.so.4 /usr/lib/libkdb5.so &&
    ln -v -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &&
    ln -v -sf ../../lib/libkrb5support.so.0 /usr/lib/libkrb5support.so &&
    mv -v /usr/bin/ksu /bin &&
    mv -v /usr/bin/krb5-config{,-32} &&
    ldconfig
N32
Build the package:

    cd src && CPPFLAGS="-DEAI_NODATA=EAI_NONAME" CC="gcc ${BUILDN32}" USE_ARCH=n32 \
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib \
        --enable-dns-for-realm --mandir=/usr/share/man --libdir=/usr/lib32 &&
    make
Install the package:
    make install &&
    chmod -v 755 /usr/lib32/lib{krb5support,com_err,k5crypto,krb5}.so* &&
    chmod -v 755 /usr/lib32/lib{gssapi_krb5,gssrpc,kdb5,kadm5clnt,kadm5srv}.so* &&
    chmod -v 755 /usr/lib32/krb5/plugins/*/*.so &&
    mv -v /usr/lib32/libcom_err.so.3* /lib32 &&
    mv -v /usr/lib32/libgssapi_krb5.so.2* /lib32 &&
    mv -v /usr/lib32/libgssrpc.so.4* /lib32 &&
    mv -v /usr/lib32/libk5crypto.so.3* /lib32 &&
    mv -v /usr/lib32/libkadm5clnt.so.6* /lib32 &&
    mv -v /usr/lib32/libkadm5srv.so.6* /lib32 &&
    mv -v /usr/lib32/libkdb5.so.4* /lib32 &&
    mv -v /usr/lib32/libkrb5.so.3* /lib32 &&
    mv -v /usr/lib32/libkrb5support.so.0* /lib32 &&
    ln -v -sf ../../lib32/libcom_err.so.3 /usr/lib32/libcom_err.so &&
    ln -v -sf ../../lib32/libgssapi_krb5.so.2 /usr/lib32/libgssapi_krb5.so &&
    ln -v -sf ../../lib32/libgssrpc.so.4 /usr/lib32/libgssrpc.so &&
    ln -v -sf ../../lib32/libk5crypto.so.3 /usr/lib32/libk5crypto.so &&
    ln -v -sf ../../lib32/libkadm5clnt.so.6 /usr/lib32/libkadm5clnt.so &&
    ln -v -sf ../../lib32/libkadm5srv.so.6 /usr/lib32/libkadm5srv.so &&
    ln -v -sf ../../lib32/libkdb5.so.4 /usr/lib32/libkdb5.so &&
    ln -v -sf ../../lib32/libkrb5.so.3 /usr/lib32/libkrb5.so &&
    ln -v -sf ../../lib32/libkrb5support.so.0 /usr/lib32/libkrb5support.so &&
    mv -v /usr/bin/ksu /bin &&
    mv -v /usr/bin/krb5-config{,-n32} &&
    ldconfig
64Bit
Build the package:

    cd src && CPPFLAGS="-DEAI_NODATA=EAI_NONAME" CC="gcc ${BUILD64}" USE_ARCH=64 \
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/lib \
        --enable-dns-for-realm --mandir=/usr/share/man --libdir=/usr/lib64 &&
    make
Install the package:
    make install &&
    chmod -v 755 /usr/lib64/lib{krb5support,com_err,k5crypto,krb5}.so* &&
    chmod -v 755 /usr/lib64/lib{gssapi_krb5,gssrpc,kdb5,kadm5clnt,kadm5srv}.so* &&
    chmod -v 755 /usr/lib64/krb5/plugins/*/*.so &&
    mv -v /usr/lib64/libcom_err.so.3* /lib64 &&
    mv -v /usr/lib64/libgssapi_krb5.so.2* /lib64 &&
    mv -v /usr/lib64/libgssrpc.so.4* /lib64 &&
    mv -v /usr/lib64/libk5crypto.so.3* /lib64 &&
    mv -v /usr/lib64/libkadm5clnt.so.6* /lib64 &&
    mv -v /usr/lib64/libkadm5srv.so.6* /lib64 &&
    mv -v /usr/lib64/libkdb5.so.4* /lib64 &&
    mv -v /usr/lib64/libkrb5.so.3* /lib64 &&
    mv -v /usr/lib64/libkrb5support.so.0* /lib64 &&
    ln -v -sf ../../lib64/libcom_err.so.3 /usr/lib64/libcom_err.so &&
    ln -v -sf ../../lib64/libgssapi_krb5.so.2 /usr/lib64/libgssapi_krb5.so &&
    ln -v -sf ../../lib64/libgssrpc.so.4 /usr/lib64/libgssrpc.so &&
    ln -v -sf ../../lib64/libk5crypto.so.3 /usr/lib64/libk5crypto.so &&
    ln -v -sf ../../lib64/libkadm5clnt.so.6 /usr/lib64/libkadm5clnt.so &&
    ln -v -sf ../../lib64/libkadm5srv.so.6 /usr/lib64/libkadm5srv.so &&
    ln -v -sf ../../lib64/libkdb5.so.4 /usr/lib64/libkdb5.so &&
    ln -v -sf ../../lib64/libkrb5.so.3 /usr/lib64/libkrb5.so &&
    ln -v -sf ../../lib64/libkrb5support.so.0 /usr/lib64/libkrb5support.so &&
    mv -v /usr/bin/ksu /bin &&
    mv -v /usr/bin/krb5-config{,-64} &&
    ln -sfv multiarch_wrapper /usr/bin/krb5-config &&
    ldconfig
Configuring
Note: login.krb5 does not support shadow passwords. When the Kerberos server is unavailable it falls back to /etc/passwd, which no longer holds any password hashes (CLFS moved them to /etc/shadow), so replacing login without moving the hashes back to /etc/passwd can lock every user out of the system.

If you have Linux-PAM installed, keep the login program provided by shadow and authenticate against Kerberos through the Pam-krb5 module (recommended). If you understand the warning above and Linux-PAM is not installed, the following commands can be used:

    mv -v /bin/login /bin/login.shadow &&
    cp -v /usr/sbin/login.krb5 /bin/login
The information in the sections below is based on the following pages:

http://www.bayour.com/LDAPv3-HOWTO.html
http://aput.net/~jheiss/krbldap/
Creating a Kerberos Realm
Note: at this point it is strongly recommended that you have a working DNS server. Once logins depend on Kerberos, a failure to resolve the name of the KDC will result in login failures.

Create the directory that will hold the KDC database:
install -dv -m755 /var/lib/krb5kdc
Create the Kerberos configuration with the following command. By convention the realm name is the site's DNS domain in upper case; the [domain_realm] entries map host names, written in lower case, to that realm.

    cat > /etc/krb5.conf << "EOF"
    # Begin /etc/krb5.conf

    [libdefaults]
        default_realm = <REALMNAME.COM>

    [kdc]
        profile = /var/lib/krb5kdc/kdc.conf

    [appdefaults]
        # 'encrypt' is an application option (rlogin, rsh, telnet), not a
        # [libdefaults] option, so it belongs in this section.
        encrypt = true
        pam = {
            <REALMNAME.COM> = {
                minimum_uid = 5000
            }
        }

    [realms]
        <REALMNAME.COM> = {
            kdc = <servername.realmname.com>
            admin_server = <servername.realmname.com>
            dict_file = /usr/share/dict/words
        }

    [domain_realm]
        .<realmname.com> = <REALMNAME.COM>
        <realmname.com> = <REALMNAME.COM>

    [logging]
        # The documented form is SYSLOG[:severity[:facility]]; the brackets
        # only mark the optional parts and are not written into the file.
        kdc = SYSLOG:INFO:AUTH
        admin_server = SYSLOG:INFO:AUTH
        default = SYSLOG

    # End /etc/krb5.conf
    EOF
On the Kerberos Server create the KDC Configuration File:
    cat > /var/lib/krb5kdc/kdc.conf << "EOF"
    # Begin /var/lib/krb5kdc/kdc.conf

    [kdcdefaults]
        # 88 is the Kerberos 5 port; 750 is the legacy Kerberos 4 port.
        kdc_ports = 750,88

    [realms]
        <REALMNAME.COM> = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = FILE:/var/lib/krb5kdc/kadm5.keytab
            acl_file = /var/lib/krb5kdc/krb5_adm.acl
            # Created by 'kdb5_util create -s'; holds the master key in the clear.
            key_stash_file = /var/lib/krb5kdc/.k5.<REALMNAME.COM>
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
        }

    # End /var/lib/krb5kdc/kdc.conf
    EOF
Initialize the KDC database; kdb5_util prompts for the database master password:

    kdb5_util create -r <REALMNAME.COM> -s

The -s option writes the master key to the stash file named by key_stash_file so that krb5kdc and kadmind can start without a prompt. The stash file and the database are equivalent to every key in the realm: keep them owned by root and unreadable to anyone else, never copy them off the KDC host, and choose a master password that is used nowhere else.
Create the admin service keytab used by kadmind (ktadd randomizes the key of each principal it exports, which is what is wanted for these service principals):

    kadmin.local -q "ktadd -k /var/lib/krb5kdc/kadm5.keytab kadmin/admin" &&
    kadmin.local -q "ktadd -k /var/lib/krb5kdc/kadm5.keytab kadmin/changepw" &&
    chmod 600 /var/lib/krb5kdc/kadm5.keytab
Create the principals for the Kerberos administrator; addprinc prompts for a password for each. The ACL below grants both of them full administrative rights; the usual practice is to give those rights only to the /admin instance, so that the password typed for everyday logins does not also unlock the Kerberos database.

    kadmin.local -q "addprinc krbadm@<REALMNAME.COM>"
    kadmin.local -q "addprinc krbadm/admin@<REALMNAME.COM>"
Create a basic ACL file for kadmind. Entries are checked in order and the first one whose principal pattern matches applies; * in a principal component matches exactly one whole component, and * (or x) in the permission field grants every privilege while i grants inquire only:

    cat > /var/lib/krb5kdc/krb5_adm.acl << "EOF"
    kadmin/admin@<REALMNAME.COM> *
    */admin@<REALMNAME.COM> *
    krbadm@<REALMNAME.COM> *
    */*@<REALMNAME.COM> i
    EOF
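The ACL above decides who may administer the realm once kadmind is running, and its matching rules are easy to get wrong: the first entry whose pattern matches wins, a * matches exactly one whole component (so */*@REALM never matches a single-component user such as alice@REALM), lowercase letters grant and uppercase letters deny, and * or x in the permission field stands for every privilege. The following Python script is an added example, not part of the CLFS page or of MIT krb5; it re-implements those documented rules so an ACL can be checked before kadmind is started. The realm EXAMPLE.COM and the principal names in it are constructed sample input, and the optional target-principal and restriction fields of an entry are parsed but ignored.

```python
"""Evaluate a kadm5.acl file the way kadmind does (added example, not MIT code).

Rules implemented: first matching entry wins; '*' matches one whole principal
component (or the whole realm); lowercase letters grant, uppercase letters deny;
'x' or '*' in the permission field is shorthand for all of "admcilsp".
Target-principal and restriction fields (3rd field onwards) are ignored.
"""

# Privileges that 'x' / '*' expand to; 'e' (extract keys) must be given explicitly.
ALL_PRIVS = frozenset("admcilsp")
VALID_PRIVS = ALL_PRIVS | frozenset("e")

# Constructed sample: the ACL from this page with the realm placeholder filled in.
SAMPLE_ACL = """\
# kadmin/admin needs every privilege; */admin is the conventional admin instance
kadmin/admin@EXAMPLE.COM *
*/admin@EXAMPLE.COM *
krbadm@EXAMPLE.COM *
*/*@EXAMPLE.COM i
"""


def split_principal(name):
    """'host/kdc.example.com@EXAMPLE.COM' -> (['host', 'kdc.example.com'], 'EXAMPLE.COM')."""
    local, at, realm = name.rpartition("@")
    if not at:                     # no '@': the whole string is the local part
        local, realm = name, ""
    return local.split("/"), realm


def parse_permissions(field):
    """Return (grants, denies) sets for a permission string such as 'adM'."""
    grants, denies = set(), set()
    for ch in field:
        if ch in "x*":
            grants |= ALL_PRIVS
        elif ch in VALID_PRIVS:
            grants.add(ch)
        elif ch.lower() in VALID_PRIVS:
            denies.add(ch.lower())
        else:
            raise ValueError("unknown privilege letter %r" % ch)
    return grants, denies


def parse_acl(text):
    """Parse ACL text into a list of (components, realm, grants, denies)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        comps, realm = split_principal(fields[0])
        grants, denies = parse_permissions(fields[1])
        entries.append((comps, realm, grants, denies))
    return entries


def matches(pattern_comps, pattern_realm, principal):
    """True if the ACL pattern matches the principal component by component."""
    comps, realm = split_principal(principal)
    if pattern_realm not in ("*", realm):
        return False
    if len(pattern_comps) != len(comps):   # '*' never spans two components
        return False
    return all(p in ("*", c) for p, c in zip(pattern_comps, comps))


def privileges(entries, principal):
    """Privilege set for a principal; no matching entry means no privileges."""
    for comps, realm, grants, denies in entries:
        if matches(comps, realm, principal):
            return frozenset(grants - denies)
    return frozenset()


def overbroad(entries):
    """Entries whose pattern is all wildcards yet grant a write privilege."""
    return [(comps, realm) for comps, realm, grants, _ in entries
            if all(c == "*" for c in comps) and grants & set("adms")]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who in ("krbadm@EXAMPLE.COM", "bob/admin@EXAMPLE.COM",
                "host/kdc.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
                "krbadm@OTHER.ORG"):
        print("%-36s %s" % (who, "".join(sorted(privileges(acl, who))) or "(none)"))
    print("over-broad entries:", overbroad(acl))
```

Run as a script it prints the privilege set of each sample principal: the two admin instances and krbadm get everything, a two-component service principal gets inquire only, and a plain user such as alice@EXAMPLE.COM or anyone from another realm gets nothing at all. The overbroad check flags an all-wildcard pattern that grants add, delete, modify or set-key rights, which is the mistake to avoid in the last line of the ACL.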
Testing
Start the kdc service with the following command:
/usr/sbin/krb5kdc &
Obtain an initial ticket (a ticket-granting ticket) for one of the principals created above; kinit prompts for that principal's password:

    kinit <principal name>
To list your current tickets:
klist
Bootscript
Install the init script included in the bootscripts package.
make install-kerberos
Configuring Kerberos Clients
Securely copy /etc/krb5.conf from one of the Kerberos servers to each of the clients. The file holds no secrets, but it tells the client which KDC and which realm mappings to trust, so transfer it over an authenticated channel (scp, for example) and keep it writable by root only. You should now be able to get a ticket from the KDC. Now would be a good time to test this:
kinit <principal name>
List your tickets with the following command:
klist
Contents
Installed Programs: compile-et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist, klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d, krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin, rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd, uuclient, uuserver, v5passwd, and v5passwdd

Installed Libraries: libcom_err.{so,a}, libdes425.{so,a}, libgssapi.{so,a}, libgssrpc.{so,a}, libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkdb5.{so,a}, libkrb5.{so,a}, and libkrb4.{so,a}

Installed Directories: /usr/include/kerberosIV and /var/lib/krb5kdc
Short Descriptions
- compile_et: converts the table listing error-code names into a C source file.
- ftp: is a kerberized FTP client.
- ftpd: is a kerberized FTP daemon.
- k5srvutil: is a host keytable manipulation utility.
- kadmin: is a utility used to make modifications to the Kerberos database.
- kadmind: is a server for administrative access to a Kerberos database.
- kdb5_util: is the KDC database utility.
- kdestroy: removes the current set of tickets.
- kinit: is used to authenticate to the Kerberos server as a principal and acquire a ticket-granting ticket that can later be used to obtain tickets for other services.
- klist: reads and displays the current tickets in the credential cache.
- klogind: is the server that responds to rlogin requests.
- kpasswd: is a program for changing Kerberos 5 passwords.
- kprop: takes a principal database in a specified format and converts it into a stream of database records.
- kpropd: receives a database sent by kprop and writes it as a local database.
- krb5-config: gives information on how to link programs against libraries.
- krb5kdc: is a Kerberos 5 server.
- kshd: is the server that responds to rsh requests.
- ksu: is the super user program using the Kerberos protocol. It requires a properly configured /etc/shells and a ~/.k5login containing the principals authorized to become super user.
- ktutil: is a program for managing Kerberos keytabs.
- kvno: prints key version numbers of Kerberos principals.
- login.krb5: is a kerberized login program.
- rcp: is a kerberized rcp client program.
- rlogin: is a kerberized rlogin client program.
- rsh: is a kerberized rsh client program.
- telnet: is a kerberized telnet client program.
- telnetd: is a kerberized telnet server.
- libcom_err.{so,a}: implements the Kerberos library error codes.
- libgssapi.{so,a}: contains the Generic Security Service Application Programming Interface (GSSAPI) functions, which provide security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.
- libkadm5clnt.{so,a}: contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.
- libkadm5srv.{so,a}: contains the administrative authentication and password checking functions required by Kerberos 5 servers.
- libkdb5.{so,a}: is a Kerberos 5 authentication/authorization database access library.
- libkrb5.{so,a}: is an all-purpose Kerberos 5 library.