Lesson 9

Date: 3/30/2011
Kerberos Authentication
Linux for Engineering and IT Applications


Kerberos server configuration


  • Configuration file /etc/krb5.conf defines the realms, the default realm, the KDC servers for each realm, the encryption algorithms, and the log file locations.
    # Client-library defaults; these apply to every Kerberos-aware program on the host.
    [libdefaults]
            # Realm assumed when a principal name is given without one.
            default_realm = ONE.LINUX.CLASS
            # Tickets are requested forwardable/proxiable by default, so a TGT
            # can be handed to another host; widens the impact of a stolen ticket.
            forwardable = true
            proxiable = true
            # Re-enables encryption types the library refuses by default
            # (single DES). Needed only because of the des-cbc-crc lines below.
            allow_weak_crypto = true
            # Single DES (56-bit key) is cryptographically broken and is no
            # longer shipped in modern Kerberos releases; use an AES type such
            # as aes256-cts-hmac-sha1-96 outside of a throwaway lab realm.
            default_tgs_enctypes = des-cbc-crc
            default_tkt_enctypes = des-cbc-crc
            # Host/service keys live here; file must be readable by root only.
            default_keytab_name = FILE:/etc/krb5.keytab
    
    # One block per realm: which hosts act as KDC and admin server.
    [realms]
    ONE.LINUX.CLASS = {
            kdc = node06.linux.class
            admin_server = node06.linux.class
            # Password-change protocol spoken to the kpasswd service.
            kpasswd_protocol = SET_CHANGE
            # Domain appended to unqualified host names when building service principals.
            default_domain = linux.class
    }
    
    # Maps DNS names to realms; the leading dot matches any host under the domain.
    [domain_realm]
            .linux.class = ONE.LINUX.CLASS
            linux.class = ONE.LINUX.CLASS
    
    # Per-component log destinations; the KDC and kadmin logs are the
    # audit trail for ticket issuance and administrative changes.
    [logging]
            kdc = FILE:/var/log/krb5kdc.log
            admin_server = FILE:/var/log/kadmin.log
            default = FILE:/var/log/krb5lib.log
    
    

  • Configuration file /etc/krb5kdc/kdc.conf defines the realms served by the KDC and the location of the principal database.
    # KDC-wide defaults; realm blocks below may override them.
    [kdcdefaults]
            # UDP/TCP port the KDC listens on (standard Kerberos port).
            kdc_ports = 88
    
    [realms]
    ONE.LINUX.CLASS = {
                    # Principal database and the files that protect it; all of
                    # these should be owned by root and not world-readable.
                    database_name = /var/lib/krb5kdc/principal
                    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                    # Decides who may create/modify principals via kadmin; review
                    # it before exposing kadmind on the network.
                    acl_file = /etc/krb5kdc/kadm5.acl
                    # Master key written in the clear by 'kdb5_util create -s';
                    # whoever reads this file can decrypt the whole database.
                    key_stash_file = /etc/krb5kdc/stash
                    kdc_ports = 88
                    # kadmin administrative service port.
                    kadmin_port = 749
                    # Upper bounds on ticket lifetime and renewal window.
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    # The database master key and every principal key are single
                    # DES here; a compromised ticket or stash is brute-forceable.
                    # Prefer an AES type (e.g. aes256-cts-hmac-sha1-96:normal).
                    master_key_type = des-cbc-crc
                    supported_enctypes = des-cbc-crc:normal 
                    # Require pre-authentication so an AS-REQ alone does not
                    # yield material for offline password guessing.
                    default_principal_flags = +preauth
            }
    


  • Modify the entropy source, needed for creating the Kerberos database:
    # rngd feeds the kernel's blocking pool so kdb5_util does not stall
    # waiting on /dev/random.
    apt-get install rng-tools
    # NOTE(review): -r /dev/urandom recycles the non-blocking pool into
    # /dev/random; it only raises the kernel's entropy estimate and adds no
    # real randomness to the master key. Fine for a classroom KDC, but a
    # production KDC should use a hardware or virtio RNG source instead.
    rngd -r /dev/urandom -o /dev/random -b -t 1
    
  • Initialize the Kerberos database
    # Creates the realm database; -s also stashes the master key on disk
    # (the key_stash_file from kdc.conf) so the KDC can start unattended.
    # Treat that file as equivalent to the master password.
    kdb5_util create -s
    


