[summary] Kerberos installation in Centos

2025-04-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. Install the software package

Install the necessary build tools: bison, make and binutils.

Download the archive to /usr/local and extract it there.

[root@localhost local]# ls krb5-1.14.tar.gz

krb5-1.14.tar.gz

2. Compiling Kerberos

Switch to the krb5-1.14/src directory of the extracted tree and run the configure script, setting the install prefix:

[root@localhost src]# ./configure --prefix=/usr/local/krb5-1.14

Execute the make command

[root@localhost src]# make

Execute make install

[root@localhost src]# make install

3. IP and domain name configuration in /etc/hosts (the kdc and admin_server entries in krb5.conf below refer to the host name kerberos, so it must resolve here)

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

127.0.0.1 kerberos.example.com kerberos ldap.example.com

4. Configure KDC

a. Configure krb5.conf

Document description: (omitted)

Parameter Description: (omitted)

[root@localhost src]# vi /etc/krb5.conf

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = kerberos
        admin_server = kerberos
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[kdc]
    profile = /usr/local/krb5-1.14/var/krb5kdc/kdc.conf

b. Create kdc.conf at the location named by the profile entry of the [kdc] section in krb5.conf.

[root@localhost krb5kdc]# pwd

/usr/local/krb5-1.14/var/krb5kdc

[root@localhost krb5kdc]# vi kdc.conf

Document description: (omitted)

Parameter Description: (omitted)

[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        profile = /etc/krb5.conf
        database_name = /usr/local/krb5-1.14/var/krb5kdc/principal
        admin_database_name = /usr/local/krb5-1.14/var/krb5kdc/kadm5_adb
        admin_database_lockfile = /usr/local/krb5-1.14/var/krb5kdc/kadm5_adb.lock
        admin_keytab = FILE:/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/krb5-1.14/var/krb5kdc/kadm5.acl
        key_stash_file = /usr/local/krb5-1.14/var/krb5kdc/.k5stash
        kdc_ports = 88
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des-cbc-crc
        supported_enctypes = des-cbc-crc:normal des:v4
    }

Create the local KDC database for the realm (the -s flag writes the stash file named by key_stash_file, so the KDC can start without prompting for the master key):

[root@localhost sbin]# ./kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/usr/local/krb5-1.14/var/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Open kadmin.local to list the principals Kerberos created by default:

[root@localhost sbin]# ./kadmin.local
Authenticating as principal admin/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: q

Start the KDC service:

[root@localhost sbin]# ./krb5kdc

5. kadmin configuration

5.1 Functions provided by the local kadmin.local administration program

a. Policy management

Add, delete, modify, query and list policies:

add_policy, addpol Add policy
modify_policy, modpol Modify policy
delete_policy, delpol Delete policy
get_policy, getpol Get policy
list_policies, listpols, get_policies, getpols List policies

b. Principal (account) management

Add, delete, modify, query and list principals:

add_principal, addprinc, ank Add principal
delete_principal, delprinc Delete principal
modify_principal, modprinc Modify principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs List principals
get_privs, getprivs Get privileges

c. Keytab (kt) management

Add and remove keytab entries:

ktadd, xst Add entry(s) to a keytab
ktremove, ktrem Remove entry(s) from a keytab

d. Lock management

lock Lock database exclusively (use with extreme caution!)
unlock Release exclusive database lock

e. Program commands

Help and exit:

list_requests, lr, ? List available requests.
quit, exit, q Exit program.

5.2 Configure using the kadmin.local admin program

a. Add administrator account

[root@localhost sbin]# ./kadmin.local
kadmin.local: addprinc admin/admin
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": admin
Re-enter password for principal "admin/admin@EXAMPLE.COM": admin
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/localhost@EXAMPLE.COM
kiprop/localhost@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local:

b. Test administrator account

[root@localhost bin]# ./kinit admin/admin
Password for admin/admin@EXAMPLE.COM: admin
[root@localhost bin]# ./klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@EXAMPLE.COM

Valid starting          Expires                 Service principal
2016-01-12T14:34:33     2016-01-13T00:34:33     krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 2016-01-19T14:34:33

c. Assign permissions to admin/admin

Note: acl_file = /krb5-1.14/var/krb5kdc/kadm5.acl is configured in kdc.conf according to the online and official instructions.

It is not known in which step this file is generated.

In my operation above the kadm5.acl file was not generated, so I created it manually and added the permissions.

The administrative account is now assigned permissions, which are determined by entries in the file /usr/local/var/krb5kdc/kadm5.acl (the file named by acl_file in kdc.conf).

Grant the admin/admin account the "manage all clients" privilege by adding the following line, using the * wildcard for the permission field:

admin/admin@EXAMPLE.COM *
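As an added check that is not part of the original howto: a small Python audit that parses the kdc.conf realm stanza from step 4.b and the kadm5.acl line above, flagging the single-DES enctypes the page configures (MIT krb5 1.8 and later refuse them unless allow_weak_crypto is enabled, and 1.18 removed them entirely) and any principal granted every privilege with no target restriction. The sample inputs are constructed inline from the values used on this page.

```python
import re
# Constructed samples, copied from the values this howto writes into kdc.conf and kadm5.acl.
KDC_CONF = """[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des:v4
  max_life = 10h 0m 0s
 }
"""
KADM5_ACL = "admin/admin@EXAMPLE.COM *\n"
# Single-DES enctypes (and the 'des' alias): disabled unless allow_weak_crypto, gone in krb5 1.18.
WEAK = re.compile(r"^(des|des-cbc-[a-z0-9]+|des-hmac-sha1)$", re.I)

def parse_profile(text):
    """Parse krb5's INI-with-braces profile format into nested dicts."""
    profile, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = re.match(r"^\[(\S+)\]$", line)
        if sec:
            stack = [profile.setdefault(sec.group(1), {})]
        elif not stack:
            continue                       # relation outside any [section]: ignore
        elif line.endswith("{"):           # open a nested stanza, e.g. EXAMPLE.COM = {
            stack.append(stack[-1].setdefault(line[:-1].split("=")[0].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return profile

def weak_enctypes(profile):
    """Return (realm, key, enctype) for every single-DES enctype in a realm stanza."""
    found = []
    for realm, conf in profile.get("realms", {}).items():
        for key in ("master_key_type", "supported_enctypes"):
            for item in conf.get(key, "").split():
                enctype = item.split(":")[0]   # drop the :salttype suffix
                if WEAK.match(enctype):
                    found.append((realm, key, enctype))
    return found

def broad_acl_entries(acl_text):
    """Principals granted every privilege ('*' or 'x') with no target restriction.
    kadm5.acl lines read: principal permissions [target_principal [restrictions]]"""
    rows = [line.split() for line in acl_text.splitlines()]
    return [f[0] for f in rows if len(f) == 2 and not f[0].startswith("#") and f[1] in ("*", "x")]
```

Run against real files by passing their contents to parse_profile and broad_acl_entries; an empty result from both is what you want before exposing kadmind on port 749.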

5.3 Remote kadmin administrator configuration

a. Create a keytab file containing the kadmin service key:

kadmin.local: ktadd -k /usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab kadmin/changepw

Entry for principal kadmin/changepw with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/usr/local/krb5-1.14/var/krb5kdc/kadm5.keytab.

b. Start kadmind service

[root@localhost sbin]# pwd
/usr/local/krb5-1.14/sbin
[root@localhost sbin]# ./kadmind
[root@localhost sbin]# ps -ef | grep kadmind
root 17176 1 0 15:24 ? 00:00:00 ./kadmind
