===== preparations =====
* Linux setup: using Fedora 10 beta i386, since it provides all the needed software as packages. I already did all of this once compiling the software myself; this time I will use the packaged versions.
* make sure the host name is resolvable via /etc/hosts: %%echo '10.0.22.19 fed10 fed10.fluxcoil.net' >>/etc/hosts%%
* set up in a VMware 2.0 virtual machine
* update to the latest package versions
===== kerberos clientconfig =====
vi /etc/krb5.conf
------------------
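# /etc/krb5.conf - client-side Kerberos configuration (MIT krb5 profile format).
# Comments must start a line with # or ; - text after a value is read as part of the value.

[logging]
# where the client libraries, the KDC and kadmind write their logs
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FLUXCOIL.NET
# default_etypes is a Heimdal setting; MIT ignores it and uses the two *_enctypes keys below
default_etypes = des3-hmac-sha1
# NOTE: des3-hmac-sha1 (like the rc4-hmac and des-cbc-* types listed on this page) is
# deprecated in current MIT Kerberos releases; aes256-cts-hmac-sha1-96 is the type to use today
default_tkt_enctypes = des3-hmac-sha1
default_tgs_enctypes = des3-hmac-sha1
# realm and KDC are given explicitly in [realms] / [domain_realm], so DNS is not consulted
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# permitted_enctypes = des3-hmac-sha1 rc4-hmac des-cbc-crc

[realms]
FLUXCOIL.NET = {
# kadmin on 749, KDC on 88 - both on the host set up on this page
admin_server = fed10.fluxcoil.net:749
default_domain = fluxcoil.net
kdc = fed10.fluxcoil.net:88
}

[domain_realm]
.fluxcoil.net = FLUXCOIL.NET
fluxcoil.net = FLUXCOIL.NET

[appdefaults]
pam = {
# yes, we want mutual authentication: validate makes pam_krb5 check the obtained TGT against
# the host key in /etc/krb5.keytab, so a spoofed KDC cannot grant a login.
# This comment used to sit on the value line, which made the value "true # yes, ..." and
# most likely left validate at its default instead of on.
validate = true
debug = false
# seconds
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
kinit = {
forwardable = true
}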
===== kerberos kdc setup =====
# bring the system up to date, then install the packaged KDC (krb5kdc) and kadmin daemons
yum update
yum install krb5-server
# NOTE(review): this is the self-compiled 1.6.1 prefix; with the packaged krb5-server the
# KDC files live under /var/kerberos/krb5kdc/, which is also where the ACL below is written
vi /opt/soft_krb5-1.6.1/var/krb5kdc/kdc.conf
------------------
# kdc.conf - KDC and kadmind configuration (MIT krb5 profile format).
# NOTE(review): every path below points at the self-compiled 1.6.1 prefix under /opt, while
# the rest of this page uses the packaged krb5-server and writes the ACL to
# /var/kerberos/krb5kdc/kadm5.acl. acl_file and that echo target must agree, otherwise
# kadmind never loads the */admin rule.
[kdcdefaults]
# 88 is the standard Kerberos port; 750 is the legacy Kerberos v4 port
kdc_ports = 750,88
[realms]
FLUXCOIL.NET = {
database_name = /opt/soft_krb5-1.6.1/var/krb5kdc/principal
admin_keytab = FILE:/opt/soft_krb5-1.6.1/var/krb5kdc/kadm5.keytab
acl_file = /opt/soft_krb5-1.6.1/var/krb5kdc/kadm5.acl
# master-key stash written by "kdb5_util create -s" below; it unlocks the whole database,
# so protect it like the database file itself
key_stash_file = /opt/soft_krb5-1.6.1/var/krb5kdc/.k5.FLUXCOIL.NET
master_key_type = des3-hmac-sha1
kdc_ports = 750,88
# upper bounds for ticket lifetime and renewable lifetime issued by this KDC
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# no longer needed: default_policy_flags += preauth
# NOTE: des3-hmac-sha1 and rc4-hmac are deprecated in current MIT Kerberos releases;
# aes256-cts-hmac-sha1-96 is the type to use for a new realm
supported_enctypes = des3-hmac-sha1:normal rc4-hmac:normal
# used this for crossrealm-setup with windows:
# supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
}
# enctype lists used on other platforms, kept for reference:
# rhel4: supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal
# des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
# sol10: supported_enctypes = des3-hmac-sha1:normal rc4-hmac:normal aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
# (aes256-cts-hmac-sha1 through SUNWcry package)
# windows xp sp2 supports: rc4-hmac:normal des-cbc-crc:normal
# others: des-cbc-md5:normal des-cbc-crc:normal des3-cbc-sha1:normal arcfour-hmac:normal aes256-cts:normal
------------------
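# initialize kerberos-db (-s also writes the master-key stash named by key_stash_file in kdc.conf)
kdb5_util create -r FLUXCOIL.NET -s
# set proper permissions for admins: every */admin principal gets all kadmin privileges.
# This path has to be the one named by acl_file in kdc.conf, or kadmind never loads the rule.
echo '*/admin@FLUXCOIL.NET *' >/var/kerberos/krb5kdc/kadm5.acl
# add a principal for your user
kadmin.local
> addprinc chorn/admin@FLUXCOIL.NET
> exit
# start services
service krb5kdc start; chkconfig krb5kdc on
service kadmin start; chkconfig kadmin on
# watch logs
tail -f /var/log/k* &
# create hosts principal and store its key in /etc/krb5.keytab (what pam's validate = true checks
# the TGT against). The ktadd principal must match the one just added - it read
# host/fed.fluxcoil.net before, which does not exist.
kadmin.local
> addprinc -randkey host/fed10.fluxcoil.net
> ktadd -k /etc/krb5.keytab host/fed10.fluxcoil.net
> addprinc user0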