
software:kerberos:crossrealm:1_setup_kdc

preparations

  • Setup of Linux: using Fedora 10 beta i386, since it provides all needed software as packages. I have already done all of this once while compiling the software myself; this time I will use the packages off the shelf.
  • make sure the host name is resolvable via /etc/hosts: echo '10.0.22.19 fed10 fed10.fluxcoil.net' >>/etc/hosts
  • set up in a VMware 2.0 virtual machine
  • update to the latest package versions

kerberos client config

vi /etc/krb5.conf
------------------
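# /etc/krb5.conf — client-side Kerberos configuration for the FLUXCOIL.NET realm.
# Comments are recognised only at the start of a line (after optional whitespace);
# anything after a value is part of the value, so never comment on a value line.
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = FLUXCOIL.NET
        # NOTE(review): default_etypes is not a libdefaults key I can find in the
        # MIT krb5.conf documentation; the two keys below are the effective ones.
        # Confirm against the installed krb5 version and drop it if unknown.
        default_etypes = des3-hmac-sha1
        # NOTE(review): des3-hmac-sha1 is weak and deprecated in current MIT krb5;
        # prefer aes256-cts-hmac-sha1-96 once the KDC's supported_enctypes lists it.
        default_tkt_enctypes = des3-hmac-sha1
        default_tgs_enctypes = des3-hmac-sha1
        # realm and KDC addresses come from this file, not from DNS records
        dns_lookup_realm = false
        dns_lookup_kdc = false
        # requested lifetime only; the KDC caps it at its own max_life
        ticket_lifetime = 24h
        forwardable = yes
#        permitted_enctypes = des3-hmac-sha1 rc4-hmac des-cbc-crc

[realms]
        FLUXCOIL.NET = {
                admin_server = fed10.fluxcoil.net:749
                default_domain = fluxcoil.net
                kdc = fed10.fluxcoil.net:88
        }

# maps host names to the realm; both the domain suffix and the bare domain
[domain_realm]
        .fluxcoil.net = FLUXCOIL.NET
        fluxcoil.net = FLUXCOIL.NET

[appdefaults]
        pam = {
                # mutual authentication: the obtained TGT is verified against the
                # host key in /etc/krb5.keytab, so a spoofed KDC cannot log a user in.
                # The host/ principal of this machine must therefore be in the keytab.
                # (Was an inline comment before, which would have become part of the value.)
                validate = true
                debug = false
                # seconds
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }
        kinit = {
                forwardable = true
        }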

kerberos kdc setup

# refresh the system, then install the KDC and kadmind daemons (package krb5-server)
yum update
yum install krb5-server

vi /opt/soft_krb5-1.6.1/var/krb5kdc/kdc.conf
------------------
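# kdc.conf for the FLUXCOIL.NET KDC — read by krb5kdc and kadmind.
# Paths point at /var/kerberos/krb5kdc, the directory used by the packaged
# krb5-server installed above and where kadm5.acl is written later on this page.
# The earlier /opt/soft_krb5-1.6.1 paths belong to the self-compiled build and
# would make kadmind enforce a different acl_file than the one being edited.
# If you still run the /opt build, keep its paths and write kadm5.acl there.
[kdcdefaults]
        kdc_ports = 750,88

[realms]
        FLUXCOIL.NET = {
                database_name = /var/kerberos/krb5kdc/principal
                admin_keytab = FILE:/var/kerberos/krb5kdc/kadm5.keytab
                # who may do what through kadmin; keep this file writable by root only
                acl_file = /var/kerberos/krb5kdc/kadm5.acl
                # written by "kdb5_util create -s"; it holds the database master key
                # in the clear, so it must stay readable by root only
                key_stash_file = /var/kerberos/krb5kdc/.k5.FLUXCOIL.NET
                # NOTE(review): des3-hmac-sha1 and rc4-hmac are weak and deprecated in
                # current MIT krb5; prefer aes256-cts-hmac-sha1-96 for the master key and
                # in supported_enctypes once every client on this page supports it.
                master_key_type = des3-hmac-sha1
                kdc_ports = 750,88
                # upper bound for any ticket; krb5.conf above asks for 24h, which
                # this setting caps at 10h
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                # no longer needed: default_policy_flags += preauth
                supported_enctypes = des3-hmac-sha1:normal rc4-hmac:normal
                # used this for crossrealm-setup with windows:
                # supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
        }

# enctype lists seen on other platforms (reference only, not active settings):
# rhel4: supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal
#    des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
# sol10: supported_enctypes = des3-hmac-sha1:normal rc4-hmac:normal aes128-cts-hmac-sha1-96 des-cbc-crc des-cbc-md5
#    (aes256-cts-hmac-sha1 through SUNWcry package)
# windows xp sp2 supports: rc4-hmac:normal des-cbc-crc:normal
# others: des-cbc-md5:normal des-cbc-crc:normal des3-cbc-sha1:normal arcfour-hmac:normal aes256-cts:normal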
------------------

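# initialize kerberos-db; -s also writes the master key to key_stash_file
# from kdc.conf, so the daemons can start without a passphrase prompt
kdb5_util create -r FLUXCOIL.NET -s

# set proper permissions for admins: every */admin principal of the realm gets
# all privileges ("*"). The path must be the acl_file named in kdc.conf,
# otherwise kadmind enforces a different file than the one written here.
echo '*/admin@FLUXCOIL.NET  *' >/var/kerberos/krb5kdc/kadm5.acl

# add a principal for your user
kadmin.local
> addprinc chorn/admin@FLUXCOIL.NET
> exit

# start services
service krb5kdc start; chkconfig krb5kdc on
service kadmin start; chkconfig kadmin on

# watch logs (the files named in the [logging] section of krb5.conf)
tail -f /var/log/k* &

# create hosts principal and store its key in the system keytab; pam's
# "validate = true" in krb5.conf needs this host key for mutual authentication.
# The ktadd principal must be the one just created (fed10, as in /etc/hosts and
# the [realms] section); the earlier "host/fed.fluxcoil.net" did not exist,
# so ktadd failed and /etc/krb5.keytab stayed empty.
kadmin.local
> addprinc -randkey host/fed10.fluxcoil.net
> ktadd -k /etc/krb5.keytab host/fed10.fluxcoil.net
> addprinc user0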