Setting up a Simple MIT KDC Server - CentOS and RHEL Environments
Here are the precise steps for configuring an MIT Kerberos KDC on CentOS. The same steps apply to RHEL servers.
Prerequisites
1. Make sure each server has a proper FQDN (Fully Qualified Domain Name), for example myhost.mydomain.com.
2. Verify this with the hostname -f and hostname commands.
3. Also make sure DNS resolution works for the hosts (if DNS is present).
4. If DNS is not configured on those nodes, make sure /etc/hosts maps the correct hostnames.
5. Make sure you have access to either a local yum repository or an Internet repository.
Installation
1. Install packages
yum install krb5-libs krb5-server krb5-workstation
Here krb5-server is the actual Kerberos server and krb5-workstation is the client package, which must also be installed on the client nodes (for example NodeManagers, DataNodes, etc.).
2. Configure the KDC server
Edit /etc/krb5.conf as follows:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SATZ.COM
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
SATZ.COM = {
kdc = kerb.satz.com
admin_server = kerb.satz.com
}
[domain_realm]
.satz.com = SATZ.COM
satz.com = SATZ.COM
In the configuration snippet above, make sure the host names and REALM names are correct in these places: default_realm, kdc = (your server's FQDN), admin_server = (your server's FQDN), and the [domain_realm] block (the last block).
3. Edit /var/kerberos/krb5kdc/kdc.conf as follows:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SATZ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
In the snippet above, make sure the realm name under the [realms] block is correct. The des-* and arcfour-hmac entries in supported_enctypes are legacy cipher types; MIT Kerberos rejects single-DES unless allow_weak_crypto is enabled, so drop them unless an old client still needs them.
4. Edit /var/kerberos/krb5kdc/kadm5.acl and grant admin access, for example:
*/admin@SATZ.COM *
This gives every principal with an /admin instance full administrative rights. Replace SATZ.COM with your realm name.
5. Create the KDC database:
/usr/sbin/kdb5_util create -s
This prompts for the KDC master password and creates the database; the -s flag also writes a stash file so the KDC can start without the password being entered.
6. Start the KDC and the admin server
service krb5kdc start
service kadmin start
On systemd-based releases (CentOS/RHEL 7 and later), systemctl start krb5kdc kadmin does the same.
7. Add the root/admin principal to manage the KDC (this is mandatory) and make sure you remember its password:
/usr/sbin/kadmin.local -q "addprinc root/admin"
8. You should now be able to log in to your KDC to manage it with either of these commands:
kadmin.local (or) kadmin
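Steps 2 to 4 ask you to verify by eye that the realm, KDC host and domain_realm mapping agree and that the realm block exists. The following script is an added example, not part of the original post, that automates those checks and flags legacy enctypes in kdc.conf; it assumes only POSIX sh, awk and the standard text tools, and runs against constructed copies of the sample configuration rather than the live files.

```sh
# Consistency check for the krb5.conf and kdc.conf wiring from steps 2-4:
# default_realm must be upper-case and have its own [realms] block, kdc and
# admin_server must be FQDNs, every [domain_realm] entry must map to that
# realm, and supported_enctypes should carry no legacy (DES, RC4) types.
# Value of "key = value" within one [section]; realm braces do not open a
# new section, so the [logging] "kdc =" line is not mistaken for the KDC host.
conf_value() {  # $1=file $2=section name (without brackets) $3=key
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { sec = $1 }
        sec == s && $1 == k && $2 == "=" { print $3; exit }' "$1"
}
# Prints a summary and returns 0 when $1 is self-consistent, otherwise
# prints the first problem found and returns 1.
check_krb5_conf() {
    f="$1"; realm=$(conf_value "$f" libdefaults default_realm)
    [ -n "$realm" ] || { echo "missing default_realm"; return 1; }
    case "$realm" in *[[:lower:]]*) echo "realm $realm is not upper-case"; return 1;; esac
    awk -v r="$realm" '$1 == r && $2 == "=" && $3 == "{" { ok = 1 } END { exit !ok }' "$f" \
        || { echo "no [realms] block for $realm"; return 1; }
    for key in kdc admin_server; do
        host=$(conf_value "$f" realms "$key")
        case "$host" in *.*) ;; *) echo "$key=$host is not an FQDN"; return 1;; esac
    done
    bad=$(awk -v r="$realm" '/^\[domain_realm\]/ { s = 1; next } /^\[/ { s = 0 }
                             s && $2 == "=" && $3 != r { print $1 }' "$f")
    [ -z "$bad" ] || { echo "domain_realm maps $bad outside $realm"; return 1; }
    echo "ok: $realm served by $(conf_value "$f" realms kdc)"
}
# Legacy enctypes (single DES, RC4) named in a kdc.conf supported_enctypes line.
weak_enctypes() {
    tr ' ' '\n' < "$1" | grep -E '^(des-|arcfour-)' | cut -d: -f1 | sort -u | xargs echo
}
# Constructed sample files mirroring the values used above (not from a live host).
GOOD_CONF=$(mktemp); cat > "$GOOD_CONF" <<'EOF'
[logging]
kdc = FILE:/var/log/krb5kdc.log
[libdefaults]
default_realm = SATZ.COM
[realms]
SATZ.COM = {
kdc = kerb.satz.com
admin_server = kerb.satz.com
}
[domain_realm]
.satz.com = SATZ.COM
satz.com = SATZ.COM
EOF
BAD_CONF=$(mktemp); sed 's/^admin_server = .*/admin_server = kerb/' "$GOOD_CONF" > "$BAD_CONF"
KDC_CONF=$(mktemp); echo 'supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal des-cbc-crc:normal' > "$KDC_CONF"
```

Run check_krb5_conf against /etc/krb5.conf and weak_enctypes against /var/kerberos/krb5kdc/kdc.conf on the KDC host; a non-zero exit or a non-empty enctype list tells you which step to revisit.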