...

The file contains sections for logging configuration, library defaults, realms, and DNS-domain-to-realm mappings used to locate the Key Distribution Center (KDC). Below is an example krb5.conf configuration file from my Linux workstation setup for the EXAMPLE.COM realm:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 ticket_lifetime = 24h
 forwardable = yes

 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  admin_server = localhost:749
  default_domain = karasulu.homeip.net
 }

[domain_realm]
 .karasulu.homeip.net = EXAMPLE.COM
 karasulu.homeip.net = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   forwardable = true
   krb4_convert = false
 }

...

Note: Do not configure ticket_lifetime and renew_lifetime

We have presently found some issues with PAM authentication when the ticket and renew lifetimes are set. If you get the following error, try removing these properties from the pam section of your krb5.conf file: Authentication failure (KDC reply did not match expectations).

In the [realms] section you again substitute your realm name for EXAMPLE.COM.  Remember that case makes a difference: realm names must be all uppercase.  In this section you configure the server and port for the KDC.  Triplesec is the KDC, and its Kerberos service listens on port 88 by default.  The next parameter, *admin_server*, is for the changepw protocol service, which also runs on Triplesec.  The default port for this protocol is 749, and Triplesec runs the service on that port by default.  The last parameter in this section is *default_domain*.  This is the DNS domain name used to locate the *kdc* and the *admin_server* when the unqualified host names given for them cannot be resolved on their own.

The last section we are concerned with is the [domain_realm] section.  Here we map the DNS domain name to the Kerberos realm name.  Note that the first line has a '.' in front of the domain name.  When you substitute the search domain used by the kdc and the admin_server, keep both entries: the dotted one and the bare one.

...