Versions Compared

Old Version 2

changes.mady.by.user Michael E. Rodriguez

Saved on

compared with

New Version 3

changes.mady.by.user Michael E. Rodriguez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

All Kerberos clients including the Java Krb5LoginModule require OS configuration. The SafehausLoginModule which depends on the Krb5LoginModule also requires OS configuration. Luckily this is pretty easy to do but is platform specific. This HOWTO covers OS configurations of the Kerberos client subystem of various operating systems.

...

The file contains a section for logging configuration, default settings, realms and DNS to domain mappings to easily locate the Kerberos Distribution Center (KDC). Below is an example krb5.conf configuration file from my a Linux workstation setup for the EXAMPLE.COM realm:

No Format
[DIRxTRIPLESEC:logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[DIRxTRIPLESEC:libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 ticket_lifetime = 24h
 forwardable = yes 

 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5 

[DIRxTRIPLESEC:realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  adminkpasswd_server = localhost:749464
  default_domain = karasuluexample.homeip.netcom
 }

[DIRxTRIPLESEC:domain_realm]
 .karasuluexample.homeip.netcom = EXAMPLE.COM
 karasuluexample.homeip.netcom = EXAMPLE.COM

[DIRxTRIPLESEC:kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[DIRxTRIPLESEC:appdefaults]
 pam = {
   debug = false
   forwardable = true
   krb4_convert = false
 }

The logging section should be left as is. In the defaults section the most important parameters parameter to configure is the default_realm. In the place of EXAMPLE.COM substitute in the capitalized Kerberos realm name which you setup for Triplesec in the configuration wizard.

Note
title"Do not configure ticket_lifetime and renew_lifetime"

Presently found some issues with pam authentication when setting ticket and renew lifetimes. If you
get the following error then you might try removing these properties from your pam section in the krb5.conf file: Authentication failure (KDC reply did not match expectations).

Wiki Markup
In the \[DIRxTRIPLESEC:realms\] section you want to again substitute your realm name for EXAMPLE.COM.  Remember case makes a difference and realm names need to be in all uppercase.  In this section you configure the server and port for the KDC.  TriplesecApache Directory is the KDC and it'sits Kerberos port by default runs on port 88.  The next parameter is, *adminkpasswd_server*, this is for the changepw protocol service which also runs on Apache TriplesecDirectory.  The default port is 749464 for this protocol and Apache TriplsecDirectory runs the service by default on this port.  The last parameter in this section is the *default_domain*.  This is the DNS domain name to use to locate the *kdc* and the *adminkpasswd_server* if they cannot be resolved by the non-qualified host name specified.

Wiki Markup
The last section that we're concerned with is the \[DIRxTRIPLESEC:domain_realm\] section.  Here we map the DNS domain name to the Kerberos realm name.  Note that the first line has a '.' in front of the domain name.  You must also add a dot and substitute the search domain for the kdc and the adminkpasswd_server.

Windows krb5.ini Configuration

...