All Kerberos clients, including the Java Krb5LoginModule, require OS configuration. The SafehausLoginModule, which depends on the Krb5LoginModule, also requires OS configuration. Luckily this is pretty easy to do but is platform specific. This HOWTO covers OS configuration of the Kerberos client subsystem on various operating systems.
...
The file contains a section for logging configuration, default settings, realms, and DNS domain to realm mappings used to locate the Key Distribution Center (KDC). Below is an example krb5.conf configuration file from a Linux workstation set up for the EXAMPLE.COM realm:
```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  forwardable = true
  krb4_convert = false
 }
```
The logging section should be left as is. In the [libdefaults] section the most important parameter to configure is default_realm. In place of EXAMPLE.COM substitute the capitalized Kerberos realm name which you set up for Triplesec in the configuration wizard.
Note: Presently found some issues with pam authentication when setting ticket and renew lifetimes. If you
In the [realms] section you again substitute your realm name for EXAMPLE.COM. Remember that case makes a difference and realm names need to be in all uppercase. In this section you configure the server and port for the KDC. Apache Directory is the KDC and its Kerberos port by default is 88. The next parameter, *kpasswd_server*, is for the changepw protocol service, which also runs on Apache Directory. The default port for this protocol is 464 and Apache Directory runs the service on this port by default. The last parameter in this section is *default_domain*. This is the DNS domain name used to locate the *kdc* and the *kpasswd_server* if they cannot be resolved by the unqualified host name specified.
The last section that we're concerned with is the [domain_realm] section. Here we map the DNS domain name to the Kerberos realm name. Note that the first line has a '.' in front of the domain name, which maps every host under that domain; the second line, without the dot, maps the bare domain name itself. Substitute your own search domain (the same one used for the kdc and the kpasswd_server) in both lines, keeping the leading dot on the first.
Windows krb5.ini Configuration
...