...
On most UNIX platforms Kerberos clients look for the krb5.conf file in the /etc directory of the host. This file contains configuration settings for both servers and clients; here we're only concerned with the client configuration.
Minimum config file
...
At a minimum, you must configure your host so that it knows where to get Kerberos tickets. The minimum config file must list the default Kerberos realm and the location of at least one key distribution center (KDC).
Note that these configuration examples assume hostnames such as kdc.example.com will resolve on your network. If kdc.example.com is not found, you may see the error "Error getting credentials: Cannot resolve network address for KDC in requested realm". Assuming you are running Kerberos on IP address 10.0.0.2, you can correct this with the following /etc/hosts entry.
10.0.0.2 kdc.example.com
In the [libdefaults] section the most important parameter to configure is the default_realm.
In the [realms] section you want to configure the EXAMPLE.COM realm. Remember that case makes a difference and realm names need to be in all uppercase. In this section you can configure the server and port for the KDC. Apache Directory is the KDC, and Kerberos by default runs on port 88.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# Single-DES enctypes as used by this example; current MIT krb5 libraries
# refuse them unless allow_weak_crypto = true is also set in [libdefaults].
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
preferred_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5
[realms]
EXAMPLE.COM = {
kdc = localhost:88
kpasswd_server = localhost:464
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
forwardable = true
krb4_convert = false
}
The [logging] section should be left as is. In the [libdefaults] section the most important parameter to configure is the default_realm.
Note: some issues have been seen with PAM authentication when ticket and renew lifetimes are set. If you get the error "Authentication failure (KDC reply did not match expectations)", try removing these properties from the pam section of the krb5.conf file.
In the [domain_realm] section we map the DNS domain name to the Kerberos realm name. Note that the first line has a '.' in front of the domain name, so it covers every host under that domain, while the second line matches the bare domain name itself.
Below is a minimal example krb5.conf configuration file for a Linux workstation in the EXAMPLE.COM realm:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Slightly more advanced configuration
The [realms] section here demonstrates a few configuration options for EXAMPLE.COM. Remember that case makes a difference and realm names need to be in all uppercase. First, you can adjust the service ports to connect to: the *kdc* parameter gives the server and port of the KDC. Apache Directory is the KDC and its Kerberos port by default is 88. The next parameter, *kpasswd_server*, is for the Change Password (changepw) protocol service, which also runs on Apache Directory. The default port for Change Password is 464, and Apache Directory runs the service on this port by default. The last parameter in this section is *default_domain*. This is the DNS domain name used to locate the *kdc* and the *kpasswd_server* if the non-qualified host names specified cannot be resolved on their own.
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com:88
kpasswd_server = kdc.example.com:464
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Most advanced Linux configuration
You shouldn't have to get more advanced than this. While you can configure many ticket parameters, such as the various lifetimes and encryption types, you shouldn't ever have to; you are better off setting realm-wide configuration on the KDC.
This example demonstrates how to configure resolution of KDCs in two realms. You would use a client configuration like this when you have configured cross-realm authentication, also known as a "trust relationship."
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
kpasswd_server = kdc.example.com
}
EU.EXAMPLE.COM = {
kdc = kdc.eu.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
.eu.example.com = EU.EXAMPLE.COM
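As an added example (not from the original page), the following Python sketch mimics how a client library uses the two sections shown above: [domain_realm] maps a service hostname to its realm, with the longest matching entry winning and a leading '.' covering any host under that domain, and [realms] yields the KDC host and port, defaulting to 88 for the KDC (or 464 for kpasswd_server) when the entry gives none. The krb5.conf embedded in it is constructed from the page's cross-realm example with an explicit port added for EU.EXAMPLE.COM.

```python
# Constructed sample krb5.conf: the page's cross-realm layout plus explicit ports.
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
kpasswd_server = kdc.example.com:464
}
EU.EXAMPLE.COM = {
kdc = kdc.eu.example.com:1088
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.eu.example.com = EU.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'NAME = { ... }' realm
    blocks become nested dicts. '#' comments and blank lines are skipped."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            sub = None                      # close the current realm block
        elif line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section)[key] = value
    return conf

def realm_for_host(conf, host):
    """Map a host to a realm via [domain_realm]: longest match wins, a leading '.'
    entry matches any host under that domain; else default_realm applies."""
    mapping, host = conf.get("domain_realm", {}), host.lower()
    best = max((d for d in mapping if host == d or
                (d.startswith(".") and host.endswith(d))), key=len, default=None)
    return mapping[best] if best else conf["libdefaults"]["default_realm"]

def kdc_for_realm(conf, realm, key="kdc", default_port=88):
    """(host, port) for a realm's kdc/kpasswd_server; default 88 or 464 if no port."""
    host, _, port = conf["realms"][realm][key].partition(":")
    return host, int(port) if port else default_port
```

A host under neither mapped domain falls back to default_realm, which is exactly the case the minimal configuration above relies on.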
Some Kerberos clients
You can install Kerberos clients from the apt repositories. A working GUI client is gnome-kerberos, and the command-line tools can be found as krb5-workstation.
$ apt-get install gnome-kerberos
or
$ apt-get install krb5-workstation
When you run the gnome-kerberos client (/usr/bin/krb5) after a fresh install, you will see that the EXAMPLE.COM domain is already configured.
Windows krb5.ini Configuration
...
There is, however, a fallback to use a krb5.conf file in /etc for UNIX compatibility mode.