Versions Compared

Old Version 7

changes.mady.by.user Christine Koppelt

Saved on

compared with

New Version 8

changes.mady.by.user Michael E. Rodriguez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

On most UNIX platforms Kerberos clients look for the /etc/krb5.conf file located in the /etc directory of the host. This file contains configuration settings for both servers and clients however we're only concerned with the client configuration aspect.The

Minimum config file

...

At a minimum, you must onfigure your host so that it knows where to get Kerberos tickets. The minimum config file must list the default Kerberos realm and the location of at least one key distribution center (KDC).

Note that these configuration examples assume hostnames such as kdc.example.com will resolve on your network. If kdc.example.com is not found, you may see the error Error getting credentials: Cannot resolve network address for KDC in requested realm. Assuming you are running Kerberos on IP address '10.0.0.2', you can correct this with the following /etc/hosts entry.

Code Block

10.0.0.2       kdc.example.com

Wiki Markup
In the \[libdefaults] section the most important parameter to configure is the default_realm.

Wiki Markup
In the \[realms\] section you want to configure the EXAMPLE.COM realm.  Remember case makes a difference and realm names need to be in all uppercase.  In this section you can configure the server and port for the KDC.  Apache Directory is the KDC and Kerberos by default runs on port 88.

No Format

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 ticket_lifetime = 24h
 forwardable = yes 

 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5 

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   forwardable = true
   krb4_convert = false
 }

The logging section should be left as is. In the defaults section the most important parameter to configure is the default_realm.

Note
title"Do not configure ticket_lifetime and renew_lifetime"

Presently found some issues with pam authentication when setting ticket and renew lifetimes. If you get the following error then you might try removing these properties from your pam section in the krb5.conf file: Authentication failure (KDC reply did not match expectations).

Wiki Markup
In the \[realmsdomain_realm\] section you want we map the DNS domain name to againthe substituteKerberos your realm name.  Note that the first line has a '.' in front of the domain name.

Below is a minimal example krb5.conf configuration file from a Linux workstation setup for the EXAMPLE.COM realm:

No Format

[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
Slightly more advanced configuration

The last section that we're concerned with is the \[domain_realm\] section. Here we map the DNS domain name to the Kerberos realm name. Note that the first line has a '.' in front of the domain name. You must also add a dot and substitute the search domain for the kdc and the kpasswd_server
Wiki Markup
The \[realms] section here demonstrates a few configuration options.  First, you can adjust the service ports to connect to.  Second, you can configure a *kpasswd_server*.  Thisfor EXAMPLE.COM.  Remember case makes a difference and realm names need to be in all uppercase.  In this section you configure the server and port for the KDC.  Apache Directory is the KDC and its Kerberos port by default runs on port 88.  The next parameter is, *kpasswd_server*, this is for the changepwChange Password protocol service which also runs on Apache Directory.  The default port for Change Password is 464 for this protocol and Apache Directory runs the service by default on this port.  The last parameter in this section is the *default_domain*.  This is the DNS domain name to use to locate the *kdc* and the *kpasswd_server* if they cannot be resolved by the non-qualified host name specified.
Wiki Markup

No Format

[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com:88
  kpasswd_server = kdc.example.com:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
Most advanced Linux configuration

You shouldn't have to get more advanced than this. While you can configure many parameters of tickets, like various times and encryption types, you shouldn't ever have to. You are better off setting realm-wide configuration on the KDC.

This example demonstrates how to configure resolution of KDC's in 2 realms. You would use a client configuration like this when you have configured cross-realm authentication, aka a "trust relationship."

No Format

[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
  kpasswd_server = kdc.example.com
 }

 EU.EXAMPLE.COM = {
  kdc = kdc.eu.example.com
 }
 
[domain_realm]
 .example.com = EXAMPLE.COM
 .eu.example.com = EU.EXAMPLE.COM
Some Kerberos clients

You can install kerberos clients from the apt repositories. A working GUI client is gnome-kerberos and the command-line tools can be found as krb5-workstation.

Code Block

$ apt-get install gnome-kerberos

or

Code Block

$ apt-get install krb5-workstation

When you run the gnome-kerberos client (/usr/bin/krb5) after a fresh install, you will see that the EXAMPLE.COM domain is already configured.

Windows krb5.ini Configuration

...

There is however a fallback ot to use a krb5.conf file in /etc for UNIX compatibility mode.