
All Kerberos clients, including the Java Krb5LoginModule, require client configuration. Unfortunately, this configuration is platform-specific. This HOWTO covers the configuration of Kerberos clients on various operating systems.

*NIX /etc/krb5.conf Configuration

On most UNIX platforms Kerberos clients look for the krb5.conf file in the /etc directory of the host. This file contains configuration settings for both servers and clients; here we are only concerned with the client side.

The file contains sections for logging, library defaults, realms, and DNS domain to realm mappings that let clients locate the Key Distribution Center (KDC). Below is an example krb5.conf from a Linux workstation set up for the EXAMPLE.COM realm:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 ticket_lifetime = 24h
 forwardable = yes 

 default_tgs_enctypes = des-cbc-md5
 default_tkt_enctypes = des-cbc-md5
 preferred_enctypes = des-cbc-md5
 permitted_enctypes = des-cbc-md5 

[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   forwardable = true
   krb4_convert = false
 }

The [logging] section can be left as it is. In the [libdefaults] section the most important parameter to configure is default_realm.

"Do not configure ticket_lifetime and renew_lifetime"

We have found issues with PAM authentication when ticket and renew lifetimes are set. If you get the following error, try removing these properties from the pam section of your krb5.conf file: Authentication failure (KDC reply did not match expectations).

In the [realms] section, again substitute your realm name for EXAMPLE.COM. Remember that case matters: realm names must be all uppercase. This section configures the host and port of the KDC. Apache Directory is the KDC, and its Kerberos service listens on port 88 by default. The next parameter, kpasswd_server, is for the changepw (password change) protocol service, which also runs on Apache Directory; the default port for this protocol is 464, and Apache Directory runs the service on that port by default. The last parameter in this section is default_domain. This is the DNS domain name used to locate the kdc and the kpasswd_server if they cannot be resolved by the unqualified host name given.

The last section we are concerned with is [domain_realm]. Here we map DNS domain names to the Kerberos realm name. Note that the first entry has a '.' in front of the domain name; this form matches every host under that domain, while the second entry matches the bare domain itself. Substitute your own DNS search domain (the one the kdc and kpasswd_server hosts live in) in both entries, keeping the leading dot on the first.
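
As an added example (not part of this HOWTO or of Apache Directory), a small Python parser for the krb5.conf syntax shown above, followed by a lint of the client settings this section discusses: realm case, the [realms] entry, both [domain_realm] mappings and the pam lifetimes. It goes one step beyond the text by also flagging single-DES enctypes, which the sample file uses and which have long been deprecated; the configuration it runs on is constructed for this example and is not a real deployment.

```python
import re

def parse_krb5_conf(text):
    # Result is {section: {key: value}}; a `key = {` block nests as a dict under its key.
    conf, stack = {}, []
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):  # skip blank lines and # comments
        if m := re.fullmatch(r"\[(\w+)\]", line):
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line.rstrip("{= "), {}))
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            stack[-1][key] = value
    return conf

def lint_client_config(conf):
    """Check the [libdefaults], [realms], [domain_realm] and pam settings the HOWTO discusses."""
    lib, findings = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm", "")
    if not realm or realm != realm.upper():
        findings.append(f"libdefaults: default_realm '{realm}' is missing or not all uppercase")
    for key, value in lib.items():  # single DES is broken; flag any enctype list that still allows it
        if key.endswith("enctypes") and any(t.startswith("des-") for t in value.split()):
            findings.append(f"libdefaults: {key} permits single DES ({value})")
    realm_cfg = conf.get("realms", {}).get(realm, {})
    findings += [f"realms/{realm}: {k} is missing" for k in ("kdc", "kpasswd_server") if k not in realm_cfg]
    domain = realm_cfg.get("default_domain", realm.lower())
    for name in (domain, "." + domain):  # both the bare and the dotted domain must map to the realm
        if conf.get("domain_realm", {}).get(name) != realm:
            findings.append(f"domain_realm: '{name}' is not mapped to {realm}")
    pam = conf.get("appdefaults", {}).get("pam", {})
    for key in ("ticket_lifetime", "renew_lifetime"):  # see the pam troubleshooting note above
        if key in pam:
            findings.append(f"appdefaults/pam: remove {key}")
    return findings

SAMPLE = """[libdefaults]
 default_realm = EXAMPLE.COM
 permitted_enctypes = des-cbc-md5
[realms]
 EXAMPLE.COM = {
  kdc = localhost:88
  kpasswd_server = localhost:464
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""  # constructed sample modelled on the page's krb5.conf; the bare-domain mapping is deliberately missing
```

Running lint_client_config(parse_krb5_conf(SAMPLE)) reports the DES enctype and the missing example.com mapping; a file with AES enctypes and both mappings yields no findings.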

Windows krb5.ini Configuration

Windows uses exactly the same file syntax as the *NIX platforms; only the file name differs, and the paths inside it are Windows paths. Otherwise the information above applies to configuring the Windows Kerberos client as well.

Even though different Windows versions have different system directories (e.g. C:\Windows or C:\WINNT), the krb5.ini file is always expected to be in the C:\WINNT directory, even when a C:\Windows directory exists and no WINNT directory does. If the C:\WINNT directory does not exist, create it and place the file there.

MacOSX Kerberos Configuration

The Kerberos configuration on MacOSX is stored in a plist file named edu.mit.Kerberos.KerberosLogin.plist. It contains settings similar to those in krb5.conf, but it lives in specific locations. For more details on configuring MacOSX for Kerberos, consult the following page:

http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx.html

There is, however, a fallback to a krb5.conf file in /etc for UNIX compatibility mode.
