Creating the initial database
First make sure that you do not have any old Kerberos
databases lying around. Change to the directory
/etc/kerberosIV and check that only the
following files are present:
mideon# cd /etc/kerberosIV
mideon# ls
README krb.conf krb.realms register_keys
If any additional files (such as principal.dir or
principal.pag, the two halves of the database) exist, use
the kdb_destroy command to destroy the old Kerberos database
before continuing.
You should now edit the krb.conf and
krb.realms files to define your Kerberos realm.
The first line of krb.conf names the local realm; every
following line pairs a realm with one of its KDCs, and the
words "admin server" mark the KDC that accepts administrative
requests such as password changes. In this case the realm will
be BSC.NO and the server is mideon.bsc.no, so we would edit the
krb.conf file to be as follows:
mideon# cat krb.conf
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
Now we have to map hosts to realms. krb.realms maps a
hostname (an exact entry) or a whole domain (an entry starting
with a dot) to a realm. We add mideon.bsc.no to the
BSC.NO realm and also add an entry to put all
hosts in the .bsc.no domain in the
BSC.NO realm. The krb.realms file
would be updated as follows:
mideon# cat krb.realms
mideon.bsc.no BSC.NO
.bsc.no BSC.NO
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU
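To see how the two files above are actually consulted, here is a small portable-sh reader for them. It is an added example and not part of the Handbook or of the Kerberos libraries: the file contents are copied from the listings above into a temporary directory so it runs anywhere, and the lookup rules (exact host entry first, then domain entries from the host's own domain down to the top-level domain, exact string comparison, upper-cased domain as the fallback) are this example's own reading of the formats, the fallback in particular being an assumption.

```shell
#!/bin/sh
# Added example, not part of the Handbook: a portable-sh reader for the
# realm configuration files. krb.conf and krb.realms are copied from the
# page into a temporary directory; the lookup rules are this example's
# own reading of the formats, not libkrb's code.
set -eu

KRBDIR=$(mktemp -d)
trap 'rm -rf "$KRBDIR"' EXIT

cat > "$KRBDIR/krb.conf" <<'EOF'
BSC.NO
BSC.NO mideon.bsc.no admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
EOF

cat > "$KRBDIR/krb.realms" <<'EOF'
mideon.bsc.no BSC.NO
.bsc.no BSC.NO
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU
EOF

# The local realm is the first line of krb.conf.
local_realm() {
    head -n 1 "$KRBDIR/krb.conf"
}

# Every KDC for a realm: the host on each krb.conf line (after the
# first) whose first field is that realm, in file order.
kdcs_of_realm() {
    awk -v r="$1" 'NR > 1 && $1 == r { print $2 }' "$KRBDIR/krb.conf"
}

# The admin server of a realm is the KDC line flagged "admin server";
# password changes go there. Prints nothing if none is listed.
admin_server_of_realm() {
    awk -v r="$1" 'NR > 1 && $1 == r && $3 == "admin" { print $2; exit }' \
        "$KRBDIR/krb.conf"
}

# Map a hostname to its realm. An exact host line in krb.realms wins;
# otherwise domain lines (leading ".") are tried from the host's own
# domain down to the top-level domain. Comparison is exact, which is
# why the file lists both .MIT.EDU and .mit.edu. If nothing matches,
# fall back to the host's domain in upper case (assumption made by
# this example; the real library may differ).
realm_of_host() {
    host=$1
    r=$(awk -v h="$host" '$1 == h { print $2; exit }' "$KRBDIR/krb.realms")
    if [ -n "$r" ]; then
        echo "$r"
        return 0
    fi
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}                          # strip the leftmost label
        r=$(awk -v dd=".$d" '$1 == dd { print $2; exit }' "$KRBDIR/krb.realms")
        if [ -n "$r" ]; then
            echo "$r"
            return 0
        fi
    done
    echo "${host#*.}" | tr '[:lower:]' '[:upper:]'
}

# Where a client on this host would send its initial ticket request:
# the KDC list of the realm the host maps to.
kdcs_for_host() {
    kdcs_of_realm "$(realm_of_host "$1")"
}

for h in mideon.bsc.no ws1.bsc.no okeeffe.berkeley.edu kerberos-2.mit.edu; do
    printf '%-22s realm=%-16s kdc(s): %s\n' "$h" "$(realm_of_host "$h")" \
        "$(kdcs_for_host "$h" | tr '\n' ' ')"
done
printf 'local realm: %s, admin server: %s\n' \
    "$(local_realm)" "$(admin_server_of_realm "$(local_realm)")"
```

A host such as ws1.bsc.no, which has no line of its own, still lands in BSC.NO through the .bsc.no entry, while a host in an unlisted domain falls through to the fallback; if a client on such a host is getting tickets from an unexpected realm, krb.realms is the first place to look.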
Now we're ready to create the database, issue the
kdb_init command to do this:
mideon# kdb_init
Realm name [default CS.BERKELEY.EDU ]: BSC.NO
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:
Now we have to save the master key so that the servers on the
local machine can read it without prompting. Use the kstash
command to do this. kstash writes the master key to a file on
the KDC's disk; anyone who can read that file, the database, or
a backup of either can decrypt every key in the realm and forge
tickets, so the KDC should run nothing else and its backups need
the same protection as the KDC itself.
mideon# kstash
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Populating the database
We now have to add some entries to the database.
First let's create an entry for the user md. Use
the kdb_edit command to do this:
mideon# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: md
Instance:
md. not found, Create [y] ?
Principal: md, Instance: , kdc_key_ver: 1
New Password:
New Password:
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 100
Attributes [ 0 ] ?
Edit O.K.
The maximum ticket lifetime is given in units of five minutes:
the default of 255 is about 21 hours and the 100 given to md
above is 8 hours 20 minutes.
Now let's add an entry for the password changing daemon,
kpasswd. The principal name must be kpasswd and
the instance must be the name of the local machine,
mideon in this case. Similarly, we must also
add an entry for the principal rcmd with an
instance equal to the hostname of the local machine.
Nobody ever types the password of a service principal, so
let kdb_edit generate a random key for these two by entering
RANDOM at both password prompts:
Principal name: kpasswd
Instance: mideon
kpasswd.mideon not found, Create [y] ?
Principal: kpasswd, Instance: mideon, kdc_key_ver: 1
New Password: <---- enter RANDOM here
New Password: <---- and here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: rcmd
Instance: mideon
rcmd.mideon not found, Create [y] ?
Principal: rcmd, Instance: mideon, kdc_key_ver: 1
New Password: <---- enter RANDOM here
New Password: <---- and here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exit
Creating the server file
We now have to extract the keys of all the service instances
defined for this machine (kpasswd.mideon and rcmd.mideon
above) into a srvtab file. For this we use the
ext_srvtab command with the instance name:
mideon# ext_srvtab mideon
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'mideon-new-srvtab'....
Now, this command only generates a temporary file
which must be renamed to srvtab so that all the
servers can pick it up. Use the mv command to move it
into place:
mideon# mv mideon-new-srvtab srvtab
srvtab holds the long-term keys of this host's services
unencrypted; whoever can read it can impersonate those
services. Check with ls -l that it is owned by root and
readable by nobody else (mode 0600) before going on.
Testing it all out
First we have to start the kerberos daemon:
mideon# kerberos &
[1] 774
mideon# Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: BSC.NO
Now we can try using the kinit command to get
tickets for the id md that we created above:
mideon# kinit md
Kerberos Initialization for "md"
Kerberos Password:
Try listing the tickets using klist to see if we
really have them:
mideon# klist
Ticket file: /tmp/tkt0
Principal: md@BSC.NO
Issued Expires Principal
Mar 23 21:06:52 Mar 24 05:06:52 krbtgt.BSC.NO@BSC.NO
Now try changing the password with passwd, which goes
through the kpasswd daemon, to check that the daemon can
get authorisation to update the Kerberos database:
mideon# passwd md
Changing Kerberos password for md.@BSC.NO.
Old Kerberos password:
New Kerberos password:
Retype new Kerberos password:
Update complete.
Adding su privileges
We should now add an id which is authorised to su to
root. This is controlled by having an instance of
root associated with a principal. Using
kdb_edit we can create the entry
md.root in the Kerberos database:
mideon# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: md
Instance: root
md.root not found, Create [y] ?
Principal: md, Instance: root, kdc_key_ver: 1
New Password:
New Password:
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 12
Attributes [ 0 ] ?
Edit O.K.
Principal name:
Now try getting tickets for it to make sure it works:
mideon# kinit md.root
Kerberos Initialization for "md.root"
Kerberos Password:
And list them to check the expiry time (one hour, matching
the lifetime of 12 set above):
mideon# klist
Ticket file: /tmp/tkt0
Principal: md.root@BSC.NO
Issued Expires Principal
Mar 23 21:08:47 Mar 23 22:08:47 krbtgt.BSC.NO@BSC.NO
mideon#
Now we need to add the user to root's .klogin file. The
entry names the root-instance principal md.root, not the
ordinary md@BSC.NO, so md's everyday tickets do not confer
root:
mideon# cat /root/.klogin
md.root@BSC.NO
Now try doing the su:
[md@mideon.bsc.no 10407] su
Kerberos Password:
Warning: tgt not verified.
The warning means su obtained a ticket for md.root but could
not confirm that it came from the genuine KDC; the usual check
is to use the new ticket to request a ticket for this host's own
rcmd service and decrypt it with the key in srvtab. Without that
check a spoofed KDC could in principle satisfy su, so if the
warning appears on a production machine confirm that the rcmd
instance in the database and in srvtab matches the name su uses
for this host. Now take a look at what tickets we have:
mideon# klist
Ticket file: /tmp/tkt_root_1250
Principal: md.root@BSC.NO
Issued Expires Principal
Mar 23 22:09:59 Mar 23 22:19:59 krbtgt.BSC.NO@BSC.NO
mideon#
Notice that the ticket su obtained is valid for only ten
minutes, far less than the one-hour maximum set for md.root:
su requests a short-lived ticket of its own, so the ticket file
it leaves behind is of little use if stolen.
Notice also that with this setup each user has their own entry
for su'ing to root (the user.root entry
in Kerberos). This allows you to give root access to
multiple users without the need to share a common root
password, and a single user's root access can be withdrawn by
removing that user's .klogin line or user.root principal
without affecting anyone else.
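Two files decide who can act as this machine after the steps above: srvtab (Creating the server file) and root's .klogin (Adding su privileges). The audit below checks both and is an added example, not part of the Handbook or of the Kerberos distribution. It runs against a constructed copy of the layout in a temporary directory (a srvtab that is deliberately too open and a .klogin with three deliberate mistakes) so it can be tried as an unprivileged user; on a real host point it at /etc/kerberosIV and /root/.klogin instead. The rule it enforces for .klogin, that every entry be user.root in the local realm, is the convention this section establishes, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Handbook: a post-install audit for the
# two files that gate access to the machine, srvtab and root's .klogin.
# A constructed copy of the layout is built in a temporary directory so
# the script runs anywhere; on a real KDC call
#   audit /etc/kerberosIV /root/.klogin
set -eu

AUDITDIR=$(mktemp -d)
trap 'rm -rf "$AUDITDIR"' EXIT

printf 'BSC.NO\nBSC.NO mideon.bsc.no admin server\n' > "$AUDITDIR/krb.conf"
: > "$AUDITDIR/srvtab"
chmod 644 "$AUDITDIR/srvtab"           # deliberately too open
cat > "$AUDITDIR/.klogin" <<'EOF'
md.root@BSC.NO
jane@BSC.NO
md.admin@BSC.NO
md.root@CS.BERKELEY.EDU
EOF

# The first line of krb.conf is the local realm.
local_realm_in() {
    head -n 1 "$1/krb.conf"
}

# A file holding long-term keys must exist and be mode 0600. Ownership
# by root is left to the eye (ls -l); only the mode bits are read here
# so the check can be exercised without privileges.
check_secret_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$f: mode is $mode, expected -rw------- (owner root)"
        return 1
    fi
    echo "$f: ok"
}

# Every line in root's .klogin should be <user>.root@LOCALREALM. Other
# shapes are printed with the reason and the function returns 1:
#  - a foreign realm hands root to another realm's administration;
#  - a missing or different instance grants root on the strength of a
#    ticket other than the short-lived root one (.klogin is also
#    honoured by Kerberized rlogin/rsh, not only by su).
check_klogin() {
    klogin=$1 realm=$2 bad=0
    while IFS= read -r p || [ -n "$p" ]; do
        case $p in
            ''|'#'*) continue ;;
            *@*) name=${p%%@*}; prealm=${p#*@} ;;
            *)   name=$p;       prealm='' ;;
        esac
        inst=${name#*.}
        if [ "$prealm" != "$realm" ]; then
            echo "$p: realm '$prealm' is not the local realm $realm"; bad=1
        elif [ "$inst" = "$name" ]; then
            echo "$p: no instance, expected ${name}.root@$realm"; bad=1
        elif [ "$inst" != root ]; then
            echo "$p: instance '$inst' is not root"; bad=1
        fi
    done < "$klogin"
    return $bad
}

# Run both checks against a Kerberos directory and a .klogin file.
audit() {
    dir=$1 klogin=$2 rc=0
    realm=$(local_realm_in "$dir")
    check_secret_file "$dir/srvtab" || rc=1
    check_klogin "$klogin" "$realm" || rc=1
    [ $rc -eq 0 ] && echo "audit passed for realm $realm"
    return $rc
}

audit "$AUDITDIR" "$AUDITDIR/.klogin" || echo "audit found problems (see above)"
```

On the constructed input the audit reports the open srvtab and three .klogin lines: jane@BSC.NO (no root instance), md.admin@BSC.NO (wrong instance) and md.root@CS.BERKELEY.EDU (foreign realm). Fixing the mode with chmod 600 and leaving only md.root@BSC.NO makes it pass.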