This document describes the steps to configure and run a Kerberos KDC server. The document was created during the [[Test_Day:2010-02-04_NFS|NFSv4 Test Day]] held on 2010-02-04 to help participants who chose to create their own KDC server.

Install the {{package|krb5-libs}}, {{package|krb5-server}}, and {{package|krb5-workstation}} packages if you have not done so already.
<pre>
yum -y install krb5-libs krb5-server krb5-workstation
</pre>

Edit the <code>/etc/krb5.conf</code> and <code>/var/kerberos/krb5kdc/kdc.conf</code> configuration files to reflect the realm name and the domain-to-realm mappings. For example, for the domain redhat.com (realm REDHAT.COM), <code>/etc/krb5.conf</code> looks like this; replace <code>&lt;KDC server hostname&gt;</code> with the fully qualified hostname of the KDC:
<pre>
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 REDHAT.COM = {
  kdc = <KDC server hostname>:88
  admin_server = <KDC server hostname>:749
 }

[domain_realm]
 .redhat.com = REDHAT.COM
 redhat.com = REDHAT.COM
</pre>
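The realm name has to be spelled identically in <code>default_realm</code>, in the <code>[realms]</code> stanza and in every <code>[domain_realm]</code> mapping, and a mismatch is the most common reason a fresh KDC rejects clients. The following shell helper is an added example, not part of the wiki page or of the krb5 packages: <code>render_krb5_conf</code> writes a <code>krb5.conf</code> in the layout shown above for a given realm, domain and KDC hostname, and <code>check_krb5_conf</code> parses a <code>krb5.conf</code> and reports realm names that do not line up across the sections. The function names and the sample hostname <code>kdc.redhat.com</code> are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers (not from the wiki page or MIT krb5): render a one-realm
# krb5.conf and check that the realm names in it are consistent.

# render_krb5_conf REALM DOMAIN KDC_HOSTNAME -> krb5.conf text on stdout
render_krb5_conf() {
  realm=$1; domain=$2; kdchost=$3
  cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 $realm = {
  kdc = $kdchost:88
  admin_server = $kdchost:749
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# check_krb5_conf FILE -> exit 0 when default_realm has a [realms] stanza and
# every [domain_realm] mapping points at a realm that has one; 1 otherwise.
check_krb5_conf() {
  awk '
    # Track the current [section]; section headers start in column 0.
    /^\[/ { section = substr($0, 2, length($0) - 2); next }
    section == "libdefaults" && $1 == "default_realm" { def = $3 }
    # "REALM = {" opens a realm stanza; the kdc/admin_server lines inside do not match.
    section == "realms" && $2 == "=" && $3 == "{" { have[$1] = 1 }
    section == "domain_realm" && $2 == "=" { want[$3] = 1 }
    END {
      rc = 0
      if (def == "" || !(def in have)) {
        print "default_realm " def " has no [realms] stanza"; rc = 1
      } else if (def != toupper(def)) {
        # Realm names are case-sensitive; the convention is the upper-cased domain.
        print "warning: realm " def " is not upper case"
      }
      for (r in want) if (!(r in have)) {
        print "[domain_realm] maps to unknown realm " r; rc = 1
      }
      exit rc
    }' "$1"
}
```

Typical use on the KDC is <code>render_krb5_conf REDHAT.COM redhat.com kdc.redhat.com > /etc/krb5.conf && check_krb5_conf /etc/krb5.conf</code>; the same check can be run against the <code>krb5.conf</code> copied to each NFS client to catch a realm that was edited on one side only.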
Create the Kerberos database using the <code>kdb5_util</code> utility from a shell prompt. The <code>-s</code> option also writes a stash file holding the master key, so that the KDC can start without prompting for the master password:
<pre>
/usr/sbin/kdb5_util create -s
</pre>

Configure the KDC server to synchronize its clock using NTP. Kerberos rejects requests from hosts whose clocks differ from the KDC's by more than the permitted skew, so the KDC and all of its clients need accurate time.
<pre>
service ntpd restart
</pre>

Edit the <code>/var/kerberos/krb5kdc/kadm5.acl</code> file so that it contains only this line, which grants full administrative rights to every principal whose instance is <code>admin</code>:
<pre>
*/admin *
</pre>

Type the following <code>kadmin.local</code> command at the KDC terminal to create the first administrative principal:
<pre>
/usr/sbin/kadmin.local -q "addprinc root/admin"
</pre>

Modify the firewall rules to allow Kerberos communications (port 88 for the KDC and port 749 for kadmin, the ports listed in <code>krb5.conf</code> above), or disable the firewall temporarily. The following commands take the second option and flush all iptables rules:
<pre>
iptables -F
ip6tables -F
</pre>

Start the Kerberos services using the following commands:
<pre>
/sbin/service krb5kdc start
/sbin/service kadmin start
</pre>
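Once the services are up, the things that most often go wrong are an ACL file with more (or less) than the intended line, a missing stash file so that <code>krb5kdc</code> prompts for the master password at boot, and the KDC ports not actually listening. The following post-setup checks are an added example, not part of the wiki page or of the krb5 packages; the function names, the sample directory passed to them and the constructed ACL contents are assumptions, while the stash file name <code>.k5.REALM</code> in the KDC directory is MIT krb5's default.

```shell
#!/bin/sh
# Hypothetical post-setup checks for a freshly configured MIT Kerberos KDC
# (not from the wiki page or the krb5 packages). Each check returns 0 on
# success and prints the reason on failure.

# acl_is_admin_only FILE -> 0 when the only effective line is "*/admin *"
acl_is_admin_only() {
  acl_file=$1
  # Drop comments and blank lines, collapse whitespace, then compare the rest.
  effective=$(grep -v '^[[:space:]]*#' "$acl_file" | grep -v '^[[:space:]]*$' \
    | sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//')
  if [ "$effective" = "*/admin *" ]; then
    return 0
  fi
  echo "unexpected kadm5.acl content: $effective" >&2
  return 1
}

# stash_present KDC_DIR REALM -> 0 when kdb5_util create -s left a master key
# stash (.k5.REALM) in KDC_DIR; without it krb5kdc cannot start unattended.
stash_present() {
  kdc_dir=$1; realm=$2
  if [ -s "$kdc_dir/.k5.$realm" ]; then
    return 0
  fi
  echo "no stash file $kdc_dir/.k5.$realm; re-run kdb5_util create -s" >&2
  return 1
}

# kdc_ports_listening -> 0 when the KDC (88 udp and tcp) and kadmind (749 tcp)
# sockets are open according to ss; needs the services to be running.
kdc_ports_listening() {
  listening=$(ss -ltun 2>/dev/null)
  rc=0
  for spec in "udp:88" "tcp:88" "tcp:749"; do
    proto=${spec%%:*}; port=${spec##*:}
    # ss prints the protocol in the first column and "addr:port " in the local column.
    if ! printf '%s\n' "$listening" | grep -q "^$proto .*:$port "; then
      echo "$proto port $port is not listening" >&2
      rc=1
    fi
  done
  return $rc
}

# kdc_postcheck KDC_DIR REALM -> runs all checks; 0 only when all pass.
kdc_postcheck() {
  rc=0
  acl_is_admin_only "$1/kadm5.acl" || rc=1
  stash_present "$1" "$2" || rc=1
  kdc_ports_listening || rc=1
  return $rc
}
```

On the KDC built by the steps above the call is <code>kdc_postcheck /var/kerberos/krb5kdc REDHAT.COM</code>; a non-zero exit with the printed reasons tells you which step to repeat before pointing NFS clients at the server.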
Latest revision as of 11:32, 27 June 2018