From Fedora Project Wiki
This document was created during the NFSv4 Test Day held on 2010-02-04 to detail how participants could set up their own Kerberos KDC server.

- Install the krb5-libs, krb5-server and krb5-workstation packages if you have not done so already:

    yum -y install krb5-libs krb5-server krb5-workstation
- Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and the domain-to-realm mappings. For example, for the domain redhat.com (realm REDHAT.COM):

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = REDHAT.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = yes

    [realms]
     REDHAT.COM = {
      kdc = <KDC server hostname>:88
      admin_server = <KDC server hostname>:749
     }

    [domain_realm]
     .redhat.com = REDHAT.COM
     redhat.com = REDHAT.COM
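The realm, [realms] and [domain_realm] entries above must agree with each other, and the realm name is conventionally the domain in upper case. The following POSIX shell functions are an added example, not part of the original wiki page: render_krb5_conf writes a krb5.conf in the layout shown above for any domain and KDC hostname (the function names, the example.com domain and the output path are this example's own choices), and check_krb5_conf verifies the rendered file before it is copied to /etc/krb5.conf. Everything is written under a temporary directory, so it runs without root on a machine that has no Kerberos installed.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): render a krb5.conf for a given
# DNS domain and KDC host, then sanity-check it before installing it.

# render_krb5_conf DOMAIN KDC_HOST OUTFILE
# The realm is the domain in upper case, following Kerberos convention.
render_krb5_conf() {
    domain=$1
    kdc_host=$2
    out=$3
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat > "$out" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 $realm = {
  kdc = $kdc_host:88
  admin_server = $kdc_host:749
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# check_krb5_conf FILE
# Returns 0 when the default_realm is upper case, has a matching [realms]
# block and a [domain_realm] mapping, and the kdc line names port 88.
# Prints the first problem found and returns 1 otherwise.
check_krb5_conf() {
    f=$1
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$f" | head -n1)
    [ -n "$realm" ] || { echo "no default_realm in $f"; return 1; }
    case $realm in
        *[[:lower:]]*) echo "realm $realm is not upper case"; return 1 ;;
    esac
    grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$f" \
        || { echo "no [realms] entry for $realm"; return 1; }
    grep -q "^[[:space:]]*\.[^=]*=[[:space:]]*$realm\$" "$f" \
        || { echo "no [domain_realm] mapping to $realm"; return 1; }
    grep -q '^[[:space:]]*kdc[[:space:]]*=.*:88$' "$f" \
        || { echo "kdc entry does not name port 88"; return 1; }
    return 0
}

# Usage: render into a scratch directory, check, and only then copy to /etc.
if [ -z "$KRB5_EXAMPLE_NO_MAIN" ]; then
    workdir=$(mktemp -d)
    render_krb5_conf example.com kdc.example.com "$workdir/krb5.conf"
    if check_krb5_conf "$workdir/krb5.conf"; then
        echo "rendered $workdir/krb5.conf passes checks"
    fi
fi
```

The ports the rendered file names (88 for the KDC, 749 for kadmin) are also the ones a firewall rule needs to admit, which is the targeted alternative to flushing the rule set in the firewall step below.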
- Create the Kerberos database using the kdb5_util utility from a shell prompt:

    /usr/kerberos/sbin/kdb5_util create -s

- Configure the KDC server to synchronize its clock with NTP, so that the KDC and its clients agree on the time for later Kerberos communication:

    service ntpd restart

- Edit the /var/kerberos/krb5kdc/kadm5.acl file so that it contains only this line:

    */admin *

- Run the following kadmin.local command at the KDC terminal to create the first principal:

    /usr/kerberos/sbin/kadmin.local -q "addprinc root/admin"

- Modify the firewall rules to allow Kerberos communication, or disable the firewall temporarily:

    iptables -F
    ip6tables -F

- Start Kerberos using the following commands:

    /sbin/service krb5kdc start
    /sbin/service kadmin start