To install the Kerberos V5 package, do the following:
To avoid namespace collisions between DCE and Kerberos commands (that is, between the klist, kinit, and kdestroy commands), the Kerberos commands are installed in the /usr/krb5/bin and /usr/krb5/sbin directories. You can add these directories to your PATH definition. Otherwise, to execute the Kerberos commands, you must specify fully qualified command pathnames.
- It is not recommend that both DCE and Kerberos server software be installed on the same physical system. If you must do so, then the normal (default) operational internet port numbers must be changed for either the DCE clients/server or for the Kerberos clients/server. In either case, such a change can affect interoperability with existing DCE and Kerberos deployments in your environment.
- Kerberos V5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the Kerberos Domain Controller (KDC). The default value for maximum clock skew is 300 seconds (five minutes). Kerberos requires that some form of time synchronization is configured between the servers and the clients.
It is recommended that you use xntpd or timed for time synchronization. One method for time synchronization is to use the timed daemon as follows:
- Set up the KDC server as a time server by starting the timed daemon.
# timed -M
- Start the the timed daemon on each Kerberos client.
# timed -t
To configure the Kerberos KDC and kadmin servers, run the mkkrb5srv command. For normal use of Kerberos integrated with existing security functionality, use the mkkrb5srv command with the following parameters:
mkkrb5srv -r realm -s server -d domain
For example, to configure Kerberos for realm UD3A, server sundial, and domain austin.ibm.com, type the following:
mkkrb5srv -r UD3A.AUSTIN.IBM.COM -s sundial.austin.ibm.com \ -d austin.ibm.com
Note: Wait a few minutes for kadmind and krb5kdc to start from /etc/inittab.
The command goes through the following sequence:
If you have problems, see Sample Runs or Error Messages and Recovery Actions.
After installation is complete, it is transparent to normal users that the Kerberos technology is in use. The login process to the operating system remains unchanged. However, there is a side benefit that users have Kerberos ticket-granting tickets (TGTs) associated with their running processes. To configure systems to use Kerberos as the primary means of user authentication, run the mkkrb5clnt command with the following parameters:
mkkrb5clnt -c KDC -r realm -s admin server -d domain -A \ -i database -K -T
mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \ -s sundial.austin.ibm.com -d austin.ibm.com \ -A -i files -K -T
The above command causes the following actions:
Create /etc/krb5/krb5.conf file. Values for realm name, Kerberos admin server, and domain name are set as specified on the command line. Also updates the paths for default_keytab_name, kdc, and kadmin log files.
Because the -i flag was specified, configure fully integrated login. The database entered is the location where Kerberos principals are stored.
With the -K flag specified, configure the Kerberos as the default authentication scheme. This allows the users to get authenticated with Kerberos at login time.
The -A flag adds an entry in the Kerberos Database to make root an admin user for Kerberos.
The -T flag acquires the server admin TGT-based admin ticket.
If a system is installed that resides in a different DNS domain than the KDC, the following additional actions must be performed.
For example, if you want to include a machine trojan.pok.ibm.com in your realm UD3A, the /etc/krb5/krb5.conf would include the following additional entry:
[domain realm] .pok.ibm.com = UD3A.AUSTIN.IBM.COM
Errors that can occur when using the mkkrb5srv command include the following:
Errors that can occur when using the mkkrb5clnt command include the following:
The mkkrb5srv command creates:
The mkkrb5clnt command creates:
The following is an example of the mkkrb5srv command:
Fileset Level State Description ---------------------------------------------------------------------------- Path: /usr/lib/objrepos bos.security.krb5.server 5.1 COMMITTED Network Authentication Privacy Services Server Path: /etc/objrepos bos.security.krb5.server 5.1 COMMITTED Network Authentication Privacy Services Server Creating /etc/krb5/krb5.conf Creating /var/krb5/krb5kdc/kadm5.acl Creating /var/krb5/krb5kdc/kdc.conf Initializing database '/var/krb5/krb5kdc/principal' for realm 'UD3A.AUSTIN.IBM.COM' master key name 'K/M@UD3A.AUSTIN.IBM.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Authenticating as principal root/admin@UD3A.AUSTIN.IBM.COM with password. WARNING: no policy specified for admin/admin@UD3A.AUSTIN.IBM.COM; defaulting to no policy Enter password for principal "admin/admin@UD3A.AUSTIN.IBM.COM": Re-enter password for principal "admin/admin@UD3A.AUSTIN.IBM.COM": Principal "admin/admin@UD3A.AUSTIN.IBM.COM" created. Authenticating as principal root/admin@UD3A.AUSTIN.IBM.COM with password.
The following is an example of the mkkrb5clnt command:
Creating /etc/krb5/krb5.conf Password for admin/admin@UD3A.AUSTIN.IBM.COM: Configuring fully integrated login Authenticating as principal admin/admin with existing credentials. WARNING: no policy specified for host/diana@UD3A.AUSTIN.IBM.COM; defaulting to no policy Principal "host/diana@UD3A.AUSTIN.IBM.COM" created. Administration credentials NOT DESTROYED. Authenticating as principal admin/admin with existing credentials. Administration credentials NOT DESTROYED. Authenticating as principal admin/admin with existing credentials. Principal "kadmin/admin@UD3A.AUSTIN.IBM.COM" modified. Administration credentials NOT DESTROYED. Configuring Kerberos as the default authentication scheme Making root a Kerberos administrator Authenticating as principal admin/admin with existing credentials. WARNING: no policy specified for root/diana@UD3A.AUSTIN.IBM.COM; defaulting to no policy Enter password for principal "root/diana": Re-enter password for principal "root/diana": Principal "root/diana@UD3A.AUSTIN.IBM.COM" created. Administration credentials NOT DESTROYED. Cleaning administrator credentials and exiting.