
Installation Guide


Appendix D. Installing Kerberos Version 5

To install the Kerberos V5 package, do the following:

To avoid namespace collisions between DCE and Kerberos commands (the klist, kinit, and kdestroy commands exist in both products), the Kerberos commands are installed in the /usr/krb5/bin and /usr/krb5/sbin directories. You can add these directories to your PATH definition; if DCE is also installed, the order of the directories in PATH decides which klist, kinit, or kdestroy runs. Otherwise, to execute the Kerberos commands, you must specify fully qualified command pathnames.


Configuring the Kerberos V5 KDC and kadmin Servers

Notes:
  1. It is not recommended that both DCE and Kerberos server software be installed on the same physical system. If you must do so, the normal (default) IP port numbers must be changed for either the DCE clients and server or the Kerberos clients and server. In either case, such a change can affect interoperability with existing DCE and Kerberos deployments in your environment.
  2. Kerberos V5 rejects ticket requests from any host whose clock differs from the clock of the Key Distribution Center (KDC) by more than the specified maximum clock skew. The default value for maximum clock skew is 300 seconds (five minutes). Kerberos therefore requires that some form of time synchronization be configured between the KDC, the servers, and the clients.

    It is recommended that you use xntpd or timed for time synchronization. One method for time synchronization is to use the timed daemon as follows:

    1. Set up the KDC server as a time server by starting the timed daemon in master mode.

      # timed -M
      
    2. Start the timed daemon on each Kerberos client.

      # timed -t
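
The following shell script is an added example, not part of this guide or of the timed and mkkrb5clnt commands. It is the pre-flight check a client can run before joining the realm: it reads the configured clockskew from krb5.conf (falling back to the 300-second default), extracts the client's offset from the KDC out of `ntpdate -q` output, and reports whether a ticket request would be accepted. The ntpdate output line is constructed sample data, and the "clockskew = N" key under [libdefaults] is assumed; nothing here is captured from a real KDC.

```sh
#!/bin/sh
# Added example, not from the original guide: a pre-flight clock check a
# client can run before it joins the realm. Kerberos compares request
# timestamps against the KDC's clock and rejects anything outside
# clockskew (300 s by default), so the check reads clockskew from
# krb5.conf and compares it with the offset that ntpdate -q reports.

DEFAULT_SKEW=300   # Kerberos default maximum clock skew, in seconds

# conf_clockskew FILE: print the clockskew set under [libdefaults],
# or the default when the key or the file is absent.
conf_clockskew() {
    v=$(awk '/^\[/ { insec = ($0 == "[libdefaults]") }
             insec && $1 == "clockskew" { print $3; exit }' "$1" 2>/dev/null || true)
    echo "${v:-$DEFAULT_SKEW}"
}

# ntpdate_offset: read `ntpdate -q KDC` output on stdin and print the
# signed offset in seconds from its first "offset" field.
ntpdate_offset() {
    sed -n 's/.*offset \([-+0-9.][-+0-9.]*\).*/\1/p' | head -n 1
}

# skew_ok OFFSET MAX: exit 0 when |OFFSET| is below MAX seconds, else 1.
# awk does the comparison so fractional and negative offsets work in sh.
skew_ok() {
    awk -v off="$1" -v max="$2" 'BEGIN {
        a = (off < 0) ? -off : off
        exit ((a < max) ? 0 : 1)
    }'
}

# Constructed sample of what `ntpdate -q sundial.austin.ibm.com` prints
# (assumption: the xntpd ntpdate format; not captured from a real KDC).
SAMPLE='server 10.1.2.3, stratum 2, offset -0.012345, delay 0.02567
 1 Jan 00:00:00 ntpdate[1234]: adjust time server 10.1.2.3 offset -0.012345 sec'

off=$(printf '%s\n' "$SAMPLE" | ntpdate_offset)
max=$(conf_clockskew /etc/krb5/krb5.conf)
if skew_ok "$off" "$max"; then
    echo "offset ${off}s from the KDC is within the ${max}s clock skew"
else
    echo "offset ${off}s exceeds the ${max}s clock skew; fix time sync before kinit" >&2
fi
```

Run it on a client as `ntpdate -q sundial.austin.ibm.com | ntpdate_offset` in place of the constructed sample. A client that fails this check will see its kinit requests rejected by the KDC no matter how correct the rest of the configuration is, which is why the guide insists on time synchronization before configuring clients.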
      

To configure the Kerberos KDC and kadmin servers, run the mkkrb5srv command. For normal use of Kerberos integrated with existing security functionality, use the mkkrb5srv command with the following parameters:

mkkrb5srv -r realm -s server -d domain

Example:

For example, to configure Kerberos for the realm UD3A.AUSTIN.IBM.COM, the KDC and admin server sundial.austin.ibm.com, and the domain austin.ibm.com, type the following:

  mkkrb5srv -r UD3A.AUSTIN.IBM.COM -s sundial.austin.ibm.com \
    -d austin.ibm.com

Note: Wait a few minutes for kadmind and krb5kdc to start from /etc/inittab.

The command goes through the following sequence:

  1. Create the /etc/krb5/krb5.conf file. The realm name, Kerberos admin server, and domain name are set as specified on the command line, and the paths for default_keytab_name and for the kdc and kadmin log files are set.
  2. Create the /var/krb5/krb5kdc/kdc.conf file. This sets the value for kdc_ports; the paths for the database name, admin_keytab, acl_file, dict_file, and key_stash_file; and the values for kadmin_port, max_life, max_renewable_life, master_key_type, and supported_enctypes.
  3. Create the /var/krb5/krb5kdc/kadm5.acl file, which sets up the access control for the admin, root, and host principals.
  4. Create the database and one admin principal. You are asked to set a Kerberos master key and to name and set the password for a Kerberos administrative principal. It is critical that the master key and the administrative principal name and password are stored securely for disaster-recovery purposes: the master key protects every key in the KDC database, so it must be kept as carefully as the database itself.

If you have problems, see Sample Runs or Error Messages and Recovery Actions.


Configuring the Kerberos V5 Clients

After installation is complete, it is transparent to normal users that the Kerberos technology is in use. The login process to the operating system remains unchanged. As a side benefit, users' processes hold Kerberos ticket-granting tickets (TGTs) obtained at login. To configure systems to use Kerberos as the primary means of user authentication, run the mkkrb5clnt command with the following parameters:

mkkrb5clnt -c KDC -r realm -s admin server -d domain -A \
            -i database -K -T

Example:

mkkrb5clnt -c sundial.austin.ibm.com -r UD3A.AUSTIN.IBM.COM \
           -s sundial.austin.ibm.com -d austin.ibm.com \
           -A -i files -K -T

The above command causes the following actions:

Create the /etc/krb5/krb5.conf file. The realm name, Kerberos admin server, and domain name are set as specified on the command line, and the paths for default_keytab_name and for the kdc and kadmin log files are set.

Because the -i flag was specified, configure fully integrated login. The database named with the flag (files in the example) is where the identification data for the Kerberos principals is stored.

With the -K flag specified, configure Kerberos as the default authentication scheme. This allows users to be authenticated with Kerberos at login time.

The -A flag adds an entry to the Kerberos database that makes root on this host a Kerberos administrator.

The -T flag acquires a ticket-granting ticket for the Kerberos administrative principal, so the kadmin operations that follow (creating the host and root principals) run with those credentials instead of prompting for the admin password each time.

If a system is installed that resides in a different DNS domain than the KDC, the following additional actions must be performed.

  1. Edit the /etc/krb5/krb5.conf file and add another entry under the [domain_realm] section.
  2. Map the different domain to your realm.

For example, if you want to include the machine trojan.pok.ibm.com in your realm UD3A.AUSTIN.IBM.COM, the /etc/krb5/krb5.conf file would include the following additional entry (the leading dot makes the entry match every host in the domain):

[domain_realm]
     .pok.ibm.com = UD3A.AUSTIN.IBM.COM
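
The following shell script is an added example, not part of this guide and not the code of mkkrb5srv or mkkrb5clnt. It serves two passages: it writes a minimal krb5.conf of the shape described for step 1 of mkkrb5srv, and it adds the [domain_realm] mapping above idempotently, then resolves hostnames to realms the way the Kerberos library does (an exact host entry first, then successively shorter ".domain" suffixes, then default_realm). The file is written under /tmp rather than /etc/krb5 so it can be run anywhere; the keytab and log paths, the port numbers, and the lookup function are assumptions for illustration, while the realm, KDC, and domain names are the guide's own.

```sh
#!/bin/sh
# Added example: builds a krb5.conf of the shape mkkrb5srv/mkkrb5clnt
# describe, adds a [domain_realm] mapping for a second DNS domain, and
# resolves hosts to realms. Not the guide's or AIX's own code; paths,
# ports and the lookup logic are assumptions for illustration.

REALM=UD3A.AUSTIN.IBM.COM
KDC=sundial.austin.ibm.com
DOMAIN=austin.ibm.com
CONF=${TMPDIR:-/tmp}/krb5.conf.example   # assumption: not /etc/krb5/krb5.conf

# gen_krb5_conf REALM KDC DOMAIN: print a minimal krb5.conf to stdout.
gen_krb5_conf() {
    cat <<EOF
[libdefaults]
        default_realm = $1
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        clockskew = 300

[realms]
        $1 = {
                kdc = $2:88
                admin_server = $2:749
                default_domain = $3
        }

[domain_realm]
        .$3 = $1
        $2 = $1

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log
EOF
}

# add_domain_realm FILE DOMAIN REALM: map DOMAIN (".pok.ibm.com" style, or a
# single host) to REALM under [domain_realm]; a second call is a no-op.
add_domain_realm() {
    file=$1 dom=$2 realm=$3
    esc=$(printf '%s' "$dom" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$file"; then
        return 0
    fi
    awk -v dom="$dom" -v realm="$realm" '
        { print }
        /^\[domain_realm\]/ { printf "        %s = %s\n", dom, realm }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# lookup FILE SECTION KEY: print the value of KEY in SECTION, if any.
lookup() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec) }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# realm_for_host FILE HOST: exact host entry first, then the longest
# matching ".domain" suffix, then default_realm.
realm_for_host() {
    file=$1 cand=$2
    while [ -n "$cand" ]; do
        r=$(lookup "$file" domain_realm "$cand")
        if [ -n "$r" ]; then echo "$r"; return 0; fi
        case $cand in
            .*.*) cand=".${cand#.*.}" ;;   # .pok.ibm.com -> .ibm.com
            .*)   cand="" ;;               # .com -> give up
            *)    cand=".${cand#*.}" ;;    # host.pok.ibm.com -> .pok.ibm.com
        esac
    done
    lookup "$file" libdefaults default_realm
}

gen_krb5_conf "$REALM" "$KDC" "$DOMAIN" > "$CONF"
add_domain_realm "$CONF" .pok.ibm.com "$REALM"
realm_for_host "$CONF" trojan.pok.ibm.com    # UD3A.AUSTIN.IBM.COM
```

The suffix walk is the point of the example: a host with no entry of its own falls through to the most specific ".domain" entry and finally to default_realm, so a missing [domain_realm] line does not produce an error but silently sends the client to the default realm, where the host's service principal does not exist and authentication fails.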

Error Messages and Recovery Actions

Errors that can occur when using the mkkrb5srv command include the following:

Errors that can occur when using the mkkrb5clnt command include the following:


Files Created

The mkkrb5srv command creates the /etc/krb5/krb5.conf, /var/krb5/krb5kdc/kdc.conf, and /var/krb5/krb5kdc/kadm5.acl files, and the KDC database (/var/krb5/krb5kdc/principal in the sample run below) with its master key and one administrative principal.

The mkkrb5clnt command creates the /etc/krb5/krb5.conf file on the client.


Sample Runs

The following is an example of the mkkrb5srv command:

Fileset                      Level  State      Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.security.krb5.server   5.1      COMMITTED  Network Authentication Privacy
                                                 Services Server
 
Path: /etc/objrepos
  bos.security.krb5.server   5.1      COMMITTED  Network Authentication Privacy
                                                 Services Server
Creating /etc/krb5/krb5.conf
Creating /var/krb5/krb5kdc/kadm5.acl
Creating /var/krb5/krb5kdc/kdc.conf
Initializing database '/var/krb5/krb5kdc/principal' for realm 'UD3A.AUSTIN.IBM.COM'
master key name 'K/M@UD3A.AUSTIN.IBM.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Authenticating as principal root/admin@UD3A.AUSTIN.IBM.COM with password.
WARNING: no policy specified for admin/admin@UD3A.AUSTIN.IBM.COM; defaulting to no policy
Enter password for principal "admin/admin@UD3A.AUSTIN.IBM.COM":
Re-enter password for principal "admin/admin@UD3A.AUSTIN.IBM.COM":
Principal "admin/admin@UD3A.AUSTIN.IBM.COM" created.
Authenticating as principal root/admin@UD3A.AUSTIN.IBM.COM with password.

The following is an example of the mkkrb5clnt command:

Creating /etc/krb5/krb5.conf
Password for admin/admin@UD3A.AUSTIN.IBM.COM:
Configuring fully integrated login
Authenticating as principal admin/admin with existing credentials.
WARNING: no policy specified for host/diana@UD3A.AUSTIN.IBM.COM; defaulting to no policy
Principal "host/diana@UD3A.AUSTIN.IBM.COM" created.
 
Administration credentials NOT DESTROYED.
Authenticating as principal admin/admin with existing credentials.
 
Administration credentials NOT DESTROYED.
Authenticating as principal admin/admin with existing credentials.
Principal "kadmin/admin@UD3A.AUSTIN.IBM.COM" modified.
 
Administration credentials NOT DESTROYED.
Configuring Kerberos as the default authentication scheme
 
Making root a Kerberos administrator
Authenticating as principal admin/admin with existing credentials.
WARNING: no policy specified for root/diana@UD3A.AUSTIN.IBM.COM; defaulting to no policy
Enter password for principal "root/diana":
Re-enter password for principal "root/diana":
Principal "root/diana@UD3A.AUSTIN.IBM.COM" created.
 
Administration credentials NOT DESTROYED.
 
Cleaning administrator credentials and exiting.

