[2024-feb-29] Sad news: Eric Layton aka Nocturnal Slacker aka vtel57 passed away on Feb 26th, shortly after hospitalization. He was one of our Wiki's most prominent admins. He will be missed.

Welcome to the Slackware Documentation Project

¡Esta es una revisión vieja del documento!


En proceso. Victor

Instalar y configurar kerberos en Slackware sin PAM

El KDC

Este procedimiento dará lugar a un nuevo dominio de Kerberos. Si ya tiene acceso a un KDC de Kerberos, puede saltar a las partes del cliente y del servidor de aplicaciones. Además, el siguiente procedimiento es muy breve y no sustituye la lectura de la documentación suministrada en el paquete o en el sitio web de MIT Kerberos.

  1. Instale krb (puede descargarlo y compilarlo desde http://slackbuilds.org/repository/14.1/network/krb5/)
  2. Configure /etc/krb5.conf, /var/krb5kdc/kdc.conf y /var/krb5kdc/kadm5.acl. Estos archivos son ejemplos que debe ajustar después de leer la documentación de Kerberos.

krb5.conf

 [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_kdc_lookup = true
        dns_realm_lookup = true
        forwardable = true
        renewable = true
        [realms]

EXAMPLE.COM = {
	kdc = kerberos-1.example.com:88
	kdc = kerberos-2.example.com:88
        admin_server = kerberos-1.example.com:749
        }
        

kdc.conf

[kdcdefaults]
        kdc_ports = 749,88

[realms]
        EXAMPLE.COM = {
                database_name = /var/krb5kdc/principal
                admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
                acl_file = /var/krb5kdc/kadm5.acl
                key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
                kdc_ports = 749,88
                max_life = 10h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5
        }

kadm5.acl

krb5adminprinc/admin   *

3. Crear base de datos

/usr/kerberos/sbin/kdb5_util create -r EXAMPLE.COM -s

4.Extraiga las claves del servidor de administración para /var/krb5kdc/kadm5.keytab.

/usr/kerberos/sbin/kadmin.local
kadmin.local: xst -k /var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw

5. Crear host y otros principios; extraer a /etc/krb5.keytab

kadmin.local: ank -randkey host/fully.qualified.domain.name
kadmin.local: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
**6.** Crear admin, usuarios principales
kadmin.local: ank krb5adminprinc/admin
kadmin.local: ank krb5userprinc
kadmin.local: quit

7. Crear script de inicio/etc/rc.d/rc.krb5

rc.krb5 - shamelessly ripped off from rc.samba from Slackware 13.0
#!/bin/sh
#
# /etc/rc.d/rc.krb5
#
# Start/stop/restart the MIT Kerberos V KDC
#
# To make Kerberos start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.krb5
#

krb5_start() {
  if [ -x /usr/kerberos/sbin/krb5kdc -a -x /usr/kerberos/sbin/kadmind -a -r /etc/krb5.conf -a -r /var/krb5kdc/kdc.conf ]; then
    echo "Starting Kerberos:  /usr/kerberos/sbin/krb5kdc"
    /usr/kerberos/sbin/krb5kdc
    echo "                 /usr/kerberos/sbin/kadmind"
    /usr/kerberos/sbin/kadmind
  fi
}

krb5_stop() {
  killall krb5kdc kadmind
}

krb5_restart() {
  krb5_stop
  sleep 2
  krb5_start
}

case "$1" in
'start')
  krb5_start
  ;;
'stop')
  krb5_stop
  ;;
'restart')
  krb5_restart
  ;;
*)
  # Default is "start", for backwards compatibility with previous
  # Slackware versions.  This may change to a 'usage' error someday.
  krb5_start
esac

8. Arrancar demonio KDC:

# chmod +x /etc/rc.d/rc.krb5
# /etc/rc.d/rc.krb5 start

9. Recuerde hacer que el script rc.krb5 sea ejecutable si desea que el KDC se inicie automáticamente en el arranque. Verifique la conectividad a KDC con kadmin, kinit:

$ kinit krb5userprinc
$ klist
$ kadmin -p krb5adminprinc/admin

The Client

This procedure will result in a client capable of retrievving Kerberos tickets from a KDC and allow Kerberos principals to login at the console. Successful console login by a principal will generate tickets in the user's cache. Failed login by a principal (because the principal doesn't exist, or the wrong password was supplied) should fall through to local authentications (/etc/shadow). Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP.

1. Install krb5 always http://slackbuilds.org/repository/14.1/network/krb5/ :-). 2. Setup /etc/krb5.conf: krb5.conf

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_kdc_lookup = true
        dns_realm_lookup = true
        forwardable = true
        renewable = true

[realms]

EXAMPLE.COM = {
			kdc = kerberos-1.example.com:88
			kdc = kerberos-2.example.com:88
			admin_server = kerberos-1.example.com:749
        }

3. Verify kadmin, kinit working

$ kinit krb5userprinc
$ klist
$ kadmin -p krb5adminprinc/admin

4. Add host principal, and extract host principal to /etc/krb5.keytab using kadmin and admin principal:

# kadmin -p krb5adminprinc/admin
kadmin: ank -randkey host/fully.qualified.domain.name
kadmin: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
kadmin: quit

Sources

 es:howtos:network_services:kerberizing_slackware_without_pam ()
Esta traducción es más antigua que la página original y podría estar obsoleta. Ver lo que ha cambiado.