Differences

This shows you the differences between two versions of the page.

Previous revision: howtos:network_services:kerberizing_slackware_without_pam [2015/11/28 00:17 (UTC)] – created jamesaxl
Next revision: howtos:network_services:kerberizing_slackware_without_pam [2015/11/28 03:46 (UTC)] jamesaxl
Line 6: Line 6:
   - Install krb (you can download and build it from http://slackbuilds.org/repository/14.1/network/krb5/)   - Install krb (you can download and build it from http://slackbuilds.org/repository/14.1/network/krb5/)
   - Configure /etc/krb5.conf, /var/krb5kdc/kdc.conf and /var/krb5kdc/kadm5.acl . These files are examples which you should adjust after reading the Kerberos documentation.   - Configure /etc/krb5.conf, /var/krb5kdc/kdc.conf and /var/krb5kdc/kadm5.acl . These files are examples which you should adjust after reading the Kerberos documentation.
- **krb5.conf**<code>+**krb5.conf**<code>
  [domain_realm]  [domain_realm]
         example.com = EXAMPLE.COM         example.com = EXAMPLE.COM
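Review bot: the new `**krb5.conf**<code>` line puts the opening `<code>` tag on the same line as the bold label, while every later block in this page (`**kadm5.acl**`, step 3, step 5) opens `<code>` on its own line; for consistent rendering move `<code>` to the next line here as well. The change from a `- ` list item to a plain bold label is fine, since the numbered steps above are what carry the structure.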
Line 40: Line 40:
                 max_renewable_life = 7d 0h 0m 0s                 max_renewable_life = 7d 0h 0m 0s
                 supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5                 supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5
-        }+        }</code> 
 + 
 +**kadm5.acl** 
 +<code> 
 +krb5adminprinc/admin   *</code> 
 + 
 +**3. ** Create DataBase 
 +<code> 
 +/usr/kerberos/sbin/kdb5_util create -r EXAMPLE.COM -s
 </code> </code>
 +**4.** Extract the admin server keys to /var/krb5kdc/kadm5.keytab.
 +<code>/usr/kerberos/sbin/kadmin.local
 +kadmin.local: xst -k /var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
 +</code>
 +**5.** Create host and other principals; extract to /etc/krb5.keytab
 +<code>
 +kadmin.local: ank -randkey host/fully.qualified.domain.name
 +kadmin.local: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
 +</code>
 +<code>
 +**6.** Create admin, user principals
 +kadmin.local: ank krb5adminprinc/admin
 +kadmin.local: ank krb5userprinc
 +kadmin.local: quit
 +</code>
 +**7.** Create startup script /etc/rc.d/rc.krb5
 +<note important>rc.krb5 - shamelessly ripped off from rc.samba from Slackware 13.0</note>
 +<code>
 +#!/bin/sh
 +#
 +# /etc/rc.d/rc.krb5
 +#
 +# Start/stop/restart the MIT Kerberos V KDC
 +#
 +# To make Kerberos start automatically at boot, make this
 +# file executable:  chmod 755 /etc/rc.d/rc.krb5
 +#
  
-====== Sources ======+krb5_start() { 
 +  if [ -x /usr/kerberos/sbin/krb5kdc -a -x /usr/kerberos/sbin/kadmind -a -r /etc/krb5.conf -a -r /var/krb5kdc/kdc.conf ]; then 
 +    echo "Starting Kerberos:  /usr/kerberos/sbin/krb5kdc" 
 +    /usr/kerberos/sbin/krb5kdc 
 +    echo "                 /usr/kerberos/sbin/kadmind" 
 +    /usr/kerberos/sbin/kadmind 
 +  fi 
 +
 + 
 +krb5_stop() { 
 +  killall krb5kdc kadmind 
 +
 + 
 +krb5_restart() { 
 +  krb5_stop 
 +  sleep 2 
 +  krb5_start 
 +
 + 
 +case "$1" in 
 +'start'
 +  krb5_start 
 +  ;; 
 +'stop'
 +  krb5_stop 
 +  ;; 
 +'restart'
 +  krb5_restart 
 +  ;; 
 +*) 
 +  # Default is "start", for backwards compatibility with previous 
 +  # Slackware versions.  This may change to a 'usage' error someday. 
 +  krb5_start 
 +esac 
 +</code> 
 +**8.** Start KDC daemons: 
 +<code> 
 +# chmod +x /etc/rc.d/rc.krb5 
 +# /etc/rc.d/rc.krb5 start 
 +</code> 
 +**9.** Remember to make the rc.krb5 script executable if you want the KDC to start automatically at boot. 
 +Verify connectivity to KDC with kadmin, kinit: 
 +<code> 
 +$ kinit krb5userprinc 
 +$ klist 
 +$ kadmin -p krb5adminprinc/admin 
 +</code> 
 +==== The Client ==== 
 + 
 +This procedure will result in a client capable of retrievving Kerberos tickets from a KDC and allow Kerberos principals to login at the console. Successful console login by a principal will generate tickets in the user's cache. Failed login by a principal (because the principal doesn't exist, or the wrong password was supplied) should fall through to local authentications (/etc/shadow). Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP. 
 + 
 +**1.** Install krb5 always http://slackbuilds.org/repository/14.1/network/krb5/ :-). 
 +**2.** Setup /etc/krb5.conf: 
 +**krb5.conf** 
 +<code> 
 +[domain_realm] 
 +        example.com = EXAMPLE.COM 
 +        .example.com = EXAMPLE.COM 
 + 
 +[libdefaults] 
 +        default_realm = EXAMPLE.COM 
 +        dns_kdc_lookup = true 
 +        dns_realm_lookup = true 
 +        forwardable = true 
 +        renewable = true 
 + 
 +[realms] 
 + 
 +EXAMPLE.COM = { 
 + kdc = kerberos-1.example.com:88 
 + kdc = kerberos-2.example.com:88 
 + admin_server = kerberos-1.example.com:749 
 +        }</code> 
 +**3.** Verify kadmin, kinit working 
 +<code> 
 +$ kinit krb5userprinc 
 +$ klist 
 +$ kadmin -p krb5adminprinc/admin 
 +</code> 
 +**4.** Add host principal, and extract host principal to /etc/krb5.keytab using kadmin and admin principal: 
 +<code># kadmin -p krb5adminprinc/admin 
 +kadmin: ank -randkey host/fully.qualified.domain.name 
 +kadmin: xst -k /etc/krb5.keytab host/fully.qualified.domain.name 
 +kadmin: quit 
 +</code> 
 + ====== Sources ======
 <!-- If you are copying information from another source, then specify that source --> <!-- If you are copying information from another source, then specify that source -->
-<!-- * Original source: [[http://some.website.org/some/page.html]] -->+* Original source: [[http://arktur.shuttle.de/CD/Testpakete/Kerberos/krb5.html]]
 <!-- Authors are allowed to give credit to themselves! --> <!-- Authors are allowed to give credit to themselves! -->
 <!-- * Originally written by [[wiki:user:xxx | User X]] --> <!-- * Originally written by [[wiki:user:xxx | User X]] -->
-<!-- * Contributions by [[wiki:user:yyy | User Y]] -->+* Contributions by [[wiki:user:jamesaxl | User jamesaxl]]
  
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must remove the tag-word "template" below before saving your new page --> <!-- You must remove the tag-word "template" below before saving your new page -->
-{{tag>howtos template}}+{{tag>howtos network_services kerberizing_slackware_without_pam}}
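Review bot: the rc.krb5 script added in this hunk does not parse as shown: none of `krb5_start`, `krb5_stop` and `krb5_restart` has a closing `}` (the line after `fi`, after `killall krb5kdc kadmind` and after the second `krb5_start` is empty), and the case patterns `'start'`, `'stop'` and `'restart'` lack their closing `)`, so they should read `'start')` and so on, as in the rc.samba it was copied from; if these characters were lost when pasting into the wiki, please re-check the stored page text. Two markup problems in the same hunk: the step 6 block opens `<code>` before the `**6.** Create admin, user principals` heading, so the heading renders inside the code box (move `<code>` below it), and step 3 closes its block twice (`</code> </code>`). In the client krb5.conf, `dns_kdc_lookup` and `dns_realm_lookup` are not MIT krb5 option names; the documented `[libdefaults]` keys are `dns_lookup_kdc` and `dns_lookup_realm`, so as written these two lines are silently ignored and the example will rely on the explicit `kdc =` entries only. In the kdc.conf context lines, `supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5` still lists single-DES types, which are weak, disabled by default in modern MIT releases (`allow_weak_crypto` defaults to false) and removed entirely in krb5 1.18; keep AES only, and note that MIT documents this setting as `supported_enctypes` with `enctype:salttype` entries such as `aes256-cts:normal`. Minor: step 8 already runs `chmod +x /etc/rc.d/rc.krb5`, which makes the reminder in step 9 redundant, and "retrievving" in the client introduction is a typo.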