Differences

This shows you the differences between two versions of the page.

howtos:network_services:kerberizing_slackware_without_pam [2015/11/28 00:17 (UTC)]
jamesaxl created
howtos:network_services:kerberizing_slackware_without_pam [2015/11/28 03:46 (UTC)] (current)
jamesaxl
Line 6: Line 6:
   - Install krb (you can download and build it from http://​slackbuilds.org/​repository/​14.1/​network/​krb5/​)   - Install krb (you can download and build it from http://​slackbuilds.org/​repository/​14.1/​network/​krb5/​)
   - Configure /​etc/​krb5.conf,​ /​var/​krb5kdc/​kdc.conf and /​var/​krb5kdc/​kadm5.acl . These files are examples which you should adjust after reading the Kerberos documentation.   - Configure /​etc/​krb5.conf,​ /​var/​krb5kdc/​kdc.conf and /​var/​krb5kdc/​kadm5.acl . These files are examples which you should adjust after reading the Kerberos documentation.
- **krb5.conf**<​code>​+**krb5.conf**<​code>​
  ​[domain_realm]  ​[domain_realm]
         example.com = EXAMPLE.COM         example.com = EXAMPLE.COM
Line 40: Line 40:
                 max_renewable_life = 7d 0h 0m 0s                 max_renewable_life = 7d 0h 0m 0s
                 supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5                 supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5
-        }+        }</​code>​ 
 + 
 +**kadm5.acl** 
 +<​code>​ 
 +krb5adminprinc/​admin ​  ​*</​code>​ 
 + 
 +**3. ** Create DataBase 
 +<​code>​ 
 +/​usr/​kerberos/​sbin/​kdb5_util create -r EXAMPLE.COM -s
 </​code>​ </​code>​
 +**4.** Extract the admin server keys to /​var/​krb5kdc/​kadm5.keytab.
 +<​code>/​usr/​kerberos/​sbin/​kadmin.local
 +kadmin.local:​ xst -k /​var/​krb5kdc/​kadm5.keytab kadmin/​admin kadmin/​changepw
 +</​code>​
 +**5.** Create host and other principals; extract to /​etc/​krb5.keytab
 +<​code>​
 +kadmin.local:​ ank -randkey host/​fully.qualified.domain.name
 +kadmin.local:​ xst -k /​etc/​krb5.keytab host/​fully.qualified.domain.name
 +</​code>​
 +<​code>​
 +**6.** Create admin, user principals
 +kadmin.local:​ ank krb5adminprinc/​admin
 +kadmin.local:​ ank krb5userprinc
 +kadmin.local:​ quit
 +</​code>​
 +**7.** Create startup script /​etc/​rc.d/​rc.krb5
 +<note important>​rc.krb5 - shamelessly ripped off from rc.samba from Slackware 13.0</​note>​
 +<​code>​
 +#!/bin/sh
 +#
 +# /​etc/​rc.d/​rc.krb5
 +#
 +# Start/​stop/​restart the MIT Kerberos V KDC
 +#
 +# To make Kerberos start automatically at boot, make this
 +# file executable: ​ chmod 755 /​etc/​rc.d/​rc.krb5
 +#
  
-====== Sources ======+krb5_start() { 
 +  if [ -x /​usr/​kerberos/​sbin/​krb5kdc -a -x /​usr/​kerberos/​sbin/​kadmind -a -r /​etc/​krb5.conf -a -r /​var/​krb5kdc/​kdc.conf ]; then 
 +    echo "​Starting Kerberos: ​ /​usr/​kerberos/​sbin/​krb5kdc"​ 
 +    /​usr/​kerberos/​sbin/​krb5kdc 
 +    echo " ​                /​usr/​kerberos/​sbin/​kadmind"​ 
 +    /​usr/​kerberos/​sbin/​kadmind 
 +  fi 
 +
 + 
 +krb5_stop() { 
 +  killall krb5kdc kadmind 
 +
 + 
 +krb5_restart() { 
 +  krb5_stop 
 +  sleep 2 
 +  krb5_start 
 +
 + 
 +case "​$1"​ in 
 +'​start'​) 
 +  krb5_start 
 +  ;; 
 +'​stop'​) 
 +  krb5_stop 
 +  ;; 
 +'​restart'​) 
 +  krb5_restart 
 +  ;; 
 +*) 
 +  # Default is "​start",​ for backwards compatibility with previous 
 +  # Slackware versions. ​ This may change to a '​usage'​ error someday. 
 +  krb5_start 
 +esac 
 +</​code>​ 
 +**8.** Start KDC daemons: 
 +<​code>​ 
 +# chmod +x /​etc/​rc.d/​rc.krb5 
 +# /​etc/​rc.d/​rc.krb5 start 
 +</​code>​ 
 +**9.** Remember to make the rc.krb5 script executable if you want the KDC to start automatically at boot. 
 +Verify connectivity to KDC with kadmin, kinit: 
 +<​code>​ 
 +$ kinit krb5userprinc 
 +$ klist 
 +$ kadmin -p krb5adminprinc/​admin 
 +</​code>​ 
 +==== The Client ==== 
 + 
 +This procedure will result in a client capable of retrievving Kerberos tickets from a KDC and allow Kerberos principals to login at the console. Successful console login by a principal will generate tickets in the user's cache. Failed login by a principal (because the principal doesn'​t exist, or the wrong password was supplied) should fall through to local authentications (/​etc/​shadow). Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP. 
 + 
 +**1.** Install krb5 always http://​slackbuilds.org/​repository/​14.1/​network/​krb5/​ :-). 
 +**2.** Setup /​etc/​krb5.conf:​ 
 +**krb5.conf** 
 +<​code>​ 
 +[domain_realm] 
 +        example.com = EXAMPLE.COM 
 +        .example.com = EXAMPLE.COM 
 + 
 +[libdefaults] 
 +        default_realm = EXAMPLE.COM 
 +        dns_kdc_lookup = true 
 +        dns_realm_lookup = true 
 +        forwardable = true 
 +        renewable = true 
 + 
 +[realms] 
 + 
 +EXAMPLE.COM = { 
 + kdc = kerberos-1.example.com:​88 
 + kdc = kerberos-2.example.com:​88 
 + admin_server = kerberos-1.example.com:​749 
 +        }</​code>​ 
 +**3.** Verify kadmin, kinit working 
 +<​code>​ 
 +$ kinit krb5userprinc 
 +$ klist 
 +$ kadmin -p krb5adminprinc/​admin 
 +</​code>​ 
 +**4.** Add host principal, and extract host principal to /​etc/​krb5.keytab using kadmin and admin principal:​ 
 +<​code>#​ kadmin -p krb5adminprinc/​admin 
 +kadmin: ank -randkey host/​fully.qualified.domain.name 
 +kadmin: xst -k /​etc/​krb5.keytab host/​fully.qualified.domain.name 
 +kadmin: quit 
 +</​code>​ 
 + ====== Sources ======
 <!-- If you are copying information from another source, then specify that source --> <!-- If you are copying information from another source, then specify that source -->
-<​!-- ​* Original source: [[http://some.website.org/some/page.html]] ​-->+* Original source: [[http://arktur.shuttle.de/CD/Testpakete/​Kerberos/​krb5.html]]
 <!-- Authors are allowed to give credit to themselves! --> <!-- Authors are allowed to give credit to themselves! -->
 <!-- * Originally written by [[wiki:​user:​xxx | User X]] --> <!-- * Originally written by [[wiki:​user:​xxx | User X]] -->
-<​!-- ​* Contributions by [[wiki:​user:​yyy | User Y]] -->+* Contributions by [[wiki:​user:​jamesaxl ​| User jamesaxl]]
  
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must remove the tag-word "​template"​ below before saving your new page --> <!-- You must remove the tag-word "​template"​ below before saving your new page -->
-{{tag>​howtos ​template}}+{{tag>​howtos ​network_services kerberizing_slackware_without_pam}}
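Review bot: the kdc.conf fragment at the top of this hunk keeps `supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5`, which still offers two single-DES enctypes; DES is broken and MIT Kerberos has refused weak enctypes by default since release 1.8 (they only work with `allow_weak_crypto = true`), so trim the list to AES, e.g. `supported_enctypes = aes256-cts aes128-cts` (note that kdc.conf(5) spells the realm option `supported_enctypes`). In the client krb5.conf, `dns_kdc_lookup` and `dns_realm_lookup` are not MIT option names (the real keys are `dns_lookup_kdc` and `dns_lookup_realm`) and are silently ignored; since the `[realms]` block already lists both KDCs and the admin server, the two lines can simply be dropped, which also avoids trusting DNS for realm mapping. In the rc.krb5 script, `krb5_start`, `krb5_stop` and `krb5_restart` are each shown without a closing `}` (the bare `+` lines after `fi`, `killall krb5kdc kadmind` and `krb5_start`), so the script as rendered will not parse, and the `<code>` fence placed before `**6.** Create admin, user principals` swallows the step heading into the code block. After the `xst -k /etc/krb5.keytab` steps it is also worth stating that the keytab must be readable by root only (`chmod 600 /etc/krb5.keytab`), since whoever can read it holds the host's long-term key.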
