39.5 Configuring the KDC

This section covers the initial configuration and installation of the KDC, including the creation of an administrative principal. This procedure consists of several steps:

  1. Install the RPMs On a machine designated as the KDC, install special software packages. Use YaST to install the krb5, krb5-server and krb5-client packages.

  2. Adjust the Configuration Files The configuration files /etc/krb5.conf and /var/lib/kerberos/krb5kdc/kdc.conf must be adjusted for your scenario. These files contain all information on the KDC.

  3. Create the Kerberos Database Kerberos keeps a database of all principal identifiers and the secret keys of all principals that need to be authenticated. Refer to Section 39.5.1, Setting Up the Database for details.

  4. Adjust the ACL Files: Add Administrators The Kerberos database on the KDC can be managed remotely. To prevent unauthorized principals from tampering with the database, Kerberos uses access control lists. You must explicitly grant remote access to the administrator principal so that it can manage the database; any principal not listed in the ACL is denied. The Kerberos ACL file is located under /var/lib/kerberos/krb5kdc/kadm5.acl. Refer to Section 39.7, Configuring Remote Kerberos Administration for details.

  5. Adjust the Kerberos Database: Add Administrators You need at least one administrative principal to run and administer Kerberos. This principal must be added before starting the KDC. Refer to Section 39.5.2, Creating a Principal for details.

  6. Start the Kerberos Daemon Once the KDC software is installed and properly configured, start the Kerberos daemon to provide Kerberos service for your realm. Refer to Section 39.5.3, Starting the KDC for details.

  7. Create a Principal for Yourself You need a principal for yourself. Refer to Section 39.5.2, Creating a Principal for details.
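The following script is an added example written for this section; it is not part of the SUSE manual. It writes the three files that steps 2 and 4 refer to (/etc/krb5.conf, kdc.conf and kadm5.acl) for one realm into a staging directory and then checks the two settings that matter most for security: that the ACL grants administrative access only to */admin role principals, and that the stash file is readable by its owner alone. The realm EXAMPLE.COM, the KDC host kdc.example.com, the log file paths, the enctypes and the ticket lifetimes are assumptions chosen for the example; the database, ACL and stash file paths are the ones the manual uses. The create_realm function wraps the kdb5_util and kadmin.local commands from steps 3 and 5 and needs the krb5-server package installed.

```shell
#!/bin/sh
# Added example (not from the SUSE manual): generate the three files a KDC
# needs for one realm and sanity-check the security-relevant settings.
# Assumed: realm EXAMPLE.COM on host kdc.example.com; file locations are the
# ones the manual uses; enctypes, lifetimes and log paths are our choices.

write_kdc_config() {
    realm=$1 kdchost=$2 dir=$3
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')   # EXAMPLE.COM -> example.com
    kdcdir=/var/lib/kerberos/krb5kdc
    mkdir -p "$dir"

    # krb5.conf: what every client and the KDC itself know about the realm.
    # dns_lookup_* are off so that a spoofed DNS answer cannot point clients
    # at a rogue KDC; the KDC address comes from this file only.
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false
    forwardable = true
    clockskew = 300

[realms]
    $realm = {
        kdc = $kdchost
        admin_server = $kdchost
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
EOF

    # kdc.conf: KDC-only settings. key_stash_file is the file that must
    # never go on the backup tape (see 39.5.1).
    cat > "$dir/kdc.conf" <<EOF
[kdcdefaults]
    kdc_ports = 88

[realms]
    $realm = {
        database_name = $kdcdir/principal
        acl_file = $kdcdir/kadm5.acl
        key_stash_file = $kdcdir/.k5.$realm
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts-hmac-sha1-96
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }
EOF

    # kadm5.acl: only */admin role principals may change the database.
    printf '*/admin@%s\t*\n' "$realm" > "$dir/kadm5.acl"
}

# Succeeds only if every entry in the ACL grants to a */admin principal of
# the realm; a bare "*" or a plain user principal makes it fail.
acl_is_restricted() {
    awk -v realm="$2" '
        /^[ \t]*(#|$)/ { next }
        $1 !~ ("^[^/@]+/admin@" realm "$") { bad = 1 }
        END { exit bad }
    ' "$1"
}

# Succeeds only if the stash file is readable by its owner alone
# (mode 0600 or 0400); anyone who can read it can decrypt the database.
stash_is_private() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ] || [ "$mode" = "r--------" ]
}

# Needs the krb5-server package: creates the database and stash file and the
# first administrative principal as in 39.5.1 and 39.5.2 (kadmin.local
# prompts for the password). Not exercised by the self-check below.
create_realm() {
    realm=$1 admin=$2
    kdb5_util create -r "$realm" -s
    kadmin.local -q "addprinc $admin/admin@$realm"
    kadmin.local -q "listprincs"
}

# Usage: sh kdc-setup.sh EXAMPLE.COM kdc.example.com /tmp/kdc-staging
if [ "$#" -ge 3 ]; then
    write_kdc_config "$1" "$2" "$3"
    acl_is_restricted "$3/kadm5.acl" "$1" && echo "ACL restricted to */admin"
fi
```

Run it against a staging directory first, review the generated files, then copy krb5.conf to /etc and kdc.conf and kadm5.acl to /var/lib/kerberos/krb5kdc. After kdb5_util has written the stash file, run stash_is_private on it before the first backup.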

39.5.1 Setting Up the Database

Your next step is to initialize the database where Kerberos keeps all information about principals. Set up the database master key, which is used to protect the database from disclosure, in particular when it is backed up to a tape. The master key is derived from a pass phrase and is stored in a file called the stash file, so you do not need to enter the pass phrase every time the KDC is restarted. Because the stash file is equivalent to the master key, it must be readable by root only. Make sure that you choose a good pass phrase, such as a sentence from a book opened to a random page.

When you make tape backups of the Kerberos database (/var/lib/kerberos/krb5kdc/principal), do not back up the stash file (which is in /var/lib/kerberos/krb5kdc/.k5.EXAMPLE.COM). Otherwise, everyone able to read the tape could also decrypt the database. Therefore, it is also a good idea to keep a copy of the pass phrase in a safe or some other secure location, because you need it to restore your database from backup tape after a crash.

To create the stash file and the database, run:

$> kdb5_util create -r EXAMPLE.COM -s
Initializing database '/var/lib/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:  <= Type the master password.
Re-enter KDC database master key to verify:  <= Type it again.
$>

To verify that the database was created, list its principals with kadmin.local:

$> kadmin.local
kadmin> listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM

This shows that there are now a number of principals in the database. All of these are for internal use by Kerberos.

39.5.2 Creating a Principal

Next, create two Kerberos principals for yourself: one normal principal for your everyday work and one for administrative tasks relating to Kerberos. Assuming your login name is newbie, proceed as follows:

$> kadmin.local

kadmin> ank newbie
newbie@EXAMPLE.COM's Password: <type password here>
Verifying password: <re-type password here>

Next, create another principal named newbie/admin by typing ank newbie/admin at the kadmin prompt. The admin suffixed to your username is a role. Later, use this role when administering the Kerberos database. A user can have several roles for different purposes. A role is not an attribute of the user principal: it is a separate principal with its own password, and it is the principal that kadm5.acl grants administrative access to.

39.5.3 Starting the KDC

Start the KDC daemon and the kadmin daemon. To start the daemons manually, enter rckrb5kdc start and rckadmind start. Also make sure that KDC and kadmind are started by default when the server machine is rebooted with the command insserv krb5kdc and insserv kadmind.