Red Hat ENTERPRISE LINUX 3 Reference Manual page 288

270 Chapter 18. Kerberos

pose. Refer to /usr/share/doc/ntp-<version-number>/index.htm for details about how to set up Network Time Protocol servers and http://www.eecis.udel.edu/~ntp for additional information about NTP.

2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which runs the KDC. This machine needs to be very secure — if possible, it should not run any services other than the KDC.

If a graphical user interface is required to administrate Kerberos, install the gnome-kerberos package. It contains krb5, a GUI tool for managing tickets.

3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with the correct domain name — being certain to keep uppercase and lowercase names in the correct format — and by changing the KDC from kerberos.example.com to the name of the Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details about the formats of these files, refer to their respective man pages.

4. Create the database using the kdb5_util utility from a shell prompt:

/usr/kerberos/sbin/kdb5_util create -s

The create command creates the database used to store keys for the Kerberos realm. The -s switch forces creation of a stash file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (krb5kdc) prompts the user for the master server password (which can be used to regenerate the key) every time it starts. The stash file holds the master key in the clear, so it must be readable only by root; anyone who obtains it together with a copy of the database can decrypt every key in the realm.

5. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can get by with a single line:

*/admin@EXAMPLE.COM *

Most users are represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). With this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) are able to wield full power over the realm's Kerberos database.

Once kadmind is started on the server, any user can access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file can modify the database in any way, except for changing their own passwords.

Note
The kadmin utility communicates with the kadmind server over the network, and uses Kerberos to handle authentication. For this reason, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.

Type the following kadmin.local command at the KDC terminal to create the first principal:

/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"

6. Start Kerberos using the following commands:

/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start

7. Add principals for the users using the addprinc command with kadmin. kadmin and kadmin.local are command line interfaces to the KDC. As such, many commands are available after launching the kadmin program. Refer to the kadmin man page for more information.
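The whole procedure above (steps 3 to 6), as an added shell example that is not part of the Red Hat manual: it generates minimal krb5.conf, kdc.conf and kadm5.acl files for a realm while enforcing the uppercase-realm, lowercase-hostname convention, implements the kadm5.acl matching rule the text describes (so you can confirm that joe/admin@EXAMPLE.COM gets full access and joe@EXAMPLE.COM does not), and wraps the kdb5_util, kadmin.local and service commands in a function that checks for the stash file before the services are started. The file templates, the scratch-directory layout, the function names and the simplified two-field ACL parser are this example's own assumptions; the paths under /usr/kerberos and /var/kerberos/krb5kdc are the ones the manual uses.

```shell
#!/bin/sh
# Added example, not part of the Red Hat manual: generates the three realm
# configuration files from steps 3 and 5, enforces the case conventions,
# implements the kadm5.acl matching rule the text describes, and wraps the
# KDC bootstrap commands of steps 4 to 6. The minimal file templates, the
# scratch-directory layout and the function names are this example's own.
set -u

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_names REALM KDC_FQDN: succeed only if the realm is all uppercase and
# the KDC name is an all-lowercase FQDN (Kerberos compares both case-sensitively).
check_names() {
    [ "$1" = "$(to_upper "$1")" ] || return 1
    [ "$2" = "$(to_lower "$2")" ] || return 1
    case $2 in *.*) return 0 ;; *) return 1 ;; esac
}

# write_realm_conf REALM KDC_FQDN OUTDIR: write krb5.conf, kdc.conf and
# kadm5.acl under OUTDIR (OUTDIR=/ on the KDC host installs them for real).
write_realm_conf() {
    realm=$1; kdc=$2; out=$3
    check_names "$realm" "$kdc" || { echo "realm must be UPPERCASE, KDC name lowercase" >&2; return 1; }
    domain=$(to_lower "$realm")                      # EXAMPLE.COM -> example.com
    mkdir -p "$out/etc" "$out/var/kerberos/krb5kdc"
    cat >"$out/etc/krb5.conf" <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 $realm = {
  kdc = $kdc:88
  admin_server = $kdc:749
  default_domain = $domain
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
    cat >"$out/var/kerberos/krb5kdc/kdc.conf" <<EOF
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

[realms]
 $realm = {
  database_name = /var/kerberos/krb5kdc/principal
  key_stash_file = /var/kerberos/krb5kdc/.k5.$realm
 }
EOF
    # Step 5: only principals with the "admin" instance get every privilege.
    printf '*/admin@%s *\n' "$realm" >"$out/var/kerberos/krb5kdc/kadm5.acl"
}

comp_match() { [ "$1" = '*' ] || [ "$1" = "$2" ]; }   # ACL component vs principal component

# acl_allows PRINCIPAL ACLFILE: succeed if a two-field kadm5.acl line
# (principal permissions) matches PRINCIPAL component by component and grants
# all privileges ("*", or its synonym "x"). Target-principal and restriction
# fields are ignored here, a simplification of the real kadmind parser.
acl_allows() {
    princ=$1; acl=$2
    p_user=${princ%%@*}; p_realm=${princ#*@}
    case $p_user in */*) p_inst=${p_user#*/}; p_user=${p_user%%/*} ;; *) p_inst= ;; esac
    while read -r a_princ a_perm _rest; do
        case $a_princ in ''|'#'*) continue ;; esac
        a_user=${a_princ%%@*}; a_realm=${a_princ#*@}
        case $a_user in */*) a_inst=${a_user#*/}; a_user=${a_user%%/*} ;; *) a_inst= ;; esac
        comp_match "$a_user" "$p_user" && comp_match "$a_inst" "$p_inst" &&
            comp_match "$a_realm" "$p_realm" || continue
        case $a_perm in '*'|x) return 0 ;; esac
    done <"$acl"
    return 1
}

# kdc_bootstrap REALM ADMIN: steps 4 to 6 as typed on the KDC host itself.
# Needs root and krb5-server; never run automatically by this script.
kdc_bootstrap() {
    realm=$1; admin=$2
    /usr/kerberos/sbin/kdb5_util create -s || return 1          # -s writes the stash file
    stash=/var/kerberos/krb5kdc/.k5.$realm
    [ -f "$stash" ] || { echo "no stash file; krb5kdc will prompt at every start" >&2; return 1; }
    chmod 600 "$stash"                                            # master key is stored in the clear
    /usr/kerberos/sbin/kadmin.local -q "addprinc $admin/admin@$realm" || return 1
    for svc in krb5kdc kadmin krb524; do /sbin/service "$svc" start || return 1; done
}

# Stand-alone demo: build the files in a scratch directory and exercise the ACL.
demo=${TMPDIR:-/tmp}/krb5-demo.$$
write_realm_conf EXAMPLE.COM kerberos.example.com "$demo"
acl=$demo/var/kerberos/krb5kdc/kadm5.acl
acl_allows joe/admin@EXAMPLE.COM "$acl" && echo "joe/admin@EXAMPLE.COM: full access"
acl_allows joe@EXAMPLE.COM "$acl"       || echo "joe@EXAMPLE.COM: no administrative access"
rm -rf "$demo"
```

Run it as an unprivileged user to inspect the generated files in the scratch directory; on the KDC itself, call write_realm_conf with OUTDIR set to / and then kdc_bootstrap as root. The stash-file check in kdc_bootstrap is the practical test for the step 4 caveat: if .k5.REALM is missing, krb5kdc will stop at a password prompt on every boot, and if it is present but group- or world-readable, the master key is exposed.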