Manually Configuring Kerberos Clients - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 04-08-2006 Installation Manual

role when administering the Kerberos database. A user can have several roles for different
purposes. Roles are basically completely different accounts with similar names.
47.4.4 Starting the KDC
Start the KDC daemon and the kadmin daemon. To start the daemons manually, enter
rckrb5kdc start and rckadmind start. To make sure that the KDC and kadmind
are also started by default when the server machine is rebooted, enter
insserv krb5kdc and insserv kadmind.
47.5 Manually Configuring Kerberos Clients
When configuring Kerberos, there are basically two approaches you can take: static
configuration in the /etc/krb5.conf file or dynamic configuration with DNS.
With DNS configuration, Kerberos applications try to locate the KDC services using
DNS records. With static configuration, add the hostnames of your KDC server to
krb5.conf (and update the file whenever you move the KDC or reconfigure your realm
in other ways).
DNS-based configuration is generally much more flexible and requires much less
configuration work per machine. However, it requires that your realm name is either the
same as your DNS domain or a subdomain of it. Configuring Kerberos via DNS also
creates a minor security issue: an attacker can seriously disrupt your infrastructure
through your DNS (by shooting down the name server, spoofing DNS records, etc.).
However, this amounts to a denial of service at most. A similar scenario applies to the
static configuration case unless you enter IP addresses in krb5.conf instead of
hostnames.
47.5.1 Static Configuration
One way to configure Kerberos is to edit the configuration file /etc/krb5.conf.
The file installed by default contains various sample entries. Erase all of these entries
before starting. krb5.conf is made up of several sections, each introduced by the
section name enclosed in brackets like [this].
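The following check is an added example, not part of the original manual. It reads the bracketed sections of a krb5.conf and reports every entry that still depends on name resolution, which is the case the text above distinguishes from entering IP addresses. The sample file, realm, hostnames, address, and the function names is_ip and audit are constructed for illustration; dns_lookup_kdc and dns_lookup_realm are MIT Kerberos [libdefaults] settings that this page does not name, so treat their use here as an assumption about your Kerberos implementation.

```python
import ipaddress

# Constructed sample krb5.conf; realm, hostnames and address are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = 192.0.2.10:88
        admin_server = kdc1.example.com
    }
"""
DNS_KEYS = ("dns_lookup_kdc", "dns_lookup_realm")  # assumed: MIT Kerberos names
TRUE_VALUES = {"y", "yes", "t", "true", "on", "1"}

def is_ip(value):
    """True for an IPv4/IPv6 literal, optionally written host:port or [v6]:port."""
    host = value.strip()
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def audit(text):
    """Return (section, key, value, reason) for each name-resolution dependency."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("["):              # section name in brackets, like [this]
            section = line.strip("[]")
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "realms" and key in ("kdc", "admin_server") and not is_ip(value):
            findings.append((section, key, value, "hostname, resolved at run time"))
        if section == "libdefaults" and key in DNS_KEYS and value.lower() in TRUE_VALUES:
            findings.append((section, key, value, "located through DNS records"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```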