Chapter 2.  Kerberos

To use NFSv4 with Kerberos authentication, we need a Kerberos server. Because we may later switch to a Novell Kerberos server, and Novell seems to ship Heimdal, we use Heimdal, on Debian Lenny.

If you wish to use a different Linux distribution, or a different UNIX, there is excellent documentation on the MIT.edu site. You probably want to read the part on installation.

But since the Heimdal and MIT implementations differ in details, I fall back on the more elaborate MIT docs if necessary, sticking first to the Heimdal-specific documentation on the Heimdal site, in particular on building and installing.

Procedure 2.1.  Installation of a Kerberos server on Ubuntu Lucid

	Note
	On Ubuntu, you may have to loosen security a bit and do sudo ufw disable before you proceed. We are using Debian Lenny, which comes with no iptables rules enabled by default.

1. Preconfiguring the Heimdal packages

   Create a file debconf-kerberos-settings containing this:

   # Kerberos servers for your realm:
   krb5-config krb5-config/kerberos_servers string krbserver.mydomain.com 
   
   # Default Kerberos version 5 realm:
   krb5-config krb5-config/default_realm string MYDOMAIN.COM 
   
   # Local realm name:
   heimdal-kdc heimdal/realm string MYDOMAIN.COM
   
   # Administrative server for your Kerberos realm:
   krb5-config krb5-config/admin_server string krbserver.mydomain.com 
   
   # Does DNS contain pointers to your realm's Kerberos Servers?
   krb5-config krb5-config/dns_for_default boolean false
   
   # Add locations of default Kerberos servers to /etc/krb5.conf?
   krb5-config krb5-config/add_servers boolean true
   	      

   	This is the hostname of the Kerberos server, the machine we are configuring. We 've got only one at this stage, which is to be KDC as well as Administration server.
   	By convention, the Kerberos domain is identical to the uppercased domain name.

   Now tell debconf about these settings:

   
   
apprentice@krbserver:~$ cat debconf-kerberos-settings |sudo debconf-set-selections
apprentice@krbserver:~$

         

2. Installing the packages

   	Warning
   	On Ubuntu Lucid, bug #579127 causes a hanging debconf, which you will have to kill. After that, doing an uninstall (without purge) and then another install of heimdal-kdc will suffice.

   
   
apprentice@krbserver:~$ sudo apt-get install -y heimdal-kdc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  heimdal-clients krb5-config libasn1-8-heimdal libdb4.2 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0 libhx509-3-heimdal
  libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-25-heimdal libotp0-heimdal libroken18-heimdal
  libsl0-heimdal libwind0-heimdal
Suggested packages:
  heimdal-docs heimdal-kcm
The following NEW packages will be installed:
  heimdal-clients heimdal-kdc krb5-config libasn1-8-heimdal libdb4.2 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0
  libhx509-3-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-25-heimdal libotp0-heimdal
  libroken18-heimdal libsl0-heimdal libwind0-heimdal
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 2306kB of archives.
<snip a lot of Get, Unpacking and Selecting>
Processing triggers for man-db ...
Setting up krb5-config (1.22) ...
Setting up libroken18-heimdal (1.2.dfsg.1-2.1) ...
Setting up libasn1-8-heimdal (1.2.dfsg.1-2.1) ...
Setting up libdb4.2 (4.2.52+dfsg-5) ...
Setting up libwind0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libhx509-3-heimdal (1.2.dfsg.1-2.1) ...
Setting up libkrb5-25-heimdal (1.2.dfsg.1-2.1) ...
Setting up libheimntlm0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libgssapi2-heimdal (1.2.dfsg.1-2.1) ...
Setting up libhdb9-heimdal (1.2.dfsg.1-2.1) ...
Setting up libkadm5clnt7-heimdal (1.2.dfsg.1-2.1) ...
Setting up libkadm5srv8-heimdal (1.2.dfsg.1-2.1) ...
Setting up libhesiod0 (3.0.2-18.3) ...
Setting up libkafs0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libotp0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libsl0-heimdal (1.2.dfsg.1-2.1) ...
Setting up heimdal-clients (1.2.dfsg.1-2.1) ...
Setting up libkdc2-heimdal (1.2.dfsg.1-2.1) ...
Setting up heimdal-kdc (1.2.dfsg.1-2.1) ...
kstash: writing key to `/var/lib/heimdal-kdc/m-key'
Realm max ticket life [unlimited]:Realm max renewable ticket life [unlimited]:Starting Heimdal KDC: heimdal-kdc.
Starting Heimdal password server: kpasswdd.
apprentice@krbserver:~$

         

   	Note
   	Because we preseeded the package, it is not necessary to initialize the realm MYDOMAIN.COM.

3. Adding an admin principal

   
   
apprentice@krbserver:~$ sudo kadmin -l
kadmin> add apprentice/admin@MYDOMAIN.COM
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
apprentice/admin@MYDOMAIN.COM's Password:
Verifying - apprentice/admin@MYDOMAIN.COM's Password:
kadmin> quit
apprentice@krbserver:~$ 

         

4. Granting admin access to the newly created principal

   1. Fix a small mistake in the kdc.conf

      There is a reference to “FILE:/etc/heimdal-kdc/kadmind.acl” in /etc/heimdal-kdc/kdc.conf, which the kadmind tires to open literally. We need to fix that (actually, there is another instance of “FILE:”, which we also fix:

      
          
apprentice@krbserver:~$ sudo sed -i.bak 's%FILE:%%' /etc/heimdal-kdc/kdc.conf
apprentice@krbserver:~$
    
        

   2. Grant all permissions to apprentice/admin

      
          
apprentice@krbserver:~$ sudo sh -c "echo 'apprentice/admin@MYDOMAIN.COM    all' >>  /etc/heimdal-kdc/kadmind.acl"
apprentice@krbserver:~$ 
    
        

   3. Symlink the ACL

      The kadmin daemon looks for the ACL file in /var/lib/heimdal, so we need it to show up there:

      
          
apprentice@krbserver:~$ sudo ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/
apprentice@krbserver:~$
    
        

5. (Re)start the services

   
   
apprentice@krbserver:~$ sudo /etc/init.d/openbsd-inetd start
apprentice@krbserver:~$ sudo /etc/init.d/heimdal-kdc restart
Stopping Heimdal password server: kpasswdd.
Stopping Heimdal KDC: heimdal-kdc.
Starting Heimdal KDC: heimdal-kdc.
Starting Heimdal password server: kpasswdd.
apprentice@krbserver:~$

         

6. Creating a Kerberos principal for a user

   
   
apprentice@krbserver:~$ /usr/sbin/kadmin
kadmin> add joeuser@MYDOMAIN.COM
apprentice/admin@MYDOMAIN.COM's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
joeuser@MYDOMAIN.COM's Password:
Verifying - joeuser@MYDOMAIN.COM's Password:
kadmin> list *
default
joeuser
apprentice/admin
kadmin/admin
kadmin/hprop
krbtgt/MYDOMAIN.COM
kadmin/changepw
changepw/kerberos
kadmin> quit
apprentice@krbserver:~$ 

         

   	Note
   	This time, we ran kadmin without the -l switch, and without sudo, and still it worked. This also goes to show that the kadmind works, at least for the localhost.