To use NFSv4 with Kerberos authentication, we need a Kerberos server. Because we may later switch to a Novell Kerberos server, and Novell seems to ship Heimdal, we use Heimdal, on Debian Lenny.
If you wish to use a different Linux distribution, or a different UNIX, there is excellent documentation on the MIT.edu site; you probably want to read the part on installation.
Since the Heimdal and MIT implementations differ in details, I stick first to the Heimdal-specific documentation on the Heimdal site, in particular the part on building and installing, and fall back on the more elaborate MIT docs only where necessary.
Procedure 2.1. Installation of a Kerberos server on Ubuntu Lucid
Note: On Ubuntu, you may have to loosen security a bit and do sudo ufw disable before you proceed. Narrower than disabling the firewall is to allow only the ports the Kerberos services listen on: 88 for the KDC, 464 for kpasswdd and 749 for kadmind (88 and 464 on both TCP and UDP). We are using Debian Lenny, which comes with no iptables rules enabled by default.
Preconfiguring the Heimdal packages
Create a file debconf-kerberos-settings
containing this:
# Kerberos servers for your realm:
krb5-config krb5-config/kerberos_servers string krbserver.mydomain.com
# Default Kerberos version 5 realm:
krb5-config krb5-config/default_realm string MYDOMAIN.COM
# Local realm name:
heimdal-kdc heimdal/realm string MYDOMAIN.COM
# Administrative server for your Kerberos realm:
krb5-config krb5-config/admin_server string krbserver.mydomain.com
# Does DNS contain pointers to your realm's Kerberos Servers?
krb5-config krb5-config/dns_for_default boolean false
# Add locations of default Kerberos servers to /etc/krb5.conf?
krb5-config krb5-config/add_servers boolean true
krbserver.mydomain.com is the hostname of the Kerberos server, the machine we are configuring. We've got only one at this stage, which is to be KDC as well as administration server.
By convention, the Kerberos realm name (MYDOMAIN.COM) is the DNS domain name in upper case.
Now tell debconf about these settings:
apprentice@krbserver:~$ cat debconf-kerberos-settings |sudo debconf-set-selections
apprentice@krbserver:~$
Installing the packages
Warning: On Ubuntu Lucid, bug #579127 causes a hanging
apprentice@krbserver:~$ sudo apt-get install -y heimdal-kdc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
heimdal-clients krb5-config libasn1-8-heimdal libdb4.2 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0 libhx509-3-heimdal
libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-25-heimdal libotp0-heimdal libroken18-heimdal
libsl0-heimdal libwind0-heimdal
Suggested packages:
heimdal-docs heimdal-kcm
The following NEW packages will be installed:
heimdal-clients heimdal-kdc krb5-config libasn1-8-heimdal libdb4.2 libgssapi2-heimdal libhdb9-heimdal libheimntlm0-heimdal libhesiod0
libhx509-3-heimdal libkadm5clnt7-heimdal libkadm5srv8-heimdal libkafs0-heimdal libkdc2-heimdal libkrb5-25-heimdal libotp0-heimdal
libroken18-heimdal libsl0-heimdal libwind0-heimdal
0 upgraded, 19 newly installed, 0 to remove and 0 not upgraded.
Need to get 2306kB of archives.
<snip a lot of Get, Unpacking and Selecting>
Processing triggers for man-db ...
Setting up krb5-config (1.22) ...
Setting up libroken18-heimdal (1.2.dfsg.1-2.1) ...
Setting up libasn1-8-heimdal (1.2.dfsg.1-2.1) ...
Setting up libdb4.2 (4.2.52+dfsg-5) ...
Setting up libwind0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libhx509-3-heimdal (1.2.dfsg.1-2.1) ...
Setting up libkrb5-25-heimdal (1.2.dfsg.1-2.1) ...
Setting up libheimntlm0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libgssapi2-heimdal (1.2.dfsg.1-2.1) ...
Setting up libhdb9-heimdal (1.2.dfsg.1-2.1) ...
Setting up libkadm5clnt7-heimdal (1.2.dfsg.1-2.1) ...
Setting up libkadm5srv8-heimdal (1.2.dfsg.1-2.1) ...
Setting up libhesiod0 (3.0.2-18.3) ...
Setting up libkafs0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libotp0-heimdal (1.2.dfsg.1-2.1) ...
Setting up libsl0-heimdal (1.2.dfsg.1-2.1) ...
Setting up heimdal-clients (1.2.dfsg.1-2.1) ...
Setting up libkdc2-heimdal (1.2.dfsg.1-2.1) ...
Setting up heimdal-kdc (1.2.dfsg.1-2.1) ...
kstash: writing key to `/var/lib/heimdal-kdc/m-key'
Realm max ticket life [unlimited]:Realm max renewable ticket life [unlimited]:Starting Heimdal KDC: heimdal-kdc.
Starting Heimdal password server: kpasswdd.
apprentice@krbserver:~$
Note: Because we preseeded the package, it is not necessary to initialize the
Adding an admin principal
apprentice@krbserver:~$ sudo kadmin -l
kadmin> add apprentice/admin@MYDOMAIN.COM
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
apprentice/admin@MYDOMAIN.COM's Password:
Verifying - apprentice/admin@MYDOMAIN.COM's Password:
kadmin> quit
apprentice@krbserver:~$
Granting admin access to the newly created principal
Fix a small mistake in the kdc.conf
There is a reference to “FILE:/etc/heimdal-kdc/kadmind.acl” in /etc/heimdal-kdc/kdc.conf, which kadmind tries to open literally, prefix included.
We need to strip the prefix (there is a second instance of “FILE:” in that file, which the same command also removes):
apprentice@krbserver:~$ sudo sed -i.bak 's%FILE:%%' /etc/heimdal-kdc/kdc.conf
apprentice@krbserver:~$
Grant all permissions to apprentice/admin
The keyword all grants every kadmind operation. kadmind.acl also accepts narrower rights such as change-password, add, delete, modify, list and get, so reserve all for genuine administrators:
apprentice@krbserver:~$ sudo sh -c "echo 'apprentice/admin@MYDOMAIN.COM all' >> /etc/heimdal-kdc/kadmind.acl"
apprentice@krbserver:~$
Symlink the ACL
The kadmin daemon looks for the ACL file in /var/lib/heimdal-kdc, so we make it show up there as a symlink:
apprentice@krbserver:~$ sudo ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/
apprentice@krbserver:~$
(Re)start the services. kadmind is run from inetd on Debian, hence the first command:
apprentice@krbserver:~$ sudo /etc/init.d/openbsd-inetd start
apprentice@krbserver:~$ sudo /etc/init.d/heimdal-kdc restart
Stopping Heimdal password server: kpasswdd.
Stopping Heimdal KDC: heimdal-kdc.
Starting Heimdal KDC: heimdal-kdc.
Starting Heimdal password server: kpasswdd.
apprentice@krbserver:~$
Creating a Kerberos principal for a user
This time kadmin is run without -l, so it connects to kadmind over the network and authenticates as apprentice/admin, which exercises the ACL entry we just added:
apprentice@krbserver:~$ /usr/sbin/kadmin
kadmin> add joeuser@MYDOMAIN.COM
apprentice/admin@MYDOMAIN.COM's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
joeuser@MYDOMAIN.COM's Password:
Verifying - joeuser@MYDOMAIN.COM's Password:
kadmin> list *
default
joeuser
apprentice/admin
kadmin/admin
kadmin/hprop
krbtgt/MYDOMAIN.COM
kadmin/changepw
changepw/kerberos
kadmin> quit
apprentice@krbserver:~$
Note: This time, we ran
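As an added example (not code from the original page), here are the configuration steps of Procedure 2.1 collected into shell functions that validate their input and can be rerun safely: generating the debconf preseed from a domain name, stripping the FILE: prefixes from kdc.conf, appending to kadmind.acl only when the entry is new and the rights keywords are ones kadmind knows, and listing who holds all. krbserver.mydomain.com, MYDOMAIN.COM and apprentice/admin are the page's placeholders; the function names, the --apply switch and the rights keyword list (taken from kadmind(8) and trimmed to what a Lenny-era Heimdal is assumed to accept) are this example's own.

```shell
#!/bin/sh
# Added example for Procedure 2.1 (not code from the original page):
# the configuration steps as functions that validate their input and can
# be rerun without side effects. krbserver.mydomain.com, MYDOMAIN.COM and
# apprentice/admin are the page's placeholders; the function names and
# the --apply switch are this example's own choices.

# Realm name from a DNS domain: by convention the domain in upper case.
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# The debconf preseed from the page, with host and realm as parameters.
write_preseed() {   # write_preseed FILE KDC_HOST REALM
    cat >"$1" <<EOF
krb5-config krb5-config/kerberos_servers string $2
krb5-config krb5-config/default_realm string $3
heimdal-kdc heimdal/realm string $3
krb5-config krb5-config/admin_server string $2
krb5-config krb5-config/dns_for_default boolean false
krb5-config krb5-config/add_servers boolean true
EOF
}

# kadmind opens the acl_file path literally, so "FILE:" prefixes in
# kdc.conf must go. Keeps a .bak copy; a no-op once nothing is left.
strip_file_prefix() {   # strip_file_prefix KDC_CONF
    grep -q 'FILE:' "$1" || return 0
    sed -i.bak 's%FILE:%%g' "$1"
}

# Rights keywords of kadmind.acl as documented in kadmind(8), possibly
# comma-separated. Assumed set for a Lenny-era Heimdal; extend the case
# pattern if your manual page lists more.
is_valid_rights() {   # is_valid_rights RIGHTS
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -gt 0 ] || return 1
    for _w in "$@"; do
        case $_w in
            all|change-password|cpw|add|delete|modify|list|get) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Append "PRINCIPAL RIGHTS [PATTERN]" to the ACL unless the exact line is
# already there. Rejects unknown rights and realms that are not upper case.
acl_grant() {   # acl_grant ACL_FILE PRINCIPAL RIGHTS [PATTERN]
    _acl=$1 _princ=$2 _rights=$3 _pat=${4:-}
    printf '%s\n' "$_princ" | grep -Eq '^[^@/ ]+(/[^@/ ]+)?@[A-Z0-9.-]+$' ||
        { echo "acl_grant: malformed principal '$_princ'" >&2; return 1; }
    is_valid_rights "$_rights" ||
        { echo "acl_grant: unknown rights '$_rights'" >&2; return 1; }
    _line="$_princ $_rights${_pat:+ $_pat}"
    if [ -f "$_acl" ] && grep -Fxq -- "$_line" "$_acl"; then
        return 0
    fi
    printf '%s\n' "$_line" >>"$_acl"
}

# Audit helper: principals holding "all". Keep this list short.
acl_list_all() {   # acl_list_all ACL_FILE
    awk '$2 == "all" { print $1 }' "$1"
}

# The page's steps in order; run as root with --apply. Creating
# apprentice/admin itself stays interactive (kadmin -l add), as on the page.
main() {
    _realm=$(realm_from_domain mydomain.com)
    write_preseed /root/debconf-kerberos-settings krbserver.mydomain.com "$_realm"
    debconf-set-selections </root/debconf-kerberos-settings
    apt-get install -y heimdal-kdc
    strip_file_prefix /etc/heimdal-kdc/kdc.conf
    acl_grant /etc/heimdal-kdc/kadmind.acl "apprentice/admin@$_realm" all
    ln -sf /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl
    /etc/init.d/openbsd-inetd start
    /etc/init.d/heimdal-kdc restart
    echo "principals with full kadmind rights:"
    acl_list_all /etc/heimdal-kdc/kadmind.acl
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Without --apply nothing is executed, so the file can be sourced and the functions tried against copies of kdc.conf and kadmind.acl before touching /etc. acl_grant refuses a lower-case realm (a common typo that silently produces an entry kadmind never matches) and refuses rights it does not recognise, and acl_list_all is the check to run after every ACL change.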