Kerberos is a network authentication system based on the principle of a trusted third party, the other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to Single Sign On (SSO).
If you are new to Kerberos, there are a few terms worth understanding before setting up a Kerberos server. Most of them relate to things you may already be familiar with from other environments:
To put the pieces together: a Realm has at least one KDC (preferably two for redundancy), which holds a database of Principals. When a user principal logs into a workstation configured for Kerberos authentication and the supplied credentials match, the KDC issues a Ticket Granting Ticket (TGT); the user is then authenticated and can request tickets for Kerberized services from the Ticket Granting Server (TGS). These service tickets let the user authenticate to the service without entering a username and password again.
The first step in installing a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:
bash$ sudo aptitude install krb5-kdc krb5-admin-server
At the end of the install you will be asked to supply the names of the Kerberos and Admin servers for the realm, which may or may not be the same server. Next, create the new realm with the krb5_newrealm utility:
bash$ sudo krb5_newrealm
The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon. The sample /etc/krb5.conf is shown below:
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = _SERVER_NAME_
        admin_server = _SERVER_NAME_
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
Make the directory /var/log/kerberos since it doesn't exist by default.
kadmin.local is a command intended to be run only on the administration server. It does not connect using the Kerberos protocol; instead, it opens the Kerberos database directly on the local filesystem and can act as any principal it chooses. As one would guess, this only works for the system administrator, who has sufficient privileges to open the database files on the local Unix filesystem. kadmin does the same job, but over the network: it uses the Kerberos protocol to connect and requires the account password as part of the routine.
Take a look at the /etc/krb5kdc/kadm5.acl file. It defines which principals may administer the Kerberos database, and with what rights. For users with no special privileges, no action is required. For admin users, however, we want to grant all privileges. To do this, make sure the following line is present in the file and enabled (that is, without the comment '#' character at the beginning):
*/admin@EXAMPLE.COM *
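Because that line grants every right in the realm, it is worth checking that nothing else in kadm5.acl does the same. The script below is an added example, not part of the original guide: it lists every principal pattern granted full privilege ("*" or its alias "x") other than the */admin instance, taking the ACL path and realm name as parameters and using constructed sample ACL files.

```shell
#!/bin/sh
# Added example (not from the original guide). Entries in kadm5.acl have the
# form: principal permissions [target_principal [restrictions]]
# "*" and "x" both mean all administrative privileges.

# Print each principal pattern that holds full privilege and is not the
# realm's */admin instance. Empty output means the ACL is as restricted
# as the guide intends.
kadm5_acl_overbroad() {
    acl_file="$1"
    realm="$2"
    # Drop comments and blank lines before reading the fields.
    sed -e 's/#.*//' "$acl_file" | while read -r princ perms _rest; do
        [ -z "$princ" ] && continue
        case "$perms" in
            '*'|x)
                [ "$princ" = "*/admin@$realm" ] || printf '%s\n' "$princ"
                ;;
        esac
    done
}

# Succeed (exit 0) only when no over-broad full-privilege entry exists.
kadm5_acl_ok() {
    [ -z "$(kadm5_acl_overbroad "$1" "$2")" ]
}

# Constructed sample ACLs for demonstration; "bob" holds full rights via "x".
SAMPLE_ACL="$(mktemp)"
GOOD_ACL="$(mktemp)"
trap 'rm -f "$SAMPLE_ACL" "$GOOD_ACL"' EXIT
cat > "$SAMPLE_ACL" <<'EOF'
# kadm5.acl (constructed sample)
*/admin@EXAMPLE.COM *
alice@EXAMPLE.COM   l
bob@EXAMPLE.COM     x
EOF
printf '%s\n' '*/admin@EXAMPLE.COM *' 'alice@EXAMPLE.COM l' > "$GOOD_ACL"

# Usage: report over-broad entries in the sample file.
kadm5_acl_overbroad "$SAMPLE_ACL" EXAMPLE.COM
```

Run it against /etc/krb5kdc/kadm5.acl with your own realm name after editing the file; any principal it prints holds the same rights as */admin.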