Loading
Centralized Authentication with Kerberos 5, Part I
Kerberos can solve your account administration woes.
This tells you if you need to use special configure options for your site. /usr/local/ is the default installation directory. If you need this software in another directory, use a --prefix=/new/path/to/directory flag in the next step.
5) In almost all cases, the default should be fine:
% ./configure
6) Compile the package with:
% make
I had a problem with one file in the krb5-1.3.4/src/kadmin/testing/util directory, which can be safely ignored. Restart the compilation with % make -i in this case.
7) Check whether everything compiled correctly with:
% make check
8) If everything looks okay, install the package with:
% sudo make install
Never compile code as root. Use root privileges only when necessary, as in these installation steps.
9) You now have MIT Krb5 installed in /usr/local/. Some additional directories need to be created by hand and their permissions set:
% sudo mkdir -p /usr/local/var/krb5kdc % sudo chown root /usr/local/var/krb5kdc % sudo chmod 700 /usr/local/var/krb5kdc
If you really need or want to compile your own PAM module, here are the steps to get a working version of the module shipped by Red Hat. Get the source (see Resources) and upack it with:
% tar zxf pam_krb5-1.3-rc7.tar.gz % cd pam_krb5-1.3-rc7
Your $PATH environment variable has to have the Kerberos distribution of your choice first, in case you have more than one distribution on your computer. For example:
% PATH=/usr/local/bin:$PATH
A Kerberos realm is an administrative domain that has its own Kerberos database. Each Kerberos realm has its own set of Kerberos servers. The name of your realm can be anything, but it should reflect your place in the DNS world. If the new Kerberos realm is for your entire DNS domain example.com, you should give the same name (with all capital letters, this is a Kerberos convention) to your Kerberos realm: EXAMPLE.COM. Or, if your are setting up a new realm for your engineering department in example.com, a realm name of ENG.EXAMPLE.COM could be chosen.
The first step for creating your own realm is to create a /etc/krb5.conf file that contains all the necessary information about this realm. The krb5.conf file needs to be on every computer that wants access to your new Kerberos realm. Here is an example file for the realm EXAMPLE.COM with the KDC and administration servers running on machine kdc.example.com:
[libdefaults]
# determines your default realm name
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
# specifies where the servers are and on
# which ports they listen (88 and 749 are
# the standard ports)
kdc = kdc.example.com:88
admin_server = kdc.example.com:749
}
[domain_realm]
# maps your DNS domain name to your Kerberos
# realm name
.example.com = EXAMPLE.COM
[logging]
# determines where each service should write its
# logging info
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON
The next file, /usr/local/var/krb5kdc/kdc.conf, configures the KDC server. It needs to be on only the computer running the KDC dæmon. Every entry has a reasonable default. Creating an empty file should be sufficient for most cases:
% sudo touch /usr/local/var/krb5kdc/kdc.conf
The following commands need to be executed on the computer that will become your KDC. The command:
% sudo /usr/local/sbin/kdb5_util create -s
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Web & UI Developer (JavaScript & j Query)
- Designing Electronics with Linux
- Dynamic DNS—an Object Lesson in Problem Solving
- Using Salt Stack and Vagrant for Drupal Development
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Nice article, thanks for the
4 hours 40 min ago - I once had a better way I
10 hours 26 min ago - Not only you I too assumed
10 hours 43 min ago - another very interesting
12 hours 36 min ago - Reply to comment | Linux Journal
14 hours 29 min ago - Reply to comment | Linux Journal
21 hours 23 min ago - Reply to comment | Linux Journal
21 hours 40 min ago - Favorite (and easily brute-forced) pw's
23 hours 31 min ago - Have you tried Boxen? It's a
1 day 5 hours ago - seo services in india
1 day 9 hours ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Comments
SSO not working
I have read document and implement it but my SSH not working for SSO like one time auth its asking me passwd again and again any solution ?
/etc/hosts file
Excellent guide.
Here's a tip that might save knuckleheads like me a few hours of stumbling around: None of this works if you don't have /etc/hosts set up properly. I kept getting this error:
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
/etc/hosts MUST contain a line associating the KDC server not with a loopback address (WRONG: "127.0.0.1 kdc.example.com") but with a real IP address available over the network (RIGHT: "128.231.35.98 kdc.example.com"). Ports 88 and 749 must be unfirewalled.
(Since I'm currently out of town and can't fiddle with my router, I'm temporarily assigning KDC to the local address assigned by the router (192.168.2.3), although of course this means I can't access Kerberos over the Internet).
/etc/passwd & /etc/shadow account syncronisation
The second requirement is harder to meet. All account names, UIDs and GIDs have to be the same on all your
computers. This is necessary because each of these accounts becomes a new and independent Kerberos account,
called a principal. You have to go through all your local /etc/passwd files and check whether this requirement is
met. If not, you need to consolidate your accounts. If you want to add Windows or Mac OS X clients to your
Kerberos installation, you need to look at all the accounts on those machines as well.
I assume this only applies to user accounts (ie uid > 1k), it would be an utter pain to have to synchronise system accounts across multiple machines.
Format or /etc/krb5.conf
Running "kdb5_util create -s" gave me the error "Improper format of Kerberos configuration file while initializing Kerberos code" with the example krb5.conf in the article.
Removing all leading whitespace from krb5.conf did the trick.
Thank you btw
Hi,
Hi,
I have read this article. I was wondering is there any second part(s) / continuation of this tutorial? if yes can you provide those tutorial links?
please note my eramil id : massoo@gmail.com , massoo@30gigs.com
regards
shann
pam-krb5 and gksudo
I've been following the directions in this article and the the subsequent articles about centralized authentication and I was delighted to get my kerberos implementation working. But upon further investigation, I realized that although login and sudo works, applications that use gksudo, such as synaptic don't is there a solution for this. I found a few others with this promlem on the internet, but I couldn't find any solutions. Many thanks for your help on this issue, and all of your very informative articles.
gksudo
I have since moved away from sudo and started using .k5user and .k5login in /root/ directory
.k5login allow users in that file access to become root
.k5user allow specified commands to be executed as root or as another user.
enjoy