Tuesday, November 27, 2012

SUSE11 Kerberos

To access the KDC in local mode:

kadmin.local

Create the SPN (service principal)
addprinc -randkey HTTP/bpmpsvip.soro.com@SORO.COM

Create the keytab
ktadd -k /tmp/bpmpsvip.kt HTTP/bpmpsvip.soro.com@SORO.COM

Configure the Kerberos config file /etc/krb5.conf

[libdefaults]
        default_realm = SORO.COM
        clockskew = 300
#       default_realm = EXAMPLE.COM

[realms]
SORO.COM = {
        kdc = waskerb.soro.com
        default_domain = soro.com
        admin_server = waskerb
}
#       EXAMPLE.COM = {
#                kdc = kerberos.example.com
#               admin_server = kerberos.example.com
#       }

[logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
[domain_realm]
        .soro.com = SORO.COM

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        clockskew = 300
        external = sshd
        use_shmem = sshd
}
to start kerberos server
service krb5kdc start

to start kerberos admin
service kadmind start

to check log files
tail -f /var/log/krb5/krb5kdc.log

Use kadmin.local to connect to the local database. It does not require any daemon to be started.

Use listprincs to list principals

kadmin.local:  listprincs
HTTP/bpmpsvip.soro.com@SORO.COM
K/M@SORO.COM
bpmspn@SORO.COM
kadmin/admin@SORO.COM
kadmin/changepw@SORO.COM
kadmin/history@SORO.COM
kadmin/waskerb.soro.com@SORO.COM
krbtgt/SORO.COM@SORO.COM
use kadmin to connect to the kerberos server.

You may find that the server rejects the request if you do not come in over the correct interface.

Check the interface by doing a netstat -na | grep 750

udp        0      0 192.168.71.128:750      0.0.0.0:*

This shows that the admin interface is listening on 192.*, but when we ping the hostname waskerb we see it is configured for 127.*

vi /etc/hosts
192.168.71.128  waskerb.soro.com waskerb

check the configuration by accessing the admin database

kadmin -p kadmin/admin@SORO.COM

Type in
listprincs

If you get an error about list-principal privileges, you are not authorised.

To give permissions to your users to do things in the database (be careful) setup the following ACL:
vi /var/lib/kerberos/krb5kdc/kadm5.acl

This privilege gives the ability to list users
kadmin/whalem@SORO.COM ADMCIl

restart the kadmin
service kadmind restart
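As an added example (not from the post), here is a small Python decoder for kadm5.acl entries. It expands the permission letters the way kadm5.acl(5) defines them, lowercase grants and uppercase denies, so the post's ADMCIl line resolves to list-only, and it flags entries that hand out broad rights. The second and third ACL lines in the sample are constructed for contrast.

```python
# Decode MIT Kerberos kadm5.acl entries (added example, not from the post).
# Per kadm5.acl(5): lowercase letters grant, uppercase deny, 'x' or '*' = all.
PRIVS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw", "i": "inquire",
         "l": "list", "s": "setkey", "p": "propagate", "e": "extract-keys"}
ALL_PRIVS = "admcilsp"  # what 'x' and '*' expand to

# Constructed sample ACL: the post's entry plus two hypothetical ones for contrast.
SAMPLE_ACL = """\
# kadm5.acl (constructed sample)
kadmin/whalem@SORO.COM ADMCIl
*/admin@SORO.COM *
helpdesk@SORO.COM ci *@SORO.COM
"""

def decode_perms(perms):
    """Map one permission field to (allowed, denied) sets of privilege names."""
    allowed, denied = set(), set()
    for ch in perms:
        if ch in "x*":
            allowed.update(PRIVS[c] for c in ALL_PRIVS)
        elif ch.lower() in PRIVS:
            (allowed if ch.islower() else denied).add(PRIVS[ch.lower()])
        else:
            raise ValueError(f"unknown privilege letter {ch!r}")
    return allowed, denied

def parse_acl(text):
    """Parse kadm5.acl text into entries, attaching least-privilege warnings."""
    write_privs = {"add", "delete", "modify", "setkey"}
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {line!r}")
        allowed, denied = decode_perms(fields[1])
        entry = {"principal": fields[0], "allowed": allowed, "denied": denied,
                 "target": fields[2] if len(fields) > 2 else None, "warnings": []}
        if "*" in fields[0]:
            entry["warnings"].append("wildcard principal matches many admins")
        if allowed >= {PRIVS[c] for c in ALL_PRIVS}:
            entry["warnings"].append("grants every privilege")
        if allowed & write_privs and entry["target"] is None:
            entry["warnings"].append("write privileges with no target restriction")
        entries.append(entry)
    return entries
```

Running parse_acl(SAMPLE_ACL) resolves the post's entry to allowed={'list'} with add, delete, modify, changepw and inquire denied, and flags the wildcard */admin line.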

more details can be found


Now have a go at kinit to get yourself a ticket!

kinit -p kadmin/whalem@SORO.COM

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/whalem@SORO.COM

Valid starting     Expires            Service principal
11/27/12 19:02:15  11/28/12 05:02:15  krbtgt/SORO.COM@SORO.COM
renew until 11/28/12 19:02:15


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Now get a service ticket for a particular service!
kinit -S HTTP/bpmpsvip.soro.com@SORO.COM -p kadmin/whalem@SORO.COM

waskerb:/ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kadmin/whalem@SORO.COM

Valid starting     Expires            Service principal
11/27/12 19:09:49  11/28/12 05:09:49  HTTP/bpmpsvip.soro.com@SORO.COM
renew until 11/28/12 19:09:49


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached






