SettingUpKerberosOnLinux
Making kerberos work under Linux isn't difficult, but the process can be confusing if you don't understand the purpose of each step, so read carefully.
For the moment, these instructions are written for someone with a working knowledge of unix/linux.
If you aren't sure that you know what you're doing, ask for help. We'll try to make these instructions easier to understand in the future.
NOTE: for the moment, some of the miscellaneous files dealing with kerberos/sidecar are available from the northstar website (http://northstar-www.dartmouth.edu/~qubit/sidecar/).
overview
- Install the programs for requesting/handling kerberos tickets
- configure some domain-specific files
- (instructions on how to use the three tools kinit, klist, and kdestroy)
- (troubleshoot -- if necessary)
Install binaries for your system
- Get the appropriate rpm or .deb package for the kerberos5 client applications.
- (Specifically, we want a package that installs kinit, kdestroy, and klist.)
- The name of the redhat rpm I installed is krb5-workstation, and the debian package is krb5-user.
It is possible to compile from source, and if you're trying to get kerberos to work on the
SharpZaurus or a random Unix OS, that may be your only method.
If you are asked about domain names and such during the installation of the kerberos5 packages, you can just enter blank values (or the default values).
We're using the kerberos5 packages because they are widely available for a variety of OSes and easy to install. Unfortunately, Dartmouth has not yet migrated to kerberos5, so we will be configuring the tools to work with kerberos4 by hand.
configure the kerberos setup
Type ls /etc/krb*, and you should see something like this:
/etc/krb5.conf /etc/krb.conf /etc/krb.conf.rpmnew /etc/krb.realms
We just need to configure krb.conf. krb5.conf and krb.conf.rpmnew belong to the kerberos5 side, and krb.realms (the kerberos4 file that maps hostnames to realms) doesn't need changes for what we're doing here.
If you open up the file and look at the first few lines, you should see something like this:
SICS.SE kerberos.sics.se admin server
NADA.KTH.SE kerberos.nada.kth.se admin server
NADA.KTH.SE sysman.nada.kth.se
NADA.KTH.SE server.nada.kth.se
ADMIN.KTH.SE ulysses.admin.kth.se admin server
ADMIN.KTH.SE graziano.admin.kth.se
ADMIN.KTH.SE montano.admin.kth.se
BION.KTH.SE chaplin.bion.kth.se admin server
You may not see a /etc/krb.conf file, in which case you can just create one (and put in the appropriate lines for dartmouth as listed below).
The file krb.conf is an index of kerberos servers for different kerberos realms. Its first line names the local (default) realm; each following line is a realm name, a server for that realm (optionally with :port), and optionally the words "admin server".
But we want to use the DARTMOUTH.EDU realm (well, that's what I'm assuming! :)
Here are the appropriate lines for Dartmouth:
DARTMOUTH.EDU
DARTMOUTH.EDU kerberos.dartmouth.edu:750 admin server
Put those at the top of the file, not the bottom (the first line is the default realm that kinit uses when you don't name one), so that the final result looks something like:
DARTMOUTH.EDU
DARTMOUTH.EDU kerberos.dartmouth.edu:750 admin server
SICS.SE kerberos.sics.se admin server
NADA.KTH.SE kerberos.nada.kth.se admin server
NADA.KTH.SE sysman.nada.kth.se
NADA.KTH.SE server.nada.kth.se
ADMIN.KTH.SE ulysses.admin.kth.se admin server
ADMIN.KTH.SE graziano.admin.kth.se
ADMIN.KTH.SE montano.admin.kth.se
SUPERUSER NOTES:
- kerberos.dartmouth.edu is the kerberos server for the Dartmouth kerberos realm
- theoretically you could have more than one kerberos server, so we indicate that kerberos.dartmouth.edu is the admin server (the admin server is the one that handles administrative requests such as password changes; any listed server can hand out tickets)
- by indicating the port number 750 explicitly here, we avoid possible problems with port numbers in /etc/services: an explicit host:port in krb.conf overrides whatever the kerberos entries in /etc/services say
Okay, now let's take a look at /etc/services.
If you installed an rpm or .deb package to get the basic kerberos commands, you probably had a number of ports added to this file for kerberos.
:::To Be Tested::: I'm not sure if you can just leave the default install of the ports alone (I believe that you can). Otherwise, here is the list of all kerberos ports (from one of my linux boxes):
# in order to get sidecar working, should these be set to kerberos v4 ?
# (see 'local' ports below for more information)
# (turn these k5 ports off..)
#kerberos 88/tcp kerberos5 krb5 # Kerberos v5
#kerberos 88/udp kerberos5 krb5 # Kerberos v5
..
..
# need these guys for sidecar to work properly
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
kerberos-iv 750/udp kerberos4 kerberos-sec kdc
kerberos-iv 750/tcp kerberos4 kerberos-sec kdc
..
..
#
# Kerberos (Project Athena/MIT) services
# Note that these are for Kerberos v4, and are unregistered/unofficial. Sites
# running v4 should uncomment these and comment out the v5 entries above.
#
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
passwd_server 752/udp # Kerberos passwd server
krbupdate 760/tcp kreg # Kerberos registration
kpop 1109/tcp # Pop with Kerberos
knetd 2053/tcp # Kerberos de-multiplexor
..
..
#
# Kerberos 5 services, also not registered with IANA
#
krb5_prop 754/tcp # Kerberos slave propagation
eklogin 2105/tcp # Kerberos encrypted rlogin
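To check the two files against each other before you run kinit, here is a small sh script. It is an added example, not part of the original page or of sidecar, and it works on constructed copies of the krb.conf and /etc/services snippets above rather than on the real system files, so it runs anywhere. The fallback order it uses when krb.conf gives no port (kerberos-iv, then kerberos, then 750) is an assumption made for the example; it is chosen to reproduce the situation described in the troubleshooting section, where a v4 kinit ends up on the v5 port 88.

```shell
#!/bin/sh
# Added example: check a krb.conf-style realm list against an
# /etc/services-style port table for the Kerberos 4 setup described above.
# The inputs are constructed copies of the snippets on this page, not the
# real system files, so the script runs offline.

# krb_realm_servers REALM CONF_TEXT
# Print "host[:port] [admin server]" for every server line of REALM.
# The one-word line naming the default realm is skipped (NF < 2).
krb_realm_servers() {
    printf '%s\n' "$2" | awk -v r="$1" '
        $1 == r && NF >= 2 {
            line = $2
            for (i = 3; i <= NF; i++) line = line " " $i
            print line
        }'
}

# services_port NAME PROTO SERVICES_TEXT
# Port of NAME/PROTO from services-style text, matching aliases the way
# getservbyname() does and ignoring commented-out lines. Prints nothing
# when the service is absent (or commented out, as the v4 entries often are).
services_port() {
    printf '%s\n' "$3" | awk -v n="$1" -v p="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            split($2, pp, "/")
            if (pp[2] != p) next
            if ($1 == n) { print pp[1]; exit }
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i == n) { print pp[1]; exit }
            }
        }'
}

# kdc_port HOSTSPEC SERVICES_TEXT
# Port a v4 kinit would contact HOSTSPEC on. An explicit "host:port" wins,
# which is why krb.conf above says kerberos.dartmouth.edu:750. Otherwise
# fall back to kerberos-iv, then kerberos, then the v4 default 750.
# ASSUMPTION: this fallback order is a model for the example; a given
# client library may differ.
kdc_port() {
    case "$1" in
        *:*) printf '%s\n' "${1##*:}"; return 0 ;;
    esac
    port=$(services_port kerberos-iv udp "$2")
    [ -n "$port" ] || port=$(services_port kerberos udp "$2")
    [ -n "$port" ] || port=750
    printf '%s\n' "$port"
}

# check_v4_setup REALM CONF_TEXT SERVICES_TEXT
# One line per listed KDC; returns non-zero if any would be contacted on
# port 88 (the v5 port), the situation behind "Retry count exceeded".
check_v4_setup() {
    report=$(krb_realm_servers "$1" "$2" | while read -r host rest; do
        port=$(kdc_port "$host" "$3")
        if [ "$port" = 88 ]; then
            echo "WARN $host -> port 88 (v5) for v4 realm $1: add :750 in krb.conf"
        else
            echo "OK   $host -> port $port ${rest:+[$rest]}"
        fi
    done)
    [ -n "$report" ] || { echo "no server listed for realm $1"; return 1; }
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^WARN'
}

# Constructed sample inputs (copies of the snippets on this page).
SAMPLE_KRB_CONF='DARTMOUTH.EDU
DARTMOUTH.EDU kerberos.dartmouth.edu:750 admin server
SICS.SE kerberos.sics.se admin server'

# A stock kerberos5 package: v5 on 88 live, v4 entries commented out.
SAMPLE_SERVICES_V5='kerberos 88/tcp kerberos5 krb5
kerberos 88/udp kerberos5 krb5
#kerberos-iv 750/udp kerberos4 kerberos-sec kdc
#kerberos-iv 750/tcp kerberos4 kerberos-sec kdc'

# The same file after the v4 entries have been turned on and v5 off.
SAMPLE_SERVICES_V4='#kerberos 88/udp kerberos5 krb5
kerberos-iv 750/udp kerberos4 kerberos-sec kdc
kerberos-iv 750/tcp kerberos4 kerberos-sec kdc'

check_v4_setup DARTMOUTH.EDU "$SAMPLE_KRB_CONF" "$SAMPLE_SERVICES_V5"
```

Point the three functions at the real files with `"$(cat /etc/krb.conf)"` and `"$(cat /etc/services)"` to check a live box; the explicit :750 in krb.conf is what makes the check pass even when /etc/services still has only the v5 entries active.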
Try to get a ticket
To get a ticket from the kerberos.dartmouth.edu server, run kinit like this:
> kinit -4 "Jay R Hacker"
That's "Jay R Hacker", not "Jay R. Hacker". Periods should NOT be included when typing in the DND name. (AlexFerguson)
If you don't want to type in your full DND name, try kclient instead (see the section below).
Did I get a ticket?
Try the command klist: it should give you a list of the kerberos5 and kerberos4 tickets that you currently hold.
If you see something like:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1002)
Kerberos 4 ticket cache: /tmp/tkt1402
Principal: Jay R Hacker@DARTMOUTH.EDU
Issued Expires Principal
11/07/02 19:27:20 11/08/02 05:27:20 krbtgt.DARTMOUTH.EDU@DARTMOUTH.EDU
then you've been successful! (The first line only says that you hold no kerberos5 tickets, which is expected here; the kerberos4 cache with the krbtgt entry is what matters. Note the Expires column: the ticket in this example is good for 10 hours, after which you need to run kinit again.)
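A login script usually wants to know whether the cached ticket is still usable before prompting for a password again. The sh functions below do that from klist output; they are an added example, not code from the original page or from the kclient scripts, and the klist text they are run against is a constructed copy of the sample output above rather than a live cache. The get_ticket_if_needed wrapper calls the real klist and kinit and is only illustrative here.

```shell
#!/bin/sh
# Added example: decide from klist output whether a usable Kerberos 4 TGT
# is cached, so a login script can skip the password prompt. The klist text
# below is a constructed copy of the sample output above, not a live cache.

# krb4_tgt_expiry REALM KLIST_TEXT
# Print the "MM/DD/YY HH:MM:SS" expiry of the v4 ticket-granting ticket
# for REALM (the krbtgt.REALM@REALM line); print nothing if none is listed.
krb4_tgt_expiry() {
    printf '%s\n' "$2" | awk -v r="$1" '
        $5 == ("krbtgt." r "@" r) { print $3 " " $4; exit }'
}

# ts_key "MM/DD/YY HH:MM:SS" -> YYMMDDHHMMSS, a zero-padded number that
# orders the same way as the timestamp. Assumes both stamps share a
# century, which is all the two-digit years klist prints allow.
ts_key() {
    printf '%s\n' "$1" | awk -F '[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# krb4_tgt_valid REALM KLIST_TEXT NOW
# Succeed only if a TGT for REALM is listed and expires after NOW, where
# NOW is given in the same form klist prints (date '+%m/%d/%y %H:%M:%S').
krb4_tgt_valid() {
    exp=$(krb4_tgt_expiry "$1" "$2")
    [ -n "$exp" ] || return 1
    [ "$(ts_key "$exp")" -gt "$(ts_key "$3")" ]
}

# get_ticket_if_needed REALM "DND name"
# Profile-script wrapper around the real tools: prompts via kinit -4 only
# when no valid v4 TGT is cached. Not exercised offline.
get_ticket_if_needed() {
    cache=$(klist 2>/dev/null)
    now=$(date '+%m/%d/%y %H:%M:%S')
    if krb4_tgt_valid "$1" "$cache" "$now"; then
        echo "valid $1 ticket already cached, expires $(krb4_tgt_expiry "$1" "$cache")"
    else
        kinit -4 "$2"
    fi
}

# Constructed sample, copied from the klist output shown above.
SAMPLE_KLIST='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1002)
Kerberos 4 ticket cache: /tmp/tkt1402
Principal: Jay R Hacker@DARTMOUTH.EDU
Issued Expires Principal
11/07/02 19:27:20 11/08/02 05:27:20 krbtgt.DARTMOUTH.EDU@DARTMOUTH.EDU'

krb4_tgt_valid DARTMOUTH.EDU "$SAMPLE_KLIST" "11/07/02 23:00:00" && echo "ticket still good at 23:00 on 11/07/02"
```

The check deliberately keys on the krbtgt entry rather than on the cache file existing: a stale /tmp/tkt file from yesterday still makes klist print a cache header, but the expired TGT in it will not get you a service ticket.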
If you're having problems, and perhaps get an error like:
> kinit -4 "Tux E Herring"
Password for Tux E Herring@DARTMOUTH.EDU:
kinit(v4): Retry count exceeded (send_to_kdc)
>
...that might indicate that you're not connecting to the right realm, server, or port number.
If you're ambitious, just run strace on kinit to see what's going on. (On a debian box of mine, strace revealed that 'kinit -4' was still trying to connect to the kerberos5 port, #88.) strace is a very useful command! :)
How do I get rid of my ticket? -- I'm on a public machine...
Don't forget that SidecarForLinux can deal with multi-user machines correctly. You have to trust whoever has root on the machine (but you're already doing that when you run kinit), but except for the superuser, no other person can authenticate themselves using your kerberos ticket: the ticket cache file (/tmp/tkt<uid>, the /tmp/tkt1402 in the klist output above) is created readable and writable only by you.
That aside, if you want to get rid of your ticket, just type kdestroy. Do it before you walk away from a shared machine: a ticket left in /tmp stays usable by anyone who gets hold of your login session (or by root) until it expires.
Example:
> kdestroy
kdestroy: No credentials cache found while destroying cache
Kerberos 4 ticket cache destroyed.
>
Some useful scripts
There have been a few different kclient scripts. All of them automate, to some degree, the process of getting a kerberos ticket from the DND.
If you unpack the kclient.tar (found on my northstar AFS space), you'll find the files kclient and DND.pm.
Try putting kclient into /usr/local/bin, and DND.pm into /usr/lib/perl5/5.6.1/ (basically it needs to be somewhere in the Perl include path so that the kclient script knows where to find it).
Usage is:
> kclient <DND name or nickname>
This tool is really nice, because you don't have to enter in your full DND name.
Nice GUI interface
Ummm. We're working on that. There is a gnome-kerberos package that has a GUI tool for kerberos5, but it's not at all like what we have on the mac/windows side. Hopefully we'll have something (at least in beta) by the end of 2002.
UPDATE: okay, so we don't have any GUI interface yet. We might continue working on the kerberos stuff, or we might start working on PKI stuff instead. More on that soon.
RobinsonTryon - 07 Nov 2002