Because I need to install OpenLDAP for an IdP installation in the future, I need to install Kerberos, which is recommended by OpenLDAP.
Either Heimdal or MIT Kerberos V5 is a free implementation of the Kerberos v5 protocol; you can choose the one you like. I have picked the latter.
1. Download the source code from the MIT Kerberos site
http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.3-signed.tar
2. tar -xvf krb5-1.4.3-signed.tar
then you get krb5-1.4.3.tar.gz; unpack it by
tar -zxvf krb5-1.4.3.tar.gz
3. cd krb5-1.4.3/src
*IMPORTANT* If you configure the code without any parameters, some Tcl-related error will usually occur when building the code.
After some googling, I found someone saying that Tcl is only used to perform some tests when you run "make check", so it can be considered unnecessary. So you can configure the code using:
./configure --prefix=/usr/local/kerberos5 --without-krb4 --without-tcl
Everything should be fine, but what if I want to run the unit tests that depend on Tcl, to make sure my installation is all right? I searched my system and found the tcl binary is already installed, but we need tcl.h and
the Tcl library to build with Tcl support. Therefore we need to install the tcl-devel package.
yum install tcl-devel.i386
tcl.h is located in /usr/include/ and the library files in /usr/lib.
Now we can configure the code using:
./configure --prefix=/usr/local/kerberos5 --without-krb4 --with-tcl=/usr
4, make
5, make install
6, make check
You should see no errors.
7, configure /etc/krb5.conf and kdc.conf; instructions can be found at
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-install/Install-the-Master-KDC.html#Install%20the%20Master%20KDC
* Make sure to change the default var file directories to your installation directory.
#krb5.conf#######################################
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = IERC.OX.AC.UK
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
IERC.OX.AC.UK = {
kdc = ktang.ierc.ox.ac.uk:88
admin_server = ktang.ierc.ox.ac.uk:749
default_domain = ierc.ox.ac.uk
}
[domain_realm]
.ierc.ox.ac.uk = IERC.OX.AC.UK
ierc.ox.ac.uk = IERC.OX.AC.UK
[kdc]
profile = /usr/local/kerberos5/var/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
#kdc.conf#######################################
[kdcdefaults]
kdc_ports = 88
[realms]
IERC.OX.AC.UK = {
database_name = /usr/local/kerberos5/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/kerberos5/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/kerberos5/var/krb5kdc/.k5.IERC.OX.AC.UK
kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
[logging]
kdc = FILE:/usr/local/kerberos5/var/krb5kdc/kdc.log
admin_server = FILE:/usr/local/kerberos5/var/krb5kdc/kadmin.log
#########################END####################
8, Create a database on the system where the KDC resides:
# /usr/local/kerberos5/sbin/kdb5_util create IERC.OX.AC.UK -s
The database-related files will be generated in the var directory you configured in
kdc.conf (/usr/local/kerberos5/var/krb5kdc/).
* If you don't want a stash file to be generated, don't use the " -s " parameter.
* To delete the existing database, delete all these newly generated files.
* You can customize the names of the generated files by changing the database_name in "kdc.conf"; the default
name is "principal".
9, Create the acl file "kadm5.acl" in /usr/local/kerberos5/var/krb5kdc (the location is determined by kdc.conf).
To understand the acl, you need to understand the definition of principal and instance:
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-user/What-is-a-Kerberos-Principal-.html
Mine is like this:
#####################
*/admin@IERC.OX.AC.UK *
ktang@IERC.OX.AC.UK ADMCIL
###########################
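Added example, not part of the original notes and not code from the MIT distribution: a small model of how kadmind reads kadm5.acl entries, useful for checking what an ACL like the one above grants before kadmind is started. In the kadmind ACL format a lowercase letter grants an operation, an UPPERCASE letter prohibits it, and "*" (or "x") grants all of them; the model assumes first-match-wins, whole-component wildcards, and ignores the optional target-principal and restriction fields.

```python
# Added example (not from the original notes): a model of how MIT kadmind
# evaluates kadm5.acl entries. Assumed: first matching entry wins, "*"
# matches a whole principal component or the realm, and the optional
# target-principal and restriction fields are ignored.
# Permission letters: lowercase grants, UPPERCASE prohibits, "*"/"x" = all.
PERMS = "admcil"  # add, delete, modify, changepw, inquire, list

def _split(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def _matches(pattern, principal):
    pcomps, prealm = _split(pattern)
    comps, realm = _split(principal)
    if len(pcomps) != len(comps) or prealm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, comps))

def parse_acl(text):
    """Return [(principal_pattern, permission_string), ...], skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % line)
        entries.append((fields[0], fields[1]))
    return entries

def permissions(acl_text, principal):
    """Lowercase permission letters granted to principal (first match wins)."""
    for pattern, perms in parse_acl(acl_text):
        if not _matches(pattern, principal):
            continue
        if perms in ("*", "x"):
            return set(PERMS)
        granted = {ch for ch in perms if ch in PERMS}
        # An UPPERCASE letter explicitly prohibits that operation.
        denied = {ch.lower() for ch in perms if ch.isupper() and ch.lower() in PERMS}
        return granted - denied
    return set()  # no entry matched: kadmind grants nothing

# The two entries from the kadm5.acl above.
ACL = "*/admin@IERC.OX.AC.UK *\nktang@IERC.OX.AC.UK ADMCIL\n"

if __name__ == "__main__":
    for p in ("ktang/admin@IERC.OX.AC.UK", "ktang@IERC.OX.AC.UK"):
        print(p, sorted(permissions(ACL, p)) or "nothing")
```

Run as-is it reports that ktang/admin@IERC.OX.AC.UK gets every permission from the first line, while ktang@IERC.OX.AC.UK gets nothing, because the uppercase "ADMCIL" on the second line prohibits each operation rather than granting it.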
10. Add the administrator principals to the database, using
# ./kadmin.local
Authenticating as principal synew/admin@IERC.OX.AC.UK with password.
kadmin.local:
addprinc ktang/admin@IERC.OX.AC.UK
WARNING: no policy specified for ktang/admin@IERC.OX.AC.UK; defaulting to no policy
Enter password for principal "ktang/admin@IERC.OX.AC.UK":
Re-enter password for principal "ktang/admin@IERC.OX.AC.UK":
Principal "ktang/admin@IERC.OX.AC.UK" created.
kadmin.local:
addprinc synew/admin@IERC.OX.AC.UK
WARNING: no policy specified for synew/admin@IERC.OX.AC.UK; defaulting to no policy
Enter password for principal "synew/admin@IERC.OX.AC.UK":
Re-enter password for principal "synew/admin@IERC.OX.AC.UK":
Principal "synew/admin@IERC.OX.AC.UK" created.
kadmin.local:
quit
11. Create the keytab, using
./kadmin.local
Authenticating as principal synew/admin@IERC.OX.AC.UK with password.
kadmin.local:
ktadd -k /usr/local/kerberos5/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
kadmin.local:
quit
12. Start the Kerberos daemons by:
./krb5kdc
./kadmind