SiNotes-Grid

Deploy Myproxy

2006-06-29T17:58:00.000-07:00

suppose you have already installed GT4 and sorted out all the security stuff.
1) copy GLOBUS_LOCATION/share/myproxy/myproxy-server.config to GLOBUS_LOCATION/etc/, uncomment these lines:

accepted_credentials  "*"
authorized_retrievers "*"
default_retrievers    "*"
authorized_renewers   "*"
default_renewers      "none"

2)source $GLOBUS_LOCATION/etc/globus-user-env.csh
3)run $GLOBUS_LOCATION/sbin/myproxy-server -d

If no errors found, restart myproxy-server without "-d" parameters

globus Toolkit 4 Installation on SL4

2006-05-23T10:26:00.000-07:00

Reference:
http://www.globus.org/toolkit/docs/4.0/admin/docbook/ch04.html
http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch03.html#s-platform-redhat
http://www-unix.globus.org/toolkit/docs/4.0/security/myproxy/admin-index.html#s-myproxy-admin-installing
http://gdp.globus.org/gt4-tutorial/singlehtml/progtutorial_0.2.1.html

*N.B.* One thing should be pointed out is that, the installation precedure doesn't seems like totally "standard". Normally you can use whatever user to "configure" and "make " the source code, and only su to root when you "make install". But the "make" in globus toolkit already start to copy files to your installation directory!!! Make sure you have wirte access when u run "make"!

1./configure --prefix=/usr/local/globus-4.0.2 --with-buildopts="--verbose"

WebAuth Installation & Configuraiton

2006-05-22T03:35:00.000-07:00

Suppose you already have

1.Download the src from http://webauthv3.stanford.edu/download.html
2.Configure the src using,
./configure --with-apache=/usr/local/apache20 --with-apxs=/usr/local/apache20/bin/apxs --with-kerberos=/usr/local/kerberos5 --with-ldap=/usr/local/openLDAP
3. make
4. make check
5. make install

*N.B.*
1) If you doesn't specify the ininstalltion dir using prefix, the shared lib files will be installed in /usr/local/lib
2)The kerberos and ldap config parameters are required for me, otherwise make cant find the approprate lib files. After the installation, you may still find errors when try to load mod_webauth.so in apache, sth like " cant find libwebauth.so ", that's because mod_webauth depends on this lib files, you can either copy them from /usr/local/lib/* and /usr/local/kerberos5/lib to "/usr/lib" or "httpd20/lib ".
3) If you see "Segmentation fault" error when you try to start apache and it failed, make sure your apache process have write access to keyring and other cache files defined in your mod_webauth.conf!! (Be sure to create the directory if you havn't !!)You can switch on debug for webauth module in mod_webauth.conf and check http20/logs/error_log.
4) If you can start apache but fail to access the desired webpage,check your httpd20/logs/ssl8080_error_log
5) If you see error messages like" fail to checking webAuth's certificate" it's because the webKDC is using a self-signed certificate.(http://webauth.stanford.edu/manual/mod/mod_webauth.html) You can swith off the certificate checking during test/development stage by using:

 WebAuthWebKdcSSLCertCheck off

Or, you can also use


WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert

to specify the cert file.

6) *IMPORTANT* When you startup apache as root, you can set the user & group you want this httpd process to run as in your httpd.conf. Actually in apache2.0.58, it's set to "nobody" by default.
Which means the apache process might have difficulty to read your webKDC keytab file if they dont have correct access right. A recommended way is to modify your httpd.conf and change the default "nobody" user to the user who have read access to webKDC keytab file.

The minimul configration of webAuth with detailed explaination can be learned from:
http://webauth.stanford.edu/conf-basic.html

An Oxford specific configration is available at :
http://www.oucs.ox.ac.uk/webauth/index.xml?style=printable

Use mod_proxy to connect Apache 2.0 and Tomcat

2006-05-18T03:32:00.000-07:00

Refererced instructions :
http://tomcat.apache.org/tomcat-4.1-doc/proxy-howto.html

1. Make sure you have already configured apache with "--enable-proxy --enable-proxy-http" parameters.
2. If you have done step1, apache 2.0.58 will automatically load mod_proxy for you when startup.(if not, load mod_proxy in your httpd.conf)
3. In the "Location" directory of httpd.conf, which you want to be forwarded to tomcat, add two lines:
ProxyPass http://ktang.oerc.ox.ac.uk:8081/shibboleth2/sample.jsp
ProxyPassReverse http://ktang.oerc.ox.ac.uk:8081/shibboleth2/sample.jsp

*N.B.* use "http" or "https" aproprately. In my case, tomcat and apache reside on same machine, so I chosed to let tomcat listen on port 8081 without enabling ssl.

4.In the server.xml of your tomcat, add a http connector. You don't have to remove your existing AJP13 connector if you do have one.They can function simutinously, each of which serves some of your web applications. Just put your new connector under the same "service " directory with your AJP connector":

<Connector port="8081" className="org.apache.catalina.connector.http.HttpConnector"
maxHttpHeaderSize="81920" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true"
proxyName="ktang.oerc.ox.ac.uk"
proxyPort="8080"/>

*N.B* There's an attribute used to limit the max header size, default is also around 8K!!(just like AJP13). The only reason I changed to mod_proxy from AJP13 is to forward bigger HTTP header size(packet), therefore change this value if you need.

4. Make sure to use filer/firewall/whatever to restrict the access to your tomcat server:8081 port for security considerations.

Installation and configuration of idP

2006-05-09T17:50:00.000-07:00

After the configuration of idP, use following command to test it:

./resolvertest --idpXml=file:///usr/local/shibboleth-idp/etc/idp.xml --requester=https://ktang.oerc.ox.ac.uk/shibboleth --user=David.Wallom        



* Sometime you may find tomcat has problem to load Idp servlet, some information like:
Idp servlet is not available will be displayed when user browser is directed to idp.
Make sure you start tomcat process as root, otherwise some privlige issues might be the reasons!!

* Some code of Shibboleth-idp need to be modifed before installation, otherwise.........

Installation & configuration of SP under EL4

2006-05-08T16:38:00.000-07:00

Reference:
http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html
https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LinuxNotes

N.B. Shibboleth 1.3(sp) require apache2.0.x , compiling error will occur if using apache2.2.x!!!

1)OpenSSL

not needed, just use what comes with your Linux

2)libcurl

(Downloaded from http://curl.haxx.se/libcurl)

usually not needed, or use ./configure --disable-static --without-ca-bundle --enable-thread --prefix=/usr/local/shibboleth-sp

3)log4cpp

(*Must* download from http://shibboleth.internet2.edu/downloads/log4cpp-0.3.5rc1.tar.gz)

./configure --disable-static --disable-doxygen --prefix=/usr/local/shibboleth-sp

4)Xerces-C

(*Must* download from

http://shibboleth.internet2.edu/downloads/xerces-c-src_2_6_1.tar.gz)

(*Must* export XERCESCROOT=/home/synew/download/shibboleth-sp/xerces-c-src_2_6_1)

./runConfigure -p linux -c gcc -x g++ -r pthread -b 32 -P /usr/local/shibboleth-sp

5) XML-Security-C

(*Must* download from

http://xml.apache.org/dist/security/c-library/xml-security-c-1.2.1.tar.gz)

(*Must* export XERCESCROOT=/home/synew/download/shibboleth-sp/xerces-c-src_2_6_1)

./configure --without-xalan --prefix=/usr/local/shibboleth-sp

6)OpenSAML

(*Must* download from

http://shibboleth.internet2.edu/downloads/opensaml-1.1a.tar.gz)

./configure --with-curl=/usr/local/shibboleth-sp --with-log4cpp=/usr/local/shibboleth-sp --prefix=/usr/local/shibboleth-sp -C

7) build shibboleth 1.3:
./configure --with-saml=/usr/local/shibboleth-sp --with-log4cpp=/usr/local/shibboleth-sp --enable-apache-20 --with-apxs2=/usr/local/apache20/bin/apxs --with-apr=/usr/local/apache20/bin/apr-config --prefix=/usr/local/shibboleth-sp -C

#########Post Configuration of SP #################################
Ref:https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/SPApacheConfiguration

Suppose apache2.0.x with mod_ssl is already successfully installed in /usr/local/apache20

1) Add the following line to the end of /usr/local/apache20/conf/httpd.conf(*Not* in any VirtualHost!!):
Include /usr/local/shibboleth-sp/etc/shibboleth/apache2.config

2)In /usr/local/apache20/conf/httpd.conf, set:
UseCanonicalName on
And uncomment ServerName:
ServerName ktang.oerc.ox.ac.uk:8080

3)To start shibboleth daemon,use
/usr/local/shibboleth-sp/sbin/shibd &

SPIE

2006-05-04T18:36:00.000-07:00

is the LDAP server dedicately create for SPIE project and maintained by SPIEs?
if yes, how did they populate the LDAP server?
To be authenticate through webAuth is not hard, and if we dont have access to centre LDAP
directory(if we have one), I would like create one myself for testing purpose.

Then no point to use the idP from SPIE, create my own will be more flexiable.

Q: When users are redirected to SSO handle for authencation, a handle will be generated and sent to SP within SAML assertion.Then SP daemon use this handle as a temporary reference to
query the attributes from AA handler of idP. The questions is, the SSO authZ is performed through Kerberos database, while attributes are stored in LDAP directory, how can the handler map them together so that we can find the desired attr from right person?

Prepare Tomcat/mod_jk for shibboleth idP 1.3

2006-05-02T05:54:00.000-07:00

HOWTO use JK1.2.15 to connect Tomcat5.5 and Apache2.2

1. Set up Apache 2.2 ,Tomcat 5.5 and JK1.2.15 seperately, following the instructions in
http://johnturner.com/howto/apache2-tomcat4127-jk-rh9-howto.html

a. install apache
b. install tomcat5.5
c.install mod_jk
a)download the src code of mod_jk1.2.15 from:
http://apache.rmplc.co.uk/tomcat/tomcat-connectors/jk/source/jk-1.2.15/jakarta-tomcat-connectors-1.2.15-src.tar.gz
b)cd jakarta-tomcat-connectors-1.2.15-src/jk/native
c)./buildconf.sh
d)./configure --with-apxs=/usr/local/apache/bin/apxs
e)make
f)make install
check apache2/modules, you should see mod_jk with 755 in this directory now.
2. In tomcat5/conf/,
mv server-minimul.xml server.xml
then edit server.xml:
delete the line:
Connector port="8080"
And change the port 8009 line to:
connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
enableLookups="false" redirectPort="443"
tomcatAuthentication="false"

3. create a file "workers.properties" in /opt/tomcat/conf/jk/", include the following in it:

# /etc/tomcat/workers.properties
# define a worker using ajp13
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=50
worker.ajp13.cachesize=10
worker.ajp13.cache_timeout=600
worker.ajp13.socket_keepalive=1
worker.ajp13.recycle_timeout=300

4. Enable ssl in your apache/tomcat configuration, details see other articles

5.Enable mod_jk:
In your httpd.conf, add the following line:
Include conf/extra/mod_jk.conf
Then create a file" mod_jk.conf "in conf/extra/, including the following in it:
LoadModule jk_module modules/mod_jk.so

JkWorkersFile /opt/tomcat/conf/jk/workers.properties
JkLogFile /var/log/httpd/mod_jk.log
JkLogLevel emerg
JkMount /shibboleth-idp/* ajp13
JkMount /jsp-examples/* ajp13
# JkMount /cas/* ajp13

Make sure the directory for log files exist already.

6. Start Tomcat5 first, after the auto genereated file is ready, start apache2. then try to access
https://ktang.oerc.ox.ac.uk/jsp-examples
to test the setup

7. To provide kerberos users authentication to apache web server, mod_auth_kerb is required
(http://modauthkerb.sourceforge.net/install.html).
1) suppose you already have an working kerberos server, download the source code, untar it.
2)./configure --prefix=/usr/local/mod_auth_krb5 --with-krb4=no --with-krb5=/usr/local/kerberos5/ --with-apache=/usr/local/apache2/
3) make
4) make install
5) don't forget to load the new installed module in your httpd.conf!
LoadModule auth_kerb_module modules/mod_auth_kerb.so

8. Auth_kerb_module Configuration & Test
Firstly, create a service instance( and user instance if you don't have one) in KDC:
kadmin.local
ank -randky HTTP/ktang.oerc.ox.ac.uk
ktadd -k /etc/keytabs/apache.HTTP.keytab
It's recommanded to put the server key in a seperated file from other keys, and
make sure the file can be read by apache process!!

Suppose we wanna set web resources in "shibboleth-idp/SSO" (/usr/local/tomcat/webapps/shibboleth-idp/SSO) to be protected by kerberos. Users are
required to authenticate by kerberos when they try to access this dir.
The followings are added to httpd.conf for this purpose:

<Location /shibboleth-idp/SSO>
AuthType Kerberos
AuthName "Kerberos Login"
KrbSaveCredentials On
KrbMethodK5Passwd On
KrbMethodNegotiate On
Krb5Keytab "/etc/keytabs/apache.HTTP.keytab"
KrbServiceName HTTP
KrbAuthoritative On
SSLVerifyClient none
require valid-user
</Location>

*Detailed implication available in http://modauthkerb.sourceforge.net/

Use SASL(GSSAPI) in openLDAP

2006-04-28T04:45:00.000-07:00

1.#ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI

*Because I have already disable other auth mechanisms when building Cyrus-SASL, only GSSAPI available here.

2.#ldapsearch -h localhost -p 389 -I -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: ktang/admin@IERC.OX.AC.UK
SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: GSSAPI

* Note*: Don't enter anything when promoted to enter username!!! just press "Enter"!
otherwise errors will occur:
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: Inappropriate authentication

*Of course you need to use "kinit ktang/admin" first to get the ticket.
Alternatively, you can use:
./ldapsearch -h localhost -p 389 -U 'ktang/admin@IERC.OX.AC.UK' -b "" -s base -LLL supportedSASLMechanisms
Then no need to input username.

3. Any user authenticaited by Kerberos will be mapped to an authentication request DN in LDAP server in form of :
uid=username,cn=realm,cn=gssapi,cn=auth

To check your authentication request DN, use "/usr/local/openLDAP/bin/ldapwhoami" command. In my case, I was authenciated as "ktang/admin@IERC.OX.AC.UK" in kerberos server, then my authentication request DN in LDAP is:
uid=ktang/admin,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth

4. You can configure ACL in slapd.conf to give read/write access to the authentication request DN above, this might be the simplest way, for example, add following in slapd.conf will make I have write priviledge to all entries in LDAP server after I was authenticatied as ktang/admin by
kerberos:
access to *
by self write
by dn="uid=synew,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth" write
by users read
by anonymous auth
by * none
However, usually we already has all entries for all the users who wanna access it in Ldap server,
but not in the authencation request format(e.g. not under auth subtree ). What we need is authentication identities mapping.

5. Wherever possbile, direct mapping is recommanded,which has the following format:
authz-regexp
uid=([^,]*),cn=oerc.ox.ac.uk,cn=gssapi,cn=auth
uid=$1,dc=oerc,dc=ox,dc=ac,dc=uk

*N.B. Don't use the following format, it doesn't work for me, although it should.
authz-regexp
uid=([^,]*),cn=[^,]*,cn=auth
uid=$1,dc=oerc,dc=ox,dc=ac,dc=uk

*N.B. With this mapping added, the ACL we just made will *NOT* work for the super user "synew"!! The reason is your authencation quest DN is no longer "uid=synew,cn=ierc.ox.ac.uk,cn=gssapi,cn=auth", but is
mapped to "uid=synew,dc=oerc,dc=ox,dc=ac,dc=uk" !!! Therefore we need to use the following
ACL policy instead:
access to *
by self write
by dn="uid=synew,dc=oerc,dc=ox,dc=ac,dc=uk" write
by users read
by anonymous auth
by * none

SAML,shibboleth,SSO,GSSAPI,Kerberos and webAuth

2006-04-25T01:51:00.000-07:00

1.The single most important problem that SAML is trying to solve is the web single sign-on (SSO) problem. SSO solutions at the intranet level abound (using cookies, e.g.) but extending these solutions beyond the intranet has been problematic and has led to the proliferation of proprietary technologies that do not interoperate. SAML has become the definitive standard underlying many web SSO solutions in the identity management problem space.

2. The GSSAPI is a generic API for doing client-server authentication. The motivation behind it is that every security system has it's own API, and the effort involved with adding different security systems to applications is extremely difficult with the variance between security APIs. However, with a common API, application vendors could write to the generic API and it could work with any number of security systems. Most major Kerberos 5 distributions is a GSSAPI implementation. Thus, if a particular application or protocol says that it supports the GSSAPI, then that means that it supports Kerberos.

openLDAP installation & Configuration

2006-04-24T01:57:00.000-07:00

1.Prepare the prequired softwares:
2.After BerkeleyDB is installed. *Make sure * create the runtime links to BerkeleyDB's dynamic link library files by:
1) In EL4, create a new file "BerkeleyDB.conf" in /etc/ld.so.conf.d, add this line to it:
/usr/local/BerkeleyDB.4.4/lib, otherwise the later configure procedure will complain "BerkeleyDB version mismatched".
2) run " ldconfig" to load the config

3. To configure openLDAP, using:
1)env CPPFLAGS="-I/usr/local/BerkeleyDB.4.4/include" LDFLAGS="-L/usr/local/BerkeleyDB.4.4/lib" ./configure --with-cyrus-sasl --enable-slapd --enable-crypt --with-tls --enable-spasswd --enable-wrappers --prefix=/usr/local/openLDAP
*Note*
a. IMPORTANT If you use --disable-cleartext paraments when configure the code, the "test002-populate" later will fail! So better dont use it unless u dont wanna do the tests.
b. The env variables in this command will only be valid for this single process.)

4. make depend
5.make
6.make test
If no errors found during the tests procedure, you can start to configure the openldap now.
The configration file of slapd is located in /usr/local/openLDAP/etc/openldap/slapd.conf
Sightly modifications are required on the configuration file before you can start slapd service, my
slapd.conf is like:
###################start of slapd.conf##########################
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/openLDAP/etc/openldap/schema/core.schema
include /usr/local/openLDAP/etc/openldap/schema/corba.schema
include /usr/local/openLDAP/etc/openldap/schema/cosine.schema
include /usr/local/openLDAP/etc/openldap/schema/inetorgperson.schema
include /usr/local/openLDAP/etc/openldap/schema/misc.schema
include /usr/local/openLDAP/etc/openldap/schema/openldap.schema
include /usr/local/openLDAP/etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/openLDAP/var/run/slapd.pid
argsfile /usr/local/openLDAP/var/run/slapd.args

#Log level
loglevel 1

#######################################################################
#Backend definitions
#######################################################################
backend bdb
readonly off

# Load dynamic backend modules:
# modulepath /usr/local/openLDAP/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=ierc,dc=ox,dc=ac,dc=uk"
rootdn "cn=Manager,dc=ierc,dc=ox,dc=ac,dc=uk"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/openLDAP/var/openldap-data
# Indices to maintain
index objectClass eq

###########################End of slapd.conf#########################

Cyrus SASL installation

2006-04-23T18:11:00.000-07:00

References:
http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt
http://www.linuxfromscratch.org/blfs/view/stable/postlfs/cyrus-sasl.html
http://mah.everybody.org/docs/sasl-gssapi/
http://www.bayour.com/LDAPv3-HOWTO.html

1.Download Cyrus SASL from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
The current release is "cyrus-sasl-2.1.21.tar.gz"
2.Unpack the downloaded file. Because I only wanna use gssapi(Kerberos V5) mechanism,so it's good idea to disable other mechnisams. Config it using,
./configure --prefix=/usr/local/cyrus-SASL --enable-gssapi --with-gss_impl=mit --disable-cram --disable-digest --disable-otp

3. make
4.make install

At the end of installation, you will see following message:
* WARNING:
* Plugins are being installed into /usr/local/cyrus-SASL/lib/sasl2,
* but the library will look for them in /usr/lib/sasl2.
* You need to make sure that the plugins will eventually
* be in /usr/lib/sasl2 -- the easiest way is to make a
* symbolic link from /usr/lib/sasl2 to /usr/local/cyrus-SASL/lib/sasl2,
* but this may not be appropriate for your site, so this
* installation procedure won't do it for you.
*
* If you don't want to do this for some reason, you can
* set the location where the library will look for plugins
* by setting the environment variable SASL_PATH to the path
* the library should use.

Cyrus-SASL will look for the lib files in /usr/lib/sasl2 by defualt, therefore it's important to copy lib files from /usr/local/cyrus-SASL/lib/sasl2 to /usr/lib/sasl2. The simplest way is create a link in /usr/lib/
ln -s /usr/local/cyrus-SASL/lib/sasl2 .
*If you found /usr/lib/sasl2 already exist b4 the installation, make sure to delete it!

To Test the installtion of SASL, we canuse Sample-Server/Client programs, which are located in the sample directory of cyrus-SASL source code. Because they are not compiled by default, manully compiling is necesssary, in /home/synew/download/cyrus-SASL/sample/ , use
make sample-server
make sample-client

*Important*
Before the test, configure the /etc/hosts and /etc/sysconfig/network as follow if you havn't.
*********/etc/hosts*************************
127.0.0.1 localhost.localdomain localhost
163.1.26.6 ktang.ierc.ox.ac.uk ktang
**********/etc/sysconfig/network*************
NETWORKING=yes
HOSTNAME=ktang.ierc.ox.ac.uk
********************************************
1. create " ktang/admin" as a administor(or user) for kerboeros database, more details about kerberos setup is available in my another post.
2. #kinit ktang/admin
this will get a ticket from kerberos server for user "ktang/admin", which will be stored in your temporary credensial cache(usually /tmp). You can use "klist" to check the information of the ticket cache, and use "kdestroy" to delete all information in the cache.
3, To use sample server/client, in addition to the user principal, a service principal is also required. Suppose we wanna add a new service named as "ldap" on host"ktang.ierc.ox.ac.uk", Use /usr/local/kerberos5/sbin/kadmin.local programm:
#
kadmin.local
listprincs
ank -randkey ldap/ktang.ierc.ox.ac.uk (create a host principal)
ktadd ldap/ktang.ierc.ox.ac.uk(generate a key for the principal and stored in /etc/krb5.keystab)
quit

Now we can start sample server/client to do the test:
In on session,
./sample-server -s ldap -p ../plugins/.libs
In another session,
./sample-client -s ldap -n ktang.ierc.ox.ac.uk -u ktang/admin -p ../plugins/.libs
Copy output from them around untill the "negoration complete" is displayed.

*********Possbile problems********************

1)DIGEST-MD5, instead of GSSAPI is selected, although GSSAPI is listed by the server.
*Because GSSAPI is stronger encrypt mechanism than DIGEST-MD5, so it should be choosed as best mechanism. This means there is sth wrong with GSSAPI mechanism,which makes it have to choose DIGEST-MD5. If we reconfigure cyrus-sasl without other mechanisms
such as digest-md5, gssapi will unavoidly be selected,but you will see some errors saying GSSAPI negorations failure etc if the server have error with it.
(you can re-configure SASL using:
./configure --prefix=/usr/local/cyrus-SASL --disable-cram --disable-digest --disable-otp --enable-gssapi --with-gss_impl=mit)

2)lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (key version number mismatched)
lt-sample-server: Starting SASL negotiation: generic failure (generic failure)
* Use "klist -k /usr/krb5.keytab" and "kvno ldap/ktang.ierc.ox.ac.uk" to check whether key version numbers of the service
you are interested in are matched.Everytime you use kadmin(ktadd) add a new key, kvno will increase by 1.
More details in http://www.bayour.com/LDAPv3-HOWTO.html

3)lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (No principal in keytab matches desired name)
lt-sample-server: Starting SASL negotiation: generic failure (generic failure)
*Make sure you have created the key to the correct keytab file. The default keytab from where KDC will look for principals is
/etc/krb5.keytab. Use klist -k /etc/krb5.keytab to check the keys you added.

4)lt-sample-server: SASL Other: GSSAPI Error: Miscellaneous failure (Decrypt integrity check failed)
lt-sample-server: Starting SASL negotiation: authentication failure (authentication failure)
*To avoid this error happen, make sure to use "kdestroy" to get rid of any old cached tickets by using kdestroy,
otherwise the various Kerberos programs will continue to use an old ticket encrypted with the wrong encryption key.
More details in http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

5) In client side, if see the following:
............
recieved 153 byte message
C:
Waiting for server reply...

*It is *NOT* an error! what you should do is copy C: to server side.Note, there's a space after C:!
Reference:http://www.irbs.net/internet/cyrus-sasl/0506/0050.html

Install & Configure Kerberos V5 under SL4

2006-04-23T04:41:00.000-07:00

Boz I need to install openLDAP for Idp installation in future, I need to install Kerberos, which is recommanded by openLDAP.
Either Heimdal or MIT Kerberos V5 are free implementation of Kerberos v5 protocol, you can choose the one u like, I have picked the latter.

1.Download the src code from MIT kerberos site
http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4.3-signed.tar

2. tar -xvf krb5-1.4.3-signed.tar
then u get krb5-1.4.3.tar.gz, unpack it by,
tar -zxvf krb5-1.4.3.tar.gz

3. cd krb5-1.4.3/src
*IMPORTANT* If you configure the code without any parameters, some tcl related error will usually occur when build the code .
After some googling, some guy said tcl is only used to perform some tests when u run "make check", therefore can be considered not necessary. So you can configure the code using,
./configure --prefix=/usr/local/kerberos5 --without-krb4 --without-tcl

Everything should be fine, but what if i want to do the unit tests depending on tcl to make sure my installation is all right? I searched my system and found tcl binary is already installed, but we need tcl.h and
tcl lib to build with tcl support. Therefore we need to install tcl-devel package.
yum install tcl-devel.i386
The "tcl.h" is located in /usr/include/, lib files in /usr/lib
Now we can configure the code using:
./configure --prefix=/usr/local/kerberos5 --without-krb4 --with-tcl=/usr

4, make
5, make install
6, make check
You should see no errors

7, configure /etc/krb5.conf and kdc.conf, instructions can be found at
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-install/Install-the-Master-KDC.html#Install%20the%20Master%20KDC
*Make sure to change the default var files directory to your installation dir
#krb5.conf#######################################
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = IERC.OX.AC.UK
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
IERC.OX.AC.UK = {
kdc = ktang.ierc.ox.ac.uk:88
admin_server = ktang.ierc.ox.ac.uk:749
default_domain = ierc.ox.ac.uk
}

[domain_realm]
.ierc.ox.ac.uk = IERC.OX.AC.UK
ierc.ox.ac.uk = IERC.OX.AC.UK

[kdc]
profile = /usr/local/kerberos5/var/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

#kdc.conf#######################################
[kdcdefaults]
kdc_ports = 88

[realms]
IERC.OX.AC.UK = {
database_name = /usr/local/kerberos5/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keyta
b
acl_file = /usr/local/kerberos5/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/kerberos5/var/krb5kdc/.k5.IERC.OX.AC
.UK
kdc_ports = 88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

[logging]
kdc = FILE:/usr/local/kerberos5/var/krb5kdc/kdc.log
admin_server = FILE:/usr/local/kerberos5/var/krb5kdc/kadmin.log
#########################END####################

8,Create a database on the system where KDC resides:
#/usr/local/kerberos5/sbin/kdb5_util create IERC.OX.AC.UK -s
the database related information files will be generated in the var directories you configured
kdc.conf file(/usr/local/kerberos5/var/krb5kdc/)
* If you dont wanna stash file to be generated, don't use " -s " parameter.
*To delete the existing database, delete all these new genenated files
* You can costomize the name of generated files by change the kdc name in "kdc.conf", default
name is "principal"

9, Create acl file "kadm5.acl" in /usr/local/kerberos5/var/krb5kdc(the location is determined by kdc.conf)
To understand acl, you need to understand the definition of principal and instance
http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.3/doc/krb5-user/What-is-a-Kerberos-Principal-.html
Mine is like this:
#####################
*/admin@IERC.OX.AC.UK *
ktang@IERC.OX.AC.UK ADMCIL
###########################

10. Add administrator to database, use
# ./kadmin.local
Authenticating as principal synew/admin@IERC.OX.AC.UK with password.
kadmin.local: addprinc ktang/admin@IERC.OX.AC.UK
WARNING: no policy specified for ktang/admin@IERC.OX.AC.UK; defaulting to no policy
Enter password for principal "ktang/admin@IERC.OX.AC.UK":
Re-enter password for principal "ktang/admin@IERC.OX.AC.UK":
Principal "ktang/admin@IERC.OX.AC.UK" created.
kadmin.local: addprinc synew/admin@IERC.OX.AC.UK
WARNING: no policy specified for synew/admin@IERC.OX.AC.UK; defaulting to no policy
Enter password for principal "synew/admin@IERC.OX.AC.UK":
Re-enter password for principal "synew/admin@IERC.OX.AC.UK":
Principal "synew/admin@IERC.OX.AC.UK" created.
kadmin.local:quit

11. Create keytab, use,
./kadmin.local
Authenticating as principal synew/admin@IERC.OX.AC.UK with password.
kadmin.local: ktadd -k /usr/local/kerberos5/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/usr/local/kerberos5/var/krb5kdc/kadm5.keytab.
kadmin.local: quit

12. Start the Kerberos daemons by:
./krb5kdc
./kadmind