
Chapter 11. Kerberos 143
KDC from kerberos.example.com to the name of your Kerberos server. By convention,
all realm names are uppercase and all DNS hostnames and domain names are lowercase. For
full details on the formats of these files, see their respective man pages.
4. Create the database using the kdb5_util utility from a shell prompt:
/usr/kerberos/sbin/kdb5_util create -s
The create command creates the database that will be used to store keys for your Kerberos
realm. The -s switch forces creation of a stash file in which the master server key is stored. If
no stash file is present from which to read the key, the Kerberos server (krb5kdc) will prompt
the user for the master server password (which can be used to regenerate the key) every time it
is started.
5. Edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine
which principals have access to the Kerberos database and their level of access. Most
organizations will be able to get by with a single line:
Most users will be represented in the database by a single principal (with a NULL, or empty,
instance, such as joe@EXAMPLE.COM). With this configuration, users with a second principal
with an instance of admin (for example, joe/admin@EXAMPLE.COM) will be able to wield full
power over the realm's Kerberos database.
Once kadmind is started on the server, any user will be able to access its services by running
kadmin or gkadmin on any of the clients or servers in the realm. However, only users listed in
the kadm5.acl file will be able to modify the database in any way, except for changing their
own passwords.
Note
The kadmin and gkadmin utilities communicate with the kadmind server over the network, and
they use Kerberos to handle authentication. Of course, you need to create the first principal
before you can connect to the server over the network to administer it. Create the first principal
with the kadmin.local command, which is specifically designed to be used on the same host
as the KDC and does not use Kerberos for authentication.
Type the following kadmin.local command at the KDC terminal to create the first principal:
/usr/kerberos/sbin/kadmin.local -q "addprinc username/admin"
6. Start Kerberos using the following commands:
/sbin/service krb5kdc start
/sbin/service kadmin start
/sbin/service krb524 start
7. Add principals for your users using the addprinc command with kadmin or using the
Principal => Add menu option in gkadmin. kadmin and kadmin.local on the master KDC are
command line interfaces to the Kerberos administration system. As such, many commands
are available after launching the kadmin program. Please see the kadmin man page for more
information.
8. Verify that your server will issue tickets. First, run kinit to obtain a ticket and store it in
a credential cache file. Then use klist to view the list of credentials in your cache and use
kdestroy to destroy the cache and the credentials it contains.
Note
By default, kinit attempts to authenticate you using the login username of the account you
used when you first logged into your system (not the Kerberos server). If that system username
does not correspond to a principal in your Kerberos database, you will get an error message. If
that happens, just give kinit the name of your principal as an argument on the command line
(kinit principal).
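To make the access rules of step 5 concrete, here is an added example (not code from this manual) that parses a constructed kadm5.acl in the MIT format and reports which privileges a given principal holds. It assumes the MIT conventions: one entry per line, `*` and `?` wildcards matched per principal component, lowercase permission letters grant, uppercase letters deny, `*` or `x` means all, an optional third field restricts the target principal, and the first matching line applies.

```python
import fnmatch

# Constructed sample kadm5.acl (not the manual's file): admin instances get full
# power; the helpdesk principal may change passwords and inquire, but not for
# admin principals.
SAMPLE_ACL = """\
# principal            permissions  [target]
*/admin@EXAMPLE.COM    *
helpdesk@EXAMPLE.COM   ci           *@EXAMPLE.COM
helpdesk@EXAMPLE.COM   Ci           */admin@EXAMPLE.COM
"""

# a=add d=delete m=modify c=change password i=inquire l=list s=set key p=extract
ALL_PERMS = set("admcilsp")


def split_principal(name):
    """'primary/instance@REALM' -> (primary, instance, realm); instance may be ''."""
    local, _, realm = name.rpartition("@")
    primary, _, instance = local.partition("/")
    return primary, instance, realm


def principal_matches(pattern, name):
    """Wildcards apply per component, so '*@R' does not match 'joe/admin@R'."""
    return all(fnmatch.fnmatchcase(n, p)
               for p, n in zip(split_principal(pattern), split_principal(name)))


def parse_acl(text):
    """Return [(principal_pattern, permission_string, target_pattern_or_None)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if line:
            f = line.split()
            entries.append((f[0], f[1], f[2] if len(f) > 2 else None))
    return entries


def permissions(acl, actor, target=None):
    """Privileges the first matching ACL line grants `actor` (on `target`, if given)."""
    for pat, perms, tpat in acl:
        if not principal_matches(pat, actor):
            continue
        # Simplification: an entry with a target field only applies to targeted ops.
        if tpat is not None and (target is None or not principal_matches(tpat, target)):
            continue
        granted = set()
        for ch in perms:
            if ch in "*x":
                granted |= ALL_PERMS          # all privileges
            elif ch.islower():
                granted.add(ch)               # lowercase grants
            else:
                granted.discard(ch.lower())   # uppercase denies
        return granted
    return set()                              # not listed: no admin rights at all
```

Run against the sample, joe/admin@EXAMPLE.COM gets every privilege, joe@EXAMPLE.COM gets none, and helpdesk@EXAMPLE.COM can change joe's password but not joe/admin's.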