HOWTO setup a small server
Heimdal (Kerberos 5 Server)
Client Installation
Prerequisite: NTP. Kerberos permits only small differences between the system times of the server and its clients. It is therefore recommended to run a time server (NTP) on the server and on the clients to avoid problems.
There are plenty of documents on the web on how to set up an MIT Kerberos server and its clients. I prefer the Heimdal Kerberos server due to its multithreading support. The necessary packages for the clients are:
apt-get install krb5-config libkrb5-25-heimdal heimdal-clients heimdal-kcm
During the installation, some of the questions below must be answered (krb5-config). Typical answers look like this:
- default Kerberos realm: the name of your new REALM, which should be identical to the domain name of the server in capital letters (EXAMPLE.COM)
- DNS contains pointers: unless you know what this means, the default answer "no" is just fine
- Kerberos servers for realm: the FQDN (fully qualified domain name) of the server (server.example.com)
- administrative server for realm: again, the FQDN of the server (server.example.com)
To correct or change your answers at some time in the future, use:
# dpkg-reconfigure krb5-config
or edit /etc/krb5.conf manually as described in the next section.
Client Configuration
The Kerberos library configuration file /etc/krb5.conf is divided into sections. Each section begins with the section name in square brackets, e.g., [libdefaults]. Although section names might appear several times in the following excerpts, each of them should be entered only once in the complete configuration file. The excerpts are not complete: there might already be further entries in the sections of /etc/krb5.conf on the system. In principle, the configuration excerpts below should work with both the Heimdal and the MIT Kerberos library.
The following configuration of the Kerberos library should already have been done by krb5-config and specifies the new REALM:
Excerpt: /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = server.example.com
        admin_server = server.example.com
    }
In some cases you may want to change the behaviour of the Kerberos library. Ticket lifetimes can be increased with these lines in the libdefaults section:
Excerpt: /etc/krb5.conf
[libdefaults]
    ticket_lifetime = 10d 0h 0m 0s
    renew_lifetime = 30d 0h 0m 0s
(Note: The maximum lifetime configured for the server and for the principal might limit the maximum ticket lifetime as well, so this only helps if the server and principal configurations also permit these lifetimes.)
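As an added example, not part of the original HOWTO, the POSIX shell script below checks a krb5.conf-style file for the mistake the section above warns about (a section header such as [libdefaults] pasted a second time), reads a value back from a section, and applies the note on lifetimes by computing the lifetime a client can actually obtain as the minimum of the client's request and the server and principal maxima. The sample configuration files and lifetime values are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): sanity checks for /etc/krb5.conf excerpts.
# Assumes only the "[section]" / "key = value" layout shown in the excerpts.

# Print every section name that appears more than once in the given file.
krb5_duplicate_sections() {
    # lines like "[libdefaults]" (leading whitespace allowed) are section headers
    sed -n 's/^[[:space:]]*\[\([^]]*\)].*$/\1/p' "$1" | sort | uniq -d
}

# Print the value of a key inside a section: $1 = file, $2 = section, $3 = key.
krb5_get_value() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sect = ($0 ~ ("^[[:space:]]*\\[" sect "]")); next }
        in_sect && $1 == key && $2 == "=" {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit   # value may contain spaces
        }
    ' "$1"
}

# Overall check: status 0 when no section is duplicated and default_realm is set.
krb5_conf_check() {
    dups=$(krb5_duplicate_sections "$1")
    if [ -n "$dups" ]; then
        echo "duplicate section(s): $dups" >&2
        return 1
    fi
    realm=$(krb5_get_value "$1" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "no default_realm in [libdefaults]" >&2
        return 2
    fi
    echo "default_realm = $realm"
    return 0
}

# Convert a Heimdal-style lifetime such as "10d 0h 0m 0s" into seconds.
lifetime_to_seconds() {
    total=0
    for part in $1; do
        num=${part%?}                      # strip the unit suffix
        case "$part" in
            *d) total=$((total + num * 86400)) ;;
            *h) total=$((total + num * 3600)) ;;
            *m) total=$((total + num * 60)) ;;
            *s) total=$((total + num)) ;;
            *) echo "bad lifetime part: $part" >&2; return 1 ;;
        esac
    done
    echo "$total"
}

# The lifetime actually granted is bounded by the client's request and by the
# server and principal maxima (see the note above): take the minimum, in seconds.
effective_lifetime() {
    min=$(lifetime_to_seconds "$1")
    shift
    for l in "$@"; do
        s=$(lifetime_to_seconds "$l")
        [ "$s" -lt "$min" ] && min=$s
    done
    echo "$min"
}

# Constructed sample files (in a temporary directory) to exercise the checks.
KRB5_DEMO_DIR=$(mktemp -d)
cat > "$KRB5_DEMO_DIR/good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10d 0h 0m 0s
[realms]
    EXAMPLE.COM = {
        kdc = server.example.com
        admin_server = server.example.com
    }
EOF
# Same settings, but [libdefaults] was pasted a second time from the excerpts.
cat > "$KRB5_DEMO_DIR/dup.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = server.example.com
    }
[libdefaults]
    ticket_lifetime = 10d 0h 0m 0s
EOF

krb5_conf_check "$KRB5_DEMO_DIR/good.conf"
krb5_conf_check "$KRB5_DEMO_DIR/dup.conf" || echo "dup.conf rejected (status $?)"
# constructed values: client asks for 10 days, KDC allows 1 day, principal allows 7 days
echo "effective lifetime: $(effective_lifetime "10d 0h 0m 0s" "1d 0h 0m 0s" "7d") s"
```

Run it with `sh` after pasting; to check a real file, call krb5_conf_check /etc/krb5.conf. The duplicate-section check is worth running after every copy-and-paste from the excerpts, because both libraries silently accept a repeated header.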
Server Installation
On the server the following additional packages are required:
apt-get install heimdal-kdc heimdal-docs
Server KDC Configuration
To avoid problems when using basic authentication in Apache2 ("Request is a replay" errors in the log files), the configuration of the Kerberos library on the server might require the following line in the libdefaults section:
Excerpt: /etc/krb5.conf
[libdefaults]
# required when using basic authentication with Apache2's
# mod_auth_kerb module (`Request is a replay' errors);
# `0' for MIT library and `false' for Heimdal library
kdc_timesync = 0/false
Also useful in some cases:
Excerpt: /etc/krb5.conf
[logging]
    kdc = SYSLOG:DEBUG:AUTH
    admin_server = SYSLOG:DEBUG:AUTH
    default = SYSLOG:DEBUG:AUTH
The default configuration of the KDC and of the Kerberos library in general needs no further changes. If you want to restrict Kerberos to IPv4, however, you will have to set:
Excerpt: /etc/heimdal-kdc/kdc.conf
addresses = 0.0.0.0
The KDC database is already initialized during the installation of the KDC with the following commands. You only have to run these commands again if you want to reset the KDC database for some reason:
# rm -f /var/lib/heimdal-kdc/heimdal.db /var/lib/heimdal-kdc/m-key
# kstash --random-key
# kadmin -l
> init EXAMPLE.COM
> q
Later on we will need a testuser, so let us create it now:
# kadmin -l
> add testuser
> q
Finally, you can (re)start the Kerberos server and check whether you are able to obtain a ticket:
# /etc/init.d/heimdal-kdc restart
# kinit testuser@EXAMPLE.COM
Server PAM Configuration
If you would like to add Kerberos authentication to PAM, install the following package:
apt-get install libpam-heimdal
You will have to configure libpam-heimdal now. See the manual page of pam_krb5 for more details.
Server Remote Administration Configuration
The kadmind daemon is started by inetd. By default, the following line (or a similar one) should exist in /etc/inetd.conf:
Excerpt: /etc/inetd.conf
kerberos-adm stream tcp nowait root /usr/sbin/tcpd /usr/lib/heimdal-servers/kadmind
If you do not want to use remote administration, comment out this line and restart inetd. The kadmind daemon will then not be running (and you can skip the rest of this section):
# /etc/init.d/openbsd-inetd restart
If you want to use remote administration, you will need an administrative principal. In order to add one, let us say root, you must on the one hand create the principal
# kadmin -l
> add root/admin
> q
and on the other hand configure its ACL:
Excerpt: /etc/heimdal-kdc/kadmind.acl
root/admin@EXAMPLE.COM all
Due to a bug in the Debian package(?), you will also have to create a symlink to that ACL file:
# ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc
Now you should be able to administer your Kerberos database remotely with kadmin.
Make sure kadmind is running properly. In my case, inetd did not start kadmind while the packages were being installed (maybe due to the order in which the services were configured and started during their installation). Check for the kerberos-adm line in /etc/inetd.conf and restart inetd as shown at the beginning of this section.
Networking Requirements
Prerequisite: Shorewall. In case of a packet filter (Shorewall), you will have to permit some traffic to make use of the Kerberos server. Check with netstat -tulpen which ports are actually required, as, depending on your configuration, some of the services may or may not be running on your system:
Excerpt: /etc/shorewall/rules
# Heimdal/Kerberos 5
#
# Kerberos v5 KDC
ACCEPT net $FW tcp 88
ACCEPT net $FW udp 88
# kpasswd
#ACCEPT net $FW tcp 464
ACCEPT net $FW udp 464
# kadmin v5 (required for remote administration)
#ACCEPT net $FW tcp 749
# Kerberos v4 KDC
#ACCEPT net $FW tcp 750
#ACCEPT net $FW udp 750
# Kerberos 524
#ACCEPT net $FW tcp 4444
#ACCEPT net $FW udp 4444
#
and restart the packet filter:
# shorewall restart
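As an added example, not from the original HOWTO, the shell script below automates the check described in this section: it reads netstat -tulpen output, keeps only the Kerberos ports named in the rules excerpt, and prints a Shorewall ACCEPT line for each port that is really listening, so that no rule is opened for a service that is not running. The netstat sample is constructed (it includes an unrelated sshd listener that must not yield a rule), the port-to-service table is taken from the excerpt's comments, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): derive the Shorewall rules that are actually
# needed from `netstat -tulpen`-style output. Sample data below is constructed.

# Map protocol and port to the Kerberos service named in the rules excerpt;
# print nothing for ports that are not Kerberos-related.
kerberos_service_name() {
    case "$1/$2" in
        tcp/88|udp/88)     echo "Kerberos v5 KDC" ;;
        tcp/464|udp/464)   echo "kpasswd" ;;
        tcp/749)           echo "kadmin v5 (required for remote administration)" ;;
        tcp/750|udp/750)   echo "Kerberos v4 KDC" ;;
        tcp/4444|udp/4444) echo "Kerberos 524" ;;
        *) ;;
    esac
}

# Read netstat -tulpen output on stdin and emit one ACCEPT rule for every
# Kerberos port that is bound (tcp listeners and udp sockets alike).
shorewall_rules_from_netstat() {
    # column 4 is the local address; the port is the part after the last ':'
    awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print $1, a[n] }' \
    | sed 's/^tcp6/tcp/; s/^udp6/udp/' \
    | sort -u -k1,1 -k2,2n \
    | while read -r proto port; do
        name=$(kerberos_service_name "$proto" "$port")
        [ -n "$name" ] || continue
        printf '# %s\nACCEPT net $FW %s %s\n' "$name" "$proto" "$port"
      done
}

# Constructed sample: KDC on tcp/udp 88, kadmind via inetd on tcp 749,
# kpasswdd only on udp 464, plus an unrelated sshd listener on tcp 22.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      0          12345      1234/kdc
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          12346      1001/sshd
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      0          12347      1100/inetd
udp        0      0 0.0.0.0:88              0.0.0.0:*                           0          12348      1234/kdc
udp        0      0 0.0.0.0:464             0.0.0.0:*                           0          12349      1235/kpasswdd'

# Rules for the constructed sample; on a real host pipe `netstat -tulpen` into
# shorewall_rules_from_netstat instead.
generated_rules() {
    printf '%s\n' "$NETSTAT_SAMPLE" | shorewall_rules_from_netstat
}

generated_rules
```

The output is meant to be compared against the excerpt above before running shorewall restart: a port that appears in the generated rules but is commented out in /etc/shorewall/rules (or vice versa) is exactly the mismatch the text tells you to check for.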