Version 10

    This wiki page is outdated and deprecated. See the SPNEGO documentation in the GateIn reference guide for the latest instructions.

    This article is a step-by-step tutorial for setting up an MIT Kerberos 5 server for development and testing of single sign-on applications. A production setup is much more complicated and out of scope for this article.

    Development Environment:

    • Dell Latitude D820 Intel Centrino Core Duo
    • (K)Ubuntu 8.10 OS

    Although these instructions cover my local Kubuntu 8.10 machine, they should work for other Linux distributions as well; only the package management commands will differ.

    Step 1: Installation

    Install krb5-admin-server, krb5-kdc, krb5-config, krb5-user, krb5-clients and krb5-rsh-server. These will bring some dependencies with them.

    Kerberos configuration is found under: /etc/krb5.conf

    Here is what mine looks like:

    [libdefaults]                                  
            default_realm = LOCAL.NETWORK          
            #dns_lookup_kdc=false                  
            #dns_lookup_realm=false                
    
    # The following krb5.conf variables are only for MIT Kerberos.
            krb4_config = /etc/krb.conf                           
            krb4_realms = /etc/krb.realms                         
            kdc_timesync = 1                                      
            ccache_type = 4                                       
            forwardable = true                                    
            proxiable = true                                      
    
    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are  
    # correct and overriding these specifications only serves to disable new  
    # encryption types as they are added, creating interoperability problems. 
    #                                                                         
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket    
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).                                              
    
    #       default_tgs_enctypes = des3-hmac-sha1
    #       default_tkt_enctypes = des3-hmac-sha1
    #       permitted_enctypes = des3-hmac-sha1  
    
    # The following libdefaults parameters are only for Heimdal Kerberos.
            v4_instance_resolve = false                                  
            v4_name_convert = {                                          
                    host = {                                             
                            rcmd = host                                  
                            ftp = ftp                                    
                    }                                                    
                    plain = {                                            
                            something = something-else                   
                    }                                                    
            }                                                            
            fcc-mit-ticketflags = true                                   
    
    [realms]
            ATHENA.MIT.EDU = {
                    kdc = kerberos.mit.edu:88
                    kdc = kerberos-1.mit.edu:88
                    kdc = kerberos-2.mit.edu:88
                    admin_server = kerberos.mit.edu
                    default_domain = mit.edu       
            }                                      
            MEDIA-LAB.MIT.EDU = {                  
                    kdc = kerberos.media.mit.edu   
                    admin_server = kerberos.media.mit.edu
            }                                            
            ZONE.MIT.EDU = {                             
                    kdc = casio.mit.edu                  
                    kdc = seiko.mit.edu                  
                    admin_server = casio.mit.edu         
            }                                            
            MOOF.MIT.EDU = {                             
                    kdc = three-headed-dogcow.mit.edu:88 
                    kdc = three-headed-dogcow-1.mit.edu:88
                    admin_server = three-headed-dogcow.mit.edu
            }                                                 
            CSAIL.MIT.EDU = {                                 
                    kdc = kerberos-1.csail.mit.edu            
                    kdc = kerberos-2.csail.mit.edu            
                    admin_server = kerberos.csail.mit.edu     
                    default_domain = csail.mit.edu            
                    krb524_server = krb524.csail.mit.edu      
            }                                                 
            IHTFP.ORG = {                                     
                    kdc = kerberos.ihtfp.org                  
                    admin_server = kerberos.ihtfp.org         
            }                                                 
            GNU.ORG = {                                       
                    kdc = kerberos.gnu.org                    
                    kdc = kerberos-2.gnu.org                  
                    kdc = kerberos-3.gnu.org                  
                    admin_server = kerberos.gnu.org           
            }                                                 
            1TS.ORG = {                                       
                    kdc = kerberos.1ts.org                    
                    admin_server = kerberos.1ts.org           
            }                                                 
            GRATUITOUS.ORG = {                                
                    kdc = kerberos.gratuitous.org             
                    admin_server = kerberos.gratuitous.org    
            }                                                 
            DOOMCOM.ORG = {                                   
                    kdc = kerberos.doomcom.org                
                    admin_server = kerberos.doomcom.org       
            }                                                 
            ANDREW.CMU.EDU = {                                
                    kdc = vice28.fs.andrew.cmu.edu            
                    kdc = vice2.fs.andrew.cmu.edu             
                    kdc = vice11.fs.andrew.cmu.edu
                    kdc = vice12.fs.andrew.cmu.edu
                    admin_server = vice28.fs.andrew.cmu.edu
                    default_domain = andrew.cmu.edu
            }
            CS.CMU.EDU = {
                    kdc = kerberos.cs.cmu.edu
                    kdc = kerberos-2.srv.cs.cmu.edu
                    admin_server = kerberos.cs.cmu.edu
            }
            DEMENTIA.ORG = {
                    kdc = kerberos.dementia.org
                    kdc = kerberos2.dementia.org
                    admin_server = kerberos.dementia.org
            }
            stanford.edu = {
                    kdc = krb5auth1.stanford.edu
                    kdc = krb5auth2.stanford.edu
                    kdc = krb5auth3.stanford.edu
                    admin_server = krb5-admin.stanford.edu
                    default_domain = stanford.edu
            }
            LOCAL.NETWORK={
                  kdc = server.local.network
                  admin_server = server.local.network
            }
    
    [domain_realm]
            .mit.edu = ATHENA.MIT.EDU
            mit.edu = ATHENA.MIT.EDU
            .media.mit.edu = MEDIA-LAB.MIT.EDU
            media.mit.edu = MEDIA-LAB.MIT.EDU
            .csail.mit.edu = CSAIL.MIT.EDU
            csail.mit.edu = CSAIL.MIT.EDU
            .whoi.edu = ATHENA.MIT.EDU
            whoi.edu = ATHENA.MIT.EDU
            .stanford.edu = stanford.edu
            .slac.stanford.edu = SLAC.STANFORD.EDU
            local.network = LOCAL.NETWORK
            .local.network = LOCAL.NETWORK
    
    [login]
            krb4_convert = true
            krb4_get_tickets = false

    Your KDC configuration is located under: /etc/krb5kdc/kdc.conf

    Here is what mine looks like:

    [kdcdefaults]
        kdc_ports = 750,88
    
    [realms]
        LOCAL.NETWORK = {
            database_name = /home/soshah/krb5kdc/principal
            admin_keytab = FILE:/home/soshah/krb5kdc/kadm5.keytab
            acl_file = /home/soshah/krb5kdc/kadm5.acl
            key_stash_file = /home/soshah/krb5kdc/stash
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = des3-hmac-sha1
            supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
            default_principal_flags = +preauth
        }
    [logging]
       kdc = FILE:/home/soshah/krb5logs/kdc.log
       admin_server = FILE:/home/soshah/krb5logs/kadmin.log
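
    Taken together, the two files above decide which realm a host name belongs to (the [domain_realm] section of krb5.conf) and which key types the KDC will issue (supported_enctypes in kdc.conf). The Python below is an added example, not code from this wiki page, from GateIn or from MIT Kerberos: it parses the profile format the two files share, resolves a host to its realm the way the library's lookup rules describe (exact host first, then each parent domain with a leading dot, then default_realm), and lists the entries of the kdc.conf above that use ciphers deprecated since this page was written. KRB5_CONF and KDC_CONF are constructed samples trimmed to the LOCAL.NETWORK realm; the second kdc line is made up only to show how repeated keys are collected.

```python
# Added example, not code from the wiki page, GateIn or MIT Kerberos: a small
# reviewer for krb5.conf / kdc.conf.  Parses the shared profile format
# ([section] headers, "key = value" lines, nested "{ }" blocks), resolves a
# host to its realm via [domain_realm], and flags deprecated KDC enctypes.
import re

# Single DES is deprecated by RFC 6649; RC4 (arcfour) and 3DES by RFC 8429.
WEAK_ENCTYPES = {'des', 'des-cbc-crc', 'des-cbc-md4', 'des-cbc-md5',
                 'des3', 'des3-hmac-sha1', 'des3-cbc-sha1', 'rc4-hmac',
                 'arcfour-hmac', 'arcfour-hmac-md5', 'arcfour-hmac-exp'}

KRB5_CONF = """\
[libdefaults]
        default_realm = LOCAL.NETWORK

[realms]
        LOCAL.NETWORK={
              kdc = server.local.network
              # constructed second KDC, not in the page's file
              kdc = kdc2.local.network
              admin_server = server.local.network
        }

[domain_realm]
        local.network = LOCAL.NETWORK
        .local.network = LOCAL.NETWORK
"""

KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    LOCAL.NETWORK = {
        database_name = /home/soshah/krb5kdc/principal
        kdc_ports = 750,88
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
"""


def _store(block, key, value):
    """Keep every occurrence of a repeated key (e.g. several 'kdc =' lines)."""
    if key in block:
        if not isinstance(block[key], list):
            block[key] = [block[key]]
        block[key].append(value)
    else:
        block[key] = value


def parse_profile(text):
    """Parse krb5.conf/kdc.conf text into nested dicts, one per [section]."""
    root, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # blank or comment line
            continue
        m = re.fullmatch(r'\[(\w[\w.-]*)\]', line)
        if m:
            section = root.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError('value before any [section]: ' + line)
        if line == '}':                             # close nested block
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                            # open nested block
            child = {}
            _store(stack[-1], key, child)
            stack.append(child)
        else:
            _store(stack[-1], key, value)
    return root


def realm_for_host(profile, host):
    """[domain_realm]: exact host, then each parent domain with a leading dot,
    then libdefaults default_realm (None if that is unset too)."""
    mapping = profile.get('domain_realm', {})
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return profile.get('libdefaults', {}).get('default_realm')


def weak_enctypes(kdc_profile, realm):
    """supported_enctypes entries ('enctype:salttype') with a deprecated cipher."""
    entries = kdc_profile['realms'][realm].get('supported_enctypes', '').split()
    return [e for e in entries if e.split(':', 1)[0].lower() in WEAK_ENCTYPES]


def audit_kdc(kdc_profile, realm):
    """Findings a reviewer would raise for one realm of kdc.conf."""
    cfg = kdc_profile['realms'][realm]
    findings = []
    weak = weak_enctypes(kdc_profile, realm)
    if weak:
        findings.append('deprecated supported_enctypes: ' + ' '.join(weak))
    if cfg.get('master_key_type', '').lower() in WEAK_ENCTYPES:
        findings.append('deprecated master_key_type: ' + cfg['master_key_type'])
    ports = cfg.get('kdc_ports') or kdc_profile.get('kdcdefaults', {}).get('kdc_ports', '88')
    if '750' in [p.strip() for p in ports.split(',')]:
        findings.append('kdc_ports includes 750, the legacy Kerberos v4 port')
    return findings
```

    Against the files on the page, audit_kdc reports three findings: the DES/RC4/3DES entries in supported_enctypes, the des3-hmac-sha1 master key, and port 750, which only matters if Kerberos v4 clients are still expected. To review the real files, pass open('/etc/krb5.conf').read() and open('/etc/krb5kdc/kdc.conf').read() to parse_profile.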
    

     

    Now create a KDC database using the following command:

    kdb5_util create -s

    Now start your KDC and Kerberos admin servers using the following commands:

    sudo /etc/init.d/krb5-kdc restart
    sudo /etc/init.d/krb5-admin-server restart

    Step 2: Adding Principals and Creating Keys

    Create a Kerberos database and set up a master key for the realm:

    # kdb5_util create -s
    [type password]

    Start an interactive kadmin session and create the necessary principals:

    sudo kadmin.local

    Add the "GateIn machine" that will need to be authenticated:

    addprinc -randkey host/server.local.network

    Add the default "GateIn user accounts" that will be authenticated:

    addprinc demo
    addprinc john

    Generate a "keytab" file for the "GateIn machine". This will be used when configuring the JBoss Negotiation stack inside GateIn:

    ktadd host/server.local.network
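
    To confirm what ktadd actually wrote before the file is handed to JBoss Negotiation, the Python below reads a keytab in the 0x0502 format that klist -k understands and checks that the host principal is present with non-deprecated key types. It is an added example, not code from this page, from GateIn or from MIT Kerberos. SAMPLE_KEYTAB is constructed in memory with dummy key bytes (an AES-256, an RC4 and a DES key, so the check has something to report) plus one deleted slot; the keytab from the page is not reproduced, and the enctype numbers are the RFC 3961 registry values.

```python
# Added example, not code from the wiki page, GateIn or MIT Kerberos: read an
# MIT keytab the way "klist -k" does.  Version 0x0502 layout:
#   05 02 | per entry: int32 length, uint16 n_components, realm, components...,
#   uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
#   uint16 key_length, key bytes [, uint32 vno32]
# Every string is uint16 length + bytes; a negative entry length marks a
# deleted slot whose payload must be skipped.
import struct

ENCTYPE_NAMES = {1: 'des-cbc-crc', 3: 'des-cbc-md5', 16: 'des3-cbc-sha1',
                 17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96',
                 23: 'arcfour-hmac'}
DEPRECATED = {1, 3, 16, 23}          # DES (RFC 6649), 3DES and RC4 (RFC 8429)
KRB5_NT_PRINCIPAL = 1


def _cstr(b):
    return struct.pack('>H', len(b)) + b


def build_keytab(entries, deleted_slots=0):
    """entries: (principal, enctype, kvno, key, timestamp).  deleted_slots adds
    leading negative-length holes, as kadmin leaves behind after ktremove."""
    out = bytearray(b'\x05\x02')
    for _ in range(deleted_slots):
        out += struct.pack('>i', -8) + bytes(8)
    for principal, enctype, kvno, key, ts in entries:
        name, realm = principal.rsplit('@', 1)
        comps = name.split('/')
        body = struct.pack('>H', len(comps)) + _cstr(realm.encode())
        body += b''.join(_cstr(c.encode()) for c in comps)
        body += struct.pack('>IIB', KRB5_NT_PRINCIPAL, ts, kvno & 0xff)
        body += struct.pack('>HH', enctype, len(key)) + key
        body += struct.pack('>I', kvno)               # 32-bit vno for kvno > 255
        out += struct.pack('>i', len(body)) + body
    return bytes(out)


def _read_cstr(data, pos):
    (n,) = struct.unpack_from('>H', data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def read_keytab(data):
    """One dict per live entry: principal, enctype, enctype_name, kvno, timestamp."""
    if data[:2] != b'\x05\x02':
        raise ValueError('not a version-2 MIT keytab')
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from('>i', data, pos)
        pos += 4
        if size < 0:                                  # deleted slot: skip hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from('>H', data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        _name_type, ts, kvno = struct.unpack_from('>IIB', data, pos)
        enctype, klen = struct.unpack_from('>HH', data, pos + 9)
        pos += 13 + klen                              # step over the key itself
        if end - pos >= 4:                            # optional 32-bit vno
            (vno32,) = struct.unpack_from('>I', data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({'principal': '/'.join(comps) + '@' + realm,
                        'enctype': enctype, 'kvno': kvno, 'timestamp': ts,
                        'enctype_name': ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def check_keytab(data, expected_principal):
    """(ok, problems): ok only if the principal is present and every one of its
    keys uses a non-deprecated enctype."""
    mine = [e for e in read_keytab(data) if e['principal'] == expected_principal]
    if not mine:
        return False, [expected_principal + ' missing from keytab']
    problems = ['kvno %d uses deprecated %s' % (e['kvno'], e['enctype_name'])
                for e in mine if e['enctype'] in DEPRECATED]
    return not problems, problems


HOST = 'host/server.local.network@LOCAL.NETWORK'
SAMPLE_KEYTAB = build_keytab([                    # constructed, dummy key bytes
    (HOST, 18, 2, b'\x11' * 32, 1230000000),      # AES-256 key
    (HOST, 23, 2, b'\x22' * 16, 1230000000),      # RC4 key
    (HOST, 1, 2, b'\x33' * 8, 1230000000),        # single-DES key
], deleted_slots=1)
```

    On the sample, check_keytab(SAMPLE_KEYTAB, HOST) returns ok=False with the RC4 and DES keys listed; on a real file call check_keytab(open('/etc/krb5.keytab', 'rb').read(), HOST). The keytab is a credential equivalent for host/server.local.network, so also confirm the file is mode 0600 and owned by the account that runs GateIn.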
    

     

    Step 3: Set up your /etc/hosts file to add server.local.network as a valid host

    Add this to /etc/hosts:

    192.168.1.103   server.local.network

    Make sure this is a proper IP address and not a loopback address. Kerberos does not like hosts with loopback IPs.

    This is also the host to which the GateIn Portal should be bound using the "-b" option. This will be covered in more detail in the GateIn configuration.

    Step 4: Test your setup

    Log in:

    kinit -A demo

    Do not forget the -A. Without it, Kerberos ticket validation involves reverse DNS lookups, which can get very cumbersome to debug if your network's DNS setup is not great. This is a production-level security feature that is not necessary in this development setup.

    See if it worked:

    klist

    Destroy the issued ticket. This is usually done before logging in as another user:

    kdestroy

    Step 5: Switch from Coffee to Beer. You are done!!!

    Special thanks to: http://www.alittletooquiet.net/text/kerberos-on-ubuntu/