Setting up your Kerberos Development Environment

This wiki page is outdated and deprecated. See the SPNEGO documentation in the GateIn reference guide for the latest instructions.

This article is a step-by-step tutorial for setting up an MIT Kerberos 5 server for development and testing of Single Sign-On applications. A production setup is much more involved and out of scope for this article.

Development Environment:

  • Dell Latitude D820 Intel Centrino Core Duo
  • (K)Ubuntu 8.10 OS

Although these instructions were written on my local Kubuntu 8.10 machine, they should work on other Linux distributions as well; only the package management commands will differ.

Step 1: Installation

Install krb5-admin-server, krb5-kdc, krb5-config, krb5-user, krb5-clients, and krb5-rsh-server. These will pull in some dependencies.

Kerberos configuration is found under: /etc/krb5.conf

Here is what mine looks like:

[libdefaults]                                  
        default_realm = LOCAL.NETWORK          
        #dns_lookup_kdc=false                  
        #dns_lookup_realm=false                

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf                           
        krb4_realms = /etc/krb.realms                         
        kdc_timesync = 1                                      
        ccache_type = 4                                       
        forwardable = true                                    
        proxiable = true                                      

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are  
# correct and overriding these specifications only serves to disable new  
# encryption types as they are added, creating interoperability problems. 
#                                                                         
# The only time when you might need to uncomment these lines and change  
# the enctypes is if you have local software that will break on ticket    
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).                                              

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1  

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false                                  
        v4_name_convert = {                                          
                host = {                                             
                        rcmd = host                                  
                        ftp = ftp                                    
                }                                                    
                plain = {                                            
                        something = something-else                   
                }                                                    
        }                                                            
        fcc-mit-ticketflags = true                                   

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu:88
                kdc = kerberos-1.mit.edu:88
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu       
        }                                      
        MEDIA-LAB.MIT.EDU = {                  
                kdc = kerberos.media.mit.edu   
                admin_server = kerberos.media.mit.edu
        }                                            
        ZONE.MIT.EDU = {                             
                kdc = casio.mit.edu                  
                kdc = seiko.mit.edu                  
                admin_server = casio.mit.edu         
        }                                            
        MOOF.MIT.EDU = {                             
                kdc = three-headed-dogcow.mit.edu:88 
                kdc = three-headed-dogcow-1.mit.edu:88
                admin_server = three-headed-dogcow.mit.edu
        }                                                 
        CSAIL.MIT.EDU = {                                 
                kdc = kerberos-1.csail.mit.edu            
                kdc = kerberos-2.csail.mit.edu            
                admin_server = kerberos.csail.mit.edu     
                default_domain = csail.mit.edu            
                krb524_server = krb524.csail.mit.edu      
        }                                                 
        IHTFP.ORG = {                                     
                kdc = kerberos.ihtfp.org                  
                admin_server = kerberos.ihtfp.org         
        }                                                 
        GNU.ORG = {                                       
                kdc = kerberos.gnu.org                    
                kdc = kerberos-2.gnu.org                  
                kdc = kerberos-3.gnu.org                  
                admin_server = kerberos.gnu.org           
        }                                                 
        1TS.ORG = {                                       
                kdc = kerberos.1ts.org                    
                admin_server = kerberos.1ts.org           
        }                                                 
        GRATUITOUS.ORG = {                                
                kdc = kerberos.gratuitous.org             
                admin_server = kerberos.gratuitous.org    
        }                                                 
        DOOMCOM.ORG = {                                   
                kdc = kerberos.doomcom.org                
                admin_server = kerberos.doomcom.org       
        }                                                 
        ANDREW.CMU.EDU = {                                
                kdc = vice28.fs.andrew.cmu.edu            
                kdc = vice2.fs.andrew.cmu.edu             
                kdc = vice11.fs.andrew.cmu.edu
                kdc = vice12.fs.andrew.cmu.edu
                admin_server = vice28.fs.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementia.org
                kdc = kerberos2.dementia.org
                admin_server = kerberos.dementia.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        LOCAL.NETWORK={
              kdc = server.local.network
              admin_server = server.local.network
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        local.network = LOCAL.NETWORK
        .local.network = LOCAL.NETWORK

[login]
        krb4_convert = true
        krb4_get_tickets = false

Your KDC Configuration is located under: /etc/krb5kdc/kdc.conf

Here is what mine looks like:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    LOCAL.NETWORK = {
        database_name = /home/soshah/krb5kdc/principal
        admin_keytab = FILE:/home/soshah/krb5kdc/kadm5.keytab
        acl_file = /home/soshah/krb5kdc/kadm5.acl
        key_stash_file = /home/soshah/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
[logging]
   kdc = FILE:/home/soshah/krb5logs/kdc.log
   admin_server = FILE:/home/soshah/krb5logs/kadmin.log

Now create the KDC database (the -s flag also writes the master key to the stash file named in kdc.conf) using the following command:

kdb5_util create -s

Now start your KDC and Kerberos Admin servers using the following commands:

sudo /etc/init.d/krb5-kdc restart
sudo /etc/init.d/krb5-admin-server restart

Step 2: Adding Principals and Creating Keys

Create the Kerberos database and set up a master key for the realm (this is the same kdb5_util create step as above; skip it if the database already exists):

# kdb5_util create -s
[type password]

Start an interactive kadmin session and create the necessary principals:

sudo kadmin.local

Add the "GateIn machine" (its host principal) that will need to be authenticated:

addprinc -randkey host/server.local.network

Add the default "GateIn user accounts" that will be authenticated:

addprinc demo
addprinc john

Generate a "keytab" file for the "GateIn machine". It will be used when configuring the JBoss Negotiation stack inside GateIn. Note that ktadd writes to /etc/krb5.keytab unless you pass -k <file>, and each ktadd generates a fresh random key for the principal, so any older copy of the keytab stops working.

ktadd host/server.local.network

Step 3: Setup your /etc/hosts file to add server.local.network as a valid host

Add this to /etc/hosts:

192.168.1.103   server.local.network

Make sure this is a proper IP address and not a loopback address; Kerberos does not like hosts with loopback IPs.

This is also the host to which the GateIn Portal should be bound using the "-b" option. This will be covered in more detail in the GateIn configuration.

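Before moving on to kinit, it helps to check that the files above agree with each other. The script below is an added example written for this page, not code from the original article or from GateIn: it parses a krb5.conf-style file (the [section] / key = value / nested-brace layout shown above), verifies that default_realm has kdc and admin_server entries plus a [domain_realm] mapping, and applies the Step 3 rule that the KDC host must not map to a loopback address. The config and hosts text it reads are constructed samples embedded inline.

```python
import ipaddress
# Constructed sample text modelled on the files shown above (not the page's own files).
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = LOCAL.NETWORK
# comment lines start with # or ; as in the stock krb5.conf
[realms]
        LOCAL.NETWORK={
              kdc = server.local.network
              admin_server = server.local.network
        }
[domain_realm]
        local.network = LOCAL.NETWORK
"""
SAMPLE_HOSTS = "127.0.0.1   localhost\n192.168.1.103   server.local.network\n"

def parse_krb5_conf(text):
    """Parse [section] / key = value / key = { ... } into nested dicts; leaves are lists (keys may repeat)."""
    sections, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":               # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()                               # close the current nested group
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)   # e.g. several kdc = lines

    return sections

def check_realm(conf):
    """Problems with default_realm: missing kdc/admin_server, or no [domain_realm] entry for it."""
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if not realm:
        return ["no default_realm in [libdefaults]"]
    entry = conf.get("realms", {}).get(realm, {})
    problems = [f"[realms] {realm} lacks {k}" for k in ("kdc", "admin_server") if k not in entry]
    if [realm] not in conf.get("domain_realm", {}).values():
        problems.append(f"[domain_realm] maps no domain to {realm}")
    return problems

def check_hosts(hosts_text, hostname):
    """Step 3 rule: hostname must map to a real, non-loopback address in the hosts file."""
    addrs = [f[0] for f in (l.split() for l in hosts_text.splitlines()) if hostname in f[1:]]
    return bool(addrs) and not ipaddress.ip_address(addrs[0]).is_loopback
```

Run check_realm(parse_krb5_conf(open("/etc/krb5.conf").read())) and check_hosts(open("/etc/hosts").read(), "server.local.network") against the real files; an empty problem list and True mean the setup matches what the steps above expect.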

Step 4: Test your setup

Login:

kinit -A demo

Do not forget the -A (it requests address-less tickets). Without the -A, Kerberos ticket validation involves reverse DNS lookups, which can get very cumbersome to debug if your network's DNS setup is not great. This is a production-level security feature that is not necessary in this development setup.

See if it worked:

klist

Destroy the issued ticket (the credential cache). This is usually done before logging in as another user:

kdestroy

Step 5: Switch from Coffee to Beer. You are done!!!

Special thanks to: http://www.alittletooquiet.net/text/kerberos-on-ubuntu/