System Administration Guide: Security Services
Previous Next

Configuring KDC Servers

After you install the Kerberos software, you must configure the KDC servers. Configuring a master KDC and at least one slave KDC provides the service that issues credentials. These credentials are the basis for the Kerberos service, so the KDCs must be installed before you attempt other tasks.

The most significant difference between a master KDC and a slave KDC is that only the master KDC can handle database administration requests. For instance, changing a password or adding a new principal must be done on the master KDC. These changes can then be propagated to the slave KDCs. Both the slave KDC and master KDC generate credentials. This feature provides redundancy in case the master KDC cannot respond.

Table 23-1 Configuring KDC Servers (Task Map)

Task

Description

For Instructions

Configuring a Master KDC

Configures and builds the master KDC server and database for a realm using an automatic process, which is good for scripts.

How to Automatically Configure a Master KDC

Configures and builds the master KDC server and database for a realm using an interactive process, which is sufficient for most installations

How to Interactively Configure a Master KDC

Configures and builds the master KDC server and database for a realm using a manual process, which is needed for more complex installations

How to Configure a Master KDC

Configures and builds the master KDC server and database for a realm using a manual process and using LDAP for the KDC

How to Configure a KDC to Use an LDAP Data Server

Configure a slave KDC server.

Configures and builds a slave KDC server for a realm using an automatic process, which is good for scripts

How to Automatically Configure a Slave KDC

Configures and builds a slave KDC server for a realm using an interactive process, which is sufficient for most installations

How to Interactively Configure a Slave KDC

Configures and builds a slave KDC server for a realm using the manual process, which is needed for more complex installations

How to Configure a Slave KDC

How to Automatically Configure a Master KDC

Starting with the Solaris 10 5/08 and the Solaris Express Developer Edition 1/08 releases, a master KDC can be automatically configured by using the following procedure.

  1. Become superuser.
  2. Create the KDC.

    Run the kdcmgr utility to create the KDC. You need to provide both the master key password and the password for the administrative principal.

    kdc1# kdcmgr -a kws/admin -r EXAMPLE.COM create master
    
    Starting server setup
    ---------------------------------------
    
    Setting up /etc/krb5/kdc.conf
    
    Setting up /etc/krb5/krb5.conf
    
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM', 
    master key name 'K/M@EXAMPLE.COM' 
    You will be prompted for the database Master Password. 
    It is important that you NOT FORGET this password. 
    Enter KDC database master key: <Type the password>
    Re-enter KDC database master key to verify: <Type it again>
    
    Authenticating as principal root/admin@EXAMPLE.COM with password. 
    WARNING: no policy specified for kws/admin@EXAMPLE.COM; defaulting to no policy 
    Enter password for principal "kws/admin@EXAMPLE.COM": <Type the password>
    Re-enter password for principal "kws/admin@EXAMPLE.COM": <Type it again>
    Principal "kws/admin@EXAMPLE.COM" created. 
    
    Setting up /etc/krb5/kadm5.acl. 
    
    --------------------------------------------------- 
    Setup COMPLETE. 
    
    kdc1#

How to Interactively Configure a Master KDC

Starting with the Solaris 10 5/08 and the Solaris Express Developer Edition 1/08 releases, a master KDC can be interactively configured by using the following procedure.

  1. Become superuser.
  2. Create the KDC.

    Run the kdcmgr utility to create the KDC. You need to provide both the master key password and the password for the administrative principal.

    kdc1# kdcmgr create master
    
    Starting server setup
    ---------------------------------------
    
    Enter the Kerberos realm: EXAMPLE.COM
    
    Setting up /etc/krb5/kdc.conf
    
    Setting up /etc/krb5/krb5.conf
    
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM', 
    master key name 'K/M@EXAMPLE.COM' 
    You will be prompted for the database Master Password. 
    It is important that you NOT FORGET this password. 
    Enter KDC database master key: <Type the password>
    Re-enter KDC database master key to verify: <Type it again>
    
    Enter the krb5 administrative principal to be created: kws/admin
    
    Authenticating as principal root/admin@EXAMPLE.COM with password. 
    WARNING: no policy specified for kws/admin@EXAMPLE.COM; defaulting to no policy 
    Enter password for principal "kws/admin@EXAMPLE.COM": <Type the password>
    Re-enter password for principal "kws/admin@EXAMPLE.COM": <Type it again>
    Principal "kws/admin@EXAMPLE.COM" created. 
    
    Setting up /etc/krb5/kadm5.acl. 
    
    --------------------------------------------------- 
    Setup COMPLETE. 
    
    kdc1#
Example 23-1 Displaying the Status of a KDC Server

The kdcmgr status command can be used to display information about either a master or a slave KDC server.

How to Configure a Master KDC

In this procedure, incremental propagation is configured. In addition, the following configuration parameters are used:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • admin principal = kws/admin

  • Online help URL = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956


    Note - Adjust the URL to point to the “Graphical Kerberos Administration Tool” section, as described in Online Help URL in the Graphical Kerberos Administration Tool.


Before You Begin

This procedure requires that the host is configured to use DNS. For specific naming instructions if this master is to be swappable, see Swapping a Master KDC and a Slave KDC.

  1. Become superuser on the master KDC.
  2. Edit the Kerberos configuration file (krb5.conf).

    You need to change the realm names and the names of the servers. See the krb5.conf(4) man page for a full description of this file.

    kdc1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM
    
    [realms]
            EXAMPLE.COM = {
            kdc = kdc1.example.com
            admin_server = kdc1.example.com
            }
    
    [domain_realm]
            .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent, 
    # this entry is not needed
    #
    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
        gkadmin = {
            help_url = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
            }

    In this example, the lines for default_realm, kdc, admin_server, and all domain_realm entries were changed. In addition, the line that defines the help_url was edited.


    Note - If you want to restrict the encryption types, you can set the default_tkt_enctypes or default_tgs_enctypes lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting the encryption types.


  3. Edit the KDC configuration file (kdc.conf).

    You need to change the realm name. See the kdc.conf(4) man page for a full description of this file.

    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM = {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
                    sunw_dbprop_master_ulogsize = 1000
                    }

    In this example, the realm name definition in the realms section was changed. Also, in the realms section, lines to enable incremental propagation and to select the number of updates the KDC master keeps in the log were added.


    Note - If you want to restrict the encryption types, you can set the permitted_enctypes, supported_enctypes, or master_key_type lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting the encryption types.


  4. Create the KDC database by using the kdb5_util command.

    The kdb5_util command creates the KDC database. Also, when used with the -s option, this command creates a stash file that is used to authenticate the KDC to itself before the kadmind and krb5kdc daemons are started.

    kdc1 # /usr/sbin/kdb5_util create -s
    Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM'
    master key name 'K/M@EXAMPLE.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key: <Type the key>
    Re-enter KDC database master key to verify: <Type it again>
  5. Edit the Kerberos access control list file (kadm5.acl).

    Once populated, the /etc/krb5/kadm5.acl file should contain all principal names that are allowed to administer the KDC.

    kws/admin@EXAMPLE.COM   *

    The entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals or policies in the KDC. The default installation includes an asterisk (*) to match all admin principals. This default could be a security risk, so it is more secure to include a list of all of the admin principals. See the kadm5.acl(4) man page for more information.

  6. Start the kadmin.local command and add principals.

    The next substeps create principals that are used by the Kerberos service.

    kdc1 # /usr/sbin/kadmin.local
    kadmin.local: 
    1. Add administration principals to the database.

      You can add as many admin principals as you need. You must add at least one admin principal to complete the KDC configuration process. For this example, a kws/admin principal is added. You can substitute an appropriate principal name instead of “kws.”

      kadmin.local: addprinc kws/admin
      Enter password for principal kws/admin@EXAMPLE.COM:<Type the password>
      Re-enter password for principal kws/admin@EXAMPLE.COM: <Type it again>
      Principal "kws/admin@EXAMPLE.COM" created.
      kadmin.local: 
    2. Create the kiprop principals.

      The kiprop principal is used to authorize updates from the master KDC.

      kadmin.local: addprinc -randkey kiprop/kdc1.example.com
      Principal "kiprop/kdc1.example.com@EXAMPLE.COM" created.
      kadmin.local:
    3. Create a keytab file for the kadmind service.

      This command sequence creates a special keytab file with principal entries for kadmin/<FQDN> and changepw/<FQDN>. These principals are needed for the kadmind service and for passwords to be changed. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file. The kadmin/changepw principal is used to change passwords from clients that are not running a Solaris release.

      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc1.example.com
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
      Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local:
    4. Add the kiprop principal for the master KDC server to the kadmind keytab file.

      Adding the kiprop principal to the kadm5.keytab file allows the kadmind command to authenticate itself when incremental propagation is started.

      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc1.example.com
      Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kiprop/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local: 
    5. Quit kadmin.local.

      You have added all of the required principals for the next steps.

      kadmin.local: quit
  7. Start the Kerberos daemons.
    kdc1 # svcadm enable -r network/security/krb5kdc
    kdc1 # svcadm enable -r network/security/kadmin
  8. Start kadmin and add more principals.

    At this point, you can add principals by using the Graphical Kerberos Administration Tool. To do so, you must log in with one of the admin principal names that you created earlier in this procedure. However, the following command-line example is shown for simplicity.

    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: 
    1. Create the master KDC host principal.

      The host principal is used by Kerberized applications, such as kprop to propagate changes to the slave KDCs. This principal is also used to provide secure remote access to the KDC server using applications, like ssh. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin: addprinc -randkey host/kdc1.example.com
      Principal "host/kdc1.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. (Optional) Create the kclient principal.

      This principal is used by the kclient utility during the installation of a Kerberos client. If you do not plan on using this utility, then you do not need to add the principal. The users of the kclient utility need to use this password.

      kadmin: addprinc clntconfig/admin
      Enter password for principal clntconfig/admin@EXAMPLE.COM:<Type the password>
      Re-enter password for principal clntconfig/admin@EXAMPLE.COM: <Type it again>
      Principal "clntconfig/admin@EXAMPLE.COM" created.
      kadmin: 
    3. Add the master KDC's host principal to the master KDC's keytab file.

      Adding the host principal to the keytab file allows this principal to be used by application servers, like sshd, automatically.

      kadmin: ktadd host/kdc1.example.com
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    4. Quit kadmin.
      kadmin: quit
  9. (Optional) Synchronize the master KDCs clock by using NTP or another clock synchronization mechanism.

    Installing and using the Network Time Protocol (NTP) is not required. However, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file for authentication to succeed. See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.

  10. Configure Slave KDCs.

    To provide redundancy, make sure to install at least one slave KDC. See How to Configure a Slave KDC for specific instructions.

How to Configure a KDC to Use an LDAP Data Server

Starting with the Solaris 10 5/08 and the Solaris Express Developer Edition 1/08 releases, a KDC can be configured to use an LDAP data server by using the following procedure.

In this procedure, the following configuration parameters are used:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Directory Server = dsserver.example.com

  • admin principal = kws/admin

  • Online help URL = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956


    Note - Adjust the URL to point to the “Graphical Kerberos Administration Tool” section, as described in Online Help URL in the Graphical Kerberos Administration Tool.


Before You Begin

This procedure also requires that the host is configured to use DNS. For better performance, install the KDC and the LDAP Directory Service on the same server. In addition, a directory server should be running. The procedure below works with servers using the Sun JavaTM Directory Server Enterprise Edition release.

  1. Become superuser on the KDC.
  2. Configure the master KDC to use SSL to reach the directory server.

    The following steps configure a Solaris Express Developer Release KDC to use the Directory Server 6.1 self-signed certificate. If the certificate has expired, follow the instructions for renewing a certificate in To Manage Self-Signed Certificates in Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide.

    1. On the directory server, export the self-signed directory server certificate.
      # /export/sun-ds6.1/ds6/bin/dsadm show-cert -F der /export/sun-ds6.1/directory2 \ defaultCert > /tmp/defaultCert.cert.der
    2. On the master KDC, import the directory server certificate.
      # pktool setpin keystore=nss dir=/var/ldap
      # chmod a+r /var/ldap/*.db
      # pktool import keystore=nss objtype=cert trust="CT" infile=/tmp/defaultCert.certutil.der \
              label=defaultCert dir=/var/ldap
    3. On the master KDC, test that SSL is working.

      This example assumes that the cn=directory managerentry has administration privileges.

      /usr/bin/ldapsearch -Z -P /var/ldap -D "cn=directory manager" \ -h dsserver.example.com -b "" -s base objectclass='*'
      Subject:
          "CN=dsserver.example.com,CN=636,CN=Directory Server,O=Example Corporation

      Note that the CN=dsserver.example.com entry should include the fully qualified host name, not a short version.

  3. Populate the LDAP directory, if necessary.
  4. Add the Solaris Kerberos schema to the existing schema.
    # ldapmodify -h dsserver.example.com -D "cn=directory manager" -f /usr/share/lib/ldif/kerberos.ldif
  5. Create the Kerberos container in the LDAP directory.

    Add the following entries to the krb5.conf file.

    1. Define the database type.

      Add an entry to define the database_moduleto the realms section.

      database_module = LDAP
    2. Define the database module.
      [dbmodules] LDAP = { ldap_kerberos_container_dn = "cn=krbcontainer,dc=example,dc=com" db_library = kldap ldap_kdc_dn = "cn=kdc service,ou=profile,dc=example,dc=com" ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=example,dc=com" ldap_cert_path = /var/ldap ldap_servers = ldaps://dsserver.example.com }
    3. Create the KDC in the LDAP directory.

      This command creates krbcontainer and several other objects. It also creates a /var/krb5/.k5.EXAMPLE.COM master key stash file.

      # kdb5_ldap_util -D "cn=directory manager" create -P abcd1234 -r EXAMPLE.COM -s
  6. Stash the KDC bind Distinguished Name (DN) passwords.

    These passwords are used by the KDC when it binds to the DS. The KDC uses different roles depending on the type of access the KDC is using.

    # kdb5_ldap_util stashsrvpw "cn=kdc service,ou=profile,dc=example,dc=com"
    # kdb5_ldap_util stashsrvpw "cn=kadmin service,ou=profile,dc=example,dc=com"
  7. Add KDC service roles.
    1. Create a kdc_roles.ldif file with contents like this:
      dn: cn=kdc service,ou=profile,dc=example,dc=com
      cn: kdc service
      sn: kdc service
      objectclass: top
      objectclass: person
      userpassword: test123
      
      dn: cn=kadmin service,ou=profile,dc=example,dc=com
      cn: kadmin service
      sn: kadmin service
      objectclass: top
      objectclass: person
      userpassword: test123
    2. Create the role entries in the LDAP directory
      # ldapmodify -a -h dsserver.example.com -D "cn=directory manager" -f kdc_roles.ldif
  8. Set the ACLs for the KDC-related roles.
    # cat << EOF | ldapmodify -h dsserver.example.com -D "cn=directory manager" 
    # Set kadmin ACL for everything under krbcontainer.
    dn: cn=krbcontainer,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///cn=krbcontainer,dc=example,dc=com")(targetattr="krb*")(version 3.0;\
          acl kadmin_ACL; allow (all)\
          userdn = "ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
    
    # Set kadmin ACL for everything under the people subtree if there are
    # mix-in entries for krb princs:
    dn: ou=people,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="krb*")(version 3.0;\
          acl kadmin_ACL; allow (all)\
          userdn = "ldap:///cn=kadmin service,ou=profile,dc=example,dc=com";)
    EOF
  9. Edit the Kerberos configuration file (krb5.conf).

    You need to change the realm names and the names of the servers. See the krb5.conf(4) man page for a full description of this file.

    kdc1 # cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = EXAMPLE.COM
    
    [realms]
            EXAMPLE.COM = {
            kdc = kdc1.example.com
            admin_server = kdc1.example.com
            }
    
    [domain_realm]
            .example.com = EXAMPLE.COM
    #
    # if the domain name and realm name are equivalent, 
    # this entry is not needed
    #
    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
        gkadmin = {
            help_url = http://denver:8888/ab2/coll.384.1/SEAM/@AB2PageView/6956
            }

    In this example, the lines for default_realm, kdc, admin_server, and all domain_realm entries were changed. In addition, the line that defines the help_url was edited.


    Note - If you want to restrict the encryption types, you can set the default_tkt_enctypes or default_tgs_enctypes lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting the encryption types.


  10. Edit the KDC configuration file (kdc.conf).

    You need to change the realm name. See the kdc.conf(4) man page for a full description of this file.

    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM = {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
                    sunw_dbprop_master_ulogsize = 1000
                    }

    In this example, the realm name definition in the realms section was changed. Also, in the realms section, lines to enable incremental propagation and to select the number of updates the KDC master keeps in the log were added.


    Note - If you want to restrict the encryption types, you can set the permitted_enctypes, supported_enctypes, or master_key_type lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting the encryption types.


  11. Edit the Kerberos access control list file (kadm5.acl).

    Once populated, the /etc/krb5/kadm5.acl file should contain all principal names that are allowed to administer the KDC.

    kws/admin@EXAMPLE.COM   *

    The entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals or policies in the KDC. The default installation includes an asterisk (*) to match all admin principals. This default could be a security risk, so it is more secure to include a list of all of the admin principals. See the kadm5.acl(4) man page for more information.

  12. Start the kadmin.local command and add principals.

    The next substeps create principals that are used by the Kerberos service.

    kdc1 # /usr/sbin/kadmin.local
    kadmin.local: 
    1. Add administration principals to the database.

      You can add as many admin principals as you need. You must add at least one admin principal to complete the KDC configuration process. For this example, a kws/admin principal is added. You can substitute an appropriate principal name instead of “kws.”

      kadmin.local: addprinc kws/admin
      Enter password for principal kws/admin@EXAMPLE.COM:<Type the password>
      Re-enter password for principal kws/admin@EXAMPLE.COM: <Type it again>
      Principal "kws/admin@EXAMPLE.COM" created.
      kadmin.local: 
    2. Create a keytab file for the kadmind service.

      This command sequence creates a special keytab file with principal entries for kadmin and changepw. These principals are needed for the kadmind service. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc1.example.com
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
      Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
      kadmin.local:
    3. Quit kadmin.local.

      You have added all of the required principals for the next steps.

      kadmin.local: quit
  13. Start the Kerberos daemons.
    kdc1 # svcadm enable -r network/security/krb5kdc
    kdc1 # svcadm enable -r network/security/kadmin
  14. Start kadmin and add more principals.

    At this point, you can add principals by using the Graphical Kerberos Administration Tool. To do so, you must log in with one of the admin principal names that you created earlier in this procedure. However, the following command-line example is shown for simplicity.

    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: 
    1. Create the master KDC host principal.

      The host principal is used by Kerberized applications, such as klist and kprop. Solaris 10 clients use this principal when mounting an authenticated NFS file system. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin: addprinc -randkey host/kdc1.example.com
      Principal "host/kdc1.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. (Optional) Create the kclient principal.

      This principal is used by the kclient utility during the installation of a Kerberos client. If you do not plan on using this utility, then you do not need to add the principal. The users of the kclient utility need to use this password.

      kadmin: addprinc clntconfig/admin
      Enter password for principal clntconfig/admin@EXAMPLE.COM:<Type the password>
      Re-enter password for principal clntconfig/admin@EXAMPLE.COM: <Type it again>
      Principal "clntconfig/admin@EXAMPLE.COM" created.
      kadmin: 
    3. Add the master KDC's host principal to the master KDC's keytab file.

      Adding the host principal to the keytab file allows this principal to be used automatically.

      kadmin: ktadd host/kdc1.example.com
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc1.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    4. Quit kadmin.
      kadmin: quit
  15. (Optional) Synchronize the master KDCs clock by using NTP or another clock synchronization mechanism.

    Installing and using the Network Time Protocol (NTP) is not required. However, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file for authentication to succeed. See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.

  16. Configure Slave KDCs.

    To provide redundancy, make sure to install at least one slave KDC. See How to Configure a Slave KDC for specific instructions.

How to Automatically Configure a Slave KDC

Starting with the Solaris 10 5/08 and the Solaris Express Developer Edition 1/08 releases, a slave KDC can be automatically configured by using the following procedure.

  1. Become superuser.
  2. Create the KDC.

    Run the kdcmgr utility to create the KDC. You need to provide both the master key password and the password for the administrative principal.

    kdc2# kdcmgr -a kws/admin -r EXAMPLE.COM create -m kdc1 slave
    
    Starting server setup
    ---------------------------------------
    
    Setting up /etc/krb5/kdc.conf
    
    Setting up /etc/krb5/krb5.conf
    Obtaining TGT for kws/admin ... 
    Password for kws/admin@EXAMPLE.COM: <Type the password>
    
    Setting up /etc/krb5/kadm5.acl. 
    
    Setting up /etc/krb5/kpropd.acl. 
    
    Waiting for database from master... 
    Waiting for database from master... 
    Waiting for database from master... 
    kdb5_util: Cannot find/read stored master key while reading master key 
    kdb5_util: Warning: proceeding without master key 
    Enter KDC database master key: <Type the password>
    
    --------------------------------------------------- 
    Setup COMPLETE. 
    
    kdc2#

How to Interactively Configure a Slave KDC

Starting with the Solaris 10 5/08 and the Solaris Express Developer Edition 1/08 releases, a slave KDC can be interactively configured by using the following procedure.

  1. Become superuser.
  2. Create the KDC.

    Run the kdcmgr utility to create the KDC. You need to provide both the master key password and the password for the administrative principal.

    kdc1# kdcmgr create slave
    
    Starting server setup
    ---------------------------------------
    
    Enter the Kerberos realm: EXAMPLE.COM
    What is the master KDC's host name?: kdc1
    
    Setting up /etc/krb5/kdc.conf
    
    Setting up /etc/krb5/krb5.conf
    Obtaining TGT for kws/admin ... 
    Password for kws/admin@EXAMPLE.COM: <Type the password>
    
    Setting up /etc/krb5/kadm5.acl. 
    
    Setting up /etc/krb5/kpropd.acl. 
    
    Waiting for database from master... 
    Waiting for database from master... 
    Waiting for database from master... 
    kdb5_util: Cannot find/read stored master key while reading master key 
    kdb5_util: Warning: proceeding without master key 
    Enter KDC database master key: <Type the password>
    
    --------------------------------------------------- 
    Setup COMPLETE. 
    
    kdc2#

How to Configure a Slave KDC

In this procedure, a new slave KDC named kdc2 is configured. Also, incremental propagation is configured. This procedure uses the following configuration parameters:

  • Realm name = EXAMPLE.COM

  • DNS domain name = example.com

  • Master KDC = kdc1.example.com

  • Slave KDC = kdc2.example.com

  • admin principal = kws/admin

Before You Begin

The master KDC must be configured. For specific instructions if this slave is to be swappable, see Swapping a Master KDC and a Slave KDC.

  1. On the master KDC, become superuser.
  2. On the master KDC, start kadmin.

    You must log in with one of the admin principal names that you created when you configured the master KDC.

    kdc1 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: 
    1. On the master KDC, add slave host principals to the database, if not already done.

      For the slave to function, it must have a host principal. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin: addprinc -randkey host/kdc2.example.com
      Principal "host/kdc2.example.com@EXAMPLE.COM" created.
      kadmin: 
    2. On the master KDC, create the kiprop principal.

      The kiprop principal is used to authorize incremental propagation from the master KDC.

      kadmin: addprinc -randkey kiprop/kdc2.example.com
      Principal "kiprop/kdc2.example.com@EXAMPLE.COM" created.
      kadmin:
    3. Quit kadmin.
      kadmin: quit
  3. On the master KDC, edit the Kerberos configuration file (krb5.conf).

    You need to add an entry for each slave. See the krb5.conf(4) man page for a full description of this file.

    kdc1 # cat /etc/krb5/krb5.conf
     .
     .
    [realms]
                    EXAMPLE.COM = {
                    kdc = kdc1.example.com
                    kdc = kdc2.example.com
                    admin_server = kdc1.example.com
            }
  4. On the master KDC, add an kiprop entry to kadm5.acl.

    This entry allows the master KDC to receive requests for incremental propagation for the kdc2 server.

    kdc1 # cat /etc/krb5/kadm5.acl
    */admin@EXAMPLE.COM *
    kiprop/kdc2.example.com@EXAMPLE.COM p
  5. On the master KDC, restart kadmind to use the new entries in the kadm5.acl file.
    kdc1 # svcadm restart network/security/kadmin
  6. On all slave KDCs, copy the KDC administration files from the master KDC server.

    This step needs to be followed on all slave KDCs, because the master KDC server has updated information that each KDC server needs. You can use ftp or a similar transfer mechanism to grab copies of the following files from the master KDC:

    • /etc/krb5/krb5.conf

    • /etc/krb5/kdc.conf

  7. On all slave KDCs, add an entry for the master KDC and each slave KDC into the database propagation configuration file, kpropd.acl.

    This information needs to be updated on all slave KDC servers.

    kdc2 # cat /etc/krb5/kpropd.acl
    host/kdc1.example.com@EXAMPLE.COM
    host/kdc2.example.com@EXAMPLE.COM
  8. On all slave KDCs, make sure that the Kerberos access control list file, kadm5.acl, is not populated.

    An unmodified kadm5.acl file would look like:

    kdc2 # cat /etc/krb5/kadm5.acl
    */admin@___default_realm___ *

    If the file has kiprop entries, remove them.

  9. On the new slave, change an entry in kdc.conf.

    Replace the sunw_dbprop_master_ulogsize entry with an entry defining sunw_dbprop_slave_poll. The entry sets the poll time to 2 minutes.

    kdc1 # cat /etc/krb5/kdc.conf
    [kdcdefaults]
            kdc_ports = 88,750
    
    [realms]
            EXAMPLE.COM= {
                    profile = /etc/krb5/krb5.conf
                    database_name = /var/krb5/principal
                    admin_keytab = /etc/krb5/kadm5.keytab
                    acl_file = /etc/krb5/kadm5.acl
                    kadmind_port = 749
                    max_life = 8h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    sunw_dbprop_enable = true
                    sunw_dbprop_slave_poll = 2m
            }
  10. On the new slave, start the kadmin command.

    You must log in with one of the admin principal names that you created when you configured the master KDC.

    kdc2 # /usr/sbin/kadmin -p kws/admin
    Enter password: <Type kws/admin password>
    kadmin: 
    1. Add the slave's host principal to the slave's keytab file by using kadmin.

      This entry allows kprop and other Kerberized applications to function. Note that when the principal instance is a host name, the FQDN must be specified in lowercase letters, regardless of the case of the domain name in the /etc/resolv.conf file.

      kadmin: ktadd host/kdc2.example.com
      Entry for principal host/kdc2.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc2.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc2.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc2.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal host/kdc2.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    2. Add the kiprop principal to the slave KDC's keytab file.

      Adding the kiprop principal to the krb5.keytab file allows the kpropd command to authenticate itself when incremental propagation is started.

      kadmin: ktadd kiprop/kdc2.example.com
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type AES-256 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type AES-128 CTS mode
                with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type Triple DES cbc
                mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type ArcFour
                with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      Entry for principal kiprop/kdc2.example.com with kvno 3, encryption type DES cbc mode
                with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
      kadmin: 
    3. Quit kadmin.
      kadmin: quit
  11. On the new slave, start the Kerberos propagation daemon.
    kdc2 # svcadm enable network/security/krb5_prop
  12. On the new slave, create a stash file by using kdb5_util.
    kdc2 # /usr/sbin/kdb5_util stash
    kdb5_util: Cannot find/read stored master key while reading master key
    kdb5_util: Warning: proceeding without master key
    
    Enter KDC database master key: <Type the key>
  13. (Optional) On the new slave KDC, synchronize the master KDCs clock by using NTP or another clock synchronization mechanism.

    Installing and using the Network Time Protocol (NTP) is not required. However, every clock must be within the default time that is defined in the libdefaults section of the krb5.conf file for authentication to succeed. See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.

  14. On the new slave, start the KDC daemon (krb5kdc).
    kdc2 # svcadm enable network/security/krb5kdc
Previous Next