This wiki page is outdated and deprecated. See SPNEGO documentation in GateIn reference guide for latest instructions.
This article is a step-by-step tutorial for setting up an MIT Kerberos 5 server for development and testing of Single Sign On applications. A production setup is considerably more involved and is out of scope for this article.
Development Environment:
- Dell Latitude D820 Intel Centrino Core Duo
- (K)Ubuntu 8.10 OS
Although these instructions were written on my local Kubuntu 8.10 machine, they should work on other Linux distributions as well; only the package management commands and package names will differ.
Step 1: Installation
Install krb5-admin-server, krb5-kdc, krb5-config, krb5-user, krb5-clients, and krb5-rsh-server. These will bring some dependencies with them.
Kerberos configuration is found under: /etc/krb5.conf
Here is what mine looks like. It is essentially the stock Ubuntu krb5.conf with the LOCAL.NETWORK realm added to the [realms] and [domain_realm] sections; the MIT, CMU and Stanford realms it ships with play no part in this setup and can be removed.
[libdefaults]
    default_realm = LOCAL.NETWORK
#   dns_lookup_kdc = false
#   dns_lookup_realm = false

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu:88
        kdc = kerberos-1.mit.edu:88
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    MEDIA-LAB.MIT.EDU = {
        kdc = kerberos.media.mit.edu
        admin_server = kerberos.media.mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    MOOF.MIT.EDU = {
        kdc = three-headed-dogcow.mit.edu:88
        kdc = three-headed-dogcow-1.mit.edu:88
        admin_server = three-headed-dogcow.mit.edu
    }
    CSAIL.MIT.EDU = {
        kdc = kerberos-1.csail.mit.edu
        kdc = kerberos-2.csail.mit.edu
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
        krb524_server = krb524.csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    GNU.ORG = {
        kdc = kerberos.gnu.org
        kdc = kerberos-2.gnu.org
        kdc = kerberos-3.gnu.org
        admin_server = kerberos.gnu.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    GRATUITOUS.ORG = {
        kdc = kerberos.gratuitous.org
        admin_server = kerberos.gratuitous.org
    }
    DOOMCOM.ORG = {
        kdc = kerberos.doomcom.org
        admin_server = kerberos.doomcom.org
    }
    ANDREW.CMU.EDU = {
        kdc = vice28.fs.andrew.cmu.edu
        kdc = vice2.fs.andrew.cmu.edu
        kdc = vice11.fs.andrew.cmu.edu
        kdc = vice12.fs.andrew.cmu.edu
        admin_server = vice28.fs.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementia.org
        kdc = kerberos2.dementia.org
        admin_server = kerberos.dementia.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    LOCAL.NETWORK = {
        kdc = server.local.network
        admin_server = server.local.network
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    local.network = LOCAL.NETWORK
    .local.network = LOCAL.NETWORK

[login]
    krb4_convert = true
    krb4_get_tickets = false
Your KDC configuration is located under: /etc/krb5kdc/kdc.conf
Here is what mine looks like. The paths under /home/soshah are specific to my machine; the database, keytab, ACL, stash and log files all live there, so create those directories before initialising the database. The long list of des-* entries in supported_enctypes comes from the stock file: single DES is insecure and has been removed from current MIT Kerberos releases, so on anything newer than this 8.10 box keep only the aes entries.
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    LOCAL.NETWORK = {
        database_name = /home/soshah/krb5kdc/principal
        admin_keytab = FILE:/home/soshah/krb5kdc/kadm5.keytab
        acl_file = /home/soshah/krb5kdc/kadm5.acl
        key_stash_file = /home/soshah/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

[logging]
    kdc = FILE:/home/soshah/krb5logs/kdc.log
    admin_server = FILE:/home/soshah/krb5logs/kadmin.log
Now create the KDC database for the realm. The -s option also writes the master key to the stash file named in kdc.conf, so the KDC can start without prompting for it. You will be asked to choose the master password:
sudo kdb5_util create -s
Now start your KDC and Kerberos admin servers:
sudo /etc/init.d/krb5-kdc restart
sudo /etc/init.d/krb5-admin-server restart
Step 2: Adding Principals and Creating Keys
If you did not already create the Kerberos database and master key in Step 1, do it now (this only needs to be done once per realm; you will be prompted for the master password):
sudo kdb5_util create -s
Start an interactive 'kadmin' session and create the necessary Principals
sudo kadmin.local
Add the "GateIn machine" (the host GateIn runs on) as a service principal. -randkey gives it a random key, since it will authenticate with a keytab rather than a password:
addprinc -randkey host/server.local.network
Add the default "GateIn user accounts" that will be authenticated. kadmin prompts for a password for each:
addprinc demo
addprinc john
Generate a "keytab" file for the "GateIn machine". This will be used when configuring the JBoss Negotiation stack inside GateIn. Without -k, ktadd appends the key to the system keytab /etc/krb5.keytab; pass -k with a path to write a separate file you can hand to GateIn:
ktadd -k /home/soshah/krb5kdc/gatein.keytab host/server.local.network
Note that a browser doing SPNEGO asks the KDC for a ticket for HTTP/<hostname>, so if your GateIn configuration uses that service name instead of host/, create and export an HTTP/server.local.network principal the same way.
Step 3: Setup your /etc/hosts file to add server.local.network as a valid host
Add this to /etc/hosts
192.168.1.103 server.local.network
Make sure this is the machine's real interface address and not a loopback address (127.0.0.1). The host principal and keytab are tied to the name server.local.network, and a loopback address resolves back to localhost, which breaks host-name matching on both the KDC and the GateIn side.
This is also the host to which the GateIn Portal should be bound using the "-b" option. This will be covered in more detail in the GateIn configuration.
Step 4: Test your setup
Login:
kinit -A demo
Do not forget the -A. It requests an address-less ticket, one not bound to your client's IP address, which avoids spurious failures behind NAT, on VPNs or on multi-homed machines. Address-bound tickets are a production-level security feature that is not necessary in this development setup. Separately, if service-name canonicalisation fails because your network's reverse DNS is poor, set rdns = false in the [libdefaults] section of /etc/krb5.conf; that is the setting that controls the reverse lookups.
See if it worked:
klist
Destroy the credential cache (the tickets issued above). Usually used before logging in as another user:
kdestroy
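The following script is an added example, not code from the original page or from the GateIn project. It performs Steps 1 to 4 non-interactively on the KDC host and then proves the result the way GateIn will use it: a user obtains a TGT, requests a service ticket for the host principal, and the exported keytab is checked against the KDC with kinit -k. Assumptions: the realm, host name, address and /home/soshah paths are the page's values and can be overridden from the environment; the keytab path gatein.keytab, the master password and the user passwords are placeholders; the krb5.conf it writes is trimmed to the one realm, adds rdns = false, and the kdc.conf uses AES enctypes only. It must run as root on the KDC host with the Kerberos packages installed.

```shell
#!/bin/sh
# Added example, not from the page: Steps 1-4 as one script that ends with a
# real ticket exchange against the GateIn host principal. Defaults are the
# page's values; passwords and the keytab path are placeholders. Run as root.
set -eu

REALM=${REALM:-LOCAL.NETWORK}
KDC_HOST=${KDC_HOST:-server.local.network}
KDC_IP=${KDC_IP:-192.168.1.103}
KDB_DIR=${KDB_DIR:-/home/soshah/krb5kdc}
LOG_DIR=${LOG_DIR:-/home/soshah/krb5logs}
KEYTAB=${KEYTAB:-$KDB_DIR/gatein.keytab}   # placeholder; keeps the key out of /etc/krb5.keytab
MASTER_PW=${MASTER_PW:-change-me}           # placeholder, development only
DEMO_PW=${DEMO_PW:-demo}                    # placeholder, development only

host_principal() { printf 'host/%s@%s\n' "$KDC_HOST" "$REALM"; }
realm_domain()   { printf '%s\n' "$REALM" | tr 'A-Z' 'a-z'; }  # LOCAL.NETWORK -> local.network
hosts_entry()    { printf '%s %s\n' "$KDC_IP" "$KDC_HOST"; }

# Step 3 caveat: the KDC host must resolve to a real interface, not loopback.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

write_configs() {
    # Only the realm this KDC serves; the stock Ubuntu file's foreign realms are
    # noise here. rdns = false stops service names being canonicalised via PTR lookups.
    cat > /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = false
    dns_lookup_realm = false
    rdns = false
    forwardable = true
[realms]
    $REALM = {
        kdc = $KDC_HOST:88
        admin_server = $KDC_HOST
    }
[domain_realm]
    .$(realm_domain) = $REALM
    $(realm_domain) = $REALM
EOF
    # AES only: the des-* enctypes in the page's kdc.conf are stock-file leftovers.
    cat > /etc/krb5kdc/kdc.conf <<EOF
[realms]
    $REALM = {
        database_name = $KDB_DIR/principal
        admin_keytab = FILE:$KDB_DIR/kadm5.keytab
        acl_file = $KDB_DIR/kadm5.acl
        key_stash_file = $KDB_DIR/stash
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
[logging]
    kdc = FILE:$LOG_DIR/kdc.log
    admin_server = FILE:$LOG_DIR/kadmin.log
EOF
}

create_database() {
    mkdir -p "$KDB_DIR" "$LOG_DIR"
    # -s stashes the master key so the KDC starts unattended; -P skips the prompt
    kdb5_util -r "$REALM" -P "$MASTER_PW" create -s
}

add_principals() {
    kadmin.local -q "addprinc -randkey $(host_principal)"
    kadmin.local -q "ktadd -k $KEYTAB $(host_principal)"
    kadmin.local -q "addprinc -pw $DEMO_PW demo@$REALM"
    kadmin.local -q "addprinc -pw $DEMO_PW john@$REALM"
}

verify() {
    # demo gets a TGT, then a service ticket for the GateIn host: the exchanges
    # GateIn's Negotiate login triggers. kvno fails if the host principal is
    # missing; kinit -k fails if the keytab does not match what the KDC holds.
    printf '%s\n' "$DEMO_PW" | kinit -A "demo@$REALM"
    kvno "$(host_principal)"
    klist
    kdestroy
    kinit -k -t "$KEYTAB" "$(host_principal)"
    kdestroy
}

case "${1:-}" in
    setup)
        if is_loopback "$KDC_IP"; then echo "KDC_IP $KDC_IP is a loopback address" >&2; exit 1; fi
        grep -q "$KDC_HOST" /etc/hosts || hosts_entry >> /etc/hosts
        write_configs; create_database
        /etc/init.d/krb5-kdc restart; /etc/init.d/krb5-admin-server restart
        add_principals; verify ;;
    "") ;;   # no argument: only define the functions, so the file can be sourced
    *)  echo "usage: $0 setup" >&2; exit 2 ;;
esac
```

Run it as `sudo sh kdc-dev-setup.sh setup` (the file name is arbitrary). The two checks in verify are the ones worth keeping around: kvno against host/server.local.network tells you the KDC side is right before GateIn is in the picture, and kinit -k against the keytab catches the common mistake of a keytab whose key version no longer matches the principal after a later ktadd.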
Step 5: Switch from Coffee to Beer. You are done!!!
Special Thanks to : http://www.alittletooquiet.net/text/kerberos-on-ubuntu/