Set up a Kerberos KDC in your network from scratch in 1 Minute!

In this short note, we'll download the Kerberos source code and compile it in a Linux environment. We'll set up a master KDC and create a realm and principals for admin and regular users. Then we'll implement NFS v4 on a Solaris 10 server and use our new Kerberos for NFS authentication. Finally, we'll set up a Samba share using Kerberos authentication and integrate NIS netgroups on the Unix/Linux side, enabling Windows domain users to access Samba through Kerberos. (A lot of fun stuff!)


Kerberos is a single-sign-on authentication system developed by MIT. It's a faithful watchdog that keeps intruders out of the network. Because of its holy-grail single-sign-on authentication, implementing Kerberos in your IT environment and integrating it with Microsoft's Active Directory (ADS) provides a reliable, secure and quick authentication solution for the entire network.


A good introduction to Kerberos is at: http://technet.microsoft.com/en-us/library/bb742516.aspx


One more thing to know: all Kerberos clients on the network must sync time with the Kerberos server. Make sure NTP is set up properly between Kerberos clients and servers, otherwise Kerberos won't work.



1. Download the Kerberos source code from http://web.mit.edu/kerberos/www/ and build it.


[root@ipc4 src]# pwd
/home/shan/krb5/krb5-1.7/src
[root@ipc4 src]# ./configure
configure: loading cache ./config.cache
checking for gcc... (cached) gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
...

[root@ipc4 src]# make
(cd include && make autoconf.h osconf.h)
make[1]: Entering directory `/home/shan/krb5/krb5-1.7/src/include'
...

[root@ipc4 src]# make install


Note: if you compile on a Linux OS inside VMware Workstation (like I do), you may have problems compiling the db2.so shared library. If this is the case, go to the directory that has db2's source code (should be krb5-1.7/src/plugins/kdb/db2), compile it manually, then copy the shared library db2.so to the /usr/local/lib/krb5/plugins/kdb/ directory. You should then have no problem compiling Kerberos from the main src directory.




If you didn't change the prefix in the Makefile, Kerberos should be installed under /usr/local/.


[root@ipc4 src]# ls /usr/local/sbin /usr/local/bin
/usr/local/bin:
compile_et k5srvutil kadmin krb524init ktutil

/usr/local/sbin:
k5srvutil kadmin.local krb5kdc rpc.yppasswdd ypserv
kadmin kdb5_util krb5-send-pr rpc.ypxfrd
kadmind krb524d ktutil yppush


2. Next, create the configuration file for your realm. The configuration file is /etc/krb5.conf; here is mine.

[root@ipc4 db2]# cat /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SHANJING.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
SHANJING.COM = {
    kdc = ipc4.shanjing.com:88
    admin_server = ipc4.shanjing.com:749
    default_domain = shanjing.com
}

[domain_realm]
.shanjing.com = SHANJING.COM
shanjing.com = SHANJING.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}


3. Next, we can start the krb5kdc and kadmind daemons. One is the KDC daemon, the other is the administration daemon. krb5kdc is only allowed to run on the master KDC server.


Now, let's see the related network ports for kerberos:


[root@ipc4 db2]# lsof -i -p 17815
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 2193 rpc 3u IPv4 4987 UDP *:sunrpc
portmap 2193 rpc 4u IPv4 4990 TCP *:sunrpc (LISTEN)
rpc.statd 2213 rpcuser 4u IPv4 5024 UDP *:32768
rpc.statd 2213 rpcuser 5u IPv4 5015 UDP *:693
rpc.statd 2213 rpcuser 6u IPv4 5027 TCP *:32769 (LISTEN)
ypserv 2291 root 5u IPv4 5215 UDP *:773
ypserv 2291 root 6u IPv4 5220 TCP *:776 (LISTEN)
rpc.yppas 2294 root 4u IPv4 5228 UDP *:775
ypbind 2302 root 4u IPv4 5248 UDP *:784
ypbind 2302 root 5u IPv4 5253 TCP *:787 (LISTEN)
ypbind 2302 root 6u IPv4 20355 UDP *:813
cupsd 2437 root 0u IPv4 5612 TCP localhost.nis.shanjing.com:ipp (LISTEN)
cupsd 2437 root 2u IPv4 5613 UDP *:ipp
named 2476 named 20u IPv4 5672 UDP localhost.nis.shanjing.com:domain
named 2476 named 21u IPv4 5673 TCP localhost.nis.shanjing.com:domain (LISTEN)
named 2476 named 22u IPv4 5674 UDP ipc4.shanjing.com:domain
named 2476 named 23u IPv4 5675 TCP ipc4.shanjing.com:domain (LISTEN)
named 2476 named 24u IPv4 5685 UDP *:32769
named 2476 named 25u IPv6 5686 UDP *:32770
named 2476 named 26u IPv4 5687 TCP localhost.nis.shanjing.com:rndc (LISTEN)
sshd 2489 root 3u IPv6 5696 TCP *:ssh (LISTEN)
xinetd 2504 root 5u IPv4 5745 TCP *:klogin (LISTEN)
xinetd 2504 root 6u IPv4 5746 TCP *:telnet (LISTEN)
xinetd 2504 root 8u IPv4 5747 TCP *:kshell (LISTEN)
ntpd 2517 ntp 4u IPv4 5762 UDP *:ntp
ntpd 2517 ntp 5u IPv6 5763 UDP *:ntp
ntpd 2517 ntp 6u IPv4 5764 UDP localhost.nis.shanjing.com:ntp
ntpd 2517 ntp 7u IPv4 5765 UDP ipc4.shanjing.com:ntp
sendmail 2537 root 4u IPv4 5827 TCP localhost.nis.shanjing.com:smtp (LISTEN)
mysqld 3166 mysql 11u IPv4 7652 TCP *:mysql (LISTEN)
sshd 3616 root 3u IPv6 8276 TCP ipc4.shanjing.com:ssh->192.168.1.71:53212 (ESTABLISHED)
sshd 3618 shan 3u IPv6 8276 TCP ipc4.shanjing.com:ssh->192.168.1.71:53212 (ESTABLISHED)
sshd 4225 root 3u IPv6 9003 TCP ipc4.shanjing.com:ssh->192.168.1.71:53474 (ESTABLISHED)
sshd 4227 shan 3u IPv6 9003 TCP ipc4.shanjing.com:ssh->192.168.1.71:53474 (ESTABLISHED)
krb5kdc 17815 root cwd DIR 253,0 4096 2 /
krb5kdc 17815 root rtd DIR 253,0 4096 2 /
krb5kdc 17815 root txt REG 253,0 270844 60015 /usr/local/sbin/krb5kdc
krb5kdc 17815 root mem REG 253,0 1524800 348279 /lib/tls/libc-2.3.4.so
krb5kdc 17815 root mem REG 253,0 244541 59204 /usr/local/lib/libkadm5srv.so.6.0
krb5kdc 17815 root mem REG 253,0 589536 57778 /usr/local/lib/libk5crypto.so.3.1
krb5kdc 17815 root mem REG 253,0 2180071 57786 /usr/local/lib/libkrb5.so.3.3
krb5kdc 17815 root mem REG 253,0 108320 348278 /lib/ld-2.3.4.so
krb5kdc 17815 root mem REG 253,0 71845 56826 /usr/local/lib/libkrb5support.so.0.1
krb5kdc 17815 root mem REG 253,0 16864 348283 /lib/libdl-2.3.4.so
krb5kdc 17815 root mem REG 253,0 305391 152655 /usr/local/lib/krb5/plugins/kdb/db2.so
krb5kdc 17815 root mem REG 253,0 189109 58597 /usr/local/lib/libkdb5.so.4.0
krb5kdc 17815 root mem REG 253,0 81280 348281 /lib/libresolv-2.3.4.so
krb5kdc 17815 root mem REG 253,0 328072 58591 /usr/local/lib/libgssrpc.so.4.1
krb5kdc 17815 root mem REG 253,0 864863 57832 /usr/local/lib/libgssapi_krb5.so.2.2
krb5kdc 17815 root mem REG 253,0 21998 57711 /usr/local/lib/libcom_err.so.3.0
krb5kdc 17815 root 0u CHR 1,3 1575 /dev/null
krb5kdc 17815 root 1u CHR 1,3 1575 /dev/null
krb5kdc 17815 root 2u CHR 1,3 1575 /dev/null
krb5kdc 17815 root 3w REG 253,0 42662 605316 /var/log/krb5kdc.log
krb5kdc 17815 root 4u unix 0xd55817c0 20412 socket
krb5kdc 17815 root 5u REG 253,0 0 152659 /usr/local/var/krb5kdc/principal.ok
krb5kdc 17815 root 6u REG 253,0 0 152661 /usr/local/var/krb5kdc/principal.kadm5.lock
krb5kdc 17815 root 7u REG 253,0 6 605491 /var/tmp/krb5kdc_rcache
krb5kdc 17815 root 8u IPv4 20414 UDP *:kerberos-iv
krb5kdc 17815 root 9u IPv4 20415 UDP *:kerberos
krb5kdc 17815 root 10u IPv6 20416 UDP *:kerberos-iv
krb5kdc 17815 root 11u IPv6 20417 UDP *:kerberos
kadmind 17817 root 7u IPv4 20424 UDP *:kpasswd
kadmind 17817 root 8u IPv6 20425 UDP *:kpasswd
kadmind 17817 root 9u IPv6 20427 TCP *:kpasswd (LISTEN)
kadmind 17817 root 10u IPv4 20428 TCP *:kpasswd (LISTEN)
kadmind 17817 root 11u IPv4 20429 TCP *:kerberos-adm (LISTEN)


The KDC uses port 88 and the administration daemon uses port 749; make sure iptables is configured to allow packets through these ports.


[root@ipc4 db2]# grep kerberos /etc/services
kerberos 88/tcp kerberos5 krb5 # Kerberos v5
kerberos 88/udp kerberos5 krb5 # Kerberos v5
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
kerberos-iv 750/udp kerberos4 kerberos-sec kdc
kerberos-iv 750/tcp kerberos4 kerberos-sec kdc
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
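
As an added example (not part of the original post), the shell functions below read lsof -i output in the format shown above, list the sockets that krb5kdc and kadmind actually listen on, and print matching iptables rules. The client subnet 192.168.1.0/24, the function names and the kpasswd port number 464 are assumptions that do not come from the post; port 750 is left closed because only Kerberos 4 clients use it.

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample: a few lines in the format of the lsof output above.
sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2489 root 3u IPv6 5696 TCP *:ssh (LISTEN)
krb5kdc 17815 root txt REG 253,0 270844 60015 /usr/local/sbin/krb5kdc
krb5kdc 17815 root 8u IPv4 20414 UDP *:kerberos-iv
krb5kdc 17815 root 9u IPv4 20415 UDP *:kerberos
krb5kdc 17815 root 11u IPv6 20417 UDP *:kerberos
kadmind 17817 root 7u IPv4 20424 UDP *:kpasswd
kadmind 17817 root 10u IPv4 20428 TCP *:kpasswd (LISTEN)
kadmind 17817 root 11u IPv4 20429 TCP *:kerberos-adm (LISTEN)
EOF
}

# Print "daemon proto port" for every socket krb5kdc or kadmind listens on.
kdc_listeners() {
  awk '
    BEGIN {  # service names as lsof prints them; 464 is an assumption (not on the page)
      port["kerberos"] = 88; port["kpasswd"] = 464
      port["kerberos-adm"] = 749; port["kerberos-iv"] = 750
    }
    $1 == "krb5kdc" || $1 == "kadmind" {
      # Locate the protocol column; its position depends on whether SIZE is blank.
      for (i = 5; i <= NF; i++) if ($i == "TCP" || $i == "UDP") break
      if (i > NF) next                                  # open file, not a socket
      if ($i == "TCP" && $(i + 2) != "(LISTEN)") next   # established connection
      n = split($(i + 1), part, ":"); svc = part[n]
      print $1, tolower($i), ((svc in port) ? port[svc] : svc)
    }' | LC_ALL=C sort -u
}

# Turn the listeners into iptables rules limited to one client subnet ($1).
kdc_iptables_rules() {
  kdc_listeners | awk -v src="$1" '
    $3 == 750 { next }   # Kerberos 4 port: leave closed
    { print "iptables -A INPUT -s " src " -p " $2 " --dport " $3 " -j ACCEPT" }
  ' | LC_ALL=C sort -u
}

sample_lsof | kdc_iptables_rules 192.168.1.0/24
```

With the listing above, port 88 gets only a UDP rule, because krb5kdc shows no TCP listener there.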


Next, we'll create our realm, the admin principal and the user principals, and download keys to the local keytab file.


[root@ipc4 src]# /usr/local/sbin/kdb5_util create -s

Loading random data

Initializing database '/usr/local/var/krb5kdc/principal' for realm 'SHANJING.COM',

master key name 'K/M@SHANJING.COM'

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key:

Re-enter KDC database master key to verify:

[root@ipc4 krb5kdc]# ls -al

total 64

drwx------ 2 root root 4096 Oct 14 17:45 .

drwxr-xr-x 3 root root 4096 Oct 9 17:01 ..

-rw------- 1 root root 65 Oct 14 17:45 .k5.SHANJING.COM

-rw-r--r-- 1 root root 697 Oct 9 17:22 kdc.conf

-rw------- 1 root root 8192 Oct 14 17:45 principal

-rw------- 1 root root 8192 Oct 14 17:45 principal.kadm5

-rw------- 1 root root 0 Oct 14 17:45 principal.kadm5.lock

-rw------- 1 root root 0 Oct 14 17:45 principal.ok

[root@ipc4 krb5kdc]# /usr/local/sbin/kadmin.local

Authenticating as principal root/admin@SHANJING.COM with password.

kadmin.local: listprincs

K/M@SHANJING.COM

kadmin/admin@SHANJING.COM

kadmin/changepw@SHANJING.COM

kadmin/history@SHANJING.COM

kadmin/ipc4.shanjing.com@SHANJING.COM

krbtgt/SHANJING.COM@SHANJING.COM

kadmin.local: addprinc shan/admin

WARNING: no policy specified for shan/admin@SHANJING.COM; defaulting to no policy

Enter password for principal "shan/admin@SHANJING.COM":

Re-enter password for principal "shan/admin@SHANJING.COM":

Principal "shan/admin@SHANJING.COM" created.

kadmin.local:

[root@ipc4 krb5kdc]# /usr/kerberos/bin/kinit shan/admin

Password for shan/admin@SHANJING.COM:

[root@ipc4 krb5kdc]# /usr/kerberos/bin/klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: shan/admin@SHANJING.COM

Valid starting Expires Service principal

10/14/09 17:53:26 10/15/09 17:53:26 krbtgt/SHANJING.COM@SHANJING.COM

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

[root@ipc4 krb5kdc]# kadmin.local

Authenticating as principal shan/admin@SHANJING.COM with password.

kadmin.local: listprincs

K/M@SHANJING.COM

kadmin/admin@SHANJING.COM

kadmin/changepw@SHANJING.COM

kadmin/history@SHANJING.COM

kadmin/ipc4.shanjing.com@SHANJING.COM

krbtgt/SHANJING.COM@SHANJING.COM

shan/admin@SHANJING.COM

kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw

Entry for principal kadmin/admin with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/admin with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/admin with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/usr/local/var/krb5kdc/kadm5.keytab.

kadmin.local:

Authenticating as principal shan/admin@SHANJING.COM with password.

Password for shan/admin@SHANJING.COM:

kadmin: Incorrect password while initializing kadmin interface

[root@ipc4 krb5kdc]# kadmin

Authenticating as principal shan/admin@SHANJING.COM with password.

Password for shan/admin@SHANJING.COM:

kadmin: addprinc shan

WARNING: no policy specified for shan@SHANJING.COM; defaulting to no policy

Enter password for principal "shan@SHANJING.COM":

Re-enter password for principal "shan@SHANJING.COM":

Principal "shan@SHANJING.COM" created.

kadmin: addprinc host/ipc4.shanjing.com

WARNING: no policy specified for host/ipc4.shanjing.com@SHANJING.COM; defaulting to no policy

Enter password for principal "host/ipc4.shanjing.com@SHANJING.COM":

Re-enter password for principal "host/ipc4.shanjing.com@SHANJING.COM":

Principal "host/ipc4.shanjing.com@SHANJING.COM" created.

kadmin: listprincs

K/M@SHANJING.COM

host/ipc4.shanjing.com@SHANJING.COM

kadmin/admin@SHANJING.COM

kadmin/changepw@SHANJING.COM

kadmin/history@SHANJING.COM

kadmin/ipc4.shanjing.com@SHANJING.COM

krbtgt/SHANJING.COM@SHANJING.COM

shan/admin@SHANJING.COM

shan@SHANJING.COM

kadmin: ktadd host/ipc4.shanjing.com

Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

kadmin: ktadd shan

Entry for principal shan with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal shan with kvno 2, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal shan with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal shan with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

[root@ipc4 krb5kdc]# vi /etc/xinetd.conf

service krb5_prop

{

socket_type = stream

protocol = tcp

wait = no

user = root

server = /usr/local/sbin/kpropd

instances = 20

}

[root@ipc4 krb5kdc]# /etc/init.d/xinetd restart

Stopping xinetd: [ OK ]

Starting xinetd: [ OK ]

[root@ipc4 krb5kdc]# /etc/init.d/xinetd status

xinetd (pid 3730) is running...

[root@ipc4 ~]# kadmin.local

Authenticating as principal shan/admin@SHANJING.COM with password.

kadmin.local: addprinc -randkey kiprop/ipc4.shanjing.com

WARNING: no policy specified for kiprop/ipc4.shanjing.com@SHANJING.COM; defaulting to no policy

Principal "kiprop/ipc4.shanjing.com@SHANJING.COM" created.

kadmin.local: addprinc -randkey kiprop/sun1.shanjing.com

WARNING: no policy specified for kiprop/sun1.shanjing.com@SHANJING.COM; defaulting to no policy

Principal "kiprop/sun1.shanjing.com@SHANJING.COM" created.

kadmin.local: ktadd kiprop/sun1.shanjing.com

Entry for principal kiprop/sun1.shanjing.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal kiprop/sun1.shanjing.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal kiprop/sun1.shanjing.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal kiprop/sun1.shanjing.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

kadmin.local: ktadd kiprop/ipc4.shanjing.com

Entry for principal kiprop/ipc4.shanjing.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal kiprop/ipc4.shanjing.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal kiprop/ipc4.shanjing.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal kiprop/ipc4.shanjing.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

kadmin.local: quit

[root@ipc4 ~]# klist -k

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

2 host/ipc4.shanjing.com@SHANJING.COM

2 host/ipc4.shanjing.com@SHANJING.COM

2 host/ipc4.shanjing.com@SHANJING.COM

2 host/ipc4.shanjing.com@SHANJING.COM

2 shan@SHANJING.COM

2 shan@SHANJING.COM

2 shan@SHANJING.COM

2 shan@SHANJING.COM

3 host/sun1.shanjing.com@SHANJING.COM

3 host/sun1.shanjing.com@SHANJING.COM

3 host/sun1.shanjing.com@SHANJING.COM

3 host/sun1.shanjing.com@SHANJING.COM

3 kiprop/sun1.shanjing.com@SHANJING.COM

3 kiprop/sun1.shanjing.com@SHANJING.COM

3 kiprop/sun1.shanjing.com@SHANJING.COM

3 kiprop/sun1.shanjing.com@SHANJING.COM

3 kiprop/ipc4.shanjing.com@SHANJING.COM

3 kiprop/ipc4.shanjing.com@SHANJING.COM

3 kiprop/ipc4.shanjing.com@SHANJING.COM
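
As an added example (not part of the original post), the shell function below audits a ktadd transcript like the one above. It flags keys created with the deprecated Triple DES and ArcFour (RC4) encryption types, and user principals such as shan whose keys are written to a keytab: ktadd randomizes a principal's key, so the password set with addprinc stops working and anyone who can read the keytab can authenticate as that user. The function names and finding labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Sample input: a subset of the ktadd lines from the transcript above.
sample_ktadd() {
cat <<'EOF'
kadmin: ktadd host/ipc4.shanjing.com
Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/ipc4.shanjing.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: ktadd shan
Entry for principal shan with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal shan with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
EOF
}

# Read a ktadd transcript on stdin and print one tab-separated finding per line.
audit_ktadd() {
  awk '
    /^Entry for principal / {
      princ = $4
      kvno = $7; sub(/,$/, "", kvno)
      # Encryption type: the text between "encryption type " and " added to keytab".
      enc = $0; sub(/^.*encryption type /, "", enc); sub(/ added to keytab.*$/, "", enc)
      # Keytab path: the text after "WRFILE:" without the trailing full stop.
      kt = $0; sub(/^.*added to keytab [A-Z]+:/, "", kt); sub(/\.$/, "", kt)
      if (enc ~ /ArcFour|DES/)
        print "WEAK-ENCTYPE\t" princ "\tkvno=" kvno "\t" enc
      # A principal without "/" is a user, not a host or service.
      if (index(princ, "/") == 0 && !((princ, kt) in seen)) {
        seen[princ, kt] = 1
        print "USER-KEY-IN-KEYTAB\t" princ "\t" kt
      }
    }'
}

sample_ktadd | audit_ktadd
```

To keep the weak types out of a new keytab, ktadd accepts -e with a key:salt list such as aes256-cts:normal.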


Now our Kerberos setup is complete. Next, we'll set up an NFS share on a Solaris 10 server. NFS clients access the NFS v4 share through Kerberos.


(Make sure all servers in your network have their time synced and NTP is set up correctly.)


Case 1: Set up an NFS v4 server on Solaris 10 and enable Kerberos authentication: