Fundraising/techops/procedures/services-kerberos kdc install

From Wikitech

Services: Kerberos KDC Master Setup Procedure

These are notes from the Kerberos server setup, circa the beginning of time; the specifics are likely outdated.

Create a New Kerberos Realm

root@frauth1001:/etc/krb5kdc# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'WMF-FUNDRAISING',
master key name 'K/M@WMF-FUNDRAISING'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

 * Starting Kerberos KDC krb5kdc                    [ OK ]
 * Starting Kerberos administrative servers kadmind [ OK ]

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration

Add an Administrative User, Configure Realm Policies, Additional Users

root@frauth1001:/etc/krb5kdc# kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

root@frauth1001:/etc/krb5kdc# kadmin.local
Authenticating as principal root/admin@WMF-FUNDRAISING with password.
kadmin.local:  add_policy -minlength 12 -minclasses 4 -maxlife "90 days" -history 10 admin
kadmin.local:  add_policy -minlength 12 -minclasses 4 host
kadmin.local:  add_policy -minlength 12 -minclasses 4 service
kadmin.local:  add_policy -minlength 12 -minclasses 4 -maxlife "90 days" -history 10 user
kadmin.local:  addprinc -policy admin jgreen/admin
Enter password for principal "jgreen/admin@WMF-FUNDRAISING": 
Re-enter password for principal "jgreen/admin@WMF-FUNDRAISING": 
Principal "jgreen/admin@WMF-FUNDRAISING" created.
kadmin.local:  addprinc -policy user jgreen
Enter password for principal "jgreen@WMF-FUNDRAISING": 
Re-enter password for principal "jgreen@WMF-FUNDRAISING": 
Principal "jgreen@WMF-FUNDRAISING" created.
kadmin.local:  quit
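Two things go wrong most often right after this step: the new /admin principal is not yet listed in /etc/krb5kdc/kadm5.acl (so kadmin from another host is refused even though the principal exists, which is a different failure from the "Client not found" above, where root/admin simply had never been created), and a password chosen for addprinc does not meet the -minlength 12 -minclasses 4 policy. The script below is an added example, not part of this wiki page or of MIT krb5: it parses a constructed kadm5.acl and reports whether a principal is granted a set of permission letters, and it pre-checks a candidate password against the same length/class parameters the policies above use. It assumes first-matching-entry-wins ACL evaluation, that a `*` wildcard matches only within one principal component, and MIT's five character classes (lower, upper, digit, punctuation, other); the ACL text, principal names and passwords are constructed sample values.

```python
"""Post-setup checks for a fresh KDC master: kadm5.acl grant lookup and a
password-policy pre-check. Added example; ACL contents below are constructed."""
import re
import string

# Constructed kadm5.acl: the usual "all /admin principals get everything" line,
# plus a plain user principal limited to inquire (i) and list (l).
SAMPLE_ACL = """\
# kadm5.acl for realm WMF-FUNDRAISING (constructed sample)
*/admin@WMF-FUNDRAISING    *
jgreen@WMF-FUNDRAISING     il
"""


def parse_kadm5_acl(text):
    """Return (principal_pattern, permissions, target) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], fields[1], target))
    return entries


def principal_matches(pattern, principal):
    """'*' matches any run of characters inside one component (assumed: it does
    not cross '/' or '@'); everything else is literal."""
    regex = "".join("[^/@]*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, principal) is not None


def acl_grants(acl_text, principal, wanted):
    """True if the first ACL entry matching `principal` grants every permission
    letter in `wanted`. '*' or 'x' grants all; an uppercase letter denies it.
    No matching entry means no access (assumed first-match semantics)."""
    for pattern, perms, _target in parse_kadm5_acl(acl_text):
        if not principal_matches(pattern, principal):
            continue
        if perms == "*" or "x" in perms:
            return True
        granted = {c for c in perms if c.islower()}
        denied = {c.lower() for c in perms if c.isupper()}
        return all(c in granted and c not in denied for c in wanted)
    return False


def character_classes(password):
    """Count the distinct MIT-style classes present: lower, upper, digit,
    punctuation, and 'other' for anything else (assumed class definition)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def meets_policy(password, minlength=12, minclasses=4):
    """Mirror of the add_policy -minlength/-minclasses checks used on the page,
    so a rejected addprinc can be caught before the interactive prompt."""
    return len(password) >= minlength and character_classes(password) >= minclasses


if __name__ == "__main__":
    # Which kadmin operations would the two principals created above be allowed?
    for princ in ("jgreen/admin@WMF-FUNDRAISING", "jgreen@WMF-FUNDRAISING"):
        print(princ, "add+modify:", acl_grants(SAMPLE_ACL, princ, "am"),
              "inquire:", acl_grants(SAMPLE_ACL, princ, "i"))
    # Constructed candidate passwords, not real credentials.
    for pw in ("abcdefghijkl", "Correct-Horse-9"):
        print(repr(pw), "meets 12/4 policy:", meets_policy(pw))
```

Run it on the real file by replacing SAMPLE_ACL with the contents of /etc/krb5kdc/kadm5.acl; remember that kadmind only re-reads the ACL when restarted, so an edit that the script accepts still needs a service restart before `kadmin -p jgreen/admin` from another host will work.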