Linux Tutorial for Beginners

Wednesday, February 15, 2012

How to Create the Kerberos database

Posted by Raju Gupta at 5:08 AM
 

Create the database with the following command.

 [root@coma ~] kdb5_util create -s

This will prompt you for the database master password. The -s option also writes the master key to a stash file so the KDC can start without the password being typed in; protect that file as carefully as the password itself. You will only have to enter this password again when you initially configure a slave KDC, so choose something long and random and store it in a secure place.

Add the first Administrative User

I do administration as root, so the first user I add is root/admin. The default realm is appended automatically, so the command to use is as follows.

 [root@coma ~] kadmin.local -q "addprinc root/admin"

Enter a password when prompted. You will need this password every time you administer the database.

Starting the Services
At this point it is necessary to enable and start the kerberos services.

 [root@coma ~] chkconfig kadmin on
 [root@coma ~] service kadmin start
 [root@coma ~] chkconfig krb5kdc on
 [root@coma ~] service krb5kdc start

To test that everything is working, run kadmin. By default, the current user name with '/admin' appended is used as the principal.
 [root@coma ~] kadmin
 Authenticating as principal root/admin@PHYSIK.UNIZH.CH with password.
 Password for root/admin@PHYSIK.UNIZH.CH:
 kadmin:  listprincs
 K/M@PHYSIK.UNIZH.CH
 kadmin/admin@PHYSIK.UNIZH.CH
 kadmin/changepw@PHYSIK.UNIZH.CH
 kadmin/history@PHYSIK.UNIZH.CH
 krbtgt/PHYSIK.UNIZH.CH@PHYSIK.UNIZH.CH
 root/admin@PHYSIK.UNIZH.CH
The additional principals were created by kdb5_util. They are required, so leave them alone.

Create a Host Principal for the KDC

Now you will want to create a host principal for the KDC. This is required for replication to a slave KDC, and the principal must also be added to the local key table (keytab) with ktadd. Principal names are case-sensitive: the realm part is upper-case and the host name part is lower-case, as the output below shows.

 [root@coma ~]# kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: addprinc -randkey host/coma.example.com
 NOTICE: no policy specified for host/coma.example.com@EXAMPLE.COM; assigning "default"
 Principal "host/coma.example.com@EXAMPLE.COM" created.
 kadmin: ktadd host/coma.example.com

Setup the default Policy

You will want to create the default password policy at this point. All new accounts will have this policy enforced.

 [root@coma ~] kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: add_policy -maxlife 180days -minlife 2days -minlength 8 -minclasses 3 -history 10 default
You can also add other policies and apply different policies to different principals. The flags and their meanings are as follows.

 -maxlife
     The maximum period before the password must be changed.

 -minlife
     The minimum time after a password change before it can be changed again. Without a minimum time, a user could change the password several times in a row to push the old one out of the history (see below) and end up back with the same password.

 -minclasses
     The number of distinct character classes that must appear in the password. The character classes are uppercase letters, lowercase letters, digits and symbols. Setting this to 2, for example, means a password made up of only lowercase letters and digits would be valid.

 -history
     The number of previous passwords to keep. A new password may not duplicate any of them.


Changing the Maximum Renewal Time

Each principal has its own maximum renewal life. On RHEL4, new principals are created with a maximum renewal life of zero. This means you can request a renewable ticket, but it can never actually be renewed. Each principal must be changed manually to the desired maximum renewal life. In addition, the special principal krbtgt/REALM@REALM must be changed to reflect the longest maximum renewal life that any principal will have, because the renewal life a ticket actually gets is capped by both the client principal and the krbtgt principal.

 [root@coma ~]# kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: modprinc -maxrenewlife 2weeks krbtgt/EXAMPLE.COM@EXAMPLE.COM
 Principal "krbtgt/EXAMPLE.COM@EXAMPLE.COM" modified.
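Since every existing principal has to be updated by hand, here is an added helper script (not from the original post) that turns a listprincs listing into the matching modprinc commands; the sample listing, the realm EXAMPLE.COM and the 2weeks value are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the output of
# "kadmin.local -q listprincs" into one modprinc command per principal so
# that -maxrenewlife can be set on every existing principal in one pass.
# The realm, the sample listing and the renew life are constructed values.

# Read a listprincs-style listing on stdin and print
# "modprinc -maxrenewlife <life> <principal>" for each principal.
# Only lines that look like a principal (no spaces, contains '@') are kept,
# which drops kadmin's "Authenticating as ..." banner. The master key
# principal K/M and the kadmin/* service principals are skipped because the
# post says to leave them alone; krbtgt/REALM@REALM is kept on purpose since
# it must carry the longest renew life of any principal.
build_modprinc_cmds() {
    life="$1"
    grep '^[^ ]*@[^ ]*$' | grep -v -e '^K/M@' -e '^kadmin/' \
        | sed "s#^#modprinc -maxrenewlife ${life} #"
}

# Constructed sample listing for the realm used in the post.
SAMPLE_PRINCS='Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
host/coma.example.com@EXAMPLE.COM
doug@EXAMPLE.COM'

# Dry run: show the commands without touching the database.
printf '%s\n' "$SAMPLE_PRINCS" | build_modprinc_cmds 2weeks

# To apply on the KDC, feed the real listing through and run each query:
#   kadmin.local -q listprincs | build_modprinc_cmds 2weeks \
#       | while read -r cmd; do kadmin.local -q "$cmd"; done
```

The KDC configuration caps renewal as well: max_renewable_life in the realm section of kdc.conf must be at least as large as the value set here, or renewals will still be refused.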

Adding Principals

 [root@coma ~] kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: addprinc -maxrenewlife 7days doug

The various addprinc options let you tune the new principal's settings at creation time, such as the maximum renewal life shown here.