Linux Tutorial for Beginners

Wednesday, February 15, 2012

How to Create the Kerberos database

Posted by Raju Gupta at 5:08 AM

Create the database with the following command.

 [root@coma ~]# kdb5_util create -s

This prompts for the KDC master database password. The -s flag also writes the master key to a stash file (/var/kerberos/krb5kdc/.k5.REALM on Red Hat systems) so that krb5kdc and kadmind can open the database at boot without anyone typing the password. You will normally enter this password only once more, when you configure a slave KDC and create its stash file, so choose something long and random and keep it in a secure place. The stash file is as sensitive as the master key itself: leave it readable by root only (kdb5_util creates it that way) and never copy it anywhere except to a slave KDC.

Add the first Administrative User

Administration in this tutorial is done as root, so the first principal to add is root/admin. The default realm is appended automatically, so the command is:
 [root@coma ~]# kadmin.local -q "addprinc root/admin"
Enter a password when prompted; you will need it every time you administer the database. kadmin.local reads the database directly and needs no ticket, which is why it works before the services are running. Whether root/admin is actually allowed to administer the database is decided by /var/kerberos/krb5kdc/kadm5.acl (see the earlier post on editing it); the stock Red Hat file grants */admin@REALM full rights.

Starting the Services
At this point enable and start the Kerberos services: kadmind (the service that kadmin and kpasswd talk to) and the KDC itself.

 [root@coma ~]# chkconfig kadmin on
 [root@coma ~]# service kadmin start
 [root@coma ~]# chkconfig krb5kdc on
 [root@coma ~]# service krb5kdc start

To test that everything is working, run kadmin, which goes through kadmind over the network rather than straight to the database. By default it authenticates as the current user with /admin appended.
 [root@coma ~]# kadmin
 Authenticating as principal root/admin@PHYSIK.UNIZH.CH with password.
 Password for root/admin@PHYSIK.UNIZH.CH:
 kadmin:  listprincs
 K/M@PHYSIK.UNIZH.CH
 kadmin/admin@PHYSIK.UNIZH.CH
 kadmin/changepw@PHYSIK.UNIZH.CH
 kadmin/history@PHYSIK.UNIZH.CH
 krbtgt/PHYSIK.UNIZH.CH@PHYSIK.UNIZH.CH
 root/admin@PHYSIK.UNIZH.CH
The other principals were created by kdb5_util: K/M holds the master key, krbtgt/REALM is the ticket-granting service, and the kadmin/* principals are used by kadmind and the password-changing service. They are required, so leave them alone.

Create a Host Principal for the KDC

Now create a host principal for the KDC. It is required for replication, because kprop authenticates to the slave with it (see the separate post on configuring a slave KDC). The principal also has to be added to the local key table, which ktadd writes to /etc/krb5.keytab unless -k names another file.
 [root@coma ~]# kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: addprinc -randkey host/coma.example.com
 NOTICE: no policy specified for host/coma.example.com@EXAMPLE.COM; assigning "default"
 Principal "host/coma.example.com@EXAMPLE.COM" created.
 kadmin: ktadd host/coma.example.com
Use the host's fully qualified name in lowercase, exactly as it resolves. Note that every run of ktadd generates a fresh random key and increments the key version number, so running it again invalidates any copy of the keytab made earlier; run it once per host.

Setup the default Policy

Create the default password policy now. Once a policy named default exists, kadmin attaches it to every new principal created without an explicit -policy (that is what the NOTICE in the previous step refers to). Principals created before the policy existed are not touched; attach them afterwards with modprinc -policy default. Policies only constrain passwords set through kadmin or kpasswd; keys generated with -randkey are unaffected.
 [root@coma ~]# kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: add_policy -maxlife 180days -minlife 2days -minlength 8 -minclasses 3 -history 10 default
You can also add other policies and apply different policies to different principals. The flags and their meaning are as follows.

Flag         Description
-maxlife     Maximum period before the password must be changed (180 days above).
-minlife     Minimum time after a password change before it can be changed again. Without it a user can change the password enough times in a row to push the old one out of the history and end up back on the same password.
-minlength   Minimum length of the password in characters (8 above).
-minclasses  Number of distinct character classes the password must contain. MIT counts five classes: lowercase letters, uppercase letters, digits, punctuation, and everything else (whitespace and non-printable characters). -minclasses 2, for example, accepts a password of lowercase letters plus at least one digit.
-history     Number of previous passwords kept; a new password may not match any of them.
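The steps so far, gathered into one script that can be re-run safely: it creates the database only if it is missing, creates the default policy before any principal so that new principals pick it up, and adds the admin and host principals only if they do not already exist. This is an added example written for this page, not the original author's procedure. It assumes MIT kadmin.local and kdb5_util on PATH, the Red Hat paths /var/kerberos/krb5kdc/principal and /etc/krb5.keytab, the realm EXAMPLE.COM and host coma.example.com from the transcripts above, and a KADMIN_CMD variable (set it to echo for a dry run) that is this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent bootstrap for a
# fresh MIT KDC on Red Hat that follows the steps above in the order that
# makes the "default" policy stick: database, policy, then principals.
# Assumptions (not stated on the page): kadmin.local and kdb5_util are on
# PATH and the Red Hat paths below are in use. KADMIN_CMD=echo dry-runs.

REALM="${REALM:-EXAMPLE.COM}"
KDC_FQDN="${KDC_FQDN:-coma.example.com}"
KDB_FILE="${KDB_FILE:-/var/kerberos/krb5kdc/principal}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
KADMIN_CMD="${KADMIN_CMD:-kadmin.local}"

# Run a single kadmin query against the local database.
kadmin_q() {
    $KADMIN_CMD -r "$REALM" -q "$*" 2>&1
}

# kdb5_util create -s prompts for the master password and writes the stash
# file (/var/kerberos/krb5kdc/.k5.$REALM) so krb5kdc can start unattended.
ensure_database() {
    if [ -f "$KDB_FILE" ]; then
        echo "database $KDB_FILE already exists"
    else
        kdb5_util -r "$REALM" create -s
    fi
}

# get_policy prints "Policy: NAME" when the policy exists.
policy_exists() {
    kadmin_q "get_policy $1" | grep -q "^Policy: $1\$"
}

# ensure_policy NAME [add_policy options...]
ensure_policy() {
    name="$1"; shift
    if policy_exists "$name"; then
        echo "policy $name already present"
    else
        kadmin_q "add_policy $* $name"
    fi
}

# get_principal prints "Principal: NAME@REALM" when the principal exists.
principal_exists() {
    kadmin_q "get_principal $1" | grep -q "^Principal: $1@$REALM\$"
}

# ensure_principal NAME [add_principal options...]
# Use -randkey for service principals; human principals prompt for a password.
ensure_principal() {
    name="$1"; shift
    if principal_exists "$name"; then
        echo "principal $name already present"
    else
        kadmin_q "add_principal $* $name"
    fi
}

# ktadd generates a fresh key (bumping the kvno) every time it runs, so only
# export the host key if the keytab does not already hold it.
ensure_keytab_entry() {
    if klist -k "$KEYTAB" 2>/dev/null | grep -q " $1@$REALM\$"; then
        echo "$1 already in $KEYTAB"
    else
        kadmin_q "ktadd -k $KEYTAB $1"
    fi
}

bootstrap_kdc() {
    ensure_database
    # Create the policy first: principals added afterwards get it by default.
    ensure_policy default -maxlife 180days -minlife 2days -minlength 8 \
        -minclasses 3 -history 10
    ensure_principal root/admin
    ensure_principal "host/$KDC_FQDN" -randkey
    ensure_keytab_entry "host/$KDC_FQDN"
}

# Run the bootstrap only when explicitly asked, so sourcing the file is safe.
if [ "${1-}" = "--run" ]; then
    bootstrap_kdc
fi
```

Run it as sh bootstrap-kdc.sh --run on the KDC. kdb5_util and addprinc root/admin still prompt for their passwords interactively, which is deliberate: nothing here accepts a password on the command line, where it would land in shell history and in ps output.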


Changing the Maximum Renewal Time

Each principal carries its own maximum renewable life. On RHEL4, new principals are created with a maximum renewable life of zero, so a client can request a renewable ticket but the KDC will never actually renew it. Every principal that should get renewable tickets has to be changed by hand. The renewable life the KDC grants is the smallest of three values: the requesting principal's maxrenewlife, the maxrenewlife of the special principal krbtgt/REALM@REALM, and max_renewable_life in the realm section of kdc.conf. Set krbtgt to the longest renewal time any principal will have, make sure kdc.conf allows at least that, and verify with kinit -r 7d followed by klist, which prints a "renew until" time once renewal actually works.
 [root@coma ~]# kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin:  modprinc -maxrenewlife 2weeks krbtgt/EXAMPLE.COM@EXAMPLE.COM
 Principal "krbtgt/EXAMPLE.COM@EXAMPLE.COM" modified.
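Because the limit has to be set on every principal individually, it is easy to miss one. The audit below reads getprinc output for all principals, flags those whose maximum renewable life is still 0 and human principals with no password policy, and prints the modprinc commands that fix them. It is an added example, not from the original post; the getprinc sample inside it is constructed and trimmed to the fields the audit reads, and WANT_RENEW and WANT_POLICY are this example's own variables.

```shell
#!/bin/sh
# Added example, not from the original post: audit the "Maximum renewable
# life" and "Policy" fields printed by kadmin getprinc and emit the modprinc
# commands needed to fix the stragglers. Assumes MIT kadmin output format
# as in the constructed sample below; the targets are this script's own.
WANT_RENEW="${WANT_RENEW:-7days}"
WANT_POLICY="${WANT_POLICY:-default}"

# Constructed sample of getprinc output for three principals, trimmed to the
# fields the audit reads (real output has more lines per principal).
SAMPLE_GETPRINC='Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 14 days 00:00:00
Attributes:
Policy: [none]
Principal: doug@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:
Policy: [none]
Principal: host/coma.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:
Policy: default'

# Read getprinc output on stdin; print "PRINCIPAL FINDING" per problem.
# "Policy:" is the last line of each getprinc record, so it closes the record.
audit_principals() {
    awk '
        /^Principal: /              { name = $2; renew = ""; pol = "" }
        /^Maximum renewable life: / { renew = $4 " " $5 " " $6 }
        /^Policy: /                 {
            pol = $2
            if (renew == "0 days 00:00:00") print name " unrenewable"
            # Service principals (anything with a "/") are keyed with
            # -randkey, so a missing password policy only matters for users.
            if (pol == "[none]" && name !~ /\//) print name " nopolicy"
        }'
}

# Turn findings into kadmin commands. Review them, then feed each line to
# kadmin.local -q.
fix_commands() {
    while read -r name finding; do
        case "$finding" in
            unrenewable) echo "modprinc -maxrenewlife $WANT_RENEW $name" ;;
            nopolicy)    echo "modprinc -policy $WANT_POLICY $name" ;;
        esac
    done
}

# Live run against the local database (not executed here):
#   kadmin.local -q list_principals | grep '^[^ ]*@[^ ]*$' \
#     | while read -r p; do kadmin.local -q "getprinc $p"; done \
#     | audit_principals | fix_commands

printf '%s\n' "$SAMPLE_GETPRINC" | audit_principals | fix_commands
```

On the sample this prints a modprinc -maxrenewlife line for doug and for the host principal and a modprinc -policy line for doug; krbtgt is left alone because its renewable life is already set and it is not a password-based principal.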

Adding Principals

 [root@coma ~]# kadmin
 Authenticating as principal root/admin@EXAMPLE.COM with password.
 Password for root/admin@EXAMPLE.COM:
 kadmin: addprinc -maxrenewlife 7days doug
Options given to addprinc override the defaults for that one principal: -maxrenewlife here, and others such as -policy, -maxlife or -expire where needed. doug is otherwise attached to the default policy created above, so the password entered at the prompt must already satisfy it.
Labels: Kerberos, kerberos configuration, kerberos database

One Response so far.

  1. for ict 99 says:
    October 10, 2019 at 7:30 PM

    Great Article
    Cyber Security Projects for CSE Students
    JavaScript Training in Chennai
    Project Centers in Chennai
© 2011 Linux Tutorial for Beginners | Designs by Web2feel & Fab Themes
