• Principal: any users, computers, and services provided by servers need to be defined as Kerberos Principals.

• Instances: are used for service principals and special administrative principals.

• Realms: the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM).

• Key Distribution Center: (KDC) consist of three parts, a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.

• Ticket Granting Ticket: issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's password which is known only to the user and the KDC.

• Ticket Granting Server: (TGS) issues service tickets to clients upon request.

• Tickets: confirm the identity of the two principals. One principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.

• Keytab Files: are files extracted from the KDC principal database and contain the encryption key for a service or host.

Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the example.com domain configured in the section called “Primary Master”.

Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine and the server differs by more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts should have their time synchronized using the Network Time Protocol (NTP). For details on setting up NTP see the section called “Time Synchronisation with NTP”.

The first step in installing a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server 

You will be asked at the end of the install to supply a name for the Kerberos and Admin servers, which may or may not be the same server, for the realm.

Next, create the new realm with the kdb5_newrealm utility:

sudo krb5_newrealm 

The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon.

Your new Kerberos Realm is now ready to authenticate clients.

1. First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:

   sudo apt-get install krb5-kdc krb5-admin-server 

2. Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:

   kadmin -q "addprinc -randkey host/kdc02.example.com" 

   	After, issuing any kadmin commands you will be prompted for your username/admin@EXAMPLE.COM principal password.

3. Extract the keytab file:

   kadmin -q "ktadd -k keytab.kdc02 host/kdc02.example.com" 

4. There should now be a keytab.kdc02 in the current directory, move the file to /etc/krb5.keytab:

   sudo mv keytab.kdc02 /etc/krb5.keytab 

   	If the path to the keytab.kdc02 file is different adjust accordingly.

   Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the klist utility:

   sudo klist -k /etc/krb5.keytab 

5. Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:

   host/kdc01.example.com@EXAMPLE.COM host/kdc02.example.com@EXAMPLE.COM 

6. Create an empty database on the Secondary KDC:

   sudo kdb5_util -s create 

7. Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used to transfer dump files:

   sudo kpropd -S 

8. From a terminal on the Primary KDC, create a dump file of the principal database:

   sudo kdb5_util dump /var/lib/krb5kdc/dump 

9. Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:

   kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com" sudo mv keytab.kdc01 /etc/kr5b.keytab 

   	Make sure there is a host for kdc01.example.com before extracting the Keytab.

10. Using the kprop utility push the database to the Secondary KDC:

    sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com 

    	There should be a SUCCEEDED message if the propagation worked. If there is an error message check /var/log/syslog on the secondary KDC for more information.

    You may also want to create a cron job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:

    # m h  dom mon dow   command 0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com 

11. Back on the Secondary KDC, create a stash file to hold the Kerberos master key:

    sudo kdb5_util stash 

12. Finally, start the krb5-kdc daemon on the Secondary KDC:

    sudo /etc/init.d/krb5-kdc start 

In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5 packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config 

The auth-client-config package allows simple configuration of PAM for authentication from multiple sources, and the libpam-ccreds will cache authentication credentials allowing you to login in case the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while on the corporate network, but will need to be accessed off the network as well.

To configure the client in a terminal enter:

sudo dpkg-reconfigure krb5-config 

You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server.

The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:

[libdefaults]         default_realm = EXAMPLE.COM ... [realms]         EXAMPLE.COM = }                                 kdc = 192.168.0.1                                admin_server = 192.168.0.1         } 

You can test the configuration by requesting a ticket using the kinit utility. For example:

kinit steve@EXAMPLE.COM Password for steve@EXAMPLE.COM: 

When a ticket has been granted, the details can be viewed using klist:

klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: steve@EXAMPLE.COM  Valid starting     Expires            Service principal 07/24/08 05:18:56  07/24/08 15:18:56  krbtgt/EXAMPLE.COM@EXAMPLE.COM         renew until 07/25/08 05:18:57   Kerberos 4 ticket cache: /tmp/tkt1000 klist: You have no tickets cached 

Next, use the auth-client-config to configure the libpam-krb5 module to request a ticket during login:

sudo auth-client-config -a -p kerberos_example 

You will should now receive a ticket upon successful login authentication.

• For more information on Kerberos see the MIT Kerberos site.

• The Ubuntu Wiki Kerberos page has more details.

• O'Reilly's Kerberos: The Definitive Guide is a great reference when setting up Kerberos.

• Also, feel free to stop by the #ubuntu-server IRC channel on Freenode if you have Kerberos questions.