Kerberos configuration
Setting up the KDC means editing a handful of files and then initialising its database.
Configuration files
The /etc/krb5.conf file
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = BEZMI.IES
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 BEZMI.IES = {
  kdc = caronte.bezmi.ies:88
  kdc = CARONTE
  admin_server = caronte.bezmi.ies:749
  default_domain = bezmi.ies
 }

[domain_realm]
 .bezmi.ies = BEZMI.IES
 bezmi.ies = BEZMI.IES

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
The /var/kerberos/krb5kdc/kdc.conf file
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
BEZMI.IES = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

The supported_enctypes list above still offers single-DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc) and RC4 (arcfour-hmac) key types. Both are cryptographically weak: MIT Kerberos removed single-DES support in release 1.18 and deprecated RC4 and 3DES in 1.19. Every principal created with addprinc (without -e) gets a key of each listed type, so on a current KDC keep only the AES types (and Camellia if something needs it).
The /var/kerberos/krb5kdc/kadm5.acl file
*/admin@BEZMI.IES *
kadmin/admin@BEZMI.IES *
root@BEZMI.IES *
krbadm@BEZMI.IES *
*/*@BEZMI.IES *

Each line is a principal pattern followed by the privileges it gets, and * means all of them. The last entry, */*@BEZMI.IES *, matches every two-component principal in the realm, including the host/ and ldap/ service principals created below, and grants it full kadmin rights: anyone holding one of those keytabs could add, delete or re-key any principal. Remove that line; the first entry, */admin@BEZMI.IES *, is the conventional way to give full rights only to /admin instances such as admin/admin.
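To make the two warnings above concrete, here is an added shell audit that is not part of the original page: it reads a kadm5.acl and a kdc.conf and reports ACL entries that hand every privilege to a wildcard-only principal pattern and deprecated key types in supported_enctypes, then prints a hardened supported_enctypes line with those types removed. The function names (audit_acl, audit_enctypes, hardened_enctypes) and the temporary sample files are this script's own; the sample contents are copied from the page's listings so the output refers to them.

```shell
#!/bin/sh
# Added example, not from the original page: audit kadm5.acl and kdc.conf
# for the two problems discussed above. Function names and the temporary
# sample files are this script's own; the sample contents come from the
# listings on the page.
set -e

# audit_acl FILE: print ACL entries that give all privileges ("*") to a
# principal pattern made only of wildcards, i.e. to every matching principal.
audit_acl() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            split($1, p, "@")                    # p[1] = principal, p[2] = realm
            name = p[1]
            gsub(/\*/, "", name); gsub(/\//, "", name)   # drop wildcards and separators
            if (name == "" && $2 == "*")
                print "all privileges for every matching principal: " $0
        }' "$1"
}

# audit_enctypes FILE: list deprecated key types in supported_enctypes.
# Single DES was removed in MIT krb5 1.18; RC4 (arcfour) and 3DES are deprecated.
audit_enctypes() {
    awk -F= '
        $1 ~ /^[ \t]*supported_enctypes[ \t]*$/ {
            n = split($2, t, " ")
            for (i = 1; i <= n; i++) {
                sub(/:.*/, "", t[i])             # strip the :normal salt type
                if (t[i] ~ /^(des|des3|arcfour)-/)
                    print "deprecated enctype offered: " t[i]
            }
        }' "$1"
}

# hardened_enctypes FILE: the same line with the deprecated types removed,
# ready to paste back into kdc.conf.
hardened_enctypes() {
    awk -F= '
        $1 ~ /^[ \t]*supported_enctypes[ \t]*$/ {
            n = split($2, t, " "); out = ""
            for (i = 1; i <= n; i++)
                if (t[i] !~ /^(des|des3|arcfour)-/) out = out " " t[i]
            print "supported_enctypes =" out
        }' "$1"
}

# Constructed sample files, copied from the listings above.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ACL="$SAMPLE_DIR/kadm5.acl"
SAMPLE_KDC="$SAMPLE_DIR/kdc.conf"
cat > "$SAMPLE_ACL" <<'EOF'
*/admin@BEZMI.IES *
kadmin/admin@BEZMI.IES *
root@BEZMI.IES *
krbadm@BEZMI.IES *
*/*@BEZMI.IES *
EOF
cat > "$SAMPLE_KDC" <<'EOF'
[realms]
BEZMI.IES = {
  #master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF

audit_acl "$SAMPLE_ACL"          # flags the */*@BEZMI.IES * line
audit_enctypes "$SAMPLE_KDC"     # flags the five DES, 3DES and RC4 types
hardened_enctypes "$SAMPLE_KDC"  # prints the AES/Camellia-only line
```

Point the three functions at the real /var/kerberos/krb5kdc/kadm5.acl and kdc.conf to check a live KDC; the awk only matches a supported_enctypes line that is spelled exactly as in the page's file, so a line with a different key name is reported as nothing at all, not as clean.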
Starting Kerberos
To start Kerberos we run:
service krb5kdc start
service kadmin start
stop and restart work the same way, to stop or restart the services respectively. Note that krb5kdc cannot start until the realm database exists, so on a fresh install create it first (next section) and then start the services.
Configuring Kerberos
We initialise the Kerberos database. The -s flag stores the master key in a stash file so that krb5kdc can start unattended without the master password being typed; the command prompts for that password:
kdb5_util create -s
We add an administrator to Kerberos:
kadmin.local -q "addprinc admin/admin"
kadmin.local -q "addprinc kadmin/admin"
kadmin.local -q "addprinc kadmin/changepw"
kadmin.local -q "addprinc root"
addprinc prompts twice for the new principal's password. kadmin/admin and kadmin/changepw are already created with random keys by kdb5_util create, so the second and third commands report that the principal already exists and can be skipped. admin/admin matches the */admin@BEZMI.IES entry in kadm5.acl, so it is the account to use with kadmin from now on.
We register the hosts
kadmin.local -q "addprinc -randkey host/caronte.bezmi.ies"
kadmin.local -q "addprinc -randkey ldap/caronte.bezmi.ies"
kadmin.local -q "ktadd -k /etc/krb5.keytab host/caronte.bezmi.ies"
kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/caronte.bezmi.ies"
kadmin.local -q "addprinc -randkey host/localhost"
kadmin.local -q "addprinc -randkey ldap/localhost"
kadmin.local -q "ktadd -k /etc/krb5.keytab host/localhost"
kadmin.local -q "ktadd -k /etc/krb5.keytab ldap/localhost"
-randkey gives the service principals a random key instead of a password, and ktadd writes that key to /etc/krb5.keytab (randomising it again in the process, which is why the kvno goes up). The keytab is now the equivalent of those services' passwords: check that it is owned by root with mode 0600, and verify its entries with klist -kte /etc/krb5.keytab.
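The eight commands above are one instance of a repeatable procedure: for every host, one principal per service, created with a random key and exported to the keytab. Here is an added script, not from the original page, that generalises it to any list of hosts and service names and then checks that each key actually landed in the keytab. The KADMIN and KLIST variables are assumptions of this script, not options of kadmin.local or klist: they let you point a dry run at echo or a stub before touching the live KDC database.

```shell
#!/bin/sh
# Added example, not code from the original page: provision the host and
# service principals for one or more machines and check that their keys
# landed in the keytab. KADMIN and KLIST are this script's own knobs (not
# kadmin.local or klist options) so a dry run can substitute "echo" or a stub.
set -e

REALM="BEZMI.IES"
SERVICES="host ldap"                      # one principal per service per host
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# principals_for HOST: print one "service/host" name per line.
principals_for() {
    for svc in $SERVICES; do
        printf '%s/%s\n' "$svc" "$1"
    done
}

# provision_host HOST: create each principal with a random key and export it.
provision_host() {
    kadmin_cmd="${KADMIN:-kadmin.local}"
    principals_for "$1" | while read -r princ; do
        # A host never types a password, so -randkey is the right choice.
        "$kadmin_cmd" -q "addprinc -randkey $princ@$REALM"
        # ktadd re-randomises the key (kvno goes up) and writes it to the keytab,
        # so the only copy of the key outside the database is this file.
        "$kadmin_cmd" -q "ktadd -k $KEYTAB $princ@$REALM"
    done
}

# check_keytab HOST: report principals of HOST that are missing from the keytab.
# Returns 1 if any are missing, so it can gate the next deployment step.
check_keytab() {
    klist_cmd="${KLIST:-klist}"
    # "klist -k" prints "KVNO Principal" rows; keep the principal column.
    present=$("$klist_cmd" -k "$KEYTAB" | awk '$2 ~ /@/ { print $2 }')
    status=0
    for princ in $(principals_for "$1"); do
        if ! printf '%s\n' "$present" | grep -Fxq "$princ@$REALM"; then
            echo "missing from $KEYTAB: $princ@$REALM"
            status=1
        fi
    done
    return $status
}

# Usage: sh provision-hosts.sh caronte.bezmi.ies [more hosts...]
# Dry run first: KADMIN=echo sh provision-hosts.sh caronte.bezmi.ies
for h in "$@"; do
    provision_host "$h"
    check_keytab "$h"
done
```

Run it as root on the KDC, since kadmin.local talks to the database directly; to enrol a host that is not the KDC, run it against kadmin -p admin/admin instead and copy the resulting keytab to that host over an authenticated channel, then check the file mode there as well.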