This is a quick guide to the Solaris 10u5 implementation of Kerberos V (based on MIT Kerberos 1.4). For more details see "Kerberos Service" in the System Administration Guide: Security Services.
Below is an extract from Chapter 21, Introduction to the Kerberos Service:
The Kerberos service is a de-facto industry standard in network security. It is a client-server architecture that provides secure transactions over networks. The service offers strong user authentication, as well as integrity and privacy. Authentication guarantees that the identities of both the sender and the recipient of a network transaction are true. The service can also verify the validity of data being passed back and forth (integrity) and encrypt the data during transmission (privacy). Using the Kerberos service, you can log in to other machines, execute commands, exchange data, and transfer files securely. Additionally, the service provides authorization services, which allow administrators to restrict access to services and machines. Moreover, as a Kerberos user, you can regulate other people's access to your account.
The Kerberos service is a single-sign-on system, which means that you only need to authenticate yourself to the service once per session, and all subsequent transactions during the session are automatically secured. After the service has authenticated you, you do not need to authenticate yourself every time you use a Kerberos-based command such as ftp or rsh, or to access data on an NFS file system. Thus, you do not have to send your password over the network, where it can be intercepted, each time you use these services.
Similar to the MIT distribution of the Kerberos V5 product, the Solaris Kerberos service includes the following:
In addition, the Solaris Kerberos service includes the following:
Kerberos is part of the Solaris 10 distribution; therefore, no additional software is necessary.
Despite its presence in the Sun documentation, kdcmgr is not available in Solaris 10u5, only in OpenSolaris. Therefore we have to use kdb5_util to create the database.
1. To begin, we modify two files: /etc/krb5/krb5.conf and /etc/krb5/kdc.conf
# vi /etc/krb5/krb5.conf
[libdefaults]
        default_realm = KRB_REALM

[realms]
        KRB_REALM = {
                kdc = kdc1.domain.com
                # kdc = ___slave_kdc1___
                admin_server = kdc1.domain.com
        }

[domain_realm]
        domain.com = KRB_REALM
        .domain.com = KRB_REALM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
        gkadmin = {
                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }

# vi /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        KRB_REALM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
2. Now we create the principal database. The -s option creates the stash file /var/krb5/.k5.<realm>
# kdb5_util create -s
3. Now edit who can do what (the kadmin ACL)
# vi /etc/krb5/kadm5.acl
<username>/admin@KRB_REALM *
kiprop/kdc2.domain.com@KRB_REALM p
4. Add principals and create the keytab for the kadmind service. The kiprop principal is needed for master/slave replication.
# /usr/sbin/kadmin.local
kadmin.local: addprinc <username>/admin
kadmin.local: addprinc -randkey host/kdc2.domain.com
kadmin.local: addprinc -randkey kiprop/kdc2.domain.com
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.domain.com
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/kdc1.domain.com
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc1.domain.com
5. Start the Kerberos daemons (the -r option recursively enables service dependencies)
# svcadm enable -r krb5kdc
# svcadm enable -r kadmin
6. Create the master KDC host principal and its keytab. Now we can use kadmin (instead of kadmin.local) for adding more principals. We should also set up password policies.
# kadmin -p <username>/admin
kadmin: addprinc -randkey host/kdc1.domain.com
kadmin: add_policy -minlength 8 -minclasses 3 -history 1 -maxlife 2009-12-01 user
kadmin: add_policy -minlength 10 -minclasses 3 -history 3 -maxlife 2009-06-01 admin
kadmin: quit
7. Configure a slave KDC on another computer
7.1. Copy krb5.conf and kdc.conf. Add a kdc line for the slave KDC to all krb5.conf files, and replace the following line in kdc.conf
sunw_dbprop_master_ulogsize = 1000
with
sunw_dbprop_slave_poll = 2m
7.2. Populate /etc/krb5/kpropd.acl file on the slave KDC with
host/kdc1.domain.com@KRB_REALM
host/kdc2.domain.com@KRB_REALM
7.3. Create the keytab
# kadmin -p <username>/admin
kadmin: ktadd host/kdc2.domain.com
kadmin: ktadd kiprop/kdc2.domain.com
kadmin: quit
7.4. Start the propagation daemon
# /usr/lib/krb5/kpropd
7.5. Create the stash file
# kdb5_util stash
7.6. Kill the propagation daemon
# pkill kpropd
7.7. Start the KDC service
# svcadm enable krb5kdc
Client configuration may be significantly simplified with DNS SRV and TXT records. SRV records are used to locate the KDC, admin (kadmin) and kpasswd services, and TXT records are used to map DNS domains to Kerberos realms; for example,
kdc1                            IN A    192.168.0.1
kdc2                            IN A    192.168.0.2
_kerberos._udp.KRB_REALM.       IN SRV  0 0 88  kdc2.domain.com.
_kerberos._tcp.KRB_REALM.       IN SRV  0 0 88  kdc2.domain.com.
_kerberos._udp.KRB_REALM.       IN SRV  1 0 88  kdc1.domain.com.
_kerberos._tcp.KRB_REALM.       IN SRV  1 0 88  kdc1.domain.com.
_kerberos-adm._udp.KRB_REALM.   IN SRV  0 0 749 kdc1.domain.com.
_kerberos-adm._tcp.KRB_REALM.   IN SRV  0 0 749 kdc1.domain.com.
_kpasswd._udp.KRB_REALM.        IN SRV  0 0 749 kdc1.domain.com.
_kerberos-master._udp.KRB_REALM. IN SRV 1 0 88  kdc1.domain.com.
_kerberos-master._tcp.KRB_REALM. IN SRV 1 0 88  kdc1.domain.com.
_kerberos.domain.com.           IN TXT  "KRB_REALM"
;_kerberos.domain1.com.         IN TXT  "KRB_REALM"
;_kerberos.domain2.com.         IN TXT  "KRB_REALM"
With the above DNS entries, krb5.conf is simplified; one may get away with a few lines. Unfortunately, Solaris pam_krb5 does not do DNS lookups for the FQDN-to-realm mapping; therefore the [domain_realm] section is still necessary. After a successful user authentication and acquisition of the TGT, pam_krb5 attempts to verify the ticket by obtaining a service ticket for the local host. It therefore requires a valid key in /etc/krb5/krb5.keytab (check with klist -k). If it fails to map the FQDN to the Kerberos realm, the following error is logged via syslog and the entire authentication process stops. See man pam_krb5 for details.
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found
Here is the minimum configuration:
# vi /etc/krb5/krb5.conf
[libdefaults]
        default_realm = KRB_REALM

[domain_realm]
        domain1.com = KRB_REALM
        .domain1.com = KRB_REALM
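As an added example (not part of the original guide), the following Python models the two lookups a client performs with the DNS records and the minimal krb5.conf above: it orders the KDCs for a service by SRV priority, and it resolves a host name to a realm through [domain_realm] the way pam_krb5 must, without DNS. The record and configuration text is a constructed copy of this page's examples; nothing here queries a real DNS server or reads /etc.

```python
import re

# Constructed copies of the page's SRV records and minimal krb5.conf (assumed input).
ZONE = """
_kerberos._udp.KRB_REALM. IN SRV 0 0 88 kdc2.domain.com.
_kerberos._udp.KRB_REALM. IN SRV 1 0 88 kdc1.domain.com.
_kpasswd._udp.KRB_REALM. IN SRV 0 0 749 kdc1.domain.com.
"""
KRB5_CONF = """
[libdefaults]
        default_realm = KRB_REALM
[domain_realm]
        domain1.com = KRB_REALM
        .domain1.com = KRB_REALM
"""
SRV_RE = re.compile(r"^(\S+)\.\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$")

def kdc_order(zone, service="_kerberos._udp", realm="KRB_REALM"):
    """(host, port) list in the order a client tries them: lowest priority first.
    RFC 2782 picks among equal priorities by weighted random choice; here equal
    priorities are simply ordered by descending weight."""
    owner = f"{service}.{realm}"
    found = []
    for line in zone.strip().splitlines():
        m = SRV_RE.match(line.strip())
        if m and m.group(1) == owner:
            prio, weight, port, target = m.group(2, 3, 4, 5)
            found.append((int(prio), -int(weight), target, int(port)))
    return [(target, port) for _, _, target, port in sorted(found)]

def domain_realm(conf):
    """Parse the [domain_realm] section of krb5.conf-style text into a dict."""
    section, mapping = None, {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping

def realm_for_host(fqdn, mapping):
    """[domain_realm] lookup as MIT krb5 documents it: the exact host name first,
    then each parent domain with a leading dot. None means no mapping, which is
    the case in which Solaris pam_krb5 (no DNS fallback) fails verification."""
    labels = fqdn.lower().split(".")
    candidates = [fqdn.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for c in candidates:
        if c in mapping:
            return mapping[c]
    return None
```

Note that with these records the slave kdc2 (priority 0) is tried before the master for ordinary ticket requests, while kpasswd always goes to kdc1.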
1. Add users. This can be done on any computer configured for Kerberos via /etc/krb5/krb5.conf or DNS. Some non-Solaris clients might require the following line in krb5.conf:
kpasswd_protocol = SET_CHANGE
# kadmin -p <username>/admin
kadmin: addprinc -policy user <username>
kadmin: quit
2. Add computers. This is done on the particular computer, configured for Kerberos via /etc/krb5/krb5.conf or DNS.
# kadmin -p <username>/admin
kadmin: addprinc -randkey host/server.domain.com
kadmin: ktadd host/server.domain.com
kadmin: quit
3. Configure PAM to use Kerberos
# vi /etc/pam.conf
login   auth     required   pam_unix_cred.so.1
login   auth     sufficient pam_krb5.so.1
login   auth     required   pam_unix_auth.so.1
other   auth     required   pam_unix_cred.so.1
other   auth     sufficient pam_krb5.so.1
other   auth     required   pam_unix_auth.so.1
other   account  required   pam_unix_account.so.1
other   account  required   pam_krb5.so.1
other   password requisite  pam_authtok_check.so.1
other   password sufficient pam_krb5.so.1
other   password required   pam_authtok_store.so.1
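An added example (not from the original page) that models how the Solaris pam.conf control flags in the stack above combine: a successful pam_krb5 short-circuits the auth stack, a Kerberos failure falls through to the local Unix password, and a password change must still pass pam_authtok_check before pam_krb5 is consulted. The evaluation is a simplified reading of pam.conf(4), and the module outcomes are supplied as constructed inputs rather than by calling real PAM modules.

```python
# Constructed excerpt of the page's pam.conf (assumed input, not read from /etc).
PAM_CONF = """
login    auth     required   pam_unix_cred.so.1
login    auth     sufficient pam_krb5.so.1
login    auth     required   pam_unix_auth.so.1
other    password requisite  pam_authtok_check.so.1
other    password sufficient pam_krb5.so.1
other    password required   pam_authtok_store.so.1
"""

def parse_stack(conf, service, module_type):
    """Return [(control_flag, module)] for one service/type, in file order."""
    stack = []
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == module_type:
            stack.append((fields[2], fields[3]))
    return stack

def evaluate(stack, outcomes):
    """Simplified model of the Solaris pam.conf(4) control flags.
    outcomes maps module name -> True (PAM_SUCCESS) / False.
    Returns (stack_result, modules_called) so the caller can see which ran."""
    required_failed = False
    called = []
    for flag, module in stack:
        ok = outcomes[module]
        called.append(module)
        if flag == "requisite" and not ok:            # fail immediately
            return False, called
        if flag in ("required", "binding") and not ok:
            required_failed = True                    # remember, keep going
        if flag in ("sufficient", "binding") and ok and not required_failed:
            return True, called                       # short-circuit success
    return not required_failed, called

def login_auth(krb5_ok, unix_ok, cred_ok=True):
    stack = parse_stack(PAM_CONF, "login", "auth")
    return evaluate(stack, {"pam_unix_cred.so.1": cred_ok,
                            "pam_krb5.so.1": krb5_ok,
                            "pam_unix_auth.so.1": unix_ok})

def change_password(policy_ok, krb5_ok, store_ok=True):
    stack = parse_stack(PAM_CONF, "other", "password")
    return evaluate(stack, {"pam_authtok_check.so.1": policy_ok,
                            "pam_krb5.so.1": krb5_ok,
                            "pam_authtok_store.so.1": store_ok})
```

The local-password fallback is what keeps accounts usable when the KDC is unreachable, but it also means a local Unix password remains a valid credential on every host configured this way.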
Obtain ksetup.exe from the Windows Support Tools. The ksetup from Windows XP works on Vista!
1. Set the default Kerberos realm
ksetup /SetRealm KRB_REALM
Important! The above command resets not only the client's workgroup but also the DNS domain to KRB_REALM. You will probably want to restore the latter to its original value. Revert it in System Properties and ensure that the checkbox about updating the DNS name suffix when domain membership changes is unchecked!
Another note: the above command is the key to making it work. The rest (except setting the machine password) can simply be added by modifying the registry. It makes the computer log into the domain (realm), even though Computer Properties show that the computer is a member of a workgroup!
2. Add the KDCs and the master KDC, which accepts user password changes
ksetup /AddKdc KRB_REALM kdc1.domain.com
ksetup /AddKdc KRB_REALM kdc2.domain.com
ksetup /AddKpasswd KRB_REALM kdc1.domain.com
The above commands will add the following entries to the registry:
3. Set the machine's password. Memorize the password because it will be required when adding the host principal to the realm
ksetup /SetComputerPassword <ComplexComputerPassword>
4. Map the Kerberos user to the local user
ksetup /MapUser <username>@KRB_REALM <username>
The above will create the following registry key:
5. Add the realm-to-DNS-domain mappings if necessary
regedt32
The settings are under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm. Create a subkey named KRB_REALM. In this subkey create a value named SpnMappings (type REG_MULTI_SZ) and assign it the following entries:
domain.com
.domain.com
The above is usually not necessary. It may also be set via Local Computer Policy under Administrative Templates/System/Kerberos.
6. Add the host/fqdn principal, with the computer password specified above, to the realm
# kadmin -p <username>/admin
kadmin: addprinc host/pc.domain.com
kadmin: addprinc -policy user <username>
kadmin: quit
7. Restart the computer. When logging in, use <username>@REALM in the User name field; for example, arkadi@KRB_REALM
To enable the NFS server to use Kerberos, do the following:
# kadmin -p arkadi/admin
kadmin: addprinc nfs/morcl.betline.ru
kadmin: ktadd nfs/morcl.betline.ru
kadmin: quit
# vi /etc/nfssec.conf
krb5    390003  kerberos_v5     default -               # RPCSEC_GSS
krb5i   390004  kerberos_v5     default integrity       # RPCSEC_GSS
krb5p   390005  kerberos_v5     default privacy         # RPCSEC_GSS
# svcadm restart nfs/server
# vi /etc/pam.conf
other   auth    required        pam_krb5.so.1
To set up a Samba server that uses Kerberos authentication:
# vi /etc/sfw/samba.conf
realm = HITECO.ORG
security = ads
encrypt passwords = yes
use kerberos keytab = yes
# kadmin -p arkadi/admin
kadmin: addprinc host/morcl.betline.ru
kadmin: addprinc cifs/morcl.betline.ru
kadmin: addprinc morcl$
kadmin: ktadd host/morcl.betline.ru
kadmin: ktadd cifs/morcl.betline.ru
kadmin: ktadd morcl$
kadmin: quit
# svcadm enable samba
# svcadm enable wins
To test the configuration, run the following on a kerberized SMB client:
# vi /etc/sfw/samba.conf
realm = HITECO.ORG
security = ads
encrypt passwords = yes
use kerberos keytab = yes
# smbclient -k \\\\morcl\\homes