Ubuntu Server Guide
Configuration
The questions asked during installation are used to configure the /etc/krb5.conf and /etc/krb5kdc/kdc.conf files. The former is used by the Kerberos 5 libraries, and the latter configures the KDC. If you need to adjust the Key Distribution Center (KDC) settings, simply edit the file and restart the krb5-kdc daemon. If you need to reconfigure Kerberos from scratch, perhaps to change the realm name, you can do so by typing:

    sudo dpkg-reconfigure krb5-kdc

Note: The manpage for krb5.conf is in the krb5-doc package.

Once the KDC is properly running, an admin user, the admin principal, is needed. It is recommended to use a different username from your everyday username. Using the kadmin.local utility, in a terminal prompt enter:

    $ sudo kadmin.local
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    kadmin.local: addprinc ubuntu/admin
    WARNING: no policy specified for ubuntu/admin@EXAMPLE.COM; defaulting to no policy
    Enter password for principal "ubuntu/admin@EXAMPLE.COM":
    Re-enter password for principal "ubuntu/admin@EXAMPLE.COM":
    Principal "ubuntu/admin@EXAMPLE.COM" created.
    kadmin.local: quit

In the above example ubuntu is the Principal, /admin is an Instance of that principal, and @EXAMPLE.COM signifies the realm. The "every day" Principal, a.k.a. the user principal, would be ubuntu@EXAMPLE.COM, and should have only normal user rights.

Note: Replace EXAMPLE.COM and ubuntu with your Realm and admin username.

Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the /etc/krb5kdc/kadm5.acl file:

    ubuntu/admin@EXAMPLE.COM *

This entry grants ubuntu/admin the ability to perform any operation on all principals in the realm.
You can configure principals with more restrictive privileges, which is convenient if you need an admin principal that junior staff can use in Kerberos clients. Please see the kadm5.acl man page for details.

Note: The extract privilege is not included in the wildcard privilege; it must be explicitly assigned. This privilege allows the user to extract keys from the database, and must be handled with great care to avoid disclosure of important keys like those of the kadmin/* or krbtgt/* principals. See the kadm5.acl man page for details.

Now restart the krb5-admin-server for the new ACL to take effect:

    sudo systemctl restart krb5-admin-server.service

The new user principal can be tested using the kinit utility:

    $ kinit ubuntu/admin
    Password for ubuntu/admin@EXAMPLE.COM:

After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: ubuntu/admin@EXAMPLE.COM

    Valid starting     Expires            Service principal
    04/03/20 19:16:57  04/04/20 05:16:57  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/04/20 19:16:55

Here the cache filename krb5cc_1000 is composed of the prefix krb5cc_ and the user id (uid), which in this case is 1000.

kinit will inspect /etc/krb5.conf to find out which KDC to contact, and its address. The KDC can also be found via DNS lookups for special TXT and SRV records. You can add these records to your example.com DNS zone:

    _kerberos._udp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
    _kerberos._tcp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
    _kerberos._udp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
    _kerberos._tcp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
    _kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1  0 749 kdc01.example.com.
    _kpasswd._udp.EXAMPLE.COM.      IN SRV 1  0 464 kdc01.example.com.

Note: Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC. See the DNS chapter for detailed instructions on setting up DNS.

A very quick and useful way to troubleshoot what kinit is doing is to set the environment variable KRB5_TRACE to a file, or stderr, and it will show extra information. The output is quite verbose, and won't be shown fully here:

    $ KRB5_TRACE=/dev/stderr kinit ubuntu/admin
    [2898] 1585941845.278578: Getting initial credentials for ubuntu/admin@EXAMPLE.COM
    [2898] 1585941845.278580: Sending unauthenticated request
    [2898] 1585941845.278581: Sending request (189 bytes) to EXAMPLE.COM
    [2898] 1585941845.278582: Resolving hostname kdc01.example.com
    (...)

Your new Kerberos Realm is now ready to authenticate clients.
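Before handing the realm to clients, it is worth checking what /etc/krb5kdc/kadm5.acl actually grants. The script below is an added example, not code from the Ubuntu Server Guide; it parses kadm5.acl entries using the privilege letters documented in the kadm5.acl man page, treats `*`/`x` as the ordinary admin set without the extract privilege (as the note above describes), and flags entries that grant `e` or give all privileges to a wildcard principal. The sample ACL is constructed, modelled on the guide's ubuntu/admin entry.

```python
"""Audit a kadm5.acl file for broad or key-extraction privileges (added
example, not the guide's own code). Entry format per the kadm5.acl man page:
    principal  privileges  [target_principal [restrictions]]
Lowercase letters grant, uppercase deny; '*'/'x' expand to admcilsp and do
NOT include 'e' (key extraction), which must be granted explicitly."""
ALL_PRIVS = frozenset("admcilsp")          # what '*' / 'x' expand to

def expand_privs(field):
    """Return (granted, unknown) letter sets for one privileges field."""
    granted, denied, unknown = set(), set(), set()
    for ch in field:
        low = ch.lower()
        if low not in "admcilspex*":
            unknown.add(ch)
        elif low in "*x":
            granted |= ALL_PRIVS
        elif ch.islower():
            granted.add(ch)
        else:                               # uppercase letter = deny
            denied.add(low)
    return granted - denied, unknown

def audit_acl(text):
    """Return [(line_no, principal, reason), ...] for entries to review."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append((n, line, "malformed entry (no privileges field)"))
            continue
        principal, (granted, unknown) = parts[0], expand_privs(parts[1])
        if unknown:
            findings.append((n, principal, "unknown privilege letters: " + "".join(sorted(unknown))))
        if "e" in granted:
            findings.append((n, principal, "can extract keys (e): exposes krbtgt/* and kadmin/* keys"))
        if granted >= ALL_PRIVS and "*" in principal:
            findings.append((n, principal, "wildcard principal holds all admin privileges"))
    return findings

# Constructed sample ACL (not a real file); line 1 mirrors the guide's entry.
SAMPLE_ACL = """\
ubuntu/admin@EXAMPLE.COM  *
*/admin@EXAMPLE.COM       *
helpdesk@EXAMPLE.COM      cpil  */support@EXAMPLE.COM
backup@EXAMPLE.COM        e
orphan/admin@EXAMPLE.COM
"""
```

Run `audit_acl(open("/etc/krb5kdc/kadm5.acl").read())` on a KDC to list the entries that deserve a second look; the guide's own `ubuntu/admin@EXAMPLE.COM *` line produces no finding because it names one principal and does not grant `e`.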