Kerberos and Windows 2003 Server

Michenaud Laurent lmichenaud at adeuza.fr
Mon Jul 26 12:23:52 EDT 2004


Hi,

I'm looking for a good tutorial on how to install and configure a Windows
2003 Server.

I have already installed the MIT Kerberos server on Linux.
I don't know if I have done it correctly (the steps I followed are
below).

On the Windows 2003 Server, I get 2 errors in the event log:
KDC_ERR_BADOPTION
KDC_ERR_S_PRINCIPAL_UNKNOWN

Any help would be appreciated.
Thx


**** File : /etc/kerberos/krb5.conf

[libdefaults]
        # Ticket lifetime as a bare integer is taken in seconds
        # (36000 = 10 h, the same as max_life in kdc.conf).
        ticket_lifetime = 36000
        default_realm = TSTADEUZA.FR
        # NOTE(review): des-cbc-crc is single DES (56-bit). des3-hmac-sha1 is
        # listed first so it is preferred; keep single DES only while a client
        # still needs it, and drop it once the Windows side negotiates 3DES.
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        TSTADEUZA.FR = {
                # NOTE(review): kerberos.tstadeuza.fr is a CNAME to beaufix in
                # the DNS section, but the only host principal created is
                # host/kerberos.tstadeuza.fr. A client that canonicalises the
                # CNAME will ask for host/beaufix.tstadeuza.fr, which is not in
                # the database -- a candidate cause of the reported
                # KDC_ERR_S_PRINCIPAL_UNKNOWN; confirm in the KDC log.
                kdc = kerberos.tstadeuza.fr:88
                admin_server = kerberos.tstadeuza.fr:749
                default_domain = tstadeuza.fr
        }

[domain_realm]
        # Both the bare domain and every host under it map to the realm.
        .tstadeuza.fr = TSTADEUZA.FR
        tstadeuza.fr = TSTADEUZA.FR

[logging]
    # The KDC log is the first place to look for the two event-log errors.
    kdc = FILE:/var/kerberos/log/krb5kdc.log
    admin_server = FILE:/var/kerberos/log/kadmin.log
    default = FILE:/var/kerberos/log/krb5lib.log

**** Link

ln -s /etc/kerberos/krb5.conf /etc/krb5.conf

***** File /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
    # 88 is the standard Kerberos v5 port; 750 is the legacy v4 port.
    kdc_ports = 88,750

[realms]
    TSTADEUZA.FR = {
        database_name = /var/kerberos/krb5kdc/principal
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        # Who may administer the database (see the kadm5.acl section).
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /var/kerberos/krb5kdc/kadm5.dict
        # Written by 'kdb5_util create -s'; holds the master key unencrypted,
        # so it must stay root-only on the KDC host.
        key_stash_file = /var/kerberos/krb5kdc/.k5.TSTADEUZA.FR
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        # NOTE: the two enctype lists below are line-wrapped by the mail
        # client; each must be a single line in the real file.
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal 
des-cbc-crc:v4
        kdc_supported_enctypes = des3-hmac-sha1:normal 
des-cbc-crc:normal des-cbc-crc:v4
    }


***** DNS Windows 2003 Server

kerberos IN CNAME beaufix
_kerberos TXT "TSTADEUZA.FR"
_kerberos._udp SRV 0 0 88 beaufix
_kerberos-master._udp SRV 0 0 88 beaufix
_kerberos-adm._tcp SRV 0 0 749 beaufix
_kpasswd._udp SRV 0 0 464 beaufix

**** Database creation

kdb5_util create -r TSTADEUZA.FR -s
Initializing database '/var/kerberos/krb5kdc/principal' for realm 
'TSTADEUZA.FR',
master key name 'K/M at TSTADEUZA.FR'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:


**** ACL : /var/kerberos/krb5kdc/kadm5.acl

#  This file represents the Access Control List for the database.
#  The format is the following:
#  Kerberos_Principal                   Permissions             Optional_Target_Principal
root/admin at TSTADEUZA.FR            *
pwchanger/admin at TSTADEUZA.FR        ADMcIL


****

$ /opt/krb5-1.3.2/sbin/kadmin.local
Authenticating as principal root/admin at TSTADEUZA.FR with password.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin 
kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES 
cbc mode with HMAC/sha1 added to keytab 
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc 
mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple 
DES cbc mode with HMAC/sha1 added to keytab 
WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc 
mode with CRC-32 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  quit


***** Each KDC needs to have a host principal in the kerberos database.

$ /opt/krb5-1.3.2/sbin/kadmin.local
kadmin.local: addprinc -randkey host/kerberos.tstadeuza.fr
WARNING: no policy specified for 
host/kerberos.tstadeuza.fr at TSTADEUZA.FR; defaulting to no policy
Principal "host/kerberos.tstadeuza.fr at TSTADEUZA.FR" created.
Quit

***** Keytab

$ /opt/krb5-1.3.2/sbin/kadmin.local
Authenticating as principal root/admin at TSTADEUZA.FR with password.
kadmin.local -q 'ktadd -k /tmp/master-krb5.keytab 
host/kerberos.tstadeuza.fr'
Entry for principal host/kerberos.tstadeuza.fr with kvno 3, encryption 
type Triple DES cbc mode with HMAC/sha1 added to keytab 
WRFILE:/tmp/master-krb5.keytab.
Entry for principal host/kerberos.tstadeuza.fr with kvno 3, encryption 
type DES cbc mode with CRC-32 added to keytab 
WRFILE:/tmp/master-krb5.keytab.
quit

# Move the keytab to its final location and symlink the default path.
# NOTE(review): the keytab holds the host's long-term keys and was first
# written under the shared /tmp directory; check owner/mode (root, 0600)
# after the move.
mv /tmp/master-krb5.keytab /etc/kerberos/krb5.keytab
ln -s /etc/kerberos/krb5.keytab /etc/krb5.keytab


***** Policy

# Password policy 'myuserspol': 90-day maximum age, 1-hour minimum age,
# at least 8 characters drawn from 3 character classes, and the last 4
# passwords remembered to block reuse.
/opt/krb5-1.3.2/sbin/kadmin.local -q 'addpol -maxlife "90 days" -minlife 
"1 hour" -minlength 8 -minclasses 3 -history 4 myuserspol'

***** Adding principal

# Creates user 'dummy' under the policy above; ******* stands for the real
# password (redacted in the post).
# NOTE(review): -pw puts the password on the command line, where it is
# visible in ps and shell history; omitting -pw makes kadmin prompt instead.
/opt/krb5-1.3.2/sbin/kadmin.local -q 'addprinc -policy myuserspol -pw 
******* dummy'
Authenticating as principal root/admin at TSTADEUZA.FR with password.
Principal "dummy at TSTADEUZA.FR" created.

To test:
/opt/krb5-1.3.2/sbin/kadmin.local -q 'getprinc dummy'

Test again:
$ /opt/krb5-1.3.2/bin/kinit dummy
password:
$ /opt/krb5-1.3.2/bin/klist





