kdc.conf and krb5.conf

Frank Dornheim conloos at googlemail.com
Thu Jun 16 04:53:09 EDT 2011


Hi list,

I asked my questions yesterday on IRC (#kerberos at freenode) but I
didn't get a full answer.

First, I have a fully working system. ;) I use Kerberos with an OpenLDAP backend.

During a review of my system I found several spelling errors in the
kdc.conf (configs are at the end of this mail), so the kdc.conf isn't
actually used by my setup. I removed the kdc.conf and my Kerberos keeps working well.

That everything works is fine, but I want to understand these points.

So my questions:

 * Is the kdc.conf obsolete?
 * Which config wins in case of a misconfiguration?
 * Which parts have to be in both configs (not the specific points -
the topics)?

Thanks Con

__krb5.conf__

# krb5.conf — read by the Kerberos libraries on every host and, together with
# kdc.conf, by krb5kdc and kadmind on the KDC.
# NOTE(review): MIT's profile parser strips one pair of surrounding double
# quotes from a value, so "true" and true are read the same way — confirm
# against the installed release rather than relying on it.
[libdefaults]
	# initial ticket lifetime; a bare number is seconds (36000 = 10 h)
	ticket_lifetime = "36000"
	default_realm = EXAMPLE.COM
	# let clients compensate for clock skew against the KDC
	kdc_timesync = "1"
	# flags requested for initial tickets
	forwardable = "true"
	# NOTE(review): "forward" is not among the documented [libdefaults]
	# keys — presumably a leftover of "forwardable" above; verify and drop.
	forward = "true"
	renewable = "true"
	proxiable = "true"
	# credential cache file format version
	ccache_type = 4

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# NOTE(review): des3-hmac-sha1 in the examples below is a legacy enctype;
# leaving these lines commented keeps the library defaults, as advised above.

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# KDC, admin server and database backend for the local realm
[realms]
	EXAMPLE.COM = {
		kdc = "kerberos.example.com:88"
		master_kdc = "kerberos.example.com:88"
		admin_server = "kerberos.example.com:749"
		default_domain = "example.com"
		# names the [dbmodules] entry below; only krb5kdc/kadmind use it
		database_module = ldap.example.com
	}

# hostname-to-realm mapping for example.com and every host beneath it
[domain_realm]
	.example.com = "EXAMPLE.COM"
	example.com = "EXAMPLE.COM"

# LDAP backend used by krb5kdc/kadmind
[dbmodules]
	ldap.example.com = {
		db_library = kldap
		ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
	# NOTE(review): indentation drops one level from here; the profile
	# parser ignores leading whitespace, so the keys below still belong to
	# this block until the closing brace — re-indent for readability.

	# the RO account
	ldap_kdc_dn = cn=krb5-kdc-srv,ou=services,dc=example,dc=com
	# this object needs to have read rights on
	# the realm container, principal container and realm sub-trees
	
	# the RW account
	ldap_kadmind_dn = cn=krb5-adm-srv,ou=services,dc=example,dc=com
	# this object needs to have read and write rights on
	# the realm container, principal container and realm sub-trees

	# stash of the bind passwords for the two DNs above (normally written
	# with kdb5_ldap_util stashsrvpw); it must be readable only by the
	# account running krb5kdc/kadmind — check owner and mode
	ldap_service_password_file = /etc/krb5kdc/service.keyfile
	# ldaps:// keeps the bind credentials and principal data under TLS;
	# do not fall back to plain ldap://
	ldap_servers = ldaps://ldap.example.com
	# connections kept open to each LDAP server
	ldap_conns_per_server = 5
	}


__kdc.conf__

# kdc.conf — read by the KDC-side programs (krb5kdc, kadmind, kdb5_util)
# alongside krb5.conf; clients do not read it
[kdcdefaults]
    # 88 is the standard Kerberos port; 750 is the legacy Kerberos v4 port
    kdc_ports = 750,88
    default_real = EXAMPLE.COM ← spelling error: default realm

# NOTE(review): with the realm name misspelled, nothing in this block can have
# applied to EXAMPLE.COM, which matches the observation that removing the
# file changed nothing — presumably defaults and krb5.conf were in effect.
[realms]
    EXAMPLE = {  <--spellinge error: EXAMPLE.COM
        database_name = /var/lib/krb5kdc/principal  ← error: my
conffig resides in LDAP
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab  ← error: i
didn't have this keytab, i found  a howto
(http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5/doc/krb5-install/Create-a-kadmind-Keytab--optional-.html),
to create this keyfile. But this keytab is obsolate?
        # kadmind access control list
        acl_file = /etc/krb5kdc/kadm5.acl
        # holds the database master key; must be readable only by the KDC user
        key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        # NOTE(review): des3-hmac-sha1 is a legacy master key type; prefer an
        # AES type if this block is ever re-enabled
        master_key_type = des3-hmac-sha1
        # NOTE(review): this list issues single-DES (des-cbc-crc, des:*) and
        # arcfour-hmac keys alongside AES; those are weak, legacy enctypes.
        # If this block is ever re-enabled, keep the AES types and drop the
        # rest once no client still depends on them.
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal
des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm
des:onlyrealm des:afs3
        # +preauth requires pre-authentication for newly created principals
        default_principal_flags = "+forwardable +preauth +renewable
+pwservice +service"
    }



