kdc.conf and krb5.conf
Frank Dornheim
conloos at googlemail.com
Thu Jun 16 04:53:09 EDT 2011
Hi list,
I asked my questions yesterday on IRC (#kerberos at freenode) but I
didn't get a full answer.
First, I have a fully working system. ;) I use Kerberos with an OpenLDAP backend.
In a review of my system I found several spelling errors (configs are
at the end of this mail) in the kdc.conf, so the kdc.conf isn't used
by my config. I removed the kdc.conf and my Kerberos is working well.
That all is working is fine, but I want to understand these points.
So my questions:
* Is the kdc.conf obsolete?
* Which config is the winner on a misconfiguration?
* Which parts have to be in both configs (not the specific points -
the topics)?
Thanks, Con
__krb5.conf__
[libdefaults]
ticket_lifetime = "36000"
default_realm = EXAMPLE.COM
kdc_timesync = "1"
forwardable = "true"
forward = "true"
renewable = "true"
proxiable = "true"
ccache_type = 4
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
[realms]
EXAMPLE.COM = {
kdc = "kerberos.example.com:88"
master_kdc = "kerberos.example.com:88"
admin_server = "kerberos.example.com:749"
default_domain = "example.com"
database_module = ldap.example.com
}
[domain_realm]
.example.com = "EXAMPLE.COM"
example.com = "EXAMPLE.COM"
[dbmodules]
ldap.example.com = {
db_library = kldap
ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
# the RO account
ldap_kdc_dn = cn=krb5-kdc-srv,ou=services,dc=example,dc=com
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
# the RW account
ldap_kadmind_dn = cn=krb5-adm-srv,ou=services,dc=example,dc=com
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldaps://ldap.example.com
ldap_conns_per_server = 5
}
__kdc.conf__
[kdcdefaults]
kdc_ports = 750,88
default_real = EXAMPLE.COM <-- spelling error: default_realm
[realms]
EXAMPLE = { <-- spelling error: EXAMPLE.COM
database_name = /var/lib/krb5kdc/principal <-- error: my config resides in LDAP
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab <-- error: I didn't have this keytab; I found a howto
(http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5/doc/krb5-install/Create-a-kadmind-Keytab--optional-.html)
to create this keyfile. But is this keytab obsolete?
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/.k5.EXAMPLE.COM
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = "+forwardable +preauth +renewable +pwservice +service"
}
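A way to catch the two kinds of slip the post describes (a misspelled relation name such as default_real, and a realm block whose name does not match default_realm) before the KDC silently ignores them. This is an added example, not code from the original message or from MIT Kerberos: the two profiles embedded below are constructed to mirror the poster's files (wrapped lines joined, some relations omitted), the parser implements only the [section] / key = value / name = { ... } syntax those files use, and KNOWN_RELATIONS is built from the correctly spelled names in those files, not from MIT's full schema.

```python
"""Lint a krb5.conf / kdc.conf pair for misspelled relation names and
realm blocks that do not match default_realm.

Added example, not part of the original message. The profiles and the
KNOWN_RELATIONS table are constructed from the poster's configs."""
import difflib
import re

# Constructed to mirror the poster's krb5.conf (shortened).
KRB5_CONF = """\
[libdefaults]
    ticket_lifetime = "36000"
    default_realm = EXAMPLE.COM
    forwardable = "true"
    renewable = "true"
[realms]
    EXAMPLE.COM = {
        kdc = "kerberos.example.com:88"
        admin_server = "kerberos.example.com:749"
        default_domain = "example.com"
        database_module = ldap.example.com
    }
[domain_realm]
    .example.com = "EXAMPLE.COM"
"""

# Constructed to mirror the poster's kdc.conf, typos included.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
    default_real = EXAMPLE.COM
[realms]
    EXAMPLE = {
        database_name = /var/lib/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
        max_life = 10h 0m 0s
        default_principal_flags = "+forwardable +preauth +renewable"
    }
"""

# Correctly spelled names taken from the poster's files (assumption: this
# is the vocabulary we want to check against, not MIT's complete list).
KNOWN_RELATIONS = {
    "libdefaults": {"ticket_lifetime", "default_realm", "forwardable", "renewable"},
    "kdcdefaults": {"kdc_ports", "default_realm"},
    "realm": {"kdc", "admin_server", "default_domain", "database_module",
              "database_name", "acl_file", "max_life", "default_principal_flags"},
}


def parse_profile(text):
    """Parse profile syntax into {section: {key: value | {subkey: value}}}.
    '#' comments and blank lines are skipped; quotes around values are dropped."""
    sections = {}
    stack = []  # innermost dict first pushed is the current [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation outside any [section]: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value.strip('"')
    return sections


def find_unknown_relations(profile, filename):
    """Return (file, location, bad_name, suggestion) for names not in KNOWN_RELATIONS.
    Sections with no entry in the table (e.g. domain_realm) are not checked."""
    findings = []

    def check(name, scope, where):
        known = KNOWN_RELATIONS.get(scope)
        if known is None or name in known:
            return
        close = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
        findings.append((filename, where, name, close[0] if close else None))

    for section, body in profile.items():
        for key, value in body.items():
            if isinstance(value, dict):  # a realm block: check its relations
                for sub in value:
                    check(sub, "realm", "%s/%s" % (section, key))
            else:
                check(key, section, section)
    return findings


def find_realm_mismatches(krb5, profiles):
    """Return (file, realm, default_realm) for [realms] blocks whose name
    differs from libdefaults.default_realm in krb5.conf."""
    default = krb5.get("libdefaults", {}).get("default_realm")
    return [(filename, realm, default)
            for filename, profile in profiles
            for realm in profile.get("realms", {})
            if realm != default]


def lint(krb5_text, kdc_text):
    krb5, kdc = parse_profile(krb5_text), parse_profile(kdc_text)
    return {
        "unknown": find_unknown_relations(krb5, "krb5.conf")
                   + find_unknown_relations(kdc, "kdc.conf"),
        "realm_mismatch": find_realm_mismatches(
            krb5, [("krb5.conf", krb5), ("kdc.conf", kdc)]),
    }


if __name__ == "__main__":
    for kind, items in lint(KRB5_CONF, KDC_CONF).items():
        for item in items:
            print(kind, item)
```

Run against the two constructed profiles it reports exactly the two slips from the post: default_real in kdc.conf [kdcdefaults] (suggesting default_realm) and the realm block EXAMPLE, which does not match default_realm EXAMPLE.COM. Pointing it at real files is a matter of reading them into the two text arguments of lint().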