krb5 1.16 on FreeBSD, multi realms

Cory Albrecht cory at albrecht.name
Sat Aug 18 18:58:31 EDT 2018


Hello all,

I'm trying to replicate my Ubuntu kerberos servers in FreeBSD 11.2 as I
move things from AWS to Digital Ocean. I'm using 1.16 in both places, but
on FreeBSD the programmes do not seem to honour the database_name field in
kdc.conf. Not in the [realms] section, nor in the [dbmodules] section.

Using kdb5_util with the -d option creates the database files in the intended
location, but kadmin.local and kadmind both complain that the database cannot be
found at the built-in default location (/usr/local/var/krb5kdc) — which suggests
they are not picking up the database_name settings at all.

I need this feature because I run multiple realms.

Has anybody gotten this to work on FreeBSD? Thanks in advance.

My /usr/local/etc/krb5kdc/kdc.conf:
# KDC-wide defaults, read by krb5kdc, kadmind, kadmin.local and kdb5_util.
# NOTE(review): MIT krb5 looks for this file at LOCALSTATEDIR/krb5kdc/kdc.conf
# (presumably /usr/local/var/krb5kdc/kdc.conf on this install) unless
# KRB5_KDC_PROFILE points elsewhere; this file lives under
# /usr/local/etc/krb5kdc, so confirm it is actually being read — the daemons
# falling back to built-in defaults would explain the symptoms described above.
[kdcdefaults]
# 88 is the standard KDC port; 750 is the legacy (Kerberos IV era) port.
kdc_ports = 750,88
# NOTE(review): default_realm, allow_weak_crypto, ticket_lifetime and
# renew_lifetime are krb5.conf [libdefaults] settings rather than documented
# [kdcdefaults] keys; the KDC presumably ignores them here — verify against
# krb5.conf on this host.
default_realm = CORY.ALBRECHT.NAME
# SECURITY: allow_weak_crypto = true re-enables DES and other weak enctypes
# (the secure default has been false since krb5 1.8). Keep it only while a
# specific legacy client still requires it, and plan to remove it.
allow_weak_crypto = true
ticket_lifetime = 7d 0h 0m 0s
renew_lifetime = 60d 0h 0m 0s

# Per-realm KDC settings. Both realms are served from the same host
# (authns1.do.hanfastolfe.com).
# NOTE(review): kadmind serves a single realm per process (kadmind -r REALM),
# and kadmin.local likewise needs -r to pick a non-default realm; running two
# kadmind instances on one host presumably needs a distinct kadmind_port per
# realm (the default for both is 749) — confirm before going live.
[realms]
HANFASTOLFE.COM = {
# NOTE(review): per the MIT docs this database_name is only a fallback used
# when the realm's [dbmodules] stanza does not set one; the [dbmodules] value
# below is the authoritative one.
database_name = /usr/local/var/krb5kdc/hanfastolfe.com/principal
admin_keytab = FILE:/usr/local/etc/krb5kdc/hanfastolfe.com/kadm5.keytab
acl_file = /usr/local/etc/krb5kdc/hanfastolfe.com/kadm5.acl
# SECURITY: the stash file holds the master key in the clear; it must be
# readable only by the account that runs krb5kdc/kadmind (mode 0600) and must
# never be copied into backups or images that leave the KDC host.
key_stash_file = /usr/local/etc/krb5kdc/hanfastolfe.com/stash
admin_server = authns1.do.hanfastolfe.com
master_kdc = authns1.do.hanfastolfe.com
kdc = authns1.do.hanfastolfe.com
default_domain = hanfastolfe.com
kdc_ports = 750,88
# SECURITY: a 60-day maximum ticket lifetime means a stolen TGT or service
# ticket stays usable for up to 60 days; the other realm below caps tickets at
# 10h, which is the more defensible setting unless there is a documented need.
max_life = 60d 0h 0m 0s
max_renewable_life = 60d 0h 0m 0s
# SECURITY: aes256-cts-hmac-sha1-96 is the MIT default master key type and
# the recommended choice; des3 is weaker and slated for deprecation in later
# releases. Changing this on an existing database is a master-key rollover
# (kdb5_util add_mkey/use_mkey/update_princ_encryption), not just an edit here.
master_key_type = des3-hmac-sha1
# NOTE(review): with supported_enctypes left commented out, the 1.16 default
# presumably still includes des3-cbc-sha1 and arcfour-hmac-md5 key types for
# newly created principals; enabling the AES-only line below (and re-keying
# existing principals) removes those.
#supported_enctypes = aes256-cts:normal aes128-cts:normal
# Requiring pre-authentication for every new principal blocks offline
# AS-REP brute forcing of principals' long-term keys.
default_principal_flags = +preauth
}
CORY.ALBRECHT.NAME = {
# NOTE(review): see the HANFASTOLFE.COM stanza — same fallback semantics; the
# [dbmodules] database_name is the authoritative one.
database_name = /usr/local/var/krb5kdc/cory.albrecht.name/principal
admin_keytab = FILE:/usr/local/etc/krb5kdc/cory.albrecht.name/kadm5.keytab
acl_file = /usr/local/etc/krb5kdc/cory.albrecht.name/kadm5.acl
# SECURITY: master key in the clear; KDC-account-only permissions, never
# backed up off-host.
key_stash_file = /usr/local/etc/krb5kdc/cory.albrecht.name/stash
admin_server = authns1.do.hanfastolfe.com
master_kdc = authns1.do.hanfastolfe.com
kdc = authns1.do.hanfastolfe.com
kdc_ports = 750,88
# 10h tickets, 7d renewal: the conventional, short-exposure configuration.
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# SECURITY: prefer aes256-cts-hmac-sha1-96 (the MIT default); see the note in
# the HANFASTOLFE.COM stanza about rolling the master key on an existing DB.
master_key_type = des3-hmac-sha1
# NOTE(review): commented out — new principals get the 1.16 default key-type
# list, which presumably still includes des3 and RC4.
#supported_enctypes = aes256-cts:normal aes128-cts:normal
# Require pre-authentication for every new principal.
default_principal_flags = +preauth
}

# Log destinations. kdc.log carries AS/TGS request outcomes and kadmin.log
# carries administrative changes — both are the primary evidence for
# detecting credential abuse, so retain them and ship them off-host.
# NOTE(review): krb5 presumably does not create /var/log/krb5 itself; make
# sure the directory exists, is writable by the KDC account, and is not
# world-readable (the logs name principals and client addresses).
[logging]
default = FILE:/var/log/krb5/krb5.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log

# Database module stanzas. A realm selects its stanza via database_module in
# [realms], which per the MIT docs defaults to the realm name — so these
# names should line up with the realms above without an explicit setting.
# This database_name is the one the DB2 module actually honours; the copies
# in [realms] are only fallbacks.
# SECURITY: the DB2 files (principal, principal.ok, principal.kadm5 and the
# .lock file) hold every principal's long-term keys, protected only by the
# master key; keep each realm's directory readable solely by the account that
# runs krb5kdc/kadmind, and back it up only to an equally protected location.
[dbmodules]
HANFASTOLFE.COM = {
database_name = /usr/local/var/krb5kdc/hanfastolfe.com/principal
db_library = db2
}
CORY.ALBRECHT.NAME = {
database_name = /usr/local/var/krb5kdc/cory.albrecht.name/principal
db_library = db2
}

