Installing heimdal-kdc

Lothar Schilling ls at proasyl.de
Fri Mar 8 06:12:39 EST 2019


Hi,

I got stuck again with putting heimdal-kdc to work.

/etc/heimdal-kdc/kdc.conf
[kdcdefaults]
[realms]
    MYDOMAIN.DE = {
        database_name = /var/lib/heimdal-kdc/heimdal.db
        #admin_keytab = FILE:/etc/heimdal-kdc/kadm5.keytab
        acl_file = /etc/heimdal-kdc/kadmind.acl
        #key_stash_file = /etc/heimdal-kdc/stash
        kdc = kdc.mydomain.de
        admin_server = kdc.mydomain.de
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmind.log

/etc/kdc.conf
[realms]
    MYDOMAIN.DE = {
        kdc = kdc.mydomain.de
        admin_server = kdc.mydomain.de
        default_domain = mydomain.de
    }
[domain_realm]
    .mydomain.de = MYDOMAIN.DE
    mydomain.de = MYDOMAIN.DE

/etc/heimdal-kdc/kadmind.acl
*/admin@MYDOMAIN.DE    *
*@MYDOMAIN.DE        il

KCM and KDC are up and running, ps ax:

/usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
/usr/sbin/kcm --detach

netstat -tulpen
tcp        0      0 192.168.27.3:88         0.0.0.0:*               LISTEN      0          1059909    16596/kdc
tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      0          1059908    16596/kdc
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      0          1060381    16715/inetd
udp        0      0 192.168.27.3:464        0.0.0.0:*                           0          1060878    16599/kpasswdd
udp        0      0 127.0.0.1:464           0.0.0.0:*                           0          1060877    16599/kpasswdd
udp        0      0 192.168.27.3:88         0.0.0.0:*                           0          1059907    16596/kdc
udp        0      0 127.0.0.1:88            0.0.0.0:*                           0          1059906    16596/kdc

Having initiated the database I logged in locally (kadmin -l). There is
no such command as "add_principals" or "addprinc". Available are:
stash, kstash / dump / init / load / merge / add, ank, add_new_key /
passwd, cpw, change_password / delete, del, del_entry / del_enctype /
add_enctype / ext_keytab / get, get_entry / rename / modify /
privileges, privs / list / verify-password-quality, pwq / check / lock/
unlock / help, ? /  exit, quit /

So I used "add root/admin". Then I logged in again via "kadmin -p
root/admin" or simply "kadmin" and issued a command, let's say "add
[user]". I was asked for root/admin@MY.DOMAIN's password. After having
entered the password what I got is:
kadmin: kadm5_create_principal: Operation requires `add' privilege
kadmin: adding fh: Operation requires `add' privilege

Also nothing gets logged in /var/log/kadmind.log.

Appreciating help very much, thank you!

Lothar Schilling

Am 07.03.2019 um 12:35 schrieb Lothar Schilling:
> Thank you for putting me on the right track though I had to modify
> your instructions:
>
> _kerberos._udp          IN      SRV     0       0       88      kdc.mydomain.de.
> _kerberos._tcp          IN      SRV     0       0       88      kdc.mydomain.de.
> _kerberos-adm._tcp      IN      SRV     0       0       749     kdc.mydomain.de.
>
> A record for *_kerberos-adm._tcp* is required, too.
>
> Am 06.03.2019 um 14:47 schrieb Jeffrey Hutzelman:
>>
>> You need to tell the Kerberos library where to find your kdc. You
>> have basically two options:
>>
>>
>> 1) Add the following to /etc/krb5.conf on every client:
>>
>>
>> [realms]
>>
>> MYDOMAIN.DE = {
>>
>>   kdc = kdc.mydomain.de:88
>>
>> }
>>
>>
>>
>> 2) Publish SRV records in DNS:
>>
>>
>> _kerberos._udp.mydomain.de IN SRV kdc.mydomain.de 88 1 1
>>
>> _kerberos._tcp.mydomain.de IN SRV kdc.mydomain.de 88 1 1
>>
>>
>>
>> I strongly recommend the SRV approach, particularly if you have a lot
>> of clients, or expect any that you don't directly control.
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Lothar Schilling <ls at proasyl.de>
>> *Sent:* Wednesday, March 6, 2019 08:30
>> *To:* kerberos at mit.edu
>> *Subject:* Installing heimdal-kdc
>>
>> Hi,
>>
>> being a newbie to kerberos I am trying to setup heimdal-kdc 7.1.0 on a
>> Debian 9.8 VM. Heimdal because we need Kerberos to be compliant with
>> Samba 4 acting as an ADDC. So here's what I did:
>>
>> apt-get install heimdal-kdc. It's up and running: ps ax =>
>> /usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
>> systemctl stop heimdal-kdc
>>
>> /etc/heimdal-kdc/kdc-conf
>> [libdefaults]
>>         default_realm = MYDOMAIN.DE
>> [domain_realm]
>>         .MYDOMAIN.DE = MYDOMAIN.DE
>> [logging]
>> kdc = FILE:/var/log/heimdal-kdc.log
>> [kdc]
>> database = {
>>   dbname = /var/lib/heimdal-kdc/heimdal
>>   kdc = KDC.MYDOMAIN.DE:88
>>   realm = MYDOMAIN.DE
>>   mkey_file = /var/lib/heimdal-kdc/m-key
>>   acl_file = /etc/heimdal-kdc/kadmind.acl
>>   log_file = /var/lib/heimdal-kdc/log
>> }
>>
>> systemctl start heimdal-kdc
>>
>> kadmin -l is working, list * is giving me this:
>> admin
>> default
>> kadmin/admin
>> kadmin/hprop
>> kadmin/changepw
>> krbtgt/MYDOMAIN.DE
>> changepw/kerberos
>> WELLKNOWN/ANONYMOUS
>> WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
>>
>> But /kadmin/ (not-local) is not: kadm5_init_with_password: No KDC found
>> for realm MYDOMAIN.DE.
>>
>> I thought it might be DNS-related, so I made sure nsswitch.conf fits the
>> bill, added the server's name to /etc/hosts. I even set up bind9 on that
>> very machine:
>> KDC.MYDOMAIN.DE.     43200   IN      A       192.168.27.3
>> Also made sure Kerberos is listening on port 88. I even tried localhost
>> and IP address instead of KDC.MYDOMAIN.DE in kdc.conf - didn't help
>> either.
>>
>> I've been trying now for 2 days, it's driving me nuts. Would anybody
>> please enlighten me what kind of mistake I make?
>>
>> Thank you
>>
>> Lothar Schilling
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
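The "Operation requires `add' privilege" error above is what kadmind reports when the ACL it actually loaded grants the authenticated principal nothing for the requested operation, so the first thing to check is how the ACL file parses. The following is an added example, not code from the thread or from Heimdal: a small evaluator for a kadmind.acl in the Heimdal format as I understand it from the kadmind(8) documentation (one entry per line: principal pattern, a rights word, optionally a target-principal pattern; rights are `all` or a comma-separated list of `add`, `change-password`/`cpw`, `delete`, `get`, `list`, `modify`; patterns use shell-style wildcards). The sample ACL is constructed here and is modelled on the one in the thread; treating the MIT-style letter code `il` as an unparseable token, and matching patterns with `fnmatch`, are assumptions of this example rather than a statement of what Heimdal's parser does line for line.

```python
"""Evaluate a Heimdal-style kadmind.acl (added example, not from the thread).

Assumed format (Heimdal kadmind(8), as recalled; treat as an assumption):
    principal-pattern   rights   [target-principal-pattern]
rights is "all" or a comma-separated list drawn from
add, change-password (alias cpw), delete, get, list, modify.
"""
from fnmatch import fnmatchcase

RIGHTS = {"add", "change-password", "delete", "get", "list", "modify"}
ALIASES = {"cpw": "change-password"}
ALL = frozenset(RIGHTS)

# Constructed sample modelled on the ACL posted in the thread. The second
# entry uses MIT-style letter codes ("il"), which this parser rejects.
SAMPLE_ACL = """\
# comments and blank lines are ignored
*/admin@MYDOMAIN.DE    all
*@MYDOMAIN.DE          il
helpdesk@MYDOMAIN.DE   cpw,get   *@MYDOMAIN.DE
"""


def parse_rights(token):
    """Return a frozenset of rights, or None if the token is not a known right."""
    if token == "all":
        return ALL
    rights = set()
    for r in token.split(","):
        r = ALIASES.get(r, r)
        if r not in RIGHTS:
            return None
        rights.add(r)
    return frozenset(rights)


def parse_acl(text):
    """Parse ACL text into (entries, problems).

    entries: list of (principal_pattern, rights, target_pattern or None)
    problems: list of (line_number, message) for lines that were skipped,
              the way a malformed entry silently grants nothing.
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            problems.append((lineno, "expected 2 or 3 fields"))
            continue
        rights = parse_rights(parts[1])
        if rights is None:
            problems.append((lineno, f"unknown rights token {parts[1]!r}"))
            continue
        target = parts[2] if len(parts) == 3 else None
        entries.append((parts[0], rights, target))
    return entries, problems


def rights_for(entries, principal, target=None):
    """Union of rights granted to `principal`.

    If `target` is given, entries carrying a target pattern apply only when
    the target matches it; without a target, only unrestricted entries count.
    """
    granted = set()
    for pattern, rights, target_pattern in entries:
        if not fnmatchcase(principal, pattern):
            continue
        if target_pattern is not None:
            if target is None or not fnmatchcase(target, target_pattern):
                continue
        granted |= rights
    return frozenset(granted)


def explain(entries, principal, right, target=None):
    """Return the kadmind-style verdict for one requested operation."""
    if right in rights_for(entries, principal, target):
        return f"{principal}: '{right}' permitted"
    return f"{principal}: Operation requires `{right}' privilege"


if __name__ == "__main__":
    acl_entries, acl_problems = parse_acl(SAMPLE_ACL)
    for lineno, msg in acl_problems:
        print(f"kadmind.acl line {lineno}: {msg} (entry ignored)")
    print(explain(acl_entries, "root/admin@MYDOMAIN.DE", "add", "fh@MYDOMAIN.DE"))
    print(explain(acl_entries, "fh@MYDOMAIN.DE", "list"))
```

Run against the real file with `parse_acl(open("/etc/heimdal-kdc/kadmind.acl").read())` and look at `problems` first: an entry that does not parse grants nothing, which produces exactly the "requires `add' privilege" message even though the line looks like it should match. Also confirm that the file you are editing is the one kadmind loads; in the thread, `acl_file` moved from the `[kdc]` section of the first mail to a `[realms]` block in the second, and kadmind only honours the location it is actually configured to read.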