Kerberos

Discussion in 'Server Operation' started by alex123, Apr 15, 2011.

  1. alex123

    alex123 New Member

    Hi,
    I am trying to set up Kerberos authentication for a website hosted on Apache 2 on Debian Linux.

    I have installed the apache module libapache2-mod-auth-kerb but I am getting the following error in apache:

    [Thu Apr 14 16:53:49 2011] [error] [client 10.0.0.153] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table file '/etc/krb5.keytab' not found)

    How do I go about creating the keytab file it is looking for?

    What is it supposed to contain?

    From what I have read I am supposed to use the `ktpass` tool to create it, but this command does not work on my server; it says `command not found`.

    Thanks
     
  2. tusshar

    tusshar New Member

    Try This

    To begin setting up a KDC, ensure that your /etc/rc.conf file contains the correct settings to act as a KDC (you may need to adjust paths to reflect your own system):
    kerberos5_server_enable="YES"
    kadmind5_server_enable="YES"

    Next we will set up your Kerberos config file, /etc/krb5.conf:
    [libdefaults]
    default_realm = EXAMPLE.ORG
    [realms]
    EXAMPLE.ORG = {
    kdc = kerberos.example.org
    admin_server = kerberos.example.org
    }
    [domain_realm]
    .example.org = EXAMPLE.ORG
    Note that this /etc/krb5.conf file implies that your KDC will have the fully-qualified hostname of kerberos.example.org. You will need to add a CNAME (alias) entry to your zone file to accomplish this if your KDC has a different hostname.
    [libdefaults]
    default_realm = EXAMPLE.ORG
    _kerberos._udp IN SRV 01 00 88 kerberos.example.org.
    _kerberos._tcp IN SRV 01 00 88 kerberos.example.org.
    _kpasswd._udp IN SRV 01 00 464 kerberos.example.org.
    _kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org.
    _kerberos IN TXT EXAMPLE.ORG

    After installing the /etc/krb5.conf file, you can use kadmin from the Kerberos server. The add --random-key command will let you add the server's host principal, and the ext command will allow you to extract the server's host principal to its own keytab. For example:
    # kadmin
    kadmin> add --random-key host/myserver.example.org
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Attributes []:
    kadmin> ext host/myserver.example.org
    kadmin> exit


    The rc.conf must also be modified to contain the following configuration:
    kerberos5_server="/usr/local/sbin/krb5kdc"
    kadmind5_server="/usr/local/sbin/kadmind"
    kerberos5_server_enable="YES"
    kadmind5_server_enable="YES"
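
A triage helper for the error quoted in the first post, as an added example that is not part of either forum post: it pulls the keytab path out of the `gss_acquire_cred()` message and checks that the file exists and grants no permissions to "other" users, since a keytab holds the service's long-term keys. The function names, the permission policy and the log path in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage the "Key table file ... not found" error from the thread.

# Constructed sample: the error line quoted in the first post.
SAMPLE_LOG="[Thu Apr 14 16:53:49 2011] [error] [client 10.0.0.153] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table file '/etc/krb5.keytab' not found)"

# Print the keytab path named in a "Key table file '...' not found" message.
# Prints nothing and returns 1 if the line carries no such message.
keytab_from_error() {
    kt_path=$(printf '%s\n' "$1" |
        sed -n "s/.*Key table file '\([^']*\)' not found.*/\1/p")
    [ -n "$kt_path" ] || return 1
    printf '%s\n' "$kt_path"
}

# Classify a keytab file: missing | world-accessible | ok.
# Any permission bit for "other" is flagged (policy assumed by this example).
check_keytab() {
    if [ ! -f "$1" ]; then
        echo missing
        return 0
    fi
    mode=$(ls -ld -- "$1" | cut -c1-10)   # e.g. -rw-r-----
    other=${mode#???????}                 # last three characters: "other" bits
    if [ "$other" != "---" ]; then
        echo world-accessible
    else
        echo ok
    fi
}

# Read an Apache error log on stdin; report each distinct keytab path once.
# Usage (log path is an assumption): triage_log < /var/log/apache2/error.log
triage_log() {
    while IFS= read -r line; do
        keytab_from_error "$line" || true   # skip lines without the message
    done | sort -u | while IFS= read -r kt; do
        printf '%s: %s\n' "$kt" "$(check_keytab "$kt")"
    done
}
```

A `missing` result matches the situation in the first post; `world-accessible` means any local account can read the service keys.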
     
