CAS and Kerberos
Child pages
  • Installing and configuring the Kerberos server (archive)

Version comparison


...

in the /etc/selinux/config file (or simply SELINUX=permissive).

Kerberos configuration

A few configuration files are edited to create the UNIV-RENNES1.FR realm. Note that the enctype lists below (des-cbc-crc, des3-hmac-sha1, rc4-hmac/arcfour-hmac) date from when this page was written: single DES is broken and was removed from MIT Kerberos in release 1.18, and 3DES and RC4 are disabled by default since release 1.21, so a new deployment should keep only the AES types (aes256-cts, aes128-cts) and drop the Kerberos v4 compatibility settings.

/etc/krb5.conf

Code block
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UNIV-RENNES1.FR
 default_etypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UNIV-RENNES1.FR = {
  kdc = kerb.ifsic.univ-rennes1.fr:88
  admin_server = kerb.ifsic.univ-rennes1.fr:749
  default_domain = univ-rennes1.fr
 }

[domain_realm]
 .univ-rennes1.fr = UNIV-RENNES1.FR
 univ-rennes1.fr = UNIV-RENNES1.FR

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

(In the block above, default_etypes is a Heimdal option; MIT libkrb5 reads default_tkt_enctypes and default_tgs_enctypes and ignores the unknown key.)

/var/kerberos/krb5kdc/kdc.conf

Code block
[kdcdefaults]
 v4_mode = nopreauth
 kdc_ports = 88,750
 kdc_tcp_ports = 88

[realms]
 UNIV-RENNES1.FR = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 rc4-hmac:normal
 }

v4_mode, port 750 and the :v4 and :afs3 salt types exist only for Kerberos v4 compatibility, which MIT Kerberos removed in release 1.8; they can be dropped. Uncommenting master_key_type = aes256-cts makes the database master key AES rather than the (weaker) compiled-in default of old releases. dict_file is worth keeping: kadmin rejects principal passwords found in that word list.
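To make the enctype point above concrete, here is an added example (not code from the original page or from MIT Kerberos): a small Python checker that parses krb5.conf/kdc.conf stanza files and reports every weak encryption type. WEAK_CONF is a constructed copy of the enctype lines from the two files above; HARDENED_CONF is an AES-only alternative proposed here as an assumption, not taken from the page.

```python
"""Lint the encryption types configured in MIT Kerberos krb5.conf / kdc.conf.

Added example, not part of the original page. The two sample configs are
constructed inline: WEAK_CONF copies the page's enctype lines, HARDENED_CONF
is an assumed AES-only replacement.
"""
import re

# Enctypes MIT Kerberos documents as weak or removed: single DES was removed
# in release 1.18; 3DES and RC4 are disabled by default since release 1.21
# (re-enabling them needs allow_weak_crypto = true, which is not recommended).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd",
    "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5",
    "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp",
}

# Keys whose value is a list of enctypes (default_etypes is a Heimdal key,
# but it is linted too since the page uses it).
ENCTYPE_KEYS = {
    "default_etypes", "default_tkt_enctypes", "default_tgs_enctypes",
    "permitted_enctypes", "supported_enctypes", "master_key_type",
}

# Constructed copy of the enctype-related lines from the page's two files.
WEAK_CONF = """
[libdefaults]
 default_realm = UNIV-RENNES1.FR
 default_etypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UNIV-RENNES1.FR = {
  kdc = kerb.ifsic.univ-rennes1.fr:88
  admin_server = kerb.ifsic.univ-rennes1.fr:749
  #master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 rc4-hmac:normal
 }
"""

# Assumed hardened version: no client-side enctype lists (the library default
# is AES-only on current releases), AES master key, AES-only KDC salt list.
HARDENED_CONF = """
[libdefaults]
 default_realm = UNIV-RENNES1.FR
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UNIV-RENNES1.FR = {
  kdc = kerb.ifsic.univ-rennes1.fr:88
  admin_server = kerb.ifsic.univ-rennes1.fr:749
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
"""


def parse_stanzas(text):
    """Parse a krb5.conf-style file into {section: {key: value}}.

    Keys inside a nested block (REALM = { ... }) are flattened as "REALM/key".
    Comments (#) and blank lines are ignored. Sufficient for enctype lines;
    it is not a complete krb5.conf parser.
    """
    result = {}
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            result.setdefault(section, {})
            continue
        m = re.fullmatch(r"([\w.\-/]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            continue
        if line == "}":
            block = None
            continue
        if "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if block:
                key = f"{block}/{key}"
            result[section][key] = value
    return result


def weak_enctype_findings(text):
    """Return sorted (section, key, token) triples for every weak enctype."""
    findings = []
    for section, entries in parse_stanzas(text).items():
        for key, value in entries.items():
            if key.rsplit("/", 1)[-1] not in ENCTYPE_KEYS:
                continue
            for token in value.split():
                enctype = token.split(":", 1)[0].lower()  # drop :normal/:v4 salt
                if enctype in WEAK_ENCTYPES:
                    findings.append((section, key, token))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("page config", WEAK_CONF), ("hardened", HARDENED_CONF)):
        found = weak_enctype_findings(conf)
        print(f"{label}: {len(found)} weak enctype(s)")
        for section, key, token in found:
            print(f"  [{section}] {key}: {token}")
```

Run against a real file with `weak_enctype_findings(open("/etc/krb5.conf").read())`; every finding is a line to remove before the next KDC upgrade, since a realm whose principals only have DES or RC4 keys stops working once the library refuses those types.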

/var/kerberos/krb5kdc/kadm5.acl

Code block
*/admin@UNIV-RENNES1.FR    *

This single rule grants every kadmin privilege (*) to any principal of the realm whose instance is admin (root/admin below, and any user/admin principal created later), so the admin instance should only be given to people who are meant to administer the KDC.

/etc/gssapi_mech.conf

64-bit only:

...

Code block
[root@kerb ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'UNIV-RENNES1.FR',
master key name 'K/M@UNIV-RENNES1.FR'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@kerb ~]#

Adding the first administrative principal (root/admin), which the ACL above grants full rights:

Code block
[root@kerb ~]# kadmin.local -q "addprinc root/admin"
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
WARNING: no policy specified for root/admin@UNIV-RENNES1.FR; defaulting to no policy
Enter password for principal "root/admin@UNIV-RENNES1.FR":
Re-enter password for principal "root/admin@UNIV-RENNES1.FR":
Principal "root/admin@UNIV-RENNES1.FR" created.
[root@kerb ~]#

Starting the services (SELinux must be disabled or set to permissive beforehand, as described above):

Code block
[root@kerb ~]# chkconfig kadmin on
[root@kerb ~]# service kadmin start
Starting Kerberos 5 Admin Server:                          [  OK  ]
[root@kerb ~]# chkconfig krb5kdc on
[root@kerb ~]# service krb5kdc start
Starting Kerberos 5 KDC:                                   [  OK  ]
[root@kerb ~]# 

Check by listing the principals:

Code block
[root@kerb ~]# kadmin
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  listprincs
K/M@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
kadmin/history@UNIV-RENNES1.FR
kadmin/kerb.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR
kadmin:  exit
[root@kerb ~]#
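The listing above can be checked mechanically. The following is an added example (not code from the original page or from MIT Kerberos): it parses the output of `kadmin -q listprincs`, verifies that the principals kdb5_util creates for a new realm are all present and all in the expected realm, and reports which principals the `*/admin@REALM *` rule of kadm5.acl matches. LISTPRINCS_OUTPUT is a constructed copy of the page's listing; REALM and KDC_HOST are the page's values.

```python
"""Sanity-check the principal list of a freshly created MIT Kerberos realm.

Added example, not part of the original page. LISTPRINCS_OUTPUT is a
constructed copy of the page's kadmin session.
"""
REALM = "UNIV-RENNES1.FR"
KDC_HOST = "kerb.ifsic.univ-rennes1.fr"

LISTPRINCS_OUTPUT = """\
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  listprincs
K/M@UNIV-RENNES1.FR
kadmin/admin@UNIV-RENNES1.FR
kadmin/changepw@UNIV-RENNES1.FR
kadmin/history@UNIV-RENNES1.FR
kadmin/kerb.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR
krbtgt/UNIV-RENNES1.FR@UNIV-RENNES1.FR
root/admin@UNIV-RENNES1.FR
kadmin:  exit
"""


def parse_principals(output):
    """Return (primary, instance, realm) triples for each principal line.

    Principal lines are "primary[/instance]@REALM" with nothing else on
    them; prompts and the kadmin: command echo contain spaces and are skipped.
    """
    principals = []
    for line in output.splitlines():
        line = line.strip()
        if not line or " " in line or "@" not in line:
            continue
        name, realm = line.rsplit("@", 1)
        primary, _, instance = name.partition("/")
        principals.append((primary, instance, realm))
    return principals


def required_principals(realm, kdc_host):
    """Principals kdb5_util create and kadmind rely on for a working realm."""
    return {
        ("K", "M", realm),               # database master key
        ("kadmin", "admin", realm),      # kadmind service principal
        ("kadmin", "changepw", realm),   # password-change service
        ("kadmin", "history", realm),    # key used for password history
        ("kadmin", kdc_host, realm),     # per-host kadmind principal
        ("krbtgt", realm, realm),        # ticket-granting service
    }


def check_realm(output, realm=REALM, kdc_host=KDC_HOST):
    """Return missing required principals, foreign-realm principals and
    every principal matched by the kadm5.acl rule '*/admin@REALM *'.

    kadmin/admin is kadmind's own principal and also matches the glob;
    the entries to review are root/admin and any later user/admin.
    """
    principals = parse_principals(output)
    found = set(principals)
    missing = sorted(required_principals(realm, kdc_host) - found)
    foreign = sorted(p for p in principals if p[2] != realm)
    admins = sorted(f"{p}/{i}@{r}" for p, i, r in principals
                    if i == "admin" and r == realm)
    return {"missing": missing, "foreign_realm": foreign, "admins": admins}


if __name__ == "__main__":
    report = check_realm(LISTPRINCS_OUTPUT)
    print("missing:", report["missing"] or "none")
    print("foreign realm:", report["foreign_realm"] or "none")
    print("full-privilege principals:", ", ".join(report["admins"]))
```

On a live KDC, feed it `kadmin.local -q listprincs` output and re-run after every addprinc of an /admin instance; the admins list is the set of identities whose password alone gives complete control of the realm database.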

Adding a host principal for the KDC itself (required for replication, since kprop authenticates the KDCs to each other with their host keys):

Code block
[root@kerb ~]# kadmin
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  addprinc -randkey host/kerb.ifsic.univ-rennes1.fr
WARNING: no policy specified for host/kerb.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR; defaulting to no policy
Principal "host/kerb.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR" created.
kadmin:  exit
[root@kerb ~]#

Adding a user (paubry) for testing:

Code block
[root@kerb ~]# kadmin
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin:  addprinc paubry
WARNING: no policy specified for paubry@UNIV-RENNES1.FR; defaulting to no policy
Enter password for principal "paubry@UNIV-RENNES1.FR":
Re-enter password for principal "paubry@UNIV-RENNES1.FR":
Principal "paubry@UNIV-RENNES1.FR" created.
kadmin:  exit
[root@kerb ~]# 

Firewall configuration

Run system-config-firewall and open the following inbound ports:

...