Chapter 18. Kerberos

8. Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache and use kdestroy to destroy the cache and the credentials it contains.

Note
By default, kinit attempts to authenticate using the login user name of the account used when logging into the system (not the Kerberos server). If that user name does not correspond to a principal in the Kerberos database, kinit issues an error message. If that happens, supply kinit with the name of the correct principal as an argument on the command line (kinit principal).

Once these steps are completed, the Kerberos server should be up and running.

18.6. Configuring a Kerberos 5 Client

Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid krb5.conf configuration file. Kerberized versions of rsh and rlogin also require some configuration changes.

1. Be sure that time synchronization is in place between the Kerberos client and the KDC. Refer to Section 18.5 Configuring a Kerberos 5 Server for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.

2. Install the krb5-libs and krb5-workstation packages on all of the client machines. Supply a valid /etc/krb5.conf file for each client (usually this can be the same krb5.conf file used by the KDC).

3. Before a workstation in the realm can allow users to connect using kerberized rsh and rlogin, that workstation needs to have the xinetd package installed and have its own host principal in the Kerberos database. The kshd and klogind server programs also need access to the keys for their service’s principal.

   Using kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the -randkey option for kadmin’s addprinc command to create the principal and assign it a random key:

      addprinc -randkey host/blah.example.com

   Now that the principal has been created, keys can be extracted for the workstation by running kadmin on the workstation itself, and using the ktadd command within kadmin:

      ktadd -k /etc/krb5.keytab host/blah.example.com

4. To use other kerberized network services, they need to be started. Below is a list of some of the more common kerberized services and instructions about enabling them:

   • rsh and rlogin — To use the kerberized versions of rsh and rlogin, enable klogin, eklogin, and kshell.

   • Telnet — To use kerberized Telnet, krb5-telnet must be enabled.

   • FTP — To provide FTP access, create and extract a key for the principal with a root of ftp. Be certain to set the instance to the fully qualified hostname of the FTP server, then enable gssftp.

   • IMAP — The IMAP server included in the imap package uses GSS-API authentication using Kerberos 5 if it finds the proper key in /etc/krb5.keytab. The root for the principal should be imap.
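The checks below cover steps 2 and 3 of the client setup: that krb5.conf is present, that the keytab is not accessible to group or other, and that ktadd wrote a key whose instance is the workstation's fully qualified hostname. This is an added example, not part of the original guide; the function names are hypothetical, the root-only keytab mode is an assumption about how kshd and klogind run, and the embedded klist listing is constructed.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.

# Succeeds if the `klist -k` listing on stdin has a key for host/<fqdn>
# in any realm. The match is exact: principal names are case-sensitive.
keytab_has_host_principal() {
    awk -v want="host/$1" '
        $1 ~ /^[0-9]+$/ {            # data rows start with a numeric KVNO
            split($2, p, "@")        # p[1] = primary/instance, p[2] = realm
            if (p[1] == want) found = 1
        }
        END { exit !found }'
}

# Succeeds if the keytab is a regular file with no group/other access bits
# (assumption: daemons that read it, such as kshd and klogind, run as root).
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1    # GNU stat, e.g. 600
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample of `klist -k` output for the principal used above.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/blah.example.com@EXAMPLE.COM
EOF
}

# Args: krb5.conf path, keytab path, workstation FQDN.
audit_krb5_client() {
    rc=0
    [ -s "$1" ] || { echo "FAIL: $1 missing or empty"; rc=1; }
    keytab_mode_ok "$2" || { echo "FAIL: $2 missing or open to group/other"; rc=1; }
    klist -k "$2" 2>/dev/null | keytab_has_host_principal "$3" ||
        { echo "FAIL: no host/$3 key in $2"; rc=1; }
    return $rc
}

# On a real client, run as root:
#   audit_krb5_client /etc/krb5.conf /etc/krb5.keytab "$(hostname -f)"
```

A short hostname or a differently cased one in the keytab fails the check, which is the usual symptom when the instance was not set to the workstation's fully qualified name.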