Doing a production setup of a Kerberos environment is out of scope of this document, but this appendix provides some help to get you started with the components needed for development.

The first action is to set up a new realm and a database.
```
# kdb5_util create -s -r EXAMPLE.ORG
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.ORG',
master key name 'K/M@EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
```
The `kadmin` command can be used to administer the Kerberos environment, but you can't use it yet because there are no admin users in the database.
```
root@neo:/etc/krb5kdc# kadmin
Authenticating as principal root/admin@EXAMPLE.ORG with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
```
Let's use the `kadmin.local` command to create one.
```
root@neo:/etc/krb5kdc# kadmin.local
Authenticating as principal root/admin@EXAMPLE.ORG with password.
kadmin.local:  listprincs
K/M@EXAMPLE.ORG
kadmin/admin@EXAMPLE.ORG
kadmin/changepw@EXAMPLE.ORG
kadmin/history@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
kadmin.local:  addprinc root/admin@EXAMPLE.ORG
WARNING: no policy specified for root/admin@EXAMPLE.ORG; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.ORG":
Re-enter password for principal "root/admin@EXAMPLE.ORG":
Principal "root/admin@EXAMPLE.ORG" created.
```
Then enable admins by modifying the `kadm5.acl` file and restarting the Kerberos services.
```
# cat /etc/krb5kdc/kadm5.acl
# This file Is the access control list for krb5 administration.
*/admin *
```
Now you can use `kadmin` with the previously created `root/admin` principal. Let's create our first user, `user1`.
```
kadmin: addprinc user1
WARNING: no policy specified for user1@EXAMPLE.ORG; defaulting to no policy
Enter password for principal "user1@EXAMPLE.ORG":
Re-enter password for principal "user1@EXAMPLE.ORG":
Principal "user1@EXAMPLE.ORG" created.
```
Let's create our second user, `user2`, and export a keytab file.
```
kadmin: addprinc user2
WARNING: no policy specified for user2@EXAMPLE.ORG; defaulting to no policy
Enter password for principal "user2@EXAMPLE.ORG":
Re-enter password for principal "user2@EXAMPLE.ORG":
Principal "user2@EXAMPLE.ORG" created.
kadmin: ktadd -k /tmp/user2.keytab user2@EXAMPLE.ORG
Entry for principal user2@EXAMPLE.ORG with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/user2.keytab.
Entry for principal user2@EXAMPLE.ORG with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/user2.keytab.
Entry for principal user2@EXAMPLE.ORG with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/user2.keytab.
Entry for principal user2@EXAMPLE.ORG with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/tmp/user2.keytab.
```
Let's create a service principal for tomcat and export its credentials to a keytab file named `tomcat.keytab`.
```
kadmin: addprinc -randkey HTTP/neo.example.org@EXAMPLE.ORG
WARNING: no policy specified for HTTP/neo.example.org@EXAMPLE.ORG; defaulting to no policy
Principal "HTTP/neo.example.org@EXAMPLE.ORG" created.
kadmin: ktadd -k /tmp/tomcat.keytab HTTP/neo.example.org@EXAMPLE.ORG
Entry for principal HTTP/neo.example.org@EXAMPLE.ORG with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tomcat2.keytab.
Entry for principal HTTP/neo.example.org@EXAMPLE.ORG with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/tmp/tomcat2.keytab.
Entry for principal HTTP/neo.example.org@EXAMPLE.ORG with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/tomcat2.keytab.
Entry for principal HTTP/neo.example.org@EXAMPLE.ORG with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/tmp/tomcat2.keytab.
```
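The `ktadd` output above wrote the `HTTP/neo.example.org` key in four encryption types, including single DES, 3DES and RC4, so it is worth inspecting what a keytab actually contains before it is copied to the host running tomcat. The following Python is an added example, not part of this appendix or of the project's own code: it parses the MIT keytab v2 format and flags entries whose enctype is deprecated; the sample keytab is constructed in the code with placeholder key bytes.

```python
import struct
# Enctype numbers from RFC 3961/3962 and the MIT registry. DES, 3DES and RC4 are
# deprecated (RFC 6649, RFC 8429), yet ktadd above still wrote keys for them.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 16, 23}

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT v2 keytab (test data only)."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))            # v2: realm is not counted
        for s in [realm] + comps:                        # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body       # size excludes the size field
    return bytes(out)

def parse_keytab(data):
    """Return one dict per entry: principal, kvno, enctype name and a weak flag."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                                     # size <= 0 marks a deleted slot
            p, strings = pos + 2, []
            for _ in range(struct.unpack_from(">H", data, pos)[0] + 1):
                ln = struct.unpack_from(">H", data, p)[0]
                strings.append(data[p + 2:p + 2 + ln].decode())
                p += 2 + ln
            _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, p)
            etype, klen = struct.unpack_from(">HH", data, p + 9)
            p += 13 + klen                               # skip the key bytes themselves
            vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
            entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                            "kvno": vno32 or vno8, "weak": etype in WEAK,
                            "enctype": ENCTYPES.get(etype, str(etype))})
        pos = end
    return entries

# Constructed sample mirroring the ktadd output above: AES, RC4 and DES keys, all kvno 2.
SAMPLE = build_keytab([("HTTP/neo.example.org@EXAMPLE.ORG", 2, 18, b"\x11" * 32),
                       ("HTTP/neo.example.org@EXAMPLE.ORG", 2, 23, b"\x22" * 16),
                       ("HTTP/neo.example.org@EXAMPLE.ORG", 2, 1, b"\x33" * 8)])
```

Running `parse_keytab` over a real file (`open(path, "rb").read()`) lists every entry; any entry flagged `weak` should be removed with `ktutil` or the principal re-keyed with a modern enctype before the keytab is deployed.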
This was tested using Windows Server 2012 R2.
Tip: The Internet is full of good articles and videos on how to set up Windows AD, but these two are quite useful: Rackspace and Microsoft Technet.
example.org and Windows domain EXAMPLE.

`user1`, `user2`, `user3`, `tomcat` and set passwords to `Password#`.
I eventually also added all the IPs of my VMs to AD's DNS server so that name resolution would not cause any trouble.
```
Name:    WIN-EKBO0EQ7TS7.example.org
Address: 172.16.101.135

Name:    win8vm.example.org
Address: 172.16.101.136

Name:    neo.example.org
Address: 172.16.101.1
```
A Service Principal Name (SPN) needs to be set up with the `HTTP` service class and the server name `neo.example.org`, where the tomcat servlet container is run. This SPN is mapped to the `tomcat` domain user, and that user's keytab is then used as the service credential.
```
PS C:\> setspn -A HTTP/neo.example.org tomcat
```
I exported a keytab file, which is then copied to the Linux server running tomcat.
```
PS C:\> ktpass /out c:\tomcat.keytab /mapuser tomcat@example.org /princ HTTP/neo.example.org@EXAMPLE.ORG /pass Password# /ptype KRB5_NT_PRINCIPAL /crypto All
Targeting domain controller: WIN-EKBO0EQ7TS7.example.org
Using legacy password setting method
Successfully mapped HTTP/neo.example.org to tomcat.
```