{"id":609,"date":"2011-07-14T09:03:11","date_gmt":"2011-07-14T09:03:11","guid":{"rendered":"http:\/\/blog.designed79.co.uk\/?p=609"},"modified":"2011-07-14T09:19:54","modified_gmt":"2011-07-14T09:19:54","slug":"ubuntu-11-04-sbs-small-business-server-setup-part-4-%e2%80%93-kerberos","status":"publish","type":"post","link":"https:\/\/blog.designed79.co.uk\/?p=609","title":{"rendered":"Ubuntu 11.04 SBS (Small Business Server) Setup: Part 4 \u2013 Kerberos"},"content":{"rendered":"

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small\/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.<\/p>\n

Part 1 –\u00a0DHCP and DNS<\/a><\/p>\n

Part 2 – NTP<\/a><\/p>\n

Part 3 – OpenLDAP<\/a><\/p>\n

Part 4 – Kerberos<\/a><\/p>\n

Part 5 – NFS<\/a><\/p>\n

Part 6 – Account Management<\/a><\/p>\n

Part 7 – Setting Up Clients<\/a><\/p>\n

It\u2019s time to install and configure Kerberos.<\/p>\n

\n
\n
sudo apt-get install krb5-kdc krb5-admin-server<\/pre>\n<\/div>\n<\/div>\n
The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool:<\/p>\n
\n
\n
sudo krb5_newrealm<\/pre>\n<\/div>\n<\/div>\n
There will be a slight delay whilst the server gathers enough random data to continue, then you will be asked to enter a master key for Kerberos, make sure you use something secure and memorable.<\/p>\n
To configure Kerberos for NFS later, we\u2019ll need to create an admin user.<\/p>\n
\n
\n
sudo kadmin.local<\/pre>\n<\/div>\n<\/div>\n
The following output should be observed:<\/p>\n
\n
\n
Authenticating as principal root\/admin@DANBISHOP.ORG with password.\r\nkadmin.local:<\/pre>\n<\/div>\n<\/div>\n
Enter the following:<\/p>\n
\n
\n
addprinc dan\/admin<\/pre>\n<\/div>\n<\/div>\n
Enter a password when prompted, then quit:<\/p>\n
\n
\n
WARNING: no policy specified for dan\/admin@DANBISHOP.ORG; defaulting to no policy\r\nEnter password for principal \"dan\/admin@DANBISHOP.ORG\":\r\nRe-enter password for principal \"dan\/admin@DANBISHOP.ORG\":\r\nPrincipal \"dan\/admin@DANBISHOP.ORG\" created.\r\nkadmin.local: quit<\/pre>\n<\/div>\n<\/div>\n
We need to give dan\/admin admin privileges by editing the access control list for Kerberos (\/etc\/krb5kdc\/kadm5.acl) this file should contain the following:<\/p>\n
\n
\n
# This file Is the access control list for krb5 administration.\r\n# When this file is edited run \/etc\/init.d\/krb5-admin-server restart to activate\r\n# One common way to set up Kerberos administration is to allow any principal\r\n# ending in \/admin  is given full administrative rights.\r\n# To enable this, uncomment the following line:\r\n*\/admin *<\/pre>\n<\/div>\n<\/div>\n
Note that the last line has been uncommented so that all \/admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it:<\/p>\n
\n
\n
sudo service krb5-admin-server restart<\/pre>\n<\/div>\n<\/div>\n
Now we can test everything has worked with:<\/p>\n
\n
\n
kinit dan\/admin<\/pre>\n<\/div>\n<\/div>\n
Enter the password you set when requested then run klist:<\/p>\n
\n
\n
klist\r\nTicket cache: FILE:\/tmp\/krb5cc_1000\r\nDefault principal: dan\/admin@DANBISHOP.ORG\r\n\r\nValid starting     Expires            Service principal\r\n02\/05\/11 19:57:24  02\/06\/11 05:57:24  krbtgt\/DANBISHOP.ORG@DANBISHOP.ORG\r\n\trenew until 02\/06\/11 19:57:21<\/pre>\n<\/div>\n<\/div>\n
If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm\u00a0\":)\"<\/p>\n
Finally, we can enable kerberos authentication to login to the server.<\/p>\n
\n
\n
sudo apt-get install libpam-krb5\r\nsudo pam-auth-update<\/pre>\n<\/div>\n<\/div>\n
Check that Kerberos and LDAP are selected as authentication methods to allow users to login\/ssh into the server.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small\/medium business. The server will provide DHCP, […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-609","post","type-post","status-publish","format-standard","hentry","category-info-on-tech"],"_links":{"self":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=609"}],"version-history":[{"count":0,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/609\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}