= LewisSetupKerberosServer = This LewisSetup sub-guide describes the steps necessary to make the computer a Kerberos server. The Kerberos Server will be used to host the `DAVISONLINEHOME.NAME` realm. == Installing Kerberos == To install Kerberos: 1. Run the following command to install Kerberos: {{{ # apt-get install krb5-kdc }}} * ''Kerberos servers for your realm:'' `lewis.davisonlinehome.name` * ''Administrative server for your Kerberos realm:'' `lewis.davisonlinehome.name` == Creating a Kerberos Database == === Creating a New Database === To create a new, empty Kerberos database, run the following command: {{{ # kdb5_util create -r DAVISONLINEHOME.NAME -s }}} Install the Kerberos administrative server: {{{ # apt-get install krb5-admin-server }}} Run the following commands to create a default policy and an administrator principal: {{{ # kadmin.local kadmin.local: add_policy -minlength 8 -minclasses 3 default kadmin.local: addprinc karl/admin kadmin.local: quit }}} Edit the `/etc/krb5kdc/kadm5.acl` file to read as follows: {{{ # This file Is the access control list for krb5 administration. # When this file is edited run /etc/init.d/krb5-admin-server restart to activate # One common way to set up Kerberos administration is to allow any principal # ending in /admin is given full administrative rights. # To enable this, uncomment the following line: */admin@DAVISONLINEHOME.NAME * }}} Restart `krb5-admin-server`: {{{ # /etc/init.d/krb5-admin-server restart }}} === Migrating an Existing Database === References: * http://www.mail-archive.com/kerberos@mit.edu/msg02079.html If the Kerberos server will be replacing an existing one, the database from the old server will need to be dumped to a file and then loaded into the new server. To backup the database on the old server to a `fullDump-2009-07-03.krb5dump` file, run the following command: {{{ user@oldserver:# kdb5_util dump -verbose fullDump-2009-07-03.krb5dump }}} The resulting file will then need to be copied from the old server, perhaps via `scp`. In addition, copy the `/etc/krb5.conf` and `/etc/krb5kdc/kdc.conf` files from their locations on the old server to the same locations on the new server. Once all of this has been copied, run the following commands to create an empty database and load the old server's data into it: {{{ user@newserver:# kdb5_util create -s # The password you enter doesn't matter; it will be replaced. user@newserver:# kdb5_util -d principal load -verbose fullDump-2009-07-03.krb5dump user@newserver:# rm /etc/krb5kdc/stash user@newserver:# kdb5_util stash -f /etc/krb5kdc/stash # Enter the old database's master password user@newserver:# /etc/init.d/krb5kdc restart }}} Install the Kerberos administrative server: {{{ # apt-get install krb5-admin-server }}} Edit the `/etc/krb5kdc/kadm5.acl` file to read as follows: {{{ # This file Is the access control list for krb5 administration. # When this file is edited run /etc/init.d/krb5-admin-server restart to activate # One common way to set up Kerberos administration is to allow any principal # ending in /admin is given full administrative rights. # To enable this, uncomment the following line: */admin@DAVISONLINEHOME.NAME * }}} Restart `krb5-admin-server`: {{{ # /etc/init.d/krb5-admin-server restart }}} == DNS Entries == There are two ways for clients to locate Kerberos servers: DNS and local configuration files. See the [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html#libdefaults krb.conf] configuration options for information on how DNS support may be enabled. Generally speaking, though, some local configuration of Kerberos clients is necessary as MIT's client implementation does not yet support lookup of the Kerberos admin server via DNS. Regardless of whether or not you wish to use DNS for lookup of Kerberos realm and server information, `CNAME` records should be created for the Kerberos servers. Here's a sample of such a record: {{{ ; CNAME Records ; name ttl class rr name kerberos IN CNAME lewis }}} If you wish to try using DNS for lookup of the Kerberos realm and servers, please first see the following article: [http://www.gnu.org/software/shishi/manual/html_node/Configuring-DNS-for-KDC.html]. The following records provide an example of the records that would need to be created to list `lewis` as the primary Kerberos server in the `davisonlinehome.name` DNS domain and the `DAVISONLINEHOME.NAME` Kerberos realm: {{{ ; TXT Records ; name ttl class rr name _kerberos IN TXT "DAVISONLINEHOME.NAME" ; SRV Records ; name ttl class rr name _kerberos._udp IN SRV 0 0 88 lewis _kerberos-master._udp IN SRV 0 0 88 lewis _kerberos-adm._tcp IN SRV 0 0 749 lewis _kpasswd._udp IN SRV 0 0 464 lewis }}}