Purpose:
This how-to is for users who want to set up an environment with CAS in front and OpenLDAP, GSSAPI and Kerberos as the authentication back end.
Environment:
Server: Fedora Core 6 + CAS 3.1 + Tomcat 5.5.20 + OpenLDAP 2.3.30 + Cyrus SASL 2.1.22 + Kerberos 1.5-23
Client: Fedora Core 6 + Firefox 2
Windows XP + IE6 SP2
Config DNS:
Both the SSL certificate and the Kerberos host/ service principal are tied to the server's fully qualified name, so DNS has to be configured first, including the reverse zone.
1. Edit /etc/named.conf and add the langhua forward zone and the 192.168.1 reverse zone:
zone "1.168.192.IN-ADDR.ARPA." IN {
    type master;
    file "192.168.1.db";
};
zone "langhua." IN {
    type master;
    file "named.langhua";
};
2. Create /var/named/named.langhua
$TTL 1H
@                                      SOA localhost. root.localhost. ( 2 3H 1H 1W 1H )
                                       NS  localhost.
auth.langhua.                          IN 1H A   192.168.1.110
_kerberos                              IN TXT    "AUTH.LANGHUA"
_kerberos._udp.auth.langhua.           IN SRV    0 0 88  auth.langhua.
_kerberos-master._udp.auth.langhua.    IN SRV    0 0 88  auth.langhua.
_kerberos-adm._tcp.auth.langhua.       IN SRV    0 0 749 auth.langhua.
_kpasswd._udp.auth.langhua.            IN SRV    0 0 464 auth.langhua.
_ldap._tcp.auth.langhua.               IN SRV    0 0 389 auth.langhua.
_ldap._tcp.dc._msdcs.auth.langhua.     IN SRV    0 0 389 auth.langhua.
_kerberos._tcp.dc._msdcs.auth.langhua. IN SRV    0 0 88  auth.langhua.
3. Create /var/named/192.168.1.db
$TTL 1H
@       SOA localhost. root.localhost. ( 2 3H 1H 1W 1H )
        NS  localhost.
110     PTR auth.langhua.
4. nslookup auth.langhua
Server: 192.168.1.110
Address: 192.168.1.110#53
Name: auth.langhua
Address: 192.168.1.110
5. dig -x 192.168.1.110
; <<>> DiG 9.3.4-P1 <<>> -x 192.168.1.110
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3829
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;110.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
110.1.168.192.in-addr.arpa. 3600 IN PTR auth.langhua.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 3600 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 86400 IN A 127.0.0.1
localhost. 86400 IN AAAA ::1
;; Query time: 1 msec
;; SERVER: 192.168.1.110#53(192.168.1.110)
;; WHEN: Thu Nov 29 04:53:02 2007
;; MSG SIZE rcvd: 137
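The nslookup and dig checks above verify one name by hand. Kerberos derives the service principal host/<canonical name> from what the resolver returns, so a host whose A record and PTR record disagree ends up with a principal that is in no keytab. The script below is an added example, not part of the original how-to: it parses a forward and a reverse zone file and reports every A record without a matching PTR and every PTR without a matching A record. The zone text is constructed to mirror the zones above (with an extra host, www, added for the demonstration); it is not the author's files.

```shell
#!/bin/sh
# Added example (not from the original how-to): cross-check a forward zone
# against its reverse zone before creating host/ principals for it.

# forward_a_records ZONE_TEXT ORIGIN -> one "fqdn ip" line per A record.
# Relative owner names are qualified with ORIGIN (which must end in a dot);
# a blank owner repeats the previous one, as in a real zone file.
forward_a_records() {
    printf '%s\n' "$1" | awk -v origin="$2" '
        /^[[:space:]]*(;|$)/ { next }                 # comments and blank lines
        /^[[:space:]]/       { owner = last }         # blank owner: reuse previous
        !/^[[:space:]]/      { owner = $1; last = $1 }
        {
            for (i = 1; i <= NF; i++) if ($i == "A") {
                name = tolower(owner)
                if (name == "@") name = origin
                if (name !~ /\.$/) name = name "." origin
                print name, $(i + 1)
            }
        }'
}

# reverse_ptr_records ZONE_TEXT NETWORK -> one "fqdn ip" line per PTR record.
# A bare owner such as "110" is the last octet under NETWORK (e.g. 192.168.1);
# a fully qualified owner under in-addr.arpa. is unreversed into an address.
reverse_ptr_records() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^[[:space:]]*(;|$)/ { next }
        /^[[:space:]]/       { owner = last }
        !/^[[:space:]]/      { owner = $1; last = $1 }
        {
            for (i = 1; i <= NF; i++) if ($i == "PTR") {
                o = tolower(owner)
                if (o ~ /\.in-addr\.arpa\.$/) {
                    split(o, p, ".")
                    ip = p[4] "." p[3] "." p[2] "." p[1]
                } else {
                    ip = net "." o
                }
                print tolower($(i + 1)), ip
            }
        }'
}

# check_zone_pair FORWARD_TEXT REVERSE_TEXT ORIGIN NETWORK
# Prints each record present on only one side; returns 0 only when the
# forward and reverse zones agree exactly.
check_zone_pair() {
    fwd_pairs=$(forward_a_records "$1" "$3" | sort -u)
    rev_pairs=$(reverse_ptr_records "$2" "$4" | sort -u)
    # A "fqdn ip" line that occurs once across both lists is on one side only.
    unmatched=$(printf '%s\n%s\n' "$fwd_pairs" "$rev_pairs" | sort | uniq -u)
    [ -z "$unmatched" ] && return 0
    printf '%s\n' "$unmatched" | while read -r name ip; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$fwd_pairs" | grep -qxF "$name $ip"; then
            echo "A record without matching PTR: $name -> $ip"
        else
            echo "PTR record without matching A: $ip -> $name"
        fi
    done
    return 1
}

# Constructed sample zones modeled on the how-to's files (not the originals).
FWD_ZONE='$TTL 1H
@               SOA localhost. root.localhost. ( 2 3H 1H 1W 1H )
                NS  localhost.
auth.langhua.   IN 1H A 192.168.1.110
www             IN    A 192.168.1.120
_kerberos       IN TXT "AUTH.LANGHUA"
_kerberos._udp.auth.langhua. IN SRV 0 0 88 auth.langhua.'

# Reverse zone that agrees with FWD_ZONE.
REV_ZONE_OK='$TTL 1H
@    SOA localhost. root.localhost. ( 2 3H 1H 1W 1H )
     NS  localhost.
110  PTR auth.langhua.
120  PTR www.langhua.'

# Reverse zone with a typo: the PTR for www sits at .121 instead of .120.
REV_ZONE_BAD='$TTL 1H
@    SOA localhost. root.localhost. ( 2 3H 1H 1W 1H )
     NS  localhost.
110  PTR auth.langhua.
121  PTR www.langhua.'

echo "== zones that agree =="
check_zone_pair "$FWD_ZONE" "$REV_ZONE_OK" langhua. 192.168.1 && echo "forward and reverse agree"
echo "== reverse zone with a wrong PTR =="
check_zone_pair "$FWD_ZONE" "$REV_ZONE_BAD" langhua. 192.168.1 || echo "fix the zones before running ktadd for host/ principals"
```

To use it against real files, pass the contents of /var/named/named.langhua and /var/named/192.168.1.db (for example with "$(cat /var/named/named.langhua)") together with the origin "langhua." and the network "192.168.1"; it only handles a /24 reverse zone, which is what the how-to sets up.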
Config Kerberos:
1. Config /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = AUTH.LANGHUA
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    AUTH.LANGHUA = {
        kdc = auth.langhua:88
        admin_server = auth.langhua:749
        default_domain = langhua
    }

[domain_realm]
    .langhua = AUTH.LANGHUA

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
2. Create the realm database. The -s flag stashes the master key on disk so krb5kdc and kadmind can start without prompting for it:
kdb5_util create -s
3. Add principals to Kerberos (two users and the host and LDAP service principals):
kadmin.local -q "addprinc krbadm@AUTH.LANGHUA"
kadmin.local -q "addprinc ldapadm@AUTH.LANGHUA"
kadmin.local -q "addprinc host/auth.langhua@AUTH.LANGHUA"
kadmin.local -q "addprinc ldap/auth.langhua@AUTH.LANGHUA"
If you see the following error at this step, delete the files under /var/kerberos/krb5kdc/ and redo steps 2 and 3:
kadmin.local: Cannot find/read stored master key while initializing kadmin.local interface
4. Edit /var/kerberos/krb5kdc/kdc.conf
The path of this file is the profile setting in the [kdc] section of /etc/krb5.conf.
[kdcdefaults]
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    v4_mode = nopreauth

[realms]
    AUTH.LANGHUA = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
    }
Note that des-cbc-crc is single DES and v4_mode = nopreauth turns on Kerberos 4 compatibility without pre-authentication; both are only there for old clients. If nothing you run needs Kerberos 4, set v4_mode = none and drop des-cbc-crc from supported_enctypes.
5. Edit /var/kerberos/krb5kdc/kadm5.acl
The path of this file is the acl_file setting in /var/kerberos/krb5kdc/kdc.conf.
kadmin/admin@AUTH.LANGHUA        *
ldap/auth.langhua@AUTH.LANGHUA   *
krbadm@AUTH.LANGHUA              *
*/*@AUTH.LANGHUA                 i
host/auth.langhua@AUTH.LANGHUA   *
In this file * grants every kadmin privilege and i grants inquire only. Giving the ldap/ and host/ service principals * means that whoever can read those keytabs (the LDAP server process, and root on the host) can administer the whole realm; if a service only needs to look up its own entry, give it i instead.
6. Create /var/kerberos/krb5kdc/kadm5.keytab
The path of this file is the admin_keytab setting in /var/kerberos/krb5kdc/kdc.conf. Extract the kadmin service keys into it:
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin"
kadmin.local -q "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw"
7. Edit /etc/krb.realms (this and krb.conf are the Kerberos 4 configuration files, needed only for the v4 compatibility enabled above)
auth.langhua    AUTH.LANGHUA
.langhua        AUTH.LANGHUA
8. Edit /etc/krb.conf
AUTH.LANGHUA
AUTH.LANGHUA    auth.langhua:88
AUTH.LANGHUA    auth.langhua:749 admin server
9. Start Kerberos
/etc/init.d/kadmin start
/etc/init.d/krb5kdc start
Test Kerberos:
1. kadmin.local -q "ktadd -k /etc/krb5.keytab host/auth.langhua"
2. kinit -k host/auth.langhua
If kinit fails with "kinit(v5): Password incorrect while getting initial credentials", the keytab most likely holds a key the KDC no longer has (each ktadd run generates a new random key and bumps the kvno): delete /etc/krb5.keytab and redo steps 1 and 2.
3. klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/auth.langhua@AUTH.LANGHUA
Valid starting Expires Service principal
11/29/07 02:44:44 11/30/07 02:44:44 krbtgt/AUTH.LANGHUA@AUTH.LANGHUA
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
4. Make sure the key version numbers (kvno) on the KDC and in the keytab are the same
4.1 kvno host/auth.langhua
host/auth.langhua@AUTH.LANGHUA: kvno = 5
4.2 klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--- -------------------------------------------------------------------------
5 host/auth.langhua@AUTH.LANGHUA
5 host/auth.langhua@AUTH.LANGHUA
klist -k lists one entry per encryption type, which is why the same principal appears twice here; klist -ke shows which type each entry is. If the numbers are not the same, redo steps 1, 2 and 3.
5. Test the Kerberized telnet, rlogin and rsh daemons (ktelnetd, krlogind, krshd)
5.1 Edit ~/.k5login so the principal you hold a ticket for is allowed to log in as this user:
host/auth.langhua@AUTH.LANGHUA
5.2 Enable the services in xinetd and restart it
chkconfig klogin on
chkconfig kshell on
chkconfig eklogin on
chkconfig krb5-telnet on
/etc/init.d/xinetd restart
5.3 krlogin auth.langhua -k AUTH.LANGHUA
This rlogin session is encrypting all data transmissions.
Last login: Thu Nov 29 04:46:08 from auth.langhua
You have new mail.
5.4 telnet -x 192.168.1.110 -k AUTH.LANGHUA
Trying 192.168.1.110...
Connected to auth.langhua (192.168.1.110).
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as ``host/auth.langhua@AUTH.LANGHUA'' ]
done.
Last login: Thu Nov 29 04:46:23 from auth.langhua
You have new mail.
5.5 rsh 192.168.1.110 -k AUTH.LANGHUA
Last login: Thu Nov 29 04:47:00 from auth.langhua
You have new mail.
Kerberos is now configured and working.
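Step 4 above compares the kvno reported by the KDC with the entries in the keytab by eye, and step 2 describes what happens when they drift apart. The script below is an added example, not part of the original how-to: it parses the text that kvno and klist -k print and reports whether every keytab entry for a principal carries the KDC's current key version, treating a missing principal and a stale entry as distinct failures. The sample outputs are constructed to look like the how-to's and are not captured from the author's server.

```shell
#!/bin/sh
# Added example (not from the original how-to): check keytab entries against
# the key version the KDC currently issues for a principal.

# kdc_kvno KVNO_OUTPUT PRINCIPAL -> the kvno the KDC reports for PRINCIPAL.
# `kvno` prints lines like:  host/auth.langhua@AUTH.LANGHUA: kvno = 5
# Fails (exit 1) when PRINCIPAL does not appear in the output.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == key && $2 == "kvno" && $3 == "=" { print $4; found = 1 }
        END { if (!found) exit 1 }'
}

# keytab_kvnos KLIST_OUTPUT PRINCIPAL -> the distinct kvnos stored for PRINCIPAL.
# `klist -k` prints one line per entry and one entry per encryption type, so
# a principal normally appears several times with the same kvno.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF == 2 && $1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# keytab_matches_kdc KVNO_OUTPUT KLIST_OUTPUT PRINCIPAL
# Returns 0 when every keytab entry for PRINCIPAL carries the KDC's kvno.
# Returns 1 when the principal is absent from the keytab or an entry is stale,
# the state behind "Password incorrect while getting initial credentials"
# from `kinit -k`.
keytab_matches_kdc() {
    want=$(kdc_kvno "$1" "$3") || { echo "$3: no kvno line for it (run: kvno $3)"; return 1; }
    have=$(keytab_kvnos "$2" "$3")
    if [ -z "$have" ]; then
        echo "$3: not in keytab (KDC kvno = $want); run ktadd for it"
        return 1
    fi
    rc=0
    for v in $have; do
        if [ "$v" -ne "$want" ]; then
            echo "$3: keytab entry kvno $v is stale (KDC kvno = $want); re-run ktadd"
            rc=1
        fi
    done
    [ $rc -eq 0 ] && echo "$3: keytab kvno $want matches the KDC"
    return $rc
}

# Constructed sample output, modeled on the how-to's step 4 (not real captures).
KVNO_OUT='host/auth.langhua@AUTH.LANGHUA: kvno = 5'

KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/auth.langhua@AUTH.LANGHUA
   5 host/auth.langhua@AUTH.LANGHUA'

# A keytab written before the key was re-randomized: its entries are one
# version behind the KDC, and it also holds a principal we never asked kvno about.
KEYTAB_STALE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/auth.langhua@AUTH.LANGHUA
   4 host/auth.langhua@AUTH.LANGHUA
   5 ldap/auth.langhua@AUTH.LANGHUA'

keytab_matches_kdc "$KVNO_OUT" "$KEYTAB_OK" host/auth.langhua@AUTH.LANGHUA
keytab_matches_kdc "$KVNO_OUT" "$KEYTAB_STALE" host/auth.langhua@AUTH.LANGHUA || true
keytab_matches_kdc "$KVNO_OUT" "$KEYTAB_STALE" ldap/auth.langhua@AUTH.LANGHUA || true
```

On a live system the two inputs are "$(kvno host/auth.langhua)" and "$(klist -k /etc/krb5.keytab)", run with a valid ticket as in step 2; a stale result means exactly what the how-to says, namely that ktadd has to be run again and the old keytab entries removed.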