Overview
This article explains the basic configurations and tools a user or administrator will need to integrate with UConn Kerberos. For a description of the Kerberos protocol please see: The Kerberos Protocol.
Configuration
To set up a Kerberos client or to kerberize a server, the krb5.conf file must be configured correctly.
The [logging] and [libdefaults] sections can be modified to suit the needs of the client, server or application, but the [realms] and [domain_realm] sections must remain exactly as shown in this article for authentication to work.
The default location of this file is /etc/krb5.conf, but this may vary depending on the client or operating system in use. We have provided examples that are known good for RHEL/CentOS 7 and Windows Subsystem for Linux (WSL).
Example 1 (persistent kernel keyring credential cache):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UCONN.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 UCONN.EDU = {
  kdc = kerberos.uconn.edu
  admin_server = kadmin.uconn.edu
 }

[domain_realm]
 .uconn.edu = UCONN.EDU
 uconn.edu = UCONN.EDU

Example 2 (no default_ccache_name override):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UCONN.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
 UCONN.EDU = {
  kdc = kerberos.uconn.edu
  admin_server = kadmin.uconn.edu
 }

[domain_realm]
 .uconn.edu = UCONN.EDU
 uconn.edu = UCONN.EDU
Once the file has been created, the Kerberos client should be able to connect to the KDC (Key Distribution Center) to perform authentication. For information and examples on clients, see the Kerberos Clients section below.
To integrate a server or application, the service must be registered with Kerberos before a client can authenticate against it. A keytab must also be created and installed before any authentication is attempted. A keytab is a file, unique to each registered service, that contains an encrypted copy of the service's key. Service registration and keytabs can be obtained upon request.
It is important to note that Kerberos relies heavily on DNS and on accurate time. If you intend to integrate with Kerberos, ensure that DNS for your service resolves correctly and that network time services are configured and accurate.
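As an added example (not a UConn-provided tool), the POSIX shell preflight below checks a krb5.conf for the [realms] and [domain_realm] values this article requires and then checks the DNS and clock prerequisites; it assumes getent and, on systemd hosts, timedatectl are available.

```shell
# Preflight check for a UConn krb5.conf. Added example for this article, not a
# UConn-provided tool: it confirms the [realms] and [domain_realm] entries the
# article says must not change, then checks the DNS and time prerequisites.

# Settings the article requires, one "section key value" triple per line.
REQUIRED='libdefaults default_realm UCONN.EDU
realms kdc kerberos.uconn.edu
realms admin_server kadmin.uconn.edu
domain_realm .uconn.edu UCONN.EDU
domain_realm uconn.edu UCONN.EDU'
# flatten_krb5conf FILE: print "section key value" for every assignment,
# tracking the enclosing [section]; the braces of realm blocks are skipped.
flatten_krb5conf() {
  awk '
    /^[ \t]*[#;]/ { next }                                # comment line
    /^[ \t]*\[[A-Za-z_]+\][ \t]*$/ {                      # [section] header
      section = $0; gsub(/[^A-Za-z_]/, "", section); next }
    /=/ {
      line = $0; sub(/[ \t]*=[ \t]*/, "\t", line)
      split(line, kv, "\t")
      gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
      gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
      if (kv[2] != "{") print section, kv[1], kv[2]
    }' "$1"
}

# check_krb5conf FILE: return 0 when every required triple is present;
# otherwise print each missing triple as "missing: ..." and return 1.
check_krb5conf() {
  actual=$(flatten_krb5conf "$1")
  missing=$(printf '%s\n' "$REQUIRED" | while IFS= read -r want; do
    printf '%s\n' "$actual" | grep -qxF -- "$want" || printf 'missing: %s\n' "$want"
  done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# check_prereqs: KDC names must resolve and the clock must be in sync (the KDC
# rejects requests beyond its clock-skew tolerance); assumes getent/timedatectl.
check_prereqs() {
  for h in kerberos.uconn.edu kadmin.uconn.edu; do
    getent hosts "$h" >/dev/null || { echo "DNS: $h does not resolve"; return 1; }
  done
  if command -v timedatectl >/dev/null 2>&1; then
    timedatectl status 2>/dev/null | grep -q 'synchronized: yes' \
      || echo "warning: system clock is not reported as NTP-synchronized"
  fi
}
```

Run it as `check_krb5conf /etc/krb5.conf && check_prereqs` before the first kinit; a non-zero exit with a "missing:" line points at the exact setting that drifted from the article.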
Kerberos Clients
There are a variety of Kerberos clients and libraries for various programming languages. The examples below use one of the most commonly used clients, the GNU krb5 client (krb5-workstation/krb5-clients).
Obtaining a Kerberos Ticket
To obtain a TGT (Ticket Granting Ticket), which allows your client to authenticate automatically to kerberized services, run kinit with your principal:

$ kinit abc12345@UCONN.EDU
password for abc12345@UCONN.EDU:
Viewing Kerberos Tickets
If the password is accepted, kinit prints nothing. You can view the ticket cache contents with klist:

$ klist
Ticket cache: File:/tmp/krb5cc_1000
Default principal: abc12345@UCONN.EDU

Valid starting      Expires             Service principal
07/01/17 12:00:00   07/01/17 8:00:00    krbtgt/UCONN.EDU@UCONN.EDU

A valid TGT appears as the service principal krbtgt/UCONN.EDU@UCONN.EDU.
Updating a Kerberos Password
To change the password of a Kerberos account, use kpasswd. Note: do not change your NetID password this way, as doing so will cause account synchronization issues.

$ kpasswd spinlock@UCONN.EDU
Password for spinlock@UCONN.EDU:
Enter a new password:
Enter it again: