Integrating with Kerberos

Overview

This article explains the basic configurations and tools a user or administrator will need to integrate with UConn Kerberos. For a description of the Kerberos protocol please see: The Kerberos Protocol.

Configuration

To set up a Kerberos client or to kerberize a server, krb5.conf must be configured correctly.

The [logging] and [libdefaults] sections can be modified to suit the needs of the client, server or application, but the [realms] and [domain_realm] sections must remain exactly as shown in this article or authentication against the UConn realm will not work. Two of the [libdefaults] settings also matter for security and should be kept as shown: dns_lookup_kdc = false pins the KDC to the host named in [realms] instead of trusting DNS SRV records, and rdns = false stops the library from rewriting a service hostname through reverse DNS before building the service principal name.

The default location of this file is /etc/krb5.conf, but this may vary depending on the client or operating system being used. We have provided two examples that are known good, one for RHEL/CentOS 7 and one for Windows Subsystem for Linux (WSL). They differ only in default_ccache_name: the RHEL/CentOS 7 file stores tickets in the kernel keyring, while the WSL file omits the setting and falls back to the library's default file cache under /tmp.

RHEL/CentOS 7:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UCONN.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 UCONN.EDU = {
  kdc = kerberos.uconn.edu
  admin_server = kadmin.uconn.edu
 }

[domain_realm]
 .uconn.edu = UCONN.EDU
 uconn.edu = UCONN.EDU

Windows Subsystem for Linux (WSL):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UCONN.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

[realms]
 UCONN.EDU = {
  kdc = kerberos.uconn.edu
  admin_server = kadmin.uconn.edu
 }

[domain_realm]
 .uconn.edu = UCONN.EDU
 uconn.edu = UCONN.EDU

Once the file is in place, the Kerberos client should be able to reach the KDC (Key Distribution Center) and authenticate. For information and examples on clients, see the Kerberos Clients section below.
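Before trusting a freshly written krb5.conf, it is worth checking it mechanically. The script below is an added example (not part of this article or of UConn's tooling): it extracts the default realm, KDC and domain_realm mapping from the file, flags misspelled [libdefaults] keys (the Kerberos library silently ignores keys it does not recognise, so a typo such as "rdsn" leaves the real option at its default), and, with --live, runs the DNS and time-synchronisation checks that the note on DNS and time below calls for. The sample config and temp paths are constructed here, and the list of known keys is a subset of what MIT krb5 accepts.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for a krb5.conf.
# Sample config and temp paths are constructed; KNOWN_LIBDEFAULTS is a subset of
# the keys MIT krb5 understands.

# Print the value of KEY in [SECTION] of CONF (first match). Realm sub-blocks are
# searched too, so "krb5_get f realms kdc" returns the first kdc in [realms].
krb5_get() {            # usage: krb5_get CONF SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec                        { in_sec = 1; next }
        /^\[/                            { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# [libdefaults] keys this check recognises (extend as needed).
KNOWN_LIBDEFAULTS="default_realm dns_lookup_realm dns_lookup_kdc dns_canonicalize_hostname
ticket_lifetime renew_lifetime forwardable proxiable rdns default_ccache_name
default_keytab_name clockskew permitted_enctypes default_tgs_enctypes
default_tkt_enctypes allow_weak_crypto udp_preference_limit canonicalize"

# Print every [libdefaults] key in CONF that is not in KNOWN_LIBDEFAULTS.
libdefaults_unknown() { # usage: libdefaults_unknown CONF
    known=" $(printf '%s' "$KNOWN_LIBDEFAULTS" | tr '\n' ' ') "
    awk -v known="$known" '
        $0 == "[libdefaults]" { in_sec = 1; next }
        /^\[/                 { in_sec = 0 }
        in_sec && $2 == "="   { if (index(known, " " $1 " ") == 0) print $1 }
    ' "$1"
}

# Structural checks: 0 when realm, KDC and domain_realm mapping are all present.
# Unknown [libdefaults] keys only warn, because krb5 itself ignores them.
krb5_preflight() {      # usage: krb5_preflight CONF
    conf=$1; rc=0
    realm=$(krb5_get "$conf" libdefaults default_realm)
    kdc=$(krb5_get "$conf" realms kdc)
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    [ -n "$realm" ] || { echo "error: no default_realm in [libdefaults]" >&2; rc=1; }
    [ -n "$kdc" ]   || { echo "error: no kdc in [realms]" >&2; rc=1; }
    [ "$(krb5_get "$conf" domain_realm ".$domain")" = "$realm" ] ||
        { echo "error: [domain_realm] does not map .$domain to $realm" >&2; rc=1; }
    for key in $(libdefaults_unknown "$conf"); do
        echo "warning: [libdefaults] key '$key' is unknown to krb5 and ignored (typo?)" >&2
    done
    return $rc
}

# The KDC must resolve through the normal resolver because dns_lookup_kdc is off.
# 0 resolves, 1 does not, 2 no lookup tool available.
kdc_resolves() {        # usage: kdc_resolves HOSTNAME
    if   command -v getent >/dev/null 2>&1; then getent hosts "$1" >/dev/null
    elif command -v host   >/dev/null 2>&1; then host "$1" >/dev/null 2>&1
    else return 2; fi
}

# Kerberos rejects requests outside the permitted clock skew, so check NTP sync.
# 0 synchronised, 1 not, 2 cannot tell on this host.
clock_synced() {
    if   command -v timedatectl >/dev/null 2>&1; then
        timedatectl status 2>/dev/null | grep -qi 'synchronized: yes'
    elif command -v chronyc >/dev/null 2>&1; then
        chronyc tracking 2>/dev/null | grep -q '^Leap status *: Normal'
    else return 2; fi
}

# Constructed sample: the UConn [realms]/[domain_realm] layout from this article,
# with an "rdsn" typo in [libdefaults] so the warning path is exercised.
write_sample_conf() {   # usage: write_sample_conf PATH
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = UCONN.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdsn = false

[realms]
 UCONN.EDU = {
  kdc = kerberos.uconn.edu
  admin_server = kadmin.uconn.edu
 }

[domain_realm]
 .uconn.edu = UCONN.EDU
 uconn.edu = UCONN.EDU
EOF
}

# Demo: structure passes but the typo is reported on stderr. Pass --live to also
# query DNS and the time daemon (skipped by default so the demo runs offline).
conf=$(mktemp)
write_sample_conf "$conf"
krb5_preflight "$conf" && echo "krb5.conf structure OK"
if [ "${1:-}" = "--live" ]; then
    kdc_resolves "$(krb5_get "$conf" realms kdc)"; echo "kdc resolves: $? (2 = no resolver tool)"
    clock_synced; echo "clock synchronised: $? (2 = cannot tell)"
fi
rm -f "$conf"
```

Run it against the real file with krb5_preflight /etc/krb5.conf once the functions are sourced; a non-zero exit means one of the sections this article says must not change is missing or wrong, and a warning means a [libdefaults] key is being silently ignored.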

To integrate a server or application, the service must be registered with Kerberos before a client can authenticate to it, and a keytab must be created and installed before any authentication is attempted. A keytab is a file, unique to each registered service, that holds the service's long-term secret key in a form the Kerberos library reads directly; it is not password-protected, so anyone who can read the file can impersonate the service. Install it readable only by the account that runs the service (mode 0600), transfer it only over an encrypted channel, and never check it into source control. Service registration and keytabs can be obtained upon request.
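Installing the keytab safely is a small but easy-to-get-wrong step. The script below is an added example (not part of this article or of UConn's tooling): it copies a keytab into place so that it is never readable by other users, even briefly, confirms the resulting permissions, and checks the stored principal with klist when the MIT tools are present. The install path, service user and principal are assumptions, and the file it writes is a constructed placeholder rather than a real keytab.

```shell
#!/bin/sh
# Added example, not part of the original article: install and verify a keytab.
# Install path, service user and principal are assumptions; the "keytab" written
# in the demo is a constructed placeholder, not a real key file.

# Copy SRC to DST owned by OWNER with mode 0600. The temp copy is created under
# umask 077 so it is private from the first byte, and mv makes the final file
# appear atomically; a failed step leaves nothing behind.
install_keytab() {      # usage: install_keytab SRC DST OWNER
    tmp="$2.tmp.$$"
    ( umask 077 && cp "$1" "$tmp" ) || return 1
    if chown "$3" "$tmp" && chmod 0600 "$tmp" && mv "$tmp" "$2"; then return 0; fi
    rm -f "$tmp"; return 1
}

# Permission string as ls prints it, e.g. "-rw-------" (avoids non-portable stat -c).
keytab_mode() {         # usage: keytab_mode KEYTAB
    ls -ld "$1" | cut -c1-10
}

# 0 if no group or other permission bits are set, 1 otherwise.
keytab_is_private() {   # usage: keytab_is_private KEYTAB
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Principals stored in KEYTAB via "klist -kt" (header is three lines);
# prints nothing and returns 2 when the MIT tools are not installed.
keytab_principals() {   # usage: keytab_principals KEYTAB
    command -v klist >/dev/null 2>&1 || return 2
    klist -kt "$1" 2>/dev/null | awk 'NR > 3 { print $NF }' | sort -u
}

# 0 if PRINCIPAL is in KEYTAB, 1 if not, 2 if klist is unavailable.
keytab_has_principal() {  # usage: keytab_has_principal KEYTAB PRINCIPAL
    command -v klist >/dev/null 2>&1 || return 2
    keytab_principals "$1" | grep -qxF "$2"
}

# Demo with a constructed placeholder standing in for the keytab you received.
src=$(mktemp); printf 'placeholder, not a real keytab\n' > "$src"; chmod 0644 "$src"
dir=$(mktemp -d); dst="$dir/service.keytab"     # assumed path; e.g. /etc/myservice/service.keytab
install_keytab "$src" "$dst" "$(id -un)" && echo "installed $dst as $(keytab_mode "$dst")"
keytab_is_private "$dst" && echo "keytab is private"
expected="host/$(hostname -f 2>/dev/null || hostname)@UCONN.EDU"   # assumed service principal
keytab_has_principal "$dst" "$expected" ||
    echo "expected principal not found (status $?; 2 = klist not installed; placeholder holds no keys)"
rm -rf "$src" "$dir"
```

In production the OWNER argument is the unprivileged account the daemon runs as, not root, and the principal check should run after every keytab rotation: a keytab whose kvno no longer matches the KDC fails authentication in a way that looks like a clock or DNS problem.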

It is important to note that Kerberos relies heavily on DNS and on accurate time. Tickets and authenticators carry timestamps, and the KDC and services reject requests whose clocks differ by more than the permitted clock skew (five minutes by default in MIT Kerberos), which surfaces as errors such as "Clock skew too great". If you intend to integrate with Kerberos, ensure that the forward and reverse DNS records for your service resolve correctly and that network time synchronization (NTP or chrony) is configured and accurate.

Kerberos Clients

There are a variety of Kerberos clients and libraries for various programming languages. The examples below use the most common one, the MIT Kerberos command-line tools (package krb5-workstation on RHEL/CentOS, krb5-user on Debian and Ubuntu).

Obtaining a Kerberos Ticket

To obtain a TGT (Ticket Granting Ticket), which lets your client authenticate to kerberized services without entering your password again until it expires, request one with kinit. Include the realm explicitly as shown; if it is omitted, default_realm from krb5.conf is appended to the principal.

kinit abc12345@UCONN.EDU

Password for abc12345@UCONN.EDU:

Viewing Kerberos Tickets

If the password is accepted, kinit prints nothing; a wrong password or an unreachable KDC produces an error message instead. You can view the tickets in your credential cache with klist.

klist

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: abc12345@UCONN.EDU

Valid starting           Expires              Service principal
07/01/17 12:00:00        07/02/17 12:00:00    krbtgt/UCONN.EDU@UCONN.EDU

A valid TGT appears as krbtgt/UCONN.EDU@UCONN.EDU. Its Expires column is ticket_lifetime (24h) after Valid starting; if the KDC granted a renewable ticket, a "renew until" line follows it. In scripts, use klist -s, which prints nothing and exits non-zero when the cache is missing or expired, rather than parsing the dates. On a RHEL/CentOS 7 host using the default_ccache_name shown above, the first line begins with KEYRING:persistent: rather than FILE:.
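Interactive kinit is fine at a terminal, but a service or cron job needs the same guarantees without a password prompt. The script below is an added example (not part of this article or of UConn's tooling): tgt_expiry parses klist output for the realm's krbtgt, and ensure_tgt uses klist -s, kinit -R and kinit -kt to renew or re-acquire a ticket from a keytab before a kerberized command runs. The principal, keytab path and the second (service) ticket in the sample output are assumptions, and the klist output is constructed in the article's format.

```shell
#!/bin/sh
# Added example, not part of the original article: script-friendly TGT handling.
# Principal, keytab path and the service ticket in the sample are assumptions;
# the klist output below is constructed.

# Print "START -> EXPIRY" for REALM's krbtgt found in klist output on stdin.
# Prints nothing and returns 1 when no TGT for that realm is listed, which also
# covers "klist: No credentials cache found" (no line ends in the krbtgt name).
tgt_expiry() {          # usage: klist | tgt_expiry REALM
    awk -v svc="krbtgt/$1@$1" '
        $NF == svc { print $1, $2, "->", $3, $4; found = 1; exit }
        END        { exit !found }'
}

# Make sure the cache holds a usable TGT before running anything kerberized.
# klist -s is silent and exits non-zero when the cache is missing or expired;
# kinit -R renews a still-renewable TGT; kinit -kt re-authenticates from a keytab
# without prompting, which is what an unattended job needs.
ensure_tgt() {          # usage: ensure_tgt PRINCIPAL KEYTAB
    klist -s 2>/dev/null && return 0
    kinit -R 2>/dev/null && return 0
    kinit -kt "$2" "$1"
}

# Run COMMAND only once a TGT is available for PRINCIPAL.
run_with_tgt() {        # usage: run_with_tgt PRINCIPAL KEYTAB COMMAND [ARGS...]
    principal=$1; keytab=$2; shift 2
    ensure_tgt "$principal" "$keytab" || { echo "no TGT for $principal" >&2; return 1; }
    "$@"
}

# Constructed klist output in the article's format: the TGT, the "renew until"
# line klist prints under a renewable TGT, and one assumed service ticket.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: abc12345@UCONN.EDU

Valid starting           Expires              Service principal
07/01/17 12:00:00        07/02/17 12:00:00    krbtgt/UCONN.EDU@UCONN.EDU
        renew until 07/08/17 12:00:00
07/01/17 12:00:05        07/02/17 12:00:00    host/hypothetical-host.uconn.edu@UCONN.EDU
EOF
}

# Demo on the constructed output. A real unattended run looks like:
#   run_with_tgt HTTP/hypothetical-host.uconn.edu@UCONN.EDU /etc/svc.keytab /usr/local/bin/sync-job
sample_klist | tgt_expiry UCONN.EDU    || echo "no TGT for UCONN.EDU"
sample_klist | tgt_expiry EXAMPLE.COM  || echo "no TGT for EXAMPLE.COM"
```

The order in ensure_tgt matters: renewal (kinit -R) keeps the existing ticket's authorization data and does not touch the keytab, so it is tried first; falling back to kinit -kt is what makes the job self-healing after a reboot or after the renewable lifetime runs out.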

Updating a Kerberos Password

To update the password of a Kerberos account, use kpasswd. Please note: do not change your NetID password in this manner, as it will cause account synchronization issues.

kpasswd spinlock@UCONN.EDU

Password for spinlock@UCONN.EDU:
Enter new password:
Enter it again:
Password changed.