
Edit the Kerberos client config file


Kerberos clients use the file /etc/krb5.conf on Linux. On Solaris 10 the file is located at /etc/krb5/krb5.conf. Why does the server need that file? Usually you use Kerberos authentication on the server machine too, so you'll need that file there as well. Here is a starting example:
[libdefaults]
        default_realm = REDFLO.DE

[realms]
        REDFLO.DE = {
                kdc = kerberos.redflo.de
                admin_server = kerberos.redflo.de
        }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log


What does this mean? The Kerberos config files are structured in the Windows ini-file style. Here we can see three sections.
The first section, libdefaults, contains default values for the Kerberos libraries. These libraries are used by all kerberized programs. There are more than 20 possible settings here, but we start with only default_realm. This saves some typing.
In the realms section we tell the Kerberos client programs where to find the Kerberos server and the Kerberos admin server. Both are on kerberos.redflo.de in our case. Remember to set up your DNS server so that the clients can resolve the machine "kerberos.redflo.de".
The logging section should be self-explanatory. If you run into problems later, always remember to look at these files!

All options and all sections of the /etc/krb5.conf file are explained in the krb5.conf manpage or in the Kerberos V5 System Administrators Guide.

Every time we change something, we want to check whether it works. At the moment we don't have a Kerberos server running, but we can check that it doesn't work. To get a ticket from the Kerberos server we can use kinit. So you type "kinit" and watch the output:
kinit
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials

That just means that kinit cannot contact the Kerberos server. So let's set up the Kerberos server.

If you get
kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials


then you have to set up name resolution (DNS) for your Kerberos server.
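
An added example, not part of the original page: a short Python check that reads the krb5.conf text shown above, finds the kdc entries of the default realm and tests whether each name resolves, which is the condition behind the "Cannot resolve network address for KDC" error. The function names are made up for this example, and kdc values are assumed to be a hostname or IPv4 address with an optional :port.

```python
import re
import socket

# Constructed sample: the starting krb5.conf shown on this page.
SAMPLE = """[libdefaults]
        default_realm = REDFLO.DE
[realms]
        REDFLO.DE = {
                kdc = kerberos.redflo.de
                admin_server = kerberos.redflo.de
        }
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc hosts]}) from krb5.conf text."""
    section, realm, default_realm, kdcs = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # e.g. [libdefaults]
            section, realm = header.group(1), None
        elif line == "}":                     # end of a realm block
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                realm = key                   # start of "REALM = {"
            elif section == "realms" and realm and key == "kdc":
                # Assumed form host[:port]; keep only the host part.
                kdcs.setdefault(realm, []).append(value.split(":")[0])
    return default_realm, kdcs

def check_kdc_names(text, resolve=socket.getaddrinfo):
    """Return (default_realm, {kdc host: True if its name resolves})."""
    default_realm, kdcs = parse_krb5_conf(text)
    status = {}
    for host in kdcs.get(default_realm, []):
        try:
            resolve(host, 88)                 # 88 is the Kerberos port
            status[host] = True
        except OSError:                       # socket.gaierror is an OSError
            status[host] = False
    return default_realm, status

if __name__ == "__main__":
    for host, ok in check_kdc_names(SAMPLE)[1].items():
        print(host, "resolves" if ok else "does NOT resolve")
```

A name that resolves only rules out the second error; kinit still reports "Cannot contact any KDC" when no Kerberos server is running on that host.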

Created by system. Last Modification: Monday 14 of January, 2008 00:15:30 GMT-0000 by redflo.
