Kerberos 5 admin in the CITI Realm
Spring 2009 notes
To add someone to Kerberos:
kaserver to MIT K5 conversion
We used the AFS to K5 migration kit from Ken Hornstein of the Naval Research Laboratory. This kit provides auxiliary programs for the MIT K5 distribution that allow a transparent migration from an AFS kaserver to an MIT K5 KDC for authentication. See this picture for a flow of how things fit together. The fakeka, ka-forwarder, and aklog programs are provided in the migration kit. In addition to what the picture shows, the MIT code provides a kadmind4 server that lets a user change their password with a Kerberos 4 version of the kpasswd program.
Note that the AFS kpasswd program can no longer be used to change CITI cell passwords.
November 2003 updates
The binaries currently in use on babylon.citi.umich.edu (aka kerberos.citi.umich.edu) are located in /usr/krb5/. The 'system' binaries are in the sbin directory and the user binaries are in bin. The source for this code is currently in /afs/umich.edu/group/itd/build/kwc/krb5-131/krb5/src. There are several builds for different platforms in sister directories.
N.B. (ph, 25 april 2005): The kadmin command can sometimes be found in
Configuration files, etc.
/etc/krb5.conf is the general use K5 configuration file. It defines the default realm for a machine and server locations for all known realms. It also defines log file information for the kdc and admin server (kadmind). Here is an example of a minimal krb5.conf file for the CITI realm. The configuration file for the KDC (and other programs) has a default location of /usr/krb5/var/krb5kdc/kdc.conf. /usr/krb5/var/krb5kdc/ is also the default location for the actual database files and various other related files.
Changes are also required in /etc/services to locate kerberos services. Here are the changes required in /etc/services for a client machine.
Adding new users
The kas create command is no longer used to create new principals in the cell. Instead, the kadmin command is used. To create a new user:
Deleting users
    kadmin: delprinc exampleid
    <you'll be asked to verify the deletion>
To change the ticket lifetime for an individual user:
To change a user's password:
To list the attributes of a principal:
To list policy information:
Creating keytabs (K4 had srvtabs, K5 has keytabs)
To create a K5 keytab file, use the kadmin ktadd subcommand. This can be invoked so that a new keytab file is created and a new random password for the principal is generated. The K5 keytab can then be converted into a K4 srvtab format for use by K4 application servers with the ktutil program.
The syntax of the ktadd subcommand is:
NOTE: The principal name formats have changed between K4 and K5. In K4, the principal and instance were separated by a period. In K5, the principal and instance are separated with a slash. So a principal name of www and instance name of buffalo in K4 would be www.buffalo@CITI.UMICH.EDU. The same principal in K5 is www/buffalo@CITI.UMICH.EDU.
To create a K5 keytab file:
To convert the keytab into a K4 srvtab format:
The first subcommand (rkt) reads the existing keytab file. The list subcommand prints the contents read from the keytab file. The wst subcommand writes the current contents to the file specified in srvtab format.
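An added example, not part of these notes: POSIX shell helpers that apply the K4-to-K5 principal name rule above (and its reverse, which refuses K5 principals with more than two components, since a K4 name has only a name and an instance) and emit the rkt/list/wst sequence so it can be piped into ktutil. The function names and the DEFAULT_REALM variable are my own; the realm value is the one used throughout these notes.

```shell
#!/bin/sh
# Added example (not part of the CITI notes): helpers for the K4 <-> K5
# principal-name mapping and for driving the ktutil keytab-to-srvtab
# conversion. The realm value is taken from the notes above.

DEFAULT_REALM='CITI.UMICH.EDU'

# k4_to_k5 NAME.INSTANCE[@REALM]  -> NAME/INSTANCE@REALM
# The first '.' in the name part is the K4 instance separator; a principal
# with no instance (e.g. a plain user id) just gets the realm appended.
k4_to_k5() {
    case "$1" in
        *@*) realm="${1#*@}"; name="${1%%@*}" ;;
        *)   realm="$DEFAULT_REALM"; name="$1" ;;
    esac
    case "$name" in
        *.*) printf '%s/%s@%s\n' "${name%%.*}" "${name#*.}" "$realm" ;;
        *)   printf '%s@%s\n' "$name" "$realm" ;;
    esac
}

# k5_to_k4 NAME[/INSTANCE]@REALM -> NAME.INSTANCE@REALM
# K4 has only name, instance and realm, so a K5 principal with more than two
# components (e.g. host/a/b@REALM) cannot be written to a srvtab; fail on it.
k5_to_k4() {
    case "$1" in
        *@*) ;;
        *) echo "k5_to_k4: missing @REALM in '$1'" >&2; return 1 ;;
    esac
    realm="${1#*@}"; name="${1%%@*}"
    case "$name" in
        */*/*) echo "k5_to_k4: '$name' has more than two components" >&2; return 1 ;;
        */*)   printf '%s.%s@%s\n' "${name%%/*}" "${name#*/}" "$realm" ;;
        *)     printf '%s@%s\n' "$name" "$realm" ;;
    esac
}

# ktutil_script KEYTAB SRVTAB -> the ktutil subcommands from the notes
# (rkt reads the keytab, list shows it, wst writes the srvtab). Feed the
# output to ktutil on stdin:  ktutil_script /etc/krb5.keytab /etc/srvtab | ktutil
ktutil_script() {
    printf 'rkt %s\nlist\nwst %s\nquit\n' "$1" "$2"
}
```

Run the conversion as the user that owns the keytab, since ktutil reads the key material and the resulting srvtab needs the same restrictive permissions as the keytab.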