User:Tiicoo/AFSKRB/KerberosConfig

Configuring your Domain Name System
In this chapter we will have a look at the Domain Name System, which gives us a useful way to automate service discovery: clients can find the KDC and related services by name instead of through hand-maintained configuration.

Configuration of your Nameserver
We are going to have a look at the configuration for a zone called "secure". If you would like a closer look at DNS in general, see DNS. If your network is organised into subnets or other hierarchies, you have to distribute the information about where the services inside your network can be found; you can do so with the Domain Name System or with LDAP.

Basic Configuration of your Nameserver
After defining the base structure we will have a look at the zones in which the computers interact.

Configuration of the zone "ilm"
Here is the file db.ilm

;zone file for TLD
$TTL 1d
@       IN      SOA     ilm. ossy.ilm. (
                        2006041000      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      ilm.
@       IN      A       192.168.2.10

Here is the file db.192.168

;reverse zone file for 192.168.0.0/16 (168.192.in-addr.arpa)
$TTL 1d
@       IN      SOA     ilm. ossy.ilm. (
                        2006041000      ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
@       IN      NS      ilm.
; owner = host octets in reverse order relative to 168.192.in-addr.arpa,
; so 192.168.2.10 becomes 10.2 (not 2.10)
10.2    IN      PTR     ilm.

Configuration of the zone "secure.ilm"
Here is the file db.secure.ilm

;zone file for domain secure.ilm
$TTL 1d
@                       IN      SOA     torpedo-bay.secure.ilm. ossy.torpedo-bay.secure.ilm. (
                                2006041000      ; Serial
                                604800          ; Refresh
                                86400           ; Retry
                                2419200         ; Expire
                                604800 )        ; Negative Cache TTL
@                       IN      NS      torpedo-bay.secure.ilm.
@                       IN      A       192.168.2.10
torpedo-bay             IN      A       192.168.2.10
sensor-array            IN      A       192.168.2.110
;Kerberos-Section
kerberos                IN      CNAME   torpedo-bay.secure.ilm.
_kerberos               IN      TXT     "SECURE.ILM"
; SRV targets must be host names that own A records, not aliases (RFC 2782),
; so they name torpedo-bay directly instead of the kerberos CNAME
_kerberos-master._udp   IN      SRV     0 0 88  torpedo-bay.secure.ilm.
_kerberos-adm._tcp      IN      SRV     0 0 749 torpedo-bay.secure.ilm.
_kpasswd._udp           IN      SRV     0 0 464 torpedo-bay.secure.ilm.
_kerberos._udp          IN      SRV     0 0 88  torpedo-bay.secure.ilm.

Here is the file db.192.168.2

;reverse zone file for 192.168.2.0/24 (2.168.192.in-addr.arpa)
$TTL 1d
; SOA names carry a trailing dot; without it they would be read relative to this zone
@                       IN      SOA     torpedo-bay.secure.ilm. ossy.torpedo-bay.secure.ilm. (
                                2006041000      ; Serial
                                604800          ; Refresh
                                86400           ; Retry
                                2419200         ; Expire
                                604800 )        ; Negative Cache TTL
@                       IN      NS      torpedo-bay.secure.ilm.
; owner = last octet, relative to the zone origin (no trailing dot);
; torpedo-bay is 192.168.2.10 and sensor-array is 192.168.2.110
10                      IN      PTR     torpedo-bay.secure.ilm.
110                     IN      PTR     sensor-array.secure.ilm.
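The SRV, A and PTR records above only give clients correct answers when the forward and reverse zones agree with each other and the SRV targets are real host names. The following Python script is an added example, not part of this page or of any named tool: it reads the two zones with a minimal zone-file parser and reports the mismatches a practitioner would check for before loading them. The embedded zone text is a constructed copy of the secure.ilm records that deliberately keeps three common slips (SRV targets naming the kerberos alias, reverse-zone owners written with a trailing dot, a reverse-zone SOA name without one) so that each check fires; the function names and the wording of the findings are this example's own.

```python
import re
from collections import defaultdict

# Added example, not from the original page: cross-check the secure.ilm forward
# zone against its reverse zone. Constructed input; it keeps three common slips
# (SRV targets naming the "kerberos" alias, PTR owners with a trailing dot, a
# reverse-zone SOA name without one) so that every check below fires.
FORWARD_ORIGIN = "secure.ilm."
FORWARD_ZONE = """\
$TTL 1d
@  IN SOA torpedo-bay.secure.ilm. ossy.torpedo-bay.secure.ilm. (
        2006041000 604800 86400 2419200 604800 )   ; Serial Refresh Retry Expire Neg-TTL
@              IN A     192.168.2.10
torpedo-bay    IN A     192.168.2.10
sensor-array   IN A     192.168.2.110
kerberos              IN CNAME torpedo-bay.secure.ilm.
_kerberos-master._udp IN SRV   0 0 88 kerberos
_kerberos-adm._tcp    IN SRV   0 0 749 kerberos
_kpasswd._udp         IN SRV   0 0 464 kerberos
_kerberos._udp        IN SRV   0 0 88 kerberos
"""
REVERSE_ORIGIN = "2.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 1d
@    IN SOA torpedo-bay.secure.ilm ossy.torpedo-bay.secure.ilm (
        2006041000 604800 86400 2419200 604800 )
@    IN NS  torpedo-bay.secure.ilm.
1.   IN PTR torpedo-bay.secure.ilm.
110. IN PTR sensor-array.secure.ilm.
"""

def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def reverse_prefix(rev_origin):
    """'2.168.192.in-addr.arpa.' -> '192.168.2.'"""
    return ".".join(reversed(rev_origin.removesuffix(".in-addr.arpa.").split("."))) + "."

def parse_zone(text, origin):
    """Minimal parser: ';' comments, $-directives, parenthesised RDATA, optional TTL/class."""
    text = re.sub(r";[^\n]*", "", text)
    logical, buf, depth = [], [], 0       # fold '(' ... ')' continuations into one line
    for line in text.splitlines():
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append("\n".join(buf))
            buf = []
    records, owner = [], origin
    for line in logical:
        toks = line.replace("(", " ").replace(")", " ").split()
        if not toks or toks[0].startswith("$"):
            continue
        if not line[0].isspace():         # leading blank = reuse previous owner
            owner = fqdn(toks.pop(0), origin)
        if toks[0].isdigit():
            toks.pop(0)                   # optional TTL
        if toks[0].upper() == "IN":
            toks.pop(0)                   # optional class
        records.append((owner, toks[0].upper(), toks[1:]))   # (owner_fqdn, TYPE, rdata)
    return records

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of findings; an empty list means the two zones agree."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    a_by_host = defaultdict(set)
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_host[owner].add(rdata[0])
    cnames = {owner for owner, rtype, _ in fwd if rtype == "CNAME"}
    findings = []
    # RFC 2782: an SRV target must be a host with address records, not an alias
    for owner, rtype, rdata in fwd:
        if rtype == "SRV":
            target = fqdn(rdata[3], fwd_origin)
            if target in cnames or target not in a_by_host:
                findings.append(f"SRV {owner}: target {target} is not a host with an A record")
    # names in the reverse zone's SOA/NS are relative unless they end in '.'
    for owner, rtype, rdata in rev:
        if rtype in ("SOA", "NS") and fqdn(rdata[0], rev_origin) not in a_by_host:
            findings.append(f"{rtype} {owner}: {fqdn(rdata[0], rev_origin)} has no A record")
    # PTR <-> A agreement within the block the reverse zone covers
    prefix, ptr_by_ip = reverse_prefix(rev_origin), {}
    for owner, rtype, rdata in rev:
        if rtype != "PTR":
            continue
        if not owner.endswith("." + rev_origin):
            findings.append(f"PTR {owner}: owner lies outside {rev_origin}")
            continue
        ip = prefix + ".".join(reversed(owner.removesuffix("." + rev_origin).split(".")))
        host = fqdn(rdata[0], rev_origin)
        ptr_by_ip[ip] = host
        if ip not in a_by_host.get(host, ()):
            findings.append(f"PTR {ip} -> {host}: no matching A record")
    for ip in sorted({ip for ips in a_by_host.values() for ip in ips}):
        if ip.startswith(prefix) and ip not in ptr_by_ip:
            findings.append(f"no PTR for {ip}")
    return findings
```

Calling check_zones(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN) on the embedded input returns nine findings: four SRV records whose target is the CNAME, the SOA whose MNAME is silently read as torpedo-bay.secure.ilm.2.168.192.in-addr.arpa., two PTR owners that left the zone because of the trailing dot, and the two addresses that consequently have no reverse mapping. Once the reverse zone uses relative owners and dotted SOA names, only the SRV findings remain, and those disappear when the SRV targets name torpedo-bay.secure.ilm. directly.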

Basic Configuration of Kerberos Database
TODO: post configuration files of krb5.conf and kdc.conf

We start by initializing the Kerberos principal database for our realm with kdb5_util. Please note that it is VERY IMPORTANT to remember the master password you type in.

root@torpedo-bay:~# kdb5_util create -r SECURE.ILM -s
Loading random data
Initializing database '/usr/var/krb5kdc/principal' for realm 'SECURE.ILM',
master key name 'K/M@SECURE.ILM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

We used the -r switch to name the realm (SECURE.ILM) and the -s switch because we intend to create the corresponding stash file, so that the KDC can open the database without the master password being typed in.

As the Kerberos servers are still offline we can use the kadmin.local tool to create the necessary administration accounts. We do so by:

root@torpedo-bay:~# kadmin.local
Authenticating as principal root/admin@SECURE.ILM with password.
kadmin.local:  addprinc afsadmin@SECURE.ILM
WARNING: no policy specified for afsadmin@SECURE.ILM; defaulting to no policy
Enter password for principal "afsadmin@SECURE.ILM":
Re-enter password for principal "afsadmin@SECURE.ILM":
Principal "afsadmin@SECURE.ILM" created.
kadmin.local:  addprinc afsadmin/admin@SECURE.ILM
WARNING: no policy specified for afsadmin/admin@SECURE.ILM; defaulting to no policy
Enter password for principal "afsadmin/admin@SECURE.ILM":
Re-enter password for principal "afsadmin/admin@SECURE.ILM":
Principal "afsadmin/admin@SECURE.ILM" created.

Now we need a principal responsible for the creation of the AFS tokens. Its key may be random, since nobody ever types it in. Again we use the kadmin.local tool for that task. Please note that the name of our future AFS cell (secure.ilm) is identical to the name of our Kerberos realm, apart from case.

kadmin.local:  addprinc -randkey afs/secure.ilm@SECURE.ILM
WARNING: no policy specified for afs/secure.ilm@SECURE.ILM; defaulting to no policy
Principal "afs/secure.ilm@SECURE.ILM" created.

Because OpenAFS needs direct access to the key file, we export the key into a keytab with kadmin.local:

kadmin.local:  ktadd -e des-cbc-crc:normal -k /etc/kdc/kdc.keytab.afs afs/secure.ilm
Entry for principal afs/secure.ilm with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/kdc/kdc.keytab.afs
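The keytab written by ktadd is a binary file, and the enctype it records matters: des-cbc-crc is single DES, which RFC 6649 has since deprecated, so a keytab audit is a check worth keeping around. The following Python script is an added example, not from this page, from MIT Kerberos or from OpenAFS: it builds a small keytab in the MIT version-2 file format in memory (constructed sample entries with dummy key bytes, one for afs/secure.ilm at kvno 3 with etype 1 as exported above and one AES-256 host key), parses it back and lists the entries that still use a deprecated enctype. The field layout follows the documented MIT keytab format; the builder, the entry class and the audit function are this example's own.

```python
import struct
from dataclasses import dataclass

# Added example (not part of the original page): build a small MIT-format keytab
# in memory, parse it back, and flag entries whose enctype is deprecated.
# Enctype numbers follow the IANA Kerberos registry; RFC 6649 deprecates single
# DES and RFC 8429 deprecates triple DES and RC4.
KEYTAB_MAGIC = b"\x05\x02"                  # keytab file format version 2
DEPRECATED_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                       16: "des3-cbc-sha1", 23: "arcfour-hmac"}
NT_PRINCIPAL = 1

@dataclass
class KeytabEntry:
    principal: str      # e.g. "afs/secure.ilm@SECURE.ILM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0

def _counted(b: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise entries in the layout ktadd writes (constructed data, not a real key file)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)  # name type, time, 8-bit vno
        body += struct.pack(">H", e.enctype) + _counted(e.key)                 # keyblock
        body += struct.pack(">I", e.kvno)                                     # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body                            # signed length prefix
    return bytes(out)

def parse_keytab(data: bytes):
    """Decode a version-2 keytab; a negative length prefix marks a deleted slot to skip."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        def counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2 + n
            return data[pos - n:pos]
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:                          # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, timestamp))
    return entries

def audit_keytab(data: bytes):
    """List entries that still rely on a deprecated enctype."""
    return [f"{e.principal} kvno {e.kvno}: {DEPRECATED_ENCTYPES[e.enctype]} (etype {e.enctype})"
            for e in parse_keytab(data) if e.enctype in DEPRECATED_ENCTYPES]

# Constructed sample: the AFS key as this page exports it (single DES, kvno 3)
# next to a host key using AES-256 (etype 18). Key bytes are dummies.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("afs/secure.ilm@SECURE.ILM", 3, 1, bytes(range(8)), 1144656000),
    KeytabEntry("host/torpedo-bay.secure.ilm@SECURE.ILM", 2, 18, bytes(32), 1144656000),
])

if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE_KEYTAB):
        print(finding)
```

Running the script prints the single finding for afs/secure.ilm. To audit a real file, pass the bytes read from the keytab path to audit_keytab; the parser skips deleted slots the way the MIT library does, so keytabs that have had entries removed with ktremove still parse.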

You may now start the services kadmind and krb5kdc.