
Configuring Kerberos

This section provides detailed procedures for configuring Kerberos. Sample configurations are provided in Sample Kerberos Configuration.

Configuring Kerberos on Configuration Server or Configuration Server Proxy

  1. In the options of the Configuration Server or Configuration Server Proxy Application object, do the following:

    a. (Optional) Do one of the following:

       If the authentication section does not exist, create it and add the following option and value:

           Option: library
           Value: gauth_kerberos

       If the authentication section already exists, add the following to the end of the line of values for the library option:

           , gauth_kerberos

       For example:

           gauth_ldap, gauth_kerberos

    b. Create the gauth_kerberos section, and set the following options:

           SPN
           realm
           keytab

       Refer to the section gauth_kerberos Section for descriptions of these options.

  2. Finish the configuration by completing one of the following installation procedures, depending on the operating system you are using.

Installing Kerberos


Installing Kerberos on Configuration Server/Proxy host running Windows 32-bit

Prerequisites

Configuration Server or Configuration Server Proxy is configured as described in the procedure See

  1. Install MIT Kerberos for Windows 4.0.1 32-bit on the host on which Configuration Server or Configuration Server Proxy is running. The executable file is available at:

    http://web.mit.edu/Kerberos/dist/kfw/4.0/kfw-4.0.1-i386.msi

  2. Make sure that the krb5.ini file contains correct information in the libdefaults and realms sections. This file is usually located in the Windows directory or in the Kerberos initialization directory (C:\ProgramData\MIT\Kerberos5), but may have been placed elsewhere. If you cannot find it, use a file-search utility, such as Windows Search, to locate it. See Kerberos Initialization File for more information about this file.


Installing Kerberos on Configuration Server/Proxy host running Windows 64-bit

Prerequisites

Configuration Server or Configuration Server Proxy is configured as described in the procedure See

  1. Install MIT Kerberos for Windows 4.0.1 64-bit on the host on which Configuration Server or Configuration Server Proxy is running. The executable file is available at:

    http://web.mit.edu/Kerberos/dist/kfw/4.0/kfw-4.0.1-amd64.msi

  2. Make sure that the krb5.ini file contains correct information in the libdefaults and realms sections. This file is usually located in the Windows directory or in the Kerberos initialization directory (C:\ProgramData\MIT\Kerberos5), but may have been placed elsewhere. If you cannot find it, use a file-search utility, such as Windows Search, to locate it. See Kerberos Initialization File for more information about this file.


Installing Kerberos on Configuration Server/Proxy host running RHEL

Prerequisites

Configuration Server or Configuration Server Proxy is configured as described in the procedure See

  1. Install MIT Kerberos 5-1.11 on the host on which Configuration Server or Configuration Server Proxy is running. The executable installation file is available at:

    http://web.mit.edu/Kerberos/dist/krb5/1.11/krb5-1.11-signed.tar

    The installation process is described at:

    http://web.mit.edu/Kerberos/krb5-latest/doc/build/doing_build.html

  2. After executing make install, add the /usr/local/lib path to the /etc/ld.so.conf file.
  3. Run /sbin/ldconfig.
  4. Make sure that the /etc/krb5.conf file contains the correct information in the libdefaults and realms sections. This file is located in /etc by default, but its location can be overridden by setting the environment variable KRB5_CONFIG. See Kerberos Initialization File for more information about this file.


Installing Kerberos on Configuration Server/Proxy host running Solaris 10 64-bit

Prerequisites

Configuration Server or Configuration Server Proxy is configured as described in the procedure See

  1. Install MIT Kerberos 5-1.11 on the host on which Configuration Server or Configuration Server Proxy is running. The executable installation file is available at:

    http://web.mit.edu/Kerberos/dist/krb5/1.11/krb5-1.11-signed.tar

    The installation process is described at:

    http://web.mit.edu/Kerberos/krb5-latest/doc/build/doing_build.html

  2. Extract the file as follows:

    mkdir .krb5_install
    cd .krb5_install
    tar xvf ../krb5-1.11-signed.tar
    tar xzvf krb5-1.11.tar.gz

  3. During the installation, specify the following values for the configuration options:

    ./configure CC='/opt/SUNWspro/bin/cc' CXX='/opt/SUNWspro/bin/cc' \
        CFLAGS='-g -v -xarch=v10' CXXFLAGS='-g -v -xarch=v10' \
        LDFLAGS='-xarch=v10' LIBS='-lsocket -lnsl -ldl -lresolv'

    and the corresponding --prefix.

  4. After the corresponding stage, before the make stage, do the following:

    a. Add a symbolic link, using the following command (on one line):

        ln -s <installation directory>/plugins/kdb/db2/libdb2/libdb.so <installation directory>/lib/libdb.so

    b. Patch the code at line 358 of <source_dir>/src/lib/krb5/os/expand_path.c with:

    -static const struct token { +static const struct { const char *tok; PTYPE param; const char *postfix;
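
    Review bot: Dropping the tag from `static const struct token {` leaves the struct anonymous, so any other `struct token` reference in expand_path.c will stop compiling; confirm the declaration at line 358 is the only use before applying. The step also gives no reason for the change and locates it only by line number, so it should name the compiler error it works around and state that line 358 refers to the krb5-1.11 source extracted earlier in this procedure.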


  5. Make sure that the /etc/krb5.conf file contains the correct information in the libdefaults and realms sections. This file is located in /etc by default, but its location can be overridden by setting the environment variable KRB5_CONFIG. See Kerberos Initialization File for more information about this file.



Installing Kerberos on Configuration Server/Proxy host running AIX 64-bit

Prerequisites

Configuration Server or Configuration Server Proxy is configured as described in the procedure See


Start

  1. Install MIT Kerberos 5-1.11 on the host on which Configuration Server or Configuration Server Proxy is running. The executable installation file is available at:

    http://web.mit.edu/Kerberos/dist/krb5/1.11/krb5-1.11-signed.tar

    The installation process is described at:

    http://web.mit.edu/Kerberos/krb5-latest/doc/build/doing_build.html

  2. Extract the file as follows:

    mkdir .krb5_install
    cd .krb5_install
    tar xvf ../krb5-1.11-signed.tar
    tar xzvf krb5-1.11.tar.gz

  3. During the installation, specify the following values for the configuration options, as prompted:

    ./configure CC='/usr/vacapp/bin/xlc' CXX='/usr/vacapp/bin/xlc' \
        CFLAGS='-g -v -q64 -qlanglvl=newexcp' CXXFLAGS='-g -v -q64 -qlanglvl=newexcp' \
        LDFLAGS='-b64 -brtl' LIBS='-ldl' AR='ar -X 32_64'

    and the corresponding --prefix.

  4. After the corresponding stage, before the make stage, do the following:

    a. Add a symbolic link, using the following command (on one line):

        ln -s <installation directory>/plugins/kdb/db2/libdb2/libdb.so <installation directory>/lib/libdb.so

    b. Patch the code at line 358 of <source_dir>/src/lib/krb5/os/expand_path.c with:

    -static const struct token { +static const struct { const char *tok; PTYPE param; const char *postfix;
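
    Review bot: Keep the edit to `static const struct token {` as a saved patch file alongside the build, because it alters source taken from krb5-1.11-signed.tar and the resulting binaries no longer match the signed release. The member lines after `+static const struct {` (`const char *tok;` onward) carry no `+` or `-` marker and should be presented as unchanged context so that nobody retypes them as part of the edit.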


  5. Make sure that the /etc/krb5.conf file contains the correct information in the libdefaults and realms sections. This file is located in /etc by default, but its location can be overridden by setting the environment variable KRB5_CONFIG. See Kerberos Initialization File for more information about this file.

End

Kerberos Initialization File

When Kerberos is installed on the host of the Configuration Server or Configuration Server Proxy, it creates an initialization file that contains information about the realms used by Kerberos. This file has different names depending on the platform on which Kerberos is installed, but contains two sections, as follows:

libdefaults —This section is required by Kerberos, and must contain the name of the realm used for authentication.

realms —This section must contain subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, especially the kdc key with the key distribution center host.

The following is a sample of a Kerberos initialization file:

    [libdefaults]
        default_realm = ROOTDOMAIN.CONTOSO.COM

    [realms]
        KRBTEST.GENESYSLAB.COM = {
            kdc = rh5qa64-1.genesyslab.com
            admin_server = rh5qa64-1.genesyslab.com
        }

        ROOTDOMAIN.CONTOSO.COM = {
            kdc = 135.225.51.144
            admin_server = 135.225.51.144
        }


For more information, see

http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5/doc/krb5-admin/krb5.conf.html
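
A check for the two requirements stated above (a default realm in libdefaults, and a realms subsection with a kdc key for it), written as an added example that is not part of the original documentation or of any Genesys or MIT tooling. The function names and the sample text are constructed for illustration, and the parser assumes each { } subsection is written across several lines.

```python
# Constructed sample, modelled on the initialization file shown above.
SAMPLE = """\
[libdefaults]
    default_realm = ROOTDOMAIN.CONTOSO.COM
[realms]
    KRBTEST.GENESYSLAB.COM = {
        kdc = rh5qa64-1.genesyslab.com
    }
    ROOTDOMAIN.CONTOSO.COM = {
        kdc = 135.225.51.144
    }
"""

def parse_krb5_ini(text):
    """Parse [sections], key = value pairs and one level of { } subsections."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                    # end of a realm subsection
            sub = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                 # start of a realm subsection
                sub = section.setdefault(key, {})
            elif sub is not None:
                sub.setdefault(key, []).append(value)  # kdc may repeat
            else:
                section[key] = value
    return conf

def check_krb5_ini(text):
    """Return a list of problems; an empty list means both sections are usable."""
    conf = parse_krb5_ini(text)
    default = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    problems = []
    if not default:
        problems.append("libdefaults: default_realm is missing")
    elif default not in realms:              # realm names are case-sensitive
        problems.append(f"realms: no subsection for default realm {default}")
    for name, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            problems.append(f"realms: {name} has no kdc entry")
    return problems
```

Pass the contents of krb5.ini or /etc/krb5.conf to check_krb5_ini; any returned line names the section that needs attention.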

Redundant Configuration Servers

When primary and backup Configuration Servers are running on separate hosts, they can both use the same principal name (SPN). Each Configuration Server must be configured to use Kerberos, as described in this section; otherwise, no special configuration is required.

If the two servers are running on the same host and using the same principal name (SPN), the server applications must run under different system user accounts. That is, they must use a different user name in the Windows Services property (the Log in as field on the Log on tab).

This page was last edited on August 1, 2014, at 14:21.