Datasheet

ManualsBrandsNovell ManualsSoftware00662644465449-OEM

691

692

693

694

695

696

697

698

699

700

“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 669 — #695

Security in the Network

Accepting the defaults by pressing









Enter is okay. Choose a good password,

however.

Next, create another principal named newbie/admin by typing add

newbie/admin at the kadmin prompt. The admin sufﬁxed to your

user name is a role. Later, use this role when administering the Kerberos

database. A user can have several roles for different purposes. Roles are

basically completely different accounts with similar names.

Starting the KDC

Start the KDC daemons. This includes kdc itself (the daemon handling

user authentication and ticket requests), kadmind (the server perform-

ing remote administration), and kpasswddd (handling user’s password

change requests). To start the daemon manually, enter rckdc start. Also

make sure KDC is started by default when the server machine is rebooted

with the command insserv kdc.

26.6.6 Conﬁguring Kerberos Clients

When conﬁguring Kerberos, there are basically two approaches you can

take — static conﬁguration via the /etc/krb5.conf ﬁle or dynamic con-

ﬁguration via DNS. With DNS conﬁguration, Kerberos applications try to

locate the KDC services via DNS records. With static conﬁguration, add the

host names of your KDC server to krb5.conf (and update the ﬁle when-

ever you move the KDC or reconﬁgure your realm in other ways).

DNS-based conﬁguration is generally a lot more ﬂexible and the amount

of conﬁguration work per machine is a lot less. However, it requires that

your realm name is either the same as your DNS domain or a subdomain

of it. Conﬁguring Kerberos via DNS also creates a minor security issue —

an attacker can seriously disrupt your infrastructure through your DNS (by

shooting down the name server, by spooﬁng DNS records, etc). However,

this amounts to a denial of service at most. A similar scenario applies to

the static conﬁguration case unless you enter IP addresses in krb5.conf

instead of host names.

Static Conﬁguration

One way to conﬁgure Kerberos is to edit the conﬁguration ﬁle /etc/

krb5.conf. The ﬁle installed by default contains various sample entries.

Erase all of these entries before starting. krb5.conf is made up of sev-

eral sections, each introduced by the section name included in brackets like

[this].

669SUSE LINUX Enterprise Server