Installation guide
140 Chapter 10. Kerberos
Note
Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. Therefore, a clock synchronization program should be set up for the network, such as ntpd.
Also, since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured. See the Kerberos V5 System Administrator’s Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server-version-number (where version-number is the version installed on the system) for more information.
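To make the two preconditions in the Note concrete (clocks that agree, and hosts that map to the right realm), here is an added Python example written for this guide; it is not code from Red Hat's krb5 packages. The krb5.conf text is a constructed sample with placeholder names, the lookup order in realm_for_host is a simplification of the library's own [domain_realm] search, and the 300-second fallback mirrors the five-minute default described in Section 10.6.

```python
# Constructed sample in /etc/krb5.conf syntax; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 clockskew = 300
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .lab.example.com = LAB.EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'name = {' opens a nested dict."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()  # end of a nested block such as a realm definition
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def realm_for_host(conf, hostname):
    """Simplified [domain_realm] lookup: exact host, then dot-prefixed parent domains, then default_realm."""
    mapping = conf.get("domain_realm", {})
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")

def within_clockskew(conf, client_time, kdc_time):
    """True when two Unix timestamps differ by at most [libdefaults] clockskew (300 s if unset)."""
    skew = int(conf.get("libdefaults", {}).get("clockskew", 300))
    return abs(client_time - kdc_time) <= skew
```

A client whose clock is off by more than the returned tolerance will have its requests rejected by the KDC, which is the symptom to look for first when authentication fails after a reboot or a timezone change.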
10.5. Kerberos and PAM
Currently, kerberized services do not make use of Pluggable Authentication Modules (PAM) — kerberized servers bypass PAM completely. However, applications that use PAM can make use of Kerberos for authentication if the pam_krb5 module (provided in the pam_krb5 package) is installed.
The pam_krb5 package contains sample configuration files that allow services like login and gdm to authenticate users and obtain initial credentials using their passwords. If access to network servers is always done using kerberized services or services that use GSS-API, like IMAP, the network can be considered reasonably safe.
Careful administrators will not add Kerberos password checking to all network services because most
of the protocols used by these services do not encrypt the password before sending it over the network.
The next section will describe how to set up a basic Kerberos server.
10.6. Configuring a Kerberos 5 Server
When you are setting up Kerberos, install the server first. If you need to set up slave servers, the details of setting up relationships between master and slave servers are covered in the Kerberos 5 Installation Guide located in the /usr/share/doc/krb5-server-version-number directory.
To configure a basic Kerberos server, follow these steps:
1. Be sure that you have clock synchronization and DNS working on your server before configuring Kerberos 5. Pay particular attention to time synchronization between the Kerberos server and its various clients. If the server and client clocks are different by more than five minutes (this default amount is configurable in Kerberos 5), Kerberos clients will not be able to authenticate to the server. This clock synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.
You should set up a Network Time Protocol (NTP) compatible client/server network, even if you are not using Kerberos. Red Hat Linux 8.0 includes the ntp package for easy installation. See http://www.eecis.udel.edu/~ntp for additional information on NTP.
2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated
machine which will run your KDC. This machine needs to be very secure — if possible, it
should not run any services other than the KDC.
If you would like to use a Graphical User Interface utility to administrate Kerberos, you should
also install the gnome-kerberos package. It contains krb5, a GUI tool for managing tickets.
3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to
reflect your realm name and domain-to-realm mappings. A simple realm can be constructed by
replacing instances of EXAMPLE.COM and example.com with your domain name — being
certain to keep uppercase and lowercase names in the correct format — and by changing the