Install
1. OS (AMI Linux 2)
$ cat /etc/system-release
Amazon Linux release 2 (Karoo)
2. Installed Packages
$ sudo yum list installed | grep krb
krb5-devel.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
krb5-libs.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
krb5-server.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
krb5-workstation.x86_64 1.15.1-19.amzn2.0.3 @amzn2-core
pam_krb5.x86_64 2.4.8-6.amzn2.0.2 @amzn2-core
$ sudo yum list installed | grep ntp
fontpackages-filesystem.noarch 1.44-8.amzn2 @amzn2-core
Reference
Settings
Summary
1. EC2 (2 instances) - master, slave (HA)
2. DNS (Route 53, abcdef.com for sample)
- kdc.abcdef.com
- kdc2.abcdef.com
Configuration
1. /etc/krb5.conf configuration
- the realm name must be written in upper case
$ cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
# NOTE(review): the daemons do not appear to create /var/log/kerberos
# themselves — confirm the directory exists before the first start.
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
[libdefaults]
# Realm names are case-sensitive and conventionally upper case.
default_realm = ABCDEF.COM
# Realm and KDC discovery is pinned to the [realms] section below instead
# of DNS SRV/TXT lookups, so a spoofed DNS answer cannot steer clients to
# a rogue KDC.
dns_lookup_realm = false
dns_lookup_kdc = false
# Do not canonicalize service host names through reverse DNS; PTR records
# are outside the client's control.
rdns = false
# Requested lifetimes only. The KDC enforces its own max_life /
# max_renewable_life from kdc.conf (9h / 7d here), so the effective
# ticket lifetime is 9h, not 24h.
ticket_lifetime = 24h
renew_lifetime = 7d
# Tickets are forwardable by default (credential delegation). Set to false
# if delegation is not needed in this environment.
forwardable = true
[realms]
ABCDEF.COM = {
kdc = kdc.abcdef.com:88
kdc = kdc2.abcdef.com:88
# Only the master is listed as admin server; the propagated slave
# presumably serves tickets only.
admin_server = kdc.abcdef.com:749
# Lists are in preference order (AES first). The trailing entries —
# des3-cbc-sha1, arcfour-hmac-md5 and the single-DES types — are deprecated
# (RFC 6649 / RFC 8429) and single DES is removed from MIT krb5 1.18+.
# Keeping them, especially in permitted_enctypes, allows a peer to
# negotiate a weak session key; trim to the aes* entries unless a legacy
# service demonstrably needs more.
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4
}
[domain_realm]
# Host-to-realm mappings. With the examples left commented out and
# dns_lookup_realm off, hosts presumably fall back to default_realm;
# add ".abcdef.com = ABCDEF.COM" if that fallback turns out not to apply.
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
2. /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
# Listen on the standard Kerberos port for both UDP and TCP.
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
ABCDEF.COM = {
kadmind_port = 749
# Hard upper bounds enforced by the KDC; these override the larger
# ticket_lifetime requested in /etc/krb5.conf.
max_life = 9h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# The master key encrypts every principal key in the database and is
# stored in clear in key_stash_file. des3-hmac-sha1 is deprecated
# (RFC 8429); aes256-cts-hmac-sha1-96 is the current recommendation.
# Changing this after `kdb5_util create` requires a master-key rollover
# (kdb5_util add_mkey / use_mkey / update_princ_encryption), not just an
# edit here.
master_key_type = des3-hmac-sha1
# Key types generated for every new principal (":normal" salt).
# des3-cbc-sha1 and arcfour-hmac-md5 are deprecated (RFC 8429); each
# extra key type is another key that must be protected and that a peer
# may negotiate down to. Keep only the aes* entries unless a legacy client
# demonstrably needs more.
supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal
database_name = /var/kerberos/krb5kdc/principal
# Keytab kadmind uses for its own service principals.
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# kadmin privilege grants (see step 3).
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Password dictionary; only enforced for principals whose policy enables
# dictionary checks — presumably unused here, no policy is defined.
dict_file = /var/kerberos/krb5kdc/kadm5.dict
# Created by `kdb5_util create -s` (step 4); holds the master key in clear
# so the KDC can start unattended. Keep it root-only (0600) and out of any
# backup that is not itself encrypted.
key_stash_file = /var/kerberos/krb5kdc/.k5.ABCDEF.COM
}
3. /var/kerberos/krb5kdc/kadm5.acl
# Any principal whose instance is "admin" (e.g. account/admin@ABCDEF.COM
# from step 5) receives every kadmin privilege ("*"). Narrow the principal
# pattern or the privilege letters if finer-grained delegation is needed.
*/admin@ABCDEF.COM *
4. Create KDC database
kdb5_util create -r ABCDEF.COM -s
5. Create KDC admin
# kadmin.local
kadmin.local: addprinc account/admin@ABCDEF.COM
NOTICE: no policy specified for "admin/admin@ABCDEF.COM";
assigning "default".
Enter password for principal admin/admin@ABCDEF.COM: (Enter a password.)
Re-enter password for principal admin/admin@ABCDEF.COM: (Type it again.)
Principal "admin/admin@ABCDEF.COM" created.
kadmin.local:
6. KDC database Backup & Restore
Create the script below, run it from crontab, and it propagates the database to the slave server
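#!/bin/bash
# Dump the KDC database on the master and push it to the slave KDC with
# kprop. Intended to run from root's crontab (step 6).
#
# Assumptions not visible here — confirm on the hosts:
#   - kpropd is running on the slave and its ACL admits the master's
#     host principal
#   - the master's /etc/krb5.keytab holds that host principal, which kprop
#     uses to authenticate the transfer
set -euo pipefail

readonly dump_file=/var/kerberos/slave_datatrans
readonly slave_host=mgmt-krb-kdc02.abcdef.com

# The dump holds every principal's keys (encrypted under the master key);
# never let it be created group/world readable, whatever umask cron
# inherited.
umask 077

# A failed dump must not be propagated: without set -e the kprop line
# below would still ship whatever stale or partial file is on disk.
/usr/sbin/kdb5_util dump "${dump_file}"

# Only stdout is silenced; kprop's errors still reach stderr (and cron's
# mail), and a non-zero exit aborts the script under set -e.
/usr/sbin/kprop -f "${dump_file}" "${slave_host}" > /dev/null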
- FYI, the slave host name is defined in /etc/hosts
% cat /etc/hosts
...
10.100.125.156 mgmt-krb-kdc02.abcdef.com mgmt-krb-kdc02
7. Daemon start & enable
systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service