welcome: please sign in

The following 352 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
able   about   above   access   account   action   add   adding   addprinc   Admin   admin   Administration   administration   administrative   administrators   admins   after   against   aklog   all   All   allow   allowing   already   also   Although   an   An   and   any   anyway   are   as   As   asks   assign   assorted   at   attention   authenticate   authentication   automated   automatic   automatically   be   bonus   breaks   but   by   cache   called   can   cannot   cases   Category   Center   change   changes   Changing   changing   chmod   chown   cleanly   comes   command   commands   components   confusions   connect   contains   control   convention   couple   course   create   created   createuser   Creating   creating   Creation   credentials   Cs   daemon   daemons   database   desirable   directories   displeases   Distribution   do   doing   domtool   done   Ds   each   Each   else   ensuring   entries   etc   even   Everything   example   examples   except   exist   expected   explicitly   export   exported   fact   file   files   filesystem   finds   first   fits   follow   following   for   found   from   generally   good   group   has   how   However   if   If   impersonate   Important   impractical   In   in   include   incorrect   infrastructure   init   instance   instead   interactive   interface   into   Invoke   invoke   is   issue   it   It   its   Jan   just   k5start   kadmin   Kadmin   kadmind   Kerberos   Key   key   keys   keytab   keytabs   kinit   kinits   klist   Krb   ktadd   legitimate   like   Linux   local   login   logins   logs   long   lost   ls   maches   machine   machines   make   makes   management   mandated   manual   Many   master   may   maybe   meaningfullity   means   members   might   mutual   name   named   need   needed   Needs   networks   news   next   no   normal   not   obtain   of   omit   on   One   one   only   Open   options   or   order   other   others   Our   our   output   over   parameter   party   pass   password   Passwords   passwords   performs   periods   points   policy   principal   principals   privileges   properly   protected   protocol   providing   Providing   pts   public   ran   randkey   re   read   readable   rearranged   reducing   remote   request   requests   requires   reset   root   run   running   runs   saved   script   scripts   section   sense   separately   server   service   services   shell   should   simple   since   slaves   smooth   So   so   some   Sometimes   source   speaking   special   specific   specifies   standard   starting   statistics   stored   Strictly   such   sudo   supplying   support   system   System   talks   target   than   that   The   the   them   There   there   these   they   third   this   This   ticket   time   to   To   token   trusted   two   Unix   untrusted   up   update   use   Use   user   User   username   users   usual   variants   various   verified   version   very   view   want   was   way   We   we   what   wheel   where   which   who   will   with   without   word   Work   work   would   write   You   you  

Clear message


Use of Kerberos is mandated by the use of AFS.

Kerberos is an authentication protocol allowing mutual authentication in and over untrusted networks, by use of the trusted third party. Each Kerberos server runs one or two components: the KDC (Key Distribution Center) and kadmind (Admin server). KDC is what performs authentication; Kadmin is the "management interface" for the Kerberos principals database.

Kerberos is very simple and fits cleanly in the infrastructure. User's passwords (be it interactive or from keytab files) are verified against KDCs. Everything else is automatic and requires no attention, except maybe for the fact that Kerberos support in OpenSSH breaks public key logins, which displeases some members. (In Jan 2010, machines are rearranged to allow one to be "standard Linux" login machine, with Unix passwords, SSH keys and local filesystem.)

1. The kadmin shell

All Kerberos administration commands are run from a special shell, called Kadmin. There are two variants of Kadmin. Kadmin is the usual, remote version of the command which can be run on any machine and requires username and password to connect to the Kerberos admin server. Kadmin.local is the "local" version which can only be ran on the Kerberos KDC machines. (Although it only makes sense running it on Kerberos master server, as any database changes on the slaves will be lost on next update from the master server).

Invoke kadmin.local as sudo kadmin.local -p YOURUSERNAME_admin. It is good to include "-p YOURUSERNAME_admin", or kadmin will "authenticate" as the first user it finds in the ticket cache, which may or may not be the username you expected. All the administrative commands would work anyway (since you ran kadmin.local), but an incorrect principal name would make various statistics incorrect (like name of principal who was adding/changing entries in the DB), reducing logs "meaningfullity". (I want bonus points for this word).

To invoke kadmin, use kadmin -p YOURUSERNAME_admin. In normal course of action, kadmin asks for a password.

Providing a password is impractical for automated scripts. As usual, instead of a password, you can also pass a keytab file. Our keytabs are saved in /etc/keytabs/ on each system, and they are readable by group 'wheel'. So administrators should be able to invoke 'kadmin' (use control shell) or kinit/k5start (impersonate any user) by supplying target user's key from a keytab, such as kadmin -p domtool -k -t /etc/keytabs/domtool.

However, domtool and a couple other keytabs are special cases. One can only obtain the user's $USER.daemon token, which has access to assorted user's read and write directories. There is no way to authenticate as $USER by means other than providing a password. (Strictly speaking, Krb/AFS admins can do it, but others cannot, not even from the Unix root account).

2. Creating users

This section talks about creating PTS entries for system services. (Creation of user entries is done automatically by create-user script and no manual work is needed).

We follow the convention that Kerberos users for daemons are named $DAEMON, where $DAEMON is the name of the daemon (for instance, the name of system user it runs as, or the name of its /etc/init.d file).

To add the Kerberos principal for a daemon, run this in kadmin:

addprinc -randkey -policy service $DAEMON

AFS users exist separately from Kerberos principals. To add the AFS user for a daemon to which you want to assign UID $UID, run:

pts createuser $DAEMON

. It is very good if the UID maches the Unix ID, so that there are no confusions in ls or any other output with user IDs.

"keytab" files smooth the way to running daemons that run with AFS privileges. An access-protected local file contains a user's credentials, and daemons read these files on starting up in order to authenticate.

To create a keytab for a daemon, run this in kadmin:

ktadd -k /etc/keytabs/$DAEMON $DAEMON
chown $DAEMON:wheel /etc/keytabs/$DAEMON
chmod 440 /etc/keytabs/$DAEMON

In the example above, only one key (of 4 or 5 created) is exported for a user. Sometimes it might be desirable to only export a specific key into a keytab file, but we generally just omit the -e KEY_TYPE parameter and export all keys to the keytab file.

You can view keys stored in a keytab by doing sudo klist -k /etc/keytabs/KEYTAB_FILE.

To make daemons properly kinit/aklog as the user you created for them, use k5start command. Many examples of how to use it are already found in our /etc/init.d/ scripts. Important options include -U (which kinits as the first principal found in the keytab file, without the need to explicitly name a principal), -f (which specifies the keytab file to kinit from), and -K MINUTES (which re-news the ticket after MINUTES, so that daemons can run for long periods of time).

3. Changing Passwords

If a user requests a password reset the following should be done after ensuring the request comes from a legitimate source.

Invoke kadmin and at the shell issue:

change_password $USER

CategorySystemAdministration CategoryNeedsWork

MitKerberos (last edited 2018-04-22 06:26:18 by ClintonEbadi)