Configuring the Kerberos Environment
Configuration Files for Kerberos Clients

krb5.conf

The krb5.conf file specifies the defaults for the REALM and Kerberos
applications, mappings of the hostnames onto Kerberos REALMs, and the
location of KDCs for Kerberos REALMs. Application clients depend on the
configuration file /etc/krb5.conf to locate the REALM's KDC.

The [libdefaults] section of the krb5.conf file specifies various
parameters for the Kerberos library. For the klist utility to work with
PAM Kerberos, this section must include "ccache_type = 2".

    [libdefaults]
        default_realm = KDC.SUBDOMAIN.DOMAIN.COM
        default_tkt_enctypes =
        default_tgs_enctypes =
        ccache_type = 2

The [realms] section of the krb5.conf file specifies the KDC server and
the Kerberos admin server, kadmind, which manages the administration
interface to the KDC.

The default ports used by Kerberos are port 88 for the KDC, port 749 for
the kadmin service, and port 751 for kpasswd. You can optionally run the
services on other ports, as long as the ports are specified in each
host's /etc/services and in the krb5.conf files.

    [realms]
        KDC.SUBDOMAIN.DOMAIN.COM = {
            kdc = hostname.subdomain.domain.com:88
            admin_server = hostname.subdomain.domain.com:749
        }

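An added example, not part of the original manual: a small Python check of a krb5.conf against the settings described above (ccache_type = 2, a [realms] entry for the default realm, a kdc and admin_server for each realm, and the default ports 88 and 749). The function names and the sample input are constructed for illustration, and the parser handles only the subset of krb5.conf syntax shown on this page.

```python
import re

DEFAULT_PORTS = {"kdc": 88, "admin_server": 749}  # defaults stated on this page

def parse_krb5_conf(text):
    """Parse sections and realm blocks; every value is stored in a list."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
            conf.setdefault(section, {})
        elif line == "}":                     # end of a realm block
            realm = None
        elif "=" in line and section:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":                  # start of a realm block
                realm = key
                conf[section][realm] = {}
            else:
                scope = conf[section][realm] if realm else conf[section]
                scope.setdefault(key, []).append(value)
    return conf

def lint(text):
    """Return findings for the krb5.conf settings this page calls out."""
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    if lib.get("ccache_type") != ["2"]:
        findings.append("libdefaults: ccache_type = 2 is not set")
    if lib.get("default_realm", [None])[-1] not in realms:
        findings.append("libdefaults: default_realm has no [realms] entry")
    for name, entry in realms.items():
        for key, port in DEFAULT_PORTS.items():
            if key not in entry:
                findings.append(f"{name}: no {key} defined")
            for host in entry.get(key, []):
                if ":" in host and host.rsplit(":", 1)[1] != str(port):
                    findings.append(f"{name}: {key} {host} off port {port}, check /etc/services")
    return findings

SAMPLE = """[libdefaults]
default_realm = KDC1.SUBDOMAIN.DOMAIN.COM
[realms]
KDC2.SUBDOMAIN.DOMAIN.COM = {
admin_server = hostname2.subdomain.domain.com:7490
}
"""  # constructed input with deliberate mistakes, not taken from the page
```

Calling lint(SAMPLE) returns one finding per problem; an empty list means the file matches the settings described on this page.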
To configure for multiple Kerberos REALMs, list them in the order of
priority, as in the following example:

    [libdefaults]
        default_realm = KDC1.SUBDOMAIN.DOMAIN.COM
        default_tkt_enctypes =
        default_tgs_enctypes =
        ccache_type = 2
    [realms]
        KDC1.SUBDOMAIN.DOMAIN.COM = {
            kdc = hostname1.subdomain.domain.com:88
            admin_server = hostname1.subdomain.domain.com:749
        }
        KDC2.SUBDOMAIN.DOMAIN.COM = {
            kdc = hostname2.subdomain.domain.com:88
            admin_server = hostname2.subdomain.domain.com:749