The distribution of Kerby.
mvn package -Pdist
cd kerby-dist/kdc-dist sh bin/kdcinit.sh [server-conf-dir] [keytab-dir]
The admin principal will be exported into keytab-dir/admin.keytab, it will be used by kadmin tool for the authentication.
cd kerby-dist/kdc-dist sh bin/start-kdc.sh [server-conf-dir] [work-dir]
cd kerby-dist/kdc-dist sh bin/kadmin.sh [server-conf-dir] -k [keytab]
The keytab file is created by the kdcinit. In kadmin, you can type “?” for help.
cd kerby-dist/tool-dist sh bin/kinit.sh -conf [client-conf-dir] [principal-name]
cd kerby-dist/tool-dist sh bin/klist.sh -c [credentials-cache]
If you don‘t specify [server-conf-dir] in step 2, 3 or 4, it will be set as /etc/kerby. In [server-conf-dir], there should be kdc.conf, backend.conf. And if you don’t specify [client-conf-dir] in step 5, it will be set as /etc/, there should be krb5.conf.
An example of kdc.conf:
[kdcdefaults] kdc_host = localhost kdc_tcp_port = 8015 kdc_udp_port = 8015 kdc_realm = EXAMPLE.COM
An example of json backend backend.conf:
kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.JsonIdentityBackend backend.json.dir = /tmp/kerby/jsonbackend
An example of zookeeper backend backend.conf:
kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.ZookeeperIdentityBackend data_dir = /tmp/kerby/zookeeper/data data_log_dir = /tmp/kerby/zookeeper/datalog
An example of krb5.conf:
[libdefaults] kdc_realm=EXAMPLE.COM kdc_tcp_port = 8015 kdc_udp_port = 8015
openssl genrsa -out cakey.pem 2048
openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
openssl genrsa -out kdckey.pem 2048
openssl req -new -out kdc.req -key kdckey.pem
First, you will need a file named pkinit_extensions containing the following:
[kdc_cert] basicConstraints=CA:FALSE keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement extendedKeyUsage=1.3.6.1.5.2.3.5 subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer issuerAltName=issuer:copy subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name [kdc_princ_name] realm=EXP:0,GeneralString:${ENV::REALM} principal_name=EXP:1,SEQUENCE:kdc_principal_seq [kdc_principal_seq] name_type=EXP:0,INTEGER:1 name_string=EXP:1,SEQUENCE:kdc_principals [kdc_principals] princ1=GeneralString:krbtgt princ2=GeneralString:${ENV::REALM}
Then:
openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile pkinit_extensions -extensions kdc_cert -CAcreateserial -days 3650
Configure the following relation in the[kdcdefaults] section of the KDC’s kdc.conf file
pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/etc/krb5/cacert.pem
sh bin/kadmin.sh [server-conf-dir] -k [keytab] addprinc -randkey WELLKNOWN/ANONYMOUS
sh bin/kinit.sh -conf [client-conf-dir] -n
The resulting tickets will have the client name WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.
[1]http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html#creating-certificates [2]http://k5wiki.kerberos.org/wiki/Pkinit_configuration
mvn package -Pdist
cd kerby-dist/kdc-dist sh bin/kdcinit.sh [kdc-server-conf-dir] [keytab]
The admin principal will be exported into [keytab], it will be used by kadmin tool for the authentication.
cd kerby-dist/kdc-dist sh bin/start-kdc.sh [kdc-server-conf-dir] [work-dir]
cd kerby-dist/kdc-dist sh bin/admin-server.sh [admin-server-conf-dir]
An example of adminClient.conf:
[libdefaults] default_realm = EXAMPLE.COM admin_port = 65417 keytab_file = admin.keytab protocol = adminprotocol server_name = localhost
The keytab_file is the keytab file path created by the kdcinit.
cd kerby-dist/kdc-dist sh bin/remote-admin-client.sh [admin-client-conf-dir]
An example of adminServer.conf:
[libdefaults] default_realm = EXAMPLE.COM admin_realm = EXAMPLE.COM admin_port = 65417 keytab_file = protocol.keytab protocol = adminprotocol server_name = localhost
The keytab_file is the keytab file path created by the kdcinit. The kdc-server-conf-dir, admin-client-conf-dir, admin-server-conf-dir are the same dir.