The distribution of Kerby.
mvn package -Pdist
cd kerby-dist/kdc-dist sh bin/kdcinit.sh [server-conf-dir] [keytab-dir]
The admin principal will be exported into keytab-dir/admin.keytab, it will be used by kadmin tool for the authentication.
cd kerby-dist/kdc-dist sh bin/start-kdc.sh [server-conf-dir] [work-dir]
cd kerby-dist/kdc-dist sh bin/kadmin.sh [server-conf-dir] -k [keytab]
The keytab file is created by the kdcinit. In kadmin, you can type “?” for help.
cd kerby-dist/tool-dist sh bin/kinit.sh -conf [client-conf-dir] [principal-name]
cd kerby-dist/tool-dist sh bin/klist.sh -c [credentials-cache]
If you don‘t specify [server-conf-dir] in step 2, 3 or 4, it will be set as /etc/kerby. In [server-conf-dir], there should be kdc.conf, backend.conf. And if you don’t specify [client-conf-dir] in step 5, it will be set as /etc/, there should be krb5.conf.
An example of kdc.conf:
[kdcdefaults]
kdc_host = localhost
kdc_tcp_port = 8015
kdc_udp_port = 8015
kdc_realm = EXAMPLE.COM
An example of json backend backend.conf:
kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.JsonIdentityBackend backend.json.dir = /tmp/kerby/jsonbackend
An example of zookeeper backend backend.conf:
kdc_identity_backend = org.apache.kerby.kerberos.kdc.identitybackend.ZookeeperIdentityBackend data_dir = /tmp/kerby/zookeeper/data data_log_dir = /tmp/kerby/zookeeper/datalog
An example of krb5.conf:
[libdefaults]
kdc_realm=EXAMPLE.COM
kdc_tcp_port = 8015
kdc_udp_port = 8015
openssl genrsa -out cakey.pem 2048
openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
openssl genrsa -out kdckey.pem 2048
openssl req -new -out kdc.req -key kdckey.pem
First, you will need a file named pkinit_extensions containing the following:
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
Then:
openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile pkinit_extensions -extensions kdc_cert -CAcreateserial -days 3650
Configure the following relation in the[kdcdefaults] section of the KDC’s kdc.conf file
pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
pkinit_anchors = FILE:/etc/krb5/cacert.pem
sh bin/kadmin.sh [server-conf-dir] -k [keytab] addprinc -randkey WELLKNOWN/ANONYMOUS
sh bin/kinit.sh -conf [client-conf-dir] -n
The resulting tickets will have the client name WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.
[1]http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html#creating-certificates [2]http://k5wiki.kerberos.org/wiki/Pkinit_configuration
mvn package -Pdist
cd kerby-dist/kdc-dist sh bin/kdcinit.sh [kdc-server-conf-dir] [keytab]
The admin principal will be exported into [keytab], it will be used by kadmin tool for the authentication.
cd kerby-dist/kdc-dist sh bin/start-kdc.sh [kdc-server-conf-dir] [work-dir]
cd kerby-dist/kdc-dist sh bin/admin-server.sh [admin-server-conf-dir]
An example of adminClient.conf:
[libdefaults]
default_realm = EXAMPLE.COM
admin_port = 65417
keytab_file = admin.keytab
protocol = adminprotocol
server_name = localhost
The keytab_file is the keytab file path created by the kdcinit.
cd kerby-dist/kdc-dist sh bin/remote-admin-client.sh [admin-client-conf-dir]
An example of adminServer.conf:
[libdefaults]
default_realm = EXAMPLE.COM
admin_realm = EXAMPLE.COM
admin_port = 65417
keytab_file = protocol.keytab
protocol = adminprotocol
server_name = localhost
The keytab_file is the keytab file path created by the kdcinit. The kdc-server-conf-dir, admin-client-conf-dir, admin-server-conf-dir are the same dir.