Chapter 47. Installing and Administering Kerberos

Contents

47.1. Choosing the Kerberos Realms
47.2. Setting Up the KDC Hardware
47.3. Clock Synchronization
47.4. Configuring the KDC
47.5. Manually Configuring Kerberos Clients
47.6. Configuring a Kerberos Client with YaST
47.7. Remote Kerberos Administration
47.8. Creating Kerberos Host Principals
47.9. Enabling PAM Support for Kerberos
47.10. Configuring SSH for Kerberos Authentication
47.11. Using LDAP and Kerberos

This chapter covers the installation of the MIT Kerberos implementation and some aspects of its administration. It assumes that you are familiar with the basic concepts of Kerberos (see also Chapter 46, Network Authentication—Kerberos).

47.1. Choosing the Kerberos Realms

The domain of a Kerberos installation is called a realm and is identified by a name, such as FOOBAR.COM or simply ACCOUNTING. Realm names are case-sensitive, so foobar.com is a different realm than FOOBAR.COM. You may use any case you like, but the established convention is uppercase realm names. Following it avoids a common trap: the DNS domain a realm is usually named after is case-insensitive, while the realm itself is not, so mixed-case realm names invite mismatches between what is configured on clients, in DNS, and on the KDC.

It is also a good idea to use your DNS domain name (or a subdomain, such as ACCOUNTING.FOOBAR.COM). As shown below, your life as an administrator can be much easier if you configure your Kerberos clients to locate the KDC and other Kerberos services via DNS SRV records. Those records are named after the realm, so if your realm name is your DNS domain name or a subdomain of it, they live in a zone you already control.

Unlike the DNS name space, Kerberos is not hierarchical. You cannot set up a realm named FOOBAR.COM, have two “subrealms” named DEVELOPMENT and ACCOUNTING underneath it, and expect the two subordinate realms to somehow inherit principals from FOOBAR.COM. Instead, you would have three separate realms and would have to configure cross-realm authentication for users from one realm to interact with servers or other users from another realm.

For the sake of simplicity, assume you are setting up just one realm for your entire organization. For the remainder of this section, the realm name EXAMPLE.COM is used in all examples.
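As an added example (not part of this manual and not code from MIT Kerberos), the following Python script illustrates why the realm-naming advice above matters. It mimics the suffix matching that krb5.conf documents for its [domain_realm] section to map a hostname to a realm, derives the DNS SRV names a client queries for a realm when DNS-based KDC lookup is enabled, and lints a proposed realm name. The mapping table, the hostnames, and the EXAMPLE.COM fallback are constructed sample data; the matching is a simplification of what the library does (it may, for instance, also consult DNS TXT records for the realm before falling back).

```python
"""Hostname-to-realm mapping, KDC SRV names, and a realm-name lint.

Added example with constructed data; it is not the SUSE manual's or MIT
Kerberos' own code, and it simplifies the real library behaviour.
"""

# Constructed sample table, as it would appear in krb5.conf:
#   [domain_realm]
#       .example.com = EXAMPLE.COM
#       example.com = EXAMPLE.COM
#       .acct.example.com = ACCOUNTING.EXAMPLE.COM
#       legacy-box.example.com = FOOBAR.COM
# Note that ACCOUNTING.EXAMPLE.COM is a completely separate realm from
# EXAMPLE.COM: the nested-looking name does not make it a sub-realm.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
    ".acct.example.com": "ACCOUNTING.EXAMPLE.COM",
    "legacy-box.example.com": "FOOBAR.COM",
}


def host_realm(hostname, mapping=DOMAIN_REALM, default_realm="EXAMPLE.COM"):
    """Return the realm for hostname using [domain_realm]-style matching.

    An exact hostname entry wins; otherwise the longest matching parent
    domain (entries starting with '.') is used; if nothing matches, the
    default realm is returned (simplification: the library may try DNS
    first when dns_lookup_realm is enabled). DNS names are
    case-insensitive, so the hostname is lowercased before matching; the
    realm is returned exactly as configured, because realm names are
    case-sensitive.
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Try ".b.c.d", then ".c.d", then ".d": longest suffix first.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default_realm


def kdc_srv_names(realm):
    """DNS SRV owner names a client queries for realm (dns_lookup_kdc).

    The names follow the _service._proto.REALM pattern; because the realm
    is the owner name, a realm that is your DNS domain or a subdomain of
    it can publish these records in a zone you already run.
    """
    return {
        "kdc_udp": f"_kerberos._udp.{realm}.",
        "kdc_tcp": f"_kerberos._tcp.{realm}.",
        "master_kdc": f"_kerberos-master._udp.{realm}.",
        "kadmin": f"_kerberos-adm._tcp.{realm}.",
        "kpasswd": f"_kpasswd._udp.{realm}.",
    }


def realm_name_warnings(realm, dns_domain):
    """Lint a proposed realm name against this section's advice.

    Returns a list of warning strings; an empty list means no objection.
    """
    warnings = []
    if realm != realm.upper():
        warnings.append(
            f"realm {realm!r} is not uppercase; {realm.upper()!r} would be "
            "a different realm, and uppercase is the convention")
    r, d = realm.lower(), dns_domain.lower().rstrip(".")
    if not (r == d or r.endswith("." + d)):
        warnings.append(
            f"realm {realm!r} is neither {dns_domain!r} nor a subdomain of "
            "it, so DNS-based KDC lookup needs SRV records in another zone")
    return warnings


if __name__ == "__main__":
    for host in ("www.example.com", "ledger.acct.example.com",
                 "legacy-box.example.com", "host.other.org"):
        print(f"{host:26} -> {host_realm(host)}")
    for name in kdc_srv_names("EXAMPLE.COM").values():
        print("client would query SRV", name)
    for w in realm_name_warnings("Accounting", "example.com"):
        print("warning:", w)
```

Run it as-is to see the mapping for the constructed hosts; change DOMAIN_REALM to mirror your own [domain_realm] section to check which realm a given service principal would be looked up in before you touch a KDC.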