In the last post I configured single sign-on for users against Apache Directory Server (ApacheDS). Now we configure the server to issue Kerberos tickets to users at logon. There is a corresponding video here.
In this guide I presume that you have:
- Followed my previous guide and installed ApacheDS
- Followed my previous guide and configured LDAP on ApacheDS
Let's get on with configuring the Kerberos service.
- Open Directory Studio
- Right click your connection and select ‘Open Configuration’
- Open the ‘Kerberos Server’ tab in the configuration pane
- Check the enable Kerberos Server checkbox
- Set the ‘port’ to 88 (the standard Kerberos port)
- Set the ‘Primary KDC Realm’ to your domain suffix in upper case, i.e. everything after the hostname, e.g. FUKR.ORG.UK or UBUNTU.COM; mine is just LAN. Realm names are case-sensitive, so use exactly this spelling everywhere the realm appears below
- Set the search base to the partition that you created in the previous guide. Mine, for example, is ou=potato. The KDC only looks up principals beneath this base, so the service principals and users created below must live under it
- Click ‘File’->’Save’
- Exit Directory Studio
- Restart the ApacheDS service (the init script name includes the installed version; adjust it to match yours):
sudo /etc/init.d/apacheds-2.0.0-M23-default restart
- Start Directory Studio
Now we create an organizational unit to hold our service principals.
- Open your connection
- Right click our partition and select ‘New’->’New entry’
- Select ‘Create entry from scratch’
- Click ‘Next’ then add ‘organizationalUnit’ from the list of available objectClasses
- Click ‘Next’ and in the ‘RDN’ field, select ‘ou’
- Set its value to ‘servicePrincipals’
- Click ‘Next’ then ‘Finish’
Next we create a service principal for the ticket granting service.
- Right click our new servicePrincipals ou and select ‘New’->’New entry’
- Select ‘Create entry from scratch’
- Click ‘Next’ then add the following objectClasses:
organizationalUnit
krb5KDCEntry
uidObject
- Click ‘Next’ then in the ‘RDN’ field, select ‘uid’
- Set its value to ‘krbtgt’
- Click ‘Next’ and then set the ‘krb5KeyVersionNumber’ to 1
- Set the ‘krb5PrincipalName’ to ‘krbtgt/REALM@REALM’, with your realm on both sides of the @; for my realm LAN that is ‘krbtgt/LAN@LAN’ (case is important)
- Set the ‘ou’ to TGT. The value itself does not matter to the KDC; ‘ou’ is a mandatory attribute of the organizationalUnit objectClass we used as the structural class, so it simply has to have a value
- Click ‘Finish’
- Select the newly created krbtgt entry in the DIT and right click in the blank space in the pane to the right of the DIT and select ‘New Attribute’
- Set ‘Attribute Type’ to userPassword
- Click ‘Finish’
- In the ‘Password Editor’, set a long random password; nobody ever types it, so there is no need to remember it. When you save, ApacheDS derives a set of krb5Key attributes from the password, one per enabled encryption type. These are the keys the KDC uses to encrypt ticket-granting tickets, so treat this entry as the most sensitive one in the directory
Now we need to enable Kerberos for our test user
- Navigate the DIT and click on the user we created in an earlier guide
- Right click in the blank space in the pane to the right of the DIT and select ‘New Attribute’
- Set the ‘Attribute type’ to ‘objectClass’ and then click ‘Finish’
- Add ‘krb5KDCEntry’ to the list of selected object classes
- Click ‘Next’
- Enter 1 in the ‘Integer Editor’ window for ‘krb5KeyVersionNumber’ and click ‘OK’
- Set the ‘krb5PrincipalName’ to user@REALM. In my case it is set to testuser@LAN (case is important)
- Set a new password for this user. The KDC needs krb5Key attributes derived from the password, and ApacheDS derives them when the password is set on an entry carrying the krb5KDCEntry objectClass; re-entering the existing password is fine
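The same configuration as LDIF, added here as an example rather than taken from the original post, for anyone who would rather script it than click through Directory Studio. It assumes the partition ou=potato and realm LAN from the text, that the test user from the earlier guide is uid=testuser directly under ou=potato (adjust the DN to match yours), and ApacheDS's default admin DN uid=admin,ou=system and LDAP port 10389; both passwords are placeholders to replace, the krbtgt one with a long random value.

```ldif
# Added example: kerberos.ldif, equivalent to the Directory Studio steps above.
# Assumed: partition ou=potato, realm LAN, test user uid=testuser,ou=potato.

# 1. Organizational unit to hold service principals
dn: ou=servicePrincipals,ou=potato
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: servicePrincipals

# 2. Ticket-granting service principal. Setting userPassword on an entry that
#    carries krb5KDCEntry makes ApacheDS derive the krb5Key attributes the KDC
#    uses; the password itself is never typed by anyone, so make it random.
dn: uid=krbtgt,ou=servicePrincipals,ou=potato
changetype: add
objectClass: top
objectClass: organizationalUnit
objectClass: uidObject
objectClass: krb5KDCEntry
ou: TGT
uid: krbtgt
krb5PrincipalName: krbtgt/LAN@LAN
krb5KeyVersionNumber: 1
userPassword: REPLACE-WITH-A-LONG-RANDOM-SECRET

# 3. Kerberos-enable the existing test user (DN assumed). First add the
#    objectClass and the principal attributes ...
dn: uid=testuser,ou=potato
changetype: modify
add: objectClass
objectClass: krb5KDCEntry
-
add: krb5PrincipalName
krb5PrincipalName: testuser@LAN
-
add: krb5KeyVersionNumber
krb5KeyVersionNumber: 1
-

# ... then set the password in a separate modify, mirroring the order of the
#    steps above, so key derivation sees krb5KDCEntry already on the entry.
dn: uid=testuser,ou=potato
changetype: modify
replace: userPassword
userPassword: testuser-password-placeholder
-
```

Apply it with ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f kerberos.ldif (ldapmodify honours the explicit changetype lines, so the add records work without -a). To check that the keys were actually generated, search for the principals and ask for the key attributes: ldapsearch -H ldap://localhost:10389 -D uid=admin,ou=system -W -b ou=potato "(krb5PrincipalName=*)" krb5PrincipalName krb5KeyVersionNumber krb5Key. Each principal should come back with one krb5Key value per enabled encryption type; an entry with a krb5PrincipalName but no krb5Key values will not be able to obtain tickets, and the fix is to set its password again.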
That’s it. In the next post I’ll configure Kerberos on the Ubuntu 16.04 client.