Gentoo Kerberos5 HOWTO

Date: 07 October 2005

Install Kerberos 5

Add kerberos to the USE flag in /etc/make.conf.


Then install everything:

emerge -N world

– Or –

emerge mit-krb5

This installs the MIT Kerberos 5 library, which may be subject to US export restrictions. The Heimdal Kerberos 5 implementation is free of those restrictions. To install Heimdal instead:

emerge app-crypt/heimdal

Because the Kerberos install changes libgssapi, you will need to run revdep-rebuild to fix any apps you built before installing krb5. Note: if you install Heimdal, you may need to rebuild OpenSSH to enable krb5 support.

Configure Kerberos

Updated 2010-09-26: I just realized that I never put in the example configs. Oops. Sorry about that.

Edit /etc/krb5.conf

sample krb5.conf here

Edit /etc/kdc.conf

sample kdc.conf here

Initialize the Database

mkdir /etc/krb5kdc
kdb5_util create -r REALM -s

You will be prompted for the master password. It is stored as the principal K/M@REALM.

Add Administrators

Now we need to add admin users to /etc/krb5kdc/kadm5.acl.

sample kadm5.acl here

bash# kadmin.local
kadmin.local: addprinc admin/admin@REALM
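The configure and initialize steps above reference sample config files. The script below is an added example, not the HOWTO's own files: it writes a minimal krb5.conf, kdc.conf and kadm5.acl for a placeholder realm and can check which principals the ACL grants full rights to. REALM, KDC_HOST, the ETC prefix and the /etc/krb5kdc file locations are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example, not from the HOWTO: writes the three files the HOWTO leaves as
# "sample ... here". REALM, KDC_HOST and ETC are placeholders (assumptions).
REALM="${REALM:-EXAMPLE.COM}"
KDC_HOST="${KDC_HOST:-kdc.example.com}"
ETC="${ETC:-/etc}"        # point at a scratch dir for a dry run

write_krb5_conf() {   # $1 = path; DNS domain is the lowercase realm
  domain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
  cat > "$1" <<EOF
[libdefaults]
    default_realm = $REALM
[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
    }
[domain_realm]
    .$domain = $REALM
    $domain = $REALM
EOF
}

write_kdc_conf() {    # $1 = path; KDC files under $ETC/krb5kdc, as the HOWTO's mkdir implies (assumption)
  cat > "$1" <<EOF
[kdcdefaults]
    kdc_ports = 88
[realms]
    $REALM = {
        database_name = $ETC/krb5kdc/principal
        acl_file = $ETC/krb5kdc/kadm5.acl
        key_stash_file = $ETC/krb5kdc/.k5.$REALM
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
EOF
}

write_kadm5_acl() {   # $1 = path; only the admin instance from the HOWTO gets full rights
  printf 'admin/admin@%s *\n' "$REALM" > "$1"
}

acl_allows() {        # $1 = acl path, $2 = principal; returns 0 if it has full (*) rights
  grep -q "^$2 \*\$" "$1"
}

write_all() {         # creates $ETC/krb5.conf, $ETC/kdc.conf, $ETC/krb5kdc/kadm5.acl
  mkdir -p "$ETC/krb5kdc"
  write_krb5_conf "$ETC/krb5.conf"
  write_kdc_conf "$ETC/kdc.conf"
  write_kadm5_acl "$ETC/krb5kdc/kadm5.acl"
}
```

Run it with ETC set to a scratch directory first, inspect the output, then run kdb5_util create -r REALM -s and the kadmin.local step from the HOWTO once the files are in place.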

Skip keytab

Starting the Servers

/etc/init.d/mit-krb5kadmind start
/etc/init.d/mit-krb5kdc start

It can sometimes take a while to start kadmind. Be patient.

Setup PAM

PAM is used by many services to authenticate. It would be very convenient if it talked to the KDC too. So, let’s enable Kerberos in PAM. Note: According to the pam_krb5 docs, it only works with MIT Kerberos 5.

emerge pam_krb5

Now edit /etc/pam.d/system-auth

auth       required
auth       sufficient likeauth nullok
auth       sufficient try_first_pass
auth       required

account    required
account    required

password   required retry=3
password   sufficient use_authtok
password   sufficient nullok md5 shadow use_authtok
password   required

session    required
session    required
session    required