How to Build an Ubuntu 11.10 SBS (Small Business Server)

Part 4: Kerberos

It’s time to install and configure Kerberos.

sudo apt-get install krb5-kdc krb5-admin-server

The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool:

sudo krb5_newrealm

There will be a slight delay whilst the server gathers enough random data to continue. You will then be asked to enter a master key for Kerberos; make sure you use something secure and memorable.

To configure Kerberos for NFS later, we’ll need to create an admin user.

sudo kadmin.local

The following output should be observed:

Authenticating as principal root/admin@DANBISHOP.ORG with password.
kadmin.local: 

Enter the following:

addprinc dan/admin

Enter a password when prompted, then quit:

WARNING: no policy specified for dan/admin@DANBISHOP.ORG; defaulting to no policy
Enter password for principal "dan/admin@DANBISHOP.ORG": 
Re-enter password for principal "dan/admin@DANBISHOP.ORG": 
Principal "dan/admin@DANBISHOP.ORG" created.
kadmin.local: quit

We need to give dan/admin admin privileges by editing the access control list for Kerberos (/etc/krb5kdc/kadm5.acl). This file should contain the following:

# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *

Note that the last line has been uncommented so that all /admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it:

sudo service krb5-admin-server restart

Now we can test everything has worked with:

kinit dan/admin

Enter the password you set when requested then run klist:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan/admin@DANBISHOP.ORG

Valid starting     Expires            Service principal
02/05/11 19:57:24  02/06/11 05:57:24  krbtgt/DANBISHOP.ORG@DANBISHOP.ORG
	renew until 02/06/11 19:57:21

If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm 🙂

To ensure that all services that might want to use your Kerberos realm in the future (Samba for Windows clients in particular) can do so, you should add your realm information to /etc/krb5.conf like so:

[libdefaults]
	default_realm = DANBISHOP.ORG

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	allow_weak_crypto = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
        DANBISHOP.ORG = {
                kdc = neo.danbishop.org
                admin_server = neo.danbishop.org
                master_kdc = neo.danbishop.org
                default_domain = danbishop.org
        }

Finally, we can enable Kerberos authentication for logging in to the server.

sudo apt-get install libpam-krb5
sudo pam-auth-update

Check that Kerberos and LDAP are selected as authentication methods so that users can log in to the server locally or via SSH.
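The steps above touch three things that are easy to get subtly wrong: the kadmin ACL, the [libdefaults] section of krb5.conf, and the ticket cache that klist shows. The script below is an added example (not part of the original guide) that checks each of them from copies of the files, so it can be run without a live KDC. It assumes the file paths are passed as arguments, constructs sample kadm5.acl, krb5.conf and klist output mirroring the guide's values, and also flags two things a practitioner would want to know about: an ACL rule of "* *" (which would grant admin rights to every principal, broader than the "*/admin *" rule the guide uses) and allow_weak_crypto = true (which re-enables the single-DES encryption types).

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity checks for the
# kadmin ACL, krb5.conf and the ticket cache. Every check takes a file path (or
# reads stdin), so it can be pointed at copies of the real files. The sample
# files created below are constructed to mirror the guide's configuration.

# 0 if the ACL file has an active (uncommented) "*/admin *" rule, i.e. every
# principal with instance "admin" gets full administrative rights.
acl_grants_admin() {
    grep -Eq '^[[:space:]]*\*/admin[[:space:]]+\*([[:space:]]|$)' "$1"
}

# 0 if the ACL file has a rule giving full rights to every principal ("* *"),
# which is broader than the guide intends and worth flagging.
acl_too_broad() {
    grep -Eq '^[[:space:]]*\*[[:space:]]+\*([[:space:]]|$)' "$1"
}

# Print the value of the first "key = value" line for key $2 in krb5.conf $1.
krb5_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# 0 if allow_weak_crypto is switched on (single-DES enctypes re-enabled).
weak_crypto_enabled() {
    [ "$(krb5_value "$1" allow_weak_crypto)" = "true" ]
}

# 0 if klist output on stdin contains a TGT for realm $1 (krbtgt/REALM@REALM).
has_tgt() {
    grep -q "krbtgt/$1@$1"
}

# --- constructed sample files mirroring the guide's configuration -----------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/kadm5.acl" <<'EOF'
# This file Is the access control list for krb5 administration.
*/admin *
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DANBISHOP.ORG
    allow_weak_crypto = true
EOF
cat > "$SAMPLE_DIR/klist.out" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan/admin@DANBISHOP.ORG

Valid starting     Expires            Service principal
02/05/11 19:57:24  02/06/11 05:57:24  krbtgt/DANBISHOP.ORG@DANBISHOP.ORG
EOF

# Run all checks against ACL $1, krb5.conf $2 and saved klist output $3.
# Returns 0 when the ACL and ticket cache look right; weak crypto only warns.
# Against the live system you would run, for example:
#   klist > /tmp/klist.out
#   check_all /etc/krb5kdc/kadm5.acl /etc/krb5.conf /tmp/klist.out
check_all() {
    acl="$1"; conf="$2"; klist_out="$3"
    realm=$(krb5_value "$conf" default_realm)
    status=0
    acl_grants_admin "$acl" && echo "ok: */admin principals have admin rights" \
        || { echo "FAIL: no active '*/admin *' rule in $acl"; status=1; }
    acl_too_broad "$acl" && { echo "WARN: '* *' rule grants admin to everyone"; status=1; }
    has_tgt "$realm" < "$klist_out" && echo "ok: TGT for $realm present" \
        || { echo "FAIL: no krbtgt/$realm ticket in $klist_out"; status=1; }
    weak_crypto_enabled "$conf" && echo "WARN: allow_weak_crypto = true (DES enctypes enabled)"
    return $status
}

check_all "$SAMPLE_DIR/kadm5.acl" "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/klist.out"
```

Against the sample files the ACL and TGT checks pass and the script warns about allow_weak_crypto; the same functions work on the real /etc/krb5kdc/kadm5.acl and /etc/krb5.conf once the guide's steps have been completed.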

  • shane piper

    Hi Dan, I have been following your blog on setting up an SBS so far so good apart from when I get to the part for adding an ldap group.

    sudo ldapaddgroup domainadmins

    I get an error: Error adding group domainadmins to LDAP

    I have read in a previous blog about the ldap.secret password having to be 1 more than the password length but not having much joy.

    The ldapscripts log talks about the credentials not being correct (49).

    I have installed phpldapadmin as well to see if I can add the groups and users there but it doesn’t add a GID to the group.

    Any ideas?

  • shane piper

    I also added the ldap password to /etc/pam_ldap.secret and fixed the error I had above.

    Regards,

    Shane

  • shane piper

    Dan,

    Sorry to be a pain, but now that I have set up the client machine when I go to login with an ldap user, I get the message ‘Could not update ICEauthority file /home/spiper/.ICEauthority’

    When I look at the home folder on the server there is no ICEauthority file.

  • jim smith

    Dan (or anyone reading this page), if you could help me on this that would be great… I run the command

    “sudo ldapaddgroup domainadmins”

    I receive an output of “Could not guess current user”

    having a look round it seems the error is related to the $USER variable not being defined. But other than that I have no idea how to debug and fix this.

  • Myself

    I’ve installed LDAP and Kerberos, but how the two work together is a complete puzzle. Can you elaborate a bit on the roles of each one?

  • Daiko Dauda

    Hi Dan

    Thanks for an excellent set of steps described above.
    I do have one query… everything works, no problems, but I struggle to add normal users, and am I able to create e.g. print admin, etc. (other like groups) with specific permissions?

    Thanks again

    Daiko

    NB: can add-users but cannot generate passwords am I missing the point here?

    • Dan Bishop

      To generate passwords, you just create a new kerberos principal with the same name as the username… 🙂

  • Dan,

    This is a great idea, but rather than make the same mistake microsoft made with SBS, why not use Linux Containers or KVM and modularize the single physical box design so as to make the system more scalable and easier to migrate to new hardware?

    Even back in my Windows consulting days, I found that installing SBS on top of ESXi often saved clients money in the long term.

    –Sam

    • Dan Bishop

      Hi Sam,

      I am hoping to look at KVM when I get a bit more time. Maybe even making some preconfigured images with a script to modify the configuration for a custom domain… 🙂

      Dan