Kerberos initialisation error

cov · 02-20-2008, 05:19 PM

I am having a great deal of difficulty getting an authentication scheme working for squid.

It seems that Kerberos is necessary to get this off the ground but the /etc/krb5.conf file generates the following error:
"Improper format of Kerberos configuration file while initializing context, aborting"

I have tried editing this file in the following manner:

============================================================================

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = REALM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
IQETD.LAN = {
kdc = iqBase.iqetd.lan:88
admin_server = iqBase.iqetd.lan:749
default_domain = iqBase.iqetd.lan
}
[domain_realm]
.iqetd.lan = IQETD.LAN
iqetd.lan = IQETD.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

=================================================================================

I have removed a little rant about obfuscated conf files because it serves no purpose, but, honestly, surely this deserves a prize as one of the most obscure configuration formats?

The error message is also completely uninformative; I'm assuming that the /etc/krb5.conf file is at fault?

Any assistance welcome.

cov · 02-21-2008, 06:11 AM

Okay, /etc/krb5kdc/kdc.conf had to be edited as below:

Code:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
IQETD.LAN = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:norma$
        default_principal_flags = +preauth
    }

Also I had to run "krb5_newrealm" to initialise the KDC database.

This give the following useful tips:

Quote:

# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm. It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash. You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered. However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'IQETD.LAN',
master key name 'K/M@IQETD.LAN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers. Kerberos admin
principals usually belong to a single user and end in /admin. For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers. Doing so is documented in the administration
guide.

cov · 02-21-2008, 06:58 AM

Don't let anyone tell you that configuring Kerberos is straightforward.

I'm using http://www.ornl.gov/~jar/HowToKerb.html, but it throws up more questions than it actually answers, it gives incorrect syntax and glosses over crucial configuration requirements with barely a mention. (I suspect it is some years out of date).

If anyone knows of a reasonably straightforward walkthrough on installing this complete mess, please post it.

cov · 02-26-2008, 01:43 AM

Oh, I get it!

The entire Kerberos project had been concocted in a pub by a group of BOFH looking for a few cheap laughs watching would-be users floundering in a sea of disjointed and obfuscated TLAs (three lettered acronyms). Very amusing.

This project is a wind-up, isn't it?