aims2 & Kerberos 5
Introduction
This recipe shows how to configure the aims2 server for Kerberos authentication. Many thanks to Bernard Antoine for providing the foundations of this recipe. Throughout this recipe we use lxsoft01 as the example host when demonstrating commands.
Creating a principal & obtaining a keytab file
First, log in to lxsoft01 as root.
You'll need to make sure you have valid Kerberos credentials for yourself, so first run:
kinit
Without them, you would see something like:
arc: cannot authenticate to server afsdb1: You have no tickets cached
Now that you have Kerberos credentials, we can start talking to the KDC. We want to create a new principal for our aims2 service and download a keytab for this new principal. For the moment, we'll place this keytab in /tmp/ so that we can test it.
arc -h afsdb1 kas ext aims2/lxsoft01.cern.ch > /tmp/tmp_lxsoft01_kt
Testing your new keytab file
We can run some quick, lightweight tests on the keytab. First, start a new Kerberos context with:
/usr/bin/pagsh.krb
and then set the Kerberos 5 credential cache variable:
export KRB5CCNAME=FILE:/tmp/tmp_lxsoft01_kt
If you have a valid reason to support Kerberos 4, you can also issue the following, but avoid it if you can:
export KRBCCNAME=/tmp/tmp_lxsoft01_kt
Now check that you can kinit with it:
/usr/kerberos/bin/kinit -k -t /tmp/tmp_lxsoft01_kt aims2/lxsoft01.cern.ch
That should not croak, and when you run:
/usr/kerberos/bin/klist
you should see a valid Kerberos credential.
Deploying your keytab file
Now that you are confident the keytab does what it is meant to, install it:
cp /tmp/tmp_lxsoft01_kt /etc/krb5.keytab.aims2
and then make sure it is locked down so that only the web server user can read it:
chown apache:apache /etc/krb5.keytab.aims2
It should look like:
-rw------- apache apache /etc/krb5.keytab.aims2
And REMEMBER to remove the temporary copy, so no second readable copy of the service key is left in /tmp:
rm /tmp/tmp_lxsoft01_kt
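As an added example (not part of the original recipe), the following shell functions check the deployed keytab against the "-rw------- apache apache" listing expected above, confirm the /tmp scratch copy is gone, and repeat the kinit -k -t test in a throwaway credential cache. It assumes GNU stat (Linux), that kinit is on the PATH, and the paths and principal used in this recipe.

```shell
#!/bin/sh
# Added example, not from the original recipe: post-deployment checks for
# the aims2 service keytab. Assumes GNU stat and kinit on the PATH.

KEYTAB=/etc/krb5.keytab.aims2
TMP_KEYTAB=/tmp/tmp_lxsoft01_kt
PRINCIPAL=aims2/lxsoft01.cern.ch

# keytab_locked_down FILE OWNER
# Succeeds only if FILE is mode 0600 and owned by OWNER (the httpd user),
# i.e. it matches the "-rw------- apache apache" line the recipe expects.
keytab_locked_down() {
    file=$1; owner=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    set -- $(stat -c '%a %U' "$file")   # e.g. "600 apache"
    mode=$1; actual_owner=$2
    if [ "$mode" != "600" ]; then
        echo "$file: mode is $mode, expected 600" >&2; return 1
    fi
    if [ "$actual_owner" != "$owner" ]; then
        echo "$file: owner is $actual_owner, expected $owner" >&2; return 1
    fi
    return 0
}

# tmp_copy_removed FILE
# The scratch copy in /tmp must be gone, otherwise a second readable copy
# of the service key is still lying around.
tmp_copy_removed() {
    [ ! -e "$1" ]
}

# keytab_authenticates FILE PRINCIPAL
# Repeats the recipe's kinit -k -t test against a throwaway credential
# cache, so a bad keytab is caught before httpd tries to use it.
# Needs a reachable KDC; cannot be exercised offline.
keytab_authenticates() {
    cache=$(mktemp /tmp/krb5cc_check.XXXXXX) || return 1
    KRB5CCNAME=FILE:$cache kinit -k -t "$1" "$2"
    rc=$?
    rm -f "$cache"
    return $rc
}

# Usage, as root on lxsoft01:
#   keytab_locked_down "$KEYTAB" apache && tmp_copy_removed "$TMP_KEYTAB" \
#     && keytab_authenticates "$KEYTAB" "$PRINCIPAL" && echo "keytab OK"
```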