aims2 & Kerberos 5

Introduction

This recipe guide shows you how to configure the server for Kerberos authentication. Many thanks to Bernard Antoine for providing the foundations of this recipe. Please note that throughout this recipe we will use lxsoft01 as our example host when demonstrating commands.

Creating a principal & obtaining a key tab file

First, log in to lxsoft01 as root.

You'll need to make sure you have some valid Kerberos credentials for yourself, so run kinit. Without them, the next step fails with something like:

arc: cannot authenticate to server afsdb1: You have no tickets cached

Now that you have some Kerberos credentials, we can start to talk to the KDC. We want to create a new principal for our aims2 service and download a keytab for this new principal. For the moment, we'll just place this key tab file in /tmp/ so that we can test it.

arc -h afsdb1 kas ext aims2/lxsoft01.cern.ch > /tmp/tmp_lxsoft01_kt

Testing your new key tab file

We can do some quick lightweight tests on our key tab file. First, start a new Kerberos context with:

/usr/bin/pagsh.krb

and then point a new KRB cache variable at a separate scratch file (not at the keytab itself: kinit writes its credential cache to this path, and would overwrite the keytab):

export KRB5CCNAME=FILE:/tmp/tmp_lxsoft01_cc

If you have a valid reason to support Kerberos 4, you can issue the following, but try to avoid it if you can:

export KRBCCNAME=/tmp/tmp_lxsoft01_cc

Now we want to see if we can kinit against it:

/usr/kerberos/bin/kinit -k -t /tmp/tmp_lxsoft01_kt aims2/lxsoft01.cern.ch

That should not croak (i.e. it should exit without any error), and when you run:

/usr/kerberos/bin/klist

You should see a valid Kerberos credential for aims2/lxsoft01.cern.ch.

Deploying your keytab file

So now you can feel confident your key tab will do what it is meant to:

cp /tmp/tmp_lxsoft01_kt /etc/krb5.keytab.aims2

and then we need to make sure it's locked down, owned by the web server user and readable by nobody else:

chown apache:apache /etc/krb5.keytab.aims2
chmod 600 /etc/krb5.keytab.aims2

It should look like:

-rw-------  apache apache /etc/krb5.keytab.aims2

and REMEMBER to remove the scratch copy, which is otherwise left world-readable under /tmp:

rm /tmp/tmp_lxsoft01_kt
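The test-then-deploy steps above, collected into one script as an added example (not part of the original recipe): it verifies the keytab against a throwaway credential cache so the keytab is never overwritten, then installs it with the ownership and mode shown above. The kinit/klist paths and the scratch-cache naming are assumptions; the installed owner defaults to apache as on this page.

```shell
#!/bin/sh
# Added example, not from the original page. Paths to the MIT tools are
# assumed and can be overridden through the environment.
KINIT=${KINIT:-/usr/kerberos/bin/kinit}
KLIST=${KLIST:-/usr/kerberos/bin/klist}

# Obtain a TGT from the keytab into a *separate* scratch cache and confirm
# that klist sees a valid credential. Returns 0 on success, 1 otherwise.
verify_keytab() {
    kt=$1; princ=$2
    cc=$(mktemp /tmp/aims2_cc.XXXXXX) || return 1
    if KRB5CCNAME="FILE:$cc" "$KINIT" -k -t "$kt" "$princ" >/dev/null 2>&1 \
       && KRB5CCNAME="FILE:$cc" "$KLIST" -s 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$cc"          # never leave a service TGT lying around in /tmp
    return $rc
}

# True when the file is mode 0600 (no group/other bits), as the page shows.
perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# Copy the tested keytab into place, lock it down, then delete the scratch copy.
# Owner/group default to apache:apache as in the recipe.
install_keytab() {
    src=$1; dst=$2; owner=${3:-apache}; group=${4:-$owner}
    cp "$src" "$dst" || return 1
    chown "$owner:$group" "$dst" || return 1
    chmod 600 "$dst" || return 1
    perms_ok "$dst" || return 1
    rm -f "$src"
}

# Usage on lxsoft01 (as root), mirroring the steps of the recipe:
#   verify_keytab /tmp/tmp_lxsoft01_kt aims2/lxsoft01.cern.ch \
#     && install_keytab /tmp/tmp_lxsoft01_kt /etc/krb5.keytab.aims2
```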

Topic revision: r6 - 2008-06-26 - DanDengate