Kerberos 5 environment set up

Step 1: Prepare two Linux machines, one for the NFS server and another for the KDC server (e.g. Red Hat Linux 5).
Step 2: Open a terminal on the KDC server and type the command "setup".
Step 3: Select "Authentication configuration" -> "Run Tool" -> "Use Kerberos" and select "Next". (Note: if Kerberos is not installed on the system, download the krb5-workstation, krb5-server and krb5-auth-dialog rpm packages and install them first.)
Step 4: In Realm, enter a network domain (e.g. SPIRENTCOM.COM); in KDC, enter the KDC server IP address and the KDC port number 88 (e.g. 10.61.40.3:88); in Admin Server, enter the admin server's full address with port 749 (usually the same IP address as the KDC server, e.g. avpc03.spirentcom.com:749); check the two DNS options and then click the "OK" button.
Step 5: Type the command "setup" on the KDC server again, select Services -> krb5kdc, kadmin, rpcgssd, rpcidmapd, rpcsvcgssd and then click the "OK" button.
Step 6: Create a KDC database for the KDC services. Type the command "kdb5_util create -r SPIRENTCOM.COM -s" to create a KDC database for the realm SPIRENTCOM.COM (-s writes the master key to a stash file so the KDC can start without prompting for it).
Step 7: Modify the network configuration: type the command "vi /etc/sysconfig/network" and set the config as below:
NETWORK=yes
NETWORKING_IPV6=no
HOSTNAME=avpc03.spirentcom.com
GATEWAY=10.61.40.1
Step 8: Modify the krb5.conf and krb.conf files in the /etc/ directory and the kadm5.keytab file in the /var/kerberos/krb5kdc/ directory. Modify the krb5.conf file as below:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SPIRENTCOM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
SPIRENTCOM.COM = {
kdc = 10.61.40.3:88
admin_server = avpc03.spirentcom.com:749
default_domain = spirentcom.com
}
[domain_realm]
spirentcom.com = SPIRENTCOM.COM
.spirentcom.com = SPIRENTCOM.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 360000
renew_lifetime = 360000
forwardable = true
krb4_convert = false
}
Modify the krb.conf file as below:
SPIRENTCOM.COM
SPIRENTCOM.COM 10.61.40.3:88
SPIRENTCOM.COM avpc03.spirentcom.com:749 admin server
Step 9: Modify the kdc.conf file in the /var/kerberos/krb5kdc/ directory as below:
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
SPIRENTCOM.COM = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
Modify the kadm5.keytab file as below:
*/admin@SPIRENTCOM.COM *
Note: if there is no kadm5.keytab file in the /var/kerberos/krb5kdc/ directory, create it and add the above content to it. The line is kadmind ACL syntax (a principal pattern followed by its permissions), which is the format of the acl_file that the kdc.conf above names as /var/kerberos/krb5kdc/kadm5.acl, whereas admin_keytab names a binary keytab; check that the entry ends up in the file kadmind actually reads as its ACL.
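Before restarting the services, the two files can be cross-checked for the mistakes that most often break ticket issuing: a domain_realm mapping to an undefined realm, an acl_file that is not the ACL file, and weak enctypes. This Python check is an added example, not part of the original guide; the embedded sample configs are constructed from the krb5.conf and kdc.conf shown above.

```python
# Added check, not from the original guide; sample configs below are constructed from Steps 8 and 9.
KRB5_CONF = """
[libdefaults]
default_realm = SPIRENTCOM.COM
[realms]
SPIRENTCOM.COM = {
kdc = 10.61.40.3:88
}
[domain_realm]
.spirentcom.com = SPIRENTCOM.COM
"""
KDC_CONF = """
[realms]
SPIRENTCOM.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
}
"""

def parse_krb5(text):
    """Parse the MIT profile format: [section] headers, key = value lines, one level of name = { } subsections."""
    conf, section, sub = {}, None, None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            section, sub = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                              # end of a realm subsection
            sub = None
        elif line.endswith("{"):                       # e.g. "SPIRENTCOM.COM = {"
            sub = section.setdefault(line[:-1].strip(" ="), {})
        else:
            key, _, value = line.partition("=")
            (section if sub is None else sub)[key.strip()] = value.strip()
    return conf

def check(krb5, kdc):
    """Return findings for a krb5.conf/kdc.conf pair; an empty list means the pair is consistent."""
    realms = krb5.get("realms", {})
    realm = krb5.get("libdefaults", {}).get("default_realm")
    findings = [f"domain_realm {d} maps to undefined realm {t}"
                for d, t in krb5.get("domain_realm", {}).items() if t not in realms]
    if realm not in realms:
        findings.append(f"default_realm {realm} has no [realms] entry")
    kdc_realm = kdc.get("realms", {}).get(realm, {})
    if not kdc_realm.get("acl_file", "").endswith("kadm5.acl"):
        findings.append("acl_file must name kadm5.acl (the ACL file), not a keytab")
    # single DES and RC4 (arcfour) are removed or deprecated in current MIT krb5: flag them
    weak = [e for e in kdc_realm.get("supported_enctypes", "").split() if e.startswith(("des-", "arcfour"))]
    if weak:
        findings.append("weak enctypes enabled: " + " ".join(weak))
    return findings
```

Run it against the real files with `check(parse_krb5(open("/etc/krb5.conf").read()), parse_krb5(open("/var/kerberos/krb5kdc/kdc.conf").read()))`; with the configuration from this guide the only finding is the weak enctype list.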
Step 10: Modify the hosts file in the /etc/ directory as below with the command "vi /etc/hosts":
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 pv3 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.61.38.173 pv3.spirentcom.com pv3
10.61.38.174 pv2.spirentcom.com pv2
10.61.38.185 10.61.38.185.spirentcom.com 10.61.38.185
10.61.38.176 PV1.spirentcom.com PV1
10.61.46.155 root.spirentcom.com root
10.61.46.156 root1.spirentcom.com root1
fe80::20c:29ff:fe46:e61d pv2.spirentcom.com
fe80::20c:29ff:fe34:1d4c pv3.spirentcom.com
fe80::20c:29ff:fe34:100 root.spirentcom.com root
Note: here 10.61.38.173 is the HTTP server IP address, 10.61.46.155 is the client IP address (Avalanche simulated), and 10.61.38.174 is the KDC server IP address.
Step 11: Set up the HTTP server environment: enable the HTTP server on the Red Hat 5 system, create a folder called krb5 in the /var/www/html directory and create an index.html in the krb5 folder. Add the content below to the /etc/httpd/conf/httpd.conf file:
<Location /krb5>
AuthType Kerberos
AuthName "Kerberos Login"
# Negotiate (SPNEGO) only: no password fallback, so the client must present a service ticket
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthRealms SPIRENTCOM.COM
# keytab holding the key of the server principal named in KrbServiceName
Krb5KeyTab /etc/krb5.keytab
# KrbAuthoritative off
# require user HTTP/pv2.spirentcom.com@SPIRENTCOM.COM
require valid-user
KrbServiceName HTTP/pv3.spirentcom.com@SPIRENTCOM.COM
</Location>
Then restart the HTTP server by typing the command: service httpd restart
Step 12: Create the client principal
Type the command "/usr/kerberos/sbin/kadmin.local" in a KDC server terminal.
Add the client principal with "addprinc HTTP/pv2.spirentcom.com@SPIRENTCOM.COM" in kadmin.local; this requires you to enter a password twice. Open another KDC server terminal and type the command "kinit HTTP/pv2.spirentcom.com@SPIRENTCOM.COM" (if this does not work, type the command "service krb5kdc restart" and try again). Add the client keytab file by typing the command "ktadd -e des-cbc-crc:normal -k /tmp/krb5.keytab HTTP/pv2.spirentcom.com@SPIRENTCOM.COM".
Copy the client keytab file krb5.keytab from the /tmp/ directory to the local computer and upload it to the "Content Files" tab in Commander (the keytab contains the principal's long-term key, so handle it as a secret). See below:
Step 13: Create the server principal
Type the command "/usr/kerberos/sbin/kadmin.local" in a KDC server terminal.
Add the server principal with "addprinc -randkey HTTP/pv3.spirentcom.com@SPIRENTCOM.COM" in kadmin.local; this does not require you to enter a password. Add the server keytab file by typing the command "ktadd -k /etc/krb5.keytab HTTP/pv3.spirentcom.com@SPIRENTCOM.COM".
Copy the server keytab file krb5.keytab from the /etc/ directory to the HTTP server.
Step 14: Restart the KDC from the HTTP server
Type the command "service krb5kdc restart" in an HTTP server terminal.
Step 15: SPF configuration
The action list looks like this:
KERBEROSCONNECT CLIENT_PRINCIPAL=HTTP/pv2.spirentcom.com@SPIRENTCOM.COM
1
GET
http://10.61.38.173/krb5/<AUTH:Kerberos
SERVER_PRINCIPAL=HTTP/pv3.spirentcom.com@SPIRENTCOM.COM>
The client profile looks like this (screenshot not reproduced); its Kerberos fields are described in the note below.
Note:
Keytab File: name of the keytab file you added in the content files.
KDC Host IP Address: IP address of the Key Distribution Center.
KDC Host Port: has to be 88; that is the port on which the KDC listens for ticket exchanges.
TGS Service Principal: Krbtgt/SPIRENTCOM.COM@SPIRENTCOM.COM
Additional Configuration: Subnet, Port, Associations