How to install MIT Kerberos on Debian with slapd backend


Other how-to:

Time synchronization between hosts

Kerberos clients and server must be synchronized. For that purpose I use ntp on the clients and server.

aptitude install ntp


Install slapd

Install ldap server

# slapd admin password will be asked
DEBIAN_PRIORITY=medium aptitude install slapd

slapd logs


# /etc/rsyslog.d/slapd.conf
# minus before file => omit syncing the file after every loggin
# & ~               => don't transmist log to next logger
local4.* -/var/log/slapd.log
& ~


# /etc/logrotate.d/slapd
    # 1 month
    rotate 4
        /etc/init.d/slapd restart

Install MIT Kerberos master server

Some informations will be asked:

# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55

Default Kerberos version 5 realm:

Kerberos V4 compatibility mode to use:

Kerberos servers for your realm:

Next create a new realm:

# krb5_newrealm

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU',
master key name 'K/M@COINCOIN.EU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration

Configuration: slapd


First, check configuration !

BASE    dc=coincoin,dc=eu
URI     ldap://


Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd

aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema

echo "include /etc/ldap/schema/kerberos.schema" > /tmp/schema_convert.conf
slaptest -f /tmp/schema_convert.conf -F /tmp/
# remove lines at the end of /tmp/cn=config/cn=schema/cn={0}kerberos.ldif, starting at "structuralObjectClass: olcSchemaConfig"
# change "dn: cn={0}kerberos" by "dn: cn=kerberos,cn=schema,cn=config"
# change "cn: {0}kerberos" by "cn: kerberos"
ldapadd -QY EXTERNAL -H ldapi:///  -f /tmp/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif

increase log level

# log all: change log level from 'none' to 'stats'
cat ldap/log_level.ldif     
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
ldapmodify -QY EXTERNAL -H ldapi:/// -f log_level.ldif


# add ACL for Kerberos:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# Providing access to realm container
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

access to *
        by * read

access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write

# Comment all other default ACL

# add specific directives for database #1
suffix          "dc=coincoin,dc=eu"
rootdn          "cn=admin,dc=coincoin,dc=eu"

# add indexes
index           objectClass eq # by default
index           uid         eq
index           krbPrincipalName eq,pres,sub

Create indexes

/etc/init.d/slapd stop
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

Add ldap entries

/etc/init.d/slapd stop
cat data.ldif
dn: ou=Users,dc=coincoin,dc=eu
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=coincoin,dc=eu
ou: Groups
objectClass: organizationalUnit

dn: ou=Hosts,dc=coincoin,dc=eu
ou: Hosts
objectClass: organizationalUnit

dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: 5Wdx~FgK|VFm>>2`K1UW

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: grh~1JnFvN*}]742_Jvc

slapadd -svl data.ldif
/etc/init.d/slapd start

If the LDAP server and KDC service are running on the same machine:

# slapd listen only unix socket, in /etc/default/slapd:
/etc/init.d/slapd restart

You should disallow anonymous binding:

#Add at the beginning of /etc/ldap/slapd.conf
disallow bind_anon

/etc/init.d/slapd restart

Configure Kerberos


        default_realm = COINCOIN.EU

        COINCOIN.EU = { 
                kdc =
                admin_server =
                database_module = openldap_ldapconf

[domain_realm] = COINCOIN.EU = COINCOIN.EU

        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

        openldap_ldapconf = { 
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5 

        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
        # TODO logrotate


    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

    COINCOIN.EU = { 
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth

Set up the realms subtree and the realm itself

kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -r COINCOIN.EU -s -H ldap://
# slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
# slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu

Add users to ldap server

This step is needed if users's account are not already in the ldap.

The following command fails:

/etc/init.d/slapd stop
slapadd -svl users.ldif
/etc/init.d/slapd stop

where users.ldif is:

dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu
cn: lilou
gidNumber: 1000
objectClass: top 
objectClass: posixGroup

dn: uid=lilou,ou=Users,dc=coincoin,dc=eu
uid: lilou
uidNumber: 1000
gidNumber: 1000
cn: Lilou
sn: Lilou
objectClass: top 
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/lilou

I use cpu command from the cpu package:

# extract of /etc/cpu/cpu.conf
# USER_BASE = ou=Users,dc=coincoin,dc=eu
# GROUP_BASE = ou=Groups,dc=coincoin,dc=eu
cpu -w useradd lilou

Kerberize user

# kadmin.local 
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin.local:  addprinc lilou
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy
Enter password for principal "lilou@COINCOIN.EU": 
Re-enter password for principal "lilou@COINCOIN.EU": 
Principal "lilou@COINCOIN.EU" created.

Restart services

/etc/init.d/slapd restart
/etc/init.d/krb5-kadmin-server restart
/etc/init.d/krb5-kdc restart

Check hostname configuration

user@kdc:~$ hostname
user@kdc:~$ hostname -f # /etc/resolv.conf could contains "search". 


kdc:~# kinit lilou
Password for lilou@COINCOIN.EU: 
kdc:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU

Valid starting     Expires            Service principal
02/20/11 03:07:54  02/20/11 13:07:54  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 02/21/11 03:07:51

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Clients configuration

Check DNS configuration

root@client:/root# host has address
root@client:/root# host domain name pointer

Check hostname configuration

root@client:~$ hostname
root@client:~$ hostname -f


aptitude install krb5-user libpam-krb5

Install libpam-krb5 package only if you want SSO. After installing libpam-krb5, you can use pam-auth-update command in order to handle PAM & kerberos configuration.


        default_realm = COINCOIN.EU

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                plain = {
                        something = something-else
        fcc-mit-ticketflags = true

        COINCOIN.EU = {
                kdc =
                admin_server =

[domain_realm] = COINCOIN.EU = COINCOIN.EU

        krb4_convert = false
        krb4_get_tickets = false

    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log



toto@client:~# kinit lilou
Password for lilou@COINCOIN.EU: 
toto@client:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU

Valid starting     Expires            Service principal
02/20/11 02:17:09  02/20/11 12:17:09  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 02/21/11 02:17:05


In order to test PAM configuration, disconnect and reconnect, next use klist command.

Some errors

kinit: Generic error (see e-text) while getting initial credentials

Cause: slapd service is not started.

Kerberos (last edited 2011-09-27 23:23:40 by pilou)