Quick Linux Kerberos Configuration Guide

#
# Quick Linux Kerberos Configuration Guide
#
# Based on http://aput.net/~jheiss/krbldap/
#
# LDAP Guide at http://oss.segetech.com/linux-ldap-configuration.html
#

SERVER auth.example.com
* yum install krb5-server krb5-workstation pam_krb5
* conf files
  - /etc/krb5.conf
  - /var/kerberos/krb5kdc/kdc.conf
  - /var/kerberos/krb5kdc/kadm5.acl
  - /etc/pam.d/system-auth

* kdb5_util create -r EXAMPLE.COM -s
* kadmin.local -q "addprinc admin/admin"
* kadmin.local -q \
    "ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw"
* kadmin.local -q "addprinc testuser"
* kadmin.local -q "addprinc -randkey host/auth.example.com"
* kadmin.local -q "ktadd -k /etc/krb5.keytab host/auth.example.com"
* chkconfig kadmin on
* chkconfig krb5kdc on
* service kadmin start
* service krb5kdc start
* replication
  - http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/install.html#SEC48

* LDAP keytab if needed
  - kadmin.local -q "addprinc -randkey ldap/auth.example.com"
  - kadmin.local -q "ktadd -k /etc/openldap/ldap.keytab ldap/auth.example.com"
* HTTP keytab if needed (the service name is case sensitive: HTTP/, not http/)
  - kadmin.local -q "addprinc -randkey HTTP/auth.example.com"
  - kadmin.local -q "ktadd -k /etc/httpd/httpd.keytab HTTP/auth.example.com"
* Firefox with Kerberos:
  - In about:config, set both of the following to .example.com:
      - network.negotiate-auth.delegation-uris
      - network.negotiate-auth.trusted-uris
  - run kinit and restart firefox
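The guide lists /etc/krb5.conf, kdc.conf and kadm5.acl but not their contents. The script below is an added example, not part of the original guide, that renders minimal versions of those three files for the realm above into a directory of your choice, so they can be reviewed before being copied to /etc and /var/kerberos/krb5kdc. It assumes MIT krb5 on a Red Hat style layout, realm EXAMPLE.COM and auth.example.com as both KDC and admin server; the kadm5.keytab and kadm5.acl paths are the ones used in the guide's ktadd command.

```shell
#!/bin/sh
# Added example, not from the guide: render the three KDC-side files the
# guide lists (/etc/krb5.conf, kdc.conf, kadm5.acl) for one realm, into a
# directory of your choice so they can be reviewed before being copied to
# /etc and /var/kerberos/krb5kdc. Assumptions: MIT krb5 on a Red Hat style
# layout, realm EXAMPLE.COM, KDC and admin server auth.example.com.

# realm_to_domain REALM -> DNS domain used for the [domain_realm] mapping
realm_to_domain() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# gen_krb5_conf REALM KDC_FQDN -> minimal /etc/krb5.conf on stdout.
# DNS lookups are off so a spoofed SRV/TXT record cannot point clients at
# another KDC; the KDC is named explicitly instead.
gen_krb5_conf() {
    realm=$1; kdc=$2; domain=$(realm_to_domain "$realm")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 10h
    renew_lifetime = 7d

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# gen_kdc_conf REALM -> /var/kerberos/krb5kdc/kdc.conf on stdout; the
# acl_file and admin_keytab paths match the guide's ktadd for kadmin/admin
gen_kdc_conf() {
    realm=$1
    cat <<EOF
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    $realm = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        dict_file = /usr/share/dict/words
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
EOF
}

# gen_kadm5_acl REALM -> kadm5.acl on stdout: only */admin instances (such as
# the guide's admin/admin) get full rights; every other principal gets none
gen_kadm5_acl() {
    printf '*/admin@%s\t*\n' "$1"
}

# write_kdc_files REALM KDC_FQDN OUTDIR -> writes all three files under OUTDIR
write_kdc_files() {
    realm=$1; kdc=$2; out=$3
    mkdir -p "$out"
    gen_krb5_conf "$realm" "$kdc" > "$out/krb5.conf"
    gen_kdc_conf "$realm" > "$out/kdc.conf"
    gen_kadm5_acl "$realm" > "$out/kadm5.acl"
    # krb5.conf is read by every user; the KDC-side files are root-only
    chmod 644 "$out/krb5.conf"
    chmod 600 "$out/kdc.conf" "$out/kadm5.acl"
}
```

Run `write_kdc_files EXAMPLE.COM auth.example.com ./kdc-out`, inspect the three files, copy them into place, and only then run the `kdb5_util create` and `kadmin.local` steps above; the ACL deliberately grants nothing to principals outside the `*/admin` instance, so service and user principals cannot administer the database.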

CLIENT test.example.com
* yum install krb5-workstation pam_krb5
* conf files
  - /etc/krb5.conf
  - /etc/pam.d/system-auth

* host keytab if needed for ssh
  - kinit admin/admin
  - kadmin -q "addprinc -randkey host/test.example.com"
  - kadmin -q "ktadd -k /etc/krb5.keytab host/test.example.com"
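Before enabling Kerberos for sshd on the client, it is worth confirming that /etc/krb5.keytab actually holds the principal sshd will look up (host/<fqdn>@REALM, where <fqdn> is what `hostname -f` returns). The script below is an added example, not from the guide, that parses `klist -kt` output and checks for a principal by exact, case-sensitive match; the same check covers the ldap/ and HTTP/ keytabs from the server section. It assumes MIT krb5's `klist -kt` layout, realm EXAMPLE.COM and client test.example.com; the sample klist output embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not from the guide: verify that a keytab really contains
# the principal a service will look up before relying on it (sshd on the
# client expects host/<fqdn>@REALM, with <fqdn> as returned by hostname -f).
# Assumptions: MIT `klist -kt` output format, realm EXAMPLE.COM, client
# test.example.com. The sample klist output below is constructed.
# Principal names are case sensitive, so matching is exact: an HTTP/...
# entry is not found when asked for as http/....

# keytab_principals < klist-output -> unique principal names, one per line.
# Entry lines start with a numeric KVNO; the principal is the last field,
# and one principal appears once per encryption type, hence sort -u.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# keytab_has PRINCIPAL < klist-output -> exit 0 if present, exact match only
keytab_has() {
    keytab_principals | grep -qxF -- "$1"
}

# expected_host_principal REALM [FQDN] -> the name sshd/pam will look for;
# FQDN defaults to `hostname -f` on this machine
expected_host_principal() {
    fqdn=${2:-$(hostname -f)}
    printf 'host/%s@%s\n' "$fqdn" "$1"
}

# check_keytab KEYTAB PRINCIPAL -> 0 if the real keytab file holds PRINCIPAL
# (needs klist from krb5-workstation; /etc/krb5.keytab is readable by root)
check_keytab() {
    klist -kt "$1" | keytab_has "$2"
}

# Constructed sample of `klist -kt /etc/krb5.keytab` on test.example.com
# after the guide's ktadd; the host entry is listed once per enctype.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2024 10:00:00 host/test.example.com@EXAMPLE.COM
   2 01/01/2024 10:00:00 host/test.example.com@EXAMPLE.COM
   3 01/01/2024 10:05:00 HTTP/test.example.com@EXAMPLE.COM'

# demo -> FOUND/MISSING for the host principal, run over the sample above
demo() {
    want=$(expected_host_principal EXAMPLE.COM test.example.com)
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_has "$want"; then
        echo "FOUND $want"
    else
        echo "MISSING $want"
    fi
}

demo
```

On a real client, `check_keytab /etc/krb5.keytab "$(expected_host_principal EXAMPLE.COM)"` is the check to run as root after the ktadd; a MISSING result usually means `hostname -f` and the principal you created disagree (short name versus FQDN, or a CNAME), which is also the most common reason GSSAPI authentication in sshd fails silently.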

CROSS REALM
* On both KDCs, for SUB.EXAMPLE.COM to trust EXAMPLE.COM (one-way trust):
  - kinit admin/admin
  - kadmin -q "addprinc krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM"
* echo user@EXAMPLE.COM >> ~user/.k5login on each SUB.EXAMPLE.COM realm host
* use pam_access.so in /etc/pam.d/system-auth to limit access as needed
* add EXAMPLE.COM to [realms] and [domain_realm] in krb5.conf on the
  SUB.EXAMPLE.COM hosts as needed
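The two per-host edits above (the .k5login grant and the krb5.conf additions) are easy to get wrong when rerun: `echo user@EXAMPLE.COM >> ~user/.k5login` appends a duplicate line every time. The script below is an added example, not from the guide, that does both edits idempotently. It assumes SUB.EXAMPLE.COM hosts trusting EXAMPLE.COM, whose KDC is auth.example.com, and takes file paths as parameters so the functions can be tried on copies before touching /etc or a home directory. One caveat the guide leaves implicit: the krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM principal must be created with the same password on both KDCs, since the two realms have to share that key for cross-realm tickets to decrypt.

```shell
#!/bin/sh
# Added example, not from the guide: the two per-host edits that follow the
# one-way trust above, written so they can be rerun without side effects.
# Assumptions: SUB.EXAMPLE.COM hosts trusting EXAMPLE.COM whose KDC is
# auth.example.com; file paths are parameters so the functions can be tried
# on copies first. The krbtgt/SUB.EXAMPLE.COM@EXAMPLE.COM principal must
# carry the same password (hence the same key) on both KDCs.

# grant_k5login K5LOGIN_FILE PRINCIPAL -> add PRINCIPAL unless already listed
grant_k5login() {
    file=$1; princ=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$princ" "$file"; then
        return 0                      # already granted, nothing to do
    fi
    printf '%s\n' "$princ" >> "$file"
    chmod 644 "$file"                 # owner-writable only; others may read
}

# realm_defined KRB5_CONF REALM -> 0 if a "REALM = {" stanza already exists
realm_defined() {
    re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -qE "^[[:space:]]*$re[[:space:]]*=[[:space:]]*\{" "$1"
}

# krb5conf_add_realm KRB5_CONF REALM KDC_FQDN -> append [realms] and
# [domain_realm] entries for the trusted realm, once. MIT's profile parser
# merges a repeated section header with the earlier one (includedir
# snippets rely on the same behaviour), so appending a second [realms]
# block is fine. The domain_realm entry maps *.example.com to EXAMPLE.COM;
# the longest matching suffix wins, so an existing
# ".sub.example.com = SUB.EXAMPLE.COM" line still covers this realm's hosts.
krb5conf_add_realm() {
    conf=$1; realm=$2; kdc=$3
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    if realm_defined "$conf" "$realm"; then
        return 0
    fi
    cat >> "$conf" <<EOF

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}
```

Typical use on a SUB.EXAMPLE.COM host: `grant_k5login /home/user/.k5login user@EXAMPLE.COM` followed by `krb5conf_add_realm /etc/krb5.conf EXAMPLE.COM auth.example.com`; both can sit in a configuration-management run and will leave the files unchanged on the second pass. The .k5login file is what turns the realm trust into a per-user grant, so keep it owner-writable only, and pair it with pam_access.so as the guide suggests when the grant should not extend to every login service.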