Source file: /asuswrt-rt-n18u-9.0.0.4.380.2695/release/src-rt-6.x.4708/router/accel-pptpd/pptpd-1.3.3/html/poptop_ads_howto/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Poptop MSCHAP2 ADS Howto</title>
</head>

<body>
<p><strong>8. Kerberos</strong></p>
<p>There are two different versions of the Kerberos client: version 4 from KTH and version 5 from MIT. Microsoft uses version 5, so you should use the MIT version. FC4 (Fedora Core 4) ships the MIT one, so the stock package is fine.</p>
<p>The packages krb5-libs and krb5-workstation are required. They are installed by default; if they are missing, install the latest version with yum.</p>
<hr>
<a name="krbconf"></a><strong>8.1 Configure Kerberos</strong>
<p>The Kerberos configuration file is /etc/krb5.conf. To connect to AD, its settings must match the domain configuration.</p>
<blockquote>
  <pre>[logging]<br> default = FILE:/var/log/krb5libs.log<br> kdc = FILE:/var/log/krb5kdc.log<br> admin_server = FILE:/var/log/kadmind.log</pre>
  <p>[libdefaults]<br>
    <strong>default_realm = EXAMPLENET.ORG</strong><br>
  dns_lookup_realm = false<br>
  dns_lookup_kdc = false<br>
  ticket_lifetime = 24h<br>
  forwardable = yes</p>
  <p>[realms]<br>
    <strong>EXAMPLENET.ORG = {</strong><br>
    <strong>kdc = dc1.examplenet.org:88</strong><br>
  # admin_server = kerberos.example.com:749<br>
  <strong>default_domain = examplenet.org</strong><br>
  }</p>
  <p>[domain_realm]<br>
    <strong>.examplenet.org = EXAMPLENET.ORG<br>
  examplenet.org = EXAMPLENET.ORG</strong></p>
  <p>[kdc]<br>
  profile = /var/kerberos/krb5kdc/kdc.conf</p>
  <p>[appdefaults]<br>
  pam = {<br>
  debug = false<br>
  ticket_lifetime = 36000<br>
  renew_lifetime = 36000<br>
  forwardable = true<br>
  krb4_convert = false<br>
  }</p>
</blockquote>
<p>Pay attention to the lines shown in bold, and write the realm name in uppercase exactly as shown.</p>
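<p>As an added example that is not part of the original howto, the following Python script parses a krb5.conf written in the layout above and reports the mistakes this section (and the uppercase rule in 8.2) warns about: a default_realm that is not uppercase, a realm with no kdc in [realms], and [domain_realm] mappings that point at a different realm. The embedded sample is a constructed copy of the bold settings, and the function names parse_krb5_conf and check_ad_realm are the example's own.</p>

```python
# Constructed sample mirroring the howto's bold settings (not a real site)
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLENET.ORG
 dns_lookup_kdc = false
[realms]
 EXAMPLENET.ORG = {
  kdc = dc1.examplenet.org:88
  # admin_server = kerberos.example.com:749
  default_domain = examplenet.org
 }
[domain_realm]
 .examplenet.org = EXAMPLENET.ORG
 examplenet.org = EXAMPLENET.ORG
"""

def parse_krb5_conf(text):
    """Parse [section] and name = { ... } blocks into nested dicts ('#' starts a comment)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]   # new section
        elif line == "}":
            stack.pop()                                   # close a realm block
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def check_ad_realm(conf):
    """Return problems with the realm settings the howto shows in bold."""
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] default_realm is missing"]
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not uppercase")
    if "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"[realms] has no {realm} block with a kdc")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped != realm:
            problems.append(f"[domain_realm] {domain} -> {mapped}, expected {realm}")
    return problems
```

<p>Run check_ad_realm(parse_krb5_conf(open("/etc/krb5.conf").read())) on the real file; an empty list means the realm, kdc and domain mappings agree.</p>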
<hr>
<a name="krbtest"></a><strong>8.2 Test Kerberos</strong>
<p>Before trying to connect to AD, the AD DNS should have an A record for the pptp server. To add the A record, on your Windows DNS server click Start -&gt; Administrative Tools -&gt; DNS. The dnsmgmt window pops up. Click the &quot;+&quot; next to &quot;Forward Lookup Zones&quot;, right-click the AD domain name (EXAMPLENET.ORG in our test environment) and choose &quot;New Host (A)...&quot;. Enter the server name and IP address, then press the &quot;Add Host&quot; button.</p>
<p>When the DNS is ready, it is time to test Kerberos. Please note that the domain name must be in uppercase.</p>
<blockquote>
  <pre>[root@pptp etc]# kinit -V skwok@EXAMPLENET.ORG<br>Password for skwok@EXAMPLENET.ORG: <br>Authenticated to Kerberos v5 </pre>
</blockquote>
<p>To check the Kerberos tickets:</p>
<blockquote>
  <pre>[root@pptp etc]# klist<br>Ticket cache: FILE:/tmp/krb5cc_0<br>Default principal: skwok@EXAMPLENET.ORG</pre>
  <pre>Valid starting     Expires            Service principal
09/03/05 14:43:47  09/04/05 00:43:04  krbtgt/EXAMPLENET.ORG@EXAMPLENET.ORG
        renew until 09/04/05 14:43:47</pre>
  <pre>Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached</pre>
</blockquote>
<hr>
<a href="poptop_ads_howto_6.htm">Next</a> &nbsp;&nbsp;<a href="poptop_ads_howto_4.htm">Previous</a>&nbsp;&nbsp;<a href="poptop_ads_howto_1.htm#toc">Content</a>
<p>&nbsp;</p>
</body>
</html>