Kerberos V5 Installation

This document outlines the steps needed to install a Key Distibution Centre (KDC) server.
It was last updated on 18 July 2021.

Pre-requisites

NTP Service: The NTP service must be installed on the KDC server.
DNS Resolution:
- You must have DNS hostname resolution available in the network where the KDC server is installed.
- Your KDC must be resolvable by its fully qualified domain name.
- This means that the KDC hostname must resolve to an IP address and that IP address must resolve back to the hostname.
Linux Server: A Linux VM with root access. In this installation, I have installed Debian 10.10 with 1024GB RAM, 8GB hard disk space, 2 vCPUs
- I have assigned the hostname kdc-server. This is automatically picked up by my router’s DNS resolver and assigned a DHCP address. Since bigtom.local is my local network’s domain name, fully qualitified domain name for this server is kdc-server.bigtom.local.
- Update the server with $ sudo apt update and $ sudo apt upgrade -y to ensure the OS has the latest updates.
- Install dnsutils with $ sudo apt install -y dnsutils and take a snapshot of the VM. This provides dig and hosts to ensure our DNS resolution works correctly.
  
  Results of dig shows the hostname and IP address
- The diagram above shows that the IP address 192.168.1.225 is associated with kdc-server.bigtom.local

KDC Installation

Issue $ sudo apt-get install krb5-admin-server krb5-kdc -y as your privileged user.

Default Realm

The first install dialog box bring up the following screen:

Create your default Realm / Domain as requested in this first Kerberos server install dialog

You can set the realm (or domain in Windows world) to anything you desire. In this case, I have set it to a fictitious BANKGROUP.BANK.COM.

Note this does NOT setup an actual realm. It only sets the default real / domain in cases where the realm / domain has not been specified.

After these initial installation steps, we would still need to setup a realm.

Kerberos Server Name (KDC)

The next dialog box requests for the KDC server name:

Hostname of the kdc server

Administrative Server Name

The installation then requests for the administrative server name:

Hostname of the administrative server

In our case, as this is a single server installation, the KDC server name and administrative server names are the same.

Kerberos Administrative Tools

A message box then appears to tell the installer that the kerberos administrative tools have been setup, but that the realm has not been setup.

Warning that the realm has not been created

Completion of Initial Installation

../../_images/kdc-initial-install.png — Packages for the KDC server now completes

The installation of the KDC server packages have now completed and the system tries to start the KDC server. However, the KDC server will not start as we have not setup a realm or a principal for that real yet.

Configuring the KDC server

Reference URL: http://blog.manula.org/2012/04/setting-up-kerberos-server-with-debian.html

Setting up a New Real

../../_images/new-realm-setup.png — We setup a new realm with the `krb5_newrealm` command

The system will require you to enter a new master password for the Kerberos administrative server.

As shown above, the /etc/krb5.conf configuration file is now updated with the new realm and server details.

Now that we have a valid realm, check the status of the krb5-kdc service:

../../_images/krb5-kdc-service.png — Status of the krb5-kdc service once it has a valid realm

Managing users (Principles)

To manage users in this default realm, we need to use the kadmin.local command line tool. It must be started as root with $ sudo kadmin.local.

../../_images/admin-local.png — The `kadmin.local` must be started as root and is used for managing users

Adding users (Principles)

We now need to add users to the realm / domain that we just created.
This is done with the addprinc command, e.g., $ addprinc trader, which would create the trader user.

../../_images/addprinc.png — Add users to the realm with the `addprinc` commaind in admin.local

You will need to enter a password twice for this user as shown above.

Listing users (Principles)

../../_images/listprinc.png — Displaying the list of users / Principles in a realm with `listprinc`

To list the users / Principles in this real, use the listprinc command. You will see that the newly created trader user has been created along with other default which already exist for this realm.

Testing with a Java Client

We are going to test the setup with a simple Java command line application.
You can download the source code here zip and unzip all files into a single folder.
It contains two Java source code files: Krb5client.java and LoginCallbackHandler.java.
The code has been tested to compile and run on JDK 15 in Windows and JDK 11 on Linux.

../../_images/Java-Krb5Client-Config.PNG — The Java source code containing the Kerberos client that connects to the KDC server

Line 33 needs to be set with the correct realm, in this case “BANKGROUP.BANK.COM”.
Line 35 needs to be updated with the correct kdc server, in this case “kdc-server.bigtom.local”.
The code can then be compiled with a Java compiler on Windows or Linux as described below.

Windows

If you are using Windows, modify the file kerberos-test.bat and modify the first line to point to your Java installation path.

Then run the kerberos-test.bat file.

Linux

If you are using Linux, modify the second line of the file kerberos-test.sh to point to your Java application.
Ensure that the file is set with execute permission with $ chmod u+x kerberos-test.sh.

Then run the kerberos-test.sh file.

Output

../../_images/client-success.png — A successful connection to the kdc server.

../../_images/client-failure.png — The client fails to connect if the password is wrong.

This concludes the Kerberos KDC server setup and Java client test.