KRB5 setup for ldap server testing

This will eventually get automated, but here is a quick krb recipe for testing. Works in docker containers too!

– krb5 without ldap backend.

Add as an entry to /etc/hosts for this local machine. It should be the first entry.

Edit /etc/krb5.conf.d/

NOTE: This doesn’t work, you need to add it to krb5.conf. Why doesn’t it work?

 kdc =
 admin_server =

[domain_realm] = EXAMPLE.COM = EXAMPLE.COM

Edit /var/kerberos/krb5kdc/kdc.conf

# Note, I think the defalt kdc.conf is good.

 kdc_ports = 88
 kdc_tcp_ports = 88

  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

Now setup the database.

/usr/sbin/kdb5_util create -r EXAMPLE.COM -s  # Prompts for password. Is there a way to avoid prompt?

Edit /var/kerberos/krb5kdc/kadm5.acl

/usr/sbin/kadmin.local -r EXAMPLE.COM -q listprincs

Add our LDAP servers

# There is a way to submit these on the CLI, but I get kadmin.local: Cannot find master key record in database while initializing kadmin.local interface

/usr/sbin/kadmin.local -r EXAMPLE.COM
add_principal -randkey ldap/
ktadd -k /opt/dirsrv/etc/dirsrv/slapd-localhost/ldap.keytab ldap/
add_principal -pw password client

Start the kdc

/usr/sbin/krb5kdc -P /var/run/ -r EXAMPLE.COM


# You need to edit /etc/sysconfig/krb5kdc and put -r EXAMPLE.COM into args
systemctl start krb5kdc
KRB5_TRACE=/tmp/foo kinit client@EXAMPLE.COM
Ticket cache: KEYRING:persistent:0:0
Default principal: client@EXAMPLE.COM

Valid starting     Expires            Service principal
05/11/15 11:35:37  06/11/15 11:35:37  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Now setup the DS instance.

# Note, might be dirsrv in newer installs.
chown nobody: /opt/dirsrv/etc/dirsrv/slapd-localhost/ldap.keytab


KRB5_KTNAME=/opt/dirsrv/etc/dirsrv/slapd-localhost/ldap.keytab ; export KRB5_KTNAME

To /opt/dirsrv/etc/sysconfig/dirsrv-localhost

Now restart the DS

/opt/dirsrv/etc/rc.d/init.d/dirsrv restart

Add a client object:

objectClass: top
objectClass: account
uid: client

Now check the GSSAPI is working.

ldapwhoami -Y GSSAPI -H ldap://
SASL/GSSAPI authentication started
SASL username: client@EXAMPLE.COM
SASL data security layer installed.
dn: uid=client,ou=people,dc=example,dc=com

All ready to go!

I have created some helpers in lib389 that are able to do this now.

TODO: How to setup krb5 with ldap backend.

create instance:

/opt/dirsrv/sbin/ –silent –debug –file=/home/wibrown/development/389ds/setup.inf

Now, add the krb5 schema

cd /opt/dirsrv/etc/dirsrv/slapd-localhost/schema ln -s ../../../../../../usr/share/doc/krb5-server-ldap/60kerberos.ldif

/opt/dirsrv/etc/rc.d/init.d/dirsrv restart

Query the schema:

python /home/wibrown/development/389ds/lib389/clitools/ | grep krb