KDC logs use decimal values to refer to encryption types.
Extract from the krb5.h header (the enctype numbers appear there in hex):
/* per Kerberos v5 protocol spec */
#define ENCTYPE_NULL                    0x0000
#define ENCTYPE_DES_CBC_CRC             0x0001 /* DES cbc mode with CRC-32 */
#define ENCTYPE_DES_CBC_MD4             0x0002 /* DES cbc mode with RSA-MD4 */
#define ENCTYPE_DES_CBC_MD5             0x0003 /* DES cbc mode with RSA-MD5 */
#define ENCTYPE_DES_CBC_RAW             0x0004 /* DES cbc mode raw */ /* XXX deprecated? */
#define ENCTYPE_DES3_CBC_SHA            0x0005 /* DES-3 cbc mode with NIST-SHA */
#define ENCTYPE_DES3_CBC_RAW            0x0006 /* DES-3 cbc mode raw */
#define ENCTYPE_DES_HMAC_SHA1           0x0008
#define ENCTYPE_DES3_CBC_SHA1           0x0010
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x0011
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x0012
#define ENCTYPE_ARCFOUR_HMAC            0x0017
#define ENCTYPE_ARCFOUR_HMAC_EXP        0x0018
#define ENCTYPE_UNKNOWN                 0x01ff
/* local crud */
/* marc's DES-3 with 32-bit length */
#define ENCTYPE_LOCAL_DES3_HMAC_SHA1    0x7007
Packages
# apt-get install krb5-admin-server krb5-kdc
Create the realm database and the stash file
# kdb5_util create -r <realm> -s
Initial ACL /etc/krb5kdc/kadm5.acl
*/admin@DEBIAN-FR.ORG *
This is the minimal ACL file you MUST have in order to log in locally (with kadmin.local) and add other principals.
Create the kadmin principal
# kadmin.local
Authenticating as principal root/admin@DEBIAN-FR.ORG with password.
kadmin.local: addprinc asyd/admin@DEBIAN-FR.ORG
WARNING: no policy specified for asyd/admin@DEBIAN-FR.ORG; defaulting to no policy
Enter password for principal "asyd/admin@DEBIAN-FR.ORG":
Re-enter password for principal "asyd/admin@DEBIAN-FR.ORG":
Principal "asyd/admin@DEBIAN-FR.ORG" created.
Create the minimal keytab
# kadmin.local
kadmin.local: ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Check for the stash file: if you don't have /etc/krb5kdc/stash, simply run
# kdb5_util stash -f /etc/krb5kdc/stash
Optional: to enable logging, add the following lines to /etc/krb5.conf
[logging]
    kdc = FILE:/var/log/krb/kdc.log
    admin_server = FILE:/var/log/krb/admin.log
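Once the KDC log above is enabled, the etype numbers in it are the decimal form of the hex values in the krb5.h extract at the top of the page. The following is an added example, not part of the original notes, that maps those numbers back to names and flags deprecated enctypes the KDC actually issued (ticket, session or reply key), as opposed to ones a client merely offered. The two log lines are constructed samples in the MIT krb5kdc format; the client address and the legacy host name are made up.

```python
import re

# Enctype numbers from the krb5.h extract above; the header writes them in hex,
# the KDC log in decimal, so ENCTYPE_AES256_CTS_HMAC_SHA1_96 (0x0012) logs as "18".
ENCTYPE_NAMES = {
    0x0001: "des-cbc-crc", 0x0002: "des-cbc-md4", 0x0003: "des-cbc-md5",
    0x0004: "des-cbc-raw", 0x0005: "des3-cbc-sha", 0x0006: "des3-cbc-raw",
    0x0008: "des-hmac-sha1", 0x0010: "des3-cbc-sha1",
    0x0011: "aes128-cts-hmac-sha1-96", 0x0012: "aes256-cts-hmac-sha1-96",
    0x0017: "arcfour-hmac", 0x0018: "arcfour-hmac-exp",
}
# Single DES is deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
DEPRECATED = {1, 2, 3, 4, 5, 6, 8, 16, 23, 24}

# The first "etypes {...}" group on a line is what the client offered; the second,
# "etypes {rep=.. tkt=.. ses=..}", is what the KDC issued (reply, ticket, session key).
_ETYPES = re.compile(r"etypes \{([^}]*)\}")

# Constructed sample log lines (not taken from a real KDC); realm and user are the page's.
SAMPLE_LOG = """\
Jan 02 10:15:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1672654501, etypes {rep=18 tkt=18 ses=18}, asyd@DEBIAN-FR.ORG for krbtgt/DEBIAN-FR.ORG@DEBIAN-FR.ORG
Jan 02 10:15:07 kdc krb5kdc[1234](info): TGS_REQ (1 etypes {23}) 192.0.2.10: ISSUE: authtime 1672654501, etypes {rep=18 tkt=23 ses=23}, asyd@DEBIAN-FR.ORG for host/legacy.debian-fr.org@DEBIAN-FR.ORG
"""

def decode_etypes(line):
    """Return [(label, number, name), ...] for every enctype number on one KDC log line."""
    found = []
    for group_idx, body in enumerate(_ETYPES.findall(line)):
        for label, num in re.findall(r"(?:(\w+)=)?(\d+)", body):
            n = int(num)
            default = "offered" if group_idx == 0 else "issued"
            found.append((label or default, n, ENCTYPE_NAMES.get(n, f"unknown({n})")))
    return found

def deprecated_issued(line):
    """Deprecated enctypes the KDC actually issued; offered-only ones are not a finding."""
    return [(lbl, n, name) for lbl, n, name in decode_etypes(line)
            if lbl in ("rep", "tkt", "ses") and n in DEPRECATED]

def scan(log_text):
    """Map 1-based line numbers to their deprecated issued enctypes."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hits = deprecated_issued(line)
        if hits:
            findings[lineno] = hits
    return findings

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: deprecated enctypes issued: {hits}")
```

In the sample, the AS_REQ is clean because RC4 (23) was only offered, while the TGS_REQ for the legacy service is flagged because the ticket and session keys were issued with it.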