Hey, thanks Jonathan,

With the KDC and the Proxy, we've almost got the test suite nailed.

Cheers,

Peter.

Jonathan Costers (JIRA) wrote:
[ https://issues.apache.org/jira/browse/RIVER-307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12764451#action_12764451 ]
Jonathan Costers edited comment on RIVER-307 at 10/11/09 7:01 AM:
------------------------------------------------------------------

I have successfully installed and configured a testing KDC on my machine and 
have successfully run the hello example using this configuration.

Here is a rough guide:

1. Configure your network

2. Install MIT Kerberos 5 (example for Ubuntu)

sudo apt-get install krb5-kdc krb5-admin-server
sudo dpkg-reconfigure krb5-kdc

3. Configure MIT Kerberos 5 servers

The configuration file for Kerberos is /etc/krb5kdc/kdc.conf. This file provides settings for your Kerberos realm. Important settings here are the locations of the KDC's data files, and the default settings for the durations that tickets are valid.

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    YOURREALM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal arcfour-hmac:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Kerberos uses an Access Control List (ACL) to specify the access a principal 
will have to the Kerberos admin daemon. This file is /etc/krb5kdc/kadm5.acl. 
The default, as shown below, will suffice to get started. You may need to add 
additional ACLs depending on the needs of your network configuration.

*/ad...@yourrealm    *

Edit /etc/krb5.conf:

[libdefaults]
    default_realm = YOURREALM
    default_tgs_enctypes = des3-cbc-sha1 aes256-cts arcfour-hmac des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des3-cbc-sha1 aes256-cts arcfour-hmac des-cbc-md5 des-cbc-crc
    permitted_enctypes = des3-cbc-sha1 aes256-cts arcfour-hmac des-cbc-md5 des-cbc-crc

[realms]
        YOURREALM = {
                kdc = yourhostname.yourdomainname
                admin_server = yourhostname.yourdomainname
        }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Create the Kerberos database:

jonat...@calisto:~$ krb5_newrealm

Restart Kerberos services

4. Set up Principals

Use the program kadmin or kadmin.local to create principals. Running kadmin.local as root will let you authenticate without having an existing principal for yourself.

kadmin.local:  addprinc -pw yourpw youruser/admin

Create principals for hello example:

kadmin.local:  addprinc -pw serverpw -e des3-cbc-sha1 server
kadmin.local:  addprinc -pw clientpw -e des3-cbc-sha1 client
kadmin.local:  addprinc -pw reggiepw -e des3-cbc-sha1 reggie
kadmin.local:  addprinc -pw phoenixpw -e des3-cbc-sha1 phoenix


Verify:
kadmin.local:  listprincs
K/m...@lektronet
cli...@lektronet
root/ad...@lektronet
jonat...@lektronet
kadmin/ad...@lektronet
kadmin/chang...@lektronet
kadmin/hist...@lektronet
kadmin/localh...@lektronet
krbtgt/lektro...@lektronet
phoe...@lektronet
reg...@lektronet
ser...@lektronet

jonat...@calisto:~$ sudo kadmin
Authenticating as principal root/ad...@lektronet with password.
Password for root/ad...@lektronet:
kadmin:  q

jonat...@calisto:~$ kinit
Password for jonathan/@LEKTRONET:
jonat...@calisto:~$

5. Create keytab file for hello example

jonat...@calisto:~$ ktutil
ktutil:  addent -password -p server -k 1 -e des3-cbc-sha1
ktutil:  addent -password -p phoenix -k 1 -e des3-cbc-sha1
ktutil:  addent -password -p reggie -k 1 -e des3-cbc-sha1
ktutil:  wkt /home/jonathan/Documenten/NetBeansProjects/River/jtsk/trunk/examples/hello/config/krb-servers.keytab

6. Configure hello example script

Edit scripts/krb-setenv.sh:

REALM=${REALM:-YOURREALM}
KDC_HOST=${KDC_HOST:-yourhostname.yourdomainname}
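As an added example (not River's code or Jonathan's), a check I would run over the kdc.conf and krb5.conf above before this realm serves anything but a throwaway test: it parses the MIT profile syntax, including the nested `YOURREALM = { ... }` block, and lists the single-DES and RC4 enctypes the guide enables, with a helper that returns the same enctype list minus those entries. The embedded sample is a constructed, trimmed copy of the guide's kdc.conf.

```python
import re
# Single DES (des, des-cbc-*) and RC4 (arcfour-hmac*) are the enctype families MIT
# Kerberos marks weak; des3 is deprecated today too, but the 2009 guide relies on it.
# Constructed sample, trimmed from the kdc.conf in the guide above.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    YOURREALM = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal aes256-cts:normal arcfour-hmac:normal des-cbc-crc:normal des:normal des:v4
        default_principal_flags = +preauth
    }
"""

def parse_profile(text):
    """Parse MIT profile syntax to {section: {key: value}}; nested blocks give dotted keys."""
    sections, section, path = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if m := re.match(r"^\[(\w+)\]$", line):      # [section] header
            section, path = m.group(1), []
            sections.setdefault(section, {})
        elif line == "}":                             # end of a nested `name = {` block
            path.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                          # start of a nested block
                path.append(key)
            else:
                sections[section][".".join(path + [key])] = value
    return sections

def is_weak(enctype):
    """True for DES/RC4 enctypes; the ':salt' suffix used in kdc.conf is ignored."""
    base = enctype.split(":", 1)[0]
    return base == "des" or base.startswith(("des-", "arcfour-", "rc4-"))

def weak_enctypes(profile):
    """(section, key, enctype) for each weak enctype in *_enctypes / master_key_type."""
    return [(sec, key, enc) for sec, items in profile.items()
            for key, value in items.items()
            if key.endswith(("enctypes", "key_type"))
            for enc in value.split() if is_weak(enc)]

def strip_weak(value):
    """Hardened form of an enctype list: the same entries minus the weak ones."""
    return " ".join(e for e in value.split() if not is_weak(e))
```

The same functions accept the [libdefaults] block of the krb5.conf above, where they flag arcfour-hmac, des-cbc-md5 and des-cbc-crc in each of the three enctype lists.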


KDC (Key Distribution Center) Server for kerberos tests
-------------------------------------------------------

                Key: RIVER-307
                URL: https://issues.apache.org/jira/browse/RIVER-307
            Project: River
         Issue Type: Sub-task
         Components: Web site and infrastructure
           Reporter: Peter Firmstone

From Peter Jones's comment:
Another failed assumption of the previous internal Sun environment:
this test is expecting to find a Kerberos KDC at the host name
"jiniautot.east.sun.com".
FAILED: net/jini/jeri/kerberos/UnitTests/runTestEndpoints.sh
FAILED: net/jini/jeri/kerberos/UnitTests/runTestPerformance.sh
These tests failed because they attempt to invoke the JRE's "kinit"
tool using the internal sun.security.krb5.internal.tools.Kinit API,
from which it was available in 1.4.x and 5.0 JRE versions.  The Java
version of this tool was removed from the Solaris and Linux JREs for
version 6 because there is a native kinit on those platforms, although
it remains in the Windows JRE.
Beyond this kinit problem, though, these Kerberos tests would surely
have failed expecting to find a KDC at "jiniautot.east.sun.com" like
the previous two.
FAILED: net/jini/jeri/tcp/localHostExposure/LocalHostExposure.java
FAILED: net/jini/jeri/transport/multihomed/Multihomed.java
FAILED: net/jini/jeri/transport/multihomed/runMultihome.sh
These tests failed during the compilation phase because of this issue
discussed recently here:
http://mail-archives.apache.org/mod_mbox/incubator-river-dev/200904.mbox/%3c20090421151237.ga19...@east%3e
What's the best way to implement a KDC for tests? Your thoughts please?

