
Kerberos Installation Notes for RedHat and Fedora Systems

These instructions are for installing the Kerberos client on RedHat Linux machines. If you run into trouble, see the troubleshooting notes.

Installation Choices:

Using RedHat Kerberos 5 RPMs.
    If you want to use the Kerberos 5 distribution from RedHat then you can follow the directions below. This will work for most people.
Using NCSA's Kerberos 5 distribution.
    In AFS (/afs/ncsa/packages/kerberos/rpms/) there are Kerberos RPMs that install Kerberos into /usr/local/krb5.

Installing and using RedHat Kerberos 5 RPMs.

Installing the RPMs

    On many RedHat systems the Kerberos RPMs are installed when the operating system is first installed. You can find out which Kerberos RPMs are installed by running the following command:

     
       rpm -qa | grep krb
    
    If any are installed, you will get a list like the following:
     
    krbafs-1.2.2-9.2.1
    krb5-devel-1.4.3-5.1
    krb5-libs-1.4.3-5.1
    krb5-workstation-1.4.3-5.1
    pam_krb5-2.2.6-2.2
    
    The RPMs that you will need to have installed are krb5-workstation, krb5-libs, and pam_krb5. If these are not installed, you should grab the latest versions from RedHat/Fedora.

Configuring RedHat Kerberos 5

    The main problem with the RedHat Kerberos installation is that the Kerberos realm is usually not set up correctly. The easiest way to fix this is to move /etc/krb5.conf to /etc/krb5.conf.redhat and replace it with NCSA's krb5.conf file. Once you replace it with NCSA's krb5.conf, make sure the permissions on it are correct:

      chmod 644 /etc/krb5.conf
    
    The RedHat Kerberos binaries should now work for getting tickets and using the Kerberos clients to connect to other systems. You might want to put /usr/kerberos/bin on your path to make sure you are using the Kerberos versions of the telnet, rsh, rlogin, etc. clients.

Configuring RedHat Kerberos 5 application servers

Configuring PAM for Kerberos 5

Using ksu

    RedHat ships their ksu binary so that it is not suid root. You'll need to change this if you want to run ksu on the machine.
      # chmod u+s /usr/kerberos/bin/ksu
    
    You'll also need to have a host key on the system to run ksu. Please see the web page for adding a host to the Kerberos database for directions.
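
The script below is an added example, not part of the original NCSA page: it checks the three things the steps above change (the required RPMs, the mode of /etc/krb5.conf, and whether ksu is setuid). The function names and the sample listing are constructed for illustration, and it assumes GNU stat as shipped on RedHat/Fedora.

```shell
#!/bin/bash
# Added example (not from the original page): checks for the install steps above.
# Assumes GNU stat (standard on RedHat/Fedora); function names are hypothetical.

REQUIRED_RPMS="krb5-workstation krb5-libs pam_krb5"   # the three RPMs the page requires

# Reads `rpm -qa` output on stdin and prints each required RPM that is absent.
missing_krb_rpms() {
    listing=$(cat)
    for pkg in $REQUIRED_RPMS; do
        # Anchor on "name-<digit>" so krb5-libs does not match krb5-libs-foo.
        printf '%s\n' "$listing" | grep -Eq "^${pkg}-[0-9]" || echo "$pkg"
    done
}

# Succeeds only if $1 is a regular file with exactly mode 644 (the page's chmod).
conf_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "644" ]
}

# Prints absent, setuid or not-setuid for the ksu binary at $1.
ksu_state() {
    if [ ! -e "$1" ]; then echo "absent"
    elif [ -u "$1" ]; then echo "setuid"
    else echo "not-setuid"
    fi
}

# Checks the live host; the paths are the ones given on the page.
audit_host() {
    missing=$(rpm -qa | missing_krb_rpms)
    [ -z "$missing" ] || echo "missing RPMs:" $missing
    conf_mode_ok /etc/krb5.conf || echo "/etc/krb5.conf: expected regular file, mode 644"
    echo "ksu: $(ksu_state /usr/kerberos/bin/ksu)"
}

# Constructed sample: the page's listing with krb5-workstation left out.
SAMPLE_LISTING='krbafs-1.2.2-9.2.1
krb5-devel-1.4.3-5.1
krb5-libs-1.4.3-5.1
pam_krb5-2.2.6-2.2'

if [ "${1:-}" = "--audit" ]; then
    audit_host
else
    printf '%s\n' "$SAMPLE_LISTING" | missing_krb_rpms
fi
```

Run with --audit on the installed machine; with no argument it only evaluates the constructed sample listing. Recording the ksu state this way makes the setuid change a visible, deliberate choice on hosts where ksu is actually needed.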

Differences between RedHat and NCSA Kerberos 5 distributions

    The RedHat distribution of Kerberos is basically a standard compile of the MIT Kerberos distribution packaged in rpm format. However, the NCSA distribution has a number of "features" compiled in. One of these is that kinit automatically gets a forwardable ticket when run. With the RedHat version, the -f flag must be used to get a forwardable ticket ("kinit -f"). Likewise, all of the clients automatically forward the ticket with NCSA's version, whereas with RedHat you will need to use the -F flag to forward your ticket. For telnet you will also need the -a flag for automatic authentication ("telnet -Fa").

    If you are also using the RedHat Kerberos application servers (telnetd, rlogind, ftpd, etc.), you will not automatically get an AFS token (if you are running AFS) when logging in. Once you log in to your system, you will need to run aklog to get your token.



Questions or comments about this page may be sent to Kerberos@ncsa.uiuc.edu