
Kerberos Installation Notes for NCSA Unix Systems

These instructions are for installing the Kerberos client on machines that are on NCSA's network. If you have a remote machine which is not on NCSA's network then you can refer to the Installing Kerberos on remote systems page.

If you run into trouble see the troubleshooting notes.

Installation Choices:

Binaries on local disk or as a link to AFS?

    If you have AFS installed on your Unix system, you can either have the binaries stored on local disk or as a symbolic link into AFS. By having the binaries on local disk you protect yourself from AFS/network/whatever outages causing a loss of the binaries, but you then must manually copy down a new version of the binaries whenever you need to upgrade them. Obviously if your machine does not participate in NCSA's AFS cell then you must put the binaries on local disk.
Kerberos clients only or application servers (e.g. telnetd, ftpd, etc.) as well?
    If you only need to be making connections from your machine to other machines running Kerberos, then you only need to install the Kerberos client software. This can be done without special privileges on either the local machine or in the Kerberos realm.

    If you need to make Kerberos connections to your machine via telnet, rlogin or the like, then you will need to install the application servers and also get a Kerberos key for your machine. This will require root access on your machine and you will need to contact NCSA's Kerberos support staff to acquire the key.

Installation step 1: Installing the binaries

Option 1: Binaries are linked to AFS

    The standard place to install the binaries is in /usr/local/krb5.

    • Make /usr/local/krb5 a symbolic link to the appropriate directory in /afs/ncsa/packages/kerberos. The directories are named according to what operating system they are for.
    • cat /afs/ncsa/packages/kerberos/Common/install/afs/services >> /etc/services

Option 2: Binaries are on local disk and you want to tar up the distribution from AFS

    You can make your own distribution from the appropriate directory in /afs/ncsa/packages/kerberos.

    1. cd to the appropriate directory under /afs/ncsa/packages/kerberos
    2. run: tar cfh /tmp/krb5.tar *
      Note: on IRIX machines run "tar cfL /tmp/krb5.tar *"
    3. Copy the resulting tar file over to the target machine (assuming you're not on the target machine)
    4. Create the directory /usr/local/krb5
    5. cd to /usr/local/krb5
    6. untar the tar file: tar xf /tmp/krb5.tar

Option 3: Binaries are on local disk and you want to download the distribution from the Web

    Browser Requirements

    You can download unix binary distributions from the NCSA Kerberos 5 Binary download page. Note that you will need a valid NCSA account in order to do so.

    1. Create the directory /usr/local/krb5 with permissions 0755
    2. cd to /usr/local/krb5
    3. unpack the distribution file into this directory
      uncompress <distribution>.tar.Z ; tar xf <distribution>.tar

Option 4: I need to use the Kerberos clients on a machine but don't have root access to it

    If you don't have root access to a machine, and you can't (or don't want to) get those that do to install the Kerberos clients, you can install and use them as a normal user.

    1. Get a Kerberos distribution as suggested in option 2 or 3 above.
    2. Create a directory to hold the distribution. For the sake of these examples we'll assume it's /home/jdoe/krb5
    3. Unpack the distribution into /home/jdoe/krb5
    4. In order to run the Kerberos clients you need to set the KRB5_CONFIG environment variable to point at the location of the krb5.conf file (including the file name). For example, in csh you would run:
      • setenv KRB5_CONFIG /home/jdoe/krb5/etc/krb5.conf

    Note that if your machine has access to NCSA's AFS cell you can run the clients directly out of the AFS cell by setting the KRB5_CONFIG variable to /afs/ncsa/packages/kerberos/Common/etc/krb5.conf

Installation step 2: Configuring the application servers

    You only need to do this step if you need to run the Kerberos application servers (e.g. rlogind, telnetd, ftpd, rshd, ksu) to allow people to use Kerberos to connect to your Unix system. Otherwise you can skip to Step 3.

Step 2.1: Get a Kerberos host key

Step 2.2: Add Kerberos services to /etc/services

    The file /usr/local/krb5/etc/services contains a list of services you need to add to your /etc/services file. You can append these entries to your file with the following command:

    • cat /usr/local/krb5/etc/services >> /etc/services

    If that file does not exist then you can take a look at this copy of the services entries.
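As an added example (not part of the NCSA page), a small POSIX shell script for this step that appends the Kerberos entries to /etc/services but skips lines already present, so re-running the step does not duplicate entries, and reports a port/protocol that is already assigned to a different service name instead of silently adding a second one. The merge_services and demo_merge functions and the sample service files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the NCSA page): merge the Kerberos entries from
# /usr/local/krb5/etc/services into /etc/services without duplicating lines
# when the step is re-run, and without silently doubling up a port that is
# already assigned to another service.

# merge_services <krb5 services file> <target services file>
# Prints the number of entries appended. Try it on copies first.
merge_services() {
    src="$1"; dst="$2"; added=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                       # $1 = name, $2 = port/proto
        case "${1:-}" in ''|'#'*) continue ;; esac
        name="$1"; portproto="${2:-}"
        [ -n "$portproto" ] || continue    # malformed line, ignore it
        # Same name and port/proto already present: nothing to do.
        if awk -v n="$name" -v p="$portproto" \
               '$1 == n && $2 == p { f = 1 } END { exit !f }' "$dst"; then
            continue
        fi
        # Same port/proto bound to a different name: report it, leave it alone.
        if awk -v p="$portproto" '$2 == p { f = 1 } END { exit !f }' "$dst"; then
            echo "conflict on $portproto, not adding: $line" >&2
            continue
        fi
        printf '%s\n' "$line" >> "$dst"
        added=$((added + 1))
    done < "$src"
    echo "$added"
}

# demo_merge: constructed sample files (not NCSA's real ones) in a scratch
# directory; prints "first=N second=M" for two consecutive merges.
demo_merge() {
    tmp=$(mktemp -d)
    printf 'ftp      21/tcp\ntelnet   23/tcp\nkerberos 88/udp kdc\notherpop 1109/tcp\n' \
        > "$tmp/services"
    printf '# Kerberos services (constructed sample)\nkerberos 88/udp kdc\n' \
        > "$tmp/krb5.services"
    printf 'kerberos 88/tcp kdc\nklogin   543/tcp\nkshell   544/tcp cmd\nkpop     1109/tcp\n' \
        >> "$tmp/krb5.services"
    first=$(merge_services "$tmp/krb5.services" "$tmp/services")
    second=$(merge_services "$tmp/krb5.services" "$tmp/services")
    rm -rf "$tmp"
    echo "first=$first second=$second"
}
```

In the constructed sample the first run adds three lines (kerberos 88/udp is already there and kpop collides with otherpop on 1109/tcp) and the second run adds none.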

Step 2.3: Add Kerberos servers to /etc/inetd.conf

    The file /usr/local/krb5/etc/inetd.conf contains example entries for installing Kerberos servers in a /etc/inetd.conf file. You need to look through this file and decide which servers you want to run and add these to your /etc/inetd.conf file. After making changes to your inetd.conf file, don't forget to restart your inetd daemon (usually kill -HUP <inetd's pid>).

    Note that the klogind and kshell daemons run on different ports than their standard BSD counterparts, so there is no problem running them in parallel. However, the Kerberos telnet and ftp daemons will by default use the same port as their BSD counterparts. You can run them in parallel on alternate ports (for example, we commonly run Kerberized telnet on port 888 here at NCSA when we don't want to replace the vendor or AFS telnetd), or you can replace the vendor daemons with the Kerberos ones. If you want to use the Kerberos daemons, comment out the current vendor-supplied ones in the inetd.conf file, uncomment the Kerberos ftp line, and copy the ktelnet line and remove the "k" from ktelnet so it's just telnet.

    Here is a copy of the inetd.conf entries.

Option 2: Installing application servers in an alternate directory

    If you need to install the Kerberos distribution in a different directory than /usr/local/krb5, then here are the additional steps that need to be taken for configuring the application servers.

    The krb5.conf file will need to be copied to the /etc directory:

        % cp <local krb5 dir>/etc/krb5.conf /etc

    If you are running AFS and want to get a token when logging in, you will need to change the krb5_aklog_path setting in krb5.conf to point to your alternate installed location:

        krb5_aklog_path = <local krb5 dir>/bin/aklog

    You will also need to modify the krb5 entries in the inetd.conf file. These are different from the normal entries and contain -L flags at the end of some lines. Here is a copy of the new entries. You will need to replace <local krb5 dir> with the location where Kerberos was installed.

Installation step 3: Configuring AFS support

    Edit the file /usr/local/krb5/etc/krb5.conf and look for a line near the beginning of the file that looks like:

           krb5_run_aklog = 0

    If you have AFS on your system and you have access to NCSA's cell, change the 0 to a 1 so the line looks like:

           krb5_run_aklog = 1

    This will tell kinit to get an AFS token for you whenever you get a Kerberos ticket.

Step 3.1: Additional Configuration for AFS/NFS translator clients

    On AFS clients using an AFS/NFS translator you need to make sure that the files /.AFSSERVER and /.AFSCONF are in place and are world-readable (permissions should be 0644). The file /.AFSSERVER contains the full hostname of the machine acting as a translator. The file /.AFSCONF contains the path to the AFS configuration files, typically /afs/ncsa/service/etc.

    If you don't know if you are using an AFS translator, run the command:

    df | grep afs

    and the output should look like one of the following lines:

    AFS                  9000000       0  9000000      0%   /afs

    or

    translator:/afs          72000000       0  72000000      0%   /afs

    If you see the first line (with the capital AFS) that means you have a native AFS client and you don't need to worry about the /.AFSSERVER and /.AFSCONF files.

    If you see the second line, that means you are using a translator (in this case the translator is the host translator) and you need to make sure the /.AFSSERVER and /.AFSCONF files exist.
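As an added example (not from the NCSA page), a POSIX shell script that classifies the df output shown above and, for a translator mount, checks that /.AFSSERVER and /.AFSCONF exist, are non-empty and are world-readable as the page requires. The function names afs_mount_kind, check_translator_files and demo_kinds, and the optional root argument used to check a scratch directory instead of /, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the NCSA page): tell a native AFS client from an
# AFS/NFS translator mount using the df output format the page shows, and
# verify the /.AFSSERVER and /.AFSCONF files a translator client needs.

# afs_mount_kind: reads df-style lines on stdin and prints "native",
# "translator:<host>" or "none" for whatever is mounted on /afs.
afs_mount_kind() {
    awk '$NF == "/afs" && !done {
             if ($1 == "AFS") { print "native"; done = 1 }
             else if ((n = index($1, ":")) > 0) {
                 print "translator:" substr($1, 1, n - 1); done = 1
             }
         }
         END { if (!done) print "none" }'
}

# check_translator_files [root]: verify root/.AFSSERVER and root/.AFSCONF
# exist, are non-empty and are world-readable. root defaults to /; pass a
# scratch directory to exercise it without touching the real files.
# Returns 0 when both files pass, 1 otherwise (problems go to stderr).
check_translator_files() {
    root="${1:-}"; status=0
    for f in "$root/.AFSSERVER" "$root/.AFSCONF"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2; status=1; continue
        fi
        # Characters 8-10 of the ls -l mode string are the "other" bits;
        # the 8th must be r for a 0644 (or similar) file.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ???????r*) ;;
            *) echo "not world-readable ($mode): $f" >&2; status=1 ;;
        esac
    done
    return "$status"
}

# demo_kinds: run the page's two sample df lines through the classifier.
demo_kinds() {
    printf '%s\n' 'AFS                  9000000       0  9000000      0%   /afs' | afs_mount_kind
    printf '%s\n' 'translator:/afs          72000000       0  72000000      0%   /afs' | afs_mount_kind
}
```

On a real translator client run `df | grep afs | afs_mount_kind` and then `check_translator_files` with no argument to inspect the files under /.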


Question or comments about this page may be sent to Kerberos@ncsa.uiuc.edu