Consider the following examples: First the /etc/krb5.conf In this example a second domain is configured (Active Directory) for cross realm authentication with AES256 encryption being used by AD. Using AES256 means that one must install the JCE Policy Files For JDK6 or the JCE Policy Files for JDK7 to use stron encryption like AES256. Note the Items in bold that are pointed, out, they should be set in that specific file (krb5.condif) [logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = TEST.LAB
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
TEST.ORG.LAB = {
kdc = Win2k8x64-AD4.test.org.lab:88
kdc = Win2k8x64-AD2.test.org.lab:88
admin_server = Win2k8x64-AD4.test.org.lab:749
admin_server = Win2k8x64-AD2.test.org.lab:749
default_domain = test.org.lab
}
TEST.LAB = {
kdc = kdc1.test.lab:88
admin_server = kdc1.test.lab:749
default_domain = test.lab
}
[domain_realm]
.test.lab = TEST.LAB
test.lab = TEST.LAB
.test.org.lab = TEST.ORG.LAB
test.org.lab = TEST.ORG.LAB Consider the following for the /var/kerberose/krb5kdc/kdc.conf, calling out items to set in this file as Bold Text, below. [kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
TEST.LAB = {
#master_key_type = aes256-cts
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
default_principal_flags = +renewable
}
... View more
