Tuesday, December 21, 2010

How to add a new host to Kerberos

Each host (a client computer) that needs to be part of a Kerberos realm must have a principal and a keytab. Let's do that for host deby01. This command must be run on the Kerberos administrative server (kdc1):
kadmin.local -q "addprinc -randkey host/deby01.dev.local"
This one is run on the client (deby01):
kadmin -p admin -q "ktadd host/deby01.dev.local"
or consider using the following script (file /usr/local/sbin/kdc-add):
#!/bin/sh
# Create the principal for this host and store its key in the local keytab.
# Usage: kdc-add [TYPE]   (TYPE defaults to host, e.g. kdc-add nfs)

type=host
if [ -n "$1" ]; then type=$1; fi

# /etc/hostname must contain the fully qualified name (see the tests below).
fqdn=$(cat /etc/hostname)

# Print each kadmin command before running it.
set -x
kadmin -p admin -q "addprinc -randkey $type/$fqdn"
kadmin -p admin -q "ktadd $type/$fqdn"
You can run it on the machine you wish to add (you will be prompted for the admin password twice):
kdc-add
Please note that each host added to Kerberos must have a fully qualified hostname. Both forward and reverse DNS mapping must work properly. Here are a few simple tests:
deby01:~# hostname
deby01.dev.local

deby01:~# dig deby01.dev.local +short
192.168.2.41

deby01:~# dig -x 192.168.2.41 +short
deby01.dev.local.
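A small pre-flight script that automates the checks above (FQDN, forward/reverse DNS, host principal present in the keytab, keytab locked down to root), added here as an example and not part of the original post; the script name kdc-check, its function names, the default_realm lookup in /etc/krb5.conf and the sample values are assumptions:

```sh
#!/bin/sh
# kdc-check: pre-flight checks for a host about to be enrolled with kdc-add.
# Script name, function names and the sample values are assumptions, not from the post.

# Kerberos host principals use the FQDN: at least one dot, no trailing dot.
is_fqdn() {
    case "$1" in
        *.)  return 1 ;;   # "deby01.dev.local." is a DNS name, not a hostname
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# $1 = hostname, $2 = `dig NAME +short` output, $3 = `dig -x ADDR +short` output.
# dig prints PTR answers with a trailing dot, so strip it before comparing.
dns_consistent() {
    [ -n "$2" ] && [ "${3%.}" = "$1" ]
}

# $1 = `klist -k` listing, $2 = principal (e.g. host/deby01.dev.local), $3 = realm.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2@$3\$"
}

# $1 = octal mode from `stat -c %a`, $2 = owner from `stat -c %U`.
# The keytab is the host's long-term key: root-owned, no group/world access.
keytab_mode_ok() {
    [ "$2" = root ] || return 1
    case "$1" in *00) return 0 ;; *) return 1 ;; esac
}

# Live checks; assumes hostname, dig, klist and stat, plus default_realm in /etc/krb5.conf.
run_checks() {
    name=$(hostname -f)
    is_fqdn "$name" || { echo "not fully qualified: $name"; return 1; }
    fwd=$(dig "$name" +short | head -n 1)
    rev=$( [ -n "$fwd" ] && dig -x "$fwd" +short | head -n 1 )
    dns_consistent "$name" "$fwd" "$rev" || { echo "DNS mismatch: $name -> $fwd -> $rev"; return 1; }
    realm=$(awk -F' *= *' '/default_realm/ { print $2 }' /etc/krb5.conf)
    keytab_has_principal "$(klist -k /etc/krb5.keytab)" "host/$name" "$realm" \
        || { echo "host/$name@$realm missing from /etc/krb5.keytab (run kdc-add)"; return 1; }
    keytab_mode_ok "$(stat -c %a /etc/krb5.keytab)" "$(stat -c %U /etc/krb5.keytab)" \
        || { echo "/etc/krb5.keytab must be root-owned, mode 0600"; return 1; }
    echo "ok: $name is enrolled"
}

# Run the live checks only when executed as kdc-check, so the functions can be sourced.
case "$(basename -- "$0")" in kdc-check) run_checks ;; esac
```

Save it as /usr/local/sbin/kdc-check and run it as root on the client before and after kdc-add; sourcing the file instead only defines the functions.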
Read more here.
