
Setting up Kerberos in Mac OS X

Kerberos in Mac OS X

Kerberos authentication allows the computers in the same domain network to authenticate to certain services without prompting the user for credentials. Mac OS X ships with Heimdal Kerberos, an alternative implementation of Kerberos that uses LDAP as its identity management database.
Here we are going to learn how to set up Kerberos on Mac OS X, which we will configure later in our application.

Installing Kerberos

On a Mac we can use Homebrew to install software packages. Homebrew makes installing Kerberos as easy as executing the single command given below.
brew install krb5
Once the installation is complete, we need to add the export commands below to the user's profile. They prepend the Homebrew krb5 directories to PATH, so its utility commands take precedence over the Kerberos tools that ship with the system, and they point the compiler at its headers and libraries.
Open the user's bash profile:
vi ~/.bash_profile
Add the lines below:
    export PATH=/usr/local/opt/krb5/bin:$PATH
    export PATH=/usr/local/opt/krb5/sbin:$PATH
    export LDFLAGS="-L/usr/local/opt/krb5/lib"
    export CPPFLAGS="-I/usr/local/opt/krb5/include"

Creating kerberos configuration

Now we need to create the Kerberos configuration that will be used while setting up our installed Kerberos. In this configuration we set up things such as the realm and domain names, the KDC, logging and the default keytab. Kerberos looks for the /etc/krb5.conf file, which is the default configuration location on Mac OS, and we will create this file if it does not exist. If the file already exists, the existing Kerberos configuration can be modified instead. Here I am considering the situation where this file is not available and we need to create it.
To create our Kerberos configuration, we will use the user and domain below.
User: macuser
Domain: myserver.localhost
To resolve the domain above, we need to add the entry below to the /etc/hosts file.
127.0.0.1 myserver.localhost MYSERVER.LOCALHOST

/etc/krb5.conf

Execute the command below to create the file.
sudo vi /etc/krb5.conf
Put the configuration below in this file and save it. In it we also set the default encryption types supported and whether weak encryption is allowed. The keytab, admin keytab and KDC database locations are set here too; the same database will be created later and the users and realm added to it.
[libdefaults]
    default_realm = MYSERVER.LOCALHOST
    default_keytab_name = file:/Users/macuser/krb5/conf/krb5.keytab
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    allow_weak_crypto = true
    forwardable = true
    dns_lookup_realm = false
    dns_lookup_kdc = false

[logging]
    default = FILE:/Users/macuser/krb5/logs/krb5kdc.log
    admin_server = FILE:/Users/macuser/krb5/logs/kadmind.log
    kdc = FILE:/Users/macuser/krb5/logs/krb5kdc.log
[realms]
    MYSERVER.LOCALHOST = {
        kdc = myserver.localhost
        database_name = /Users/macuser/krb5/db/principal
        admin_server = myserver.localhost
        admin_keytab = file:/Users/macuser/krb5/conf/kadm5.keytab
    }
    MYSERVER = {
        kdc = myserver.localhost
        database_name = /Users/macuser/krb5/db/principal
        admin_server = myserver.localhost
        admin_keytab = file:/Users/macuser/krb5/conf/kadm5.keytab
        default_domain = myserver.localhost
    }
[domain_realm]
    .localhost = MYSERVER.LOCALHOST
    myserver.localhost = MYSERVER.LOCALHOST
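A pre-flight check for a configuration like the one above, added here as an example and not part of the original post: it parses a krb5.conf (including the nested `REALM = { ... }` blocks that Python's configparser cannot read), lists every directory the file refers to that does not exist yet (the cause of the "No such file or directory" errors from kdb5_util and kadmin.local that readers report in the comments), and reports whether allow_weak_crypto is switched on. The sample config, the names SAMPLE_CONF, PATH_KEYS, parse_krb5_conf, preflight and demo, and the temporary directory standing in for /Users/macuser/krb5 are all assumptions of this example.

```python
import os
import tempfile

# Constructed sample modelled on the post's /etc/krb5.conf; {base} is filled in at run time.
SAMPLE_CONF = """\
[libdefaults]
    allow_weak_crypto = true
[realms]
    MYSERVER.LOCALHOST = {{
        kdc = myserver.localhost
        database_name = {base}/db/principal
        admin_keytab = file:{base}/conf/kadm5.keytab
    }}
"""
PATH_KEYS = {"database_name", "default_keytab_name", "admin_keytab", "default", "kdc", "admin_server"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; keys inside 'REALM = { ... }' are stored as 'REALM.key'."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments; blank lines match no branch
        if line.startswith("["):
            section, block = line.strip("[]"), None
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = key
            else:
                conf.setdefault(section, {})[f"{block}.{key}" if block else key] = value
    return conf
def preflight(conf):
    """Return (directories the config needs but that do not exist, allow_weak_crypto flag)."""
    wanted = set()
    for settings in conf.values():
        for key, value in settings.items():
            path = value[5:] if value.lower().startswith("file:") else value
            # hostnames such as 'kdc = myserver.localhost' are not paths and are skipped
            if key.rsplit(".", 1)[-1] in PATH_KEYS and path.startswith("/"):
                wanted.add(os.path.dirname(path))
    weak = conf.get("libdefaults", {}).get("allow_weak_crypto", "false").lower() == "true"
    return sorted(d for d in wanted if not os.path.isdir(d)), weak
def demo():
    with tempfile.TemporaryDirectory() as tmp:    # throwaway tree standing in for /Users/macuser/krb5
        conf = parse_krb5_conf(SAMPLE_CONF.format(base=tmp))
        missing, weak = preflight(conf)           # before the fix: conf and db are missing
        for d in missing:
            os.makedirs(d)                        # the fix: create the directories, then re-check
        return [os.path.basename(d) for d in missing], weak, preflight(conf)[0]
```

To check the real file, pass the contents of /etc/krb5.conf to parse_krb5_conf and run preflight on the result. With only AES enctypes configured above, allow_weak_crypto = true is not needed and can be left at its default of false.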

Create database

To create the database we need to create the directory structure below, which we referenced in our Kerberos configuration file.
/Users/macuser/krb5/db/
/Users/macuser/krb5/conf/
/Users/macuser/krb5/logs/
We need to execute the command below to create the database.
kdb5_util create -r MYSERVER.LOCALHOST -s
You will see output similar to the following, showing the database location that we configured in the Kerberos configuration file.
Loading random data
Initializing database '/Users/macuser/krb5/db/principal' for realm 'MYSERVER.LOCALHOST',
master key name 'K/M@MYSERVER.LOCALHOST'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Creating principals, policies and keytab files

Execute the commands below to open the kadmin console in the given directory. If you want to use specific encryption types while configuring the database and keytab, open kadmin with the same command and pass the "-e" parameter with a comma-separated list of encryption types.
cd /Users/macuser/krb5/conf/
kadmin.local
Now execute the commands below in the kadmin console to create policies. Policy creation is not necessary, but it is always helpful to manage users using policies.
addpol users
addpol admin
addpol hosts
Execute the commands below in the kadmin console to create principals.
addprinc -policy users macuser
addprinc -policy admin macuser/admin
addprinc -randkey -policy hosts host/myserver.localhost
addprinc -randkey HTTP/myserver.localhost
Execute the commands below in the kadmin console to create the keytab files.
ktadd -k krb5.keytab host/myserver.localhost
ktadd -k krb5.keytab HTTP/myserver.localhost
ktadd -k krb5.keytab macuser

ktadd -k kadm5.keytab kadmin/admin kadmin/changepw

Verifying and initializing keytab

Exit the kadmin console by typing "quit" and execute the command below to check the keytab entries.
klist -e -k -t krb5.keytab
It will give you the output below:
Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/29/19 20:40:17 host/myserver.localhost@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
   2 12/29/19 20:40:17 host/myserver.localhost@MYSERVER.LOCALHOST (aes128-cts-hmac-sha1-96) 
   2 12/29/19 20:40:32 HTTP/myserver.localhost@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
   2 12/29/19 20:40:32 HTTP/myserver.localhost@MYSERVER.LOCALHOST (aes128-cts-hmac-sha1-96) 
   2 12/29/19 20:40:43 macuser@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
   2 12/29/19 20:40:43 macuser@MYSERVER.LOCALHOST (aes128-cts-hmac-sha1-96) 
Now execute the same command on "kadm5.keytab" to check the admin entries. The output is shown below.
Keytab name: FILE:kadm5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/29/19 20:40:55 kadmin/admin@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
   2 12/29/19 20:40:55 kadmin/admin@MYSERVER.LOCALHOST (aes128-cts-hmac-sha1-96) 
   2 12/29/19 20:40:55 kadmin/changepw@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
   2 12/29/19 20:40:55 kadmin/changepw@MYSERVER.LOCALHOST (aes128-cts-hmac-sha1-96) 
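A check of the `klist -e -k -t` listing, added here as an example and not part of the original post: it parses the table format shown above, confirms the three principals the post adds to krb5.keytab are present, flags any key whose enctype only allow_weak_crypto = true would permit, and reports a principal whose keys carry different KVNOs. The sample listing is constructed (it deliberately omits HTTP/ and includes a stale single-DES key); ENTRY, WEAK_PREFIXES, parse_klist, audit_keytab, SAMPLE and REQUIRED are names chosen for this example.

```python
import re

# One row of "klist -e -k -t": KVNO, date and time, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s+\((\S+)\)\s*$")
WEAK_PREFIXES = ("des", "arcfour", "rc4")   # enctypes that allow_weak_crypto = true lets in

def parse_klist(text):
    """Return [(kvno, principal, enctype)] for every key row in the klist table."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def audit_keytab(text, required):
    """Return findings as strings; an empty list means the keytab holds what the KDC needs."""
    rows = parse_klist(text)
    present = {principal for _, principal, _ in rows}
    findings = [f"missing principal {p}" for p in required if p not in present]
    for kvno, principal, enctype in rows:
        if enctype.lower().startswith(WEAK_PREFIXES):
            findings.append(f"weak enctype {enctype} for {principal}")
    for principal in sorted(present):
        kvnos = sorted({k for k, p, _ in rows if p == principal})
        if len(kvnos) > 1:   # two ktadd runs re-randomized this key; unexpected on a fresh setup
            findings.append(f"mixed KVNOs {kvnos} for {principal}")
    return findings

# Constructed sample modelled on the post's output: HTTP/ was never added, and an
# older single-DES key for macuser was left behind by an earlier ktadd.
SAMPLE = """\
Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 12/29/19 20:40:17 host/myserver.localhost@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
   2 12/29/19 20:40:17 host/myserver.localhost@MYSERVER.LOCALHOST (aes128-cts-hmac-sha1-96) 
   1 12/29/19 20:40:43 macuser@MYSERVER.LOCALHOST (des-cbc-crc) 
   2 12/29/19 20:40:43 macuser@MYSERVER.LOCALHOST (aes256-cts-hmac-sha1-96) 
"""
REQUIRED = ["host/myserver.localhost@MYSERVER.LOCALHOST",
            "HTTP/myserver.localhost@MYSERVER.LOCALHOST",
            "macuser@MYSERVER.LOCALHOST"]

if __name__ == "__main__":
    for finding in audit_keytab(SAMPLE, REQUIRED):
        print(finding)
```

On a real machine, feed the captured output of `klist -e -k -t krb5.keytab` to audit_keytab in place of SAMPLE. A keytab stands in for the principals' passwords, so it should be readable only by the account that runs krb5kdc, kadmind and the service that uses it, not by every user on the machine.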
Now check that other users also have read permission on both keytab files created above; if not, update their permissions. After that, execute the commands below in the given sequence to start your Kerberos services.
krb5kdc
kadmind
Finally, execute the command below to initialize your keytab with the given user.
kinit macuser@MYSERVER.LOCALHOST -kt krb5.keytab
It will ask for the password we set during principal creation.
Now open the "Ticket Viewer" and you will see a screen similar to the one below for your initialized user.
[Screenshot: Ticket Viewer showing the ticket for the initialized user]
You can check my other post on implementing Kerberos authentication using Spring Boot and the SPNEGO API.
https://www.thetechnojournals.com/2019/12/integratedkerberos-authentication-using.html

Comments

  1. I am trying to follow the instructions to set up my Kerberos server on mac OS. I have faced two issues:

    1) ```kdb5_util create -r MYSERVER.LOCALHOST -s```: after you input the password, I get the error
    ```kdb5_util: Can not fetch master key (error: No such file or directory). while initializing the Kerberos admin interface```

    2) ```cd /Users/macuser/krb5/conf/
    kadmin.local
    ```
    I have the problem that kadmin.local is trying to open the database `/usr/local/Cellar/krb5/1.17.1/var/krb5kdc/principal`, and this gives the result "No such file or directory while initializing kadmin.local interface".

    Is there anything wrong? Any suggestion will be appreciated.

    1. You are getting these issues because your database couldn't be created, and then later it failed during initialization due to the same issue.
      It seems you have not defined the database setting below in your "/etc/krb5.conf" file, which specifies the desired location for the database.
      database_name = /Users/macuser/krb5/db/principal
      If you don't want to use the setting above and want to use the default location for the database, then please make sure that you have the folder hierarchy below; if not, please create the folders. The folder hierarchy for the database must be present for both the custom and the default database location.
      /usr/local/Cellar/krb5/1.17.1/var/krb5kdc/
      Then try to create the database using kdb5_util.

  2. Thanks for your reply.

    I have defined the database setting in the config file; however, it seems like kadmin.local cannot find the default realm I configured in krb5.conf, and I have to use `sudo kadmin -r MYSERVER.LOCALHOST` to let it know the path of the database.

    For the first issue, I simply added "sudo" in front of the command to execute, and then the issue was gone.

  3. Hi,

    I've followed all the steps you provided, but when I run the `kdb5_util create -r MYSERVER.LOCALHOST -s` command, after typing the master key password I get the following error:

    kdb5_util: Key table file '/usr/local/Cellar/krb5/1.17.1/var/krb5kdc/.k5.MYSERVER.LOCALHOST_tmp' not found while storing key
    Warning: couldn't stash master key.
    kdb5_util: Can not fetch master key (error: No such file or directory). while initializing the Kerberos admin interface

    What am I doing wrong? Do you have any suggestion, please?

    Thanks in advance

    1. I tried your previous suggestion: creating the `/usr/local/Cellar/krb5/1.17.1/var/krb5kdc/` path. This solved my issue. Now I have another one. When I run `kadmin.local` I get the following error:

      kadmin.local: unsupported command

      Any suggestion?

      Thanks in advance

    2. It seems your krb5 sbin directory is not set in the environment's PATH, so the command cannot be found. You can set it by exporting the location "/usr/local/opt/krb5/sbin" in the PATH variable. If this location is not available, then you can export the location "/usr/local/Cellar/krb5/1.17.1/sbin" in the PATH variable. Another way is to execute the command by prepending its actual location, for example "/usr/local/opt/krb5/sbin/kadmin.local".

    3. First of all, thanks for your support!

      My krb5 sbin path is already set up as an environment variable.
      However, using kadmin.local inside the "/usr/local/Cellar/krb5/1.17.1/sbin" folder, everything works fine.

      Thanks again!

