Red Hat Enterprise Linux 5 Administration Unleashed

CHAPTER 12  Identity Management

Enabling Kerberos

Unlike other authentication systems, Kerberos is designed to allow authorized users access to systems and services based on an encrypted ticketing system. The key distribution center (KDC) stores the Kerberos database, and the ticket-granting server (TGS) issues tickets to clients.

Each client begins by requesting a ticket-granting ticket (TGT) from the KDC. The user enters a password, and the client derives the user's long-term key from it; the KDC holds the same key in its database, so the password itself never crosses the network. The KDC's reply has two parts: the TGT, which is encrypted with the TGS's own key and is opaque to the client, and a session key for use with the TGS, encrypted with the user's key. The client decrypts the session key with the password-derived key; a wrong password simply fails to decrypt. The TGT and the corresponding ticket session key (TSK) held on the client are together called credentials. Credentials automatically time out after a configured amount of time, which is 10 hours by default. Each Kerberos server is responsible for granting access for a particular realm, the set of hosts and services that trust that KDC.

Usually, the realm name is the same as the domain name. To distinguish between realm names and domain names, realms are written in all uppercase letters and domain names in all lowercase letters. Be sure to use this convention when modifying configuration files: realm names are case sensitive, so EXAMPLE.COM and example.com name two different realms.

NOTE
If SELinux, a mandatory access control security mechanism, is set to enforcing mode, Kerberos is protected by it. For the default targeted policy, the system is allowed to work with Kerberos by setting the SELinux boolean allow_kerberos to 1. Refer to Chapter 23 for details on SELinux. Execute the man kerberos_selinux command for more information on how SELinux affects Kerberos.

Allowing Kerberos Connections

Kerberos uses TCP and UDP port 88 by default. The kpasswd user application for changing the user's password uses TCP and UDP port 464. The kadmin program uses TCP port 749. If klogin is used, it uses TCP port 543, or TCP port 2105 for the encrypted version (eklogin).
If additional Kerberized applications are enabled, refer to /etc/services for their port numbers. Only the KDC (and the admin server running kadmind, which serves both kpasswd and kadmin) needs to accept inbound connections on these ports; Kerberos clients only initiate connections to them.

If custom IPTables rules are being used, refer to Chapter 24 for details on how to allow connections on a specific port.

If the default security level is enabled instead of custom IPTables rules, use the Security Level Configuration tool to allow Kerberos connections. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a non-root user. Click Add next to the Other ports table to add a port.
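The ticket exchange described under Enabling Kerberos above, reduced to a runnable model. This is an added example, not code from the book or from MIT krb5: the cipher is an HMAC-based stand-in rather than a real Kerberos encryption type, the principal tfox@EXAMPLE.COM and its password are constructed, and the KDC answers without pre-authentication so that the offline-guessing risk pre-authentication closes is visible in the code. What the model shows that the prose does not is which party can open which part of the KDC's reply: the TGT opens only under the krbtgt key, the session key only under the password-derived key, and a wrong password fails as an integrity error rather than as a rejected login.

```python
"""Toy model of the Kerberos AS exchange (kinit), standard library only.  Added
example, not from the book or MIT krb5: the cipher is an HMAC-SHA256 stand-in, NOT an
RFC 3961 enctype; faithful is who can read what: TGT -> TGS only, session key -> user."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

REALM = "EXAMPLE.COM"                      # realm upper-case, DNS name lower-case
TGS_PRINCIPAL = f"krbtgt/{REALM}@{REALM}"  # the ticket-granting server's principal
DEFAULT_LIFETIME = 10 * 3600               # the book's 10-hour default


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Password -> long-term key.  The salt (realm + name components, no separator)
    and 4096 iterations are RFC 3962's defaults; the toy stops at PBKDF2."""
    salt = (realm + principal.split("@", 1)[0].replace("/", "")).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, payload: dict) -> bytes:
    # Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag.
    nonce = os.urandom(16)
    pt = json.dumps(payload, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    # Inverse of seal(); a wrong key surfaces as an integrity failure.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def opens(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


class KDC:
    def __init__(self, realm: str, passwords: dict):
        self.realm = realm   # one long-term key per principal, krbtgt included
        self.db = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}
        self.db[TGS_PRINCIPAL] = os.urandom(32)  # krbtgt key is random, not a password

    def as_exchange(self, cname: str, now: int, lifetime: int = DEFAULT_LIFETIME) -> dict:
        """AS-REQ -> AS-REP.  Without pre-authentication the KDC answers for any known
        principal (unknown ones raise KeyError); only the password holder can open
        enc_part, so anyone can fetch it and guess the password offline."""
        session_key, endtime = os.urandom(32), now + lifetime
        ticket = seal(self.db[TGS_PRINCIPAL],  # the TGT: readable by the TGS only
                      {"cname": cname, "key": session_key.hex(), "endtime": endtime})
        enc_part = seal(self.db[cname],        # readable by the user only
                        {"key": session_key.hex(), "endtime": endtime, "srealm": self.realm})
        return {"cname": cname, "ticket": ticket, "enc_part": enc_part}


@dataclass
class Credential:
    """The book's 'credentials': TGT plus its session key, as kept in the ccache."""
    ticket: bytes        # opaque to the client; forwarded to the TGS unchanged
    session_key: bytes   # the 'ticket session key' (TSK)
    endtime: int

    def expired(self, now: int) -> bool:
        return now >= self.endtime


def kinit(kdc: KDC, cname: str, password: str, now: int) -> Credential:
    """Request a TGT, then prove the password by decrypting enc_part."""
    rep = kdc.as_exchange(cname, now)
    part = unseal(string_to_key(password, kdc.realm, cname), rep["enc_part"])
    return Credential(rep["ticket"], bytes.fromhex(part["key"]), part["endtime"])


def demo(now: int = 1_700_000_000) -> dict:
    """Run the exchange for a constructed user and report who can read what."""
    user, password = f"tfox@{REALM}", "correct horse battery staple"  # constructed
    kdc = KDC(REALM, {user: password})
    cred = kinit(kdc, user, password, now)
    tgs_view = unseal(kdc.db[TGS_PRINCIPAL], cred.ticket)  # the TGS reads the TGT
    wrong_key = string_to_key("wrong password", REALM, user)
    return {
        "client_reads_tgt": opens(string_to_key(password, REALM, user), cred.ticket),
        "tgs_sees_same_session_key": bytes.fromhex(tgs_view["key"]) == cred.session_key,
        "wrong_password_opens_enc_part": opens(wrong_key, kdc.as_exchange(user, now)["enc_part"]),
        "lifetime_seconds": cred.endtime - now,
        "expired_after_lifetime": cred.expired(now + DEFAULT_LIFETIME),
    }
```

Calling demo() returns a report in which only the TGS can read the TGT, the user's key recovers the same session key the TGS sees, a wrong password opens nothing, and the credential expires exactly at the 10-hour mark. The salt convention in string_to_key is also why the realm must be spelled identically, case included, on the KDC and on every client: a different spelling derives a different key.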
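For the firewall procedure above, an added example (not from the book) that reads the port numbers from an /etc/services-format table and emits the iptables rules a KDC needs, so that a newly enabled Kerberized service is picked up by its service name rather than by copying numbers by hand. SAMPLE_SERVICES is a constructed excerpt in /etc/services syntax; the chain name RH-Firewall-1-INPUT and the rule format follow the /etc/sysconfig/iptables file that system-config-securitylevel manages on RHEL 5.

```python
"""Generate iptables rules for Kerberized services from an /etc/services-style
table.  Added example, not from the book.  SAMPLE_SERVICES is a constructed
excerpt in /etc/services format; call load_services() to use the host's real file."""
from typing import Dict, List, Tuple

SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]    # comment
kerberos        88/tcp          kerberos5 krb5   # Kerberos v5
kerberos        88/udp          kerberos5 krb5
kpasswd         464/tcp         kpwd             # Kerberos "passwd"
kpasswd         464/udp         kpwd
kerberos-adm    749/tcp                          # Kerberos `kadmin' (v5)
klogin          543/tcp                          # Kerberized `rlogin' (v5)
eklogin         2105/tcp                         # Kerberos encrypted `rlogin'
"""

# Ports a KDC/admin server must accept inbound; clients only connect outward.
KDC_SERVICES = ("kerberos", "kpasswd", "kerberos-adm")
# Add these only on hosts that actually run the Kerberized rlogin daemons.
KLOGIN_SERVICES = ("klogin", "eklogin")

ServicesTable = Dict[str, List[Tuple[int, str]]]


def parse_services(text: str) -> ServicesTable:
    """Parse /etc/services text into {name_or_alias: [(port, proto), ...]}."""
    table: ServicesTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"malformed services line: {raw!r}")
        port, proto = fields[1].split("/", 1)
        entry = (int(port), proto)
        for name in [fields[0]] + fields[2:]:  # canonical name plus aliases
            if entry not in table.setdefault(name, []):
                table[name].append(entry)
    return table


def load_services(path: str = "/etc/services") -> ServicesTable:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_services(fh.read())


def kerberos_rules(table: ServicesTable, services=KDC_SERVICES,
                   chain: str = "RH-Firewall-1-INPUT") -> List[str]:
    """One ACCEPT rule per (port, proto) used by the named services, in the
    /etc/sysconfig/iptables syntax.  An unknown service name is an error rather
    than a silent hole in the rule set."""
    missing = [s for s in services if s not in table]
    if missing:
        raise KeyError(f"not in services table: {', '.join(missing)}")
    rules = []
    for svc in services:
        for port, proto in table[svc]:
            rules.append(f"-A {chain} -m state --state NEW -m {proto} -p {proto} "
                         f"--dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    print("\n".join(kerberos_rules(parse_services(SAMPLE_SERVICES))))
```

Run as a script it prints the five rules for 88/tcp, 88/udp, 464/tcp, 464/udp and 749/tcp; kerberos_rules(load_services()) does the same against the live /etc/services, and kerberos_rules(table, KDC_SERVICES + KLOGIN_SERVICES) adds 543 and 2105 for a host that runs the Kerberized rlogin daemons. On RHEL 5 the lines belong in /etc/sysconfig/iptables ahead of the chain's final REJECT rule, followed by service iptables restart.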
