Create a service principal using MIT Kerberos
Tested on: Debian (Lenny, Squeeze); Ubuntu (Lucid)
Objective
To create a service principal using MIT Kerberos
Background
A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services. A principal that corresponds to a network service is called a service principal and has a name of the form:
<service-name>/<hostname>@<realm>
Service principals are needed for two reasons:
- to allow services to verify that service tickets were issued by a genuine KDC, and
- to allow clients to verify that they are communicating with the intended service.
Some network services (such as Apache with mod_auth_kerb) can be configured to allow authentication without the use of a keytab or a service principal. This is inadvisable for any purpose other than troubleshooting because it leaves the server without the means to verify that a presented ticket is genuine.
Scenario
Suppose you wish to allow authentication to the web site http://www.example.com/ using Kerberos. The canonical domain name of the web server is the same as the domain name of the website (www.example.com), and the Kerberos realm to which it belongs is EXAMPLE.COM.
In order to achieve this in a secure manner it is necessary to create a service principal named HTTP/www.example.com@EXAMPLE.COM.
Prerequisites
The method described here assumes that you already have:
- a Kerberos realm with an admin server and at least one KDC (Key Distribution Centre); and
- a Kerberos principal that is authorised to create other principals within that realm.
Method
Service principals can be created using the addprinc command of kadmin in much the same way as user principals:
kadmin -q "addprinc -randkey HTTP/www.example.com"
The -q option specifies a kadmin command to be executed, in this case addprinc. The realm has been omitted from the principal name, so kadmin supplies the default realm.
The -randkey option of addprinc specifies that the encryption key should be chosen at random instead of being derived from a password. Services normally authenticate using a keytab, so have no need for a password.
By default kadmin appends /admin to your default principal or username and attempts to authenticate to the admin server using that. You can specify an alternative admin principal using the -p option if required.
You do not need to be root to run kadmin; however, if you are not root then it will probably not be on your path. A common location for the executable is /usr/sbin/kadmin.
It is often convenient to run kadmin on the machine for which the service principal is needed, particularly if you also intend to create a keytab. However, you should do this only if you are willing to trust that machine with administrative rights to the realm as a whole. Otherwise, choose a machine that you do trust (such as the KDC).
On Debian-based systems kadmin is provided by the krb5-user package, whereas on Red Hat-based systems it is provided by the krb5-workstation package.
Testing
You can check that the service principal exists using the getprinc command of kadmin:
kadmin -q "getprinc HTTP/www.example.com"
If the principal exists then you should see output similar to the following:
Principal: HTTP/www.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Nov 11 20:05:11 GMT 2011
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Nov 11 20:05:11 GMT 2011 (bofh/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
If it does not then you should see an error of the form:
get_principal: Principal does not exist while retrieving "HTTP/www.example.com@EXAMPLE.COM".
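As an added example (not code from the original article), a small POSIX shell wrapper for the method and test above: it builds the principal name, decides from getprinc output whether the principal already exists, creates it with -randkey only when it is missing, and reports any single-DES keys. The kadmin path in KADMIN and the embedded getprinc sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the principal name,
# test for existence from getprinc output, and create the principal with
# -randkey only when it is missing. KADMIN and the sample output are assumed.
set -eu

# Build <service-name>/<hostname>@<realm>; the hostname must be canonical.
service_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Succeed when getprinc output on stdin describes an existing principal.
principal_exists_in() {
    grep -q '^Principal: ' -
}

# Print the encryption type of each key listed in getprinc output on stdin.
key_enctypes_in() {
    sed -n 's/^Key: vno [0-9]*, \(.*\), .*$/\1/p'
}

# Count keys using single DES, which current MIT Kerberos disables by
# default (allow_weak_crypto); a non-zero count deserves attention.
weak_des_keys_in() {
    key_enctypes_in | grep -c '^DES ' || true
}

# Create the principal only if the KDC does not already know it. Runs the
# real kadmin, so it is not invoked at top level here.
ensure_service_principal() {
    princ=$1
    kadmin=${KADMIN:-/usr/sbin/kadmin}
    if "$kadmin" -q "getprinc $princ" 2>/dev/null | principal_exists_in; then
        echo "exists: $princ"
    else
        "$kadmin" -q "addprinc -randkey $princ"
    fi
}

# Constructed sample of getprinc output, shortened from the article's example.
SAMPLE_GETPRINC='Principal: HTTP/www.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Policy: [none]'
SAMPLE_MISSING='get_principal: Principal does not exist while retrieving "HTTP/www.example.com@EXAMPLE.COM".'

# Example use: the HTTP principal from the scenario; prints the weak-key count (1).
PRINC=$(service_principal HTTP www.example.com EXAMPLE.COM)
printf '%s\n' "$SAMPLE_GETPRINC" | weak_des_keys_in
```

On a machine you trust with realm administration, ensure_service_principal "$PRINC" performs the create-if-missing step against the real admin server.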
Next steps
Having created a service principal, you will normally want to add it to a keytab (sometimes the default keytab, /etc/krb5.keytab, or sometimes one with a different owner). See Add a host or service principal to a keytab using MIT Kerberos for instructions.
See also
- Create a host principal using MIT Kerberos
- Add a host or service principal to a keytab using MIT Kerberos
Further reading
- Kerberos V5 System Administrator's Guide, version 1.10, MIT, 2012
- kadmin (Ubuntu manpage)
Tags: kerberos