FreeBSD MIT Kerberos Server

Read post on vermaden.wordpress.com

It often starts with a comment – your comment – and it is not different this time.In the comments section below Native FreeBSD Kerberos/LDAP with FreeIPA/IDM article in one of the places it was shared someone asked why FreeBSD Handbook – Security – Kerberos section does not cover setting up MIT Kerberos … as FreeBSD since FreeBSD 15.0-RELEASE uses MIT Kerberos in its Base System instead of Heimdal implementation … and that is very good question.MIT KRB5 1.22.1 Kerberos replaces Heimdal 1.5.2 by default. (Sponsored by The FreeBSD Foundation)I even created a PR:289117 about it some time ago … but nothing changed since.Encouraged that in the past the FreeBSD Handbook – Jails chapter was reworked also using information from my FreeBSD Jails Containers article – I though that maybe it will also happen this time … and even if not – this article will serve its role before anything related MIT Kerberos server will appear in official FreeBSD Handbook. The Table of Contents will look like that this time.FreeBSD InstallationIt Was DNSMIT Kerberos ServerSummaryNow …FreeBSD InstallationThe install I did was pretty generic and just Next … Next … Next … in the FreeBSD bsdinstall(8) installer. I have chosen Auto (ZFS) way (but it would work the same on UFS) and then setup static 10.1.1.123/24 IP and kerberos.example.org hostname. I also used PKGBASE but older Distribution Sets setup will also work the same.It will also work in a Jail (VNET or not) if needed.This is how /etc/rc.conf file looked like after install.kerberos # cat /etc/rc.conf# NETWORKhostname="kerberos.example.org"ifconfig_vtnet0="inet 10.1.1.123/24"defaultrouter="10.1.1.1"# SERVICESsshd_enable="YES"zfs_enable="YES"syslogd_flags="-ss"It Was DNSBefore we start setting up Kerberos we need DNS server.You can use other other that you already have working – but if not – we will install and setup some basic nsd(8) DNS server first.kerberos # hostnamekerberos.example.orgkerberos # netstat -Win -f inetName Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Collvtnet0 - 10.1.1.0/24 10.1.1.123 0 - - 0 - -lo0 - 127.0.0.0/8 127.0.0.1 0 - - 0 - -kerberos # echo nameserver 1.1.1.1 > /etc/resolv.confkerberos # mkdir -pv /usr/local/etc/pkg/reposkerberos # sed s/quarterly/latest/g /etc/pkg/FreeBSD.conf > /usr/local/etc/pkg/repos/FreeBSD.confkerberos # pkg install -y nsdThis is what we got.Now we will create simple DNS config.kerberos # cat /usr/local/etc/nsd/nsd.confserver: ip-address: 0.0.0.0 port: 53 logfile: /var/log/nsd.logzone: name: example.org zonefile: example.org.zonekerberos # cat /usr/local/etc/nsd/example.org.zone$ORIGIN example.org.$TTL 86400@ IN SOA kerberos.example.org. admin.example.org. ( 2026022101 ; serial 3600 ; refresh 600 ; retry 864000 ; expire 86400 ; minimum ) IN NS kerberos.example.org.kerberos IN A 10.1.1.123* IN A 10.1.1.123@ IN A 10.1.1.123_kerberos._udp IN SRV 01 00 88 kerberos.example.org._kerberos._tcp IN SRV 01 00 88 kerberos.example.org._kpasswd._udp IN SRV 01 00 464 kerberos.example.org._kerberos-adm._tcp IN SRV 01 00 749 kerberos.example.org._kerberos IN TXT EXAMPLE.ORGWe can now enable and start our nsd(8) DNS server.kerberos # service nsd enablensd enabled in /etc/rc.confkerberos # service nsd startStarting nsd.kerberos # nc -w 1 -v -u localhost 53Connection to localhost 53 port [udp/domain] succeeded!kerberos # nc -w 1 -v localhost 53Connection to localhost 53 port [tcp/domain] succeeded!kerberos # drill @10.1.1.123 kerberos.example.org;; ->>HEADER