====== Setup A KDC Server ======
**General Information**
Setting up a KDC server for practice with RHCE Exam Objective: "Configure a system to authenticate using Kerberos" and "Use Kerberos to control access to NFS network shares".
The second part sets up a Kerberos client, also using local accounts.
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> Kerberos Client
* server2.example.com (192.168.1.151) -> Kerberos KDC
----
====== Prerequisites ======
* Fully qualified domain names are required
* Setup /etc/hosts with IP addresses and FQDNs
* **This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos.** (which is why local users are created)
----
====== Kerberos KDC: Install Packages ======
Install the main packages required
yum install krb5-server krb5-workstation pam_krb5
----
====== Kerberos KDC: Configure the Server ======
**KDC Config**: Replace domain with desired domain
vim /var/kerberos/krb5kdc/kdc.conf
....
[realms]
MYDOMAIN.COM = {
....
\\
**Kadmin ACL**: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM *
\\
**KRB5 Client Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
vim /etc/krb5.conf
....
default_realm = MYDOMAIN.COM
....
[realms]
MYDOMAIN.COM = {
kdc = server2.mydomain.com
admin_server = server2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
----
====== Kerberos KDC: Create the KDC Database and Start ======
Create the Kerberos database
kdb5_util -r MYDOMAIN.COM create -s
* -r -> realm name
* create -s -> Create database with stash file for master database key
* **You will be prompted to enter a KDC database master password** after a few minutes. The delay comes from gathering random entropy for the database's master key.
\\
Enable and start the services
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
----
====== Kerberos KDC: Create Principals for Users and Hosts ======
Open the Kerberos admin tool
kadmin.local
\\
Add the principal for root/admin
addprinc root/admin
* Enter a new password for root/admin
\\
Add a user principal
addprinc user1
* Prompted for a new password for user1
\\
Add a host principal for the KDC server so the Kerberos database knows about the server it is installed on
addprinc -randkey host/server2.mydomain.com
\\
Add the host principal to the local keytab (/etc/krb5.keytab) for automatic use by Kerberos client commands
ktadd host/server2.mydomain.com
\\
Exit the Kerberos admin tool
exit
----
====== Kerberos KDC: Setup OS Components for Testing ======
===== SSH =====
Configure SSH
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
\\
Reload the SSHD config
systemctl reload sshd
===== Authentication =====
Configure PAM authentication (authconfig) to enable krb5
authconfig --enablekrb5 --update
===== Firewall =====
Copy the built-in kerberos service XML file to the override location
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
\\
Edit the kerberos.xml file and add the kadmin port
....
* The built-in kerberos service does NOT include tcp/749 (kadmin)
* If you don't remember the port, check ss or netstat for listening kadmin services
ss -antp | grep kadmin
netstat -antp | grep kadmin
\\
Open up firewall ports
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
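A pre-flight check, added here and not part of the original page, that covers the two config edits above: it confirms that a firewalld service file actually lists tcp/749 for kadmin (the stock kerberos.xml only has port 88) and that the default_realm in krb5.conf has a matching [realms] stanza. The XML and krb5.conf files it reads are constructed samples written to a temp directory, not the live system's files.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original page: verifies that a firewalld
# service file opens tcp/749 for kadmin and that krb5.conf's default_realm has a
# [realms] stanza. All files below are constructed samples, not live configuration.

# service_has_port FILE PROTO PORT: succeed if a <port .../> element lists PROTO/PORT
service_has_port() {
    # firewalld writes protocol before port, but accept either attribute order.
    grep -Eq "<port[^>]*protocol=\"$2\"[^>]*port=\"$3\"|<port[^>]*port=\"$3\"[^>]*protocol=\"$2\"" "$1"
}

# realm_is_defined FILE: succeed if default_realm is also a stanza under [realms]
realm_is_defined() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    # Restrict the search to the [realms] section (up to the next [section] header).
    sed -n '/^\[realms\]/,/^\[/p' "$1" | grep -Eq "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*[{]"
}

TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
STOCK_XML="$TMPD/kerberos-stock.xml"   # mimics /usr/lib/firewalld/services/kerberos.xml
FIXED_XML="$TMPD/kerberos-fixed.xml"   # the override copy with the kadmin port added
KRB5_CONF="$TMPD/krb5.conf"            # sample of the [realms] layout shown above

cat > "$STOCK_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOF
# Same definition plus the kadmin port; this is the element to add to the override copy.
awk '/<\/service>/{print "  <port protocol=\"tcp\" port=\"749\"/>"}1' "$STOCK_XML" > "$FIXED_XML"
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  kdc = server2.mydomain.com
  admin_server = server2.mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
EOF

# Stand-alone run: the stock file fails the kadmin check, the fixed copy passes.
for f in "$STOCK_XML" "$FIXED_XML"; do
    if service_has_port "$f" tcp 749; then echo "$f: kadmin tcp/749 open"; else echo "$f: kadmin tcp/749 MISSING"; fi
done
realm_is_defined "$KRB5_CONF" && echo "krb5.conf: default_realm has a [realms] stanza"
```

To check the real host, point the two functions at /etc/firewalld/services/kerberos.xml and /etc/krb5.conf before running firewall-cmd --reload.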
----
====== Kerberos KDC: Test the KDC Server ======
Add a user account
useradd user1
\\
Switch to that user
su - user1
\\
Initialize Kerberos authentication
kinit
* Prompted for user1 principal password created earlier
\\
SSH to the fully qualified name of the local system
ssh server2.mydomain.com
----
====== Kerberos Client: Package Install ======
Install the required packages
yum install krb5-workstation pam_krb5
----
====== Kerberos Client: Configure the Kerberos Client ======
Setup the krb5.conf file
* Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
* OR copy the /etc/krb5.conf file from the KDC server to the client
\\
Create the user
useradd user1
\\
Open the Kerberos admin tool on the client system
kadmin
\\
Add a new host principal for the client to the Kerberos database
addprinc -randkey host/server1.example.com
\\
Create the local keytab file for the client
ktadd host/server1.example.com
\\
Exit the admin tool
exit
----
====== Kerberos Client: Configure the Client OS Components ======
===== SSH =====
Uncomment the required GSSAPI lines
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
\\
Reload the SSHD config
systemctl reload sshd
===== Authentication =====
Configure PAM authentication to enable krb5
authconfig --enablekrb5 --update
----
====== Kerberos Client: Test The Client ======
Change to the user
su - user1
\\
Initialize kerberos
kinit
\\
SSH to the KDC server
ssh server2.example.com
* You should not be prompted for a password, because kinit already obtained a Kerberos ticket
----