Differences
This shows you the differences between two versions of the page.
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2016/08/14 23:34] billdozor [Prerequisites]
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2018/05/29 22:20] billdozor [Lab Setup]
Line 3: | Line 3: | ||
**General Information** | **General Information** | ||
- | About this page/how-to/script. | + | Setting up a client |
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Lab Setup ====== | ||
+ | |||
+ | The following virtual machines will be used: | ||
+ | * server1.example.com (192.168.1.150) -> Client for kerberos authentication | ||
+ | * ipa.example.com (192.168.1.152) -> FreeIPA server/kerberos server | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Help ====== | ||
+ | |||
+ | Finding help in this section. | ||
+ | * authconfig help, filter for krb<code bash> | ||
---- | ---- | ||
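Review bot: the new Lab Setup lists server1.example.com (192.168.1.150) and ipa.example.com (192.168.1.152) but says nothing about name resolution or time synchronisation between them; Kerberos host principals are tied to the fully qualified hostname and the KDC rejects requests whose clock skew exceeds its limit (5 minutes by default), so add a line stating that both hosts resolve each other by FQDN (FreeIPA DNS or /etc/hosts entries) and use the same time source before the client steps are attempted.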
Line 12: | Line 27: | ||
* [[linux_wiki: | * [[linux_wiki: | ||
- | * Alternatively, | + | * Alternatively, |
* Creating a KDC server/ | * Creating a KDC server/ | ||
- | * Lab Setup: An additional system to act as a client. (server1.example.com) | + | * Lab Setup: An additional system to act as a client. (**server1.example.com**) |
+ | * If you are using the FreeIPA server, configure the client to [[linux_wiki: | ||
---- | ---- | ||
Line 29: | Line 45: | ||
====== Configure the Kerberos Client ====== | ====== Configure the Kerberos Client ====== | ||
- | Setup the krb5.conf file | + | **Option 1**: Use authconfig to enable kerberos< |
- | | + | * Note: If you get this message: " |
- | * OR copy the /etc/krb5.conf file from the KDC server to the client | + | * You did not install " |
\\ | \\ | ||
- | Create the user | + | **Option 2**: Use authconfig-tui to enable kerberos |
- | <code bash> | + | * Open authconfig-tui<code bash>authconfig-tui</ |
- | useradd user1 | + | * Authentication Configuration |
- | </ | + | * Under Authentication -> select "Use Kerberos", |
+ | * LDAP Settings -> Do not change anything, Next | ||
+ | * Kerberos Settings | ||
+ | * Realm: EXAMPLE.COM | ||
+ | * KDC: ipa.example.com | ||
+ | * Admin Server: ipa.example.com | ||
+ | * Ok | ||
- | \\ | + | ===== Add Client Host to The Kerberos |
- | Open the Kerberos | + | |
- | <code bash> | + | |
- | kadmin | + | |
- | </ | + | |
- | \\ | + | The kerberos server (KDC) must have an entry for the client host. |
- | Add the client | + | |
- | <code bash> | + | |
- | addprinc --randkey | + | |
- | </ | + | |
- | \\ | + | A kerberos client |
- | Create the local keytab | + | |
- | <code bash> | + | |
- | ktadd host/ | + | |
- | </ | + | |
- | \\ | + | For lab purposes, you may need to add the client and generate a keytab. |
- | Exit the admin tool | + | |
- | <code bash> | + | |
- | quit | + | |
- | </ | + | |
- | ---- | + | [[linux_wiki: |
- | + | ||
- | ====== Configure the Client OS Components ====== | + | |
- | + | ||
- | ===== SSH ===== | + | |
- | + | ||
- | Uncomment the required GSSAPI lines | + | |
- | <code bash> | + | |
- | vim / | + | |
- | + | ||
- | GSSAPIAuthentication yes | + | |
- | GSSAPIDelegateCredentials yes | + | |
- | </ | + | |
- | + | ||
- | \\ | + | |
- | Reload the SSHD config | + | |
- | <code bash> | + | |
- | systemctl reload sshd | + | |
- | </ | + | |
- | + | ||
- | ===== PAM ===== | + | |
- | + | ||
- | Configure PAM to enable krb5 | + | |
- | <code bash> | + | |
- | authconfig --enablekrb5 --update | + | |
- | </ | + | |
---- | ---- | ||
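Review bot: the SSH subsection (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes, systemctl reload sshd) is removed from this section with no replacement, yet the Test section still expects an SSH login with no password prompt after obtaining a ticket, which only works when sshd on the target host has GSSAPIAuthentication enabled; keep a short pointer to where that sshd setting is now covered. If GSSAPIDelegateCredentials is documented again, say what it does: it forwards the user's TGT to the remote host, so it should stay off unless credential delegation is actually needed.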
Line 94: | Line 75: | ||
====== Test The Client ====== | ====== Test The Client ====== | ||
- | Change to the user | + | * Login as a LDAP user< |
- | <code bash> | + | * Get a kerberos |
- | su - user1 | + | * View ticket< |
- | </ | + | |
- | + | * Should not be prompted for a password due to initializing a kerberos ticket | |
- | \\ | + | |
- | Initialize | + | |
- | <code bash> | + | |
- | kinit | + | |
- | </ | + | |
- | + | ||
- | \\ | + | |
- | SSH to to the KDC server | + | |
- | <code bash> | + | |
- | ssh server3.mydomain.com | + | |
- | </ | + | |
---- | ---- | ||
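Review bot: the last bullet treats the absence of a password prompt as the success criterion, but an SSH key or cached credential produces the same result; have the reader run klist after the login and confirm that a host/<target FQDN>@EXAMPLE.COM service ticket is now listed, since that ticket only appears when GSSAPI authentication was actually used. Dropping the old "ssh server3.mydomain.com" step is right, as that host lies outside the EXAMPLE.COM lab realm described in the Lab Setup.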