====== Configure A System To Authenticate Using Kerberos ======

**General Information**

Setting up a client to authenticate using Kerberos.

----

====== Lab Setup ======

The following virtual machines will be used:

  * server1.example.com (192.168.1.150) -> Client for Kerberos authentication
  * ipa.example.com (192.168.1.152) -> FreeIPA server/Kerberos server

----

====== Help ======

Finding help in this section.

  * authconfig help, filter for krb:
<code bash>
authconfig --help | grep krb
</code>

----

====== Prerequisites ======

Some items are required before being able to practice this objective.

  * [[linux_wiki:rhce#lab_setup|Lab Setup]]: Ensure you have already set up your [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA server]] (ipa.example.com).
    * Alternatively, you can [[setup a KDC server|set up a KDC server and client with local accounts]].
    * Creating a KDC server/FreeIPA server is not an RHCE exam objective, but you will need one to practice with.
  * Lab Setup: An additional system to act as a client (**server1.example.com**).
    * If you are using the FreeIPA server, configure the client to [[linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information|connect to it via LDAP]].

----

====== Package Install ======

Install the required packages:
<code bash>
yum install krb5-workstation pam_krb5
</code>

----

====== Configure the Kerberos Client ======

**Option 1**: Use authconfig to enable Kerberos
<code bash>
authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update
</code>

  * Note: If you get this message: "authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly."
    * You did not install "pam_krb5":
<code bash>
yum install pam_krb5
</code>

**Option 2**: Use authconfig-tui to enable Kerberos

  * Open authconfig-tui:
<code bash>
authconfig-tui
</code>
  * Authentication Configuration
    * Under Authentication -> select "Use Kerberos", then Next
    * LDAP Settings -> Do not change anything, Next
    * Kerberos Settings
      * Realm: EXAMPLE.COM
      * KDC: ipa.example.com
      * Admin Server: ipa.example.com
    * Ok

===== Add Client Host to The Kerberos Server =====

The Kerberos server (KDC) must have an entry for the client host. A Kerberos client keytab (containing the client host identification) will probably be provided in the exam. For lab purposes, you may need to add the client and generate a keytab. [[linux_wiki:setup_a_kdc_server#kerberos_clientconfigure_the_kerberos_client|See here for more details]].

----

====== Test The Client ======

  * Log in as an LDAP user:
<code bash>
su - robert
</code>
  * Get a Kerberos ticket:
<code bash>
kinit robert
</code>
  * View the ticket:
<code bash>
klist
</code>
  * SSH to another system:
<code bash>
ssh ipa.example.com
</code>
    * You should not be prompted for a password, because the Kerberos ticket you initialized with kinit is used to authenticate.

----
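Before running the kinit test above, it is worth confirming that authconfig actually wrote the realm and KDC from the configuration step into /etc/krb5.conf. The following POSIX shell check is an added example, not part of this wiki page: it parses a krb5.conf for the default realm and the KDC of that realm and compares them with the lab values (EXAMPLE.COM, ipa.example.com). The krb5.conf content it runs against is a constructed sample in the layout authconfig --enablekrb5 produces.

```bash
#!/bin/sh
# Added check (not from this wiki page): confirm that a krb5.conf names the
# expected default realm and KDC before running the kinit test. The realm and
# KDC below are the lab values from this page; the sample file is constructed.
set -e

# Constructed krb5.conf fragment in the layout authconfig --enablekrb5 writes.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com
  admin_server = ipa.example.com
 }
'

# krb5_default_realm FILE: print default_realm from the [libdefaults] section.
krb5_default_realm() {
    awk -F'=' '/^\[/ {sec=$1}
        sec=="[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# krb5_realm_kdc FILE REALM: print the first kdc listed for REALM in [realms].
krb5_realm_kdc() {
    awk -v realm="$2" '/^\[/ {sec=$1}
        sec=="[realms]" && $1==realm && $2=="=" {inrealm=1; next}
        inrealm && $1=="}" {inrealm=0}
        inrealm && $1=="kdc" {print $3; exit}' "$1"
}

# check_krb5_client FILE REALM KDC: 0 if FILE matches the expected realm/KDC.
check_krb5_client() {
    [ "$(krb5_default_realm "$1")" = "$2" ] ||
        { echo "default_realm is not $2" >&2; return 1; }
    [ "$(krb5_realm_kdc "$1" "$2")" = "$3" ] ||
        { echo "kdc for realm $2 is not $3" >&2; return 1; }
}

# Demo against the constructed sample; on a real client pass /etc/krb5.conf.
tmp=$(mktemp)
printf '%s' "$SAMPLE_KRB5_CONF" > "$tmp"
check_krb5_client "$tmp" EXAMPLE.COM ipa.example.com && echo "krb5.conf OK"
rm -f "$tmp"
```

On the lab client, replace the temporary file with /etc/krb5.conf; a mismatch here explains a kinit failure before any KDC or keytab problem is suspected.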