====== Configure A System To Authenticate Using Kerberos ======
**General Information**
Setting up a client to authenticate using Kerberos.
----
====== Lab Setup ======
The following virtual machines will be used:
* server1.example.com (192.168.1.150) -> Client for Kerberos authentication
* ipa.example.com (192.168.1.152) -> FreeIPA server/Kerberos server
----
====== Help ======
Finding help in this section.
* authconfig help, filtered for krb: <code bash>authconfig --help | grep krb</code>
----
====== Prerequisites ======
Some items are required before being able to practice this objective.
* [[linux_wiki:rhce#lab_setup|Lab Setup]]: Ensure you have already set up your [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA server]]. (ipa.example.com)
* Alternatively, you can [[setup a KDC server|set up a KDC server and client with local accounts]].
* Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.
* Lab Setup: An additional system to act as a client. (**server1.example.com**)
* If you are using the FreeIPA server, configure the client to [[linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information|connect to it via ldap]].
----
====== Package Install ======
Install the required packages:
<code bash>
yum install krb5-workstation pam_krb5
</code>
----
====== Configure the Kerberos Client ======
**Option 1**: Use authconfig to enable Kerberos
<code bash>
authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update
</code>
* Note: If you get this message: "authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly."
  * You did not install "pam_krb5": <code bash>yum install pam_krb5</code>
\\
**Option 2**: Use authconfig-tui to enable Kerberos
* Open authconfig-tui: <code bash>authconfig-tui</code>
* Authentication Configuration
  * Under Authentication -> select "Use Kerberos", then Next
* LDAP Settings -> Do not change anything, Next
* Kerberos Settings
  * Realm: EXAMPLE.COM
  * KDC: ipa.example.com
  * Admin Server: ipa.example.com
  * Ok
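To confirm that either option left the realm, KDC and admin server from above in the client's Kerberos configuration, the following added example (not from the original page and not part of authconfig) parses a krb5.conf and reports mismatches. The function names and the sample file are constructed for illustration; it assumes the client configuration lives in the standard /etc/krb5.conf.

```shell
#!/bin/bash
# check_krb5_conf FILE REALM KDC ADMIN   (hypothetical helper name)
# Returns 0 when [libdefaults] default_realm and the REALM stanza in [realms]
# carry the expected values; prints each mismatch and returns 1 otherwise.
# Realm names are case-sensitive, so "example.com" does not match "EXAMPLE.COM".
check_krb5_conf() {
    awk -v realm="$2" -v kdc="$3" -v admin="$4" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                      # commented settings do not count
        /^[ \t]*\[/   { section = trim($0); in_realm = 0; next }
        {
            eq = index($0, "=")
            if (eq == 0) { if ($0 ~ /}/) in_realm = 0; next }   # "}" closes a stanza
            key = trim(substr($0, 1, eq - 1))
            val = trim(substr($0, eq + 1))
            if (section == "[libdefaults]" && key == "default_realm") got_realm = val
            else if (section == "[realms]" && val ~ /^[{]/) in_realm = (key == realm)
            else if (in_realm && (key == "kdc" || key == "admin_server")) {
                sub(/:[0-9]+$/, "", val)            # ignore an optional :port suffix
                if (key == "kdc" && val == kdc) kdc_ok = 1
                if (key == "admin_server" && val == admin) admin_ok = 1
            }
        }
        END {
            bad = 0
            if (got_realm != realm) { print "default_realm is \"" got_realm "\", expected " realm; bad = 1 }
            if (!kdc_ok)   { print "no kdc = " kdc " in realm " realm; bad = 1 }
            if (!admin_ok) { print "no admin_server = " admin " in realm " realm; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample of a configured client file (not captured from a real host).
sample_conf() {
cat <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com
  admin_server = ipa.example.com
 }
EOF
}

# Demo on the sample; on the client, pass /etc/krb5.conf instead of "-" (stdin).
sample_conf | check_krb5_conf - EXAMPLE.COM ipa.example.com ipa.example.com \
    && echo "krb5.conf matches the lab settings"
```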
===== Add Client Host to The Kerberos Server =====
The Kerberos server (KDC) must have an entry for the client host.
A Kerberos client keytab (containing client host identification) will probably be provided in the exam.
For lab purposes, you may need to add the client and generate a keytab.
[[linux_wiki:setup_a_kdc_server#kerberos_clientconfigure_the_kerberos_client|See here for more details]].
----
====== Test The Client ======
* Log in as an LDAP user: <code bash>su - robert</code>
* Get a Kerberos ticket: <code bash>kinit robert</code>
* View the ticket: <code bash>klist</code>
* SSH to another system: <code bash>ssh ipa.example.com</code>
  * Should not be prompted for a password due to initializing a Kerberos ticket
----