====== Setup A KDC Server ======

**General Information**

Setting up a KDC server for practice with RHCE Exam Objective: "Configure a system to authenticate using Kerberos" and "Use Kerberos to control access to NFS network shares".

The second part is setting up a KDC client with local accounts as well.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Kerberos Client
  * server2.example.com (192.168.1.151) -> Kerberos KDC

----

====== Prerequisites ======

  * Fully qualified domain names are required
    * Setup /etc/hosts with IP addresses and FQDNs
  * **This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos.** (which is why local users are created)

----

====== Kerberos KDC: Install Packages ======

Install main packages required
<code bash>
yum install krb5-server krb5-workstation pam_krb5
</code>

----

====== Kerberos KDC: Configure the Server ======

**KDC Config**: Replace domain with desired domain
<code bash>
vim /var/kerberos/krb5kdc/kdc.conf

....
[realms]
MYDOMAIN.COM = {
....
</code>

\\
**Kadmin ACL**: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain
<code bash>
vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@MYDOMAIN.COM  *
</code>

\\
**KRB5 Client Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
<code bash>
vim /etc/krb5.conf

....
default_realm = MYDOMAIN.COM
....
[realms]
MYDOMAIN.COM = {
  kdc = server2.mydomain.com
  admin_server = server2.mydomain.com
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
</code>

----

====== Kerberos KDC: Create the KDC Database and Start ======

Create the Kerberos database
<code bash>
kdb5_util -r MYDOMAIN.COM create -s
</code>
  * -r  -> realm name
  * create -s  -> Create database with stash file for master database key
  * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database.

\\
Enable and start the services
<code bash>
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
</code>

----

====== Kerberos KDC: Create Principals for Users and Hosts ======

Open the Kerberos admin tool
<code bash>
kadmin.local
</code>

\\
Add the principal for root/admin
<code bash>
addprinc root/admin
</code>
  * Enter a new password for root/admin

\\
Add a user principal
<code bash>
addprinc user1
</code>
  * Prompted for a new password for user1

\\
Add hostname of the KDC server so the kerberos database knows about the server it is installed on
<code bash>
addprinc -randkey host/server2.mydomain.com
</code>

\\
Add host principal to the local keytab (/etc/krb5.keytab) for automatic use with kerberos client commands
<code bash>
ktadd host/server2.mydomain.com
</code>

\\
Exit the Kerberos admin tool
<code bash>
exit
</code>

----

====== Kerberos KDC: Setup OS Components for Testing ======

===== SSH =====

Configure SSH
<code bash>
vim /etc/ssh/sshd_config

GSSAPIAuthentication yes
</code>

\\
Reload the SSHD config
<code bash>
systemctl reload sshd
</code>

===== Authentication =====

Configure PAM authentication (authconfig) to enable krb5
<code bash>
authconfig --enablekrb5 --update
</code>

===== Firewall =====

Copy the built in kerberos xml file to the over ride location
<code bash>
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
</code>

\\
Edit the kerberos.xml file and add the kadmin port
<code bash>
....
  <port protocol="tcp" port="749"/>
</service>
</code>
  * The built in kerberos service does NOT include tcp/749 (kadmin)
  * If you don't remember the port, check ss or netstat for listening kadmin services<code bash>ss -antp | grep kadmin
netstat -antp | grep kadmin</code>

\\
Open up firewall ports
<code bash>
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
</code>

----

====== Kerberos KDC: Test the KDC Server ======

Add a user account
<code bash>
useradd user1
</code>

\\
Switch to that user
<code bash>
su - user1
</code>

\\
Initialize Kerberos authentication
<code bash>
kinit
</code>
  * Prompted for user1 principal password created earlier

\\
SSH to the fully qualified name of the local system
<code bash>
ssh server2.mydomain.com
</code>

----

====== Kerberos Client: Package Install ======

Install the required packages
<code bash>
yum install krb5-workstation pam_krb5
</code>

----

====== Kerberos Client: Configure the Kerberos Client ======

Setup the krb5.conf file
  * Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
  * OR copy the /etc/krb5.conf file from the KDC server to the client

\\
Create the user
<code bash>
useradd user1
</code>

\\
Open the Kerberos admin tool on the client system
<code bash>
kadmin
</code>

\\
Add a new principal host for the client to the keberos database
<code bash>
addprinc -randkey host/server1.example.com
</code>

\\
Create the local keytab file for the client
<code bash>
ktadd host/server1.example.com
</code>

\\
Exit the admin tool
<code bash>
exit
</code>

----

====== Kerberos Client: Configure the Client OS Components ======

===== SSH =====

Uncomment the required GSSAPI lines
<code bash>
vim /etc/ssh/sshd_config

GSSAPIAuthentication yes
</code>

\\
Reload the SSHD config
<code bash>
systemctl reload sshd
</code>

===== Authentication =====

Configure PAM authentication to enable krb5
<code bash>
authconfig --enablekrb5 --update
</code>

----

====== Kerberos Client: Test The Client ======

Change to the user
<code bash>
su - user1
</code>

\\
Initialize kerberos
<code bash>
kinit
</code>

\\
SSH to to the KDC server
<code bash>
ssh server2.example.com
</code>
  * Should not be prompted for a password due to initializing a kerberos ticket

----