General Information
Setting up a KDC server for practice with the RHCE exam objectives “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.
The second part sets up a KDC client that also has local accounts.
The following virtual machines will be used:
Install main packages required
yum install krb5-server krb5-workstation pam_krb5
KDC config: edit /var/kerberos/krb5kdc/kdc.conf and replace the realm with the desired domain
vim /var/kerberos/krb5kdc/kdc.conf
....
[realms]
 MYDOMAIN.COM = {
....
Kadmin ACL: edit /var/kerberos/krb5kdc/kadm5.acl and replace the realm with the desired domain
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM *
KRB5 client config: edit /etc/krb5.conf, uncomment all lines and replace the realm/domain with the desired domain
vim /etc/krb5.conf
....
 default_realm = MYDOMAIN.COM
....
[realms]
 MYDOMAIN.COM = {
  kdc = server2.mydomain.com
  admin_server = server2.mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
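The three files above are edited by hand in the notes, and the commonest mistake is a realm that differs in case or spelling between them. The script below is an added example (not from the original notes) that renders kdc.conf, kadm5.acl and krb5.conf from one realm name and one KDC hostname, refusing a lowercase realm since realm names are case-sensitive and the [domain_realm] map would never match. The realm, KDC FQDN and output paths are assumptions supplied by the caller; the kdc.conf realm stanza is a minimal one that lists only AES enctypes rather than the full shipped list.

```shell
#!/bin/sh
# Added example, not part of the original notes: render the three Kerberos
# config fragments from one realm name and one KDC hostname so every file
# agrees on the realm.  REALM, KDC_FQDN and the output paths are caller
# assumptions; the kdc.conf realm stanza is a minimal one (AES enctypes only).

# Realm names are case-sensitive and conventionally uppercase.  A lowercase
# realm here would never match the [domain_realm] mapping written below.
check_realm() {
    case "$1" in
        '')                              echo "realm must not be empty" >&2; return 1 ;;
        *[abcdefghijklmnopqrstuvwxyz]*)  echo "realm '$1' must be uppercase" >&2; return 1 ;;
        *)                               return 0 ;;
    esac
}

# Derive the DNS domain from the realm name: MYDOMAIN.COM -> mydomain.com
domain_of() {
    printf '%s' "$1" | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'
}

# /var/kerberos/krb5kdc/kdc.conf: realm stanza
write_kdc_conf() {
    realm=$1; out=$2
    check_realm "$realm" || return 1
    cat > "$out" <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $realm = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# /var/kerberos/krb5kdc/kadm5.acl: only */admin principals get full rights
write_kadm5_acl() {
    realm=$1; out=$2
    check_realm "$realm" || return 1
    printf '*/admin@%s *\n' "$realm" > "$out"
}

# /etc/krb5.conf, usable on both the KDC and its clients
write_krb5_conf() {
    realm=$1; kdc=$2; out=$3
    check_realm "$realm" || return 1
    domain=$(domain_of "$realm")
    cat > "$out" <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
  kdc = $kdc
  admin_server = $kdc
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# render_all REALM KDC_FQDN OUTDIR: write all three into OUTDIR for review
# before copying them into place.
render_all() {
    mkdir -p "$3"
    write_kdc_conf  "$1" "$3/kdc.conf"       &&
    write_kadm5_acl "$1" "$3/kadm5.acl"      &&
    write_krb5_conf "$1" "$2" "$3/krb5.conf"
}

# e.g.  sh render-krb5.sh MYDOMAIN.COM server2.mydomain.com /tmp/krb5-out
if [ $# -eq 3 ]; then
    render_all "$@"
fi
```

Render into a scratch directory first, diff against the shipped files, then copy into place; the same krb5.conf is what the client system needs later, so generating it once avoids the two hosts drifting apart.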
Create the Kerberos database
kdb5_util -r MYDOMAIN.COM create -s
Enable and start the services
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
Open the Kerberos admin tool
kadmin.local
Add the principal for root/admin
addprinc root/admin
Add a user principal
addprinc user1
Add the hostname of the KDC server so the Kerberos database knows about the server it is installed on
addprinc -randkey host/server2.mydomain.com
Add the host principal to the local keytab (/etc/krb5.keytab) so the Kerberos client commands can use it automatically
ktadd host/server2.mydomain.com
Exit the Kerberos admin tool
exit
Configure SSH: enable GSSAPI authentication in /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
Reload the SSHD config
systemctl reload sshd
Configure PAM authentication (authconfig) to enable krb5
authconfig --enablekrb5 --update
Copy the built-in kerberos firewalld service definition to the override location
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
Edit the kerberos.xml file and add the kadmin port (TCP 749)
....
  <port protocol="tcp" port="749"/>
</service>
To confirm which port kadmin is listening on:
ss -antp | grep kadmin
netstat -antp | grep kadmin
Open up the firewall ports
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
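The firewall step has two places to get wrong: the kerberos service file must actually carry the kadmin port, and the daemons must actually be bound before the port check means anything. The script below is an added example (not from the original notes) with three helpers: add_kadmin_port inserts TCP 749 into a firewalld service XML without duplicating it on a second run, service_ports lists what the XML opens, and kerberos_listeners reads `ss -tunlp` output and passes only when krb5kdc is on 88 (tcp and udp) and kadmind on TCP 749. The sample XML and ss output are constructed here so it runs offline; file paths are the caller's choice.

```shell
#!/bin/sh
# Added example, not part of the original notes: helpers for the firewall
# step.  add_kadmin_port adds TCP 749 to a firewalld service XML idempotently;
# service_ports lists what the XML opens; kerberos_listeners checks `ss -tunlp`
# output for krb5kdc on 88 (tcp+udp) and kadmind on TCP 749.  The sample XML
# and ss output are constructed; file paths are the caller's choice.

# Insert the kadmin port element just before </service>, once.
add_kadmin_port() {
    xml=$1
    grep -q 'port="749"' "$xml" && return 0
    awk '/^<\/service>/ { print "  <port protocol=\"tcp\" port=\"749\"/>" } { print }' \
        "$xml" > "$xml.tmp" && mv "$xml.tmp" "$xml"
}

# Print the ports a firewalld service file opens, e.g. "tcp/88 udp/88".
service_ports() {
    sed -n 's/.*protocol="\([a-z]*\)" port="\([0-9]*\)".*/\1\/\2/p' "$1" |
        tr '\n' ' ' | sed 's/ $//'
}

# kerberos_listeners FILE: FILE holds `ss -tunlp` output; exit 0 only when
# krb5kdc is bound on udp 88 and tcp 88 and kadmind is listening on tcp 749.
kerberos_listeners() {
    awk '
        $1 == "udp" && $5 ~ /:88$/ && /krb5kdc/                    { u88 = 1 }
        $1 == "tcp" && $2 == "LISTEN" && $5 ~ /:88$/ && /krb5kdc/  { t88 = 1 }
        $1 == "tcp" && $2 == "LISTEN" && $5 ~ /:749$/ && /kadmind/ { t749 = 1 }
        END { exit !(u88 && t88 && t749) }
    ' "$1"
}

# Constructed copy of the shipped kerberos.xml layout (port 88 only).
make_sample_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server.</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOF
}

# Constructed `ss -tunlp` output for a KDC with both daemons running
# (kadmind also serves kpasswd on 464, which is not part of the check).
make_sample_ss() {
    cat > "$1" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:88        0.0.0.0:*     users:(("krb5kdc",pid=1203,fd=9))
tcp   LISTEN 0      5            0.0.0.0:88        0.0.0.0:*     users:(("krb5kdc",pid=1203,fd=10))
tcp   LISTEN 0      5            0.0.0.0:464       0.0.0.0:*     users:(("kadmind",pid=1210,fd=7))
tcp   LISTEN 0      5            0.0.0.0:749       0.0.0.0:*     users:(("kadmind",pid=1210,fd=8))
EOF
}

# Demo against a scratch directory:  sh firewall-check.sh /tmp/kdc-check
if [ $# -eq 1 ]; then
    mkdir -p "$1"
    make_sample_xml "$1/kerberos.xml"
    add_kadmin_port "$1/kerberos.xml"
    echo "kerberos.xml opens: $(service_ports "$1/kerberos.xml")"
    make_sample_ss "$1/ss.txt"
    kerberos_listeners "$1/ss.txt" && echo "krb5kdc and kadmind are listening"
fi
```

On a real KDC, run add_kadmin_port against the copy in /etc/firewalld/services/kerberos.xml and feed kerberos_listeners the live output with `ss -tunlp > /tmp/ss.txt`; a failing check after `systemctl start kadmin krb5kdc` points at the services, not the firewall.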
Add a user account
useradd user1
Switch to that user
su - user1
Initialize Kerberos authentication
kinit
SSH to the fully qualified name of the local system
ssh server2.mydomain.com
Install the required packages on the client system
yum install krb5-workstation pam_krb5
Set up /etc/krb5.conf on the client with the same realm settings used on the KDC server
Create the user
useradd user1
Open the Kerberos admin tool on the client system
kadmin
Add a new host principal for the client to the Kerberos database
addprinc -randkey host/server1.example.com
Create the local keytab file for the client
ktadd host/server1.example.com
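A GSSAPI login that silently falls back to a password is most often a keytab problem: the client's keytab holds a host principal whose name does not match the FQDN sshd is reached by. The script below is an added example (not from the original notes) that checks `klist -k` output for the expected `host/<FQDN>@<REALM>` entry and prints what is actually there when it is missing. The klist output is constructed; the FQDN and realm are passed in rather than read from the system.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that the client
# keytab really contains host/<FQDN>@<REALM> before trying kinit and ssh.
# The klist -k output below is constructed; in use, run
#   klist -k /etc/krb5.keytab > /tmp/keytab.txt
# and pass that file.  FQDN and REALM are caller assumptions.

# keytab_has_principal FILE PRINCIPAL -> 0 if PRINCIPAL appears (any KVNO).
# Entry lines start with a numeric KVNO, so header and ruler lines are skipped.
keytab_has_principal() {
    awk -v want="$2" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 } END { exit !found }' "$1"
}

# host_principal_ok FILE FQDN REALM -> 0 if host/FQDN@REALM is in the keytab;
# otherwise lists the entries present so a short-name or realm mismatch is obvious.
host_principal_ok() {
    file=$1; fqdn=$2; realm=$3
    if keytab_has_principal "$file" "host/$fqdn@$realm"; then
        return 0
    fi
    echo "host/$fqdn@$realm not in keytab; entries present:" >&2
    awk '$1 ~ /^[0-9]+$/ { print "  " $2 }' "$file" >&2
    return 1
}

# Constructed `klist -k` output matching the client set up in the notes.
make_sample_klist() {
    cat > "$1" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server1.example.com@MYDOMAIN.COM
   2 host/server1.example.com@MYDOMAIN.COM
EOF
}

# Demo:  sh keytab-check.sh /tmp/keytab.txt server1.example.com MYDOMAIN.COM
if [ $# -eq 3 ]; then
    [ -f "$1" ] || make_sample_klist "$1"
    host_principal_ok "$1" "$2" "$3" && echo "keytab entry for $2 present"
fi
```

Run it with the FQDN you will type into ssh, not the short hostname: a keytab created with `addprinc -randkey host/server1` (short name) will fail this check and also fail GSSAPI for `ssh server1.example.com`.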
Exit the admin tool
exit
Uncomment the required GSSAPI lines in /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
Reload the SSHD config
systemctl reload sshd
Configure PAM authentication to enable krb5
authconfig --enablekrb5 --update
Change to the user
su - user1
Initialize Kerberos authentication
kinit
SSH to the KDC server
ssh server2.example.com