Configure A System To Authenticate Using Kerberos

General Information

Setting up a client to authenticate using Kerberos.

Lab Setup

The following virtual machines will be used:

  • ( → Client for kerberos authentication
  • ( → FreeIPA server/kerberos server


Finding help in this section.

  • authconfig help, filter for krb
    authconfig --help | grep krb


Some items are required before being able to practice this objective.

Package Install

Install the required packages

yum install krb5-workstation pam_krb5

Configure the Kerberos Client

Option 1: Use authconfig to enable kerberos

authconfig --enablekrb5 --krb5realm=EXAMPLE.COM --update
  • Note: If you get this message: “authconfig: Authentication module /usr/lib64/security/ is missing. Authentication process might not work correctly.”
    • You did not install “pam_krb5”
      yum install pam_krb5

Option 2: Use authconfig-tui to enable kerberos

  • Open authconfig-tui
  • Authentication Configuration
    • Under Authentication → select “Use Kerberos”, then Next
  • LDAP Settings → Do not change anything, Next
  • Kerberos Settings
    • Realm: EXAMPLE.COM
    • KDC:
    • Admin Server:
  • Ok
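After either option, it is worth confirming that the realm, KDC and admin server actually landed in the client configuration. The script below is an added example, not part of the original wiki page; it assumes the settings are stored in the standard MIT Kerberos file /etc/krb5.conf, and kdc.example.com in the sample is a placeholder hostname.

```shell
# Added example: check that a krb5.conf names the realm, KDC and admin server.
# Assumes one setting per line and multi-line "REALM = { ... }" stanzas.

# Print default_realm from the [libdefaults] section of file $1.
krb5_default_realm() {
    awk -F'[ \t]*=[ \t]*' '
        /^[ \t]*\[libdefaults\]/ { in_sect = 1; next }
        /^[ \t]*\[/              { in_sect = 0; next }
        { k = $1; gsub(/[ \t]/, "", k) }
        in_sect && k == "default_realm" { sub(/[ \t]+$/, "", $2); print $2; exit }
    ' "$1"
}

# Print the first value of key $3 in the "$2 = { ... }" stanza of [realms].
krb5_realm_value() {
    awk -F'[ \t]*=[ \t]*' -v realm="$2" -v key="$3" '
        /^[ \t]*\[realms\]/ { in_sect = 1; next }
        /^[ \t]*\[/         { in_sect = 0; next }
        { k = $1; gsub(/[ \t]/, "", k) }
        in_sect && /[{]/ { stanza = k; next }
        in_sect && /[}]/ { stanza = ""; next }
        in_sect && stanza == realm && k == key { sub(/[ \t]+$/, "", $2); print $2; exit }
    ' "$1"
}

# check_krb5_conf FILE REALM: returns 0 = complete, 1 = wrong realm, 2 = KDC/admin server missing.
check_krb5_conf() {
    found=$(krb5_default_realm "$1")
    [ "$found" = "$2" ] || { echo "FAIL: default_realm is '$found', expected '$2'"; return 1; }
    status=0
    for key in kdc admin_server; do
        value=$(krb5_realm_value "$1" "$2" "$key")
        if [ -n "$value" ]; then echo "OK: $2 $key = $value"
        else echo "WARN: no $key set for $2"; status=2; fi
    done
    return $status
}

# Constructed sample, not taken from the page; kdc.example.com is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kdc.example.com
  admin_server = kdc.example.com
 }
EOF
check_krb5_conf "$sample" EXAMPLE.COM; rm -f "$sample"
```

On the client, run `check_krb5_conf /etc/krb5.conf EXAMPLE.COM`; a WARN line means the realm stanza has no explicit KDC or admin server entry.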

The kerberos server (KDC) must have an entry for the client host.

A kerberos client keytab (containing client host identification) will probably be provided in the exam.

For lab purposes, you may need to add the client and generate a keytab.

See here for more details.

Test The Client

  • Log in as an LDAP user
    su - robert
  • Get a Kerberos ticket
    kinit robert
  • View ticket
  • SSH to another system
    • You should not be prompted for a password, because a Kerberos ticket has already been initialized

  • Last modified: 2019/05/25 23:50