Configure A System To Authenticate Using Kerberos
General Information
Setting up a client to authenticate using Kerberos.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Client for kerberos authentication
- ipa.example.com (192.168.1.152) → FreeIPA server/kerberos server
Help
Finding help in this section.
- authconfig help, filter for krb
authconfig --help | grep krb
Prerequisites
Some items are required before being able to practice this objective.
- Lab Setup: Ensure you have already set up your FreeIPA server (ipa.example.com).
- Alternatively, you can set up a KDC server and client with local accounts.
- Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.
- Lab Setup: An additional system to act as a client. (server1.example.com)
- If you are using the FreeIPA server, configure the client to connect to it via LDAP.
Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Configure the Kerberos Client
Option 1: Use authconfig to enable Kerberos
authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update
- Note: If you get this message: “authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly.”
- You did not install “pam_krb5”
yum install pam_krb5
Option 2: Use authconfig-tui to enable Kerberos
- Open authconfig-tui
authconfig-tui
- Authentication Configuration
- Under Authentication → select “Use Kerberos”, then Next
- LDAP Settings → Do not change anything, Next
- Kerberos Settings
- Realm: EXAMPLE.COM
- KDC: ipa.example.com
- Admin Server: ipa.example.com
- Ok
Add Client Host to The Kerberos Server
The Kerberos server (KDC) must have an entry for the client host.
A Kerberos client keytab (containing the client host identification) will probably be provided in the exam.
For lab purposes, you may need to add the client and generate a keytab.
Test The Client
- Log in as an LDAP user
su - robert
- Get a Kerberos ticket
kinit robert
- View ticket
klist
- SSH to another system
ssh ipa.example.com
- You should not be prompted for a password, because the Kerberos ticket obtained with kinit is used to authenticate
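As an added example (not part of the original notes), the following shell functions check that the /etc/krb5.conf written by the authconfig command above carries the expected realm, KDC and admin server, and that klist reports a TGT for that realm; the krb5.conf and klist samples are constructed inline so the script runs offline, and the ticket cache path and timestamps in them are made up.

```shell
# Constructed sample of the krb5.conf produced by
# authconfig --enablekrb5 --krb5kdc=... --krb5realm=... --krb5adminserver=... --update
# On a real client, read /etc/krb5.conf instead: check_krb5_conf "$(cat /etc/krb5.conf)" ...
KRB5_CONF_SAMPLE='[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com
  admin_server = ipa.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
'

# Constructed sample of "klist" output after "kinit robert" (path and dates are made up).
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: robert@EXAMPLE.COM

Valid starting       Expires              Service principal
05/12/2014 10:00:01  05/13/2014 10:00:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
'

# check_krb5_conf CONF REALM KDC ADMIN_SERVER
# Returns 0 only if default_realm is REALM and the REALM block lists the given kdc and admin_server.
check_krb5_conf() {
    conf="$1"; realm="$2"; kdc="$3"; admin="$4"
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm\$" || return 1
    # Only look inside the "REALM = { ... }" block so settings of other realms are not mistaken for ours.
    block=$(printf '%s\n' "$conf" | sed -n "/^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*}/p")
    printf '%s\n' "$block" | grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$kdc\$" || return 1
    printf '%s\n' "$block" | grep -Eq "^[[:space:]]*admin_server[[:space:]]*=[[:space:]]*$admin\$" || return 1
}

# has_tgt KLIST_OUTPUT REALM
# Returns 0 if the listing contains a ticket-granting ticket for REALM, i.e. kinit succeeded against that realm.
has_tgt() {
    printf '%s\n' "$1" | grep -Eq "krbtgt/$2@$2\$"
}

check_krb5_conf "$KRB5_CONF_SAMPLE" EXAMPLE.COM ipa.example.com ipa.example.com && echo "krb5.conf OK"
has_tgt "$KLIST_SAMPLE" EXAMPLE.COM && echo "TGT for EXAMPLE.COM present"
```

On a live client, run the same checks with `check_krb5_conf "$(cat /etc/krb5.conf)" EXAMPLE.COM ipa.example.com ipa.example.com` and `has_tgt "$(klist)" EXAMPLE.COM` after kinit.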