linux_wiki:configure_a_system_to_authenticate_using_kerberos

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux_wiki:configure_a_system_to_authenticate_using_kerberos [2016/09/13 23:13]
billdozor [Configure the Kerberos Client] 		linux_wiki:configure_a_system_to_authenticate_using_kerberos [2019/05/25 23:50]
Line 1: Line 1:
-====== Configure A System To Authenticate Using Kerberos ====== 
- 
-**General Information** 
- 
-Setting up a client to authenticate using kerberos.  
- 
----- 
- 
-====== Prerequisites ====== 
- 
-Some items are required before being able to practice this objective. 
- 
-  * [[linux_wiki:rhce#lab_setup|Lab Setup]]: Ensure you have already setup your [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA server]]. (ipa.example.com) 
-    * Alternatively, you can [[setup a KDC server|setup a KDC server and client with local accounts]]. 
-    * Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with. 
-  * Lab Setup: An additional system to act as a client. (**server1.example.com**) 
-    * If you are using the FreeIPA server, configure the client to [[linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information|connect to it via ldap]]. 
- 
----- 
- 
-====== Package Install ====== 
- 
-Install the required packages 
-<code bash> 
-yum install krb5-workstation pam_krb5 
-</code> 
- 
----- 
- 
-====== Configure the Kerberos Client ====== 
- 
-**Option 1**: Use authconfig to enable kerberos<code bash>authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update</code> 
- 
-**Option 2**: Use authconfig-tui to enable kerberos 
-  * Open authconfig-tui<code bash>authconfig-tui</code> 
-  * Authentication Configuration 
-    * Under Authentication -> select "Use Kerberos", then Next 
-  * LDAP Settings -> Do not change anything, Next 
-  * Kerberos Settings 
-    * Realm: EXAMPLE.COM 
-    * KDC: ipa.example.com 
-    * Admin Server: ipa.example.com 
-  * Ok 
- 
----- 
- 
-Test a kerberos ticket 
-  * Login as a LDAP user<code bash>su - linda</code> 
-  * Get a kerberos ticket<code bash>kinit linda</code> 
-  * View ticket<code bash>klist</code> 
-  * SSH to another system<code bash>ssh ipa.example.com</code> 
- 
----- 
- 
-====== Configure the Client OS Components ====== 
- 
-===== SSH ===== 
- 
-Uncomment the required GSSAPI lines 
-<code bash> 
-vim /etc/ssh/sshd_config 
- 
-GSSAPIAuthentication yes 
-GSSAPICleanupCredentials yes 
-</code> 
- 
-\\ 
-Reload the SSHD config 
-<code bash> 
-systemctl reload sshd 
-</code> 
- 
-===== PAM ===== 
- 
-Configure PAM to enable krb5 
-<code bash> 
-authconfig --enablekrb5 --update 
-</code> 
- 
----- 
- 
-====== Test The Client ====== 
- 
-Change to the user 
-<code bash> 
-su - user1 
-</code> 
- 
-\\ 
-Initialize kerberos 
-<code bash> 
-kinit 
-</code> 
- 
-\\ 
-SSH to to the KDC server 
-<code bash> 
-ssh ipa.example.com 
-</code> 
-  * Should not be prompted for a password due to initializing a kerberos ticket 
- 
----- 
  
  • linux_wiki/configure_a_system_to_authenticate_using_kerberos.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)