====== Configure A System To Authenticate Using Kerberos ======

**General Information**

Setting up a client to authenticate using Kerberos.

----

====== Lab Setup ======

The following virtual machines will be used:
  * server1.example.com (192.168.1.150) -> Client for Kerberos authentication
  * ipa.example.com (192.168.1.152) -> FreeIPA server/Kerberos server

----

====== Help ======

Finding help in this section.
  * authconfig help, filter for krb<code bash>authconfig --help | grep krb</code>

----

====== Prerequisites ======

Some items are required before being able to practice this objective.
  * [[linux_wiki:rhce#lab_setup|Lab Setup]]: Ensure you have already set up your [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA server]]. (ipa.example.com)
    * Alternatively, you can [[setup a KDC server|set up a KDC server and client with local accounts]].
    * Creating a KDC server/FreeIPA server is not an RHCE Exam Objective, but you will need one to practice with.
  * Lab Setup: An additional system to act as a client. (**server1.example.com**)
    * If you are using the FreeIPA server, configure the client to [[linux_wiki:configure_a_system_to_use_an_existing_authentication_service_for_user_and_group_information|connect to it via LDAP]].

----

====== Package Install ======

Install the required packages
<code bash>
yum install krb5-workstation pam_krb5
</code>

----

====== Configure the Kerberos Client ======

**Option 1**: Use authconfig to enable Kerberos<code bash>authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update</code>
  * Note: If you get this message: "authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly."
    * You did not install "pam_krb5"<code bash>yum install pam_krb5</code>

\\
**Option 2**: Use authconfig-tui to enable Kerberos
  * Open authconfig-tui<code bash>authconfig-tui</code>
  * Authentication Configuration
    * Under Authentication -> select "Use Kerberos", then Next
  * LDAP Settings -> Do not change anything, Next
  * Kerberos Settings
    * Realm: EXAMPLE.COM
    * KDC: ipa.example.com
    * Admin Server: ipa.example.com
    * Ok

===== Add Client Host to The Kerberos Server =====

The Kerberos server (KDC) must have an entry for the client host.

A Kerberos client keytab (containing client host identification) will probably be provided in the exam.

For lab purposes, you may need to add the client and generate a keytab. [[linux_wiki:setup_a_kdc_server#kerberos_clientconfigure_the_kerberos_client|See here for more details]].

----

====== Test The Client ======

  * Log in as an LDAP user<code bash>su - robert</code>
  * Get a Kerberos ticket<code bash>kinit robert</code>
  * View ticket<code bash>klist</code>
  * SSH to another system<code bash>ssh ipa.example.com</code>
    * You should not be prompted for a password, because a Kerberos ticket has been initialized

----

linux_wiki/configure_a_system_to_authenticate_using_kerberos.txt Last modified: 2019/05/25 23:50 (external edit)
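To confirm the client settings from the "Configure the Kerberos Client" section before testing with kinit, the following added example (not part of the original page) parses a krb5.conf file and checks the default realm, KDC and admin server against the lab values. The function names and the sample file contents are constructed for illustration, and it assumes authconfig recorded the settings in /etc/krb5.conf.

```shell
#!/bin/bash
# Added example (not from the original page). Function names are hypothetical.
# check_krb5_conf FILE REALM KDC ADMIN_SERVER -> 0 if FILE matches, 1 otherwise
check_krb5_conf() {
    awk -v realm="$2" -v kdc="$3" -v admin="$4" '
        function strip(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/   { section = strip($0); inrealm = 0; next }
        {
            n = index($0, "=")
            if (n == 0) { if (index($0, "}")) inrealm = 0; next }
            key = strip(substr($0, 1, n - 1))
            val = strip(substr($0, n + 1))
            if (section == "[libdefaults]" && key == "default_realm") defrealm = val
            if (section != "[realms]") next
            # "REALM = {" opens a realm block; realm names are case-sensitive
            if (substr(val, 1, 1) == "{") { inrealm = (key == realm); next }
            sub(/:[0-9]+$/, "", val)                        # drop optional :port
            if (inrealm && key == "kdc" && val == kdc) kdc_ok = 1
            if (inrealm && key == "admin_server" && val == admin) adm_ok = 1
        }
        END {
            if (defrealm != realm) { print "default_realm is \"" defrealm "\", expected " realm; bad = 1 }
            if (!kdc_ok) { print "no kdc = " kdc " in realm " realm; bad = 1 }
            if (!adm_ok) { print "no admin_server = " admin " in realm " realm; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample of a client krb5.conf (not copied from a real host).
# write_sample_conf FILE DEFAULT_REALM
write_sample_conf() {
    cat > "$1" <<EOF
[libdefaults]
 default_realm = $2

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com
  admin_server = ipa.example.com
 }
EOF
}

# Demo run against the constructed sample
tmp=$(mktemp)
write_sample_conf "$tmp" EXAMPLE.COM
check_krb5_conf "$tmp" EXAMPLE.COM ipa.example.com ipa.example.com && echo "krb5.conf OK"
rm -f "$tmp"
```

On the client, point the function at the real file: `check_krb5_conf /etc/krb5.conf EXAMPLE.COM ipa.example.com ipa.example.com`.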