Configure A System To Authenticate Using Kerberos
General Information
Setting up a client to authenticate using Kerberos.
Prerequisites
Some items are required before being able to practice this objective.
- Lab Setup: Ensure you have already set up your FreeIPA server. (ipa.example.com)
- Alternatively, you can set up a KDC server.
- Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.
- Lab Setup: An additional system to act as a client. (server1.example.com)
Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Configure the Kerberos Client
Setup the krb5.conf file
- Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
- OR copy the /etc/krb5.conf file from the KDC server to the client
Create the user
useradd user1
Open the Kerberos admin tool on the client system
kadmin
Add the client hostname
addprinc -randkey host/server1.example.com
Create the local keytab file for the client hostname
ktadd host/server1.example.com
Exit the admin tool
quit
Configure the Client OS Components
SSH
Uncomment the required GSSAPI lines
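vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
Enable credential delegation in the SSH client configuration (GSSAPIDelegateCredentials is an ssh_config option; sshd does not accept it in sshd_config)
vim /etc/ssh/ssh_config
GSSAPIDelegateCredentials yes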
Reload the SSHD config
systemctl reload sshd
PAM
Configure PAM to enable krb5
authconfig --enablekrb5 --update
Test The Client
Change to the user
su - user1
Initialize Kerberos
kinit
SSH to the KDC server
ssh ipa.example.com
- You should not be prompted for a password, because kinit has already obtained a Kerberos ticket
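If the SSH test still prompts for a password, the three things this procedure changes can be checked directly. The script below is an added example, not part of the original page; its function names are illustrative, and it assumes `klist -k` output has been saved to a file.

```shell
#!/usr/bin/env bash
# Added example: offline checks for the three things the procedure changes.
# Function names are illustrative and not part of any tool.

# Effective global value of an sshd_config keyword (first occurrence wins,
# keywords are case-insensitive, Match blocks are not evaluated).
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -F'[ \t=]+' -v key="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {  # usage: krb5_default_realm FILE
    awk -F'=' '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }
    ' "$1"
}

# Reads `klist -k` output on stdin; succeeds if host/FQDN@REALM is listed.
keytab_has_host() {  # usage: klist -k | keytab_has_host FQDN REALM
    awk -v want="host/$1@$2" '$2 == want { found = 1 } END { exit !found }'
}

# Runs all three checks; prints one line per failure, non-zero on any failure.
# usage: check_client SSHD_CONFIG KRB5_CONF KLIST_OUTPUT_FILE FQDN REALM
check_client() {
    local rc=0 gss realm
    gss=$(sshd_effective "$1" GSSAPIAuthentication)
    [ "$gss" = "yes" ] || { echo "FAIL: GSSAPIAuthentication=${gss:-unset} in $1"; rc=1; }
    realm=$(krb5_default_realm "$2")
    [ "$realm" = "$5" ] || { echo "FAIL: default_realm=${realm:-unset}, expected $5"; rc=1; }
    keytab_has_host "$4" "$5" < "$3" || { echo "FAIL: host/$4@$5 not in keytab"; rc=1; }
    return "$rc"
}

# On the client, as root (klist -k reads /etc/krb5.keytab by default):
#   klist -k > /tmp/keytab.txt
#   check_client /etc/ssh/sshd_config /etc/krb5.conf /tmp/keytab.txt server1.example.com EXAMPLE.COM
```

An unset GSSAPIAuthentication is reported as a failure because sshd then falls back to its built-in default of no.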