linux_wiki:configure_a_system_to_authenticate_using_kerberos

Differences

This shows you the differences between two versions of the page.

linux_wiki:configure_a_system_to_authenticate_using_kerberos [2016/09/13 22:34]
billdozor [Configure the Kerberos Client]
linux_wiki:configure_a_system_to_authenticate_using_kerberos [2019/05/25 23:50] (current)
Line 4: Line 4:
  
 Setting up a client to authenticate using kerberos.  Setting up a client to authenticate using kerberos. 
 +
 +----
 +
 +====== Lab Setup ======
 +
 +The following virtual machines will be used:
 +  * server1.example.com (192.168.1.150) -> Client for kerberos authentication
 +  * ipa.example.com (192.168.1.152) -> FreeIPA server/kerberos server
 +
 +----
 +
 +====== Help ======
 +
 +Finding help in this section.
 +  * authconfig help, filter for krb<code bash>authconfig --help | grep krb</code>
  
 ---- ----
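Review bot: the new "Lab Setup" section overlaps the "Lab Setup" bullets that the page keeps further down (the hunk at Line 12 still reads "Lab Setup: Ensure you have already setup your FreeIPA server" and "Lab Setup: An additional system to act as a client"); either fold the host/IP/role list into those existing bullets or have them point at this section, so the two lists cannot drift apart as the lab changes. Minor: "Finding help in this section." is a sentence fragment; "Where to find help for this section:" reads better, and the `authconfig --help | grep krb` bullet could mention `man authconfig` for the full description of each --krb5 flag used later on the page.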
Line 12: Line 27:
  
   * [[linux_wiki:rhce#lab_setup|Lab Setup]]: Ensure you have already setup your [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA server]]. (ipa.example.com)   * [[linux_wiki:rhce#lab_setup|Lab Setup]]: Ensure you have already setup your [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA server]]. (ipa.example.com)
-    * Alternatively, you can [[setup a KDC server]].+    * Alternatively, you can [[setup a KDC server|setup a KDC server and client with local accounts]].
     * Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.     * Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.
   * Lab Setup: An additional system to act as a client. (**server1.example.com**)   * Lab Setup: An additional system to act as a client. (**server1.example.com**)
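Review bot: the changed wikilink `[[setup a KDC server|setup a KDC server and client with local accounts]]` has no namespace prefix, while the same target is written as `[[linux_wiki:setup_a_kdc_server#...|See here for more details]]` in the Line 30 hunk; use `[[linux_wiki:setup_a_kdc_server|setup a KDC server and client with local accounts]]` here so the link resolves to the same page in the `linux_wiki:` namespace rather than depending on the current page's namespace.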
Line 30: Line 45:
 ====== Configure the Kerberos Client ====== ====== Configure the Kerberos Client ======
  
-Setup the krb5.conf file +**Option 1**: Use authconfig to enable kerberos<code bash>authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update</code> 
-  Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain +  * Note: If you get this message: "authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly." 
-  * OR copy the /etc/krb5.conf file from the KDC server to the client+    * You did not install "pam_krb5"<code bash>yum install pam_krb5</code>
  
 \\ \\
-Create the user (**if not using LDAP/FreeIPA**) +**Option 2**: Use authconfig-tui to enable kerberos 
-<code bash> +  * Open authconfig-tui<code bash>authconfig-tui</code> 
-useradd user1 +  * Authentication Configuration 
-</code>+    * Under Authentication -> select "Use Kerberos", then Next 
 +  * LDAP Settings -> Do not change anything, Next 
 +  * Kerberos Settings 
 +    * Realm: EXAMPLE.COM 
 +    * KDC: ipa.example.com 
 +    * Admin Server: ipa.example.com 
 +  * Ok
  
-\\ +===== Add Client Host to The Kerberos Server =====
-Open the Kerberos admin tool on the client system +
-<code bash> +
-kadmin +
-</code>+
  
-\\ +The kerberos server (KDC) must have an entry for the client host.
-Add the client hostname +
-<code bash> +
-addprinc -randkey host/server1.example.com +
-</code>+
  
-\\ +A kerberos client keytab (containing client host identification) will probably be provided in the exam.
-Create the local keytab file for the client hostname +
-<code bash> +
-ktadd host/server1.example.com +
-</code>+
  
-\\ +For lab purposes, you may need to add the client and generate a keytab.
-Exit the admin tool +
-<code bash> +
-exit +
-</code>+
  
----- +[[linux_wiki:setup_a_kdc_server#kerberos_clientconfigure_the_kerberos_client|See here for more details]].
- +
-====== Configure the Client OS Components ====== +
- +
-===== SSH ===== +
- +
-Uncomment the required GSSAPI lines +
-<code bash> +
-vim /etc/ssh/sshd_config +
- +
-GSSAPIAuthentication yes +
-GSSAPICleanupCredentials yes +
-</code> +
- +
-\\ +
-Reload the SSHD config +
-<code bash> +
-systemctl reload sshd +
-</code> +
- +
-===== PAM ===== +
- +
-Configure PAM to enable krb5 +
-<code bash> +
-authconfig --enablekrb5 --update +
-</code>+
  
 ---- ----
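Review bot: the removed "Configure the Client OS Components" section (sshd_config `GSSAPIAuthentication yes` / `GSSAPICleanupCredentials yes` and `systemctl reload sshd`) has no replacement in Option 1 or Option 2, which only cover PAM via authconfig; either state explicitly that the client's sshd does not need changing for the outbound `ssh ipa.example.com` test, or keep those lines for the case where server1 must also accept Kerberos logins, otherwise a reader following the new text cannot tell whether GSSAPI SSH is still expected to work. The new "Add Client Host to The Kerberos Server" text says a keytab will "probably be provided" but not where it has to be placed or how to confirm it is in use; a sentence naming the file location and the verification command (`klist -k` lists the principals in the default keytab), plus a reminder that the keytab holds the host key and must stay root-owned and unreadable by other users, would close that gap. Also "Add Client Host to The Kerberos Server" should be "Add Client Host to the Kerberos Server" to match the capitalisation of the other headings.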
Line 95: Line 75:
 ====== Test The Client ====== ====== Test The Client ======
  
-Change to the user +  * Login as a LDAP user<code bash>su - robert</code> 
-<code bash> +  * Get a kerberos ticket<code bash>kinit robert</code> 
-su - user1 +  * View ticket<code bash>klist</code> 
-</code> +  SSH to another system<code bash>ssh ipa.example.com</code> 
- +    * Should not be prompted for a password due to initializing a kerberos ticket
-\\ +
-Initialize kerberos +
-<code bash> +
-kinit +
-</code> +
- +
-\\ +
-SSH to to the KDC server +
-<code bash> +
-ssh ipa.example.com +
-</code> +
-  * Should not be prompted for a password due to initializing a kerberos ticket+
  
 ---- ----
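Review bot: the line `  SSH to another system<code bash>ssh ipa.example.com</code>` is missing its `* ` bullet marker, so DokuWiki will render it as preformatted text instead of the fourth list item and the "Should not be prompted for a password" sub-bullet beneath it will not nest; write it as `  * SSH to another system<code bash>ssh ipa.example.com</code>` like the three items above it. Grammar: "Login as a LDAP user" should be "Log in as an LDAP user". The success check is weaker than it could be: not being prompted for a password does not by itself prove Kerberos was used (an ssh key or cached password would also suppress the prompt), so suggest adding `ssh -v ipa.example.com` and pointing out that the verbose output names the authentication method that succeeded (gssapi-with-mic), or running `klist` again afterwards to show the host/ipa.example.com service ticket that the GSSAPI exchange obtains.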
  
  • linux_wiki/configure_a_system_to_authenticate_using_kerberos.1473820441.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)