This is an old revision of the document!
Configure A System To Authenticate Using Kerberos
General Information
Setting up a client to authenticate using kerberos.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Client for kerberos authentication
- ipa.example.com (192.168.1.152) → FreeIPA server/kerberos server
Prerequisites
Some items are required before being able to practice this objective.
- Lab Setup: Ensure you have already setup your FreeIPA server. (ipa.example.com)
- Alternatively, you can setup a KDC server and client with local accounts.
- Creating a KDC server/FreeIPA server is not a RHCE Exam Objective, but you will need one to practice with.
- Lab Setup: An additional system to act as a client. (server1.example.com)
- If you are using the FreeIPA server, configure the client to connect to it via ldap.
Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Configure the Kerberos Client
Option 1: Use authconfig to enable kerberos
authconfig --enablekrb5 --krb5kdc=ipa.example.com --krb5realm=EXAMPLE.COM --krb5adminserver=ipa.example.com --update
- Note: If you get this message: “authconfig: Authentication module /usr/lib64/security/pam_krb5.so is missing. Authentication process might not work correctly.”
- You did not install “pam_krb5”
Option 2: Use authconfig-tui to enable kerberos
- Open authconfig-tui
authconfig-tui
- Authentication Configuration
- Under Authentication → select “Use Kerberos”, then Next
- LDAP Settings → Do not change anything, Next
- Kerberos Settings
- Realm: EXAMPLE.COM
- KDC: ipa.example.com
- Admin Server: ipa.example.com
- Ok
Test The Client
- Login as a LDAP user
su - linda - Get a kerberos ticket
kinit linda
- View ticket
klist
- SSH to another system
ssh ipa.example.com- Should not be prompted for a password due to initializing a kerberos ticket