linux_wiki:setup_a_kdc_server

linux_wiki:setup_a_kdc_server [2018/04/15 23:25]
billdozor
linux_wiki:setup_a_kdc_server [2019/05/25 23:50]
Line 1: Line 1:
-====== Setup A KDC Server ====== 
  
-**General Information** 
- 
-Setting up a KDC server for practice with RHCE Exam Objective: "Configure a system to authenticate using Kerberos" and "Use Kerberos to control access to NFS network shares". 
- 
-The second part is setting up a KDC client with local accounts as well. 
- 
----- 
- 
-====== Prerequisites ====== 
- 
-  * Fully qualified domain names are required 
-    * Setup /etc/hosts with IP addresses and FQDNs 
-  * **This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos.** (which is why local users are created) 
- 
----- 
- 
-====== Server: Install Packages ====== 
- 
-Install main packages required 
-<code bash> 
-yum install krb5-server krb5-workstation pam_krb5 
-</code> 
- 
----- 
- 
-====== Server: Configure the Server ====== 
- 
-**KDC Config**: Replace domain with desired domain 
-<code bash> 
-vim /var/kerberos/krb5kdc/kdc.conf 
- 
-.... 
-[realms] 
-MYDOMAIN.COM = { 
-.... 
-</code> 
- 
-\\ 
-**Kadmin ACL**: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain 
-<code bash> 
-vim /var/kerberos/krb5kdc/kadm5.acl 
- 
-*/admin@MYDOMAIN.COM  * 
-</code> 
- 
-\\ 
-**KRB5 Client Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain 
-<code bash> 
-vim /etc/krb5.conf 
- 
-.... 
-default_realm = MYDOMAIN.COM 
-.... 
-[realms] 
-MYDOMAIN.COM = { 
-  kdc = server2.mydomain.com 
-  admin_server = server2.mydomain.com 
-} 
- 
-[domain_realm] 
-.mydomain.com = MYDOMAIN.COM 
-mydomain.com = MYDOMAIN.COM 
-</code> 
- 
----- 
- 
-====== Server: Create the KDC Database and Start ====== 
- 
-Create the Kerberos database 
-<code bash> 
-kdb5_util -r MYDOMAIN.COM create -s 
-</code> 
-  * -r  -> realm name 
-  * create -s  -> Create database with stash file for master database key 
-  * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database. 
- 
-\\ 
-Enable and start the services 
-<code bash> 
-systemctl enable kadmin krb5kdc 
-systemctl start kadmin krb5kdc 
-</code> 
- 
----- 
- 
-====== Server: Create Principals for Users and Hosts ====== 
- 
-Open the Kerberos admin tool 
-<code bash> 
-kadmin.local 
-</code> 
- 
-\\ 
-Add the principal for root/admin 
-<code bash> 
-addprinc root/admin 
-</code> 
-  * Enter a new password for root/admin 
- 
-\\ 
-Add a user principal 
-<code bash> 
-addprinc user1 
-</code> 
-  * Prompted for a new password for user1 
- 
-\\ 
-Add hostname of the KDC server so the kerberos database knows about the server it is installed on 
-<code bash> 
-addprinc -randkey host/server2.mydomain.com 
-</code> 
- 
-\\ 
-Add host principal to the local keytab (/etc/krb5.keytab) for automatic use with kerberos client commands 
-<code bash> 
-ktadd host/server2.mydomain.com 
-</code> 
- 
-\\ 
-Exit the Kerberos admin tool 
-<code bash> 
-exit 
-</code> 
- 
----- 
- 
-====== Server: Setup OS Components for Testing ====== 
- 
-===== SSH ===== 
- 
-Configure SSH 
-<code bash> 
-vim /etc/ssh/sshd_config 
- 
-GSSAPIAuthentication yes 
-</code> 
- 
-\\ 
-Reload the SSHD config 
-<code bash> 
-systemctl reload sshd 
-</code> 
- 
-===== Authentication ===== 
- 
-Configure PAM authentication (authconfig) to enable krb5 
-<code bash> 
-authconfig --enablekrb5 --update 
-</code> 
- 
-===== Firewall ===== 
- 
-Copy the built in kerberos xml file to the over ride location 
-<code bash> 
-cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml 
-</code> 
- 
-\\ 
-Edit the kerberos.xml file and add the kadmin port 
-<code bash> 
-.... 
-  <port protocol="tcp" port="749"/> 
-</service> 
-</code> 
-  * The built in kerberos service does NOT include tcp/749 (kadmin) 
-  * If you don't remember the port, check ss or netstat for listening kadmin services<code bash>ss -antp | grep kadmin 
-netstat -antp | grep kadmin</code> 
- 
-\\ 
-Open up firewall ports 
-<code bash> 
-firewall-cmd --permanent --add-service=kerberos 
-firewall-cmd --reload 
-</code> 
- 
----- 
- 
-====== Server: Test the KDC Server ====== 
- 
-Add a user account 
-<code bash> 
-useradd user1 
-</code> 
- 
-\\ 
-Switch to that user 
-<code bash> 
-su - user1 
-</code> 
- 
-\\ 
-Initialize Kerberos authentication 
-<code bash> 
-kinit 
-</code> 
-  * Prompted for user1 principal password created earlier 
- 
-\\ 
-SSH to the fully qualified name of the local system 
-<code bash> 
-ssh server2.mydomain.com 
-</code> 
- 
----- 
- 
-====== Client: Package Install ====== 
- 
-Install the required packages 
-<code bash> 
-yum install krb5-workstation pam_krb5 
-</code> 
- 
----- 
- 
-====== Client: Configure the Kerberos Client ====== 
- 
-Setup the krb5.conf file 
-  * Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain 
-  * OR copy the /etc/krb5.conf file from the KDC server to the client 
- 
-\\ 
-Create the user 
-<code bash> 
-useradd user1 
-</code> 
- 
-\\ 
-Open the Kerberos admin tool on the client system 
-<code bash> 
-kadmin 
-</code> 
- 
-\\ 
-Add a new principal host for the client to the keberos database 
-<code bash> 
-addprinc -randkey host/server1.example.com 
-</code> 
- 
-\\ 
-Create the local keytab file for the client 
-<code bash> 
-ktadd host/server1.example.com 
-</code> 
- 
-\\ 
-Exit the admin tool 
-<code bash> 
-exit 
-</code> 
- 
----- 
- 
-====== Client: Configure the Client OS Components ====== 
- 
-===== SSH ===== 
- 
-Uncomment the required GSSAPI lines 
-<code bash> 
-vim /etc/ssh/sshd_config 
- 
-GSSAPIAuthentication yes 
-</code> 
- 
-\\ 
-Reload the SSHD config 
-<code bash> 
-systemctl reload sshd 
-</code> 
- 
-===== Authentication ===== 
- 
-Configure PAM authentication to enable krb5 
-<code bash> 
-authconfig --enablekrb5 --update 
-</code> 
- 
----- 
- 
-====== Client: Test The Client ====== 
- 
-Change to the user 
-<code bash> 
-su - user1 
-</code> 
- 
-\\ 
-Initialize kerberos 
-<code bash> 
-kinit 
-</code> 
- 
-\\ 
-SSH to to the KDC server 
-<code bash> 
-ssh server2.example.com 
-</code> 
-  * Should not be prompted for a password due to initializing a kerberos ticket 
- 
----- 
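Review bot: the client section is inconsistent with the realm set up in the server section of this same hunk: the server's kdc.conf, kadm5.acl and krb5.conf all use MYDOMAIN.COM with server2.mydomain.com, but the client steps run `addprinc -randkey host/server1.example.com`, `ktadd host/server1.example.com` and `ssh server2.example.com`, which are the EXAMPLE.COM placeholders the same section tells the reader to replace. Followed literally, the client registers a host principal that the KDC's [domain_realm] mapping does not cover and then tests against a hostname that does not exist, so the final "should not be prompted for a password" check cannot succeed; change them to host/server1.mydomain.com and ssh server2.mydomain.com (or use one realm consistently in both halves). Two smaller points in the same hunk: the "Open the Kerberos admin tool on the client system" step runs plain `kadmin` without saying which principal it authenticates as, so a sentence noting that it prompts for the password of an admin principal matching the kadm5.acl entry (root/admin, the only one the page creates) would save a stumble; and the Firewall step adds tcp/749 to the kerberos service and opens it with `firewall-cmd --add-service=kerberos`, which exposes kadmin to every host in that zone, which is fine for exam practice but deserves a note that on anything beyond a lab the kadmin port should be restricted to the admin hosts that need it.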
  • linux_wiki/setup_a_kdc_server.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)