Differences
This shows you the differences between two versions of the page.
linux_wiki:setup_a_kdc_server [2018/04/15 23:28] billdozor
linux_wiki:setup_a_kdc_server [2019/05/25 23:50]
Line 1: | Line 1: | ||
- | ====== Setup A KDC Server ====== | ||
- | **General Information** | ||
- | |||
- | Setting up a KDC server for practice with RHCE Exam Objective: " | ||
- | |||
- | The second part is setting up a KDC client with local accounts as well. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Lab Setup ====== | ||
- | |||
- | The following virtual machines will be used: | ||
- | * server1.example.com (192.168.1.150) -> Kerberos Client | ||
- | * server2.example.com (192.168.1.151) -> Kerberos KDC | ||
- | |||
- | ---- | ||
- | |||
- | ====== Prerequisites ====== | ||
- | |||
- | * Fully qualified domain names are required | ||
- | * Setup /etc/hosts with IP addresses and FQDNs | ||
- | * **This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos.** (which is why local users are created) | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos KDC: Install Packages ====== | ||
- | |||
- | Install main packages required | ||
- | <code bash> | ||
- | yum install krb5-server krb5-workstation pam_krb5 | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos KDC: Configure the Server ====== | ||
- | |||
- | **KDC Config**: Replace domain with desired domain | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | .... | ||
- | [realms] | ||
- | MYDOMAIN.COM = { | ||
- | .... | ||
- | </ | ||
- | |||
- | \\ | ||
- | **Kadmin ACL**: Edit / | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | */ | ||
- | </ | ||
- | |||
- | \\ | ||
- | **KRB5 Client Config**: Edit / | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | .... | ||
- | default_realm = MYDOMAIN.COM | ||
- | .... | ||
- | [realms] | ||
- | MYDOMAIN.COM = { | ||
- | kdc = server2.mydomain.com | ||
- | admin_server = server2.mydomain.com | ||
- | } | ||
- | |||
- | [domain_realm] | ||
- | .mydomain.com = MYDOMAIN.COM | ||
- | mydomain.com = MYDOMAIN.COM | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos KDC: Create the KDC Database and Start ====== | ||
- | |||
- | Create the Kerberos database | ||
- | <code bash> | ||
- | kdb5_util -r MYDOMAIN.COM create -s | ||
- | </ | ||
- | * -r -> realm name | ||
- | * create -s -> Create database with stash file for master database key | ||
- | * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database. | ||
- | |||
- | \\ | ||
- | Enable and start the services | ||
- | <code bash> | ||
- | systemctl enable kadmin krb5kdc | ||
- | systemctl start kadmin krb5kdc | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos KDC: Create Principals for Users and Hosts ====== | ||
- | |||
- | Open the Kerberos admin tool | ||
- | <code bash> | ||
- | kadmin.local | ||
- | </ | ||
- | |||
- | \\ | ||
- | Add the principal for root/admin | ||
- | <code bash> | ||
- | addprinc root/admin | ||
- | </ | ||
- | * Enter a new password for root/admin | ||
- | |||
- | \\ | ||
- | Add a user principal | ||
- | <code bash> | ||
- | addprinc user1 | ||
- | </ | ||
- | * Prompted for a new password for user1 | ||
- | |||
- | \\ | ||
- | Add hostname of the KDC server so the kerberos database knows about the server it is installed on | ||
- | <code bash> | ||
- | addprinc -randkey host/ | ||
- | </ | ||
- | |||
- | \\ | ||
- | Add host principal to the local keytab (/ | ||
- | <code bash> | ||
- | ktadd host/ | ||
- | </ | ||
- | |||
- | \\ | ||
- | Exit the Kerberos admin tool | ||
- | <code bash> | ||
- | exit | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos KDC: Setup OS Components for Testing ====== | ||
- | |||
- | ===== SSH ===== | ||
- | |||
- | Configure SSH | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | GSSAPIAuthentication yes | ||
- | </ | ||
- | |||
- | \\ | ||
- | Reload the SSHD config | ||
- | <code bash> | ||
- | systemctl reload sshd | ||
- | </ | ||
- | |||
- | ===== Authentication ===== | ||
- | |||
- | Configure PAM authentication (authconfig) to enable krb5 | ||
- | <code bash> | ||
- | authconfig --enablekrb5 --update | ||
- | </ | ||
- | |||
- | ===== Firewall ===== | ||
- | |||
- | Copy the built in kerberos xml file to the over ride location | ||
- | <code bash> | ||
- | cp / | ||
- | </ | ||
- | |||
- | \\ | ||
- | Edit the kerberos.xml file and add the kadmin port | ||
- | <code bash> | ||
- | .... | ||
- | <port protocol=" | ||
- | </ | ||
- | </ | ||
- | * The built in kerberos service does NOT include tcp/749 (kadmin) | ||
- | * If you don't remember the port, check ss or netstat for listening kadmin services< | ||
- | netstat -antp | grep kadmin</ | ||
- | |||
- | \\ | ||
- | Open up firewall ports | ||
- | <code bash> | ||
- | firewall-cmd --permanent --add-service=kerberos | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos KDC: Test the KDC Server ====== | ||
- | |||
- | Add a user account | ||
- | <code bash> | ||
- | useradd user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Switch to that user | ||
- | <code bash> | ||
- | su - user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize Kerberos authentication | ||
- | <code bash> | ||
- | kinit | ||
- | </ | ||
- | * Prompted for user1 principal password created earlier | ||
- | |||
- | \\ | ||
- | SSH to the fully qualified name of the local system | ||
- | <code bash> | ||
- | ssh server2.mydomain.com | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos Client: Package Install ====== | ||
- | |||
- | Install the required packages | ||
- | <code bash> | ||
- | yum install krb5-workstation pam_krb5 | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos Client: Configure the Kerberos Client ====== | ||
- | |||
- | Setup the krb5.conf file | ||
- | * Edit / | ||
- | * OR copy the / | ||
- | |||
- | \\ | ||
- | Create the user | ||
- | <code bash> | ||
- | useradd user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Open the Kerberos admin tool on the client system | ||
- | <code bash> | ||
- | kadmin | ||
- | </ | ||
- | |||
- | \\ | ||
- | Add a new principal host for the client to the keberos database | ||
- | <code bash> | ||
- | addprinc -randkey host/ | ||
- | </ | ||
- | |||
- | \\ | ||
- | Create the local keytab file for the client | ||
- | <code bash> | ||
- | ktadd host/ | ||
- | </ | ||
- | |||
- | \\ | ||
- | Exit the admin tool | ||
- | <code bash> | ||
- | exit | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos Client: Configure the Client OS Components ====== | ||
- | |||
- | ===== SSH ===== | ||
- | |||
- | Uncomment the required GSSAPI lines | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | GSSAPIAuthentication yes | ||
- | </ | ||
- | |||
- | \\ | ||
- | Reload the SSHD config | ||
- | <code bash> | ||
- | systemctl reload sshd | ||
- | </ | ||
- | |||
- | ===== Authentication ===== | ||
- | |||
- | Configure PAM authentication to enable krb5 | ||
- | <code bash> | ||
- | authconfig --enablekrb5 --update | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Kerberos Client: Test The Client ====== | ||
- | |||
- | Change to the user | ||
- | <code bash> | ||
- | su - user1 | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize kerberos | ||
- | <code bash> | ||
- | kinit | ||
- | </ | ||
- | |||
- | \\ | ||
- | SSH to to the KDC server | ||
- | <code bash> | ||
- | ssh server2.example.com | ||
- | </ | ||
- | * Should not be prompted for a password due to initializing a kerberos ticket | ||
- | |||
- | ---- |
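Review bot: this revision deletes the whole page body, from the "Setup A KDC Server" heading down to the final client test, and puts nothing in its place, not even a line saying where the procedure moved or why it was retired; a wiki page that silently goes blank is indistinguishable from vandalism in the history, so the edit should carry a short note. If the content is restored, three things in the removed text should be fixed at the same time. First, the host names are inconsistent: the lab setup names server1.example.com and server2.example.com, but the krb5.conf `[realms]` block points `kdc` and `admin_server` at server2.mydomain.com, the `[domain_realm]` section maps only `.mydomain.com`, the server-side test runs `ssh server2.mydomain.com`, and the client-side test runs `ssh server2.example.com`; the host principal added with `addprinc -randkey host/...` and stored with `ktadd` has to match the name the client actually resolves, so one domain should be used throughout. Second, `kdb5_util -r MYDOMAIN.COM create -s` writes the database master key to a stash file so krb5kdc can start unattended, and the bullet explaining `-s` should add that the stash file and the KDC database must stay readable by root only, since whoever can read them holds every key in the realm. Third, the kadm5.acl line is cut off at `*/` in this diff, so the restored text needs the complete rule, together with a sentence noting that a wildcard rule on the admin instance grants its permissions to every principal that matches, not just the root/admin principal created a few steps later.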