====== Setup A KDC Server ======

**General Information**

Setting up a KDC server for practice with the RHCE exam objectives "Configure a system to authenticate using Kerberos" and "Use Kerberos to control access to NFS network shares". The second part sets up a KDC client with local accounts as well.

----

====== Lab Setup ======

The following virtual machines will be used:

  * server1.example.com (192.168.1.150) -> Kerberos Client
  * server2.example.com (192.168.1.151) -> Kerberos KDC

----

====== Prerequisites ======

  * Fully qualified domain names are required
  * Set up /etc/hosts with IP addresses and FQDNs
  * **This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos** (which is why local users are created)

----

====== Kerberos KDC: Install Packages ======

Install the main packages required
<code bash>
yum install krb5-server krb5-workstation pam_krb5
</code>

----

====== Kerberos KDC: Configure the Server ======

**KDC Config**: Replace the domain with the desired domain
<code bash>
vim /var/kerberos/krb5kdc/kdc.conf
....
[realms]
MYDOMAIN.COM = {
....
</code>
\\
**Kadmin ACL**: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with the desired domain. The single line below grants every principal with an /admin instance in the realm all kadmin privileges, so only create such principals for accounts that should administer the realm.
<code bash>
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM *
</code>
\\
**KRB5 Client Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
<code bash>
vim /etc/krb5.conf
....
default_realm = MYDOMAIN.COM
....
[realms]
MYDOMAIN.COM = {
 kdc = server2.mydomain.com
 admin_server = server2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
</code>

----

====== Kerberos KDC: Create the KDC Database and Start ======

Create the Kerberos database
<code bash>
kdb5_util -r MYDOMAIN.COM create -s
</code>
  * -r -> realm name
  * create -s -> Create the database with a stash file for the master database key
  * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time because the master key needs random data from the system's entropy pool.
\\
Enable and start the services
<code bash>
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
</code>

----

====== Kerberos KDC: Create Principals for Users and Hosts ======

Open the Kerberos admin tool
<code bash>
kadmin.local
</code>
\\
Add the principal for root/admin
<code bash>
addprinc root/admin
</code>
  * Enter a new password for root/admin
\\
Add a user principal
<code bash>
addprinc user1
</code>
  * Prompted for a new password for user1
\\
Add the hostname of the KDC server so the Kerberos database knows about the server it is installed on
<code bash>
addprinc -randkey host/server2.mydomain.com
</code>
\\
Add the host principal to the local keytab (/etc/krb5.keytab) for automatic use with Kerberos client commands
<code bash>
ktadd host/server2.mydomain.com
</code>
\\
Exit the Kerberos admin tool
<code bash>
exit
</code>

----

====== Kerberos KDC: Setup OS Components for Testing ======

===== SSH =====

Configure SSH
<code bash>
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
</code>
\\
Reload the SSHD config
<code bash>
systemctl reload sshd
</code>

===== Authentication =====

Configure PAM authentication (authconfig) to enable krb5
<code bash>
authconfig --enablekrb5 --update
</code>

===== Firewall =====

Copy the built-in kerberos service definition to the override location (a file in /etc/firewalld/services takes precedence over the packaged copy in /usr/lib/firewalld/services)
<code bash>
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
</code>
\\
Edit the kerberos.xml file and add the kadmin port
<code bash>
....
<port protocol="tcp" port="749"/>
</service>
</code>
  * The built-in kerberos service does NOT include tcp/749 (kadmin)
  * If you don't remember the port, check ss or netstat for listening kadmin services
<code bash>
ss -antp | grep kadmin
netstat -antp | grep kadmin
</code>
\\
Open up the firewall ports
<code bash>
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
</code>

----

====== Kerberos KDC: Test the KDC Server ======

Add a user account
<code bash>
useradd user1
</code>
\\
Switch to that user
<code bash>
su - user1
</code>
\\
Initialize Kerberos authentication
<code bash>
kinit
</code>
  * Prompted for the user1 principal password created earlier
\\
SSH to the fully qualified name of the local system
<code bash>
ssh server2.mydomain.com
</code>

----

====== Kerberos Client: Package Install ======

Install the required packages
<code bash>
yum install krb5-workstation pam_krb5
</code>

----

====== Kerberos Client: Configure the Kerberos Client ======

Set up the krb5.conf file
  * Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
  * OR copy the /etc/krb5.conf file from the KDC server to the client
\\
Create the user
<code bash>
useradd user1
</code>
\\
Open the Kerberos admin tool on the client system
<code bash>
kadmin
</code>
\\
Add a new host principal for the client to the Kerberos database
<code bash>
addprinc -randkey host/server1.example.com
</code>
\\
Create the local keytab file for the client
<code bash>
ktadd host/server1.example.com
</code>
\\
Exit the admin tool
<code bash>
exit
</code>

----

====== Kerberos Client: Configure the Client OS Components ======

===== SSH =====

Uncomment the required GSSAPI lines
<code bash>
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
</code>
\\
Reload the SSHD config
<code bash>
systemctl reload sshd
</code>

===== Authentication =====

Configure PAM authentication to enable krb5
<code bash>
authconfig --enablekrb5 --update
</code>

----

====== Kerberos Client: Test The Client ======

Change to the user
<code bash>
su - user1
</code>
\\
Initialize Kerberos
<code bash>
kinit
</code>
\\
SSH to the KDC server
<code bash>
ssh server2.example.com
</code>
  * You should not be prompted for a password, because kinit obtained a Kerberos ticket and GSSAPI uses it for the SSH login

----

linux_wiki/setup_a_kdc_server.txt · Last modified: 2019/05/25 23:50 (external edit)
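As an added example that is not part of the wiki page or its author's procedure: a POSIX shell pre-flight script that checks the four files the KDC and client sections above edit (/etc/krb5.conf, kadm5.acl, the firewalld kerberos.xml override and sshd_config) for the mistakes that most often make the final kinit-then-ssh test prompt for a password anyway. It catches a default_realm with no matching [realms] stanza or [domain_realm] mapping (the mixed-domain case, where the KDC hostnames come from one domain while the mapping is left at EXAMPLE.COM), a kadm5.acl written for a different realm, the missing kadmin port, and a GSSAPIAuthentication keyword whose first occurrence is not yes (sshd honours the first occurrence of a keyword, not the last). The function names, the --system flag and the sample files are assumptions made here; it expects the "key = value" spacing shown in the page's snippets.

```shell
#!/bin/sh
# Added pre-flight checks for the files edited on this page (not the wiki's
# own code). Assumes "key = value" spacing as in the page's snippets.
# Run with --system to check the real files; with no arguments it only
# defines the functions and a make_samples helper for a dry run.

# krb5.conf: default_realm needs a [realms] stanza and at least one
# [domain_realm] mapping, otherwise hosts never resolve to that realm.
check_krb5_conf() {
    awk '
    /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
    sect == "libdefaults" && $1 == "default_realm" { realm = $3 }
    sect == "realms" && $2 == "=" && $3 == "{"     { stanza[$1] = 1 }
    sect == "domain_realm" && $2 == "="            { mapped[$3] = 1 }
    END {
        if (realm == "")        { print "krb5.conf: no default_realm"; exit 1 }
        if (!(realm in stanza)) { print "krb5.conf: no [realms] entry for " realm; exit 1 }
        if (!(realm in mapped)) { print "krb5.conf: nothing in [domain_realm] maps to " realm; exit 1 }
        print "krb5.conf: ok, realm " realm
    }' "$1"
}

# kadm5.acl: at least one uncommented entry must name the expected realm.
check_kadm5_acl() {
    awk -v realm="$2" '
    /^[ \t]*(#|$)/ { next }
    { n = split($1, p, "@"); if (n == 2 && p[2] == realm) found = 1 }
    END { if (!found) { print "kadm5.acl: no entry for realm " realm; exit 1 } }' "$1"
}

# firewalld service file: kadmin (tcp/749) must be listed; as the page notes,
# the stock definition only carries the KDC port.
check_kerberos_xml() {
    grep -E '<port[^>]*>' "$1" | grep -E 'protocol="tcp"' | grep -q 'port="749"' \
        || { echo "kerberos.xml: tcp/749 (kadmin) missing"; return 1; }
    echo "kerberos.xml: ok"
}

# sshd uses the FIRST occurrence of a keyword, so that is the one checked.
check_sshd_config() {
    v=$(awk 'tolower($1) == "gssapiauthentication" { print tolower($2); exit }' "$1")
    [ "$v" = "yes" ] || { echo "sshd_config: GSSAPIAuthentication is '${v:-unset}'"; return 1; }
    echo "sshd_config: ok"
}

# Constructed sample files (not captured from a real host) for a dry run;
# prints the temporary directory that holds them.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  kdc = server2.mydomain.com
  admin_server = server2.mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
EOF
    # Mixed-domain mistake: realm renamed, but the mapping left at EXAMPLE.COM.
    cat > "$d/krb5-mixed.conf" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  kdc = server2.mydomain.com
 }
[domain_realm]
 .example.com = EXAMPLE.COM
EOF
    printf '*/admin@MYDOMAIN.COM *\n' > "$d/kadm5.acl"
    cat > "$d/kerberos.xml" <<'EOF'
<service>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>
EOF
    printf '#GSSAPIAuthentication no\nGSSAPIAuthentication yes\n' > "$d/sshd_config"
    echo "$d"
}

if [ "${1:-}" = "--system" ]; then
    realm=$(awk '$1 == "default_realm" { print $3; exit }' /etc/krb5.conf)
    check_krb5_conf /etc/krb5.conf
    check_kadm5_acl /var/kerberos/krb5kdc/kadm5.acl "$realm"
    check_kerberos_xml /etc/firewalld/services/kerberos.xml
    check_sshd_config /etc/ssh/sshd_config
fi
```

Each check returns non-zero and prints one line naming the file and the problem, so the script can gate a configuration-management run or be called from a shell prompt before the kinit test; the checks read the files only and change nothing.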