Setup A KDC Server

General Information

Setting up a KDC server for practice with the RHCE Exam Objectives “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.

The second part covers setting up a Kerberos client that also uses local accounts.


Prerequisites

  • Fully qualified domain names are required
    • Set up /etc/hosts with IP addresses and FQDNs
  • This setup assumes you are NOT combining Kerberos with LDAP or FreeIPA (which is why local users are created)

Server: Install Packages

Install the required packages

yum install krb5-server krb5-workstation pam_krb5

Server: Configure the Server

Replace the realm name with the desired domain (realm names are conventionally the domain in upper case)

vim /var/kerberos/krb5kdc/kdc.conf
 
....
[realms]
MYDOMAIN.COM = {
....


Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain

vim /etc/krb5.conf
 
....
default_realm = MYDOMAIN.COM
....
[realms]
MYDOMAIN.COM = {
  kdc = server3.mydomain.com
  admin_server = server3.mydomain.com
}
 
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM


Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with the desired domain

vim /var/kerberos/krb5kdc/kadm5.acl
 
*/admin@MYDOMAIN.COM  *
  • Grants full administrative rights (the trailing *) to every principal in the realm with an /admin instance, such as root/admin created below

Server: Create the KDC Database and Start

Create the Kerberos database

kdb5_util create -s -r MYDOMAIN.COM
  • -s → Create a stash file for the master database key, so the KDC can start without prompting for it
  • -r → realm name
  • You will be prompted to enter a KDC database master password after a few minutes. It takes time because it gathers random entropy for the master key.


Enable and start the services

systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc

Create Users and Principals

Open the Kerberos admin tool

kadmin.local


Add the principal for root/admin

addprinc root/admin
  • Enter a new password for root/admin


Add a user principal

addprinc user1
  • Prompted for a new password for user1


Add a host principal for the server so Kerberos knows about it (-randkey gives it a random key instead of a password)

addprinc -randkey host/server3.mydomain.com


Extract the host principal's key into the local keytab, /etc/krb5.keytab

ktadd host/server3.mydomain.com


Exit the Kerberos admin tool

exit

Setup OS Components for Testing

Configure SSH

vim /etc/ssh/sshd_config
 
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Reload the SSHD config

systemctl reload sshd

Configure authentication (authconfig) to enable krb5 in PAM

authconfig --enablekrb5 --update

Copy the built-in kerberos firewalld service file to the override location

cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml


Edit the copied kerberos.xml file and add the kadmin port before the closing tag

....
  <port protocol="tcp" port="749"/>
</service>
  • The built-in kerberos service does NOT include tcp/749 (kadmin), so without this line remote kadmin from clients is blocked


Open up firewall ports

firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
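Before starting the services, the three files edited above can be checked for the mistakes that most often break this setup: a realm name that differs between sections of krb5.conf, a [domain_realm] mapping that does not cover the KDC host, a kadm5.acl entry that does not match the realm, and a kerberos.xml without the kadmin port. This is an added example and not part of the wiki page; it writes constructed copies of the files to a temporary directory and checks those, so on a real server point the functions at /etc/krb5.conf, /var/kerberos/krb5kdc/kadm5.acl and /etc/firewalld/services/kerberos.xml instead.

```shell
# Constructed samples of the three edited files, written to a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  kdc = server3.mydomain.com
  admin_server = server3.mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
EOF
cat > "$WORK/kadm5.acl" <<'EOF'
*/admin@MYDOMAIN.COM  *
EOF
cat > "$WORK/kerberos.xml" <<'EOF'
<service>
  <port protocol="tcp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>
EOF

# Print the default_realm value from a krb5.conf (first match only).
krb5_default_realm() {
  sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if default_realm has a [realms] stanza and the kdc host's domain
# maps back to that same realm in [domain_realm], i.e. the edits made above agree.
krb5_realm_consistent() {
  realm=$(krb5_default_realm "$1")
  [ -n "$realm" ] || return 1
  grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$1" || return 1
  kdc=$(sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  domain=${kdc#*.}    # server3.mydomain.com -> mydomain.com
  grep -q "^[[:space:]]*\.$domain[[:space:]]*=[[:space:]]*$realm\$" "$1"
}

# Succeed only if kadm5.acl gives the realm's */admin instances full rights.
kadm5_admin_acl_ok() {
  grep -q "^\*/admin@$2[[:space:]]*\*" "$1"
}

# Succeed only if the firewalld service file opens tcp/749 for kadmin.
kerberos_xml_has_kadmin_port() {
  grep -q '<port protocol="tcp" port="749"/>' "$1"
}
```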

Test the KDC Server

Add a user account

useradd user1


Switch to that user

su - user1


Initialize Kerberos authentication

kinit
  • Prompted for the user1 principal password created earlier


SSH to the fully qualified name of the local system

ssh server3.mydomain.com

Client: Package Install

Install the required packages

yum install krb5-workstation pam_krb5

Client: Configure the Kerberos Client

Setup the krb5.conf file

  • Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
  • OR copy the /etc/krb5.conf file from the KDC server to the client


Create the user

useradd user1


Open the Kerberos admin tool on the client system (kadmin connects to the admin server over the network, unlike kadmin.local)

kadmin
  • When run as root it authenticates as root/admin by default; enter the root/admin password created on the server


Add the client hostname

addprinc -randkey host/server1.example.com


Create the local keytab file for the client hostname

ktadd host/server1.example.com


Exit the admin tool

exit

Client: Configure the Client OS Components

Uncomment the required GSSAPI lines in the SSH server config

vim /etc/ssh/sshd_config
 
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes


Reload the SSHD config

systemctl reload sshd

Configure PAM to enable krb5

authconfig --enablekrb5 --update

Client: Test The Client

Change to the user

su - user1


Initialize Kerberos authentication

kinit


SSH to the KDC server

ssh ipa.example.com
  • You should not be prompted for a password, because kinit already obtained a Kerberos ticket that SSH uses via GSSAPI

  • Last modified: 2019/05/25 23:50