Setup A KDC Server
General Information
Setting up a KDC server to practise the RHCE exam objectives “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.
The second part sets up a KDC client, with local accounts as well.
Prerequisites
- Fully qualified domain names are required
- Setup /etc/hosts with IP addresses and FQDNs
- This setup assumes you are NOT using LDAP or FreeIPA combined with Kerberos (which is why local users are created)
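Most Kerberos setups that fail at the ssh step fail on the hostname prerequisites above: a short name where a FQDN was needed, or a FQDN missing from /etc/hosts. The script below is an added example, not part of the original page, that checks every name the procedure depends on (the KDC host named in krb5.conf and each host/ principal that gets a keytab) against a hosts file. The hosts file content and the 192.0.2.x addresses are constructed for the example.

```shell
#!/bin/bash
# Added example: verify that every name Kerberos will see is a fully
# qualified name that is present in the hosts file. The hosts file content
# below is constructed to match the names used on the wiki page.

HOSTS_SAMPLE=$(mktemp)
cat > "$HOSTS_SAMPLE" <<'EOF'
127.0.0.1   localhost localhost.localdomain
192.0.2.13  server3.mydomain.com server3   # KDC
192.0.2.11  server1.mydomain.com server1   # client
EOF

# is_fqdn NAME -> 0 if NAME contains a dot and does not end with one
is_fqdn() {
    case "$1" in
        *.*.) return 1 ;;   # trailing dot: not what a keytab principal uses
        *.*)  return 0 ;;
        *)    return 1 ;;
    esac
}

# hosts_has_fqdn FILE NAME -> 0 if NAME appears as a hostname field
# (column 2 onwards, comments stripped) in FILE
hosts_has_fqdn() {
    file=$1; name=$2
    awk -v want="$name" '
        { sub(/#.*/, "") }                          # drop comments
        { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# check_host FILE NAME -> prints a verdict; 0 only when NAME is a FQDN
# that the hosts file resolves
check_host() {
    file=$1; name=$2
    if ! is_fqdn "$name"; then
        echo "FAIL: $name is not fully qualified"; return 1
    fi
    if ! hosts_has_fqdn "$file" "$name"; then
        echo "FAIL: $name is missing from $file"; return 1
    fi
    echo "ok: $name"; return 0
}

# Names the page's procedure relies on: the KDC host in krb5.conf and the
# host/ principals on server and client. The short name fails on purpose.
check_host "$HOSTS_SAMPLE" server3.mydomain.com
check_host "$HOSTS_SAMPLE" server1.mydomain.com
check_host "$HOSTS_SAMPLE" server1 || true
```

On a real system run check_host against /etc/hosts with the output of hostname -f; the short-name failure is the case where kinit works but ssh still asks for a password, because the host principal in the keytab does not match the name the client resolved.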
Server: Install Packages
Install the main packages required
yum install krb5-server krb5-workstation pam_krb5
Server: Configure the Server
Replace the realm with the desired domain
vim /var/kerberos/krb5kdc/kdc.conf
....
[realms]
 MYDOMAIN.COM = {
....
Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
vim /etc/krb5.conf
....
default_realm = MYDOMAIN.COM
....
[realms]
 MYDOMAIN.COM = {
  kdc = server3.mydomain.com
  admin_server = server3.mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with the desired domain
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM *
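The krb5.conf edit above is "uncomment the EXAMPLE.COM lines and rename the realm", which is easy to get half right by hand (a realm left commented out, a lower-case domain_realm entry missed). The script below is an added example, not code from the page, that performs the edit with sed on a template and then checks the result the way a reviewer would. The template is a constructed copy of the commented-out stock layout, not the full stock file; realm, domain and KDC host are parameters, and the file is never written to /etc/krb5.conf.

```shell
#!/bin/bash
# Added example (not the wiki page's own code): turn a stock-style, fully
# commented krb5.conf template into the page's MYDOMAIN.COM configuration
# and verify it. TEMPLATE is constructed to mirror the stock layout.

TEMPLATE=$(mktemp)
cat > "$TEMPLATE" <<'EOF'
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 forwardable = true
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
EOF

# render_krb5_conf TEMPLATE REALM DOMAIN KDC_FQDN OUT
# Uncomments only the EXAMPLE.COM placeholder lines (plus the closing brace
# of the realm stanza), then substitutes realm, KDC host and domain.
render_krb5_conf() {
    tpl=$1; realm=$2; domain=$3; kdc=$4; out=$5
    sed -E \
        -e '/EXAMPLE\.COM|example\.com|^# [}]/ s/^#[[:space:]]?//' \
        -e "s/EXAMPLE\.COM/$realm/g" \
        -e "s/kerberos\.example\.com/$kdc/g" \
        -e "s/example\.com/$domain/g" \
        "$tpl" > "$out"
}

# krb5_conf_ok FILE REALM KDC_FQDN -> 0 when no placeholder survives,
# default_realm is set to REALM and the kdc line names KDC_FQDN.
krb5_conf_ok() {
    f=$1; realm=$2; kdc=$3
    ! grep -qi 'example\.com' "$f" || { echo "placeholder left in $f"; return 1; }
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm\$" "$f" \
        || { echo "default_realm not set to $realm"; return 1; }
    grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$kdc\$" "$f" \
        || { echo "kdc not set to $kdc"; return 1; }
    return 0
}

OUT=$(mktemp)
render_krb5_conf "$TEMPLATE" MYDOMAIN.COM mydomain.com server3.mydomain.com "$OUT"
krb5_conf_ok "$OUT" MYDOMAIN.COM server3.mydomain.com && cat "$OUT"
```

The same krb5_conf_ok check is worth running on the client after the file is copied over from the KDC, since a client whose default_realm still reads EXAMPLE.COM fails kinit with an unhelpful "cannot find KDC" error.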
Server: Create the KDC Database and Start
Create the Kerberos database
kdb5_util create -s -r MYDOMAIN.COM
- -s → Create stash file for master database key
- -r → realm name
- You will be prompted for the KDC database master password after a few minutes; the delay is the time spent gathering random entropy for the database.
Enable and start the services
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
Create Users and Principals
Open the Kerberos admin tool
kadmin.local
Add the principal for root/admin
addprinc root/admin
- Enter a new password for root/admin
Add a user principal
addprinc user1
- Prompted for a new password for user1
Add a host principal for the server's hostname so Kerberos knows about the server
addprinc -randkey host/server3.mydomain.com
Store the host principal's key locally in /etc/krb5.keytab
ktadd host/server3.mydomain.com
Exit the Kerberos admin tool
exit
Setup OS Components for Testing
SSH
Configure SSH
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Reload the SSHD config
systemctl reload sshd
PAM
Use authconfig to enable krb5 in the PAM configuration
authconfig --enablekrb5 --update
Firewall
Copy the built-in kerberos service xml file to the override location
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
Edit the kerberos.xml file and add the kadmin port
....
<port protocol="tcp" port="749"/>
</service>
- The built-in kerberos service does NOT include tcp/749 (kadmin)
Open up firewall ports
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
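The firewall edit above is a one-line insertion, but done by hand it is easy to drop the element outside `</service>` or to add it twice when the step is repeated. The script below is an added example, not from the page or from firewalld, that inserts the tcp/749 port element before `</service>` in a copy of the service file, refuses to duplicate it on a second run, and lists the ports the file opens so the result can be checked before `firewall-cmd --reload`. The XML is a constructed stand-in for /usr/lib/firewalld/services/kerberos.xml, and the paths are temporary files rather than /etc/firewalld.

```shell
#!/bin/bash
# Added example, not from the wiki page: add tcp/749 (kadmin) to a copy of
# the firewalld kerberos service definition and verify the result.
# STOCK_XML is constructed to resemble the shipped kerberos.xml.

STOCK_XML=$(mktemp)
cat > "$STOCK_XML" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOF

# service_has_port FILE PROTO PORT -> 0 if the <port> element is present
service_has_port() {
    grep -Eq "<port protocol=\"$2\" port=\"$3\"/>" "$1"
}

# service_ports FILE -> one "proto/port" line per <port> element, in order
service_ports() {
    sed -nE 's/.*<port protocol="([a-z]+)" port="([0-9]+)"\/>.*/\1\/\2/p' "$1"
}

# add_service_port SRC DST PROTO PORT
# Writes SRC to DST with the <port> element inserted before </service>.
# Idempotent: if the element already exists the file is copied unchanged.
# SRC and DST may be the same file (written via a temp file).
add_service_port() {
    src=$1; dst=$2; proto=$3; port=$4
    tmp=$(mktemp)
    if service_has_port "$src" "$proto" "$port"; then
        cp "$src" "$tmp"
    else
        awk -v proto="$proto" -v port="$port" '
            /<\/service>/ { printf "  <port protocol=\"%s\" port=\"%s\"/>\n", proto, port }
            { print }
        ' "$src" > "$tmp"
    fi
    mv "$tmp" "$dst"
}

OVERRIDE_XML=$(mktemp)
add_service_port "$STOCK_XML" "$OVERRIDE_XML" tcp 749
add_service_port "$OVERRIDE_XML" "$OVERRIDE_XML" tcp 749   # second run: no duplicate
echo "ports opened by the kerberos service:"
service_ports "$OVERRIDE_XML"
```

On the KDC the source is /usr/lib/firewalld/services/kerberos.xml and the destination /etc/firewalld/services/kerberos.xml; after `firewall-cmd --reload`, `firewall-cmd --info-service=kerberos` should list the same three ports that service_ports prints. tcp/749 is only needed on the KDC (kadmind listens there), so the client keeps the stock definition.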
Test the KDC Server
Add a user account
useradd user1
Switch to that user
su - user1
Initialize Kerberos authentication
kinit
- Prompted for the user1 principal password created earlier
SSH to the fully qualified name of the local system
ssh server3.mydomain.com
Client: Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Client: Configure the Kerberos Client
Setup the krb5.conf file
- Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
- OR copy the /etc/krb5.conf file from the KDC server to the client
Create the user
useradd user1
Open the Kerberos admin tool on the client system
kadmin
Add the client hostname
addprinc -randkey host/server1.example.com
Create the local keytab file for the client hostname
ktadd host/server1.example.com
Exit the admin tool
exit
Client: Configure the Client OS Components
SSH
Uncomment the required GSSAPI lines
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Reload the SSHD config
systemctl reload sshd
PAM
Configure PAM to enable krb5
authconfig --enablekrb5 --update
Client: Test The Client
Change to the user
su - user1
Initialize kerberos
kinit
SSH to the KDC server
ssh ipa.example.com
- You should not be prompted for a password, because kinit already obtained a Kerberos ticket