linux_wiki:setup_a_kdc_server [2016/09/13 23:25] billdozor [Create the KDC Database and Start] |
linux_wiki:setup_a_kdc_server [2019/05/25 23:50] (current) |
Line 6: | Line 6: | ||
The second part is setting up a KDC client with local accounts as well. | The second part is setting up a KDC client with local accounts as well. | ||
+ | |||
+ | ---- | ||
+ | |||
+ | ====== Lab Setup ====== | ||
+ | |||
+ | The following virtual machines will be used: | ||
+ | * server1.example.com (192.168.1.150) -> Kerberos Client | ||
+ | * server2.example.com (192.168.1.151) -> Kerberos KDC | ||
---- | ---- | ||
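Review bot: the new Lab Setup puts both hosts under example.com (server1.example.com as client, server2.example.com as KDC), while the realm configuration later on this page points kdc and admin_server at server2.mydomain.com; pick one domain for the whole walkthrough so the host principals created later match the names the hosts actually use. It would also help to state here that both names must resolve (DNS or /etc/hosts) before the principal and keytab steps, since Kerberos host principals are matched against the fully qualified hostname.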
Line 17: | Line 25: | ||
---- | ---- | ||
- | ====== | + | ====== |
Install main packages required | Install main packages required | ||
Line 26: | Line 34: | ||
---- | ---- | ||
- | ====== | + | ====== |
- | Replace domain with desired domain | + | **KDC Config**: |
<code bash> | <code bash> | ||
vim / | vim / | ||
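Review bot: the instruction "Replace domain with desired domain" is dropped in favour of the bold **KDC Config** label; keep that sentence under the new label, otherwise a reader who copies the kdc.conf block keeps the placeholder realm.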
Line 39: | Line 47: | ||
\\ | \\ | ||
- | Edit / | + | **Kadmin ACL**: Edit / |
+ | <code bash> | ||
+ | vim / | ||
+ | |||
+ | */ | ||
+ | </ | ||
+ | |||
+ | \\ | ||
+ | **KRB5 Client Config**: | ||
<code bash> | <code bash> | ||
vim / | vim / | ||
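Review bot: the kadm5.acl block moved in here shows only `*/` and is cut off in this view; make sure the full entry (principal pattern plus permission string) is present, and add a sentence on what that wildcard grants, because every principal matching it gets kadmin rights over the whole realm.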
Line 48: | Line 64: | ||
[realms] | [realms] | ||
MYDOMAIN.COM = { | MYDOMAIN.COM = { | ||
- | kdc = server3.mydomain.com | + | kdc = server2.mydomain.com |
- | admin_server = server3.mydomain.com | + | admin_server = server2.mydomain.com |
} | } | ||
Line 55: | Line 71: | ||
.mydomain.com = MYDOMAIN.COM | .mydomain.com = MYDOMAIN.COM | ||
mydomain.com = MYDOMAIN.COM | mydomain.com = MYDOMAIN.COM | ||
- | </ | ||
- | |||
- | \\ | ||
- | Edit / | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | */ | ||
</ | </ | ||
---- | ---- | ||
- | ====== | + | ====== |
Create the Kerberos database | Create the Kerberos database | ||
<code bash> | <code bash> | ||
- | kdb5_util | + | kdb5_util -r MYDOMAIN.COM |
</ | </ | ||
- | * -s -> Create stash file for master database key | ||
* -r -> realm name | * -r -> realm name | ||
+ | * create -s -> Create database with stash file for master database key | ||
* **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database. | * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database. | ||
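Review bot: the command as shown, `kdb5_util -r MYDOMAIN.COM`, lacks the `create -s` subcommand that the new bullet describes; check that the full line reads `kdb5_util create -s -r MYDOMAIN.COM`. A short note that `-s` writes the master key to a stash file on disk (which is what lets the KDC start unattended) would also explain why that file and the database directory must stay root-only.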
Line 86: | Line 94: | ||
---- | ---- | ||
- | ====== Create Users and Principals | + | ====== |
Open the Kerberos admin tool | Open the Kerberos admin tool | ||
Line 108: | Line 116: | ||
\\ | \\ | ||
- | Add hostname of the server so kerberos knows about the server | + | Add hostname of the KDC server so the kerberos |
<code bash> | <code bash> | ||
- | addprinc -randkey host/server3.mydomain.com | + | addprinc -randkey host/server2.mydomain.com |
</ | </ | ||
\\ | \\ | ||
- | Create a local copy stored in / | + | Add host principal to the local keytab (/ |
<code bash> | <code bash> | ||
- | ktadd host/server3.mydomain.com | + | ktadd host/server2.mydomain.com |
</ | </ | ||
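Review bot: the keytab path in "Add host principal to the local keytab (/" is truncated here; spell out that `ktadd host/server2.mydomain.com` writes into /etc/krb5.keytab unless -k is given, and that the file holds the host's long-term key, so it must remain root-owned and unreadable by other users.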
Line 127: | Line 135: | ||
---- | ---- | ||
- | ====== Setup OS Components for Testing ====== | + | ====== |
===== SSH ===== | ===== SSH ===== | ||
Line 136: | Line 144: | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
- | GSSAPICleanupCredentials yes | ||
</ | </ | ||
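Review bot: removing `GSSAPICleanupCredentials yes` is harmless because yes is the sshd_config default, but a one-line remark saying so would stop readers from concluding that the credential cache now survives logout.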
Line 145: | Line 152: | ||
</ | </ | ||
- | ===== PAM ===== | + | ===== Authentication |
- | Configure | + | Configure |
<code bash> | <code bash> | ||
authconfig --enablekrb5 --update | authconfig --enablekrb5 --update | ||
Line 167: | Line 174: | ||
</ | </ | ||
* The built in kerberos service does NOT include tcp/749 (kadmin) | * The built in kerberos service does NOT include tcp/749 (kadmin) | ||
+ | * If you don't remember the port, check ss or netstat for listening kadmin services< | ||
+ | netstat -antp | grep kadmin</ | ||
\\ | \\ | ||
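Review bot: the bullet says "check ss or netstat" but only shows `netstat -antp | grep kadmin`; add the ss form, `ss -ltnp | grep kadmin`, since net-tools is often absent on newer systems, and mention that `-p` only shows the owning process when run as root. The inline code markup around the command also looks broken (`< ... </`) and should be checked in the rendered page.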
Line 177: | Line 186: | ||
---- | ---- | ||
- | ====== Test the KDC Server ====== | + | ====== |
Add a user account | Add a user account | ||
Line 200: | Line 209: | ||
SSH to the fully qualified name of the local system | SSH to the fully qualified name of the local system | ||
<code bash> | <code bash> | ||
- | ssh server3.mydomain.com | + | ssh server2.mydomain.com |
</ | </ | ||
---- | ---- | ||
- | ====== Client: Package Install ====== | + | ====== |
Install the required packages | Install the required packages | ||
Line 214: | Line 223: | ||
---- | ---- | ||
- | ====== Client: Configure the Kerberos Client ====== | + | ====== |
Setup the krb5.conf file | Setup the krb5.conf file | ||
Line 233: | Line 242: | ||
\\ | \\ | ||
- | Add the client | + | Add a new principal host for the client |
<code bash> | <code bash> | ||
addprinc -randkey host/ | addprinc -randkey host/ | ||
Line 239: | Line 248: | ||
\\ | \\ | ||
- | Create the local keytab file for the client | + | Create the local keytab file for the client |
<code bash> | <code bash> | ||
ktadd host/ | ktadd host/ | ||
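Review bot: say on which host the client's `ktadd host/...` is run: ktadd writes into the keytab of the machine where kadmin is running, so for the key to land in the client's own /etc/krb5.keytab the kadmin session must be started from the client (or the keytab must be moved over a secure channel and then removed from the KDC).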
Line 252: | Line 261: | ||
---- | ---- | ||
- | ====== Client: Configure the Client OS Components ====== | + | ====== |
===== SSH ===== | ===== SSH ===== | ||
Line 261: | Line 270: | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
- | GSSAPICleanupCredentials yes | ||
</ | </ | ||
Line 270: | Line 278: | ||
</ | </ | ||
- | ===== PAM ===== | + | ===== Authentication |
- | Configure PAM to enable krb5 | + | Configure PAM authentication |
<code bash> | <code bash> | ||
authconfig --enablekrb5 --update | authconfig --enablekrb5 --update | ||
Line 279: | Line 287: | ||
---- | ---- | ||
- | ====== Client: Test The Client ====== | + | ====== |
Change to the user | Change to the user | ||
Line 295: | Line 303: | ||
SSH to to the KDC server | SSH to to the KDC server | ||
<code bash> | <code bash> | ||
- | ssh ipa.example.com | + | ssh server2.example.com |
</ | </ | ||
* Should not be prompted for a password due to initializing a kerberos ticket | * Should not be prompted for a password due to initializing a kerberos ticket | ||
---- | ---- |
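Review bot: "Should not be prompted for a password" is a weak success check; suggest running `klist` after the ssh so the reader can confirm a service ticket for host/server2.example.com was actually issued, and noting that a password prompt at this point means GSSAPI failed and sshd silently fell back to password authentication.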