Setup A KDC Server
General Information
Setting up a KDC server to practice the RHCE exam objectives “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.
The second part is setting up a KDC client with local accounts as well.
Prerequisites
- Fully qualified domain names are required
- Setup /etc/hosts with IP addresses and FQDNs
- This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos. (which is why local users are created)
Server: Install Packages
Install main packages required
yum install krb5-server krb5-workstation pam_krb5
Server: Configure the Server
Replace domain with desired domain
vim /var/kerberos/krb5kdc/kdc.conf
....
[realms]
 MYDOMAIN.COM = {
....
Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
vim /etc/krb5.conf
....
 default_realm = MYDOMAIN.COM
....
[realms]
 MYDOMAIN.COM = {
  kdc = server3.mydomain.com
  admin_server = server3.mydomain.com
 }
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM *
Server: Create the KDC Database and Start
Create the Kerberos database
kdb5_util create -s -r MYDOMAIN.COM
- -s → Create stash file for master database key
- -r → realm name
- After a short wait you will be prompted for the KDC database master password. The delay comes from gathering random entropy for the database.
Enable and start the services
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
Server: Create Users and Principals
Open the Kerberos admin tool
kadmin.local
Add the principal for root/admin
addprinc root/admin
- Enter a new password for root/admin
Add a user principal
addprinc user1
- Prompted for a new password for user1
Add a host principal for the server so Kerberos knows about it
addprinc -randkey host/server3.mydomain.com
Store a local copy of the host key in /etc/krb5.keytab
ktadd host/server3.mydomain.com
Exit the Kerberos admin tool
exit
Server: Setup OS Components for Testing
SSH
Configure SSH
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Reload the SSHD config
systemctl reload sshd
PAM
Configure authentication (authconfig) to enable krb5
authconfig --enablekrb5 --update
Firewall
Copy the built-in kerberos service file to the override location
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
Edit the kerberos.xml file and add the kadmin port
....
  <port protocol="tcp" port="749"/>
</service>
- The built-in kerberos service does NOT include tcp/749 (kadmin)
Open up firewall ports
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
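The two hand-edits above (the realm entries in /etc/krb5.conf and the missing kadmin port in the copied kerberos.xml) are easy to get slightly wrong. This added helper script, not part of the original page, renders the krb5.conf fragment for a realm and KDC hostname and checks or patches a firewalld service file for tcp/749; the realm, hostname and file path are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the KDC setup steps.
set -eu

# Print the krb5.conf the steps above describe for REALM served by KDC_FQDN.
# The [domain_realm] DNS domain is the realm name lower-cased (assumption).
render_krb5_conf() {
  realm=$1; kdc=$2
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
 default_realm = $realm

[realms]
 $realm = {
  kdc = $kdc
  admin_server = $kdc
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# Return 0 if the firewalld service file FILE already opens tcp/749 (kadmin), 1 otherwise.
kerberos_xml_has_kadmin() {
  grep -Eq '<port[^>]*protocol="tcp"[^>]*port="749"' "$1"
}

# Print FILE with a tcp/749 <port> line inserted just before </service>.
# Uses awk rather than sed so it behaves the same on GNU and BSD userlands.
add_kadmin_port() {
  awk '/<\/service>/ { print "  <port protocol=\"tcp\" port=\"749\"/>" } { print }' "$1"
}

# Stand-alone usage: ./kdc-helpers.sh MYDOMAIN.COM server3.mydomain.com [kerberos.xml]
if [ $# -ge 2 ]; then
  render_krb5_conf "$1" "$2"
  if [ $# -ge 3 ] && ! kerberos_xml_has_kadmin "$3"; then
    add_kadmin_port "$3"
  fi
fi
```

Redirect the rendered config and the patched XML into the target files yourself; the script only prints, so nothing under /etc is touched until you decide to.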
Server: Test the KDC Server
Add a user account
useradd user1
Switch to that user
su - user1
Initialize Kerberos authentication
kinit
- Prompted for user1 principal password created earlier
SSH to the fully qualified name of the local system
ssh server3.mydomain.com
Client: Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Client: Configure the Kerberos Client
Setup the krb5.conf file
- Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
- OR copy the /etc/krb5.conf file from the KDC server to the client
Create the user
useradd user1
Open the Kerberos admin tool on the client system
kadmin
Add the client hostname
addprinc -randkey host/server1.example.com
Create the local keytab file for the client hostname
ktadd host/server1.example.com
Exit the admin tool
exit
Client: Configure the Client OS Components
SSH
Uncomment the required GSSAPI lines
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Reload the SSHD config
systemctl reload sshd
PAM
Configure PAM to enable krb5
authconfig --enablekrb5 --update
Client: Test The Client
Change to the user
su - user1
Initialize kerberos
kinit
SSH to the KDC server
ssh ipa.example.com
- You should not be prompted for a password, because kinit already obtained a Kerberos ticket