Differences

This shows you the differences between two versions of the page.

--- linux_wiki:setup_a_kdc_server [2016/09/13 23:25]
billdozor [Test the KDC Server]
+++ linux_wiki:setup_a_kdc_server [2019/05/25 23:50] (current)
@@ Line 6: / Line 6: @@
 The second part is setting up a KDC client with local accounts as well.
+----
+====== Lab Setup ======
+The following virtual machines will be used:
+  * server1.example.com (192.168.1.150) -> Kerberos Client
+  * server2.example.com (192.168.1.151) -> Kerberos KDC
 ----
@@ Line 17: / Line 25: @@
 ----
-====== Server: Install Packages ======
+====== Kerberos KDC: Install Packages ======
 Install main packages required
@@ Line 26: / Line 34: @@
 ----
-====== Server: Configure the Server ======
+====== Kerberos KDC: Configure the Server ======
-Replace domain with desired domain
+**KDC Config**: Replace domain with desired domain
 <code bash>
 vim /var/kerberos/krb5kdc/kdc.conf
@@ Line 39: / Line 47: @@
 \\
-Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
+**Kadmin ACL**: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain
+<code bash>
+vim /var/kerberos/krb5kdc/kadm5.acl
+*/admin@MYDOMAIN.COM  *
+</code>
+\\
+**KRB5 Client Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
 <code bash>
 vim /etc/krb5.conf
@@ Line 48: / Line 64: @@
 [realms]
 MYDOMAIN.COM = {
-  kdc = server3.mydomain.com
+  kdc = server2.mydomain.com
-  admin_server = server3.mydomain.com
+  admin_server = server2.mydomain.com
 }
@@ Line 55: / Line 71: @@
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
-</code>
-\\
-Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain
-<code bash>
-vim /var/kerberos/krb5kdc/kadm5.acl
-*/admin@MYDOMAIN.COM  *
 </code>
 ----
-====== Server: Create the KDC Database and Start ======
+====== Kerberos KDC: Create the KDC Database and Start ======
 Create the Kerberos database
 <code bash>
-kdb5_util create -s -r MYDOMAIN.COM
+kdb5_util -r MYDOMAIN.COM create -s
 </code>
-  * -s  -> Create stash file for master database key
   * -r  -> realm name
+  * create -s  -> Create database with stash file for master database key
   * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database.
@@ Line 86: / Line 94: @@
 ----
-====== Server: Create Users and Principals ======
+====== Kerberos KDC: Create Principals for Users and Hosts ======
 Open the Kerberos admin tool
@@ Line 108: / Line 116: @@
 \\
-Add hostname of the server so kerberos knows about the server
+Add hostname of the KDC server so the kerberos database knows about the server it is installed on
 <code bash>
-addprinc -randkey host/server3.mydomain.com
+addprinc -randkey host/server2.mydomain.com
 </code>
 \\
-Create a local copy stored in /etc/krb5.keytab
+Add host principal to the local keytab (/etc/krb5.keytab) for automatic use with kerberos client commands
 <code bash>
-ktadd host/server3.mydomain.com
+ktadd host/server2.mydomain.com
 </code>
@@ Line 127: / Line 135: @@
 ----
-====== Server: Setup OS Components for Testing ======
+====== Kerberos KDC: Setup OS Components for Testing ======
 ===== SSH =====
@@ Line 136: / Line 144: @@
 GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes
 </code>
@@ Line 145: / Line 152: @@
 </code>
-===== PAM =====
+===== Authentication =====
-Configure authorization (authconfig) to enable krb5
+Configure PAM authentication (authconfig) to enable krb5
 <code bash>
 authconfig --enablekrb5 --update
@@ Line 167: / Line 174: @@
 </code>
   * The built in kerberos service does NOT include tcp/749 (kadmin)
+  * If you don't remember the port, check ss or netstat for listening kadmin services<code bash>ss -antp | grep kadmin
+netstat -antp | grep kadmin</code>
 \\
@@ Line 177: / Line 186: @@
 ----
-====== Server: Test the KDC Server ======
+====== Kerberos KDC: Test the KDC Server ======
 Add a user account
@@ Line 200: / Line 209: @@
 SSH to the fully qualified name of the local system
 <code bash>
-ssh server3.mydomain.com
+ssh server2.mydomain.com
 </code>
 ----
-====== Client: Package Install ======
+====== Kerberos Client: Package Install ======
 Install the required packages
@@ Line 214: / Line 223: @@
 ----
-====== Client: Configure the Kerberos Client ======
+====== Kerberos Client: Configure the Kerberos Client ======
 Setup the krb5.conf file
@@ Line 233: / Line 242: @@
 \\
-Add the client hostname
+Add a new principal host for the client to the keberos database
 <code bash>
 addprinc -randkey host/server1.example.com
@@ Line 239: / Line 248: @@
 \\
-Create the local keytab file for the client hostname
+Create the local keytab file for the client
 <code bash>
 ktadd host/server1.example.com
@@ Line 252: / Line 261: @@
 ----
-====== Client: Configure the Client OS Components ======
+====== Kerberos Client: Configure the Client OS Components ======
 ===== SSH =====
@@ Line 261: / Line 270: @@
 GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes
 </code>
@@ Line 270: / Line 278: @@
 </code>
-===== PAM =====
+===== Authentication =====
-Configure PAM to enable krb5
+Configure PAM authentication to enable krb5
 <code bash>
 authconfig --enablekrb5 --update
@@ Line 279: / Line 287: @@
 ----
-====== Client: Test The Client ======
+====== Kerberos Client: Test The Client ======
 Change to the user
@@ Line 295: / Line 303: @@
 SSH to to the KDC server
 <code bash>
-ssh ipa.example.com
+ssh server2.example.com
 </code>
   * Should not be prompted for a password due to initializing a kerberos ticket
 ----