linux_wiki:setup_a_kdc_server

Differences

linux_wiki:setup_a_kdc_server [2018/04/03 13:01]
billdozor [SSH]
linux_wiki:setup_a_kdc_server [2019/05/25 23:50] (current)
Line 6: Line 6:
  
 The second part is setting up a KDC client with local accounts as well. The second part is setting up a KDC client with local accounts as well.
 +
 +----
 +
 +====== Lab Setup ======
 +
 +The following virtual machines will be used:
 +  * server1.example.com (192.168.1.150) -> Kerberos Client
 +  * server2.example.com (192.168.1.151) -> Kerberos KDC
  
 ---- ----
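Review bot: the new Lab Setup names server2.example.com as the KDC, but the krb5.conf realm block, the host principals (`addprinc -randkey host/server2.mydomain.com`, `ktadd host/server2.mydomain.com`) and the KDC self-test `ssh server2.mydomain.com` further down still use mydomain.com, while the client test at the end uses `ssh server2.example.com`. Settle on one domain and realm throughout (the lab table's example.com is the natural choice) so that a reader who copies the commands ends up with host principals, keytab entries and krb5.conf that all name the same hosts.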
Line 17: Line 25:
 ---- ----
  
-====== Server: Install Packages ======+====== Kerberos KDC: Install Packages ======
  
 Install main packages required Install main packages required
Line 26: Line 34:
 ---- ----
  
-====== Server: Configure the Server ======+====== Kerberos KDC: Configure the Server ======
  
 **KDC Config**: Replace domain with desired domain **KDC Config**: Replace domain with desired domain
Line 47: Line 55:
  
 \\ \\
-**KRB5 Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain+**KRB5 Client Config**: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain
 <code bash> <code bash>
 vim /etc/krb5.conf vim /etc/krb5.conf
Line 56: Line 64:
 [realms] [realms]
 MYDOMAIN.COM = { MYDOMAIN.COM = {
-  kdc = server3.mydomain.comĀ +  kdc = server2.mydomain.comĀ 
-  admin_server = server3.mydomain.com+  admin_server = server2.mydomain.com
 } }
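Review bot: the edited `kdc = server2.mydomain.com` line ends with a stray non-ASCII character (rendered here as Ā, most likely a pasted non-breaking space); strip it so the line is plain ASCII, otherwise it is carried into /etc/krb5.conf by anyone copying the snippet. The hostname change itself is consistent with the `admin_server` line below it.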
  
Line 67: Line 75:
 ---- ----
  
-====== Server: Create the KDC Database and Start ======+====== Kerberos KDC: Create the KDC Database and Start ======
  
 Create the Kerberos database Create the Kerberos database
Line 74: Line 82:
 </code> </code>
   * -r  -> realm name   * -r  -> realm name
-  * create -s  -> Create stash file for master database key+  * create -s  -> Create database with stash file for master database key
   * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database.   * **You will be prompted to enter a KDC database master password** after a few minutes. It takes time due to it generating random entropy for the database.
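Review bot: the expanded description of `create -s` names the stash file but still does not say why it matters; add that the stash file holds the database master key on disk so the KDC can start unattended, and therefore must stay readable by root only and be treated as sensitive in backups of the KDC.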
  
Line 86: Line 94:
 ---- ----
  
-====== Server: Create Users and Principals ======+====== Kerberos KDC: Create Principals for Users and Hosts ======
  
 Open the Kerberos admin tool Open the Kerberos admin tool
Line 108: Line 116:
  
 \\ \\
-Add hostname of the server so kerberos knows about the server+Add hostname of the KDC server so the kerberos database knows about the server it is installed on
 <code bash> <code bash>
-addprinc -randkey host/server3.mydomain.com+addprinc -randkey host/server2.mydomain.com
 </code> </code>
  
 \\ \\
-Create a local copy stored in /etc/krb5.keytab+Add host principal to the local keytab (/etc/krb5.keytab) for automatic use with kerberos client commands
 <code bash> <code bash>
-ktadd host/server3.mydomain.com+ktadd host/server2.mydomain.com
 </code> </code>
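Review bot: "kerberos" should be capitalized as "Kerberos" in both new sentences, and "so the kerberos database knows about the server it is installed on" reads more clearly as "so a host principal exists for the KDC itself". The second sentence should also state that this `ktadd` is issued in the same admin tool session opened above, on the KDC, which is why the entry lands in the KDC's own /etc/krb5.keytab.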
  
Line 127: Line 135:
 ---- ----
  
-====== Server: Setup OS Components for Testing ======+====== Kerberos KDC: Setup OS Components for Testing ======
  
 ===== SSH ===== ===== SSH =====
Line 144: Line 152:
 </code> </code>
  
-===== PAM =====+===== Authentication =====
  
-Configure authorization (authconfig) to enable krb5+Configure PAM authentication (authconfig) to enable krb5
 <code bash> <code bash>
 authconfig --enablekrb5 --update authconfig --enablekrb5 --update
Line 178: Line 186:
 ---- ----
  
-====== Server: Test the KDC Server ======+====== Kerberos KDC: Test the KDC Server ======
  
 Add a user account Add a user account
Line 201: Line 209:
 SSH to the fully qualified name of the local system SSH to the fully qualified name of the local system
 <code bash> <code bash>
-ssh server3.mydomain.com+ssh server2.mydomain.com
 </code> </code>
  
 ---- ----
  
-====== Client: Package Install ======+====== Kerberos Client: Package Install ======
  
 Install the required packages Install the required packages
Line 215: Line 223:
 ---- ----
  
-====== Client: Configure the Kerberos Client ======+====== Kerberos Client: Configure the Kerberos Client ======
  
 Setup the krb5.conf file Setup the krb5.conf file
Line 234: Line 242:
  
 \\ \\
-Add the client hostname+Add a new principal host for the client to the keberos database
 <code bash> <code bash>
 addprinc -randkey host/server1.example.com addprinc -randkey host/server1.example.com
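Review bot: typo in the new text: "keberos" should be "Kerberos", and "a new principal host for the client" reads better as "a new host principal for the client".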
Line 240: Line 248:
  
 \\ \\
-Create the local keytab file for the client hostname+Create the local keytab file for the client
 <code bash> <code bash>
 ktadd host/server1.example.com ktadd host/server1.example.com
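Review bot: the reworded sentence still does not say on which host this `ktadd` runs. If it is run from the admin tool on the KDC, the entry is written to the KDC's /etc/krb5.keytab rather than to server1.example.com, and the resulting keytab would have to be moved to the client over a protected channel and installed there with root-only permissions; if it is instead run from kadmin on the client, say so. Either way, name the host in the sentence.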
Line 253: Line 261:
 ---- ----
  
-====== Client: Configure the Client OS Components ======+====== Kerberos Client: Configure the Client OS Components ======
  
 ===== SSH ===== ===== SSH =====
Line 262: Line 270:
  
 GSSAPIAuthentication yes GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes 
 </code> </code>
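Review bot: the removal of `GSSAPICleanupCredentials yes` from the client sshd_config is not explained. OpenSSH defaults this option to yes, so behaviour is unchanged, but a reader comparing the two SSH sections will wonder whether cleanup of the forwarded credential cache on logout is unwanted; either keep the line for explicitness or add a sentence noting that the default already performs the cleanup.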
  
Line 271: Line 278:
 </code> </code>
  
-===== PAM =====+===== Authentication =====
  
-Configure PAM to enable krb5+Configure PAM authentication to enable krb5
 <code bash> <code bash>
 authconfig --enablekrb5 --update authconfig --enablekrb5 --update
Line 280: Line 287:
 ---- ----
  
-====== Client: Test The Client ======+====== Kerberos Client: Test The Client ======
  
 Change to the user Change to the user
Line 296: Line 303:
 SSH to to the KDC server SSH to to the KDC server
 <code bash> <code bash>
-ssh ipa.example.com+ssh server2.example.com
 </code> </code>
   * Should not be prompted for a password due to initializing a kerberos ticket   * Should not be prompted for a password due to initializing a kerberos ticket
  
 ---- ----
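Review bot: "SSH to to the KDC server" has a doubled "to" (present on both sides of the diff). The success criterion in the bullet is only "should not be prompted for a password"; suggest also telling the reader to run `klist` before and after the ssh so they can confirm the ticket-granting ticket was obtained and a service ticket for host/server2.example.com was issued, rather than the login succeeding for some other reason.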
linux_wiki/setup_a_kdc_server.1522774863.txt.gz
Last modified: 2019/05/25 23:50 (external edit)