Setup A KDC Server
General Information
Setting up a KDC server for practice with the RHCE exam objectives “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.
The second part sets up a Kerberos client, again using local user accounts.
Lab Setup
The following virtual machines will be used:
- server1.example.com (192.168.1.150) → Kerberos Client
- server2.example.com (192.168.1.151) → Kerberos KDC
Prerequisites
- Fully qualified domain names are required
- Setup /etc/hosts with IP addresses and FQDNs
- This setup assumes you are NOT using LDAP or FreeIPA combined with Kerberos, which is why local users are created on each host
Kerberos KDC: Install Packages
Install the main packages required
yum install krb5-server krb5-workstation pam_krb5
Kerberos KDC: Configure the Server
KDC Config: Edit /var/kerberos/krb5kdc/kdc.conf and replace the realm with the desired domain
vim /var/kerberos/krb5kdc/kdc.conf
....
[realms]
MYDOMAIN.COM = {
....
Kadmin ACL: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with the desired domain
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDOMAIN.COM *
KRB5 Client Config: Edit /etc/krb5.conf, uncomment the commented-out realm lines and replace the domain with the desired domain
vim /etc/krb5.conf
....
default_realm = MYDOMAIN.COM
....
[realms]
MYDOMAIN.COM = {
  kdc = server2.mydomain.com
  admin_server = server2.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
Kerberos KDC: Create the KDC Database and Start
Create the Kerberos database
kdb5_util -r MYDOMAIN.COM create -s
- -r → realm name
- create -s → Create database with stash file for master database key
- You will be prompted to enter a KDC database master password after a few minutes. The delay comes from gathering entropy for the database master key.
Enable and start the services
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc
Kerberos KDC: Create Principals for Users and Hosts
Open the Kerberos admin tool
kadmin.local
Add the principal for root/admin
addprinc root/admin
- Enter a new password for root/admin
Add a user principal
addprinc user1
- Prompted for a new password for user1
Add a host principal for the KDC server itself so the Kerberos database knows about the host it is installed on
addprinc -randkey host/server2.mydomain.com
- -randkey → generate a random key for the principal instead of prompting for a password
Add host principal to the local keytab (/etc/krb5.keytab) for automatic use with kerberos client commands
ktadd host/server2.mydomain.com
Exit the Kerberos admin tool
exit
Kerberos KDC: Setup OS Components for Testing
SSH
Configure SSH
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
Reload the SSHD config
systemctl reload sshd
Authentication
Configure PAM authentication (authconfig) to enable krb5
authconfig --enablekrb5 --update
Firewall
Copy the built-in kerberos service definition to the override location (files in /etc/firewalld/services take precedence over those in /usr/lib/firewalld/services)
cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml
Edit the kerberos.xml file and add the kadmin port
....
<port protocol="tcp" port="749"/>
</service>
- The built in kerberos service does NOT include tcp/749 (kadmin)
- If you don't remember the port, check ss or netstat for listening kadmin services
ss -antp | grep kadmin
netstat -antp | grep kadmin
Open up firewall ports
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload
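As an added check (example shell script, not part of the original notes), the functions below verify the three files edited in this section against the chosen realm: krb5.conf, kadm5.acl and the firewalld kerberos.xml, including the 749/tcp kadmin entry the stock service file lacks. The function names and the constructed sample files are assumptions of this example; MYDOMAIN.COM follows the placeholder used above.

```shell
#!/bin/sh
# Offline sanity checks for the KDC files edited above (added example, not part
# of the original notes). Each check reads the file path it is given.

# The stock firewalld kerberos.xml only opens 88/tcp and 88/udp; a KDC that also
# runs kadmin needs 749/tcp, so all three port entries must be present.
kdc_firewall_ports_ok() {   # KERBEROSXML
    for spec in tcp:88 udp:88 tcp:749; do
        proto="${spec%%:*}"; port="${spec##*:}"
        grep -Eq "<port[^>]*(protocol=\"$proto\"[^>]*port=\"$port\"|port=\"$port\"[^>]*protocol=\"$proto\")" "$1" \
            || { echo "kerberos.xml: missing $port/$proto" >&2; return 1; }
    done
}

# REALM must be default_realm, its [realms] block must set kdc and admin_server,
# and every uncommented [domain_realm] mapping must point at REALM.
krb5_conf_ok() {   # KRB5CONF REALM
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1" \
        || { echo "krb5.conf: default_realm is not $2" >&2; return 1; }
    block=$(sed -n "/^[[:space:]]*$2[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*}/p" "$1")
    [ -n "$block" ] || { echo "krb5.conf: no [realms] entry for $2" >&2; return 1; }
    for key in kdc admin_server; do
        printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" \
            || { echo "krb5.conf: $key not set for $2" >&2; return 1; }
    done
    bad=$(sed -n '/^\[domain_realm\]/,/^\[/p' "$1" | grep -v '^[[:space:]]*#' | grep '=' \
          | grep -Ev "=[[:space:]]*$2[[:space:]]*$") || true
    [ -z "$bad" ] || { echo "krb5.conf: domain_realm maps elsewhere: $bad" >&2; return 1; }
}

# kadm5.acl: the notes grant every */admin principal all rights ("*"); confirm
# that rule exists for REALM and is not commented out.
kadm5_acl_ok() {   # KADM5ACL REALM
    grep -Eq "^[[:space:]]*\*/admin@$2[[:space:]]+\*" "$1" \
        || { echo "kadm5.acl: no */admin@$2 rule" >&2; return 1; }
}

audit_kdc_config() {   # REALM KRB5CONF KADM5ACL KERBEROSXML
    krb5_conf_ok "$2" "$1" && kadm5_acl_ok "$3" "$1" && kdc_firewall_ports_ok "$4"
}

# Constructed sample copies (realm MYDOMAIN.COM, as in the notes) written into
# directory $1, so the checks can be exercised without touching /etc.
write_sample_kdc_files() {
    printf '[libdefaults]\n default_realm = MYDOMAIN.COM\n[realms]\n MYDOMAIN.COM = {\n  kdc = server2.mydomain.com\n  admin_server = server2.mydomain.com\n }\n[domain_realm]\n .mydomain.com = MYDOMAIN.COM\n mydomain.com = MYDOMAIN.COM\n' > "$1/krb5.conf"
    printf '*/admin@MYDOMAIN.COM *\n' > "$1/kadm5.acl"
    printf '<service>\n <port protocol="tcp" port="88"/>\n <port protocol="udp" port="88"/>\n</service>\n' > "$1/stock.xml"
    printf '<service>\n <port protocol="tcp" port="88"/>\n <port protocol="udp" port="88"/>\n <port protocol="tcp" port="749"/>\n</service>\n' > "$1/fixed.xml"
}
```

On the KDC itself, source the script and run `audit_kdc_config MYDOMAIN.COM /etc/krb5.conf /var/kerberos/krb5kdc/kadm5.acl /etc/firewalld/services/kerberos.xml`; it exits non-zero and names the first problem it finds.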
Kerberos KDC: Test the KDC Server
Add a user account
useradd user1
Switch to that user
su - user1
Initialize Kerberos authentication
kinit
- Prompted for the user1 principal password created earlier
SSH to the fully qualified name of the local system
ssh server2.mydomain.com
Kerberos Client: Package Install
Install the required packages
yum install krb5-workstation pam_krb5
Kerberos Client: Configure the Kerberos Client
Setup the krb5.conf file
- Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
- OR copy the /etc/krb5.conf file from the KDC server to the client
Create the user
useradd user1
Open the Kerberos admin tool on the client system (kadmin connects to the admin_server over the network and prompts for the root/admin password created earlier)
kadmin
Add a new host principal for the client to the Kerberos database
addprinc -randkey host/server1.example.com
Create the local keytab file for the client
ktadd host/server1.example.com
Exit the admin tool
exit
Kerberos Client: Configure the Client OS Components
SSH
Uncomment the required GSSAPI lines
vim /etc/ssh/sshd_config
GSSAPIAuthentication yes
Reload the SSHD config
systemctl reload sshd
Authentication
Configure PAM authentication to enable krb5
authconfig --enablekrb5 --update
Kerberos Client: Test The Client
Change to the user
su - user1
Initialize kerberos
kinit
SSH to the KDC server
ssh server2.example.com
- You should not be prompted for a password, because the ticket obtained with kinit is used for GSSAPI authentication