linux_wiki:setup_a_kdc_server

Setup A KDC Server

General Information

Setting up a KDC server for practice with RHCE Exam Objective: “Configure a system to authenticate using Kerberos” and “Use Kerberos to control access to NFS network shares”.

The second part is setting up a KDC client with local accounts as well.


Lab Setup

The following virtual machines will be used:

  • server1.example.com (192.168.1.150) → Kerberos Client
  • server2.example.com (192.168.1.151) → Kerberos KDC

Prerequisites

  • Fully qualified domain names are required
    • Setup /etc/hosts with IP addresses and FQDNs
  • This setup assumes you are NOT using a combined LDAP or FreeIPA with Kerberos. (which is why local users are created)

Kerberos KDC: Install Packages

Install main packages required

yum install krb5-server krb5-workstation pam_krb5

Kerberos KDC: Configure the Server

KDC Config: Replace domain with desired domain

vim /var/kerberos/krb5kdc/kdc.conf
 
....
[realms]
MYDOMAIN.COM = {
....


Kadmin ACL: Edit /var/kerberos/krb5kdc/kadm5.acl and replace the domain with desired domain

vim /var/kerberos/krb5kdc/kadm5.acl
 
*/admin@MYDOMAIN.COM  *


KRB5 Client Config: Edit /etc/krb5.conf, uncomment all lines and replace the domain with the desired domain

vim /etc/krb5.conf
 
....
default_realm = MYDOMAIN.COM
....
[realms]
MYDOMAIN.COM = {
  kdc = server2.mydomain.com
  admin_server = server2.mydomain.com
}
 
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

Kerberos KDC: Create the KDC Database and Start

Create the Kerberos database

kdb5_util -r MYDOMAIN.COM create -s
  • -r → realm name
  • create -s → Create database with stash file for master database key
  • You will be prompted to enter a KDC database master password after a few minutes. It takes time due to it generating random entropy for the database.


Enable and start the services

systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc

Kerberos KDC: Create Principals for Users and Hosts

Open the Kerberos admin tool

kadmin.local


Add the principal for root/admin

addprinc root/admin
  • Enter a new password for root/admin


Add a user principal

addprinc user1
  • Prompted for a new password for user1


Add hostname of the KDC server so the kerberos database knows about the server it is installed on

addprinc -randkey host/server2.mydomain.com


Add host principal to the local keytab (/etc/krb5.keytab) for automatic use with kerberos client commands

ktadd host/server2.mydomain.com


Exit the Kerberos admin tool

exit

Kerberos KDC: Setup OS Components for Testing

Configure SSH

vim /etc/ssh/sshd_config
 
GSSAPIAuthentication yes


Reload the SSHD config

systemctl reload sshd

Configure PAM authentication (authconfig) to enable krb5

authconfig --enablekrb5 --update

Copy the built in kerberos xml file to the over ride location

cp /usr/lib/firewalld/services/kerberos.xml /etc/firewalld/services/kerberos.xml


Edit the kerberos.xml file and add the kadmin port

....
  <port protocol="tcp" port="749"/>
</service>
  • The built in kerberos service does NOT include tcp/749 (kadmin)
  • If you don't remember the port, check ss or netstat for listening kadmin services
    ss -antp | grep kadmin
    netstat -antp | grep kadmin


Open up firewall ports

firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload

Kerberos KDC: Test the KDC Server

Add a user account

useradd user1


Switch to that user

su - user1


Initialize Kerberos authentication

kinit
  • Prompted for user1 principal password created earlier


SSH to the fully qualified name of the local system

ssh server2.mydomain.com

Kerberos Client: Package Install

Install the required packages

yum install krb5-workstation pam_krb5

Kerberos Client: Configure the Kerberos Client

Setup the krb5.conf file

  • Edit /etc/krb5.conf and change EXAMPLE.COM to the desired domain
  • OR copy the /etc/krb5.conf file from the KDC server to the client


Create the user

useradd user1


Open the Kerberos admin tool on the client system

kadmin


Add a new principal host for the client to the keberos database

addprinc -randkey host/server1.example.com


Create the local keytab file for the client

ktadd host/server1.example.com


Exit the admin tool

exit

Kerberos Client: Configure the Client OS Components

Uncomment the required GSSAPI lines

vim /etc/ssh/sshd_config
 
GSSAPIAuthentication yes


Reload the SSHD config

systemctl reload sshd

Configure PAM authentication to enable krb5

authconfig --enablekrb5 --update

Kerberos Client: Test The Client

Change to the user

su - user1


Initialize kerberos

kinit


SSH to to the KDC server

ssh server2.example.com
  • Should not be prompted for a password due to initializing a kerberos ticket

  • linux_wiki/setup_a_kdc_server.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)