KERBEROS: Configure a system to authenticate using Kerberos.

Share this link

Prerequisites

Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working.
If DNS is not configured, add the following lines in the /etc/hosts file (replace the specified ip addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Client Configuration

Install the Kerberos client packages:

# yum install -y krb5-workstation pam_krb5

Edit the /etc/krb5.conf file, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Create a user for test:

# useradd user01

Add the client machine name (here kbclient.example.com) to the principals:

# kadmin -q "addprinc -randkey host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.
# kadmin -q "ktadd -k /etc/krb5.keytab host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# service sshd reload

Configure the PAM component with a text interface:

# authconfig-tui

Select “[*] Use Kerberos” in the Authentication column, then Next and OK.

Alternatively, configure the PAM component at the command line:

# authconfig --enablekrb5 --update

Test your configuration (here kbserver.example.com is the KDC server name):

# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_TGWbLJ1810
Default principal: user01@EXAMPLE.COM

Valid starting Expires Service principal
02/12/14 17:51:58 02/13/14 17:50:46 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/12/14 17:50:46

Now, you should be able to quit and reconnect without giving any password.
In addition, the first time you log in to a Kerberos client, you have to provide a login/password. Then, you get a ticket that allows you to log in to all the other Kerberos clients in the same realm and you don’t need to provide a password any more as long as your ticket is valid.
Note: To delete a ticket, use the kdestroy command.

Source: RHEL 5 Deployment Guide.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
3 comments on “KERBEROS: Configure a system to authenticate using Kerberos.
  1. scfewyy says:

    You should first edit the sshd_config file and add/uncomment the two GSSAPI* lines:

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

    because if not you will receive an error:

    [root@r2 ~]# kadmin -q “addprinc -randkey host/r2.example.com”
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    Password for root/admin@EXAMPLE.COM:
    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
    [root@r2 ~]# vim /etc/ssh/ssh_config
    [root@r2 ~]# service sshd restart
    Stopping sshd: [ OK ]
    Starting sshd: [ OK ]
    [root@r2 ~]# kadmin -q “addprinc -randkey host/r2.example.com”
    Authenticating as principal root/admin@EXAMPLE.COM with password.
    Password for root/admin@EXAMPLE.COM:
    WARNING: no policy specified for host/r2.example.com@EXAMPLE.COM; defaulting to no policy
    Principal “host/r2.example.com@EXAMPLE.COM” created.

  2. mbrito says:

    For me the client and server always ask for password… There must be same other setting , no?!

Leave a Reply

RHCSA7: Task of the day

Allowed time: 5 minutes.
Create two users "tom" and "engine". "tom" has the UID/GID 3000 and "engine" the UID/GID 4000. "engine" doesn't have an interactive shell.

RHCE7: Task of the day

Allowed time: 3 minutes.
Configure your machine to be a router.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...

Archives