KERBEROS: Configure a system to authenticate using Kerberos.


Prerequisites

Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working.
If DNS is not configured, add the following lines to the /etc/hosts file (replace the IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Client Configuration

Install the Kerberos client packages:

# yum install -y krb5-workstation pam_krb5

Edit the /etc/krb5.conf file and replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Create a test user:

# useradd user01

Add the client machine (here kbclient.example.com) as a host principal and store its key in the local keytab:

# kadmin -q "addprinc -randkey host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.
# kadmin -q "ktadd -k /etc/krb5.keytab host/kbclient.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# service sshd reload

Configure the PAM component with a text interface:

# authconfig-tui

Select “[*] Use Kerberos” in the Authentication column, then Next and OK.

Alternatively, configure the PAM component at the command line:

# authconfig --enablekrb5 --update

Test your configuration (here kbserver.example.com is the KDC server name):

# kinit user01
Password for user01@EXAMPLE.COM: user01
# ssh user01@kbserver.example.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_500_TGWbLJ1810
Default principal: user01@EXAMPLE.COM

Valid starting     Expires            Service principal
02/12/14 17:51:58  02/13/14 17:50:46  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/12/14 17:50:46

Now, you should be able to quit and reconnect without giving any password.
In addition, the first time you log in to a Kerberos client, you have to provide a login and password. You then get a ticket that lets you log in to all the other Kerberos clients in the same realm, and you don't need to provide a password anymore as long as the ticket is valid.
Note: To delete a ticket, use the kdestroy command.
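Before running kinit, the following bash script checks the client-side pieces configured above: the GSSAPI lines in ssh_config, the realm and KDC entries in krb5.conf, the host principal in the keytab listing, and name resolution for the KDC. It is an added example, not part of the original guide; the file paths in run_all_checks and the wrapper itself are assumptions.

```shell
#!/bin/bash
# Added example (not from the original guide): pre-flight checks for the
# client steps above. Each check takes its input as an argument or on
# stdin, so it runs against real files or against constructed fixtures.

# Both GSSAPI options must be present and uncommented in the ssh config.
# Usage: check_gssapi_conf /etc/ssh/ssh_config
check_gssapi_conf() {
    local f="$1" opt
    for opt in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        grep -Eq "^[[:space:]]*${opt}[[:space:]]+yes" "$f" || return 1
    done
}

# default_realm must name our realm, and the kerberos.example.com
# placeholder from the stock krb5.conf must have been replaced.
# Usage: check_krb5_conf /etc/krb5.conf EXAMPLE.COM
check_krb5_conf() {
    local f="$1" realm="$2"
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*${realm}[[:space:]]*\$" "$f" || return 1
    ! grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*kerberos\.example\.com" "$f"
}

# The keytab listing on stdin (output of `klist -k <keytab>`) must contain
# the host principal created with addprinc/ktadd above.
# Usage: klist -k /etc/krb5.keytab | check_keytab_principal kbclient.example.com EXAMPLE.COM
check_keytab_principal() {
    grep -Fq " host/$1@$2" -
}

# The KDC name must resolve (DNS or /etc/hosts), as the prerequisites require.
# Usage: check_resolves kbserver.example.com
check_resolves() {
    getent hosts "$1" >/dev/null
}

# Convenience wrapper with the default paths (an assumption of this example).
# Usage: run_all_checks kbclient.example.com kbserver.example.com EXAMPLE.COM
run_all_checks() {
    local client="$1" kdc="$2" realm="$3" rc=0
    check_gssapi_conf /etc/ssh/ssh_config || { echo "GSSAPI lines missing in ssh_config"; rc=1; }
    check_krb5_conf /etc/krb5.conf "$realm" || { echo "krb5.conf realm/KDC not set"; rc=1; }
    klist -k /etc/krb5.keytab | check_keytab_principal "$client" "$realm" \
        || { echo "host/$client@$realm not in /etc/krb5.keytab"; rc=1; }
    check_resolves "$kdc" || { echo "$kdc does not resolve"; rc=1; }
    return $rc
}
```

A non-zero exit from run_all_checks points at the step to redo before testing with kinit and ssh.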

Source: RHEL 5 Deployment Guide.

Comments

scfewyy:
You should first edit the sshd_config file and add/uncomment the two GSSAPI* lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

because if not you will receive an error:

[root@r2 ~]# kadmin -q "addprinc -randkey host/r2.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface
[root@r2 ~]# vim /etc/ssh/ssh_config
[root@r2 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@r2 ~]# kadmin -q "addprinc -randkey host/r2.example.com"
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
WARNING: no policy specified for host/r2.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/r2.example.com@EXAMPLE.COM" created.
mbrito:
For me the client and server always ask for a password… There must be some other setting, no?!
