RHEL7: Configure a Kerberos KDC.


Presentation of Kerberos

Kerberos is an authentication protocol that was developed at MIT in 1988.
A client authenticates once to a KDC server (Key Distribution Center) with a principal (roughly, a login name) and obtains a ticket-granting ticket (TGT). As long as the TGT is valid, the client can request service tickets for Kerberos-aware services (SSH, NFS, ...) without typing its password again.
Both the client (here kbclient.example.com) and the KDC server (here kbserver.example.com) must belong to the same realm (usually your domain name written in upper case, here EXAMPLE.COM).

Prerequisites

Before configuring Kerberos, NTP synchronization and hostname resolution must be working: Kerberos rejects tickets whose timestamps are skewed by more than a few minutes, and host principals are built from canonical host names.
If DNS is not configured, add the following lines to the /etc/hosts file (replace the specified IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Note: When adding a new line to the /etc/hosts file, write the fully qualified domain name immediately after the IP address. The first name after the address is used as the canonical host name when host/ principals are looked up; if you put one or several aliases before the fully qualified domain name, Kerberos will not work.

Server Configuration

Install the Kerberos packages:

# yum install -y krb5-server krb5-workstation pam_krb5

First, edit the /var/kerberos/krb5kdc/kdc.conf file and replace EXAMPLE.COM with your own realm.
Optionally, uncomment the master_key_type = aes256-cts line and add the following line to the [realms] stanza:

default_principal_flags = +preauth

Note: Requiring preauthentication means the KDC no longer hands an AS-REP encrypted with the user's key to anyone who merely knows the principal name, which would otherwise allow offline password guessing. It removes compatibility with Kerberos 4 clients, which do not support preauthentication, but improves security.

Then, in the /etc/krb5.conf file, uncomment all the lines, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Finally, edit the /var/kerberos/krb5kdc/kadm5.acl file and replace EXAMPLE.COM with your own realm. The stock rule grants every */admin principal of the realm full administrative rights, so treat those principals accordingly.

Create the Kerberos database (replace EXAMPLE.COM with your own realm). The master password "example" shown below is a demonstration value: choose a strong one and keep it safe. With -s the key is also stashed in a file under /var/kerberos/krb5kdc/ so that the KDC can start unattended:

# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: example
Re-enter KDC database master key to verify: example

Note: It can be necessary to type on the keyboard to increase the entropy needed for the random data generation, especially on a virtual machine.

Start the Kerberos services:

# systemctl start krb5kdc kadmin

Activate the Kerberos services at boot:

# systemctl enable krb5kdc kadmin

Create a user for test:

# useradd user01

Execute the Kerberos administration tool:

# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.

Create the admin principal (the password "kerberos" shown below is a demonstration value; use a strong one, since this principal has full control of the realm through kadm5.acl):

kadmin.local:  addprinc root/admin
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM": kerberos
Re-enter password for principal "root/admin@EXAMPLE.COM": kerberos
Principal "root/admin@EXAMPLE.COM" created.

Create the user01 principal (again, "user01" as password is for demonstration only):

kadmin.local:  addprinc user01
Enter password for principal "user01@EXAMPLE.COM": user01
Re-enter password for principal "user01@EXAMPLE.COM": user01
Principal "user01@EXAMPLE.COM" created.

Create a host principal for the KDC itself; it is needed for GSSAPI logins to kbserver.example.com through SSH. The -randkey option generates a random key instead of prompting for a password:

kadmin.local:  addprinc -randkey host/kbserver.example.com
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for host/kbserver.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbserver.example.com@EXAMPLE.COM" created.

Extract the host key into the local keytab, /etc/krb5.keytab by default. The keytab is equivalent to the host's password, so it must stay owned by root with mode 0600. One entry is written per enctype listed in supported_enctypes in kdc.conf; the stock list still includes single DES and RC4 (arcfour-hmac), as the output below shows:

kadmin.local:  ktadd host/kbserver.example.com
Authenticating as principal root/admin@EXAMPLE.COM with password.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbserver.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.

Exit the Kerberos administration tool:

kadmin.local:  quit
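The preauth setting recommended in the kdc.conf step and the list of enctypes written to the keytab above are the two places where a stock RHEL 7 KDC is weaker than it needs to be. The script below is an added example, not part of the original page or of any Red Hat or MIT tool: it audits the [realms] stanza of kdc.conf and the output of klist -ket for a missing +preauth flag, a non-AES master key, and keys in single DES, RC4 (arcfour-hmac) or triple DES. Both inputs are constructed samples modelled on stock RHEL 7 output, the realm and host names follow the page, and the set of enctypes treated as weak is this example's own choice.

```bash
#!/bin/bash
# Added example (not from the original page): audit a KDC's preauth and
# enctype settings from text the administrator already has on hand, without
# touching the live KDC. Inputs are constructed samples (see below).

# MIT enctype names treated as weak here (assumption: this example's list,
# not an official Red Hat or MIT one).
WEAK_ENCTYPE_RE='(des-cbc-(crc|md4|md5)|des-hmac-sha1|des3-cbc-sha1|des3-hmac-sha1|arcfour-hmac(-md5)?(-exp)?)'

# weak_enctypes TEXT -> sorted, unique weak enctype names found in TEXT
weak_enctypes() {
  printf '%s\n' "$1" | grep -oE "$WEAK_ENCTYPE_RE" | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# audit_kdc_conf TEXT -> 0 if the [realms] stanza is hardened, 1 otherwise
# (findings are printed on stdout)
audit_kdc_conf() {
  local active weak rc=0
  active=$(printf '%s\n' "$1" | sed 's/#.*$//')   # a commented-out line is not a setting
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*default_principal_flags[[:space:]]*=.*[+]preauth'; then
    echo "kdc.conf: default_principal_flags does not include +preauth"; rc=1
  fi
  if ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*master_key_type[[:space:]]*=[[:space:]]*aes256-cts'; then
    echo "kdc.conf: master_key_type is not aes256-cts"; rc=1
  fi
  weak=$(weak_enctypes "$(printf '%s\n' "$active" | grep -E '^[[:space:]]*supported_enctypes')")
  if [ -n "$weak" ]; then
    echo "kdc.conf: supported_enctypes still offers: $weak"; rc=1
  fi
  return "$rc"
}

# audit_keytab TEXT -> 0 if no "klist -ket" entry uses a weak enctype, 1 otherwise
audit_keytab() {
  local weak
  # entry lines look like: "   2 07/22/2014 16:40:12 host/...@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
  weak=$(weak_enctypes "$(printf '%s\n' "$1" | grep -E '^[[:space:]]*[0-9]+ .*\(')")
  if [ -n "$weak" ]; then
    echo "keytab: entries with weak enctypes: $weak"; return 1
  fi
  return 0
}

# Constructed sample: stock RHEL 7 stanza, master_key_type still commented out,
# no preauth flag, DES/RC4/3DES still offered.
STOCK_KDC_CONF='[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

# Constructed sample: the same stanza after hardening.
HARDENED_KDC_CONF='[realms]
 EXAMPLE.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }'

# Constructed sample of "klist -ket /etc/krb5.keytab" after the ktadd above.
STOCK_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (arcfour-hmac)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (camellia256-cts-cmac)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (des-hmac-sha1)
   2 07/22/2014 16:40:12 host/kbserver.example.com@EXAMPLE.COM (des-cbc-md5)'

echo "== stock kdc.conf =="
audit_kdc_conf "$STOCK_KDC_CONF" || echo "kdc.conf: NOT hardened"
echo "== hardened kdc.conf =="
audit_kdc_conf "$HARDENED_KDC_CONF" && echo "kdc.conf: OK"
echo "== keytab =="
audit_keytab "$STOCK_KEYTAB" || echo "keytab: re-key the principal after restricting supported_enctypes"
```

On a real KDC, feed it the live files with audit_kdc_conf "$(cat /var/kerberos/krb5kdc/kdc.conf)" and audit_keytab "$(klist -ket /etc/krb5.keytab)". Restricting supported_enctypes only affects keys generated afterwards: principals created earlier keep their DES and RC4 keys until you run ktadd again (which randomizes the key and bumps the kvno) and drop the old entries with ktremove in kadmin.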

Edit the /etc/ssh/sshd_config file and make sure the following line is present and uncommented, so that the SSH server accepts Kerberos (GSSAPI) logins:

GSSAPIAuthentication yes

Then edit the /etc/ssh/ssh_config file (the client side; the KDC acts as its own SSH client in the test below, and the same change is needed on kbclient.example.com) and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Note: GSSAPIDelegateCredentials forwards your TGT to the remote host, which can then act as you towards other services. Enable it only for hosts you trust, or leave it off and forward credentials per host.

Reload the sshd service configuration:

# systemctl reload sshd

Configure the PAM component at the command line (this updates the PAM stack so that Kerberos passwords are accepted for local logins):

# authconfig --enablekrb5 --update

To get the correct firewall configuration (port 88 udp/tcp for Kerberos itself, port 749 tcp for kadmin), create the /etc/firewalld/services/kerberos.xml file and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Kerberos</short>
  <description>Kerberos network authentication protocol server</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="749"/>
</service>

Note: A kerberos Firewalld service file already exists in the /usr/lib/firewalld/services directory, but it only opens port 88 and doesn't cover the kadmin protocol (749/tcp). This would force all administration to be done on the KDC server itself, which is not very handy. The file created above in /etc/firewalld/services overrides the stock one. Firewalld also ships a separate kadmin service (749/tcp), so "firewall-cmd --permanent --add-service=kerberos --add-service=kadmin" is an alternative that keeps the stock definitions; either way, only expose 749/tcp to the hosts that actually run kadmin.

Add the new service to the firewall :

# firewall-cmd --permanent --add-service=kerberos

Reload the firewall configuration:

# firewall-cmd --reload

Test your configuration (here kbserver.example.com is the KDC server name):

# su - user01
$ kinit
Password for user01@EXAMPLE.COM: user01
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user01@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2014 16:48:35  07/23/2014 16:48:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 07/22/2014 16:48:11
$ ssh kbserver.example.com

Now, you should be able to quit and reconnect without giving any password.
Note: To delete the ticket cache, use the kdestroy command.

Source: RHEL 5 Deployment Guide.

Troubleshooting Tip

When troubleshooting Kerberos behaviour, assign a filename (or /dev/stdout) to the KRB5_TRACE environment variable. The Kerberos libraries then log each step they take (credential lookup, KDC requests and replies, enctype negotiation):

# export KRB5_TRACE=/dev/stdout
# kinit
[2878] 1451496694.41411: Getting initial credentials for root@EXAMPLE.COM
[2878] 1451496694.41547: Sending request (183 bytes) to EXAMPLE.COM
...

Additional Resources

You can also watch Andrew Mallett's video about setting up a KDC (23min/2015).


13 Comments on "RHEL7: Configure a Kerberos KDC."

SkoolofManoovah:

Hi CertDepot,

I have followed the process you’ve laid out here to setup KDC server and client, and afterwards I can run “kinit user” and enter my password, and then “klist” and see the tgt listed. But when I ssh from client into the server I still always need to enter my password to log in.

Can you suggest anything I may have missed?

iaskakho:

Check that everything resolves correctly.
In /etc/hosts: 192.168.1.11 kbserver.example.com kbserver
Also enable debugging in sshd with -d -d -d (/usr/lib/systemd/system/sshd.service).
From the client side you can use:
$ KRB5_TRACE=/dev/stdout ssh -vvv kbserver.example.com
On the server side: # journalctl -xeu sshd

if all is well in the log:
Jul 02 16:22:29 kbserver sshd[7677]: Authorized to user01, krb5 principal user01@EXAMPLE.COM (ssh_gssapi_krb5_cmdok)
Jul 02 16:22:29 kbserver sshd[7677]: Accepted gssapi-with-mic for user01 from 192.168.1.11 port 46943 ssh2

FredSim:

Hi,

Can I set up Kerberos, NFS and a domain server in one VM 'Server' as a whole? How do I do that? How do I test the user login when using NFS authenticated by Kerberos in that VM server? Thanks

FredSim:

Hi,

Can I set up Kerberos, NFS, a domain and a mail server in one VM 'Server' as a whole? How do I do that? How do I test the user login when using NFS authenticated by Kerberos in that VM server? Thanks

twostep:

It is worth mentioning that when generating the KDC database on a virtual machine via the command:
kdb5_util create
due to insufficient entropy data:
cat /proc/sys/kernel/random/entropy_avail
the process will hang.
The solution is to install the package:
yum install rng-tools
and feed entropy via the command:
rngd -r /dev/urandom

samuel.sappa:

Hi CertDepot,
Is it OK to have Kerberos, NTP and DNS on one server?
Or can it be done using ipa-server instead? My concern is that when using ipa-server I will not get the same experience as in the exam.

hasanin:
Hello, thanks for such great resources, I wish you all the best. I have a question: is installing and configuring a Kerberos KDC server part of the exam objectives? According to Sander van Vugt it is not, so this tutorial is mainly for Kerberos client testing purposes and I don't need to memorize it for the exam? One more question: according to the client tutorial I need to manually add the user account to the KDC client machine before the user gets single sign-on, but that defeats the purpose of single sign-on, right? I mean you have to… Read more »