RHEL7: Configure a system to authenticate using Kerberos.


Note: This is an RHCE 7 exam objective.

Prerequisites

Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working.
If you have no working DNS, add the following lines to the /etc/hosts file (replacing the IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

Client Configuration

Install the Kerberos client packages:

# yum install -y krb5-workstation pam_krb5

Edit the /etc/krb5.conf file: uncomment all the lines, then replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Alternatively, copy the /etc/krb5.conf file from the KDC server (here kbserver.example.com):

# scp root@kbserver.example.com:/etc/krb5.conf /etc/krb5.conf
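The manual edit above (uncomment the realm lines, substitute realm, domain and KDC) is easy to get wrong on a second or third client. The script below is an added example, not code from the original article: it renders the same file from a template and lets you read back a value from a given section before installing the result. The KRB5_TEMPLATE string is a constructed copy of the default RHEL 7 file and is an assumption; diff it against the /etc/krb5.conf your krb5-libs package shipped before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original page: render a client /etc/krb5.conf
# from the stock template by uncommenting the realm lines and substituting the
# realm, domain and KDC name, which is the manual edit described in the text.
# Assumption: KRB5_TEMPLATE is a constructed copy of the default RHEL 7 file.

KRB5_TEMPLATE='[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
# default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM'

# render_krb5_conf REALM DOMAIN KDC: print the rendered file on stdout.
# The KDC name is substituted before the domain, and the domain only on the
# two [domain_realm] lines, so a KDC inside example.com (as on this page)
# is not rewritten twice.
render_krb5_conf() {
    realm=$1; domain=$2; kdc=$3
    printf '%s\n' "$KRB5_TEMPLATE" | sed \
        -e 's/^#//' \
        -e "s/kerberos\\.example\\.com/$kdc/g" \
        -e "s/EXAMPLE\\.COM/$realm/g" \
        -e "s/^ \\.example\\.com = / .$domain = /" \
        -e "s/^ example\\.com = / $domain = /"
}

# krb5_conf_value CONF_TEXT SECTION KEY: print the value of the first
# "KEY = value" line inside [SECTION]; a quick read-back before installing.
krb5_conf_value() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { cur = $1 }
        cur == sec && $1 == key && $2 == "=" { print $3; exit }'
}

# Usage: sh render-krb5.sh EXAMPLE.COM example.com kbserver.example.com > /etc/krb5.conf
if [ "$#" -eq 3 ]; then
    render_krb5_conf "$1" "$2" "$3"
fi
```

Run it with the three values as arguments and redirect the output to /etc/krb5.conf; with no arguments it only defines the functions, so it can be sourced from a larger provisioning script.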

Create a test user:

# useradd user01

Add a host principal for the client machine (here kbclient.example.com):

# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
kadmin:  addprinc -randkey host/kbclient.example.com
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.

Extract the key of this host principal into a local keytab, stored by default in the /etc/krb5.keytab file:

kadmin:  ktadd host/kbclient.example.com
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit

Edit the /etc/ssh/ssh_config file (the client configuration) and add or uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# systemctl reload sshd

Configure the PAM component for Kerberos authentication from the command line:

# authconfig --enablekrb5 --update

Test your configuration (here kbserver.example.com is the KDC server name):

# su - user01
$ kinit
Password for user01@EXAMPLE.COM: user01
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user01@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2014 17:20:15  07/23/2014 17:19:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 07/22/2014 17:19:54
$ ssh kbserver.example.com

Now, you should be able to log out and reconnect without giving any password.
The first time you log in to a Kerberos client, you have to provide a login and password (see kinit above). You then get a ticket that allows you to log in to all the other Kerberos clients in the same realm, and you don't need to provide a password again as long as your ticket is valid.
Note: To delete a ticket, use the kdestroy command.
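The steps above leave several things to verify by eye: the /etc/hosts fallback, the ssh_config options, the host principal in the keytab, the keytab permissions and the ticket obtained by kinit. The script below is an added example, not code from the original article, that turns each of those into a check returning 0 on success. The sample /etc/hosts, ssh_config, klist -k and klist contents it uses are constructed to mirror the outputs shown on this page; on a real client you would pass the real files and the real command outputs instead. Note that GSSAPIDelegateCredentials hands a copy of your TGT to the remote host, so the check for it confirms an intentional choice rather than a default you should leave on everywhere.

```shell
#!/bin/sh
# Added example, not code from the original page: post-configuration checks
# for a client set up with the steps above. Every check is a function that
# returns 0 on success, so it can be scripted; the sample inputs at the end
# are constructed to mirror the outputs shown on this page.

# hosts_maps HOSTS_FILE NAME: NAME is listed on a non-comment line of
# HOSTS_FILE (the /etc/hosts fallback used when DNS is not available).
hosts_maps() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# ssh_option_is FILE OPTION VALUE: the first uncommented OPTION in an
# ssh_config-style FILE has VALUE (option names are case-insensitive).
# Host/Match blocks are not evaluated; the file is read literally.
ssh_option_is() {
    awk -v opt="$2" -v want="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(opt) && val == "" { val = $2 }
        END { exit (tolower(val) == tolower(want) ? 0 : 1) }' "$1"
}

# keytab_has_principal KLIST_K_OUTPUT PRINCIPAL: PRINCIPAL appears in an
# entry line (numeric KVNO, then principal) of `klist -k` output.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# keytab_is_private FILE: the keytab holds the host key, so it must be
# readable by its owner only (mode 0600, as kadmin creates it).
keytab_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# ticket_principal KLIST_OUTPUT: print the principal the ticket was issued to.
ticket_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: //p'
}

# Constructed samples mirroring the page; replace with "$(klist -k)" and
# "$(klist)" on a real client.
SAMPLE_KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kbclient.example.com@EXAMPLE.COM
   2 host/kbclient.example.com@EXAMPLE.COM'

SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user01@EXAMPLE.COM

Valid starting       Expires              Service principal
07/22/2014 17:20:15  07/23/2014 17:19:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 07/22/2014 17:19:54'

# run_checks: exercise every check against constructed temporary files; on a
# real client use /etc/hosts, /etc/ssh/ssh_config and /etc/krb5.keytab.
run_checks() {
    tmp=$(mktemp -d)
    printf '192.168.1.11 kbserver.example.com\n192.168.1.12 kbclient.example.com\n' > "$tmp/hosts"
    printf '# constructed client config\nGSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$tmp/ssh_config"
    : > "$tmp/krb5.keytab"; chmod 600 "$tmp/krb5.keytab"
    hosts_maps "$tmp/hosts" kbserver.example.com &&
    ssh_option_is "$tmp/ssh_config" GSSAPIAuthentication yes &&
    ssh_option_is "$tmp/ssh_config" GSSAPIDelegateCredentials yes &&
    keytab_has_principal "$SAMPLE_KLIST_K" host/kbclient.example.com@EXAMPLE.COM &&
    keytab_is_private "$tmp/krb5.keytab" &&
    [ "$(ticket_principal "$SAMPLE_KLIST")" = user01@EXAMPLE.COM ]
    status=$?
    rm -rf "$tmp"
    return $status
}
```

Each function reads a file path or a captured command output rather than calling kadmin or kinit itself, so the checks can run unprivileged and be repeated after every change without touching the KDC.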

Source: RHEL 5 Deployment Guide.

Additional Resources

Chapter 11 of the RHEL 7 System-Level Authentication Guide provides many Kerberos configuration details.

Comments
SkoolofManoovah (Member):

Hi, could you clarify please… in /etc/hosts for the KDC server

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

why include the IP for the client? And on a KDC client, does it need its own IP in /etc/hosts? Or to put it another way, why not just use 127.0.0.1 for the kbserver on the KDC server, and 127.0.0.1 for the kbclient on a client? Hope that makes sense.

SkoolofManoovah (Member):

Ok, thanks for clarification.

jerky_rs (Member):

Centos7 – It appears as though "GSSAPIDelegateCredentials yes" is no longer a valid configuration option available to SSHD for Centos7.

From journalctl
/etc/ssh/sshd_config: line 160: Bad configuration option: GSSAPIDelegateCredentials

It is also not listed in “man sshd_config”.

Annoyingly “systemctl restart sshd” shows no error and sshd silently dies..

It is however documented in RHEL7 = https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_a_Kerberos_5_Client.html

Not sure if this is the case for RHEL

Source RPM : openssh-6.4p1-8.el7.src.rpm7

Carl (Member):

You’re supposed to update the ssh_config file, not the sshd_config file. I had the same problem 🙂

Mike_ (Member):

I made this same mistake, but it worked for me anyway, i.e. I updated sshd_config and could not restart the daemon/service. I removed the GSSAPIDelegateCredentials entry, it started, and I was able to log onto the system. The entry is in neither ssh_config nor sshd_config. Centos 7.4.1708

Weird…

anserk (Member):

The link you provided is pretty clear (at least at the time I checked it): "If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system." This option is a client-only option, as can be seen in man ssh_config vs man sshd_config. You don't have to put this option in the config file, you can use ssh -K yourserver to delegate credentials when connecting. How do you know whether to use it or not? It's actually a rather simple concept. I have 3 servers which are all members of a Kerberos realm. I log in to… Read more »

laurentiu.v (Member):

When taking the RHCE exam what exactly is provided?

Is there a Kerberos/LDAP server that can be used? Or do we have to set-up one?

Shikaz (Member):

Can't I do all the configuration for Kerberos from authconfig-tui?

sendtodeji (Member):

Thank you for the awesome work. I was wondering if one can achieve this objective by installing ipa-client and running ipa-client-install instead of doing it manually? I found that easy to accomplish because the utility is interactive.

Sam (Member):

Hopefully this will help someone. I had a problem when connecting to kadmin using admin/root, however, kinit worked!! The error message was: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface. The link http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml came close but did not solve my problem, which was restarting the ntp server. As it turns out my internet connection is v.poor, with a delay of about 300ms. My solution ended up changing the ntp.conf from the default (server) to peer:

peer 0.centos.pool.ntp.org iburst
peer 1.centos.pool.ntp.org iburst
peer 2.centos.pool.ntp.org iburst
peer 3.centos.pool.ntp.org iburst

note, only the ntpserver.example.com was changed to peers,… Read more »

alamahant (Member):

Don't we need to add a principal nfs/kbclient.example.com as well??? Or is only adding user principals and the host principal sufficient?

alamahant (Member):

If in the exam they use an ipa-server, then can we still point to the ipa-server's KDC in /etc/krb5.conf???
Or should we install an ipa-client instead??
Because ipa-server and ipa-client like to operate at the top level and do not allow Kerberos-only interactions between server and client..
I hope you understand what I mean…….

alamahant (Member):

I checked it.. It works fine with krb5-workstation on the client and ipa-server as KDC 🙂
Thanks dear, and sorry for the redundant question

anserk (Member):

I just wanted to add a note about what you said in the last paragraph (using kinit). This is normally not needed if you log in to the server as a Kerberos user. Or if you do su - user01 as an unprivileged user. In both cases you get prompted for a password and obtain a ticket. From there you could use SSH right away, no need to issue the kinit command.

konrad (Member):

Hi there,

I just read Sander van Vugt's book and I see you present two different positions on the issue of Kerberos authentication. He assumes that we have user credentials stored on an IPA server; you are creating them on the local machine and then adding the client machine details to the KDC. Please can I have any comment on that?

hunter86_bg (Member):

Dear Certdepot,
I have followed Appendix D of Sander van Vugt's book and I have created a FreeIPA server with DNS. But when I configured the client, I had to install the ipa-client and 2 more packages. Running ipa-client-install modified sssd.conf, LDAP's conf, SSH conf, etc.
Have you tested this method, and do you think that using ipa-client, even without a FreeIPA server to connect with, would do the job?

algorisms (Member):

It seems this discussion omits Realmd which I just learned about through recent Redhat training. With my domain, I was able to join my domain via kerberos very simply with the following:

[root@BTS-RHEL7-1 ~]# yum install realmd
[root@BTS-RHEL7-1 ~]# realm discover 192.168.1.221
bts.test
  type: kerberos
  realm-name: BTS.TEST
  domain-name: bts.test
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
[root@BTS-RHEL7-1 ~]# yum install oddjob oddjob-mkhomedir sssd adcli samba-common
[root@BTS-RHEL7-1 ~]# realm join 192.168.1.221
Password for Administrator:
[root@BTS-RHEL7-1 ~]#

Done. I then log into my DC and I can see the computer object. This daemon… Read more »

twostep (Member):

Could you explain why you create the keytab for the client host principal?
kadmin: ktadd host/kbclient.example.com

yarilc (Member):

I believe knowing how to configure centralized authentication with authconfig-* tools should be enough

asifshabir (Member):

In both the articles:

RHEL7: Configure a system to authenticate using Kerberos
And
RHEL7: Configure a Kerberos KDC.

You have created the same user, user01, on both machines (server and client).

Should we just create user01 on the server and access it from the client?
Or will we have to create the same user locally on all the client machines?

POC (Member):

Hi
Since we are likely to be supplied a keytab file for the client, how much of the above configuration is really necessary? Will we have the kadmin password to add the client as a host?

Sam (Member):

RHCE is a test of the ability for practical implementation.

Questions on the exam vary from time to time. Know and understand it all. This is required for troubleshooting different problems.

jrios9 (Member):

Please, could someone who took the RHCE exam tell me what the part "Configure a system to authenticate using Kerberos" is like?

I don't know if in the exam there is going to be an admin user to register the server on the Kerberos. Can someone give a trick or tips to crack this part of the exam?

Regards!

Lisenet (Member):

Tip: know how to use a Kerberos keytab file.

jrios9 (Member):

Lots of thanks for your tip. Now I'm able to obtain a Kerberos ticket in different ways. By the way, all your posts on https://www.lisenet.com/ about RHCE preparation are really useful.

I’ll crack the RHCE exam. Thank you CertDepot and Lisenet.

Lisenet (Member):

I’m glad you found it useful, best of luck with your studies.

Oxygen (Member):

Thanks for the article, but I think there is an easier way though. If the goal is to get the Kerberos ticket, that could be achieved with authconfig for Kerberos only (1 command and 2 RPMs on 7.1). And then:

root# kinit user01
root# klist
root# ssh user01@kbserver.example.com

That works without adding principals and keytabs, GSSAPIAuthentication is enabled by default.

Cheers
