RHEL7: Configure a system to authenticate using Kerberos.


Note: This is an RHCE 7 exam objective.

Prerequisites

Before configuring a Kerberos client, you have to configure a KDC.
Also, to get Kerberos running, NTP synchronization and hostname resolution must be working on both the client and the KDC.
If DNS is not working, add the following lines to the /etc/hosts file (replace the IP addresses with yours):

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com
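The two prerequisites above (name resolution and time synchronization) are the usual cause of a Kerberos client that "mysteriously" fails, so it is worth checking them before touching krb5.conf. The script below is an added example and is not part of the CertDepot page: it looks a name up in a hosts-format file the way the /etc/hosts entries above are meant to be used, rejects loopback entries (a 127.x address only satisfies the local machine, the KDC and the other realm members must reach the client by its real address), and compares a clock offset against the 300-second clockskew that MIT Kerberos allows by default. The hostnames kbserver.example.com and kbclient.example.com are taken from the page; the chronyc output format parsed in preflight is assumed to be the "System time : N seconds fast/slow of NTP time" line chronyc prints on RHEL 7.

```shell
#!/bin/sh
# Kerberos client pre-flight checks (added example, not from the page).

# hosts_lookup FILE NAME: print the address mapped to NAME in a hosts-format
# file (comments ignored, first match wins); exit status 1 if NAME is absent.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                     # drop inline and full-line comments
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# is_loopback ADDR: 127.0.0.0/8 or ::1.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# resolves_for_kerberos FILE NAME: 0 when NAME maps to a non-loopback address.
# A host principal such as host/kbclient.example.com is only useful if the
# other realm members resolve that name to the address the client listens on.
resolves_for_kerberos() {
    addr=$(hosts_lookup "$1" "$2") || return 1
    if is_loopback "$addr"; then return 1; fi
    return 0
}

# clock_skew_ok OFFSET_SECONDS: MIT Kerberos rejects tickets and AS requests
# when client and KDC differ by more than the clockskew default of 300 s.
clock_skew_ok() {
    awk -v off="$1" 'BEGIN { if (off < 0) off = -off; exit (off <= 300) ? 0 : 1 }'
}

# preflight: run the checks against the live system. Only invoked with --run
# because /etc/hosts and chronyc output differ from machine to machine.
preflight() {
    for h in kbserver.example.com kbclient.example.com; do
        resolves_for_kerberos /etc/hosts "$h" && echo "ok:   $h" || echo "FAIL: $h has no usable /etc/hosts entry"
    done
    # Assumed chronyc line: "System time     : 0.000123 seconds slow of NTP time"
    off=$(chronyc tracking 2>/dev/null | awk '/^System time/ { print ($6 == "slow") ? "-" $4 : $4 }')
    if [ -n "$off" ] && clock_skew_ok "$off"; then
        echo "ok:   clock offset ${off}s is within the 300 s Kerberos clockskew"
    else
        echo "FAIL: no NTP sync information or offset beyond 300 s"
    fi
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as `sh preflight.sh --run` on the client; the functions can also be sourced individually. Note that getent/DNS are not consulted here on purpose: the point of the check is the static /etc/hosts fallback the page describes.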

Client Configuration

Install the Kerberos client packages:

# yum install -y krb5-workstation pam_krb5

Edit the /etc/krb5.conf file, uncomment all the lines, replace EXAMPLE.COM with your own realm, example.com with your own domain name, and kerberos.example.com with your own KDC server name (here kbserver.example.com).

Alternatively, copy the /etc/krb5.conf file from the KDC server (here kbserver.example.com):

# scp root@kbserver.example.com:/etc/krb5.conf /etc/krb5.conf
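Whichever way you obtain it, the resulting /etc/krb5.conf should look like the rendered file below. This is an added example, not the page's own file: render_krb5_conf writes the layout of the stock RHEL 7 template (the one the page tells you to uncomment) with the three values the page says to replace (realm, domain, KDC host) as parameters, and the helper functions read the realm, KDC and domain mapping back out so you can verify a file you did not write yourself. The default_ccache_name line is assumed from the RHEL 7 default (it matches the KEYRING:persistent cache shown in the klist output further down).

```shell
#!/bin/sh
# /etc/krb5.conf rendering and sanity checks (added example, not from the page).

# render_krb5_conf REALM DOMAIN KDC_HOST: print a krb5.conf in the layout of
# the RHEL 7 default template. Assumption: the KDC also runs kadmind.
render_krb5_conf() {
    realm=$1; domain=$2; kdc=$3
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $realm = {
  kdc = $kdc
  admin_server = $kdc
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# krb5_conf_value FILE KEY: value of the first "KEY = value" line.
krb5_conf_value() {
    awk -v key="$2" '$1 == key && $2 == "=" { print $3; exit }' "$1"
}

# krb5_conf_kdc FILE REALM: the kdc host inside REALM's [realms] block only,
# so the "kdc = FILE:..." logging line is never mistaken for it.
krb5_conf_kdc() {
    awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}"                   { inside = 0 }
        inside && $1 == "kdc" && $2 == "="    { print $3; exit }
    ' "$1"
}

# realm_name_ok REALM: realm names are compared case-sensitively by Kerberos
# and are upper-case by convention; a lower-case realm on the client will not
# match the EXAMPLE.COM realm the KDC serves.
realm_name_ok() {
    [ "$1" = "$(printf %s "$1" | tr 'a-z' 'A-Z')" ]
}

# krb5_conf_consistent FILE: default_realm is upper-case and has a KDC entry.
krb5_conf_consistent() {
    realm=$(krb5_conf_value "$1" default_realm)
    [ -n "$realm" ] && realm_name_ok "$realm" && [ -n "$(krb5_conf_kdc "$1" "$realm")" ]
}

# Stand-alone use: sh render.sh EXAMPLE.COM example.com kbserver.example.com > /etc/krb5.conf
if [ $# -eq 3 ]; then render_krb5_conf "$@"; fi
```

Run krb5_conf_consistent /etc/krb5.conf on a file copied from the KDC before the first kinit; an empty KDC entry or a lower-case realm is the usual reason for "Cannot find KDC for realm" errors.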

Create a test user:

# useradd user01

Add a host principal for the client machine (here kbclient.example.com):

# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM: kerberos
kadmin:  addprinc -randkey host/kbclient.example.com
WARNING: no policy specified for host/kbclient.example.com@EXAMPLE.COM; defaulting to no policy
Principal "host/kbclient.example.com@EXAMPLE.COM" created.

Export the keys of the host principal to a local keytab, stored by default in the /etc/krb5.keytab file:

kadmin:  ktadd host/kbclient.example.com
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:  quit
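The ktadd output above shows keys for every enctype the KDC supports, including single-DES (des-cbc-md5, des-hmac-sha1) and the deprecated des3-cbc-sha1 and arcfour-hmac. On RHEL 7, MIT krb5 refuses to use single-DES keys unless allow_weak_crypto = true is set, so those entries are dead weight at best, and the keytab itself is equivalent to the host's password and must stay readable by root only. The script below is an added example, not part of the page: it classifies enctypes from the ktadd text the page prints (or from klist -kte output, assuming the short enctype names krb5 1.9 and later print in parentheses) and checks the keytab file mode. SAMPLE_KTADD_OUTPUT is the page's own ktadd output, embedded here as constructed input.

```shell
#!/bin/sh
# Keytab hygiene checks (added example, not from the page).

# Single-DES enctypes: disabled by default in MIT krb5 (allow_weak_crypto = false).
WEAK_ENCTYPES='des-cbc-md5 des-cbc-crc des-cbc-md4 des-hmac-sha1'
# Deprecated in MIT krb5: still accepted on RHEL 7 but slated for removal.
DEPRECATED_ENCTYPES='des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# Constructed sample: the ktadd output from the page, verbatim.
SAMPLE_KTADD_OUTPUT='Entry for principal host/kbclient.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kbclient.example.com with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/krb5.keytab.'

# classify_enctypes: read ktadd or "klist -kte" text on stdin and print
# "weak NAME" or "deprecated NAME" for each offending key, one per line.
classify_enctypes() {
    awk -v weak="$WEAK_ENCTYPES" -v depr="$DEPRECATED_ENCTYPES" '
        BEGIN {
            n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1
            n = split(depr, d, " "); for (i = 1; i <= n; i++) isdepr[d[i]] = 1
        }
        function report(e) {
            if (e in isweak) print "weak " e
            else if (e in isdepr) print "deprecated " e
        }
        # kadmin ktadd: "... encryption type aes256-cts-hmac-sha1-96 added to keytab ..."
        match($0, /encryption type [^ ]+/) {
            report(substr($0, RSTART + 16, RLENGTH - 16))   # skip "encryption type "
        }
        # klist -kte (krb5 >= 1.9 short names, assumed):
        # "   2 07/22/2014 17:20:15 host/kbclient.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)"
        match($0, /\([^)]+\)$/) {
            report(substr($0, RSTART + 1, RLENGTH - 2))
        }
    '
}

# keytab_mode_ok FILE: the keytab must be rw for its owner only (-rw-------).
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# audit_keytab FILE: run both checks against a real keytab (root only).
audit_keytab() {
    kt=${1:-/etc/krb5.keytab}
    keytab_mode_ok "$kt" || echo "FAIL: $kt is not mode 0600"
    klist -kte "$kt" | classify_enctypes
}

if [ "${1:-}" = "--run" ]; then audit_keytab "${2:-/etc/krb5.keytab}"; fi
```

With no arguments the script only defines the functions; `printf '%s\n' "$SAMPLE_KTADD_OUTPUT" | classify_enctypes` reproduces the classification of the page's output (two weak keys, two deprecated ones). Removing the unwanted keys is done on the KDC side by restricting supported_enctypes before ktadd, not by editing the keytab by hand.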

Edit the /etc/ssh/ssh_config file and add/uncomment the following lines:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Reload the sshd service configuration:

# systemctl reload sshd
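GSSAPIAuthentication is understood by both the ssh client (ssh_config) and the server (sshd_config), whereas GSSAPIDelegateCredentials is a client-only keyword: sshd rejects it as a bad configuration option and will not start, which is the silent failure described in the comments below. The following added example (not the page's own code) reads the first active value of a keyword from either file, checks each side for what it should and should not contain, and validates the server file with `sshd -t` before the reload. Paths default to the RHEL 7 locations; the `Keyword=value` spelling is not handled.

```shell
#!/bin/sh
# GSSAPI settings check for ssh_config and sshd_config (added example, not from the page).

# ssh_option FILE KEYWORD: first active (uncommented) value of KEYWORD,
# matched case-insensitively as ssh does; Host/Match scoping is ignored.
ssh_option() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# client_config_ok FILE: ssh_config needs both keywords set to yes for the
# ticket to be used and forwarded as the page describes.
client_config_ok() {
    [ "$(ssh_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ "$(ssh_option "$1" GSSAPIDelegateCredentials)" = yes ]
}

# server_config_ok FILE: sshd_config needs GSSAPIAuthentication yes and must
# not contain the client-only keyword, or sshd refuses to start.
server_config_ok() {
    [ "$(ssh_option "$1" GSSAPIAuthentication)" = yes ] &&
    [ -z "$(ssh_option "$1" GSSAPIDelegateCredentials)" ]
}

# reload_sshd_safely [FILE]: sshd -t parses the configuration without
# starting a daemon, so a bad keyword is reported before the running
# service is touched.
reload_sshd_safely() {
    cfg=${1:-/etc/ssh/sshd_config}
    server_config_ok "$cfg" || { echo "FAIL: $cfg GSSAPI settings are wrong"; return 1; }
    sshd -t -f "$cfg" && systemctl reload sshd
}

# check_both [SSH_CONFIG] [SSHD_CONFIG]: report on both files.
check_both() {
    client_config_ok "${1:-/etc/ssh/ssh_config}"  && echo "ok: client GSSAPI settings" || echo "FAIL: client GSSAPI settings"
    server_config_ok "${2:-/etc/ssh/sshd_config}" && echo "ok: server GSSAPI settings" || echo "FAIL: server GSSAPI settings"
}

if [ "${1:-}" = "--run" ]; then check_both; fi
```

On a host where the service already died, `journalctl -u sshd` shows the "Bad configuration option" line quoted in the comments; `sshd -t` prints the same diagnostic to the terminal without the restart.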

Configure the PAM component at the command line:

# authconfig --enablekrb5 --update

Test your configuration (here kbserver.example.com is the KDC server name):

# su - user01
$ kinit
Password for user01@EXAMPLE.COM: user01
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user01@EXAMPLE.COM

Valid starting Expires Service principal
07/22/2014 17:20:15 07/23/2014 17:19:54 krbtgt/EXAMPLE.COM@EXAMPLE.COM
 renew until 07/22/2014 17:19:54
$ ssh kbserver.example.com

Now, you should be able to log out and reconnect without being asked for a password.
In addition, the first time you log in to a Kerberos client, you have to provide a login/password (see kinit above). You then get a ticket that lets you log in to all the other Kerberos clients in the same realm without providing a password again, as long as the ticket is valid.
Note: To delete a ticket, use the kdestroy command.

Source: RHEL 5 Deployment Guide.



38 Comments on "RHEL7: Configure a system to authenticate using Kerberos."

SkoolofManoovah

Hi, could you clarify please… in /etc/hosts for the KDC server

192.168.1.11 kbserver.example.com
192.168.1.12 kbclient.example.com

why include the IP for the client? And on a KDC client, does it need its own IP in /etc/hosts? Or to put another way, why not just use 127.0.0.1 for the kdserver on the KDC server, and 127.0.0.1 for the kdclient on a client? Hope that makes sense.

SkoolofManoovah

Ok, thanks for clarification.

jerky_rs

Centos7 – It appears as though “GSSAPIDelegateCredentials yes” is no longer a valid configuration option available to SSHD for Centos7.

From journalctl
/etc/ssh/sshd_config: line 160: Bad configuration option: GSSAPIDelegateCredentials

It is also not listed in “man sshd_config”.

Annoyingly “systemctl restart sshd” shows no error and sshd silently dies..

It is however documented in RHEL7 = https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_a_Kerberos_5_Client.html

Not sure if this is the case for RHEL

Source RPM : openssh-6.4p1-8.el7.src.rpm7

anserk
The link you provided is pretty clear (at least at the time I checked it): “If the client also has GSSAPIDelegateCredentials enabled, the user’s credentials are made available on the remote system.” This option is a client-only option, as can be seen in man ssh_config vs man sshd_config. You don’t have to put this option in the config file, you can use ssh -K youserver to delegate credentials when connecting. How do you know whether to use it or not? It’s actually a rather simple concept. I have 3 servers which are all members of a Kerberos realm. I log in to… Read more »
laurentiu.v

When taking the RHCE exam what exactly is provided?

Is there a Kerberos/LDAP server that can be used? Or do we have to set-up one?

Shikaz

Can’t I do all the configuration for Kerberos from authconfig-tui?

sendtodeji

Thank you for the awesome work. I was wondering if one can achieve this objective by installing ipa-client and running ipa-client-install instead of doing it manually? I found that easy to accomplish because the utility is interactive.

Sam
Hopefully this will help someone. I had a problem when connecting to kadmin using admin/root, however, kinit worked!! The error message was: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface. The link http://research.imb.uq.edu.au/~l.rathbone/ldap/kerberos.shtml came close but did not solve my problem, which was restarting the ntp server. As it turns out my internet connection is v.poor, with a delay of about 300ms. My solution ended up changing the ntp.conf from the default (server) to peer: peer 0.centos.pool.ntp.org iburst peer 1.centos.pool.ntp.org iburst peer 2.centos.pool.ntp.org iburst peer 3.centos.pool.ntp.org iburst. Note, only the ntpserver.exmaple.com was changed to peers,… Read more »
alamahant

Don’t we need to add a principal also nfs/kbclient.example.com??? Or is only adding user principals and the host principal sufficient?

alamahant

If in the exam they use an ipa-server, then can we still point to the ipa-server’s KDC in /etc/krb5.conf???
Or should we install an ipa-client instead??
Because ipa-server and ipa-client like to operate at the top level and do not allow Kerberos-only interactions between server and client..
I hope you understand what I mean…….

alamahant

I checked it.. It works fine with krb5-workstation on the client and ipa-server as KDC 🙂
Thanks dear and sorry for the redundant question

anserk

I just wanted to add a note about what you said in the last paragraph (using kinit). This is normally not needed if you log in to the server as a Kerberos user. Or if you do su - user01 under an unprivileged user. In both cases you get prompted for a password and obtain a ticket. From there you could use SSH right away, no need to issue the kinit command.

konrad

Hi there,

I just read Sander van Vugt’s book and I see you present two different positions on the issue of Kerberos authentication. He assumes that we have user credentials stored on an IPA server; you are creating them on the local machine and then adding the client machine details to the KDC. Please can I have any comment on that?

hunter86_bg

Dear Certdepot,
I have followed Appendix D of Sander van Vugt’s book and I have created a FreeIPA server with DNS. But when I configured the client, I had to install the ipa-client and 2 more packages. Running ipa-client-install modified sssd.conf, ldap’s conf, ssh conf, etc.
Have you tested this method and do you think that using ipa-client, even without a FreeIPA server to connect with, would do the job?

algorisms

It seems this discussion omits Realmd which I just learned about through recent Redhat training. With my domain, I was able to join my domain via kerberos very simply with the following:

[root@BTS-RHEL7-1 ~]# yum install realmd
[root@BTS-RHEL7-1 ~]# realm discover 192.168.1.221
bts.test
  type: kerberos
  realm-name: BTS.TEST
  domain-name: bts.test
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
[root@BTS-RHEL7-1 ~]# yum install oddjob oddjob-mkhomedir sssd adcli samba-common
[root@BTS-RHEL7-1 ~]# realm join 192.168.1.221
Password for Administrator:
[root@BTS-RHEL7-1 ~]#

Done. I then log into my DC and I can see the computer object. This daemon… Read more »
twostep

Could you explain why you create the keytab for the client host principal?
kadmin: ktadd host/kbclient.example.com?

yarilc

I believe knowing how to configure centralized authentication with authconfig-* tools should be enough
