Big Data and Cloud: Linux : Fedora : Install and Configure Keberos KDC and Client

#yum install krb5-server krb5-workstation pam_krb5

Kerboros Server Configuration:
#cd /var/kerberos/krb5kdc

#ls -l
total 8
-rw------- 1 root root 22 Nov 5 12:36 kadm5.acl
-rw------- 1 root root 451 Nov 5 12:36 kdc.conf

#vi kadm5.acl

*/admin@EXAMPLE.COM *

#vi kdc.conf

[realms]
EXAMPLE.COM = {

Kerberos Client configuration
#cd /etc
#ls -ld krb5.conf
-rw-r--r-- 1 root root 525 Nov 5 12:36 krb5.conf

#vi krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Initialize database
# kdb5_util create -s -r EXAMPLE.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

# cd /var/kerberos/krb5kdc

# ls -al
total 36
drwxr-xr-x 2 root root 4096 Dec 7 12:34 .
drwxr-xr-x. 4 root root   31 Dec 7 12:15 ..
-rw------- 1 root root   68 Dec 7 12:34 .k5.EXAMPLE.COM
-rw------- 1 root root   18 Dec 7 12:19 kadm5.acl
-rw------- 1 root root 447 Dec 7 12:23 kdc.conf
-rw------- 1 root root 8192 Dec 7 12:34 principal
-rw------- 1 root root 8192 Dec 7 12:34 principal.kadm5
-rw------- 1 root root    0 Dec 7 12:34 principal.kadm5.lock
-rw------- 1 root root    0 Dec 7 12:34 principal.ok

# systemctl start krb5kdc kadmin
# systemctl enable krb5kdc kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

Add entries
# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/p-68@EXAMPLE.COM
kiprop/p-68@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "root/admin@EXAMPLE.COM":
Re-enter password for principal "root/admin@EXAMPLE.COM":
Principal "root/admin@EXAMPLE.COM" created.
kadmin.local: listprincs
:
:
:
root/admin@EXAMPLE.COM

kadmin.local: addprinc test <- add user
kadmin.local: addprinc -randkey host/p-68.example.com <- add host

kadmin.local: ktadd host/p-68.example.com
Entry for principal host/p-68.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/p-68.example.com with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

kadmin.local: quit

Set up SSH client to accept Kerberos
# cd /etc/ssh
# vi ssh_config

   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials yes

# authconfig --enablekrb5 --update
# systemctl reload sshd.service

Now login the test user account
$ id
uid=1000(test) gid=1000(test) groups=1000(test)
$ klist
klist: Credentials cache keyring 'persistent:1000:1000' not found

$ kinit
Password for test@EXAMPLE.COM:

$ klist (now we have Kerberos token assigned for 24 hours)
Ticket cache: KEYRING:persistent:1000:1000
Default principal: test@EXAMPLE.COM

Valid starting       Expires              Service principal
12/07/2015 13:33:41 12/08/2015 13:33:41 krbtgt/EXAMPLE.COM@EXAMPLE.COM

Big Data and Cloud

Tuesday, December 8, 2015

Linux : Fedora : Install and Configure Keberos KDC and Client

No comments:

Post a Comment

Labels