Problem Scenario
You want to install the Kerberos KDC server on a Red Hat derivative of Linux. You want to test it out with a second Red Hat distribution of Linux server as a client of the Kerberos centralized authentication server. What do you do?
Solution
Prerequisites
Ensure the Kerberos authentication server can receive inbound connections over ports 88, 464, and 749. Intermediate firewalls and/or software firewalls must allow these ports to receive inbound connections to the Kerberos authentication server. With AWS the controlling Security Group for the Kerberos authentication server must allow for these ports based on the source IP address of each Kerberos client server. (There are non-standard port configurations for Kerberos. If you are using non-standard ports, ensure the firewalls permit connectivity accordingly.)
Overview
The first five steps are to be done on the server that will do the authentication. Steps 6 through 8 (inclusive) are to be done on the server that will be a client. Steps 9 through 11 are to be done back on the authentication server. Steps 12 through 14 are to be done on the client server again.
1. On the server that will be the centralized authentication server, the main Kerberos server, run this command:
sudo yum install -y krb5-server krb5-workstation krb5-libs
2. Modify the file /etc/krb5.conf in at least six places so that it looks like the example below, with two substitutions: 1) replace "fqdnfqdnfqdn" with the FQDN of your server (even if that FQDN does not include the domain name you choose in #2); if you don't know the FQDN of your server, run this command without quotes "hostname -f". 2) replace "CONTINUALINTEGRATION.COM" with the domain name of your choice, keeping the realm name in upper case and the [domain_realm] entries in lower case as in the example. (As a proof-of-concept, acme.com should work even if you do not own it.)
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = CONTINUALINTEGRATION.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
CONTINUALINTEGRATION.COM = {
kdc = fqdnfqdnfqdn
admin_server = fqdnfqdnfqdn
}
[domain_realm]
.continualintegration.com = CONTINUALINTEGRATION.COM
continualintegration.com = CONTINUALINTEGRATION.COM
3.a. Run this: sudo /usr/sbin/kdb5_util create -s
3.b. Respond to this prompt "Enter KDC database master key:" with the string of your choice.
4.a. Run this but replace "contintuser" with a new username of your choice:
sudo kadmin.local -q "addprinc contintuser"
4.b. Respond to the two prompts that follow with the string of your choice that will become the password.
5. Run these commands:
sudo service krb5kdc start
sudo service kadmin start
6. Log into the server that will be the Kerberos client.
7. Run this command: sudo yum install -y krb5-workstation krb5-libs
8. Copy /etc/krb5.conf from the master server and place it on the client server.
9. Go back to the Kerberos authentication server.
10. Run this command but replace "fqdnfqdnfqdn" with the FQDN of the Kerberos client server:
sudo kadmin.local -q "addprinc host/fqdnfqdnfqdn"
11. Run this command but replace "fqdnfqdnfqdn" with the FQDN of the Kerberos client server:
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab host/fqdnfqdnfqdn"
12. From the client server, run these commands (but replace "contintuser" with the user you created earlier):
sudo useradd contintuser
sudo passwd contintuser
su contintuser
kinit
13. Respond with the Kerberos password (entered in step #4.b. above).
14. Run this command: klist
If you see something like this, Kerberos is working:
Ticket cache: KEYRING:persistent:1001:1001
Default principal: contintuser@CONTINUALINTEGRATION.COM
Valid starting Expires Service principal
05/12/2019 01:04:49 05/13/2019 01:04:49 krbtgt/CONTINUALINTEGRATION.COM@CONTINUALINTEGRATION.COM
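Before copying /etc/krb5.conf to clients in step 8, it is easy to miss one of the six edits from step 2. The following is an added example, not part of the original tutorial: a small Python checker that parses the krb5.conf format (INI-style sections plus the brace-delimited realm block) and flags a leftover "fqdnfqdnfqdn" placeholder or a realm that is not consistently named across [libdefaults], [realms] and [domain_realm]. The sample configuration embedded at the bottom is constructed for the demonstration; the realm ACME.COM and host kdc1.acme.com are assumed values.

```python
# Added example (not from the tutorial): check the step-2 edits to krb5.conf
# before copying it to clients. Parses the INI-with-braces krb5.conf format.
import re
PLACEHOLDER = "fqdnfqdnfqdn"  # host placeholder the tutorial tells you to replace

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'REALM = { ... }' block becomes a nested dict."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line or line.startswith("includedir"):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                           # start of a realm block
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_krb5_conf(text):
    """Return a list of problems; an empty list means the edits are consistent."""
    conf = parse_krb5_conf(text)
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    problems = []
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        problems.append(f"[realms] has no block for {realm}")
    else:
        for key in ("kdc", "admin_server"):           # both must name the real KDC
            host = entry.get(key, "")
            if not host or host == PLACEHOLDER:
                problems.append(f"[realms] {realm}: {key} is {host or 'missing'!r}")
    if realm not in conf.get("domain_realm", {}).values():
        problems.append(f"[domain_realm] maps no domain to {realm}")
    return problems

# Constructed sample: realm renamed to ACME.COM, but one placeholder was missed.
SAMPLE = ("[libdefaults]\ndefault_realm = ACME.COM\n[realms]\nACME.COM = {\n"
          "kdc = fqdnfqdnfqdn\nadmin_server = kdc1.acme.com\n}\n"
          "[domain_realm]\n.acme.com = ACME.COM\n")

if __name__ == "__main__":
    print("\n".join(check_krb5_conf(SAMPLE)) or "krb5.conf looks consistent")
```

To check the real file, pass the contents of /etc/krb5.conf to check_krb5_conf instead of SAMPLE.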