@saketj
Forked from ashrithr/kerberos_setup.md
Last active July 6, 2024 00:43
Set up kerberos on Redhat/CentOS 7

Installing Kerberos on Redhat 7

This setup needs two machines: one acts as the Kerberos KDC server and the other is a Kerberos client. Assume their FQDNs are as follows (cw.com is the domain name here; make a note of your own domain name, because the realm name is derived from it):

  • Kerberos KDC Server: kdc.cw.com
  • Kerberos Client: kclient.cw.com

Important: set each system's hostname to its FQDN, and list the hostname and IP address of both systems in /etc/hosts on both machines. Server and client must each be able to resolve the other's name as well as their own; the Kerberos service principals are built from these names.

Pre-requisites:

Set up and install NTP. Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the permitted clock skew (5 minutes by default), so both machines must keep their clocks synchronized:

yum -y install ntp
ntpdate 0.rhel.pool.ntp.org
systemctl start ntpd.service
systemctl enable ntpd.service

RHEL 7 uses systemd as its service manager, so the systemctl commands above take the place of the older service and chkconfig commands.
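The two prerequisites above (name resolution through /etc/hosts and clock agreement) are easy to get wrong and painful to debug later. The script below is an added example, not part of the original gist: it checks an /etc/hosts-style text and the output of ntpdate -q the way a pre-flight check would. The hosts file text, the addresses and the ntpdate output are constructed samples; on a real machine pass "$(cat /etc/hosts)" and "$(ntpdate -q 0.rhel.pool.ntp.org)" instead.

```shell
#!/bin/bash
# Added example (not part of the original gist): pre-flight checks for the
# two prerequisites above, name resolution through /etc/hosts and clock
# agreement. The hosts file text and the ntpdate output below are
# constructed samples; on a real machine pass "$(cat /etc/hosts)" and
# "$(ntpdate -q 0.rhel.pool.ntp.org)" instead.

# hosts_lookup HOSTS_TEXT NAME: print every address HOSTS_TEXT maps NAME to.
hosts_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ || NF < 2 { next }                 # comments and blanks
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }'
}

# check_hosts HOSTS_TEXT FQDN...: each FQDN must map to exactly one address,
# and not a loopback one. Putting the machine's own FQDN on the 127.0.0.1
# line is the classic mistake: the KDC then believes it lives on localhost
# and the other host can never reach it by that name.
check_hosts() {
    local hosts=$1 rc=0 name addrs n
    shift
    for name in "$@"; do
        addrs=$(hosts_lookup "$hosts" "$name")
        n=$(printf '%s\n' "$addrs" | awk 'NF { c++ } END { print c + 0 }')
        case $n in
            0) echo "MISSING:   $name is not in /etc/hosts"; rc=1 ;;
            1) case $addrs in
                   127.*|::1) echo "LOOPBACK:  $name -> $addrs"; rc=1 ;;
                   *)         echo "OK:        $name -> $addrs" ;;
               esac ;;
            *) echo "AMBIGUOUS: $name -> $(echo $addrs)"; rc=1 ;;
        esac
    done
    return $rc
}

# clock_ok NTPDATE_OUTPUT [MAX_SECONDS]: "ntpdate -q" prints one
# "server ..., offset N, ..." line per server queried; fail if any |offset|
# exceeds MAX_SECONDS. 300 s is the Kerberos clockskew default, past which
# the KDC rejects requests; real skew should be far below that.
clock_ok() {
    printf '%s\n' "$1" | awk -v max="${2:-300}" '
        $1 == "server" {
            for (i = 1; i < NF; i++) if ($i == "offset") {
                off = $(i + 1); sub(/,$/, "", off); off += 0
                if (off < 0) off = -off
                if (off > max) bad++
            }
        }
        END { exit (bad > 0) }'
}

# Constructed sample inputs.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
::1         localhost6
10.0.0.10   kdc.cw.com kdc
10.0.0.11   kclient.cw.com kclient'

BAD_HOSTS='127.0.0.1   localhost kdc.cw.com kdc
10.0.0.11   kclient.cw.com kclient'

SAMPLE_NTP='server 10.0.0.1, stratum 2, offset -0.004120, delay 0.02591
 6 Jul 00:43:12 ntpdate[2231]: adjust time server 10.0.0.1 offset -0.004120 sec'

check_hosts "$SAMPLE_HOSTS" kdc.cw.com kclient.cw.com && echo "hosts: ok"
check_hosts "$BAD_HOSTS" kdc.cw.com kclient.cw.com || echo "hosts: fix /etc/hosts first"
clock_ok "$SAMPLE_NTP" && echo "clock: in sync"
```

Run it on both machines: the KDC and the client each need the other's name, and the loopback check catches the case where an installer put the box's own FQDN on the 127.0.0.1 line.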

Packages required:

  • KDC server package: krb5-server (krb5kdc, kadmind, kadmin.local, kdb5_util)
  • Library package: krb5-libs (needed on every host)
  • Client and admin tools package: krb5-workstation (kinit, klist, kadmin)

Configuration Files:

  • /var/kerberos/krb5kdc/kdc.conf
  • /var/kerberos/krb5kdc/kadm5.acl
  • /etc/krb5.conf

Important Paths:

  • KDC path: /var/kerberos/krb5kdc/

Installing & Configuring KDC Server:

yum -y install krb5-server krb5-libs

The primary configuration file is /etc/krb5.conf:

  • Set default_realm to your domain name in upper case (realm names are case-sensitive; CW.COM here).
  • The sample keeps allow_weak_crypto = true from the original; that setting re-enables the single-DES encryption types, so set it to false unless you still have clients that can only use DES.

Sample /etc/krb5.conf:

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    allow_weak_crypto = true
    default_realm = CW.COM
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
    CW.COM = {
        kdc = kdc.cw.com:88
        admin_server = kdc.cw.com:749
        default_domain = cw.com
    }

[domain_realm]
    .cw.com = CW.COM
    cw.com = CW.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5libs.log

Adjust /var/kerberos/krb5kdc/kdc.conf on the KDC. The original placed a default_realm line outside any section, where it has no effect (the realm is set in krb5.conf), so it is dropped here. The supported_enctypes list below is the original's and includes single-DES and RC4 types to match the permissive krb5.conf above; on a new realm keep only the aes and camellia entries:

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    CW.COM = {
        #master_key_type = aes256-cts
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }
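Both files above carry encryption-type settings that decide which key types the realm will mint. The script below is an added example, not part of the original gist: it pulls allow_weak_crypto and the enctype lists out of krb5.conf/kdc.conf text and flags the entries a new realm should not enable. WEAK_CONF is a constructed fragment with the settings shown above, HARDENED_CONF is the form to use once no DES- or RC4-only client is left; on a real KDC run audit_enctypes "$(cat /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf)".

```shell
#!/bin/bash
# Added example (not part of the original gist): audit the encryption-type
# settings in krb5.conf / kdc.conf text. WEAK_CONF below is a constructed
# fragment carrying the settings shown above; HARDENED_CONF is the form to
# use once no DES- or RC4-only client is left. On a real KDC run
#   audit_enctypes "$(cat /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf)"

# conf_value CONF_TEXT KEY: value of the first "KEY = value" line, with
# comments and surrounding blanks stripped; empty if KEY is absent.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        { sub(/#.*/, "") }
        $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }'
}

# weak_enctypes LIST: print the entries of an enctype list (entries look
# like aes256-cts:normal) that a new realm should not enable: single DES
# (broken; MIT disables it by default and removed it in 1.18), triple DES
# and RC4 (both deprecated upstream; RC4 survives only for old AD trusts).
weak_enctypes() {
    local ent
    for ent in $1; do
        case ${ent%%:*} in
            des-*|des3-*|arcfour-*|rc4-*) echo "${ent%%:*}" ;;
        esac
    done
}

# audit_enctypes CONF_TEXT: 0 if nothing weak is enabled, 1 otherwise.
audit_enctypes() {
    local conf=$1 rc=0 key v weak
    if [ "$(conf_value "$conf" allow_weak_crypto)" = true ]; then
        echo "WEAK: allow_weak_crypto = true re-enables single DES; set it to false"
        rc=1
    fi
    for key in supported_enctypes permitted_enctypes default_tkt_enctypes default_tgs_enctypes; do
        v=$(conf_value "$conf" "$key")
        [ -n "$v" ] || continue
        weak=$(weak_enctypes "$v")
        if [ -n "$weak" ]; then
            echo "WEAK: $key enables $(echo $weak | tr ' ' ',')"
            rc=1
        fi
    done
    return $rc
}

# Constructed inputs: the settings from the guide, and a hardened variant.
WEAK_CONF='[libdefaults]
    allow_weak_crypto = true
    default_realm = CW.COM
[realms]
    CW.COM = {
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }'

HARDENED_CONF='[libdefaults]
    allow_weak_crypto = false
    default_realm = CW.COM
[realms]
    CW.COM = {
        supported_enctypes = aes256-cts:normal aes128-cts:normal camellia256-cts:normal camellia128-cts:normal
    }'

audit_enctypes "$WEAK_CONF" || echo "guide settings: weak enctypes enabled"
audit_enctypes "$HARDENED_CONF" && echo "hardened settings: clean"
```

supported_enctypes only governs the key types generated for new principals, so tighten it before creating the database and the host principals; keys already stored keep whatever types they were created with.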

Adjust /var/kerberos/krb5kdc/kadm5.acl on the KDC. This single entry grants every principal whose instance is admin (root/admin, admin/admin, ...) full rights over the realm, so create such principals sparingly:

*/admin@CW.COM    *

Creating the KDC database to hold our sensitive Kerberos data

Create the database and set a strong master password that you can recover later. The -s flag also stashes the master key on the KDC (under /var/kerberos/krb5kdc/) so you don’t have to enter the password each time the KDC starts; protect that stash file, because it unlocks every key in the realm:

kdb5_util create -r CW.COM -s -W

This command may take a while to complete while the master key is generated, especially on a machine with little entropy available.

Now, on the KDC, create the admin principals (root/admin and admin/admin, which the kadm5.acl entry above grants full rights) and export the keys of the kadmin service principals to the admin keytab. kdb5_util create has already created kadmin/admin and kadmin/changepw, so an addprinc for those would only report that the principal already exists; the ktadd lines are all they need:

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc root/admin
kadmin.local:  addprinc admin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

Let’s start the Kerberos KDC and kadmin daemons:

systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service

Now, let’s create a host principal for the KDC server itself and store its key in the KDC’s keytab (ktadd writes to /etc/krb5.keytab by default):

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc -randkey host/kdc.cw.com
kadmin.local:  ktadd host/kdc.cw.com

Set up the Kerberos client

Copy the /etc/krb5.conf you edited on the KDC to the client (it is not generated by the package installation; it is the file you wrote above). Then, on the client, install the client package and create the client’s own host principal. Watch the names: the principal is host/<client FQDN>, and the ktadd must name the client’s principal, not the KDC’s, because ktadd randomizes that principal’s key in the database and would invalidate the keytab already sitting on the KDC:

[root@kclient ~]# yum -y install krb5-workstation
[root@kclient ~]# kadmin -p root/admin
kadmin:  addprinc -randkey host/kclient.cw.com
kadmin:  ktadd host/kclient.cw.com

Setting up SSH to use Kerberos authentication

Pre-req: make sure that on each host you can run kinit -k host/fqdn@REALM and get back a Kerberos ticket without being asked for a password; that proves the key in the host’s keytab matches the one the KDC holds.
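The client keytab step and the kinit -k pre-requisite both hinge on one thing: the keytab must hold exactly the host principal this machine owns, spelled the way the KDC knows it. The script below is an added example, not part of the original gist: it derives the expected principal from an FQDN and realm, enforcing the case rules, and checks klist -k output for that principal and for foreign host/ entries (the sign that ktadd was run with another machine’s name). The klist output is a constructed sample; on a real host use "$(hostname -f)" and "$(klist -k /etc/krb5.keytab)".

```shell
#!/bin/bash
# Added example (not part of the original gist): derive the host principal a
# machine should own and confirm its keytab really holds that key, the thing
# "kinit -k host/fqdn@REALM" ultimately tests. The klist output below is a
# constructed sample; on a real host use "$(hostname -f)" and
# "$(klist -k /etc/krb5.keytab)".

# host_principal FQDN REALM: print host/FQDN@REALM, or fail with a reason.
# Principal names are case-sensitive, so a mixed-case hostname or a
# lower-case realm produces a name the KDC has never heard of.
host_principal() {
    local fqdn=$1 realm=$2
    case $fqdn in
        *.*) ;;
        *) echo "not an FQDN: $fqdn (set the hostname to host.domain)" >&2; return 1 ;;
    esac
    if [ "$fqdn" != "$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" ]; then
        echo "hostname must be lower-case: $fqdn" >&2; return 1
    fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm must be upper-case: $realm" >&2; return 1
    fi
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# keytab_principals KLIST_OUTPUT: distinct principals in "klist -k" or
# "klist -kt" output; entry lines start with a numeric KVNO and end with
# the principal (with -t a timestamp column sits in between).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && !seen[$NF]++ { print $NF }'
}

# keytab_check KLIST_OUTPUT EXPECTED: 0 when the keytab holds EXPECTED and
# no other host/ principal. A foreign host/ entry means ktadd was run with
# another machine's name, which also re-keyed that principal on the KDC and
# broke the keytab on the machine that legitimately owns it.
keytab_check() {
    local have p rc=0 found=0
    have=$(keytab_principals "$1")
    for p in $have; do
        if [ "$p" = "$2" ]; then
            found=1
        else
            case $p in host/*) echo "FOREIGN: $p"; rc=1 ;; esac
        fi
    done
    [ "$found" -eq 1 ] || { echo "MISSING: $2"; rc=1; }
    return $rc
}

# Constructed klist -k output for a correctly and an incorrectly set up client.
GOOD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kclient.cw.com@CW.COM
   2 host/kclient.cw.com@CW.COM
   2 host/kclient.cw.com@CW.COM'

BAD_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/kdc.cw.com@CW.COM
   2 host/kdc.cw.com@CW.COM'

EXPECTED=$(host_principal kclient.cw.com CW.COM)
keytab_check "$GOOD_KEYTAB" "$EXPECTED" && echo "keytab ok: $EXPECTED"
keytab_check "$BAD_KEYTAB" "$EXPECTED" || echo "keytab wrong: re-run ktadd for $EXPECTED"
```

If the check reports a foreign host/ entry, fix both sides: ktadd the correct principal on this machine, and re-run ktadd for the foreign one on the host that owns it, since its database key has already been randomized.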

Step 1: Configuring the SSH server

Edit /etc/ssh/sshd_config so that the following directives are in effect. sshd uses the first occurrence of each keyword, so change the lines the stock file already contains rather than appending duplicates at the end:

KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no

Note that the sshd_config Red Hat ships carries a warning that UsePAM no is not supported on RHEL; GSSAPI authentication works just as well with UsePAM yes, which is the safer choice there. Now restart the sshd service with systemctl.

Step 2: Configure the SSH client

Configure /etc/ssh/ssh_config (or ~/.ssh/config for a single user) to include the following lines:

Host *.cw.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Note: change the Host pattern to match your domain. GSSAPIDelegateCredentials forwards your ticket-granting ticket to the server you log in to, so enable it only for hosts you trust with your credentials.
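Because sshd honours the first value it reads for a keyword, the quickest way to verify Step 1 is to resolve the directives the way sshd does. The script below is an added example, not part of the original gist: it reports the effective value of each directive the guide sets, stops at the first Match block (anything after it is conditional), and fails when GSSAPI authentication does not come out as yes. The two sshd_config texts are constructed; on the server run sshd_audit "$(cat /etc/ssh/sshd_config)".

```shell
#!/bin/bash
# Added example (not part of the original gist): report what sshd will
# actually use for the directives above. sshd keeps the FIRST value it reads
# for each keyword, so appending lines to a file that already sets them
# earlier changes nothing; the check resolves that the way sshd does and
# stops at the first Match block (values after it are conditional). The
# config texts are constructed; on the server run
#   sshd_audit "$(cat /etc/ssh/sshd_config)"

# sshd_effective CONF_TEXT KEYWORD: the global value sshd uses for KEYWORD
# (keywords are case-insensitive, "#" starts a comment, "key value" and
# "key=value" both count); empty if the file leaves it at the default.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" -F '[ \t=]+' '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        NF >= 1 && tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }'
}

# sshd_audit CONF_TEXT: print the effective value of each directive the
# guide sets; fail if GSSAPI authentication does not come out as "yes".
# UsePAM only gets a warning: the guide says "no", but Red Hat ships
# sshd_config with a comment that "UsePAM no" is not supported on RHEL.
sshd_audit() {
    local conf=$1 rc=0 k v
    for k in GSSAPIAuthentication GSSAPICleanupCredentials KerberosAuthentication UsePAM; do
        v=$(sshd_effective "$conf" "$k")
        echo "$k -> ${v:-(default)}"
    done
    if [ "$(sshd_effective "$conf" GSSAPIAuthentication)" != yes ]; then
        echo "FAIL: GSSAPIAuthentication is not yes (an earlier line in the file wins)"
        rc=1
    fi
    if [ "$(sshd_effective "$conf" UsePAM)" = no ]; then
        echo "WARN: UsePAM no is unsupported on RHEL; GSSAPI auth works with UsePAM yes"
    fi
    return $rc
}

# Constructed sshd_config texts: the guide's lines appended after earlier
# stock lines (and therefore ignored), and a corrected file.
APPENDED='# stock directives earlier in the file
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# lines appended as the guide suggests
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes'

CORRECTED='KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Match User backup
    GSSAPIAuthentication no'

sshd_audit "$APPENDED" || echo "appended config: edit the existing lines instead"
sshd_audit "$CORRECTED" && echo "corrected config: ok"
```

The same first-match rule applies to the client side ssh_config, so put the Host *.cw.com stanza above any broader Host * stanza that already sets GSSAPIAuthentication.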

@saketj (Author) commented Aug 18, 2017

If one is getting an error like kinit: Included profile directory could not be read while initializing Kerberos 5 library, then one possible reason for this may be that a non-existing directory was included in the /etc/krb5.conf. Check for includedir option in the client's /etc/krb5.conf

@matesio commented Aug 14, 2018

Awesome!! Saved my day; it took the whole day to figure out what was going wrong...

@fabien4455

If one is getting an error like kinit: Included profile directory could not be read while initializing Kerberos 5 library, then one possible reason for this may be that a non-existing directory was included in the /etc/krb5.conf. Check for includedir option in the client's /etc/krb5.conf

Thank you sooo much, you saved my day! 👍

@donald-sandoz

Thank you!!!

@menghe999

If one is getting an error like kinit: Included profile directory could not be read while initializing Kerberos 5 library, then one possible reason for this may be that a non-existing directory was included in the /etc/krb5.conf. Check for includedir option in the client's /etc/krb5.conf

Thanks, effective.
