Set up kerberos on Redhat/CentOS 7

Installing Kerberos on Redhat 7

This installation requires two servers: one acts as the Kerberos KDC server and the other is the client. Let's assume the FQDNs are as follows (here cw.com is the domain name; make a note of your own domain name, as it is used throughout):

  • Kerberos KDC Server: kdc.cw.com
  • Kerberos Client: kclient.cw.com

Important: Make sure that both systems have their hostnames properly set and both systems have the hostnames and IP addresses of both systems in /etc/hosts. Your server and client must be able to know the IP and hostname of the other system as well as themselves.
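As an added pre-flight check that is not part of the original gist, the script below verifies that each FQDN has a non-loopback entry in /etc/hosts-style text; check_hosts_entry and check_all_hosts are hypothetical helper names and the sample hosts content is constructed.

```shell
#!/bin/bash
# Added pre-flight check for the /etc/hosts requirement (hypothetical helpers, not from the gist).

# check_hosts_entry HOSTS_TEXT FQDN
# Exit 0 when FQDN appears on a non-comment, non-loopback line of HOSTS_TEXT.
# An FQDN that is only mapped to 127.0.0.1 reverse-resolves to "localhost", which
# breaks host/FQDN service-principal lookups, so loopback lines do not count.
check_hosts_entry() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }     # skip comments and blank lines
        $1 ~ /^127\./ || $1 == "::1" { next }   # ignore loopback entries
        { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_all_hosts HOSTS_TEXT FQDN...
# Prints one status line per FQDN; the return value is the number of missing entries.
check_all_hosts() {
    local hosts="$1" missing=0 h
    shift
    for h in "$@"; do
        if check_hosts_entry "$hosts" "$h"; then
            echo "ok       $h"
        else
            echo "MISSING  $h (no non-loopback /etc/hosts entry)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample: the KDC is mapped correctly, the client only appears on the loopback line.
SAMPLE_HOSTS='127.0.0.1   localhost kclient.cw.com
192.0.2.10  kdc.cw.com kdc'

# Run on the sample; on a real system pass "$(cat /etc/hosts)" and "$(hostname -f)" instead.
check_all_hosts "$SAMPLE_HOSTS" kdc.cw.com kclient.cw.com || echo "fix /etc/hosts before continuing"
```

Run it on both the KDC and the client, since each system must resolve itself and the other.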

Pre-Requisites:

Setup and install NTP

yum -y install ntp
ntpdate 0.rhel.pool.ntp.org
systemctl start  ntpd.service
systemctl enable ntpd.service

RHEL 7 uses systemd as its default service manager, so systemctl replaces the older service and chkconfig commands; a guide mapping those commands to their systemctl equivalents was linked from the original post.

Packages required:

  • KDC server package: krb5-server
  • Admin package: krb5-libs
  • Client package: krb5-workstation

Configuration Files:

  • /var/kerberos/krb5kdc/kdc.conf
  • /var/kerberos/krb5kdc/kadm5.acl
  • /etc/krb5.conf

Important Paths:

  • KDC path: /var/kerberos/krb5kdc/

Installing & Configuring KDC Server:

yum -y install krb5-server krb5-libs

Primary configuration file is 'krb5.conf':

  • Ensure default_realm is set to your domain name in upper case

Sample '/etc/krb5.conf'

[libdefaults]
    default_realm = CW.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1000000
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
    CW.COM = {
        kdc = kdc.cw.com:88
        admin_server = kdc.cw.com:749
        default_domain = cw.com
    }

[domain_realm]
    .cw.com = CW.COM
    cw.com = CW.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
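The enctype lines above list only single DES and 3DES, which the comments below flag (MIT classifies single DES as weak and has since deprecated 3DES and RC4). As an added audit that is not part of the original gist, the script below finds such entries in a krb5.conf; weak_enctypes and count_weak are hypothetical helper names and the sample config text is constructed.

```shell
#!/bin/bash
# Added audit of krb5.conf enctype settings (hypothetical helpers, not from the gist).

# weak_enctypes CONFIG_TEXT
# Prints "<setting> <enctype>" for every DES, 3DES or RC4 (arcfour) type listed under
# default_tkt_enctypes, default_tgs_enctypes or permitted_enctypes. AES types pass.
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=/ {
            setting = $1; sub(/=.*/, "", setting)   # setting name, with or without spaces around "="
            sub(/^[^=]*=[[:space:]]*/, "")          # keep only the value list
            n = split($0, types, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (types[i] ~ /^(des|arcfour|rc4)/) print setting, types[i]
        }'
}

# count_weak CONFIG_TEXT
# Prints the number of weak entries; 0 means none of the three settings lists DES, 3DES or RC4.
count_weak() {
    weak_enctypes "$1" | wc -l | tr -d ' '
}

# Constructed sample matching the enctype lines of the krb5.conf above.
SAMPLE_CONF='[libdefaults]
    default_realm = CW.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1'

if [ "$(count_weak "$SAMPLE_CONF")" -gt 0 ]; then
    echo "weak enctypes found:"
    weak_enctypes "$SAMPLE_CONF"
fi
```

Run weak_enctypes "$(cat /etc/krb5.conf)" on the KDC and on each client; the same pattern can be extended to supported_enctypes in kdc.conf.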

Adjust /var/kerberos/krb5kdc/kdc.conf on the KDC:

default_realm = CW.COM

[kdcdefaults]
    v4_mode = nopreauth
    kdc_ports = 0

[realms]
    CW.COM = {
        kdc_ports = 88
        admin_keytab = /etc/kadm5.keytab
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/kerberos/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Adjust /var/kerberos/krb5kdc/kadm5.acl on KDC:

*/admin@CW.COM	    *

Creating KDC database to hold our sensitive Kerberos data

Create the database and set a good password which you can remember. This command also stashes your password on the KDC so you don’t have to enter it each time you start the KDC:

kdb5_util create -r CW.COM -s

This command may take a while to complete, depending on CPU power.

Now, on the KDC, create an admin principal and a test user (user1):

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc root/admin
kadmin.local:  addprinc user1
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

Let’s start the Kerberos KDC and kadmin daemons:

systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service

Now, let's create a host principal for the KDC server itself and add it to the KDC's keytab:

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc -randkey host/kdc.cw.com
kadmin.local:  ktadd host/kdc.cw.com

Setup kerberos client

yum -y install krb5-workstation

Copy the /etc/krb5.conf written above from the KDC server to the client. Then, on the client, install the Kerberos client package and add the client's own host principal to its keytab:

[root@client ~]# yum install krb5-workstation
[root@client ~]# kadmin -p root/admin
kadmin:  addprinc -randkey host/kclient.cw.com
kadmin:  ktadd host/kclient.cw.com

Setting up SSH to use Kerberos Authentication

Pre-Req: Make sure you can run kinit -k host/fqdn@REALM and get a Kerberos ticket back without being asked for a password.

Step1: Configuring SSH Server

Configure /etc/ssh/sshd_config file to include the following lines:

KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no

Now, restart the ssh daemon.

Step2: Configure the SSH Client

Configure /etc/ssh/ssh_config to include the following lines:

Host *.domain.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Note: make sure you change the domain to match your environment.

@carlosadean

commented Jan 9, 2015

Thanks for the tutorial.

@shoubamzlibap

commented Feb 24, 2015

Thanks. There seems to be small typo: when you add the principal on the client, there is an "r" missing from the command, and the option starts with just one dash (at least on my centos 7 box 😄 ). So the line would read something like

addprinc -randkey host/client.example.com

@unicolet

commented Sep 11, 2015

 UsePAM no

in /etc/ssh/ssh_config is not necessary (unless you want to disable un-kerberized logins).

@arbreezy

commented Sep 21, 2015

Nice and clean tutorial, thank you.

@jorisdevrede

commented Feb 5, 2016

Thank you very much for this tutorial!

@rainysia

commented Mar 16, 2016

"kdb5_util create -r CW.COM -s" will take some time; beware, do not touch the keyboard, in case you input "Enter" or "Space" for the password.

@error10

commented Mar 30, 2016

Why have you disabled all the strong crypto?

@mzdv

commented May 24, 2016

In case kdb5_util's create command is taking too long, it might be because of your low entropy count. This should fix it: haveged

@saqib-ali

commented Aug 29, 2016

We are trying to setup a Kerberos KDC using Oracle Directory Server Enterprise Edition as the Principal Database. Do you know where can I find the correct Oracle Directory Server Enterprise Edition (ODSEE) LDAP Schema Extensions for this?

@maozi07

commented Oct 18, 2016

Hi, do you know how to configure a slave Kerberos KDC on RHEL7? The MIT doc is not for RHEL7, and it's difficult to find other docs.

@prasithtoughboy

commented May 24, 2017

Hi, I have an issue while executing from client side

[root@admin~]# kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface

What must be done to overcome this

@jcogs

commented Jun 2, 2017

@prasithtoughboy you need to allow Kerberos through firewalld. see here (search for firewalld): https://www.certdepot.net/rhel7-configure-kerberos-kdc/

@rim1984

commented Jul 7, 2017

Dear friends, please help me to resolve my situation
I have successfully done these things:

[root@kdc ~]# kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: addprinc user1
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local: exit

But when performing these commands:
[root@client ~]# kadmin -p root/admin
kadmin: addpinc --randkey host/client.example.com
kadmin: ktadd host/kdc.example.com

I get the following message
kadmin -p root/admin
Authenticating as principal root/admin with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

Please, help me to resolve my issue

@whg517

commented Aug 2, 2017

Thank you very much

@vqiu

commented Aug 9, 2017

Thanks a lot.

@harschware

commented Sep 26, 2017

addpinc --randKey should be: addprinc -randkey
should this: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw be this ktadd -k /var/kerberos/krb5kdc/kadm5.keytab user1/changepw ?

@sanketswagh

commented Mar 15, 2018

Hi,
I am using CentOS 7 (64 bit) and followed all the steps as mentioned above. I was successfully able to create the KDC database and start the kadmin daemon. But when I am trying to add some host principals on the client I am facing an issue.
When I try to run the command kadmin -p root/admin it gives me the error: kadmin: Cannot contact any KDC for realm 'REALM.COM' while initializing kadmin interface. There is no issue with the DNS. I had already checked the realm name in the krb5.conf file. Both the IP and hostnames are present on both server and client machines. Can someone point out what I am missing?

@I-Akrout

commented Apr 30, 2018

@sanketswagh
as @prasithtoughboy said:
you need to allow Kerberos through firewalld. see here (search for firewalld): https://www.certdepot.net/rhel7-configure-kerberos-kdc/

@001101

commented Aug 20, 2018

Do not use this encryption; DES is obsolescent, and the preferred encryption in this configuration is classified as WEAK by the official Kerberos documentation (http://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html). You have to use AES.

Use this encryption:

Primary configuration file is 'krb5.conf':

[libdefaults]
default_tgs_enctypes = \ aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

default_tkt_enctypes = \ aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

Or better, remove DES completely; you can see compatibility on the MIT enctype link above.

Reference:
https://www.ibm.com/developerworks/aix/library/au-kerberosaes/index.html
