@ashrithr
Last active August 2, 2024 02:34
Set up kerberos on Redhat/CentOS 7

Installing Kerberos on Redhat 7

This installation requires two servers: one acts as the Kerberos KDC and the other is the client. Let's assume the FQDNs are as follows (here cw.com is the DNS domain; make a note of your own, because the realm name is derived from it):

  • Kerberos KDC Server: kdc.cw.com
  • Kerberos Client: kclient.cw.com

Important: Make sure that both systems have their hostnames set to the FQDN (not the short name) and that /etc/hosts on each system lists the hostname and IP address of both. Kerberos service principals are named after the FQDN, so the server and client must each be able to resolve the other as well as themselves; a hostname that resolves differently on the two machines is the most common cause of "Server not found in Kerberos database" errors.

Pre-Requisites:

Install and start NTP on both machines. Kerberos tickets carry timestamps, and the KDC rejects requests from clients whose clock differs from its own by more than the clock skew limit (5 minutes by default), so both machines must be synchronised to the same time source:

yum -y install ntp
ntpdate 0.rhel.pool.ntp.org
systemctl start  ntpd.service
systemctl enable ntpd.service

RHEL 7 ships chronyd as its default time daemon; it conflicts with ntpd, so either keep chronyd and skip the ntp package, or disable chronyd before enabling ntpd. RHEL 7 also uses systemd as the default service manager, so the systemctl commands above replace the service and chkconfig commands used on RHEL 6.

Packages required:

  • KDC server package: krb5-server (krb5kdc, kadmind, kdb5_util and kadmin.local)
  • Shared libraries, pulled in by both of the others: krb5-libs
  • Client and admin tools package: krb5-workstation (kinit, klist, kadmin, ktutil)

Configuration Files:

  • /var/kerberos/krb5kdc/kdc.conf
  • /var/kerberos/krb5kdc/kadm5.acl
  • /etc/krb5.conf

Important Paths:

  • KDC path: /var/kerberos/krb5kdc/

Installing & Configuring KDC Server:

yum -y install krb5-server krb5-libs

The primary configuration file is /etc/krb5.conf:

  • Ensure default_realm is set to your domain name in upper case (realm names are case-sensitive, and the convention is the DNS domain upper-cased)
  • List only AES encryption types. Single-DES types are disabled by default since krb5 1.8 (allow_weak_crypto = false) and were removed entirely in krb5 1.18, and RC4 and 3DES are deprecated; a client configured with them either fails to obtain tickets or gets tickets protected by broken ciphers

Sample '/etc/krb5.conf'

[libdefaults]
    default_realm = CW.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1000000
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    CW.COM = {
        kdc = kdc.cw.com:88
        admin_server = kdc.cw.com:749
        default_domain = cw.com
    }

[domain_realm]
    .cw.com = CW.COM
     cw.com = CW.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Adjust /var/kerberos/krb5kdc/kdc.conf on the KDC. default_realm belongs in krb5.conf, not here. Keep admin_keytab pointing at the same file the ktadd commands below write to, listen on TCP as well as UDP, and use an AES master key with AES-only supported_enctypes (the v4_mode setting and the des:v4/des:afs3 salt types are Kerberos 4 compatibility, which krb5 dropped in 1.8):

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    CW.COM = {
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/kerberos/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

Adjust /var/kerberos/krb5kdc/kadm5.acl on the KDC. This line grants every principal whose instance is "admin" (root/admin, user1/admin, ...) full administrative rights, which is why the admin principal created below must carry the /admin instance:

*/admin@CW.COM	    *
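
Pre-flight checks for the requirements above (both FQDNs present in /etc/hosts, default_realm in upper case, no legacy enctypes in either configuration file), as an added example that is not part of the original gist. File paths, domain and hostnames are arguments, so the functions can be pointed at the live /etc/hosts, /etc/krb5.conf and kdc.conf; the sample files the script writes at the end are constructed here and mirror the cw.com setup above. The awk parsing assumes the "key = value" layout used in the samples, and conf_value returns only the first token of a value.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: pre-flight checks for the
# hosts-file, realm and enctype requirements of the KDC/client setup.

# hosts_has_fqdn HOSTS_FILE FQDN -> exit 0 if an uncommented line maps FQDN
hosts_has_fqdn() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# conf_value FILE SECTION KEY -> print the first token of "KEY = value" inside [SECTION]
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($1 == sec); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# realm_check KRB5_CONF DOMAIN -> exit 0 if default_realm is DOMAIN in upper case
realm_check() {
    local realm expected
    realm=$(conf_value "$1" libdefaults default_realm)
    expected=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$expected" ]
}

# weak_enctypes FILE -> print every single-DES, 3DES or RC4 token used in an
# *_enctypes or master_key_type setting (all deprecated or removed in MIT krb5)
weak_enctypes() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 ~ /(_enctypes|master_key_type)$/ && $2 == "=" {
            for (i = 3; i <= NF; i++) {
                tok = $i; sub(/:.*/, "", tok)    # strip a :salt suffix such as :normal
                if (tok ~ /^(des|des-cbc-(crc|md4|md5)|des-hmac-sha1|des3-(cbc|hmac)-sha1|arcfour-hmac(-exp)?|rc4-hmac(-exp)?)$/)
                    print $i
            }
        }' "$1"
}

# preflight HOSTS KRB5_CONF KDC_CONF DOMAIN FQDN... -> report; exit 0 only if all pass
preflight() {
    local hosts=$1 krb5=$2 kdc=$3 domain=$4 problems=0 f tok
    shift 4
    for f in "$@"; do
        hosts_has_fqdn "$hosts" "$f" || { echo "MISSING in $hosts: $f"; problems=$((problems + 1)); }
    done
    realm_check "$krb5" "$domain" || {
        echo "default_realm in $krb5 is not $(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
        problems=$((problems + 1))
    }
    for f in "$krb5" "$kdc"; do
        for tok in $(weak_enctypes "$f"); do
            echo "WEAK enctype in $f: $tok"; problems=$((problems + 1))
        done
    done
    echo "preflight: $problems problem(s)"
    [ "$problems" -eq 0 ]
}

# write_samples DIR -> constructed sample files: a correct hosts file, an
# AES-only krb5.conf, and a kdc.conf that still carries legacy enctypes
write_samples() {
    cat >"$1/hosts" <<'EOF'
127.0.0.1   localhost
192.0.2.10  kdc.cw.com kdc
192.0.2.20  kclient.cw.com kclient
EOF
    cat >"$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CW.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    CW.COM = {
        kdc = kdc.cw.com:88
    }
EOF
    cat >"$1/kdc.conf" <<'EOF'
[realms]
    CW.COM = {
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des-cbc-crc:normal des:v4
    }
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
preflight "$dir/hosts" "$dir/krb5.conf" "$dir/kdc.conf" cw.com kdc.cw.com kclient.cw.com
rm -rf "$dir"
```

Against the constructed samples the run reports four weak tokens from kdc.conf (the 3DES master key, RC4, des-cbc-crc and the des:v4 salt type) and nothing else; on a real box, run it as preflight /etc/hosts /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf cw.com kdc.cw.com kclient.cw.com before starting the daemons.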

Creating the KDC database to hold our sensitive Kerberos data

Create the database and choose a strong master password. The -s flag stashes the master key in the key_stash_file set in kdc.conf so you don't have to enter it each time the KDC starts; that stash file is equivalent to the master key itself, so keep it root-only and never copy it off the KDC except into backups protected at least as well as the KDC:

kdb5_util create -r CW.COM -s

This command may take a while to complete, depending on available entropy and CPU power.

Now, on the KDC, create an admin principal (with the /admin instance that kadm5.acl grants rights to) and a test user (user1), and add the kadmin service keys to the keytab named by admin_keytab:

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc root/admin
kadmin.local:  addprinc user1
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

Start and enable the Kerberos KDC and kadmin daemons. If firewalld is active, also allow its kerberos (88/tcp and 88/udp), kadmin (749/tcp) and kpasswd (464/tcp and 464/udp) services on the KDC; a blocked port shows up on the client as "Cannot contact any KDC for realm", the error several commenters below ran into:

systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service

Now, let's create a host principal for the KDC server itself and add its key to the machine's keytab (/etc/krb5.keytab, the default for ktadd). -randkey gives the principal a random key instead of prompting for a password, which is what a service principal should have:

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc -randkey host/kdc.cw.com
kadmin.local:  ktadd host/kdc.cw.com
kadmin.local:  exit

Setting up the Kerberos client

yum -y install krb5-workstation

Copy the /etc/krb5.conf you wrote on the KDC to the client (installing the package does not generate one). Then, on the client, authenticate to kadmin as the admin principal and create the client's own host principal. ktadd writes to /etc/krb5.keytab on the machine where kadmin runs, which is why this is done from the client rather than on the KDC:

[root@kclient ~]# kadmin -p root/admin
kadmin:  addprinc -randkey host/kclient.cw.com
kadmin:  ktadd host/kclient.cw.com
kadmin:  exit

Remember that ktadd gives the principal a fresh key and increments its key version number (kvno) every time it runs: run it once per host, or copies of the key in other keytabs stop matching the KDC.

Setting up SSH to use Kerberos Authentication

Pre-Req: Make sure you can run kinit -k host/fqdn@REALM on the client and get a ticket without being asked for a password (klist shows it); that proves the keytab written above matches the KDC. Then obtain a user ticket with kinit user1 before testing the login.

Step1: Configuring SSH Server

Configure /etc/ssh/sshd_config to include the following lines. GSSAPIAuthentication is what allows ticket-based login; KerberosAuthentication only makes sshd validate typed passwords against the KDC and can be left at its default if PAM/sssd already handles passwords. Keep UsePAM yes: Red Hat's own sshd_config warns that UsePAM no is unsupported on RHEL, and without PAM the account and session stages (home directory creation, access control) never run. sshd honours the first occurrence of a directive, so edit the existing GSSAPIAuthentication line rather than appending a second one at the end of the file:

KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes

Now, restart the ssh daemon (systemctl restart sshd.service).

Step2: Configure the SSH Client

Configure /etc/ssh/ssh_config (or a user's ~/.ssh/config) to include the following lines:

Host *.cw.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Note: make sure you change the domain to match your environment. GSSAPIDelegateCredentials forwards your TGT to the server you log in to, so a compromised server can then act as you anywhere in the realm; enable it only for hosts that genuinely need to authenticate onward on your behalf and leave it off for everything else.
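
An added example, not from the original gist, that checks which of the sshd directives above are actually in effect. It matters because sshd uses the first occurrence of a directive, so a GSSAPIAuthentication no already present in a stock file silently wins over a yes appended at the end; directives inside Match blocks are conditional and are skipped here. The sample configs are constructed for illustration; on a live host, sshd -T prints the effective configuration and is the authoritative check.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: report which GSSAPI-related
# sshd directives are in effect, honouring sshd's first-match rule.

# sshd_effective FILE DIRECTIVE -> print the first unconditional value
# (directive names and yes/no values are compared case-insensitively)
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }          # everything after is conditional
        tolower($1) == want { print tolower($2); exit }' "$1"
}

# gssapi_audit FILE -> print one line per directive whose effective value
# differs from what ticket-based login needs; exit 0 only if all match.
# Unset directives fall back to the upstream sshd_config(5) defaults.
gssapi_audit() {
    local file=$1 rc=0 spec d rest want def got
    for spec in GSSAPIAuthentication:yes:no \
                GSSAPICleanupCredentials:yes:yes \
                UsePAM:yes:no; do
        d=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$file" "$d")
        got=${got:-$def}
        if [ "$got" != "$want" ]; then
            echo "$d: expected $want, effective $got"
            rc=1
        fi
    done
    return $rc
}

# write_sshd_samples DIR -> sshd_config.bad appends the gist's lines below a
# stock "GSSAPIAuthentication no"; sshd_config.good sets them once, up front
write_sshd_samples() {
    cat >"$1/sshd_config.bad" <<'EOF'
# stock settings
GSSAPIAuthentication no
UsePAM yes
# lines appended by hand, as in the steps above
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Match User backup
    GSSAPIAuthentication no
EOF
    cat >"$1/sshd_config.good" <<'EOF'
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
EOF
}

dir=$(mktemp -d)
write_sshd_samples "$dir"
for f in bad good; do
    echo "== sshd_config.$f"
    gssapi_audit "$dir/sshd_config.$f" && echo "ok"
done
rm -rf "$dir"
```

For sshd_config.bad the audit reports that GSSAPIAuthentication is effectively no, even though a yes line was appended; sshd_config.good passes. The same first-match rule applies to the client's ssh_config, so put the Host block above any catch-all Host * entry.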

@harschware

addpinc --randKey should be: addprinc -randkey
should this: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw be this ktadd -k /var/kerberos/krb5kdc/kadm5.keytab user1/changepw ?

@sanketswagh

Hi,
I am using CentOS 7 (64 bit) and followed all the steps as mentioned above. I was successfully able to create the KDC database and start the kadmin daemon. But when I am trying to add some host principals on the client I am facing an issue.
When I am trying to fire the command kadmin -p root/admin it gives me the error: kadmin: Cannot contact any KDC for realm 'REALM.COM' while initializing kadmin interface. There is no issue with the DNS. I had already checked the realm name in the krb5.conf file. Both the IP and hostnames are present in both server and client machines. Can someone point out what I am missing?

@I-Akrout

@sanketswagh
as @prasithtoughboy said :
you need to allow Kerberos through firewalld. see here (search for firewalld): https://www.certdepot.net/rhel7-configure-kerberos-kdc/

@001101

001101 commented Aug 20, 2018

Do not use this encryption, DES is obsolescent and the preferred encryption in this configuration is classified as WEAK by Kerberos official documentation (http://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html), you have to use AES.

Use this encryption:

Primary configuration file is 'krb5.conf':

[libdefaults]
default_tgs_enctypes = aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

default_tkt_enctypes = aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

Or better, remove DES completely; you can see compatibility on the MIT enctype link above.

Reference:
https://www.ibm.com/developerworks/aix/library/au-kerberosaes/index.html

@thumbeyashwath

How do I use this with SMB file sharing? Can you please help?

@zingaro1972

Hi, I have a problem with su - (or sudo -l) after login with the admin user;
ssh login with a domain user works, and id "domain user" works correctly, but after the login when I enter "sudo -" or "sudo -l" the password is rejected and in sssd.log I see "not server found into kerberos database ...".
I have not understood whether the problem is in the PAM ACL or elsewhere ...

note: the problem disappears if I enter into sudoers.d: "user admin" (ALL:ALL) NOPASSWD:ALL

when I remove NOPASSWD:ALL the sudo -l command requires the password again but it is not accepted ..!

@ThakkarMaulik

ThakkarMaulik commented Mar 30, 2022

@prasithtoughboy you need to allow Kerberos through firewalld. see here (search for firewalld): https://www.certdepot.net/rhel7-configure-kerberos-kdc/

I am facing the issue with error
kadmin: Cannot contact any KDC for realm 'DOMAINTEST.COM' while initializing kadmin interface

@prasithtoughboy - were you able to solve the issue?
