Set up kerberos on Redhat/CentOS 7

kerberos_setup.md

Installing Kerberos on Redhat 7

This installation is going to require 2 servers one acts as kerberos KDC server and the other machine is going to be client. Lets assume the FQDN's are (here cw.com is the domain name, make a note of the domain name here):

• Kerberos KDC Server: kdc.cw.com
• Kerberos Client: kclient.cw.com

Important: Make sure that both systems have their hostnames properly set and both systems have the hostnames and IP addresses of both systems in /etc/hosts. Your server and client must be able to know the IP and hostname of the other system as well as themselves.

Pre-Requisites:

Setup and install NTP

yum -y install ntp
ntpdate 0.rhel.pool.ntp.org
systemctl start  ntpd.service
systemctl enable ntpd.service

RHEL 7 comes with systemd as the default service manager. Here is a handy guide for mapping service and chkconfig command here

Packages required:

• KDC server package: krb5-server
• Admin package: krb5-libs
• Client package: krb5-workstation

Configuration Files:

• /var/kerberos/krb5kdc/kdc.conf
• /var/kerberos/krb5kdc/kadm5.acl
• /etc/krb5.conf

Important Paths:

• KDC path: /var/kerberos/krb5kdc/

Installing & Configuring KDC Server:

yum -y install krb5-server krb5-libs

Primary configuration file is 'krb5.conf':

• Ensure the default realm is set your domain name in capital case

Sample '/etc/krb5.conf'

[libdefaults]
    default_realm = CW.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1000000
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
    CW.COM = {
        kdc = kdc.cw.com:88
        admin_server = kdc.cw.com:749
        default_domain = cw.com
    }

[domain_realm]
    .cw.com = CW.COM
     cw.com = CW.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Adjust /var/kerberos/krb5kdc/kdc.conf on the KDC:

default_realm = CW.COM

[kdcdefaults]
    v4_mode = nopreauth
    kdc_ports = 0

[realms]
    CW.COM = {
        kdc_ports = 88
        admin_keytab = /etc/kadm5.keytab
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        key_stash_file = /var/kerberos/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Adjust /var/kerberos/krb5kdc/kadm5.acl on KDC:

*/admin@CW.COM	    *

Creating KDC database to hold our sensitive Kerberos data

Create the database and set a good password which you can remember. This command also stashes your password on the KDC so you don’t have to enter it each time you start the KDC:

kdb5_util create -r CW.COM -s

This command may take a while to complete based on the CPU power

Now on the KDC create a admin principal and also a test user (user1):

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc root/admin
kadmin.local:  addprinc user1
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

Let’s start the Kerberos KDC and kadmin daemons:

systemctl start krb5kdc.service
systemctl start kadmin.service
systemctl enable krb5kdc.service
systemctl enable kadmin.service

Now, let’s create a principal for our KDC server and stick it in it’s keytab:

[root@kdc ~]# kadmin.local
kadmin.local:  addprinc -randkey host/kdc.cw.com
kadmin.local:  ktadd host/kdc.cw.com

Setup kerberos client

yum -y install krb5-workstation

Transfer your /etc/krb5.conf (which got created from above command) from the KDC server to the client. Hop onto the client server, install the Kerberos client package and add some host principals:

[root@client ~]# yum install krb5-workstation
[root@client ~]# kadmin -p root/admin
kadmin:  addpinc --randkey host/client.example.com
kadmin:  ktadd host/kdc.example.com

kerberos_ssh.md

Setting up SSH to use Kerberos Authentication

Pre-Req: Make sure you can issue a kinit -k host/fqdn@REALM and get back a kerberos ticket without having to specify a password.

Step1: Configuring SSH Server

Configure /etc/ssh/sshd_config file to include the following lines:

KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no

Now, restart the ssh daemon.

Step2: Configure the SSH Client

Configure /etc/ssh_config to include following lines:

Host *.domain.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Note: make sure you change the domain to match your environment.

Hi,
I am using centos 7(64 bit) and followed all the steps as mentioned above. I was successfully able to create the KDC Database and start the kadmin daemon. But when I am trying to add some host principals on client I am facing a issue.
when I am trying to fire the command : kadmin -p root/admin it gives me error as : kadmin: Cannot contact any KDC for realm 'REALM.COM' while initializing kadmin interface. There is no issue with the DNS. I had already checked the realm name in krb5.conf file. Both the IP and hostnames are present in both server and client machines. Can someone point-out what i am missing.

@sanketswagh
as @prasithtoughboy said :
you need to allow Kerberos through firewalld. see here (search for firewalld): https://www.certdepot.net/rhel7-configure-kerberos-kdc/

Do not use this encryption, DES is obsolescent and the preferred encryption in this configuration is classified as WEAK by Kerberos official documentation (http://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html), you have to use AES.

Use this encryption:

Primary configuration file is 'krb5.conf':

[libdefaults]
default_tgs_enctypes = \ aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

default_tkt_enctypes = \ aes256-cts-hmac-sha384-192 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96 aes256-cts des3-cbc-sha1 arcfour-hmac des-cbc-md5 des-cbc-crc

Or better remove DES completely, you can see compability on MIT enctype link above.

Reference:
https://www.ibm.com/developerworks/aix/library/au-kerberosaes/index.html

How to use this with smb file sharing ? Can you please help

Hi, i have a problem with su - ( or sudo -l ) after login with user admin;
ssh login with user domain works, id "user domain" works correctly but after the login when enter " sudo - " sudo - l" the password is reject and into sssd.log I see " not server found into kerberos database ... "
I have not understand if the problem is into PAN ACL or other ...

note: the problem disappears if enter into sudoers.d : "user admin" (ALL:ALL) NOPASSWD:ALL

when remove NOPASSWD:ALL the sudo -l command require the password again but is not accept .. !

@prasithtoughboy you need to allow Kerberos through firewalld. see here (search for firewalld): https://www.certdepot.net/rhel7-configure-kerberos-kdc/

I am facing the issue with error
kadmin: Cannot contact any KDC for realm 'DOMAINTEST.COM' while initializing kadmin interface

@prasithtoughboy - were you able to solve the issue?