Kerberos on CentOS 5.9 RHCSS

First make sure that your time is in sync. So install and configure ntp first.

1. Here is a very basic ntp.conf

2. Install the ypserv (NIS server) package

3. Add these 2 values to /etc/sysconfig/network

Set the NIS domain on the KDC server and add it to /etc/yp.conf:

4. As NIS is not very secure, let's limit the hosts that may reach the NIS domain server

5. Let's make sure portmap and NIS start again after a reboot

6. Add iptables to your configuration

7. Let's start the NIS server

8. This command will ask you to list your NIS servers; press CTRL-D when the list is complete

9. Now, to check that NIS works, you should be able to query the passwd file from the server. You need a local user account to get something back!

10. The client also needs to know the NIS domain, so we add it to /etc/sysconfig/network

11. Also add your NIS server to the client's /etc/yp.conf

12. Start authconfig-tui and set

13. Do the same thing on the NIS server
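The NIS settings from steps 3, 4, 10 and 11, as an added example that is not part of the original post: a small POSIX shell script that renders the /etc/sysconfig/network line, the /etc/yp.conf binding and a /var/yp/securenets file (the access-restriction file shipped with ypserv, which the post does not name) from a few variables, and checks that the securenets body does not contain the catch-all 0.0.0.0 entry. The domain example.nis, the host kdc.example.com and the subnet 192.168.1.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own files. Renders the NIS pieces from
# steps 3, 4, 10 and 11 as text for review before copying them into place.
# The domain, server host and subnet below are assumed placeholders.

NIS_DOMAIN="${NIS_DOMAIN:-example.nis}"       # assumed NIS domain name
NIS_SERVER="${NIS_SERVER:-kdc.example.com}"   # assumed NIS (and KDC) host
NIS_NET="${NIS_NET:-192.168.1.0}"             # assumed trusted subnet
NIS_MASK="${NIS_MASK:-255.255.255.0}"

# Line for /etc/sysconfig/network (step 3 on the server, step 10 on the client).
render_sysconfig_network() {
    printf 'NISDOMAIN=%s\n' "$1"
}

# /etc/yp.conf binding (step 3 on the server, step 11 on the client).
# Naming the server instead of broadcasting means a rogue host on the LAN
# cannot answer the bind request and hand out its own passwd map.
render_yp_conf() {
    printf 'domain %s server %s\n' "$1" "$2"
}

# /var/yp/securenets (step 4): "netmask network" pairs that ypserv will answer.
# Only loopback and the trusted subnet are listed; everything else is refused.
render_securenets() {
    printf '255.0.0.0 127.0.0.0\n'
    printf '%s %s\n' "$2" "$1"
}

# Review check: a "0.0.0.0 0.0.0.0" line would let any host pull the maps,
# so a securenets body containing one is not considered restricted.
securenets_is_restricted() {
    ! printf '%s\n' "$1" | grep -q '^0\.0\.0\.0[[:space:]]'
}

# Usage: sh nis_render.sh render   (prints all three fragments)
if [ "${1:-}" = "render" ]; then
    echo "# /etc/sysconfig/network";   render_sysconfig_network "$NIS_DOMAIN"
    echo "# /etc/yp.conf";             render_yp_conf "$NIS_DOMAIN" "$NIS_SERVER"
    echo "# /var/yp/securenets";       render_securenets "$NIS_NET" "$NIS_MASK"
fi
```

Review the rendered text, then copy each fragment to the path named in its comment; the securenets check is the thing to re-run whenever someone "temporarily" widens the allowed network.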

14. Let's install Kerberos

15. Edit /etc/krb5.conf

16. Initialize the Kerberos database and set the master password

17. Edit /var/kerberos/krb5kdc/kdc.conf and add the domain name as well as the default_principal_flags

18. Lastly, edit /var/kerberos/krb5kdc/kadm5.acl

19. On the KDC, use kadmin.local to add some user and admin (root/admin) principals to the database.

20. If you want to list the principals, you can run the command

21. Now restore the SELinux file context

22. Finally we can start the services

23. Now we have to create a host principal on the KDC

24. Extract the new principal into a local keytab file readable only by root

25. Restore the SELinux label

26. Now copy /etc/krb5.conf to your client and restore the file contexts

27. Now we have to add the new host principal for the client

28. Restore the file context of /etc/krb5.keytab

29. Now on the client and server change the authentication to Kerberos: select Kerberos. You won't need to enter any other values.

30. Let's add some users to the system on the KDC

31. Now you should be able to query the user's password, as it is not yet mapped

32. To fix this you can execute the following command on the KDC. Do not forget to rebuild the NIS database

33. As we do not have NFS and the automounter, we create the user's home directory by hand for the test

34. Now log in as frodo on the client and initialize Kerberos

35. Finally we are done and you should see your ticket

36. Configure SSH to pass the Kerberos credentials. In /etc/ssh/ssh_config add the settings and reset the Kerberos ticket

Now you should be able to log in without a password between the KDC and frodo (rhs333a)
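The Kerberos side of the procedure (krb5.conf, kdc.conf with default_principal_flags, kadm5.acl, the root-only keytab and the ssh_config change), as an added example that is not part of the original post: a POSIX shell script that renders each file as text for review and checks that a keytab is readable only by its owner. The realm EXAMPLE.COM, the host kdc.example.com and the specific option values are assumptions, not the author's files; +preauth and the GSSAPI ssh_config options are real krb5/OpenSSH settings chosen here as sensible defaults.

```shell
#!/bin/sh
# Added example, not the article's own files. Renders the Kerberos files from
# the procedure above for review and checks keytab permissions (steps 24-25).
# The realm EXAMPLE.COM and host kdc.example.com are assumed placeholders.

# /etc/krb5.conf (step 15): pin the KDC and admin server by name and disable
# DNS lookups, so a spoofed DNS answer cannot point clients at another KDC.
render_krb5_conf() {
    realm=$1; kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 dns_lookup_kdc = false
 forwardable = true

[realms]
 $realm = {
  kdc = $kdc:88
  admin_server = $kdc:749
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
}

# /var/kerberos/krb5kdc/kdc.conf (step 17). +preauth makes every new principal
# require pre-authentication, so an AS-REQ alone cannot fetch material for
# offline password guessing.
render_kdc_conf() {
    realm=$1
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $realm = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  default_principal_flags = +preauth
 }
EOF
}

# /var/kerberos/krb5kdc/kadm5.acl (step 18): only */admin principals, such as
# the root/admin created in step 19, get full kadmin rights.
render_kadm5_acl() {
    printf '*/admin@%s *\n' "$1"
}

# /etc/ssh/ssh_config fragment (last step): authenticate with the ticket and
# forward it, so the login on the far side has credentials too.
render_ssh_config() {
    printf 'Host *\n    GSSAPIAuthentication yes\n    GSSAPIDelegateCredentials yes\n'
}

# Keytab check (steps 24-25): the file must exist and carry mode 0600.
# Ownership by root is also required; verify it with ls -l, since this
# function only looks at the permission bits.
keytab_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Usage: sh krb_render.sh render
if [ "${1:-}" = "render" ]; then
    render_krb5_conf EXAMPLE.COM kdc.example.com
    render_kdc_conf EXAMPLE.COM
    render_kadm5_acl EXAMPLE.COM
    render_ssh_config
    keytab_perms_ok /etc/krb5.keytab && echo "keytab mode ok" || echo "keytab mode NOT ok"
fi
```

Run the keytab check on both the KDC and the client after the keytabs are in place; a keytab that is group- or world-readable hands the host's long-term key to every local user.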

1 thought on “Kerberos on Centos 5.9 RHCSS”

  1. Hello Laurent

    We are trying to setup a Kerberos KDC using Oracle Directory Server Enterprise Edition as the Principal Database. Do you know where can I find the correct Oracle Directory Server Enterprise Edition (ODSEE) LDAP Schema Extensions for this?
