Kerberos on Centos 5.9 RHCSS

First make sure that your time is in sync. So install and configure ntp first.

1. Here is a very basic ntp.conf

fudge stratum 10
driftfile /var/lib/ntp/drift

2. Install the ypserv nis package

# yum install -y ypserv

3. Add these 2 values to /etc/sysconfig/network

YPSERV_ARGS="-p 808"

Set the NIS domain on the KDC server and add it to /etc/yp.conf:

# nisdomainname LOCAL.DOMB.COM
# sysctl -w kernel.domainname=LOCAL.DOMB.COM
# echo "domain LOCAL.DOMB.COM server" >> /etc/yp.conf

4. As NIS is not very secure, let's limit from where the NIS domain server can be reached

# echo "" >> /var/yp/securenets
# echo "" >> /var/yp/securenets

5. Let's make sure portmap and NIS are on after a reboot

# chkconfig portmap on; chkconfig ypserv on; chkconfig ypbind on

6. Add the iptables rules to your configuration

# iptables -N SERV
# iptables -I INPUT 1 -j SERV
# iptables -A SERV -p udp --dport 123 -j ACCEPT -m comment --comment "ntp"
# iptables -A SERV -p tcp --dport 111 -j ACCEPT -m comment --comment "rpc"
# iptables -A SERV -p udp --dport 111 -j ACCEPT -m comment --comment "rpc"
# iptables -A SERV -p tcp --dport 808 -j ACCEPT -m comment --comment "nis"
# iptables -A SERV -p udp --dport 808 -j ACCEPT -m comment --comment "nis"
# iptables -A SERV -p tcp --dport 88 -j ACCEPT -m comment --comment "kerberos"
# iptables -A SERV -p udp --dport 88 -j ACCEPT -m comment --comment "kerberos"
# iptables -A SERV -p udp --dport 464 -j ACCEPT -m comment --comment "kerberos"
# iptables -A SERV -p tcp --dport 749 -j ACCEPT -m comment --comment "kerberos"
# /etc/init.d/iptables save

7. Let's start the NIS server

# service ypserv start

8. This command will ask you to list your NIS servers; press CTRL-D when you are done

# /usr/lib64/yp/ypinit -m

9. Now, to check if NIS works, you should be able to query the passwd map from the server. You need to have a local user account to get something back!

ypcat -d LOCAL.DOMB.COM -h passwd

10. The client also needs to be aware of the NIS domain, so we need to add it to /etc/sysconfig/network

# sysctl -w kernel.domainname=LOCAL.DOMB.COM

11. Also add your NIS server to your client's /etc/yp.conf

# echo "domain LOCAL.DOMB.COM server" >> /etc/yp.conf

12. Start authconfig-tui and set


13. Do the same thing on the NIS server


14. Let's install Kerberos

# yum install krb5-server krb5-workstation

15. Edit /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LOCAL.DOMB.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 LOCAL.DOMB.COM = {
  kdc =
  admin_server =
 }

[domain_realm]
  = LOCAL.DOMB.COM
  = LOCAL.DOMB.COM # that's the client
  = LOCAL.DOMB.COM
  = LOCAL.DOMB.COM

[appdefaults]
 pam = {
   validate = true
 }

16. Initialize the kerberos database and add the master password

# kdb5_util create -r LOCAL.DOMB.COM -s

17. Edit /var/kerberos/krb5kdc/kdc.conf and add the domain name as well as the default_principal_flags

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 LOCAL.DOMB.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
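An added check, not part of the original post, that audits a kdc.conf like the one above for the settings that matter most here: whether supported_enctypes still offers DES, 3DES or RC4, whether the master key type is one of those, and whether default_principal_flags sets +preauth. The config text is a constructed sample inside the script; KDC_CONF_SAMPLE, weak_enctypes, requires_preauth, strong_master_key and audit_kdc_conf are names chosen for this example.

```shell
# Constructed kdc.conf fragment mirroring step 17 (sample input, not a real file).
KDC_CONF_SAMPLE='[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 LOCAL.DOMB.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }'

# Print, one per line and deduplicated, every DES, 3DES or RC4 enctype listed
# in supported_enctypes. Reads the config text from stdin.
weak_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' |
        tr ' ' '\n' |
        sed 's/:.*//' |
        grep -E '^(des|des3|arcfour)' |
        sort -u
}

# Succeed only if default_principal_flags contains +preauth (step 17 sets it,
# so every principal has to preauthenticate). Reads stdin.
requires_preauth() {
    grep -Eq '^[[:space:]]*default_principal_flags[[:space:]]*=.*\+preauth'
}

# Succeed only if master_key_type is not a DES, 3DES or RC4 type. Reads stdin.
strong_master_key() {
    ! grep -Eq '^[[:space:]]*master_key_type[[:space:]]*=[[:space:]]*(des|des3|arcfour)'
}

# Report findings for a kdc.conf read from stdin; returns 1 if anything is weak.
audit_kdc_conf() {
    conf=$(cat)
    rc=0
    weak=$(printf '%s\n' "$conf" | weak_enctypes | tr '\n' ' ')
    if [ -n "$weak" ]; then
        printf 'weak enctypes offered: %s\n' "$weak"
        rc=1
    fi
    printf '%s\n' "$conf" | strong_master_key ||
        { echo 'master_key_type is a weak enctype'; rc=1; }
    printf '%s\n' "$conf" | requires_preauth ||
        { echo 'default_principal_flags does not set +preauth'; rc=1; }
    return $rc
}
```

Run it against the real file with `audit_kdc_conf < /var/kerberos/krb5kdc/kdc.conf`; the sample above reports five weak enctypes and a 3DES master key.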

18. Lastly we need to edit /var/kerberos/krb5kdc/kadm5.acl

*/admin@LOCAL.DOMB.COM  *

19. On the KDC, use kadmin.local to add some user principals and an admin principal (root/admin) to the database.

[root@kdc ~]# kadmin.local
Authenticating as principal root/admin@LOCAL.DOMB.COM with password.
kadmin.local: addprinc root/admin
kadmin.local: addprinc frodo
kadmin.local: addprinc gandalf

20. If you want to list the principals you can run these commands

kadmin.local: listprincs
kadmin.local: getprinc frodo

21. Now go and restore the SELinux file contexts

# restorecon -R -v /var/kerberos/krb5kdc/
# restorecon -R -v /var/log

22. Finally we can start the services

# service krb5kdc start; chkconfig krb5kdc on
# service kadmin start; chkconfig kadmin on

23. Now we have to create a host principal on the KDC

kadmin.local: addprinc -randkey host/

24. Extract the new principal into a local keytab file readable only by root

kadmin.local: ktadd -k /etc/krb5.keytab host/

25. Restore the label for selinux

# restorecon /etc/krb5.keytab

26. Now copy /etc/krb5.conf to your client and restore the file context

# scp /etc/krb5.conf client:/etc
# on the client: 
# chcon -t krb5_conf_t /etc/krb5.conf

27. Now we have to add the new host principal for the client

# kadmin -p root/admin
kadmin: addprinc -randkey host/
kadmin: ktadd -k /etc/krb5.keytab host/

28. Restore the file context of /etc/krb5.keytab

# restorecon /etc/krb5.keytab

28. Now on the client and the server change the authentication to Kerberos: select Kerberos. You won't need to select any values.

29. Let's add some users to the system on the KDC

[root@kdc ~]# useradd dobby
[root@kdc ~]# passwd dobby
[root@kdc ~]# useradd frodo
[root@kdc ~]# passwd frodo
[root@kdc ~]# make -C /var/yp/

30. Now you should be able to query the user's password hash from the client, as it is not mapped

[root@client ~]# ypcat -d LOCAL.DOMB.COM -h passwd | grep frodo

31. To fix this, execute the following command on the KDC. Do not forget to rebuild the NIS database.

# usermod -p '!!' frodo
# make -C /var/yp/
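An added check, not part of the original post, for the exposure that steps 30 and 31 deal with: it reads a NIS passwd map as ypcat prints it, lists the accounts whose password field is a real hash rather than a placeholder, and prints the usermod command from step 31 for each of them. The map is a constructed sample with made-up hashes; YPCAT_SAMPLE, leaked_hashes and lock_commands are names chosen for this example.

```shell
# Constructed NIS passwd map, shaped like the output of
# "ypcat -d LOCAL.DOMB.COM passwd" (sample data; the hash is made up).
YPCAT_SAMPLE='dobby:$1$xyzabc12$0123456789abcdefghijkl:6001:6001::/home/dobby:/bin/bash
frodo:!!:6000:6000::/home/frodo:/bin/bash
gandalf:x:6002:6002::/home/gandalf:/bin/bash
sam:*:6003:6003::/home/sam:/sbin/nologin'

# Print the login names whose second field is a real password hash rather than
# a placeholder (empty, x, *, !, !!, !*). Those hashes are served by NIS to
# every host allowed by /var/yp/securenets. Reads the map from stdin.
leaked_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" &&
             $2 != "!!" && $2 != "!*" { print $1 }'
}

# For each leaking account print the usermod command from step 31 that locks
# the local password, so the account authenticates through Kerberos only.
# Only prints; run the output on the KDC and then "make -C /var/yp".
lock_commands() {
    leaked_hashes | sed "s|^|usermod -p '!!' |"
}
```

Feed it live data with `ypcat -d LOCAL.DOMB.COM passwd | lock_commands` and review the output before running it.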

32. As we do not have NFS and the automounter, we create the user's home directory by hand for the test

[root@rhs333a ~]# mkdir /home/frodo
[root@rhs333a ~]# cp -av /etc/skel/.bash* /home/frodo/
[root@rhs333a ~]# chown -R frodo:frodo /home/frodo/

33. Now login as frodo on the client and initialize kerberos

[frodo@rhs333a ~]$ kinit

34. Finally we are done and you should see your ticket

[frodo@rhs333a ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_6000
Default principal: frodo@LOCAL.DOMB.COM

Valid starting     Expires            Service principal
05/05/13 15:13:30  05/06/13 15:13:27  krbtgt/LOCAL.DOMB.COM@LOCAL.DOMB.COM
05/05/13 15:13:42  05/06/13 15:13:27  host/

Kerberos 4 ticket cache: /tmp/tkt6000
klist: You have no tickets cached

35. Configure SSH to forward the Kerberos credentials. In /etc/ssh/ssh_config add the following, then reset the Kerberos ticket

GSSAPIDelegateCredentials yes

[frodo@rhs333a ~]$ kdestroy
[frodo@rhs333a ~]$ kinit

Now you should be able to log in without a password between kdc and frodo (rhs333a)

