Kerberos on CentOS 5.9 RHCSS

First make sure that your time is in sync, because Kerberos rejects tickets from hosts whose clocks are too far apart (5 minutes by default). So install and configure ntp first.

1. Here is a very basic ntp.conf

peer 192.168.2.80
server 192.168.2.4
server 127.127.1.0
fudge  127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift

2. Install the ypserv NIS package

# yum install -y ypserv

3. Add these 2 values to /etc/sysconfig/network

YPSERV_ARGS="-p 808"
NISDOMAIN=LOCAL.DOMB.COM

Set the NIS domain on the KDC server and add it to /etc/yp.conf:

# nisdomainname LOCAL.DOMB.COM
# sysctl -w kernel.domainname=LOCAL.DOMB.COM
# echo "domain LOCAL.DOMB.COM server kdc.local.domb.com" >> /etc/yp.conf

4. As NIS is not very secure, let's limit the networks that are allowed to reach the NIS domain server

# echo "255.0.0.0 127.0.0.0" >> /var/yp/securenets
# echo "255.255.255.0 192.168.2.0" >> /var/yp/securenets

5. Let's make sure portmap and NIS are started after a reboot

# chkconfig portmap on; chkconfig ypserv on; chkconfig ypbind on

6. Add iptables rules for the services configured above

# iptables -N SERV
# iptables -I INPUT 1 -j SERV
# iptables -A SERV -p udp --dport 123 -j ACCEPT -m comment --comment "ntp"
# iptables -A SERV -p tcp --dport 111 -j ACCEPT -m comment --comment "rpc"
# iptables -A SERV -p udp --dport 111 -j ACCEPT -m comment --comment "rpc"
# iptables -A SERV -p tcp --dport 808 -j ACCEPT -m comment --comment "nis"
# iptables -A SERV -p udp --dport 808 -j ACCEPT -m comment --comment "nis"
# iptables -A SERV -p tcp --dport 88 -j ACCEPT -m comment --comment "kerberos"
# iptables -A SERV -p udp --dport 88 -j ACCEPT -m comment --comment "kerberos"
# iptables -A SERV -p udp --dport 464 -j ACCEPT -m comment --comment "kerberos"
# iptables -A SERV -p tcp --dport 749 -j ACCEPT -m comment --comment "kerberos"
# /etc/init.d/iptables save

7. Let's start the NIS server

# service ypserv start

8. This command will ask you to list your NIS servers; press CTRL-D when you are done

# /usr/lib64/yp/ypinit -m

9. Now, to check that NIS works, you should be able to query the passwd map from the server. You need to have a local user account to get something back!

# ypcat -d LOCAL.DOMB.COM -h kdc.local.domb.com passwd

10. The client also needs to know the NIS domain, so add this to /etc/sysconfig/network on the client and set it for the running kernel

NISDOMAIN=LOCAL.DOMB.COM
# sysctl -w kernel.domainname=LOCAL.DOMB.COM

11. Also add your NIS server to your client's /etc/yp.conf

# echo "domain LOCAL.DOMB.COM server kdc.local.domb.com" >> /etc/yp.conf

12. Start authconfig-tui and set

DOMAIN: LOCAL.DOMB.COM
SERVER: kdc.local.domb.com

13. Do the same thing on the NIS server

DOMAIN: LOCAL.DOMB.COM
SERVER: kdc.local.domb.com

14. Let's install Kerberos

# yum install krb5-server krb5-workstation

15. Edit /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LOCAL.DOMB.COM

 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 LOCAL.DOMB.COM = {
  kdc = 192.168.2.84:88
  admin_server = 192.168.2.84:749
 }

[domain_realm]
 kdc.local.domb.com = LOCAL.DOMB.COM
 # rhs333a is the client
 rhs333a.local.domb.com = LOCAL.DOMB.COM
 local.domb.com = LOCAL.DOMB.COM
 .local.domb.com = LOCAL.DOMB.COM
[appdefaults]
 pam = {
   validate = true
 }

16. Initialize the Kerberos database and set the master password

# kdb5_util create -r LOCAL.DOMB.COM -s

17. Edit /var/kerberos/krb5kdc/kdc.conf and add the realm name as well as the default_principal_flags

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 LOCAL.DOMB.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
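As an added check that is not part of the original guide, this script reads the supported_enctypes line of a kdc.conf (the sample text is constructed to match the stanza above) and separates the AES and triple-DES types from the single-DES and RC4 (arcfour) types that a KDC should no longer offer.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the enctypes a kdc.conf
# realm stanza advertises. Single DES (des-*) and RC4 (arcfour-*) are
# considered weak; AES and triple DES (des3-*) are considered acceptable.

# Print one enctype per line from the supported_enctypes line read on stdin,
# dropping the ":salttype" suffix of each entry.
list_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' |
        tr ' ' '\n' | sed 's/:.*$//' | sed '/^$/d'
}

# Weak enctypes: single DES and RC4. "des3-" does not match "^des-".
weak_enctypes() {
    list_enctypes | grep -E '^(des-|arcfour-)' | sort -u
}

# Acceptable enctypes: the AES family and triple DES.
strong_enctypes() {
    list_enctypes | grep -E '^(aes|des3-)' | sort -u
}

# Number of distinct weak enctypes in the kdc.conf read on stdin.
count_weak() {
    weak_enctypes | wc -l | tr -d ' '
}

# Constructed kdc.conf fragment with the same enctype list as this guide.
sample_kdc_conf() {
    cat <<'EOF'
[realms]
 LOCAL.DOMB.COM = {
  master_key_type = des3-hmac-sha1
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
EOF
}

# Against a real KDC: weak_enctypes < /var/kerberos/krb5kdc/kdc.conf
if [ -z "${KDC_AUDIT_QUIET:-}" ]; then
    echo "Weak enctypes in the sample kdc.conf:"
    sample_kdc_conf | weak_enctypes
fi
```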

18. Lastly we need to edit /var/kerberos/krb5kdc/kadm5.acl

*/admin@LOCAL.DOMB.COM  *

19. On the KDC, use kadmin.local to add some user and admin (root/admin) principals to the database.

[root@kdc ~]# kadmin.local
Authenticating as principal root/admin@LOCAL.DOMB.COM with password.
kadmin.local: addprinc root/admin
kadmin.local: addprinc frodo
kadmin.local: addprinc gandalf

20. If you want to list the principals, you can run

kadmin.local: listprincs
kadmin.local: getprinc frodo

21. Now restore the SELinux file contexts

# restorecon -R -v /var/kerberos/krb5kdc/
# restorecon -R -v /var/log

22. Finally we can start the services

# service krb5kdc start; chkconfig krb5kdc on
# service kadmin start; chkconfig kadmin on

23. Now we have to create a host principal on the KDC

kadmin.local: addprinc -randkey host/kdc.local.domb.com

24. Extract the new principal's key into a local keytab file readable only by root

kadmin.local: ktadd -k /etc/krb5.keytab host/kdc.local.domb.com

25. Restore the SELinux label

# restorecon /etc/krb5.keytab

26. Now copy /etc/krb5.conf to your client and restore its file context

# scp /etc/krb5.conf client:/etc
# on the client: 
# chcon -t krb5_conf_t /etc/krb5.conf

27. Now, on the client, add a host principal for the client and extract its key into the client's keytab

# kadmin -p root/admin
kadmin: addprinc -randkey host/rhs333a.local.domb.com
kadmin: ktadd -k /etc/krb5.keytab host/rhs333a.local.domb.com

28. Restore the file context of /etc/krb5.keytab

# restorecon /etc/krb5.keytab

28. Now, on both the client and the server, change the authentication to Kerberos: start authconfig-tui and select Kerberos. You won't need to set any other values.

29. Let's add some users to the system on the KDC

[root@kdc ~]# useradd dobby
[root@kdc ~]# passwd dobby
[root@kdc ~]# useradd frodo
[root@kdc ~]# passwd frodo
[root@kdc ~]# make -C /var/yp/

30. Now you should be able to query the user's password hash from the client, as it is still exposed in the passwd map

[root@client ~]# ypcat -d LOCAL.DOMB.COM -h kdc.local.domb.com passwd | grep frodo
frodo:$1$sBluGivv$rgK8El3z8N4y.mi5Ge3Q60:500:500::/home/user1:/bin/bash

31. To fix this, execute the following command on the KDC; it replaces the local password hash with '!!', which locks the local password so that authentication goes through Kerberos. Do not forget to rebuild the NIS database

# usermod -p '!!' frodo
# make -C /var/yp/
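As an added check that is not from the original post, the following script scans passwd-format lines such as the ypcat output above and reports accounts whose password field still carries a real hash rather than a lock or shadow marker; the sample map is constructed, with a placeholder MD5-crypt hash for frodo.

```shell
#!/bin/sh
# Added example, not from the original post: find accounts whose password
# hash is visible in a passwd map (e.g. the output of "ypcat passwd").

# Print the user names whose second field is neither empty nor one of the
# lock/shadow markers "x", "*", "!" or "!!". Reads passwd lines on stdin.
exposed_accounts() {
    awk -F: '
        NF >= 7 && $2 != "" && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }
    '
}

# Print only the accounts whose hash uses MD5-crypt ("$1$" prefix), the
# scheme shown in the ypcat output of this guide.
md5crypt_accounts() {
    awk -F: 'NF >= 7 && $2 ~ /^\$1\$/ { print $1 }'
}

# Number of exposed accounts in the map read on stdin.
count_exposed() {
    exposed_accounts | wc -l | tr -d ' '
}

# Constructed sample map: one exposed MD5-crypt hash (placeholder value),
# one account locked with usermod -p '!!', one shadowed entry.
sample_passwd_map() {
    cat <<'EOF'
frodo:$1$saltsalt$PLACEHOLDERhashvalue00000:500:500::/home/frodo:/bin/bash
dobby:!!:501:501::/home/dobby:/bin/bash
gandalf:x:502:502::/home/gandalf:/bin/bash
EOF
}

# On a real client:
#   ypcat -d LOCAL.DOMB.COM -h kdc.local.domb.com passwd | exposed_accounts
if [ -z "${NIS_AUDIT_QUIET:-}" ]; then
    echo "Accounts with a password hash visible in the sample map:"
    sample_passwd_map | exposed_accounts
fi
```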

32. As we do not have NFS and the automounter, we create the user's home directory on the client for the test

[root@rhs333a ~]# mkdir /home/frodo
[root@rhs333a ~]# cp -av /etc/skel/.bash* /home/frodo/
[root@rhs333a ~]# chown -R frodo:frodo /home/frodo/

33. Now log in as frodo on the client and obtain a Kerberos ticket

[frodo@rhs333a ~]$ kinit

34. Finally we are done and you should see your tickets

[frodo@rhs333a ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_6000
Default principal: frodo@LOCAL.DOMB.COM

Valid starting     Expires            Service principal
05/05/13 15:13:30  05/06/13 15:13:27  krbtgt/LOCAL.DOMB.COM@LOCAL.DOMB.COM
05/05/13 15:13:42  05/06/13 15:13:27  host/kdc.local.domb.com@LOCAL.DOMB.COM


Kerberos 4 ticket cache: /tmp/tkt6000
klist: You have no tickets cached

35. Configure SSH to forward the Kerberos credentials: add the following to /etc/ssh/ssh_config, then get a fresh ticket

GSSAPIDelegateCredentials yes

[frodo@rhs333a ~]$ kdestroy
[frodo@rhs333a ~]$ kinit

Now you should be able to log in as frodo from the client (rhs333a) to the KDC without a password.