First make sure that your time is in sync, so install and configure NTP first.
1. Here is a very basic ntp.conf
peer 192.168.2.80
server 192.168.2.4
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
2. Install the ypserv NIS package
# yum install -y ypserv
3. Add these 2 values to /etc/sysconfig/network
YPSERV_ARGS="-p 808"
NISDOMAIN=LOCAL.DOMB.COM
Set the NIS domain on the KDC server and add it to /etc/yp.conf:
# nisdomainname LOCAL.DOMB.COM
# sysctl -w kernel.domainname=LOCAL.DOMB.COM
# echo "domain LOCAL.DOMB.COM server kdc.local.domb.com" >> /etc/yp.conf
4. As NIS is not very secure, let's limit which networks are allowed to query the NIS server; each line in /var/yp/securenets is a netmask followed by a network, and requests from anywhere else are refused
# echo "255.0.0.0 127.0.0.0" >> /var/yp/securenets
# echo "255.255.255.0 192.168.2.0" >> /var/yp/securenets
5. Let's make sure portmap and NIS are on after a reboot
# chkconfig portmap on; chkconfig ypserv on; chkconfig ypbind on
6. Add these rules to your iptables configuration
#iptables -N SERV
#iptables -I INPUT 1 -j SERV
#iptables -A SERV -p udp --dport 123 -j ACCEPT -m comment --comment "ntp"
#iptables -A SERV -p tcp --dport 111 -j ACCEPT -m comment --comment "rpc"
#iptables -A SERV -p udp --dport 111 -j ACCEPT -m comment --comment "rpc"
#iptables -A SERV -p tcp --dport 808 -j ACCEPT -m comment --comment "nis"
#iptables -A SERV -p udp --dport 808 -j ACCEPT -m comment --comment "nis"
#iptables -A SERV -p tcp --dport 88 -j ACCEPT -m comment --comment "kerberos"
#iptables -A SERV -p udp --dport 88 -j ACCEPT -m comment --comment "kerberos"
#iptables -A SERV -p udp --dport 464 -j ACCEPT -m comment --comment "kerberos"
#iptables -A SERV -p tcp --dport 749 -j ACCEPT -m comment --comment "kerberos"
#/etc/init.d/iptables save
7. Let's start the NIS server
# service ypserv start
8. This command will ask you to list your NIS servers; press CTRL-D when you are done
# /usr/lib64/yp/ypinit -m
9. To check that NIS works, you should be able to query the passwd map from the server. You need to have a local user account to get something back!
ypcat -d LOCAL.DOMB.COM -h kdc.local.domb.com passwd
10. The client also needs to be aware of the NIS domain, so add the following to /etc/sysconfig/network
NISDOMAIN=LOCAL.DOMB.COM
# sysctl -w kernel.domainname=LOCAL.DOMB.COM
11. Also add your NIS server to the client's /etc/yp.conf
#echo "domain LOCAL.DOMB.COM server kdc.local.domb.com" >> /etc/yp.conf
12. Start authconfig-tui and set
DOMAIN: LOCAL.DOMB.COM
SERVER: kdc.local.domb.com
13. Do the same thing on the NIS server
DOMAIN: LOCAL.DOMB.COM
SERVER: kdc.local.domb.com
14. Let's install Kerberos
# yum install krb5-server krb5-workstation
15. Edit /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LOCAL.DOMB.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 LOCAL.DOMB.COM = {
  kdc = 192.168.2.84:88
  admin_server = 192.168.2.84:749
 }

[domain_realm]
 kdc.local.domb.com = LOCAL.DOMB.COM
# that's the client
 rhs333a.local.domb.com = LOCAL.DOMB.COM
 local.domb.com = LOCAL.DOMB.COM
 .local.domb.com = LOCAL.DOMB.COM

[appdefaults]
 pam = {
  validate = true
 }
16. Initialize the kerberos database and add the master password
# kdb5_util create -r LOCAL.DOMB.COM -s
17. Edit /var/kerberos/krb5kdc/kdc.conf and add the domain name as well as the default_principal_flags. The single-DES entries at the end of supported_enctypes are weak and only there for legacy (Kerberos 4/AFS) clients; drop them if nothing that old needs to talk to this KDC
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 LOCAL.DOMB.COM = {
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
18. Lastly we need to edit /var/kerberos/krb5kdc/kadm5.acl; the line below grants every */admin principal full administrative rights over the realm
*/admin@LOCAL.DOMB.COM *
19. On the KDC, use kadmin.local to add some users and an admin (root/admin) principal to the database.
[root@kdc ~]# kadmin.local
Authenticating as principal root/admin@LOCAL.DOMB.COM with password.
kadmin.local: addprinc root/admin
kadmin.local: addprinc frodo
kadmin.local: addprinc gandalf
20. If you want to list the principals you can run
kadmin.local: listprincs
kadmin.local: getprinc frodo
21. Now go and restore the SELinux file contexts
# restorecon -R -v /var/kerberos/krb5kdc/
# restorecon -R -v /var/log
22. Finally we can start the services
# service krb5kdc start; chkconfig krb5kdc on
# service kadmin start; chkconfig kadmin on
23. Now we have to create a host principal on the KDC
kadmin.local: addprinc -randkey host/kdc.local.domb.com
24. Extract the new principal into a local keytab file, readable only by root
kadmin.local: ktadd -k /etc/krb5.keytab host/kdc.local.domb.com
25. Restore the SELinux label
# restorecon /etc/krb5.keytab
26. Now copy /etc/krb5.conf to your client and restore the file context
# scp /etc/krb5.conf client:/etc
# on the client:
# chcon -t krb5_conf_t /etc/krb5.conf
27. Now we have to add the host principal for the client. Run this on the client itself, since ktadd writes into the local /etc/krb5.keytab
#kadmin -p root/admin
kadmin: addprinc -randkey host/rhs333a.local.domb.com
kadmin: ktadd -k /etc/krb5.keytab host/rhs333a.local.domb.com
28. Restore the file context of /etc/krb5.keytab
# restorecon /etc/krb5.keytab
28. Now on the client and server switch authentication to Kerberos
authconfig-tui
select kerberos
You won't need to select any values
29. Let's add some users to the system on the KDC
[root@kdc ~]# useradd dobby
[root@kdc ~]# passwd dobby
[root@kdc ~]# useradd frodo
[root@kdc ~]# passwd frodo
[root@kdc ~]# make -C /var/yp/
30. Now you can still query the user's local password hash through NIS, because the account still has a local password
[root@client ~]# ypcat -d LOCAL.DOMB.COM -h kdc.local.domb.com passwd | grep frodo
frodo:$1$sBluGivv$rgK8El3z8N4y.mi5Ge3Q60:500:500::/home/user1:/bin/bash
31. To fix this, invalidate the local password hash on the KDC with the following command. Do not forget to rebuild the NIS database afterwards
# usermod -p '!!' frodo
# make -C /var/yp/
32. As we do not have NFS and the automounter, we create the user's home directory for the test by hand
[root@rhs333a ~]# mkdir /home/user1
[root@rhs333a ~]# cp -av /etc/skel/.bash* /home/frodo/
[root@rhs333a ~]# chown -R user1:user1 /home/frodo/
33. Now log in as frodo on the client and initialize Kerberos
[frodo@rhs333a ~]$ kinit
34. Finally we are done and you should see your ticket
[frodo@rhs333a ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_6000
Default principal: frodo@LOCAL.DOMB.COM

Valid starting     Expires            Service principal
05/05/13 15:13:30  05/06/13 15:13:27  krbtgt/LOCAL.DOMB.COM@LOCAL.DOMB.COM
05/05/13 15:13:42  05/06/13 15:13:27  host/kdc.local.domb.com@LOCAL.DOMB.COM

Kerberos 4 ticket cache: /tmp/tkt6000
klist: You have no tickets cached
35. Configure SSH to forward the Kerberos credentials: add the following to /etc/ssh/ssh_config, then reset the Kerberos ticket. Keep in mind that delegating credentials hands your TGT to every host you log into with it, so only enable it towards hosts you trust
GSSAPIDelegateCredentials yes
[frodo@rhs333a ~]$ kdestroy
[frodo@rhs333a ~]$ kinit
Now you should be able to log in without a password between the KDC and frodo's client (rhs333a)