Friday 17 June 2011

Configure system to authenticate using Kerberos

This objective is not very well defined or at least I don't understand what Red Hat is aiming at here.  There is no mention of using Kerberos for anything once the system is configured to authenticate with Kerberos or what directory service should be used for accounts or indeed whether a directory server should be used at all. The other issue that I see, is the fact that you need user principals to be able to do anything, you might be supplied these in the exam, who knows?

Anyway, assuming that you have a working KDC server, see my post on openSSH with Kerberos for details of configuring a KDC, you can use authconfig-tui to configure Kerberos on your client.


You can then check the /etc/krb5.conf file should now be modified to:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DOMAIN.COM = {
  kdc = yetanother.domain.com
  admin_server = yetanother.domain.com
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
Unfortunately, this will not actually do much.
kinit
kinit: Client not found in Kerberos database while getting initial credentials
As mentioned above you need a user principal in order to get a ticket and a user to be able to do anything useful. Let's say that you have openLDAP configured (have a look at this post if in doubt) and you have a user account called crap in that domain. Assuming that a principal for crap exists and you know the password you can just do:
kinit crap
and provided that you typed the right password, you'll get a ticket, check with:
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: crap@DOMAIN.COM

Valid starting     Expires            Service principal
06/17/11 11:59:53  06/18/11 11:59:53  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 06/17/11 11:59:53
Have a look at my previous post to configure openSSH to work with Kerberos.

No comments:

Post a Comment