{{tag>[rhel7 kerberos security]}}
=====RHEL 7 Kerberos 5 with OpenLDAP backend=====
====Prerequisites====
* Working DNS environment.
* Working NTP environment, ntpd or chronyd.
====Modifications on LDAP server====
* Install the prerequisite package: ''yum install krb5-server-ldap''
* Copy the schema files: ''cp /usr/share/doc/krb5-server-ldap-1.13.2/kerberos.* /etc/openldap/schema/''
* Work around the problem with importing the kerberos LDIF directly by converting the schema with ''slaptest'':
<code>
mkdir /tmp/ldap-kerberos/
echo "include /etc/openldap/schema/kerberos.schema" > /tmp/ldap-kerberos/schema_convert.conf
mkdir /tmp/ldap-kerberos/krb5_ldif
slaptest -f /tmp/ldap-kerberos/schema_convert.conf -F /tmp/ldap-kerberos/krb5_ldif
</code>
* Edit ''/tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif'' and replace
<code>
dn: cn={0}kerberos
cn: {0}kerberos
</code>
with
<code>
dn: cn=kerberos,cn=schema,cn=config
cn: kerberos
</code>
* Remove the operational attributes at the end of the file (the server refuses them in an add):
<code>
structuralObjectClass: olcSchemaConfig
entryUUID: ...
creatorsName: cn=config
createTimestamp: ...
entryCSN: ...
modifiersName: cn=config
modifyTimestamp: ...
</code>
* You can now add the schema:
<code>
ldapadd -H ldaps:// -x -D "cn=Manager,dc=domain,dc=tld" -W -f /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
</code>
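To make the hand edits above repeatable, here is an added shell example (not from the original page) that applies the same transformation with ''sed'': rewrite the dn/cn header and strip the operational attributes. The function names, the temporary directory and the sample LDIF content are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: apply the manual edits described
# above to a slaptest-generated cn={0}kerberos.ldif. Function names, paths and
# the sample LDIF content below are constructed for this example.
set -e

# convert_schema_ldif IN OUT
# 1. rewrite "dn: cn={N}kerberos" to the DN ldapadd needs under cn=config
# 2. rewrite "cn: {N}kerberos" to "cn: kerberos"
# 3. drop the operational attributes slaptest writes at the end of the file
convert_schema_ldif() {
    sed -E \
        -e 's/^dn: cn=[{][0-9]+[}]kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: [{][0-9]+[}]kerberos$/cn: kerberos/' \
        -e '/^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): /d' \
        "$1" > "$2"
}

# count_operational FILE -> number of operational attribute lines still present
# (expect 0 after conversion; grep -c prints 0 and exits 1 when nothing matches)
count_operational() {
    grep -c -E '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$1" || true
}

workdir=$(mktemp -d)
# Constructed stand-in for slaptest output; the attribute definition is a
# placeholder, not the real kerberos schema.
cat > "$workdir/cn={0}kerberos.ldif" <<'EOF'
dn: cn={0}kerberos
objectClass: olcSchemaConfig
cn: {0}kerberos
olcAttributeTypes: {0}( 1.1.1 NAME 'krbPlaceholder' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20160101000000Z
entryCSN: 20160101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20160101000000Z
EOF

convert_schema_ldif "$workdir/cn={0}kerberos.ldif" "$workdir/kerberos.ldif"
cat "$workdir/kerberos.ldif"
```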
* Create an LDAP user that can modify LDAP data, for example ''krbadmin''.
* Modify the LDAP ACLs, for example:
<code>
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
  by dn.exact="cn=Manager,dc=domain,dc=tld" write
  by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
  by dn.exact="cn=replicator,dc=domain,dc=tld" read
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=domain,dc=tld" write
  by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
  by dn.exact="cn=replicator,dc=domain,dc=tld" read
  by self read
  by users read
  by * none
</code>
* Add an index to speed up access:
<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <
</code>
====Install and configure KDC server====
* Install the required packages: ''yum install -y krb5-server krb5-server-ldap krb5-workstation''
* Edit ''/var/kerberos/krb5kdc/kdc.conf'' and replace EXAMPLE.COM with your realm. The convention is to use your domain name in upper-case letters.
* In ''/var/kerberos/krb5kdc/kdc.conf'', add below ''[realms]'': ''default_principal_flags = +preauth''
* Edit ''/etc/krb5.conf'': uncomment all lines and replace EXAMPLE.COM (and the lower-case example.com entries) with your domain.
* Edit ''/etc/krb5.conf'' and add below ''[realms]'':
<code>
default_domain = example.com
database_module = openldap_ldapconf
</code>
* Edit ''/etc/krb5.conf'' and add the LDAP configuration:
<code>
[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
    # this object needs to have read rights on
    # the realm container, principal container and realm sub-trees
    ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
    # this object needs to have read and write rights on
    # the realm container, principal container and realm sub-trees
    ldap_service_password_file = /etc/kerberos/service.keyfile
    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
    ldap_conns_per_server = 5
}
</code>
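The KDC binds to LDAP with the password stashed in ''ldap_service_password_file'', so every URI in ''ldap_servers'' should be ''ldaps://''. The following added shell example (not from the original page) pulls values out of the ''[dbmodules]'' stanza and flags any plain ''ldap://'' server; the helper names, the temporary file and the sample krb5.conf are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the kldap stanza in
# a krb5.conf before starting the KDC. Function names, the temporary file and
# the sample configuration are constructed for this example.
set -e

# dbmodule_value FILE KEY -> value of KEY inside the [dbmodules] section
# (first match wins; surrounding double quotes are removed)
dbmodule_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_mod = ($0 ~ /^[[:space:]]*\[dbmodules\]/) }
        in_mod && $1 == key && $2 == "=" {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); gsub(/"/, "", v)
            print v; exit
        }' "$1"
}

# insecure_ldap_servers FILE -> prints every ldap_servers URI that is not
# ldaps://; a plain ldap:// URI would send the stashed bind password in clear
insecure_ldap_servers() {
    for uri in $(dbmodule_value "$1" ldap_servers); do
        case "$uri" in
            ldaps://*) ;;
            *) echo "$uri" ;;
        esac
    done
}

cfg=$(mktemp)
# Constructed sample: second LDAP server deliberately misconfigured as ldap://
cat > "$cfg" <<'EOF'
[realms]
 EXAMPLE.COM = {
  database_module = openldap_ldapconf
 }
[dbdefaults]
 ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
[dbmodules]
 openldap_ldapconf = {
  db_library = kldap
  ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
  ldap_servers = ldaps://ldap01.example.com ldap://ldap02.example.com
 }
EOF
insecure_ldap_servers "$cfg"
```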
* Edit ''/var/kerberos/krb5kdc/kadm5.acl'' and replace EXAMPLE.COM with your own realm.
* Create the realm, choosing a bind user that has rights to create the LDAP/Kerberos container:
<code>
kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com
</code>
* Create the directory ''/etc/kerberos''
* Stash the admin password:
<code>
kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com
</code>
* Start and enable Kerberos:
<code>
systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin
</code>
* Add principals:
<code>
kadmin.local: addprinc -randkey host/kdc.dc.polaire.nl
kadmin.local: ktadd host/kdc.dc.polaire.nl
kadmin.local: addprinc root/admin
kadmin.local: addprinc -x dn="uid=example,ou=people,dc=example,dc=com" example
kadmin.local: quit
</code>
====Firewall====
* Open the firewall ports:
<code>
firewall-cmd --zone public --add-service kerberos --permanent
firewall-cmd --reload
</code>
====SSH clients====
* Install the required packages: ''yum -y install krb5-workstation pam_krb5''
* Edit the ''/etc/krb5.conf'' file:
  * Uncomment all lines.
  * Replace all example domain names and realms.
  * Change the example kdc and admin_server.
* Add principals on the KDC:
<code>
kadmin -p root/admin
kadmin: addprinc -randkey host/test1.example.com
kadmin: addprinc -randkey host/test2.example.com
kadmin: addprinc -randkey host/test3.example.com
kadmin: ktadd host/test1.example.com
kadmin: ktadd host/test2.example.com
kadmin: ktadd host/test3.example.com
</code>
===Configure SSH Server===
* Configure the server as an LDAP client: [[ldap:centos7client]]
* Edit ''/etc/ssh/sshd_config'' to include the following lines:
<code>
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UsePAM no # set to no if you don't want to allow logins with local accounts.
</code>
===Configure SSH client===
* Edit ''/etc/ssh/ssh_config'' to include the following lines:
<code>
Host *.domain.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
</code>
* Retrieve a ticket: ''kinit benst''
* Log in to another host: ''ssh user@host''