{{tag>[rhel7 kerberos security]}}


=====RHEL 7 Kerberos 5 with OpenLDAP backend=====
 
====Prerequisites====
  * Working DNS environment.
  * Working NTP environment, ntpd or chronyd.

====Modifications on LDAP server====
  * Install prerequisite packages:<code>yum install krb5-server-ldap</code>
  * Copy schema files:<code>cp /usr/share/doc/krb5-server-ldap-1.13.2/kerberos.* /etc/openldap/schema/</code>
  * Workaround problem with importing the kerberos LDIF:<code>

mkdir /tmp/ldap-kerberos/
echo "include /etc/openldap/schema/kerberos.schema" > /tmp/ldap-kerberos/schema_convert.conf

mkdir /tmp/ldap-kerberos/krb5_ldif

slaptest -f /tmp/ldap-kerberos/schema_convert.conf -F /tmp/ldap-kerberos/krb5_ldif

# Edit /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif and replace

dn: cn={0}kerberos
cn: {0}kerberos

with

dn: cn=kerberos,cn=schema,cn=config
cn: kerberos

# Remove (at the end of the file)

structuralObjectClass: olcSchemaConfig
entryUUID: ...
creatorsName: cn=config
createTimestamp: ...
entryCSN: ...
modifiersName: cn=config
modifyTimestamp: ...</code>
  * You can now add the schema: <code>ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f  /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif</code>

  * Create a LDAP user than can modify LDAP data, for example ''krbadmin''.
  * Modify LDAP ACLs, for example:<code>
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
      by dn.exact="cn=Manager,dc=domain,dc=tld" write
      by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
      by dn.exact="cn=replicator,dc=domain,dc=tld" read
      by self =xw
      by anonymous auth
      by * none
olcAccess: {1}to *
      by dn.exact="cn=Manager,dc=domain,dc=tld" write
      by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
      by dn.exact="cn=replicator,dc=domain,dc=tld" read
      by self read
      by users read
      by * none 
</code>
  * Add index to speed up the access:<code>
# ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
-
EOF 
</code>




====Install and configure KDC server====
  * Install required packages: <code>yum install -y krb5-server krb5-server-ldap krb5-workstation</code>
  * Edit ''/var/kerberos/krb5kdc/kdc.conf'' and replace EXAMPLE.COM with your domain. Convention is to make it the same as your domain name, in upper-case letters.
  * Edit ''/var/kerberos/krb5kdc/kdc.conf'' add below ''[realms]'':<code>default_principal_flags = +preauth</code>

  * Edit ''/etc/krb5.conf'' uncomment all lines and replace EXAMPLE.COM (and the lower-case ones) with your domain. 
  * Edit ''/etc/krb5.conf'' and add below ''[realms]''.<code>
  default_domain = example.com
  database_module = openldap_ldapconf
</code>
  * Edit ''/etc/krb5.conf'' add LDAP config:<code>
[dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/kerberos/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }</code>
  * Edit ''/var/kerberos/krb5kdc/kadm5.acl'', replace EXAMPLE.COM with your own realm.

  * Create the realm, choose a bind user that has rights to create the LDAP/Kerberos container:<code> kdb5_ldap_util -D  cn=krbadmin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com</code>
  * Create directory ''/etc/kerberos''
  * Stash the admin password:<code>
kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com</code>
  * Start and activate Kerberos:<code>systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin</code>


  * Add principal:<code>
kadmin.local:  addprinc -randkey host/kdc.dc.polaire.nl

kadmin.local:  ktadd host/kdc.dc.polaire.nl

kadmin.local:  addprinc root/admin

kadmin.local:  addprinc -x dn="uid=example,ou=people,dc=example,dc=com" example

kadmin.local:  quit
</code>


====Firewall====
  * Open firewall ports: <code>firewall-cmd --zone public --add-service kerberos --permanent
firewall-cmd --reload</code>



====SSH clients====

  * Install the required packages:<code>yum -y install krb5-workstation pam_krb5</code>
  * Edit the ''/etc/krb5.conf'' file
    * Uncomment all lines.
    * Replace al example domain names and realms.
    * Change example kdc and admin_server.
  * Add principals on KDC:<code>kadmin -p root/admin
kadmin:  addprinc -randkey host/test1.example.com

kadmin:  addprinc -randkey host/test2.example.com

kadmin:  addprinc -randkey host/test3.example.com

kadmin:  ktadd host/test1.example.com

kadmin:  ktadd host/test2.example.com

kadmin:  ktadd host/test3.example.com


</code>

===Configure SSH Server===
  * Configure server as LDAP client: [[ldap:centos7client]]
  * Edit ''/etc/ssh/sshd_config'' file to include the following lines:<code>
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UsePAM no   # set to no if you don't want to allow logins with local accounts.
</code>
===Configure SSH client===
  * Edit ''/etc/ssh/ssh_config'' to include following lines:<code>
Host *.domain.com
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
</code>
  * Retrieve ticket:<code>kinit benst</code>
  * Login to other host:<code>ssh user@host</code>