RHEL 7 Kerberos 5 with OpenLDAP backend
Prerequisites
- Working DNS environment.
- Working NTP environment (ntpd or chronyd); Kerberos rejects requests whose timestamps fall outside the allowed clock skew, 5 minutes by default.
Modifications on LDAP server
- Install prerequisite packages:
yum install krb5-server-ldap
- Copy the schema files (the version in the path follows the installed package; adjust it to match):
cp /usr/share/doc/krb5-server-ldap-1.13.2/kerberos.* /etc/openldap/schema/
- Convert the schema for import into cn=config. The package ships kerberos.schema in the old slapd.conf format; slaptest converts it to LDIF, but the generated entry is named after a config index and carries operational attributes that ldapadd rejects, so it has to be edited first:
mkdir /tmp/ldap-kerberos/
echo "include /etc/openldap/schema/kerberos.schema" > /tmp/ldap-kerberos/schema_convert.conf
mkdir /tmp/ldap-kerberos/krb5_ldif
slaptest -f /tmp/ldap-kerberos/schema_convert.conf -F /tmp/ldap-kerberos/krb5_ldif
Edit /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif and replace
dn: cn={0}kerberos
cn: {0}kerberos
with
dn: cn=kerberos,cn=schema,cn=config
cn: kerberos
Remove (at the end of the file):
structuralObjectClass: olcSchemaConfig
entryUUID: ...
creatorsName: cn=config
createTimestamp: ...
entryCSN: ...
modifiersName: cn=config
modifyTimestamp: ...
- You can now add the schema. The bind DN must be allowed to write to cn=config (its olcRootDN; alternatively bind as root over ldapi:/// with SASL EXTERNAL):
ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
- Create an LDAP user that can modify LDAP data, for example krbadmin (cn=krbadmin,dc=domain,dc=tld in the ACLs below).
- Modify the LDAP ACLs, for example:
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
  by dn.exact="cn=Manager,dc=domain,dc=tld" write
  by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
  by dn.exact="cn=replicator,dc=domain,dc=tld" read
  by self =xw
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=Manager,dc=domain,dc=tld" write
  by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
  by dn.exact="cn=replicator,dc=domain,dc=tld" read
  by self read
  by users read
  by * none
Rule {0} is what protects the Kerberos keys: krbPrincipalKey is readable only by the directory manager, the KDC bind DN and the replication account, and the closing by * none denies everybody else, anonymous searches included. self gets =xw (authenticate and write, without read), so a user can change their own password but cannot read back the stored key. Because userPassword and krbPrincipalKey share one rule, that same self write also lets a user replace their own Kerberos key outside kadmin; give krbPrincipalKey its own rule without self write if that is unwanted.
- Add an index to speed up principal lookups (the KDC searches on krbPrincipalName for every request). Confirm the DN of your data database under cn=config first; {2}hdb is only an example:
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={2}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
-
EOF
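The schema conversion steps above, scripted as an added example (this is not code from the page): the slaptest run, the hand edits done with sed, and a sanity check of the result before it is handed to ldapadd. The schema and work-directory paths are the page's; the output file name kerberos.ldif and the WORK variable are assumptions.

```shell
#!/bin/sh
# Convert kerberos.schema to a cn=config LDIF and apply the fix-ups the page
# describes (rename the entry, drop the operational attributes) so the step is
# repeatable. Added example; WORK and the kerberos.ldif name are assumptions.
set -e

SCHEMA=/etc/openldap/schema/kerberos.schema
WORK=${WORK:-/tmp/ldap-kerberos}

# Rewrite the slaptest output into an LDIF that ldapadd accepts under cn=config.
# $1: LDIF written by slaptest (cn={N}kerberos.ldif), $2: file to write.
fix_kerberos_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' \
        "$1" > "$2"
}

# Sanity check before ldapadd: exactly one dn line with the expected value, the
# renamed cn, and none of the operational attributes slaptest wrote.
schema_ldif_is_clean() {
    [ "$(grep -c '^dn: ' "$1")" -eq 1 ] || return 1
    grep -q '^dn: cn=kerberos,cn=schema,cn=config$' "$1" || return 1
    grep -q '^cn: kerberos$' "$1" || return 1
    ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$1"
}

# Run slaptest over a one-line config that includes only kerberos.schema, then
# fix the generated LDIF and print the path to feed into ldapadd -f.
convert_kerberos_schema() {
    mkdir -p "$WORK/krb5_ldif"
    echo "include $SCHEMA" > "$WORK/schema_convert.conf"
    slaptest -f "$WORK/schema_convert.conf" -F "$WORK/krb5_ldif"
    fix_kerberos_schema_ldif "$WORK/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif" \
                             "$WORK/kerberos.ldif"
    schema_ldif_is_clean "$WORK/kerberos.ldif"
    echo "$WORK/kerberos.ldif"
}

# Only run the conversion when asked; the functions above can also be sourced.
if [ "${1:-}" = "convert" ]; then
    convert_kerberos_schema
fi
```

Run it as `sh convert-krb-schema.sh convert` on the LDAP server; the printed path is what goes into the ldapadd -f argument of the step above.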
Install and configure KDC server
- Install required packages:
yum install -y krb5-server krb5-server-ldap krb5-workstation
- Edit /var/kerberos/krb5kdc/kdc.conf and replace EXAMPLE.COM with your realm. Convention is to make it the same as your DNS domain name, in upper-case letters.
- In the same file, add inside your realm's stanza under [realms]:
default_principal_flags = +preauth
This makes every new principal require pre-authentication, so the KDC no longer hands out an AS-REP encrypted with the user's password-derived key to anyone who merely asks for it (material that can be brute-forced offline).
- Edit /etc/krb5.conf, uncomment all lines and replace EXAMPLE.COM (and the lower-case example.com) with your realm and domain.
- In /etc/krb5.conf, add inside your realm's stanza under [realms]:
default_domain = example.com
database_module = openldap_ldapconf
- Edit /etc/krb5.conf and add the LDAP configuration:
[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
        ldap_service_password_file = /etc/kerberos/service.keyfile
        ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
        ldap_conns_per_server = 5
    }
The example uses one DN for both the KDC and kadmind. As the comments say, the KDC only needs read access, so a separate read-only ldap_kdc_dn (stashed into the same service.keyfile with a second stashsrvpw run) is the least-privilege choice. ldaps:// also requires the CA that signed the LDAP server certificates to be trusted via TLS_CACERT in /etc/openldap/ldap.conf, otherwise the KDC cannot bind.
- Edit /var/kerberos/krb5kdc/kadm5.acl and replace EXAMPLE.COM with your own realm. The shipped rule (*/admin@EXAMPLE.COM *) gives every principal with an /admin instance full administrative rights, which is what root/admin below relies on.
- Create the realm, choosing a bind user that has rights to create the LDAP/Kerberos container (-s also writes the master key stash to /var/kerberos/krb5kdc/.k5.EXAMPLE.COM):
kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com
As written the command connects over plain ldap://, so the bind password crosses the network in clear; use ldaps:// (as in ldap_servers above) or run it on the LDAP host over ldapi:///.
- Create the directory /etc/kerberos, which the ldap_service_password_file setting above points into.
- Stash the bind password of the LDAP admin DN so krb5kdc and kadmind can bind without prompting:
kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com
The file stores the password hex-encoded, not hashed, so it must stay root-owned with mode 0600; check the permissions after creating it.
- Start and enable Kerberos:
systemctl start krb5kdc kadmin
systemctl enable krb5kdc kadmin
- Add principals (kadmin.local needs neither the network nor an admin principal, so it is used for the first ones):
kadmin.local: addprinc -randkey host/kdc.dc.polaire.nl
kadmin.local: ktadd host/kdc.dc.polaire.nl
kadmin.local: addprinc root/admin
kadmin.local: addprinc -x dn="uid=example,ou=people,dc=example,dc=com" example
kadmin.local: quit
The KDC's own host principal gets a random key, which ktadd writes to the local /etc/krb5.keytab. root/admin is the administrative principal matched by kadm5.acl; pick a strong password when prompted. The -x dn=... option attaches the principal example to the existing LDAP user entry instead of creating a new entry under the principal container.
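An added post-install check for the KDC built in this section (not part of the page): it verifies the two secret files the steps above create, that user and host principals require pre-authentication, and that the LDAP ACLs keep krbPrincipalKey out of anonymous searches. The realm EXAMPLE.COM, base dc=example,dc=com and ldaps://ldap01.example.com are the example values from the fragments above and are assumptions; override them in the environment.

```shell
#!/bin/sh
# Post-install checks for a KDC with the OpenLDAP backend set up as above.
# Run as root on the KDC. REALM, BASE_DN and LDAP_URI default to the page's
# example values (assumptions); override them in the environment.
set -e

REALM=${REALM:-EXAMPLE.COM}
BASE_DN=${BASE_DN:-dc=example,dc=com}
LDAP_URI=${LDAP_URI:-ldaps://ldap01.example.com}

# A secret file must be a regular file owned by $2 (default root) with mode
# 0600 or 0400. Uses GNU stat, as shipped with RHEL 7.
check_private_file() {
    path=$1; owner=${2:-root}
    [ -f "$path" ] || return 1
    [ "$(stat -c '%U' "$path")" = "$owner" ] || return 1
    case "$(stat -c '%a' "$path")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "getprinc" output on stdin and succeeds only when the Attributes line
# lists REQUIRES_PRE_AUTH. Without it the KDC answers an AS-REQ for the
# principal with data encrypted under its long-term key, which anyone can
# request and brute-force offline.
principal_requires_preauth() {
    grep '^Attributes:' | grep -qw 'REQUIRES_PRE_AUTH'
}

# Reads LDIF (ldapsearch output) on stdin; succeeds if any entry carries
# attribute $1. Applied to an anonymous search for krbPrincipalKey, a hit
# means the olcAccess rules leak principal keys.
ldif_has_attribute() {
    grep -q "^$1:"
}

kdc_checks() {
    failed=0
    # Master-key stash from "kdb5_ldap_util create -s" and the LDAP bind
    # password from "stashsrvpw" (stored hex-encoded, not hashed).
    for f in "/var/kerberos/krb5kdc/.k5.$REALM" /etc/kerberos/service.keyfile; do
        check_private_file "$f" || { echo "FAIL: $f must be root-owned, mode 0600"; failed=1; }
    done
    # Every user and host principal should require pre-authentication. The
    # realm-internal principals created by kdb5_ldap_util have random keys
    # and are skipped.
    for p in $(kadmin.local -q listprincs 2>/dev/null | grep '@' | grep -v '^Authenticating'); do
        case "$p" in K/M@*|krbtgt/*|kadmin/*) continue ;; esac
        kadmin.local -q "getprinc $p" 2>/dev/null | principal_requires_preauth \
            || { echo "FAIL: $p does not require preauth"; failed=1; }
    done
    # With "by * none" on the attribute rule, an anonymous search must return
    # no krbPrincipalKey values at all.
    if ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" '(krbPrincipalName=*)' krbPrincipalKey 2>/dev/null \
        | ldif_has_attribute krbPrincipalKey; then
        echo "FAIL: krbPrincipalKey readable by anonymous bind"; failed=1
    fi
    [ "$failed" -eq 0 ] && echo "OK: KDC checks passed"
    return "$failed"
}

# Only run the live checks when asked, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    kdc_checks
fi
```

Run `sh kdc-checks.sh run` as root on the KDC; a non-zero exit means at least one FAIL line was printed. Repeat the ldapsearch part with -D and -W for an ordinary user to confirm rule {0} also holds for authenticated, non-self binds.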
Firewall
- Open firewall ports:
firewall-cmd --zone public --add-service kerberos --permanent
firewall-cmd --reload
The kerberos service covers port 88 only. Remote kadmin use (as in the client section below) needs 749/tcp, the firewalld service kadmin, and password changes with kpasswd need port 464, the firewalld service kpasswd.
SSH clients
- Install the required packages:
yum -y install krb5-workstation pam_krb5
- Edit the /etc/krb5.conf file:
  - Uncomment all lines.
  - Replace all example domain names and realms.
  - Change the example kdc and admin_server entries.
- Add principals on the KDC for each client host:
kadmin -p root/admin
kadmin: addprinc -randkey host/test1.example.com
kadmin: addprinc -randkey host/test2.example.com
kadmin: addprinc -randkey host/test3.example.com
kadmin: ktadd host/test1.example.com
kadmin: ktadd host/test2.example.com
kadmin: ktadd host/test3.example.com
ktadd writes into /etc/krb5.keytab of the machine where kadmin runs, so run the ktadd lines from each client itself (kadmin talks to the admin server over the network, which needs 749/tcp open), or extract with ktadd -k <file> and copy the file to the client securely (root-owned, mode 0600), then delete the local copy. Every ktadd generates a new key version, which invalidates any keytab previously extracted for that principal.
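Provisioning the host keytabs from an admin workstation, as an added example rather than the page's own procedure: because ktadd writes into the keytab of the machine it runs on, the key is extracted into a private temporary file, copied to the server and destroyed locally. Assumptions not on the page: the admin principal root/admin may create principals and extract keys, and root SSH access to each server already works (for example with keys) so the keytab can be put in place.

```shell
#!/bin/sh
# Provision host/<fqdn> principals and keytabs for SSH servers from an admin
# workstation. Added example; assumes root/admin may extract keys and that
# root SSH to each server works for the copy step.
set -e

ADMIN_PRINC=${ADMIN_PRINC:-root/admin}
KEYTAB_WORKDIR=${KEYTAB_WORKDIR:-$(mktemp -d)}

# Create host/<fqdn> only if it does not exist yet. addprinc fails on an
# existing principal, and a second ktadd would mint a new key version and
# silently invalidate the keytab already installed on the server.
ensure_host_principal() {
    if kadmin -p "$ADMIN_PRINC" -q "getprinc host/$1" 2>/dev/null | grep -q '^Principal: '; then
        return 0
    fi
    kadmin -p "$ADMIN_PRINC" -q "addprinc -randkey host/$1" >/dev/null
}

# Extract the host key into a private temporary keytab, copy it to the server,
# lock down its permissions there, and destroy the local copy.
provision_host_keytab() {
    fqdn=$1
    kt="$KEYTAB_WORKDIR/$fqdn.keytab"
    ensure_host_principal "$fqdn"
    # umask 077 in a subshell so the new keytab is never group/world readable.
    ( umask 077; kadmin -p "$ADMIN_PRINC" -q "ktadd -k $kt host/$fqdn" >/dev/null )
    [ -s "$kt" ] || { echo "ktadd produced no keytab for $fqdn" >&2; return 1; }
    scp -q "$kt" "root@$fqdn:/etc/krb5.keytab"
    # Fix ownership and mode on the server and list the keys as confirmation.
    ssh "root@$fqdn" 'chown root:root /etc/krb5.keytab && chmod 600 /etc/krb5.keytab && klist -k /etc/krb5.keytab'
    shred -u "$kt" 2>/dev/null || rm -f "$kt"
}

# Usage: provision_host_keytabs test1.example.com test2.example.com ...
provision_host_keytabs() {
    for h in "$@"; do
        provision_host_keytab "$h"
    done
    rmdir "$KEYTAB_WORKDIR" 2>/dev/null || true
}

# Only act when a host list is given, so the functions can also be sourced.
if [ -n "${PROVISION_HOSTS:-}" ]; then
    provision_host_keytabs $PROVISION_HOSTS
fi
```

Run it as `PROVISION_HOSTS="test1.example.com test2.example.com" sh provision-keytabs.sh`; each kadmin call prompts for the root/admin password, exactly as the interactive session above does.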
Configure SSH Server
- Configure server as LDAP client: centos7client
- Edit /etc/ssh/sshd_config to include the following lines:
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UsePAM no
GSSAPIAuthentication is what accepts the user's ticket (single sign-on); KerberosAuthentication only makes sshd validate typed passwords against the KDC and still depends on PasswordAuthentication. GSSAPICleanupCredentials removes the forwarded credential cache at logout. Leave UsePAM at yes unless you have a reason not to: setting it to no disables PAM account and session handling (pam_krb5 included) for every login, not just for local accounts.
Configure SSH client
- Edit /etc/ssh/ssh_config to include the following lines:
Host *.domain.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
GSSAPIDelegateCredentials forwards your TGT to the server you log in to, which can then obtain tickets in your name; keep it limited to a Host pattern of servers you trust, as here, rather than enabling it for Host *.
- Retrieve a ticket for your principal (benst here):
kinit benst
- Login to other host:
ssh user@host
rhel7_kerberos.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1