RHEL 7 Kerberos 5 with OpenLDAP backend
Prerequisites
Modifications on LDAP server
Install prerequisite packages:
yum install krb5-server-ldap
Copy schema files:
cp /usr/share/doc/krb5-server-ldap-1.13.2/kerberos.* /etc/openldap/schema/
Workaround problem with importing the kerberos LDIF:
mkdir /tmp/ldap-kerberos/
echo "include /etc/openldap/schema/kerberos.schema" > /tmp/ldap-kerberos/schema_convert.conf
mkdir /tmp/ldap-kerberos/krb5_ldif
slaptest -f /tmp/ldap-kerberos/schema_convert.conf -F /tmp/ldap-kerberos/krb5_ldif
# Edit /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif and replace
dn: cn={0}kerberos
cn: {0}kerberos
with
dn: cn=kerberos,cn=schema,cn=config
cn: kerberos
# Remove (at the end of the file)
structuralObjectClass: olcSchemaConfig
entryUUID: ...
creatorsName: cn=config
createTimestamp: ...
entryCSN: ...
modifiersName: cn=config
modifyTimestamp: ...
You can now add the schema:
ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
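Added example, not from the original page: a small POSIX shell helper that applies the hand edits described above to the slaptest output mechanically, so none of the operational attributes are left behind; it accepts any {N} index rather than only {0}, and the LDIF it runs on here is a constructed, abridged stand-in with a placeholder OID.

```shell
#!/bin/sh
# Added example, not from the original page: apply the manual LDIF edits
# described above mechanically. Accepts any {N} index, not only {0}.

fix_krb_schema_ldif() {
    # $1 = LDIF written by slaptest, $2 = cleaned LDIF ready for ldapadd
    awk '
        # Replace the slapd.d-style naming with a DN under cn=schema,cn=config
        /^dn: cn=[{][0-9]+[}]kerberos$/ { print "dn: cn=kerberos,cn=schema,cn=config"; next }
        /^cn: [{][0-9]+[}]kerberos$/    { print "cn: kerberos"; next }
        # Drop the operational attributes; slapd regenerates them on import
        /^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):/ { next }
        { print }
    ' "$1" > "$2"
}

# Constructed, abridged stand-in for the real slaptest output (placeholder OID).
WORK=$(mktemp -d)
cat > "$WORK/cn={0}kerberos.ldif" <<'EOF'
dn: cn={0}kerberos
objectClass: olcSchemaConfig
cn: {0}kerberos
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'krbSampleAttr' SYNTAX 1.3.6.
 1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20211009000000Z
entryCSN: 20211009000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20211009000000Z
EOF

fix_krb_schema_ldif "$WORK/cn={0}kerberos.ldif" "$WORK/kerberos.ldif"
cat "$WORK/kerberos.ldif"
# Next step, as on the page:
# ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f "$WORK/kerberos.ldif"
```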
Edit /etc/krb5.conf: uncomment all lines and replace EXAMPLE.COM (and the lower-case example.com occurrences) with your own realm and domain.
Edit /etc/krb5.conf again and add the following inside your realm's definition in the [realms] section:
    default_domain = example.com
    database_module = openldap_ldapconf
Edit /etc/krb5.conf and add the LDAP database configuration:
[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        ldap_service_password_file = /etc/kerberos/service.keyfile
        ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
        ldap_conns_per_server = 5
    }
Edit /var/kerberos/krb5kdc/kadm5.acl and replace EXAMPLE.COM with your own realm.
Add principals (the last addprinc uses -x dn=... to attach the principal to an existing LDAP user entry):
kadmin.local: addprinc -randkey host/kdc.dc.polaire.nl
kadmin.local: ktadd host/kdc.dc.polaire.nl
kadmin.local: addprinc root/admin
kadmin.local: addprinc -x dn="uid=example,ou=people,dc=example,dc=com" example
kadmin.local: quit
Firewall
Open firewall ports:
firewall-cmd --zone public --add-service kerberos --permanent
firewall-cmd --reload
SSH clients
Edit /etc/ssh/sshd_config to include the following lines:
KerberosAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# Set UsePAM to no if you don't want to allow logins with local accounts.
#UsePAM no
Edit /etc/ssh/ssh_config to include the following lines:
Host *.domain.com
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Retrieve ticket:
kinit benst
Login to other host:
ssh user@host
rhel7_kerberos.txt · Last modified: 2021/10/09 15:14 (external edit)