Ben's notes


RHEL 7 Kerberos 5 with OpenLDAP backend

Prerequisites

  • Working DNS environment.
  • Working NTP environment, ntpd or chronyd.

Modifications on LDAP server

  • Install prerequisite packages:
    yum install krb5-server-ldap
  • Copy schema files:
    cp /usr/share/doc/krb5-server-ldap-1.13.2/kerberos.* /etc/openldap/schema/
  • Work around the problem of importing the Kerberos LDIF: the schema file generated by slaptest cannot be loaded into cn=config as-is, so convert it and edit the result:
    mkdir /tmp/ldap-kerberos/
    echo "include /etc/openldap/schema/kerberos.schema" > /tmp/ldap-kerberos/schema_convert.conf
    
    mkdir /tmp/ldap-kerberos/krb5_ldif
    
    slaptest -f /tmp/ldap-kerberos/schema_convert.conf -F /tmp/ldap-kerberos/krb5_ldif
    
    # Edit /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif and replace
    
    dn: cn={0}kerberos
    cn: {0}kerberos
    
    with
    
    dn: cn=kerberos,cn=schema,cn=config
    cn: kerberos
    
    # Remove (at the end of the file)
    
    structuralObjectClass: olcSchemaConfig
    entryUUID: ...
    creatorsName: cn=config
    createTimestamp: ...
    entryCSN: ...
    modifiersName: cn=config
    modifyTimestamp: ...
  • You can now add the schema:
    ldapadd -H ldaps://<FQDN> -x -D "cn=Manager,dc=domain,dc=tld" -W -f /tmp/ldap-kerberos/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
  • Create an LDAP user that can modify LDAP data, for example krbadmin.
  • Modify LDAP ACLs, for example:
    olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
          by dn.exact="cn=Manager,dc=domain,dc=tld" write
          by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
          by dn.exact="cn=replicator,dc=domain,dc=tld" read
          by self =xw
          by anonymous auth
          by * none
    olcAccess: {1}to *
          by dn.exact="cn=Manager,dc=domain,dc=tld" write
          by dn.exact="cn=krbadmin,dc=domain,dc=tld" write
          by dn.exact="cn=replicator,dc=domain,dc=tld" read
          by self read
          by users read
          by * none 
  • Add an index on krbPrincipalName to speed up principal lookups by the KDC:
    # ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcDbIndex
    olcDbIndex: krbPrincipalName eq,pres,sub
    -
    EOF
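The manual edit of the slaptest output described in the schema workaround above, scripted as an added example that is not part of the original page; the function names are mine and the sample LDIF is constructed (a real cn={0}kerberos.ldif carries the full Kerberos schema).

```shell
# Added example (not from the original page): script the manual edit of the
# slaptest output so ldapadd accepts it. Function names are mine; the sample
# file below is constructed and much shorter than a real kerberos.ldif.

# fix_kerberos_ldif IN OUT: rewrite the dn/cn header to the cn=config form and
# drop the operational attributes slaptest appends (the server generates those
# itself and rejects them in an add request).
fix_kerberos_ldif() {
    sed -e 's/^dn: cn={0}kerberos$/dn: cn=kerberos,cn=schema,cn=config/' \
        -e 's/^cn: {0}kerberos$/cn: kerberos/' \
        -e '/^structuralObjectClass: /d' -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d' "$1" > "$2"
}

# ldif_header_ok FILE: returns 0 when the file starts with the expected dn,
# carries "cn: kerberos" and no operational attribute survived; run it before
# ldapadd so a half-edited file is caught locally instead of by the server.
ldif_header_ok() {
    [ "$(head -n 1 "$1")" = "dn: cn=kerberos,cn=schema,cn=config" ] || return 1
    grep -q '^cn: kerberos$' "$1" || return 1
    grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp): ' "$1" && return 1
    return 0
}

# write_sample_ldif FILE: constructed stand-in for
# cn=config/cn=schema/cn={0}kerberos.ldif (OID-PLACEHOLDER is not a real OID).
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn={0}kerberos
objectClass: olcSchemaConfig
cn: {0}kerberos
olcAttributeTypes: {0}( OID-PLACEHOLDER NAME 'krbSampleAttr' SYNTAX OID-PLACEHOLDER )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20211009000000Z
entryCSN: 20211009000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20211009000000Z
EOF
}
```

On the LDAP server, run fix_kerberos_ldif on the real slaptest output, then ldif_header_ok on the result before handing the file to ldapadd.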

Install and configure KDC server

  • Install required packages:
    yum install -y krb5-server krb5-server-ldap krb5-workstation
  • Edit /var/kerberos/krb5kdc/kdc.conf and replace EXAMPLE.COM with your realm. The convention is to use your DNS domain name in upper-case letters.
  • Edit /var/kerberos/krb5kdc/kdc.conf and add the following inside the realm stanza under [realms]:
    default_principal_flags = +preauth
  • Edit /etc/krb5.conf: uncomment all lines and replace EXAMPLE.COM (and the lower-case example.com entries) with your domain.
  • Edit /etc/krb5.conf and add the following inside the realm stanza under [realms]:
      default_domain = example.com
      database_module = openldap_ldapconf
  • Edit /etc/krb5.conf and add the LDAP backend configuration:
    [dbdefaults]
            ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
    
    [dbmodules]
            openldap_ldapconf = {
                    db_library = kldap
                    ldap_kdc_dn = "cn=krbadmin,dc=example,dc=com"
    
                    # this object needs to have read rights on
                    # the realm container, principal container and realm sub-trees
                    ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=com"
    
                    # this object needs to have read and write rights on
                    # the realm container, principal container and realm sub-trees
                    ldap_service_password_file = /etc/kerberos/service.keyfile
                    ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                    ldap_conns_per_server = 5
            }
  • Edit /var/kerberos/krb5kdc/kadm5.acl, replace EXAMPLE.COM with your own realm.
  • Create the realm. Choose a bind user that has rights to create the LDAP/Kerberos container (note that -D and -H are global options and go before the create subcommand):
     kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com -H ldap://ldap01.example.com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s
  • Create directory /etc/kerberos
  • Stash the admin password:
    kdb5_ldap_util -D cn=krbadmin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com
  • Start and activate Kerberos:
    systemctl start krb5kdc kadmin
    systemctl enable krb5kdc kadmin
  • Add principals (the last one uses -x dn= to attach the Kerberos attributes to an existing LDAP entry instead of creating a new one):
    kadmin.local:  addprinc -randkey host/kdc.dc.polaire.nl
    
    kadmin.local:  ktadd host/kdc.dc.polaire.nl
    
    kadmin.local:  addprinc root/admin
    
    kadmin.local:  addprinc -x dn="uid=example,ou=people,dc=example,dc=com" example
    
    kadmin.local:  quit

Firewall

  • Open firewall ports:
    firewall-cmd --zone public --add-service kerberos --permanent
    firewall-cmd --reload

SSH clients

  • Install the required packages:
    yum -y install krb5-workstation pam_krb5
  • Edit the /etc/krb5.conf file:
    • Uncomment all lines.
    • Replace all example domain names and realms.
    • Change the example kdc and admin_server entries.
  • Add host principals on the KDC. Note that ktadd writes to /etc/krb5.keytab on the host where kadmin runs, so run the ktadd for each client on that client (or use ktadd -k to write a separate keytab file and copy it securely to the client):
    kadmin -p root/admin
    kadmin:  addprinc -randkey host/test1.example.com
    
    kadmin:  addprinc -randkey host/test2.example.com
    
    kadmin:  addprinc -randkey host/test3.example.com
    
    kadmin:  ktadd host/test1.example.com
    
    kadmin:  ktadd host/test2.example.com
    
    kadmin:  ktadd host/test3.example.com

Configure SSH Server

  • Configure server as LDAP client: centos7client
  • Edit /etc/ssh/sshd_config file to include the following lines (sshd_config does not allow trailing comments, so the comment is kept on its own line):
    KerberosAuthentication yes
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    # set UsePAM to no if you don't want to allow logins with local accounts.
    #UsePAM no

Configure SSH client

  • Edit /etc/ssh/ssh_config to include the following lines:
    Host *.domain.com
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
  • Retrieve ticket:
    kinit benst
  • Login to other host:
    ssh user@host
rhel7_kerberos.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1