Kerberos authentication
To use Kerberos authentication we need to set up a KDC server with all the needed principals and their passwords, and we must configure the client to use the proper Kerberos server.
Server Configuration
Server: virtual19.virtual.com
IP: 192.168.100.19
Client: virtual21.virtual.com
IP: 192.168.100.21
The packages needed are:
yum install -y krb5-server
yum install -y krb5-libs
yum install -y readline-devel
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = VIRTUAL.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
VIRTUAL.COM = {
kdc = virtual19.virtual.com
admin_server = virtual19.virtual.com
}
[domain_realm]
virtual19.virtual.com = VIRTUAL.COM
virtual21.virtual.com = VIRTUAL.COM
[appdefaults]
validate = true
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
VIRTUAL.COM = {
master_key_type = aes256-cts
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# The des*, des3 and arcfour (RC4) types below are legacy, weak enctypes kept only for old clients; a KDC serving only modern clients should list just the aes types.
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
kdb5_util create -r VIRTUAL.COM -s
kadmin.local
kadmin: listprincs
kadmin: addprinc root/admin
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin: addprinc -randkey host/virtual19.virtual.com
kadmin: ktadd -k /etc/krb5.keytab host/virtual19.virtual.com
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@VIRTUAL.COM *
service krb5kdc restart
chkconfig krb5kdc on
service kadmin restart
chkconfig kadmin on
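Before starting the KDC it is worth checking the kdc.conf written above for the two things that most often go wrong in this setup: legacy enctypes left in supported_enctypes, and pre-authentication not actually enforced because the key name is misspelled (the KDC silently ignores unknown keys). The following audit script is an added example, not part of the original post; the sample kdc.conf it checks is constructed inline to mirror the one above.

```shell
#!/bin/sh
# Added example (not from the original post): audit an MIT Kerberos kdc.conf
# for legacy enctypes and for an enforced +preauth flag. Uses only sed/grep/tr,
# so it runs on a RHEL-style box or any POSIX sh.

# Echo one weak enctype per line found in supported_enctypes of the given file.
# DES, 3DES and arcfour/RC4 are the legacy families worth flagging.
weak_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' ' '\n' \
        | sed 's/:.*$//' \
        | grep -E -i '^(des|arcfour|rc4)' || true
}

# Return 0 only if the correctly spelled key default_principal_flags contains
# +preauth. A typo such as default_principle_flags is ignored by the KDC, which
# is why the key name is matched exactly here.
preauth_enforced() {
    grep -E -q '^[[:space:]]*default_principal_flags[[:space:]]*=.*\+preauth' "$1"
}

# Constructed sample mirroring the kdc.conf from the post above.
SAMPLE_KDC_CONF=$(mktemp)
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 VIRTUAL.COM = {
  master_key_type = aes256-cts
  default_principal_flags = +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

echo "Legacy enctypes found in $SAMPLE_KDC_CONF:"
weak_enctypes "$SAMPLE_KDC_CONF"
if preauth_enforced "$SAMPLE_KDC_CONF"; then
    echo "preauth: enforced"
else
    echo "preauth: NOT enforced (check the spelling of default_principal_flags)"
fi
```

Run it against the real file with weak_enctypes /var/kerberos/krb5kdc/kdc.conf after sourcing the script; an empty list and "preauth: enforced" is the result to aim for.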
----------------------------------------------------------
Client side configuration
----------------------------------------------------------
Copy /etc/krb5.conf from the server to the client.
authconfig-tui
Select Kerberos password authentication; the utility then asks for the KDC, the admin (krb5) server and the realm name, which must be entered correctly. When the utility is closed the system configures itself to use the Kerberos server.
Now we need to add the client machine to the Kerberos server database:
kadmin
kadmin: addprinc -randkey host/virtual21.virtual.com
kadmin: ktadd -k /etc/krb5.keytab host/virtual21.virtual.com
Now the client machine is added to the server and tickets will be issued as normal. To check this, run klist to list the tickets obtained from the server.
-------------------------------------------------------------------
Adding an NIS user to Kerberos
On the server, make a principal for the NIS user, and that is it:
kadmin.local
kadmin: addprinc nisuser1
You will be prompted for a Kerberos password; at the client this allows the user to log in using Kerberos authentication.