Saturday, September 24, 2016

configure kerberos server as authentication server in a network

***information***
This tutorial has three parts:
- dns
- kerberos server
- client authentication against kerberos
----
kerberos server ip : 192.168.202.25
kerberos realm: AUTH.COM
kerberos admin server: k.auth.com



***dns***
1- install bind9
$ sudo apt-get install bind9

2- configure name server and add kerberos service record

- add the following lines to /etc/bind/named.conf.default-zones
zone "auth.com" {
    type master;
    file "/etc/bind/db.auth.com";
};




- zone file of auth.com, /etc/bind/db.auth.com, with the following lines (the _kerberos-adm record goes under _tcp, because kadmin listens on TCP port 749)
;
; BIND data file for the auth.com zone
;
$TTL    604800
@    IN    SOA    ns1.auth.com. root.auth.com. (
                  2        ; Serial
             604800        ; Refresh
              86400        ; Retry
            2419200        ; Expire
             604800 )    ; Negative Cache TTL
;
@    IN    NS    ns1.auth.com.
@    IN    A    192.168.202.25
@    IN    AAAA    ::1
ns1    IN    A    192.168.202.250
k    IN    A    192.168.202.25
$ORIGIN auth.com.
_kerberos               TXT     "AUTH.COM"
$ORIGIN _udp.auth.com.
_kerberos               SRV     0 0 88 k.auth.com.
$ORIGIN _tcp.auth.com.
_kerberos-adm           SRV     0 0 749 k.auth.com.



3- restart the bind9 service; this finishes the dns part
$ sudo /etc/init.d/bind9 restart
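As an added example (not part of the original post), the Python script below parses the Kerberos records of a zone file like db.auth.com and resolves them the way an MIT Kerberos client does (TXT _kerberos.<domain> for the realm, SRV _kerberos._udp/_tcp for the KDCs, SRV _kerberos-adm._tcp for the admin server), so the zone can be checked before bind9 is restarted. ZONE, KNOWN_TYPES and the function names are the example's own; ZONE is a constructed fragment with the kadmin record under _tcp, because kadmin listens on TCP port 749.

```python
# Added example, not from the original post: resolve the Kerberos DNS records of a
# BIND zone the way an MIT client does. ZONE is a constructed fragment of db.auth.com.
KNOWN_TYPES = {"A", "AAAA", "NS", "TXT", "SRV"}   # single-line records; SOA is skipped
ZONE = """\
$ORIGIN auth.com.
_kerberos               TXT     "AUTH.COM"
$ORIGIN _udp.auth.com.
_kerberos               SRV     0 0 88 k.auth.com.
$ORIGIN _tcp.auth.com.
_kerberos               SRV     0 0 88 k.auth.com.
_kerberos-adm           SRV     0 0 749 k.auth.com.
"""

def parse_zone(text, origin="auth.com."):
    """Return {fqdn: [(rtype, rdata_tokens), ...]}, honouring $ORIGIN directives."""
    records = {}
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()          # drop ';' comments
        idx = [i for i, t in enumerate(tokens) if t in KNOWN_TYPES]
        if tokens and tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif idx and not tokens[0].startswith("$"):    # skips blank, $TTL and SOA lines
            name, rtype, rdata = tokens[0], tokens[idx[0]], tokens[idx[0] + 1:]
            fqdn = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
            records.setdefault(fqdn, []).append((rtype, rdata))
    return records

def srv_targets(records, name):
    """(host, port) pairs in RFC 2782 order: lowest priority first, then highest weight."""
    rows = []
    for rtype, rdata in records.get(name, []):
        if rtype == "SRV":
            prio, weight, port, host = rdata
            rows.append((int(prio), -int(weight), host.rstrip("."), int(port)))
    return [(host, port) for _, _, host, port in sorted(rows)]

def kerberos_lookup(records, domain="auth.com."):
    """(realm, kdcs, admin_servers) as dns_lookup_realm / dns_lookup_kdc would find them."""
    txt = [rd[0].strip('"') for rt, rd in records.get(f"_kerberos.{domain}", []) if rt == "TXT"]
    kdcs = srv_targets(records, f"_kerberos._udp.{domain}") + srv_targets(records, f"_kerberos._tcp.{domain}")
    return (txt[0] if txt else None), list(dict.fromkeys(kdcs)), srv_targets(records, f"_kerberos-adm._tcp.{domain}")

def zone_problems(text, domain="auth.com."):
    """Pre-restart check: every name a client queries must carry the expected record."""
    realm, kdcs, admin = kerberos_lookup(parse_zone(text), domain)
    checks = [(realm is None, f"no TXT realm record at _kerberos.{domain}"),
              (not kdcs, f"no SRV KDC record under _kerberos._udp/_tcp.{domain}"),
              (not admin, f"no SRV record at _kerberos-adm._tcp.{domain} (kadmin uses TCP 749)")]
    return [msg for bad, msg in checks if bad]
```

Run zone_problems() on the real /etc/bind/db.auth.com text: an empty list means the client lookups will all succeed, and moving the _kerberos-adm record back under _udp reproduces the missing-admin-server finding.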


***kerberos server***
1- install the kerberos packages
$ sudo apt-get install krb5-kdc krb5-admin-server   (press Escape at the configuration prompt so the installer does not auto-configure the realm)
$ sudo dpkg-reconfigure krb5-kdc

2- update the kerberos configuration file /etc/krb5.conf to add the realm AUTH.COM, with the following content

[libdefaults]
    kdc_ports = 750,88
    default_realm = AUTH.COM

    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    AUTH.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
        default_principal_flags = +preauth
    }
[login]
    krb4_convert = true
    krb4_get_tickets = false
[logging]
    default = FILE:/var/log/krb5.log


3- create the realm database with the following command, then restart the kerberos services
$ sudo krb5_newrealm
$ sudo  /etc/init.d/krb5-admin-server restart
$ sudo /etc/init.d/krb5-kdc restart

4- create the admin principal and a user principal (kadmin.local reads the KDC database directly, so it runs as root)
$ sudo kadmin.local
kadmin.local:  addprinc admin
kadmin.local:  ank -policy users test
kadmin.local: q

5- test those accounts
$ kinit admin
or
$ kinit admin@AUTH.COM
$ kinit test
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@AUTH.COM

Valid starting       Expires              Service principal
09/24/2016 06:14:15  09/24/2016 16:14:15  krbtgt/AUTH.COM@AUTH.COM
    renew until 09/25/2016 06:14:14


***client part***
1- install all necessary packages
$ sudo apt-get install krb5-user krb5-config libkadm5clnt-mit10 libpam-krb5

2- update the kerberos configuration file /etc/krb5.conf as below
[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = AUTH.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    AUTH.COM = {
        kdc = k.auth.com
        admin_server = k.auth.com
        default_domain = AUTH.COM
    }

[domain_realm]
    .auth.com = AUTH.COM
    auth.com = AUTH.COM




3- update the pam common-auth file by adding the following line to /etc/pam.d/common-auth
auth    sufficient      pam_krb5.so minimum_uid=1000

4- if the client authenticates against ldap, just create the account in ldap; if the client uses local accounts, the account has to be added with useradd -m
so we now add the user test, because that user has already been created in kerberos
$ sudo useradd -m test

5- now we can log in as user test, whose password is stored on the kerberos server

snapshot of login with user test
