***information***
The tutorial below has three parts:
- dns
- kerberos server
- client authentication against kerberos
----
kerberos server ip : 192.168.202.25
kerberos realm: AUTH.COM
kerberos admin server: k.auth.com
***dns***
1- install bind9
$ sudo apt-get install bind9
2- configure name server and add kerberos service record
- in /etc/bind/named.conf.default-zones add the following lines
zone "auth.com" {
    type master;
    file "/etc/bind/db.auth.com";
};
- create the zone file for auth.com, /etc/bind/db.auth.com, with the following lines
;
; BIND data file for the auth.com zone
;
$TTL 604800
@ IN SOA ns1.auth.com. root.auth.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.auth.com.
@ IN A 192.168.202.25
@ IN AAAA ::1
ns1 IN A 192.168.202.250
k IN A 192.168.202.25
$ORIGIN auth.com.
_kerberos TXT "AUTH.COM"
$ORIGIN _udp.auth.com.
_kerberos SRV 0 0 88 k.auth.com.
_kerberos-adm SRV 0 0 749 k.auth.com.
3- restart the bind9 service; that completes the dns part
$ sudo /etc/init.d/bind9 restart
***kerberos server***
1- install the kerberos packages
$ sudo apt-get install krb5-kdc krb5-admin-server (press Escape at the configuration prompt so the packages are not configured automatically; we configure them by hand next)
$ sudo dpkg-reconfigure krb5-kdc
2- update the kerberos configuration file /etc/krb5.conf to add the realm AUTH.COM, giving it the following content
[libdefaults]
    kdc_ports = 750,88
    default_realm = AUTH.COM
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    AUTH.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm
        default_principal_flags = +preauth
    }
[login]
    krb4_convert = true
    krb4_get_tickets = false
[logging]
    default = FILE:/var/log/krb5.log
3- create the realm database by issuing the following command, then restart the kerberos services
$ sudo krb5_newrealm
$ sudo /etc/init.d/krb5-admin-server restart
$ sudo /etc/init.d/krb5-kdc restart
4- create the admin principal and a user principal
$ kadmin.local
kadmin.local: addprinc admin
kadmin.local: ank -policy users test
kadmin.local: q
5- test those accounts
$ kinit admin
or
$ kinit admin@AUTH.COM
$ kinit test
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@AUTH.COM
Valid starting       Expires              Service principal
09/24/2016 06:14:15  09/24/2016 16:14:15  krbtgt/AUTH.COM@AUTH.COM
        renew until 09/25/2016 06:14:14
***client part***
1- install all necessary packages
$ sudo apt-get install krb5-user krb5-config libkadm5clnt-mit10 libpam-krb5
2- update the kerberos configuration file /etc/krb5.conf as below
[logging]
    default = FILE:/var/log/krb5.log
[libdefaults]
    default_realm = AUTH.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
[realms]
    AUTH.COM = {
        kdc = k.auth.com
        admin_server = k.auth.com
        default_domain = AUTH.COM
    }
[domain_realm]
    .auth.com = AUTH.COM
    auth.com = AUTH.COM
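Two things a client library has to work out from this file before it can talk to the KDC are which realm a host belongs to ([domain_realm]) and which KDC serves that realm ([realms]). The following parser and lookup functions are an added example, not code from the post; the sample config is constructed from the post's client krb5.conf, with one extra exact-host entry (legacy.auth.com, a made-up name) to show why the post lists both `.auth.com` and `auth.com`: the dotted entry covers hosts under auth.com but not the name auth.com itself.

```python
# Constructed sample: the post's client /etc/krb5.conf plus one exact-host entry.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AUTH.COM
[realms]
    AUTH.COM = {
        kdc = k.auth.com
    }
[domain_realm]
    .auth.com = AUTH.COM
    auth.com = AUTH.COM
    legacy.auth.com = OLD.AUTH.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf syntax ([section] headers, key = value lines and
    nested { } blocks) into {section: {key: value-or-dict}}."""
    conf, stack = {}, []
    lines = (ln.split('#', 1)[0].strip() for ln in text.splitlines())  # strip comments
    for line in filter(None, lines):                                   # skip blanks
        if line.startswith('['):                   # new top-level section
            stack = [conf.setdefault(line.strip('[]'), {})]
        elif line == '}':                          # end of a nested block
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                       # start of a nested block
                stack[-1][key] = sub = {}
                stack.append(sub)
            else:
                stack[-1][key] = value
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: exact hostname first, then the nearest parent
    domain written with a leading dot, then default_realm."""
    mapping = conf.get('domain_realm', {})
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    for i in range(1, host.count('.') + 1):        # ".auth.com", then ".com"
        parent = '.' + host.split('.', i)[-1]
        if parent in mapping:
            return mapping[parent]
    return conf['libdefaults']['default_realm']

def kdc_for_realm(conf, realm):
    """Configured kdc for the realm, else the SRV name a client would resolve."""
    return conf.get('realms', {}).get(realm, {}).get(
        'kdc', '_kerberos._udp.' + realm.lower())
```

For a realm with no kdc entry the returned SRV name is exactly the record the dns part adds to the zone, which is how a client with DNS lookups enabled finds the KDC.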
3- update the PAM common-auth file by adding the following line to /etc/pam.d/common-auth
auth sufficient pam_krb5.so minimum_uid=1000
4- if the client authenticates against ldap, just create the account in ldap; but if the client authenticates against local accounts, we have to add the account with useradd -m
so we now add the local user test, since we already created that principal on the kerberos server
$ sudo useradd -m test
5- now we can log in as user test, whose password is stored on the kerberos server
[snapshot of login with user test]