Friday, 7 December 2018

Authenticate a RHEL 7 Machine with Kerberos Server

This Red Hat Certified Engineer (RHCE) objective requires you to know how to configure a Linux system to authenticate using Kerberos. The objective does not require you to know how to configure a Kerberos server. However, for the sake of practice you can set up your own Kerberos server using FreeIPA. (Please read our previous post Configure Identity Management (IdM) with FreeIPA Server.)

We have already written an article about authenticating a Red Hat Enterprise Linux (RHEL) 7 machine with a Kerberos (or more specifically FreeIPA) server using the ipa-client package (Configure a Linux Machine as FreeIPA Client). Now we will see how to authenticate a RHEL 7 machine with a Kerberos server without using ipa-client: the client receives only a host keytab and a Kerberos configuration, not the LDAP identity, certificate and SSSD domain setup that ipa-client-install performs.

System Specification:

FreeIPA Server
  Hostname:   ipaserver.example.com
  IP Address: 192.168.116.200/24

Kerberos Client
  Hostname:   client2.example.com
  IP Address: 192.168.116.202/24

Kerberos Server-side Configuration:

Although the server-side configuration is not part of the RHCE objectives, you are practicing in your own test environment, so it is good to know how a Kerberos client is added on the server side.

Add client2.example.com machine to Kerberos Server.

Connect to ipaserver.example.com and execute following commands.

[root@ipaserver ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ipaserver ~]# ipa host-add --ip-address 192.168.116.202 client2.example.com
--------------------------------
Added host "client2.example.com"
--------------------------------
  Host name: client2.example.com
  Principal name: host/client2.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: client2.example.com
[root@ipaserver ~]# ipa dnsrecord-add example.com client2 --ttl=3600 --a-ip-address=192.168.116.202
  Record name: client2
  Time to live: 3600
  A record: 192.168.116.202

Generate the Kerberos keytab for client2.example.com. ipa-getkeytab asks the KDC to create keys for the host principal and stores them in the file given with -k (the host entry above shows Keytab: False because no keys exist yet). Each run generates fresh keys and increments the key version number (KVNO), so any keytab issued earlier for this principal stops working.

[root@ipaserver ~]# ipa-getkeytab -s ipaserver.example.com -p host/client2.example.com -k /var/ftp/pub/client2.keytab
Keytab successfully retrieved and stored in: /var/ftp/pub/client2.keytab
[root@ipaserver ~]# chmod 644 /var/ftp/pub/client2.keytab

Keep in mind that the keytab is the host's long-term credential: anyone who can read it can impersonate client2.example.com to the KDC. Making it world-readable on an anonymous FTP share, as done here, is acceptable only in an isolated lab. In a real deployment transfer it with scp over SSH (or run ipa-getkeytab on the client itself with admin credentials) and delete the copy from the FTP directory as soon as the client has fetched it.

 

Kerberos Client-side Configuration:

Connect to client2.example.com and configure it for Kerberos authentication.

Configure DNS resolution so that the client uses the FreeIPA server as its nameserver. Kerberos needs the KDC's name to resolve, and the client's own fully qualified name must resolve to the same name used in the host principal.

[root@client2 ~]# nmcli connection modify eno16777728 ipv4.dns 192.168.116.200
[root@client2 ~]# nmcli connection down eno16777728 ; nmcli connection up eno16777728
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)

Install required Packages using yum command.

[root@client2 ~]# yum install -y krb5-workstation sssd pam_krb5
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Package krb5-workstation-1.11.3-49.el7.x86_64 already installed and latest version
Package sssd-1.11.2-65.el7.x86_64 already installed and latest version
Package pam_krb5-2.4.8-4.el7.x86_64 already installed and latest version
Nothing to do

I have already installed the required packages, so yum performs no action on my machine.

Download keytab file from ipaserver.example.com.

[root@client2 ~]# wget ftp://ipaserver/pub/client2.keytab -O /etc/krb5.keytab
--2018-07-29 02:20:07--  ftp://ipaserver/pub/client2.keytab
           => ‘/etc/krb5.keytab’
Resolving ipaserver (ipaserver)... 192.168.116.200
Connecting to ipaserver (ipaserver)|192.168.116.200|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub ... done.
==> SIZE client2.keytab ... 492
==> PASV ... done.    ==> RETR client2.keytab ... done.
Length: 492 (unauthoritative)

100%[======================================>] 492         --.-K/s   in 0s

2018-07-29 02:20:07 (53.8 MB/s) - ‘/etc/krb5.keytab’ saved [492]

[root@client2 ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM
[root@client2 ~]#

Our keytab is now in place. The six entries belong to one principal and one key version (KVNO 1); they differ only in encryption type, which klist -ke would show. Before going further, make sure /etc/krb5.keytab is owned by root and readable by root only (mode 0600): wget created it with the default umask, and a keytab readable by other users lets any local account impersonate the host. Now let's configure Kerberos authentication.

[root@client2 ~]# authconfig --update --enablekrb5 --krb5realm=EXAMPLE.COM --krb5kdc=ipaserver.example.com --krb5adminserver=ipaserver.example.com

authconfig --update writes the realm and KDC into /etc/krb5.conf and enables pam_krb5 in the system PAM stack, so password logins are now verified against the KDC. Two things to keep in mind: Kerberos provides authentication only, so a user still needs an account the system can resolve (a local account with the same name as the Kerberos principal, or an LDAP/SSSD identity source enabled alongside --enablekrb5); and the client's clock must agree with the KDC's within the Kerberos clock skew limit (five minutes by default), so chrony or ntpd should be running on the client.

We have now configured our Red Hat Enterprise Linux (RHEL) 7 machine to authenticate with the Kerberos server.
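As an added example (not code from the original post, nor from FreeIPA or authconfig), here is a small POSIX shell script that checks the result of the client-side steps above. It assumes this post's lab values (realm EXAMPLE.COM, KDC ipaserver.example.com, client client2.example.com, keytab /etc/krb5.keytab), all of which can be overridden through environment variables; the sample klist and krb5.conf text inside it is constructed to mirror the output shown above, not captured from a host. Run it with --live on the client to test the real keytab, the krb5.conf that authconfig wrote, the keytab's permissions and, most importantly, whether the KDC accepts the host key.

```shell
#!/bin/sh
# Added example, not code from the original post: post-configuration checks
# for the Kerberos-only client set up above. Assumed values come from the
# post's lab; override them via the environment. Check functions read from
# stdin or arguments so they can run on the constructed samples below;
# `--live` runs them against the real host.
set -u

REALM="${REALM:-EXAMPLE.COM}"
KDC="${KDC:-ipaserver.example.com}"
CLIENT_FQDN="${CLIENT_FQDN:-client2.example.com}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
HOST_PRINC="host/$CLIENT_FQDN@$REALM"

# keytab_has_principal PRINCIPAL   (stdin: output of `klist -k`)
# Succeeds if at least one entry is for exactly PRINCIPAL; a keytab issued
# for a different name (e.g. the short hostname) is a common login failure.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# keytab_kvnos PRINCIPAL   (stdin: output of `klist -k`)
# Prints the distinct key version numbers stored for PRINCIPAL. Every run of
# ipa-getkeytab makes new keys and bumps the KVNO on the KDC, so a keytab
# copied before a re-run is silently stale and `kinit -k` fails.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }' | sort -un
}

# krb5_conf_ok REALM KDC   (stdin: contents of /etc/krb5.conf)
# Succeeds if default_realm is REALM and a "kdc =" line names KDC
# (an optional :port suffix is ignored).
krb5_conf_ok() {
    awk -v r="$1" -v k="$2" '
        $1 == "default_realm" && $3 == r { dr = 1 }
        $1 == "kdc" { sub(/:[0-9]+$/, "", $3); if ($3 == k) kdc = 1 }
        END { exit !(dr && kdc) }'
}

# perms_private MODE   (MODE as printed by `stat -c %a`, e.g. 600)
# Succeeds only if group and others have no permission bits. wget -O creates
# the keytab with the caller's umask, typically 644, which lets every local
# user read the host's long-term key.
perms_private() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed samples mirroring the post's output (not captured from a host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client2.example.com@EXAMPLE.COM
   1 host/client2.example.com@EXAMPLE.COM'

SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = ipaserver.example.com:88
  admin_server = ipaserver.example.com:749
 }'

# offline_checks: run the parsers over the samples; returns 0 if all pass.
offline_checks() {
    printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$HOST_PRINC" || return 1
    [ "$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$HOST_PRINC")" = "1" ] || return 1
    printf '%s\n' "$SAMPLE_KRB5_CONF" | krb5_conf_ok "$REALM" "$KDC" || return 1
    perms_private 600 && ! perms_private 644
}

# live_checks: the same checks on the real files, plus the decisive test:
# a TGT obtained with the host key proves the keytab's KVNO and enctypes
# match what the KDC holds and that the clocks are within the skew limit.
live_checks() {
    klist -k "$KEYTAB" | keytab_has_principal "$HOST_PRINC" \
        || { echo "FAIL: $KEYTAB has no entry for $HOST_PRINC"; return 1; }
    echo "KVNO(s) for $HOST_PRINC: $(klist -k "$KEYTAB" | keytab_kvnos "$HOST_PRINC" | tr '\n' ' ')"
    perms_private "$(stat -c '%a' "$KEYTAB")" \
        || { echo "FAIL: $KEYTAB readable by non-root users (chmod 600 it)"; return 1; }
    krb5_conf_ok "$REALM" "$KDC" < /etc/krb5.conf \
        || { echo "FAIL: /etc/krb5.conf lacks default_realm $REALM / kdc $KDC"; return 1; }
    kinit -k -t "$KEYTAB" "$HOST_PRINC" \
        || { echo "FAIL: KDC rejected the host key (stale KVNO or clock skew?)"; return 1; }
    klist
    kdestroy
    echo "OK: $CLIENT_FQDN can authenticate to $REALM via $KDC"
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

kinit -k with the host principal is the check that matters: it fails if ipa-getkeytab was re-run after the keytab was copied (the KDC's key version moved on), if the encryption types differ, or if the clocks drift beyond the Kerberos skew limit. Once it passes, log in over ssh as a user that exists both on the KDC and on the client to confirm that pam_krb5 accepts the Kerberos password.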
