Create kerberos domain controller (KDC)

Install packages

yum -y install krb5-server krb5-libs

# test tools (client):
yum -y install krb5-workstation

Configure krb5 (client)

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = MYDOMAIN.LOCAL
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
MYDOMAIN.LOCAL = {
  kdc = ldap-server.mydomain.local
  admin_server = ldap-server.mydomain.local
}

[domain_realm]
.mydomain.local = MYDOMAIN.LOCAL
mydomain.local = MYDOMAIN.LOCAL

Test

# 1 -- obtain a ticket (init connection):
# MY-LDAP-LOGIN is the user account present on ldap-server.mydomain.local
# You will be prompted for your password.
kinit MY-LDAP-LOGIN
 
# 2 -- display the ticket:
klist
 
# 3 -- finally, destroy the ticket:
kdestroy

Configure kdc (server)

First, edit the file /var/kerberos/krb5kdc/kdc.conf like this:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYDOMAIN.LOCAL = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Then configure the ACL file /var/kerberos/krb5kdc/kadm5.acl.
Note: this grants full rights to every principal of the form USER-LOGIN/admin.

*/admin@MYDOMAIN.LOCAL      *
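As an added example (not part of the original page), a small Python checker over the two files configured above: it reports the weak or deprecated enctypes listed in supported_enctypes and any kadm5.acl line that hands all privileges to a wildcard principal pattern. The config and ACL text are constructed inline from the snippets above; the weak/deprecated classification is the example's own.

```python
import re
# Constructed sample input: the [realms] stanza of the kdc.conf shown above.
KDC_CONF = """\
[realms]
 MYDOMAIN.LOCAL = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
# Constructed sample input: the one-line kadm5.acl shown above.
KADM5_ACL = "*/admin@MYDOMAIN.LOCAL      *\n"

# Single DES is refused by a default KDC (allow_weak_crypto = false); RC4 and 3DES are deprecated in MIT krb5.
WEAK_PREFIXES = ("des-", "arcfour-", "des3-")


def supported_enctypes(conf: str, realm: str) -> list[str]:
    """Enctype names (salt type stripped) that the realm stanza offers."""
    stanza = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S)
    if not stanza:
        return []
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", stanza.group(1), re.M)
    return [tok.split(":")[0] for tok in m.group(1).split()] if m else []


def weak_enctypes(conf: str, realm: str) -> list[str]:
    """Offered enctypes that a hardened KDC should drop from the list."""
    return [e for e in supported_enctypes(conf, realm) if e.startswith(WEAK_PREFIXES)]


def broad_acl_entries(acl: str) -> list[tuple[str, str]]:
    """(principal, perms) for lines granting all rights (* or x) to a
    wildcard principal pattern with no target restriction."""
    hits = []
    for line in acl.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        principal, perms = fields[0], fields[1]
        if "*" in principal and perms in ("*", "x") and len(fields) == 2:
            hits.append((principal, perms))
    return hits


if __name__ == "__main__":
    for e in weak_enctypes(KDC_CONF, "MYDOMAIN.LOCAL"):
        print("weak or deprecated enctype offered:", e)
    for principal, perms in broad_acl_entries(KADM5_ACL):
        print(f"ACL grants '{perms}' to wildcard principal {principal}")
```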

Init database:

# Takes some time... you will be prompted for an admin password. Remember it!
kdb5_util create -r MYDOMAIN.LOCAL -s

Start services:

systemctl enable krb5kdc.service
systemctl start krb5kdc.service
 
systemctl enable kadmin.service
systemctl start kadmin.service

Add human users:

kadmin.local
kadmin.local: add_principal admin/admin
kadmin.local: add_principal MY-ADMIN-USER-LOGIN/admin
 
kadmin.local: add_principal -randkey host/mydomain.local
kadmin.local: ktadd host/mydomain.local

Add service users:

kadmin.local
kadmin.local: add_principal -randkey ldap/MY-HOST-1
kadmin.local: add_principal -randkey ldap/MY-HOST-2
kadmin.local: add_principal -randkey host/MY-HOST-1.mydomain.local
kadmin.local: add_principal -randkey host/MY-HOST-2.mydomain.local

Create service keys:

kadmin.local
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

Test

List keytab information:

ktutil
ktutil:  read_kt /var/kerberos/krb5kdc/kadm5.keytab
ktutil:  list
ktutil:  exit

Also check the default keytab information:

klist -e -k

Copyright © 2023 My linux world - by Marc RABAHI