{"id":1274,"date":"2015-02-19T11:31:49","date_gmt":"2015-02-19T10:31:49","guid":{"rendered":"http:\/\/blog.rabahi.net\/?page_id=1274"},"modified":"2017-05-14T16:19:01","modified_gmt":"2017-05-14T14:19:01","slug":"create-domain-controller-kdc","status":"publish","type":"page","link":"https:\/\/blog.rabahi.net\/?page_id=1274","title":{"rendered":"Create kerberos domain controller (KDC)"},"content":{"rendered":"<div id=\"toc_container\" class=\"no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Install_packages\"><span class=\"toc_number toc_depth_1\">1<\/span> Install packages<\/a><\/li><li><a href=\"#Configure_krb5_client\"><span class=\"toc_number toc_depth_1\">2<\/span> Configure krb5 (client)<\/a><ul><li><a href=\"#etckrb5conf\"><span class=\"toc_number toc_depth_2\">2.1<\/span> \/etc\/krb5.conf<\/a><\/li><li><a href=\"#test\"><span class=\"toc_number toc_depth_2\">2.2<\/span> test<\/a><\/li><\/ul><\/li><li><a href=\"#Configure_kdc_server\"><span class=\"toc_number toc_depth_1\">3<\/span> Configure kdc (server)<\/a><ul><li><a href=\"#Test\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Test<\/a><\/li><\/ul><\/li><\/ul><\/div>\n<h1><span id=\"Install_packages\">Install packages<\/span><\/h1>\n<pre>\r\nyum -y install krb5-server krb5-libs\r\n\r\n# test tools (client):\r\nyum -y install krb5-workstation\r\n<\/pre>\n<h1><span id=\"Configure_krb5_client\">Configure krb5 (client)<\/span><\/h1>\n<h2><span id=\"etckrb5conf\">\/etc\/krb5.conf<\/span><\/h2>\n<pre>\r\n[logging]\r\n default = FILE:\/var\/log\/krb5libs.log\r\n kdc = FILE:\/var\/log\/krb5kdc.log\r\n admin_server = FILE:\/var\/log\/kadmind.log\r\n\r\n[libdefaults]\r\n dns_lookup_realm = false\r\n ticket_lifetime = 24h\r\n renew_lifetime = 7d\r\n forwardable = true\r\n rdns = false\r\n default_realm = MYDOMAIN.LOCAL\r\n default_ccache_name = KEYRING:persistent:%{uid}\r\n\r\n[realms]\r\nMYDOMAIN.LOCAL = {\r\n  kdc = ldap-server.mydomain.local\r\n  admin_server = 
ldap-server.mydomain.local\r\n}\r\n\r\n[domain_realm]\r\n.mydomain.local = MYDOMAIN.LOCAL\r\nmydomain.local = MYDOMAIN.LOCAL\r\n<\/pre>\n<h2><span id=\"test\">test<\/span><\/h2>\n<pre lang=\"bash\">\r\n# 1 -- init connection:\r\n# MY-LDAP-LOGIN is the user account present in ldap-server.MYDOMAIN.local\r\n# you will be prompted for your password\r\nkinit MY-LDAP-LOGIN\r\n\r\n# 2 -- display ticket:\r\nklist\r\n\r\n# 3 -- finally destroy ticket:\r\nkdestroy\r\n<\/pre>\n<h1><span id=\"Configure_kdc_server\">Configure kdc (server)<\/span><\/h1>\n<p>First, edit the file \/var\/kerberos\/krb5kdc\/kdc.conf like this:<\/p>\n<pre>\r\n[kdcdefaults]\r\n kdc_ports = 88\r\n kdc_tcp_ports = 88\r\n\r\n[realms]\r\n MYDOMAIN.LOCAL = {\r\n  #master_key_type = aes256-cts\r\n  acl_file = \/var\/kerberos\/krb5kdc\/kadm5.acl\r\n  dict_file = \/usr\/share\/dict\/words\r\n  admin_keytab = \/var\/kerberos\/krb5kdc\/kadm5.keytab\r\n  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal\r\n }\r\n<\/pre>\n<p>Then configure the ACL in \/var\/kerberos\/krb5kdc\/kadm5.acl<br \/>\nNote: this gives maximum rights to every principal of the form USER-LOGIN\/admin.<\/p>\n<pre>\r\n*\/admin@MYDOMAIN.LOCAL      *\r\n<\/pre>\n<p>Init database:<\/p>\n<pre lang=\"bash\">\r\n# this takes some time... you will be prompted for an admin password. 
Remember it!\r\nkdb5_util create -r MYDOMAIN.LOCAL -s\r\n<\/pre>\n<p>Start services:<\/p>\n<pre lang=\"bash\">\r\nsystemctl enable krb5kdc.service\r\nsystemctl start krb5kdc.service\r\n\r\nsystemctl enable kadmin.service\r\nsystemctl start kadmin.service\r\n<\/pre>\n<p>Add human users:<\/p>\n<pre lang=\"bash\">\r\nkadmin.local\r\nkadmin.local: add_principal admin\/admin\r\nkadmin.local: add_principal MY-ADMIN-USER-LOGIN\/admin\r\n\r\nkadmin.local: add_principal -randkey host\/mydomain.local\r\nkadmin.local: ktadd host\/mydomain.local\r\n<\/pre>\n<p>Add service users:<\/p>\n<pre lang=\"bash\">\r\nkadmin.local\r\nkadmin.local: add_principal -randkey ldap\/MY-HOST-1\r\nkadmin.local: add_principal -randkey ldap\/MY-HOST-2\r\nkadmin.local: add_principal -randkey host\/MY-HOST-1.mydomain.local\r\nkadmin.local: add_principal -randkey host\/MY-HOST-2.mydomain.local\r\n<\/pre>\n<p>Create service keys:<\/p>\n<pre lang=\"bash\">\r\nkadmin.local\r\nkadmin.local:  ktadd -k \/var\/kerberos\/krb5kdc\/kadm5.keytab kadmin\/admin\r\nkadmin.local:  ktadd -k \/var\/kerberos\/krb5kdc\/kadm5.keytab kadmin\/changepw\r\nkadmin.local:  exit\r\n<\/pre>\n<h2><span id=\"Test\">Test<\/span><\/h2>\n<p>List keytab information:<\/p>\n<pre lang=\"bash\">\r\nktutil\r\nktutil:  read_kt \/var\/kerberos\/krb5kdc\/kadm5.keytab\r\nktutil:  list\r\nktutil:  exit\r\n<\/pre>\n<p>Also check the default keytab information:<\/p>\n<pre lang=\"bash\">\r\nklist -e -k\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Contents1 Install packages2 Configure krb5 (client)2.1 \/etc\/krb5.conf2.2 test3 Configure kdc (server)3.1 Test Install packages yum -y install krb5-server krb5-libs # test tools (client): yum -y install krb5-workstation Configure krb5 (client) \/etc\/krb5.conf [logging] default = FILE:\/var\/log\/krb5libs.log kdc = FILE:\/var\/log\/krb5kdc.log admin_server = FILE:\/var\/log\/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":1271,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-1274","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1274"}],"version-history":[{"count":12,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1274\/revisions"}],"predecessor-version":[{"id":2031,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1274\/revisions\/2031"}],"up":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1271"}],"wp:attachment":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}