Working Single KDC Linux
My attempt to follow the steps here HOWTO: Kerberos for small networks, without LDAP or AD. Hopefully I will have a working Key Distribution Center solution for the farm when I am done, as the steps I am following are about twelve years old at this point.
Goal 1
- A master Key Distribution Center (KDC) built on MIT-KRB5 Kerberos.
Prerequisites
Working Network Time Protocol (NTP)
Validate NTP is working on systems using systemd by issuing the timedatectl status command.
$ timedatectl status
Local time: Fri 2019-10-25 04:41:10 CDT
Universal time: Fri 2019-10-25 09:41:10 UTC
RTC time: Fri 2019-10-25 09:41:10
Time zone: US/Central (CDT, -0500)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
Output from devices running long term support (LTS) releases may look more like the following:
Local time: Fri 2019-10-25 05:08:56 CDT
Universal time: Fri 2019-10-25 10:08:56 UTC
RTC time: Fri 2019-10-25 10:08:58
Time zone: America/Chicago (CDT, -0500)
System clock synchronized: yes
systemd-timesyncd.service active: yes
RTC in local TZ: no
Issue the systemctl status systemd-timesyncd.service command to check which NTP server the device is syncing time with.
$ systemctl status systemd-timesyncd.service
● systemd-timesyncd.service - Network Time Synchronization
Loaded: loaded (/lib/systemd/system/systemd-timesyncd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-10-25 04:50:21 CDT; 1min 33s ago
Docs: man:systemd-timesyncd.service(8)
Main PID: 88031 (systemd-timesyn)
Status: "Synchronized to time server for the first time 107.172.97.205:123 (0.gentoo.pool.ntp.org)."
Tasks: 2
Memory: 1.2M
CPU: 236ms
CGroup: /system.slice/systemd-timesyncd.service
└─88031 /lib/systemd/systemd-timesyncd
Oct 25 04:50:21 setback systemd[1]: Starting Network Time Synchronization...
Oct 25 04:50:21 setback systemd[1]: Started Network Time Synchronization.
Oct 25 04:50:21 setback systemd-timesyncd[88031]: Synchronized to time server for the first time 107.172.97.205:123 (0.gentoo.pool.ntp.org).
Working Domain Name Service (DNS)
Kerberos ticketing depends on working DNS, which I will define for this post as: forward and reverse lookups work for the KDC, and the hostname -f command returns the fully qualified domain name of the KDC. The same expectations will need to be in place for devices hoping to make use of the KDC.
$ dig +noall +answer setback.grimmig.mine.nu
setback.grimmig.mine.nu. 19588 IN A 192.168.100.96
$ dig +noall +answer -x 192.168.100.96
96.100.168.192.in-addr.arpa. 43518 IN PTR setback.grimmig.mine.nu.
$ hostname -f
setback.grimmig.mine.nu
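The three prerequisite checks above (clock synchronized, forward and reverse DNS agreeing, hostname -f returning the FQDN) are easy to get subtly wrong, and a skewed clock or a mismatched PTR record shows up later as an opaque Kerberos error. The following script is an added example, not code from the original post: each check takes the relevant command output as a string so it can be exercised offline against constructed samples, and run_live_preflight feeds it real output. The function names, the PREFLIGHT_LIVE variable and the sample strings are my own; the 300-second limit is MIT krb5's default clockskew value.

```shell
#!/bin/sh
# KDC preflight checks (added example; not part of the original post).
# Checks take command output as a string so they can be tested offline;
# run_live_preflight (hypothetical name) feeds them real command output.

# MIT krb5 rejects requests whose timestamp differs from the KDC's clock by more
# than the libdefaults clockskew setting, which defaults to 300 seconds.
MAX_SKEW=300

ntp_synced() {
  # $1: output of `timedatectl status`; true when the clock is reported synchronized
  printf '%s\n' "$1" | grep -qiE '^[[:space:]]*System clock synchronized:[[:space:]]*yes[[:space:]]*$'
}

clock_skew_ok() {
  # $1: local epoch seconds, $2: reference (KDC) epoch seconds; true when within MAX_SKEW
  d=$(( $1 - $2 ))
  if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
  [ "$d" -le "$MAX_SKEW" ]
}

fqdn_matches() {
  # $1: output of `hostname -f`, $2: expected KDC FQDN
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$2" ]
}

dns_consistent() {
  # $1: KDC FQDN
  # $2: answer line(s) from `dig +noall +answer <fqdn>`
  # $3: answer line(s) from `dig +noall +answer -x <ip>`
  fqdn=$1
  ip=$(printf '%s\n' "$2" | awk -v n="$fqdn." '$1==n && $3=="IN" && $4=="A" {print $5; exit}')
  [ -n "$ip" ] || return 1
  ptr=$(printf '%s\n' "$3" | awk '$3=="IN" && $4=="PTR" {print $5; exit}')
  [ "${ptr%.}" = "$fqdn" ] || return 1
  # The PTR owner name must be the A record's address with octets reversed under in-addr.arpa.
  arpa=$(printf '%s\n' "$3" | awk '$3=="IN" && $4=="PTR" {print $1; exit}')
  want=$(printf '%s\n' "$ip" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa."}')
  [ "$arpa" = "$want" ]
}

run_live_preflight() {
  # Runs the checks against this host; needs timedatectl, hostname and dig installed.
  fqdn=$(hostname -f)
  ip=$(dig +noall +answer "$fqdn" | awk '$4=="A"{print $5; exit}')
  ntp_synced "$(timedatectl status)" || { echo "FAIL: system clock not synchronized"; return 1; }
  dns_consistent "$fqdn" "$(dig +noall +answer "$fqdn")" "$(dig +noall +answer -x "$ip")" \
    || { echo "FAIL: forward/reverse DNS disagree for $fqdn"; return 1; }
  echo "OK: $fqdn ($ip) is time-synchronized and resolves both ways"
}

# Constructed sample output mirroring the post's KDC host, for an offline self-check.
SAMPLE_TIMEDATECTL='               Local time: Fri 2019-10-25 04:41:10 CDT
           Universal time: Fri 2019-10-25 09:41:10 UTC
 System clock synchronized: yes
               NTP service: active'
SAMPLE_FWD='setback.grimmig.mine.nu. 19588 IN A 192.168.100.96'
SAMPLE_REV='96.100.168.192.in-addr.arpa. 43518 IN PTR setback.grimmig.mine.nu.'

if [ "${PREFLIGHT_LIVE:-0}" = 1 ]; then
  run_live_preflight
fi
```

Run it as PREFLIGHT_LIVE=1 sh preflight.sh on the future KDC and on each client; clock_skew_ok is meant for comparing date +%s on a client against the same command on the KDC when kinit starts failing with clock-skew errors.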
Configuration
For this initial set up I will be using the following:
SERVER
- DNS domain: grimmig.mine.nu
- Kerberos realm: GRIMMIG.MINE.NU
- Key Distribution Center (KDC) host: setback.grimmig.mine.nu
- KDC config file: /var/lib/krb5kdc/kdc.conf
- Admin ACL file: /var/lib/krb5kdc/kadm5.acl
- Readable only by root
CLIENT
- Client configuration file: /etc/krb5.conf
- PAM file to allow Kerberos system access: /etc/pam.d/system-auth
Steps
- Install necessary packages on KDC:
- app-crypt/mit-krb5-1.17-r1
- sys-auth/pam_krb5-4.7
- Create initial kdc.conf file, /var/lib/krb5kdc/kdc.conf.
[realms]
GRIMMIG.MINE.NU = {
max_life = 16h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts-hmac-sha1-96
supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
kdc_supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
}
- Create admin ACL file, /var/lib/krb5kdc/kadm5.acl.
*/admin@GRIMMIG.MINE.NU *
- Create client config file, /etc/krb5.conf. Same across all devices.
[libdefaults]
default_realm = GRIMMIG.MINE.NU
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
forwardable = true
[realms]
GRIMMIG.MINE.NU = {
admin_server = setback.grimmig.mine.nu
kdc = setback.grimmig.mine.nu
}
[domain_realm]
.grimmig.mine.nu = GRIMMIG.MINE.NU
grimmig.mine.nu = GRIMMIG.MINE.NU
[logging]
kdc = SYSLOG
admin_server = SYSLOG
default = SYSLOG
- Create Kerberos database.
- Do not forget or lose the password entered.
- Ensure /var/lib/krb5kdc/.k5.GRIMMIG.MINE.NU is readable only by root after creation.
kdb5_util create -r GRIMMIG.MINE.NU -s
- Add Kerberos database service principals and users.
kadmin.local
Add required Kerberos service principals to system keytab.
kadmin.local: ktadd kadmin/admin kadmin/changepw
Create default policy.
kadmin.local: add_policy -maxlife "10 years" default
Create normal and administrative user principals, replacing username in the following with actual user account names.
kadmin.local: add_principal username/admin
kadmin.local: add_principal username
Create KDC server host principal and add to keytab.
kadmin.local: add_principal -randkey host/setback.grimmig.mine.nu
kadmin.local: ktadd host/setback.grimmig.mine.nu
Exit admin utility.
kadmin.local: quit
- Enable and start KDC services.
systemctl enable mit-krb5kdc
systemctl enable mit-krb5kadmind
systemctl start mit-krb5kdc
systemctl start mit-krb5kadmind
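Two things in the steps above are worth re-checking once the services are up: the stash file and the admin ACL must be readable only by root, and the enctype lists in kdc.conf and krb5.conf still offer rc4-hmac, which is deprecated in current MIT krb5 releases along with the single-DES types and should be dropped as soon as no legacy client needs it. The following script is an added example, not the post's own code: the file paths and realm come from the post, while the function names, the KDC_AUDIT_LIVE variable and the sample config text are my own. The config functions take file contents as a string so they can be tested offline; strip_weak_enctypes prints the corrected line beside the original's weak one.

```shell
#!/bin/sh
# Post-install checks for the KDC set up above (added example; not from the original post).
# Enctype and permission functions take their input as arguments so they run offline;
# audit_kdc_files (hypothetical name) applies them to the real files from the post.

# Enctypes MIT krb5 has deprecated: RC4 (with its aliases), single DES and triple DES.
WEAK_ENCTYPES='rc4-hmac|arcfour-hmac|arcfour-hmac-md5|des-cbc-crc|des-cbc-md5|des-cbc-md4|des3-cbc-sha1'
# Config keys whose values are enctype lists, in kdc.conf and krb5.conf.
ENCTYPE_KEYS='supported_enctypes|kdc_supported_enctypes|permitted_enctypes|default_tkt_enctypes|default_tgs_enctypes'

weak_enctypes_in() {
  # $1: contents of kdc.conf or krb5.conf; prints each weak enctype offered, one per line
  # (salt suffixes such as ":normal" are stripped before matching); prints nothing when clean.
  printf '%s\n' "$1" \
    | grep -E "^[[:space:]]*($ENCTYPE_KEYS)[[:space:]]*=" \
    | tr ' \t' '\n\n' \
    | sed 's/:[^ ]*$//' \
    | grep -E "^($WEAK_ENCTYPES)$" \
    | sort -u
}

strip_weak_enctypes() {
  # $1: config text; prints it with weak enctypes removed from enctype lines, all else unchanged.
  printf '%s\n' "$1" | awk -v keys="$ENCTYPE_KEYS" -v weak="$WEAK_ENCTYPES" '
    $0 ~ ("^[[:space:]]*(" keys ")[[:space:]]*=") {
      eq = index($0, "=")
      lhs = substr($0, 1, eq)                       # e.g. "  supported_enctypes ="
      n = split(substr($0, eq + 1), tok, /[ \t]+/)
      out = ""
      for (i = 1; i <= n; i++) {
        if (tok[i] == "") continue
        name = tok[i]; sub(/:.*$/, "", name)        # drop ":normal" style salt suffix
        if (name !~ ("^(" weak ")$")) out = out " " tok[i]
      }
      print lhs out; next
    }
    { print }'
}

is_private_file() {
  # $1: path; true when group and other have no permission bits (mode 0600, 0400, ...)
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

owned_by_root() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

audit_kdc_files() {
  rc=0
  # The post requires the stash file and the admin ACL to be readable only by root.
  for f in /var/lib/krb5kdc/.k5.GRIMMIG.MINE.NU /var/lib/krb5kdc/kadm5.acl; do
    if ! owned_by_root "$f" || ! is_private_file "$f"; then
      echo "FAIL: $f must be owned by root and readable only by root (mode 0600)"; rc=1
    fi
  done
  for f in /var/lib/krb5kdc/kdc.conf /etc/krb5.conf; do
    weak=$(weak_enctypes_in "$(cat "$f")")
    if [ -n "$weak" ]; then
      echo "WARN: $f offers deprecated enctypes: $(printf '%s' "$weak" | tr '\n' ' ')"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: the realm stanza from the post's kdc.conf, which still lists rc4-hmac.
SAMPLE_KDC_CONF='[realms]
GRIMMIG.MINE.NU = {
    max_life = 16h 0m 0s
    supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
    kdc_supported_enctypes = aes256-cts-hmac-sha1-96:normal rc4-hmac:normal
}'

if [ "${KDC_AUDIT_LIVE:-0}" = 1 ]; then
  audit_kdc_files
fi
```

Run KDC_AUDIT_LIVE=1 sh kdc-audit.sh as root on the KDC after the services start. Removing rc4-hmac from supported_enctypes only affects keys created afterwards, so change the list before adding principals, or re-key existing principals (change_password -randkey in kadmin) after the change.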
Testing
- Get ticket for host principal from keytab
sudo kinit -k
- No feedback is good.
- Review ticket:
$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_1000_Omhc4N
Default principal: host/setback.grimmig.mine.nu@GRIMMIG.MINE.NU
Valid starting Expires Service principal
10/29/2019 09:04:35 10/30/2019 01:04:35 krbtgt/GRIMMIG.MINE.NU@GRIMMIG.MINE.NU
renew until 10/30/2019 09:04:35
- Get user ticket:
$ kinit chuck
Password for chuck@GRIMMIG.MINE.NU:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_Omhc4N
Default principal: chuck@GRIMMIG.MINE.NU
Valid starting Expires Service principal
10/29/2019 09:12:42 10/30/2019 01:12:42 krbtgt/GRIMMIG.MINE.NU@GRIMMIG.MINE.NU
renew until 10/30/2019 09:12:42
Since no errors appeared, the first KDC is presumed ready for use.