You must have a Kerberos server running on the network; read here how to get it up. We are going to add the host deby01 as a client of the dev.local Kerberos realm (realm name DEV.LOCAL).
- Ensure the host name is an FQDN:
deby01:~# hostname -f
deby01.dev.local
If it is not, set the short name and make sure /etc/hosts (or DNS) maps the host's address to deby01.dev.local, otherwise hostname -f will still not return the FQDN and the host principal created below will not match:
echo "deby01" > /etc/hostname
hostname -F /etc/hostname
- Install Kerberos client:
apt-get -y install krb5-user libpam-krb5
- Configure client (file /etc/krb5.conf):
[libdefaults]
default_realm = DEV.LOCAL
# ...
[realms]
DEV.LOCAL = {
# The kdc line below can be omitted if the KDC
# is discoverable through DNS SRV records
# for the realm (dns_lookup_kdc)
kdc = kdc1.dev.local
admin_server = krb.dev.local
}
[domain_realm]
- Add the host principal and store its key in the keytab (ktadd writes to /etc/krb5.keytab, so run it as root and keep that file readable by root only):
kadmin -p admin -q "addprinc -randkey host/deby01.dev.local"
kadmin -p admin -q "ktadd host/deby01.dev.local"
Let's verify it:
- List kerberos principals:
deby01:~# kadmin -p admin -q "list_principals"
...
host/deby01.dev.local@DEV.LOCAL
...
user1@DEV.LOCAL
...
- List keys in keytab:
klist -ke
- Now you can log in to deby01 as user1.
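The steps above as one script, added here as an example and not taken from the original post. The realm, domain, KDC, admin server and admin principal are the values used in the post and are set as variables; the function names are chosen for this example. Run as root with "sh join-realm.sh run"; with no argument it only prints the krb5.conf it would write, so it can be inspected first. Compared with the post's krb5.conf it also adds a [domain_realm] mapping and sets verify_ap_req_nofail, so the library refuses to call initial credentials verified when no keytab is available instead of silently skipping that check.

```shell
#!/bin/sh
# Added example (not from the original post): the whole client join as one
# script. Assumed values: REALM, DOMAIN, KDC, ADMIN_SERVER and ADMIN_PRINC
# below are the ones used in the post; adjust them for your site.
set -eu

REALM="DEV.LOCAL"
DOMAIN="dev.local"
KDC="kdc1.dev.local"
ADMIN_SERVER="krb.dev.local"
ADMIN_PRINC="admin"

# Succeed only if $1 is a fully qualified name inside $DOMAIN
# ("deby01.dev.local" yes; "deby01" or "dev.local" no).
is_fqdn_in_domain() {
  case "$1" in
    *?."$DOMAIN") return 0 ;;
    *) return 1 ;;
  esac
}

# Print a /etc/krb5.conf for the realm. verify_ap_req_nofail = true makes
# krb5_verify_init_creds fail when the machine has no keytab, rather than
# treating the unverifiable TGT as good.
render_krb5_conf() {
  cat <<EOF
[libdefaults]
    default_realm = $REALM
    verify_ap_req_nofail = true

[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $ADMIN_SERVER
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Succeed if "klist -ke" output on stdin lists the host principal for $1.
keytab_has_host_principal() {
  grep -qF "host/$1@$REALM"
}

# Do the join: check the name, install the packages, write the config,
# create the host principal, pull its key into /etc/krb5.keytab, verify.
join_host() {
  host="$(hostname -f)"
  if ! is_fqdn_in_domain "$host"; then
    echo "hostname -f gives '$host', not a name in $DOMAIN; fix /etc/hostname and /etc/hosts first" >&2
    return 1
  fi
  apt-get -y install krb5-user libpam-krb5
  render_krb5_conf > /etc/krb5.conf
  kadmin -p "$ADMIN_PRINC" -q "addprinc -randkey host/$host"
  kadmin -p "$ADMIN_PRINC" -q "ktadd host/$host"
  chmod 600 /etc/krb5.keytab   # the host key is a credential; keep it root-only
  if klist -ke | keytab_has_host_principal "$host"; then
    echo "host/$host@$REALM is in /etc/krb5.keytab"
  else
    echo "host/$host@$REALM missing from keytab" >&2
    return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  join_host
else
  render_krb5_conf
fi
```

The FQDN check runs before anything is installed because a host principal created from a short name is the most common reason the later login fails: the client asks for host/deby01.dev.local, but the keytab only holds host/deby01.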
Have a look at the log on the Kerberos server (file /var/log/krb5/kdc.log):
kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: NEEDED_PREAUTH: user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Additional pre-authentication required
kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL
kdc1.dev.local krb5kdc[988](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL
These three lines are the exchange a successful login should produce. The first AS_REQ is answered with NEEDED_PREAUTH because the KDC requires pre-authentication before it issues anything for user1 (the client retries with a timestamp encrypted under the user's key, which is what keeps an unauthenticated attacker from fetching AS-REPs to crack offline). The second AS_REQ issues the TGT (krbtgt/DEV.LOCAL) with AES256 (etype 18) for the reply, the ticket and the session key. The TGS_REQ then issues a service ticket for host/deby01.dev.local, which is the step that needs the host principal created above.
The PAM configuration that libpam-krb5 installs (through pam-auth-update) already tries Kerberos first and falls back to the local password database, so nothing needs to be changed there. Note that pam_krb5 uses the host key in /etc/krb5.keytab to verify the TGT it obtains for the user: it requests a ticket for host/deby01.dev.local and checks it against the keytab. Without that keytab an attacker who can impersonate the KDC could log in with a password of their choosing, so the host principal is not optional, and the keytab must stay readable by root only.
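To check the same thing from the server side without reading the log by eye, here is an added example that is not part of the original post: it summarises krb5kdc log records and confirms that user1 was issued an AES service ticket for host/deby01.dev.local. The three sample lines are the ones shown above; the extra line with tkt=23 is constructed here to show the check rejecting an RC4 ticket, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): summarise krb5kdc log records
# and confirm the expected login sequence. SAMPLE_LOG holds the three lines
# from the post; RC4_LINE is constructed here to show a rejected case.
set -eu

SAMPLE_LOG='kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: NEEDED_PREAUTH: user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Additional pre-authentication required
kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL
kdc1.dev.local krb5kdc[988](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL'

# Constructed: same request, but the KDC issued an rc4-hmac (etype 23) ticket.
RC4_LINE='kdc1.dev.local krb5kdc[988](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=23 ses=23}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL'

# Read krb5kdc log lines on stdin; print one line per AS_REQ/TGS_REQ record:
#   <request> <client-ip> <status> <client-principal> <service-principal> <ticket-etype or ->
# Tokens are located by shape rather than by field number, so a syslog
# timestamp prefix in front of the hostname does not break the parse.
kdc_log_summary() {
  awk '
  {
    req = ""
    for (i = 1; i <= NF; i++)
      if ($i == "AS_REQ" || $i == "TGS_REQ") { req = $i; break }
    if (req == "") next
    ip = ""; status = ""; client = ""; svc = ""; tkt = "-"
    for (i = 1; i <= NF; i++) {
      # the first "a.b.c.d:" token is the client address; the status word follows it
      if (ip == "" && $i ~ /^[0-9.]+:$/) {
        ip = substr($i, 1, length($i) - 1)
        status = $(i + 1); sub(/:$/, "", status)
      }
      # "<client> for <service>[,]" names the two principals
      if ($i == "for") { client = $(i - 1); svc = $(i + 1); sub(/,$/, "", svc) }
    }
    if (match($0, /tkt=[0-9]+/)) tkt = substr($0, RSTART + 4, RLENGTH - 4)
    print req, ip, status, client, svc, tkt
  }'
}

# Succeed if the log on stdin shows a TGS_REQ that issued user $1 a ticket for
# host/$2@$3 with an AES enctype (17 = aes128-cts, 18 = aes256-cts).
login_ticket_ok() {
  kdc_log_summary | awk -v u="$1@$3" -v s="host/$2@$3" '
    $1 == "TGS_REQ" && $3 == "ISSUE" && $4 == u && $5 == s && ($6 == 17 || $6 == 18) { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE_LOG" | kdc_log_summary
if printf '%s\n' "$SAMPLE_LOG" | login_ticket_ok user1 deby01.dev.local DEV.LOCAL; then
  echo "user1 got an AES service ticket for deby01"
fi
if ! printf '%s\n' "$RC4_LINE" | login_ticket_ok user1 deby01.dev.local DEV.LOCAL; then
  echo "rc4 ticket rejected"
fi
```

On a real KDC, feed the live file instead of the sample: `login_ticket_ok user1 deby01.dev.local DEV.LOCAL < /var/log/krb5/kdc.log`. The enctype check matters because a ticket issued under etype 23 means the host or the user still has an RC4 key, which is what weak-key ticket-cracking attacks go after.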