Tuesday, December 21, 2010

Debian Kerberos Client

You must have a Kerberos server running on the network; read here how to get it up. We are going to add the host deby01 as a client of the dev.local Kerberos realm.
  1. Ensure the host name is FQDN:
    ldap1:~# hostname -f
    deby01.dev.local
    
    If it is not, issue the following:
    echo "deby01" > /etc/hostname
    hostname -F /etc/hostname
    
  2. Install Kerberos client:
    apt-get -y install krb5-user libpam-krb5
    
  3. Configure client (file /etc/krb5.conf):
    [libdefaults]
            default_realm = DEV.LOCAL
    # ...
    [realms]
            DEV.LOCAL = {
                    # The entry below can be commented 
                    # out in case there is dns 
                    # resolution for kdc
                    kdc = kdc1.dev.local
                    admin_server = krb.dev.local
            }
    
    [domain_realm]
    
    
  4. Add host principal:
    kadmin -p admin -q "addprinc -randkey host/deby01.dev.local"
    
    kadmin -p admin -q "ktadd host/deby01.dev.local"
    
Let's verify it:
  1. List kerberos principals:
    deby01:~# kadmin -p admin -q "list_principals"
    ...
    host/deby01.dev.local@DEV.LOCAL
    ...
    user1@DEV.LOCAL
    ...
    
  2. List keys in keytab:
    klist -ke
    
  3. Now you can log in to deby01 as user1.
  4. Have a look at the log on the Kerberos server (file /var/log/krb5/kdc.log):
    kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: NEEDED_PREAUTH: user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Additional pre-authentication required
    kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL
    kdc1.dev.local krb5kdc[988](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL
    
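The three log lines above are the whole story of a successful login: an AS_REQ rejected with NEEDED_PREAUTH, the same AS_REQ issued a TGT for krbtgt/DEV.LOCAL, and a TGS_REQ issued a service ticket for host/deby01.dev.local. The script below is an added example (not part of the original post) that pulls those ISSUE events out of kdc.log and flags tickets issued with DES or RC4 encryption types, which is the first thing to look for when checking that a realm is not handing out weak tickets. The sample log text is constructed for the example in the same format as the post shows; the fourth line, an RC4-only request from 192.168.10.77, is made up to exercise the weak-etype check.

```bash
#!/bin/sh
# Added example: summarise issued tickets from an MIT krb5kdc log and flag
# weak encryption types. Not code from the original post.

# Constructed sample of /var/log/krb5/kdc.log lines (the last one is made up
# to show an RC4-only ticket being flagged).
KDC_LOG_SAMPLE='kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: NEEDED_PREAUTH: user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL, Additional pre-authentication required
kdc1.dev.local krb5kdc[988](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for krbtgt/DEV.LOCAL@DEV.LOCAL
kdc1.dev.local krb5kdc[988](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.10.41: ISSUE: authtime 1293635137, etypes {rep=18 tkt=18 ses=18}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL
kdc1.dev.local krb5kdc[988](info): TGS_REQ (1 etypes {23}) 192.168.10.77: ISSUE: authtime 1293635200, etypes {rep=23 tkt=23 ses=23}, user1@DEV.LOCAL for host/deby01.dev.local@DEV.LOCAL'

# Read kdc.log on stdin and print one line per issued ticket:
#   REQ_TYPE CLIENT_IP CLIENT_PRINCIPAL SERVICE_PRINCIPAL TICKET_ETYPE
# NEEDED_PREAUTH and other non-ISSUE lines are skipped.
kdc_issued_tickets() {
    awk '/ ISSUE: / {
        type = $3
        # The client address is the token just before "ISSUE:", with a trailing colon.
        ip = ""
        for (i = 4; i < NF; i++) if ($i == "ISSUE:") { ip = $(i - 1); sub(/:$/, "", ip) }
        # Ticket encryption type from "tkt=NN" inside the etypes braces.
        tkt = ""
        if (match($0, /tkt=[0-9]+/)) tkt = substr($0, RSTART + 4, RLENGTH - 4)
        # The line ends with "..., CLIENT for SERVICE".
        n = split($0, parts, " for ")
        service = parts[n]
        m = split(parts[n - 1], lead, ", ")
        client = lead[m]
        printf "%s %s %s %s %s\n", type, ip, client, service, tkt
    }'
}

# Same input; print only tickets whose etype is single DES (1, 2, 3),
# 3DES (16, deprecated) or RC4-HMAC (23, 24). Anything here deserves a
# look at the client that requested it and at the realm's permitted etypes.
kdc_weak_tickets() {
    kdc_issued_tickets | awk '$5 == 1 || $5 == 2 || $5 == 3 || $5 == 16 || $5 == 23 || $5 == 24'
}

# Stand-alone run on the constructed sample. On a real KDC use:
#   kdc_weak_tickets < /var/log/krb5/kdc.log
if [ "${1:-}" = "--demo" ]; then
    echo "Issued tickets:"
    printf '%s\n' "$KDC_LOG_SAMPLE" | kdc_issued_tickets
    echo "Weak etypes:"
    printf '%s\n' "$KDC_LOG_SAMPLE" | kdc_weak_tickets
fi
```

Run it with `sh script.sh --demo` to see the three issued tickets from the sample and the single RC4 ticket flagged; on a live server feed the real kdc.log to `kdc_weak_tickets` on stdin.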
By default, PAM authentication is configured to authenticate the user with Kerberos and fall back to local authentication. That is fine, so nothing needs to be configured there.
