Basics on Kerberos on CentOS Linux 8.
A user or service is defined as a principal, e.g. the user dev, or the service postgres and postgres/TBOX.SITE.
An instance is a qualifier appended to a principal, e.g. root/admin, where
root = principal
/admin = instance
A Key Distribution Center (KDC) holds the database of all principals and runs two services:
- Authentication Server (AS)
- Ticket Granting Server (TGS)
A keytab is a binary file holding the encryption key extracted for a service or host principal.
The following are among the admin console commands:
Admin console
sudo kadmin.local
List principals
listprincs
Add principals
addprinc -randkey HTTP/10.8.8.186@TBOX.SITE
addprinc -randkey postgres/10.8.8.186@TBOX.SITE
Delete principal
delprinc dev@TBOX.SITE
Install and configure kerberos server
sudo dnf install krb5-server
sudo vi /etc/krb5.conf
[libdefaults]
default_realm = TBOX.SITE
[realms]
TBOX.SITE = {
kdc = 10.8.8.186
admin_server = 10.8.8.186
}
[domain_realm]
pg.tbox.com = TBOX.SITE
.pg.tbox.com = TBOX.SITE
Create a Realm
To create a realm called TBOX.SITE (this initialises the database at /var/kerberos/krb5kdc/principal; -s also writes the master key to a stash file so the KDC can start unattended):
sudo kdb5_util create -r TBOX.SITE -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TBOX.SITE',
master key name 'K/M@TBOX.SITE'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Assign administration access rights to the Kerberos database:
sudo vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@TBOX.SITE *
Restart the Kerberos KDC service
sudo systemctl restart krb5kdc
Destroy a kerberos database (optional)
sudo kdb5_util -r TBOX.SITE destroy
Initial Principal Admin setup in kadmin
sudo kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: q
Add additional users to specific realm with random key
addprinc -randkey daniel@TBOX.SITE
Add additional users to specific realm with password and default realm
addprinc dev
Credential list
List credentials
klist
Ticket cache: KCM:1001:31655
Default principal: dev@TBOX.SITE
Valid starting Expires Service principal
10/27/2021 18:29:48 10/28/2021 18:29:48 krbtgt/TBOX.SITE@TBOX.SITE
renew until 10/27/2021 18:29:48
Create credentials
kinit root/admin
kinit dev
Delete credentials (optional)
kdestroy -A
Keytab management
ktutil
Load keytab data
rkt /tmp/postgres.keytab
List cached
list
Remove entry
delent {slot_number}
Create a keytab for use on a remote server (to be confirmed)
addprinc -randkey HTTP/www.mydomain.org@MYDOMAIN.ORG
ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG
Copy /tmp/http.keytab to the remote server.
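As an added example (not from the original notes), a script that wraps the two kadmin commands above in a function and checks that the exported keytab is owned by the service account and unreadable by other users before it is copied off the KDC. The realm variable, the service name and the owner are assumptions; the kadmin.local steps must run as root on the KDC.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes.
set -eu

# Assumed realm; matches the realm used throughout the notes.
REALM="${REALM:-TBOX.SITE}"

# Create a service principal with a random key and export it to a keytab,
# using the same kadmin commands as the notes but non-interactively (-q).
export_service_keytab() {
    local princ="$1" keytab="$2"
    kadmin.local -q "addprinc -randkey ${princ}@${REALM}"
    kadmin.local -q "ktadd -k ${keytab} ${princ}@${REALM}"
}

# Return 0 only when the keytab exists, belongs to the expected owner and
# has no group/other permission bits set. Anyone who can read the file can
# act as the service, so this is the check to run before copying it.
keytab_is_protected() {
    local keytab="$1" owner="$2"
    [ -f "$keytab" ] || return 1
    local mode file_owner
    mode=$(stat -c '%a' "$keytab")
    file_owner=$(stat -c '%U' "$keytab")
    [ "$file_owner" = "$owner" ] || return 1
    case "$mode" in
        600|400|200|0) return 0 ;;
        *) return 1 ;;
    esac
}

# Tighten ownership and mode so keytab_is_protected passes.
protect_keytab() {
    local keytab="$1" owner="$2"
    chown "$owner" "$keytab"
    chmod 0600 "$keytab"
}

# Confirm the exported keytab actually works: obtain a TGT with it, then
# discard the ticket so nothing is left in the credential cache.
verify_keytab() {
    local princ="$1" keytab="$2"
    kinit -k -t "$keytab" "${princ}@${REALM}" && kdestroy
}

# Example flow (hypothetical service name and owner):
#   export_service_keytab postgres/10.8.8.186 /tmp/postgres.keytab
#   protect_keytab /tmp/postgres.keytab postgres
#   keytab_is_protected /tmp/postgres.keytab postgres && verify_keytab postgres/10.8.8.186 /tmp/postgres.keytab
```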