Thursday, October 28, 2021

Kerberos on Centos 8 - notes

Basic notes on running a Kerberos (MIT krb5) KDC and its client tools on CentOS Linux 8.

A user or a service is identified by a principal, written primary[/instance]@REALM. E.g. the user dev@TBOX.SITE and the service postgres/10.8.8.186@TBOX.SITE (a service principal carries the host it runs on as its instance).

The optional instance qualifies the primary name; for users it usually marks a role.

E.g. root/admin, where

root = primary (the user)

admin = instance (the admin role, which the kadm5.acl entry below grants rights to)

A Key Distribution Center (KDC) holds the database of all principals (and their keys) and runs two services:

  • Authentication Server (AS), which issues the ticket-granting ticket (TGT)
  • Ticket Granting Server (TGS), which issues service tickets against a TGT
A keytab is a binary file holding the long-term keys of one or more principals, extracted from the KDC database. A service or host uses it to authenticate without a password, so it must be protected like a password (readable by the service account only).

The following are some of the admin console commands (kadmin.local works directly on the database on the KDC host and needs no running daemon):

Admin console

sudo kadmin.local

List principals

listprincs

Add principals

addprinc -randkey HTTP/10.8.8.186@TBOX.SITE
addprinc -randkey postgres/10.8.8.186@TBOX.SITE

Delete principal

delprinc dev@TBOX.SITE

Install and configure the Kerberos server

sudo dnf install krb5-server 
sudo vi /etc/krb5.conf

The client tools used later in these notes (kinit, klist, ktutil) come from the krb5-workstation package.

[libdefaults]
    default_realm = TBOX.SITE

[realms]
    TBOX.SITE = {
        kdc = 10.8.8.186
        admin_server = 10.8.8.186
    }

[domain_realm]
    pg.tbox.com = TBOX.SITE
    .pg.tbox.com = TBOX.SITE

Create a realm

To create a realm called TBOX.SITE. This initialises the database at /var/kerberos/krb5kdc/principal; -s also writes a stash file of the master key so krb5kdc can start without prompting. The master password cannot be recovered from the database, so keep it somewhere safe.

sudo kdb5_util create -r TBOX.SITE -s

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TBOX.SITE',
master key name 'K/M@TBOX.SITE'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Grant administrative rights on the Kerberos database. The entry below gives every principal with the admin instance (e.g. root/admin@TBOX.SITE) all privileges (*):
sudo vi /var/kerberos/krb5kdc/kadm5.acl

*/admin@TBOX.SITE     *

Restart the KDC service so it picks up the new database (the separate kadmin service is only needed for remote kadmin; kadmin.local works without it)

sudo systemctl restart krb5kdc

Destroy a Kerberos database (optional, irreversible: every principal and key in the realm is deleted)

sudo kdb5_util -r TBOX.SITE destroy


Initial admin principal setup in kadmin.local (prompts for a password; this principal matches the */admin entry in kadm5.acl above)

sudo kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: q

Add a principal to a specific realm with a random key. -randkey means nobody knows the password, so the principal cannot kinit interactively; its key has to be exported to a keytab (see Keytab management). Use it for service and host principals, not for interactive users.

addprinc -randkey daniel@TBOX.SITE

Add a user with a password (prompted) to the default realm; without @REALM the default_realm from krb5.conf is appended

addprinc dev
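The whole KDC bootstrap above (install, krb5.conf, realm, ACL, admin and first principals, services) as one script. This is an added example, not code from the original notes: the realm TBOX.SITE, the KDC address 10.8.8.186 and the domain pg.tbox.com are taken from the notes as hypothetical values, the function names render_krb5_conf, render_kadm5_acl, bootstrap_kdc and verify_kdc and the --render/--apply switches are this script's own, and it installs krb5-workstation alongside krb5-server so that kinit, klist and ktutil are available.

```shell
#!/bin/sh
# Added example (not from the original notes): bootstrap a single-realm KDC on
# CentOS 8. The two config files are rendered by functions so they can be
# reviewed with --render before --apply writes anything.
# Assumed values: realm TBOX.SITE, KDC 10.8.8.186, DNS domain pg.tbox.com.
set -eu

REALM=TBOX.SITE
KDC_ADDR=10.8.8.186
DNS_DOMAIN=pg.tbox.com

# /etc/krb5.conf: default realm, where the KDC and admin server live, and the
# DNS-domain -> realm mapping (the leading-dot entry covers all subdomains).
render_krb5_conf() {
    realm=$1 kdc=$2 domain=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    $domain = $realm
    .$domain = $realm
EOF
}

# kadm5.acl: every principal with the "admin" instance gets all rights (*).
render_kadm5_acl() {
    printf '*/admin@%s     *\n' "$1"
}

bootstrap_kdc() {
    sudo dnf install -y krb5-server krb5-workstation   # KDC + kinit/klist/ktutil
    render_krb5_conf "$REALM" "$KDC_ADDR" "$DNS_DOMAIN" | sudo tee /etc/krb5.conf >/dev/null
    # Creates /var/kerberos/krb5kdc/principal and prompts for the master key;
    # -s stashes the key so krb5kdc can start unattended. Keep the password:
    # without it the stash file cannot be regenerated.
    sudo kdb5_util create -r "$REALM" -s
    render_kadm5_acl "$REALM" | sudo tee /var/kerberos/krb5kdc/kadm5.acl >/dev/null
    # First admin principal; kadmin.local prompts for its password.
    sudo kadmin.local -q "addprinc root/admin@$REALM"
    # Service principals get random keys: they only ever authenticate via keytab.
    sudo kadmin.local -q "addprinc -randkey HTTP/$KDC_ADDR@$REALM"
    sudo kadmin.local -q "addprinc -randkey postgres/$KDC_ADDR@$REALM"
    # An interactive user gets a prompted password.
    sudo kadmin.local -q "addprinc dev@$REALM"
    # krb5kdc serves AS/TGS requests; kadmin serves remote kadmin clients.
    sudo systemctl enable --now krb5kdc kadmin
}

# Smoke test: the admin principal exists and can obtain a TGT.
verify_kdc() {
    sudo kadmin.local -q listprincs | grep -q "^root/admin@$REALM\$"
    kinit "root/admin@$REALM" && klist
}

case "${1:-}" in
    --apply)  bootstrap_kdc && verify_kdc ;;
    --render) render_krb5_conf "$REALM" "$KDC_ADDR" "$DNS_DOMAIN"; render_kadm5_acl "$REALM" ;;
    *)        echo "usage: $0 --render | --apply" >&2 ;;
esac
```

Run it with --render first and diff the output against the notes' krb5.conf; --apply is interactive at the two password prompts (master key, root/admin) and needs sudo on the KDC host.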

Credential list

List credentials

klist
Ticket cache: KCM:1001:31655
Default principal: dev@TBOX.SITE

Valid starting       Expires              Service principal
10/27/2021 18:29:48  10/28/2021 18:29:48  krbtgt/TBOX.SITE@TBOX.SITE
        renew until 10/27/2021 18:29:48

Obtain a ticket-granting ticket (TGT) for a principal (prompts for the password)

kinit root/admin
kinit dev

Destroy credential caches (optional; -A removes all caches of the current user, not just the default one)

kdestroy -A

Keytab management


ktutil

Load the entries of a keytab file into ktutil's in-memory list
rkt /tmp/postgres.keytab

List the loaded entries (slot number, kvno, principal)
list

Remove the entry in a given slot. This only changes the in-memory list; nothing is saved until it is written back to a file with the wkt command, and quitting without wkt discards the change
delent {slot_number}


Create a keytab for a service on a remote server

addprinc -randkey HTTP/www.mydomain.org@MYDOMAIN.ORG
ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG

ktadd writes the principal's key to the file and, by default, first generates a new random key for the principal, so run it once per principal: re-running it invalidates any keytab already deployed for that principal. Copy /tmp/http.keytab to the remote host over an authenticated channel (e.g. scp), make it readable only by the service account, and delete the temporary copy on the KDC.
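The keytab workflow of the two sections above (ktadd on the KDC, ktutil to merge or inspect, copy to the service host) as one script, together with the check a service runs to authenticate from its keytab without a password. This is an added example, not code from the original notes: the service host 10.8.8.186, the postgres service account, the path /var/lib/pgsql/krb5.keytab and the function names split_principal, is_service_principal, export_keytab, merge_keytabs, install_keytab and ensure_ticket are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): export a service keytab from
# the KDC, inspect and merge keytabs, hand the file to the service host over
# ssh, and use it for password-less authentication on that host.
# Assumed: run on the KDC with sudo; service host 10.8.8.186 reachable by ssh
# with sudo; service account "postgres"; keytab path /var/lib/pgsql/krb5.keytab.
set -eu

REALM=TBOX.SITE
SERVICE_PRINC="postgres/10.8.8.186@$REALM"
SERVICE_HOST=10.8.8.186
SERVICE_USER=postgres
REMOTE_KEYTAB=/var/lib/pgsql/krb5.keytab

# primary/instance@REALM -> "primary instance realm" ("-" when there is no
# instance). Fails when the realm is missing, so a bare name such as
# "postgres" is never turned into a keytab by accident.
split_principal() {
    case "$1" in *@*) ;; *) return 1 ;; esac
    realm=${1##*@}
    name=${1%@*}
    case "$name" in
        */*) printf '%s %s %s\n' "${name%%/*}" "${name#*/}" "$realm" ;;
        *)   printf '%s - %s\n' "$name" "$realm" ;;
    esac
}

# Keytabs are for service/host principals. A keytab for a plain user
# principal is a reusable password: anyone holding the file is that user.
is_service_principal() {
    parts=$(split_principal "$1") || return 1
    set -- $parts
    [ "$2" != "-" ]
}

# Create the principal if missing, then write its key to a keytab.
# ktadd generates a fresh random key (kvno+1) by default, which invalidates
# any keytab already deployed for that principal; "ktadd -norandkey"
# (kadmin.local only) exports the current key instead.
export_keytab() {
    princ=$1 out=$2
    is_service_principal "$princ" || { echo "refusing $princ: not service/host@REALM" >&2; return 1; }
    if ! sudo kadmin.local -q "getprinc $princ" 2>/dev/null | grep -q '^Principal:'; then
        sudo kadmin.local -q "addprinc -randkey $princ"
    fi
    sudo kadmin.local -q "ktadd -k $out $princ"
    sudo chmod 600 "$out"
    sudo klist -kte "$out"   # one line per entry: kvno, timestamp, principal, enctype
}

# Combine several keytabs (e.g. HTTP and postgres for one host) with ktutil.
# rkt/delent only change ktutil's in-memory list; nothing is saved until wkt.
merge_keytabs() {
    out=$1; shift
    { for f in "$@"; do echo "rkt $f"; done; echo "wkt $out"; } | sudo ktutil
    sudo chmod 600 "$out"
}

# Ship the keytab over ssh (an authenticated, encrypted channel) and install
# it readable by the service account only. Never mail or paste a keytab.
install_keytab() {
    sudo cat "$1" | ssh "$SERVICE_HOST" \
        "sudo sh -c 'umask 077; cat > $REMOTE_KEYTAB; chown $SERVICE_USER: $REMOTE_KEYTAB'"
}

# On the service host: get a TGT from the keytab only when the cache has no
# usable one (klist -s prints nothing and exits 0 when the cache is readable
# and not expired, 1 otherwise).
ensure_ticket() {
    klist -s || kinit -kt "$1" "$2"
    klist
}

case "${1:-}" in
    --export)  export_keytab "$SERVICE_PRINC" /tmp/postgres.keytab ;;
    --install) install_keytab /tmp/postgres.keytab ;;
    --login)   ensure_ticket "$REMOTE_KEYTAB" "$SERVICE_PRINC" ;;
    *)         echo "usage: $0 --export | --install | --login" >&2 ;;
esac
```

Run --export and --install on the KDC, then --login as the service account on the service host; after --install, remove /tmp/postgres.keytab on the KDC so the key exists only in the KDC database and on the host that needs it.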
