How to set up Kerberos in RHEL

At the Authentication Server (Master KDC):
#######################################
 
1) Install the following Kerberos packages on your Kerberos server, i.e., the krb5 server, workstation and their libraries
----------------------------------------------------------------------------------------------------------------------
Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which runs the KDC. This machine needs to be very secure;
if possible, it should not run any services other than the KDC.
 
[root@master_host ~]# yum install krb5-server krb5-workstation
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.10.3-15.el6_5.1 will be installed
NOT-CERTIFIED/filelists | 3.7 MB 00:00 
--> Processing Dependency: krb5-libs = 1.10.3-15.el6_5.1 for package: krb5-server-1.10.3-15.el6_5.1.x86_64
---> Package krb5-workstation.x86_64 0:1.10.3-15.el6_5.1 will be installed
--> Running transaction check
---> Package krb5-libs.i686 0:1.10.3-10.el6_4.4 will be updated
---> Package krb5-libs.x86_64 0:1.10.3-10.el6_4.4 will be updated
---> Package krb5-libs.i686 0:1.10.3-15.el6_5.1 will be an update
---> Package krb5-libs.x86_64 0:1.10.3-15.el6_5.1 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
============================================================================================================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================================================================================================
Installing:
krb5-server x86_64 1.10.3-15.el6_5.1 NOT-CERTIFIED 2.0 M
krb5-workstation x86_64 1.10.3-15.el6_5.1 NOT-CERTIFIED 805 k
Updating for dependencies:
krb5-libs i686 1.10.3-15.el6_5.1 NOT-CERTIFIED 769 k
krb5-libs x86_64 1.10.3-15.el6_5.1 NOT-CERTIFIED 761 k
 
Transaction Summary
============================================================================================================================================================================================================================================
Install 2 Package(s)
Upgrade 2 Package(s)
 
 
Total download size: 4.3 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): krb5-libs-1.10.3-15.el6_5.1.i686.rpm | 769 kB 00:00 
(2/4): krb5-libs-1.10.3-15.el6_5.1.x86_64.rpm | 761 kB 00:00 
(3/4): krb5-server-1.10.3-15.el6_5.1.x86_64.rpm | 2.0 MB 00:00 
(4/4): krb5-workstation-1.10.3-15.el6_5.1.x86_64.rpm | 805 kB 00:00 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 4.1 MB/s | 4.3 MB 00:01 
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction 6/6
 
 
Installed:
 krb5-server.x86_64 0:1.10.3-15.el6_5.1 krb5-workstation.x86_64 0:1.10.3-15.el6_5.1 
 
 
Dependency Updated:
 krb5-libs.i686 0:1.10.3-15.el6_5.1 krb5-libs.x86_64 0:1.10.3-15.el6_5.1 
 
 
Complete!
 
 
[root@master_host ~]#
 
 
2) Configure the krb5 configuration files as below.
---------------------------------------------------
Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect the realm name and domain-to-realm mappings.
A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with the correct domain name (being certain to keep uppercase and lowercase names in the correct format) and by changing the KDC from kerberos.example.com to the name of the Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. The man pages of these configuration files have full details about the file formats.
Also, edit the /var/kerberos/krb5kdc/kadm5.acl file. This file is used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can be accommodated by a single line; the kadm5.acl listing below shows the one used for this realm.
Most users are represented in the database by a single principal (with a NULL, or empty, instance, such as joe@EXAMPLE.COM). In this configuration, users with a second principal with an instance of admin (for example, joe/admin@EXAMPLE.COM) are able to exert full administrative control over the realm's Kerberos database.
After kadmind has been started on the server, any user can access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file can modify the database in any way, except for changing their own passwords.
Note : The kadmin utility communicates with the kadmind server over the network, and uses Kerberos to handle authentication. Consequently, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.
 
 
[root@master_host hpadmin]# cat /etc/krb5.conf
 --------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = ASIA.MYDOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
 
[realms]
ASIA.MYDOMAIN.NET = {
 
#kdc = master_host.ASIA.MYDOMAIN.NET
kdc = master_host.ASIA.MYDOMAIN.NET
#admin_server = master_host.ASIA.MYDOMAIN.NET
admin_server = master_host.ASIA.MYDOMAIN.NET
 
}
[domain_realm]
.ASIA.MYDOMAIN.NET = ASIA.MYDOMAIN.NET
ASIA.MYDOMAIN.NET = ASIA.MYDOMAIN.NET
 
# .ASIA.MYDOMAIN.NET = ASIA.MYDOMAIN.NET
# ASIA.MYDOMAIN.NET = ASIA.MYDOMAIN.NET
[root@master_host hpadmin]#
 
 
[root@master_host ~]# cat /var/kerberos/krb5kdc/kdc.conf
 ------------------------------
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
 
 
[realms]
ASIA.MYDOMAIN.NET = {
 #master_key_type = aes256-cts
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
 
 
[root@master_host ~]# cat /var/kerberos/krb5kdc/kadm5.acl
 -----------------------------
*/admin@ASIA.MYDOMAIN.NET *
[root@master_host ~]#
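As an added example (not part of the original post), a small shell audit of the supported_enctypes line from the kdc.conf above: the listing still offers single-DES and RC4 (arcfour) types, which no current client should be allowed to negotiate with the KDC. The line is embedded as a constructed copy; keeping des3 is an assumption noted in the code.

```shell
#!/bin/sh
# Added example, not from the original post: audit the supported_enctypes
# line of kdc.conf for single-DES and RC4 (arcfour) types and print the
# line with them removed. Input is the line itself, so this runs offline.

# Constructed copy of the supported_enctypes line from the kdc.conf above.
KDC_CONF_LINE='supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal'

# Single DES (56-bit key) and RC4 are treated as weak. Assumption: des3 is
# kept for the legacy clients this config caters to; remove it as well once
# nothing needs it, since MIT krb5 has deprecated des3 too.
is_weak() {
    case "$1" in
        des-*|arcfour-*|rc4-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the enctype names (without the ":normal" salt suffix) that the KDC
# should not offer; the enctype list is everything after the "=".
weak_enctypes() {
    for tok in $(printf '%s\n' "$1" | sed 's/^[^=]*=//'); do
        et=${tok%%:*}
        if is_weak "$et"; then printf '%s\n' "$et"; fi
    done
}

# Rebuild the line keeping only the enctypes that is_weak does not flag.
hardened_line() {
    out='supported_enctypes ='
    for tok in $(printf '%s\n' "$1" | sed 's/^[^=]*=//'); do
        is_weak "${tok%%:*}" || out="$out $tok"
    done
    printf '%s\n' "$out"
}

# Stand-alone run: list what the page's line enables, then the replacement.
weak_enctypes "$KDC_CONF_LINE"
hardened_line "$KDC_CONF_LINE"
```

Keys already issued with a removed enctype stay in the database; after changing the line, re-run ktadd (or change_password) for the affected principals so their keytabs carry only AES keys.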
 
3) Create the database using the kdb5_util utility.
--------------------------------------------------
 
The create command creates the database that stores keys for the Kerberos realm.
The -s argument creates a stash file in which the master server key is stored.
If no stash file is present from which to read the key, the Kerberos server (krb5kdc) prompts the user for the master server password (which can be used to regenerate the key) every time it starts.
 
[root@master_host ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'ASIA.MYDOMAIN.NET',
master key name 'K/M@ASIA.MYDOMAIN.NET'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@master_host ~]#
 
4) Create the first principal using kadmin.local at the KDC terminal:
--------------------------------------------------------------------
 
[root@master_host ~]# kadmin.local -q "addprinc mongodb/admin"
Authenticating as principal mongodb/admin@ASIA.MYDOMAIN.NET with password.
WARNING: no policy specified for mongodb/admin@ASIA.MYDOMAIN.NET; defaulting to no policy
Enter password for principal "mongodb/admin@ASIA.MYDOMAIN.NET":
Re-enter password for principal "mongodb/admin@ASIA.MYDOMAIN.NET":
Principal "mongodb/admin@ASIA.MYDOMAIN.NET" created.
 
5) Start Kerberos using the following commands:
----------------------------------------------
[root@master_host hpadmin]# /etc/init.d/krb5kdc start && /etc/init.d/kadmin start
Starting Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
[root@master_host hpadmin]#
 
6) Check principals and verify that the KDC issues tickets:
--------------------------------------------------------------
Add principals for the users using the addprinc command within kadmin. kadmin and kadmin.local are command line interfaces to the KDC. As such, many commands, such as addprinc, are available after launching the kadmin program. Refer to the kadmin man page for more information.
[root@master_host ~]# kadmin
Authenticating as principal mongodb/admin@ASIA.MYDOMAIN.NET with password.
kadmin: Cannot find KDC for requested realm while initializing kadmin interface
 
[root@master_host hpadmin]# kadmin.local
Authenticating as principal mongodb/admin@ASIA.MYDOMAIN.NET with password.
kadmin.local: listprincs
K/M@ASIA.MYDOMAIN.NET
kadmin/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
kadmin/admin@ASIA.MYDOMAIN.NET
kadmin/changepw@ASIA.MYDOMAIN.NET
krbtgt/ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
mongodb/admin@ASIA.MYDOMAIN.NET
kadmin.local:
kadmin.local:
kadmin.local:
kadmin.local: addprinc -randkey host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
WARNING: no policy specified for host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET; defaulting to no policy
Principal "host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET" created.
kadmin.local:
kadmin.local: ktadd host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
Entry for principal host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:
kadmin.local: addprinc -randkey host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
WARNING: no policy specified for host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET; defaulting to no policy
Principal "host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET" created.
kadmin.local:
kadmin.local:
kadmin.local: ktadd host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
Entry for principal host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:
 
Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache and use kdestroy to destroy the cache and the credentials it contains.
 
[root@master_host ~]# kinit mongodb/admin
Password for mongodb/admin@ASIA.MYDOMAIN.NET:
[root@master_host ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mongodb/admin@ASIA.MYDOMAIN.NET
 
Valid starting Expires Service principal
06/05/14 06:34:27 06/06/14 06:34:27 krbtgt/ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
 renew until 06/05/14 06:34:27
[root@master_host ~]#
 
Note : By default, kinit attempts to authenticate using the same system login username (not the Kerberos server). If that username does not correspond to a principal in the Kerberos database, kinit issues an error message. If that happens, supply kinit with the name of the correct principal as an argument on the command line:
 
kinit <principal>
 
 
Copying the keytab file to all mongod servers:
------------------------------------------------
 
[root@master_host hpadmin]# kadmin.local
Authenticating as principal mongodb/admin@ASIA.MYDOMAIN.NET with password.
kadmin.local: listprincs
K/M@ASIA.MYDOMAIN.NET
kadmin/master_host.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
kadmin/admin@ASIA.MYDOMAIN.NET
kadmin/changepw@ASIA.MYDOMAIN.NET
krbtgt/ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
mongodb/admin@ASIA.MYDOMAIN.NET
kadmin.local:
kadmin.local: addprinc -randkey mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
kadmin.local:
kadmin.local: ktadd -k /tmp/mongodb_new.keytab mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
Entry for principal mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/mongodb_new.keytab.
Entry for principal mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/mongodb_new.keytab.
Entry for principal mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/mongodb_new.keytab.
Entry for principal mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/tmp/mongodb_new.keytab.
Entry for principal mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/mongodb_new.keytab.
Entry for principal mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/mongodb_new.keytab.
kadmin.local:
kadmin.local: exit
[root@master_host hpadmin]#
[root@master_host hpadmin]#
[root@master_host hpadmin]# scp /tmp/mongodb_new.keytab hpadmin@12d4-dl585-04:/opt/mongodb/keytab/
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Kernel \r on an \m
PAM Authentication
Password:
[root@master_host hpadmin]#
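Added example, not from the original post: the kvno of the mongodb principal went from 2 to 3 in the ktadd above because every ktadd randomises a fresh key and bumps the key version, so a keytab copied to the mongod host before that point no longer matches the KDC and authentication fails. The script compares the KDC's kvno (a constructed getprinc excerpt) with the kvno entries of a constructed klist -kte listing of the copied keytab; the keytab paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: detect a keytab whose key
# version (kvno) no longer matches the KDC. Each ktadd re-randomises the key
# and bumps the kvno (the page shows 2 become 3), so an earlier copy on the
# mongod host silently stops working until it is regenerated and recopied.
PRINC='mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET'

# Constructed excerpt of: kadmin.local -q "getprinc $PRINC"
GETPRINC=$(cat <<'EOF'
Principal: mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, aes128-cts-hmac-sha1-96, no salt
EOF
)
# Constructed excerpt of: klist -kte <keytab> on the mongod host, for a copy
# taken before the ktadd above (kvno 2); FRESH is the same copy after it.
STALE_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/opt/mongodb/keytab/mongodb_old.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 06/05/14 06:34:27 mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET (aes256-cts-hmac-sha1-96)
   2 06/05/14 06:34:27 mongodb/12d4-dl585-04.ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET (aes128-cts-hmac-sha1-96)
EOF
)
FRESH_KEYTAB=$(printf '%s\n' "$STALE_KEYTAB" | sed 's/^   2 /   3 /')

# Highest "Key: vno N" the KDC holds (getprinc text on stdin).
kdc_kvno() {
    sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -n | tail -n 1
}
# Distinct kvnos present for a principal in klist -kte text on stdin.
# Columns: KVNO, date, time, principal, (enctype).
keytab_kvnos() {
    awk -v p="$1" '$4 == p { print $1 }' | sort -nu
}
# Succeeds only when the keytab has entries for the principal and all of
# them carry the KDC's current kvno. $1 principal, $2 getprinc, $3 klist.
keytab_in_sync() {
    want=$(printf '%s\n' "$2" | kdc_kvno)
    have=$(printf '%s\n' "$3" | keytab_kvnos "$1")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

if keytab_in_sync "$PRINC" "$GETPRINC" "$STALE_KEYTAB"; then echo "stale copy: in sync"
else echo "stale copy: kvno mismatch, rerun ktadd -k and recopy the keytab"; fi
keytab_in_sync "$PRINC" "$GETPRINC" "$FRESH_KEYTAB" && echo "fresh copy: in sync"
```

On a live host the same check is the real getprinc and klist -kte output piped into these functions; also make sure the copied file is readable only by the account mongod runs as, since anyone who can read it holds the service key.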
 
Setting up Secondary KDCs (Client)
###################################
 
When there are multiple KDCs for a given realm, one KDC (the master KDC) keeps a writable copy of the realm database and runs kadmind. The master KDC is also the realm's admin server. Additional secondary KDCs keep read-only copies of the database and run kpropd.
The master-slave propagation procedure entails the master KDC dumping its database to a temporary dump file and then transmitting that file to each of its slaves, which then overwrite their previously-received read-only copies of the database with the contents of the dump file.
To set up a secondary KDC:

1) Copy the master KDC's krb5.conf and kdc.conf files to the secondary KDC.
2) Start kadmin.local from a root shell on the master KDC.
3) Use the kadmin.local add_principal command to create a new entry for the master KDC's host service.
4) Use the kadmin.local ktadd command to set a random key for the service and store the random key in the master's default keytab file.

Note : This key is used by the kprop command to authenticate to the secondary servers. You will only need to do this once, regardless of how many secondary KDC servers you install.
[root@client_host hpadmin]# kinit mongodb/admin
Password for mongodb/admin@ASIA.MYDOMAIN.NET:
[root@client_host hpadmin]#
[root@client_host hpadmin]#
[root@client_host hpadmin]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mongodb/admin@ASIA.MYDOMAIN.NET
 
Valid starting Expires Service principal
06/09/14 06:46:51 06/10/14 06:46:51 krbtgt/ASIA.MYDOMAIN.NET@ASIA.MYDOMAIN.NET
 renew until 06/09/14 06:46:51
[root@client_host hpadmin]#
