Saturday, 6 June 2015

Configure Kerberos Authentication in RHEL7


In this tutorial, we will configure a client machine to use Kerberos authentication. We will use an LDAP server for user information.

For Kerberos Server configuration, refer to this post. For LDAP Server configuration, refer to this post.

We use the System Security Services Daemon (SSSD) for user information services and authentication, instead of the legacy services.

We use the authconfig tool for authentication configuration.
If the --test action is specified, authconfig just reads the current settings from the various configuration files and prints their values. If the --update action is specified, authconfig must be run by root, and the configuration changes are saved.

Each --enable option has a matching --disable option that disables the service if it is already enabled.

Consider the following scenario:

Kerberos Realm:   MYCOMPANY.COM
Kerberos Server:  meru.mycompany.com

LDAP Server:      oserver1.mycompany.com
LDAP Base DN:     dc=my-domain,dc=com

Client Machine:   server2.mycompany.com

NOTE:
1) Ensure that time is synchronized between all the machines. Kerberos requires accurate time synchronization to work properly.
2) Ensure that host name resolution is working. Configure a DNS server or /etc/hosts.

Perform the following steps on the client machine:

1) Install packages
[root@server2 ~]# yum install sssd* openldap-clients pam_krb5 krb5-workstation

2) Configure LDAP
[root@server2 ~]# authconfig --enableldap --ldapserver="ldap://oserver1.mycompany.com:389" --ldapbasedn="dc=my-domain,dc=com" --update

Where,
--enableldap -> Use LDAP as an identity store. Configures user information services in /etc/nsswitch.conf.

--ldapserver="ldap://oserver1.mycompany.com:389" -> The URL of the LDAP Server. This usually requires both the host name and port number of the LDAP server.

--ldapbasedn="dc=my-domain,dc=com" -> Gives the root suffix or distinguished name (DN) for the user directory. All of the user entries will exist below this parent entry.


3) Test connection to LDAP server. We assume that an entry for user 'katrina' is present in the LDAP database.
[root@server2 ~]# ldapsearch '(uid=katrina)'


4) Configure Kerberos
[root@server2 ~]# authconfig --enablekrb5 --krb5realm MYCOMPANY.COM --krb5kdc meru.mycompany.com --krb5adminserver meru.mycompany.com --update

Where,
--enablekrb5 -> Enable Kerberos authentication.

--krb5realm MYCOMPANY.COM  -> Kerberos realm
 
--krb5kdc meru.mycompany.com -> Host name of the Kerberos KDC Server

--krb5adminserver meru.mycompany.com -> Host name of the Kerberos admin server


5) Create a user principal for 'katrina' in the Kerberos database.
[root@server2 ~]# kadmin -p shabbir/admin -w shabbir
Authenticating as principal shabbir/admin with password.
kadmin:  add_principal katrina
WARNING: no policy specified for katrina@MYCOMPANY.COM; defaulting to no policy
Enter password for principal "katrina@MYCOMPANY.COM":
Re-enter password for principal "katrina@MYCOMPANY.COM":
Principal "katrina@MYCOMPANY.COM" created.

6) Verify Kerberos Operation
[root@server2 ~]# kinit katrina
Password for katrina@MYCOMPANY.COM:

[root@server2 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: katrina@MYCOMPANY.COM

Valid starting       Expires              Service principal
06/06/2015 10:51:37  06/07/2015 10:51:37  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
    renew until 06/06/2015 10:51:37

[root@server2 ~]# kdestroy


7) Create the home directory on first login (if it does not exist).
[root@server2 ~]# authconfig --enablemkhomedir --update

8) Verify configuration changes
[root@server2 ~]# authconfig --test

9) Comment out the entry for user 'katrina' in /etc/passwd, if one exists (a local entry takes precedence over the LDAP entry).

10) Run the following command to verify that user information retrieval from the LDAP server is working.
[root@server2 ~]# getent passwd katrina
katrina:x:1002:1002::/home/katrina:/bin/bash

11) Log in as user 'katrina' and enter the password that was set for the user principal 'katrina' in the Kerberos database.
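As an added example (not part of the original post), here is a small POSIX shell script that checks the configuration files the authconfig commands above should have written, including the step 9 condition that no local /etc/passwd entry shadows the LDAP user. The layout it expects (sss in /etc/nsswitch.conf, default_realm in /etc/krb5.conf, id_provider = ldap and auth_provider = krb5 in /etc/sssd/sssd.conf) is my assumption about what authconfig produces on RHEL 7, and the script name verify-auth.sh is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Each check takes a file path so
# it can run against copies of the files; with no path it reads the live file.
# Assumed layout: what authconfig writes on RHEL 7 when SSSD is installed.

# 0 if both the passwd and group databases are served through sss.
nsswitch_uses_sss() {
    f="${1:-/etc/nsswitch.conf}"
    grep -Eq '^[[:space:]]*passwd:.*([[:space:]]|:)sss([[:space:]]|$)' "$f" &&
    grep -Eq '^[[:space:]]*group:.*([[:space:]]|:)sss([[:space:]]|$)' "$f"
}

# 0 if krb5.conf names $1 as default_realm (dots in the realm are escaped).
krb5_default_realm_is() {
    realm_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    f="${2:-/etc/krb5.conf}"
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*${realm_re}[[:space:]]*$" "$f"
}

# 0 if the SSSD domain takes identities from LDAP and authenticates via Kerberos.
sssd_uses_ldap_krb5() {
    f="${1:-/etc/sssd/sssd.conf}"
    grep -Eq '^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*ldap[[:space:]]*$' "$f" &&
    grep -Eq '^[[:space:]]*auth_provider[[:space:]]*=[[:space:]]*krb5[[:space:]]*$' "$f"
}

# 0 if user $1 has no local passwd entry (step 9). nsswitch lists "files"
# before "sss", so a local entry would shadow the LDAP account and its
# password would be checked locally instead of against the KDC.
no_local_passwd_entry() {
    f="${2:-/etc/passwd}"
    ! grep -q "^$1:" "$f"
}

# Run every check against the live files; returns non-zero if any failed.
check_all() {
    realm="$1"; user="$2"; rc=0
    nsswitch_uses_sss              && echo "ok   nsswitch: passwd/group via sss"    || { echo "FAIL nsswitch"; rc=1; }
    krb5_default_realm_is "$realm" && echo "ok   krb5.conf: default_realm $realm"   || { echo "FAIL krb5.conf realm"; rc=1; }
    sssd_uses_ldap_krb5            && echo "ok   sssd.conf: ldap id, krb5 auth"    || { echo "FAIL sssd.conf providers"; rc=1; }
    no_local_passwd_entry "$user"  && echo "ok   no local passwd entry for $user" || { echo "FAIL $user also in /etc/passwd"; rc=1; }
    return $rc
}

# Usage on the client (hypothetical file name): sh verify-auth.sh --check MYCOMPANY.COM katrina
if [ "${1:-}" = "--check" ]; then
    check_all "${2:-MYCOMPANY.COM}" "${3:-katrina}"
    exit $?
fi
```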
