Kerberos server settings

Main Kerberos server setup

TIP
The procedure described in this section can also be used to swap the roles of the main and secondary KDC, if needed.
  1. To install the Kerberos server package to the server, run the command:

    $ sudo yum install -y krb5-server pam_krb5 krb5-workstation xinetd
  2. To change the configuration, edit the /etc/krb5.conf file:

    krb5.conf
    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    default_realm = ADREALM.IO
    default_ccache_name = KEYRING:persistent:%{uid}
    [realms]
    ADREALM.IO = {
    kdc = kerberos-primary-host.ru-central1.internal #primary KDC host
    kdc = kerberos-secondary-host.ru-central1.internal #secondary KDC host
    admin_server = kerberos-primary-host.ru-central1.internal
    }
    [domain_realm]
    .adrealm.io = ADREALM.IO
    adrealm.io  = ADREALM.IO
  3. You also need to edit the /var/kerberos/krb5kdc/kdc.conf file:

    kdc.conf
    [kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88
    
    [realms]
    ADREALM.IO = {
    #master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }
  4. The last file that should be edited before the Kerberos database setup is /var/kerberos/krb5kdc/kadm5.acl:

    kadm5.acl
    */admin@ADREALM.IO *
  5. Now you have to configure the Kerberos database. For this, use the kdb5_util utility:

    $ sudo kdb5_util create -s -r ADREALM.IO
  6. Remember the KDC master key password you entered, then enable and start the services:

    $ sudo systemctl enable kadmin
    $ sudo systemctl enable krb5kdc
    $ sudo systemctl start kadmin
    $ sudo systemctl start krb5kdc
  7. Now create the new principals. A host principal is needed for every KDC instance. To do this, use the Kerberos administrator console (the commands after kadmin.local are typed at its prompt):

    $ sudo kadmin.local
    kadmin.local:  addprinc root/admin
    kadmin.local:  addprinc -randkey host/kerberos-primary-host.ru-central1.internal
    kadmin.local:  addprinc -randkey host/kerberos-secondary-host.ru-central1.internal
    kadmin.local:  ktadd host/kerberos-primary-host.ru-central1.internal
  8. Still in the kadmin.local console on the main Kerberos server, generate the keytab of the secondary Kerberos server:

    kadmin.local:  ktadd -k /tmp/kerberos-secondary-host.keytab host/kerberos-secondary-host.ru-central1.internal

Secondary Kerberos server setup for high availability

  1. Install the necessary packages to the second server:

    $ sudo yum install -y krb5-server krb5-workstation xinetd
  2. To enable password authentication, uncomment the following line in the /etc/ssh/sshd_config file:

    PasswordAuthentication yes
  3. Restart the service:

    $ sudo systemctl restart sshd
  4. Copy the secondary server keytab file (generated in step 8 of the main server setup) to the secondary KDC host:

    $ sudo scp /tmp/kerberos-secondary-host.keytab <user>@<ip address>:/tmp/
  5. On the secondary host, move the keytab file to the /etc/ directory and rename it:

    $ sudo cp /tmp/kerberos-secondary-host.keytab /etc/krb5.keytab
  6. The principal database is transferred from the main KDC to the KDC replicas by the kpropd daemon. You have to specify which host principals are allowed to take part in the propagation of the database dumps (each dump contains the complete current database). To do this, create the kpropd.acl file in the KDC state directory (/var/kerberos/krb5kdc). The kpropd.acl file lists the host principal of every KDC:

    $ sudo vi /var/kerberos/krb5kdc/kpropd.acl
  7. Add the following lines to kpropd.acl:

    host/kerberos-primary-host.ru-central1.internal@ADREALM.IO
    host/kerberos-secondary-host.ru-central1.internal@ADREALM.IO
    NOTE
    If you expect that the primary and secondary KDC might swap their places, you should specify the host addresses of all KDC servers in the kpropd.acl files on every KDC. Otherwise, you have to specify only the primary host in the kpropd.acl files on KDC replicas.
  8. You should copy the following files from the primary KDC host to the secondary KDC host:

    • krb5.conf

    • kdc.conf

    • kadm5.acl

    • master key stash file

  9. Move the copied files to the corresponding directories. The file and directory layout must be exactly the same as on the primary KDC.

    TIP
    The kadm5.acl file is needed to allow the replica to communicate with the primary KDC.
  10. Run the following commands on the primary server:

    $ sudo scp /etc/krb5.conf <user>@<ip address>:/tmp/
    $ sudo scp /var/kerberos/krb5kdc/kdc.conf <user>@<ip address>:/tmp/
    $ sudo scp /var/kerberos/krb5kdc/kadm5.acl <user>@<ip address>:/tmp/
    $ sudo scp /var/kerberos/krb5kdc/.k5.ADREALM.IO <user>@<ip address>:/tmp/
    $ sudo scp /var/kerberos/krb5kdc/kpropd.acl <user>@<ip address>:/tmp/
  11. Run the following commands on the secondary server:

    $ sudo cp /tmp/krb5.conf /etc/
    $ sudo cp /tmp/kdc.conf /var/kerberos/krb5kdc/
    $ sudo cp /tmp/kadm5.acl /var/kerberos/krb5kdc/
    $ sudo cp /tmp/.k5.ADREALM.IO /var/kerberos/krb5kdc/
    $ sudo cp /tmp/kpropd.acl /var/kerberos/krb5kdc/
  12. Create the /etc/xinetd.d/krb5_prop configuration file:

    /etc/xinetd.d/krb5_prop
    service krb5_prop
    {
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/kpropd
    only_from = 0.0.0.0/0
    log_on_success = PID HOST EXIT DURATION
    }
  13. Add the following line (if it’s missing) to the /etc/services file on every KDC:

    krb5_prop       754/tcp               # Kerberos replica propagation
  14. Run the following command:

    $ sudo systemctl restart xinetd
  15. Before you copy the database, create the database dump file on the primary KDC:

    $ sudo kdb5_util dump /var/kerberos/krb5kdc/slavedump
  16. Copy the database manually to every KDC replica:

    $ sudo kprop -f /var/kerberos/krb5kdc/slavedump kerberos-secondary-host.ru-central1.internal

    The result should look like this:

    Database propagation to kerberos-secondary-host.ru-central1.internal: SUCCEEDED
  17. Run KDC on the secondary host:

    $ sudo systemctl enable krb5kdc
    $ sudo systemctl start krb5kdc
  18. Enter the kadmin.local console and run the listprincs command to view the list of principals; make sure it is the same as the list on the primary host.

To synchronize the principal database regularly, create a cron job. A sample script is below:

#!/bin/sh
# Dump the principal database on the primary KDC and propagate it to every KDC in the list.
# A shell assignment must not have spaces around '='.
kdclist="kerberos-primary-host.ru-central1.internal kerberos-secondary-host.ru-central1.internal"
dump=/var/kerberos/krb5kdc/slavedump

# Stop if the dump itself fails; there is nothing valid to propagate.
kdb5_util dump "$dump" || exit 1
for kdc in $kdclist
do
    kprop -f "$dump" "$kdc" || echo "propagation to $kdc failed" >&2
done
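As an added check before scheduling the job above (this script is not part of the original page or the product), the following Python code parses the [realms] block of a krb5.conf text, reports every KDC whose host principal is absent from kpropd.acl (kpropd refuses propagation from principals it does not list, which matters when the KDCs swap roles), and flags deprecated enctypes in a kdc.conf supported_enctypes value. The sample texts and the function names are constructed for this example.

```python
import re

# Constructed sample inputs in the layout this page uses (not read from a real host).
KRB5_CONF = """\
[realms]
ADREALM.IO = {
kdc = kerberos-primary-host.ru-central1.internal #primary KDC host
kdc = kerberos-secondary-host.ru-central1.internal #secondary KDC host
admin_server = kerberos-primary-host.ru-central1.internal
}
"""
KPROPD_ACL = "host/kerberos-primary-host.ru-central1.internal@ADREALM.IO\n"
SUPPORTED_ENCTYPES = "aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal"
# Single-DES, triple-DES and RC4 enctypes are deprecated for Kerberos (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
                 "des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-exp"}

def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()

def parse_realm_kdcs(conf, realm):
    """Return the 'kdc =' hosts (port suffix removed) of `realm` from a krb5.conf text."""
    kdcs, section, in_block = [], None, False
    for line in map(_strip, conf.splitlines()):
        if line.startswith("["):
            section = line
        elif section == "[realms]" and not in_block:
            in_block = re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line) is not None
        elif in_block:
            if line == "}":
                break
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                kdcs.append(value.strip().split(":")[0])
    return kdcs

def missing_kpropd_entries(conf, acl, realm):
    """Host principals of every KDC in `realm` that the kpropd.acl text does not list."""
    listed = {l for l in map(_strip, acl.splitlines()) if l}
    return [p for p in (f"host/{h}@{realm}" for h in parse_realm_kdcs(conf, realm))
            if p not in listed]

def weak_enctypes(supported):
    """Deprecated enctype names found in a kdc.conf supported_enctypes value."""
    return [e.split(":")[0] for e in supported.split() if e.split(":")[0] in WEAK_ENCTYPES]

if __name__ == "__main__":
    print("missing from kpropd.acl:", missing_kpropd_entries(KRB5_CONF, KPROPD_ACL, "ADREALM.IO"))
    print("deprecated enctypes:", weak_enctypes(SUPPORTED_ENCTYPES))
```

To check a real host, read the three files from the paths given in this section and pass their contents to the same functions.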

An example of ADCM settings for the case of several KDC hosts:

KDC hosts settings