The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Setting up a Kerberos client on a system allows it to use Kerberos to authenticate users who are defined in NIS or LDAP, and to provide secure remote access by using commands such as ssh with GSS-API enabled or the Kerberos implementation of telnet.
To set up a system as a Kerberos client:
Configure the client system to use DNS, and verify that both forward and reverse name lookups work for the host names and IP addresses of both the client and the Kerberos server. Kerberos derives service principal names such as host/client.mydom.com@MYDOM.COM from the canonical host name, so forward and reverse records that disagree lead to requests for a principal that exists in neither the KDC nor the keytab.
For more information about configuring DNS, see Chapter 13, Name Service Configuration.
Configure the system to use a network time synchronization protocol such as the Network Time Protocol (NTP). Kerberos requires that the system time on Kerberos servers and clients is synchronized as closely as possible: if the clocks of the KDC and a client differ by more than 300 seconds (the default clockskew), authentication fails.
To configure the system as an NTP client:

Install the ntp package:

# yum install ntp

Edit /etc/ntp.conf and configure the settings as required. See the ntp.conf(5) manual page and http://www.ntp.org.

Start the ntpd service and configure it to start following system reboots:

# service ntpd start
# chkconfig ntpd on
Install the krb5-libs and krb5-workstation packages:

# yum install krb5-libs krb5-workstation
Copy the /etc/krb5.conf file to the system from the Kerberos server.

Use the Authentication Configuration GUI or authconfig to set up the system to use Kerberos with either NIS or LDAP, for example:

# authconfig --enablenis --enablekrb5 --krb5realm=MYDOM.COM \
    --krb5adminserver=krbsvr.mydom.com --krb5kdc=krbsvr.mydom.com \
    --update
On the Kerberos KDC, use either kadmin or kadmin.local to add a host principal for the client, for example:

# kadmin.local -q "addprinc -randkey host/client.mydom.com"

On the client system, use kadmin to cache the key for its host principal in /etc/kadm5.keytab, for example:

# kadmin -q "ktadd -k /etc/kadm5.keytab host/client.mydom.com"

Note that the default keytab read by GSS-API services such as sshd is /etc/krb5.keytab. If you store the host key in a different file, either set default_keytab_name in the [libdefaults] section of /etc/krb5.conf or export KRB5_KTNAME with that path in the service's environment. The keytab contains the host's long-term key, so keep it owned by root with mode 0600. You can confirm that the key was stored with klist -k followed by the keytab path.

To use ssh and related OpenSSH commands to connect from one Kerberos client system to another:
On the remote Kerberos client system, verify that GSSAPIAuthentication is enabled in /etc/ssh/sshd_config:

GSSAPIAuthentication yes

On the local Kerberos client system, enable GSSAPIAuthentication and GSSAPIDelegateCredentials in the user's .ssh/config file:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Alternatively, the user can specify the -K option to ssh, which turns on both settings for that connection. Delegate credentials only to hosts you trust: a forwarded ticket-granting ticket lets the remote host act as the user toward any other Kerberos service.
Test that the principal can obtain a ticket and connect to the remote system, for example:

$ kinit principal_name@MYDOM.COM
$ ssh username@remote.mydom.com

Running klist between the two commands shows whether the ticket-granting ticket was cached, which separates a KDC or clock problem from an sshd configuration problem.
To allow use of the Kerberos versions of rlogin, rsh, and telnet, which are provided in the krb5-appl-clients package, you must enable the corresponding services on the remote client system.
For more information, see the kadmin(1) manual page.
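The procedure above is a sequence of manual commands with several silent failure modes: forward and reverse DNS that disagree, a clock that has drifted past the 300-second limit, a host key that was written to a keytab sshd does not read, and GSSAPIAuthentication left at its default. The following pre-flight script is an added example and is not part of the Oracle documentation. The host names, realm and keytab path are placeholders taken from the examples above; it assumes getent, ntpq and klist are present, as they are after the package steps above. Each check is a small function that reads its input from arguments or stdin, so the same logic can be exercised against captured output without a KDC, and run_checks wires the functions to the live system.

```shell
#!/bin/sh
# Kerberos client pre-flight checks. Added example, not from the Oracle
# documentation. Placeholder values below match the procedure's examples.

CLIENT_FQDN=${CLIENT_FQDN:-client.mydom.com}
KDC_FQDN=${KDC_FQDN:-krbsvr.mydom.com}
REALM=${REALM:-MYDOM.COM}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}   # the keytab sshd reads by default
MAX_SKEW=300                         # libkrb5 default clockskew, seconds

# Forward lookup of $1 must give an address whose reverse lookup is $1 again.
# getent goes through nsswitch, so /etc/hosts entries are honoured too.
dns_roundtrip() {
  ip=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
  [ -n "$ip" ] || { echo "FAIL: no address for $1"; return 1; }
  back=$(getent hosts "$ip" | awk '{ print $2; exit }')
  [ "$back" = "$1" ] || { echo "FAIL: $ip resolves back to '$back', not $1"; return 1; }
}

# $1 is a clock offset in seconds (negative or fractional allowed).
# Kerberos rejects requests once |offset| exceeds the clockskew limit.
skew_ok() {
  awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}

# Reads `ntpq -pn` output from stdin. A peer line that starts with "*" is
# the source ntpd is currently synchronised to; no such line means no sync.
ntp_synced() {
  awk '/^\*/ { s = 1 } END { exit !s }'
}

# Reads sshd_config from stdin. sshd uses the FIRST uncommented occurrence
# of a keyword, and its compiled-in default for GSSAPIAuthentication is "no".
sshd_gssapi_enabled() {
  v=$(awk 'tolower($1) == "gssapiauthentication" { print tolower($2); exit }')
  [ "${v:-no}" = "yes" ]
}

# Reads `klist -k` output from stdin and checks that principal $1 is listed
# (column 2 of the entry lines; the header lines never match a principal).
keytab_has_principal() {
  awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# Live checks against this host; returns non-zero if any check fails.
run_checks() {
  rc=0
  for h in "$CLIENT_FQDN" "$KDC_FQDN"; do
    dns_roundtrip "$h" || rc=1
  done
  ntpq -pn 2>/dev/null | ntp_synced || { echo "FAIL: ntpd has no sync peer"; rc=1; }
  sshd_gssapi_enabled < /etc/ssh/sshd_config \
    || { echo "FAIL: GSSAPIAuthentication is not enabled in sshd_config"; rc=1; }
  klist -k "$KEYTAB" 2>/dev/null | keytab_has_principal "host/$CLIENT_FQDN@$REALM" \
    || { echo "FAIL: host/$CLIENT_FQDN@$REALM is missing from $KEYTAB"; rc=1; }
  [ "$rc" -eq 0 ] && echo "all checks passed"
  return "$rc"
}

# Only touch the live system when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Run it as root with sh krb-preflight.sh --run on the client after the ktadd step; a non-zero exit with a FAIL line points at the prerequisite to fix before attempting kinit and ssh. The offset for skew_ok can be taken from ntpq -pn (the offset column is in milliseconds there) or from ntpdate -q against the KDC.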