Security Guide : 9. Configuring Vector to Use Kerberos : How to Configure Kerberos to Authenticate against Active Directory on Windows
How to Configure Kerberos to Authenticate against Active Directory on Windows
This section is for users who want a Kerberos client on the Vector Linux server to authenticate against a Windows Active Directory domain controller acting as the KDC.
The minimum steps required to configure Kerberos on Vector to authenticate against Active Directory/KDC on Windows are as follows.
Active Directory/KDC (Windows)
1. Enable the Active Directory feature on the Windows machine to install Active Directory.
2. Configure Active Directory: Provide forest name and add users/groups to the domain.
3. Create a keytab file for the principals described in this chapter:
ktpass /princ host/fully_qualified_Vector_host_name@DOMAIN.COM /mapuser user /pass password /out krb5-1.keytab
ktpass /princ $ingres/fully_qualified_Vector_host_name@DOMAIN.COM /mapuser user /pass password /in krb5-1.keytab /out krb5-2.keytab
where:
fully_qualified_Vector_host_name is the fully qualified name of the Vector Linux server being configured.
DOMAIN.COM is your domain.
user is the installation owner that is also a user in Active Directory.
password is the password you specified for the installation owner in the Active Directory Domain Controller. (The installation owner must be added to the Domain Controller user list.)
Vector Server (Linux)
1. Install Kerberos client:
yum install krb5-workstation
2. Configure /etc/krb5.conf as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = EXAMPLE.COM
 
[realms]
EXAMPLE.COM = {
  kdc = domain_srv.example.com
  admin_server = domain_srv.example.com
  default_domain = example.com
}
 
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
where EXAMPLE.COM is your Windows domain name or realm and domain_srv is the Active Directory Domain Server name.
3. Shut down Vector.
4. Run iisukerberos: Choose "Client Kerberos authentication", "a" to add client-level Kerberos authentication, and then return and 0 to exit.
5. Copy krb5-2.keytab to Linux client machine where Vector is installed.
6. Set read-only permission on the krb5-2.keytab file for the Vector admin user (the keytab holds long-term keys, so no other user should be able to read it):
chmod 400 krb5-2.keytab
Note:  If the file is not owned by the Vector admin user, you will see misleading errors.
7. Set KRB5_KTNAME in the Vector environment to the path of the newly copied keytab:
export KRB5_KTNAME=/path/to/krb5-2.keytab
Note:  This should be added to the Vector environment file .ingVHsh (where VH is the installation ID).
8. Initialize the Vector admin principal:
kinit username@DOMAIN.COM
Enter the password when prompted.
9. Verify the ticket was issued:
klist
10. To test that Kerberos is working create a loopback node:
a. Run Netutil.
b. Create a new node and give it a name (cannot be a hostname).
c. Choose "global" for type of node.
d. Leave the Login and Password fields blank, and then Save.
e. Type in the fully qualified name of the current host (not IP address). (Update /etc/hosts if the name is not mapped correctly to IP.)
f. Enter the listen address of the current installation and then press Save.
g. Edit the newly created node and select attributes from the menu.
h. Add authentication_mechanism=kerberos, and then press Save.
i. Select newly created node, select Test, and then Connection.
If the connection succeeds, Kerberos authentication is working.
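The Netutil loopback test above exercises the whole chain, but the most common causes of a failing connection are the three Linux-side prerequisites from steps 2, 6 and 7: a krb5.conf whose default_realm or kdc entry does not match the domain, a keytab that is world-readable or owned by the wrong user, and a KRB5_KTNAME that points at a file the installation owner cannot read. The following script is an added example, not part of the Actian guide, that checks those three conditions before you start Vector. It builds a constructed sample (the krb5.conf from step 2, an empty placeholder keytab with mode 400, and a deliberately loose 644 copy) in a temporary directory so it runs offline; on a real server point the check functions at /etc/krb5.conf and your copied krb5-2.keytab instead.

```shell
#!/bin/sh
# Added example (not from the Actian guide): sanity checks for the Linux
# side of the Kerberos setup described above.  The realm and file names
# follow the steps on this page; the sample files are constructed here.

# A keytab holds long-term keys, so it should be owned by the current
# (installation owner) user and readable only by that user (mode 400/600).
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing keytab: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%U' "$f" 2>/dev/null || stat -f '%Su' "$f")
    me=$(id -un)
    [ "$owner" = "$me" ] || { echo "keytab $f owned by $owner, expected $me"; return 1; }
    case "$mode" in
        400|600) return 0 ;;
        *) echo "keytab $f has mode $mode, expected 400"; return 1 ;;
    esac
}

# Read one key from the [libdefaults] section of a krb5.conf.
krb5_libdefault() {
    conf="$1"; key="$2"
    awk -v k="$key" '
        /^\[/                          { insec = ($0 == "[libdefaults]") }
        insec && $1 == k && $2 == "="  { print $3; exit }
    ' "$conf"
}

# krb5.conf must name the expected realm and give that realm a kdc entry.
check_krb5_conf() {
    conf="$1"; realm="$2"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    got=$(krb5_libdefault "$conf" default_realm)
    [ "$got" = "$realm" ] || { echo "default_realm is '$got', expected $realm"; return 1; }
    awk -v r="$realm" '
        /^\[/                                        { insec = ($0 == "[realms]") }
        insec && $1 == r && $2 == "=" && $3 == "{"   { inrealm = 1 }
        inrealm && $1 == "}"                         { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "=" && $3 != "" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$conf" || { echo "no kdc entry for realm $realm in $conf"; return 1; }
}

# KRB5_KTNAME may be "FILE:/path" or a bare path; the file must be readable.
check_ktname() {
    kt="${KRB5_KTNAME#FILE:}"
    [ -n "$kt" ] || { echo "KRB5_KTNAME is not set"; return 1; }
    [ -r "$kt" ] || { echo "KRB5_KTNAME points to an unreadable file: $kt"; return 1; }
}

# Constructed sample environment: the krb5.conf from step 2, an empty
# placeholder keytab (no real keys) with the correct mode, and a copy
# left world-readable to show what the permission check rejects.
setup_sample() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
  kdc = domain_srv.example.com
  admin_server = domain_srv.example.com
  default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
EOF
    : > "$SAMPLE_DIR/krb5-2.keytab"
    chmod 400 "$SAMPLE_DIR/krb5-2.keytab"
    : > "$SAMPLE_DIR/loose.keytab"
    chmod 644 "$SAMPLE_DIR/loose.keytab"
    export KRB5_KTNAME="FILE:$SAMPLE_DIR/krb5-2.keytab"
}

# Run all three checks against the sample; returns non-zero if any fails.
run_checks() {
    setup_sample
    rc=0
    check_krb5_conf "$SAMPLE_DIR/krb5.conf" EXAMPLE.COM || rc=1
    check_keytab_perms "$SAMPLE_DIR/krb5-2.keytab" || rc=1
    check_ktname || rc=1
    [ "$rc" -eq 0 ] && echo "Linux-side Kerberos prerequisites look correct"
    return "$rc"
}

run_checks
```

On a live server, replace the sample paths with `/etc/krb5.conf`, your realm, and the copied krb5-2.keytab, and run the script as the installation owner so the ownership check reflects the account Vector actually runs under.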