
I don't understand Kerberos. From a YouTube video, I configured Kerberos and got an error. I created a principal for the client from the KDC server.

But from the client side, for the root user it shows:

[root@client ~]# kadmin
Authenticating as principal root/admin@CSE.LOCAL with password.
Password for root/admin@CSE.LOCAL: 
kadmin: Communication failure with server while initializing kadmin interface

[root@client ~]# kinit
kinit: Client 'root@CSE.LOCAL' not found in Kerberos database while getting initial credentials

And for another user (client side) it shows:

[client@client ~]$ kadmin
Couldn't open log file /var/log/kadmind.log: Permission denied
Authenticating as principal client/admin@CSE.LOCAL with password.

kadmin: Client 'client/admin@CSE.LOCAL' not found in Kerberos database while initializing kadmin interface

[client@client ~]$ kinit
kinit: Client 'client@CSE.LOCAL' not found in Kerberos database while getting initial credentials

Here is my principal list:

kadmin.local:  listprincs
K/M@CSE.LOCAL
host@CSE.LOCAL
host@client.cse.local
host@server.cse.local
kadmin/admin@CSE.LOCAL
kadmin/changepw@CSE.LOCAL
kadmin/server.cse.local@CSE.LOCAL
kiprop/server.cse.local@CSE.LOCAL
krbtgt/CSE.LOCAL@CSE.LOCAL
root/admin@CSE.LOCAL
root@client.cse.local
root@clint.cse.local
server/admin@CSE.LOCAL
server@CSE.LOCAL
server@server.cse.local

Configuration file of the KDC server (/etc/krb5.conf):

includedir /etc/krb5.conf.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
  default_realm = CSE.LOCAL
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  CSE.LOCAL = {
    kdc = server.cse.local
    admin_server = server.cse.local
  }

[domain_realm]
  .cse.local = CSE.LOCAL
  cse.local = CSE.LOCAL

/var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88

[realms]
  CSE.LOCAL = {
    master_key_type = aes256-cts
    default_principal_flags = +preauth
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }

Client side /etc/krb5.conf configuration:

includedir /etc/krb5.conf.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
  default_realm = CSE.LOCAL
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  CSE.LOCAL = {
    kdc = server.cse.local
    admin_server = server.cse.local
  }

[domain_realm]
  .cse.local = CSE.LOCAL
  cse.local = CSE.LOCAL

NTP is working perfectly.

I also added the Kerberos server and TCP & UDP port 88 on both sides. DNS is also working correctly. What can I do now?

  • For the communication failure error, make sure port 749 is allowed. This port is used by kadmin. For the second error, the problem is that root@CSE.LOCAL and client@CSE.LOCAL are non-existing usernames. They're not part of the principal list either. – Lorem ipsum Sep 10 '20 at 12:31
  • Hello, dear, thanks a lot... it works fine – tamjidul islam Sep 10 '20 at 16:50
  • What did you do? Add the principal and allow port 749? – Lorem ipsum Sep 10 '20 at 16:52
  • The root user of the client server cannot get kinit.. is it a problem or is it a natural process? I have little idea about Kerberos.. I just configured it by viewing a YouTube video.. can you tell me please? – tamjidul islam Sep 10 '20 at 16:53
  • Yes, I added port 749/tcp and 749/udp on both sides... and added principals for my clients – tamjidul islam Sep 10 '20 at 16:54
  • Does kinit work for other users on the client server? What is the error message you are getting with root? – Lorem ipsum Sep 10 '20 at 17:07
  • Alright.... it works for all... actually I added root@CSE.LOCAL, then it works.. but one thing I don't know.. how do these things work? The thing is: whenever I type kinit for any kind of user and then type klist, it shows me a new time ticket.. is that the rule??? – tamjidul islam Sep 10 '20 at 17:12
  • I don't fully understand your question, but whenever you execute kinit for a user, this user gets a new TGT, which you can see with klist. So yes, the new TGT is valid longer than the old one. – Lorem ipsum Sep 10 '20 at 17:25
  • I want to know the full process... how exactly it works... why is kinit needed within my same server?? Can you please help me understand this Kerberos process – tamjidul islam Sep 10 '20 at 17:27
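A small diagnostic, added here as an example and not code from the question or from MIT Kerberos, that checks the explanation given in the comments: it parses the realm settings from a krb5.conf and a kadmin `listprincs` dump, then reports for a local user whether the principal that `kinit` (user@REALM) and `kadmin` (user/admin@REALM) will ask for actually exists, and which host kadmin will contact on 749/tcp. The config text and principal list are constructed from the question.

```python
import re

# Constructed: trimmed copy of the client's /etc/krb5.conf from the question.
KRB5_CONF = """
[libdefaults]
 default_realm = CSE.LOCAL
[realms]
 CSE.LOCAL = {
  kdc = server.cse.local
  admin_server = server.cse.local
 }
"""
# Constructed: subset of the kadmin.local `listprincs` output from the question.
LISTPRINCS = """root/admin@CSE.LOCAL
root@client.cse.local
server@CSE.LOCAL
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: {key: value}}) from krb5.conf-style text."""
    default_realm, realms, section, cur = None, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # blank or comment line
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):   # a new [section] header
            section, cur = m.group(1), None
        elif section == "realms" and line.endswith("{"):
            cur = line[:-1].split("=")[0].strip()   # "CSE.LOCAL = {" -> realm name
            realms[cur] = {}
        elif line == "}":
            cur = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = val
            elif section == "realms" and cur:
                realms[cur][key] = val
    return default_realm, realms

def check_user(user, conf_text=KRB5_CONF, listprincs_text=LISTPRINCS):
    """Report whether kinit/kadmin for a local user can find their principal."""
    realm, realms = parse_krb5_conf(conf_text)
    known = {l.strip() for l in listprincs_text.splitlines() if l.strip()}
    return {
        "kinit": f"{user}@{realm}" in known,         # kinit defaults to user@REALM
        "kadmin": f"{user}/admin@{realm}" in known,  # kadmin defaults to user/admin@REALM
        "admin_server": realms.get(realm, {}).get("admin_server"),  # kadmin host, 749/tcp
    }
```

For `root` this reproduces the question: kadmin finds root/admin@CSE.LOCAL (so its failure is the connection to server.cse.local, i.e. port 749), while kinit fails because root@CSE.LOCAL is not in the database.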
