This post shows how to log in to your favorite operating system using Kerberos authentication.
I assume that you are in a Linux environment (for example Ubuntu) and that you already have one KDC running for the realm EXAMPLE.COM.
Here we are going to build a virtual machine to show how to configure that.

login on Ubuntu

Prerequisites

Install Vagrant and VirtualBox and check your versions:

$ vagrant --version
Vagrant 2.0.3
$ vboxmanage --version
5.1.36r122089

Create Vagrantfile

First download the box and create a Vagrantfile template:

vagrant init ubuntu/xenial64

Uncomment the line for private_network:

config.vm.network "private_network", ip: "192.168.33.10"

Choose the virtual machine name shown in the VirtualBox UI by adding these lines:

config.vm.provider :virtualbox do |vb|
    vb.name = "krb5-ubuntu-16.04"
end

See the Vagrantfile.

Build virtual machine

Run:

vagrant up

If the local Vagrant box ubuntu/xenial64 doesn't exist, it downloads the box from Vagrant Cloud:

https://app.vagrantup.com/ubuntu/boxes/xenial64

Then it creates a .vagrant folder in the current working directory and creates the associated virtual machine.

krb5-ubuntu-16.04 virtualbox

Access the virtual machine

From terminal:

vagrant ssh

From the VirtualBox UI:

login/password: vagrant/vagrant

Configure virtual machine

Launch these commands on the created virtual machine:

sudo apt update
sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Press Enter to continue without giving a Kerberos realm.

Append the following line to /etc/hosts:

<ip_addr_v4>        krb5-kdc-server.example.com krb5-kdc-server

where <ip_addr_v4> is the IPv4 address of your Key Distribution Center (KDC).

Override the current Kerberos client configuration /etc/krb5.conf with:

[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_canonicalize_hostname = false

[realms]
    EXAMPLE.COM = {
        kdc = krb5-kdc-server.example.com
        admin_server = krb5-kdc-server.example.com
        default_domain = EXAMPLE.COM
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

You can check in /etc/pam.d/common-auth that the entry pam_krb5.so is present.
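The steps above (package install, /etc/hosts entry, /etc/krb5.conf, pam_krb5.so check) can be turned into a Vagrant shell provisioner so the VM is rebuilt reproducibly. The script below is an added example, not code from the original post: it uses the realm and KDC host name from the post, a placeholder KDC IPv4 (192.0.2.10) that must be replaced, and a ROOT variable so the file-writing steps can be exercised against a scratch directory instead of the real /etc. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a Vagrant shell provisioner that
# performs the "Configure virtual machine" steps without prompts.
# Assumptions: realm EXAMPLE.COM, KDC host name from the post, and a placeholder
# KDC IPv4 (192.0.2.10) that you must replace. ROOT lets the file-writing steps
# be exercised against a scratch directory instead of the real /etc.
REALM="${REALM:-EXAMPLE.COM}"
KDC_HOST="${KDC_HOST:-krb5-kdc-server.example.com}"
KDC_IP="${KDC_IP:-192.0.2.10}"   # placeholder, set to your KDC's address
ROOT="${ROOT:-}"                 # "" means the real system

# ensure_hosts_entry FILE IP FQDN SHORT -> appends "IP FQDN SHORT" unless FQDN
# is already listed on an uncommented line (so re-provisioning stays idempotent)
ensure_hosts_entry() {
    file=$1; ip=$2; fqdn=$3; short=$4
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if [ -f "$file" ] && grep -qE "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$file"; then
        return 0
    fi
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" >> "$file"
}

# render_krb5_conf REALM KDC -> prints the /etc/krb5.conf used in the post
render_krb5_conf() {
    realm=$1; kdc=$2
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_canonicalize_hostname = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
        default_domain = $realm
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# install_packages -> the apt step; the noninteractive frontend skips the
# krb5-config realm prompt (the post says to press Enter there anyway)
install_packages() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -q && apt-get install -y -q krb5-user libpam-krb5 libpam-ccreds auth-client-config
}

# provision -> writes the hosts entry and krb5.conf under $ROOT and checks that
# pam-auth-update (run by the libpam-krb5 package) enabled pam_krb5.so
provision() {
    mkdir -p "$ROOT/etc"
    ensure_hosts_entry "$ROOT/etc/hosts" "$KDC_IP" "$KDC_HOST" "${KDC_HOST%%.*}"
    render_krb5_conf "$REALM" "$KDC_HOST" > "$ROOT/etc/krb5.conf"
    pam="$ROOT/etc/pam.d/common-auth"
    if [ -f "$pam" ] && ! grep -q 'pam_krb5\.so' "$pam"; then
        echo "warning: pam_krb5.so not referenced in $pam; run pam-auth-update" >&2
    fi
}

# The real system is only modified when explicitly asked for, e.g. from the
# Vagrantfile: config.vm.provision "shell", path: "provision.sh", args: "--apply"
case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        install_packages
        provision
        ;;
esac
```

Running the script without --apply does nothing to the system, so it can be sourced and its functions exercised with ROOT pointing at a temporary directory before it is wired into the Vagrantfile.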

Then change your Vagrantfile:

config.vm.box = "krb5-ubuntu-16.04"

Configure your KDC

Add the principal on your KDC:

kadmin.local -q "add_principal -pw 'password' vagrant@EXAMPLE.COM"

You can test the connection from your virtual machine to the KDC with:

kinit vagrant@EXAMPLE.COM

It is important that the system user name and the first component of the Kerberos principal name are identical, here vagrant, so that the vagrant user can log in with the Kerberos password (here password) instead of the system password (vagrant).
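Before rebooting to test the login, it is worth checking the pieces configured above as a whole: that /etc/krb5.conf names a default_realm and a KDC for it, that the KDC host name has an /etc/hosts entry (dns_canonicalize_hostname is disabled, so the name must resolve locally), that common-auth loads pam_krb5.so, and that the principal's first component matches the local user as explained in the previous paragraph. The script below is an added example, not code from the original post; its function names, the placeholder KDC IPv4 (192.0.2.10) and the sample files it builds for its demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the client
# setup described above, to run before testing the Kerberos login. It verifies:
#   1. /etc/krb5.conf names a default_realm and a kdc for that realm
#   2. that KDC host has an entry in /etc/hosts
#   3. /etc/pam.d/common-auth loads pam_krb5.so
#   4. the principal's first component equals the local login name
# All function names and the sample values are this example's own.

# krb5_default_realm FILE -> prints the default_realm value (empty if none)
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# krb5_kdc_for_realm FILE REALM -> prints the first kdc inside "REALM = { ... }"
# (a trailing :port is stripped so the name can be looked up in /etc/hosts)
krb5_kdc_for_realm() {
    awk -v realm="$2" '
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1; next }
        inblock && $1 == "}"                  { inblock = 0 }
        inblock && $1 == "kdc" && $2 == "="   { sub(/:[0-9]+$/, "", $3); print $3; exit }
    ' "$1"
}

# hosts_has FILE NAME -> succeeds if NAME appears as a host name on an active line
hosts_has() {
    grep -v '^[[:space:]]*#' "$1" | awk -v h="$2" '
        { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }'
}

# pam_uses_krb5 FILE -> succeeds if an active line references pam_krb5.so
pam_uses_krb5() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_krb5\.so'
}

# principal_matches_user PRINCIPAL USER -> succeeds if the first component of
# PRINCIPAL (before any /instance or @REALM) equals USER
principal_matches_user() {
    first=${1%%@*}
    first=${first%%/*}
    [ "$first" = "$2" ]
}

# run_checks PRINCIPAL USER [KRB5_CONF] [HOSTS] [PAM_AUTH]
# prints one line per check and returns the number of failed checks
run_checks() {
    principal=$1; user=$2
    conf=${3:-/etc/krb5.conf}; hosts=${4:-/etc/hosts}; pam=${5:-/etc/pam.d/common-auth}
    fails=0
    realm=$(krb5_default_realm "$conf")
    kdc=$(krb5_kdc_for_realm "$conf" "$realm")
    if [ -n "$realm" ] && [ -n "$kdc" ]; then
        echo "ok   realm $realm is served by $kdc"
    else
        echo "FAIL $conf lacks default_realm or a kdc for the realm"; fails=$((fails + 1))
    fi
    if [ -n "$kdc" ] && hosts_has "$hosts" "$kdc"; then
        echo "ok   $kdc has an entry in $hosts"
    else
        echo "FAIL $kdc is not in $hosts (kinit would depend on DNS)"; fails=$((fails + 1))
    fi
    if pam_uses_krb5 "$pam"; then
        echo "ok   $pam loads pam_krb5.so"
    else
        echo "FAIL $pam does not load pam_krb5.so"; fails=$((fails + 1))
    fi
    if principal_matches_user "$principal" "$user"; then
        echo "ok   principal $principal maps to local user $user"
    else
        echo "FAIL principal $principal does not match local user $user"; fails=$((fails + 1))
    fi
    return $fails
}

# Demo against constructed sample files (values copied from the post, with a
# placeholder IPv4 for the KDC). On the VM itself, run the real files with:
#   run_checks "vagrant@EXAMPLE.COM" "$(id -un)"
demo() {
    tmp=$(mktemp -d) || return 1
    printf '[libdefaults]\n    default_realm = EXAMPLE.COM\n[realms]\n    EXAMPLE.COM = {\n        kdc = krb5-kdc-server.example.com\n    }\n' > "$tmp/krb5.conf"
    printf '127.0.0.1 localhost\n192.0.2.10 krb5-kdc-server.example.com krb5-kdc-server\n' > "$tmp/hosts"
    printf '# comment\nauth [success=2 default=ignore] pam_krb5.so minimum_uid=1000\n' > "$tmp/common-auth"
    run_checks vagrant@EXAMPLE.COM vagrant "$tmp/krb5.conf" "$tmp/hosts" "$tmp/common-auth"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
demo
```

The exit status of run_checks is the number of failed checks, so a zero result means the reboot-and-login test below should succeed as far as the client side is concerned; a non-zero result points at the file to fix first.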

Test kerberos login

Use the VirtualBox UI to restart the virtual machine krb5-ubuntu-16.04.

Log in with the vagrant user and the Kerberos password.

You can see your Kerberos credentials with:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000_uzgYyG
Default principal: vagrant@EXAMPLE.COM

Valid starting       Expires              Service principal
04/23/2018 21:22:18  04/24/2018 07:22:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/24/2018 21:22:18

You can use Wireshark to capture the network exchange and check that the Kerberos connection is made.

capture kerberos protocol with wireshark

Export Virtual Machine

vagrant package --vagrantfile ./Vagrantfile --output krb5-ubuntu-16.04.box

It creates the krb5-ubuntu-16.04.box file. This box is a large file, about 300 MB, which is why I don't push it to GitHub:

GitHub will warn you when pushing files larger than 50 MB. You will not be allowed to push files larger than 100 MB.

I pushed it to Vagrant Cloud:

https://app.vagrantup.com/glegoux/boxes/krb5-ubuntu-16.04.box

If you don't rebuild the .box locally, replace krb5-ubuntu-16.04.box with glegoux/krb5-ubuntu-16.04.box.

Import Virtual Machine

Destroy your previous VM, Vagrantfile and .vagrant folder. You can use vagrant destroy.

You can rebuild it directly from the box file. Download krb5-ubuntu-16.04.box and the Vagrantfile.

vagrant box add krb5-ubuntu-16.04 ./krb5-ubuntu-16.04.box
vagrant box list
vagrant up

See the status:

vagrant status

Stop the default virtual machine:

vagrant halt

Written by Gilles Legoux (glegoux) - Software Engineer.