Enabling Kerberos on a UNAB Host

Document ID : KB000029194
Last Modified Date : 14/02/2018

The steps in this document were verified on Red Hat Enterprise Linux with UNAB r12.8 against Windows Server 2012 R2, but they should apply to any other compatible environment.

Although UNAB uses Kerberos internally for its own tasks, it does not make a system Kerberos installation redundant.

Hence, if third-party applications on the host require Kerberos, the MIT Kerberos client has to be installed and configured alongside UNAB.

UNAB does, however, make the Kerberos configuration considerably easier: its uxpreinstall utility confirms all prerequisites, such as connectivity to the domain controllers and name resolution, before anything is changed.


1. On the UNAB host, in a root shell, confirm all prerequisites using uxpreinstall. Note that -w puts the administrator password on the command line, where it is visible in the process list and the shell history; use a dedicated test account and clear the history afterwards.

[root@RH5664 ~]# cd /opt/CA/uxauth/bin
[root@RH5664 ~]# ./uxpreinstall -a administrator -w <Password of the Administrator user> -d mydom.ca.com -v 3 -f result.txt

Confirm that every category (in the output and in result.txt) is reported with status S U C C E S S before continuing.

 

2. Install the Kerberos client binaries and libraries (RPMs):

krb5-libs
pam_krb5
krb5-workstation
krb5-auth-dialog
libgssapi


3. Replace the existing Kerberos configuration in /etc/krb5.conf with the realm settings UNAB already discovered, as recorded in its uxauth.ini. A bare ticket_lifetime value is in seconds, so 24000 gives a 6 h 40 min ticket lifetime, which is exactly the validity window klist shows in step 5.

[root@RH5664 ~]# cat /etc/krb5.conf
[libdefaults]

        dns_lookup_kdc = true
        ticket_lifetime = 24000
        default_realm = MYDOM.CA.COM

[domain_realm]

[realms]

MYDOM.CA.COM = {
;       DCs specified here will be always tried by Kerberos first and at least
;       one of them must be functional.  The list can be pruned if desired.
        kdc = mydc.mydom.ca.com
}


4. Amend the PAM configuration so that pam_krb5 is consulted directly after the UNAB module (pam_uxauth) in every management group.

(In this case we also set minimum_uid so that system accounts are never sent to the KDC, and request forwardable credentials so the ticket can be delegated for SSO. The file header warns that authconfig regenerates it: re-running authconfig will drop these lines and they must be re-applied afterwards.)

[root@RH5664 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth optional pam_unix.so nullok
auth sufficient pam_uxauth.so
auth sufficient pam_krb5.so minimum_uid=1000 forwardable
auth sufficient pam_unix.so nullok try_first_pass
auth optional pam_seos.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account optional pam_seos.so
account sufficient pam_uxauth.so
account required pam_uxauth.so
account sufficient pam_krb5.so minimum_uid=1000
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password sufficient pam_uxauth.so
password sufficient pam_krb5.so minimum_uid=1000
password sufficient pam_seos.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_seos.so
session required pam_uxauth.so create_homedir
session optional pam_krb5.so minimum_uid=1000
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


5. Verify the realm configuration by obtaining a TGT with kinit (klist then shows the krbtgt ticket for the realm)

[root@RH5664 ~]# klist -5
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@RH5664 ~]# kinit Administrator
Password for Administrator@MYDOM.CA.COM: adminpwd
[root@RH5664 ~]# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYDOM.CA.COM

Valid starting     Expires            Service principal
12/17/14 03:47:18  12/17/14 10:27:18  krbtgt/MYDOM.CA.COM@MYDOM.CA.COM

6. Reset the host's computer account password in AD

(Use Reset Account on the computer object in Active Directory Users and Computers. After the reset the account password equals the computer account name as displayed, in lower case, and that is the current password kpasswd asks for in the next step.)

[Screenshot: Reset Account on the computer object, Windows Server 2012 R2 DC]

 

7. Change the host account password with kpasswd and create a local keytab file

(pam_krb5 uses the keytab to verify the credentials it has just obtained: it requests a service ticket for host/<fqdn> and decrypts it with the host key stored in /etc/krb5.keytab. Without this check an attacker who can redirect KDC traffic could run a rogue KDC that issues a "valid" TGT for any password, so the keytab is what protects the password login against a man-in-the-middle KDC. The -k value passed to ktutil must match the kvno reported by kvno after the password change; rc4-hmac is used here because its key derivation needs no salt, whereas AES entries require the exact salt AD uses for the account.)

[root@RH5664 ~]# kpasswd rh5664
Password for rh5664@MYDOM.CA.COM: rh5664
Enter new password: s@cPW0s@cPW0
Enter it again: s@cPW0s@cPW0
Password changed.
[root@RH5664 ~]# kvno rh5664@MYDOM.CA.COM
rh5664@MYDOM.CA.COM: kvno = 4
[root@RH5664 ~]# ktutil
ktutil:  addent -password -p rh5664@MYDOM.CA.COM -k 4 -e rc4-hmac
Password for rh5664@MYDOM.CA.COM: s@cPW0s@cPW0
ktutil:  addent -password -p host/rh5664.mydom.ca.com@MYDOM.CA.COM -k 4 -e rc4-hmac
Password for host/rh5664.mydom.ca.com@MYDOM.CA.COM: s@cPW0s@cPW0
ktutil:  wkt /etc/krb5.keytab

 

8. Shut down UNAB so that pam_uxauth fails and the stack falls through to pam_krb5, then SSH into the box as an AD user and confirm in /var/log/secure that Kerberos authentication succeeded. The "TGT verified using key for host/..." line shows the keytab check from step 7 working.

[root@RH5664 ~]# tail /var/log/secure
...
Dec 17 04:49:58 RH5664 sshd[4774]: pam_krb5[4774]: TGT verified using key for 'host/rh5664.mydom.ca.com@MYDOM.CA.COM'
Dec 17 04:49:58 RH5664 sshd[4774]: pam_krb5[4774]: authentication succeeds for 'Administrator' (Administrator@MYDOM.CA.COM)
Dec 17 04:49:58 RH5664 sshd[4774]: Accepted password for Administrator from 192.168.1.2 port 58605 ssh2
Dec 17 04:49:58 RH5664 sshd[4774]: pam_unix(sshd:session): session opened for user Administrator by (uid=0)
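The following bash script is an added example, not part of the CA document, that turns the two things most likely to break this setup into repeatable checks: the ordering and options of the pam_krb5 lines from step 4, and whether the kvno in the keytab written in step 7 still matches what the KDC reports. It works on plain text files so it can run offline against the constructed fixtures embedded below (the file names under the temporary directory, the HOSTPRINC value and the sample klist/kvno outputs are assumptions for the example); on a real host feed it /etc/pam.d/system-auth, the output of `klist -kte /etc/krb5.keytab` and the output of `kvno host/<fqdn>@<REALM>`.

```shell
#!/bin/bash
# Added example (not from the CA KB article): sanity checks for the pam_krb5
# stack (step 4) and the host keytab (step 7).

# check_pam_stack FILE
# Returns 0 when pam_uxauth precedes pam_krb5 in the auth group, the auth
# pam_krb5 line asks for forwardable tickets, and every pam_krb5 line carries
# minimum_uid (so system accounts never reach the KDC).
check_pam_stack() {
    local file=$1 ux krb
    ux=$(grep -n '^auth[[:space:]].*pam_uxauth\.so' "$file" | head -n1 | cut -d: -f1)
    krb=$(grep -n '^auth[[:space:]].*pam_krb5\.so' "$file" | head -n1 | cut -d: -f1)
    if [ -z "$ux" ] || [ -z "$krb" ]; then
        echo "auth: pam_uxauth.so or pam_krb5.so missing" >&2; return 1
    fi
    if [ "$krb" -lt "$ux" ]; then
        echo "auth: pam_krb5.so must be listed after pam_uxauth.so" >&2; return 1
    fi
    if ! grep -q '^auth[[:space:]].*pam_krb5\.so.*forwardable' "$file"; then
        echo "auth: pam_krb5.so lacks 'forwardable' (no SSO credential)" >&2; return 1
    fi
    # any pam_krb5 line in any group without minimum_uid is a finding
    if grep '^[a-z]*[[:space:]].*pam_krb5\.so' "$file" | grep -vq 'minimum_uid=[0-9]'; then
        echo "pam_krb5.so line without minimum_uid" >&2; return 1
    fi
    return 0
}

# check_keytab_kvno LISTING KVNO_OUTPUT PRINCIPAL
# The kvno stored in the keytab for PRINCIPAL must equal the kvno the KDC
# currently reports. After another Reset Account in AD (or any password change)
# the KDC's kvno moves on, the keytab is stale, the host service ticket cannot
# be decrypted and pam_krb5 refuses every login.
check_keytab_kvno() {
    local listing=$1 kvno_out=$2 princ=$3 have want
    # klist -kte prints: KVNO  MM/DD/YY HH:MM:SS  principal (enctype)
    have=$(awk -v p="$princ" '$4 == p { print $1 }' "$listing" | sort -u)
    # kvno prints: principal: kvno = N
    want=$(awk -v p="$princ:" '$1 == p { print $NF }' "$kvno_out")
    if [ -z "$have" ]; then echo "$princ: not in keytab" >&2; return 1; fi
    if [ -z "$want" ]; then echo "$princ: no kvno reported by KDC" >&2; return 1; fi
    if [ "$have" != "$want" ]; then
        echo "$princ: keytab kvno $have != KDC kvno $want (rebuild the keytab)" >&2; return 1
    fi
    return 0
}

WORK=$(mktemp -d)
# Constructed fixture: auth/account lines as in the article's system-auth.
cat > "$WORK/pam.good" <<'EOF'
auth required pam_env.so
auth sufficient pam_uxauth.so
auth sufficient pam_krb5.so minimum_uid=1000 forwardable
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account sufficient pam_uxauth.so
account sufficient pam_krb5.so minimum_uid=1000
account required pam_unix.so
EOF
# Constructed fixture: pam_krb5 placed before pam_uxauth and without minimum_uid.
cat > "$WORK/pam.bad" <<'EOF'
auth required pam_env.so
auth sufficient pam_krb5.so forwardable
auth sufficient pam_uxauth.so
auth required pam_deny.so
EOF
# Constructed fixture in `klist -kte` format for the keytab written in step 7.
cat > "$WORK/keytab.list" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 12/17/14 04:30:01 rh5664@MYDOM.CA.COM (arcfour-hmac)
   4 12/17/14 04:30:10 host/rh5664.mydom.ca.com@MYDOM.CA.COM (arcfour-hmac)
EOF
# Constructed `kvno` outputs: in sync, and after one more password reset in AD.
echo 'host/rh5664.mydom.ca.com@MYDOM.CA.COM: kvno = 4' > "$WORK/kvno.ok"
echo 'host/rh5664.mydom.ca.com@MYDOM.CA.COM: kvno = 5' > "$WORK/kvno.stale"
HOSTPRINC='host/rh5664.mydom.ca.com@MYDOM.CA.COM'

check_pam_stack "$WORK/pam.good" && echo "pam.good: OK"
check_pam_stack "$WORK/pam.bad" 2>/dev/null || echo "pam.bad: rejected"
check_keytab_kvno "$WORK/keytab.list" "$WORK/kvno.ok" "$HOSTPRINC" && echo "keytab in sync with KDC"
check_keytab_kvno "$WORK/keytab.list" "$WORK/kvno.stale" "$HOSTPRINC" 2>/dev/null || echo "keytab stale"
```

The kvno check is the one to run whenever logins that used to work start failing with TGT verification errors: if the host account password was reset or rotated in AD after the keytab was written, the keytab must be rebuilt with ktutil as in step 7.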

 

In case of problems, see Microsoft's Kerberos and LDAP troubleshooting tips:

http://technet.microsoft.com/en-us/library/bb463167.aspx