kerberos - kdc

I don't understand Kerberos. From a YouTube video, I configured Kerberos and got an error. I created a principal for the client from the KDC server.

But from the client side, for the root user, it shows:

[root@client ~]# kadmin
Authenticating as principal root/admin@CSE.LOCAL with password.
Password for root/admin@CSE.LOCAL:
kadmin: Communication failure with server while initializing kadmin interface
[root@client ~]# kinit
kinit: Client 'root@CSE.LOCAL' not found in Kerberos database while getting initial credentials

And for another user (client side) it shows:

[client@client ~]$ kadmin
Couldn't open log file /var/log/kadmind.log: Permission denied
Authenticating as principal client/admin@CSE.LOCAL with password.
kadmin: Client 'client/admin@CSE.LOCAL' not found in Kerberos database while initializing kadmin interface
[client@client ~]$ kinit
kinit: Client 'client@CSE.LOCAL' not found in Kerberos database while getting initial credentials

Here is my principal list:

kadmin.local: listprincs
K/M@CSE.LOCAL
host@CSE.LOCAL
host@client.cse.local
host@server.cse.local
kadmin/admin@CSE.LOCAL
kadmin/changepw@CSE.LOCAL
kadmin/server.cse.local@CSE.LOCAL
kiprop/server.cse.local@CSE.LOCAL
krbtgt/CSE.LOCAL@CSE.LOCAL
root/admin@CSE.LOCAL
root@client.cse.local
root@clint.cse.local
server/admin@CSE.LOCAL
server@CSE.LOCAL
server@server.cse.local

Configuration file of the KDC server (/etc/krb5.conf):

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = CSE.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
CSE.LOCAL = {
kdc = server.cse.local
admin_server = server.cse.local
}

[domain_realm]
.cse.local = CSE.LOCAL
cse.local = CSE.LOCAL

/var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
CSE.LOCAL = {
master_key_type = aes256-cts
default_principal_flags = +preauth
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}

Client-side /etc/krb5.conf configuration:

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = CSE.LOCAL
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
CSE.LOCAL = {
kdc = server.cse.local
admin_server = server.cse.local
}

[domain_realm]
.cse.local = CSE.LOCAL
cse.local = CSE.LOCAL

NTP is working perfectly.
I also added the Kerberos server and TCP & UDP port 88 on both sides. DNS is also working correctly. What can I do now?
And also, please kindly describe to me how these things/commands work.
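The error messages above show which principal each tool looked up: `kinit` run with no arguments asks the KDC for `<local username>@<default_realm>`, and `kadmin` asks for `<local username>/admin@<default_realm>`, and both compare the name exactly, case-sensitively, against the KDC database. The following Python script is an added example, not part of the original post; it takes a krb5.conf-style text and the `listprincs` output (both constructed here from the values in the post) and reports, for a local username, whether those two default principals exist and which listed principals merely look similar (same primary name, but a different realm or instance). The helper names are the example's own.

```python
"""Report which principals kinit/kadmin will ask for and whether the KDC has them.

Added example (not from the original post). Inputs are constructed from the
values shown in the post above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed: the relevant parts of the poster's client-side /etc/krb5.conf.
KRB5_CONF = """\
[libdefaults]
default_realm = CSE.LOCAL
dns_lookup_realm = false

[realms]
CSE.LOCAL = {
kdc = server.cse.local
admin_server = server.cse.local
}
"""

# Constructed: the poster's `kadmin.local: listprincs` output.
LISTPRINCS = """\
K/M@CSE.LOCAL
host@CSE.LOCAL
host@client.cse.local
host@server.cse.local
kadmin/admin@CSE.LOCAL
kadmin/changepw@CSE.LOCAL
kadmin/server.cse.local@CSE.LOCAL
kiprop/server.cse.local@CSE.LOCAL
krbtgt/CSE.LOCAL@CSE.LOCAL
root/admin@CSE.LOCAL
root@client.cse.local
root@clint.cse.local
server/admin@CSE.LOCAL
server@CSE.LOCAL
server@server.cse.local
"""


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    def __str__(self) -> str:
        name = self.primary if self.instance is None else f"{self.primary}/{self.instance}"
        return f"{name}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance]@REALM'. Matching is exact and case-sensitive,
    as it is in the KDC database (CSE.LOCAL and cse.local are different realms)."""
    name, sep, realm = text.strip().rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal name: {text!r}")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def default_realm(conf: str) -> str:
    """Read default_realm from [libdefaults] of a krb5.conf-style text."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", conf, re.MULTILINE)
    if not m:
        raise ValueError("no default_realm in [libdefaults]")
    return m.group(1)


def expected_principals(user: str, realm: str) -> Dict[str, Principal]:
    """Defaults MIT krb5 uses when no principal is given on the command line:
    kinit -> user@REALM, kadmin -> user/admin@REALM (as the post's output shows)."""
    return {"kinit": Principal(user, None, realm),
            "kadmin": Principal(user, "admin", realm)}


def explain_mismatch(want: Principal, have: Principal) -> str:
    """Say why a same-named principal is still not the one being looked up."""
    parts = []
    if have.realm != want.realm:
        parts.append(f"realm {have.realm!r} != {want.realm!r}")
    if have.instance != want.instance:
        parts.append(f"instance {have.instance!r} != {want.instance!r}")
    return "; ".join(parts)


def check_user(user: str, conf: str, listprincs: str) -> Dict[str, dict]:
    """For each tool: the principal it asks for, whether the KDC lists it,
    and near-misses (same primary name) with the reason they do not match."""
    realm = default_realm(conf)
    db = {parse_principal(line) for line in listprincs.splitlines() if "@" in line}
    report = {}
    for tool, want in expected_principals(user, realm).items():
        similar = {str(p): explain_mismatch(want, p)
                   for p in sorted(db, key=str)
                   if p.primary == want.primary and p != want}
        report[tool] = {"principal": str(want), "exists": want in db, "similar": similar}
    return report


if __name__ == "__main__":
    for user in ("root", "client"):
        for tool, r in check_user(user, KRB5_CONF, LISTPRINCS).items():
            status = "present" if r["exists"] else "MISSING"
            print(f"{user:>6} {tool:<6} needs {r['principal']}: {status}")
            for name, why in r["similar"].items():
                print(f"{'':>13} looks similar: {name} ({why})")
```

Run as-is it reproduces the two outcomes in the post: `root/admin@CSE.LOCAL` is present (so `kadmin` gets past the lookup) while `root@CSE.LOCAL`, `client@CSE.LOCAL` and `client/admin@CSE.LOCAL` are absent, and it points out that `root@client.cse.local` is a principal in a realm named `client.cse.local`, not a host-qualified principal in `CSE.LOCAL`.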