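# Kerberos KDC / client / NFS-keytab walkthrough (RHEL/CentOS-style hosts).
# These are the commands as typed on the KDC (server1), a client, and the
# NFS server (server2); lines under a `kadmin.local` call are entered at the
# `kadmin.local:` prompt, not as shell commands.
#
# Preconditions: KDC, clients and NFS servers must share the same timezone
# and stay within 5 minutes of clock drift, or Kerberos will fail.

# Installation (server / KDC)
yum install krb5-workstation krb5-server -y

# Basic setup: edit the config files
#   /etc/krb5.conf                  (realm, KDC and admin-server names)
#   /var/kerberos/krb5kdc/kdc.conf  (KDC database and realm settings)

# Create the Kerberos DB and the stash file. The stash file holds the master
# key (used by the KDC to encrypt the database) so the KDC services can start
# without prompting for the master password.
kdb5_util create -s

# Start services
systemctl enable kadmin krb5kdc
systemctl start kadmin krb5kdc

# Place firewall rule (long options take two dashes)
firewall-cmd --permanent --add-service=kerberos
firewall-cmd --reload

# Add principals -- entered at the `kadmin.local:` prompt
kadmin.local
addprinc user

# Installation (client)
yum install authconfig-gtk -y

# Setup: in authconfig-gtk select "LDAP" and "Kerberos password"
authconfig-gtk
# or use authconfig-tui and only select LDAP and Kerberos password there
# authconfig-tui

# Authenticate on the client: create the matching local account, then obtain
# and cache a ticket with kinit (either as that user, or by naming it)
adduser user
kinit user

# Run klist to see if you've been granted the ticket-granting ticket from the KDC
klist

# ---------------
# --- NFS Setup ---
# ---------------
# Entered at the `kadmin.local:` prompt on the KDC. -randkey assigns a random
# key, so these service principals never get a human-chosen password.
addprinc -randkey host/server2.turnips.com
addprinc -randkey host/server1.turnips.com
addprinc -randkey nfs/server1.turnips.com
addprinc -randkey nfs/server2.turnips.com
addprinc -randkey nfs/server2
addprinc -randkey nfs/server1

# Create the local keytab file for the NFS server on this host. Each ktadd
# must name a principal created above (ktadd fails on a principal that does
# not exist), so the realm/domain part must match the addprinc lines.
ktadd host/server1.turnips.com
ktadd nfs/server1.turnips.com
ktadd nfs/server1

# Write server2's principals to an external keytab file
ktadd -k /root/server2.keytab nfs/server2.turnips.com
ktadd -k /root/server2.keytab nfs/server2
ktadd -k /root/server2.keytab host/server2.turnips.com
exit

# Transfer the keytab file from server1 to server2. The keytab holds server2's
# long-term keys: move it only over an encrypted channel and remove the copy
# under /root once it is in place on server2.
scp /root/server2.keytab server2:/etc/krb5.keytab

# On server2 as root: restore the SELinux label and enforce root ownership
# and 600 permissions on the keytab file
restorecon -v /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 600 /etc/krb5.keytab

# Verify the keytab works by obtaining a ticket with it
kinit -k -t /etc/krb5.keytab nfs/server2

# Run klist to see if you've been granted the ticket-granting ticket from the KDC
klist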