In this configuration guide, you will learn how to configure Kerberos client authentication on Linux or other Red Hat based Linux operating systems.

Problem Statement:

This Red Hat Certified Engineer (RHCE) exam objective requires you to know how to configure a Linux system to authenticate using Kerberos. The objective does not require you to know how to configure a Kerberos server. However, for the sake of practice, you can configure your own Kerberos server using FreeIPA (please read our previous post, Configure Identity Management with FreeIPA Server).

We have already written an article about authenticating a Red Hat Enterprise Linux (RHEL) 7 machine with a Kerberos (or more specifically FreeIPA) server by using the ipa-client package (Configure a Linux Machine as FreeIPA Client). Now we will see how to authenticate a Red Hat Enterprise Linux (RHEL) 7 machine with a Kerberos server without using ipa-client.

System Specification:

We have a RHEL 7.6 client and a FreeIPA server with the following specifications.

FreeIPA Server

  • Hostname –
  • IP Address –

Kerberos Client

  • Hostname –
  • IP Address –

Configure Kerberos Server:

Although Kerberos server-side configuration is not required by the RHCE objectives, you are practicing in your own test environment, so it is good to know the server-side configuration for adding a Kerberos client.

Add the machine to the Kerberos server.

Connect to and execute following commands.

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa host-add --ip-address
Added host ""
  Host name:
  Principal name: host/
  Password: False
  Keytab: False
  Managed by:

# ipa dnsrecord-add client2 --ttl=3600 --a-ip-address=
  Record name: client2
  Time to live: 3600
  A record:

Generate the Kerberos keytab for

# ipa-getkeytab -s -p host/ -k /var/ftp/pub/client2.keytab
Keytab successfully retrieved and stored in: /var/ftp/pub/client2.keytab
# chmod 644 /var/ftp/pub/client2.keytab

Kerberos Client Authentication:

Connect to and configure Kerberos authentication.

Configure DNS resolution.

# nmcli connection modify eno16777728 ipv4.dns
# nmcli connection down eno16777728 ; nmcli connection up eno16777728
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)

Install the required packages using the yum command.

# yum install -y krb5-workstation sssd pam_krb5

I have already installed the required packages. Therefore, yum performs no action on my machine.

Download keytab file from

# wget ftp://ipaserver/pub/client2.keytab -O /etc/krb5.keytab
   --2018-07-29 02:20:07--  ftp://ipaserver/pub/client2.keytab
           => ‘/etc/krb5.keytab’
Resolving ipaserver (ipaserver)...
Connecting to ipaserver (ipaserver)||:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub ... done.
==> SIZE client2.keytab ... 492
==> PASV ... done.    ==> RETR client2.keytab ... done.
Length: 492 (unauthoritative)

100%[======================================>] 492         --.-K/s   in 0s

2018-07-29 02:20:07 (53.8 MB/s) - ‘/etc/krb5.keytab’ saved [492]

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/
   1 host/
   1 host/
   1 host/
   1 host/
   1 host/

Our keytab is now in place. Let’s configure Kerberos authentication now.

# authconfig --update --enablekrb5 --krb5realm=EXAMPLE.COM

We have successfully configured our Red Hat Enterprise Linux (RHEL) 7 machine to authenticate with the Kerberos server.


In this configuration guide, you have learned how to configure Kerberos client authentication on Linux or other Red Hat based Linux operating systems.