- $ sudo apt-get install krb5-{admin-server,kdc} -y
- 127.0.0.1 localhost
- 192.168.1.2 client.domain.tld client
- 192.168.1.3 kdc.domain.tld kdc
- domain domain.tld
- search domain.tld
- nameserver 192.168.1.1
- nameserver 8.8.8.8
- nameserver 8.8.4.4
- [libdefaults]
- default_realm = DOMAIN.TLD
- # The following krb5.conf variables are only for MIT Kerberos.
- kdc_timesync = 1
- ccache_type = 4
- forwardable = true
- proxiable = true
- # The following libdefaults parameters are only for Heimdal Kerberos.
- fcc-mit-ticketflags = true
- [realms]
- DOMAIN.TLD = {
- kdc = kdc.domain.tld
- admin_server = kdc.domain.tld
- default_domain = domain.tld
- }
- [domain_realm]
- .domain.tld = DOMAIN.TLD
- domain.tld = DOMAIN.TLD
- [logging]
- default = FILE:/var/log/kerberos/krb5-libs.log
- kdc = FILE:/var/log/kerberos/krb5-kdc.log
- admin_server = FILE:/var/log/kerberos/krb5-admin.log
- K/M@DOMAIN.TLD
- userid/admin@DOMAIN.TLD
- userid@TLD.TLD
- host/kdc.domain.tld@DOMAIN.TLD
- kadmin/admin@DOMAIN.TLD
- kadmin/changepw@DOMAIN.TLD
- kadmin/kdc.domain.tld@DOMAIN.TLD
- kiprop/kdc.domain.tld@DOMAIN.TLD
- krbtgt/DOMAIN.TLD@DOMAIN.TLD
- $ iptables -S (on the KDC server, where I've disabled ufw):
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -N ufw-after-forward
- -N ufw-after-input
- -N ufw-after-logging-forward
- -N ufw-after-logging-input
- -N ufw-after-logging-output
- -N ufw-after-output
- -N ufw-before-forward
- -N ufw-before-input
- -N ufw-before-logging-forward
- -N ufw-before-logging-input
- -N ufw-before-logging-output
- -N ufw-before-output
- -N ufw-reject-forward
- -N ufw-reject-input
- -N ufw-reject-output
- -N ufw-track-forward
- -N ufw-track-input
- -N ufw-track-output
- $ netstat -antup | grep krb (output on the KDC server):
- tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 528/krb5kdc
- tcp6 0 0 :::88 :::* LISTEN 528/krb5kdc
- udp 0 0 0.0.0.0:750 0.0.0.0:* 528/krb5kdc
- udp 0 0 0.0.0.0:88 0.0.0.0:* 528/krb5kdc
- udp6 0 0 :::750 :::* 528/krb5kdc
- udp6 0 0 :::88 :::* 528/krb5kdc
- $ KRB5_TRACE=/dev/stdout kinit -V
- Using default cache: /tmp/krb5cc_1000
- Using principal: userid@DOMAIN.TLD
- Getting initial credentials for userid@DOMAIN.TLD
- Sending request (181 bytes) to DOMAIN.TLD
- Resolving hostname kdc.domain.tld
- Sending initial UDP request to dgram 192.168.1.3:88
- Received answer (274 bytes) from dgram 192.168.1.3:88
- Response was not from master KDC
- Received error from KDC: -1765328359/Additional pre-authentication required
- Processing preauth types: 136, 19, 2, 133
- Selected etype info: etype aes256-cts, salt "DOMAIN.TLDuserid", params ""
- Received cookie: MIT
- Password for userid@DOMAIN.TLD:
- AS key obtained for encrypted timestamp: aes256-cts/000C
- ...etc
- $ klist -f
- Ticket cache: FILE:/tmp/krb5cc_1000
- Default principal: userid@DOMAIN.TLD
- Valid starting Expires Service principal
- mm/dd/yyyy hh:mm:ss mm/dd/yyyy hh:mm:ss krbtgt/DOMAIN.TLD@DOMAIN.TLD
- renew until mm/dd/yyyy hh:mm:ss, Flags: FPRIA
- 127.0.0.1 localhost
- 192.168.1.2 client.domain.tld client
- 192.168.1.3 kdc.domain.tld kdc
- domain domain.tld
- search domain.tld
- nameserver 192.168.1.1
- nameserver 8.8.8.8
- nameserver 8.8.4.4
- $ ping -c1 kdc.domain.tld (from the client Linux system):
- PING kdc.domain.tld (192.168.1.3) 56(84) bytes of data.
- 64 bytes from kdc.domain.tld (192.168.1.3): icmp_seq=1 ttl=64 time=0.231 ms
- --- kdc.domain.tld ping statistics ---
- 1 packets transmitted, 1 received, 0% packet loss, time 0ms
- rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms
- $ iptables -S (on the KDC server, where I've disabled ufw):
- -P INPUT ACCEPT
- -P FORWARD ACCEPT
- -P OUTPUT ACCEPT
- -N ufw-after-forward
- -N ufw-after-input
- -N ufw-after-logging-forward
- -N ufw-after-logging-input
- -N ufw-after-logging-output
- -N ufw-after-output
- -N ufw-before-forward
- -N ufw-before-input
- -N ufw-before-logging-forward
- -N ufw-before-logging-input
- -N ufw-before-logging-output
- -N ufw-before-output
- -N ufw-reject-forward
- -N ufw-reject-input
- -N ufw-reject-output
- -N ufw-track-forward
- -N ufw-track-input
- -N ufw-track-output
- $ KRB5_TRACE=/dev/stdout kinit -V
- Using default cache: /tmp/krb5cc_1000
- Using principal: userid@DOMAIN.TLD
- Getting initial credentials for userid@DOMAIN.TLD
- Sending request (175 bytes) to DOMAIN.TLD
- Resolving hostname kdc.domain.tld
- Sending initial UDP request to dgram 192.168.1.3:88
- Resolving hostname kdc.domain.tld
- Sending initial UDP request to dgram 192.168.1.3:750
- Initiating TCP connection to stream 192.168.1.3:88
- Terminating TCP connection to stream 192.168.1.3:88
- kinit: Cannot contact any KDC for realm 'DOMAIN.TLD' while getting initial credentials
- $ nmap -v -A --version-all -p88 kdc.domain.tld
- ...
- Nmap scan report for kdc.domain.tld (192.168.1.3)
- Host is up (0.00043s latency).
- PORT STATE SERVICE VERSION
- 88/tcp closed kerberos-sec
- ...