The FreeIPA Master Class - Part 4

Published Feb. 10, 2025, 5:11 a.m. by dwest

Kerberos Authentication Deep Dive

In the previous parts of this series we covered:

  • What directory servers are and how FreeIPA works
  • Installing FreeIPA masters and replicas
  • Joining systems to the domain
  • Managing users, groups, and access policies

At this point, users can authenticate across your infrastructure. But what actually makes this possible behind the scenes?

The answer is Kerberos.

Kerberos is the authentication system that powers FreeIPA’s single sign-on capabilities. Understanding how it works will make troubleshooting authentication problems dramatically easier.

This article explains how Kerberos works, what tickets are, and how FreeIPA uses them to authenticate users and services securely.

What is Kerberos?


Kerberos is a network authentication protocol designed to verify identities over an untrusted network. Instead of sending a password across the network every time a user accesses a service, Kerberos uses encrypted tickets issued by a trusted third party, the Key Distribution Center (KDC). A ticket is encrypted with a long-term key known only to the KDC and to the service the ticket is for, so it cannot be forged or altered by anyone watching the wire, and it proves that the holder has already authenticated.

The major advantages of Kerberos include:

  • Passwords are not repeatedly transmitted across the network
  • Mutual authentication between users and services
  • Single sign-on (SSO)
  • Strong cryptographic security

Kerberos was originally developed at MIT and has become the standard authentication protocol for enterprise identity systems.

It is used by:

  • FreeIPA
  • Microsoft Active Directory
  • Hadoop ecosystems
  • Many enterprise Linux platforms

    Note:
    FreeIPA uses MIT Kerberos. Do not confuse it with Heimdal, a separate implementation of the same protocol that originated at KTH in Sweden and is the default on several BSD systems and on macOS. The two interoperate on the wire (both implement RFC 4120), so a Heimdal client can authenticate against a FreeIPA KDC, but their libraries, administration tools and database formats are not interchangeable.

Key Kerberos Components


A Kerberos environment consists of several key components.

Component        Description
Principal        An identity in Kerberos: a user (jsmith@EXAMPLE.COM), a host, or a service (HTTP/web.example.com@EXAMPLE.COM)
Realm            The administrative domain covered by one KDC database, written in upper case (EXAMPLE.COM)
KDC              Key Distribution Center: the trusted server that holds every principal's key, verifies credentials and issues tickets
Ticket           Encrypted proof, issued by the KDC, that the holder has authenticated
TGT              Ticket Granting Ticket: obtained with the password, then used to request service tickets without the password (single sign-on)
Service Ticket   Ticket for one specific service principal, encrypted with that service's key

In FreeIPA, the KDC is the krb5kdc service that runs on every IPA server and replica. It stores principals and their keys in the 389 Directory Server LDAP tree rather than in a separate Kerberos database, which is how the directory and Kerberos stay in sync.

The Kerberos Authentication Flow


Kerberos authentication occurs in several stages.

The process looks complex, but it allows a user to authenticate once and then access multiple services without re-entering a password.

  1. User Requests Authentication (AS-REQ)

    • The user logs into a system and enters their username and password.
    • The client sends an authentication request for the user's principal to the Kerberos Key Distribution Center (KDC). FreeIPA requires pre-authentication, so the request carries a timestamp encrypted with a key derived from the password; a wrong password produces a request the KDC cannot decrypt, and no ticket is issued.
      User → KDC
      Request: Authentication Ticket
      
  2. KDC Issues a Ticket Granting Ticket (AS-REP)

    • If the credentials are valid, the KDC returns a Ticket Granting Ticket (TGT).
    • This ticket proves the user has authenticated successfully.
    • The TGT is encrypted with the KDC's own key (the krbtgt/REALM@REALM principal), so only the KDC can read it. Alongside it the client receives a session key, encrypted with the user's password-derived key; from this point on the password is no longer needed.
      KDC → User
      Return: TGT + session key
      
  3. User Requests Access to a Service (TGS-REQ)

    • When the user tries to access a service (SSH, HTTP, CIFS, etc.), the client presents the TGT to the KDC together with the name of the service principal it wants, for example host/server.example.com.
      User → KDC
      Request: Service Ticket
      
  4. KDC Issues a Service Ticket (TGS-REP)

    • The KDC decrypts and verifies the TGT, then issues a service ticket encrypted with the target service's long-term key, plus a new session key for the client and the service to share.
      KDC → User
      Return: Service Ticket
      
  5. Access the Service (AP-REQ)

    • The client presents the service ticket to the target system.
      User → Service
      Provide: Service Ticket
      
    • The service decrypts the ticket with its own key (read from its keytab) and checks the validity window. If that succeeds, the client's identity is proven; the service never contacts the KDC and never sees the user's password. If the client asked for mutual authentication, the service answers with proof that it holds the same session key, so the user also knows they are talking to the right server.

Single Sign-On in Action


The important detail is that the user only enters their password once. After that, the TGT allows access to multiple services without re-authentication until it expires (FreeIPA's default policy issues tickets valid for 24 hours, renewable for up to 7 days).

Example workflow:

User logs into workstation
↓
SSH to server
↓
Access web application
↓
Mount file share

All of these actions can occur without re-entering a password.
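The following script walks the two exchanges described above on a joined FreeIPA client and shows the credential cache filling with service tickets as each service is contacted. It is an added example, not code from the article: it assumes MIT Kerberos client tools (kinit, klist, kvno) as installed by ipa-client-install, and the principal and host names (jsmith@EXAMPLE.COM, server.example.com, web.example.com) are placeholders. Without the --live flag it runs its parser over a constructed klist listing so it can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the article: walk the AS and TGS exchanges on a
# FreeIPA client and watch the credential cache fill with service tickets.
# Assumes MIT Kerberos client tools (kinit, klist, kvno) as installed by
# ipa-client-install; the principal and host names are placeholders.
set -eu

USER_PRINCIPAL="${USER_PRINCIPAL:-jsmith@EXAMPLE.COM}"   # assumed
TARGET_HOST="${TARGET_HOST:-server.example.com}"         # assumed
WEB_HOST="${WEB_HOST:-web.example.com}"                  # assumed

# klist output constructed for this example: a TGT plus two service tickets,
# in both the 2-digit and 4-digit year forms different klist versions print.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jsmith@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/24 09:20:31    05/01/24 19:20:31    krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/01/24 09:21:02    05/01/24 19:20:31    host/server.example.com@EXAMPLE.COM
        renew until 05/08/24 09:20:31
05/01/2024 09:22:10  05/01/2024 19:20:31  HTTP/web.example.com@EXAMPLE.COM'

# Print the service principal of every ticket in klist output read on stdin.
# Ticket lines start with a date (mm/dd/yy or mm/dd/yyyy); the cache name,
# default principal, column header and "renew until" lines do not.
cache_services() {
    awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]([0-9][0-9])?$/ && NF >= 5 { print $5 }'
}

# Number of tickets in the cache other than the TGT (krbtgt/REALM@REALM).
# Right after kinit this is 0; every service the user touches adds one.
count_service_tickets() {
    cache_services | grep -vc '^krbtgt/' || true
}

# Live walkthrough (run with --live on a joined client).
main() {
    echo "== steps 1-2: AS exchange, password checked once, TGT cached"
    kinit "$USER_PRINCIPAL"
    echo "service tickets after kinit: $(LC_ALL=C klist | count_service_tickets)"

    echo "== steps 3-4: TGS exchange, no password prompt"
    # kvno asks the KDC for a ticket to each service and stores it in the
    # cache, exactly what ssh or curl --negotiate would do. KRB5_TRACE makes
    # the MIT client library log the TGS-REQ/TGS-REP messages to stderr.
    KRB5_TRACE=/dev/stderr kvno "host/$TARGET_HOST" "HTTP/$WEB_HOST"

    echo "== cache contents"
    LC_ALL=C klist | cache_services
    echo "service tickets now: $(LC_ALL=C klist | count_service_tickets)"
}

if [ "${1:-}" = "--live" ]; then
    main
else
    # Offline demonstration on the constructed sample above.
    printf '%s\n' "$SAMPLE_KLIST" | cache_services
    echo "service tickets in sample: $(printf '%s\n' "$SAMPLE_KLIST" | count_service_tickets)"
fi
```

Run it with --live as a normal user on a client; the KRB5_TRACE output shows that only the TGS-REQ/TGS-REP pair is exchanged for each new service, and that nothing at all goes to the KDC once the ticket is in the cache.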

Viewing Kerberos Tickets


The klist command shows the tickets currently held by the user.

klist

Example output:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jsmith@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/24 09:20:31    05/01/24 19:20:31    krbtgt/EXAMPLE.COM@EXAMPLE.COM

The krbtgt/REALM@REALM entry is the Ticket Granting Ticket (TGT); service tickets appear below it as they are acquired. The cache location depends on default_ccache_name in /etc/krb5.conf: older clients keep a file under /tmp, while current FreeIPA clients normally use the kernel keyring (KEYRING:persistent:<uid>) or the KCM daemon, neither of which other users on the machine can read.

Requesting a Kerberos Ticket


You can manually request a ticket using:

kinit username

Example:

kinit jsmith

You will be prompted for your password.

Verify the ticket:

klist

Destroying Tickets


To remove all tickets from the credential cache:

kdestroy

This forces the user to re-authenticate with kinit (or a fresh login) before any Kerberos-protected service will accept them. Run it before leaving a shared workstation: whoever can read the cache can use the tickets in it until they expire.

Service Principals


Kerberos also authenticates services. Every service that accepts Kerberos logins has its own principal, named <service>/<fqdn>@REALM, and its own long-term key.

Examples of service principals include:

host/server.example.com
HTTP/web.example.com
cifs/fileserver.example.com

These principals allow services to participate in Kerberos authentication: the KDC encrypts a service ticket with that principal's key, and only the real service can decrypt it.

FreeIPA creates the host/<fqdn> principal when a host joins the domain, and ipa-client-install writes its keytab to /etc/krb5.keytab. Other service principals (HTTP, cifs, nfs and so on) are added explicitly with ipa service-add, after which their keytabs are fetched with ipa-getkeytab.

Example service listing:

ipa service-find

Keytabs


Services authenticate using keytabs instead of passwords. A keytab is a file holding the long-term secret keys of one or more principals, one entry per key version and encryption type. The keys are not encrypted inside the file, so a keytab is exactly as sensitive as a password would be: it must be owned by the account that runs the service and readable by nobody else (/etc/krb5.keytab is root-only, mode 0600), and anyone who copies it can impersonate that service.

Example location:

/etc/krb5.keytab

To view the contents:

klist -k

Example output:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM

KVNO is the key version number. It increases every time the key is re-generated (for example by fetching a new keytab with ipa-getkeytab), and the KDC issues tickets under the current version only, so a stale keytab left on a host fails even though the file looks fine.

Keytabs allow services like SSH, HTTP, and Samba to decrypt the service tickets clients present to them, and to obtain tickets of their own when they need to act as a Kerberos client, without any password stored in a configuration file.
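The checks below are the ones worth running on a client keytab: file permissions, which principals and key versions it holds, and (live, against the KDC) whether the newest key version in the file is the one the KDC currently issues tickets for. This is an added example, not code from the article or from FreeIPA; it assumes MIT Kerberos tools (klist, kvno, kinit) and a stat that accepts -c '%a', and the keytab path, principal names and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: sanity checks for a client keytab.
# Assumes MIT Kerberos tools (klist, kvno, kinit) and GNU/busybox stat;
# the keytab path and the principal names are placeholders.
set -eu

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"   # assumed location

# `klist -k` output constructed for this example. The host key was
# re-generated once (ipa-getkeytab without -r bumps the version), so entries
# for KVNO 3 and 4 are both present; each version appears once per enctype.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.example.com@EXAMPLE.COM
   3 host/server.example.com@EXAMPLE.COM
   4 host/server.example.com@EXAMPLE.COM
   4 host/server.example.com@EXAMPLE.COM
   2 nfs/server.example.com@EXAMPLE.COM'

# Keys in a keytab are stored in the clear, so the file must not be readable
# by group or others. Returns 0 when the mode has no group/other bits set
# (stat prints e.g. 600 or 1600; both end in 00).
keytab_mode_ok() {
    case $(stat -c '%a' "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# "KVNO principal" pairs from `klist -k` output on stdin, header lines skipped.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# Distinct principals stored in the keytab.
keytab_principals() {
    keytab_entries | awk '!seen[$2]++ { print $2 }'
}

# Highest key version stored for one principal (0 if absent).
keytab_kvno() {   # $1 = principal; `klist -k` output on stdin
    keytab_entries | awk -v p="$1" '$2 == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# Version the KDC currently uses, parsed from `kvno PRINCIPAL`, whose output
# looks like "host/server.example.com@EXAMPLE.COM: kvno = 4".
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# Live check: a keytab whose newest key is older than the KDC's current
# version makes every client fail with "Key version number for principal in
# key table is incorrect"; the fix is a fresh keytab, not re-joining the host.
check_keytab() {
    princ=$(klist -k "$KEYTAB" | keytab_principals | grep '^host/' | head -n1 || true)
    [ -n "$princ" ] || { echo "no host/ principal in $KEYTAB"; return 1; }
    keytab_mode_ok "$KEYTAB" || echo "WARN: $KEYTAB is readable by group/other"
    # Prove the key works by authenticating as the host into a throwaway cache,
    # then ask the KDC which key version it used for the resulting ticket.
    cc=$(mktemp)
    KRB5CCNAME="FILE:$cc" kinit -kt "$KEYTAB" "$princ"
    have=$(klist -k "$KEYTAB" | keytab_kvno "$princ")
    want=$(KRB5CCNAME="FILE:$cc" kvno "$princ" | kdc_kvno)
    rm -f "$cc"
    if [ "$have" = "$want" ]; then
        echo "$princ: keytab kvno $have matches KDC"
    else
        echo "$princ: keytab has kvno $have but KDC uses $want, fetch a new keytab"
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_keytab
else
    # Offline demonstration on the constructed listing above.
    printf '%s\n' "$SAMPLE_KEYTAB" | keytab_principals
    echo "host kvno in sample keytab: $(printf '%s\n' "$SAMPLE_KEYTAB" | keytab_kvno 'host/server.example.com@EXAMPLE.COM')"
fi
```

Run it as root with --live on a client; it needs read access to /etc/krb5.keytab and network access to the KDC, and it leaves the user's own ticket cache untouched.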

Common Kerberos Problems


Kerberos authentication failures usually fall into a few categories.

  • Clock Drift. Tickets and authenticators carry timestamps, and the KDC and every service reject anything further than the configured clockskew (300 seconds by default) from their own clock. A client that is off by a few minutes fails with "Clock skew too great".

    • Check time and synchronisation status
      timedatectl status
      
    • Ensure chronyd (or another NTP client) is running and synchronised to the same time source as the IPA servers.
  • DNS Issues. Clients locate the KDC through SRV records (_kerberos._udp.<domain>) and request service tickets for the canonical name of the host they connect to, so forward and reverse records must exist and agree.

    • Verify forward and reverse lookups:
      dig server.example.com
      dig -x 192.168.1.10
      
    • If the name the client resolves differs from the principal in the service's keytab, the KDC answers "Server not found in Kerberos database" and authentication fails.
  • Expired Tickets. Tickets stop working at the end of their lifetime; the user sees "Ticket expired" from the service.

    • Check ticket expiration:
      klist
      
    • If needed (a still-renewable ticket can also be renewed with kinit -R without a password):
      kinit username
      
  • Incorrect Service Principals. Services must have correct principals registered in FreeIPA, and the key in the service's keytab must match the key version the KDC holds; a re-generated key leaves the old keytab failing with "Key version number for principal in key table is incorrect".

    • Verify the service principal (example)
      ipa service-find HTTP
      
      

Debugging Kerberos Authentication


Several tools help diagnose authentication issues. Work from the client outward: tickets and clock first, then the client's SSSD logs, then the KDC log on the server that answered the request.

Check Kerberos tickets

klist

Request new ticket

kinit username

View system authentication logs (SSSD handles logins on IPA clients; detailed per-domain logs are written under /var/log/sssd/ once debug_level is raised in sssd.conf)

journalctl -u sssd

Check FreeIPA server logs (every AS and TGS request, and the reason a request was refused, is logged here on the IPA server that handled it)

/var/log/krb5kdc.log

For a client-side view of the exchanges themselves, set the KRB5_TRACE environment variable to /dev/stderr or a file before running kinit or any Kerberos-enabled command; the MIT libraries then print each request and reply they send and receive.
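The script below turns the checklist of the last two sections into a client-side health check that tests the three usual suspects in order (clock, DNS, ticket cache) before anyone opens the KDC log. It is an added example, not code from the article or from FreeIPA; it assumes a FreeIPA client with chronyd, dig, GNU date and MIT Kerberos tools, takes the DNS domain from the host's own FQDN, and uses MIT's default clockskew of 300 seconds. Without --live it exercises its parsers on constructed chronyc and klist output.

```shell
#!/bin/sh
# Added example, not from the article: client-side Kerberos health check.
# Assumes chronyd, dig, GNU date and MIT Kerberos tools; the sample outputs
# below are constructed, and the DNS domain is assumed to be the host's own.
set -eu

CLOCKSKEW=300    # MIT krb5 default `clockskew`, in seconds

# Constructed `chronyc tracking` output for the offline run.
SAMPLE_TRACKING='Reference ID    : C0A80101 (ntp.example.com)
Stratum         : 3
Ref time (UTC)  : Wed May 01 09:20:31 2024
System time     : 0.000431 seconds fast of NTP time
Last offset     : +0.000212 seconds
RMS offset      : 0.000398 seconds'

# Constructed klist output with a TGT that expires far in the future.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: jsmith@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/99 00:00:00  01/01/99 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Offset of the local clock from NTP in seconds, parsed from `chronyc tracking`
# on stdin; positive means the clock runs fast, negative means slow.
chrony_offset() {
    awk '/^System time/ { sub(/^[^:]*: */, ""); split($0, w, " ")
                          print (w[3] == "slow" ? -(w[1] + 0) : w[1] + 0) }'
}

# 0 if |offset| is inside the KDC's tolerance, 1 otherwise.
skew_ok() {   # $1 = offset in seconds (may be fractional or negative)
    awk -v o="$1" -v max="$CLOCKSKEW" 'BEGIN { exit !(o + 0 < max && o + 0 > -max) }'
}

# Seconds until the TGT expires, from klist output on stdin (negative once it
# has expired; exit 1 if there is no TGT line). Accepts the mm/dd/yy and
# mm/dd/yyyy forms; run klist under LC_ALL=C so the format is predictable.
tgt_expires_in() {
    expires=$(awk '$5 ~ /^krbtgt\// { print $3, $4; exit }')
    [ -n "$expires" ] || return 1
    d=${expires%% *}; t=${expires#* }
    m=${d%%/*}; r=${d#*/}; day=${r%%/*}; y=${r#*/}
    if [ ${#y} -eq 2 ]; then y="20$y"; fi
    echo $(( $(date -d "$y-$m-$day $t" +%s) - $(date +%s) ))
}

# Forward and reverse DNS must agree: the client requests a ticket for the
# canonical name of the host it talks to. Returns 1 on any mismatch. Live only.
dns_roundtrip() {   # $1 = fully-qualified host name
    ip=$(dig +short "$1" A | head -n1)
    [ -n "$ip" ] || { echo "dns: no A record for $1"; return 1; }
    ptr=$(dig +short -x "$ip" | sed 's/\.$//' | head -n1)
    [ "$ptr" = "$1" ] || { echo "dns: PTR for $ip is '${ptr:-<none>}', expected $1"; return 1; }
}

main() {
    off=$(chronyc tracking | chrony_offset)
    if skew_ok "$off"; then echo "clock: offset ${off}s, within ${CLOCKSKEW}s"
    else echo "clock: offset ${off}s exceeds ${CLOCKSKEW}s, fix NTP before anything else"; fi

    fqdn=$(hostname -f)
    dns_roundtrip "$fqdn" && echo "dns: $fqdn forward/reverse agree"
    echo "dns: KDC SRV records for ${fqdn#*.} (empty means KDC discovery will fail):"
    dig +short SRV "_kerberos._udp.${fqdn#*.}"

    # klist -s is silent and exits non-zero when the cache is missing or expired.
    if klist -s; then
        echo "ticket: TGT valid for $(LC_ALL=C klist | tgt_expires_in)s more"
    else
        echo "ticket: no valid TGT in cache (run kinit, or kinit -R if still renewable)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    main
else
    off=$(printf '%s\n' "$SAMPLE_TRACKING" | chrony_offset)
    skew_ok "$off" && echo "sample clock offset ${off}s: OK"
    echo "sample TGT expires in $(printf '%s\n' "$SAMPLE_KLIST" | tgt_expires_in)s"
fi
```

The ordering matters: a clock outside the skew window makes every later symptom (expired-looking tickets, "preauthentication failed") misleading, so the script reports it first and tells the reader to stop there.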

Why Kerberos Matters in FreeIPA


Kerberos is what makes FreeIPA a true single sign-on system.

Without it:

  • Every service would require a password
  • Authentication would be repeated constantly
  • Password exposure risk would increase

With Kerberos:

  • Authentication happens once
  • Secure tickets grant access to services
  • Passwords remain protected

What’s Next


In the next part of the FreeIPA Master Class, we’ll explore:

Host-Based Access Control (HBAC) and Sudo Policies

These features allow FreeIPA to centrally control:

  • Which users can log into which systems
  • Which users can run administrative commands
  • How access policies apply across your infrastructure

This is where FreeIPA starts to become a true enterprise access control system.
