homedownloadordersupportcontact
     
  In this sample configuration tutorial, we use 2 "clean" VMware virtual machines - one running CentOS 7 and another running Windows 7. The VMs are interconnected via a VMware NAT virtual network.
   
 
   
  Set up MIT Kerberos and Dante on CentOS 7
   
  Start the CentOS 7 VM.
   
   
  Install MIT Kerberos:

[root@localhost ~]# yum install krb5-server krb5-libs krb5-workstation

The version of MIT Kerberos in this sample is 1.15.1-37.
   
   
  Install Dante:

[root@localhost ~]# yum install http://mirror.ghettoforge.org/distributions/gf/gf-release-latest.gf.el7.noarch.rpm
[root@localhost ~]# yum --enablerepo=gf-plus install dante-server

The version of Dante in this sample is 1.4.1.
   
   
  Edit /etc/hosts, add the following entries (replace the IP addresses with your IP addresses):

192.168.241.146 vm-centos7
192.168.241.146 kerberos.vm-centos7
192.168.241.107 vm-win7.vm-centos
   
   
  Modify the default /etc/krb5.conf as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = VM-CENTOS7
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 VM-CENTOS7 = {
   kdc = kerberos.VM-CENTOS7
   admin_server = kerberos.VM-CENTOS7
 }

[domain_realm]
 .vm-centos7 = VM-CENTOS7
 vm-centos7 = VM-CENTOS7
   
   
  Modify the default /var/kerberos/krb5kdc/kadm5.acl as follows:

*/admin@VM-CENTOS7      *
   
   
  Modify the default /var/kerberos/krb5kdc/kdc.conf as follows:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 VM-CENTOS7 = {
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
   supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal \
     camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
   
   
  Create the database and set a password (you don't need to enter the password each time you start the KDC):

[root@localhost ~]# kdb5_util create -r VM-CENTOS7 -s
   
   
  Create an admin principal "root":

[root@localhost ~]# kadmin.local
kadmin.local: addprinc root/admin
kadmin.local: exit
   
   
  Start the Kerberos KDC and kadmin daemons and configure Linux to run them on system startup:

[root@localhost ~]# systemctl start krb5kdc.service
[root@localhost ~]# systemctl enable krb5kdc.service
[root@localhost ~]# systemctl start kadmin.service
[root@localhost ~]# systemctl enable kadmin.service
   
   
  Create a test Kerberos user "user1", the password must match the one of your test Windows user account on the Windows 7 VM;
create a host principle for Windows 7 VM "host/vm-win7.vm-centos7", remember the password - you will need it when setting up the Wndows Kerberos client;
create a service principle for Dante "rcmd/VM-CENTOS7";
extract a keytab file for Dante:

kadmin -p root/admin@VM-CENTOS7
kadmin: addprinc -e rc4-hmac:normal user1
kadmin: addprinc -e rc4-hmac:normal host/vm-win7.vm-centos7
kadmin: addprinc -e rc4-hmac:normal rcmd/VM-CENTOS7
kadmin: ktadd -k /etc/sockd.keytab -e rc4-hmac:normal rcmd/VM-CENTOS7
kadmin: exit
   
   
  Modify /etc/sockd.conf as follows (replace "eth0" with the name of the network interface on your system if needed):

internal: eth0 port = 1080
external: eth0
socksmethod: gssapi
logoutput: /var/log/sockd
debug: 1

client pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
}

socks pass {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       command: udpreply
       log: connect error
}

socks pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: connect udpassociate
        log: connect disconnect error
}

socks block {
       from: 0.0.0.0/0 to: 0.0.0.0/0
       log: connect error
}
   
   
  Finally, start the Dante server. Doing that using the "systemctl" command didn't work for us correctly for some reason. So let's start Dante manually (-D tells Dante to run as daemon):

[root@localhost ~]# /usr/sbin/sockd -D
   
   
  Set up the native Kerberos client and ProxyCap on Windows 7
   
   
  Start the Windows 7 VM.
   
   
  Edit %SystemRoot%\system32\drivers\etc\host, add the following entries (replace the IP addresses with your IP addresses):

192.168.241.146   vm-centos7
192.168.241.146   kerberos.vm-centos7
192.168.241.107   vm-win7.vm-centos7
   
   
  Open the Command Prompt as Administrator.
   
   
  Configure the Kerberos client (replace "Administrator" with the name of your test Windows user account if needed; replace "password" with the password of the Kerberos principal "host/vm-win7.vm-centos7"):

c:\Windows\System32>ksetup /setrealm VM-CENTOS7
c:\Windows\System32>ksetup /addkdc VM-CENTOS7 kerberos.vm-centos7
c:\Windows\System32>ksetup /SetComputerPassword password
c:\Windows\System32>ksetup /mapuser user1@VM-CENTOS7 Administrator
   
   
  Install ProxyCap.
   
   
  Restart the Windows 7 VM.
   
   
  Log into Windows as "VM-CENTOS7\user1".
   
   
  Open ProxyCap Configuration.
   
   
  Add a new proxy server:

Type: SOCKS5
Hostname: VM-CENTOS7
Port: 1080

Check the "Proxy requires authentication" and "Use GSSAPI authentication" checkboxes.

Note that the value of "Hostname" above is used by ProxyCap to format the Kerberos service principle (in this sample "rcmd/VM-CENTOS7"). So don't specify the IP address. Here the name also must be in uppercase letters else the Linux KDC won't recognize it.
   
   
  Finally create a "redirect" routing rule in ProxyCap, specify the proxy server defined in the previous step.
   
   
© 2019, Proxy Labs. All rights reserved.