Kerberos
From DcSharedWiki
How to install MIT Kerberos on Debian with slapd backend
References:
- http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end
Other how-to:
- http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
- https://help.ubuntu.com/10.10/serverguide/C/kerberos-ldap.html
Time synchronization between hosts
Kerberos clients and server must be synchronized. For that purpose I use ntp on the clients and server.
aptitude install ntp
- /etc/default/ntp: keep default configuration which allows one big adjustment
NTPD_OPTS='-g'
- /etc/ntp.conf: keep default configuration (listen on local)
Install slapd
Install ldap server
# slapd admin password will be asked DEBIAN_PRIORITY=medium aptitude install slapd
slapd logs
Syslog
# /etc/rsyslog.d/slapd.conf # minus before file => omit syncing the file after every loggin # & ~ => don't transmist log to next logger local4.* -/var/log/slapd.log & ~
rotation
# /etc/logrotate.d/slapd
/var/log/slapd.log
{
# 1 month
weekly
rotate 4
missingok
compress
delaycompress
notifempty
postrotate
/etc/init.d/slapd restart
endscript
}
Install MIT Kerberos master server
Some informations will be asked:
- REALM
- FQDN of Kerberos server (check dns configuration !)
- fqdn of administrative server for the kerberos realm
# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55 Default Kerberos version 5 realm: COINCOIN.EU Kerberos V4 compatibility mode to use: None Kerberos servers for your realm: kdc.coincoin.eu
Next create a new realm:
# krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU', master key name 'K/M@COINCOIN.EU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created. Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide.
Configuration: slapd
/etc/ldap/ldap.conf
First, check configuration !
BASE dc=coincoin,dc=eu URI ldap://ldap.coincoin.eu
schema
Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd
aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema
echo "include /etc/ldap/schema/kerberos.schema" > /tmp/schema_convert.conf
slaptest -f /tmp/schema_convert.conf -F /tmp/
# remove lines at the end of /tmp/cn=config/cn=schema/cn={0}kerberos.ldif, starting at "structuralObjectClass: olcSchemaConfig"
# change "dn: cn={0}kerberos" by "dn: cn=kerberos,cn=schema,cn=config"
# change "cn: {0}kerberos" by "cn: kerberos"
ldapadd -QY EXTERNAL -H ldapi:/// -f /tmp/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif
increase log level
# log all: change log level from 'none' to 'stats' cat ldap/log_level.ldif dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: stats ldapmodify -QY EXTERNAL -H ldapi:/// -f log_level.ldif
ACLs:
# add ACL for Kerberos:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
# Providing access to realm container
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
by * none
# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
by * none
access to *
by * read
access to *
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
# Comment all other default ACL
# add specific directives for database #1
suffix "dc=coincoin,dc=eu"
rootdn "cn=admin,dc=coincoin,dc=eu"
# add indexes
index objectClass eq # by default
index uid eq
index krbPrincipalName eq,pres,sub
Create indexes
/etc/init.d/slapd stop slapindex chown -R openldap:openldap /var/lib/ldap /etc/init.d/slapd start
Add ldap entries
/etc/init.d/slapd stop cat data.ldif dn: ou=Users,dc=coincoin,dc=eu ou: Users objectClass: organizationalUnit dn: ou=Groups,dc=coincoin,dc=eu ou: Groups objectClass: organizationalUnit dn: ou=Hosts,dc=coincoin,dc=eu ou: Hosts objectClass: organizationalUnit dn: ou=krb5,dc=coincoin,dc=eu ou: krb5 objectClass: organizationalUnit dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu cn: kdc-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos KDC server userPassword: 5Wdx~FgK|VFm>>2`K1UW dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu cn: adm-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos Administration server userPassword: grh~1JnFvN*}]742_Jvc slapadd -svl data.ldif /etc/init.d/slapd start
If the LDAP server and KDC service are running on the same machine:
# slapd listen only unix socket, in /etc/default/slapd: SLAPD_SERVICES="ldapi:///" /etc/init.d/slapd restart
You should disallow anonymous binding:
#Add at the beginning of /etc/ldap/slapd.conf disallow bind_anon /etc/init.d/slapd restart
Configure Kerberos
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
[...]
[realms]
COINCOIN.EU = {
kdc = kdc.coincoin.eu
admin_server = kdc.coincoin.eu
database_module = openldap_ldapconf
}
[domain_realm]
.coincoin.eu = COINCOIN.EU
coincoin.eu = COINCOIN.EU
[dbdefaults]
ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_conns_per_server = 5
}
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
# TODO logrotate
/etc/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 750,88
kdc_tcp_ports = 750,88
[realms]
COINCOIN.EU = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
default_principal_flags = +preauth
Set up the realms subtree and the realm itself
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu # slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu # slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
Add users to ldap server
This step is needed if users's account are not already in the ldap.
The following command fails:
/etc/init.d/slapd stop slapadd -svl users.ldif /etc/init.d/slapd stop
where users.ldif is:
dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu cn: lilou gidNumber: 1000 objectClass: top objectClass: posixGroup dn: uid=lilou,ou=Users,dc=coincoin,dc=eu uid: lilou uidNumber: 1000 gidNumber: 1000 cn: Lilou sn: Lilou objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash homeDirectory: /home/lilou
I use cpu command from the cpu package:
# extract of /etc/cpu/cpu.conf # USER_BASE = ou=Users,dc=coincoin,dc=eu # GROUP_BASE = ou=Groups,dc=coincoin,dc=eu # cpu -w useradd lilou
Kerberize user
# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin.local: addprinc lilou WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy Enter password for principal "lilou@COINCOIN.EU": Re-enter password for principal "lilou@COINCOIN.EU": Principal "lilou@COINCOIN.EU" created.
Restart services
/etc/init.d/slapd restart /etc/init.d/krb5-kadmin-server restart /etc/init.d/krb5-kdc restart
Check hostname configuration
user@kdc:~$ hostname kdc user@kdc:~$ hostname -f kdc.coincoin.eu # /etc/resolv.conf could contains "search coincoin.eu".
Tests
kdc:~# kinit lilou
Password for lilou@COINCOIN.EU:
kdc:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU
Valid starting Expires Service principal
02/20/11 03:07:54 02/20/11 13:07:54 krbtgt/COINCOIN.EU@COINCOIN.EU
renew until 02/21/11 03:07:51
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Clients configuration
Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
Check hostname configuration
root@client:~$ hostname client root@client:~$ hostname -f client.coincoin.eu
Packages
aptitude install krb5-user libpam-krb5
Install libpam-krb5 package only if you want SSO.
After installing libpam-krb5, you can use pam-auth-update command in order to handle PAM & kerberos configuration.
/etc/krb5.conf
[libdefaults]
default_realm = COINCOIN.EU
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
COINCOIN.EU = {
kdc = kdc.coincoin.eu
admin_server = kdc.coincoin.eu
}
[domain_realm]
.coincoin.eu = COINCOIN.EU
coincoin.eu = COINCOIN.EU
[login]
krb4_convert = false
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log
Tests
Kerberos
toto@client:~# kinit lilou
Password for lilou@COINCOIN.EU:
toto@client:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU
Valid starting Expires Service principal
02/20/11 02:17:09 02/20/11 12:17:09 krbtgt/COINCOIN.EU@COINCOIN.EU
renew until 02/21/11 02:17:05
PAM
In order to test PAM configuration, disconnect and reconnect, next use klist command.
Some errors
kinit: Generic error (see e-text) while getting initial credentials
Cause: slapd service is not started.
