How to install MIT Kerberos on Debian with slapd backend

References:

Other how-to:

Time synchronization between hosts

Kerberos clients and server must be synchronized. For that purpose I use ntp on the clients and server.

aptitude install ntp

NTPD_OPTS='-g'

Install slapd

Install ldap server

# slapd admin password will be asked
DEBIAN_PRIORITY=medium aptitude install slapd

slapd logs

Syslog

# /etc/rsyslog.d/slapd.conf
# minus before file => omit syncing the file after every loggin
# & ~               => don't transmist log to next logger
local4.* -/var/log/slapd.log
& ~

rotation

# /etc/logrotate.d/slapd
/var/log/slapd.log 
{
    # 1 month
    weekly
    rotate 4
    missingok
    compress
    delaycompress
    notifempty
    postrotate
        /etc/init.d/slapd restart
    endscript
}

Install MIT Kerberos master server

Some informations will be asked:

# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55

Default Kerberos version 5 realm:
COINCOIN.EU

Kerberos V4 compatibility mode to use:
None

Kerberos servers for your realm:
kdc.coincoin.eu

Next create a new realm:

# krb5_newrealm

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU',
master key name 'K/M@COINCOIN.EU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.

Configuration: slapd

/etc/ldap/ldap.conf

First, check configuration !

BASE    dc=coincoin,dc=eu
URI     ldap://ldap.coincoin.eu

schema

Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd

aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema

echo "include /etc/ldap/schema/kerberos.schema" > /tmp/schema_convert.conf
slaptest -f /tmp/schema_convert.conf -F /tmp/
# remove lines at the end of /tmp/cn=config/cn=schema/cn={0}kerberos.ldif, starting at "structuralObjectClass: olcSchemaConfig"
# change "dn: cn={0}kerberos" by "dn: cn=kerberos,cn=schema,cn=config"
# change "cn: {0}kerberos" by "cn: kerberos"
ldapadd -QY EXTERNAL -H ldapi:///  -f /tmp/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif

increase log level

# log all: change log level from 'none' to 'stats'
cat ldap/log_level.ldif     
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
ldapmodify -QY EXTERNAL -H ldapi:/// -f log_level.ldif

ACLs:

# add ACL for Kerberos:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# Providing access to realm container
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

access to *
        by * read

access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write

# Comment all other default ACL

# add specific directives for database #1
suffix          "dc=coincoin,dc=eu"
rootdn          "cn=admin,dc=coincoin,dc=eu"

# add indexes
index           objectClass eq # by default
index           uid         eq
index           krbPrincipalName eq,pres,sub

Create indexes

/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start

Add ldap entries

/etc/init.d/slapd stop
cat data.ldif
dn: ou=Users,dc=coincoin,dc=eu
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=coincoin,dc=eu
ou: Groups
objectClass: organizationalUnit

dn: ou=Hosts,dc=coincoin,dc=eu
ou: Hosts
objectClass: organizationalUnit

dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: 5Wdx~FgK|VFm>>2`K1UW

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: grh~1JnFvN*}]742_Jvc


slapadd -svl data.ldif
/etc/init.d/slapd start

If the LDAP server and KDC service are running on the same machine:

# slapd listen only unix socket, in /etc/default/slapd:
SLAPD_SERVICES="ldapi:///"
/etc/init.d/slapd restart

You should disallow anonymous binding:

#Add at the beginning of /etc/ldap/slapd.conf
disallow bind_anon

/etc/init.d/slapd restart

Configure Kerberos

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU
[...]

[realms]
        COINCOIN.EU = { 
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
                database_module = openldap_ldapconf
        }   

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

[dbmodules]
        openldap_ldapconf = { 
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5 
        }   

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
        # TODO logrotate

/etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

[realms]
    COINCOIN.EU = { 
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth

Set up the realms subtree and the realm itself

kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu
# slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
# slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu

Add users to ldap server

This step is needed if users's account are not already in the ldap.

The following command fails:

/etc/init.d/slapd stop
slapadd -svl users.ldif
/etc/init.d/slapd stop

where users.ldif is:

dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu
cn: lilou
gidNumber: 1000
objectClass: top 
objectClass: posixGroup

dn: uid=lilou,ou=Users,dc=coincoin,dc=eu
uid: lilou
uidNumber: 1000
gidNumber: 1000
cn: Lilou
sn: Lilou
objectClass: top 
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/lilou

I use cpu command from the cpu package:

# extract of /etc/cpu/cpu.conf
# USER_BASE = ou=Users,dc=coincoin,dc=eu
# GROUP_BASE = ou=Groups,dc=coincoin,dc=eu
#
cpu -w useradd lilou

Kerberize user

# kadmin.local 
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin.local:  addprinc lilou
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy
Enter password for principal "lilou@COINCOIN.EU": 
Re-enter password for principal "lilou@COINCOIN.EU": 
Principal "lilou@COINCOIN.EU" created.

Restart services

/etc/init.d/slapd restart
/etc/init.d/krb5-kadmin-server restart
/etc/init.d/krb5-kdc restart

Check hostname configuration

user@kdc:~$ hostname
kdc
user@kdc:~$ hostname -f
kdc.coincoin.eu # /etc/resolv.conf could contains "search coincoin.eu". 

Tests

kdc:~# kinit lilou
Password for lilou@COINCOIN.EU: 
kdc:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU

Valid starting     Expires            Service principal
02/20/11 03:07:54  02/20/11 13:07:54  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 02/21/11 03:07:51


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Clients configuration

Check DNS configuration

root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.

Check hostname configuration

root@client:~$ hostname
client
root@client:~$ hostname -f
client.coincoin.eu

Packages

aptitude install krb5-user libpam-krb5

Install libpam-krb5 package only if you want SSO. After installing libpam-krb5, you can use pam-auth-update command in order to handle PAM & kerberos configuration.

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        COINCOIN.EU = {
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
        }

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[login]
        krb4_convert = false
        krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

Tests

Kerberos

toto@client:~# kinit lilou
Password for lilou@COINCOIN.EU: 
toto@client:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: lilou@COINCOIN.EU

Valid starting     Expires            Service principal
02/20/11 02:17:09  02/20/11 12:17:09  krbtgt/COINCOIN.EU@COINCOIN.EU
        renew until 02/21/11 02:17:05

PAM

In order to test PAM configuration, disconnect and reconnect, next use klist command.

Some errors

kinit: Generic error (see e-text) while getting initial credentials

Cause: slapd service is not started.

Kerberos (last edited 2011-09-27 23:23:40 by pilou)