Kerberos: Difference between revisions
(use ntp instead of openntpd) |
m (32 revisions imported) |
||
(7 intermediate revisions by one other user not shown) | |||
Line 10: | Line 10: | ||
* https://help.ubuntu.com/10.10/serverguide/C/kerberos-ldap.html |
* https://help.ubuntu.com/10.10/serverguide/C/kerberos-ldap.html |
||
== Time synchronization == |
== Time synchronization between hosts == |
||
Kerberos clients and server must be synchronized. |
Kerberos clients and server must be synchronized. |
||
For that purpose I use ntp on the clients and server. |
|||
Line 130: | Line 130: | ||
=== Configuration: slapd === |
=== Configuration: slapd === |
||
==== LDAP plugin for Kerberos ==== |
|||
⚫ | |||
⚫ | |||
⚫ | |||
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema |
|||
⚫ | |||
==== /etc/ldap/ldap.conf ==== |
==== /etc/ldap/ldap.conf ==== |
||
First, check |
First, check configuration ! |
||
<pre><nowiki> |
<pre><nowiki> |
||
Line 151: | Line 141: | ||
==== |
==== schema ==== |
||
⚫ | |||
<pre><nowiki> |
<pre><nowiki> |
||
⚫ | |||
#Include Kerberos schema in slapd configuration in /etc/ldap/slapd.conf: |
|||
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema |
|||
echo "include /etc/ldap/schema/kerberos.schema" > /tmp/schema_convert.conf |
|||
slaptest -f /tmp/schema_convert.conf -F /tmp/ |
|||
# remove lines at the end of /tmp/cn=config/cn=schema/cn={0}kerberos.ldif, starting at "structuralObjectClass: olcSchemaConfig" |
|||
# change "dn: cn={0}kerberos" by "dn: cn=kerberos,cn=schema,cn=config" |
|||
# change "cn: {0}kerberos" by "cn: kerberos" |
|||
ldapadd -QY EXTERNAL -H ldapi:/// -f /tmp/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif |
|||
</nowiki></pre> |
</nowiki></pre> |
||
==== increase log level ==== |
|||
<pre><nowiki> |
<pre><nowiki> |
||
# log all: change log level from 'none' to ' |
# log all: change log level from 'none' to 'stats' |
||
cat ldap/log_level.ldif |
|||
loglevel 256 |
|||
dn: cn=config |
|||
changetype: modify |
|||
replace: olcLogLevel |
|||
olcLogLevel: stats |
|||
ldapmodify -QY EXTERNAL -H ldapi:/// -f log_level.ldif |
|||
</nowiki></pre> |
</nowiki></pre> |
||
Line 186: | Line 191: | ||
# Providing access to realm container |
# Providing access to realm container |
||
access to dn.subtree="cn=COINCOIN.EU, |
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu" |
||
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read |
by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read |
||
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write |
by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write |
||
Line 237: | Line 242: | ||
dn: ou=Groups,dc=coincoin,dc=eu |
dn: ou=Groups,dc=coincoin,dc=eu |
||
ou: Groups |
ou: Groups |
||
objectClass: organizationalUnit |
|||
dn: ou=Hosts,dc=coincoin,dc=eu |
|||
ou: Hosts |
|||
objectClass: organizationalUnit |
objectClass: organizationalUnit |
||
Line 346: | Line 355: | ||
<pre><nowiki> |
<pre><nowiki> |
||
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create |
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu |
||
# slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section |
# slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section |
||
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu |
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu |
||
Line 402: | Line 411: | ||
==== Kerberize |
==== Kerberize user ==== |
||
Hum, "-x" parameter should not be mandatory here, with no doubt there is a configuration problem somewhere ! |
|||
Without the option, slapd.log contains: |
|||
⚫ | |||
Feb 20 02:48:39 kdc slapd[27767]: conn=13 op=6 SRCH base="dc=coincoin,dc=eu" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=lilou@COINCOIN.EU))" |
|||
Feb 20 02:48:39 kdc slapd[27767]: conn=13 op=6 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences |
|||
Feb 20 02:48:39 kdc slapd[27767]: conn=13 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text= |
|||
Feb 20 02:48:39 kdc slapd[27767]: conn=13 op=7 ADD dn="krbPrincipalName=lilou@COINCOIN.EU,cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu" |
|||
Feb 20 02:48:39 kdc slapd[27767]: conn=13 op=7 RESULT tag=105 err=50 text=no write access to parent |
|||
⚫ | |||
Line 420: | Line 417: | ||
# kadmin.local |
# kadmin.local |
||
Authenticating as principal root/admin@COINCOIN.EU with password. |
Authenticating as principal root/admin@COINCOIN.EU with password. |
||
kadmin.local: addprinc |
kadmin.local: addprinc lilou |
||
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy |
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy |
||
Enter password for principal "lilou@COINCOIN.EU": |
Enter password for principal "lilou@COINCOIN.EU": |
||
Line 435: | Line 432: | ||
/etc/init.d/krb5-kadmin-server restart |
/etc/init.d/krb5-kadmin-server restart |
||
/etc/init.d/krb5-kdc restart |
/etc/init.d/krb5-kdc restart |
||
⚫ | |||
=== Check hostname configuration === |
|||
⚫ | |||
user@kdc:~$ hostname |
|||
kdc |
|||
user@kdc:~$ hostname -f |
|||
kdc.coincoin.eu # /etc/resolv.conf could contains "search coincoin.eu". |
|||
</nowiki></pre> |
</nowiki></pre> |
||
Line 468: | Line 476: | ||
root@client:/root# host 192.168.20.123 |
root@client:/root# host 192.168.20.123 |
||
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu. |
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu. |
||
⚫ | |||
=== Check hostname configuration === |
|||
⚫ | |||
root@client:~$ hostname |
|||
client |
|||
root@client:~$ hostname -f |
|||
client.coincoin.eu |
|||
</nowiki></pre> |
</nowiki></pre> |
||
Line 563: | Line 581: | ||
==== PAM ==== |
==== PAM ==== |
||
In order to test PAM configuration, disconnect and reconnect, next use klist command. |
In order to test PAM configuration, disconnect and reconnect, next use klist command. |
||
== Some errors == |
|||
=== kinit: Generic error (see e-text) while getting initial credentials === |
|||
Cause: slapd service is not started. |
Latest revision as of 05:22, 22 April 2019
How to install MIT Kerberos on Debian with slapd backend
References:
- http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end
Other how-to:
- http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
- https://help.ubuntu.com/10.10/serverguide/C/kerberos-ldap.html
Time synchronization between hosts
Kerberos clients and server must be synchronized. For that purpose I use ntp on the clients and server.
aptitude install ntp
- /etc/default/ntp: keep default configuration which allows one big adjustment
NTPD_OPTS='-g'
- /etc/ntp.conf: keep default configuration (listen on local)
Install slapd
Install ldap server
# slapd admin password will be asked DEBIAN_PRIORITY=medium aptitude install slapd
slapd logs
Syslog
# /etc/rsyslog.d/slapd.conf # minus before file => omit syncing the file after every loggin # & ~ => don't transmist log to next logger local4.* -/var/log/slapd.log & ~
rotation
# /etc/logrotate.d/slapd /var/log/slapd.log { # 1 month weekly rotate 4 missingok compress delaycompress notifempty postrotate /etc/init.d/slapd restart endscript }
Install MIT Kerberos master server
Some informations will be asked:
- REALM
- FQDN of Kerberos server (check dns configuration !)
- fqdn of administrative server for the kerberos realm
# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55 Default Kerberos version 5 realm: COINCOIN.EU Kerberos V4 compatibility mode to use: None Kerberos servers for your realm: kdc.coincoin.eu
Next create a new realm:
# krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU', master key name 'K/M@COINCOIN.EU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Now that your realm is set up you may wish to create an administrative principal using the addprinc subcommand of the kadmin.local program. Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that you can use the kadmin program on other computers. Kerberos admin principals usually belong to a single user and end in /admin. For example, if jruser is a Kerberos administrator, then in addition to the normal jruser principal, a jruser/admin principal should be created. Don't forget to set up DNS information so your clients can find your KDC and admin servers. Doing so is documented in the administration guide.
Configuration: slapd
/etc/ldap/ldap.conf
First, check configuration !
BASE dc=coincoin,dc=eu URI ldap://ldap.coincoin.eu
schema
Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd
aptitude install krb5-kdc-ldap gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema echo "include /etc/ldap/schema/kerberos.schema" > /tmp/schema_convert.conf slaptest -f /tmp/schema_convert.conf -F /tmp/ # remove lines at the end of /tmp/cn=config/cn=schema/cn={0}kerberos.ldif, starting at "structuralObjectClass: olcSchemaConfig" # change "dn: cn={0}kerberos" by "dn: cn=kerberos,cn=schema,cn=config" # change "cn: {0}kerberos" by "cn: kerberos" ldapadd -QY EXTERNAL -H ldapi:/// -f /tmp/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif
increase log level
# log all: change log level from 'none' to 'stats' cat ldap/log_level.ldif dn: cn=config changetype: modify replace: olcLogLevel olcLogLevel: stats ldapmodify -QY EXTERNAL -H ldapi:/// -f log_level.ldif
ACLs:
# add ACL for Kerberos: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read # Providing access to realm container access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu" by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write by * none # Providing access to principals, if not underneath realm container access to dn.subtree="ou=Users,dc=coincoin,dc=eu" by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write by * none access to * by * read access to * by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write # Comment all other default ACL # add specific directives for database #1 suffix "dc=coincoin,dc=eu" rootdn "cn=admin,dc=coincoin,dc=eu" # add indexes index objectClass eq # by default index uid eq index krbPrincipalName eq,pres,sub
Create indexes
/etc/init.d/slapd stop slapindex chown -R openldap:openldap /var/lib/ldap /etc/init.d/slapd start
Add ldap entries
/etc/init.d/slapd stop cat data.ldif dn: ou=Users,dc=coincoin,dc=eu ou: Users objectClass: organizationalUnit dn: ou=Groups,dc=coincoin,dc=eu ou: Groups objectClass: organizationalUnit dn: ou=Hosts,dc=coincoin,dc=eu ou: Hosts objectClass: organizationalUnit dn: ou=krb5,dc=coincoin,dc=eu ou: krb5 objectClass: organizationalUnit dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu cn: kdc-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos KDC server userPassword: 5Wdx~FgK|VFm>>2`K1UW dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu cn: adm-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos Administration server userPassword: grh~1JnFvN*}]742_Jvc slapadd -svl data.ldif /etc/init.d/slapd start
If the LDAP server and KDC service are running on the same machine:
# slapd listen only unix socket, in /etc/default/slapd: SLAPD_SERVICES="ldapi:///" /etc/init.d/slapd restart
You should disallow anonymous binding:
#Add at the beginning of /etc/ldap/slapd.conf disallow bind_anon /etc/init.d/slapd restart
Configure Kerberos
/etc/krb5.conf
[libdefaults] default_realm = COINCOIN.EU [...] [realms] COINCOIN.EU = { kdc = kdc.coincoin.eu admin_server = kdc.coincoin.eu database_module = openldap_ldapconf } [domain_realm] .coincoin.eu = COINCOIN.EU coincoin.eu = COINCOIN.EU [dbdefaults] ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu [dbmodules] openldap_ldapconf = { db_library = kldap ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_conns_per_server = 5 } [logging] kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmin.log default = FILE:/var/log/kerberos/krb5lib.log # TODO logrotate
/etc/krb5kdc/kdc.conf
[kdcdefaults] kdc_ports = 750,88 kdc_tcp_ports = 750,88 [realms] COINCOIN.EU = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 default_principal_flags = +preauth
Set up the realms subtree and the realm itself
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu # slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu # slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=coincoin,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
Add users to ldap server
This step is needed if users's account are not already in the ldap.
The following command fails:
/etc/init.d/slapd stop slapadd -svl users.ldif /etc/init.d/slapd stop
where users.ldif is:
dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu cn: lilou gidNumber: 1000 objectClass: top objectClass: posixGroup dn: uid=lilou,ou=Users,dc=coincoin,dc=eu uid: lilou uidNumber: 1000 gidNumber: 1000 cn: Lilou sn: Lilou objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash homeDirectory: /home/lilou
I use cpu command from the cpu package:
# extract of /etc/cpu/cpu.conf # USER_BASE = ou=Users,dc=coincoin,dc=eu # GROUP_BASE = ou=Groups,dc=coincoin,dc=eu # cpu -w useradd lilou
Kerberize user
# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin.local: addprinc lilou WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy Enter password for principal "lilou@COINCOIN.EU": Re-enter password for principal "lilou@COINCOIN.EU": Principal "lilou@COINCOIN.EU" created.
Restart services
/etc/init.d/slapd restart /etc/init.d/krb5-kadmin-server restart /etc/init.d/krb5-kdc restart
Check hostname configuration
user@kdc:~$ hostname kdc user@kdc:~$ hostname -f kdc.coincoin.eu # /etc/resolv.conf could contains "search coincoin.eu".
Tests
kdc:~# kinit lilou Password for lilou@COINCOIN.EU: kdc:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: lilou@COINCOIN.EU Valid starting Expires Service principal 02/20/11 03:07:54 02/20/11 13:07:54 krbtgt/COINCOIN.EU@COINCOIN.EU renew until 02/21/11 03:07:51 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached
Clients configuration
Check DNS configuration
root@client:/root# host kdc.coincoin.eu kdc.coincoin.eu has address 192.168.20.123 root@client:/root# host 192.168.20.123 123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
Check hostname configuration
root@client:~$ hostname client root@client:~$ hostname -f client.coincoin.eu
Packages
aptitude install krb5-user libpam-krb5
Install libpam-krb5 package only if you want SSO.
After installing libpam-krb5, you can use pam-auth-update command in order to handle PAM & kerberos configuration.
/etc/krb5.conf
[libdefaults] default_realm = COINCOIN.EU # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following encryption type specification will be used by MIT Kerberos # if uncommented. In general, the defaults in the MIT Kerberos code are # correct and overriding these specifications only serves to disable new # encryption types as they are added, creating interoperability problems. # # Thie only time when you might need to uncomment these lines and change # the enctypes is if you have local software that will break on ticket # caches containing ticket encryption types it doesn't know about (such as # old versions of Sun Java). # default_tgs_enctypes = des3-hmac-sha1 # default_tkt_enctypes = des3-hmac-sha1 # permitted_enctypes = des3-hmac-sha1 # The following libdefaults parameters are only for Heimdal Kerberos. v4_instance_resolve = false v4_name_convert = { host = { rcmd = host ftp = ftp } plain = { something = something-else } } fcc-mit-ticketflags = true [realms] COINCOIN.EU = { kdc = kdc.coincoin.eu admin_server = kdc.coincoin.eu } [domain_realm] .coincoin.eu = COINCOIN.EU coincoin.eu = COINCOIN.EU [login] krb4_convert = false krb4_get_tickets = false [logging] kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmin.log default = FILE:/var/log/kerberos/krb5lib.log
Tests
Kerberos
toto@client:~# kinit lilou Password for lilou@COINCOIN.EU: toto@client:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: lilou@COINCOIN.EU Valid starting Expires Service principal 02/20/11 02:17:09 02/20/11 12:17:09 krbtgt/COINCOIN.EU@COINCOIN.EU renew until 02/21/11 02:17:05
PAM
In order to test PAM configuration, disconnect and reconnect, next use klist command.
Some errors
kinit: Generic error (see e-text) while getting initial credentials
Cause: slapd service is not started.