Kerberos: Difference between revisions
From DcSharedWiki
(add link to ubuntu how to) |
(add "Kerberize existing user") |
||
Line 285: | Line 285: | ||
# slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section |
# slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section |
||
kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu |
kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu |
||
</nowiki></pre> |
|||
Kerberize existing user: |
|||
<pre><nowiki> |
|||
# kadmin.local |
|||
Authenticating as principal root/admin@COINCOIN.EU with password. |
|||
kadmin.local: addprinc -x containerdn="uid=lilou,ou=Users,dc=coincoin,dc=eu" lilou |
|||
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy |
|||
Enter password for principal "lilou@COINCOIN.EU": |
|||
Re-enter password for principal "lilou@COINCOIN.EU": |
|||
Principal "lilou@COINCOIN.EU" created. |
|||
</nowiki></pre> |
</nowiki></pre> |
||
Revision as of 20:56, 20 June 2010
How to install MIT Kerberos on Debian with slapd backend
References:
- http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end
Other how-to:
- http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
- https://help.ubuntu.com/9.04/serverguide/C/kerberos-ldap.html
Install slapd
TODO increase level of configuration questions
Install ldap server
# slapd admin password will be asked aptitude install slapd
Logs:
Syslog:
# /etc/rsyslog.d/slapd.conf # minus before file => omit syncing the file after every loggin # & ~ => don't transmist log to next logger local4.* -/var/log/slapd.log & ~
Logrotate:
# /etc/logrotate.d/slapd /var/log/slapd.log { # 1 month weekly rotate 4 missingok compress delaycompress notifempty postrotate /etc/init.d/slapd restart endscript }
Install Kerberos master server
# aptitude install krb5-admin-server # krb5_newrealm This script should be run on the master KDC/admin server to initialize a Kerberos realm. It will ask you to type in a master key password. This password will be used to generate a key that is stored in /etc/krb5kdc/stash. You should try to remember this password, but it is much more important that it be a strong password than that it be remembered. However, if you lose the password and /etc/krb5kdc/stash, you cannot decrypt your Kerberos database. Loading random data Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU', master key name 'K/M@COINCOIN.EU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify:
Install Kerberos key server
Some informations will be asked:
- REALM
- FQDN of Kerberos server (check dns configuration !)
- fqdn of administrative server for the kerberos realm
aptitude install krb5-kdc # dependances will be installed too (krb5-config, krb5-user, etc)
Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd
aptitude install krb5-kdc-ldap gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema #Include Kerberos schema in slapd configuration in /etc/ldap/slapd.conf: include /etc/ldap/schema/kerberos.schema
Configure slapd
/etc/ldap/ldap.conf (check dns configuration !)
BASE dc=coincoin,dc=eu URI ldap://ldap.coincoin.eu
/etc/ldap/slapd.conf
# log all: change log level from 'none' to '256' loglevel 256 # add ACL for Kerberos: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by * auth access to attrs=shadowLastChange by self write by * read # Providing access to realm container access to dn.subtree="cn=COINCOIN.EU,cn=krb5,dc=coincoin,dc=eu" by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write by * none # Providing access to principals, if not underneath realm container access to dn.subtree="ou=Users,dc=coincoin,dc=eu" by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write by * none access to * by * read access to * by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write # Comment all other default ACL # add specific directives for database #1 suffix "dc=coincoin,dc=eu" rootdn "cn=admin,dc=coincoin,dc=eu" # add indexes index objectClass eq # by default index uid eq index krbPrincipalName eq,pres,sub #TODO check indexes are created !
Add ldap entries:
/etc/init.d/slapd stop cat data.ldif dn: ou=Users,dc=coincoin,dc=eu ou: Users objectClass: organizationalUnit dn: ou=Groups,dc=coincoin,dc=eu ou: Groups objectClass: organizationalUnit dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu cn: lilou gidNumber: 1000 objectClass: top objectClass: posixGroup dn: uid=lilou,ou=Users,dc=coincoin,dc=eu uid: lilou uidNumber: 1000 gidNumber: 1000 cn: Lilou sn: Lilou objectClass: top objectClass: person objectClass: posixAccount objectClass: shadowAccount loginShell: /bin/bash homeDirectory: /home/lilou dn: ou=krb5,dc=coincoin,dc=eu ou: krb5 objectClass: organizationalUnit dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu cn: kdc-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos KDC server userPassword: 5Wdx~FgK|VFm>>2`K1UW dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu cn: adm-srv objectClass: simpleSecurityObject objectClass: organizationalRole description: Default bind DN for the Kerberos Administration server userPassword: grh~1JnFvN*}]742_Jvc slapadd -svl data.ldif /etc/init.d/slapd start
Configure Kerberos
/etc/krb5.conf
[libdefaults] default_realm = COINCOIN.EU [...] [realms] COINCOIN.EU = { kdc = kdc.coincoin.eu admin_server = kdc.coincoin.eu database_module = openldap_ldapconf } [domain_realm] .coincoin.eu = COINCOIN.EU coincoin.eu = COINCOIN.EU [dbdefaults] ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu [dbmodules] openldap_ldapconf = { db_library = kldap ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_conns_per_server = 5 } [logging] kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmin.log default = FILE:/var/log/kerberos/krb5lib.log # TODO logrotate
/etc/krb5kdc/kdc.conf
[kdcdefaults] kdc_ports = 750,88 kdc_tcp_ports = 750,88 [realms] COINCOIN.EU = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 default_principal_flags = +preauth
Set up the realms subtree and the realm itself
kdb5_ldap_util -D "cn=admin,dc=piloucorp,dc=eu" create -subtrees dc=piloucorp,dc=eu -r PILOUCORP.EU -s -H ldap://ldap.piloucorp.eu # slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=piloucorp,dc=eu # slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu
Kerberize existing user:
# kadmin.local Authenticating as principal root/admin@COINCOIN.EU with password. kadmin.local: addprinc -x containerdn="uid=lilou,ou=Users,dc=coincoin,dc=eu" lilou WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy Enter password for principal "lilou@COINCOIN.EU": Re-enter password for principal "lilou@COINCOIN.EU": Principal "lilou@COINCOIN.EU" created.
If the LDAP server and KDC service are running on the same machine:
# slapd listen only unix socket, in /etc/default/slapd: SLAPD_SERVICES="ldapi:///" /etc/init.d/slapd restart
You should disallow anonymous binding:
#Add at the beginning of /etc/ldap/slapd.conf disallow bind_anon /etc/init.d/slapd restart