Kerberos: Difference between revisions

From DcSharedWiki
(add "Kerberize existing user")
(use DEBIAN_PRIORITY when installing slapd)
Line 11: Line 11:


== Install slapd ==
== Install slapd ==

TODO increase level of configuration questions


Install ldap server
Install ldap server
Line 18: Line 16:
<pre><nowiki>
<pre><nowiki>
# slapd admin password will be asked
# slapd admin password will be asked
aptitude install slapd
DEBIAN_PRIORITY=medium aptitude install slapd
</nowiki></pre>
</nowiki></pre>



Revision as of 01:52, 30 November 2010

How to install MIT Kerberos on Debian with slapd backend


References:

Other how-to:

Install slapd

Install ldap server

# slapd admin password will be asked
DEBIAN_PRIORITY=medium aptitude install slapd


Logs:

Syslog:

# /etc/rsyslog.d/slapd.conf
# minus before file => omit syncing the file after every loggin
# & ~               => don't transmist log to next logger
local4.* -/var/log/slapd.log
& ~


Logrotate:

# /etc/logrotate.d/slapd
/var/log/slapd.log 
{
    # 1 month
    weekly
    rotate 4
    missingok
    compress
    delaycompress
    notifempty
    postrotate
        /etc/init.d/slapd restart
    endscript
}


Install Kerberos master server

# aptitude install krb5-admin-server 
# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU',
master key name 'K/M@COINCOIN.EU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:


Install Kerberos key server Some informations will be asked:

  • REALM
  • FQDN of Kerberos server (check dns configuration !)
  • fqdn of administrative server for the kerberos realm
aptitude install krb5-kdc # dependances will be installed too (krb5-config, krb5-user, etc)


Install LDAP plugin for the Kerberos key server, include kerberos schema in schema used by slapd

aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema
#Include Kerberos schema in slapd configuration in /etc/ldap/slapd.conf:
include         /etc/ldap/schema/kerberos.schema


Configure slapd /etc/ldap/ldap.conf (check dns configuration !)

BASE    dc=coincoin,dc=eu
URI     ldap://ldap.coincoin.eu


/etc/ldap/slapd.conf

# log all: change log level from 'none' to '256'
loglevel 256

# add ACL for Kerberos:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# Providing access to realm container
access to dn.subtree="cn=COINCOIN.EU,cn=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

access to *
        by * read

access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write

# Comment all other default ACL

# add specific directives for database #1
suffix          "dc=coincoin,dc=eu"
rootdn          "cn=admin,dc=coincoin,dc=eu"

# add indexes
index           objectClass eq # by default
index           uid         eq
index           krbPrincipalName eq,pres,sub
#TODO check indexes are created !


Add ldap entries:

/etc/init.d/slapd stop
cat data.ldif
dn: ou=Users,dc=coincoin,dc=eu
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=coincoin,dc=eu
ou: Groups
objectClass: organizationalUnit

dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu
cn: lilou
gidNumber: 1000
objectClass: top 
objectClass: posixGroup

dn: uid=lilou,ou=Users,dc=coincoin,dc=eu
uid: lilou
uidNumber: 1000
gidNumber: 1000
cn: Lilou
sn: Lilou
objectClass: top 
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/lilou

dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: 5Wdx~FgK|VFm>>2`K1UW

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: grh~1JnFvN*}]742_Jvc


slapadd -svl data.ldif
/etc/init.d/slapd start


Configure Kerberos /etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU
[...]

[realms]
        COINCOIN.EU = { 
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
                database_module = openldap_ldapconf
        }   

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

[dbmodules]
        openldap_ldapconf = { 
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5 
        }   

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
        # TODO logrotate


/etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

[realms]
    COINCOIN.EU = { 
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth


Set up the realms subtree and the realm itself

kdb5_ldap_util -D "cn=admin,dc=piloucorp,dc=eu" create -subtrees dc=piloucorp,dc=eu -r PILOUCORP.EU -s -H ldap://ldap.piloucorp.eu
# slapd password will be asked, enter new password for cn=kdc-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kdc_dn in db_modules section
kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=piloucorp,dc=eu
# slapd password will be asked, enter new password for cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu wich is referenced in /etc/krb5.conf by ldap_kadmind_dn in db_modules section
kdb5_ldap_util -D cn=admin,dc=piloucorp,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=piloucorp,dc=eu


Kerberize existing user:

# kadmin.local 
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin.local:  addprinc -x containerdn="uid=lilou,ou=Users,dc=coincoin,dc=eu" lilou
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy
Enter password for principal "lilou@COINCOIN.EU": 
Re-enter password for principal "lilou@COINCOIN.EU": 
Principal "lilou@COINCOIN.EU" created.


If the LDAP server and KDC service are running on the same machine:

# slapd listen only unix socket, in /etc/default/slapd:
SLAPD_SERVICES="ldapi:///"
/etc/init.d/slapd restart


You should disallow anonymous binding:

#Add at the beginning of /etc/ldap/slapd.conf
disallow bind_anon

/etc/init.d/slapd restart