Kerberos
From DcSharedWiki
How to install MIT Kerberos on Debian with slapd backend
References:
- http://web.mit.edu/Kerberos/krb5-1.8/krb5-1.8.2/doc/krb5-admin.html#Configuring Kerberos with OpenLDAP back-end
Other how-tos:
- http://www.rjsystems.nl/en/2100-kerberos-openldap-provider.php
- https://help.ubuntu.com/10.10/serverguide/C/kerberos-ldap.html
Install slapd
Install the LDAP server:
# the slapd admin password will be asked
DEBIAN_PRIORITY=medium aptitude install slapd
slapd logs
Syslog
# /etc/rsyslog.d/slapd.conf
# minus before the file => omit syncing the file after every log entry
# & ~ => don't pass the message on to the next logger
local4.* -/var/log/slapd.log
& ~
Rotation
# /etc/logrotate.d/slapd
/var/log/slapd.log {
    # 1 month
    weekly
    rotate 4
    missingok
    compress
    delaycompress
    notifempty
    postrotate
        /etc/init.d/slapd restart
    endscript
}
Install MIT Kerberos master server
You will be asked for some information:
- REALM
- FQDN of the Kerberos server (check the DNS configuration!)
- FQDN of the administrative server for the Kerberos realm
# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55
Default Kerberos version 5 realm: COINCOIN.EU
Kerberos V4 compatibility mode to use: None
Kerberos servers for your realm: kdc.coincoin.eu
Next create a new realm:
# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU',
master key name 'K/M@COINCOIN.EU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
Configuration: slapd
LDAP plugin for Kerberos
Install the LDAP plugin for the Kerberos key server and add the Kerberos schema to the schemas used by slapd:
aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema
/etc/ldap/ldap.conf
First, check the DNS configuration!
BASE dc=coincoin,dc=eu
URI  ldap://ldap.coincoin.eu
/etc/ldap/slapd.conf
# Include the Kerberos schema in the slapd configuration, /etc/ldap/slapd.conf:
include /etc/ldap/schema/kerberos.schema
# log all: change the log level from 'none' to '256'
loglevel 256
ACLs:
# add ACLs for Kerberos:
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read

# Providing access to the realm container
# (cn=<REALM>,<ldap_kerberos_container_dn>: the container is ou=krb5 in
# /etc/krb5.conf, so it must be ou=krb5 here too, not cn=krb5)
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Providing access to principals, if not underneath the realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Catch-all: slapd uses the first "access to" whose <what> matches the entry,
# so a second "access to *" would never be reached; the adm-srv write grant
# therefore has to live in this single clause
access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * read

# Comment out all other default ACLs

# add specific directives for database #1
suffix "dc=coincoin,dc=eu"
rootdn "cn=admin,dc=coincoin,dc=eu"

# add indexes (objectClass is indexed by default)
index objectClass eq
index uid eq
index krbPrincipalName eq,pres,sub
Create indexes
/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start
Add ldap entries
/etc/init.d/slapd stop
cat data.ldif
dn: ou=Users,dc=coincoin,dc=eu
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=coincoin,dc=eu
ou: Groups
objectClass: organizationalUnit

dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: 5Wdx~FgK|VFm>>2`K1UW

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: grh~1JnFvN*}]742_Jvc

slapadd -svl data.ldif
/etc/init.d/slapd start
If the LDAP server and the KDC run on the same machine, slapd can be restricted to the Unix socket; in /etc/default/slapd:
SLAPD_SERVICES="ldapi:///"
/etc/init.d/slapd restart
In that case the kdb5_ldap_util commands below must use -H ldapi:/// instead of -H ldap://ldap.coincoin.eu, and ldap_servers = ldapi:/// should be set in the openldap_ldapconf block of /etc/krb5.conf, since an ldap:// URI can no longer reach slapd.
You should disallow anonymous binding:
# Add at the beginning of /etc/ldap/slapd.conf
disallow bind_anon
/etc/init.d/slapd restart
Configure Kerberos
/etc/krb5.conf
[libdefaults]
        default_realm = COINCOIN.EU
[...]

[realms]
        COINCOIN.EU = {
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
                database_module = openldap_ldapconf
        }

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
                ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_conns_per_server = 5
        }

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
        # TODO logrotate
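As an added check that is not part of the original page, the following Python script parses the [dbdefaults]/[dbmodules] values of a krb5.conf and the `access to` clauses of a slapd.conf and reports two mistakes that are easy to make when assembling the ACLs: a realm-container ACL whose DN does not equal cn=<REALM>,<ldap_kerberos_container_dn>, and a second `access to *` clause that slapd never evaluates. The embedded fragments are constructed samples containing both mistakes (cn=krb5 in the ACL versus ou=krb5 in krb5.conf).

```python
import re
# Constructed fragments modelled on this page's configs (ACL says cn=krb5, krb5.conf ou=krb5).
KRB5_CONF = """[libdefaults]
 default_realm = COINCOIN.EU
[dbdefaults]
 ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu
[dbmodules]
 openldap_ldapconf = {
  ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
  ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
 }
"""
SLAPD_CONF = """access to dn.subtree="cn=COINCOIN.EU,cn=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none
access to * by * read
access to * by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
"""

def krb5_values(text):
    """Flat 'key = value' pairs of a krb5.conf-style file (brace lines skipped)."""
    return dict(re.findall(r"^\s*([\w-]+)\s*=\s*([^{}\s].*?)\s*$", text, re.M))

def parse_acls(text):
    """[(what, [(who, level), ...])] per 'access to' clause, in file order."""
    return [(m.group(1), re.findall(r"by\s+(\S+)\s+(\w+)", m.group(2)))
            for m in re.finditer(r"access to (\S+)((?:\s+by\s+\S+\s+\w+)+)", text)]

def dn_of(spec):  # dn.subtree="cn=X,..." -> cn=X,...; '*' and 'self' pass through
    return spec.split("=", 1)[1].strip('"') if spec.startswith("dn.") else spec

def check(krb5_conf, slapd_conf):
    """List ACL problems that would make the KDC or kadmind LDAP access fail."""
    kv = krb5_values(krb5_conf)
    realm_dn = f"cn={kv['default_realm']},{kv['ldap_kerberos_container_dn']}"
    problems, granted, catchall = [], {}, False
    for what, who in parse_acls(slapd_conf):
        if catchall:  # slapd uses the first 'access to' that matches the target
            problems.append(f"unreachable ACL 'access to {what}' after 'access to *'")
        catchall = catchall or what == "*"
        for subj, level in who:  # first matching 'by' clause wins, as in slapd
            granted.setdefault(dn_of(what), {}).setdefault(dn_of(subj), level)
    realm = granted.get(realm_dn, {})
    for dn, need in ((kv["ldap_kdc_dn"], ("read", "write")),
                     (kv["ldap_kadmind_dn"], ("write",))):
        if realm.get(dn) not in need:
            problems.append(f"{dn} lacks {need[0]} access to realm container {realm_dn}")
    return problems
```

Run `check()` on the real files (read with `open().read()`) after editing the ACLs; an empty list means the KDC and kadmind bind DNs have the access the realm container needs.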
/etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

[realms]
    COINCOIN.EU = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
Set up the realms subtree and the realm itself
# the slapd admin (cn=admin) password will be asked
kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -subtrees dc=coincoin,dc=eu -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu
# enter the password of cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu (the userPassword set in data.ldif),
# which is referenced in /etc/krb5.conf by ldap_kdc_dn in the [dbmodules] section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
# enter the password of cn=adm-srv,ou=krb5,dc=coincoin,dc=eu (the userPassword set in data.ldif),
# which is referenced in /etc/krb5.conf by ldap_kadmind_dn in the [dbmodules] section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
Kerberize an existing user
# kadmin.local
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin.local:  addprinc -x containerdn="uid=lilou,ou=Users,dc=coincoin,dc=eu" lilou
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy
Enter password for principal "lilou@COINCOIN.EU":
Re-enter password for principal "lilou@COINCOIN.EU":
Principal "lilou@COINCOIN.EU" created.
Note that -x containerdn= creates a new principal entry underneath the given DN; to attach the Kerberos attributes to the existing user entry itself, use -x dn="uid=lilou,ou=Users,dc=coincoin,dc=eu" instead.
Clients configuration
Check DNS configuration
root@client:/root# host kdc.coincoin.eu
kdc.coincoin.eu has address 192.168.20.123
root@client:/root# host 192.168.20.123
123.20.168.192.in-addr.arpa domain name pointer kdc.coincoin.eu.
Packages
aptitude install krb5-user
/etc/krb5.conf
[libdefaults]
        default_realm = COINCOIN.EU

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        COINCOIN.EU = {
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
        }

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[login]
        krb4_convert = false
        krb4_get_tickets = false

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log