Kerberos

From DcSharedWiki
Revision as of 20:07, 19 February 2011 by Pilou (talk | contribs) (add client part)

How to install MIT Kerberos on Debian with slapd backend



Install slapd

Install ldap server

# slapd admin password will be asked
DEBIAN_PRIORITY=medium aptitude install slapd


slapd logs

Syslog

# /etc/rsyslog.d/slapd.conf
# minus before the file name => omit syncing the file after every log write
# & ~                        => stop processing (don't pass the message on to later rules)
local4.* -/var/log/slapd.log
& ~


rotation

# /etc/logrotate.d/slapd
/var/log/slapd.log
{
    # 1 month
    weekly
    rotate 4
    missingok
    compress
    delaycompress
    notifempty
    postrotate
        /etc/init.d/slapd restart
    endscript
}


Install MIT Kerberos master server

Some information will be asked for:

  • REALM
  • FQDN of the Kerberos server (check the DNS configuration!)
  • FQDN of the administrative server for the Kerberos realm


# DEBIAN_PRIORITY=medium aptitude install krb5-admin-server krb5-config krb5-kdc krb5-user libkadm55

Default Kerberos version 5 realm:
COINCOIN.EU

Kerberos V4 compatibility mode to use:
None

Kerberos servers for your realm:
hostile.coincoin.eu


# krb5_newrealm

This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'COINCOIN.EU',
master key name 'K/M@COINCOIN.EU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.


Configuration: slapd

LDAP plugin for Kerberos

Install the LDAP plugin for the Kerberos KDC, and include the Kerberos schema in the schemas used by slapd

aptitude install krb5-kdc-ldap
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema
# Include the Kerberos schema in the slapd configuration, /etc/ldap/slapd.conf:
include         /etc/ldap/schema/kerberos.schema


/etc/ldap/ldap.conf

First, check the DNS configuration!

BASE    dc=coincoin,dc=eu
URI     ldap://ldap.coincoin.eu


/etc/ldap/slapd.conf

# log all: change log level from 'none' to '256'
loglevel 256

# add ACL for Kerberos:
access to dn.base=""
        by * read

access to dn.base="cn=Subschema"
        by * read

access to attrs=userPassword,userPKCS12
        by self write
        by * auth

access to attrs=shadowLastChange
        by self write
        by * read

# Providing access to the realm container: kdb5_ldap_util creates it as
# cn=<REALM>,<ldap_kerberos_container_dn>, i.e. under ou=krb5 here
access to dn.subtree="cn=COINCOIN.EU,ou=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# Providing access to principals, if not underneath realm container
access to dn.subtree="ou=Users,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none

# slapd uses the first "access to" whose target matches the entry, so a second
# "access to *" would never be reached: one catch-all rule with both clauses
access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * read

# Comment out all other default ACLs

# add specific directives for database #1
suffix          "dc=coincoin,dc=eu"
rootdn          "cn=admin,dc=coincoin,dc=eu"

# add indexes (objectClass eq is already indexed by default)
index           objectClass eq
index           uid         eq
index           krbPrincipalName eq,pres,sub


Create indexes

/etc/init.d/slapd stop
slapindex
chown -R openldap:openldap /var/lib/ldap
/etc/init.d/slapd start


Add ldap entries

/etc/init.d/slapd stop
cat data.ldif
dn: ou=Users,dc=coincoin,dc=eu
ou: Users
objectClass: organizationalUnit

dn: ou=Groups,dc=coincoin,dc=eu
ou: Groups
objectClass: organizationalUnit

dn: cn=lilou,ou=Groups,dc=coincoin,dc=eu
cn: lilou
gidNumber: 1000
objectClass: top
objectClass: posixGroup

dn: uid=lilou,ou=Users,dc=coincoin,dc=eu
uid: lilou
uidNumber: 1000
gidNumber: 1000
cn: Lilou
sn: Lilou
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/lilou

dn: ou=krb5,dc=coincoin,dc=eu
ou: krb5
objectClass: organizationalUnit

dn: cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: 5Wdx~FgK|VFm>>2`K1UW

dn: cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: grh~1JnFvN*}]742_Jvc


slapadd -svl data.ldif
/etc/init.d/slapd start


If the LDAP server and KDC service are running on the same machine:

# make slapd listen only on the Unix socket, in /etc/default/slapd
# (the KDC and kdb5_ldap_util must then reach it via ldapi:/// instead of ldap://ldap.coincoin.eu)
SLAPD_SERVICES="ldapi:///"
/etc/init.d/slapd restart


You should disallow anonymous binding:

# Add at the beginning of /etc/ldap/slapd.conf
disallow bind_anon

/etc/init.d/slapd restart


Configure Kerberos

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU
[...]

[realms]
        COINCOIN.EU = { 
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
                database_module = openldap_ldapconf
        }   

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[dbdefaults]
        ldap_kerberos_container_dn = ou=krb5,dc=coincoin,dc=eu

[dbmodules]
        openldap_ldapconf = { 
            db_library = kldap
            ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=coincoin,dc=eu
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_conns_per_server = 5 
        }   

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
        # TODO logrotate
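Because slapd applies the first matching access directive, and because the realm ACL must name the DN that kdb5_ldap_util creates under ldap_kerberos_container_dn from [dbdefaults], a small lint over the slapd.conf ACL block catches a shadowed catch-all rule and a mistyped container DN before the KDC is started. This is an added example, not code from the wiki page or from MIT Kerberos; the slapd.conf sample it checks is constructed to contain those two mistakes.

```python
# Constructed sample with two easy mistakes in this kind of ACL block: the realm
# DN sits under cn=krb5 although [dbdefaults] names ou=krb5 as the container,
# and a second "access to *" follows a catch-all slapd has already matched.
SLAPD_CONF = """
access to dn.base=""
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to dn.subtree="cn=COINCOIN.EU,cn=krb5,dc=coincoin,dc=eu"
        by dn.exact="cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu" read
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
        by * none
access to *
        by * read
access to *
        by dn.exact="cn=adm-srv,ou=krb5,dc=coincoin,dc=eu" write
"""

def parse_acls(text):
    """Return [(target, [by-clauses])] in file order. slapd.conf continues a
    directive on lines that begin with whitespace."""
    acls = []
    for line in text.splitlines():
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line[:1].isspace() and line.strip().startswith("by ") and acls:
            acls[-1][1].append(line.strip())
    return acls

def lint_acls(acls, realm, container_dn):
    """slapd applies the first 'access to' whose target matches the entry, so
    every rule after 'access to *' is dead; the realm rule must name the DN
    kdb5_ldap_util creates: cn=<REALM>,<ldap_kerberos_container_dn>."""
    problems = []
    expected = 'dn.subtree="cn=%s,%s"' % (realm, container_dn)
    dead = False
    for target, clauses in acls:
        if dead:
            problems.append("unreachable rule: access to " + target)
        dead = dead or target == "*"
        if target.startswith("dn.subtree=") and realm in target and target != expected:
            problems.append("realm ACL targets %s, expected %s" % (target, expected))
        if target.startswith("attrs=userPassword") and "by * read" in clauses:
            problems.append("userPassword readable by everyone; use 'by * auth'")
    return problems

if __name__ == "__main__":
    for p in lint_acls(parse_acls(SLAPD_CONF), "COINCOIN.EU", "ou=krb5,dc=coincoin,dc=eu"):
        print("WARNING:", p)
```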


/etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88
    kdc_tcp_ports = 750,88

[realms]
    COINCOIN.EU = { 
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }


Set up the realms subtree and the realm itself

kdb5_ldap_util -D "cn=admin,dc=coincoin,dc=eu" create -subtrees dc=coincoin,dc=eu -r COINCOIN.EU -s -H ldap://ldap.coincoin.eu
# slapd admin password will be asked, then enter the password of cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu (its userPassword from data.ldif), which /etc/krb5.conf references as ldap_kdc_dn in the [dbmodules] section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-srv,ou=krb5,dc=coincoin,dc=eu
# slapd admin password will be asked, then enter the password of cn=adm-srv,ou=krb5,dc=coincoin,dc=eu (its userPassword from data.ldif), which /etc/krb5.conf references as ldap_kadmind_dn in the [dbmodules] section
kdb5_ldap_util -D cn=admin,dc=coincoin,dc=eu stashsrvpw -f /etc/krb5kdc/service.keyfile cn=adm-srv,ou=krb5,dc=coincoin,dc=eu


Kerberize an existing user

# kadmin.local 
Authenticating as principal root/admin@COINCOIN.EU with password.
kadmin.local:  addprinc -x containerdn="uid=lilou,ou=Users,dc=coincoin,dc=eu" lilou
WARNING: no policy specified for lilou@COINCOIN.EU; defaulting to no policy
Enter password for principal "lilou@COINCOIN.EU": 
Re-enter password for principal "lilou@COINCOIN.EU": 
Principal "lilou@COINCOIN.EU" created.


Client configuration

/etc/krb5.conf

[libdefaults]
        default_realm = COINCOIN.EU

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        COINCOIN.EU = {
                kdc = kdc.coincoin.eu
                admin_server = kdc.coincoin.eu
        }

[domain_realm]
        .coincoin.eu = COINCOIN.EU
        coincoin.eu = COINCOIN.EU

[login]
        krb4_convert = false
        krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log