### Kerberos + LDAP Centralized Authentication ###
Author: jgor
#
# Notes:
# Based heavily on the following articles from linux-mag.com:
# http://www.linux-mag.com/id/4738
# http://www.linux-mag.com/id/4765
# Tested on Debian 5.0.3.
#
# Description:
# This document is an informal list of commands and
# file contents, not a shell script. File contents
# are labeled as to whether they are the entire file
# (complete), or modifications to the default file
# contents (additions/changes). Choices made for
# dpkg-reconfigure prompts are listed, in order,
# following applicable apt-get commands.
#
# Machines used in this setup:
# forseti.indiecom.org - kerberos, ldap server
# fenrir.indiecom.org - client
# odin.indiecom.org - dns, ntp server

##### Begin Server Configuration #####

sudo apt-get install krb5-kdc krb5-admin-server libkrb5-dev krb5-config krb5-user krb5-clients libkadm55

sudo vi /etc/krb5.conf (complete)
[libdefaults]
default_realm = INDIECOM.ORG
forwardable = true
proxiable = true

[appdefaults]
minimum_uid = 1100

[realms]
INDIECOM.ORG = {
    kdc = forseti.indiecom.org
    admin_server = forseti.indiecom.org
}

[domain_realm]
.indiecom.org = INDIECOM.ORG
indiecom.org = INDIECOM.ORG

[login]
krb4_convert = false
krb4_get_tickets = false

sudo addgroup --system nvram
sudo addgroup --system fuse
sudo addgroup --system rdma
sudo addgroup --system tss
sudo addgroup --system kvm
sudo adduser --system --no-create-home tss

sudo dpkg-reconfigure krb5-kdc (Yes, disable, No)
sudo kdb5_util create -s
sudo kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin"
sudo kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/changepw"
sudo kadmin.local -q "addprinc krbadm@INDIECOM.ORG"
sudo kadmin.local -q "addprinc ldapadm@INDIECOM.ORG"
sudo /etc/init.d/krb5-admin-server start
sudo /etc/init.d/krb5-kdc start

sudo vi /etc/krb5kdc/kadm5.acl (complete)
krbadm@INDIECOM.ORG *
*/admin@INDIECOM.ORG *
*/*@INDIECOM.ORG i
*@INDIECOM.ORG i

sudo vi /etc/krb5kdc/kdc.conf (complete)
[kdcdefaults]
kdc_ports = 750,88

[realms]
INDIECOM.ORG = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/stash
    kdc_ports = 750,88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    master_key_type = des3-hmac-sha1
    supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
    default_principal_flags = +preauth
}

sudo apt-get install libpam-krb5 libsasl2-dev libsasl2-modules-gssapi-mit libsasl2-modules
( forseti.indiecom.org forseti.indiecom.org )

sudo vi /etc/pam.d/common-auth (complete)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_krb5.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

sudo vi /etc/pam.d/common-session (complete)
session [success=2 default=ignore] pam_unix.so
session [success=1 default=ignore] pam_krb5.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

sudo vi /etc/pam.d/common-password (complete)
password [success=2 default=ignore] pam_unix.so nullok obscure md5
password [success=1 default=ignore] pam_krb5.so
password requisite pam_deny.so
password required pam_permit.so

sudo vi /etc/pam.d/common-account (complete)
account [success=2 default=ignore] pam_unix.so
account [success=1 default=ignore] pam_krb5.so
account requisite pam_deny.so
account required pam_permit.so

sudo vi /etc/ssh/sshd_config (additions/changes)
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
UsePAM yes
AllowTcpForwarding yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes

sudo vi /etc/ssh/ssh_config (additions/changes)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

sudo kadmin -p krbadm -q "addprinc -randkey host/forseti.indiecom.org"
sudo kadmin -p krbadm -q "ktadd host/forseti.indiecom.org"
sudo kadmin -p krbadm -q "addprinc jgor@INDIECOM.ORG"

sudo apt-get install ntp
sudo apt-get install ntpdate
sudo vi /etc/ntp.conf (additions/changes)
server odin.indiecom.org

sudo apt-get install libldap-2.4-2 slapd ldap-utils libdb4.6-dev libdb4.6
openssl req -new -nodes -out forseti.indiecom.org.csr -keyout forseti.indiecom.org.key
(signed .csr via cacert.org, saved cert to forseti.indiecom.org.crt)
wget http://www.cacert.org/certs/class3.crt
sudo cp forseti.indiecom.org.crt /etc/ldap/servercrt.pem
sudo cp forseti.indiecom.org.key /etc/ldap/serverkey.pem
sudo mv class3.crt /etc/ldap/cacert.pem
sudo chown root:openldap /etc/ldap/*.pem
sudo chmod 640 /etc/ldap/serverkey.pem

sudo vi /etc/default/slapd (additions/changes)
SLAPD_SERVICES="ldaps:///"

sudo vi /etc/ldap/schema/krb5-kdc.schema (complete)
# $Id: krb5-kdc.schema 815 2004-03-22 17:25:05Z quanah $
# Definitions for a Kerberos V KDC schema
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions
#krb5KDCFlagsSyntax SYNTAX ::= {
# WITH SYNTAX INTEGER
#-- initial(0), -- require as-req
#-- forwardable(1), -- may issue forwardable
#-- proxiable(2), -- may issue proxiable
#-- renewable(3), -- may issue renewable
#-- postdate(4), -- may issue postdatable
#-- server(5), -- may be server
#-- client(6), -- may be client
#-- invalid(7), -- entry is invalid
#-- require-preauth(8), -- must use preauth
#-- change-pw(9), -- change password service
#-- require-hwauth(10), -- must use hwauth
#-- ok-as-delegate(11), -- as in TicketFlags
#-- user-to-user(12), -- may use user-to-user auth
#-- immutable(13) -- may not be deleted
# ID { 1.3.6.1.4.1.5322.10.0.1 }
#}
#krb5PrincipalNameSyntax SYNTAX ::= {
# WITH SYNTAX OCTET STRING
#-- String representations of distinguished names as per RFC1510
# ID { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions
attributetype ( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName' DESC 'The unparsed Kerberos principal name' EQUALITY caseExactIA5Match SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.5322.10.1.2 NAME 'krb5KeyVersionNumber' EQUALITY integerMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.5322.10.1.3 NAME 'krb5MaxLife' EQUALITY integerMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.5322.10.1.4 NAME 'krb5MaxRenew' EQUALITY integerMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.5322.10.1.5 NAME 'krb5KDCFlags' EQUALITY integerMatch SINGLE-VALUE SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.5322.10.1.6 NAME 'krb5EncryptionType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 1.3.6.1.4.1.5322.10.1.7 NAME 'krb5ValidStart' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.5322.10.1.8 NAME 'krb5ValidEnd' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.5322.10.1.9 NAME 'krb5PasswordEnd' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
# this is temporary; keys will eventually
# be child entries or compound attributes.
attributetype ( 1.3.6.1.4.1.5322.10.1.10 NAME 'krb5Key' DESC 'Encoded ASN1 Key as an octet string' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
attributetype ( 1.3.6.1.4.1.5322.10.1.11 NAME 'krb5PrincipalRealm' DESC 'Distinguished name of krb5Realm entry' SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.5322.10.1.12 NAME 'krb5RealmName' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions
objectclass ( 1.3.6.1.4.1.5322.10.2.1 NAME 'krb5Principal' SUP top AUXILIARY MUST ( krb5PrincipalName ) MAY ( cn $ krb5PrincipalRealm ) )
objectclass ( 1.3.6.1.4.1.5322.10.2.2 NAME 'krb5KDCEntry' SUP krb5Principal AUXILIARY MUST ( krb5KeyVersionNumber ) MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $ krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $ krb5EncryptionType $ krb5Key ) )
objectclass ( 1.3.6.1.4.1.5322.10.2.3 NAME 'krb5Realm' SUP top AUXILIARY MUST ( krb5RealmName ) )

sudo vi /etc/ldap/slapd.conf (additions/changes)
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/openldap.schema
# temporary: the cleartext rootdn/rootpw below are only needed to load setup.ldif; delete both lines as soon as it has been loaded (see the *DELETE* step further down)
rootdn "cn=admin,dc=indiecom,dc=org"
rootpw secret
access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=indiecom,dc=org" write by dn="uid=ldapadm,ou=people,dc=indiecom,dc=org" write by anonymous auth by self write by * none
access to * by dn="cn=admin,dc=indiecom,dc=org" write by dn="uid=ldapadm,ou=people,dc=indiecom,dc=org" write by * read
TLSCACertificateFile /etc/ldap/cacert.pem
TLSCertificateFile /etc/ldap/servercrt.pem
TLSCertificateKeyFile /etc/ldap/serverkey.pem
authz-policy from
authz-regexp uid=([^,]*),cn=.* uid=$1,ou=people,dc=indiecom,dc=org
sasl-secprops noanonymous,noplain,noactive
sasl-realm INDIECOM.ORG
sasl-host forseti.indiecom.org

sudo vi /etc/ldap/ldap.conf (additions/changes)
TLS_REQCERT allow

sudo kadmin -p krbadm -q "addprinc -randkey ldap/forseti.indiecom.org"
sudo kadmin -p krbadm -q "ktadd -k /etc/ldap/ldap.keytab ldap/forseti.indiecom.org"
sudo chown root:openldap /etc/ldap/ldap.keytab
sudo chmod 640 /etc/ldap/ldap.keytab

sudo vi /etc/default/slapd (additions/changes)
export KRB5_KTNAME=/etc/ldap/ldap.keytab

vi setup.ldif
dn: ou=people,dc=indiecom,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=indiecom,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=krbusers,ou=groups,dc=indiecom,dc=org
objectClass: posixGroup
cn: krbusers
gidNumber: 1100

dn: cn=krbadmins,ou=groups,dc=indiecom,dc=org
objectClass: posixGroup
cn: krbadmins
memberUid: jgor
gidNumber: 1101

dn: uid=ldapadm,ou=people,dc=indiecom,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
sn: LDAP
uid: ldapadm
uidNumber: 1100
gidNumber: 1100
homeDirectory: /etc/ldap
loginShell: /bin/false

dn: uid=jgor,ou=people,dc=indiecom,dc=org
uid: jgor
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1110
gidNumber: 1100
homeDirectory: /home/jgor
gecos: John Gordon
cn: John Gordon

sudo /etc/init.d/slapd start
ldapadd -x -D "cn=admin,dc=indiecom,dc=org" -W -H ldaps://localhost -f setup.ldif
(the password is "secret", the temporary rootpw set in slapd.conf above)

sudo vi /etc/ldap/slapd.conf (*DELETE* these entries now)
rootdn "cn=admin,dc=indiecom,dc=org"
rootpw secret

sudo apt-get install ldap-utils libnss-ldap nscd
( ldaps://forseti.indiecom.org/ dc=indiecom,dc=org 3 cn=admin,dc=indiecom,dc=org (password) No No )
sudo rm /etc/libnss-ldap.secret

sudo vi /etc/libnss-ldap.conf (*REMOVE* the following line)
rootbinddn cn=admin,dc=indiecom,dc=org

sudo vi /etc/nsswitch.conf (additions/changes)
passwd: compat files ldap
group: compat files ldap
shadow: compat files ldap

sudo vi /etc/ldap/ldap.conf (additions/changes)
BASE dc=indiecom,dc=org
URI ldaps://forseti.indiecom.org/

##### End Server Configuration #####

##### Begin Client Configuration #####

sudo apt-get install libpam-krb5 libsasl2-dev libsasl2-modules-gssapi-mit libsasl2-modules krb5-user
( forseti.indiecom.org forseti.indiecom.org )

sudo vi /etc/krb5.conf (complete)
[libdefaults]
default_realm = INDIECOM.ORG
forwardable = true
proxiable = true

[appdefaults]
minimum_uid = 1100

[realms]
INDIECOM.ORG = {
    kdc = forseti.indiecom.org
    admin_server = forseti.indiecom.org
}

[domain_realm]
.indiecom.org = INDIECOM.ORG
indiecom.org = INDIECOM.ORG

[login]
krb4_convert = false
krb4_get_tickets = false

sudo addgroup --system nvram
sudo addgroup --system fuse
sudo addgroup --system rdma
sudo addgroup --system tss
sudo addgroup --system kvm
sudo adduser --system --no-create-home tss

sudo vi /etc/pam.d/common-auth (complete)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_krb5.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

sudo vi /etc/pam.d/common-session (complete)
session [success=2 default=ignore] pam_unix.so
session [success=1 default=ignore] pam_krb5.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

sudo vi /etc/pam.d/common-password (complete)
password [success=2 default=ignore] pam_unix.so nullok obscure md5
password [success=1 default=ignore] pam_krb5.so
password requisite pam_deny.so
password required pam_permit.so

sudo vi /etc/pam.d/common-account (complete)
account [success=2 default=ignore] pam_unix.so
account [success=1 default=ignore] pam_krb5.so
account requisite pam_deny.so
account required pam_permit.so

sudo vi /etc/ssh/sshd_config (additions/changes)
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
UsePAM yes
AllowTcpForwarding yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes

sudo vi /etc/ssh/ssh_config (additions/changes)
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

sudo kadmin -p krbadm -q "addprinc -randkey host/fenrir.indiecom.org"
sudo kadmin -p krbadm -q "ktadd host/fenrir.indiecom.org"

sudo apt-get install ntp
sudo apt-get install ntpdate
sudo vi /etc/ntp.conf (additions/changes)
server odin.indiecom.org

sudo apt-get install ldap-utils libnss-ldap nscd
( ldaps://forseti.indiecom.org/ dc=indiecom,dc=org 3 cn=admin,dc=indiecom,dc=org (password) No No )
sudo rm /etc/libnss-ldap.secret

sudo vi /etc/libnss-ldap.conf (*REMOVE* the following line)
rootbinddn cn=admin,dc=indiecom,dc=org

sudo vi /etc/nsswitch.conf (additions/changes)
passwd: compat files ldap
group: compat files ldap
shadow: compat files ldap

sudo vi /etc/ldap/ldap.conf (additions/changes)
BASE dc=indiecom,dc=org
URI ldaps://forseti.indiecom.org/
TLS_REQCERT allow

##### End Client Configuration #####