This blog posting is a part of a series of blog postings:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
After getting OpenLDAP running properly and the schemas in place, the next step is to get Kerberos and AutoFS running on top of it, so that centrally managed NFSv4+Kerberos mounts of user home directories can happen automatically. Here we set up Kerberos using OpenLDAP as the backend that stores the principals. This makes it easy to replicate the data to slave servers.
The following documents were used to get the configuration working:
This example uses the Kerberos realm EDU.EXAMPLE.ORG, and the KDC uses the FQDN kerberos.edu.example.org. The LDAP database is the same one configured in the earlier postings of this series.
The following packages are needed to get kerberos working with ldap backend:
sudo apt-get install krb5-kdc-ldap krb5-kdc krb5-admin-server krb5-config krb5-user
/etc/krb5.conf defines the database location, which must be in place before the LDAP database is initialized. In this example the LDAP connection does not use TLS, since the KDC and the LDAP server run on the same host.
[libdefaults]
    default_realm = EDU.EXAMPLE.ORG

[realms]
    EDU.EXAMPLE.ORG = {
        kdc = kerberos.edu.example.org
        admin_server = kerberos.edu.example.org
        master_kdc = kerberos.edu.example.org
        default_domain = edu.example.org
        database_module = ldap_edu.example.org
    }

[domain_realm]
    .edu.example.org = EDU.EXAMPLE.ORG
    edu.example.org = EDU.EXAMPLE.ORG

[dbmodules]
    ldap_edu.example.org = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=edu,dc=example,dc=org
        ldap_kdc_dn = uid=admin,ou=People,dc=edu,dc=example,dc=org
        ldap_kadmind_dn = uid=admin,ou=People,dc=edu,dc=example,dc=org
        ldap_service_password_file = /etc/krb5.secrets
        ldap_servers = ldap://127.0.0.1
        ldap_conns_per_server = 5
    }
To initialize the Kerberos database in the LDAP directory, kdb5_ldap_util is run with valid LDAP credentials; Kerberos uses these credentials to create the initial entries. The KDC database master key is also set at this point. Choose a strong one and record it somewhere safe.
sudo kdb5_ldap_util -D uid=admin,ou=People,dc=edu,dc=example,dc=org create -subtrees dc=edu,dc=example,dc=org -s -H ldap://localhost -r EDU.EXAMPLE.ORG
Password for "uid=admin,ou=People,dc=edu,dc=example,dc=org":
Initializing database for realm 'EDU.EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Kerberos container is missing. Creating now...
Some hints for potential errors:
- "kdb5_ldap_util: Kerberos container location not specified while reading kerberos container information" – something in /etc/krb5.conf is wrong, so that the realm does not map to any database module
- "Server is unwilling to perform" – the LDAP suffix configured for the realm is probably not valid
Next, the LDAP bind DN and its password are stashed so that the KDC can access the directory and create principals:
sudo kdb5_ldap_util -D uid=admin,ou=People,dc=edu,dc=example,dc=org stashsrvpw -f /etc/krb5.secrets uid=admin,ou=People,dc=edu,dc=example,dc=org
Create an admin user named john who can modify the database:
sudo kadmin.local -q "addprinc john/admin@EDU.EXAMPLE.ORG"
Finally give the user access rights in /etc/krb5kdc/kadm5.acl:
*/admin *
The KDC itself is configured in /etc/krb5kdc/kdc.conf with a fairly basic configuration:
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EDU.EXAMPLE.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
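Two of the failure modes discussed on this page (the "Kerberos container location not specified" error from the hints above, and the "cannot fetch the master key" error from a key_stash_file that points at the wrong place) are plain configuration mismatches that can be caught before the KDC is even started. The script below is an added example, not part of the original post and not a tool shipped with MIT Kerberos: its awk parsers are my own reading of the `[section]` / `REALM = { ... }` layout of krb5.conf and kdc.conf, and the two sample config files it writes are constructed inline (one correct realm, one deliberately broken) so it runs without a KDC or LDAP server. It also lists any single-DES enctypes left in supported_enctypes, since current MIT krb5 releases no longer support them.

```shell
#!/bin/sh
# Added example (not from the post or MIT Kerberos): offline sanity checks for
# the krb5.conf / kdc.conf layout shown above. Sample configs are constructed.

# Print the value of KEY inside "REALM = { ... }" in the [realms] section of FILE.
realm_setting() {
    awk -v realm="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $1; sub(/^\[/, "", s); sub(/]$/, "", s); section = s; inrealm = 0; next }
        section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Succeed (exit 0) if the [dbmodules] section of FILE defines a block named NAME.
has_dbmodule() {
    awk -v name="$2" '
        /^[ \t]*\[/ { s = $1; sub(/^\[/, "", s); sub(/]$/, "", s); section = s; next }
        section == "dbmodules" && $1 == name && $2 == "=" { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Report whether REALM in FILE maps to a [dbmodules] block that actually exists;
# a dangling database_module is what produces "Kerberos container location not specified".
check_realm_mapping() {
    mod=$(realm_setting "$1" "$2" database_module)
    if [ -z "$mod" ]; then
        echo "no database_module set for realm $2"
    elif has_dbmodule "$1" "$mod"; then
        echo "ok"
    else
        echo "database_module '$mod' has no [dbmodules] entry"
    fi
}

# Report whether the key_stash_file configured for REALM in kdc.conf exists on disk.
check_stash_file() {
    stash=$(realm_setting "$1" "$2" key_stash_file)
    if [ -z "$stash" ]; then
        echo "no key_stash_file set (KDC will use its default path)"
    elif [ -f "$stash" ]; then
        echo "ok"
    else
        echo "missing: $stash"
    fi
}

# List single-DES enctypes (des, des-cbc-crc, ...) from supported_enctypes of REALM,
# one per line without duplicates. des3-* is not matched, only single DES.
single_des_enctypes() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { s = $1; sub(/^\[/, "", s); sub(/]$/, "", s); section = s; inrealm = 0; next }
        section == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0; next }
        inrealm && $1 == "supported_enctypes" {
            for (i = 3; i <= NF; i++) {
                split($i, p, ":")
                if (p[1] ~ /^des(-|$)/ && !(p[1] in seen)) { seen[p[1]] = 1; print p[1] }
            }
        }
    ' "$1"
}

# Constructed sample configs: the realm from the post plus a deliberately broken one.
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EDU.EXAMPLE.ORG
[realms]
    EDU.EXAMPLE.ORG = {
        kdc = kerberos.edu.example.org
        database_module = ldap_edu.example.org
    }
    BROKEN.EXAMPLE.ORG = {
        kdc = kerberos.edu.example.org
        database_module = ldap_broken
    }
[dbmodules]
    ldap_edu.example.org = {
        db_library = kldap
        ldap_servers = ldap://127.0.0.1
    }
EOF
cat > "$tmp/kdc.conf" <<EOF
[realms]
    EDU.EXAMPLE.ORG = {
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = $tmp/stash
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4
    }
EOF

for realm in EDU.EXAMPLE.ORG BROKEN.EXAMPLE.ORG; do
    echo "$realm -> $(check_realm_mapping "$tmp/krb5.conf" "$realm")"
done
echo "stash file: $(check_stash_file "$tmp/kdc.conf" EDU.EXAMPLE.ORG)"
echo "single-DES enctypes: $(single_des_enctypes "$tmp/kdc.conf" EDU.EXAMPLE.ORG | tr '\n' ' ')"
```

To use it against a real server, point the functions at /etc/krb5.conf and /etc/krb5kdc/kdc.conf instead of the constructed files; the parsers only understand the single-level `NAME = { ... }` blocks used in this post, which is all these two files need here.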
After restarting krb5-kdc and krb5-admin-server, you should be able to run kinit and obtain a Kerberos ticket:
$ kinit john/admin
Password for john/admin@EDU.EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: john/admin@EDU.EXAMPLE.ORG

Valid starting     Expires            Service principal
01/28/10 03:10:20  01/29/10 03:10:20  krbtgt/EDU.EXAMPLE.ORG@EDU.EXAMPLE.ORG
If you now dump the LDAP database, the principal for john/admin is stored under the DN krbPrincipalName=john/admin@EDU.EXAMPLE.ORG,cn=EDU.EXAMPLE.ORG,cn=krbcontainer,dc=edu,dc=example,dc=org
More user principals can be added with kadmin or kadmin.local using the addprinc command. The Ubuntu SingleSignOn manual page has more information about that.
Desktop logins using kerberos
Getting client machines to do PAM authentication against Kerberos is easy. The libpam-krb5 package is needed for this:
sudo apt-get install libpam-krb5
/etc/krb5.conf on the clients needs to point at the right server. Alternatively, proper name server records can be used so that Kerberos clients locate the KDC via DNS (the subject of Part 5).
[libdefaults]
    default_realm = EDU.EXAMPLE.ORG

[realms]
    EDU.EXAMPLE.ORG = {
        kdc = kerberos.edu.example.org
        admin_server = kerberos.edu.example.org
        master_kdc = kerberos.edu.example.org
        default_domain = edu.example.org
    }
On Lucid the PAM settings are added automagically and you should be ready to rock. Just make sure that the user you are authenticating as actually exists in /etc/passwd or in LDAP: Kerberos only authenticates and does not provide NSS account information.
Veli-Matti Lintu
Note that if you are doing a setup just by following the examples blindly, the kerberos attributes are not secured by the acls.dif in the first part of the series. The attributes need to be secured according to your needs and it’s probably a good idea to also create a separate user that is the only one with access to the kerberos data. I hope to write more about this in the future.
– Veli-Matti
Hi,
great tutorial, really helped us start up! Still we encounter an error when we try to add a principal with the line:
"sudo kadmin.local -q addprinc netadmin/netadmin@BIGSISTER.COM"
The error is:
root ~ # kadmin.local -q addprinc netadmin/netadmin@BIGSISTER.COM
Authenticating as principal root/admin@BIGSISTER.COM with password.
kadmin.local: Error reading password from stash: Bind DN entry missing in stash file while initializing kadmin.local interface
Any idea where this might come from? It tries to authenticate as root, and there is no line for root in krb5.secrets, only one for netadmin... maybe this is the error, but then again it should be possible to just sudo kadmin.local? We stuck to the tutorial, thus no root user was added to the secrets.
Thanks in advance,
cheers
The error was that we didn't put our netadmin user in the dbmodules, it was still admin there.
Now it says that it cannot fetch the master key (no such file or directory).
The problem is now resolved.
The keystash variable in /etc/krb5kdc/kdc.conf pointed to the wrong file and we commented it out, which fixed the problem. Also you need to add the closing quotes to your kadmin.local line in the tutorial.
cheers
Thanks a LOT for your guide! I’m currently installing an environment similar to yours and I’m not finished, but your site gave me some invaluable hints 🙂
@Tom
What did you change to fix the stash problem? I tried to comment out the kdc.conf variable as suggested but the problem persists.
I keep getting this error when I execute sudo kdb5_ldap_util -D cn=admin,dc=mykerb,dc=com create -subtrees dc=mykerb,dc=com -s -H ldap://localhost -r mykerb.com
Error: "Kerberos container is missing. Creating now...
kdb5_ldap_util: Kerberos Container create FAILED: Insufficient access while creating realm 'mykerb.com'"
Anyone, Please please help
Thanks,
Vicky