This blog posting is part of a series of blog postings:
- Part 1 – OpenLDAP setup
- Part 2 – SSL/TLS
- Part 3 – Schemas for samba, autofs and kerberos
- Part 4 – Kerberos setup
- Part 5 – DNS settings for kerberos using dnsmasq
- Part 6 – NFSv4 with kerberos
- Part 7 – Autofs
After getting OpenLDAP running properly and the schemas in place, the next step is to get Kerberos and AutoFS running on top of it to enable centrally managed, automatic NFSv4+Kerberos mounts of user home directories. Here we set up Kerberos using OpenLDAP as the backend that stores the principals. This keeps the principal database in the directory, so it can be replicated to slave servers the same way as the rest of the LDAP data.
The following documents were used to get the configuration working:
This example uses the Kerberos realm EDU.EXAMPLE.ORG, and the KDC uses the FQDN kerberos.edu.example.org. The LDAP database is the same one configured in the earlier postings of this series.
The following packages are needed to get kerberos working with ldap backend:
/etc/krb5.conf configures the database location, which must be in place before the LDAP database can be initialized. In this example the LDAP connection does not use TLS because the KDC and slapd run on the same server. If you take that shortcut, bind over the local ldapi:/// socket rather than ldap://localhost, so the KDC's bind password and the principal keys never cross a TCP socket, and make sure the slapd ACLs let only the KDC's bind DN read the krbPrincipalKey attributes.
To initialize the Kerberos database in the LDAP directory, kdb5_ldap_util is run with valid LDAP credentials; Kerberos uses these credentials to create the initial entries. The KDC database master key is also set at this point. Choose a strong one and keep a copy offline: apart from the stash file, nothing else can open the database if it is lost.
Some hints for potential errors:
- "kdb5_ldap_util: Kerberos container location not specified while reading kerberos container information" – /etc/krb5.conf is wrong in a way that leaves the realm mapped to no database module
- "Server is unwilling to perform" – the LDAP suffix configured for the realm is probably not valid
Next the LDAP bind DN and password are stashed in a service password file so that the KDC and kadmind can bind to the directory and create principals. Keep that file readable by root only; it holds the directory credentials in recoverable form:
Create an admin principal, john/admin, that can modify the database:
Finally, grant that principal its rights in /etc/krb5kdc/kadm5.acl (keep the entry to the named principal rather than a wildcard):
The KDC is configured in /etc/krb5kdc/kdc.conf with a fairly basic configuration:
After restarting krb5-kdc and krb5-admin-server, you should be able to run kinit and obtain a Kerberos ticket:
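The whole server-side procedure above, as one added example script that is not from the original post: it writes /etc/krb5.conf, /etc/krb5kdc/kdc.conf and /etc/krb5kdc/kadm5.acl, creates the realm in the directory, stashes the bind password and adds john/admin. It assumes (the post does not say) that the LDAP suffix is dc=edu,dc=example,dc=org, that the directory manager is cn=admin,dc=edu,dc=example,dc=org, and that slapd listens on the ldapi:/// socket; the kdc.conf lifetimes and enctypes are example values.

```shell
#!/bin/sh
# Added example, not the original post's code. Brings up a KDC whose
# principal database lives in OpenLDAP. Assumed (not on the page):
# suffix dc=edu,dc=example,dc=org, directory manager cn=admin,<suffix>,
# slapd reachable on ldapi:///. Run as root: ./kdc-setup.sh run
set -eu

REALM=EDU.EXAMPLE.ORG
SUFFIX="dc=edu,dc=example,dc=org"
LDAP_ADMIN="cn=admin,$SUFFIX"
KDC_HOST=kerberos.edu.example.org
LDAP_URI=ldapi:///                 # unix socket: nothing leaves the host, so no TLS needed
KEYFILE=/etc/krb5kdc/service.keyfile   # stashed LDAP bind password, root-only

# /etc/krb5.conf: [dbmodules] tells kdb5_ldap_util and the KDC where the
# realm lives in the directory. Without it you get the
# "Kerberos container location not specified" error.
krb5_conf() {
cat <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $KDC_HOST
        admin_server = $KDC_HOST
        database_module = openldap_ldapconf
    }

[domain_realm]
    .edu.example.org = $REALM
    edu.example.org = $REALM

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbcontainer,$SUFFIX

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "$LDAP_ADMIN"
        ldap_kadmind_dn = "$LDAP_ADMIN"
        ldap_service_password_file = $KEYFILE
        ldap_servers = $LDAP_URI
        ldap_conns_per_server = 5
    }
EOF
}

# /etc/krb5kdc/kdc.conf: no database_name here, the LDAP module owns the data.
# +preauth on every principal stops offline guessing against AS-REQ replies.
kdc_conf() {
cat <<EOF
[kdcdefaults]
    kdc_ports = 88

[realms]
    $REALM = {
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
EOF
}

# /etc/krb5kdc/kadm5.acl: only the named admin principal, not */admin.
kadm5_acl() {
    printf '%s\n' "john/admin@$REALM *"
}

setup_kdc() {
    krb5_conf > /etc/krb5.conf
    kdc_conf  > /etc/krb5kdc/kdc.conf
    kadm5_acl > /etc/krb5kdc/kadm5.acl
    # Create the realm under cn=krbcontainer; -s stashes the master key you are prompted for.
    kdb5_ldap_util -D "$LDAP_ADMIN" -H "$LDAP_URI" create -subtrees "$SUFFIX" -r "$REALM" -s
    # Stash the bind password the KDC and kadmind use for the directory.
    kdb5_ldap_util -D "$LDAP_ADMIN" -H "$LDAP_URI" stashsrvpw -f "$KEYFILE" "$LDAP_ADMIN"
    chmod 600 "$KEYFILE"
    kadmin.local -q "addprinc john/admin"
    service krb5-kdc restart
    service krb5-admin-server restart
    kinit john/admin && klist
}

if [ "${1:-}" = run ]; then setup_kdc; fi
```

The config-generating functions can be run on their own (`sh kdc-setup.sh; krb5_conf`) to inspect the files before anything touches the directory; only `run` executes the kdb5_ldap_util, kadmin.local and restart steps.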
If you now dump the LDAP database, the principal for john/admin is stored under dn: krbPrincipalName=john/admin@EDU.EXAMPLE.ORG,cn=EDU.EXAMPLE.ORG,cn=krbcontainer,dc=edu,dc=example,dc=org
More user principals can be added with kadmin or kadmin.local using the addprinc command. The Ubuntu SingleSignOn manual page has more information about that.
Desktop logins using kerberos
Getting client machines to do PAM authentication with Kerberos is easy. The libpam-krb5 package is needed for this:
/etc/krb5.conf on the clients needs to point at the right server. Alternatively, with the DNS SRV records from part 5 in place, the clients can locate the KDC by DNS name instead of a hard-coded kdc entry.
On Lucid the PAM settings are added automatically and you should be ready to go. Just make sure that the user you are authenticating as actually exists in /etc/passwd or LDAP: Kerberos only authenticates, it does not provide NSS (account) information.
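The client side, as an added example that is not from the original post: a client /etc/krb5.conf that discovers the KDC through DNS SRV records, and a check for the NSS prerequisite mentioned above. It assumes the SRV records for edu.example.org from part 5 exist; the `rdns = false` and `dns_lookup_realm = false` lines are this example's hardening choices, not settings the post shows.

```shell
#!/bin/sh
# Added example, not the original post's code. Client configuration for
# Kerberos PAM logins. Assumes _kerberos._udp.edu.example.org SRV records
# exist (part 5 of the series). Run as root: ./client-setup.sh run
set -eu

REALM=EDU.EXAMPLE.ORG

# /etc/krb5.conf on a client. dns_lookup_kdc lets libkrb5 find the KDC via SRV
# records, so no kdc= line is needed. dns_lookup_realm stays off: realm
# discovery through TXT records is unauthenticated. rdns=false stops reverse
# DNS from rewriting the service principal name the client asks for.
client_krb5_conf() {
cat <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    rdns = false
    forwardable = true

[domain_realm]
    .edu.example.org = $REALM
    edu.example.org = $REALM
EOF
}

# PAM authenticates against the KDC, but the account must still resolve
# through NSS (/etc/passwd or LDAP) or the login fails after a good password.
user_resolvable() {
    getent passwd "$1" >/dev/null 2>&1
}

setup_client() {
    apt-get install -y libpam-krb5
    client_krb5_conf > /etc/krb5.conf
    if ! user_resolvable john; then
        echo "john is not in /etc/passwd or LDAP; Kerberos login will fail" >&2
    fi
}

if [ "${1:-}" = run ]; then setup_client; fi
```

`user_resolvable` is the check to run for every account that will log in through PAM: a principal that exists in the KDC but not in NSS produces a confusing "authentication succeeded, login failed" symptom.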