This blog posting is a part of a series of blog postings:

After getting OpenLDAP running properly and the schemas in place, the next step is to get Kerberos and AutoFS running on top of it to enable centrally managed automatic NFSv4+kerberos mounts to user home directories. Here we set up kerberos using OpenLDAP as the backend to store the principals. This allows one to easily replicate the data to slave servers.

The following documents were used to get the configuration working:

This example uses kerberos realm EDU.EXAMPLE.ORG and the kdc uses fqdn kerberos.edu.example.org. The ldap database used is the same as configured in the earlier postings in this blog.

The following packages are needed to get kerberos working with ldap backend:

sudo apt-get install krb5-kdc-ldap krb5-kdc krb5-admin-server krb5-config krb5-user

/etc/krb5.conf configures the database location, which must be in place before initializing the ldap database. In this example the ldap connection does not use TLS because both services run on the same server.

[libdefaults]
        default_realm = EDU.EXAMPLE.ORG

[realms]
         EDU.EXAMPLE.ORG = {
             kdc = kerberos.edu.example.org
             admin_server = kerberos.edu.example.org
             master_kdc = kerberos.edu.example.org
             default_domain = edu.example.org
             database_module = ldap_edu.example.org
         }

[domain_realm]
         .edu.example.org = EDU.EXAMPLE.ORG
         edu.example.org = EDU.EXAMPLE.ORG

[dbmodules]
        ldap_edu.example.org = {
               db_library = kldap
               ldap_kerberos_container_dn = cn=krbcontainer,dc=edu,dc=example,dc=org
               ldap_kdc_dn = uid=admin,ou=People,dc=edu,dc=example,dc=org
               ldap_kadmind_dn = uid=admin,ou=People,dc=edu,dc=example,dc=org
               ldap_service_password_file = /etc/krb5.secrets
               ldap_servers = ldap://127.0.0.1
               ldap_conns_per_server = 5
        }

To get the kerberos database initialized in the ldap directory, kdb5_ldap_util is used with valid ldap credentials. Kerberos will use these credentials to create the initial entries. The KDC database master key is also set at this point. Make it strong and write it down somewhere safe.

sudo kdb5_ldap_util -D uid=admin,ou=People,dc=edu,dc=example,dc=org \
    create -subtrees dc=edu,dc=example,dc=org -s -H ldap://localhost -r EDU.EXAMPLE.ORG

Password for "uid=admin,ou=People,dc=edu,dc=example,dc=org":
Initializing database for realm 'EDU.EXAMPLE.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Kerberos container is missing. Creating now...

Some hints for potential errors:

  • "kdb5_ldap_util: Kerberos container location not specified while reading kerberos container information" - /etc/krb5.conf has
    something wrong so that the realm doesn't map to any databases
  • "Server is unwilling to perform" - the ldap suffix configured for the realm is probably not valid
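As an added example (not from the original post), a small Python checker for the first hint above: it parses /etc/krb5.conf and reports when a realm's database_module does not resolve to a usable kldap entry. The sample configuration embedded in it is constructed from the one shown earlier in this post.

```python
# Constructed sample: the KDC-side /etc/krb5.conf from the post, trimmed to the sections the ldap backend needs.
SAMPLE_KRB5_CONF = """[realms]
         EDU.EXAMPLE.ORG = {
             kdc = kerberos.edu.example.org
             database_module = ldap_edu.example.org
         }
[dbmodules]
        ldap_edu.example.org = {
               db_library = kldap
               ldap_kerberos_container_dn = cn=krbcontainer,dc=edu,dc=example,dc=org
               ldap_service_password_file = /etc/krb5.secrets
               ldap_servers = ldap://127.0.0.1
        }
"""
REQUIRED_KLDAP_KEYS = ("ldap_kerberos_container_dn", "ldap_servers", "ldap_service_password_file")

def parse_krb5_conf(text):
    """Parse krb5.conf ([section] headers plus brace-delimited subsections) into nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # krb5.conf comments start with '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()  # close the current subsection
        elif "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))  # open a subsection
            else:
                stack[-1][key] = val  # DN values keep their own '=' signs intact
    return conf

def check_ldap_backend(conf):
    """List the misconfigurations behind 'Kerberos container location not specified'."""
    problems, dbmodules = [], conf.get("dbmodules", {})
    for realm, settings in conf.get("realms", {}).items():
        module = settings.get("database_module")
        spec = dbmodules.get(module)
        if spec is None:
            problems.append(f"{realm}: database_module {module!r} names no [dbmodules] entry")
            continue
        if spec.get("db_library") != "kldap":
            problems.append(f"{module}: db_library must be kldap for the ldap backend")
        problems += [f"{module}: {key} is missing" for key in REQUIRED_KLDAP_KEYS if key not in spec]
    return problems
```

Run it against the real file with `check_ldap_backend(parse_krb5_conf(open("/etc/krb5.conf").read()))` before calling kdb5_ldap_util; an empty list means the realm maps to a complete kldap module.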

Next the ldap user and password are stored for KDC to access and create principals:

sudo kdb5_ldap_util -D uid=admin,ou=People,dc=edu,dc=example,dc=org \
    stashsrvpw -f /etc/krb5.secrets uid=admin,ou=People,dc=edu,dc=example,dc=org

Create an admin user named john who can modify the database:

sudo kadmin.local -q "addprinc john/admin@EDU.EXAMPLE.ORG"

Finally give the user access rights in /etc/krb5kdc/kadm5.acl:

*/admin *
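A tighter kadm5.acl, added here as an example rather than taken from the post: the single line above gives every principal with an /admin instance every right, whereas this grants full rights only to john/admin and read-only rights (inquire and list) to any other /admin principal. Each line is principal, then permission letters, as documented in the kadm5.acl man page.

```text
john/admin@EDU.EXAMPLE.ORG    *
*/admin@EDU.EXAMPLE.ORG       il
```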

KDC is configured in /etc/krb5kdc/kdc.conf with fairly basic configuration. Note that the des, des3 and arcfour-hmac enctypes listed below are weak or deprecated, and single-DES has been removed from current MIT Kerberos releases, so on a modern system keep only the aes types:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EDU.EXAMPLE.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

After restarting krb5-kdc and krb5-admin-server one should be able to run kinit and get a kerberos ticket:

$ kinit john/admin
Password for john/admin@EDU.EXAMPLE.ORG:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: john/admin@EDU.EXAMPLE.ORG

Valid starting     Expires            Service principal
01/28/10 03:10:20  01/29/10 03:10:20  krbtgt/EDU.EXAMPLE.ORG@EDU.EXAMPLE.ORG

If you now dump the ldap database, the principal for john/admin is stored in dn: krbPrincipalName=john/admin@EDU.EXAMPLE.ORG,cn=EDU.EXAMPLE.ORG,cn=krbcontainer,dc=edu,dc=example,dc=org

More user principals can be added with kadmin and kadmin.local using the addprinc command. The Ubuntu SingleSignOn manual page has more information about that.

Desktop logins using kerberos

Getting client machines to do PAM authentication using kerberos is easy. The libpam-krb5 package is needed for this:

sudo apt-get install libpam-krb5

/etc/krb5.conf needs to be configured on the clients to point to the right server. This can also be done through DNS (SRV records for the realm) so that the kerberos clients locate the right server from the domain name.

[libdefaults]
        default_realm = EDU.EXAMPLE.ORG

[realms]
         EDU.EXAMPLE.ORG = {
             kdc = kerberos.edu.example.org
             admin_server = kerberos.edu.example.org
             master_kdc = kerberos.edu.example.org
             default_domain = edu.example.org
         }

On Lucid the PAM settings are added automagically and you should be ready to rock. Just make sure that the user you are authenticating as actually exists in /etc/passwd or ldap, as kerberos only authenticates and does not provide nss (account lookup) services.

Veli-Matti Lintu