Changes for page KerberosAndLDAP

Summary

• Page properties (1 modified, 0 added, 0 removed)

Details

Page properties

Content

...	...	@@ -27,7 +27,12 @@
27	27	Now you need to load the kerberos schema into the LDAP server on the Synology. Use the ##cn=config## DN.
28	28
29	29	(% style="color:#400" %)
30		-##{{{$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldaps://nas.example.com/ -D cn=config -W Enter LDAP Password: adding new entry "cn=kerberos,cn=schema,cn=config" $}}}##
	30	+##{{{
	31	+$ zcat /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz | ldapadd -H ldaps://nas.example.com/ -D cn=config -W
	32	+Enter LDAP Password:
	33	+adding new entry "cn=kerberos,cn=schema,cn=config"
	34	+$
	35	+}}}##
31	31
32	32
33	33	=== Create Index on krbPrincipalName ===
...	...	@@ -38,20 +38,20 @@
38	38	##{{{
39	39	dn: olcDatabase={1}bdb,cn=config
40	40	add: olcDbIndex
41		-olcDbIndex: krbPrincipalName eq,pres,sub}}}##
	46	+olcDbIndex: krbPrincipalName eq,pres,sub
	47	+}}}##
42	42
43		-
44	44	and apply it with
45	45
46	46	(% style="color:#400" %)
47		-##{{{$ ldapmodify -H ldaps://nas.example.com/ -D cn=config -W -f step1.ldif
	52	+##{{{
	53	+$ ldapmodify -H ldaps://nas.example.com/ -D cn=config -W -f step1.ldif
48	48	Enter LDAP Password:
49		-
50	50	modifying entry "olcDatabase={1}bdb,cn=config"
	56	+$
	57	+}}}##
51	51
52		-$ }}}##
53	53
54		-
55	55	=== Create principals kadmin and kdc ===
56	56
57	57	Next, you create and configure two entries which will be used by the Kerberos servers to connect to OpenLDAP. Not running the Kerberos KDC and Admin Server on the same host as OpenLDAP, these steps are required. Keeping things confined, everything will be created under a separate ##organizationalUnit##. My guide differs from the official Debian guide here. Due to Synology OpenLDAP having a strict password policy, it was necessary to adjust the DNs of ##kdc## and ##kadmin##. The official guide use placeholder passwords which does not work with the Synology LDAP server.
...	...	@@ -86,13 +86,14 @@
86	86	pwdCheckQuality: 2
87	87	pwdPolicySubentry: cn=kadmin,ou=kerberos,dc=example,dc=com
88	88	userPassword: {SSHA}<password-hash>
89		-description: Kerberos KDC Account}}}##
	94	+description: Kerberos KDC Account
	95	+}}}##
90	90
91		-
92	92	Apply it with
93	93
94	94	(% style="color:#400" %)
95		-##{{{$ ldapadd -H ldaps://nas.example.com/ -D uid=root,cn=users,dc=example,dc=com -W -f step2.ldif
	100	+##{{{
	101	+$ ldapadd -H ldaps://nas.example.com/ -D uid=root,cn=users,dc=example,dc=com -W -f step2.ldif
96	96	Enter LDAP Password:
97	97
98	98	adding new entry "ou=kerberos,dc=example,dc=com"
...	...	@@ -100,100 +100,85 @@
100	100	adding new entry "cn=kdc,ou=kerberos,dc=example,dc=com"
101	101
102	102	adding new entry "cn=kadmin,ou=kerberos,dc=example,dc=com"
	109	+}}}##
103	103
104		-$ }}}##
105	105
106	106
107		-A small note on this section:
108		-The ##objectClass: pwdPolicy## must be added to a, to LDAP, physical thing. ##objectClass: person## fits the criteria, but can not have ##uid##. So to make it work, the ##uid## is replaced with ##sn## and ##cn## (yes, both are needed). Then you can set the other four attributes and add the hashed password you got from ##slappasswd##.
109		-
110		-
111	111	=== Grant kdc and kadmin permissions ===
112	112
113		-This switches back to the ##cn=config## DN as you are changing the permissions. Note that we now reference our kdc and kadmin accounts and we grant them permission to the krbContainer which will house all our kerberos principals. Give both of them write access, because we do want to have the ability to track last login and lock accounts if there are too many login failures. We like security.
	115	+This switches back to the ##cn=config## DN as you are changing the permissions.
114	114
115		-Create ##step3.ldif## with the following content:
	117	+$ ldapmodify -H ldaps:~/~/ds723.trudheim.com -W -D cn=config <<EOF
116	116
117		-(% style="color:#400" %)
118		-##{{{
119	119	dn: olcDatabase={1}bdb,cn=config
120	120	add: olcAccess
121	121	olcAccess: {0}to attrs=krbPrincipalKey
122	122	by anonymous auth
123		- by dn.exact="cn=kdc,ou=kerberos,dc=example,dc=com" write
124		- by dn.exact="cn=kadmin,ou=kerberos,dc=example,dc=com" write
	123	+ by dn.exact="cn=kdc,ou=kerberos,dc=trudheim,dc=com" write
	124	+ by dn.exact="cn=kadmin,ou=kerberos,dc=trudheim,dc=com" write
125	125	by self write
126	126	by * none
127	127	-
128	128	add: olcAccess
129	129	olcAccess: {1}to dn.subtree="cn=krbContainer,ou=kerberos,dc=example,dc=com"
130		- by dn.exact="cn=kdc,ou=kerberos,dc=example,dc=com" write
131		- by dn.exact="cn=kadmin,ou=kerberos,dc=example,dc=com" write
	130	+ by dn.exact="cn=kdc,ou=kerberos,dc=trudheim,dc=com" write
	131	+ by dn.exact="cn=kadmin,ou=kerberos,dc=trudheim,dc=com" write
132	132	by * none
133		-}}}##
134	134
	134	+EOF
135	135
136		-**Do not get the domain part above wrong. If you do, you may not be able to use ##kadmin## or ##kinit## and fixing the permissions without breaking something else is a nervous task. Trust me on this (as I screwed them up).**
137		-
138		-Apply it with
139		-
140		-(% style="color:#400" %)
141		-##{{{
142		-$ ldapmodify -H ldaps://nas.example.com -W -D cn=config -f step3.ldif
143	143	Enter LDAP Password:
144		-
145	145	modifying entry "olcDatabase={1}bdb,cn=config"
146	146
147		-$ }}}##
	139	+$
148	148
149	149
	142	+Note that we now reference our kdc and kadmin accounts and we grant them permission to the krbContainer which will house all our kerberos principals. Give both of them write access, because we do want to have the ability to track last login and lock accounts if there are login failures. We like security.
	143	+
	144	+
150	150	=== Create krb5.conf ===
151	151
152		-Next we create (or modify) ##/etc/krb5.conf## so that it will point to the right thing later. It should look something like this:
	147	+Over to adjusting /etc/krb5.conf so that it will point to the right thing later. It should look something like this:
153	153
154		-(% style="color:#400" %)
155		-##{{{
156		-[libdefaults]
157		- default_realm = EXAMPLE.COM
158		- dns_lookup_realm = false
159		- dns_lookup_kdc = false
160		- ticket_lifetime = 24h
161		- forwardable = true
162		- proxiable = true
163		- rdns = false
164	164
	150	+{{{[libdefaults]
	151	+ default_realm = EXAMPLE.COM
	152	+ dns_lookup_realm = false
	153	+ dns_lookup_kdc = false
	154	+ ticket_lifetime = 24h
	155	+ forwardable = true
	156	+ proxiable = true
	157	+ rdns = false
	158	+
165	165	[realms]
166		- EXAMPLE.COM = {
167		- kdc = debian.example.com
168		- admin_server = debian.example.com
169		- default_domain = example.com
170		- }
171		-[domain_realm]
172		- .example.com = EXAMPLE.COM
173		- example.com = EXAMPLE.COM
174		-}}}##
	160	+ EXAMPLE.COM = {
	161	+ kdc = debian.example.com
	162	+ admin_server = debian.example.com
	163	+ default_domain = example.com
	164	+ }
	165	+ [domain_realm]
	166	+ .example.com = EXAMPLE.COM
	167	+ example.com = EXAMPLE.COM}}}
175	175
	169	+Make sure your designated debian server have ports 88, 464 and 749 open, both for TCP and UDP, in its firewall. 88 is for the kdc, 464 and 749 is for kadmin.
176	176
177		-Make sure your designated debian server have ports **88**, **464** and **749** open, both for TCP and UDP, in its firewall. 88 is for the kdc, 464 and 749 is for kadmin.
178	178
179		-
180	180	=== Create kdc.conf ===
181	181
182		-Now we do /etc/krb5kdc/kdc.conf. Something like this should work
	174	+Next, we need to write up /etc/krb5kdc/kdc.conf. Something like this should work
183	183
184		-(% style="color:#400" %)
185		-##{{{
	176	+
186	186	[libdefaults]
187	187
188	188	[realms]
189		- EXAMPLE.COM = {
190		- database_module = openldap_ldapconf
191		- max_life = 7d
192		- max_renewable_life = 6d
	180	+ TRUDHEIM.COM = {
	181	+ database_module = openldap_ldapconf
	182	+ max_life = 7d
	183	+ max_renewable_life = 6d
193	193	}
194	194
195	195	[dbdefaults]
196		- ldap_kerberos_container_dn = cn=krbContainer,ou=kerberos,dc=example,dc=com
	187	+ ldap_kerberos_container_dn = cn=krbContainer,ou=kerberos,dc=trudheim,dc=com
197	197
198	198	[dbmodules]
199	199	openldap_ldapconf = {
...	...	@@ -201,110 +201,78 @@
201	201	disable_last_success = false
202	202	disable_lockout = false
203	203	ldap_conns_per_server = 5
204		- ldap_servers = ldaps:~/~/nas.example.com
205		- ldap_kdc_dn = "cn=kdc,ou=kerberos,dc=example,dc=com"
206		- ldap_kadmind_dn = "cn=kadmin,ou=kerberos,dc=example,dc=com"
	195	+ ldap_servers = ldaps:~/~/ds723.trudheim.com
	196	+ ldap_kdc_dn = "cn=kdc,ou=kerberos,dc=trudheim,dc=com"
	197	+ ldap_kadmind_dn = "cn=kadmin,ou=kerberos,dc=trudheim,dc=com"
207	207	ldap_service_password_file = /etc/krb5kdc/service.keyfile
208	208	}
209		-}}}##
210	210
211	211
212	212	=== Create kadm5.acl ===
213	213
214		-Create ##/etc/krb5kdc/kadm5.acl with the following content so that kerberos administrator principals can run ##kadmin##
	204	+Then you need to create ##/etc/krb5kdc/kadm5.acl and put in it##
215	215
216		-(% style="color:#400" %)
217		-##{{{
218		-*/admin@EXAMPLE.COM *
219		-}}}##
	206	+##*/admin@EXAMPLE.COM *##
220	220
221	221
	209	+so that administrator principals can run kadmin. Now we are ready to create the domain. And that we do with
	210	+
	211	+
222	222	=== Create the kerberos domain ===
223	223
224		-Now we are ready to create the domain. And that we do with ##kdb5_ldap_util## as ##root##. Note that this commandline is deceptive and you need all of it.
	214	+#
225	225
226		-(% style="color:#400" %)
227		-##{{{
228		-# kdb5_ldap_util -D uid=root,cn=users,dc=example,dc=com -H ldaps://nas.example.com -r EXAMPLE.COM create -subtrees dc=example,dc=com -maxtktlife '7 Days' -maxrenewlife '6 Days' -s
	216	+kdb5_ldap_util -D uid=root,cn=users,dc=trudheim,dc=com -H ldaps:~/~/ds723.trudheim.com -r TRUDHEIM.COM create -subtrees dc=trudheim,dc=com -maxtktlife '7 Days' -maxrenewlife '6 Days' -s
229	229	Password for "uid=root,cn=users,dc=trudheim,dc=com":
230		-Initializing database for realm 'EXAMPLE.COM'
	218	+Initializing database for realm 'TRUDHEIM.COM'
231	231	You will be prompted for the database Master Password.
232	232	It is important that you NOT FORGET this password.
233	233	Enter KDC database master key:
234	234	Re-enter KDC database master key to verify:
235		-# }}}##
236	236
	224	+kdb5_ldap_util -D uid=root,cn=users,dc=trudheim,dc=com -H ldaps:~/~/ds723.trudheim.com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc,ou=kerberos,dc=trudheim,dc=com
	225	+Password for "uid=root,cn=users,dc=trudheim,dc=com":
	226	+Password for "cn=kdc,ou=kerberos,dc=trudheim,dc=com":
	227	+Re-enter password for "cn=kdc,ou=kerberos,dc=trudheim,dc=com":
237	237
238		-=== Stash the passwords for ##kdc## and ##kadmin## ===
	229	+kdb5_ldap_util -D uid=root,cn=users,dc=trudheim,dc=com -H ldaps:~/~/ds723.trudheim.com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kadmin,ou=kerberos,dc=trudheim,dc=com
	230	+Password for "uid=root,cn=users,dc=trudheim,dc=com":
	231	+Password for "cn=kadmin,ou=kerberos,dc=trudheim,dc=com":
	232	+Re-enter password for "cn=kadmin,ou=kerberos,dc=trudheim,dc=com":
239	239
240		-Most likely, you will want your KDC and KAdmin server to start at boot, and for that, we can stash the passwords (into LDAP) for ##cn=kdc,ou=kerberos,dc=example,dc=com## and ##cn=kdc,ou=kerberos,dc=example,dc=com## using the same tool as in the previous step.
241	241
242		-(% style="color:#400" %)
243		-##{{{
244		-# kdb5_ldap_util -D uid=root,cn=users,dc=example,dc=com -H ldaps://nas.example.com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc,ou=kerberos,dc=example,dc=com
245		-Password for "uid=root,cn=users,dc=example,dc=com":
246		-Password for "cn=kdc,ou=kerberos,dc=example,dc=com":
247		-Re-enter password for "cn=kdc,ou=kerberos,dc=example,dc=com":
248		-# kdb5_ldap_util -D uid=root,cn=users,dc=example,dc=com -H ldaps://nas.example.com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kadmin,ou=kerberos,dc=example,dc=com
249		-Password for "uid=root,cn=users,dc=example,dc=com":
250		-Password for "cn=kadmin,ou=kerberos,dc=example,dc=com":
251		-Re-enter password for "cn=kadmin,ou=kerberos,dc=example,dc=com":
252		-# }}}##
253		-
254		-
255		-=== Start the services ===
256		-
257		-We are now ready to start the services. If this does not work, you need to backtrack and find out where you made a mistake, rectify it, and then walk forward again.
258		-
259		-(% style="color:#400" %)
260		-##{{{
261		-# systemctl enable --now krb5-kdc krb5-admin-server
262		-#
263		-}}}##
264		-
265		-
266		-Check that they are running and not giving off errors with ##systemctl status krb5-kdc## and ##systemctl status krb5-admin-server##.
267		-
268		-
269	269	=== Create the first regular principals ===
270	270
271		-Providing you got to here without issues it is now time to generate your principals that you will use to authenticate into systems with. Run ##kadmin.local## as root to create first a regular user, and then an admin version of that user.
	237	+Here, you will run kadmin.local to create first a regular user, and then an admin version of that user.
272	272
273		-(% style="color:#400" %)
274		-##{{{
275	275	# kadmin.local
276	276
277		-Authenticating as principal root/admin@EXAMPLE.COM with password.
	241	+Authenticating as principal root/admin@TRUDHEIM.COM with password.
278	278	kadmin.local:  addprinc user
279	279
280		-No policy specified for user@EXAMPLE.COM; defaulting to no policy
281		-Enter password for principal "user@EXAMPLE.COM":
282		-Re-enter password for principal "user@EXAMPLE.COM":
283		-Principal "user@EXAMPLE.COM" created.
	244	+No policy specified for user@TRUDHEIM.COM; defaulting to no policy
	245	+Enter password for principal "user@TRUDHEIM.COM":
	246	+Re-enter password for principal "user@TRUDHEIM.COM":
	247	+Principal "user@TRUDHEIM.COM" created.
284	284
285	285	kadmin.local:  addprinc user/admin
286		-No policy specified for user/admin@EXAMPLE.COM; defaulting to no policy
287		-Enter password for principal "user/admin@EXAMPLE.COM":
288		-Re-enter password for principal "user/admin@EXAMPLE.COM":
289		-Principal "user/admin@EXAMPLE.COM" created.
	250	+No policy specified for user/admin@TRUDHEIM.COM; defaulting to no policy
	251	+Enter password for principal "user/admin@TRUDHEIM.COM":
	252	+Re-enter password for principal "user/admin@TRUDHEIM.COM":
	253	+Principal "user/admin@TRUDHEIM.COM" created.
290	290	kadmin.local:  q
291	291
292		-# }}}##
	256	+#
293	293
	258	+Worth to note here is that [[user@EXAMPLE.COM>>mailto:user@EXAMPLE.COM]] and [[user/admin@EXAMPLE.COM>>mailto:user/admin@EXAMPLE.COM]] can have (and should have) different passwords as the admin variant is allowed to do things to the kerberos database. And this is why you want to have the registering of failures to login enabled. Should you have the system exposed to the internet, you can and should expect intrusion attempts. Having Kerberos deployed makes it harder for perpetrators to gain access, but not impossible.
294	294
295		-Worth to note here is that ##user@EXAMPLE.COM## and ##user/admin@EXAMPLE.COM## can have (and probably should have) different passwords. The admin variant is allowed to do things to the kerberos database and should therefore have greater security. This is why you want to have the registering of failures to login enabled. Should you have the system exposed to the internet, you can and should expect intrusion attempts. Having Kerberos deployed makes it harder for perpetrators to gain access, but not impossible.
	260	+If you later kerberise your storage and leverage it for NFS4 mounts from your NAS, you can have NFS exposed to the internet as well. Unless someone has a valid kerberos ticket, even if they somehow could mount the share, they see nothing on it without the krbtgt.
296	296
297		-If you later kerberise your storage and leverage it for NFS4 mounts from your NAS, you can have NFS exposed to the internet as well. Unless someone has a valid kerberos ticket, even if they somehow could mount a share, they see nothing on it without the krbtgt.
298	298
299		-
300	300	=== Test your new principal ===
301	301
302		-Acid test is, can you authenticate with kinit?
	265	+$ kinit [[user@EXAMPLE.COM>>mailto:user@EXAMPLE.COM]]
303	303
304		-(% style="color:#400" %)
305		-##{{{
306		-$ kinit user@EXAMPLE.COM
307		-
308	308	Password for user@EXAMPLE.COM:
309	309
310	310	$ klist
...	...	@@ -314,29 +314,9 @@
314	314	Valid starting     Expires            Service principal
315	315	09/05/24 08:07:35  10/05/24 08:07:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
316	316
317		-$ }}}##
	276	+$
318	318
319	319
320		-Congratulations - you now have Kerberos working, and to boot, the database sits in LDAP. Which you can inspect with something like:
321		-
322		-(% style="color:#400" %)
323		-##{{{
324		-$ ldapsearch -H ldaps://nas.example.com -D uid=root,cn=users,dc=example,dc=com -W -b ou=kerberos,dc=example,dc=com
325		-}}}##
326		-
327		-
328	328	=== Set up pam and sssd ===
329	329
330		- To fully leverage your shiny new KDC, you will want to install the Kerberos authentication pieces for ##PAM## and also ##sssd## to facilitate caching of authentication, in case your KDC is offline for some reason when you try to authenticate into another system.
331		-
332		-(% style="color:#400" %)
333		-##{{{
334		-$ sudo apt install krb5-user libpam-krb5 sssd-krb5
335		-...
336		-$ sudo pam-auth-update
337		-}}}##
338		-
339		-
340		-With ##pam-auth-update## you want to enable Kerberos and SSS authentication (and flip on the auto-creation of home directories while you are there). If you now want to test login on another system with kerberos, you need ##/etc/krb5.conf## and the ##krb5-user##, ##libpam-krb5## and ##sssd-krb5## packages installed on this new system and you need to run ##pam-auth-update## to enable Kerberos and SSS. After that, the system does not need local ##user## (in /etc/passwd) - the kerberos ##user## will work instead.
341		-
342		-/S
	281	+