From 515e30b51fe2d2e34ed30de4fd3cdc0e50244f6c Mon Sep 17 00:00:00 2001 From: Bruno Raoult Date: Mon, 21 Feb 2022 17:59:37 +0100 Subject: [PATCH] more testing --- nfsv4-kerberos-debian.org | 116 +++++++++++++++++++++++++------------- 1 file changed, 77 insertions(+), 39 deletions(-) diff --git a/nfsv4-kerberos-debian.org b/nfsv4-kerberos-debian.org index 42e2ebf..82ff26b 100644 --- a/nfsv4-kerberos-debian.org +++ b/nfsv4-kerberos-debian.org @@ -36,7 +36,7 @@ This document is about a third solution : NFSv4 coupled with Kerberos security, on a [[https://www.debian.org/][Debian]] based system (Debian, [[https://ubuntu.com/][Ubuntu]], etc...). * Pre-requisites -- NTP :: All machines (clients and servers) must be time-synchronized, as kerberos authentication is partly based on tickets timestamps. +- NTP :: All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. - DNS server (optional) :: Kerberos may, in some configurations make use of some DNS records such as [[https://en.wikipedia.org/wiki/SRV_record][SRV]] or [[https://en.wikipedia.org/wiki/TXT_record][TXT]]. A lightweight DNS server like [[https://dnsmasq.org/][dnsmasq]] is sufficient, and will avoid the administration of a full-fledged server such as [[https://www.isc.org/bind/][bind]]. 
@@ -46,52 +46,90 @@ There are basically two major implementations of [[https://datatracker.ietf.org/ It appears that the MIT implementation may have some [[https://web.mit.edu/kerberos/dist/index.html][export restrictions]] due to U.S. regulation. Heimdal implementation (explicitely developed outside the USA, in Sweden) does not suffer such limitations. We will therefore use the "/un-regulated/" implementation. ** Naming +:PROPERTIES: +:custom_id: table-1 +:END: We will use the following conventions : -#+CAPTION: Table 1: Kerberos hosts naming -| Name | Value | Comment | -|-----------------------+--------------+-------------------------------| -| Domain name | =.lan= | Typical hostname: machine.lan | -| Kerberos realm | =LAN= | Always capital | -| Kerberos KDC 1 | =kdc1.lan= | Key Distribution Center | -| Kerberos KDC 2 | =kdc2.lan= | | -| Kerberos admin server | =kadmin.lan= | | +#+CAPTION: Table 1: Local names +| Name | Value | Comment | +|-----------------------+-----------------+---------------------------------| +| Kerberos realm | =LAN= | Always capital | +| Local DNS name | =lan= | Typical hostname: machine.lan | +| Kerberos KDC 1 | =kdc1.lan= | Primary Key Distribution Center | +| Kerberos KDC 2 | =kdc2.lan= | Secondary KDC | +| Kerberos admin server | =kadmin.lan= | Administrative server | +| Kerberos client 1 | =kclient1.lan= | Test client 1 | +| Kerberos client 2 | =kclient2.lan= | Test client 2 | +| Kerberos credentials | =krb5/password= | Kerberos admin login/password | + +** Packages installation +On server side, install the necessary packages with : +#+BEGIN_SRC sh +sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm +#+END_SRC +And on client(s), install the following : +#+BEGIN_SRC sh +sudo apt-get install krb5-config heimdal-clients +#+END_SRC +On your desktop, you may also want to install some documentation with: +#+BEGIN_SRC +sudo apt-get install heimdal-docs +#+END_SRC + +The ~krb5-config~ package installation 
will ask you some questions, you can just answer with the information from [[#table-1][Table 1]] (we will change configuration manually after that): +- Default Kerberos version 5 realm: ~LAN~ +- Kerberos servers for your realm: ~kdc1.lan kdc2.lan~ +- Administrative server for your Kerberos realm: ~kadmin.lan~ + +After this initial configutation, edit ~/etc/krb5.conf~, clean up everything and add a section in domain_realm section for your local network. You should end up with something similar to : +#+BEGIN_SRC conf +[libdefaults] + default_realm = LAN + kdc_timesync = true + forwardable = true + proxiable = true + +[realms] + LAN = { + kdc = kdc1.lan + kdc = kdc2.lan + admin_server = kadmin.lan + } + +[domain_realm] + .lan = LAN +#+END_SRC + +** Kerberos database initialization +It is possible installation process may have created files in ~/var/lib/heimdal-kdc~, manual is unclear. To be on secure side, we remove everything before going further : + +#+BEGIN_SRC conf +[libdefaults] + default_realm = LAN +[realms] + LAN = { + kdc = kdc1.lan + kdc = kdc2.lan + admin_server = kadmin.lan + } +#+END_SRC ** Server side -For resilience reasons, I will use two kb +*** Heimdal Kerberos installation ** Client side +heimdal-docs heimdal-clients ** Testing * NFSv4 ** Server side ** Client side ** Testing -#+BEGIN_VERSE -zobi zoba -titi toto * Sources Kerberos setup: -- - ---prout -#+END_VERSE -#+CAPTION: and _multiple_ -#+CAPTION: lines of *captions*! -#+ATTR_HTML: :class a b -#+ATTR_HTML: :id it :class c d -#+BEGIN_SRC sh -echo "a bash source block with custom html attributes" -#+END_SRC - -#+BEGIN_EXPORT html - -#+END_EXPORT - -#+BEGIN_VERSE -Great clouds overhead -Tiny black birds rise and fall -Snow covers Emacs - ----AlexSchroeder -#+END_VERSE +- ~info heimdal~ (documentation from heimdal-docs). 
+- [[http://chschneider.eu/linux/server/heimdal.shtml][Heimdal setup on Debian]] +- [[http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html][Debian/Ubuntu Linux with Active Directory Kerberos Server]] +- [[https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html][Principal names and DNS]] +- [[https://www.atlantic.net/dedicated-server-hosting/how-to-setup-kerberos-server-and-client-on-ubuntu-20-04/][Setup (MIT) Kerberos Server and Client on Ubuntu 20.04]] +- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html][MIT Kerberos Documentation: Installing KDCs]] +- [[https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html#mapping-hostnames][MIT Kerberos Documentation: Realm configuration decisions]] +- [[https://www.linuxfromscratch.org/blfs/view/6.3/postlfs/heimdal.html][Beyond Linux From Scratch - Heimdal]]
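Review bot: in the hunk at `@@ -36,7 +36,7 @@`, the NTP bullet still reads "tickets timestamps"; while the line is being touched for the Kerberos capitalisation, change it to "ticket timestamps" and state the consequence the reader needs, i.e. that a client whose clock has drifted from the KDC is rejected, so NTP is not optional the way the DNS bullet below it is.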
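Review bot: in the hunk at `@@ -46,52 +46,90 @@`, the new "Kerberos database initialization" section announces "we remove everything before going further" and then, instead of a removal command, contains a second copy of the `[libdefaults]`/`[realms]` fragment already shown under "Packages installation"; either replace that duplicate block with the actual cleanup step for `/var/lib/heimdal-kdc` or drop the section until it is written, and reword "It is possible installation process may have created files in ~/var/lib/heimdal-kdc~, manual is unclear" (for example "The package installation may already have created files in ~/var/lib/heimdal-kdc~; the manual is not explicit"). In the `/etc/krb5.conf` block, `forwardable = true` and `proxiable = true` in `[libdefaults]` make every TGT obtained on the host delegable, which widens what a compromised client can do with a stolen credential; if NFS needs them, say so where they are introduced, otherwise leave them out of the default config. The new Table 1 row `| Kerberos credentials | =krb5/password= | Kerberos admin login/password |` reads as a literal password; mark it as a placeholder to be chosen by the reader, consistent with the hostname rows. Smaller points in the same hunk: "configutation" should be "configuration", "add a section in domain_realm section" should be "add your local domain to the ~[domain_realm]~ section", the server install uses `sudo apt install` while the client uses `sudo apt-get install` (pick one), the `heimdal-docs` block is `#+BEGIN_SRC` without the `sh` tag the other blocks carry, and the leftover scaffolding lines `+*** Heimdal Kerberos installation` under "Server side" and `+heimdal-docs heimdal-clients` under "Client side" look like notes that should not ship in the document.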