small changes

2022-08-19 21:15:18 +02:00
parent 7d3e4b31b6
commit 597a913615


@@ -19,12 +19,13 @@ This document will (hopefully) allow you to setup a kerberized NFSv4 server on D
- [Kerberos (V5)](#kerberos-v5) - [Kerberos (V5)](#kerberos-v5)
- [Naming](#naming) - [Naming](#naming)
- [Packages installation](#packages-installation) - [Packages installation](#packages-installation)
- [Client and server side](#client-and-server-side) - [Configuration](#configuration)
- [/etc/krb5.conf - main kerberos configuration](#etckrb5conf---main-kerberos-configuration) - [Client and server (krb5.conf)](#client-and-server-krb5conf)
- [Server only](#server--only) - [Server only](#server-only)
- [/etc/heimdal-kdc/kdc.conf - heimdal kdc configuration file](#etcheimdal-kdckdcconf---heimdal-kdc-configuration-file) - [Heimdal kdc configuration file (kdc.conf)](#heimdal-kdc-configuration-file-kdcconf)
- [Access-control lists (kadmind.acl)](#access-control-lists-kadmindacl)
- [Master key](#master-key) - [Master key](#master-key)
- [database initialization](#database-initialization) - [Database initialization](#database-initialization)
- [Client side](#client-side) - [Client side](#client-side)
- [Testing](#testing) - [Testing](#testing)
- [NFSv4](#nfsv4) - [NFSv4](#nfsv4)
@@ -35,6 +36,11 @@ This document will (hopefully) allow you to setup a kerberized NFSv4 server on D
<!-- markdown-toc end --> <!-- markdown-toc end -->
**TODO**
> glossary
## Introduction ## Introduction
If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block), If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block),
as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android,
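Review bot: the `**TODO**` / `> glossary` placeholder added just before `## Introduction` will render as bold text followed by a blockquote in the published page; if it is a working note rather than reader-facing content, wrap it in an HTML comment the way the `<!-- markdown-toc end -->` marker right above it already is, for example `<!-- TODO: glossary -->`.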
@@ -54,7 +60,7 @@ security, on a [Debian](https://www.debian.org/)-based system (Debian, [Ubuntu](
## Pre-requisites ## Pre-requisites
- [**`NTP`**](https://en.wikipedia.org/wiki/Network_Time_Protocol) : All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps. - [**`NTP`**](https://en.wikipedia.org/wiki/Network_Time_Protocol) : All machines (clients and servers) must be time-synchronized, as Kerberos authentication is partly based on tickets timestamps.
- [**`DNS server`**](https://en.wikipedia.org/wiki/Domain_Name_System) (optional) : Kerberos may, in some configurations make use of some DNS records such as [SRV](https://en.wikipedia.org/wiki/SRV_record) or [TXT](https://en.wikipedia.org/wiki/TXT_record). - [**`DNS server`**](https://en.wikipedia.org/wiki/Domain_Name_System) (optional) : Kerberos may, in some configurations make use of some DNS records such as [SRV](https://en.wikipedia.org/wiki/SRV_record) or [TXT](https://en.wikipedia.org/wiki/TXT_record).
A lightweight DNS server like [dnsmasq](https://dnsmasq.org/) is sufficient, and will avoid the administration of a full-fledged server such as [bind](https://www.isc.org/bind/). A lightweight DNS server like [dnsmasq](https://dnsmasq.org/) is sufficient, and will avoid the administration of a full-fledged server such as [bind](https://www.isc.org/bind/).
## Kerberos (V5) ## Kerberos (V5)
There are basically two major implementations of [Kerberos V5](https://datatracker.ietf.org/doc/html/rfc4120) on GNU/Linux: The original [MIT](https://web.mit.edu/kerberos/www/) one, and the [Heimdal](https://github.com/heimdal/heimdal) one. There was also a GNU implementation [Shishi](http://www.gnu.org/software/shishi/), but developement looks stalled for 10+ years. There are basically two major implementations of [Kerberos V5](https://datatracker.ietf.org/doc/html/rfc4120) on GNU/Linux: The original [MIT](https://web.mit.edu/kerberos/www/) one, and the [Heimdal](https://github.com/heimdal/heimdal) one. There was also a GNU implementation [Shishi](http://www.gnu.org/software/shishi/), but developement looks stalled for 10+ years.
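Review bot: "developement" in the Kerberos (V5) paragraph should be "development" (both sides of the hunk carry the typo). While here, the DNS pre-requisite sentence reads better with a comma after "configurations": "Kerberos may, in some configurations, make use of some DNS records".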
@@ -84,27 +90,12 @@ And on client(s), install the following :
``` ```
$ sudo apt-get install krb5-config heimdal-clients heimdal-docs $ sudo apt-get install krb5-config heimdal-clients heimdal-docs
``` ```
The `krb5-config` package installation will ask you some questions, just fill with the information from table above :
**Note about documentation**: The `heimdal-docs` package will install [`GNU info`](https://en.wikipedia.org/wiki/Info_(Unix)).
If you want HTML documentation, you will have to manually build it from source with the following commands :
```
$ git clone https://github.com/heimdal/heimdal.git
$ cd heimdal
$ autoreconf -f -i
$ sh autogen.sh
$ ./configure
$ make html
$ cd doc/heimdal.html
$ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
```
### Client and server side
The `krb5-config` package installation will ask you some questions, just fill with the information from Table 1 :
- Default Kerberos version 5 realm: `LAN` - Default Kerberos version 5 realm: `LAN`
- Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan` - Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan`
- Administrative server for your Kerberos realm: `kadmin.lan` - Administrative server for your Kerberos realm: `kadmin.lan`
After this initial configuration, `/etc/krb5.conf` will have been created with some default value, which can look-like : After this initial configuration, `/etc/krb5.conf` will have been created with some default value, which can look-like :
``` ```
[libdefaults] [libdefaults]
default_realm = LAN default_realm = LAN
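Review bot: the rewritten sentence "just fill with the information from Table 1" replaces "from table above", so the naming table in the Naming section needs to actually carry a "Table 1" caption or this reference dangles; please confirm, or keep the relative wording. Also note the `krb5-config` answers list two KDCs (`kdc1.lan` and `kdc2.lan`) while the server-side sections of the document set up a single KDC; either mention that `kdc2.lan` is a placeholder for a future replica or drop it from the answers so readers do not expect a second server to be configured.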
@@ -123,7 +114,20 @@ After this initial configuration, `/etc/krb5.conf` will have been created with s
lan = LAN lan = LAN
.lan = LAN .lan = LAN
``` ```
#### /etc/krb5.conf - main kerberos configuration **Note about documentation**: The `heimdal-docs` package will install [`GNU info`](https://en.wikipedia.org/wiki/Info_(Unix)).
If you want HTML documentation, you will have to manually build it from source with the following commands :
```
$ git clone https://github.com/heimdal/heimdal.git
$ cd heimdal
$ autoreconf -f -i
$ sh autogen.sh
$ ./configure
$ make html
$ cd doc/heimdal.html
$ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
```
### Configuration
#### Client and server (krb5.conf)
The `/etc/krb5.conf` can be changed at any time, and we will immediately make some changes with some sane defaults (see `krb5.conf(5)` for more details) : The `/etc/krb5.conf` can be changed at any time, and we will immediately make some changes with some sane defaults (see `krb5.conf(5)` for more details) :
``` ```
[appdefaults] [appdefaults]
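Review bot: the HTML documentation build block moved into this hunk has a broken last step: after `cd doc/heimdal.html` the working directory is already the generated `heimdal.html` directory, so `sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/` fails with "No such file or directory". Either stop at `cd doc` before the copy, or keep the `cd doc/heimdal.html` and copy the current directory, e.g. `sudo mkdir -p /usr/share/doc/heimdal-docs/heimdal.html && sudo cp -ar . /usr/share/doc/heimdal-docs/heimdal.html/`, which matches the `index.html` path given in the Sources section.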
@@ -175,11 +179,11 @@ The `/etc/krb5.conf` can be changed at any time, and we will immediately make so
admin_server = SYSLOG:DEBUG:AUTH admin_server = SYSLOG:DEBUG:AUTH
default = SYSLOG:DEBUG:AUTH default = SYSLOG:DEBUG:AUTH
``` ```
### Server only ### Server only
#### /etc/heimdal-kdc/kdc.conf - heimdal kdc configuration file #### Heimdal kdc configuration file (kdc.conf)
See `kdc(8)` for configuration details. In this file, we just setup the `[kdc]` section : `/etc/heimdal-kdc/kdc.conf` (see `kdc(8)` for details) is the Heimdal KDC configuration file. In this file, we just setup the `[kdc]` section as below. Note that I prefer to use an `sqlite` database, simply because many tools allow to browse/edit the content.
``` ```
$ grep -vE '(\#|^$)' kdc.conf $ grep -vE '(\#|^$)' kdc.conf
[kdc] [kdc]
database = { database = {
dbname = sqlite:/var/lib/heimdal-kdc/heimdal-lan.sqlite3 dbname = sqlite:/var/lib/heimdal-kdc/heimdal-lan.sqlite3
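Review bot: the new sentence motivating the `sqlite` backend ("many tools allow to browse/edit the content") deserves a security caveat next to it: `/var/lib/heimdal-kdc/heimdal-lan.sqlite3` holds the keys of every principal in the realm, so it must stay owned by root with mode `0600` and must not be opened with general-purpose sqlite tooling from an unprivileged account or copied around for inspection; editing it by hand also bypasses `kadmin` logging. It would also help to state that `addresses = 0.0.0.0` binds every IPv4 interface and no IPv6 address, so a dual-stack host gets an IPv4-only KDC unless `::` is added.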
@@ -188,6 +192,12 @@ $ grep -vE '(\#|^$)' kdc.conf
} }
addresses = 0.0.0.0 addresses = 0.0.0.0
``` ```
#### Access-control lists (kadmind.acl)
`/etc/heimdal-kdc/kadmind.acl` is the file giving access to non-local administration (i.e. when using `kadmin` without `-l` option). See `kadmind(8)` for syntax details. To get a simple administration, we give full admin rights to `bruno/admin@LAN` principal, and allow any principal in admin
```
bruno/admin@LAN all
*/admin@LAN add,get-keys host/*@LAN
```
#### Master key #### Master key
**Note**: A master key is mainly necessary if you store the database in a shared location (think about backups), to make brute-force attacks more difficult. For testing purpose, you may skip this section. **Note**: A master key is mainly necessary if you store the database in a shared location (think about backups), to make brute-force attacks more difficult. For testing purpose, you may skip this section.
@@ -195,14 +205,16 @@ First, we will Use`kstash(1)` to give a master key to the database (we don't nee
``` ```
$ sudo kstash --random-key -k /var/lib/heimdal-kdc/m-key $ sudo kstash --random-key -k /var/lib/heimdal-kdc/m-key
``` ```
#### database initialization #### Database initialization
The three `kadmin` commands below will initialize `LAN` realm, create a `bruno/admin` XXX, and list the known YYY : The four `kadmin` commands below will initialize `LAN` realm, create a `bruno/admin` principal, and list the known principals :
``` ```
$ sudo kadmin -l $ sudo kadmin -l
kadmin> init LAN kadmin> init LAN
Realm max ticket life [unlimited]: Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]: Realm max renewable ticket life [unlimited]:
```
Add a user
```
kadmin> add bruno/admin kadmin> add bruno/admin
Max ticket life [1 day]: Max ticket life [1 day]:
Max renewable life [1 week]: Max renewable life [1 week]:
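Review bot: the `init LAN` transcript accepts the `[unlimited]` defaults for "Realm max ticket life" and "Realm max renewable ticket life", which leaves the realm with no upper bound at all on ticket lifetime; a tutorial that already sets `1 day` / `1 week` for `bruno/admin` should set finite realm-wide values here too (or at least explain the consequence of leaving them unlimited). Two smaller points in the same hunk: the text now says "The four `kadmin` commands below" but the transcript shows three (`init`, `add`, `get -s *`) unless `kadmin -l` itself is being counted, and the master-key note should add that `/var/lib/heimdal-kdc/m-key` must be excluded from the same backup as the database, otherwise the protection `kstash` provides against an exposed backup is void.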
@@ -212,7 +224,9 @@ Attributes []:
Policy [default]: Policy [default]:
bruno/admin@LAN's Password: bruno/admin@LAN's Password:
Verify password - bruno/admin@LAN's Password: Verify password - bruno/admin@LAN's Password:
```
```
kadmin> get -s * kadmin> get -s *
Principal Expiration PW-exp PW-change Max life Max renew Principal Expiration PW-exp PW-change Max life Max renew
krbtgt/LAN never never 2022-08-17 unlimited unlimited krbtgt/LAN never never 2022-08-17 unlimited unlimited
@@ -225,8 +239,7 @@ WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L never never 2022-08-17
default never never 2022-08-17 1 day 1 week default never never 2022-08-17 1 day 1 week
bruno/admin never never 2022-08-17 1 day 1 week bruno/admin never never 2022-08-17 1 day 1 week
``` ```
Then, TODO...
Then,
### Client side ### Client side
### Testing ### Testing
## NFSv4 ## NFSv4
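Review bot: replacing "Then, TODO..." with a bare "Then," leaves a dangling sentence fragment before the empty `### Client side`, `### Testing` and `## NFSv4` sections; keep an explicit TODO marker (or an HTML comment) so it is obvious to readers that the remaining steps are not yet written, rather than looking like a truncated page.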
@@ -236,8 +249,8 @@ Then,
## Sources ## Sources
Kerberos : Kerberos :
- `heimdal-docs` package documentation : - `heimdal-docs` package documentation :
- info help: `$ info heimdal` - info help: `$ info heimdal`
- HTML documentation (if installed), it should be in `/usr/share/doc/heimdal-docs/heimdal.html/index.html` - HTML documentation (if installed as above): You will find it in `/usr/share/doc/heimdal-docs/heimdal.html/index.html`
- [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml). - [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml).
- [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html) - [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html)
- [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html) - [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html)