diff --git a/nfsv4-kerberos-debian.md b/nfsv4-kerberos-debian.md index 1a722c1..f8d2ed9 100644 --- a/nfsv4-kerberos-debian.md +++ b/nfsv4-kerberos-debian.md @@ -19,18 +19,22 @@ This document will (hopefully) allow you to setup a kerberized NFSv4 server on D - [Kerberos (V5)](#kerberos-v5) - [Naming](#naming) - [Packages installation](#packages-installation) - - [Server side](#server-side) + - [Client and server side](#client-and-server-side) + - [/etc/krb5.conf - main kerberos configuration](#etckrb5conf---main-kerberos-configuration) + - [Server only](#server--only) + - [/etc/heimdal-kdc/kdc.conf - heimdal kdc configuration file](#etcheimdal-kdckdcconf---heimdal-kdc-configuration-file) + - [Master key](#master-key) + - [database initialization](#database-initialization) - [Client side](#client-side) - [Testing](#testing) - [NFSv4](#nfsv4) - - [Server side](#server-side-1) + - [Server side](#server-side) - [Client side](#client-side-1) - [Testing](#testing-1) - [Sources](#sources) - ## Introduction If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block), as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android, 
@@ -74,18 +78,15 @@ We will use the following conventions : ### Packages installation On server side, install the necessary packages with : ``` -$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm +$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm heimdal-docs ``` And on client(s), install the following : +``` +$ sudo apt-get install krb5-config heimdal-clients heimdal-docs +``` -``` -$ sudo apt-get install krb5-config heimdal-clients -``` -On your desktop, you may also want to install Heimdal [`info`](https://en.wikipedia.org/wiki/Info_(Unix)) documentation with: -``` -$ sudo apt-get install heimdal-docs -``` -Or, if you prefer HTML, you can install the documentation from source with the following commands : +**Note about documentation**: The `heimdal-docs` package will install [`GNU info`](https://en.wikipedia.org/wiki/Info_(Unix)). +If you want HTML documentation, you will have to manually build it from source with the following commands : ``` $ git clone https://github.com/heimdal/heimdal.git $ cd heimdal @@ -97,12 +98,13 @@ $ cd doc/heimdal.html $ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/ ``` +### Client and server side The `krb5-config` package installation will ask you some questions, just fill with the information from Table 1 : - Default Kerberos version 5 realm: `LAN` - Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan` - Administrative server for your Kerberos realm: `kadmin.lan` -After this initial configuration, `/etc/krb5.conf` should contain something like : +After this initial configuration, `/etc/krb5.conf` will have been created with some default value, which can look-like : ``` [libdefaults] default_realm = LAN 
@@ -121,8 +123,111 @@ After this initial configuration, `/etc/krb5.conf` should contain something like lan = LAN .lan = LAN ``` -### Server side -### Client side +#### /etc/krb5.conf - main kerberos configuration +The `/etc/krb5.conf` can be changed at any time, and we will immediately make some changes with some sane defaults (see `krb5.conf(5)` for more details) : +``` +[appdefaults] + # for testing purpose, short lifetime + ticket_lifetime = 30m + renew_lifetime = 1h + +[libdefaults] + default_realm = LAN + kdc_timesync = true + forwardable = true + proxiable = true + + #ticket_lifetime = 2 days + #renew_lifetime = 10 days + # for testing purpose, short lifetime + ticket_lifetime = 30m + renew_lifetime = 1h + + allow_weak_crypto = false + + default_keytab_name = FILE:/var/lib/heimdal-lan.keytab + + # Use DNS SRV records to lookup KDC services location. + dns_lookup_kdc = false + # Use DNS TXT records to lookup domain to realm mappings. + dns_lookup_realm = false + + # required when using basic authentication with Apache2's + # mod_auth_kerb module (`Request is a replay' errors); + # `0' for MIT library and `false' for Heimdal library + kdc_timesync = false + +[realms] + LAN = { + kdc = kdc1.lan + kdc = kdc2.lan + admin_server = kadmin.lan + } + +[domain_realm] + lan = LAN + .lan = LAN + +[logging] + # will default to /var/log/heimdal-kdc.log + # If you change destination, don't forget /etc/logrotate.d + kdc = SYSLOG:DEBUG:AUTH + admin_server = SYSLOG:DEBUG:AUTH + default = SYSLOG:DEBUG:AUTH +``` +### Server only +#### /etc/heimdal-kdc/kdc.conf - heimdal kdc configuration file +See `kdc(8)` for configuration details. 
In this file, we just setup the `[kdc]` section : +``` +$ grep -vE '(\#|^$)' kdc.conf +[kdc] + database = { + dbname = sqlite:/var/lib/heimdal-kdc/heimdal-lan.sqlite3 + acl_file = /etc/heimdal-kdc/kadmind.acl + mkey_file = /var/lib/heimdal-kdc/m-key + } + addresses = 0.0.0.0 +``` +#### Master key +**Note**: A master key is mainly necessary if you store the database in a shared location (think about backups), to make brute-force attacks more difficult. For testing purpose, you may skip this section. + +First, we will Use`kstash(1)` to give a master key to the database (we don't need to remember it). You should use the same `mkey-file` as the one specified in `[kdc]` section above. +``` +$ sudo kstash --random-key -k /var/lib/heimdal-kdc/m-key +``` +#### database initialization +The three `kadmin` commands below will initialize `LAN` realm, create a `bruno/admin` XXX, and list the known YYY : +``` +$ sudo kadmin -l +kadmin> init LAN +Realm max ticket life [unlimited]: +Realm max renewable ticket life [unlimited]: + +kadmin> add bruno/admin +Max ticket life [1 day]: +Max renewable life [1 week]: +Principal expiration time [never]: +Password expiration time [never]: +Attributes []: +Policy [default]: +bruno/admin@LAN's Password: +Verify password - bruno/admin@LAN's Password: + +kadmin> get -s * +Principal Expiration PW-exp PW-change Max life Max renew +krbtgt/LAN never never 2022-08-17 unlimited unlimited +kadmin/changepw never never 2022-08-17 5 minutes 5 minutes +kadmin/admin never never 2022-08-17 1 hour 1 hour +changepw/kerberos never never 2022-08-17 1 hour 1 hour +kadmin/hprop never never 2022-08-17 1 hour 1 hour +WELLKNOWN/ANONYMOUS never never 2022-08-17 1 hour 1 hour +WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L never never 2022-08-17 1 hour 1 hour +default never never 2022-08-17 1 day 1 week +bruno/admin never never 2022-08-17 1 day 1 week +``` + +Then, +### Client side ### Testing ## NFSv4 ### Server side 
@@ -130,7 +235,9 @@ After this initial configuration, `/etc/krb5.conf` should contain something like ### Testing ## Sources Kerberos : -- ~heimdal-docs~ package documentation : run `$ info heimdal` or, if you installed HTML documentation, visit [its index page](file:///usr/share/doc/heimdal-docs/heimdal.html/index.html). +- `heimdal-docs` package documentation : + - info help: `$ info heimdal` + - HTML documentation (if installed), it should be in `/usr/share/doc/heimdal-docs/heimdal.html/index.html` - [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml). - [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html) - [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html)
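Review bot: in the first hunk (`@@ -19,18 +19,22 @@`) the new TOC entry `[Server only](#server--only)` has a doubled hyphen; a `### Server only` heading renders as the anchor `#server-only`, so this link will not resolve. Suggest `- [Server only](#server-only)`. While here, `database initialization` is the only lowercase entry in the list (and the only lowercase heading in the hunk below); capitalising it as `Database initialization` matches `Master key`, and the anchor `#database-initialization` stays the same.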
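Review bot: in the `@@ -74,18 +78,15 @@` hunk the client command becomes `$ sudo apt-get install krb5-config heimdal-clients heimdal-docs` while the server command a few lines up still reads `$ sudo apt install ...`; use the same tool in both places. The rewritten sentence `will have been created with some default value, which can look-like :` is ungrammatical; suggest `will have been created with default values and should look like:`. The new `### Client and server side` heading is also placed after the documentation-build commands, so the `krb5-config` questions now open a section whose first lines are about HTML docs; consider moving the heading to just before the `apt` commands so "client and server side" covers the installation as well.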
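Review bot: the `/etc/krb5.conf` added in the `@@ -121,8 +123,111 @@` hunk sets `kdc_timesync = true` near the top of `[libdefaults]` and `kdc_timesync = false` at the bottom of the same section; a reader cannot tell which is intended and which value wins depends on the parser, so keep only one (the comment justifies `false`, so drop the `true` line). The same section repeats `ticket_lifetime = 30m` / `renew_lifetime = 1h` already given in `[appdefaults]`; one copy is enough. In the master key text, `You should use the same \`mkey-file\`` does not match the `kdc.conf` key `mkey_file`, and `First, we will Use\`kstash(1)\`` needs a space and a lowercase `use`. The **Note** should also say that, since `mkey_file = /var/lib/heimdal-kdc/m-key` sits next to the database on the KDC host, the master key only protects copies of the database that travel without the key file (backups), not the live host. Finally, the `database initialization` paragraph still carries the placeholders `XXX` and `YYY` (`create a \`bruno/admin\` XXX, and list the known YYY`) and the section ends with a dangling `Then,`; fill these in (for example `create a \`bruno/admin\` principal, and list the known principals`) or leave them out of this commit.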
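Review bot: in the last hunk (`@@ -130,7 +235,9 @@`) the new sub-bullet `HTML documentation (if installed), it should be in ...` is a run-on; suggest `HTML documentation (if installed): \`/usr/share/doc/heimdal-docs/heimdal.html/index.html\``, matching the `info help:` sibling. Replacing the strike-through `~heimdal-docs~` with backticks is the right fix; the only other inconsistency is that the following `[Heimdal setup on Debian]` item ends with a period while its siblings do not.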