continue kdc config

nfsv4-kerberos-debian.md

@@ -19,18 +19,22 @@ This document will (hopefully) allow you to setup a kerberized NFSv4 server on D
 - [Kerberos (V5)](#kerberos-v5)
     - [Naming](#naming)
     - [Packages installation](#packages-installation)
-    - [Server side](#server-side)
+    - [Client and server side](#client-and-server-side)
+        - [/etc/krb5.conf - main kerberos configuration](#etckrb5conf---main-kerberos-configuration)
+    - [Server  only](#server--only)
+        - [/etc/heimdal-kdc/kdc.conf - heimdal kdc configuration file](#etcheimdal-kdckdcconf---heimdal-kdc-configuration-file)
+        - [Master key](#master-key)
+        - [database initialization](#database-initialization)
     - [Client side](#client-side)
     - [Testing](#testing)
 - [NFSv4](#nfsv4)
-    - [Server side](#server-side-1)
+    - [Server side](#server-side)
     - [Client side](#client-side-1)
     - [Testing](#testing-1)
 - [Sources](#sources)
 
 <!-- markdown-toc end -->
 
-
 ## Introduction
 If you share some files between your machines, your choice was probably [SMB/CIFS](https://en.wikipedia.org/wiki/Server_Message_Block),
 as it is supported on nearly any platform (GNU/Linux, MacOS, Windows, iOS, Android,
@@ -74,18 +78,15 @@ We will use the following conventions :
 ### Packages installation
 On server side, install the necessary packages with :
 ```
-$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm
+$ sudo apt install krb5-config heimdal-kdc heimdal-servers heimdal-clients heimdal-kcm heimdal-docs
 ```
 And on client(s), install the following :
+```
+$ sudo apt-get install krb5-config heimdal-clients heimdal-docs
+```
 
-```
+**Note about documentation**: The  `heimdal-docs` package will install [`GNU info`](https://en.wikipedia.org/wiki/Info_(Unix)).
-$ sudo apt-get install krb5-config heimdal-clients
+If you want HTML documentation, you will have to manually build it from source with the following commands :
-```
-On your desktop, you may also want to install Heimdal [`info`](https://en.wikipedia.org/wiki/Info_(Unix)) documentation with:
-```
-$ sudo apt-get install heimdal-docs
-```
-Or, if you prefer HTML, you can install the documentation from source with the following commands :
 ```
 $ git clone https://github.com/heimdal/heimdal.git
 $ cd heimdal
@@ -97,12 +98,13 @@ $ cd doc/heimdal.html
 $ sudo cp -ar heimdal.html /usr/share/doc/heimdal-docs/
 ```
 
+### Client and server side
 The `krb5-config` package installation will ask you some questions, just fill with the information from Table 1 :
 - Default Kerberos version 5 realm: `LAN`
 - Kerberos servers for your realm: `kdc1.lan` and `kdc2.lan`
 - Administrative server for your Kerberos realm: `kadmin.lan`
 
-After this initial configuration, `/etc/krb5.conf` should contain something like :
+After this initial configuration, `/etc/krb5.conf` will have been created with some default value,  which can look-like :
 ```
 [libdefaults]
 	default_realm = LAN
@@ -121,8 +123,111 @@ After this initial configuration, `/etc/krb5.conf` should contain something like
     lan  = LAN
 	.lan = LAN
 ```
-### Server side
+#### /etc/krb5.conf - main kerberos configuration
-###  Client side
+The `/etc/krb5.conf` can be changed at any time, and we will immediately make some changes with some sane defaults (see `krb5.conf(5)` for more details) :
+```
+[appdefaults]
+	# for testing purpose, short lifetime
+	ticket_lifetime = 30m
+	renew_lifetime = 1h
+
+[libdefaults]
+	default_realm = LAN
+	kdc_timesync = true
+	forwardable = true
+	proxiable = true
+
+	#ticket_lifetime = 2 days
+	#renew_lifetime = 10 days
+	# for testing purpose, short lifetime
+	ticket_lifetime = 30m
+	renew_lifetime = 1h
+
+	allow_weak_crypto = false
+
+	default_keytab_name = FILE:/var/lib/heimdal-lan.keytab
+
+	# Use DNS SRV records to lookup KDC services location.
+	dns_lookup_kdc = false
+	# Use DNS TXT records to lookup domain to realm mappings.
+	dns_lookup_realm = false
+
+	# required when using basic authentication with Apache2's
+	# mod_auth_kerb module (`Request is a replay' errors);
+	# `0' for MIT library and `false' for Heimdal library
+	kdc_timesync = false
+
+[realms]
+	LAN = {
+		kdc = kdc1.lan
+		kdc = kdc2.lan
+		admin_server = kadmin.lan
+	}
+
+[domain_realm]
+	lan  = LAN
+	.lan = LAN
+
+[logging]
+	# will default to /var/log/heimdal-kdc.log
+	# If you change destination, don't forget /etc/logrotate.d
+	kdc = SYSLOG:DEBUG:AUTH
+	admin_server = SYSLOG:DEBUG:AUTH
+	default = SYSLOG:DEBUG:AUTH
+```
+### Server  only
+#### /etc/heimdal-kdc/kdc.conf - heimdal kdc configuration file
+See `kdc(8)`  for configuration details. In this file, we just setup the `[kdc]` section :
+```
+$  grep -vE '(\#|^$)' kdc.conf
+[kdc]
+	database = {
+		dbname    = sqlite:/var/lib/heimdal-kdc/heimdal-lan.sqlite3
+		acl_file  = /etc/heimdal-kdc/kadmind.acl
+		mkey_file = /var/lib/heimdal-kdc/m-key
+	}
+	addresses = 0.0.0.0
+```
+#### Master key
+**Note**: A master key is mainly necessary if you store the database in a shared location (think about backups), to make brute-force attacks more difficult. For testing purpose, you may skip this section.
+
+First, we will Use`kstash(1)` to give a master key to the database (we don't need to remember it). You should use the same `mkey-file` as the one specified in `[kdc]` section above.
+```
+$ sudo kstash --random-key -k /var/lib/heimdal-kdc/m-key
+```
+#### database initialization
+The three `kadmin` commands below will initialize `LAN` realm, create a `bruno/admin` XXX, and list the known YYY :
+```
+$ sudo kadmin -l
+kadmin> init LAN
+Realm max ticket life [unlimited]:
+Realm max renewable ticket life [unlimited]:
+
+kadmin> add bruno/admin
+Max ticket life [1 day]:
+Max renewable life [1 week]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes []:
+Policy [default]:
+bruno/admin@LAN's Password:
+Verify password - bruno/admin@LAN's Password:
+
+kadmin> get -s *
+Principal                                        Expiration  PW-exp  PW-change   Max life   Max renew
+krbtgt/LAN                                       never       never   2022-08-17  unlimited  unlimited
+kadmin/changepw                                  never       never   2022-08-17  5 minutes  5 minutes
+kadmin/admin                                     never       never   2022-08-17  1 hour     1 hour
+changepw/kerberos                                never       never   2022-08-17  1 hour     1 hour
+kadmin/hprop                                     never       never   2022-08-17  1 hour     1 hour
+WELLKNOWN/ANONYMOUS                              never       never   2022-08-17  1 hour     1 hour
+WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L  never       never   2022-08-17  1 hour     1 hour
+default                                          never       never   2022-08-17  1 day      1 week
+bruno/admin                                      never       never   2022-08-17  1 day      1 week
+```
+
+Then,
+### Client side
 ### Testing
 ## NFSv4
 ### Server side
@@ -130,7 +235,9 @@ After this initial configuration, `/etc/krb5.conf` should contain something like
 ### Testing
 ## Sources
 Kerberos :
-- ~heimdal-docs~ package documentation : run `$ info heimdal` or, if you installed HTML documentation, visit [its index page](file:///usr/share/doc/heimdal-docs/heimdal.html/index.html).
+- `heimdal-docs` package documentation :
+    - info help:  `$ info heimdal`
+    - HTML documentation (if installed), it should be in `/usr/share/doc/heimdal-docs/heimdal.html/index.html`
 - [Heimdal setup on Debian](http://chschneider.eu/linux/server/heimdal.shtml).
 - [Debian/Ubuntu Linux with Active Directory Kerberos Server](http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_kinit.html)
 - [Principal names and DNS](https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html)