This article walks through configuring Kerberos and LDAP on a Debian server and a Debian client. Kerberos is configured first; once it is working, we move on to LDAP. Doing it in this order is good practice because it lets us test each component separately.
ENVIRONMENT
- Server - Debian Wheezy
- Client - Debian Sid on a Lenovo notebook
REQUIREMENTS
- Base Debian installation
- IP configuration
- Working DNS, or entries in /etc/hosts (DNS preferred)
- Working DHCP for the clients
KERBEROS Server
Kerberos Installation and Configuration
Install packages
server# apt-get install krb5-admin-server krb5-kdc
Edit /etc/krb5.conf
[realms]
    FIRM.LOCAL = {
        kdc = server.firm.local:88
        admin_server = server.firm.local:749
        default_domain = firm.local
    }

[domain_realm]
    .firm.local = FIRM.LOCAL
    firm.local = FIRM.LOCAL

[libdefaults]
    default_realm = FIRM.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false

[kdc]
    profile = /etc/krb5kdc/kdc.conf

[logging]
    default = FILE:/var/log/kerberos/krb5libs.log
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmind.log

Note: the [domain_realm] mappings must be exactly DNS-suffix = REALM as above (the original had a stray "=" inside the realm name, which makes the mapping invalid). Realm names are case-sensitive; use the upper-case form everywhere.
Create log directory and files:
server# mkdir /var/log/kerberos
server# touch /var/log/kerberos/krb5libs.log
server# touch /var/log/kerberos/krb5kdc.log
server# touch /var/log/kerberos/kadmind.log
Configure KDC by editing /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    FIRM.LOCAL = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth,+forwardable,+renewable
    }

Note: des-cbc-crc and the des:* entries are single-DES, which MIT Kerberos has treated as weak since release 1.8 and will not use unless allow_weak_crypto = true is set in [libdefaults]. Unless you have to serve legacy clients, drop them and keep aes256-cts as the first (preferred) type; arcfour-hmac is only needed for old Windows interoperability.
Important: Pay special attention to the +preauth flag. If you keep it in default_principal_flags, every principal you create will require pre-authentication. That is the safer default: without it, the KDC hands an AS-REP encrypted under the principal's long-term key to anyone who asks for it, which allows offline password guessing against user principals. The cost is the extra work described in the Pre-authentication attribute section under Kerberos troubleshooting below: host principals created with the flag can fail PAM ticket validation, and you then have to clear the flag on each of them by hand. If you are trying Kerberos for the first time and want the fewest moving parts, leave the flag out of the default configuration, but put requires_preauth back on user principals (modprinc +requires_preauth) before you rely on the realm.
Create krb5 database
server# krb5_newrealm
Restart Kerberos services
server# service krb5-admin-server restart
server# service krb5-kdc restart
Configure the access control list by editing /etc/krb5kdc/kadm5.acl (the acl_file named in kdc.conf). The following entry is required for administering the Kerberos database with the kadmin tool; without an ACL you will not be able to create or modify principals in the database. It grants every */admin principal full rights, so create only the admin principals you actually need.
*/admin@FIRM.LOCAL *
Create admin principal
server# kadmin.local -q "addprinc krbadmin/admin"
Restart Services
server# service krb5-admin-server restart
server# service krb5-kdc restart
Kerberos administration
Run kadmin tool
server# kadmin -p krbadmin/admin
Authenticating as principal krbadmin/admin with password.
Password for krbadmin/admin@FIRM.LOCAL:
kadmin:
List principals
kadmin: listprincs
K/M@FIRM.LOCAL
kadmin/admin@FIRM.LOCAL
kadmin/changepw@FIRM.LOCAL
kadmin/history@FIRM.LOCAL
krbadmin/admin@FIRM.LOCAL
krbtgt/FIRM.LOCAL@FIRM.LOCAL
Create principals
Note: You might prefer a root/admin principal for Kerberos administration, to keep it consistent with the root user in Linux distributions. Do not confuse this principal with the root user: it is a Kerberos administration principal and plays the same role as the krbadmin/admin principal created previously.
kadmin: addprinc root/admin
WARNING: no policy specified for root/admin@FIRM.LOCAL; defaulting to no policy
Enter password for principal "root/admin@FIRM.LOCAL":
Re-enter password for principal "root/admin@FIRM.LOCAL":
Principal "root/admin@FIRM.LOCAL" created.
kadmin:
Create a principal for the local user (george) that was created in the pre-installation steps. We will use it for testing.
kadmin: addprinc george
WARNING: no policy specified for george@FIRM.LOCAL; defaulting to no policy
Enter password for principal "george@FIRM.LOCAL":
Re-enter password for principal "george@FIRM.LOCAL":
Principal "george@FIRM.LOCAL" created.
kadmin:
Kerberos testing
Note: You have to install and configure the Kerberos client and run the following test from the client. Please see the CLIENT section below.
Create ticket
client# kinit george
Password for george@FIRM.LOCAL:
Verify ticket
client# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: george@FIRM.LOCAL

Valid starting     Expires            Service principal
09/01/11 00:56:58  09/01/11 10:56:58  krbtgt/FIRM.LOCAL@FIRM.LOCAL
        renew until 09/02/11 00:56:53
If you get similar output Kerberos is working at this point and you can move to LDAP configuration.
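To make this check repeatable (for example from a login test script), here is an added example that is not part of the original article: a shell function that reads the output of klist -f and verifies that the cache holds a TGT for the expected realm and that the ticket carries the forwardable and renewable flags that default_principal_flags in kdc.conf is supposed to produce. The klist output embedded below is constructed to match the listing above; the -f flag is what adds the "Flags:" field.

```shell
#!/bin/sh
# Added example, not part of the original article: verify from a script that
# the user holds a forwardable, renewable TGT for the expected realm. It reads
# "klist -f" output on stdin; without -f there is no Flags field and the
# check fails rather than guessing.

# check_tgt REALM   (klist -f output on stdin; exit 0 if the TGT is usable)
check_tgt() {
    awk -v realm="$1" '
        /^Default principal:/ {
            split($3, p, "@")
            if (p[2] != realm) bad = "principal " $3 " is not in realm " realm
        }
        # The TGT line ends with krbtgt/REALM@REALM; with -f the flags follow
        # on the next line ("renew until ..., Flags: FRIA").
        $NF == ("krbtgt/" realm "@" realm) { tgt = 1; want_flags = 1; next }
        want_flags && /Flags:/ {
            flags = $NF; want_flags = 0
            if (flags !~ /F/) bad = "TGT is not forwardable (F flag missing)"
            if (flags !~ /R/) bad = "TGT is not renewable (R flag missing)"
        }
        END {
            if (!tgt)             bad = "no TGT for " realm " in the cache"
            else if (flags == "") bad = "no Flags field; run klist -f"
            if (bad) { print "FAIL: " bad; exit 1 }
            print "OK: forwardable, renewable TGT for " realm
        }'
}

# Constructed sample of "klist -f" output for the george principal above.
GOOD_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: george@FIRM.LOCAL

Valid starting     Expires            Service principal
09/01/11 00:56:58  09/01/11 10:56:58  krbtgt/FIRM.LOCAL@FIRM.LOCAL
        renew until 09/02/11 00:56:53, Flags: FRIA'

# Constructed sample of plain "klist" output: no Flags field, so the check
# cannot confirm the flags and must fail.
NOFLAGS_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: george@FIRM.LOCAL

Valid starting     Expires            Service principal
09/01/11 00:56:58  09/01/11 10:56:58  krbtgt/FIRM.LOCAL@FIRM.LOCAL
        renew until 09/02/11 00:56:53'

# Usage against a live cache:   klist -f | check_tgt FIRM.LOCAL
printf '%s\n' "$GOOD_KLIST" | check_tgt FIRM.LOCAL
```

The realm is compared as an exact string on purpose: a ticket for firm.local or FIRMA.LOCAL is not a ticket for FIRM.LOCAL, and a mismatch here is usually a typo in krb5.conf on the client.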
Kerberos troubleshooting
Pre-authentication attribute
If you don't get a ticket at login but can obtain one manually with kinit, check the KDC log on the server (/var/log/kerberos/krb5kdc.log, as set in the [logging] section of krb5.conf). Messages like the following indicate a pre-authentication problem.
Sep 03 01:20:23 server.firm.local krb5kdc[1150](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.30.10: NO PREAUTH: authtime 0, george@FIRM.LOCAL for host/<client FQDN>@FIRM.LOCAL, Generic error (see e-text)
The issue is related to the following attribute:
+requires_preauth - requires this principal to preauthenticate before being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)
-requires_preauth - clears this flag.
To resolve this, clear the flag on every problematic principal listed in the logs. Do this only for host/ and other service principals, whose keys are random keytab keys; a user principal without requires_preauth can have its password attacked offline from an AS-REP.
kadmin: modprinc -requires_preauth host/<client FQDN>@FIRM.LOCAL
To verify the attribute on a principal, use:
kadmin: getprinc host/<client FQDN>@FIRM.LOCAL
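Rather than reading the KDC log by eye, the affected principals can be pulled out of it directly. The following is an added example, not code from the original article: it scans krb5kdc.log lines for the NO PREAUTH message shown above, lists each refused service principal once, and prints the modprinc command for the host/ principals while refusing to suggest the change for anything else (a user principal should keep pre-authentication). The log lines are constructed to match the message format above; the host names client.firm.local and other.firm.local and the ldap/ service principal are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: turn NO PREAUTH lines
# from /var/log/kerberos/krb5kdc.log into the kadmin commands that fix them.

# Constructed sample KDC log lines. The AS_REQ line is a successful ticket
# issue and must be ignored; the repeated client line must be listed once.
SAMPLE_LOG='Sep 03 01:20:23 server.firm.local krb5kdc[1150](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.30.10: NO PREAUTH: authtime 0, george@FIRM.LOCAL for host/client.firm.local@FIRM.LOCAL, Generic error (see e-text)
Sep 03 01:20:25 server.firm.local krb5kdc[1150](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.30.10: ISSUE: authtime 1315005625, etypes {rep=18 tkt=18 ses=18}, george@FIRM.LOCAL for krbtgt/FIRM.LOCAL@FIRM.LOCAL
Sep 03 01:21:02 server.firm.local krb5kdc[1150](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.30.11: NO PREAUTH: authtime 0, george@FIRM.LOCAL for host/other.firm.local@FIRM.LOCAL, Generic error (see e-text)
Sep 03 01:21:30 server.firm.local krb5kdc[1150](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.30.10: NO PREAUTH: authtime 0, george@FIRM.LOCAL for host/client.firm.local@FIRM.LOCAL, Generic error (see e-text)
Sep 03 01:22:07 server.firm.local krb5kdc[1150](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.30.10: NO PREAUTH: authtime 0, george@FIRM.LOCAL for ldap/server.firm.local@FIRM.LOCAL, Generic error (see e-text)'

# preauth_failures: log text on stdin, one refused service principal per
# line on stdout, sorted and de-duplicated. The service principal is the
# token after " for " and before the comma.
preauth_failures() {
    grep 'NO PREAUTH' | sed -n 's/.* for \([^ ,]*\),.*/\1/p' | sort -u
}

# preauth_fix_commands: print the kadmin command for each host/ principal.
# Clearing requires_preauth lets anyone fetch an AS-REP encrypted under the
# principal's long-term key; that is harmless for a random keytab key but
# not for a password, so other principals are flagged for manual review.
preauth_fix_commands() {
    preauth_failures | while read -r princ; do
        case "$princ" in
            host/*) printf 'kadmin: modprinc -requires_preauth %s\n' "$princ" ;;
            *)      printf '# review by hand, not a host principal: %s\n' "$princ" ;;
        esac
    done
}

# Usage against the real log:   preauth_fix_commands < /var/log/kerberos/krb5kdc.log
printf '%s\n' "$SAMPLE_LOG" | preauth_fix_commands
```

Check the output before pasting it into kadmin; the point of the host/ filter is that a mistyped user principal never ends up in the list of principals whose pre-authentication you switch off.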
LDAP Server
Installation
server# apt-get install slapd ldapscripts
Answer the prompts as follows:
- For the DNS domain name, enter your domain name. This will be translated to an LDAP DN (for example, 'firm.local' would become 'dc=firm, dc=local'). This becomes what is known as your BaseDN, the root of your database.
- For your organization you can enter any string; this becomes associated to the 'o' field of your BaseDN record.
- Next enter your LDAP administrator password twice. This will set the password for 'cn=admin, BaseDN' and give 'cn=admin, BaseDN' write access to everything in your LDAP tree.
- Accept the default of No to the question Allow LDAPv2 protocol.
- Use the default database backend.
Note: if you don't get these prompts, run "dpkg-reconfigure -plow slapd" after installation. The latest version only asks for the admin password and none of the rest, because the DNS domain name is taken from the machine's configured FQDN.
Verify LDAP
server# slapcat
Administration Tools
You can use the GUI tool jxplorer from a desktop (do not install jxplorer on the server), or import entries with the ldapadd command. This example uses ldapadd to import a basic OU structure and jxplorer to create users.
Create basic OU structure by creating a file "base.ldif" with the following content:
dn: ou=hosts,dc=firm,dc=local
ou: hosts
objectClass: top
objectClass: organizationalUnit

dn: ou=rpc,dc=firm,dc=local
ou: rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=services,dc=firm,dc=local
ou: services
objectClass: top
objectClass: organizationalUnit

dn: ou=users,dc=firm,dc=local
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=firm,dc=local
ou: group
objectClass: top
objectClass: organizationalUnit

dn: ou=aliases,dc=firm,dc=local
ou: aliases
objectClass: top
objectClass: organizationalUnit
Add entries to LDAP database
server# ldapadd -H ldap://server.firm.local -x -D "cn=admin,dc=firm,dc=local" -W -f ./base.ldif
Note: -W prompts for the admin password. Passing it with -w puts it into your shell history and shows it to every user in ps while the command runs. This is a simple bind, so the password also crosses the network in the clear; run the command on the server itself, or add -ZZ (StartTLS) once slapd has a certificate.
Create users
Use jxplorer or other GUI tool which can manage LDAP from your desktop.
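For scripted user creation, or just to see which attributes an account needs before the client side can resolve it with getent, here is an added example that is not part of the original article. It generates the LDIF for a POSIX user under ou=users and its primary group under ou=group (the OUs from base.ldif above) and validates the inputs before they reach the DN. Authentication is handled by Kerberos, so no userPassword attribute is written. Debian's slapd loads the nis schema (posixAccount, posixGroup) by default. The uid/gid numbers, home path and shell are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: generate the LDIF for a POSIX
# user and its primary group so that NSS (nslcd or sssd, see CLIENT) can
# resolve the account. No userPassword: Kerberos holds the credentials.

BASE_DN='dc=firm,dc=local'

# user_ldif LOGIN UIDNUMBER GIDNUMBER "FULL NAME"
user_ldif() {
    login=$1; uidn=$2; gidn=$3; gecos=$4
    # LDIF is line oriented and the login ends up inside the DN, so accept
    # only a plain lowercase login: spaces, commas or newlines here would add
    # attributes or change the DN.
    case "$login" in
        ''|*[!a-z0-9_-]*) echo "user_ldif: invalid login '$login'" >&2; return 1 ;;
    esac
    # Numeric ids only, and keep them out of the range of local accounts.
    case "$uidn$gidn" in
        ''|*[!0-9]*) echo "user_ldif: uid/gid must be numeric" >&2; return 1 ;;
    esac
    [ "$uidn" -ge 1000 ] && [ "$gidn" -ge 1000 ] || {
        echo "user_ldif: uid/gid must be >= 1000 to stay clear of local users" >&2
        return 1
    }
    cat <<EOF
dn: uid=$login,ou=users,$BASE_DN
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $gecos
sn: ${gecos##* }
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash
gecos: $gecos

EOF
}

# group_ldif NAME GIDNUMBER: the primary group referenced by gidNumber.
group_ldif() {
    cat <<EOF
dn: cn=$1,ou=group,$BASE_DN
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2

EOF
}

# Usage: write both entries and load them with a password prompt (-W):
#   { group_ldif george 10001; user_ldif george 10001 10001 "George Example"; } > george.ldif
#   ldapadd -H ldap://server.firm.local -x -D "cn=admin,$BASE_DN" -W -f george.ldif
#   getent passwd george      # on a configured client: prints the LDAP entry
group_ldif george 10001
user_ldif george 10001 10001 "George Example"
```

The uid and group principal names should match the Kerberos principal (george here) so that pam_krb5 or sssd maps the authenticated principal to the right POSIX account.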
LDAP PAM (client on the server)
You have to install LDAP client on the LDAP server itself. Please follow CLIENT section.
CLIENT
You can either use:
- SSSD Client; or
- Kerberos +LDAP Client
1. LDAP and Kerberos Client (sssd)
sssd is the newest LDAP+Kerberos client implementation and the best method for both online and offline (cached) login.
Install sssd
client# apt-get install sssd krb5-user
Configure /etc/sssd/sssd.conf
Update: Newer distributions might have a /usr/share/sssd/generate-config script which will generate the sssd config automatically. In this case you can run:
# /usr/share/sssd/generate-config > /etc/sssd/sssd.conf; chmod 600 /etc/sssd/sssd.conf
Example sssd.conf (taken from a different setup: domain nike.corp with server maverick.nike.corp; substitute firm.local, FIRM.LOCAL and server.firm.local for this article's environment). Two corrections to the generated file: the option is spelled krb5_changepw_principal (a misspelled option name is simply ignored), and krb5_kdcip is a deprecated alias for krb5_server. Note also that ldap_tls_reqcert only matters once TLS is negotiated; with a plain ldap:// URI you also need ldap_id_use_start_tls = true, otherwise identity lookups cross the network in cleartext (passwords do not, since auth_provider = krb5).
# SSSD configuration generated using /usr/share/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = nike.corp

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/nike.corp]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://maverick.nike.corp
ldap_search_base = dc=nike,dc=corp
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_kdcip = maverick.nike.corp
krb5_realm = NIKE.CORP
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
Test to get Kerberos ticket:
client# kinit <username>
Find a user:
# getent passwd <username>
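To produce an sssd.conf for the firm.local environment of this article instead of editing the generated one by hand, here is an added example that is not part of the original article. It writes the configuration with the option names sssd recognises, turns on StartTLS for the LDAP identity channel, and installs the file with the ownership and mode sssd insists on (root, 0600). The CA bundle path and the choice of StartTLS over an ldaps:// URI are assumptions; adjust them to your server's certificate.

```shell
#!/bin/sh
# Added example, not from the original article: generate and install
# /etc/sssd/sssd.conf for the FIRM.LOCAL realm described above.

# sssd_conf REALM SERVER_FQDN BASE_DN   -> prints the config on stdout
sssd_conf() {
    realm=$1; server=$2; base=$3
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/$domain]
; enumerate = true makes sssd pull the whole directory; keep it off
enumerate = false
; cache_credentials lets the notebook log in without the network
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://$server
ldap_search_base = $base
; With a plain ldap:// URI ldap_tls_reqcert does nothing unless StartTLS is
; switched on; without it identity data (not passwords) crosses in cleartext.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
; krb5_server replaces the older krb5_kdcip spelling
krb5_server = $server
krb5_realm = $realm
krb5_changepw_principal = kadmin/changepw
krb5_auth_timeout = 15
EOF
}

# install_sssd_conf DEST: sssd refuses to start unless its config is owned
# by root with mode 0600, so create the file with that mode from the start
# rather than tightening it afterwards.
install_sssd_conf() {
    dest=$1
    ( umask 077; sssd_conf FIRM.LOCAL server.firm.local dc=firm,dc=local > "$dest" )
    chmod 600 "$dest"
}

# Usage (as root):  install_sssd_conf /etc/sssd/sssd.conf && service sssd restart
sssd_conf FIRM.LOCAL server.firm.local dc=firm,dc=local
```

After restarting sssd, kinit <username> and getent passwd <username> from the previous step are the tests to repeat; if getent returns nothing while kinit works, the LDAP side (ldap_uri, ldap_search_base or the TLS certificate check) is what to look at.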
2. Kerberos +LDAP Client
Kerberos Client
This is a standalone Kerberos client installation.
Install kerberos client
client# apt-get install krb5-user
Configure /etc/krb5.conf
[realms]
    FIRM.LOCAL = {
        kdc = server.firm.local:88
        admin_server = server.firm.local:749
        default_domain = firm.local
    }

[domain_realm]
    .firm.local = FIRM.LOCAL
    firm.local = FIRM.LOCAL

[libdefaults]
    default_realm = FIRM.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = yes

[logging]
    default = FILE:/var/log/kerberos/krb5libs.log

Note: the realm and domain names must match the server exactly (the original client file had FIRMA.LOCAL and firma.local in [realms] and [domain_realm], which the KDC does not serve; realm names are case-sensitive). The log directory /var/log/kerberos must also exist on the client, so create it as on the server.
LDAP Client (No Caching LDAP credentials for offline use)
Note: This client installation is not suitable for notebooks.
Install LDAP Client
client# apt-get install libpam-ldapd nslcd nscd libnss-ldapd
- LDAP server URI: ldap://<FQDN of the LDAP server>, e.g. ldap://server.firm.local
- LDAP server search base: dc=firm,dc=local
- LDAP database user: leave it empty
- Use StartTLS? no (this leaves nslcd's directory lookups in cleartext; acceptable on a trusted LAN for a first test, but enable it once slapd has a certificate)
- Name services to configure: do not choose anything
- PAM profiles to enable: select all
Important: Please do not select the services during package configuration, because there seems to be a bug (Debian 640185).
Change /etc/nsswitch.conf manually and add ldap to the following services:
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns ldap
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
Reconfigure client
client# dpkg-reconfigure nslcd
client# dpkg-reconfigure libpam-ldapd
client# dpkg-reconfigure libnss-ldapd
Install client - Caching LDAP credentials for offline use (optional)
client# apt-get install libpam-ccreds libpam-mklocaluser
Reconfigure /etc/nscd.conf
Note: The changes are in the reload-count and positive-time-to-live fields. The timeouts have to be extended (2592000 seconds is 30 days) so that cached entries survive long enough for offline use.
debug-level             0
reload-count            unlimited
paranoia                no

enable-cache            passwd      yes
positive-time-to-live   passwd      2592000
negative-time-to-live   passwd      20
suggested-size          passwd      211
check-files             passwd      yes
persistent              passwd      yes
shared                  passwd      yes
max-db-size             passwd      33554432
auto-propagate          passwd      yes

enable-cache            group       yes
positive-time-to-live   group       2592000
negative-time-to-live   group       20
suggested-size          group       211
check-files             group       yes
persistent              group       yes
shared                  group       yes
max-db-size             group       33554432
auto-propagate          group       yes

enable-cache            hosts       no
positive-time-to-live   hosts       2592000
negative-time-to-live   hosts       20
suggested-size          hosts       211
check-files             hosts       yes
persistent              hosts       yes
shared                  hosts       yes
max-db-size             hosts       33554432

enable-cache            services    yes
positive-time-to-live   services    2592000
negative-time-to-live   services    20
suggested-size          services    211
check-files             services    yes
persistent              services    yes
shared                  services    yes
max-db-size             services    33554432
Restart NSCD
client# /etc/init.d/nscd restart
After user logs in the credentials will be cached. You can test it by trying to login again without network connection.
Issues
I found that there is an issue with the nslcd service: after a successful login using cached credentials, the screen stays blank.
To resolve this issue, stop the nslcd service before you log in (you can do this by switching to a text console with CTRL+ALT+F1 and logging in as root).
# /etc/init.d/nslcd stop
Troubleshooting
Flush cache
client# nscd -i passwd
client# nscd -i group
client# nscd -i hosts
client# nscd -i services