Linux Small Business Server - LDAP and Kerberos (part 2)

Category: myblog Written by Jiri Kanicky Hits: 3383

This article will help you to configure LDAP and Kerberos on Debian server and Debian client machine.  We will configure Kerberos first. After we have got Kerberos working, we will move to LDAP configuration. It good practice to do it in this order, because it let us to test each component separately.

ENVIRONMENT

REQUIREMENT

KERBEROS Server

Kerberos Installation and Configuration

Install packages

server# apt-get install krb5-admin-server krb5-kdc

Edit /etc/krb5.conf

[realms]
FIRM.LOCAL = {
kdc = server.firm.local:88
admin_server = server.firm.local:749
default_domain = firm.local
}

[domain_realm]
.firm.local = FIRM=.LOCAL
firm=.local = FIRM.LOCAL

[libdefaults]
default_realm = FIRM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log

Create log directory and files:

mkdir /var/log/kerberos
touch /var/log/kerberos/krb5libs.log
touch /var/log/kerberos/krb5kdc.log
touch /var/log/kerberos/kadmind.log

Configure KDC by editing /etc/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    FIRM.LOCAL = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth,+forwardable,+renewable
    }

Important: Please pay special attention to +preauth attribute (What is preauthentication). You may want to remove it if you do not plan to use preauthentication. If you keep the atribute in default configuration every principal will be created with such attribute. You can remove preauthentication attribute manually from each principal later, however that might be additional work. Please see section LDAP_and_Kerberos_on_Debian_Wheezy#Pre-authentication_attribute. I recommend to not include the attribute in default configuration if you do not plan to use it or if you are trying Kerberos for the first time.

Create krb5 database

server# krb5_newrealm

Restart Kerberos services

server# service krb5-admin-server restart
server# service krb5-kdc restart

Configure access control list by editing /etc/krb5kdc/kadm.acl. The following configuration is required for administering Kerberos database using kadmin tool. If you do not configure access list you will not be able to create/modify principles/users in the database.

*/This email address is being protected from spambots. You need JavaScript enabled to view it. *

Create admin principal

server# kadmin.local -q "addprinc krbadmin/admin"

Restart Services

server# service krb5-admin-server restart
server# service krb5-kdc restart

Kerberos administration

Run kadmin tool

server#  kadmin -p krbadmin/admin
Authenticating as principal krbadmin/admin with password.
Password for krbadmin/This email address is being protected from spambots. You need JavaScript enabled to view it.: 
kadmin:

List Principles

kadmin:  listprincs
K/This email address is being protected from spambots. You need JavaScript enabled to view it.
kadmin/This email address is being protected from spambots. You need JavaScript enabled to view it.
kadmin/This email address is being protected from spambots. You need JavaScript enabled to view it.
kadmin/This email address is being protected from spambots. You need JavaScript enabled to view it.
krbadmin/This email address is being protected from spambots. You need JavaScript enabled to view it.
krbtgt/This email address is being protected from spambots. You need JavaScript enabled to view it.

Create Principles

Note: You might prefer to use root/admin principle for Kerberos administration to keep it consistent with root user in Linux distributions. However, please don't mistake this principal with root user. This principal is for Kerberos administration and is same as krbadmin/admin created previously.

kadmin:  addprinc root/admin
WARNING: no policy specified for root/This email address is being protected from spambots. You need JavaScript enabled to view it.; defaulting to no policy
Enter password for principal "root/This email address is being protected from spambots. You need JavaScript enabled to view it.": 
Re-enter password for principal "root/This email address is being protected from spambots. You need JavaScript enabled to view it.": 
Principal "root/This email address is being protected from spambots. You need JavaScript enabled to view it." created.
kadmin:

Create principal for the local user created in pre-installation steps. We will use it for testing.

kadmin:  addprinc george
WARNING: no policy specified for This email address is being protected from spambots. You need JavaScript enabled to view it.; defaulting to no policy
Enter password for principal "This email address is being protected from spambots. You need JavaScript enabled to view it.": 
Re-enter password for principal "This email address is being protected from spambots. You need JavaScript enabled to view it.": 
Principal "This email address is being protected from spambots. You need JavaScript enabled to view it." created.
kadmin:

Kerberos testing

Note: You have to install and configure Kerberos Client and test the following from the client. Please see the Client section bellow.

Create ticket

server# kinit george
Password for This email address is being protected from spambots. You need JavaScript enabled to view it.:

Verify ticket

server# klist
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: This email address is being protected from spambots. You need JavaScript enabled to view it.

Valid starting     Expires            Service principal
09/01/11 00:56:58  09/01/11 10:56:58  krbtgt/This email address is being protected from spambots. You need JavaScript enabled to view it.
	renew until 09/02/11 00:56:53


If you get similar output Kerberos is working at this point and you can move to LDAP configuration.

Kerberos troubleshooting

Pre-authentication attribute

What is preauthentication

If you don't receive a ticket after login, but you are able to get a ticket with kinit manually, you should check krb5lib.log on the server. You may see the following messages which indicate an issue with pre-authentication.

Sep 03 01:20:23 server.firm.local krb5kdc[1150](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.30.10: NO PREAUTH: authtime 0,  This email address is being protected from spambots. You need JavaScript enabled to view it. for host/This email address is being protected from spambots. You need JavaScript enabled to view it., Generic error (see e-text)

The issue is related to the following attribute:

+requires_preauth - requires this principal to preauthenticate before being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)

-requires_preauth - clears this flag.

To resolve this issue you have to remove the attribute from all problematic principles listed in the logs

kadmin:  modprinc -requires_preauth host/This email address is being protected from spambots. You need JavaScript enabled to view it.

To verify the attribute on principle use:

kadmin:  getprinc host/This email address is being protected from spambots. You need JavaScript enabled to view it.

LDAP Server

Installation

server# apt-get install slapd ldapscripts

Answer the prompts as follows:

Note: if you don't get these options use "dpkg-reconfigure -plow slapd" after installation. With the latest version, it only asks you for admin user password and none of the rest, because the DNS domain name is taken from configured machine FQDN name.

Verify LDAP

server# slapcat

Administration Tools

You can use GUI tool "jxplorer" from a desktop (do not install jxplorer on the server), or we can import entries using "ldapadd" command. We will use ldapadd for importing a basic OU structure and jxplorer to create users in this example.

Create basic OU structure by creating a file "base.ldif" with the following content:

dn: ou=hosts,dc=firm,dc=local
ou: hosts
objectClass: top
objectClass: organizationalunit

dn: ou=rpc,dc=firm,dc=local
ou: rpc
objectClass: top
objectClass: organizationalUnit

dn: ou=services,dc=firm,dc=local
ou: services
objectClass: top
objectClass: organizationalUnit

dn: ou=users,dc=firm,dc=local
ou: users
objectClass: top
objectClass: organizationalUnit

dn: ou=group,dc=firm,dc=local
ou: group
objectClass: top
objectClass: organizationalUnit

dn: ou=aliases,dc=firm,dc=local
ou: aliases
objectClass: top
objectClass: organizationalUnit

Add entries to LDAP database

server# ldapadd -H ldap://server.firm.local -x -D "cn=admin,dc=firm,dc=local" -f ./base.ldif -w password

Create users

Use jxplorer or other GUI tool which can manage LDAP from your desktop.

LDAP PAM (client on the server)

You have to install LDAP client on the LDAP server itself. Please follow CLIENT section.

CLIENT

You can either use:

  1. SSSD Client; or
  2. Kerberos +LDAP Client

1. LDAP and Kerberos Client (sssd)

sssd is the most recent LDAP+Kerberos client implementation. This is the best method for online or offline (cached) login.

Install sssd

client# apt-get install sssd krb5-user

Configure /etc/sssd/sssd.conf

Update: Newer distributions might have a /usr/share/sssd/generate-config script which will generate the sssd config automatically. In this case you can run:

# /usr/share/sssd/generate-config > /etc/sssd/sssd.conf; chmod 600 /etc/sssd/sssd.conf

Example of sssd.conf:

# SSSD configuration generated using /usr/share/sssd/generate-config
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = nike.corp

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/nike.corp]
; Using enumerate = true leads to high load and slow response
enumerate = false
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://maverick.nike.corp
ldap_search_base = dc=nike,dc=corp
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

krb5_kdcip = maverick.nike.corp
krb5_realm = NIKE.CORP
krb5_changepw_principle = kadmin/changepw
krb5_auth_timeout = 15

Test to get Kerberos ticket:

# knit <username

Find a user:

# getent passwd <username>

2. Kerberos +LDAP Client

Kerberos Client

This is a standalone Kerberos client installation.

Install kerberos client

client# apt-get install krb5-user

Configure /etc/krb5.conf

[realms]
FIRMA.LOCAL = {
kdc = server.firm.local:88
admin_server = server.firm.local:749
default_domain = firma.local
}

[domain_realm]
.firma.local = FIRM.LOCAL
firma.local = FIRM.LOCAL

[libdefaults]
default_realm = FIRM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = yes

[logging] 
default = FILE:/var/log/kerberos/krb5libs.log

LDAP Client (No Caching LDAP credentials for offline use)

Note: This client installation is not suitable for notebooks.

Install LDAP Client

client# apt-get install libpam-ldapd nslcd nscd libnss-ldapd

LDAP server URI: --> FQDN of the LDAP server 
LDAP server search base: --> dc=,dc= 
LDAP database user: --> leave it empty 
Use StartTLS? --> no 
Name services to configure: --> do not choose anything 
PAM profiles to enable: --> select all

Important: Please do not select the services during package configuration, because there seems to be a bug (Debian 640185).

Change /etc/nsswitch.conf manually and add ldap to the following servises:

  passwd:         files ldap
  group:          files ldap
  shadow:         files ldap

  hosts:          files dns ldap
  networks:       files

  protocols:      db files
  services:       db files
  ethers:         db files
  rpc:            db files

  netgroup:       nis

Reconfigure client

client# dpkg-reconfigure nslcd
client# dpkg-reconfigure libpam-ldapd
client# dpkg-reconfigure libnss-ldapd

Install client - Caching LDAP credentials for offline use (optional)

client# apt-get install libpam-ccreds libpam-mklocaluser

Reconfigure /etc/nscd.conf

Note: The changes are in the fields reload-count and positive-time-to-live. We have to extent the timeout.

        debug-level		0
	reload-count		unlimited
	paranoia		no

	enable-cache		passwd		yes
	positive-time-to-live	passwd		2592000
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
	check-files		passwd		yes
	persistent		passwd		yes
	shared			passwd		yes
	max-db-size		passwd		33554432
	auto-propagate		passwd		yes

	enable-cache		group		yes
	positive-time-to-live	group		2592000
	negative-time-to-live	group		20
	suggested-size		group		211
	check-files		group		yes
	persistent		group		yes
	shared			group		yes
	max-db-size		group		33554432
	auto-propagate		group		yes

	enable-cache		hosts		no
	positive-time-to-live	hosts		2592000
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
	persistent		hosts		yes
	shared			hosts		yes
	max-db-size		hosts		33554432

	enable-cache		services	yes
	positive-time-to-live	services	2592000
	negative-time-to-live	services	20
	suggested-size		services	211
	check-files		services	yes
	persistent		services	yes
	shared			services	yes
	max-db-size		services	33554432

Restart NSCD

client# /etc/init.d/nscd restart


After user logs in the credentials will be cached. You can test it by trying to login again without network connection.

Issues

I found out that there is some issue with nslcd service and after successful login using cached credentials, the screen stays blank.

To resolve this issue stop nslcd service before you login. (you can do this by changing terminal with CTRL+ALT+F! and login as root)

# /etc/init.d/nscld stop

Troubleshooting

Flush cache

client# nscd -i passwd
client# nscd -i group
client# nscd -i hosts
client# nscd -i services