Gentoo Forums
Feedback thread for the Kerberos for Small Networks HOWTO
Bones
n00b
Joined: 07 Dec 2002
Posts: 31

Posted: Sat Jun 02, 2007 3:46 am    Post subject: Feedback thread for the Kerberos for Small Networks HOWTO

This thread is now for offering feedback for the Kerberos for small networks, without LDAP or AD HOWTO


I just finished Kerberising my Gentoo network, and I'm willing to convert my notes into something suitable for mass consumption. That is, if there is any demand for it.

My network is somewhat different from the other Kerberos setups that are documented on the Internet:

  • I don't use LDAP
  • I don't use NIS
  • I integrated Windows 2000/XP machines into the Kerberos realm without Active Directory


Kerberised services include Samba, SSH, and a mail system using Postfix+Dovecot with virtual users.

Anybody interested?
_________________
I have a computer.


Last edited by Bones on Thu Jun 14, 2007 7:59 am; edited 1 time in total
johnny99
Apprentice
Joined: 24 Oct 2005
Posts: 248
Location: Berkeley, California

Posted: Sat Jun 02, 2007 6:46 am

Sure!
smbmarek
n00b
Joined: 11 Jun 2007
Posts: 1

Posted: Tue Jun 12, 2007 8:44 am

Could you especially tell us what your Samba configuration is?
John R. Graham
Administrator
Joined: 08 Mar 2005
Posts: 10147
Location: Somewhere over Atlanta, Georgia

Posted: Tue Jun 12, 2007 11:53 am    Post subject: Re: Would anyone like a Kerberos howto?

Bones wrote:
Anybody interested?

Yes, please! :)

- John
Bones
n00b
Joined: 07 Dec 2002
Posts: 31

Posted: Thu Jun 14, 2007 5:58 am

I started posting the HOWTO. I'm trying to keep it as short as possible, but I'm wondering if the instructions are too concise and if I'm glossing over too much. Feedback is welcome.
_________________
I have a computer.
bludger
Guru
Joined: 09 Apr 2003
Posts: 389

Posted: Fri Jun 15, 2007 3:27 pm

This looks interesting, although perhaps not trivial to set up and test.

How does this setup compare to a windows standard AD configuration? Are there any limitations? Will it be possible to integrate with roaming profiles? Can the user simply change his password from one workstation and have it carry through to all other applications?
Bones
n00b
Joined: 07 Dec 2002
Posts: 31

Posted: Fri Jun 15, 2007 10:47 pm

bludger wrote:
How does this setup compare to a windows standard AD configuration? Are there any limitations?


Kerberos, by itself, is not a user management package like AD. Its purpose is authentication only, although some programs can use it as a user database like Samba and Dovecot. It doesn't store things like UIDs or home directories.

Quote:
Will it be possible to integrate with roaming profiles? Can the user simply change his password from one workstation and have it carry through to all other applications?


See above. There is no reason, though, that this setup cannot be used as a foundation for implementing a fully functional user management service using LDAP that could provide roaming profiles.

As for passwords, changing the Kerberos password for a principal is possible from any workstation that participates in the realm. However, the change to the user password stored in /etc/shadow won't be propagated across all of the machines on the network, and will only be effective on the machine the password was changed from. I touch on this dual identity issue in the section on adding new hosts to the network. There is some burden for administering users with this setup; my network has less than a dozen users, so it's no worse than not having Kerberos at all, and I now have single sign-on. However, if due diligence is not done with user passwords, it is possible for the /etc/shadow and Kerberos passwords to get out of sync, and you may not realize this until the Kerberos KDC is not available some day. And the setup I present does not offer a slave KDC for redundancy, although that is easy to implement.

Kerberos was not easy to get running, and integrating Windows into it was a frustrating and time consuming experience. The sole reason for my difficulties was that the documentation sucks and Gentoo's packaging of MIT Kerberos sucks even more. So I wrote the HOWTO with the idea that I would save the time of others who wanted to implement Kerberos in a simple way, or as part of a more complicated setup. Hopefully, the HOWTO does not suck.
_________________
I have a computer.
Bones
n00b
Joined: 07 Dec 2002
Posts: 31

Posted: Sat Jun 16, 2007 1:53 am

I just posted the Windows section.

Next will be mail system setup. That will be for Dovecot, which is fully functional as an IMAP server using Kerberos auth. I intended to configure Postfix authentication to use Dovecot's SASL implementation instead of Cyrus, but dovecot-auth keeps segfaulting when I try it :( So I'll just post the Dovecot stuff and add Postfix later.
_________________
I have a computer.
Robert Sharp
n00b
Joined: 21 Feb 2006
Posts: 5
Location: England

Posted: Tue Jun 26, 2007 6:47 pm

Hi

I was preparing a Howto myself, given the lack of clear info on Kerberisation so you beat me to it. A few thoughts though...

You mention problems with DNS - I use dnsmasq for dhcp and dns and it works fine. I would recommend this.

There are two /etc/init.d scripts that work fine: /etc/init.d/mit-krb5kdc, which starts the kdc, and /etc/init.d/mit-krb5kadmind, which starts both.

Under SSH it may be worth mentioning the need to create a plain principal that matches your login account? I had problems because I had made myself an admin and it didn't map. I don't know if there is a way of mapping that I haven't found yet?

Finally, under Mail Server you missed out the -randkey when setting up the principal. I also had problems setting up the dovecot.conf file. userdb needs to tell dovecot where the mail directory is stored. I solved it with

Code:
auth default {
  mechanisms = gssapi plain
  userdb static {
    args = uid=500 gid=500 home=/home/%u mail=maildir:/home/%u/.maildir
  }
}


I added plain as well cos I open several mail boxes at once and I can't figure how to use kerberos to do that yet.

Hope this is helpful. I will give you further feedback as I progress with my own setup.
Bones
n00b
Joined: 07 Dec 2002
Posts: 31

Posted: Tue Jun 26, 2007 11:36 pm

Thanks, I incorporated your feedback.

I also use dnsmasq. The specific problem I was having was with the KDC machine, which was also running dnsmasq. A misconfigured /etc/hosts, and hosts file priority in /etc/nsswitch.conf, meant that queries from the KDC box for the KDC box kept returning 127.0.0.1. This broke Kerberos for just the KDC machine, and I spent a lot of time troubleshooting that problem.

So the best policy, I think, is to set dns priority in /etc/nsswitch.conf for all of the hosts on the network.

Quote:
I also had problems setting up the dovecot.conf file. userdb needs to tell dovecot where the mail directory is stored. I solved it with

Code:
auth default {
  mechanisms = gssapi plain
  userdb static {
    args = uid=500 gid=500 home=/home/%u mail=maildir:/home/%u/.maildir
  }
}

Oops, I had the mail location variable set in my config, and failed to note that in the howto. I prefer using the mail location variable instead of specifying that in the auth section. It works either way.

Quote:

I added plain as well cos I open several mail boxes at once and I can't figure how to use kerberos to do that yet.

I'm not sure it's possible to authenticate multiple mailboxes with one Kerberos ticket. Looking at the Dovecot config docs, I don't see a way of doing that.
_________________
I have a computer.
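The KDC-box problem Bones describes (the KDC's own name pinned to 127.0.0.1 in /etc/hosts, and "files" consulted before "dns" in /etc/nsswitch.conf), as an added diagnostic example that is not from this thread or the HOWTO: it parses both files and reports why the KDC would resolve itself to loopback. The sample file contents and the name kdc.example.lan are constructed.

```python
import ipaddress

# Constructed sample files (not from this thread) reproducing the KDC-box problem
# described above: the KDC's own name is pinned to 127.0.0.1 in /etc/hosts and
# nsswitch.conf consults "files" before "dns", so the loopback entry wins.
SAMPLE_HOSTS = """\
127.0.0.1   localhost kdc.example.lan kdc
::1         localhost
192.168.1.2 fileserver.example.lan
"""
SAMPLE_NSSWITCH = """\
passwd: compat
hosts:  files dns   # first source that answers wins
"""

def hosts_lookup_order(nsswitch_text):
    """Return the sources on the 'hosts:' line in order, e.g. ['files', 'dns']."""
    for line in nsswitch_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line.startswith('hosts:'):
            return line.split(':', 1)[1].split()
    return []

def hosts_file_addresses(hosts_text, name):
    """Addresses /etc/hosts assigns to `name` (case-insensitive, comments ignored)."""
    addrs = []
    for line in hosts_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and name.lower() in [f.lower() for f in fields[1:]]:
            addrs.append(fields[0])
    return addrs

def kdc_self_resolution_findings(hosts_text, nsswitch_text, kdc_fqdn):
    """Explain why the KDC host would resolve its own name to a loopback address."""
    findings = []
    order = hosts_lookup_order(nsswitch_text)
    files_before_dns = 'files' in order and (
        'dns' not in order or order.index('files') < order.index('dns'))
    loopback = [a for a in hosts_file_addresses(hosts_text, kdc_fqdn)
                if ipaddress.ip_address(a).is_loopback]
    if loopback:
        findings.append(f"/etc/hosts maps {kdc_fqdn} to loopback {', '.join(loopback)}")
        if files_before_dns:
            findings.append("nsswitch.conf lists 'files' before 'dns', so Kerberos on "
                            "the KDC sees that loopback entry, not the real address")
    return findings
```

Putting dns before files removes the second finding but not the first; the stale /etc/hosts entry is still worth fixing so the box keeps working if the resolver is down.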
tekknokrat
Apprentice
Joined: 17 Apr 2005
Posts: 278
Location: Magdeburg

Posted: Sun Nov 18, 2007 6:28 pm

Your howto reads fine and fits my needs. After an overview reading, as a Kerberos/LDAP newbie I have some questions:

Does this guide make the basic environment for an SSO-based network environment?
I mean, if my Windows users are authenticated, does this inherit ticket generation for use with other services, e.g. Kerberos-supported IMAP or mod_auth_kerb?

How much effort will it take to use ldap as a kerberos backend for your configuration? Some caveats?

regards
_________________
Optimism is solely an absence of information. / Optimismus ist nur ein Mangel an Information.
(Arthur Schopenhauer)
SeeksTheMoon
Apprentice
Joined: 24 Sep 2003
Posts: 163

Posted: Tue Sep 07, 2010 10:31 am

Quote:
Note that kadmind tries to obtain data from /dev/random when starting up. If the KDC host machine's entropy pool is empty, the kadmind daemon will hang until it gets what it needs. The quickest way to build some entropy is to type gibberish into a terminal and/or move the mouse around a lot. This can be a problem if the KDC host is headless and without a keyboard and mouse. (need a good solution here)


emerge and start audio-entropyd, video-entropyd or (my favorite) timer_entropyd to increase the entropy pool.