Feedback thread for the Kerberos for Small Networks HOWTO

Bones
n00b
Posts: 31
Joined: Sat Dec 07, 2002 1:14 am

Feedback thread for the Kerberos for Small Networks HOWTO


Post by Bones » Sat Jun 02, 2007 3:46 am

This thread is now for offering feedback on the "Kerberos for small networks, without LDAP or AD" HOWTO.


I just finished Kerberising my Gentoo network, and I'm willing to convert my notes into something suitable for mass consumption. That is, if there is any demand for it.

My network is somewhat different from the other Kerberos setups that are documented on the Internet:
  • I don't use LDAP
  • I don't use NIS
  • I integrated Windows 2000/XP machines into the Kerberos realm without Active Directory
Kerberised services include Samba, SSH, and a mail system using Postfix+Dovecot with virtual users.

Anybody interested?
Last edited by Bones on Thu Jun 14, 2007 7:59 am, edited 1 time in total.
I have a computer.
johnny99
Apprentice
Posts: 253
Joined: Mon Oct 24, 2005 8:56 pm
Location: Berkeley, California


Post by johnny99 » Sat Jun 02, 2007 6:46 am

Sure!
smbmarek
n00b
Posts: 1
Joined: Mon Jun 11, 2007 11:02 pm


Post by smbmarek » Tue Jun 12, 2007 8:44 am

Could you especially tell us what is your samba configuration ?
John R. Graham
Administrator
Posts: 10897
Joined: Tue Mar 08, 2005 3:39 pm
Location: Somewhere over Winder, Georgia, USA

Re: Would anyone like a Kerberos howto?


Post by John R. Graham » Tue Jun 12, 2007 11:53 am

Bones wrote:Anybody interested?
Yes, please! :)

- John
Bones
n00b
Posts: 31
Joined: Sat Dec 07, 2002 1:14 am


Post by Bones » Thu Jun 14, 2007 5:58 am

I started posting the HOWTO. I'm trying to keep it as short as possible, but I'm wondering if the instructions are too concise and if I'm glossing over too much. Feedback is welcome.
I have a computer.
bludger
Guru
Posts: 389
Joined: Wed Apr 09, 2003 7:14 am


Post by bludger » Fri Jun 15, 2007 3:27 pm

This looks interesting, although perhaps not trivial to setup and test.

How does this setup compare to a windows standard AD configuration? Are there any limitations? Will it be possible to integrate with roaming profiles? Can the user simply change his password from one workstation and have it carry through to all other applications?
Bones
n00b
Posts: 31
Joined: Sat Dec 07, 2002 1:14 am


Post by Bones » Fri Jun 15, 2007 10:47 pm

bludger wrote:How does this setup compare to a windows standard AD configuration? Are there any limitations?
Kerberos, by itself, is not a user management package like AD. Its purpose is authentication only, although some programs, like Samba and Dovecot, can use it as a user database. It doesn't store things like UIDs or home directories.
bludger wrote:Will it be possible to integrate with roaming profiles? Can the user simply change his password from one workstation and have it carry through to all other applications?
See above. There is no reason, though, that this setup cannot be used as a foundation for implementing a fully functional user management service using LDAP that could provide roaming profiles.

As for passwords, changing the Kerberos password for a principal is possible from any workstation that participates in the realm. However, the change to the user password stored in /etc/shadow won't be propagated across all of the machines on the network, and will only be effective on the machine the password was changed from. I touch on this dual identity issue in the section on adding new hosts to the network. There is some burden for administering users with this setup; my network has fewer than a dozen users, so it's no worse than not having Kerberos at all, and I now have single sign-on. However, if due diligence is not done with user passwords, it is possible for the /etc/shadow and Kerberos passwords to get out of sync, and you may not realize this until the Kerberos KDC is not available some day. And the setup I present does not offer a slave KDC for redundancy, although that is easy to implement.

Kerberos was not easy to get running, and integrating Windows into it was a frustrating and time consuming experience. The sole reason for my difficulties was that the documentation sucks and Gentoo's packaging of MIT Kerberos sucks even more. So I wrote the HOWTO with the idea that I would save the time of others who wanted to implement Kerberos in a simple way, or as part of a more complicated setup. Hopefully, the HOWTO does not suck.
I have a computer.
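The dual identity issue above is easy to audit mechanically. The following is an added example, not code from the HOWTO or from anyone in this thread: it compares the human accounts in a passwd file against the user principals the KDC knows about, in both directions, so an account that only exists on one side is caught before the day the KDC is down. Both functions take file paths, so the constructed samples below run offline; on the KDC you would pass /etc/passwd and the output of `kadmin.local -q listprincs`. The realm name EXAMPLE.COM, the UID floor and the sample users are assumptions.

```shell
#!/bin/sh
# Added example, not code from the HOWTO or from anyone in this thread.
# Audits the "dual identity" the post describes: every human account in
# /etc/passwd should have a user principal in the KDC and vice versa,
# otherwise a password change on one side diverges unnoticed until the KDC
# is unavailable. Inputs are files so the check runs offline on the
# constructed samples below; on a KDC pass /etc/passwd and the output of
#   kadmin.local -q listprincs
# The realm name and the UID floor are assumptions.

REALM="EXAMPLE.COM"   # assumed realm
MIN_UID=1000          # assumed lowest UID of a human account

# Local accounts (uid >= MIN_UID, not "nobody") with no "name@REALM" principal.
# $1 = passwd-format file, $2 = listprincs output
missing_principals() {
    awk -F: -v min="$MIN_UID" -v realm="$REALM" -v princs="$2" '
        BEGIN {
            # Load bare user principals; skip instance and service principals
            # such as alice/admin@REALM, host/kdc@REALM, krbtgt/REALM@REALM.
            while ((getline p < princs) > 0) {
                if (index(p, "/")) continue
                sub("@" realm "$", "", p)
                krb[p] = 1
            }
        }
        $3 >= min && $1 != "nobody" && !($1 in krb) { print $1 }
    ' "$1"
}

# User principals with no local account: identities that can still obtain
# tickets but have no /etc/shadow counterpart on this host.
# $1 = passwd-format file, $2 = listprincs output
stale_principals() {
    awk -v realm="$REALM" -v passwd="$1" '
        BEGIN {
            while ((getline line < passwd) > 0) {
                split(line, f, ":")
                acct[f[1]] = 1
            }
        }
        index($0, "/") == 0 && sub("@" realm "$", "") && !($0 in acct) { print }
    ' "$2"
}

# Constructed sample data standing in for /etc/passwd and listprincs output.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/var/empty:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
EOF
cat > "$SAMPLE_DIR/princs" <<'EOF'
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
host/kdc.example.com@EXAMPLE.COM
alice@EXAMPLE.COM
alice/admin@EXAMPLE.COM
bob@EXAMPLE.COM
dave@EXAMPLE.COM
EOF

echo "local accounts without a principal:"
missing_principals "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/princs"   # carol
echo "principals without a local account:"
stale_principals "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/princs"     # dave
```

Run it from cron on the KDC and mail the output to yourself; an empty report means the two identity stores still agree. It deliberately ignores service and instance principals, which never correspond to a login account, and it cannot tell you whether the two passwords for a matched user are still the same, only that both halves of the identity exist.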
Bones
n00b
Posts: 31
Joined: Sat Dec 07, 2002 1:14 am


Post by Bones » Sat Jun 16, 2007 1:53 am

I just posted the Windows section.

Next will be mail system setup. That will be for Dovecot, which is fully functional as an IMAP server using Kerberos auth. I intended to configure Postfix authentication to use Dovecot's SASL implementation instead of Cyrus, but dovecot-auth keeps segfaulting when I try it :( So I'll just post the Dovecot stuff and add Postfix later.
I have a computer.
Robert Sharp
n00b
Posts: 5
Joined: Tue Feb 21, 2006 10:48 pm
Location: England


Post by Robert Sharp » Tue Jun 26, 2007 6:47 pm

Hi

I was preparing a Howto myself, given the lack of clear info on Kerberisation so you beat me to it. A few thoughts though...

You mention problems with DNS - I use dnsmasq for dhcp and dns and it works fine. I would recommend this.

There are two /etc/init.d scripts that work fine: /etc/init.d/mit-krb5kdc, which starts the kdc, and /etc/init.d/mit-krb5kadmind, which starts both.

Under SSH, it may be worth mentioning the need to create a plain principal that matches your login account. I had problems because I had made myself an admin and it didn't map. I don't know if there is a way of mapping that I haven't found yet?

Finally, under Mail Server you missed out the -randkey when setting up the principal. I also had problems setting up the dovecot.conf file. userdb needs to tell dovecot where the mail directory is stored. I solved it with

Code:

auth default {
  # GSSAPI gives Kerberos single sign-on; plain is the password fallback.
  # Leave disable_plaintext_auth at its default of yes so plain is only
  # offered over TLS.
  mechanisms = gssapi plain
  # Static userdb: every authenticated user gets the same uid/gid, and the
  # home directory and maildir are derived from the user name (%u).
  userdb static {
    args = uid=500 gid=500 home=/home/%u mail=maildir:/home/%u/.maildir
  }
}
I added plain as well because I open several mail boxes at once and I can't figure out how to use Kerberos to do that yet.

Hope this is helpful. I will give you further feedback as I progress with my own setup.
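On the SSH mapping question in the post above: with MIT Kerberos and OpenSSH (GSSAPIAuthentication yes), sshd asks krb5_kuserok() whether the authenticated principal may log in as the requested local user. Without a ~/.k5login the only principal accepted is user@DEFAULT_REALM, which is why a plain principal matching the login name was needed. A ~/.k5login listing principals one per line widens that mapping, so an admin principal can log in as the plain user; once the file exists it is authoritative by default, so the plain principal must be listed too. krb5 ignores the file unless it is owned by the user or root and not writable by group or others. The block below is an added example, not code from the HOWTO or the thread; the realm, user and principal names are assumptions, and the home directory is a parameter so the demonstration runs on a temporary directory. (The other route, auth_to_local rules in krb5.conf, is not shown.)

```shell
#!/bin/sh
# Added example, not from the HOWTO or the thread. Builds a ~/.k5login so
# that an admin principal can log in via GSSAPI as the plain local user,
# and checks the two things krb5 cares about: exact line matches, and a
# file that is not group- or world-writable. Realm and names are assumed.

REALM=EXAMPLE.COM   # assumed default realm

# Write $2/.k5login for login name $1, listing the plain principal plus any
# extra principals passed as further arguments, with safe mode/ownership.
write_k5login() {
    user=$1; home=$2; shift 2
    f="$home/.k5login"
    ( umask 077
      echo "$user@$REALM" > "$f"
      for p in "$@"; do echo "$p" >> "$f"; done )
    chmod 600 "$f"
    # chown needs root; harmless to skip when run as the user themselves
    chown "$user" "$f" 2>/dev/null || true
}

# Whole-line match, which is how krb5 reads the file: no globs, no prefixes.
k5login_allows() {   # $1 = home dir, $2 = principal
    grep -qxF -- "$2" "$1/.k5login" 2>/dev/null
}

# True (0) if the file exists and is neither group- nor world-writable;
# krb5 refuses a .k5login that fails this.
k5login_mode_ok() {   # $1 = home dir
    f="$1/.k5login"
    [ -f "$f" ] || return 1
    case $(ls -ld "$f" | cut -c6,9) in
        *w*) return 1 ;;
    esac
    return 0
}

# Demonstration on a temporary directory standing in for /home/bob.
HOME_DIR=$(mktemp -d)
trap 'rm -rf "$HOME_DIR"' EXIT
write_k5login bob "$HOME_DIR" "bob/admin@$REALM"
cat "$HOME_DIR/.k5login"
k5login_allows "$HOME_DIR" "bob/admin@$REALM" && echo "bob/admin may log in as bob"
```

Keep the list short and specific: every principal in it is a full login identity for that account, and a world-writable .k5login (or one in a home directory someone else can write to) is the same as giving that someone the account, which is exactly why krb5 refuses such files.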
Bones
n00b
Posts: 31
Joined: Sat Dec 07, 2002 1:14 am


Post by Bones » Tue Jun 26, 2007 11:36 pm

Thanks, I incorporated your feedback.

I also use dnsmasq. The specific problem I was having was with the KDC machine, which was also running dnsmasq. A misconfigured /etc/hosts, and hosts file priority in /etc/nsswitch.conf, meant that queries from the KDC box for the KDC box kept returning 127.0.0.1. This broke Kerberos for just the KDC machine, and I spent a lot of time troubleshooting that problem.

So the best policy, I think, is to set dns priority in /etc/nsswitch.conf for all of the hosts on the network.
Robert Sharp wrote:I also had problems setting up the dovecot.conf file. userdb needs to tell dovecot where the mail directory is stored. I solved it with

Code:

auth default {
  mechanisms = gssapi plain
  userdb static {
    args = uid=500 gid=500 home=/home/%u mail=maildir:/home/%u/.maildir
  }
}
Oops, I had the mail_location variable set in my config, and failed to note that in the howto. I prefer using mail_location instead of specifying that in the auth section. It works either way.
Robert Sharp wrote:I added plain as well because I open several mail boxes at once and I can't figure out how to use Kerberos to do that yet.
I'm not sure it's possible to authenticate multiple mailboxes with one Kerberos ticket. Looking at the Dovecot config docs, I don't see a way of doing that.
I have a computer.
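The KDC self-resolution problem in the post above can be checked rather than discovered by hours of troubleshooting. The block below is an added example, not code from the HOWTO or the thread: it reproduces the exact failure (the KDC's own fully qualified name resolves to 127.0.0.1 because "files" is consulted before "dns" in nsswitch.conf and /etc/hosts lists the hostname on the loopback line). Either putting dns first, as the post suggests, or keeping files first and giving the name its real address in /etc/hosts makes it pass. Paths are parameters so the functions run on constructed samples; resolve_self() is the live version. The host name kdc.example.com and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the HOWTO or the thread. Detects the KDC-only
# breakage described above: on the KDC host, its own name resolving to
# loopback via /etc/hosts because nsswitch.conf consults files before dns.
# Paths are parameters so the check runs offline on the samples below.

# Addresses an /etc/hosts-format file gives for an exact name, one per line.
hosts_lookup() {   # $1 = hosts file, $2 = name
    awk -v name="$2" '
        { sub(/#.*/, "") }                                   # strip comments
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$1"
}

# True (0) if the name is present and every address for it is loopback.
hosts_maps_to_loopback() {   # $1 = hosts file, $2 = name
    addrs=$(hosts_lookup "$1" "$2")
    [ -n "$addrs" ] || return 1
    if echo "$addrs" | grep -qvE '^(127\.|::1$)'; then
        return 1         # at least one real address
    fi
    return 0
}

# True (0) if the "hosts:" line names dns before files.
nsswitch_dns_first() {   # $1 = nsswitch.conf
    for src in $(awk '$1 == "hosts:" { $1 = ""; print; exit }' "$1"); do
        case $src in
            dns)   return 0 ;;
            files) return 1 ;;
        esac
    done
    return 1
}

# The broken combination: files answer first, and the hosts file pins the
# KDC's own name to loopback. Returns 0 when broken.
self_resolution_broken() {   # $1 = hosts file, $2 = nsswitch.conf, $3 = fqdn
    nsswitch_dns_first "$2" && return 1
    hosts_maps_to_loopback "$1" "$3"
}

# Live check for the KDC itself: what does the resolver return for us?
resolve_self() {
    fqdn=$(hostname -f) || return 2
    if self_resolution_broken /etc/hosts /etc/nsswitch.conf "$fqdn"; then
        echo "$fqdn resolves to loopback via /etc/hosts; Kerberos on this host will break" >&2
        return 1
    fi
    getent hosts "$fqdn"
}

# Constructed samples: the misconfiguration from the post and a correct one.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/hosts.bad" <<'EOF'
127.0.0.1   localhost kdc.example.com kdc   # whole box on loopback: wrong
EOF
cat > "$SAMPLE_DIR/hosts.good" <<'EOF'
127.0.0.1   localhost
192.0.2.10  kdc.example.com kdc
EOF
printf 'hosts: files dns\n' > "$SAMPLE_DIR/nsswitch.files"
printf 'hosts: dns files\n' > "$SAMPLE_DIR/nsswitch.dns"

self_resolution_broken "$SAMPLE_DIR/hosts.bad"  "$SAMPLE_DIR/nsswitch.files" kdc.example.com && echo "bad hosts, files first: broken"
self_resolution_broken "$SAMPLE_DIR/hosts.good" "$SAMPLE_DIR/nsswitch.files" kdc.example.com || echo "good hosts, files first: ok"
```

One caveat on the "dns first" fix: with "hosts: dns files" every lookup of a local name waits on DNS before /etc/hosts is tried, so when the network or the DNS server is down the box gets slow to resolve even itself. Fixing the /etc/hosts entry avoids that and is the less surprising of the two on the KDC, which is usually also the DNS server in a small setup.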
tekknokrat
Apprentice
Posts: 278
Joined: Sun Apr 17, 2005 8:51 am
Location: Magdeburg


Post by tekknokrat » Sun Nov 18, 2007 6:28 pm

Your howto reads as if it fits my needs. After an overview reading, as a Kerberos/LDAP newbie:

Does this guide make the basic environment for an SSO based network?
I mean, if my Windows users are authenticated, does this include ticket generation for use with other services, e.g. Kerberos-supported IMAP or mod_auth_kerb?

How much effort will it take to use ldap as a kerberos backend for your configuration? Some caveats?

regards
Optimism is solely an absence of information. / Optimismus ist nur ein Mangel an Information.
(Arthur Schopenhauer)
SeeksTheMoon
Apprentice
Posts: 163
Joined: Wed Sep 24, 2003 8:31 am


Post by SeeksTheMoon » Tue Sep 07, 2010 10:31 am

Note that kadmind tries to obtain data from /dev/random when starting up. If the KDC host machine's entropy pool is empty, the kadmind daemon will hang until it gets what it needs. The quickest way to build some entropy is to type gibberish into a terminal and/or move the mouse around a lot. This can be a problem if the KDC host is headless and without a keyboard and mouse. (need a good solution here)

emerge and start audio-entropyd or video-entropyd or (my favorite) timer_entropyd to increase the entropy pool
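Whichever entropy daemon is used, the init sequence should not start kadmind until the pool has actually filled. The block below is an added example, not code from the HOWTO or the thread: it reads the kernel's entropy counter and waits, with a bound, before the admin server is started. The threshold and timeout are assumptions, and the counter file is a parameter so the check runs on constructed samples.

```shell
#!/bin/sh
# Added example, not from the HOWTO or the thread. A pre-start guard for
# the hang described above: kadmind reads /dev/random at startup and blocks
# while the kernel's pool is low, so a headless KDC can stall at boot. Read
# the kernel's entropy counter and wait, with a bound, for the entropy
# daemon to fill the pool before starting kadmind. Threshold and timeout
# are assumptions; the file is a parameter so the check runs on a sample.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
MIN_ENTROPY=256      # assumed comfortable margin, in bits
TIMEOUT=60           # assumed bound, in seconds

# True (0) if the counter in the given file is at least the minimum.
entropy_ok() {   # $1 = entropy_avail-style file, $2 = minimum
    avail=$(tr -dc '0-9' < "$1" 2>/dev/null)
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# Poll once a second for up to $3 seconds; 0 once the pool is large enough,
# 1 on timeout so the caller can decide whether to start kadmind anyway.
wait_for_entropy() {   # $1 = file, $2 = minimum, $3 = timeout in seconds
    i=0
    while [ "$i" -lt "$3" ]; do
        entropy_ok "$1" "$2" && return 0
        sleep 1
        i=$((i + 1))
    done
    entropy_ok "$1" "$2"
}

# How it would be used on the KDC, just before the admin server starts
# (the init script path is the one mentioned earlier in this thread):
#   if wait_for_entropy "$ENTROPY_FILE" "$MIN_ENTROPY" "$TIMEOUT"; then
#       /etc/init.d/mit-krb5kadmind start
#   else
#       echo "entropy pool still below $MIN_ENTROPY bits; kadmind would block" >&2
#   fi

# Constructed sample counters standing in for entropy_avail.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
echo 3987 > "$SAMPLE_DIR/full"
echo 12   > "$SAMPLE_DIR/empty"
entropy_ok "$SAMPLE_DIR/full" "$MIN_ENTROPY" && echo "full: kadmind can start"
wait_for_entropy "$SAMPLE_DIR/empty" "$MIN_ENTROPY" 2 || echo "empty: still starved after 2s"
```

Two notes for anyone reading this later. Kernels from 5.6 onward only block on /dev/random until the pool is seeded once at boot, so the hang is a problem for older kernels or very early in boot; and the real fix for a headless box is a hardware source (a TPM, or virtio-rng on a VM) fed into the pool by rngd, rather than a timing-jitter daemon alone.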