
Saturday, December 21, 2013

LDAP server with Kerberos

 
 
OpenLDAP server: krbserver1.fireblade.com
Kerberos Server: krbserver1.fireblade.com
DNS Server: krbserver1.fireblade.com
Client machine: station13.fireblade.com

INITIAL SETUP
Set up DNS with BIND on krbserver1.fireblade.com. The forward (A) and reverse (PTR) records of every host must agree: by default the Kerberos libraries canonicalize a server's name through DNS before building its host/&lt;fqdn&gt; principal, so a missing or mismatching PTR record produces the wrong principal name and authentication fails. (On releases that support it, `rdns = false` in [libdefaults] avoids the reverse lookup altogether and removes that dependency on reverse DNS.)

LDAP SERVER SETUP
Setup a LDAP server with the domain fireblade.com in krbserver1.fireblade.com.
# yum install openldap-*
Generate the hashed directory manager password. The command is `slappasswd` (two p's); it prompts for a password and prints an {SSHA} hash, which is what goes into rootpw below so that the cleartext never lands in the config file.
# slappasswd
Open the configuration file and make the following changes.
# vim /etc/openldap/slapd.conf

# slapd.conf fragment: a single BDB backend holding the fireblade.com tree.
database        bdb
suffix          "dc=fireblade,dc=com"
# The rootdn bypasses all access controls; it is used here only to load the
# initial entries with ldapadd.
rootdn          "cn=Manager,dc=fireblade,dc=com"
# Output of slappasswd (salted SHA-1), never the cleartext password.
# NOTE(review): the hash is still offline-crackable, so keep this file
# readable by root and the slapd service user only.
rootpw          {SSHA}1j20X9NC+axyGp2IzcS086C7MZ6dyCQj
Save the configuration file, then start the service and enable it at boot.
# service ldap start
# chkconfig ldap on

Create LDAP entries by using the following ldif file.


# cat initial.ldif
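# initial.ldif - base entry plus the People and Groups containers.
# LDIF records must be separated by a blank line; run together (as the
# original listing was) ldapadd reads the three records as one malformed
# entry and rejects the whole file.
dn: dc=fireblade,dc=com
objectclass: dcObject
objectclass: organization
o: fireblade.com
dc: fireblade

dn: ou=People,dc=fireblade,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=fireblade,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups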

Add the base entry and the initial People and Groups OUs (`-W` prompts for the Manager password instead of taking it on the command line; note that a simple bind over plain ldap:// sends that password in clear text, so run this on the LDAP host itself or over TLS):
# ldapadd -x -W -D "cn=Manager,dc=fireblade,dc=com" -f initial.ldif

Create some test users using the following ldif file
# cat firstuser.ldif
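# firstuser.ldif - POSIX account for the test user vasanth.
# Two things slapd enforces that the original listing got wrong: the entry
# must live under this server's suffix (dc=fireblade,dc=com, not
# dc=example,dc=com), and the RDN value (uid=vasanth) must also be present
# as the entry's uid attribute - otherwise the add fails with a naming
# violation.
dn: uid=vasanth,ou=People,dc=fireblade,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Vasanth
uid: vasanth
uidNumber: 3000
# NOTE(review): no group with gidNumber 3000 is created under ou=Groups on
# this page; add one or the primary group will not resolve on clients.
gidNumber: 3000
homeDirectory: /home/vasanth
loginShell: /bin/bash
gecos: Vasanth
# No usable LDAP password: authentication is delegated to Kerberos, so a
# simple bind as this user can never succeed.
userPassword: {crypt}x
# NOTE(review): placeholder shadow values. pam_unix treats
# shadowLastChange: 0 as "password change required"; confirm the client's
# account stack tolerates this before relying on these defaults.
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0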


Add the test user to LDAP. Use `-W` to be prompted for the Manager password: `-w redhat` puts the password on the command line, where every local user can read it via `ps` and where it is kept in the shell history. The file name must match the one created above (firstuser.ldif).
 # ldapadd -x -W -D "cn=Manager,dc=fireblade,dc=com" -f firstuser.ldif

Configuring KDC
# yum install -y krb5-server krb5-workstation


# vi /etc/krb5.conf
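# /etc/krb5.conf - Kerberos library configuration for the FIREBLADE.COM realm.
# This file holds no secrets and is copied unchanged to every client.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FIREBLADE.COM
# The realm and KDC are pinned in [realms] rather than discovered through
# DNS SRV/TXT records, so a spoofed DNS answer cannot redirect clients.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
# Both the KDC and kadmind run on krbserver1.fireblade.com. The original
# listing pointed at server1.fireblade.com, a host that does not exist in
# this setup, so clients could never reach the KDC.
 FIREBLADE.COM = {
  kdc = krbserver1.fireblade.com:88
  admin_server = krbserver1.fireblade.com:749
  default_domain = fireblade.com
 }
# The EXAMPLE.COM realm left over from the stock template is not used here
# and has been dropped.

[domain_realm]
 .fireblade.com = FIREBLADE.COM
 fireblade.com = FIREBLADE.COM
 station13.fireblade.com = FIREBLADE.COM

[appdefaults]
 pam = {
# validate = true makes pam_krb5 check the freshly obtained TGT against the
# host key in the local /etc/krb5.keytab, so a rogue KDC cannot fake a
# successful login. Every client therefore needs its own host/<fqdn>
# principal exported to its keytab; the page adds that for krbserver1 but
# the station13 step is cut off.
  validate = true
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }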

Save the file.
Edit /var/kerberos/krb5kdc/kdc.conf


# vi  /var/kerberos/krb5kdc/kdc.conf
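# /var/kerberos/krb5kdc/kdc.conf - KDC and kadmind settings for FIREBLADE.COM.
# The "v4_mode = nopreauth" line of the original has been dropped: Kerberos 4
# compatibility is obsolete and current MIT releases no longer implement it.
[kdcdefaults]
 kdc_tcp_ports = 88

[realms]
 FIREBLADE.COM = {
# Leave master_key_type commented out unless you deliberately want a 3DES
# master key.
#  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
# dict_file only applies to principals that carry a password policy. The
# addprinc calls below create principals with no policy ("WARNING: no policy
# specified"), so define one with add_policy and pass -policy to addprinc if
# dictionary checks are actually wanted.
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Key types generated for new principals. The single-DES types (des-cbc-crc,
# des-cbc-md5, des-hmac-sha1) and the v4/afs3 salts of the original list are
# gone: 56-bit DES is brute-forceable and deprecated by RFC 6649. The ktadd
# output further down shows this KDC already generating AES keys, so AES is
# safe to require; add des3-hmac-sha1:normal or arcfour-hmac:normal back only
# for a legacy client that demonstrably needs them.
  supported_enctypes = aes256-cts:normal aes128-cts:normal
# Require pre-authentication by default so an unauthenticated AS-REQ cannot
# obtain material for an offline password-guessing attack on a principal.
  default_principal_flags = +preauth
 }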


# vi /var/kerberos/krb5kdc/kadm5.acl
# Any principal whose instance is "admin" (for example root/admin@FIREBLADE.COM)
# receives every kadmind privilege ("*"); create */admin principals sparingly.
*/admin@FIREBLADE.COM   *

Create the KDC database. The `-s` flag writes a stash file (a dot-file in /var/kerberos/krb5kdc, hidden from the unqualified `ls` below) containing the master key so the KDC can start without a password prompt; anyone who can read it can decrypt the whole principal database, so it must stay owned by and readable only to root.


# kdb5_util create -r FIREBLADE.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'FIREBLADE.COM',
master key name 'K/M@FIREBLADE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
[root@krb-kdc1 ~]# ls /var/kerberos/krb5kdc/*
/var/kerberos/krb5kdc/kadm5.acl  /var/kerberos/krb5kdc/principal        /var/kerberos/krb5kdc/principal.kadm5.lock
/var/kerberos/krb5kdc/kdc.conf   /var/kerberos/krb5kdc/principal.kadm5  /var/kerberos/krb5kdc/principal.ok


Create principals for the admin user (root/admin) and for vasanth, then export the kadmin/admin and kadmin/changepw keys into the keytab that kadmind reads (admin_keytab in kdc.conf). The "no policy specified" warnings mean no password policy (minimum length, dictionary check, history) applies to these principals; create one with `add_policy` and pass `-policy <name>` to addprinc if you want those checks. Note that the key types in the ktadd output (AES, 3DES, RC4, DES) reflect the supported_enctypes in force when the principals were created and do not match the kdc.conf shown above, which lists no AES type at all.


# kadmin.local
Authenticating as principal root/admin@FIREBLADE.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@FIREBLADE.COM; defaulting to no policy
Enter password for principal "root/admin@FIREBLADE.COM": 
Re-enter password for principal "root/admin@FIREBLADE.COM": 
Principal "root/admin@FIREBLADE.COM" created.
kadmin.local:  addprinc vasanth
WARNING: no policy specified for vasanth@FIREBLADE.COM; defaulting to no policy
Enter password for principal "vasanth@FIREBLADE.COM": 
Re-enter password for principal "vasanth@FIREBLADE.COM": 
Principal "vasanth@FIREBLADE.COM" created.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
kadmin.local:  exit
# /etc/init.d/krb5kdc start; /etc/init.d/kadmin start ; chkconfig krb5kdc on; chkconfig kadmin on


Copy krb5.conf to the client machine station13.fireblade.com. The file contains no secrets (unlike keytabs, which should never be copied around this way), and `-r` is unnecessary for a single file:
# scp /etc/krb5.conf root@station13.fireblade.com:/etc/

Add host principals on the KDC and on the client. The client's host/station13.fireblade.com key must end up in station13's /etc/krb5.keytab, otherwise the `validate = true` setting in krb5.conf has nothing to verify the TGT against and logins will fail.

On krbserver1.fireblade.com, run kadmin.local:

on krbserver1


  # kadmin.local
  Authenticating as principal root/admin@FIREBLADE.COM with password.
  kadmin.local:  addprinc -randkey host/krbserver1.fireblade.com
  WARNING: no policy specified for host/krbserver1.fireblade.com@FIREBLADE.COM; defaulting to no policy
  Principal "host/krbserver1.fireblade.com@FIREBLADE.COM" created.
  kadmin.local:  ktadd host/krbserver1.fireblade.com
  kadmin.local:  exit

on station13
   # kadmin
