Research and Development Network

h1. Kerberos Server

[[Kerberos Tests]]

h2. Server Installation

h3. Guides

* MIT Kerberos KDC guide http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/install_kdc.html

* Kerberos/LDAP on Ubuntu http://bobcares.com/blog/?p=435

* Spinlock Guide on Kerberos http://techpubs.spinlocksolutions.com/dklar/kerberos.html

* http://www.rjsystems.nl/en/2100-kerberos-openldap-openafs-client.php

* Ubuntu Single Sign On https://help.ubuntu.com/community/SingleSignOn

* Ubuntu Kerberos https://help.ubuntu.com/community/Kerberos

* VISolve's guide http://www.visolve.com/system_services/opensource/security/ssh.php

* Stanford Guide to Kerberos on Debian http://itservices.stanford.edu/service/kerberos/install_debian

* Illinois NCSA Guide to Using Kerberos http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/unix_clients.html

h3. DNS autodiscovery

http://www.rjsystems.nl/en/2100-dns-discovery-kerberos.php

<pre>

_kerberos._udp.DEV.RU.IS.         IN  SRV  10  0   88  gryla.dev.ru.is.

_kerberos._udp.DEV.RU.IS.         IN  SRV  20  0   88  stekkjarstaur.dev.ru.is.

_kerberos-master._udp.DEV.RU.IS.  IN  SRV   0  0   88  gryla.dev.ru.is.

_kerberos-adm._tcp.DEV.RU.IS.     IN  SRV   0  0  749  stekkjarstaur.dev.ru.is.

_kpasswd._udp.DEV.RU.IS.          IN  SRV   0  0  464  gryla.dev.ru.is.

</pre>

Don't forget to set autodiscovery up for [[AFS_Server]] also!

h3. Getting started

# Install the packages and setup the cache

<pre>

apt-get install krb5-kdc krb5-admin-server

</pre>

** Our realm is @DEV.RU.IS@

** Kerberos server: @kerberos.dev.ru.is@

** Kerberos authoritative server: @kerberos.dev.ru.is@

** If you need to fix this later, run @dpkg-reconfigure krb5-config@

# Setup the realm, including keys

<pre>krb5_newrealm</pre>

** Temp master password: DrWhoNemesis

# Edit the @/etc/krb5.conf@ 

## search for @[domain_realm]@ and add these lines after

<pre>

.dev.ru.is = DEV.RU.IS

dev.ru.is = DEV.RU.IS

[logging]

	kdc = FILE:/var/log/kerberos/krb5kdc.log

	admin_server = FILE:/var/log/kerberos/kadmin.log

	default = FILE:/var/log/kerberos/krb5lib.log

</pre>

## Near the top under [libdefaults]

<pre>

       dns_lookup_realm = true

       dns_lookup_kdc = true

# need this for AFS                                                              

       allow_weak_crypto = true

</pre>

# Make the empty log files

<pre>

sudo mkdir /var/log/kerberos

sudo touch /var/log/kerberos/{krb5kdc,kadmin,krb5lib}.log

sudo chmod -R 750  /var/log/kerberos

</pre>

h3. Time

# Kerberos only works if the clocks on clients and servers differ no more than a few minutes.  SEtup an NTP server, preferably local.

<pre>sudo apt-get install ntp ntpdate</pre>

h3. Administrative user and KDC config

# Create an administrative user through @kadmin.local@

<pre>kadmin.local

addprinc -policy admin administrator

addprinc -policy admin root/admin

</pre>

** Our temp admin password is: MadameMing!

<pre>quit</pre>

# Edit @/etc/krb5kdc/kadm5.acl@ and add

<pre>*/admin *

administrator *

* il

*/root admc host/*

</pre>

# Then restart the servers

<pre>service krb5-admin-server restart

service krb5-kdc restart

</pre>

# Set some requirements for principals

<pre>sudo kadmin.local

Authenticating as principal root/admin@SPINLOCK.HR with password.

kadmin.local:  add_policy -minlength 8 -minclasses 3 admin

kadmin.local:  add_policy -minlength 16 -minclasses 4 host

kadmin.local:  add_policy -minlength 8 -minclasses 4 service

kadmin.local:  add_policy -minlength 8 -minclasses 2 user

kadmin.local:  quit

</pre>

h2. Configuration

# @/etc/krb5kdcs/krb5prop.sh@ is run every hour on @kerberos.dev.ru.is@ which propogates the full database to @kerberos-1@ and @kerberos-2@

# crontab entry for root

<pre>23 * * * * /etc/krb5kdc/krb5prop.sh # sync from master</pre>

h3. Server Keys

* Make a principal and a keytab

<pre>

sudo kadmin -p root/admin

[sudo] password for foley: 

Authenticating as principal root/admin with password.

Password for root/admin@DEV.RU.IS: 

kadmin:  addprinc -policy service -randkey host/gryla.dev.ru.is

Principal "host/gryla.dev.ru.is@DEV.RU.IS" created.

kadmin:  ktadd -k /etc/krb5.keytab -norandkey host/gryla.dev.ru.is

kadmin: Principal -norandkey does not exist.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

</pre>

h2. Kerberos slave server

* http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/server-replication.html

* http://www.rjsystems.nl/en/2100-kerberos-slave.php

h3. Install for kerberos master 

# Setup the dump location

<pre>mkdir -p /var/lib/krb5dc/

/var/lib/krb5dc/from_master</pre>

# Now setup the dump and sync scripts into @/etc/krb5kdc/krb5prop.sh@

<pre>

#!/bin/bash

/usr/sbin/kdb5_util dump /var/lib/krb5kdc/slave_datatrans

/usr/sbin/kprop kerberos-1.dev.ru.is

/usr/sbin/kprop kerberos-2.dev.ru.is

chmod o+x krb5prop.sh@

Now setup the crontab

sudo crontab -e@

30 * * * * /etc/krb5kdc/krb5prop.sh # sync from master</pre>

h3. Install for slave

This example is for stekkjarstaur.dev.ru.is.  Change the hostname as neccessary.

#  Install the servers and xinetd

## sudo apt-get install krb5-kdc xinetd

# Get kerberos principals setup

<pre>addprinc -randkey host/stekkjarstaur.dev.ru.is

ktadd host/stekkjarstaur.dev.ru.is

Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/stekkjarstaur.dev.ru.is with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

</pre>

# Login to the slaves and make sure that kpropd is setup in xinetd

<pre>sudo emacs /etc/xinetd.d/krb_prop</pre>

## Put this inside the file

<pre># default: on

service krb_prop

{

        disable         = no

        socket_type     = stream

        id              = krb_prop

        protocol        = tcp

        user            = root

        wait            = no

        server          = /usr/sbin/kpropd

}</pre>

## Restart xinetd

<pre>sudo service xinetd restart</pre>

## Note that this will not show up as an open port in nmap, I do not know why.

# Initialize an empty kerberos database

<pre>kdb5_util create

Loading random data

Initializing database '/etc/krb5kdc/principal' for realm 'DEV.RU.IS',

master key name 'K/M@DEV.RU.IS'

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key: 

Re-enter KDC database master key to verify: 

</pre>

## Make sure this password is the same as the main master password to avoid a possible problem

# Setup the ACL file

<pre>vi /etc/krb5kdc/kpropd.acl</pre>

## Add the principals of the master server

<pre>host/gryla.dev.ru.is@DEV.RU.IS</pre>

h1. Kerberized Clients

h2. Install

# Install the packages

<pre>sudo apt-get install krb5-clients</pre>

# Install openbsd's inetd server and config

<pre>sudo apt-get install openbsd-inetd

sudo apt-get install krb5-rsh-server

sudo update-rc.d -f openbsd-inetd remove

sudo update-rc.d openbsd-inetd defaults

sudo update-inetd --enable kshell

sudo update-inetd --enable eklogin

sudo invoke-rc.d openbsd-inetd restart

</pre>

# Setup the keytab on the host

<pre>sudo kadmin

[sudo] password for foley: 

Authenticating as principal foley/admin@DEV.RU.IS with password.

Password for foley/admin@DEV.RU.IS: 

kadmin:  addprinc -policy service -randkey host/stekkjarstaur.dev.ru.is

Principal "host/stekkjarstaur.dev.ru.is@DEV.RU.IS" created.

kadmin:  ktadd -k /etc/krb5.keytab -norandkey host/gryla.dev.ru.is

kadmin: Principal -norandkey does not exist.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.

Entry for principal host/gryla.dev.ru.is with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

</pre>

# Test with encryption and the ProtocolNew

<pre>krb5-rsh -x -PN gryla.dev.ru.is /bin/bash</pre>

## You should now be able to run commands on the host!

h2. Changing Max Ticket Lifetime

From http://serverfault.com/questions/132123/how-to-change-the-kerberos-default-ticket-lifetime

Do this on each of the kerberos servers: kerberos, kerberos-1, kerberos-2

# Become root

<pre> ksu </pre>

# edit /etc/krb5kdc/kdc.conf

# Change these values to ones you want.

<pre>        max_life = 168h 0m 0s

        max_renewable_life = 30d 0h 0m 0s

</pre>

# Restart the kdc

<pre>service krb5-kdc restart</pre>

# Fire up kadmin

<pre>kadmin</pre>

## Change the max lifetime of the main tgt

<pre>modprinc -maxlife 168hours krbtgt/DEV.RU.IS</pre>

## Change the max lifetime of the principal you want to be longer

<pre>modprinc -maxlife 168hours host/syslab.hir.is</pre>

# Test the modification 

## As a host

<pre>kinit -k -l 168h</pre>

## or for a normal principal

<pre>kinit -l 168h foley</pre>

h3. AFS token lifetime

This is controlled partially by the afs entry in kerberos database.  From http://docs.openafs.org/AdminGuide/ch02s10.html

# Fire up kadmin

<pre>kadmin</pre>

# Set the lifetimes on the AFS principal

<pre>modprinc -maxlife 168hours afs/dev.ru.is

h2. Issues

* You may get an connection refused.  It usually means that the port is not correct.  Add this line to the server's /etc/inetd.conf

<pre> klogin          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/klogin\

d -5ec

</pre>

* If kerberos has issues, check on the PTR records and other DNS config.  It is one of the things that gets checked by kerberos

** Look into /etc/hosts and make sure that it matches the hostname in the ke

h1. LDAP install

# Install packages

<pre>apt-get install slapd ldap-utils libsasl2-modules-gssapi-mit</pre>

# Configure the administrator password for slapd (https://help.ubuntu.com/community/OpenLDAPServer)

<pre>slappasswd</pre>

## Set password to: waynegretzky

## Take the output: {SSHA}7UP8FDS0CZ8H8Hj8XPEtYkoeg0Cgy9bh

# Create organizational units in initial file @tree.ldif

<pre>dn: ou=users,dc=dev,dc=ru,dc=is

objectClass: organizationalUnit

ou:users

dn: ou=groups,dc=dev,dc=ru,dc=is

objectClass: organizationalUnit

ou: groups

</pre>

# Then add it to the ldap database

<pre>ldapadd -x -D "cn=admin,dc=dev,dc=ru,dc=is" -W -f tree.ldif</pre>

# These directions are unfinished due to inconsistencies in the config files and Ubuntu 10.04.  LDAP is not critical to AFS, so installation and instructions will be delayed for now --foley