Installation KDC

vmls1:

# Install KDC, admin server and client tools on vmls1.
# NOTE(review): krb5-kdc-ldap is installed too, but the kdc.conf below uses the
# file-backed database (/var/lib/krb5kdc/principal) and no LDAP settings, so the
# LDAP backend appears unused in this setup — confirm before keeping the package.
sudo apt update
sudo apt -y install krb5-user krb5-doc krb5-kdc krb5-admin-server krb5-kdc-ldap

Konfiguration KDC

vmls1:

# Stop both daemons before their configuration is replaced, then keep the
# packaged defaults as *.BACKUP so they can be diffed against or restored.
sudo systemctl stop krb5-kdc
sudo systemctl stop krb5-admin-server
sudo mv /etc/krb5kdc/kdc.conf /etc/krb5kdc/kdc.conf.BACKUP
sudo mv /etc/krb5.conf /etc/krb5.conf.BACKUP

vmls1: /etc/krb5kdc/kdc.conf:

# KDC configuration for realm M159.IET-GIBB.CH, file-backed principal database.
[libdefaults]
	default_realm = M159.IET-GIBB.CH
[kdcdefaults]
	# 88 is the standard Kerberos port; 750 is the legacy kerberos-iv port and
	# is only needed for very old clients — drop it if none exist.
	kdc_ports = 750,88
[realms]
	M159.IET-GIBB.CH = {
		database_name = /var/lib/krb5kdc/principal
		admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
		# kadm5.acl decides which principals may administer the realm.
		acl_file = /etc/krb5kdc/kadm5.acl
		# The stash holds the database master key in the clear so the KDC can
		# start unattended; it must stay readable by root only.
		key_stash_file = /etc/krb5kdc/stash
		kdc_ports = 750,88
		# Ticket lifetime limits: 10 h per ticket, renewable for at most 7 days.
		max_life = 10h 0m 0s
		max_renewable_life = 7d 0h 0m 0s
		# Left commented on purpose: the packaged krb5.conf note further down
		# explains that the built-in MIT enctype defaults are preferred.
		#master_key_type = aes256-cts
		#supported_enctypes = aes256-cts:normal aes128-cts:normal
		# Every new principal requires pre-authentication, so an AS-REP cannot
		# be obtained without first proving knowledge of the key.
		default_principal_flags = +preauth
	}
[logging]
	kdc = SYSLOG:INFO:AUTH
	admin_server = SYSLOG:INFO:AUTH

vmls1: /etc/krb5.conf:

# Client-library configuration on the KDC host itself.
[libdefaults]
	default_realm = M159.IET-GIBB.CH
	# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	# Tickets requested by default may be forwarded/proxied (delegation);
	# these are convenience defaults, not required for the tests below.
	forwardable = true
	proxiable = true
	# The following encryption type specification will be used by MIT Kerberos
	# if uncommented. In general, the defaults in the MIT Kerberos code are
	# correct and overriding these specifications only serves to disable new
	# encryption types as they are added, creating interoperability problems.
	#
	# The only time when you might need to uncomment these lines and change
	# the enctypes is if you have local software that will break on ticket
	# caches containing ticket encryption types it doesn't know about (such as
	# old versions of Sun Java).
	# (des3-hmac-sha1 is a deprecated enctype; keep these lines commented.)
	# default_tgs_enctypes = des3-hmac-sha1
	# default_tkt_enctypes = des3-hmac-sha1
	# permitted_enctypes = des3-hmac-sha1
	# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true
[realms]
	M159.IET-GIBB.CH = {
		# Short, mixed-case hostname here; the client config uses the FQDN
		# vmLS1.m159.iet-gibb.ch. Resolution of the short name on vmls1 must
		# work (hosts file or search domain) — TODO confirm.
		kdc = vmLS1
		admin_server = vmLS1
	}
[domain_realm]
	.m159.iet-gibb.ch = M159.IET-GIBB.CH
	m159.iet-gibb.ch = M159.IET-GIBB.CH
[logging]
	default = SYSLOG:INFO:AUTH

vmls1:

# Create the realm database. Without -s no stash file is written, which is
# consistent with the "Can not fetch master key" message in the separate
# `kdb5_util stash` step below; `kdb5_util create -s` does both in one go.
# Lines without '#' are typed at the prompts.
# NOTE(review): the master password is recorded in clear text in these notes
# and the same value is reused for every principal created further down.
sudo kdb5_util -r M159.IET-GIBB.CH create
 
# Loading random data
# Initializing database '/var/lib/krb5kdc/principal' for realm 'M159.IET-GIBB.CH',
# master key name 'K/M@M159.IET-GIBB.CH'
# You will be prompted for the database Master Password.
# It is important that you NOT FORGET this password.
# Enter KDC database master key:
sml12345
# Re-enter KDC database master key to verify:
sml12345

vmls1:

# Local (non-network) admin session on the KDC; -m asks for the master key
# because no stash exists yet. Lines without '#' are typed at the prompts.
# laura is the ordinary user principal; laura/admin is the administrative
# instance that the */admin rule in kadm5.acl later authorises.
# Both are created without a policy, so the password rules added later under
# "Administration mit kadmin" do not apply to them.
sudo kadmin.local -m -r M159.IET-GIBB.CH
# Authenticating as principal root/admin@M159.IET-GIBB.CH with password.
# Enter KDC database master key:
sml12345
# kadmin.local:
addprinc laura
# No policy specified for laura@M159.IET-GIBB.CH; defaulting to no policy
# Enter password for principal "laura@M159.IET-GIBB.CH":
sml12345
# Re-enter password for principal "laura@M159.IET-GIBB.CH":
sml12345
# Principal "laura@M159.IET-GIBB.CH" created.
# kadmin.local:
addprinc laura/admin
# No policy specified for laura/admin@M159.IET-GIBB.CH; defaulting to no policy
# Enter password for principal "laura/admin@M159.IET-GIBB.CH":
sml12345
# Re-enter password for principal "laura/admin@M159.IET-GIBB.CH":
sml12345
# Principal "laura/admin@M159.IET-GIBB.CH" created.

vmls1:

# Write the master key to /etc/krb5kdc/stash (key_stash_file in kdc.conf) so
# krb5-kdc can start without an operator. The "Can not fetch master key"
# warning appears because the stash does not exist yet; the key is entered
# interactively once. The resulting file must stay root-only — it contains
# the master key in the clear.
sudo kdb5_util -r M159.IET-GIBB.CH stash
# kdb5_util: Can not fetch master key (error: No such file or directory). while reading master key
# kdb5_util: Warning: proceeding without master key
# Enter KDC database master key:
sml12345

vmls1: /etc/default/krb5-kdc:

# Realm passed to krb5kdc at start-up (this file is sourced by the krb5-kdc service).
DAEMON_ARGS="-r M159.IET-GIBB.CH"

vmls1:

# Start the KDC only; krb5-admin-server is started later under "Kadmin Konfiguration".
sudo systemctl start krb5-kdc

Funktionstest KDC

vmls1:

# Smoke test: obtain a TGT for laura (password prompt) and list the credential
# cache. A krbtgt/M159.IET-GIBB.CH entry in klist shows the KDC answers.
kinit laura@M159.IET-GIBB.CH
klist

Installation Client

vmlp1:

# Installing krb5-user on the client triggers debconf prompts; the answers
# given are listed after each prompt. The hostnames are typed in upper case
# here while the generated /etc/krb5.conf below uses vmLS1.m159.iet-gibb.ch;
# either way the name must resolve to the KDC.
sudo apt update
sudo apt -y install krb5-user
# REALM:
M159.IET-GIBB.CH
# Kerberos-Server:
vmLS1.M159.IET-GIBB.CH
# Administrations-Server:
vmLS1.M159.IET-GIBB.CH

vmlp1: /etc/krb5.conf:

# Client-library configuration on vmlp1 (generated by the debconf answers above).
[libdefaults]
	default_realm = M159.IET-GIBB.CH
	# The following krb5.conf variables are only for MIT Kerberos.
	kdc_timesync = 1
	ccache_type = 4
	# Tickets requested by default may be forwarded/proxied (delegation);
	# these are convenience defaults, not required for the tests below.
	forwardable = true
	proxiable = true
	# The following encryption type specification will be used by MIT Kerberos
	# if uncommented. In general, the defaults in the MIT Kerberos code are
	# correct and overriding these specifications only serves to disable new
	# encryption types as they are added, creating interoperability problems.
	#
	# The only time when you might need to uncomment these lines and change
	# the enctypes is if you have local software that will break on ticket
	# caches containing ticket encryption types it doesn't know about (such as
	# old versions of Sun Java).
	# (des3-hmac-sha1 is a deprecated enctype; keep these lines commented.)
	# default_tgs_enctypes = des3-hmac-sha1
	# default_tkt_enctypes = des3-hmac-sha1
	# permitted_enctypes = des3-hmac-sha1
	# The following libdefaults parameters are only for Heimdal Kerberos.
	fcc-mit-ticketflags = true
[realms]
	M159.IET-GIBB.CH = {
		# FQDN of the KDC. sssd.conf below spells the same host in lower case
		# (vmls1.m159.iet-gibb.ch); both forms must resolve to the KDC.
		kdc = vmLS1.m159.iet-gibb.ch
		admin_server = vmLS1.m159.iet-gibb.ch
	}
[domain_realm]
	.m159.iet-gibb.ch = M159.IET-GIBB.CH
	m159.iet-gibb.ch = M159.IET-GIBB.CH
[logging]
	default = SYSLOG:INFO:AUTH

Kadmin Konfiguration

vmls1: /etc/krb5kdc/kadm5.acl:

# Every principal with an /admin instance gets all kadmin privileges ("*").
# Least-privilege alternative: one line per administrator with only the
# permission letters needed, e.g. "laura/admin@M159.IET-GIBB.CH *" and a
# narrower set for maxm/admin.
*/admin@M159.IET-GIBB.CH *

vmls1: /etc/default/krb5-admin-server:

# Enable kadmind and pass it the realm (file sourced by the krb5-admin-server service).
RUN_KADMIND=true
DAEMON_ARGS="-r M159.IET-GIBB.CH"
# The next line is a shell command run on vmls1, not part of this file.
sudo systemctl start krb5-admin-server

Administration mit kadmin

vmlp1:

# Remote admin session as laura/admin; kadmind authorises it via kadm5.acl.
# The add_policy/modify_policy lines are entered at the kadmin prompt.
# Policy "admin": 3650-day max life, 1-day min life, 4-character minimum,
# 3 classes, 10-entry history. NOTE(review): a 4-character minimum is very
# weak for administrative principals, and the modify_policy line then lowers
# the class requirement from 3 to 2.
# Policy "default": 1800-day max life, 6 characters, 2 classes, 8-entry history.
kadmin -p laura/admin
add_policy -maxlife 3650days -minlife 1day -minlength 4 -minclasses 3 -history 10 admin
add_policy -maxlife 1800days -minlife 1day -minlength 6 -minclasses 2 -history 8 default
modify_policy -minclasses 2 admin

vmlp1:

# Create user principals at the kadmin prompt.
# NOTE(review): -pw places the password on the command line, where it ends up
# in the kadmin history and is visible in the process list while the command
# runs; omitting -pw makes kadmin prompt for it instead.
# maxm/admin uses the "admin" policy (4-character minimum) defined above.
kadmin -p laura/admin
add_principal -policy default -pw sml12345 maxm
add_principal -policy default -pw sml12345 erim
add_principal -policy admin -pw sml12345 maxm/admin

vmlp1:

# Host principal for the client, entered at the kadmin prompt: -randkey gives
# it a random key instead of a password, +requires_preauth forces
# pre-authentication, and -clearpolicy detaches it from any password policy
# (irrelevant for a random-key principal).
kadmin -p laura/admin
add_principal -clearpolicy -randkey +requires_preauth host/vmlp1.m159.iet-gibb.ch@M159.IET-GIBB.CH

vmlp1:

# Functional test from the client: get a TGT as erim, then request a service
# ticket for the host principal. kvno prints the key version number; the
# ktadd step below re-keys the principal, so repeat this check afterwards to
# compare against the keytab's kvno.
kinit erim
kvno host/vmlp1.m159.iet-gibb.ch

vmlp1:

# Export the host key into the system keytab (ktadd at the kadmin prompt).
# ktadd generates a new key and increments the kvno, so a service ticket
# obtained before this step no longer matches the keytab.
# /etc/krb5.keytab holds a long-term key: keep it root:root, mode 0600.
sudo kadmin -p laura/admin
ktadd -k /etc/krb5.keytab host/vmlp1.m159.iet-gibb.ch

Installation SSSD

vmlp1:

# SSSD with the Kerberos auth provider; configured below so local accounts
# authenticate against the KDC.
sudo apt -y install sssd-krb5

vmlp1: /etc/sssd/sssd.conf:

# SSSD: local identities (files), passwords verified by Kerberos.
[sssd]
config_file_version = 2
# Only the PAM responder is enabled; no NSS lookups go through SSSD.
services = pam
domains = m159.iet-gibb.ch
[pam]
[domain/m159.iet-gibb.ch]
# Accounts must exist locally (proxy to the files backend), which is why
# `adduser maxm` is run below; only authentication is delegated to Kerberos.
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
# Lower-case FQDN here, mixed case in krb5.conf — both must resolve to the KDC.
krb5_server = vmls1.m159.iet-gibb.ch
krb5_kpasswd = vmls1.m159.iet-gibb.ch
krb5_realm = M159.IET-GIBB.CH

vmlp1:

# sssd requires its configuration to be owned by root and readable by root
# only (0600); it will not start otherwise.
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf
sudo systemctl start sssd

vmlp1:

# Create the matching local account (required by id_provider = proxy / files).
# The '#' lines below are adduser's German-locale output: uid 1002 / gid 1003,
# home /home/maxm, then the password prompt and the GECOS questions.
# The cracklib dictionary is missing, so the password is accepted without a
# dictionary check.
# NOTE(review): the local password set here remains a second, non-Kerberos
# credential for maxm unless the PAM stack is restricted to sssd — confirm.
sudo adduser maxm
# Benutzer »maxm« wird hinzugefügt …
# Neue Gruppe »maxm« (1003) wird hinzugefügt …
# Neuer Benutzer »maxm« (1002) mit Gruppe »maxm« wird hinzugefügt …
# Persönliche Ordner »/home/maxm« wird erstellt …
# Dateien werden von »/etc/skel« kopiert …
# Geben Sie ein neues Passwort ein:
welcome123
# /var/cache/cracklib/cracklib_dict.pwd: Datei oder Verzeichnis nicht gefunden
# Unsicheres Passwort: Das Passwort besteht den Wörterbuchtest nicht - Fehler beim Laden des Wörterbuchs
# Geben Sie das neue Passwort erneut ein: 
welcome123
# passwd: Passwort erfolgreich geändert
# Benutzerinformationen für maxm werden geändert.
# Geben Sie einen neuen Wert an oder drücken Sie ENTER für den Standardwert
# 	Vollständiger Name []: 
# 	Zimmernummer []: 
# 	Telefon geschäftlich []: 
# 	Telefon privat []: 
# 	Sonstiges []: 
# Ist diese Information richtig? [J/N]
j
# Test: log in as maxm; with the sssd.conf above the password should be
# checked against the KDC (the maxm principal created earlier).
sudo login maxm