Work in progress

This site is in the process of being reviewed and updated.

Introduction

These instructions are specific to Fedora Core 6. Interoperability with other clients is possible, but is not addressed here. The goal of this document is to describe how to set up a network so that Apache Directory provides "realm control", that is:

  1. User information (UID/GID/home directories) accessible using LDAP.
  2. Automount information accessible using LDAP.
  3. User authentication using Kerberos.
  4. Password changes using the Kerberos Change Password protocol (kpasswd).
  5. NFSv4 file sharing using Kerberos and Automount.
  6. Network time synchronization using NTP.

Software Requirements

You'll need the following software.

Server

  • Apache Directory 1.5.2

Client

  • krb5-libs
  • krb5-workstation
  • cyrus-sasl-gssapi
  • openldap-clients
  • pam_krb5
  • nss_ldap

pam_krb5 lets you use Kerberos for authentication, while nss_ldap lets the C library's name service (getpwnam and related routines, as configured in /etc/nsswitch.conf) look up user and group information in LDAP. pam_krb5 itself calls getpwnam to find the account, and so do ordinary commands: a simple "ls -l" needs to map UIDs to names and will therefore query LDAP. If the continuous LDAP traffic causes performance problems, the nscd service caches the answers obtained via nsswitch.

Prerequisites

  • Time synchronization - The clocks of the KDC, servers and clients must agree within the Kerberos clockskew (5 minutes by default); otherwise tickets are rejected.
  • Hostname resolution - All hosts must have their hostname set to the fully qualified hostname as reported by DNS. Both forward and reverse mapping must work properly. The host may be referenced by a CNAME, but the official host name (as reported by hostname) must be an 'A' record, since service principals are named after it.

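The following script, added here as an example and not part of the original page, checks both prerequisites on a host before any Kerberos configuration is attempted. It assumes ntpdate and getent are installed (both are on Fedora Core 6); kdc1.example.com as the time source and the 300-second limit (MIT Kerberos' default clockskew) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check both prerequisites
# before setting up Kerberos. kdc1.example.com as the NTP source and the
# 300-second limit (MIT Kerberos' default clockskew) are assumptions.
MAX_SKEW=${MAX_SKEW:-300}

# skew_ok OFFSET MAX: succeed when |OFFSET| seconds (may be negative or
# fractional) is within MAX. awk does the arithmetic; sh has no floats.
skew_ok() {
    [ -n "$1" ] || return 1
    awk -v off="$1" -v max="$2" \
        'BEGIN { if (off < 0) off = -off; exit !(off <= max) }'
}

# clock_offset HOST: query (not set) the offset against an NTP server.
# ntpdate -q prints "server A.B.C.D, stratum 2, offset 0.003214, delay 0.02"
clock_offset() {
    ntpdate -q "$1" | awk -F'offset ' '/stratum/ { split($2, a, ","); print a[1]; exit }'
}

# fqdn_consistent NAME ADDR PTRNAME: the host name must be fully qualified,
# resolve to an address, and the reverse record must name it back
fqdn_consistent() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ] && [ "$1" = "$3" ]
}

# check_prereqs [NTP_SERVER]: run both checks against this host
check_prereqs() {
    ntp_server=${1:-kdc1.example.com}
    off=$(clock_offset "$ntp_server")
    [ -n "$off" ] || { echo "clock: no answer from $ntp_server" >&2; return 1; }
    if skew_ok "$off" "$MAX_SKEW"; then
        echo "clock: offset ${off}s from $ntp_server is within ${MAX_SKEW}s"
    else
        echo "clock: offset ${off}s exceeds clockskew ${MAX_SKEW}s; fix NTP first" >&2
        return 1
    fi
    name=$(hostname -f)
    addr=$(getent hosts "$name" | awk '{ print $1; exit }')
    ptr=$(getent hosts "$addr" | awk '{ print $2; exit }')
    if fqdn_consistent "$name" "$addr" "$ptr"; then
        echo "dns: $name -> $addr -> $ptr agree"
    else
        echo "dns: hostname '$name', address '$addr', reverse '$ptr' do not agree" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then check_prereqs "$@"; fi
```

Run it as "sh prereq-check.sh kdc1.example.com" on every KDC, server and client. A host whose hostname -f returns a CNAME fails the reverse check by design, because the reverse record names the 'A' record.
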
Firewall Configuration

It is highly recommended that a firewall (for example iptables) be used to restrict access. The following ports must be reachable from your clients, and should be reachable only from them.

Service          Transport   Port   Description
Kerberos         TCP/UDP     88     Authentication (KDC).
Change Password  TCP/UDP     464    Password changing (kpasswd).
LDAP             TCP         389    Directory access (clear text or STARTTLS).
LDAPS            TCP         636    LDAP over SSL.
NTP              UDP         123    Time synchronization.
NFSv4            TCP         2049   File sharing (NFSv4 needs no portmapper or mountd port).
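As an added example (not from the original page), the script below generates iptables rules that open exactly the ports in the table, and only to one client network. It assumes a single host runs the KDC, Change Password, LDAP, NTP and NFSv4 services; 10.0.0.0/24 stands in for your client network.

```shell
#!/bin/sh
# Added example, not from the original page: iptables rules for the ports
# in the table above, restricted to one client network (10.0.0.0/24 is a
# placeholder). Assumes one host runs all of the services listed.

# realm_ports: one "name transport port" line per row of the table
realm_ports() {
    cat <<'EOF'
kerberos tcp 88
kerberos udp 88
kpasswd  tcp 464
kpasswd  udp 464
ldap     tcp 389
ldaps    tcp 636
ntp      udp 123
nfs4     tcp 2049
EOF
}

# firewall_rules CLIENT_NET: print the rule set; review it before applying
firewall_rules() {
    net=$1
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    realm_ports | while read -r name transport port; do
        echo "iptables -A INPUT -s $net -p $transport --dport $port -j ACCEPT  # $name"
    done
    echo "iptables -A INPUT -j LOG --log-prefix 'realm-drop: '"
}

# rule_count CLIENT_NET: number of service rules emitted (one per table row)
rule_count() { firewall_rules "$1" | grep -c -- '--dport'; }

# apply_rules CLIENT_NET: load the rules (run as root). Add an ACCEPT for
# your own SSH port first, or you will lock yourself out.
apply_rules() { firewall_rules "$1" | sh -e; }

if [ $# -gt 0 ]; then firewall_rules "$1"; fi
```

Kerberos and kpasswd are opened for both TCP and UDP because MIT clients try UDP first and fall back to TCP for large tickets. The table does not list SSH, so add your management port before loading the rules.
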

Kerberos Servers

The first thing to set up is your Kerberos servers (the KDCs). With Apache Directory the KDC and the Change Password service run inside the directory server.

  1. Edit /etc/krb5.conf
    1. Replace EXAMPLE.COM with your realm
    2. Replace example.com with your domain
  2. Create the KDC host principal.
  3. Test with kinit and klist that a user can obtain a ticket.

Kerberos Clients

  1. Edit /etc/krb5.conf
    1. Replace EXAMPLE.COM with your realm
    2. Replace example.com with your domain
  2. Confirm with kinit and klist that a user can obtain a ticket from the KDC.

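The same /etc/krb5.conf is needed on the KDC and on every client, so the following script, added here as an example and not part of the original page, renders it from the realm, domain and KDC host name and then verifies the result with kinit and klist. EXAMPLE.COM, example.com and kdc1.example.com are the page's placeholders; DNS lookups for realm and KDC are disabled so the mapping does not depend on SRV/TXT records you may not control, and no admin_server is set because that entry is only used by MIT kadmin.

```shell
#!/bin/sh
# Added example, not from the original page: render /etc/krb5.conf for a
# realm served by Apache Directory (KDC and kpasswd on the same host) and
# verify it. EXAMPLE.COM / example.com / kdc1.example.com are placeholders.

# render_krb5_conf REALM DOMAIN KDC_HOST: print the configuration
render_krb5_conf() {
    realm=$1 domain=$2 kdc=$3
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false
    clockskew = 300
    forwardable = yes

[realms]
    $realm = {
        kdc = $kdc:88
        kpasswd_server = $kdc:464
        default_domain = $domain
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
    }
EOF
}

# install_krb5_conf REALM DOMAIN KDC_HOST [DEST]: write the file (as root
# on each KDC and client); DEST defaults to /etc/krb5.conf
install_krb5_conf() {
    dest=${4:-/etc/krb5.conf}
    render_krb5_conf "$1" "$2" "$3" > "$dest"
    chmod 644 "$dest"
}

# verify_kerberos USER REALM: obtain a TGT, list it, discard it. Fails on
# clock skew, an unreachable KDC or a wrong domain_realm mapping.
verify_kerberos() {
    kinit "$1@$2" || return 1
    klist
    kdestroy
}

if [ $# -eq 3 ]; then render_krb5_conf "$1" "$2" "$3"; fi
```

Run "sh krb5-conf.sh EXAMPLE.COM example.com kdc1.example.com" to review the output, then install it and run verify_kerberos for a test user. The [appdefaults] pam section is read by pam_krb5 and is harmless on the KDC itself.
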
Configuring Kerberos logon without LDAP

Once you have Kerberos working, you'll be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, add a local entry for your username to the passwd and shadow files, but set the password field in /etc/shadow to K, the convention for indicating that the password comes from Kerberos. K is not a valid crypt(3) hash, so pam_unix can never match it and the decision is left to pam_krb5.

We can now configure PAM so that the console login methods (/bin/login, GNOME, etc.) use Kerberos.

Run authconfig (on Fedora Core 6: authconfig --enablekrb5 --update), or edit /etc/pam.d/system-auth by hand and add pam_krb5 lines to each of the auth, account, password and session sections.
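For reference, the following script (an added example, not part of the original page) writes out the system-auth stack that authconfig --enablekrb5 produces on Fedora Core 6, with pam_krb5 in all four sections, and adds the local placeholder account described above. It also covers the password section discussed under Password Changes below. The user name alice and UID 1001 are assumptions; the shadow value K follows the page's convention.

```shell
#!/bin/sh
# Added example, not from the original page: the Fedora Core 6 system-auth
# stack with pam_krb5 in every section, plus the local placeholder account
# (alice / 1001 are assumptions; "K" is the page's convention).

# render_system_auth: print /etc/pam.d/system-auth as authconfig writes it
render_system_auth() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so
EOF
}

# sections_with_krb5 CONFIG_TEXT: the PAM management groups that reference
# pam_krb5, sorted; all four are expected
sections_with_krb5() {
    printf '%s\n' "$1" | awk '/pam_krb5\.so/ { print $1 }' | sort -u | tr '\n' ' '
}

# add_local_user NAME UID [PASSWD_FILE SHADOW_FILE]: local account whose
# shadow field is K, so pam_unix can never match it and pam_krb5 decides
add_local_user() {
    name=$1 uid=$2 pwfile=${3:-/etc/passwd} shfile=${4:-/etc/shadow}
    printf '%s:x:%s:%s:%s:/home/%s:/bin/bash\n' \
        "$name" "$uid" "$uid" "$name" "$name" >> "$pwfile"
    printf '%s:K:%s:0:99999:7:::\n' "$name" "$(( $(date +%s) / 86400 ))" >> "$shfile"
}

# install_system_auth [DEST]: back up the current file and replace it
install_system_auth() {
    dest=${1:-/etc/pam.d/system-auth}
    cp -p "$dest" "$dest.bak" 2>/dev/null
    render_system_auth > "$dest"
}
```

The pam_succeed_if lines keep system accounts below UID 500 (root included) away from Kerberos, so a broken KDC or network cannot lock you out of the console as root. Keep a root shell open while you test a new stack.
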

Windows Kerberos Clients

Windows 2000 and newer versions of Windows can be Kerberos clients of Apache Directory.

  • Extract ksetup.exe from \support\tools\support.cab on the Windows 2000 CD-ROM
  • ksetup /setrealm EXAMPLE.COM
    o Note that this will also set the DNS domain for your computer to EXAMPLE.COM. For Windows, the DNS domain and the Kerberos realm must be identical.
  • ksetup /addkdc EXAMPLE.COM kdc1.example.com
  • ksetup /mapuser * *
    o This maps every Kerberos principal to the local account of the same name. To map selectively, name the principal and account instead, for example ksetup /mapuser alice@EXAMPLE.COM alice.
  • Reboot for the settings to take effect.

In case you make a mistake, the Kerberos configuration is stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

Kerberized Services

For any network service which accepts native Kerberos authentication (instead of taking a username and password and authenticating the user via PAM), you need a service principal whose key is stored in a keytab on that host (/etc/krb5.keytab by default). The full principal name is service/hostname@REALM, where hostname is the host's fully qualified name (the 'A' record from the prerequisites). Some common ones are:

Service             Service principal name   Description
OpenSSH, pam_krb5   host/hostname            Remote console access.
LDAP                ldap/hostname            Directory access.
NFSv4               nfs/hostname             File sharing.
HTTP                HTTP/hostname            Web server.

A keytab holds long-term keys: keep it mode 0600 and owned by root, and never copy a host's keytab to another host.

Kerberos Wrap-up

At this point you should have a fully functional Kerberos setup. Make sure everything is working perfectly before you move on to configuring LDAP.

LDAP Server

  • Add the ldap/hostname service principal and store its key in the LDAP server's keytab, so that clients can bind with GSSAPI.
  • Add the LDAP SSL certificate, signed by the CA whose certificate the clients copy in the next section.
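Apache Directory keeps principals in LDAP and offers no kadmin "ktadd", so the keytab for the service principals in the table above (and the ldap/ principal just mentioned) has to be built on the host from the principal's password with MIT ktutil from krb5-workstation. The script below is an added example, not part of the original page; the password, key version number and encryption type must match what the KDC holds for the principal. kdc1.example.com and EXAMPLE.COM are the page's placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: build a service keytab with
# MIT ktutil when the KDC (Apache Directory) has no kadmin. The password is
# read from stdin so it never appears in ps output. kdc1.example.com and
# EXAMPLE.COM are placeholders.

# ktutil_script PRINCIPAL KVNO ENCTYPE KEYTAB PASSWORD: the ktutil batch;
# the password line answers the "Password for ..." prompt of addent
ktutil_script() {
    cat <<EOF
addent -password -p $1 -k $2 -e $3
$5
wkt $4
quit
EOF
}

# make_keytab PRINCIPAL KVNO ENCTYPE KEYTAB  (password on stdin, run as root)
make_keytab() {
    IFS= read -r pw
    ktutil_script "$1" "$2" "$3" "$4" "$pw" | ktutil >/dev/null
    chmod 600 "$4"
    chown root:root "$4"
}

# verify_keytab KEYTAB PRINCIPAL: list the entries, then prove the key is
# right by getting a TGT with it (no password prompt must appear)
verify_keytab() {
    klist -kt "$1"
    kinit -kt "$1" "$2" && klist && kdestroy
}

# service_principal SERVICE HOST REALM -> service/host@REALM, host lowercased
service_principal() {
    printf '%s/%s@%s\n' "$1" "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" "$3"
}
```

Typical use on the KDC host: "printf '%s\n' "$PASS" | make_keytab $(service_principal host kdc1.example.com EXAMPLE.COM) 1 des-cbc-md5 /etc/krb5.keytab", then verify_keytab. Note that the Fedora Core 6 kernel's NFS GSS code supports only single-DES, so the nfs/ key must be des-cbc-crc or des-cbc-md5; a kinit -kt that prompts for a password means the keytab entry does not match the KDC's key or kvno.
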

LDAP Clients

Copy Files

Copy the following files from the KDC or LDAP server.

  • /etc/krb5.conf
  • /etc/ldap.conf
  • /etc/openldap/ldap.conf
  • /etc/openldap/cacerts/cacert.pem

PADL nss_ldap

The configuration file for the PADL nss_ldap module is /etc/ldap.conf. You need only a few options. "ssl start_tls" upgrades the plain port 389 connection with STARTTLS, and "tls_checkpeer yes" is what makes nss_ldap verify the server certificate against the CA certificate copied above; without it a forged server could feed the client bogus UID/GID mappings.

host               ldap1.example.com
base               dc=example,dc=com
ssl                start_tls
tls_checkpeer      yes
tls_cacertfile     /etc/openldap/cacerts/cacert.pem

The configuration file for the OpenLDAP clients, such as ldapsearch and ldapadd, is /etc/openldap/ldap.conf. It points at the same CA certificate; OpenLDAP's default TLS_REQCERT is demand, so the server certificate is verified.

URI         ldaps://ldap1.example.com/
BASE        dc=example,dc=com
TLS_CACERT  /etc/openldap/cacerts/cacert.pem
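With both files in place, nss_ldap still has to be enabled in /etc/nsswitch.conf, and the client should be verified end to end (this also exercises the nsswitch/nscd path described under Software Requirements). The script below is an added example, not part of the original page; it assumes ldap1.example.com is the directory, that a Kerberos ticket is held (kinit) for the GSSAPI search, and uses the user name alice as a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: enable nss_ldap in
# nsswitch.conf and verify the LDAP client. ldap1.example.com and the user
# alice are placeholders; the GSSAPI search needs a current ticket.
BASE=${BASE:-dc=example,dc=com}

# nsswitch_lines: the databases that must consult LDAP after local files
nsswitch_lines() {
    cat <<'EOF'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
automount:  files ldap
EOF
}

# set_nsswitch [FILE]: replace those four lines, keep everything else
set_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    { grep -Ev '^(passwd|shadow|group|automount):' "$f" || true; nsswitch_lines; } \
        > "$f.new" && mv "$f.new" "$f"
}

# passwd_entry_ok LINE: a usable posixAccount has seven fields and a
# non-system UID (Fedora Core 6 reserves UIDs below 500)
passwd_entry_ok() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 && $3 >= 500 { ok = 1 } END { exit !ok }'
}

# verify_ldap_client USER: three checks, from the wire up to the resolver
verify_ldap_client() {
    user=$1
    # 1. TLS is really enforced: -ZZ fails instead of falling back to clear text
    ldapsearch -x -ZZ -H ldap://ldap1.example.com/ -b "$BASE" "(uid=$user)" uidNumber || return 1
    # 2. the same search authenticated with the Kerberos ticket (cyrus-sasl-gssapi)
    ldapsearch -Y GSSAPI -H ldap://ldap1.example.com/ -b "$BASE" "(uid=$user)" dn || return 1
    # 3. the resolver path that login, ls and friends actually use
    entry=$(getent passwd "$user") || return 1
    passwd_entry_ok "$entry" || { echo "unusable entry: $entry" >&2; return 1; }
    echo "$entry"
}

# enable_nscd: cache nsswitch answers; restart it after any config change
# so stale entries do not mask a broken LDAP setup
enable_nscd() { chkconfig nscd on && service nscd restart; }
```

Run set_nsswitch as root, then verify_ldap_client alice; only enable nscd once the uncached lookups work, otherwise the cache hides configuration errors.
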

Password Changes

Users can change their Kerberos password with the passwd command, provided the password stack in PAM hands the change to pam_krb5. Make sure you have an entry like the following in your PAM configuration:

password   required     /lib/security/pam_krb5.so

Whether it should be required, sufficient, etc., and its order relative to the other PAM modules, will depend on your environment.

Without PAM, or to change the password directly against the KDC, users can run kpasswd. Both paths use the Change Password protocol on port 464 listed above.

NFSv4

(Pointer to NFSv4 doco)
