2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Kerberos+LDAP+NFSv4 implements single sign-on (part I)
Kerberos: identity authentication
LDAP: directory information service
NFSv4: network sharing
Lab environment: Debian 9
Three hosts:
NFS server: 192.168.1.103
NFS client: 192.168.1.102, that is, SSSD client + NFS client
KDC server: 192.168.1.101, that is, Kerberos + LDAP
In what follows, the prompt root@debian:~# means the command is run as the root user.
I. Install NTP time synchronization
Kerberos authentication requires the clocks of all hosts to be synchronized: tickets and authenticators carry timestamps, and the KDC rejects requests from hosts whose clock is too far off.
Install a time synchronization server on one host:
root@debian:~# apt-get install ntp
Install a time synchronization client on the other hosts:
root@debian:~# apt-get install ntpdate
II. Configure the local domain
Assume the domain is ctp.net.
The domain is used while installing Kerberos and LDAP, and NFSv4 authentication also requires it.
Configure the /etc/hosts file of all three hosts as follows:
127.0.0.1 localhost
127.0.1.1 debian.ctp.net debian
192.168.1.103 srvnf.ctp.net srvnf
192.168.1.102 clnf.ctp.net clnf
Note: the 127.0.1.1 entry must have the form xxx.ctp.net so that the domain ctp.net can be determined. Check it with:
root@debian:~# hostname -d
ctp.net
or
root@debian:~# dnsdomainname
ctp.net
III. Installation of the KDC server
Kerberos and LDAP are installed on the same host.
1. Install LDAP
root@debian:~# apt-get install slapd ldap-utils
slapd: OpenLDAP server
ldap-utils: LDAP command-line tools
The only thing asked during installation is the password of the LDAP database administrator. The LDAP domain defaults to the value returned by hostname -d (i.e. ctp.net).
Four schemas are loaded automatically during installation:
core.ldif
cosine.ldif
nis.ldif
inetorgperson.ldif
The installation initializes the configuration database (cn=config) and the LDAP database (dc=ctp,dc=net).
1) Configure SSL
Because the SSSD client requires an SSL/TLS connection, LDAP must be configured with SSL enabled.
For simplicity, create a certificate whose private key has no passphrase and which never expires.
Build the certificates with the gnutls-bin tool:
root@debian:~# apt-get install gnutls-bin
1.1) Root certificate
root@debian:~# certtool --generate-privkey > cakey.pem
Generating a 3072 bit RSA private key...
Create a new file ca.info with the following content:
root@debian:~# cat ca.info
ca
cert_signing_key
expiration_days = -1
root@debian:~#
Note: -1 means the certificate never expires.
Self-sign the root certificate:
root@debian:~# certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem
Generating a self signed certificate...
(output omitted)
Signing certificate...
root@debian:~#
1.2) Build the server certificate
For simplicity, the certificate does not carry the machine name. Note that a client which checks the server name against the certificate will then reject the connection, so this only works where the client does not verify the name.
Generate a private key:
root@debian:~# certtool --generate-privkey > fgkey.pem
Generating a 3072 bit RSA private key...
Create a new file srv.info with the following content:
root@debian:~# cat srv.info
tls_www_server
encryption_key
signing_key
expiration_days = -1
root@debian:~#
Issue the server certificate, signed by the root certificate:
root@debian:~# certtool --generate-certificate --load-privkey fgkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template srv.info --outfile fgcert.pem
Generating a signed certificate...
Signing certificate...
root@debian:~#
Create a directory for the private key:
root@debian:~# mkdir -p /etc/ldap/ssl/private
Copy the certificate and the private key:
root@debian:~# cp fgcert.pem /etc/ldap/ssl/
root@debian:~# cp fgkey.pem /etc/ldap/ssl/private/
Make the private key readable only by the openldap user (Debian's slapd runs as the openldap user):
root@debian:~# chown openldap /etc/ldap/ssl/private/fgkey.pem
root@debian:~# ls -l /etc/ldap/ssl/private/fgkey.pem
-rw-r--r-- 1 openldap root 8289 Oct 19 13:44 /etc/ldap/ssl/private/fgkey.pem
root@debian:~# chmod o-r /etc/ldap/ssl/private/fgkey.pem
root@debian:~# ls -l /etc/ldap/ssl/private/fgkey.pem
-rw-r----- 1 openldap root 8289 Oct 19 13:44 /etc/ldap/ssl/private/fgkey.pem
1.3) Configure OpenLDAP to enable SSL
Create a new file ssl.ldif with the following content:
root@debian:~# cat ssl.ldif
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/fgcert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/ssl/private/fgkey.pem
root@debian:~#
OpenLDAP no longer uses the traditional slapd.conf file; its configuration is itself an LDAP database (cn=config), stored as a hierarchy of directories and LDIF files under /etc/ldap/slapd.d/.
After installing slapd, the configuration database administrator exists but has no usable password. However, the root user is allowed to read and write the configuration database through SASL EXTERNAL authentication over the local ldapi:/// socket, so in this lab the ldap command-line tools are run as root.
root@debian:~# ldapadd -Y EXTERNAL -H ldapi:/// -f ssl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
1.4) Modify the /etc/default/slapd file
...
Change
SLAPD_SERVICES="ldap:/// ldapi:///"
to
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
...
Restart OpenLDAP.
2) Set the ACL (access control list)
In this lab the LDAP database is used as the backend of the Kerberos database. There are two ways for Kerberos to access LDAP:
Method 1: Kerberos binds to the LDAP database as the LDAP database administrator. Kerberos and LDAP may then run on separate hosts, but the LDAP administrator password must be stored in cleartext on the Kerberos host.
Method 2: Kerberos and LDAP run on the same host, and Kerberos accesses the LDAP database through SASL EXTERNAL authentication without binding as any LDAP user.
To avoid storing any cleartext password, this lab uses the second method.
The Kerberos process runs as the root user, so the OpenLDAP ACL must allow the root user's process to read and write the LDAP database.
Setting the ACL means setting the value of olcAccess. Because olcAccess is a multi-valued attribute, I do not know how the ldapmodify command modifies a single value of a multi-valued attribute.
Either use an LDAP client tool such as luma to connect to the configuration database and modify the olcAccess attribute of the entry olcDatabase={1}mdb,cn=config,
or
modify the file directly (not recommended; OpenLDAP must be restarted after the change. This is what this lab does.)
Modify the file /etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif:
Change
olcAccess: {2}to * by self write by dn="cn=admin,dc=ctp,dc=net" write by * read
to
olcAccess: {2}to * by dn="cn=admin,dc=ctp,dc=net" write by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * read
root@debian:~# /etc/init.d/slapd stop
root@debian:~# /etc/init.d/slapd start
After restarting OpenLDAP, the root user can read and write the LDAP database with a command such as ldapadd -Y EXTERNAL -H ldapi:/// -f xxx.ldif.
That is, the Kerberos process has permission to write to the LDAP database without binding as the LDAP database administrator.
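To confirm what the rewritten olcAccess value actually grants before restarting slapd, the following added example (not from the original article) parses an olcAccess value into its by-clauses and checks that the root peercred identity is given manage access; it also makes visible that the new line drops the original "by self write" clause. Only the plain "by <who> <access>" form used in the article is handled.

```python
import shlex

# SASL EXTERNAL identity of a root process on the ldapi:/// socket (from the article)
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def parse_olc_access(value):
    """Parse '{N}to <what> by <who> <access> ...' into (N, what, [(who, access)]).
    Only the plain 'by <who> <access>' form used in the article is handled."""
    index = None
    if value.startswith("{"):                  # optional ordering prefix {N}
        close = value.index("}")
        index = int(value[1:close])
        value = value[close + 1:]
    tokens = shlex.split(value)                # keeps dn="..." as one token
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError("olcAccess value must start with 'to <what>'")
    what, rest, clauses = tokens[1], tokens[2:], []
    while rest:
        if rest[0] != "by" or len(rest) < 3:
            raise ValueError(f"malformed by-clause near {rest!r}")
        clauses.append((rest[1], rest[2]))
        rest = rest[3:]
    return index, what, clauses

def access_for(value, who):
    """Access level of the by-clause whose <who> is exactly `who`, else None.
    slapd applies the first matching clause, so clause order matters."""
    for clause_who, level in parse_olc_access(value)[2]:
        if clause_who == who:
            return level
    return None

def root_peercred_can_manage(value):
    """True if a root process using -Y EXTERNAL -H ldapi:/// is granted 'manage'."""
    return access_for(value, "dn.exact=" + ROOT_PEERCRED) == "manage"

# The before/after lines from the article, embedded here as sample input
OLD_ACL = '{2}to * by self write by dn="cn=admin,dc=ctp,dc=net" write by * read'
NEW_ACL = ('{2}to * by dn="cn=admin,dc=ctp,dc=net" write '
           'by dn.exact=' + ROOT_PEERCRED + ' manage by * read')

if __name__ == "__main__":
    for label, acl in (("old", OLD_ACL), ("new", NEW_ACL)):
        print(label, "root manage:", root_peercred_can_manage(acl),
              "self write:", access_for(acl, "self"))
```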
2. Install Kerberos
root@debian:~# apt-get install heimdal-kdc heimdal-clients krb5-config
heimdal-kdc: Kerberos server
heimdal-clients: Kerberos client
The KDC host needs both the Kerberos server and the Kerberos client.
After installing Kerberos, modify the configuration files kdc.conf and krb5.conf.
1) Kerberos server configuration, /etc/heimdal-kdc/kdc.conf content:
[logging]
    kdc = FILE:/var/log/heimdal-kdc.log
[kdc]
    database = {
        #---v--- use the LDAP database as the Kerberos database; EXTERNAL authentication is the default
        dbname = ldap:ou=hdkrb5,dc=ctp,dc=net
        #---^---
        acl_file = /etc/heimdal-kdc/kadmind.acl
        #---v--- when the LDAP database is the backend and kpasswdd is used, the following two lines must be added
        mkey_file = /var/lib/heimdal-kdc/m-key
        realm = CTP.NET
        #---^--- (for example, if OpenLDAP enables the slapd-smbk5pwd password synchronization overlay,
        # the above two lines also fix the synchronization error, but /var/lib/heimdal-kdc/m-key must then be owned by the openldap user)
        # slapd-smbk5pwd is not enabled in this lab, so there is no need to change the owner of /var/lib/heimdal-kdc/m-key
    }
[kadmin]
[password_quality]
2) Kerberos client configuration, /etc/krb5.conf content:
[libdefaults]
    #---v--- to support NFSv4 (the NFSv4 implementation here only supports weak encryption types), both the KDC host and the Kerberos clients need the following line;
    # it enables single-DES, which is cryptographically weak, so only set it where NFS really needs it
    allow_weak_crypto = true
    #---^---
    default_realm = CTP.NET

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    #---v---
    # the original krb5.conf on both the KDC host and the client had the following two lines enabled, and the client got an error when connecting to the KDC
    # presumably because principals are created with the default attributes, which include disallow-proxiable and disallow-forwardable
    # so both the client and the KDC host comment out the following two lines
    # forwardable = true
    # proxiable = true
    #---^---

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    CTP.NET = {
        kdc = 127.0.0.1
        admin_server = 127.0.0.1
        #---v--- the following line must be present to run the kpasswd command on the KDC host
        kpasswd_server = 127.0.0.1
        #---^---
    }

[domain_realm]

[login]
    krb4_convert = true
    krb4_get_tickets = false
3) Restart heimdal-kdc
root@debian:~# /etc/init.d/heimdal-kdc stop
root@debian:~# /etc/init.d/heimdal-kdc start
3. Install schema2ldif
root@debian:~# apt-get install schema2ldif
schema2ldif: schema to LDIF conversion tool
LDAP schemas are usually shipped as both .schema and .ldif files, but heimdal-kdc only ships hdb.schema, not an LDIF version.
The Heimdal schema to be added to OpenLDAP is the file /etc/ldap/schema/hdb.schema.
1) Convert the format
root@debian:~# schema2ldif /etc/ldap/schema/hdb.schema > hdb.ldif
2) Add the schema online
root@debian:~# ldapadd -Y EXTERNAL -H ldapi:/// -f hdb.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
...
4. Add database records
After completing the installation and configuration of the KDC server above, start working on the database.
1) Add the krb5 organizational unit entry to the LDAP database
Create a new file krb5.ldif with the following content:
root@debian:~# cat krb5.ldif
dn: ou=hdkrb5,dc=ctp,dc=net
krb5PrincipalName: default@CTP.NET
ou: hdkrb5
objectClass: krb5Principal
objectClass: organizationalUnit
root@debian:~#
root@debian:~# ldapadd -x -D "cn=admin,dc=ctp,dc=net" -W -f krb5.ldif
Enter LDAP Password: (enter the LDAP database administrator password set when installing slapd)
adding new entry "ou=hdkrb5,dc=ctp,dc=net"
root@debian:~#
2) Initialize the Kerberos database
root@debian:~# kadmin -l
kadmin> init CTP.NET
It took two minutes.
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
...
Press Enter to accept all the defaults above.
kadmin> exit
Exit kadmin.
3) Add a Kerberos user
root@debian:~# kadmin -l
kadmin> add krblinlin
This adds a user named krblinlin.
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [disallow-svr, disallow-proxiable, disallow-renewable, disallow-forwardable, disallow-postdated]:
Policy [default]:
Press Enter to accept all the defaults above.
krblinlin@CTP.NET's Password: (set the password)
Verify password - krblinlin@CTP.NET's Password:
4) Test changing the password with kpasswd on the KDC host
Log in to the KDC host as an ordinary user:
linlin@debian:~$ kpasswd krblinlin
krblinlin@CTP.NET's Password: (enter the current password)
New password for krblinlin@CTP.NET: (enter the new password)
Verify password - New password for krblinlin@CTP.NET:
Success: Password changed
linlin@debian:~$
5) Add the posixAccount object class to user krblinlin
The posixAccount object class is defined in the nis schema.
Note: when a Kerberos user is added with the kadmin command, an entry (with attributes such as krb5Key) is created in the LDAP database. That entry already has a uid attribute, so uid does not need to be added again when adding the posixAccount object class.
Create a new file unix.ldif with the following content:
root@debian:~# cat unix.ldif
dn: krb5PrincipalName=krblinlin@CTP.NET,ou=hdkrb5,dc=ctp,dc=net
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: cn
cn: krblinlin
-
add: gidNumber
gidNumber: 4001
-
add: homeDirectory
homeDirectory: /home/krblinlin
-
add: loginShell
loginShell: /bin/bash
-
add: uidNumber
uidNumber: 4001
-
add: userPassword
userPassword: linlin
root@debian:~# ldapmodify -x -D "cn=admin,dc=ctp,dc=net" -W -f unix.ldif
Enter LDAP Password:
modifying entry "krb5PrincipalName=krblinlin@CTP.NET,ou=hdkrb5,dc=ctp,dc=net"
The userPassword attribute of this entry (krb5PrincipalName=krblinlin@CTP.NET,ou=hdkrb5,dc=ctp,dc=net) is the LDAP user's password, while the krb5Key attribute holds the Kerberos key material.
So this entry carries two separate credential systems, Kerberos and LDAP.
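The unix.ldif above gives userPassword the cleartext value linlin; ldapmodify writes the value exactly as supplied, so without a password-hashing overlay it stays in cleartext in the database. The following added example (not from the original article) generates the same modify LDIF with an OpenLDAP {SSHA} hash instead, plus a matching verify function; it assumes the DN layout used in the article and ASCII attribute values (LDIF needs base64 encoding for other values).

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (SHA-1 digest is 20 bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def posix_account_ldif(principal, uid_number, gid_number, password_hash,
                       realm="CTP.NET", base="ou=hdkrb5,dc=ctp,dc=net",
                       shell="/bin/bash"):
    """Build the 'changetype: modify' LDIF that adds posixAccount to the entry
    kadmin created.  uid is deliberately not added: the entry already has it."""
    dn = f"krb5PrincipalName={principal}@{realm},{base}"
    attrs = [("objectClass", "posixAccount"),
             ("cn", principal),
             ("gidNumber", str(gid_number)),
             ("homeDirectory", f"/home/{principal}"),
             ("loginShell", shell),
             ("uidNumber", str(uid_number)),
             ("userPassword", password_hash)]
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (name, value) in enumerate(attrs):
        if i:
            lines.append("-")          # separates the changes of one modify record
        lines += [f"add: {name}", f"{name}: {value}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # constructed sample input matching the article's user and ids
    print(posix_account_ldif("krblinlin", 4001, 4001, ssha_hash("linlin")))
```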
6) Add the NFS server principal
root@debian:~# kadmin -l
kadmin> add -r nfs/srvnf.ctp.net
The add command (-r: random key) then prompts:
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [disallow-svr, disallow-proxiable, disallow-renewable, disallow-forwardable, disallow-postdated]:
Policy [default]:
Press Enter to accept all the defaults above.
kadmin> modify -a -disallow-svr nfs/srvnf.ctp.net
Since disallow-svr is set by default above, it must be removed for nfs/srvnf.ctp.net to act as an application server.
kadmin> ext -k /home/linlin/srv/krb5.keytab nfs/srvnf.ctp.net
This exports the keytab.
Copy krb5.keytab to the /etc directory of the NFS server (via a USB disk) and make sure it is owned by root and readable only by root:
root@debian:~# chown root:root /etc/krb5.keytab
root@debian:~# chmod o-r /etc/krb5.keytab
root@debian:~# chmod g-r /etc/krb5.keytab
7) Add the NFS client principal
root@debian:~# kadmin -l
kadmin> add -r host/clnf.ctp.net
Press Enter to accept all the defaults. This is a client, not an application server, so disallow-svr does not need to be removed.
kadmin> ext -k /home/linlin/cl/krb5.keytab host/clnf.ctp.net
Copy krb5.keytab to the /etc directory of the NFS client (via a USB disk) and make sure it is owned by root and readable only by root, as for the NFS server.
IV. Installation of the Kerberos client
Both the NFS client and the NFS server act as Kerberos clients, and the installation and configuration of the Kerberos client is identical on both hosts.
root@debian:~# apt-get install heimdal-clients krb5-config
After installation, modify the configuration file krb5.conf.
Kerberos client configuration, /etc/krb5.conf content:
[libdefaults]
    #---v---
    allow_weak_crypto = true
    #---^---
    default_realm = CTP.NET

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    CTP.NET = {
        kdc = 192.168.1.101
        admin_server = 192.168.1.101
        #---v--- the client does not need this line; it can be commented out
        # kpasswd_server = 192.168.1.101
        #---^---
    }

[domain_realm]

[login]
    krb4_convert = true
    krb4_get_tickets = false