Thursday, June 14, 2012

Kerberos with LDAP Backend on Ubuntu 12.04 - Part Three

A few days ago we set up an MIT Kerberos V server using the OpenLDAP backend. We had installed the kerberos-schema some time earlier. Today we are going to log in to the Kerberos server.
(This article is also available in Hungarian)
Install the necessary PAM library:
sudo apt-get install libpam-krb5
Log in as a Unix user - you can use the account you have been working as. Look at the file /etc/pam.d/common-auth :
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
As you can see, the system will first try to log you in using Kerberos. If that fails, the local accounts are tried, and if that too fails, a final attempt is made against LDAP. Log on as the LDAP user jdoe. John does not have a Kerberos principal yet, but LDAP will let him in. Observe the login process:
tail -f /var/log/auth.log
You can see that we first try to authenticate against the Kerberos server and fail, and then we get in by other means. Once logged in, try issuing the command klist . You will get no results. Try issuing kinit , but as jdoe has no principal of his own, he has to use one belonging to someone else.
Let us create the Kerberos principal of jdoe (our commands in bold):
kadmin.local:  addprinc -x dn="uid=jdoe,ou=People,dc=itthon,dc=cucc" jdoe
WARNING: no policy specified for jdoe@ITTHON.CUCC; defaulting to no policy
Enter password for principal "jdoe@ITTHON.CUCC": password
Re-enter password for principal "jdoe@ITTHON.CUCC": password
Principal "jdoe@ITTHON.CUCC" created.
The passwords for LDAP and for Kerberos are different. Both can be used to log on.
We have seen what happens if we use the LDAP password: klist gives no output, but you can use kinit (in this case you have to enter the Kerberos password). After that the output of klist shows that Kerberos knows you.
If you log on using the Kerberos password, the following can be observed in auth.log:
ubuserver login[779]: pam_krb5(login:auth): user jdoe authenticated as jdoe@ITTHON.CUCC
And klist can confirm that.
If you issue the command passwd , Ubuntu tries to change the Kerberos password in both cases (try it; you will see that you are asked for the Kerberos password). If you fail to enter that password, you will be asked for the LDAP password too, in both cases. The cause of this behaviour is the settings in /etc/pam.d/common-password :
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite   pam_deny.so
password required   pam_permit.so
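To see exactly why the common-auth stack above lets jdoe in with either password, and why common-password asks for the Kerberos password first and falls through to LDAP, here is a small evaluator of the Linux-PAM `[value=action]` control syntax. It is an added example, not code from the post; it models only the actions these two stacks use (ignore, ok, done, bad, die and the numeric jumps), and it assumes that common-auth ends with the same `requisite pam_deny.so` / `required pam_permit.so` tail that common-password shows.

```python
import re

# Fixed verdicts of the tail modules: pam_deny always fails, pam_permit always passes
BUILTIN = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

def parse_control(control):
    """Turn "[success=3 default=ignore]" into a dict; expand the two keywords used here."""
    if control == "requisite":
        return {"success": "ok", "ignore": "ignore", "default": "die"}
    if control == "required":
        return {"success": "ok", "ignore": "ignore", "default": "bad"}
    return dict(re.findall(r"(\w+)=(\w+)", control))

def run_stack(stack, results):
    """Walk (module, control) pairs; `results` maps a module to its return value for
    this attempt. Returns (final result, modules actually consulted)."""
    status, consulted, i = None, [], 0
    while i < len(stack):
        module, ctrl = stack[i]
        ret = {**BUILTIN, **results}.get(module, "auth_err")  # unmentioned modules fail
        action = ctrl.get(ret, ctrl["default"])
        consulted.append(module)
        i += 1
        if action == "ignore":                  # no effect on the outcome
            continue
        if action.isdigit():                    # 'ok', then skip the next N modules
            status = status or ret
            i += int(action)
        elif action in ("ok", "done"):          # keep an earlier failure, else take ret
            status = status or ret
            if action == "done" and status == "success":
                break
        elif action in ("bad", "die"):          # first failure decides the outcome
            if status in (None, "success"):
                status = ret
            if action == "die":
                break
    return (status or "perm_denied"), consulted

def build(lines):
    return [(module, parse_control(control)) for control, module in lines]

# The two stacks from the post (pam_deny/pam_permit tail of common-auth is assumed)
COMMON_AUTH = build([("[success=3 default=ignore]", "pam_krb5.so"),
                     ("[success=2 default=ignore]", "pam_unix.so"),
                     ("[success=1 default=ignore]", "pam_ldap.so"),
                     ("requisite", "pam_deny.so"), ("required", "pam_permit.so")])
COMMON_PASSWORD = build([("[success=3 default=ignore]", "pam_krb5.so"),
                         ("[success=2 default=ignore]", "pam_unix.so"),
                         ("[success=1 user_unknown=ignore default=die]", "pam_ldap.so"),
                         ("requisite", "pam_deny.so"), ("required", "pam_permit.so")])

def attempt(stack, krb5, unix, ldap):
    """Outcome of one attempt given each backend's verdict for the user (constructed)."""
    return run_stack(stack, {"pam_krb5.so": krb5, "pam_unix.so": unix, "pam_ldap.so": ldap})
```

Running `attempt(COMMON_AUTH, "auth_err", "user_unknown", "success")` reproduces jdoe's LDAP-password login: Kerberos and the local files are consulted and ignored, LDAP succeeds and the `success=1` jump skips pam_deny. The same call with `"success"` for Kerberos shows why a second, independent password also opens the account, which is the unsynchronised-password problem the post lists as still open.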
We still have some things to arrange:
  • We have to enable logon on the clients - this means slightly more than installing libpam-krb5.
  • We have to arrange things so that we do not have to create a Kerberos principal for every LDAP user by hand. To achieve this we are going to use the LDAP overlay smbkrb5pwd . This is the one we have been using to sync the Linux-Samba passwords so far.
  • We have to come up with a solution that prevents the users from having two unsynchronised passwords.
