
Configurazione di Heimdal Kerberos

Rimozione dei servizi inutili

Iniziamo modificando il file /etc/inetd.conf, disabilitando (commentando) alcuni servizi kerberizzati attivati di default:
....
# identd is not needed on the KDC host; left disabled.
#ident          stream  tcp     wait    identd  /usr/sbin/identd        identd
....
# Kerberized legacy daemons from heimdal-servers, all left disabled:
# hpropd (database propagation), rshd, ftpd, telnetd, popper, kxd.
# Note that telnetd is started with "-a none" and ftpd with "-a plain", which
# (per telnetd(8)/ftpd(8)) do not require Kerberos authentication and fall back
# to cleartext passwords; keep these lines commented out unless really wanted.
#krb_prop       stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/hpropd
#kshell stream  tcp     nowait  root    /usr/sbin/tcpd /usr/lib/heimdal-servers/rshd -k
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/lib/heimdal-servers/ftpd -a plain
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd /usr/lib/heimdal-servers/telnetd -a none
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd /usr/lib/heimdal-servers/popper
#kx     stream  tcp     nowait  root    /usr/sbin/tcpd /usr/lib/heimdal-servers/kxd
riavviamo quindi inetd:
# /etc/init.d/openbsd-inetd restart

Kerberos KDC

Configuriamo il Kerberos KDC modificando il file /etc/krb5.conf:
[libdefaults]
        # Default ticket and renew lifetimes. A bare number is read as seconds,
        # so 80000 is roughly 22 hours; the pam block in [appdefaults] below
        # uses "1d" for the same settings — keep the two consistent.
        ticket_lifetime = 80000
        renew_lifetime = 80000
        default_realm = ESEMPIO.LAN 
        # Keytab the host's services read their keys from; presumably also
        # where "kadmin -l ext_keytab" without -k writes (see below).
        default_keytab_name = FILE:/etc/krb5.keytab
        # Encryption types offered/requested, in order of preference.
        # des-cbc-crc/md5/md4 are single DES (56-bit key) and arcfour-hmac-md5
        # is RC4-based; both are considered weak. Keep them only while legacy
        # clients still need them, and consider listing aes256-cts first so AES
        # is preferred whenever both sides support it.
        default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-md4 aes256-cts arcfour-hmac-md5
        default_etypes_des = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-md4 aes256-cts arcfour-hmac-md5
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-md4 aes256-cts arcfour-hmac-md5
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 des-cbc-md4 aes256-cts arcfour-hmac-md5
        # Compensate for the clock offset between this host and the KDC.
        kdc_timesync = 1
        # Every TGT obtained on this host is forwardable/proxiable by default.
        # Convenient for ssh/NFS, but a TGT forwarded to a compromised host can
        # be used as the user from there; consider enabling this per
        # application in [appdefaults] instead of globally.
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        # Kerberos 4 compatibility. Kerberos 4 is disabled in [kdc] below
        # (enable-kerberos4 = false), so this block is presumably inert; the
        # "something = something-else" entry looks like example boilerplate
        # — TODO confirm it is still needed.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }

[realms]
# KDC and admin server (kadmind) both live on pdc.esempio.lan.
ESEMPIO.LAN = {
         kdc = pdc.esempio.lan 
         admin_server = pdc.esempio.lan 
         default_domain = esempio.lan
}

[domain_realm]
# Hosts under esempio.lan (and the bare domain) belong to realm ESEMPIO.LAN.
        .esempio.lan  = ESEMPIO.LAN
        esempio.lan  = ESEMPIO.LAN

[kdc]
    # Kerberos 4 protocol support is off (see the v4_* settings above).
    enable-kerberos4 = false
    # Warn users whose password is about to expire. NOTE(review): a bare
    # number is probably read as seconds, so "7" would warn only 7 seconds
    # before expiry; "7d" is likely what is meant — confirm against krb5.conf(5).
    kdc_warn_pwexpire = 7
    # Principal database kept in LDAP (HDB-LDAP backend). The principals'
    # keys are stored in the directory encrypted under the master key in
    # mkey_file, so that file must stay readable by root only, and the LDAP
    # ACLs must restrict who can read the Kerberos attributes.
    database = {
        realm = ESEMPIO.LAN
        dbname = ldap:ou=Users,dc=esempio,dc=lan
        # Structural object class for entries hdb-ldap creates.
        hdb-ldap-structural-object = inetOrgPerson
        # Master key; presumably the file "kstash --random-key" writes (see below).
        mkey_file = /var/lib/heimdal-kdc/m-key
        # kadmind authorization file, edited in the next step.
        acl_file = /etc/kadmind.acl
        # NOTE(review): in Heimdal this is the database change log used for
        # propagation (ipropd), not a text log — confirm against krb5.conf(5).
        log_file = /var/log/kdc-db.log
    }
    # Subtree under which hdb-ldap creates entries for new principals.
    hdb-ldap-create-base = ou=KerberosPrincipals,ou=Users,dc=esempio,dc=lan
     
[logging]
# Log destinations; /var/log/heimdal is created by hand (mkdir -p) further down.
        kdc = FILE:/var/log/heimdal/kdc.log
        admin_server = FILE:/var/log/heimdal/admin.log
        default = FILE:/var/log/heimdal/default.log

[appdefaults]
# Settings used by the Kerberos PAM module for logins; these override the
# [libdefaults] values above (1d here versus 80000 seconds there).
pam = {
   ticket_lifetime = 1d
   renew_lifetime = 1d
   forwardable = true
   proxiable = true
}

modifichiamo quindi le ACL del KDC: /etc/kadmind.acl

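# /etc/kadmind.acl — authorization for kadmind clients, one entry per line:
#   principal   rights   [glob of the principals the rights apply to]
# Rights: add, change-password (cpw), delete, get, list, modify, all.
# "kadmin -l", used in the steps below, works on the database directly and is
# not checked against this file.
# The "[email protected]" tokens in the original listing were an anti-spam
# mangling of "admin@ESEMPIO.LAN"; the instance for root/ and addmachine/ is
# assumed to be admin like the others — verify.
# ldapmaster may only create, remove and read host/* principals.
ldapmaster/admin@ESEMPIO.LAN   add,delete,get    host/*@ESEMPIO.LAN
# NOTE(review): "NO" is not a documented right, so this line is probably
# rejected or ignored by kadmind rather than denying password changes —
# check kadmind's log and kadmind(8) for this Heimdal version.
*                              NO cpw            *@ESEMPIO.LAN
# Full administrative rights over the whole realm; keep these principals'
# passwords/keys tightly controlled.
kadmin/admin@ESEMPIO.LAN       all
root/admin@ESEMPIO.LAN         all
addmachine/admin@ESEMPIO.LAN   all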
rimuoviamo i vecchi dati del kdc e riavviamo i servizi:
# mkdir -p /var/log/heimdal
# rm -rf /etc/krb5.keytab
# /etc/init.d/heimdal-kcm restart
# /etc/init.d/heimdal-kdc restart

Inizializzazione reame Kerberos

Inizializziamo ora il reame kerberos:
# kstash --random-key
# kadmin -l init --realm-max-ticket-life=unlimited --realm-max-renewable-life=unlimited ESEMPIO.LAN
e creiamo le chiavi per il server e i suoi servizi (samba, principal cifs/, e ldap, principal ldap/):
# kadmin -l add --random-key --max-ticket-life=unlimited --max-renewable-life=unlimited --expiration-time=never \
   --pw-expiration-time=never --attributes= host/pdc.esempio.lan
# kadmin -l add --random-key --max-ticket-life=unlimited --max-renewable-life=unlimited --expiration-time=never \
   --pw-expiration-time=never --attributes= host/pdc
# kadmin -l ext_keytab host/pdc.esempio.lan
# kadmin -l ext_keytab host/pdc
# kadmin -l add --random-key --max-ticket-life=unlimited --max-renewable-life=unlimited --expiration-time=never \
   --pw-expiration-time=never --attributes= ldap/pdc.esempio.lan
# kadmin -l add --random-key --max-ticket-life=unlimited --max-renewable-life=unlimited --expiration-time=never \
   --pw-expiration-time=never --attributes= ldap/pdc
# kadmin -l ext_keytab -k /etc/ldap/ldap.keytab ldap/pdc.esempio.lan
# kadmin -l ext_keytab -k /etc/ldap/ldap.keytab ldap/pdc
# kadmin -l add --random-key --max-ticket-life=unlimited --max-renewable-life=unlimited --expiration-time=never \
   --pw-expiration-time=never --attributes= cifs/pdc.esempio.lan
# kadmin -l add --random-key --max-ticket-life=unlimited --max-renewable-life=unlimited --expiration-time=never \
   --pw-expiration-time=never --attributes= cifs/pdc
# kadmin -l ext_keytab cifs/pdc.esempio.lan
# kadmin -l ext_keytab cifs/pdc
sistemiamo ora i permessi per il keytab ldap:
# chown openldap.openldap /etc/ldap/ldap.keytab
# chmod 400 /etc/ldap/ldap.keytab
e impostiamo la password per due principal Kerberos (attenzione: passata come argomento, la password resta visibile nell'elenco dei processi e nella history della shell; omettendo --password, kadmin la chiede in modo interattivo):
# kadmin -l cpw --password=secret1 ldapmaster/admin
# kadmin -l cpw --password=secret1 kadmin/admin
riavviamo ancora il kdc:
# /etc/init.d/heimdal-kcm restart
# /etc/init.d/heimdal-kdc restart

Stefano Sasso 2009-04-16