Environment
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
MIT Kerberos 5 Release 1.6.3
NetIQ eDirectory 8.8 SP8 (888)
MIT Kerberos 5 Release 1.6.3
NetIQ eDirectory 8.8 SP8 (888)
NetIQ Modular Authentication Service (NMAS)
NetIQ iManager 2.7 SP7 (277)
NetIQ iManager 2.7 SP7 (277)
Situation
This Kerberos Quick Start Guide has been created so that a working setup can be quickly built in a lab environment enabling the testing of Kerberos integration with eDirectory.
This includes the following products:
- SLES 11's MIT implementation of Kerberos 5 which includes the KDC server, admin server and Kerberos client
- eDirectory 8.8 SP8 and the LDAP GSSAPI extensions
- NMAS GSSAPI Method
- iManager Kerberos & NMAS Plugins
Resolution
BACKGROUND
This Quick Start is for integrating eDirectory and MIT Kerberos using the KDC Berkeley database. A solution such as this will not keep the passwords in sync. For that, the Berkeley database cannot be used and instead the NetIQ KPA (Kerberos Password Agent) must be installed. That said, many do use the solution outlined here with password changes being made to both servers: eDirectory and the KDC.
This Quick Start Guide is intended to provide a quick way to get this solution up and running from scratch in a lab environment. This guide assumes the lab has no DNS SRV or TXT records being served (recommeded), therefore, this will be a non-DNS installation: only the hosts file will be used.
Important Notes:
UP must be enabled.
UP must be enabled.
Extended characters in the password are not supported.
Password changes must be made to both systems
The key type and password selected during creation of the realm in the KDC and in eDirectory must match or the passwords cannot be unwrapped on the KDC side.
OVERVIEW
The following is an overview of the major steps involved.
- Install required Kerberos rpms
- Ensure resolves and NTP are taken care of
- Install and configure eDirectory, iManager and its plugins
- Populate the keystores read by the Kerberos plugin and the kdb5_ldap_util utility with the tree's Trusted Root
- Install the Kerberos LDAP extensions and extend schema for eDirectory
- Configure the KDC krb5.conf file
- Create the realm in the KDC and eDirectory
- Create the realm service objects, add their ACLs and stash their passwords
- Set the realm master key in eDirectory
- Start the krb5kdc and kadmind daemons
- Enable UP on the realm in eDirectory
- Create and\or verify that a NMAS UP policy is in place
- Create a user in eDirectory then on the KDC create for him both a merged and a linked standalone principal
- "Kerberize" that user object in eDirectory by modifing his krbPrincipalReferences attribute to point to his standalone principal object.
- Install the KPA and verify password changes are synchronizing from NMAS to the KDC service.
SETUP SUMMARY
KDC
Realm: SAMPLE
DNS: hv5.lab.novell.com
Backend: LDAP
LDAP Server URL: ldaps://192.168.211.41
Kerberos Container: cn=Kerberos,cn=Security
KDC bind DN: cn=kb-kdc,o=emg
Kadmin bind DN: cn=krb-admin,o=emg
DNS: hv5.lab.novell.com
Backend: LDAP
LDAP Server URL: ldaps://192.168.211.41
Kerberos Container: cn=Kerberos,cn=Security
KDC bind DN: cn=kb-kdc,o=emg
Kadmin bind DN: cn=krb-admin,o=emg
EDIRECTORY
Tree: KERBEROS_TREE_HV
Server: 888_Kerb_Svr.emg
-------------------
Kerberos container: Kerberos.Security.HV_KRB_TREE
Realm container: SAMPLE.Kerberos.Security.HV_KRB_TREE
Principal Container: emg.HV_KRB_TREE
Realm Sub Tree: emg.HV_KRB_TREE
Subtree Scope: Subtree
Users Container: krbusers.emg.HV_KRB_TREE
Kerberos container: Kerberos.Security.HV_KRB_TREE
Realm container: SAMPLE.Kerberos.Security.HV_KRB_TREE
Principal Container: emg.HV_KRB_TREE
Realm Sub Tree: emg.HV_KRB_TREE
Subtree Scope: Subtree
Users Container: krbusers.emg.HV_KRB_TREE
INSTALLATION\CONFIGURATION
1. Install SLES 11 SP3 + Kerberos
A. Install a minimal SLES11 instance (also de-selecting the Print Server and App Armor selections).
B. Install the three required Kerberos packages
- krb5-server
- krb5-client
- krb5-plugin-kdb-ldap
2. Setup the hosts file
Example:
----------------------------
127.0.0.1 localhost
----------------------------
127.0.0.1 localhost
# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
192.168.211.41 hv5.lab.novell.com
::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
192.168.211.41 hv5.lab.novell.com
#Manual Entries - last four are optional for this excercise
192.168.211.41 SAMPLE
192.168.211.41 hv5.SAMPLE hv5
192.168.211.41 kerberos.SAMPLE kerberos
192.168.211.41 _kerberos._udp.SAMPLE
192.168.211.41 _kerberos._tcp.SAMPLE
192.168.211.41 _kerberos-adm._tcp.SAMPLE
----------------------------
192.168.211.41 SAMPLE
192.168.211.41 hv5.SAMPLE hv5
192.168.211.41 kerberos.SAMPLE kerberos
192.168.211.41 _kerberos._udp.SAMPLE
192.168.211.41 _kerberos._tcp.SAMPLE
192.168.211.41 _kerberos-adm._tcp.SAMPLE
----------------------------
3. Setup DNS resolves in /etc/resolv.conf
A. Ensure this server's address is first in the list of name servers.
A. Ensure this server's address is first in the list of name servers.
Example:
----------------------------------------------------
search SAMPLE
nameserver 192.168.211.41
nameserver x.x.x.x
nameserver 192.168.211.41
nameserver x.x.x.x
nameserver x.x.x.x
----------------------------------------------------
B. Verify that the /etc/nsswitch file's hosts: section has files before dns
B. Verify that the /etc/nsswitch file's hosts: section has files before dns
Example:
----------------------------------------------------
# group: files nis
passwd: compat
group: compat
group: compat
hosts: files dns
networks: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
----------------------------------------------------
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
----------------------------------------------------
4. Setup NTP.
Normally NTP would be setup to get time from a trusted source as Kerberos is very dependandant on a reliable time source. However, since this is a single-server lab exercise, NTP will be configured to use the hardware clock.
---------------------------------
## Address: 127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer
## Address: 127.127.8.u
## Serial Port: /dev/refclock-u
##
## (create soft link /dev/refclock-0 to the particular ttyS?)
##
# server 127.127.8.0 mode 5 prefer
##
## Undisciplined Local Clock. This is a fake driver intended for backup
## and when no outside source of synchronized time is available.
##
server 127.127.1.0
# local clock (LCL)
fudge 127.127.1.0 stratum 10
# LCL is unsynchronized
## Undisciplined Local Clock. This is a fake driver intended for backup
## and when no outside source of synchronized time is available.
##
server 127.127.1.0
# local clock (LCL)
fudge 127.127.1.0 stratum 10
# LCL is unsynchronized
##
## Add external Servers using
## # rcntp addserver <yourserver>
## Add external Servers using
## # rcntp addserver <yourserver>
---------------------------------
5. Install eDirectory 8.8 SP8 and iManager 2.7 SP7 as well as their latest patches. The latest eDirectory, NMAS and Kerberos plugins will also need to be installed. At the time of this writing they were:
- eDirectory88 Plugins 2.7.20140406
- NetIQ Kerberos Plugin 2.7.20140406
- NMAS Plug-ins for iManager 8.880.20130826
- Novell iManager Password Management 10.7.20120601
- NetIQ Kerberos Plugin 2.7.20140406
- NMAS Plug-ins for iManager 8.880.20130826
- Novell iManager Password Management 10.7.20120601
6. Enable iManager to perform non-TLS binds then refresh the LDAP server. This can be re-enabled after all steps have been completed.
A. iManager - LDAP - LDAP Options - Group - Information - uncheck to require TLS for simple binds.
B. iManager - LDAP - LDAP Options - Server - Information - Refresh.
B. iManager - LDAP - LDAP Options - Server - Information - Refresh.
7. Populate KeyStores (iMgr\Tomcat & kdb5_ldap_util \OpenLDAP)
In order for the Kerberos plugin to work the following steps will need to be performed so that the tree Root CA's certificate is trusted by placing it in the appropriate keystore.
In order for the Kerberos plugin to work the following steps will need to be performed so that the tree Root CA's certificate is trusted by placing it in the appropriate keystore.
A. iManager Keystore
The Kerberos plugin does not use the default iManager keystore but "system's".
1. Copy the Root CA's exported certificate to the iManager 'system' keystore and use the password 'changeit' when prompted.
/opt/novell/jdk1.7.0_25/bin/keytool -import -alias "krb" -file /root/hvaughan/cert.der -keystore
The Kerberos plugin does not use the default iManager keystore but "system's".
1. Copy the Root CA's exported certificate to the iManager 'system' keystore and use the password 'changeit' when prompted.
/opt/novell/jdk1.7.0_25/bin/keytool -import -alias "krb" -file /root/hvaughan/cert.der -keystore
/opt/novell/jdk1.7.0_25/jre/lib/security/cacerts.
2. Restart Tomcat
/etc/init.d/novell-tomcat7 restart
2. Restart Tomcat
/etc/init.d/novell-tomcat7 restart
B. OpenLDAP Client Keystore
The kdb5_ldap_util utility uses the openLDAP client configuration files (ldap.conf, .ldaprc). Once the OpenLDAP client is aware of the trust the kdb5_ldap_util utility will also share that trust.
The kdb5_ldap_util utility uses the openLDAP client configuration files (ldap.conf, .ldaprc). Once the OpenLDAP client is aware of the trust the kdb5_ldap_util utility will also share that trust.
1. Copy the tree Root CA certificate (example: cp /tmp/krbcert/data/SSCert.pem /etc/ssl/certs)
2. Run c_rehash
3. Edit ldap.conf (On SLES, the file is under /etc/openldap/) to specify the trusted CA certificate:
TLS_CACERTDIR /etc/ssl/certs
4. Verify the openLDAP client works with this configuration by performing a secure ldapsearch on eDir, over LDAPS.
2. Run c_rehash
3. Edit ldap.conf (On SLES, the file is under /etc/openldap/) to specify the trusted CA certificate:
TLS_CACERTDIR /etc/ssl/certs
4. Verify the openLDAP client works with this configuration by performing a secure ldapsearch on eDir, over LDAPS.
/usr/bin/ldapsearch -x -H ldaps://hv5.lab.novell.com:636 -D cn=admin,o=emg cn
If the following is seen it is likely due to a problem with the reverse address.
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Just use the server's ip address instead of the DNS name above.
/usr/bin/ldapsearch -x -H ldaps://192.168.211.41:636 -D cn=admin,o=emg cn
8. LDAP Extensions
The Kerberos LDAP extensions must be in place for the Kerberos iManager plugin to work. The GSSAPI method is not required for the KPA to function.
The Kerberos LDAP extensions must be in place for the Kerberos iManager plugin to work. The GSSAPI method is not required for the KPA to function.
A. Unzip the nmasmethods_8881.zip file within the 8882 patch
B. Navigate to the extracted directory: NmasMethods/Novell/GSSAPI/64bit/GSSAPI/Kerberos_ldap_extensions/Linux
C. Run the following command: ./krbLdapConfig -i -D cn=admin,o=emg -w novell -h 192.168.211.41 -p 389
B. Navigate to the extracted directory: NmasMethods/Novell/GSSAPI/64bit/GSSAPI/Kerberos_ldap_extensions/Linux
C. Run the following command: ./krbLdapConfig -i -D cn=admin,o=emg -w novell -h 192.168.211.41 -p 389
9. Extend Schema
Now that the plugin should be working, extend schema using the Kerberos plugin.
iManager - Kerberos Management - Extend Schema
Now that the plugin should be working, extend schema using the Kerberos plugin.
iManager - Kerberos Management - Extend Schema
10. Customize the /etc/krb5.conf file for the environment
Example:
-------------------------------------------------
-------------------------------------------------
[libdefaults]
default_realm = SAMPLE
clockskew = 3000
default_realm = SAMPLE
clockskew = 3000
[realms]
sample.com = {
kdc = hvaughan10.SAMPLE
default_domain = SAMPLE
admin_server = hv5.SAMPLE
}
SAMPLE = {
kdc = hv5.SAMPLE
admin_server = hv5.SAMPLE
}
sample.com = {
kdc = hvaughan10.SAMPLE
default_domain = SAMPLE
admin_server = hv5.SAMPLE
}
SAMPLE = {
kdc = hv5.SAMPLE
admin_server = hv5.SAMPLE
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.sample = SAMPLE
.lab.novell.com = SAMPLE
.sample = SAMPLE
.lab.novell.com = SAMPLE
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = true
minimum_uid = 0
clockskew = 3000
external = sshd
use_shmem = sshd
}
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = true
minimum_uid = 0
clockskew = 3000
external = sshd
use_shmem = sshd
}
-------------------------------------------------
11. Copy the trusted root
cp /var/opt/novell/eDirectory/data/SSCert.der /opt/novell/kerberos/Trustedroot.der
cp /var/opt/novell/eDirectory/data/SSCert.der /opt/novell/kerberos/Trustedroot.der
12.
Run the command to create the realm on the KDC
kdb5_util create -r SAMPLE -s
13. Create the Service Objects in eDirectory and add their ACLs. Also the Security container must have its krbContainerReference attribute point to the Kerberos realm container (Kerberos.Security).
This is best done from a LDIF script.
1. ldapmodify -x -h 192.168.211.41 -D "cn=admin,o=emg" -w novell -f /root/hv5/krb_services.ldif
1. ldapmodify -x -h 192.168.211.41 -D "cn=admin,o=emg" -w novell -f /root/hv5/krb_services.ldif
Sample krb_services.ldif:
----------------------------------------
dn:cn=krb-kdc,o=emg
changetype:add
objectclass:user
sn:cn=krb-kdc
userpassword:novell
changetype:add
objectclass:user
sn:cn=krb-kdc
userpassword:novell
dn:cn=krb-admin,o=emg
changetype:add
objectclass:user
sn:cn=krb-admin
userpassword:novell
changetype:add
objectclass:user
sn:cn=krb-admin
userpassword:novell
dn:cn=Security
changetype:modify
add:objectClass
objectClass:krbContainerRefAux
changetype:modify
add:objectClass
objectClass:krbContainerRefAux
dn:cn=Security
changetype:modify
add:krbContainerReference
krbContainerReference:cn=Kerberos,cn=Security
changetype:modify
add:krbContainerReference
krbContainerReference:cn=Kerberos,cn=Security
dn:o=emg
changetype:modify
add:ACL
acl: 48#subtree#cn=krb-admin,o=emg#[Entry Rights]
acl: 48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]
acl: 33#subtree#cn=krb-kdc,o=emg#[Entry Rights]
acl: 3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]
changetype:modify
add:ACL
acl: 48#subtree#cn=krb-admin,o=emg#[Entry Rights]
acl: 48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]
acl: 33#subtree#cn=krb-kdc,o=emg#[Entry Rights]
acl: 3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]
dn:cn=SAMPLE,cn=Kerberos,cn=Security
changetype:modify
add:ACL
acl: 48#subtree#cn=krb-admin,o=emg#[Entry Rights]
acl: 48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]
acl: 33#subtree#cn=krb-kdc,o=emg#[Entry Rights]
acl: 3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]
changetype:modify
add:ACL
acl: 48#subtree#cn=krb-admin,o=emg#[Entry Rights]
acl: 48#subtree#cn=krb-admin,o=emg#[All Attributes Rights]
acl: 33#subtree#cn=krb-kdc,o=emg#[Entry Rights]
acl: 3#subtree#cn=krb-kdc,o=emg#[All Attributes Rights]
----------------------------------------
15. Ensure that krbContainerReference attribute on the Security container points to the Kerberos.Security container. iMonitor makes this easy.
=
17. Fire up the KDC daemons.
A.
A.
- /etc/init.d/krb5kdc start
- /etc/init.d/kadmind start
- /etc/init.d/kadmind start
B. Run chkconfig against the daemons so they will start when NDSD starts.
- chkconfig krb5kdc on -level 235
- chkconfig kadmind on -level 235
Verify
- chkconfig krb5kdc --list
- chkconfig kadmind --list
- chkconfig krb5kdc on -level 235
- chkconfig kadmind on -level 235
Verify
- chkconfig krb5kdc --list
- chkconfig kadmind --list
18. Using the Kerberos plugin's "Edit Realm" task, enable UP for the realm
iManager - Kerberos Management - Edit Realm - SAMPLE.Kerberos.Security - place a check in the check box for Use Universal Password
NOTE: Many of other fields that are displayed in the plugin are not applicable to using the KPA and eDir as a back-end to KDC so they are ignored.
19. Ensure a UP password policy is in place and assigned to the user.
- Verify that the "Synchronize Distribution Password while setting Universal Password" option is enabled in the password policy.
- Verify the policy either does not have the advanced rules enabled or does not allow extended characters by deselecting the options "Allow non-alphanumeric characters" and "Allow non-US ASCII characters".
- Verify that the "Synchronize Distribution Password while setting Universal Password" option is enabled in the password policy.
- Verify the policy either does not have the advanced rules enabled or does not allow extended characters by deselecting the options "Allow non-alphanumeric characters" and "Allow non-US ASCII characters".
2. iManager - Directory Administration - Modify Object - user1.krbusers.emg - Other tab - Select krbPrincipalReferences - Click on left arrow - use the object selector and select the standalone principal object created earlier: princ2@SAMPLE.emg
=
ADDITIONAL REFERENCES
KPA documentation in the eDirectory 8.8 SP8 Administration Guide: https://www.netiq.com/documentation/edir88/edir88/data/bs3o4p9.html
MIT Kerberos documentation: http://web.mit.edu/kerberos/krb5-devel/doc/admin
MIT Kerberos\LDAP Integration: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html