Linux system account ticket lifetime
Carter, Joel
JoelC at trailerwizards.com
Tue Feb 1 12:04:23 EST 2011
Thanks for the detailed info, I'll give it a shot!
Joel.
-----Original Message-----
From: Brian Candler [mailto:B.Candler at pobox.com]
Sent: January-30-11 2:13 AM
To: Carter, Joel
Cc: kerberos at mit.edu
Subject: Re: Linux system account ticket lifetime
On Fri, Jan 28, 2011 at 03:48:50PM -0800, Carter, Joel wrote:
> I have a RHEL5 machine that I want to use Kerberos tickets to access
> cifs shares on my AD domain. I want this ticket to be valid all the time
> (and thus able to mount using it any time) so that I don't have to go
> back to the old way of passing usernames and passwords on the command
> line or in a file.
I effectively do this for LDAP - i.e. nss_ldap uses kerberos to authenticate
and encrypt the system LDAP queries.

What I do is use the key in the system keytab, and in a cronjob get a ticket
for host/foo.example.com. Then the ldap client is configured to use this
ticket cache.
--- /etc/cron.hourly/kerberos ---
#!/bin/sh
/usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host
--- to test from command line ---
# KRB5CCNAME=/tmp/krb5cc_host ldapsearch
--- /etc/ldap.conf ---
krb5_ccname /tmp/krb5cc_host
use_sasl on
rootuse_sasl on
base dc=foo,dc=example,dc=com
uri ldap://ldap.foo.example.com
ldap_version 3
sasl_secprops minssf=56
nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,nslcd,ntp,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data
The LDAP server is configured to require kerberos, and permit read-only
access to any authenticated user (which includes host/xxx principals):
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=56

dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: {0}to * by dn.regex="^uid=([^@,]+)/admin,cn=gssapi,cn=auth$" manage by users read
-
replace: olcRequires
olcRequires: SASL
EOS
Note that both the system keytab and /tmp/krb5cc_host are only readable by
root. As it happens, nscd also runs as root, so that's not a problem. If I
wanted it to run nscd as a different user, then in the cronjob I'd copy the
ticket cache to another file and change its ownership.
umask 077
cp /tmp/krb5cc_host /tmp/krb5cc_nscd
chown nscd /tmp/krb5cc_nscd
The advantage of this approach is that it leverages the kerberos
infrastructure to protect LDAP, eliminating the need for TLS and
certificates.
I'm not a Windows user, but I imagine you could adapt it for CIFS access
too. If necessary, you could have a separate keytab with a "real" user
principal's credentials in it, if you can't persuade your CIFS server to
accept a host/xxx principal as an authorized user. The point is you can
convert the keytab into a ticket cache using a cronjob.
HTH,
Brian.
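The keytab-to-ticket-cache cron job Brian describes, with the root-only cache and the copy-for-another-user step, as an added example (not Brian's own script): it obtains the ticket into a private temp file, verifies it with klist before renaming it into place, so a failed kinit never clobbers a still-valid cache. It assumes MIT Kerberos kinit/klist; the keytab path, the cache paths and the KINIT/KLIST/CHOWN override variables (present so a test can substitute stubs) are this example's own choices.

```shell
#!/bin/sh
# Hourly refresh of a host-principal ticket cache from the system keytab,
# after the /etc/cron.hourly/kerberos job in the post. Added example, not
# Brian's script. Assumes MIT Kerberos; paths and the KINIT/KLIST/CHOWN
# override variables (for substituting test stubs) are assumptions.
set -eu

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
CACHE=${CACHE:-/tmp/krb5cc_host}
PRINCIPAL=${PRINCIPAL:-host/$(uname -n)}   # use the FQDN form present in the keytab
KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}
CHOWN=${CHOWN:-chown}

# Obtain a fresh TGT into a root-only temp file and rename it into place, so a
# reader of $CACHE never sees a half-written file, and a failed kinit (KDC
# down, keytab rotated) leaves the previous, possibly still valid, cache intact.
refresh_cache() {
    tmp="$CACHE.tmp.$$"
    umask 077
    if "$KINIT" -k -t "$KEYTAB" -c "$tmp" "$PRINCIPAL" && "$KLIST" -s -c "$tmp"; then
        mv -f "$tmp" "$CACHE"
        return 0
    fi
    rm -f "$tmp"
    echo "refresh_cache: could not obtain a ticket for $PRINCIPAL" >&2
    return 1
}

# Hand a non-root daemon (nscd in the post) its own copy: mode 0600, owned by
# that user, again installed by atomic rename.
install_copy_for() {   # $1 = user, $2 = destination cache file
    tmp="$2.tmp.$$"
    umask 077
    cp "$CACHE" "$tmp"
    "$CHOWN" "$1" "$tmp"
    mv -f "$tmp" "$2"
}

main() {
    refresh_cache
    # install_copy_for nscd /tmp/krb5cc_nscd   # only if nscd does not run as root
}

# Run the refresh only when installed under the cron job's file name; under any
# other name (e.g. sourced by a test) the file just defines the functions.
case "${0##*/}" in kerberos) main ;; esac
```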