Linux system account ticket lifetime

[Carter, Joel]

Thanks for the detailed info, I'll give it a shot!

Joel.

-----Original Message-----
From: Brian Candler [mailto:B.Candler at pobox.com] 
Sent: January-30-11 2:13 AM
To: Carter, Joel
Cc: kerberos at mit.edu
Subject: Re: Linux system account ticket lifetime

On Fri, Jan 28, 2011 at 03:48:50PM -0800, Carter, Joel wrote:
> I have a RHEL5 machine that I want to use Kerberos tickets to access
> cifs shares on my AD domain. I want this ticket to be valid all the
time
> (and thus able to mount using it any time) so that I don't have to go
> back to the old way of passing usernames and passwords on the command
> line or in a file.

I effectively do this for LDAP - i.e. nss_ldap uses kerberos to
authenticate
and encrypt the system LDAP queries.

What I do is use the key in the system keytab, and in a cronjob get a
ticket
for host/foo.example.com.  Then the ldap client is configured to use
this
ticket cache.

    --- /etc/cron.hourly/kerberos ---
    #!/bin/sh
    /usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host

    --- to test from command line ---
    # KRB5CCNAME=/tmp/krb5cc_host ldapsearch

    --- /etc/ldap.conf ---
    krb5_ccname /tmp/krb5cc_host
    use_sasl on
    rootuse_sasl on
    base dc=foo,dc=example,dc=com
    uri ldap://ldap.foo.example.com
    ldap_version 3
    sasl_secprops minssf=56
    nss_initgroups_ignoreusers
backup,bin,bind,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,nsl
cd,ntp,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data

The LDAP server is configured to require kerberos, and permit read-only
access to any authenticated user (which includes host/xxx principals):

    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
    dn: cn=config
    replace: olcSaslSecProps
    olcSaslSecProps: noanonymous,noplain,minssf=56

    dn: olcDatabase={1}hdb,cn=config
    replace: olcAccess
    olcAccess: {0}to * by
dn.regex="^uid=([^@,]+)/admin,cn=gssapi,cn=auth$" manage by users read
    -
    replace: olcRequires
    olcRequires: SASL
    EOS

Note that both the system keytab and /tmp/krb5cc_host are only readable
by
root.  As it happens, nscd also runs as root, so that's not a problem.
If I
wanted it to run nscd as a different user, then in the cronjob I'd copy
the
ticket cache to another file and change its ownership.

    umask 077
    cp /tmp/krb5cc_host /tmp/krb5cc_nscd
    chown nscd /tmp/krb5cc_nscd

The advantage of this approach is that it leverages the kerberos
infrastructure to protect LDAP, eliminating the need for TLS and
certificates.

I'm not a Windows user, but I imagine you could adapt it for CIFS access
too.  If necessary, you could have a separate keytab with a "real" user
principal's credentials in it, if you can't persuade your CIFS server to
accept a host/xxx principal as an authorized user.  The point is you can
convert the keytab into a ticket cache using a cronjob.

HTH,

Brian.