Linux system account ticket lifetime

Brian Candler B.Candler at pobox.com
Sun Jan 30 05:13:14 EST 2011 

On Fri, Jan 28, 2011 at 03:48:50PM -0800, Carter, Joel wrote:
> I have a RHEL5 machine that I want to use Kerberos tickets to access
> cifs shares on my AD domain. I want this ticket to be valid all the time
> (and thus able to mount using it any time) so that I don't have to go
> back to the old way of passing usernames and passwords on the command
> line or in a file.

I effectively do this for LDAP - i.e. nss_ldap uses kerberos to authenticate
and encrypt the system LDAP queries.

What I do is use the key in the system keytab, and in a cronjob get a ticket
for host/foo.example.com.  Then the ldap client is configured to use this
ticket cache.

    --- /etc/cron.hourly/kerberos ---
    #!/bin/sh
    /usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host

    --- to test from command line ---
    # KRB5CCNAME=/tmp/krb5cc_host ldapsearch

    --- /etc/ldap.conf ---
    krb5_ccname /tmp/krb5cc_host
    use_sasl on
    rootuse_sasl on
    base dc=foo,dc=example,dc=com
    uri ldap://ldap.foo.example.com
    ldap_version 3
    sasl_secprops minssf=56
    nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,nslcd,ntp,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data

The LDAP server is configured to require kerberos, and permit read-only
access to any authenticated user (which includes host/xxx principals):

    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
    dn: cn=config
    replace: olcSaslSecProps
    olcSaslSecProps: noanonymous,noplain,minssf=56

    dn: olcDatabase={1}hdb,cn=config
    replace: olcAccess
    olcAccess: {0}to * by dn.regex="^uid=([^@,]+)/admin,cn=gssapi,cn=auth$" manage by users read
    -
    replace: olcRequires
    olcRequires: SASL
    EOS

Note that both the system keytab and /tmp/krb5cc_host are only readable by
root.  As it happens, nscd also runs as root, so that's not a problem.  If I
wanted it to run nscd as a different user, then in the cronjob I'd copy the
ticket cache to another file and change its ownership.

    umask 077
    cp /tmp/krb5cc_host /tmp/krb5cc_nscd
    chown nscd /tmp/krb5cc_nscd

The advantage of this approach is that it leverages the kerberos
infrastructure to protect LDAP, eliminating the need for TLS and
certificates.

I'm not a Windows user, but I imagine you could adapt it for CIFS access
too.  If necessary, you could have a separate keytab with a "real" user
principal's credentials in it, if you can't persuade your CIFS server to
accept a host/xxx principal as an authorized user.  The point is you can
convert the keytab into a ticket cache using a cronjob.

HTH,

Brian.

More information about the Kerberos mailing list