This is a setup (work in progres) for NFS4 with Kerberos and secure LDAP on Debian Squeeze. Kerberos will use LDAP as backend database. Most information in this setup comes from Heiko Noordhof. I know, there are allready pages in this wiki about NFS4, Kerberos and LDAP. This howto tries to give an easy start. The setup is not very secure, but in most cases secure enough.
This page is about the server setup. You can find the client setup here: http://wiki.debian.org/nfs4-kerberos-ldap-client
The idea is, that you copy/paste parts of the howto to your console. Look out when you copy many lines, some commands (like "apt-get" and "read") will remove later lines from memory. That's why I made an empty line after that commands.
First of all, you will need a correct FQDN hostname on both client and server. If you give the command "hostname --fqdn" this should give something like "anja.example.com" and not only "anja". You can change the hostname in /etc/hostname, after changing it you must run /etc/init.d/hostname.sh and logout and login. You can change the domain-part in /etc/hosts. You need there a line like:
127.0.1.1 anja.example.com anja
where "anja" is the hostname of the machine, and "example.com" is your domain. Every machine needs an unique name.
In your firewall you have to open these ports for the server: 636 TCP (ldaps), 2049 TCP (nfs), 88 UDP and 88 TCP (kerberos), 749 TCP (kadmin).
Server setup:
# become root: su - # When you did install LDAP or Kerberos or NFS before, it is a good idea to remove it to # have a clean start. Backup it first if you want to keep it! apt-get purge krb5-kdc-ldap gnutls-bin krb5-admin-server nfs-kernel-server \ ldap-utils slapd krb5-kdc rm -rv /var/lib/ldap/ rm -rv /etc/ldap/ rm -rv /etc/krb5kdc/ rm -rv /root/kerberos-setup/ rm -r /etc/krb5.keytab rm -v /etc/krb5.conf rm -v /etc/ssl/certs/CAself-cert.pem rm -v /etc/ssl/certs/*_slapd_cert.pem rm -v /etc/ssl/*.info rm -v /etc/ssl/private/*_slapd_key.pem rm -v /etc/ssl/private/CAself-key.pem # check your hostname if it's correct. When not, see the part at the begin of the howto hostname --fqdn # Main setup variables defaults SERVER=$(hostname --fqdn) # something like: server1.example.com DOMAIN=${SERVER#*.} # something like: example.com REALM=$(echo "${DOMAIN}" | tr '[:lower:]' '[:upper:]') # something like: EXAMPLE.COM LDAPROOT=""; IFS="."; for DC in $DOMAIN ; do LDAPROOT="${LDAPROOT},dc=$DC"; done; LDAPROOT="${LDAPROOT#,}" # something like: dc=example,dc=com echo -e "\nSERVER: $SERVER \nDOMAIN: $DOMAIN \nREALM: $REALM \nLDAPROOT: $LDAPROOT \n\ Change this defaults when needed with something like: DOMAIN='example2.com' \n" # Install packages without questions. You can also answer the questions but this is # pointless, because the configuration will be overwritten later. # Some errors are normal because of the noninteractive install DEBIAN_FRONTEND=noninteractive apt-get install ldap-utils slapd nfs-kernel-server \ krb5-admin-server krb5-kdc krb5-kdc-ldap krb5-doc libnss-ldap nscd libpam-ldap \ gnutls-bin ssl-cert ntp pwgen ssh rpl # Directory for temporary setup files SETUPDIR=/root/kerberos-setup/ mkdir "$SETUPDIR" chmod 700 "$SETUPDIR" cd "$SETUPDIR" # Setup ldap.conf for clients cat <<EOF >/etc/ldap/ldap.conf BASE ${LDAPROOT} URI ldapi:// EOF # Setup SSL/TLS certificate (self-signed) for TLS on LDAP CA_KEY=/etc/ssl/private/CAself-key.pem CA_INFO=/etc/ssl/CAself.info CA_CERT=/etc/ssl/certs/CAself-cert.pem certtool --generate-privkey >"${CA_KEY}" cat <<EOF >"${CA_INFO}" cn = ${DOMAIN} ca cert_signing_key EOF certtool \ --generate-self-signed \ --load-privkey "${CA_KEY}" \ --template "${CA_INFO}" \ --outfile "${CA_CERT}" chgrp ssl-cert "${CA_KEY}" chmod 0640 "${CA_KEY}" # Generate private-key for TLS on the LDAP-service LDAP_TLS_KEY="/etc/ssl/private/${SERVER}_slapd_key.pem" LDAP_TLS_INFO="/etc/ssl/${SERVER}.info" LDAP_TLS_CERT="/etc/ssl/certs/${SERVER}_slapd_cert.pem" certtool --generate-privkey >"${LDAP_TLS_KEY}" cat <<EOF >"${LDAP_TLS_INFO}" organization = ${DOMAIN} cn = ${SERVER} tls_www_server encryption_key signing_key EOF certtool \ --generate-certificate \ --load-privkey "${LDAP_TLS_KEY}" \ --load-ca-certificate "${CA_CERT}" \ --load-ca-privkey "${CA_KEY}" \ --template "${LDAP_TLS_INFO}" \ --outfile "${LDAP_TLS_CERT}" chgrp ssl-cert "${LDAP_TLS_KEY}" chmod 0640 "${LDAP_TLS_KEY}" # Set access to ssl keys for LDAP-daemon (slapd) adduser openldap ssl-cert # Generate hash from admin password LDAP_ADMIN_PW=$(pwgen -s 10 1) echo -n "$LDAP_ADMIN_PW" >ldap-admin-pw.txt chmod 600 ldap-admin-pw.txt LDAP_ADMIN_HASH=$(slappasswd -h '{SHA}' -T ldap-admin-pw.txt) touch passwords.txt; chmod 600 passwords.txt echo "LDAP admin password: $LDAP_ADMIN_PW" >> passwords.txt # Create ldifs and load them into LDAP cat <<EOF >slapd-loglevel.ldif dn: cn=config changeType: modify replace: olcLogLevel olcLogLevel: stats EOF ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-loglevel.ldif cat <<EOF >slapd-tls.ldif dn: cn=config changeType: modify add: olcTLSCACertificateFile olcTLSCACertificateFile: ${CA_CERT} - add: olcTLSCertificateFile olcTLSCertificateFile: ${LDAP_TLS_CERT} - add: olcTLSCertificateKeyFile olcTLSCertificateKeyFile: ${LDAP_TLS_KEY} EOF ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-tls.ldif cat <<EOF >slapd-database.ldif dn: olcDatabase={1}hdb,cn=config changeType: modify replace: olcDbConfig olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE - replace: olcRootPW olcRootPW: ${LDAP_ADMIN_HASH} EOF ldapmodify -v -Y EXTERNAL -H ldapi:/// -f slapd-database.ldif # Do not listen on the clear-text port (389) only SSL/LDAPS (636) sed -i 's|^SLAPD_SERVICES.*|SLAPD_SERVICES="ldaps:/// ldapi:///"|' /etc/default/slapd # Add indices cat <<EOF >indices.ldif dn: olcDatabase={1}hdb,cn=config add: olcDbIndex olcDbIndex: cn eq,pres olcDbIndex: uid eq,pres olcDbIndex: uidNumber eq,pres olcDbIndex: gidNumber eq,pres EOF ldapmodify -v -Y EXTERNAL -H ldapi:/// -f indices.ldif # Restart LDAP-server /etc/init.d/slapd restart # Setup LDAP structure # Generate random password for kerberos-admin account in LDAP, and a hash. LDAP_KRBADMIN_PW=$(pwgen -s 12 1) echo -n "$LDAP_KRBADMIN_PW" >ldap-krbadmin-pw.txt chmod 600 ldap-krbadmin-pw.txt LDAP_KRBADMIN_HASH=$(slappasswd -h '{SHA}' -T ldap-krbadmin-pw.txt) cat <<EOF >structure.ldif dn: cn=krb-admin,${LDAPROOT} cn: krb-admin objectClass: organizationalRole objectClass: simpleSecurityObject userPassword: ${LDAP_KRBADMIN_HASH} dn: ou=groups,${LDAPROOT} objectClass: organizationalUnit ou: groups dn: ou=users,${LDAPROOT} objectClass: organizationalUnit ou: users EOF ldapadd -x -D cn=admin,"${LDAPROOT}" -y ldap-admin-pw.txt -f structure.ldif # Setup kerberos services, with backend database in LDAP gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz >krb.schema echo 'include krb.schema' >slapd.tmp.conf slaptest -f slapd.tmp.conf -F ./ mv 'cn=config/cn=schema/cn={0}krb.ldif' krb.schema.ldif sed -i 's/^dn: cn={0}krb/dn: cn=kerberos,cn=schema,cn=config/' krb.schema.ldif sed -i 's/^cn: {0}krb/cn: kerberos/' krb.schema.ldif sed -i '/^structuralObjectClass/,$d' krb.schema.ldif ldapadd -QY EXTERNAL -H ldapi:/// -f krb.schema.ldif # Add index cat <<EOF >krbindex.ldif dn: olcDatabase={1}hdb,cn=config add: olcDbIndex olcDbIndex: krbPrincipalName eq,pres,sub EOF ldapmodify -v -Y EXTERNAL -H ldapi:/// -f krbindex.ldif # Add some ACL's cat <<EOF >krbacl.ldif dn: olcDatabase={1}hdb,cn=config replace: olcAccess olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=krb-admin,${LDAPROOT}" write by anonymous auth by self write by * none - add: olcAccess olcAccess: to dn.base="" by * read - add: olcAccess olcAccess: to * by dn="cn=krb-admin,${LDAPROOT}" write by * read EOF ldapmodify -v -Y EXTERNAL -H ldapi:/// -f krbacl.ldif # Setup MIT-kerberos cp /etc/krb5.conf /etc/krb5.conf.bak-$(date +%Y%m%d_%H%M) cat <<EOF >/etc/krb5.conf [libdefaults] default_realm = ${REALM} allow_weak_crypto = true default_tgs_enctypes = des-cbc-crc default_tkt_enctypes = des-cbc-crc permitted_enctypes = des-cbc-crc krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true ticket_lifetime = 525600 [realms] ${REALM} = { kdc = ${SERVER} admin_server = ${SERVER} default_domain = ${DOMAIN} database_module = openldap_ldapconf } [domain_realm] .${DOMAIN} = ${REALM} [login] krb4_convert = true krb4_get_tickets = false [logging] kdc = SYSLOG:INFO:DAEMON admin_server = SYSLOG:INFO:DAEMON default = SYSLOG:INFO:DAEMON [dbdefaults] ldap_kerberos_container_dn = ${LDAPROOT} [dbmodules] openldap_ldapconf = { db_library = kldap ldap_kdc_dn = "cn=krb-admin,${LDAPROOT}" ldap_kadmind_dn = "cn=krb-admin,${LDAPROOT}" ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_servers = ldapi:/// ldap_conns_per_server = 5 EOF # Change security settings Kerberos (this is not very secure) rpl "max_life = 10h 0m 0s" "max_life = 365d 0h 0m 0s" /etc/krb5kdc/kdc.conf # ACL to grant all permissions to principals like "<name>/admin@<REALM>" echo '*/admin *' >>/etc/krb5kdc/kadm5.acl # Ask for password for kerberos LDAP backend KLDAPPWD=`pwgen -s 10 1` read -p "Password for Kerberos LDAP backend, specify a password (return='$KLDAPPWD') : " KLDAPPW if test "$KLDAPPW" = ""; then KLDAPPW="$KLDAPPWD"; fi echo "$KLDAPPW" > $SETUPDIR/kerberos-ldap-password.txt echo "Kerberos LDAP password: $KLDAPPW" >> passwords.txt # Create basic entries in the kerberos LDAP backend echo -e "You will now be asked to enter the password (twice). \n Please copy and paste the password, it is: $KLDAPPW\n" kdb5_ldap_util -w "$LDAP_KRBADMIN_PW" \ -D "cn=krb-admin,$LDAPROOT" \ create \ -subtrees "$LDAPROOT" \ -r "$REALM" \ -s \ -H ldapi:/// # Stash the LDAP-password for the account the kerberos daemons use to # read and write to LDAP echo -e "You will now be asked to enter another password (twice). \n Please copy/paste the following password in there: $LDAP_KRBADMIN_PW\n" kdb5_ldap_util -w "$LDAP_KRBADMIN_PW" \ -D "cn=krb-admin,$LDAPROOT" \ stashsrvpw \ -f /etc/krb5kdc/service.keyfile \ "cn=krb-admin,$LDAPROOT" # Restart the Kerberos daemons /etc/init.d/krb5-kdc restart /etc/init.d/krb5-admin-server restart # kerberos admin user: read -p "Kerberos admin username, normally your name (without '/admin'): " KADMIN echo "kerberos admin username: $KADMIN/admin" >> passwords.txt KADMINPWD=`pwgen -s 10 1` read -p "Password for Kerberos admin user, specify a password (return='$KADMINPWD') : " KADMINPW if test "$KADMINPW" = ""; then KADMINPW="$KADMINPWD"; fi echo "kerberos admin paswword: $KADMINPW" >> passwords.txt kadmin.local -q "addprinc -pw $KADMINPW $KADMIN/admin" # The NFS-server must know the same user names and UID's as the clients. # Therefore our server name service switch needs to be a client of the server itself. cp /etc/libnss-ldap.conf /etc/libnss-ldap.conf -$(date +%Y%m%d_%H%M) cat <<EOF >/etc/libnss-ldap.conf uri ldapi:// ldap_version 3 base ${LDAPROOT} scope sub EOF # Activate LDAP in name service switch sed -i 's/compat/files ldap/' /etc/nsswitch.conf /etc/init.d/nscd restart # Setup NFS4-service # ==> Security level "krb5i" is middle level. More secure (everything encrypted) # would be: "krb5p". This must match mount option on the client. mkdir -p /srv/nfs4/home echo "/srv/nfs4 *.${DOMAIN}(rw,sync,sec=krb5i,fsid=0,crossmnt,no_subtree_check) " >> /etc/exports echo "/srv/nfs4/home *.${DOMAIN}(rw,sync,sec=krb5i,no_subtree_check) " >> /etc/exports # Create kerberos principal for NFS-server kadmin.local -q "addprinc -randkey nfs/${SERVER}" # Store the key for the nfs-service principal in (default) keytab file kadmin.local -q "ktadd nfs/${SERVER}" # Configure NFS-service daemons for kerberized NFS4: sed -i 's/^ *NEED_SVCGSSD=.*$/NEED_SVCGSSD=yes/' /etc/default/nfs-kernel-server sed -i 's/^ *NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common # Restart the NFS4 (related) services /etc/init.d/nfs-kernel-server stop /etc/init.d/nfs-common restart /etc/init.d/nfs-kernel-server start # Download and install some usefull scripts in /usr/local/sbin/ # maybe take a look first in http://vandervlis.nl/krb5/ mkdir scripts; cd scripts wget -qr -nd --no-parent http://vandervlis.nl/krb5/ rm index.html* rpl "dc=example,dc=com" "$LDAPROOT" variables rpl "secret" "$LDAP_ADMIN_PW" variables chmod +x * chmod 600 variables uid guid cp -a * /usr/local/sbin/ cd $SETUPDIR touch /var/log/au.log chmod 600 /var/log/au.log # Test creating users au jan25 # creates a user "jan25" in Kerberos and LDAP getent passwd jan25 # check if the user excists ru jan25 # removes the test user # Add a real user and an machine account au # add user ama # add machine account # There is a problem starting the daemons, see: # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582122 rpl '"exit 0"' '"exit 0"' /etc/rc.local rpl "exit 0" "krb5-admin-server start krb5-kdc start exit 0" /etc/rc.local #I did this too, not sure it's needed: #disable ipv6 #echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf #reboot #and I made the reverse DNS correct # Give information about the setup on the screen: echo -e "\nSave this information on a good place:\n ==> LDAP root: ${LDAPROOT} ==> LDAP super-user account: cn=admin,${LDAPROOT} ==> LDAP super-user password: ${LDAP_ADMIN_PW} ==> Kerberos realm: ${REALM} ==> Kerberos LDAP password: $KLDAPPW ==> Kerberos admin username: $KADMIN/admin ==> Kerberos admin paswword: $KADMINPW \n"
The setupdir contains all passwords among other things. Please make sure to remove this directory later.
When you have troubles, it's a good idea to check if all the daemons are running:
# nfs-common root@server:~# ps aux | grep [r]pc.gssd root 2394 0.0 0.0 32164 1948 ? Ss 21:58 0:00 /usr/sbin/rpc.gssd root@mama1:~# ps aux | grep [i]dmap root 2390 0.0 0.0 21176 540 ? Ss 21:58 0:00 /usr/sbin/rpc.idmapd # nfs-kernel-server root@mama1:/etc/init.d# ps aux | grep [r]pc.svcgssd root 2271 0.0 0.0 32128 1420 ? Ss 17:02 0:00 /usr/sbin/rpc.svcgssd # krb5-kdc root@mama1:~# ps aux | grep [k]rbkdc root 2318 0.0 0.0 56948 1772 ? Ss 21:51 0:00 /usr/sbin/krb5kdc # krb5-admin-server root@server:/etc/init.d# ps aux | grep [k]admind root 2309 0.0 0.0 54856 1164 ? Ss 21:50 0:00 /usr/sbin/kadmind # not sure this is all