(Hier gibt es die Listings der zweiten Auflage)
Komponente-1[/Komponente-2/.../Komponente-N]@REALM
Ubuntu 10.04.3 LTS lx01 tty1
lx01 login: maxm
Password: DrPig!
Last login: Sun Aug 7 09:23:44 PDT 2011 on pts/0
maxm@lx01:~$
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_nwjnEh
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:31:03 08/07/11 19:30:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:30:55
maxm@lx01:~$
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nwjnEh
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:31:03 08/07/11 19:30:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FRIA
maxm@lx01:~$
maxm@lx01:~$ ldapsearch -h kdc01 -QLLL uid=maxm uidNumber gidNumber
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
uidNumber: 10000
gidNumber: 10000
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nwjnEh
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:31:03 08/07/11 19:30:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FRIA
08/07/11 09:31:18 08/07/11 19:30:55 ldap/kdc01.example.com@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FRAT
maxm@lx01:~$
maxm@lx01:~$ ssh lx02.example.com
Last login: Sun Aug 7 09:29:01 2011 from lx01.example.com
maxm@lx02:~$ klist -f
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000)
maxm@lx02:~$ exit
logout
Connection to lx02.example.com closed.
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_VOa0tv
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:31:03 08/07/11 19:30:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FRIA
08/07/11 09:31:18 08/07/11 19:30:55 ldap/kdc01.example.com@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FRAT
08/07/11 09:31:56 08/07/11 19:30:55 host/lx02.example.com@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FRAT
maxm@lx01:~$
maxm@lx01:~$ ssh -o GSSAPIDelegateCredentials=yes lx02.example.com
Last login: Sun Aug 7 09:31:53 2011 from lx01.example.com
maxm@lx02:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_xVeYOG2418
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:33:51 08/07/11 19:30:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:30:55, Flags: FfRAT
maxm@lx02:~$ exit
logout
Connection to lx02.example.com closed.
maxm@lx01:~$
Host lx02.example.com
GSSAPIDelegateCredentials yes
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_E49B4Z
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:31:03 08/07/11 19:30:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:30:55
08/07/11 09:31:18 08/07/11 19:30:55 ldap/kdc01.example.com@EXAMPLE.COM
renew until 08/14/11 09:30:55
08/07/11 09:31:56 08/07/11 19:30:55 host/lx02.example.com@EXAMPLE.COM
renew until 08/14/11 09:30:55
08/07/11 09:33:42 08/07/11 19:30:55 HTTP/lx02.example.com@EXAMPLE.COM
renew until 08/14/11 09:30:55
maxm@lx01:~$ kdestroy
maxm@lx01:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000_nwjnEh)
maxm@lx01:~$
maxm@lx01:~$ kinit maxm@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: DrPig!
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_nwjnEh
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:37:58 08/07/11 19:37:47 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:37:47
maxm@lx01:~$
maxm@lx01:~$ kvno host/lx02.example.com@EXAMPLE.COM
host/lx02.example.com@EXAMPLE.COM: kvno = 2
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_nwjnEh
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:37:58 08/07/11 19:37:47 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 09:37:47
08/07/11 09:38:30 08/07/11 19:37:47 host/lx02.example.com@EXAMPLE.COM
renew until 08/14/11 09:37:47
maxm@lx01:~$
$ string2key -5 -k des-cbc-md5
Kerberos v5 principal: maxm@EXAMPLE.COM
Password: DrPig!
Kerberos 5 (des-cbc-md5): 868a46df45a8b57f
maxm@lx01:~$ kinit -S HTTP/lx02.example.com@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: DrPig!
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 09:40:17 08/07/11 19:40:11 HTTP/lx02.example.com@EXAMPLE.COM
renew until 08/14/11 09:40:11, Flags: FRIA
maxm@lx01:~$
maxm@lx01:~$ kinit -l 10min -r 20min
Password for maxm@EXAMPLE.COM: DrPig!
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 10:34:19 08/07/11 10:44:16 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/07/11 10:54:16, Flags: FRIA
maxm@lx01:~$
[...9 Minuten warten...]
maxm@lx01:~$ kinit -R
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 10:43:20 08/07/11 10:53:17 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/07/11 10:54:16, Flags: FRIAT
maxm@lx01:~$
[...9 Minuten warten...]
maxm@lx01:~$ kinit -R
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 10:52:20 08/07/11 10:54:16 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/07/11 10:54:16, Flags: FRIAT
maxm@lx01:~$
[...9 Minuten warten...]
maxm@lx01:~$ kinit -R
kinit(v5): Ticket expired while renewing credentials
maxm@lx01:~$
maxm@lx01:~$ kinit -s 20min -l 10min -r 20min
Password for maxm@EXAMPLE.COM: DrPig!
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 11:23:05 08/07/11 11:33:05 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/07/11 11:43:05, Flags: FDdiRIA
maxm@lx01:~$
[...9 Minuten warten...]
maxm@lx01:~$ kinit -v
kinit(v5): Ticket not yet valid while validating credentials
[...9 Minuten warten...]
maxm@lx01:~$ kinit -v
kinit(v5): Ticket not yet valid while validating credentials
[...9 Minuten warten...]
maxm@lx01:~$ kinit -v
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 11:30:07 08/07/11 11:33:05 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/07/11 11:43:05, Flags: FDdRIAT
maxm@lx01:~$
root@lx01.mydom.mit:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@MYDOM.MIT.EXAMPLE.COM
08/07/11 11:47:43 08/07/11 21:47:41 krbtgt/MYDOM.MIT.EXAMPLE.COM@MYDOM.MIT.EXAMPLE.COM
renew until 08/14/11 11:47:41, Flags: FRIA
08/07/11 11:47:47 08/07/11 21:47:41 krbtgt/MIT.EXAMPLE.COM@MYDOM.MIT.EXAMPLE.COM
renew until 08/14/11 11:47:41, Flags: FRAT
08/07/11 11:47:40 08/07/11 21:47:41 krbtgt/EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 08/14/11 11:47:41, Flags: FRAT
08/07/11 11:47:44 08/07/11 21:47:41 krbtgt/H5L.EXAMPLE.COM@EXAMPLE.COM
renew until 08/14/11 11:47:41, Flags: FRAT
08/07/11 11:47:47 08/07/11 21:47:41 krbtgt/OTHERDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
renew until 08/14/11 11:47:41, Flags: FRAT
08/07/11 11:47:47 08/07/11 21:47:41 host/kdc01.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM
renew until 08/14/11 11:47:41, Flags: FRAT
root@lx01.mydom.mit:~#
zone "example.com" in {
type master;
file "/etc/bind/example.com";
};
zone "100.168.192.in-addr.arpa" in {
type master;
file "/etc/bind/192.168.100";
};
$ORIGIN .
$TTL 172800 ; 2 days
example.com IN SOA kdc01.example.com root.kdc01.example.com. (
2000000000 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS kdc01.example.com.
A 192.168.100.102
MX 10 kdc01.example.com.
kdc01.example.com. A 192.168.100.102
kdc02.example.com. A 192.168.100.106
lx01.example.com. A 192.168.100.109
lx02.example.com. A 192.168.100.110
$ORIGIN .
$TTL 86400 ; 1 day
100.168.192.in-addr.arpa IN SOA kdc01.example.com. root.kdc01.example.com. (
2000000000 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS kdc01.example.com.
102.100.168.192.in-addr.arpa. PTR kdc01.example.com.
106.100.168.192.in-addr.arpa. PTR kdc02.example.com.
109.100.168.192.in-addr.arpa. PTR lx01.example.com.
110.100.168.192.in-addr.arpa. PTR lx02.example.com.
search example.com
nameserver 192.168.100.102
root@kdc01:~# host kdc01.example.com
kdc01.example.com has address 192.168.100.102
root@kdc01:~# host 192.168.100.102
102.100.168.192.in-addr.arpa domain name pointer kdc01.example.com.
root@kdc01:~#
root@kdc01:~# mkdir /etc/ssl/CA
root@kdc01:~# mkdir -p /etc/ssl/CA/demoCA/newcerts
root@kdc01:~# touch /etc/ssl/CA/demoCA/index.txt
root@kdc01:~# echo 03 > /etc/ssl/CA/demoCA/serial
root@kdc01:~# cd /etc/ssl/CA
root@kdc01:/etc/ssl/CA# openssl req -x509 -newkey rsa:2048 -days 9999 -out /etc/ssl/CA/CAcert.pem -keyout /etc/ssl/CA/CAprivkey.pem -nodes
Generating a 2048 bit RSA private key
.........+++
..+++
writing new private key to '/etc/ssl/CA/CAprivkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:EXAMPLE.COM Root CA
Email Address []:maxm@example.com
root@kdc01:/etc/ssl/CA#
root@kdc01:~# mkdir /etc/ldap
root@kdc01:~# openssl req -new -newkey rsa:2048 -out /etc/ldap/req.pem -keyout /etc/ldap/privkey.pem -nodes
Generating a 2048 bit RSA private key
...........................+++
..+++
writing new private key to '/etc/ldap/privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:EXAMPLE
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:kdc01.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@kdc01:~# chmod 400 /etc/ldap/privkey.pem
root@kdc01:~# cp /etc/ldap/req.pem /etc/ssl/CA/kdc01-req.pem
root@kdc01:~# cd /etc/ssl/CA
root@kdc01:/etc/ssl/CA# openssl ca -in kdc01-req.pem -out kdc01-cert.pem -keyfile /etc/ssl/CA/CAprivkey.pem -cert /etc/ssl/CA/CAcert.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Apr 17 14:47:58 2011 GMT
Not After : Apr 17 14:47:58 2012 GMT
Subject:
countryName = DE
stateOrProvinceName = Some-State
organizationName = EXAMPLE
commonName = kdc01.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6B:2A:D2:32:70:78:48:A6:DB:7E:9D:7B:4F:EF:F7:39:DB:D6:48:4F
X509v3 Authority Key Identifier:
keyid:64:76:6B:49:B6:50:24:29:B9:87:99:C5:17:DE:D2:FF:F3:1D:2C:7A
Certificate is to be certified until Apr 18 14:47:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@kdc01:/etc/ssl/CA#
root@kdc01:/etc/ssl/CA# cp kdc01-cert.pem /etc/ldap/cert.pem
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root@kdc01:~#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_bdb
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq
olcDbconfig: set_cachesize 0 2097152 0
olcDbconfig: set_lk_max_objects 1500
olcDbconfig: set_lk_max_locks 1500
olcDbconfig: set_lk_max_lockers 1500
olcAccess: to attrs=userPassword,shadowLastChange
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
by anonymous auth
by self write
by * none
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,
member,memberUid,objectClass,ou,sn,uid,uidNumber,uniqueMember,entry
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by users read
by anonymous auth
by * none
olcAccess: to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
by * none
root@kdc01:~# slappasswd
New password: DrPig!
Re-enter new password: DrPig!
{SSHA}vfXMCc+VdjBrVlQkppA/D0PMDtbDTR4P
root@kdc01:~#
dn: dc=example,dc=com
objectClass: domain
dc: example
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword: {SSHA}vfXMCc+VdjBrVlQkppA/D0PMDtbDTR4P
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
dn: cn=LDAP Read Write,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
dn: cn=LDAP Read Only,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com
root@kdc01:~# ldapsearch -x -LLL -H ldap://kdc01.example.com -b dc=example,dc=com -D cn=admin,dc=example,dc=com -W '(cn=admin)'
Enter LDAP Password: DrPig!
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9dmZYTUNjK1ZkakJyVmxRa3BwQS9EMFBNRHRiRFRSNFA=
root@kdc01:~#
URI ldap://kdc01.example.com
BASE dc=example,dc=com
[...]
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
[...]
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/CAcert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/privkey.pem
-
add: olcSecurity
olcSecurity: ssf=128
-
add: olcLocalSSF
olcLocalSSF: 128
URI ldaps://kdc01.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ldap/CAcert.pem
TLS_REQCERT demand
kdc01:~# aptitude install krb5-user krb5-doc krb5-kdc krb5-admin-server
[...]
kdc01:~# /etc/init.d/krb5-kdc stop
kdc01:~# /etc/init.d/krb5-admin-server stop
kdc01:~# mv /etc/krb5kdc/kdc.conf /etc/krb5kdc/kdc.conf.BACKUP
kdc01:~# mv /etc/krb5.conf /etc/krb5.conf.BACKUP
root@kdc01:~# pwgen -snc 25 1
KEnfGfVU1LKQoZrKSBF65yfVN
root@kdc01:~#
[kdcdefaults]
Parameter-1 = Wert-1
...
[realms]
Realm_A = {
Realm_A-Parameter-1 = Wert-1
Realm_A-Parameter-2 = Wert-2
...
}
Realm_B = {
Realm_B-Parameter-1 = Wert-1
Realm_B-Parameter-2 = Wert-2
...
}
...
[logging]
kdc = Log-Datei
admin_server = Log-Datei
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
# Kerberos 4 compatibility stays switched off; nothing on this page uses it.
v4_mode = disable
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
acl_file = /etc/krb5kdc/kadm5.acl
#key_stash_file = /etc/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
# arcfour-hmac and des3-hmac-sha1 are legacy enctypes kept for compatibility;
# every principal created under this realm gets a key of each listed type
# (compare the three ktadd entries for host/lx01.example.com further down).
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
# New principals require pre-authentication unless a later modify_principal clears it.
default_principal_flags = +preauth
}
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
kdc01:~# kdb5_util -r EXAMPLE.COM create
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Re-enter KDC database master key to verify: KEnfGfVU1LKQoZrKSBF65yfVN
kdc01:~#
kdc01:~# kadmin.local -m -r EXAMPLE.COM
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: quit
kdc01:~#
kdc01:~# kadmin.local -m -r EXAMPLE.COM
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kadmin.local: addprinc user
WARNING: no policy specified for user@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user@EXAMPLE.COM": DrPig!
Re-enter password for principal "user@EXAMPLE.COM": DrPig!
Principal "user@EXAMPLE.COM" created.
kadmin.local: addprinc user/admin
WARNING: no policy specified for user/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user/admin@EXAMPLE.COM": DrPig!
Re-enter password for principal "user/admin@EXAMPLE.COM": DrPig!
Principal "user/admin@EXAMPLE.COM" created.
kadmin.local: quit
kdc01:~#
kdc01:~# kdb5_util -r EXAMPLE.COM stash
kdb5_util: Cannot find/read stored master key while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kdc01:~#
# Automatically generated. Only the value of DAEMON_ARGS will be
# preserved. If you change anything in this file other than
# DAEMON_ARGS, first run dpkg-reconfigure krb5-kdc and disable
# managing the KDC configuration with debconf. Otherwise,
# changes will be overwritten.
DAEMON_ARGS="-r EXAMPLE.COM"
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
admin_server = kdc01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
root@lx01:~# kinit user@EXAMPLE.COM
Password for user@EXAMPLE.COM: DrPig!
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 11:51:34 08/07/11 21:51:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/08/11 11:51:29
root@lx01:~#
# Kommentarzeile
Principal Zugriffsmaske [Zugriffsziel]
Principal Zugriffsmaske [Zugriffsziel]
[...]
# Vollzugriff fuer jeden */admin Principal aus der EXAMPLE.COM:
*/admin@EXAMPLE.COM *
# Automatically generated. If you change anything in this file
# other than the values of RUN_KADMIND or DAEMON_ARGS, first run
# dpkg-reconfigure krb5-admin-server and disable managing the
# kadmin configuration with debconf. Otherwise, changes will be
# overwritten.
RUN_KADMIND=true
DAEMON_ARGS="-r EXAMPLE.COM"
lx01:~# kadmin -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: DrPig!
kadmin: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/www.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user/admin@EXAMPLE.COM
user@EXAMPLE.COM
kadmin: quit
lx01:~#
lx01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: DrPig!
kadmin: add_policy -maxlife 30days -minlife 1day -minlength 10 -minclasses 3 -history 10 admin
kadmin: add_policy -maxlife 180days -minlife 1day -minlength 6 -minclasses 2 -history 10 default
kadmin: list_policies
admin
default
kadmin:
kadmin: get_policy admin
Policy: admin
Maximum password life: 2592000
Minimum password life: 86400
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 10
Reference count: 0
kadmin: get_policy default
Policy: default
Maximum password life: 15552000
Minimum password life: 86400
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 10
Reference count: 0
kadmin: quit
lx01:~#
lx01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: DrPig!
kadmin: modify_principal -policy default user
Principal "user@EXAMPLE.COM" modified.
kadmin: modify_principal -policy admin user/admin
Principal "user/admin@EXAMPLE.COM" modified.
kadmin: modify_principal -allow_svr user
Principal "user@EXAMPLE.COM" modified.
kadmin: modify_principal -allow_svr user/admin
Principal "user/admin@EXAMPLE.COM" modified.
[...]
[...]
kadmin.local: add_principal -policy default -pw Start123 maxm
Principal "maxm@EXAMPLE.COM" created.
kadmin.local: add_principal -policy default -pw Start123 erim
Principal "erim@EXAMPLE.COM" created.
kadmin.local: add_principal -policy admin -pw Start12345 maxm/admin
Principal "maxm/admin@EXAMPLE.COM" created.
kadmin.local: modify_principal -allow_svr +needchange maxm
Principal "maxm@EXAMPLE.COM" modified.
kadmin.local: modify_principal -allow_svr +needchange erim
Principal "erim@EXAMPLE.COM" modified.
kadmin.local: modify_principal -allow_svr +needchange maxm/admin
Principal "maxm/admin@EXAMPLE.COM" modified.
[...]
lx01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: Start123
Password expired. You must change it now.
Enter new password: DrPig!
Enter it again: DrPig!
lx01:~#
[...]
kadmin: add_principal -clearpolicy -randkey +requires_preauth host/lx01.example.com
Principal "host/lx01.example.com@EXAMPLE.COM" created.
[...]
[...]
kadmin: ktadd -k /etc/krb5.keytab host/lx01.example.com
Entry for principal host/lx01.example.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
kadmin:
kadmin: quit
lx01:~#
lx01:~# kadmin -k -t /etc/krb5.keytab -q 'ktadd -k /etc/krb5.keytab host/lx01.example.com@EXAMPLE.COM'
Authenticating as principal host/lx01.example.com@EXAMPLE.COM with keytab /etc/krb5.keytab.
kadmin: Operation requires ``change-password'' privilege while changing /etc/krb5.keytab's key
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
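#!/bin/sh
# Rotate the keys in the host keytab: back the file up, drop entries older
# than the current kvno, then request fresh keys from the KDC.
# Runs as root. The backup is taken first so the previous keys stay
# available if either k5srvutil step fails half-way.
set -eu

KEYTAB=/etc/krb5.keytab

# Do not touch the keytab at all when the backup could not be written.
/bin/cp -f -- "$KEYTAB" "$KEYTAB.BAK" || {
  printf '%s: backup of %s failed\n' "$0" "$KEYTAB" >&2
  exit 1
}
# delete old keys (entries with a kvno below the current one):
/usr/bin/k5srvutil -f "$KEYTAB" delold
# change keys (new kvno; with set -e a failure here ends the script non-zero):
/usr/bin/k5srvutil -f "$KEYTAB" change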
root@lx01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: DrPig!
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: DrPig!
root@lx01:~# kinit
Password for erim@EXAMPLE.COM: DrPig!
root@lx01:~#
root@lx01:~# klist -f -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 11:51:34 08/07/11 21:51:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/08/11 11:51:29, Flags: RIA
Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
root@lx01:~#
root@lx01:~# klist -k -t -e -K
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 08/06/11 11:15:10 host/lx01.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xb92a7a7c50a09cf2a07c4b8c7bfacb739cde2e2da826ff64a2840b18aa0c35e2)
2 08/06/11 11:15:10 host/lx01.example.com@EXAMPLE.COM (ArcFour with HMAC/md5) (0xd49ff61f216b6a550898293fad903669)
2 08/06/11 11:15:10 host/lx01.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1) (0x5b347583f210e9f4adf2868a2c6b542cb50154408ca8e94f)
root@lx01:~#
root@lx01:~# kinit -k host/lx01.example.com@EXAMPLE.COM
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/lx01.example.com@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 11:55:46 08/07/11 21:55:46 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/08/11 11:55:43
root@lx01:~#
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: DrPig!
root@lx01:~# kvno host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 2
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 13:38:37 08/07/11 23:38:37 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/08/11 13:38:36
08/07/11 13:38:49 08/07/11 23:38:37 host/lx01.example.com@EXAMPLE.COM
renew until 08/08/11 13:38:36
root@lx01:~#
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: DrPig!
root@lx01:~# kvno -e aes256-cts host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 2
root@lx01:~# kvno -e arcfour-hmac host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 2
root@lx01:~# kvno -e des-cbc-md5 host/lx01.example.com
kvno: No credentials found with supported encryption types while getting credentials for host/lx01.example.com@EXAMPLE.COM
root@lx01:~# kvno -k /etc/krb5.keytab host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx01:~#
root@lx01:~# kpasswd maxm
Password for maxm@EXAMPLE.COM: DrPig!
Enter new password: Geheim123
Enter it again: Geheim123
Password changed.
root@lx01:~#
root@lx01:~# kdestroy
root@lx01:~#
root@lx01:~# k5start -b -u host/lx01.example.com -k /var/cache/krb5cc/krb5cc_nslcd -f /etc/krb5.keytab -g nslcd -o nslcd -K 1
root@lx01:~#
root@lx01:~# k5start -u host/lx01.example.com -k /var/cache/krb5cc/krb5cc_nslcd -f /etc/krb5.keytab -g nslcd -o nslcd -H 240
root@lx01:~#
[Abschnitt-1]
Parameter-1 = Wert-1
Parameter-2 = Wert-2
...
[Abschnitt-2]
Parameter-3 = Wert-3
Parameter-4 = Wert-4
Unterabschnitt-A = {
Parameter-5 = Wert-5
Parameter-6 = Wert-6
...
}
Unterabschnitt-B = {
Parameter-7 = Wert-7
Parameter-8 = Wert-8
...
}
...
[Abschnitt-3]
...
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10 hours
renew_lifetime = 7 days
forwardable = true
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
EXAMPLE.COM = {
Parameter-1 = Wert-1
Parameter-2 = Wert-2
...
}
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com:88
kdc = kdc02.example.com:88
master-kdc = kdc01.example.com:88
admin_server = kdc01.example.com:749
kpasswd_server = kdc01.example.com:464
}
[realms]
EXAMPLE.COM = {
admin_server = kdc01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
server.test.example.com = EXAMPLE.COM
[appdefaults]
Anwendung-1 = {
Realm-A = {
Parameter-1 = Wert-1
Parameter-2 = Wert-2
...
}
Realm-B = {
Parameter-1 = Wert-3
Parameter-2 = Wert-4
...
}
}
Anwendung-2 = {
Parameter-1 = Wert-5
Parameter-2 = Wert-6
...
}
Realm-A = {
Parameter-1 = Wert-7
Parameter-2 = Wert-8
...
}
Realm-B = {
Parameter-1 = Wert-9
Parameter-2 = Wert-10
...
}
Parameter-1 = Wert-11
Parameter-2 = Wert-12
...
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10 hours
renew_lifetime = 7 days
forwardable = true
[realms]
EXAMPLE.COM = {
admin_server = kdc01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
EXAMPLE.COM = {
admin_server = kdc01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
[...]
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos-master._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos-master._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc01.example.com.
_kerberos.example.com TXT "EXAMPLE.COM"
root@kdc01:~# mkdir /var/lib/krb5kdc-backup
root@kdc01:~# chmod 700 /var/lib/krb5kdc-backup
0 3 * * * root /usr/sbin/kdb5_util dump "/var/lib/krb5kdc-backup/kdb-backup-$(date +\%Y-\%m-\%d)"
root@kdc02:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: DrPig!12345
kadmin:
kadmin: add_principal -clearpolicy -randkey +requires_preauth host/kdc02.example.com
Principal "host/kdc02.example.com@EXAMPLE.COM" created.
kadmin: ktadd -k /etc/krb5.keytab host/kdc02.example.com@EXAMPLE.COM
Entry for principal host/kdc02.example.com with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc02.example.com with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc02.example.com with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit
root@kdc02:~#
service krb_prop
{
type = UNLISTED
id = kprop
socket_type = stream
protocol = tcp
wait = no
user = root
port = 754
server = /usr/sbin/kpropd
}
root@kdc01:~# /usr/sbin/kprop -f /var/lib/krb5kdc/kdb_repldata kdc02
Database propagation to kdc02: SUCCEEDED
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
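#!/bin/sh
# Dump the KDC database and propagate the dump to every slave KDC.
# SLAVE_KDCS is a whitespace-separated list of hostnames; REPLDATA is the
# dump file kprop reads. Exit status is non-zero if the dump or any
# propagation failed.
set -u

SLAVE_KDCS="kdc02.example.com"
REPLDATA="/var/lib/krb5kdc/kdb_repldata"

# Without a fresh dump, kprop would ship whatever an earlier run left behind.
/usr/sbin/kdb5_util dump "$REPLDATA" || {
  printf '%s: kdb5_util dump of %s failed\n' "$0" "$REPLDATA" >&2
  exit 1
}

# Try every slave even if one of them fails; remember the failure for the exit code.
status=0
# shellcheck disable=SC2086 -- word splitting of the host list is intended
for slave in $SLAVE_KDCS; do
  /usr/sbin/kprop -f "$REPLDATA" "$slave" || status=1
done
exit "$status"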
root@kdc01:~# zcat /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > kerberos.schema
root@kdc01:~# echo 'include kerberos.schema' > slapd.conf
root@kdc01:~# mkdir slapd.conf.d
root@kdc01:~# slaptest -f slapd.conf -F slapd.conf.d
root@kdc01:~# cp 'slapd.conf.d/cn=config/cn=schema/cn={0}kerberos.ldif' kerberos.ldif
dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1
NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1
NAME 'krbCanonicalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
[...]
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1
NAME 'krbTicketPolicyAux'
SUP top
AUXILIARY
MAY ( krbTicketFlags $ krbMaxTicketLife $
krbMaxRenewableAge ) )
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1
NAME 'krbTicketPolicy'
SUP top STRUCTURAL MUST cn )
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq
olcDbIndex: krbPwdPolicyReference eq
root@kdc01:~# pwgen -snc 25 1
YCbi3gQH0MjkpGFVUCjS25Yto
root@kdc01:~# pwgen -snc 25 1
5OGr6m0d5baeyXlul8LmOEy0B
root@kdc01:~#
root@kdc01:~# slappasswd
New password: YCbi3gQH0MjkpGFVUCjS25Yto
Re-enter new password: YCbi3gQH0MjkpGFVUCjS25Yto
{SSHA}7OsLLHcxnmYS4CwSaqJchVtL/SZw6y3s
root@kdc01:~# slappasswd
New password: 5OGr6m0d5baeyXlul8LmOEy0B
Re-enter new password: 5OGr6m0d5baeyXlul8LmOEy0B
{SSHA}pVEPrntpmJlU2vLYgsX6/HbnSZehl8bG
root@kdc01:~#
dn: ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalUnit
ou: mit-kerberos
dn: cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kdc
userPassword: {SSHA}7OsLLHcxnmYS4CwSaqJchVtL/SZw6y3s
dn: cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kadmind
userPassword: {SSHA}pVEPrntpmJlU2vLYgsX6/HbnSZehl8bG
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=mit-kdc,ou=mit-kerberos,dc=mit,dc=example,dc=com" size=unlimited
olcLimits: dn.exact="cn=mit-kadmind,ou=mit-kerberos,dc=mit,dc=example,dc=com" size=unlimited
Achtung: Der String dc=mit ist hier fälschlicherweise enthalten.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com" size=unlimited
olcLimits: dn.exact="cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com" size=unlimited
dn: cn=LDAP Read Write,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com
member: cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
# Kerberos 4 compatibility stays switched off; nothing on this page uses it.
v4_mode = disable
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
acl_file = /etc/krb5kdc/kadm5.acl
#key_stash_file = /etc/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
# arcfour-hmac and des3-hmac-sha1 are legacy enctypes kept for compatibility;
# every principal created under this realm gets a key of each listed type.
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
# New principals require pre-authentication unless a later modify_principal clears it.
default_principal_flags = +preauth
# Principals live in LDAP from here on; the module is defined in [dbmodules] below.
database_module = openldap_ldapconf
}
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "ou=mit-kerberos,dc=example,dc=com"
# Bind DNs used by the KDC and by kadmind; both are members of the
# "LDAP Read Write" group, so they can write principal entries.
ldap_kdc_dn = "cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com"
ldap_kadmind_dn = "cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com"
# Holds the bind passwords stored with kdb5_ldap_util stashsrvpw; it grants
# write access to every principal's keys, so it must stay readable by root only.
ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
# Local UNIX socket: the bind credentials never leave the host.
ldap_servers = "ldapi:///"
ldap_conns_per_server = 5
}
root@kdc01:~# KRB5_CONFIG=/etc/krb5kdc/kdc.conf
root@kdc01:~# export KRB5_CONFIG
root@kdc01:~# kdb5_ldap_util create -D cn=admin,dc=example,dc=com -r EXAMPLE.COM -s -sscope sub
Password for "cn=admin,dc=example,dc=com": DrPig!
Initializing database for realm 'EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Re-enter KDC database master key to verify: KEnfGfVU1LKQoZrKSBF65yfVN
root@kdc01:~# unset KRB5_CONFIG
root@kdc01:~#
root@kdc01:~# KRB5_CONFIG=/etc/krb5kdc/kdc.conf
root@kdc01:~# export KRB5_CONFIG
root@kdc01:~# kdb5_ldap_util stashsrvpw -D cn=admin,dc=example,dc=com -f /etc/krb5kdc/service.keyfile cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com
Password for "cn=admin,dc=example,dc=com": DrPig!
Password for "cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com": YCbi3gQH0MjkpGFVUCjS25Yto
Re-enter password for "cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com": YCbi3gQH0MjkpGFVUCjS25Yto
root@kdc01:~# kdb5_ldap_util stashsrvpw -D cn=admin,dc=example,dc=com -f /etc/krb5kdc/service.keyfile cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com
Password for "cn=admin,dc=example,dc=com": DrPig!
Password for "cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com": 5OGr6m0d5baeyXlul8LmOEy0B
Re-enter password for "cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com": 5OGr6m0d5baeyXlul8LmOEy0B
root@kdc01:~# unset KRB5_CONFIG
root@kdc01:~#
root@kdc01:~# kdb5_util -update load example.com.dump
root@kdc01:~# kadmin.local -q listprincs
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
erim@EXAMPLE.COM
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
host/lx01.example.com@EXAMPLE.COM
maxm/admin@EXAMPLE.COM
maxm@EXAMPLE.COM
user/admin@EXAMPLE.COM
user@EXAMPLE.COM
kadmin.local: list_policies
admin
default
kadmin.local: quit
root@kdc01:~#
root@kdc01:~# /etc/init.d/krb5-kdc start
* Starting Kerberos KDC krb5kdc [ OK ]
root@kdc01:~# /etc/init.d/krb5-admin-server start
* Starting Kerberos administrative servers kadmind [ OK ]
root@kdc01:~#
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: DrPig!
root@kdc01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/15/10 12:30:15 08/15/10 22:30:15 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/16/10 12:30:11
root@kdc01:~#
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
cn: Max Mustermann
sn: Mustermann
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
objectClass: person
cn: Erika Musterfrau
sn: Musterfrau
root@kdc01:~# KRB5_CONFIG=/etc/krb5kdc/kdc.conf
root@kdc01:~# export KRB5_CONFIG
root@kdc01:~# kdb5_ldap_util modify -D cn=admin,dc=example,dc=com -r EXAMPLE.COM -subtrees ou=people,dc=example,dc=com
Password for "cn=admin,dc=example,dc=com": DrPig!
root@kdc01:~# /etc/init.d/krb5-kdc restart
* Restarting Kerberos KDC krb5kdc [ OK ]
root@kdc01:~# /etc/init.d/krb5-admin-server restart
* Restarting Kerberos administrative servers kadmind
root@kdc01:~# unset KRB5_CONFIG
root@kdc01:~#
root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: DrPig!1234
kadmin: delete_principal -force maxm@EXAMPLE.COM
Principal "maxm@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: add_principal -x dn="cn=Max Mustermann,ou=people,dc=example,dc=com" -policy default -pw Start123 maxm
Principal "maxm@EXAMPLE.COM" created.
kadmin: modify_principal -allow_svr +needchange maxm
Principal "maxm@EXAMPLE.COM" modified.
kadmin: quit
root@kdc01:~#
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: Max Mustermann
sn: Mustermann
krbPrincipalName: maxm@EXAMPLE.COM
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,ou=mit-kerberos,dc=example,dc
=com
krbTicketFlags: 4224
krbPrincipalKey:: MIIBBKADAgEBoQMCAQGiAwIBAqMDAgEBpIHtMIHqMFSgBzAFoAMCAQChSTBH
oAMCARKhQAQ+IAAwzifHz/BL1KK18ISESIU9HCy3v0WsG40Vahzn2y3Gv2G06l6KrCWP13dpIOesj
ebXNNMBA4IUUPKoAo8wRKAHMAWgAwIBAKE5MDegAwIBF6EwBC4QAG0euf3XEzFFoyb0JB6HdTaox+
MmcMHeVo2SoBBM0a4fljlvFCXZbyi/9oOtMEygBzAFoAMCAQChQTA/oAMCARChOAQ2GADhdMBZ0i/
xBU3RRZTs1MTvsLD/EHiuXi1l9X22ZXz/Naq3ztNF5wZDkyxpsfwkiR5WqijE
krbPasswordExpiration: 20120203190200Z
krbLastPwdChange: 20110807190200Z
krbLastSuccessfulAuth: 20110807190248Z
krbLoginFailedCount: 0
krbExtraData:: AAIxQIVMa2FkbWluZEBFWEFNUExFLkNPTQA=
krbExtraData:: AAgBAA==
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: mmuster@EXAMPLE.COM
krbPrincipalName: max@EXAMPLE.COM
krbPrincipalName: mustermann@EXAMPLE.COM
-
add: krbCanonicalName
krbCanonicalName: maxm@EXAMPLE.COM
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: olcOverlay=syncprov,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0x001 ldaps://kdc01.example.com
olcServerID: 0x002 ldaps://kdc02.example.com
root@kdc01:~# pwgen -snc 25 1
QN1P5FYSPJdjssmAOlTqnlW6e
root@kdc01:~# slappasswd
New password: QN1P5FYSPJdjssmAOlTqnlW6e
Re-enter new password: QN1P5FYSPJdjssmAOlTqnlW6e
{SSHA}wsVnMfiBWPTl+cPgw3fw5dn6UIPhFztV
root@kdc01:~#
root@kdc01:~# pwgen -snc 25 1
pVelwFC7uXzKcP3lU5JCbD4tm
root@kdc01:~# slappasswd
New password: pVelwFC7uXzKcP3lU5JCbD4tm
Re-enter new password: pVelwFC7uXzKcP3lU5JCbD4tm
{SSHA}5iMQh+KoSRCX6sRg5CvdqfBa4roY4bJC
root@kdc01:~#
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=dbroot,cn=config
-
add: olcRootPW
olcRootPW: {SSHA}wsVnMfiBWPTl+cPgw3fw5dn6UIPhFztV
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=dbroot,dc=example,dc=com
-
add: olcRootPW
olcRootPW: {SSHA}5iMQh+KoSRCX6sRg5CvdqfBa4roY4bJC
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldaps://kdc01.example.com
binddn="cn=dbroot,cn=config" bindmethod=simple
credentials=QN1P5FYSPJdjssmAOlTqnlW6e
searchbase="cn=config" type=refreshAndPersist
retry="5 +" timeout=1
olcSyncRepl: rid=002 provider=ldaps://kdc02.example.com
binddn="cn=dbroot,cn=config" bindmethod=simple
credentials=QN1P5FYSPJdjssmAOlTqnlW6e
searchbase="cn=config" type=refreshAndPersist
retry="5 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldaps://kdc01.example.com
binddn="cn=dbroot,dc=example,dc=com" bindmethod=simple
credentials=pVelwFC7uXzKcP3lU5JCbD4tm
searchbase="dc=example,dc=com" type=refreshAndPersist
interval=00:00:00:10 retry="5 +" timeout=1
olcSyncRepl: rid=004 provider=ldaps://kdc02.example.com
binddn="cn=dbroot,dc=example,dc=com" bindmethod=simple
credentials=pVelwFC7uXzKcP3lU5JCbD4tm
searchbase="dc=example,dc=com" type=refreshAndPersist
interval=00:00:00:10 retry="5 +" timeout=1
-
add: olcMirrorMode
olcMirrorMode: TRUE
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
root@kdc02:~# /etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
root@kdc02:~# mv /etc/ldap/slapd.d/ /etc/ldap/slapd.d.OLD/
root@kdc02:~# mkdir /etc/ldap/slapd.d/
root@kdc02:~# slapadd -F /etc/ldap/slapd.d/ -n 0 -l config.ldif
root@kdc02:~# chown -R openldap:openldap /etc/ldap/slapd.d/
root@kdc02:~# /etc/init.d/slapd start
Starting OpenLDAP: slapd.
root@kdc02:~#
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc02.example.com.
root@kdc01:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: DrPig!12345
kadmin: modpol -maxfailure 3 -lockoutduration 600 -failurecountinterval 60 default
kadmin: quit
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: secret
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: geheim
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: password
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
kinit: Clients credentials have been revoked while getting initial credentials
root@kdc01:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: DrPig!12345
kadmin: getprinc maxm
Principal: maxm@EXAMPLE.COM
Expiration date: [never]
Last password change: Sun Aug 07 21:02:00 CEST 2011
Password expiration date: Fri Feb 03 20:02:00 CET 2012
Maximum ticket life: 8 days 08:00:00
Maximum renewable life: 70 days 00:00:00
Last modified: Sun Aug 07 21:02:00 CEST 2011 (kadmind@EXAMPLE.COM)
Last successful authentication: Sun Aug 07 21:02:48 CEST 2011
Last failed authentication: Sun Aug 07 21:02:42 CEST 2011
Failed password attempts: 3
Number of keys: 3
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: default
kadmin: quit
root@kdc01:~# /etc/init.d/heimdal-kdc stop
Stopping Heimdal password server: kpasswdd.
Stopping Heimdal KDC: heimdal-kdc.
root@kdc01:~# rm /var/lib/heimdal-kdc/heimdal.db
root@kdc01:~# rm /var/lib/heimdal-kdc/log
root@kdc01:~# cd /etc/
root@kdc01:/etc# mv krb5.conf krb5.conf.BACKUP
root@kdc01:/etc# cd /etc/heimdal-kdc/
root@kdc01:/etc/heimdal-kdc# mv kdc.conf kdc.conf.BACKUP
[libdefaults]
default_realm = H5L.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10 hours
renew_lifetime = 7 days
forwardable = true
[realms]
H5L.EXAMPLE.COM = {
admin_server = kdc01.h5l.example.com
}
[domain_realm]
.h5l.example.com = H5L.EXAMPLE.COM
h5l.example.com = H5L.EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
[libdefaults]
default_realm = H5L.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
H5L.EXAMPLE.COM = {
admin_server = kdc01.h5l.example.com
}
[domain_realm]
.h5l.example.com = H5L.EXAMPLE.COM
h5l.example.com = H5L.EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
[kdc]
database = {
realm = H5L.EXAMPLE.COM
dbname = /var/lib/heimdal-kdc/heimdal
acl_file = /etc/heimdal-kdc/kadmind.acl
mkey_file = /etc/heimdal-kdc/m-key
}
require-preauth = true
ports = 88
enable-kerberos4 = false
[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
root@kdc01:~# pwgen -snc 25 1
T6MBognnJGT6c37bL6dIeqqJW
root@kdc01:~#
root@kdc01:~# kstash --key-file=/etc/heimdal-kdc/m-key --enctype=aes256-cts-hmac-sha1-96
Master key: T6MBognnJGT6c37bL6dIeqqJW
Verifying - Master key: T6MBognnJGT6c37bL6dIeqqJW
kstash: writing key to `/etc/heimdal-kdc/m-key'
root@kdc01:~#
root@kdc01:~# kadmin -l
kadmin> init H5L.EXAMPLE.COM
Realm max ticket life [unlimited]:10 hours
Realm max renewable ticket life [unlimited]:7 days
kadmin> quit
root@kdc01:~#
root@kdc01:~# kadmin -l
kadmin> list *
default
kadmin/admin
kadmin/hprop
kadmin/changepw
changepw/kerberos
krbtgt/H5L.EXAMPLE.COM
kadmin> quit
kadmin> add user
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user@H5L.EXAMPLE.COM's Password: DrPig!
Verifying - user@H5L.EXAMPLE.COM's Password: DrPig!
kadmin> add user/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user/admin@H5L.EXAMPLE.COM's Password: DrPig!
Verifying - user/admin@H5L.EXAMPLE.COM's Password: DrPig!
kadmin>
# Kommentarzeile
Principal Zugriffsmaske [Zugriffsziel]
Principal Zugriffsmaske [Zugriffsziel]
[...]
# Vollzugriff fuer user/admin aus der H5L.EXAMPLE.COM:
user/admin@H5L.EXAMPLE.COM all
root@kdc01:~# kadmin -p user/admin
kadmin> add --attributes=disallow-svr maxm
user/admin@H5L.EXAMPLE.COM's Password: DrPig!
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
maxm@H5L.EXAMPLE.COM's Password: Start123
Verifying - maxm@H5L.EXAMPLE.COM's Password: Start123
kadmin>
kadmin> add --random-key host/lx01.h5l.example.com
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:
kadmin>
kadmin> ext_keytab --keytab=/etc/krb5.keytab host/lx01.h5l.example.com
kadmin> quit
[...]
[kadmin]
...
password_lifetime = 30 days
[password_quality]
policies = builtin:minimum-length builtin:character-class
min_length = 6
min_classes = 3
root@kdc02:~# kadmin -p user/admin
kadmin> add --random-key hprop/kdc02.h5l.example.com
user/admin@H5L.EXAMPLE.COM's Password: DrPig!
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin>
kadmin> ext_keytab --keytab=/etc/krb5.keytab hprop/kdc02.h5l.example.com
kadmin> quit
root@kdc02:~#
[...]
krb_prop stream tcp nowait root /usr/sbin/tcpd /usr/sbin/hpropd
[...]
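#!/bin/sh
# kdc_repl: push the Heimdal KDC database from this master KDC to every
# slave KDC listed in SLAVE_KDCS using hprop.  Meant to be run from cron.
#
# SLAVE_KDCS is a whitespace-separated list of slave host names; the
# unquoted expansion in the for loop splits it on purpose.
#
# Exit status: 0 when every hprop run succeeded, 1 when at least one slave
# could not be propagated (each failure is reported on stderr so cron mail
# shows which slave is out of date).  POSIX sh only - no bashisms.
set -eu

SLAVE_KDCS="kdc02.h5l.example.com"

status=0
for slave in $SLAVE_KDCS; do
  # Do not abort on the first failing slave: the remaining slaves should
  # still receive the current database.
  if ! /usr/sbin/hprop "$slave"; then
    printf 'kdc_repl: hprop to %s failed\n' "$slave" >&2
    status=1
  fi
done
exit "$status"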
# KDC replication
0,20,40 * * * * root /etc/heimdal-kdc/kdc_repl
root@kdc01:~# echo 'include /etc/ldap/schema/hdb.schema' > slapd.conf
root@kdc01:~# mkdir slapd.conf.d
root@kdc01:~# slaptest -f slapd.conf -F slapd.conf.d
config file testing succeeded
root@kdc01:~# cp slapd.conf.d/cn\=config/cn\=schema/cn\=\{0\}hdb.ldif hdb.ldif
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krb5PrincipalName eq
olcDbIndex: cn eq
olcDbIndex: uid eq
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited
dn: ou=heimdal,dc=h5l,dc=example,dc=com
objectClass: organizationalUnit
ou: heimdal
database = {
[...]
#dbname = /var/lib/heimdal-kdc/heimdal
dbname = ldap:dc=h5l,dc=example,dc=com
[...]
}
hdb-ldap-create-base = ou=heimdal,dc=h5l,dc=example,dc=com
C:\> dcpromo.exe /unattend /ReplicaOrNewDomain:Domain /NewDomain:Forest /NewDomainDNSName:ADS.EXAMPLE.COM /DomainNetBiosName:ADS /ForestLevel:4 /DomainLevel:4 /SafeModeAdminPassword:cZi8NsK6PuptzA2DIMPF /InstallDNS:yes /RebootOnCompletion:yes
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=ADS.EXAMPLE.COM
DomainNetbiosName=ADS
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=cZi8NsK6PuptzA2DIMPF
RebootOnCompletion=Yes
[libdefaults]
default_realm = ADS.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10 hours
renew_lifetime = 7 days
forwardable = true
[realms]
ADS.EXAMPLE.COM = {
kpasswd_server = kdc01.ads.example.com
}
[domain_realm]
.ads.example.com = ADS.EXAMPLE.COM
ads.example.com = ADS.EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
[libdefaults]
default_realm = ADS.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
ADS.EXAMPLE.COM = {
kpasswd_server = kdc01.ads.example.com
}
[domain_realm]
.ads.example.com = ADS.EXAMPLE.COM
ads.example.com = ADS.EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
root@lx01.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: DrPig!
root@lx01.ads:~# kvno host/kdc01.ads.example.com
host/kdc01.ads.example.com@ADS.EXAMPLE.COM: kvno = 3
root@lx01.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@ADS.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 12:08:29 08/07/11 22:08:26 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 08/14/11 12:08:29
08/07/11 12:08:33 08/07/11 22:08:26 host/kdc01.ads.example.com@ADS.EXAMPLE.COM
renew until 08/14/11 12:08:29
root@lx01.ads:~#
C:\Users\Administrator>dcpromo.exe /unattend /ReplicaOrNewDomain:Replica /ReplicaDomainDNSName:ADS.EXAMPLE.COM /SafeModeAdminPassword:cZi8NsK6PuptzA2DIMPF /RebootOnCompletion:yes /UserDomain:ADS.EXAMPLE.COM /UserName:Administrator /Password:DrPig!
C:\Users\Administrator>setspn.exe -R LX01$
Dienstprinzipalnamen (SPN) für CN=lx01,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM wer
den registriert.
HOST/lx01.ADS.EXAMPLE.COM
HOST/lx01
Aktualisiertes Objekt
C:\Users\Administrator>
root@lx01.ads:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@ADS.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 12:08:29 08/07/11 22:08:26 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 08/14/11 12:08:29, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
08/07/11 12:08:33 08/07/11 22:08:26 host/lx01.ads.example.com@ADS.EXAMPLE.COM
renew until 08/14/11 12:08:29, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
root@lx01.ads:~#
C:\Users\Administrator>ktpass.exe /out lx01.keytab /mapuser LX01$@ADS.EXAMPLE.COM /princ host/lx01.ads.example.com@ADS.EXAMPLE.COM /rndPass /crypto AES256-SHA1 /ptype KRB5_NT_SRV_HST
Targeting domain controller: kdc01.ADS.EXAMPLE.COM
Using legacy password setting method
Successfully mapped host/lx01.ads.example.com to LX01$.
WARNING: Account LX01$ is not a user account (uacflags=0x1021).
WARNING: Resetting LX01$'s password may cause authentication problems if LX01$ i
s being used as a server.
Reset LX01$'s password [y/n]? y
Key created.
Output keytab to lx01.keytab:
Keytab version: 0x502
keysize 92 host/lx01.ads.example.com@ADS.EXAMPLE.COM ptype 3 (KRB5_NT_SRV_HST) v
no 3 etype 0x12 (AES256-SHA1) keylength 32 (0x74c33c6ef31d30186c235ec193d84501a2
91f18537184204037d7c8038d540a6)
C:\Users\Administrator>
C:\>
root@lx01:~# kinit -k host/lx01.ads.example.com
root@lx01:~# kvno -k /etc/krb5.keytab host/lx01.ads.example.com
host/lx01.ads.example.com@ADS.EXAMPLE.COM: kvno = 3, keytab entry valid
root@lx01:~#
root@lx01.ads:~# ldapsearch -LLL -h kdc01.ads.example.com -b dc=ads,dc=example,dc=com cn="Max Mustermann" objectClass cn sn givenName displayName samaccountname userPrincipalName unicodePwd msDS-KeyVersionNumber
SASL/GSSAPI authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: CN=Max Mustermann,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Max Mustermann
sn: Mustermann
givenName: Max
displayName: Max Mustermann
sAMAccountName: maxm
userPrincipalName: maxm@ADS.EXAMPLE.COM
msDS-KeyVersionNumber: 2
# refldap://OTHERDOM.ADS.EXAMPLE.COM/DC=OTHERDOM,DC=ADS,DC=EXAMPLE,DC=COM
# refldap://MYDOM.ADS.EXAMPLE.COM/DC=MYDOM,DC=ADS,DC=EXAMPLE,DC=COM
# refldap://ADS.EXAMPLE.COM/CN=Configuration,DC=ADS,DC=EXAMPLE,DC=COM
root@lx01.ads:~#
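#!/usr/bin/env python
"""Print an Active Directory ``unicodePwd`` attribute line for use in LDIF.

AD stores a password in ``unicodePwd`` as the password wrapped in double
quotes and encoded as UTF-16LE; LDIF carries such binary values base64
encoded after ``::``.

Usage: ``ad_unicodepwd <password>``

Output: one line ``unicodePwd:: <base64>`` on stdout.
Exit status: 0 on success, 2 when the argument count is wrong (the usage
message goes to stderr so it cannot be mistaken for LDIF).

Note: the password is taken from argv, so it is visible to other users in
the process list while the script runs and may end up in the shell history.

Works on both Python 2 and Python 3.
"""
import base64
import sys


def ad_unicode_pwd(password):
    """Return the base64 text AD expects in ``unicodePwd`` for *password*.

    *password* may be a text string or (Python 2) a byte string, which is
    decoded as UTF-8 so non-ASCII passwords are encoded correctly instead of
    tripping over the implicit ASCII decode the old one-liner relied on.
    The result is a native ``str`` without a trailing newline.
    """
    if isinstance(password, bytes):
        # Python 2 passes argv as byte strings.
        password = password.decode('utf-8')
    quoted = u'"' + password + u'"'  # AD requires the surrounding quotes
    encoded = base64.b64encode(quoted.encode('utf-16-le'))
    return encoded.decode('ascii')


def main(argv):
    """Command-line entry point; returns the process exit status."""
    if len(argv) != 2:
        sys.stderr.write('usage: ' + argv[0] + ' password\n')
        return 2
    sys.stdout.write('unicodePwd:: ' + ad_unicode_pwd(argv[1]) + '\n')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))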
root@lx01:~# ./ad_unicodepwd DrPig!
unicodePwd:: IgBEAHIAUABpAGcAIQAiAA==
root@lx01:~#
dn: CN=Erika Musterfrau,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Erika Musterfrau
sn: Musterfrau
givenName: Erika
instanceType: 4
displayName: Erika Musterfrau
name: Erika Musterfrau
userAccountControl: 512
sAMAccountName: erim
userPrincipalName: erim@ADS.EXAMPLE.COM
unicodePwd:: IgBEAHIAUABpAGcAIQAiAA==
pwdLastSet: 0
root@lx01:~# pwgen -snc 25 1
hNJvEb2V50YZ7PAstqQQwJah5
root@lx01:~# ./ad_unicodepwd hNJvEb2V50YZ7PAstqQQwJah5
unicodePwd:: IgBoAE4ASgB2AEUAYgAyAFYANQAwAFkAWgA3AFAAQQBzAHQAcQBRAFEAdwBKAGEAaAA1ACIA
root@lx01:~#
dn: CN=lx02,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: lx02
instanceType: 4
displayName: lx02$
name: lx02
userAccountControl: 4096
sAMAccountName: lx02$
unicodePwd:: IgBoAE4ASgB2AEUAYgAyAFYANQAwAFkAWgA3AFAAQQBzAHQAcQBRAFEAdwBKAGEAaAA1ACIA
userPrincipalName: host/lx02.ads.example.com@ADS.EXAMPLE.COM
msDS-SupportedEncryptionTypes: 24
dn: CN=lx02,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM
changetype: modify
add: servicePrincipalName
servicePrincipalName: host/lx02.ads.example.com
servicePrincipalName: host/lx02
root@lx02.ads:~# kinit Administrator
Password for Administrator@ADS.EXAMPLE.COM: DrPig!
root@lx02.ads:~# kvno host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 1
root@lx02.ads:~# ktutil
ktutil: addent -password -p host/lx02.ads.example.com -k 1 -e aes256-cts
Password for host/lx02.ads.example.com@ADS.EXAMPLE.COM: hNJvEb2V50YZ7PAstqQQwJah5
ktutil: wkt /etc/krb5.keytab
ktutil: quit
root@lx02.ads:~# kinit -kt /etc/krb5.keytab host/lx02.ads.example.com
root@lx02.ads:~# kvno -k /etc/krb5.keytab host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 1, keytab entry valid
root@lx02.ads:~#
[capaths]
MYDOM.MIT.EXAMPLE.COM = {
OTHERDOM.MIT.EXAMPLE.COM = MIT.EXAMPLE.COM
MIT.EXAMPLE.COM = .
}
OTHERDOM.MIT.EXAMPLE.COM = {
MYDOM.MIT.EXAMPLE.COM = MIT.EXAMPLE.COM
MIT.EXAMPLE.COM = .
}
MIT.EXAMPLE.COM = {
OTHERDOM.MIT.EXAMPLE.COM = .
MYDOM.MIT.EXAMPLE.COM = .
}
[capaths]
MYDOM.MIT.EXAMPLE.COM = {
OTHERDOM.H5L.EXAMPLE.COM = .
}
OTHERDOM.H5L.EXAMPLE.COM = {
MYDOM.MIT.EXAMPLE.COM = .
}
root@kdc01:~# pwgen -snc 40 1
Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
root@kdc01:~#
kadmin: addprinc -clearpolicy krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
Enter password for principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM": Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
Re-enter password for principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM": Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
Principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM" created.
root@kdc01.mit:~# kinit user@MIT.EXAMPLE.COM
Password for user@MIT.EXAMPLE.COM: DrPig!
root@kdc01:~# kvno host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM: kvno = 1
root@kdc01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MIT.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 21:12:20 08/08/11 07:12:21 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 08/14/11 21:12:21
08/07/11 21:12:28 08/08/11 07:12:21 krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 08/14/11 21:12:21
08/07/11 21:12:35 08/08/11 07:12:21 host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
renew until 08/14/11 21:12:21
root@kdc01.mit:~#
[capaths]
OTHERDOM.H5L.EXAMPLE.COM = {
MYDOM.H5L.EXAMPLE.COM = H5L.EXAMPLE.COM
}
MYDOM.H5L.EXAMPLE.COM = {
OTHERDOM.H5L.EXAMPLE.COM = H5L.EXAMPLE.COM
}
root@kdc01:~# pwgen -snc 40 1
SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
root@kdc01:~#
kadmin> add krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM's Password: SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
Verifying - krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM's Password: SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
root@kdc01.h5l:~# kinit user@H5L.EXAMPLE.COM
user@H5L.EXAMPLE.COM's Password: DrPig!
root@kdc01.h5l:~# kgetcred host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
root@kdc01.h5l:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user@H5L.EXAMPLE.COM
Issued Expires Principal
Aug 7 21:14:53 Aug 8 07:14:53 krbtgt/H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Aug 7 21:14:59 Aug 8 07:14:53 krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Aug 7 21:14:59 Aug 8 07:14:53 host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
root@kdc01.h5l:~#
C:\> dcpromo.exe /unattend /ReplicaOrNewDomain:Domain /NewDomain:Child /ChildName:MYDOM /DomainNetBiosName:MYDOM /ParentDomainDNSName:ADS.EXAMPLE.COM /ForestLevel:4 /DomainLevel:4 /SafeModeAdminPassword:cZi8NsK6PuptzA2DIMPF /InstallDNS:no /RebootOnCompletion:yes /userdomain:ADS.EXAMPLE.COM /username:Administrator /password:DrPig!
C:\> dcpromo.exe /unattend /ReplicaOrNewDomain:Domain /NewDomain:Child /ChildName:OTHERDOM /DomainNetBiosName:OTHERDOM /ParentDomainDNSName:ADS.EXAMPLE.COM /ForestLevel:4 /DomainLevel:4 /SafeModeAdminPassword:cZi8NsK6PuptzA2DIMPF /InstallDNS:no /RebootOnCompletion:yes /userdomain:ADS.EXAMPLE.COM /username:Administrator /password:DrPig!
root@lx01.mydom.ads:~# kinit user@MYDOM.ADS.EXAMPLE.COM
Password for user@MYDOM.ADS.EXAMPLE.COM: DrPig!
root@lx01.mydom.ads:~# kvno host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM
host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM: kvno = 2
root@lx01.mydom.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MYDOM.ADS.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 12:16:37 08/07/11 22:16:47 krbtgt/MYDOM.ADS.EXAMPLE.COM@MYDOM.ADS.EXAMPLE.COM
renew until 08/08/11 12:16:37
08/07/11 12:16:54 08/07/11 22:16:47 krbtgt/ADS.EXAMPLE.COM@MYDOM.ADS.EXAMPLE.COM
renew until 08/08/11 12:16:37
08/07/11 12:16:55 08/07/11 22:16:47 krbtgt/OTHERDOM.ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 08/08/11 12:16:37
08/07/11 12:17:08 08/07/11 22:16:47 host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM
renew until 08/08/11 12:16:37
root@lx01.mydom.ads:~#
[capaths]
H5L.EXAMPLE.COM = {
OTHERDOM.ADS.EXAMPLE.COM = EXAMPLE.COM ADS.EXAMPLE.COM
MYDOM.ADS.EXAMPLE.COM = EXAMPLE.COM ADS.EXAMPLE.COM
OTHERDOM.MIT.EXAMPLE.COM = EXAMPLE.COM MIT.EXAMPLE.COM
MYDOM.MIT.EXAMPLE.COM = EXAMPLE.COM MIT.EXAMPLE.COM
MIT.EXAMPLE.COM = EXAMPLE.COM
ADS.EXAMPLE.COM = EXAMPLE.COM
}
MYDOM.H5L.EXAMPLE.COM = {
OTHERDOM.ADS.EXAMPLE.COM = H5L.EXAMPLE.COM EXAMPLE.COM ADS.EXAMPLE.COM
MYDOM.ADS.EXAMPLE.COM = H5L.EXAMPLE.COM EXAMPLE.COM ADS.EXAMPLE.COM
OTHERDOM.MIT.EXAMPLE.COM = H5L.EXAMPLE.COM EXAMPLE.COM MIT.EXAMPLE.COM
MYDOM.MIT.EXAMPLE.COM = H5L.EXAMPLE.COM EXAMPLE.COM MIT.EXAMPLE.COM
OTHERDOM.H5L.EXAMPLE.COM = H5L.EXAMPLE.COM
ADS.EXAMPLE.COM = H5L.EXAMPLE.COM EXAMPLE.COM
MIT.EXAMPLE.COM = H5L.EXAMPLE.COM EXAMPLE.COM
EXAMPLE.COM = H5L.EXAMPLE.COM
}
[...]
root@kdc01:~# pwgen -snc 40 1
IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
root@kdc01:~#
kadmin: addprinc -clearpolicy -e "arcfour-hmac-md5:normal,aes256-cts-hmac-sha1-96:normal" krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM
Enter password for principal "krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM": IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
Re-enter password for principal "krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM": IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
Principal "krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM" created.
kadmin: addprinc -clearpolicy -e "arcfour-hmac-md5:normal,aes256-cts-hmac-sha1-96:normal" krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM
Enter password for principal "krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM": IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
Re-enter password for principal "krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM": IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
Principal "krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM" created.
C:\>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /add /realm /twoway /passwordt IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
C:\>netdom trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /transitive:ja
Vertrauenstellung wird als transitiv festgelegt.
[...]
C:\>netdom trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /foresttransitive:ja
Diese Vertrauensstellung wird als transitiv auf Gesamtstrukturebene gekennzeichnet.
C:\>netdom trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /addtln EXAMPLE.COM
Der Name der obersten Ebene oder die Ausnahme wurde den Gesamtstrukturvertrauensstellungs-Informationen erfolgreich hinzugefügt.
C:\>ksetup.exe /SetEncTypeAttr EXAMPLE.COM AES256-CTS-HMAC-SHA1-96
Festlegen der Verschlüsselungstypen für Domäne EXAMPLE.COM auf:AES256-CTS-HMAC-SHA1-96
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
mit.example.com = MIT.EXAMPLE.COM
.mit.example.com = MIT.EXAMPLE.COM
mydom.mit.example.com = MYDOM.MIT.EXAMPLE.COM
.mydom.mit.example.com = MYDOM.MIT.EXAMPLE.COM
otherdom.mit.example.com = OTHERDOM.MIT.EXAMPLE.COM
.otherdom.mit.example.com = OTHERDOM.MIT.EXAMPLE.COM
h5l.example.com = H5L.EXAMPLE.COM
.h5l.example.com = H5L.EXAMPLE.COM
mydom.h5l.example.com = MYDOM.H5L.EXAMPLE.COM
.mydom.h5l.example.com = MYDOM.H5L.EXAMPLE.COM
otherdom.h5l.example.com = OTHERDOM.H5L.EXAMPLE.COM
.otherdom.h5l.example.com = OTHERDOM.H5L.EXAMPLE.COM
ads.example.com = ADS.EXAMPLE.COM
.ads.example.com = ADS.EXAMPLE.COM
mydom.ads.example.com = MYDOM.ADS.EXAMPLE.COM
.mydom.ads.example.com = MYDOM.ADS.EXAMPLE.COM
otherdom.ads.example.com = OTHERDOM.ADS.EXAMPLE.COM
.otherdom.ads.example.com = OTHERDOM.ADS.EXAMPLE.COM
root@lx01.ads:~# kinit user
Password for user@ADS.EXAMPLE.COM: DrPig!
root@lx01.ads:~# kvno frontend/lx02.ads.example.com
frontend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2
root@lx01.ads:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@ADS.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 12:18:54 08/07/11 22:18:49 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 08/14/11 12:18:54
08/07/11 12:19:03 08/07/11 22:18:49 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
renew until 08/14/11 12:18:54, Flags: FRAO
root@lx01.ads:~#
root@lx01.h5l:~# /opt/heimdal/libexec/kimpersonate --ccache=/tmp/krb5cc_frontend --keytab=/etc/backend.keytab --client=user@H5L.EXAMPLE.COM --server=backend/lx02.h5l.example.com@H5L.EXAMPLE.COM --krb5 --enc-type=aes256-cts-hmac-sha1-96
root@lx01.h5l:~# klist -vf --cache=/tmp/krb5cc_frontend
Credentials cache: FILE:/tmp/krb5cc_frontend
Principal: user@H5L.EXAMPLE.COM
Cache version: 4
Server: backend/lx02.h5l.example.com@H5L.EXAMPLE.COM
Client: user@H5L.EXAMPLE.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 294
Auth time: Aug 7 12:22:08 2011
End time: Aug 7 13:22:08 2011
Ticket flags:
Addresses: IPv4:192.168.100.108
root@lx01.h5l:~#
root@lx02.ads:~# export KRB5CCNAME=/tmp/krb5cc_frontend
root@lx02.ads:~# kinit -k -t /etc/frontend.keytab frontend/lx02.ads.example.com
root@lx02.ads:~# kvno -k /etc/frontend.keytab -U user -P backend/lx02.ads.example.com
backend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~# kvno -k /etc/frontend.keytab -U Administrator -P backend/lx02.ads.example.com
backend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~#
root@lx02.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_frontend
Default principal: frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 21:24:45 08/08/11 07:24:45 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 08/14/11 21:24:45
08/07/11 21:25:03 08/08/11 07:24:45 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client user@ADS.EXAMPLE.COM, renew until 08/14/11 21:24:45
08/07/11 21:25:26 08/08/11 07:24:45 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client user@ADS.EXAMPLE.COM, renew until 08/14/11 21:24:45
08/07/11 21:25:35 08/08/11 07:24:45 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client Administrator@ADS.EXAMPLE.COM, renew until 08/14/11 21:24:45
08/07/11 21:25:56 08/08/11 07:24:45 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client Administrator@ADS.EXAMPLE.COM, renew until 08/14/11 21:24:45
root@lx02.ads:~#
[ kdc_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
root@kdc01:/etc/ssl/CA# export REALM=MIT.EXAMPLE.COM
root@kdc01:/etc/ssl/CA# openssl ca -in mitkdc01-req.pem -keyfile CAprivkey.pem -cert CAcert.pem -out mitkdc01.pem -extfile /etc/ssl/CA/krbkdc.cnf -extensions kdc_cert
[...]
[ client_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
princ1 = GeneralString:${ENV::CLIENT}
root@kdc01:/etc/ssl/CA# export REALM=MIT.EXAMPLE.COM
root@kdc01:/etc/ssl/CA# export CLIENT=pkuser
root@kdc01:/etc/ssl/CA# openssl ca -in pkuser-req.pem -keyfile CAprivkey.pem -cert CAcert.pem -out pkuser.pem -extfile pkinit-client.cnf -extensions client_cert
[...]
[realms]
MIT.EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
acl_file = /etc/krb5kdc/kadm5.acl
[...]
pkinit_anchors = FILE:/etc/ldap/CAcert.pem
pkinit_identity = FILE:/etc/krb5kdc/cert.pem,/etc/krb5kdc/privkey.pem
[...]
root@lx01.mit:~# kinit -X X509_user_identity=FILE:/root/.ssl/pkuser.pem,/root/.ssl/pkuser-privkey.pem pkuser
Enter PEM pass phrase: Das root Passwort ist geheim!
root@lx01.mit:~#
[libdefaults]
default_realm = MIT.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
pkinit_anchors = FILE:/etc/ldap/CAcert.pem
#pkinit_identities = FILE:/root/.ssl/pkuser.pem,/root/.ssl/pkuser-privkey.pem
pkinit_identities = ENV:PKINIT_ID
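# Certificate/key pair kinit uses for PKINIT. krb5.conf reads this via
# "pkinit_identities = ENV:PKINIT_ID", so the variable that is set and the
# one that is exported must both be PKINIT_ID (the original set
# PKINIT_IDENTITIES but exported the still-empty PKINIT_ID, so kinit never
# saw the identity).
PKINIT_ID="FILE:$HOME/.ssl/pkinit-cert.pem,$HOME/.ssl/pkinit-privkey.pem"
export PKINIT_ID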
root@lx01:~# pkcs15-tool --list-keys
Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : 3f005015
Auth ID : 01
ID : 0550935e3979b1a4eda92d6aebbfb3238b11859a
GUID : {0550935e-3979-b1a4-eda9-2d6aebbfb323}
root@lx01:~#
root@lx01:~# openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
OpenSSL> req -engine pkcs11 -new -key slot_1-id_0550935e3979b1a4eda92d6aebbfb3238b11859a -keyform engine -out pkuser-req.pem
engine "pkcs11" set.
PKCS#11 token PIN: 1234
You are about to be asked to enter information that will be incorporated
into your certificate request.
[...]
OpenSSL> quit
root@lx01:~#
root@lx01:~# kinit -X X509_anchors=FILE:/tmp/CAcert.pem -X X509_user_identity=PKCS11:module_name=opensc-pkcs11.so pkuser
OpenSC Card (User PIN) PIN: 1234
root@lx01:~#
root@lx01.ads:~# ldapsearch -LLL -x -h kdc01.ads.example.com -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
root@lx01.ads:~#
root@lx01.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: DrPig!
root@kdc01:~# ldapwhoami -Y GSSAPI -h kdc01.ads
SASL/GSSAPI authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
u:ADS\Administrator
root@lx01.ads:~#
root@kdc01:~# ldapsearch -LLL -x -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
root@kdc01:~#
mech_list: GSSAPI EXTERNAL
[...]
# Keytab slapd's SASL/GSSAPI server side uses (the mech_list above only
# allows GSSAPI and EXTERNAL); the Kerberos library picks the path up from
# the environment, hence the export.
export KRB5_KTNAME=/etc/ldap/krb5.keytab
root@kdc01:~# ldapsearch -LLL -H ldaps://kdc01.example.com -b dc=example,dc=com "cn=Max Mustermann" objectClass cn sn krbPrincipalName
SASL/GSSAPI authentication started
SASL username: maxm@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: Max Mustermann
sn: Mustermann
krbPrincipalName: maxm@EXAMPLE.COM
root@kdc01:~#
root@kdc01:~# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: maxm@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=maxm,cn=gssapi,cn=auth
root@kdc01:~#
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "uid=maxm,cn=gssapi,cn=auth" "cn=Max Mustermann,ou=people,dc=example,dc=com"
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "uid=(.*),cn=gssapi,cn=auth"
ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@EXAMPLE.COM)
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalName,entry
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
by anonymous auth
by self write
by * none
olcAccess: {1}to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,
member,memberUid,objectClass,ou,sn,uid,uidNumber,
uniqueMember,entry
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by users read
by * none
olcAccess: {2}to *
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
by * none
root@kdc01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: DrPig!
root@kdc01:~# ldapwhoami -Q -Y GSSAPI
dn:krbPrincipalName=erim@EXAMPLE.COM,cn=example.com,ou=mit-kerberos,dc=example,dc=com
root@kdc01:~# kinit maxm@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: DrPig!
root@kdc01:~# ldapwhoami -Q -Y GSSAPI
dn:cn=max mustermann,ou=people,dc=example,dc=com
root@kdc01:~#
dn: dc=mit,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: mit
ref: ldap://kdc01.mit.example.com/dc=mit,dc=example,dc=com
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
testuser1:x:998:998:Testnutzer Nr. 1:/home/testuser1:/bin/bash
testuser2:x:999:999:Testnutzer Nr. 2:/home/testuser1:/bin/bash
[...]
Benutzername:PW-Hash:UID:GID:Gecos:Heimatverzeichnis:Shell
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:testuser1,testuser2
tty:x:5:
disk:x:6:
[...]
Gruppenname:PW-Hash:GID:Mitgliederliste
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Max Mustermann
sn: Mustermann
uid: maxm
uidNumber: 10000
gidNumber: 123
gecos: Herr Mustermann
homeDirectory: /home/maxm
loginShell: /bin/bash
dn: cn=Musterleute,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Musterleute
gidNumber: 123
memberUid: maxm
memberUid: erim
dn: CN=Erika Musterfrau,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Erika Musterfrau
sn: Musterfrau
givenName: Erika
instanceType: 4
displayName: Erika Musterfrau
name: Erika Musterfrau
userAccountControl: 512
sAMAccountName: erim
userPrincipalName: erim@ADS.EXAMPLE.COM
unicodePwd:: IgBEAHIAUABpAGcAIQAiAA==
pwdLastSet: 0
uid: erim
uidNumber: 10001
gidNumber: 123
gecos: Frau Musterfrau
homeDirectory: /home/erim
loginShell: /bin/bash
dn: CN=Musterleute,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: group
cn: Musterleute
sAMAccountName: Musterleute
gidNumber: 123
memberUid: maxm
memberUid: erim
uid nslcd
gid nslcd
uri ldap://kdc01.mit.example.com
uri ldap://kdc02.mit.example.com
base dc=mit,dc=example,dc=com
binddn cn=nslcd,dc=mit,dc=example,dc=com
bindpw secret
passwd: files ldap
group: files ldap
shadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
root@lx01.mit:~# ldapsearch -LLLQ -Y GSSAPI -h kdc01.mit.example.com -b dc=mit,dc=example,dc=com uid=user1495 uid uidNumber gidNumber gecos homeDirectory loginShell
dn: cn=user1495,ou=people,dc=mit,dc=example,dc=com
uid: user1495
uidNumber: 1495
gidNumber: 1001
gecos: user1495
homeDirectory: /home/user1495
loginShell: /bin/bash
uid nslcd
gid nslcd
uri ldap://kdc01.mit.example.com
uri ldap://kdc02.mit.example.com
base dc=mit,dc=example,dc=com
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/cache/krb5cc/krb5cc_nslcd
referrals off
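#!/bin/sh
### BEGIN INIT INFO
# Provides: krb5-ticket-refresh
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Refresh Kerberos Credentials
### END INIT INFO
#
# krb5-ticket-refresh: Refresh Kerberos Credentials
#
# Obtains host/<fqdn> credentials from /etc/krb5.keytab into a credential
# cache owned by nslcd (the path nslcd.conf names in krb5_ccname), so nslcd
# can bind to the directory servers with SASL/GSSAPI.
#
# Usage: /etc/init.d/krb5-ticket-refresh {start|stop|status}
# Exit status: that of k5start / kdestroy / klist; 1 on a usage error.
NAME="krb5-ticket-refresh"
DESC="Refresh Kerberos Credentials"
NSLCD_CC="/var/cache/krb5cc/krb5cc_nslcd"

case "$1" in
  start)
    # The cache directory must exist before k5start can write into it.
    mkdir -p "${NSLCD_CC%/*}" || exit 1
    # -H 240: only fetch a new ticket when the cached one is not good for
    # at least another 240 minutes; -o/-g hand the cache file to nslcd.
    # Everything is quoted so an unexpected path or hostname cannot split.
    /usr/bin/k5start -u "host/$(hostname -f)" -k "$NSLCD_CC" \
      -f /etc/krb5.keytab -g nslcd -o nslcd -H 240
    ;;
  stop)
    /usr/bin/kdestroy -c "$NSLCD_CC"
    ;;
  status)
    /usr/bin/klist -c "$NSLCD_CC"
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|status}" >&2
    exit 1
    ;;
esac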
root@lx01.mit:~# chmod +x /etc/init.d/krb5-ticket-refresh
root@lx01.mit:~# update-rc.d krb5-ticket-refresh defaults 19
Adding system startup for /etc/init.d/krb5-ticket-refresh ...
/etc/rc0.d/K19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
/etc/rc1.d/K19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
/etc/rc6.d/K19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
/etc/rc2.d/S19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
/etc/rc3.d/S19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
/etc/rc4.d/S19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
/etc/rc5.d/S19krb5-ticket-refresh -> ../init.d/krb5-ticket-refresh
root@lx01.mit:~#
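#!/bin/bash
# Wrapper around the krb5-ticket-refresh init script, meant to be run
# periodically (presumably from cron). Sleeping a random 0-600 s first
# spreads the keytab logins of many clients over time instead of having
# them all hit the KDC in the same minute.
#
# $RANDOM is 0..32767, so the delay is RANDOM*600/32767 whole seconds.
# Shell arithmetic replaces the original "echo ... | bc" pipe: no external
# dependency, no subshell, same integer result.
sleep "$(( RANDOM * 600 / 32767 ))"
/etc/init.d/krb5-ticket-refresh start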
root@lx01.mit:~# touch /tmp/testfile
root@lx01.mit:~# chown user1495:group1001 /tmp/testfile
root@lx01.mit:~# ls -l /tmp/testfile
-rw-r--r-- 1 user1495 group1001 0 2011-08-07 12:28 /tmp/testfile
root@lx01.mit:~# id user1495
uid=1495(user1495) gid=1001(group1001) groups=1001(group1001)
root@lx01.mit:~# getent passwd user1495
user1495:*:1495:1001:user1495:/home/user1495:/bin/bash
root@lx01.mit:~# su - user1495
No directory, logging in with HOME=/
user1495@lx01:/$ whoami
user1495
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
password requisite pam_krb5.so minimum_uid=1000
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 default=ignore] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so
session optional pam_mkhomedir.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_ldap.so
session optional pam_ck_connector.so nox11
lx01 login: user1495
Password: Start123
Password expired. You must change it now.
Enter new password: DrPig!
Enter it again: DrPig!
Creating directory '/home/user1495'.
user1495@lx01:~$
user1495@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1495_QtNRab
Default principal: user1495@MIT.EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 14:08:29 08/08/11 00:08:29 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 08/08/11 14:08:23
user1495@lx01:~$
uid nslcd
gid nslcd
uri ldap://kdc01.ads.example.com
base dc=ads,dc=example,dc=com
ldap_version 3
use_sasl on
sasl_mech GSSAPI
krb5_ccname FILE:/var/cache/krb5cc/krb5cc_nslcd
referrals off
pagesize 1000
filter passwd (&(objectCategory=user)(uidNumber=*)(unixHomeDirectory=*))
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
filter group (&(objectCategory=group)(gidNumber=*))
map group uniqueMember member
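#!/bin/sh
### BEGIN INIT INFO
# Provides: krb5-ticket-refresh
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Refresh Kerberos Credentials
### END INIT INFO
#
# krb5-ticket-refresh: Refresh Kerberos Credentials
#
# Obtains host/<fqdn> credentials from /etc/krb5.keytab into two credential
# caches: one for nslcd (krb5_ccname in nslcd.conf) and one for the local
# slapd proxy (its KRB5CCNAME), so both can bind to the directory servers
# with SASL/GSSAPI.
#
# Usage: /etc/init.d/krb5-ticket-refresh {start|stop|status}
# Exit status: "start" echoes and exits with the status of the last failing
#   k5start (0 if both succeeded); "stop"/"status" exit with the status of
#   the last command run; 1 on a usage error.
NAME="krb5-ticket-refresh"
DESC="Refresh Kerberos Credentials"
NSLCD_CC="/var/cache/krb5cc/krb5cc_nslcd"
SLAPD_CC="/var/cache/krb5cc/krb5cc_slapd"

# refresh_cache CACHE USER
#   Refresh the host ticket in CACHE, owned by USER:USER. k5start's -H 240
#   only fetches a new ticket when the cached one is not good for at least
#   another 240 minutes, so calling this often is cheap.
refresh_cache() {
  /usr/bin/k5start -u "host/$(hostname -f)" -k "$1" \
    -f /etc/krb5.keytab -g "$2" -o "$2" -H 240
}

case "$1" in
  start)
    # Both caches live in the same directory; create it before k5start.
    mkdir -p "${NSLCD_CC%/*}" || exit 1
    rc=0
    refresh_cache "$NSLCD_CC" nslcd || rc=$?
    refresh_cache "$SLAPD_CC" openldap || rc=$?
    # The original echoed only the second k5start's status, so a failure
    # to fill the nslcd cache went unnoticed; report and propagate either.
    echo "$rc"
    exit "$rc"
    ;;
  stop)
    /usr/bin/kdestroy -c "$NSLCD_CC"
    /usr/bin/kdestroy -c "$SLAPD_CC"
    ;;
  status)
    /usr/bin/klist -c "$NSLCD_CC"
    /usr/bin/klist -c "$SLAPD_CC"
    ;;
  *)
    echo "Usage: /etc/init.d/$NAME {start|stop|status}" >&2
    exit 1
    ;;
esac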
[...]
SLAPD_CONF=/etc/ldap/slapd.conf
[...]
SLAPD_SERVICES="ldap://127.0.0.1:389/"
[...]
# Credential cache the proxy slapd uses for its SASL/GSSAPI idassert-bind;
# it is the SLAPD_CC cache kept fresh by the krb5-ticket-refresh script.
export KRB5CCNAME=/var/cache/krb5cc/krb5cc_slapd
# Runtime directory for the nssov overlay loaded in slapd.conf; slapd runs
# as openldap, so it has to own the directory.
mkdir -p /var/run/nslcd
chown openldap:openldap /var/run/nslcd
argsfile /var/run/slapd/slapd.args
pidfile /var/run/slapd/slapd.pid
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/ldapns.schema
modulepath /usr/lib/ldap
moduleload back_bdb.la
moduleload back_meta.la
moduleload back_ldap.la
moduleload pcache.la
moduleload nssov.la
access to * by * read
database meta
norefs yes
suffix dc=example,dc=com
rootdn dc=example,dc=com
overlay nssov
uri "ldap://kdc01.example.com/dc=example,dc=com"
ldap://kdc02.example.com
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
uri "ldap://kdc01.mit.example.com/dc=mit,dc=example,dc=com"
ldap://kdc02.mit.example.com
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
[...Parameter fuer die anderen MIT und H5L Realms analog...]
uri "ldap://kdc01.ads.example.com/dc=ads,dc=example,dc=com"
ldap://kdc02.ads.example.com
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
map objectclass posixGroup group
map objectclass posixAccount user
map attribute homeDirectory unixHomeDirectory
map attribute uniqueMember member
[...Parameter fuer die anderen ADS Realms analog...]
overlay pcache
proxycache bdb 10000 1 50 3600
root@lx01.ads:~# getent passwd user1567
user1567:*:1567:1001:user1567:/home/user1567:/bin/bash
root@lx01.ads:~# getent passwd user2836
user2836:*:2836:2001:user2836:/home/user2836:/bin/bash
root@lx01.ads:~# getent passwd user7623
user7623:*:7623:7001:User 7623:/home/user7623:/bin/bash
root@lx01.ads:~# getent passwd group 1534
user1534:*:1534:1001:user1534:/home/user1534:/bin/bash
root@lx01.ads:~# getent group group1534
group1534:*:1534:
root@lx01.ads:~# getent group group2837
group2837:*:2837:
root@lx01.ads:~# getent group group7432
group7432:*:7432:
root@lx01.ads:~#
auth sufficient pam_krb5.so minimum_uid=1000 realm=EXAMPLE.COM
auth sufficient pam_krb5.so minimum_uid=1000 realm=MIT.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=MYDOM.MIT.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=OTHERDOM.MIT.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=H5L.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=MYDOM.H5L.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=OTHERDOM.H5L.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=ADS.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=MYDOM.ADS.EXAMPLE.COM use_first_pass
auth sufficient pam_krb5.so minimum_uid=1000 realm=OTHERDOM.ADS.EXAMPLE.COM use_first_pass
auth [success=2 default=ignore] pam_unix.so nullok_secure use_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
root@lx01.ads:~#
[...]
telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a valid
[...]
user1001@lx01:~$ telnet -a lx02.example.com
Trying 192.168.100.110...
Connected to lx02.example.com (192.168.100.110).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``user1001@EXAMPLE.COM'' ]
Last login: Sun Aug 7 14:16:14 2011 from lx01.example.com
user1001@lx02:~$
user1001@lx01:~$ telnet -a -F lx02.example.com
Trying 192.168.100.110...
Connected to lx02.example.com (192.168.100.110).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``user1001@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
[...]
user1001@lx01:~$ kinit user1001/admin
Password for user1001/admin@EXAMPLE.COM: DrPig!
user1001@lx01:~$ telnet -a -l root lx02.example.com
Trying 192.168.100.110...
Connected to lx02.example.com (192.168.100.110).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``user1001/admin@EXAMPLE.COM'' ]
Last login: Sun Aug 7 14:16:43 from lx01.example.com
root@lx02:~#
user1001@lx02:~$ kinit user1001/admin
Password for user1001/admin@EXAMPLE.COM: DrPig!
user1001@lx02:~$ ksu
Authenticated user1001/admin@EXAMPLE.COM
Account root: authorization for user1001/admin@EXAMPLE.COM successful
Changing uid to root (0)
root@lx02:/home/user1001#
DEFAULT
set verbose_encrypt
set autoencrypt
set autodecrypt
set autologin
forward forwardable
user1001@lx01:~$ telnet lx02.example.com
Trying 192.168.100.110...
Encryption is verbose
Automatic encryption of output is enabled
Automatic decryption of input is enabled
Will send login name and/or authentication information.
Connected to lx02.example.com (192.168.100.110).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``user1001@EXAMPLE.COM'' ]
[ Kerberos V5 accepted forwarded credentials ]
[ Output is now encrypted with type DES_CFB64 ]
[ Input is now decrypted with type DES_CFB64 ]
Last login: Sun Aug 7 14:18:45 from lx01.example.com
user1001@lx02:~$
[...]
kshell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/kshd -5ec
[...]
user1001@lx01:~$ krb5-rsh -x lx02.example.com 'whoami; hostname -f'
This rsh session is encrypting input/output data transmissions.
user1001
lx02.example.com
user1001@lx01:~$ kinit user1001/admin
Password for user1001/admin@EXAMPLE.COM: DrPig!12345
user1001@lx01:~$ krb5-rsh -x -l root lx02.example.com 'whoami; hostname -f'
This rsh session is encrypting input/output data transmissions.
root
lx02.example.com
user1001@lx01:~$
user1001@lx01:~$ krb5-ftp -x lx02
Connected to lx02.example.com.
220 lx02 FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
200 Data channel protection level set to private.
Name (lx02:user1001):
232 GSSAPI user user1001@EXAMPLE.COM is authorized as user1001
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 28
-rw------- 1 user1001 229 2011-08-07 08:56 .bash_history
-rw-r--r-- 1 user1001 220 2010-04-18 18:51 .bash_logout
-rw-r--r-- 1 user1001 3103 2011-04-17 12:30 .bashrc
-rw-r--r-- 1 user1001 675 2010-04-18 18:51 .profile
[...]
226 Transfer complete.
ftp> quit
221 Goodbye.
user1001@lx01:~$ ssh lx02
The authenticity of host 'lx02 (192.168.100.110)' can't be established.
RSA key fingerprint is 8d:13:5f:d7:59:06:45:30:22:9d:9a:53:ce:26:3d:df.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'lx02,192.168.100.110' (RSA) to the list of known hosts.
Last login: Sun Aug 7 14:27:48 2011 from lx01.example.com
user1001@lx02:~$
user1001@lx01:~$ kdestroy
user1001@lx01:~$ ssh lx02
Password: DrPig!
Password expired. You must change it now.
Enter new password: Qwert123
Enter it again: Qwert123
Last login: Sun Aug 7 14:28:08 2011 from lx01.example.com
user1001@lx02:~$
user7001@lx01.ads:~$ ssh lx02.example.com
Last login: Sun Aug 7 14:32:43 2011 from lx02.ads.example.com
user7001@lx02:~$
auth_to_local = RULE:[String-Def](Prüfung)Transformation
auth_to_local = RULE:[String-Def](Prüfung)Transformation
auth_to_local = RULE:[String-Def](Prüfung)Transformation
[...]
auth_to_local = DEFAULT
[realms]
EXAMPLE.COM = {
[...]
auth_to_local = RULE:[1:$1@$0](^.*@.*EXAMPLE.COM$)s/@.*//
auth_to_local = DEFAULT
[...]
}
user7001@lx01.ads:~$ smbclient -k //kdc01.ads.example.com/home
OS=[Windows Server 2008 R2 Datacenter 7600] Server=[Windows Server 2008 R2 Datacenter 6.1]
smb: \> dir
. D 0 Sun Aug 7 14:45:30 2011
.. D 0 Sun Apr 10 02:14:15 2011
user7001 D 0 Sun Aug 7 14:45:30 2011
40957 blocks of size 1048576. 29071 blocks available
smb: \> quit
user7001@lx01.ads:~$
root@lx01.ads:~# mkdir /mnt/cifs
root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: DrPig!
root@lx01.ads:~# smbmount //kdc01.ads.example.com/home /mnt/cifs/ -o sec=krb5i
root@lx01.ads:~# df -T /mnt/cifs
Filesystem Type 1K-blocks Used Available Use% Mounted on
//kdc01.ads.example.com/home
cifs 41940988 12384304 29556684 30% /mnt/cifs
root@lx01.ads:~#
root@lx01.ads:~# ls -l /mnt/cifs/
total 0
drwxr-xr-x 0 root root 0 2011-08-07 12:42 user7001
root@lx01.ads:~#
root@lx02.ads:~# mkdir -p /home/user7001
root@lx02.ads:~# chown user7001:group7001 /home/user7001/
root@lx02.ads:~# chmod 700 /home/user7001/
[global]
security = ads
workgroup = ADS
realm = ADS.EXAMPLE.COM
[home]
path = /home/
read only = No
root@lx02.ads:~# net ads join -U Administrator createupn=host/lx02.ads.example.com@ADS.EXAMPLE.COM
Enter Administrator's password: DrPig!
Using short domain name -- ADS
Joined 'LX02' to realm 'ADS.EXAMPLE.COM'
root@lx02.ads:~#
[global]
security = ADS
workgroup = ADS
realm = ADS.EXAMPLE.COM
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config ADS : backend = nss
idmap config ADS : range = 7001 - 7999
idmap config MYDOM : backend = nss
idmap config MYDOM : range = 8001 - 8999
idmap config OTHERDOM : backend = nss
idmap config OTHERDOM : range = 9001 - 9999
[home]
path = /home
read only = No
root@lx02.ads:~# wbinfo --name-to-sid ADS\\user7001
S-1-5-21-2985994875-1208933836-1633449310-2125 User (1)
root@lx02.ads:~# wbinfo --sid-to-name S-1-5-21-2985994875-1208933836-1633449310-2125
ADS\user7001 1
root@lx02.ads:~# wbinfo --sid-to-uid S-1-5-21-2985994875-1208933836-1633449310-2125
7001
root@lx02.ads:~# wbinfo --uid-to-sid 7001
S-1-5-21-2985994875-1208933836-1633449310-2125
root@lx02.ads:~#
[...]
UUID=971f4c43-8076-402a-96ba-c8fe33fd79a9 / ext4 errors=remount-ro,acl 0 1
[...]
user7001@lx02.ads:~$ touch /home/user7001/acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user7002:rwx /home/user7001/acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user8003:rw /home/user7001/acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user9004:r /home/user7001/acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group7003:rwx /home/user7001/acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group8004:rw /home/user7001/acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group9005:r /home/user7001/acl-test.txt
user7001@lx02.ads:~$ getfacl /home/user7001/acl-test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/user7001/acl-test.txt
# owner: user7001
# group: group7001
user::rw-
user:user7002:rwx
user:user8003:rw-
user:user9004:r--
group::r--
group:group7003:rwx
group:group8004:rw-
group:group9005:r--
mask::rwx
other::r--
user7001@lx02.ads:~$
root@lx02:~# echo '/home lx01.example.com(rw,subtree_check)' > /etc/exports
root@lx02:~# mkdir -p /home/maxm
root@lx02:~# chown maxm:maxm /home/maxm
root@lx02:~# chmod 0700 /home/maxm
root@lx02:~# exportfs -a
root@lx01:~# mount -t nfs -o vers=3,rw lx02.example.com:/home /home
root@lx01:~# df /home
Filesystem 1K-blocks Used Available Use% Mounted on
lx02.example.com:/home
7852768 3600288 3853600 49% /home
root@lx01:~#
root@lx01:~# cd /home/maxm/
-bash: cd: /home/maxm/: Permission denied
root@lx01:~# su maxm
maxm@lx01:/root$ cd /home/maxm
maxm@lx01:~$
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com
Local-Realms = EXAMPLE.COM,MIT.EXAMPLE.COM,H5L.EXAMPLE.COM,ADS.EXAMPLE.COM,MYDOM.MIT.EXAMPLE.COM,OTHERDOM.MIT.EXAMPLE.COM,MYDOM.H5L.EXAMPLE.COM,OTHERDOM.H5L.EXAMPLE.COM,MYDOM.ADS.EXAMPLE.COM,OTHERDOM.ADS.EXAMPLE.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
#Kommentarzeile
Server-Pfad Client-Liste(Export-Option,Export-Option,...) Client-Liste(Export-Option,Export-Option,...) [...]
[...]
# /etc/exports: the access control list for filesystems
# which may be exported to NFS clients.
# See exports(5).
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/home gss/krb5(rw,fsid=0,subtree_check)
root@lx01:~# mount -t nfs4 -o sec=krb5 lx02.example.com:/ /home
root@lx01:~# klist /tmp/krb5cc_machine_EXAMPLE.COM
Ticket cache: FILE:/tmp/krb5cc_machine_EXAMPLE.COM
Default principal: nfs/lx01.example.com@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 14:50:00 08/08/11 00:50:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/08/11 14:49:55
08/07/11 14:50:00 08/08/11 00:50:00 nfs/lx02.example.com@EXAMPLE.COM
renew until 08/08/11 14:49:55
root@lx01:~#
root@lx01:~# cd /home/maxm
-bash: cd: /home/maxm: Permission denied
root@lx01:~# su maxm
bash: /home/maxm/.bashrc: Permission denied
maxm@lx01:/root$ cd /home/maxm
bash: cd: /home/maxm: Permission denied
lx01 login: maxm
Password: DrPig!
Last login: Sun Aug 7 14:33:42 CEST 2011 on pts/0
maxm@lx01:~$ df .
Filesystem 1K-blocks Used Available Use% Mounted on
lx02.example.com:/ 7852768 3603136 3850720 49% /home
maxm@lx01:~$
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1502_6NAKOl
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/07/11 14:55:12 08/08/11 00:55:12 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/08/11 14:55:12
08/07/11 14:55:15 08/08/11 00:55:12 nfs/lx02.example.com@EXAMPLE.COM
renew until 08/08/11 14:55:12
maxm@lx01:~$
[...]
SSLCertificateFile /etc/apache2/cert.pem
SSLCertificateKeyFile /etc/apache2/privkey.pem
[...]
C:\Users\Administrator>setspn -A HTTP/www.ads.example.com lx02-http
Registering ServicePrincipalNames for CN=HTTP/lx02.ads.example.com,CN=Users,DC=A
DS,DC=EXAMPLE,DC=COM
HTTP/www.ads.example.com
Updated object
C:\Users\Administrator>
root@lx02.ads:~# ktutil
ktutil: rkt /etc/apache2/krb5.keytab
ktutil: list -e -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 HTTP/lx02.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
ktutil: addent -key -p HTTP/www.ads.example.com@ADS.EXAMPLE.COM -k 2 -e aes256-cts
Key for HTTP/www.ads.example.com@ADS.EXAMPLE.COM (hex): da05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47
ktutil: list -e -k
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 HTTP/lx02.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
2 2 HTTP/www.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
ktutil: wkt /etc/apache2/krb5.keytab.new
ktutil: quit
root@lx02.ads:~# mv /etc/apache2/krb5.keytab.new /etc/apache2/krb5.keytab
root@lx02.ads:~# chown www-data:www-data /etc/apache2/krb5.keytab
[...]
<Directory /var/www/>
AuthType Kerberos
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/krb5.keytab
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
require valid-user
</Directory>
[...]
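#!/bin/sh
# CGI that shows the Kerberos principal name Apache (mod_auth_kerb, see the
# <Directory> block with "AuthType Kerberos" / "require valid-user") placed
# in REMOTE_USER after the client authenticated.
#
# Outputs: a text/plain CGI response on stdout.

# print_login_info: write the CGI header and the REMOTE_USER line.
print_login_info() {
  printf 'Content-type: text/plain\n\n'
  printf 'Anmeldeinformationen:\n\n'
  printf 'Sie sind angemeldet unter dem Kerberos-Principal-Namen\n'
  # printf '%s' with a quoted value: the original "echo $REMOTE_USER" would
  # word-split and glob an unusual principal name, and echo mangles values
  # starting with a dash or containing backslashes.
  printf '%s\n' "${REMOTE_USER:-}"
}

print_login_info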
[...]
<Directory "/usr/lib/cgi-bin">
AuthType Kerberos
KrbMethodK5Passwd Off
KrbServiceName Any
Krb5Keytab /etc/apache2/krb5.keytab
KrbSaveCredentials On
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
require valid-user
</Directory>
[...]
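#!/bin/sh
# CGI demonstrating credential delegation: with "KrbSaveCredentials On"
# mod_auth_kerb stores the client's forwarded ticket in a cache and passes
# its location to the CGI (KRB5CCNAME), so klist, ssh and ldapsearch below
# run under the authenticated user's principal (REMOTE_USER).
#
# Outputs: a text/plain CGI response on stdout; stderr of the invoked
# tools is merged into the response (2>&1) on purpose so errors are visible
# in the browser.

# ldap_filter_escape STRING
#   Escape the characters that are special inside an LDAP search filter
#   value (RFC 4515): backslash first, then * ( ). REMOTE_USER comes from
#   the KDC, but it still must not be able to change the filter structure.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
    -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# principal_to_user PRINCIPAL
#   "user@REALM" -> "user" (everything from the first @ on is dropped);
#   a parameter expansion replaces the original echo | sed pipeline.
principal_to_user() {
  printf '%s\n' "${1%%@*}"
}

# main: emit the response; all expansions are quoted.
main() {
  user=$(principal_to_user "${REMOTE_USER:-}")
  filter="userprincipalname=$(ldap_filter_escape "${REMOTE_USER:-}")"

  printf 'Content-type: text/plain\n\n'
  printf 'Delegationsinformationen:\n\n'
  /usr/bin/klist -f 2>&1
  printf '\n'
  printf 'Zugriff auf Netzwerkdienste:\n\n'
  printf 'Mit den delegierten Credentials wird Apache nun unter\n'
  printf 'Ihrer Identitaet eine LDAP-Suche durchfuehren\n\n'
  printf 'Hier der Output von \n'
  printf 'ssh -l %s lx02.ads.example.com id\n\n' "$user"
  # BatchMode: a CGI cannot answer a password prompt, so fail visibly
  # instead of hanging the Apache worker when GSSAPI auth does not succeed.
  /usr/bin/ssh -o BatchMode=yes -l "$user" lx02.ads.example.com id 2>&1
  printf '\n'
  printf 'Hier der Output von \n'
  printf 'ldapsearch -QLLL %s uidNumber gidNumber\n\n' "$filter"
  /usr/bin/ldapsearch -QLLL "$filter" uidNumber gidNumber 2>&1
  printf '\n'
  printf 'Delegationsinformationen:\n\n'
  /usr/bin/klist -f 2>&1
}

main "$@"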
root@lx02.ads:~# a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@lx02.ads:~#
[...]
<Directory /var/www/>
AuthType Kerberos
KrbMethodK5Passwd off
KrbServiceName Any
Krb5Keytab /etc/apache2/krb5.keytab
AuthLDAPURL "ldap://kdc01.ads.example.com/dc=ads,dc=example,dc=com?userPrincipalName?sub"
AuthLDAPBindDN CN=HTTP/lx02.ads.example.com,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
AuthLDAPBindPassword "66DFlocd5qMkQsh3lsX0"
AuthLDAPRemoteUserAttribute "userPrincipalName"
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
require ldap-group CN=WWW-Users,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
</Directory>
[...]
BASE dc=ads,dc=example,dc=com
URI ldap://kdc01.ads.example.com
TLS_CACERT /etc/ldap/CAcert.pem
REFERRALS off
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
[...]
// Anonymous ('*') users get nothing: reading, editing, creating pages or
// talk pages and API writes all require an authenticated session.
foreach ( array( 'read', 'edit', 'createpage', 'createtalk', 'writeapi' ) as $anonRight ) {
	$wgGroupPermissions['*'][$anonRight] = false;
}
unset( $anonRight );
Alias /mediawiki /var/lib/mediawiki
<Directory /var/lib/mediawiki/>
AuthType Kerberos
KrbMethodK5Passwd off
Krb5Keytab /etc/apache2/krb5.keytab
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
Options +FollowSymLinks
AllowOverride All
order allow,deny
allow from all
require valid-user
</Directory>
[...]
// LDAP auto-login for MediaWiki: Apache (mod_auth_kerb, see the
// <Directory /var/lib/mediawiki/> block) has already authenticated the
// user, so the LdapAutoAuthentication extension only maps REMOTE_USER to a
// wiki account looked up in the ADS.EXAMPLE.COM directory.
require_once( "/usr/share/mediawiki-extensions/LdapAutoAuthentication.php" );
require_once( "/usr/share/mediawiki-extensions/LdapAuthentication.php" );
// A single domain, served by the AD domain controller kdc01.
$wgLDAPDomainNames = array("ADS.EXAMPLE.COM");
$wgLDAPServerNames = array("ADS.EXAMPLE.COM"=>"kdc01.ads.example.com");
$wgLDAPAutoAuthDomain = "ADS.EXAMPLE.COM";
// Service account for the directory lookups: the same
// HTTP/lx02.ads.example.com object and password used as AuthLDAPBindDN /
// AuthLDAPBindPassword in the Apache configuration.
// NOTE(review): the password is a literal in LocalSettings.php; anyone able
// to read this file obtains the bind credential. Consider loading it from a
// root-only file outside the document root.
$wgLDAPProxyAgent = array("ADS.EXAMPLE.COM"=>"CN=HTTP/lx02.ads.example.com,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM");
$wgLDAPProxyAgentPassword = array("ADS.EXAMPLE.COM"=>"66DFlocd5qMkQsh3lsX0");
$wgLDAPBaseDNs = array("ADS.EXAMPLE.COM"=>"DC=ads,DC=example,DC=com");
// "clear" = plain ldap:// without TLS, so presumably the proxy-agent bind
// above (DN + password) crosses the network unencrypted. TODO confirm
// whether "tls" works against kdc01 — the ldap tools already trust
// /etc/ldap/CAcert.pem via TLS_CACERT.
$wgLDAPEncryptionType = array( "ADS.EXAMPLE.COM"=>"clear" );
// The wiki user name is matched against sAMAccountName, i.e. the principal
// without its realm.
$wgLDAPSearchAttributes = array("ADS.EXAMPLE.COM"=>"samaccountname");
// REMOTE_USER is the Kerberos principal ("user@ADS.EXAMPLE.COM"); strip the
// realm so it matches sAMAccountName. Left unset when Apache passed no user.
if (isset($_SERVER["REMOTE_USER"])) $wgLDAPAutoAuthUsername = preg_replace( '/@.*/', '', $_SERVER["REMOTE_USER"]);
AutoAuthSetup();
version: 1
# Max Mustermann
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Max Mustermann
sn: Mustermann
# Erika Musterfrau
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Erika Musterfrau
sn: Musterfrau
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0ZXMgZs
O8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
root@kdc01:~# echo RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo= | base64 -d
Ein Beispiel eines Benutzerobjektes für das Kerberos-Buch
root@kdc01:~#
# neues Objekt anlegen
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: add
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
# ein Attribut hinzufügen
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: modify
add: seeAlso
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: modify
delete: seeAlso
-
replace: description
description: Eine Beispielanwenderin
-
add: userPassword
userPassword: geheim123
# Objekt löschen
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: delete
root@kdc01:~# ldapsearch -x -h kdc01 -b dc=example,dc=com '(cn=Erika*)'
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0ZXMgZs
O8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
root@kdc01:~#
root@kdc01:~# ldapsearch -x -h kdc01 -b dc=example,dc=com '(&(objectClass=person)(seeAlso=*))' cn
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
root@kdc01:~# ldapsearch -x -h kdc01 -D 'cn=Erika Musterfrau,ou=people,dc=example,dc=com' -w 'geheim123' -b dc=example,dc=com '(cn=Erika*)'
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0ZXMgZs
O8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
userPassword:: Z2VoZWltMTIz
root@kdc01:~#
root@kdc01:~# ldapmodify -x -D cn=admin,dc=example,dc=com -w 'DrPig!' -f erim.ldif
adding new entry "cn=Erika Musterfrau,ou=people,dc=example,dc=com"
modifying entry "cn=Erika Musterfrau,ou=people,dc=example,dc=com"
root@kdc01:~#
local@ubuntu:~$ sudo -s
[sudo] password for local: DrPig!
root@ubuntu:~# passwd
Enter new UNIX password: DrPig!
Retype new UNIX password: DrPig!
passwd: password updated successfully
root@ubuntu:~#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.100.102
netmask 255.255.255.0
gateway 192.168.100.1
[...]
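# Prompt shows the host without its ".example.com" suffix so the realm part
# (lx01, lx01.mit, lx01.ads, ...) stays visible. The FQDN is looked up once
# here instead of once per branch, and the suffix is stripped with a
# parameter expansion rather than a second process (sed) per shell start.
_prompt_host=$(hostname -f)
_prompt_host=${_prompt_host%.example.com}
if [ "$color_prompt" = yes ]; then
  # PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
  PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@'"$_prompt_host"'\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
  # PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
  PS1='${debian_chroot:+($debian_chroot)}\u@'"$_prompt_host"':\w\$ '
fi
unset _prompt_host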
[...]