Listings der zweiten Auflage

(Hier gibt es die Listings der ersten Auflage)

Listing 2.1

Komponente-1[/Komponente-2/.../Komponente-N]@REALM

Listing 3.1

CentOS Linux 8 (Core)
Kernel 4.18.0-193.14.2.el8_2.x86_64 on an x86_64

lx01 login: maxm
Password: P@ssw0rd
maxm@lx01:~$

Listing 3.2

maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 06/23/2021 17:32:57
maxm@lx01:~$

Listing 3.3

maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FRIA

Listing 3.4

maxm@lx01:~$ ldapsearch -h kdc01 -QLLL uid=maxm uidNumber gidNumber
dn: uid=maxm,ou=people,dc=example,dc=com
uidNumber: 10000
gidNumber: 10000

maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FRIA
06/22/2021 17:34:07 06/23/2021 03:32:59 ldap/kdc01.example.com@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FRAT
maxm@lx01:~$

Listing 3.5

maxm@lx01:~$ ssh lx02.example.com
Last login: Fri Aug 21 14:28:07 2020 from 10.1.2.111
maxm@lx02:~$ klist -f
klist: No credentials cache found (filename: /tmp/krb5cc_10000)
maxm@lx02:~$ logout
Connection to lx02.example.com closed.
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FRIA
06/22/2021 17:34:07 06/23/2021 03:32:59 ldap/kdc01.example.com@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FRAT
06/22/2021 17:35:53 06/23/2021 03:32:59 host/lx02.example.com@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FRAT
maxm@lx01:~$

Listing 3.6

maxm@lx01:~$ ssh -o GSSAPIDelegateCredentials=yes lx02.example.com
Last login: Fri Aug 21 14:33:29 2020 from lx01.example.com
maxm@lx02:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_tYAs5NLrnP
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
06/22/2021 17:37:28 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 06/23/2021 17:32:57, Flags: FfRAT
maxm@lx02:~$ logout
Connection to lx02.example.com closed.
maxm@lx01:~$

Listing 3.7

Host lx02.example.com
  GSSAPIDelegateCredentials yes

Listing 3.8

maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 06/23/2021 17:32:57
06/22/2021 17:34:07 06/23/2021 03:32:59 ldap/kdc01.example.com@EXAMPLE.COM
       renew until 06/23/2021 17:32:57
06/22/2021 17:35:53 06/23/2021 03:32:59 host/lx02.example.com@EXAMPLE.COM
       renew until 06/23/2021 17:32:57
06/22/2021 22:29:20 06/23/2021 03:32:59 HTTP/lx02.example.com@EXAMPLE.COM
       renew until 06/23/2021 17:32:57

Listing 3.9

maxm@lx01:~$ kdestroy
maxm@lx01:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000_zGOviZ)
maxm@lx01:~$

Listing 3.10

maxm@lx01:~$ kinit maxm@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting      Expires             Service principal
08/21/2021 14:42:14 08/22/2021 00:42:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 14:42:11
maxm@lx01:~$

Listing 3.11

maxm@lx01:~$ kvno host/lx02.example.com@EXAMPLE.COM
host/lx02.example.com@EXAMPLE.COM: kvno = 2
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting      Expires             Service principal
08/21/2021 14:42:14 08/22/2021 00:42:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 14:42:11
08/21/2021 14:43:44 08/22/2021 00:42:14 host/lx02.example.com@EXAMPLE.COM
       renew until 08/22/2021 14:42:11
maxm@lx01:~$

Listing 4.1

$ string2key -5 -k des-cbc-md5
Kerberos v5 principal: maxm@EXAMPLE.COM
Password: P@ssw0rd
Kerberos 5 (des-cbc-md5): cdaed543802f79d0
$ string2key -5 -k AES256-CTS-HMAC-SHA384-192
Kerberos v5 principal: maxm@EXAMPLE.COM
Password: P@ssw0rd
Kerberos 5 (aes256-cts-hmac-sha384-192): 52b9d0d220c487b1d8b7d34f2a8b7e23f03179762b24612f920ce56752c3b2cb
$

Listing 4.2

$ ktutil
ktutil: addent -password -p maxm@EXAMPLE.COM -k 1 -e CAMELLIA256-CTS-CMAC
Password for maxm@EXAMPLE.COM: P@ssw0rd
ktutil: l -k
slot KVNO Principal
---- ---- ------------------------------------------------
 1  1    maxm@EXAMPLE.COM (0xabb9c235054143aad37797d1504431114c2c662515d0b69cc9c0bcbfd855dd16)
ktutil: quit
$

Listing 5.1

maxm@lx01:~$ kinit -S HTTP/lx02.example.com@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/21/2021 17:31:17 08/22/2021 03:31:17 HTTP/lx02.example.com@EXAMPLE.COM
       renew until 08/22/2021 17:31:14, Flags: FRIA
maxm@lx01:~$

Listing 6.1

maxm@lx01:~$ kinit -l 10min -r 20min
Password for maxm@EXAMPLE.COM:  P@ssw0rd
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 00:44:08 08/22/2021 00:54:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 01:04:04, Flags: FRIA

[...9 Minuten warten...]

maxm@lx01:~$ kinit -R
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 00:53:53 08/22/2021 01:03:49 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 01:04:04, Flags: FRIAT

[...9 Minuten warten...]

maxm@lx01:~$ kinit -R
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 01:03:38 08/22/2021 01:04:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 01:04:04, Flags: FRIAT

[...9 Minuten warten...]

maxm@lx01:~$ kinit -R
kinit: Ticket expired while renewing credentials
maxm@lx01:~$

Listing 6.2

maxm@lx01:~$ kinit -s 20min -l 10min -r 20min
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 01:37:09 08/22/2021 01:47:09 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 01:57:09, Flags: FDdiRIA
maxm@lx01:~$

[...9 Minuten warten...]

maxm@lx01:~$ kinit -v
kinit: Ticket not yet valid while validating credentials

[...9 Minuten warten...]

maxm@lx01:~$ kinit -v
kinit: Ticket not yet valid while validating credentials

[...9 Minuten warten...]

maxm@lx01:~$ kinit -v
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 01:46:24 08/22/2021 01:47:09 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/22/2021 01:57:09, Flags: FDdRIAT
maxm@lx01:~$

Listing 6.3

root@lx01.mydom.mit:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@MYDOM.MIT.EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 11:47:43 08/22/2021 21:47:41 krbtgt/MYDOM.MIT.EXAMPLE.COM@MYDOM.MIT.EXAMPLE.COM
       renew until 08/29/2021 11:47:41, Flags: FRIA
08/22/2021 11:47:47 08/22/2021 21:47:41 krbtgt/MIT.EXAMPLE.COM@MYDOM.MIT.EXAMPLE.COM
       renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:40 08/22/2021 21:47:41 krbtgt/EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:44 08/22/2021 21:47:41 krbtgt/H5L.EXAMPLE.COM@EXAMPLE.COM
       renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:47 08/07/2021 21:47:41 krbtgt/OTHERDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
       renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:47 08/22/2021 21:47:41 host/kdc01.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM
       renew until 08/29/2021 11:47:41, Flags: FRAT
root@lx01.mydom.mit:~#

Listing 7.1

 root@kdc01:~# dnf install bind bind-utils
 root@kdc01:~# systemctl stop named
 root@kdc01:~# systemctl start named
 root@kdc01:~# systemctl enable named
 root@kdc01:~# systemctl enable named --now
 root@kdc01:~# firewall-cmd --add-service=dns --permanent
 root@kdc01:~# firewall-cmd --add-port=53/udp --permanent
 root@kdc01:~# firewall-cmd --add-port=53/tcp --permanent
 root@kdc01:~# firewall-cmd --reload

Listing 7.2

options {

  listen-on port 53 { 127.0.0.1; 10.1.2.110; };
  listen-on-v6 port 53 { ::1; };

  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  secroots-file "/var/named/data/named.secroots";
  recursing-file "/var/named/data/named.recursing";

  allow-query { any; };
  // every client admitted by allow-query may also recurse through this
  // server; outside a closed lab, limit that (e.g. allow-recursion { localnets; };)
  recursion yes;
  forwarders { 8.8.8.8; };
  dnssec-enable yes;
  dnssec-validation yes;

  managed-keys-directory "/var/named/dynamic";
  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
  include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

zone "example.com" in {
  type master;
  #allow-update {10.1.2.0/24;};
  file "/var/named/example.com.zone";
};

zone "2.1.10.in-addr.arpa" in {
  type master;
  file "/var/named/2.1.10.zone";
};

Listing 7.3

$ORIGIN .
$TTL 172800   ; 2 days
example.com IN SOA kdc01.example.com. root.kdc01.example.com. (
           2020000000 ; serial
           10800   ; refresh (3 hours)
           3600    ; retry (1 hour)
           604800   ; expire (1 week)
           86400   ; minimum (1 day)
          )
          NS  kdc01.example.com.
          A  10.1.2.254
          MX  10 kdc01.example.com.
kdc01.example.com.  A  10.1.2.110
lx01.example.com.  A  10.1.2.111
lx02.example.com.  A  10.1.2.112

Listing 7.4

$ORIGIN .
$TTL 86400   ; 1 day
2.1.10.in-addr.arpa IN SOA kdc01.example.com. root.kdc01.example.com. (
            2020000000 ; serial
            28800   ; refresh (8 hours)
            7200    ; retry (2 hours)
            604800   ; expire (1 week)
            86400   ; minimum (1 day)
           )
             NS   kdc01.example.com.

110.2.1.10.in-addr.arpa. PTR   kdc01.example.com.
111.2.1.10.in-addr.arpa. PTR   lx01.example.com.
112.2.1.10.in-addr.arpa. PTR   lx02.example.com.

Listing 7.5

root@kdc01:~# nmcli connection modify 'System enp0s3' ipv4.dns 10.1.2.110
root@kdc01:~# nmcli connection down 'System enp0s3'
root@kdc01:~# nmcli connection up 'System enp0s3'
root@kdc01:~# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.1.2.110
root@kdc01:~#

Listing 7.6

root@kdc01:~# host kdc01.example.com
kdc01.example.com has address 10.1.2.110
root@kdc01:~# host 10.1.2.110
110.2.1.10.in-addr.arpa domain name pointer kdc01.example.com.
root@kdc01:~#

Listing 7.7

[...]
$ORIGIN ads.example.com.
@       IN   NS   kdc01.ads.example.com.
[...]

Listing 7.8

[...]
zone "ads.example.com" {
  type forward;
  forward only;
  forwarders { 10.1.2.120; 10.1.2.121; };
};
[...]

Listing 7.9

root@kdc01:~# mkdir /etc/pki/CA
root@kdc01:~# mkdir -p /etc/pki/CA/newcerts
root@kdc01:~# touch /etc/pki/CA/index.txt
root@kdc01:~# echo 04 > /etc/pki/CA/serial
root@kdc01:~# cd /etc/pki/CA
root@kdc01:/etc/pki/CA# openssl req \
-x509                               \
-newkey rsa:4096                    \
-days 9999                          \
-out /etc/pki/CA/CAcert.pem         \
-keyout /etc/pki/CA/CAprivkey.pem   \
-nodes
Generating a RSA private key
.........+++
..+++
writing new private key to '/etc/pki/CA/CAprivkey.pem'
-----
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:EXAMPLE
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:EXAMPLE
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:EXAMPLE.COM Root CA
Email Address []:maxm@example.com
root@kdc01:/etc/pki/CA#

Listing 7.10

root@kdc01:~# mkdir -p /etc/openldap/certs
root@kdc01:~# openssl req -new -newkey rsa:4096 -out /etc/openldap/certs/req.pem -keyout /etc/openldap/certs/privkey.pem -nodes
Generating a RSA private key
...........................+++
..+++
writing new private key to '/etc/openldap/certs/privkey.pem'
-----
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:EXAMPLE
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:EXAMPLE
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:kdc01.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@kdc01:~# chmod 400 /etc/openldap/certs/privkey.pem 

Listing 7.11

root@kdc01:~# cp /etc/openldap/certs/req.pem /etc/pki/CA/kdc01-req.pem
root@kdc01:~# cd /etc/pki/CA
root@kdc01:/etc/pki/CA# openssl ca   \
-in kdc01-req.pem                    \
-out kdc01-cert.pem                  \
-keyfile /etc/pki/CA/CAprivkey.pem   \
-cert /etc/pki/CA/CAcert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 3 (0x3)
    Validity
      Not Before: Aug 22 03:54:07 2020 GMT
      Not After : Aug 22 03:54:07 2021 GMT
    Subject:
      countryName        = DE
      stateOrProvinceName    = EXAMPLE
      organizationName     = EXAMPLE
      commonName        = kdc01.example.com
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Comment:
        OpenSSL Generated Certificate
      X509v3 Subject Key Identifier:
        86:2B:E3:2F:E2:FB:AB:D0:98:D4:B1:B7:20:F1:E3:33:62:33:A2:1C
      X509v3 Authority Key Identifier:
        keyid:E7:91:43:4E:DB:AB:14:DB:55:13:4A:DA:3C:FF:9B:1E:4D:6C:05:31

Certificate is to be certified until Aug 22 03:54:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@kdc01:/etc/pki/CA#
root@kdc01:/etc/pki/CA#  cp kdc01-cert.pem /etc/openldap/certs/cert.pem

Listing 7.12

[sofl]
name=Symas OpenLDAP for Linux RPM repository
baseurl=https://repo.symas.com/repo/rpm/SOFL/rhel8
gpgkey=https://repo.symas.com/repo/gpg/RPM-GPG-KEY-symas-com-signing-key
gpgcheck=1
enabled=1

Listing 7.13

dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /var/run/openldap/slapd.pid
olcArgsFile: /var/run/openldap/slapd.args

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read
olcAccess: to * by * none

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

Listing 7.14

root@kdc01:~#  rm -rf /etc/openldap/slapd.d/*
root@kdc01:~#  slapadd -n 0 -F /etc/openldap/slapd.d -l listing-7.13.ldif 
_############### 100.00% eta none elapsed   none fast!
Closing DB...
root@kdc01:~#  slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/core.ldif
_############### 100.00% eta none elapsed   none fast!
Closing DB...
root@kdc01:~#  chown -R ldap: /etc/openldap/slapd.d
root@kdc01:~#  restorecon -R /etc/openldap/slapd.d

Listing 7.15

root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root@kdc01:~#

Listing 7.16

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq
olcAccess: to attrs=userPassword,shadowLastChange
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
 by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
 by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
 by anonymous auth
 by self write
 by * none
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,
 loginShell,member,memberUid,objectClass,ou,sn,uid,
 uidNumber,uniqueMember,entry
 by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
 by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
 by users read
 by anonymous auth
 by * none
olcAccess: to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
 by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
 by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
 by * none

Listing 7.17

root@kdc01:~# slappasswd 
New password: P@ssw0rd
Re-enter new password: P@ssw0rd
{SSHA}juTKEw47N6WSbPD+JhIL8mFUomomb+2l
root@kdc01:~#

Listing 7.18

dn: dc=example,dc=com
objectClass: domain
dc: example

dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword: {SSHA}juTKEw47N6WSbPD+JhIL8mFUomomb+2l

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=LDAP Read Write,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com

dn: cn=LDAP Read Only,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=admin,dc=example,dc=com

Listing 7.19

root@kdc01:~# ldapsearch -H ldap://kdc01.example.com -b dc=example,dc=com -D cn=admin,dc=example,dc=com -W -x -LLL '(cn=admin)'
Enter LDAP Password: P@ssw0rd
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9anVUS0V3NDdONldTYlBEK0poSUw4bUZVb21
 vbWIrMmw=
root@kdc01:~#

Listing 7.20

URI ldap://kdc01.example.com
BASE dc=example,dc=com

Listing 7.21

dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/CAcert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/openldap/dhparam
-
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.4
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSecurity
olcSecurity: ssf=128
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: try

Listing 7.22

URI ldaps://kdc01.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/CAcert.pem
TLS_REQCERT demand
TLS_CIPHER_SUITE HIGH
TLS_PROTOCOL_MIN 3.4

Listing 8.1

kdc01:~# dnf install krb5-server krb5-workstation
[...]
kdc01:~# systemctl stop krb5kdc
kdc01:~# systemctl stop kadmin
kdc01:~# mv /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.BACKUP
kdc01:~# mv /etc/krb5.conf /etc/krb5.conf.BACKUP

Listing 8.2

root@kdc01:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 25; echo
KEnfGfVU1LKQoZrKSBF65yfVN
root@kdc01:~#

Listing 8.3

[kdcdefaults]
    Parameter-1 = Wert-1
    ...

[realms]
    RealmA = {
        RealmA-Parameter-1 = Wert-1
        RealmA-Parameter-2 = Wert-2
        ...
    }
    RealmB = {
        RealmB-Parameter-1 = Wert-1
        RealmB-Parameter-2 = Wert-2
        databasemodule = DBSectionX
        ...
    }
    ...

[dbdefaults]
    Parameter-1 = Wert-1
    ...

[dbmodules]
    RealmA = {
        RealmA-Parameter-1 = Wert-1
        RealmA-Parameter-2 = Wert-2
        ...
    }
    DBSectionX = {
        DBSectionX-Parameter-1 = Wert-1
        DBSectionX-Parameter-2 = Wert-2
        ...
    }

[logging]
    kdc = Log-Datei
    admin_server = Log-Datei

Listing 8.4

[kdcdefaults]
    kdc_listen = 88
    kdc_tcp_listen = 88

[realms]
    EXAMPLE.COM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        #key_stash_file = /var/kerberos/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        supported_enctypes = aes256-cts:normal camellia256-cts:normal
        default_principal_flags = +preauth
    }

[dbmodules]
    EXAMPLE.COM = {
        db_library = db2
        database_name = /var/kerberos/krb5kdc/principal
    }

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH

Listing 8.5

kdc01:~# kdb5_util -r EXAMPLE.COM create
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Re-enter KDC database master key to verify: KEnfGfVU1LKQoZrKSBF65yfVN
kdc01:~#

Listing 8.6

kdc01:~# kadmin.local -m -r EXAMPLE.COM
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
kiprop/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: quit
kdc01:~#

Listing 8.7

kdc01:~# kadmin.local -m -r EXAMPLE.COM 
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kadmin.local: addprinc user
WARNING: no policy specified for user@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user@EXAMPLE.COM": P@ssw0rd
Re-enter password for principal "user@EXAMPLE.COM": P@ssw0rd
Principal "user@EXAMPLE.COM" created.
kadmin.local: addprinc user/admin
WARNING: no policy specified for user/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user/admin@EXAMPLE.COM": P@ssw0rd
Re-enter password for principal "user/admin@EXAMPLE.COM": P@ssw0rd
Principal "user/admin@EXAMPLE.COM" created.
kadmin.local: quit
kdc01:~#

Listing 8.8

kdc01:~# kdb5_util -r EXAMPLE.COM stash
kdb5_util: Can not fetch master key (error: No such file or directory). while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kdc01:~#

Listing 8.9

[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc01.example.com
        admin_server = kdc01.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Listing 8.10

root@lx01:~# kinit user@EXAMPLE.COM
Password for user@EXAMPLE.COM: P@ssw0rd
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting      Expires             Service principal
08/22/2021 13:46:23 08/22/2021 23:46:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/23/2021 13:46:21
root@lx01:~#

Listing 9.1

# Kommentarzeile
Principal Zugriffsmaske [Zugriffsziel [Restriktionen]]
Principal Zugriffsmaske [Zugriffsziel [Restriktionen]]
[...]

Listing 9.2

# Vollzugriff fuer jeden */admin Principal aus EXAMPLE.COM:
*/admin@EXAMPLE.COM *

Listing 9.3

KADMIND_ARGS="-r EXAMPLE.COM"

Listing 9.4

lx01:~# kadmin -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
kiprop/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user/admin@EXAMPLE.COM
user@EXAMPLE.COM
kadmin: quit
lx01:~#

Listing 9.5

lx01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: addpolicy -maxlife 30days -minlife 1day -minlength 10 -minclasses 3 -history 10 admin
kadmin: addpolicy -maxlife 180days -minlife 1day -minlength 8 -minclasses 2 -history 10 default
kadmin: listpolicies
admin
default
kadmin: getpolicy admin
Policy: admin
Maximum password life: 30 days 00:00:00
Minimum password life: 1 day 00:00:00
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 10
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin: getpolicy default
Policy: default
Maximum password life: 180 days 00:00:00
Minimum password life: 1 day 00:00:00
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 10
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin: quit
lx01:~#

Listing 9.6

root@kdc01:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: P@ssw0rd
kadmin: modpol -maxfailure 3 -lockoutduration 600 -failurecountinterval 60 default
kadmin: quit
root@kdc01:~#

Listing-9.6 (korrigierte Version)

root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: modpol -maxfailure 3 -lockoutduration 600 -failurecountinterval 60 default
kadmin: quit
root@kdc01:~#

Listing 9.7

root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: secret
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: geheim
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: password
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
kinit: Clients credentials have been revoked while getting initial credentials
root@kdc01:~#

Listing 9.8

root@kdc01:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: P@ssw0rd
kadmin: getprinc maxm
Principal: maxm@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Aug 26 19:37:26 CEST 2020
Password expiration date: Mon Feb 22 18:37:26 CET 2021
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Aug 26 19:37:26 CEST 2020 (kadmind@EXAMPLE.COM)
Last successful authentication: Wed Aug 26 19:51:06 CEST 2020
Last failed authentication: Wed Aug 26 21:24:29 CEST 2020
Failed password attempts: 3
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default
kadmin: quit
root@kdc01:~#

Listing-9.8 (korrigierte Version)

root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: getprinc maxm
Principal: maxm@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Aug 26 19:37:26 CEST 2020
Password expiration date: Mon Feb 22 18:37:26 CET 2021
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Aug 26 19:37:26 CEST 2020 (kadmind@EXAMPLE.COM)
Last successful authentication: Wed Aug 26 19:51:06 CEST 2020
Last failed authentication: Wed Aug 26 21:24:29 CEST 2020
Failed password attempts: 3
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default
kadmin: quit
root@kdc01:~#

Listing 9.9

lx01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: modifyprincipal -policy default user
Principal "user@EXAMPLE.COM" modified.
kadmin: modifyprincipal -policy admin user/admin
Principal "user/admin@EXAMPLE.COM" modified.
kadmin: modifyprincipal -allowsvr user
Principal "user@EXAMPLE.COM" modified.
kadmin: modifyprincipal -allowsvr user/admin
Principal "user/admin@EXAMPLE.COM" modified.
[...]

Listing 9.10

[...]
kadmin.local: addprincipal -policy default -pw Start123 maxm
Principal "maxm@EXAMPLE.COM" created.
kadmin.local: addprincipal -policy default -pw Start123 erim
Principal "erim@EXAMPLE.COM" created.
kadmin.local: addprincipal -policy admin -pw Start12345 maxm/admin
Principal "maxm/admin@EXAMPLE.COM" created.
kadmin.local: modifyprincipal -allowsvr +needchange maxm
Principal "maxm@EXAMPLE.COM" modified.
kadmin.local: modifyprincipal -allowsvr +needchange erim
Principal "erim@EXAMPLE.COM" modified.
kadmin.local: modifyprincipal -allowsvr +needchange maxm/admin
Principal "maxm/admin@EXAMPLE.COM" modified.
[...]

Listing 9.11

lx01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: Start123
Password expired. You must change it now.
Enter new password: P@ssw0rd
Enter it again: P@ssw0rd
lx01:~#

Listing 9.12

[...]
kadmin: addprincipal -clearpolicy -randkey host/lx01.example.com
Principal "host/lx01.example.com@EXAMPLE.COM" created.
[...]

Listing 9.13

[...]
kadmin: ktadd -k /etc/krb5.keytab host/lx01.example.com
Entry for principal host/lx01.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
kadmin:
kadmin: quit
lx01:~#

Listing 9.14

root@lx01:~# ktutil 
ktutil: readkt /etc/krb5.keytab
ktutil: list -e -k
slot KVNO Principal
---- ---- ------------------------------------------------
 1  2 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807)
 2  2 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac)  (0x5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90)
ktutil: addentry -key -k 2 -e aes256-cts-hmac-sha1-96 -p dummy/lx01.example.com@EXAMPLE.COM
Key for dummy/lx01.example.com@EXAMPLE.COM (hex): 3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807
ktutil: addentry -key -k 2 -e camellia256-cts-cmac -p dummy/lx01.example.com@EXAMPLE.COM
Key for dummy/lx01.example.com@EXAMPLE.COM (hex): 5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90
ktutil: list -e -k
slot KVNO Principal
---- ---- ------------------------------------------------
 1  2 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807)
 2  2 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac)  (0x5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90)
 3  2 dummy/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807)
 4  2 dummy/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac)  (0x5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90)
ktutil: writekt /etc/krb5.keytab.new
ktutil: quit
root@lx01:~# mv /etc/krb5.keytab.new /etc/krb5.keytab
mv: overwrite '/etc/krb5.keytab'? y
root@lx01:~#

Listing 9.15

root@lx01:~# ktutil
ktutil: addentry -password -p erim@EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
Password for erim@EXAMPLE.COM: P@ssw0rd
ktutil: list -k -e
slot KVNO Principal
---- ---- ------------------------------------------------
 1  2 erim@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x479bb8dd2f99cee4cca5e1c27943109c254a9b59646bf13db58296521ff695d4)
ktutil: writekt erim.keytab
ktutil: quit
root@lx01:~#

Listing 9.16

lx01:~# kadmin -k -t /etc/krb5.keytab -q 'ktadd -k /etc/krb5.keytab host/lx01.example.com@EXAMPLE.COM'
Authenticating as principal host/lx01.example.com@EXAMPLE.COM with keytab /etc/krb5.keytab.
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
lx01:~#

Listing 9.17

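#!/bin/sh
# Rotate the keys of the service principals in the host keytab.
#
# Sequence: back up the keytab, drop entries older than the current kvno
# (delold), then ask the KDC for fresh random keys (change). After the run
# the keytab still holds the previous key next to the new one (compare the
# kvno 3 and kvno 4 entries in Listing 10.4), so service tickets issued
# before the change keep working until the next run removes it.
#
# Abort on the first failure: a half-done rotation must not continue with
# a keytab whose state is unknown.
set -eu

KEYTAB=/etc/krb5.keytab

# -p preserves mode and owner: the backup contains the same secret keys as
# the keytab itself and must not become readable to other users.
# NOTE(review): the .BAK copy keeps superseded keys alive on disk; delete
# it once the rotation has been verified.
/bin/cp -fp "$KEYTAB" "$KEYTAB.BAK"

# delete old keys (entries with a kvno below the current one):
/usr/bin/k5srvutil -f "$KEYTAB" delold

# change keys (new random keys on the KDC and in the keytab):
/usr/bin/k5srvutil -f "$KEYTAB" change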

Listing 10.1

root@lx01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kinit 
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~#

Listing 10.2

root@lx01:~# klist -f -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM

Valid starting      Expires             Service principal
08/25/2021 20:03:17 08/26/2021 06:03:17 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/26/2021 20:03:15, Flags: RIA
       Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
root@lx01:~#

Listing 10.3

root@lx01:~# export KRB5CCNAME=DIR:/tmp/mycache
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kinit maxm
Password for maxm@EXAMPLE.COM: P@ssw0rd
root@lx01:~# klist -l
Principal name         Cache name
--------------         ----------
erim@EXAMPLE.COM        DIR::/tmp/mycache/tkt0Hw7kC
maxm@EXAMPLE.COM        DIR::/tmp/mycache/tktFbyiQ7
root@lx01:~# kswitch -p erim
root@lx01:~# klist
Ticket cache: DIR::/tmp/mycache/tkt0Hw7kC
Default principal: erim@EXAMPLE.COM

Valid starting      Expires             Service principal
07/19/2021 14:58:21 07/20/2021 00:58:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 07/20/2021 14:58:19
root@lx01:~# kswitch -p maxm
root@lx01:~# klist
Ticket cache: DIR::/tmp/mycache/tktFbyiQ7
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
07/19/2021 14:58:27 07/20/2021 00:58:27 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 07/20/2021 14:58:24
root@lx01:~# klist -A
Ticket cache: DIR::/tmp/mycache/tktFbyiQ7
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
07/19/2021 14:58:27 07/20/2021 00:58:27 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 07/20/2021 14:58:24

Ticket cache: DIR::/tmp/mycache/tkt0Hw7kC
Default principal: erim@EXAMPLE.COM

Valid starting      Expires             Service principal
07/19/2021 14:58:21 07/20/2021 00:58:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 07/20/2021 14:58:19
root@lx01:~#

Listing 10.4

root@lx01:~# klist -k -t -e -K
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp     Principal
---- ----------------- -----------------------------------
 4 08/25/20 19:10:31 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x010348c6ce0d1a2e2f36b8e3768353f94f65dce6ecb90678fef874fe07586a8c)
 4 08/25/20 19:10:31 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac)  (0x5aa971b82c7295f866b5b215946119bdcb2f8ebe4fe1a88d27908d31e5787779)
 3 08/25/20 19:07:32 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)  (0x3796fceb82be47b4ae13d443bef369b3d84c8d709a07501e92b7200fc7707767)
 3 08/25/20 19:07:32 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac)  (0x4aa25d9134373903717b11a59b9e041927d53951c5f0acc357cf74bf51cfac7e)
root@lx01:~# kinit -k host/lx01.example.com@EXAMPLE.COM
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/lx01.example.com@EXAMPLE.COM

Valid starting      Expires             Service principal
08/25/2021 20:28:50 08/26/2021 06:28:50 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/26/2021 20:28:50
root@lx01:~#

Listing 10.5

root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kvno host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4
root@lx01:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM

Valid starting      Expires             Service principal
08/25/2021 20:32:22 08/26/2021 06:32:22 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/26/2021 20:32:19
08/25/2021 20:32:34 08/26/2021 06:32:22 host/lx01.example.com@EXAMPLE.COM
       renew until 08/26/2021 20:32:19
root@lx01:~#

Listing 10.6

root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kvno -e aes256-cts host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4
root@lx01:~# kvno -e camellia256-cts host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4
root@lx01:~# kvno -e arcfour-hmac host/lx01.example.com
kvno: KDC has no support for encryption type while getting credentials for host/lx01.example.com@EXAMPLE.COM
root@lx01:~# kvno -k /etc/krb5.keytab host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4, keytab entry valid
root@lx01:~#

Listing 10.7

root@lx01:~# kpasswd maxm
Password for maxm@EXAMPLE.COM: P@ssw0rd
Enter new password: Geheim123
Enter it again: Geheim123
Password changed.
root@lx01:~#

Listing 10.8

root@lx01:~# kdestroy
root@lx01:~#

Listing 10.9

root@lx01:~# k5start -b -u host/lx01.example.com \
-k /var/cache/krb5cc/krb5ccmyapp                 \
-f /etc/krb5.keytab                              \
-g myapp -o myapp -K 1
root@lx01:~#

Listing 10.10

root@lx01:~# k5start -u host/lx01.example.com \
-k /var/cache/krb5cc/krb5ccmyapp              \
-f /etc/krb5.keytab                           \
-g myapp -o myapp -H 240
root@lx01:~#

Listing 11.1

[Abschnitt-1]
    Parameter-1 = Wert-1
    Parameter-2 = Wert-2
    ...
[Abschnitt-2]
    Parameter-3 = Wert-3
    Parameter-4 = Wert-4
    Unterabschnitt-A = {
        Parameter-5 = Wert-5
        Parameter-6 = Wert-6
        ...
    }
    Unterabschnitt-B = {
        Parameter-7 = Wert-7
        Parameter-8 = Wert-8
        ...
    }
    ...
[Abschnitt-3]
...

Listing 11.2

[libdefaults]
    # realm appended to bare principal names ("kinit erim" -> erim@EXAMPLE.COM)
    default_realm = EXAMPLE.COM
    # KDCs are located through DNS SRV records; the realm name itself is
    # deliberately NOT taken from DNS TXT records -- DNS answers are not
    # authenticated, and a spoofed realm mapping would redirect clients
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10hours
    renew_lifetime = 7days
    # request forwardable TGTs (the F flag in klist -f). NOTE(review): a TGT
    # forwarded to another host hands that host the user's full identity, so
    # credentials should only be delegated to trusted hosts.
    forwardable = true

Listing 11.3

[realms]
    EXAMPLE.COM = {
        Parameter-1 = Wert-1
        Parameter-2 = Wert-2
        ...
    }

Listing 11.4

[realms]
    EXAMPLE.COM = {
        # explicit KDC list; with dns_lookup_kdc = true these are used in
        # addition to the SRV records
        kdc = kdc01.example.com:88
        kdc = kdc02.example.com:88
        # the KDC holding the writable database; per krb5.conf(5) clients
        # retry here after a password failure, in case a fresh password
        # change has not reached the replicas yet
        master_kdc = kdc01.example.com:88
        # kadmin (749) and kpasswd (464) must always talk to the writable KDC
        admin_server = kdc01.example.com:749
        kpasswd_server = kdc01.example.com:464
    }

Listing 11.5

[realms]
    EXAMPLE.COM = {
        admin_server = kdc01.example.com
    }

Listing 11.6

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    server.test.example.com = EXAMPLE.COM

Listing 11.7

root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM

Valid starting      Expires             Service principal
08/26/2021 01:47:55 08/26/2021 11:47:51 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/28/2021 01:47:55
08/26/2021 01:48:09 08/26/2021 11:47:51 host/lx01.example.com@
       renew until 08/28/2021 01:47:55
08/26/2021 01:48:09 08/26/2021 11:47:51 host/lx01.example.com@EXAMPLE.COM
       renew until 08/28/2021 01:47:55
root@lx01:~#

Listing 11.8

[appdefaults]
    Anwendung-1 = {
        Realm-A = {
            Parameter-1 = Wert-1
            Parameter-2 = Wert-2
            ...
        }
        Realm-B = {
            Parameter-1 = Wert-3
            Parameter-2 = Wert-4
            ...
        }
    }
    Anwendung-2 = {
        Parameter-1 = Wert-5
        Parameter-2 = Wert-6
        ...
    }
    Realm-A = {
        Parameter-1 = Wert-7
        Parameter-2 = Wert-8
        ...
    }
    Realm-B = {
        Parameter-1 = Wert-9
        Parameter-2 = Wert-10
        ...
    }
    Parameter-1 = Wert-11
    Parameter-2 = Wert-12
    ...

Listing 11.9

[libdefaults]
    # default realm for principal names given without @REALM
    default_realm = EXAMPLE.COM
    # KDCs come from the SRV records of 11.10; the realm is NOT looked up in
    # DNS TXT records (11.11) because that unauthenticated answer could be
    # spoofed to point clients at a foreign realm
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10hours
    renew_lifetime = 7days
    # TGTs are requested forwardable (F flag in klist -f); NOTE(review): a
    # forwarded TGT gives the receiving host the user's identity, so
    # delegation should be limited to trusted hosts
    forwardable = true
[realms]
    EXAMPLE.COM = {
        # only kadmin/kpasswd need an explicit server here; the KDCs are
        # discovered via DNS
        admin_server = kdc01.example.com
    }
[domain_realm]
    # host names in example.com belong to EXAMPLE.COM; used to pick the
    # realm of service principals such as host/lx01.example.com
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Listing 11.10

[...]
; KDC discovery for clients with dns_lookup_kdc = true (11.2/11.9).
; _kerberos-master names the KDC with the writable database (cf. master_kdc
; in 11.4); _kpasswd the password-change service.
; NOTE(review): these answers are unauthenticated unless the zone is signed;
; an attacker who controls them can redirect clients to a KDC of their
; choosing -- without the realm keys that yields denial of service rather
; than valid tickets, but it is still a reason to protect the zone.
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos-master._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos-master._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc01.example.com.

Listing 11.11

[...]
; host-name-to-realm mapping via TXT record. Only consulted by clients that
; set dns_lookup_realm = true; the krb5.conf files in this chapter keep it
; false (11.2, 11.9), because an unauthenticated DNS answer would let an
; attacker map the domain to a realm of their choosing.
_kerberos.example.com TXT "EXAMPLE.COM"

Listing 12.1

root@kdc01:~# mkdir /var/kerberos/krb5kdc-backup
root@kdc01:~# chmod 700 /var/kerberos/krb5kdc-backup

Listing 12.2

0 3 * * * root /usr/sbin/kdb5_util dump "/var/kerberos/krb5kdc-backup/kdb-backup-$(date +\%Y-\%m-\%d)"

Listing 12.3

root@kdc02:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: P@ssw0rd
kadmin: addprincipal -clearpolicy -randkey host/kdc02.example.com
Principal "host/kdc02.example.com@EXAMPLE.COM" created.
kadmin: ktadd -k /etc/krb5.keytab host/kdc02.example.com@EXAMPLE.COM
Entry for principal host/kdc02.example.com@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc02.example.com@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit
root@kdc02:~#

Listing 12.4

root@kdc01:~# /usr/sbin/kprop -f /var/kerberos/krb5kdc/kdbrepldata kdc02.example.com
Database propagation to kdc02.example.com: SUCCEEDED

Listing 12.5

[...]
; kdc02 is advertised as an additional KDC for ticket requests only: it holds
; a read-only copy pushed by kprop (12.4/12.6), so the _kerberos-master and
; _kpasswd records of 11.10 keep pointing at kdc01.
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.

Listing 12.6

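#!/bin/sh
# Dump the KDC database and push it to every replica KDC with kprop.
#
# Stop immediately if the dump fails: propagating a stale or partial dump
# file would silently desynchronise the replicas.
set -eu

# The dump contains every principal key of the realm; create it readable by
# root only, independent of kdb5_util's default file mode.
umask 077

# space-separated list of replica host names
REPLICA_KDCS="kdc02.example.com"
REPLDATA="/var/kerberos/krb5kdc/kdb_repldata"

/usr/sbin/kdb5_util dump "$REPLDATA"

# Propagate to all replicas even if one of them fails, but report the
# failure through the exit status so cron/monitoring can see it.
rc=0
for kdc in $REPLICA_KDCS; do   # word-splitting intended
 /usr/sbin/kprop -f "$REPLDATA" "$kdc" || rc=1
done
exit "$rc"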

Listing 13.1

root@kdc01:~# echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > slapd.conf
root@kdc01:~#
root@kdc01:~# mkdir slapd.d
root@kdc01:~# slaptest -f slapd.conf -F slapd.d
config file testing succeeded
root@kdc01:~#
root@kdc01:~# cp 'slapd.d/cn=config/cn=schema/cn={0}kerberos.ldif' kerberos.ldif

Listing 13.2

dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1
  NAME 'krbPrincipalName'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1
  NAME 'krbCanonicalName'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
[...]
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1
  NAME 'krbTicketPolicyAux'
  SUP top
  AUXILIARY
  MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1
  NAME 'krbTicketPolicy'
  SUP top STRUCTURAL MUST cn )

Listing 13.3

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq
olcDbIndex: krbPwdPolicyReference eq

Listing 13.4

# Lift the search size limit for the local root identity -- the same
# peercred DN under which the KDC and kadmind bind over ldapi:/// with SASL
# EXTERNAL (13.5). NOTE(review): presumably so that searches over the
# principal container are not truncated by the default size limit; confirm
# against the slapd limits in place.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size=unlimited

Listing 13.5

[kdcdefaults]

    # UDP and TCP listener ports of the KDC
    kdc_listen = 88
    kdc_tcp_listen = 88

[realms]

    EXAMPLE.COM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        # clear-text copy of the database master key so the KDC can start
        # unattended (written by kdb5_ldap_util create -s in 13.6). It must
        # stay readable by root only: with the stash and the database every
        # key in the realm can be recovered.
        key_stash_file = /var/kerberos/krb5kdc/stash
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = aes256-cts
        # only AES-256 and Camellia-256 keys are generated -- no RC4 or DES,
        # which is why "kvno -e arcfour-hmac" in 10.6 is refused by the KDC
        supported_enctypes = aes256-cts:normal camellia256-cts:normal
        # new principals require pre-authentication, so the KDC does not hand
        # out password-derived AS-REPs to unauthenticated requesters
        # (offline password guessing)
        default_principal_flags = +preauth
        database_module = openldap_ldapconf
    }

[dbmodules]
    #EXAMPLE.COM = {
    #  db_library = db2
    #  database_name = /var/lib/krb5kdc/principal
    #}
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "cn=mit-kerberos,dc=example,dc=com"
        # KDC and kadmind bind over the local ldapi socket with SASL
        # EXTERNAL, i.e. they are identified by their uid/gid (peercred) --
        # no bind DN/password has to be stored on disk; the matching
        # olcLimits entry is in 13.4
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
        ldap_servers = "ldapi:///"
        ldap_conns_per_server = 5
    }

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH

Listing 13.6

root@kdc01:~# kdb5_ldap_util create -r EXAMPLE.COM -s -sscope sub
Initializing database for realm 'EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Re-enter KDC database master key to verify: KEnfGfVU1LKQoZrKSBF65yfVN
root@kdc01:~#

Listing 13.7

root@kdc01:~# kdb5_util load -update example.com.dump
root@kdc01:~# kadmin.local listprincs
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
erim@EXAMPLE.COM
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
host/lx01.example.com@EXAMPLE.COM
maxm/admin@EXAMPLE.COM
maxm@EXAMPLE.COM
user/admin@EXAMPLE.COM
user@EXAMPLE.COM
root@kdc01:~# kadmin.local listpolicies
admin
default

Listing 13.8

root@kdc01:~# systemctl start krb5kdc
root@kdc01:~# systemctl start kadmin
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: P@ssw0rd
root@kdc01:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
08/26/2021 19:26:03 08/27/2021 05:26:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/28/2021 19:26:03
root@kdc01:~#

Listing 13.9

[Unit]
After=syslog.target network.target network-online.target slapd.service

Listing 13.10

dn: cn=Max Mustermann,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Max Mustermann
sn: Mustermann

dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Erika Musterfrau
sn: Musterfrau

Listing 13.11

root@kdc01:~# kdb5_ldap_util modify -r EXAMPLE.COM -subtrees ou=people,dc=example,dc=com
root@kdc01:~# systemctl restart krb5kdc
root@kdc01:~# systemctl restart kadmin
root@kdc01:~#

Listing 13.12

root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: deleteprincipal -force maxm@EXAMPLE.COM
Principal "maxm@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: addprincipal -x dn="cn=Max Mustermann,ou=people,dc=example,dc=com" -policy default -pw Start123 maxm
Principal "maxm@EXAMPLE.COM" created.
kadmin: modifyprincipal -allowsvr +needchange maxm
Principal "maxm@EXAMPLE.COM" modified.
kadmin: quit
root@kdc01:~#

Listing 13.13

# The user entry after kadmin attached the principal to it (13.12): the
# auxiliary classes krbPrincipalAux/krbTicketPolicyAux add the Kerberos
# attributes to the existing person object.
# NOTE(review): krbPrincipalKey holds the principal's keys (encrypted under
# the database master key, i.e. recoverable with the stash file of 13.5) and
# krbExtraData the change history. Read access to these attributes must be
# limited to the KDC/kadmind identity -- an ordinary directory user or an
# anonymous bind must never be able to read them.
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: Max Mustermann
sn: Mustermann
krbLoginFailedCount: 0
krbPrincipalName: maxm@EXAMPLE.COM
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,
 cn=mit-kerberos,dc=example,dc=com
krbPrincipalKey:: MIHGoAMCAQGhAwIBAaIDAgEBowMCAQGkga8wgaww
 VKAHMAWgAwIBAKFJMEegAwIBEqFABD4gAAelpEL3IIfN66uhW3Nah7wy8
 mghXeDQRNwIXX4zBxt/BDP7XrH+sWteJJxOtw25giEN80ll/2JwBfzlzj
 BUoAcwBaADAgEAoUkwR6ADAgEaoUAEPiAAbwLIWte4SjDPJQap+c8LSvO
 plZbLCKXnJ7CK4rSVMY6UmjE5BlOTNSygIcSMAzCfwDcHbJaROu4uyHta
krbLastPwdChange: 20200826173131Z
krbTicketFlags: 4736
krbExtraData:: AAKLnEZfdXNlci9hZG1pbkBFWEFNUExFLkNPTQA=
krbExtraData:: AAgBAA==

Listing 13.14

# Additional principal names (aliases) for the same entry. krbCanonicalName
# marks maxm@EXAMPLE.COM as the name the KDC returns when a client asks for
# canonicalisation -- "kinit -C mmuster" in 13.16 ends up with a ticket
# cache for maxm@EXAMPLE.COM. All aliases share this one key set.
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: mmuster@EXAMPLE.COM
krbPrincipalName: max@EXAMPLE.COM
krbPrincipalName: mustermann@EXAMPLE.COM
-
add: krbCanonicalName
krbCanonicalName: maxm@EXAMPLE.COM

Listing 13.15

# Short-name alias for the host principal, so that tickets for host/lx01
# are issued from the same key as host/lx01.example.com (both resolve to
# kvno 2 in 13.16). The entry lives in the Kerberos container because the
# host principal has no user object of its own.
dn: krbPrincipalName=host/lx01.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=mit-kerberos,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: host/lx01@EXAMPLE.COM
-
add: krbCanonicalName
krbCanonicalName: host/lx01.example.com@EXAMPLE.COM

Listing 13.16

root@lx01:~# kinit -C mmuster
Password for mmuster@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kvno host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 2
root@lx01:~# kvno host/lx01
host/lx01@EXAMPLE.COM: kvno = 2
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@EXAMPLE.COM

Valid starting      Expires             Service principal
07/25/2021 11:49:47 07/25/2021 21:49:44 krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 08/01/2021 11:49:44
07/25/2021 11:49:58 07/25/2021 21:49:44 host/lx01.example.com@EXAMPLE.COM
       renew until 08/01/2021 11:49:44
07/25/2021 11:49:59 07/25/2021 21:49:44 host/lx01@EXAMPLE.COM
       renew until 08/01/2021 11:49:44
root@lx01:~#

Listing 13.17

dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModuleLoad: syncprov.la

Listing 13.18

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

Listing 13.19

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0x001 ldaps://kdc01.example.com
olcServerID: 0x002 ldaps://kdc02.example.com

Listing 13.20

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=dbroot,cn=config

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=dbroot,dc=example,dc=com

Listing 13.21

dn: cn=LDAP Read Only,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: CN=kdc01.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE
member: CN=kdc02.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE

Listing 13.22

# Access control for the cn=config database: the local root identity
# (ldapi + SASL EXTERNAL) may manage it, the two KDCs -- identified by the
# subject DNs of their TLS client certificates (cf. 13.21) -- may read it
# for syncrepl, and everybody else, including anonymous binds, gets nothing.
# NOTE(review): "replace: olcAccess" discards any rule previously set on
# this database; the DN below is written with a space after the first comma,
# unlike 13.4 -- slapd normalises DNs, but one spelling avoids doubt.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0, cn=peercred,cn=external,cn=auth" manage
  by dn.base="CN=kdc01.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE" read
  by dn.base="CN=kdc02.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE" read
  by * none

Listing 13.23

# Mirror-mode replication of cn=config between the two KDCs. Each side pulls
# from both providers over LDAPS with mutual TLS: SASL EXTERNAL maps the
# client certificate's subject DN to the identity that 13.22 grants read
# access, and tls_reqcert=demand requires the provider's certificate to
# chain to CAcert.pem (no unverified connection).
# tls_protocol_min=3.4 is OpenLDAP's notation for TLS 1.3 (3.3 = TLS 1.2);
# NOTE(review): confirm the OpenLDAP/TLS build on both KDCs supports TLS 1.3,
# otherwise the consumer can never connect.
# privkey.pem must be readable by the slapd user only.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl:
  rid=001
  provider=ldaps://kdc01.example.com
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cacert=/etc/openldap/CAcert.pem
  tls_reqcert=demand
  tls_protocol_min=3.4
  tls_cert=/etc/openldap/certs/cert.pem
  tls_key=/etc/openldap/certs/privkey.pem
  tls_cipher_suite=HIGH
  searchbase="cn=config"
  type=refreshAndPersist
  interval=00:00:00:10
  retry="10 +"
olcSyncRepl:
  rid=002
  provider=ldaps://kdc02.example.com
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cacert=/etc/openldap/CAcert.pem
  tls_reqcert=demand
  tls_protocol_min=3.4
  tls_cert=/etc/openldap/certs/cert.pem
  tls_key=/etc/openldap/certs/privkey.pem
  tls_cipher_suite=HIGH
  searchbase="cn=config"
  type=refreshAndPersist
  interval=00:00:00:10
  retry="10 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE

Listing 13.24

# Same mirror-mode setup as 13.23, but for the data database that holds the
# Kerberos container (cn=mit-kerberos,...) and the user entries: both KDCs
# replicate the complete principal database -- including krbPrincipalKey
# (13.13) -- so the TLS settings here (CA pinning, tls_reqcert=demand,
# TLS 1.3 only, client certificates) are what keeps the keys off the wire in
# clear. NOTE(review): the consumer identity must also be granted read
# access on this database, analogous to 13.22 for cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl:
  rid=003
  provider=ldaps://kdc01.example.com
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cacert=/etc/openldap/CAcert.pem
  tls_reqcert=demand
  tls_protocol_min=3.4
  tls_cert=/etc/openldap/certs/cert.pem
  tls_key=/etc/openldap/certs/privkey.pem
  tls_cipher_suite=HIGH
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  interval=00:00:00:10
  retry="10 +"
olcSyncRepl:
  rid=004
  provider=ldaps://kdc02.example.com
  bindmethod=sasl
  saslmech=EXTERNAL
  tls_cacert=/etc/openldap/CAcert.pem
  tls_reqcert=demand
  tls_protocol_min=3.4
  tls_cert=/etc/openldap/certs/cert.pem
  tls_key=/etc/openldap/certs/privkey.pem
  tls_cipher_suite=HIGH
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  interval=00:00:00:10
  retry="10 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE

Listing 13.25

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq

Listing 13.26

root@kdc02:~# systemctl stop slapd
root@kdc02:~# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.OLD
root@kdc02:~# mkdir /etc/openldap/slapd.d
root@kdc02:~# slapadd -F /etc/openldap/slapd.d/ -n 0 -l config.ldif
root@kdc02:~# chown -R ldap:ldap /etc/openldap/slapd.d/
root@kdc02:~# restorecon -r /etc/openldap/slapd.d
root@kdc02:~# systemctl start slapd

Listing 13.27

; Both KDCs are advertised for ticket requests AND for password changes.
; Unlike the kprop setup (12.5, read-only replica), the LDAP mirror mode of
; 13.23/13.24 gives both KDCs a writable database. NOTE(review): the _kpasswd
; record for kdc02 presumes kadmind/kpasswd is running there as well --
; confirm, otherwise half of the password changes will fail.
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc02.example.com.

Listing 14.1

root@kdc01.h5l:~# systemctl stop heimdal-kdc
root@kdc01.h5l:~# systemctl stop heimdal-kadmind
root@kdc01.h5l:~# systemctl stop heimdal-kpasswdd
root@kdc01.h5l:~# mkdir /etc/BACKUP-heimdal
root@kdc01.h5l:~# mv /etc/krb5.conf /etc/heimdal-* /etc/BACKUP-heimdal/

Listing 14.2

[libdefaults]
    # default realm for bare principal names
    default_realm = H5L.EXAMPLE.COM
    # KDCs via DNS SRV records; the realm is not taken from (unauthenticated)
    # DNS TXT records
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10hours
    renew_lifetime = 7days
    # TGTs are requested forwardable; NOTE(review): delegate only to trusted
    # hosts, a forwarded TGT carries the user's full identity
    forwardable = true
[realms]
    H5L.EXAMPLE.COM = {
        # kadmin/kpasswd server of the Heimdal realm
        admin_server = kdc01.h5l.example.com
    }
[domain_realm]
    # host names in h5l.example.com belong to the Heimdal realm
    .h5l.example.com = H5L.EXAMPLE.COM
    h5l.example.com = H5L.EXAMPLE.COM
[logging]
    default = SYSLOG:INFO:AUTH

Listing 14.3

[kdc]
    database = {
        realm = H5L.EXAMPLE.COM
        dbname = /var/heimdal/heimdal
        acl_file = /etc/heimdal-kadmind.acl
        # master key written by kstash (14.5): a clear-text secret that,
        # together with the database, yields every key of the realm --
        # root-only file
        mkey_file = /var/heimdal/m-key
    }
    ports = 88
    # reject AS requests without pre-authentication, so no password-derived
    # AS-REP is handed to unauthenticated requesters (offline guessing)
    require-preauth = true
[kadmin]
    # key types generated for new principals: AES only, no DES/RC4
    default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt
[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH

Listing 14.4

root@kdc01.h5l:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 25; echo
T6MBognnJGT6c37bL6dIeqqJW
root@kdc01.h5l:~#

Listing 14.5

root@kdc01.h5l:~# kstash --key-file=/var/heimdal/m-key --enctype=aes256-cts-hmac-sha1-96
Master key: T6MBognnJGT6c37bL6dIeqqJW
Verifying - Master key: T6MBognnJGT6c37bL6dIeqqJW
kstash: writing key to `/var/heimdal/m-key'
root@kdc01.h5l:~#

Listing 14.6

root@kdc01.h5l:~# kadmin -l
kadmin> init H5L.EXAMPLE.COM
Realm max ticket life [unlimited]:10hours
Realm max renewable ticket life [unlimited]:7days
kadmin> quit
root@kdc01.h5l:~#

Listing 14.7

root@kdc01.h5l:~# kadmin -l
kadmin> list *
default
kadmin/admin
kadmin/hprop
kadmin/changepw
changepw/kerberos
WELLKNOWN/ANONYMOUS
krbtgt/H5L.EXAMPLE.COM
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L

Listing 14.8

kadmin> add user
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user@H5L.EXAMPLE.COM's Password: P@ssw0rd
Verifying - user@H5L.EXAMPLE.COM's Password: P@ssw0rd
kadmin> add user/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
Verifying - user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
kadmin> quit
root@kdc01.h5l:~#

Listing 14.9

# Kommentarzeile
Principal Zugriffsmaske [Zugriffsziel]
Principal Zugriffsmaske [Zugriffsziel]
[...]

Listing 14.10

# Vollzugriff fuer user/admin aus der H5L.EXAMPLE.COM:
user/admin@H5L.EXAMPLE.COM all

Listing 14.11

root@lx01.h5l:~# kadmin -p user/admin
kadmin> add --attributes=disallow-svr,requires-pw-change maxm
user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Policy [default]:
maxm@H5L.EXAMPLE.COM's Password: Start123
Verifying - maxm@H5L.EXAMPLE.COM's Password: Start123
kadmin> quit
root@lx01.h5l:~#

Listing 14.12

root@lx01.h5l:~# kadmin -p user/admin
kadmin> add --random-key host/lx01.h5l.example.com
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin>
kadmin> extkeytab --random-key --keytab=/etc/krb5.keytab host/lx01.h5l.example.com
kadmin> quit
root@lx01.h5l:~#

Listing 14.13

[...]
[kadmin]
  ...
  # passwords set through kadmin/kpasswd expire after 30 days
  password_lifetime = 30 days

[password_quality]
  # built-in checks applied when a password is set: at least 8 characters
  # drawn from at least 3 character classes. NOTE(review): these checks
  # apply to password changes only; the Start123 examples above were set
  # by an admin and merely flagged requires-pw-change.
  policies = builtin:minimum-length builtin:character-class
  min_length = 8
  min_classes = 3

Listing 14.14

root@kdc02.h5l:~# kadmin -p user/admin
kadmin> add --random-key hprop/kdc02.h5l.example.com
user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> extkeytab --random-key --keytab=/etc/krb5.keytab hprop/kdc02.h5l.example.com
kadmin> quit
root@kdc02.h5l:~#

Listing 14.15

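# xinetd service that receives the KDC database pushed by hprop from the
# master KDC (14.16). It runs as root -- presumably because hpropd has to
# replace the local KDC database under /var/heimdal; confirm.
#
# only_from restricts the listener to the master KDC at the network level.
# hprop already authenticates with the kadmin/hprop key, so this is defence
# in depth, not the primary control.
service krb5_prop
{
  id          = hpropd
  socket_type = stream
  wait        = no
  user        = root
  server      = /usr/libexec/hpropd
  only_from   = kdc01.h5l.example.com
}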

Listing 14.16

root@kdc01.h5l:~# /usr/libexec/hprop kdc02.h5l.example.com
hprop: krb5_get_init_creds: Failed to find kadmin/hprop@H5L.EXAMPLE.COM in keytab HDBGET: (unknown enctype)
root@kdc01.h5l:~# kadmin -l
kadmin> extkeytab --keytab=/etc/krb5.keytab kadmin/hprop
kadmin> quit
root@kdc01.h5l:~# /usr/libexec/hprop -k FILE:/etc/krb5.keytab kdc02.h5l.example.com
root@kdc01.h5l:~#

Listing 14.17

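#!/bin/sh
# Propagate the Heimdal KDC database to every replica KDC with hprop,
# authenticating with the kadmin/hprop key from the keytab (see 14.16).
set -eu

# space-separated list of replica host names
REPLICA_KDCS="kdc02.h5l.example.com"
HPROP_ARGS="-k FILE:/etc/krb5.keytab"

# Try every replica even if one fails, but report the failure in the exit
# status so the cron job (14.18) does not look successful.
rc=0
for KDC in ${REPLICA_KDCS}; do   # word-splitting intended
    # shellcheck disable=SC2086 -- HPROP_ARGS is a list of options
    /usr/libexec/hprop ${HPROP_ARGS} "${KDC}" || rc=1
done
exit "$rc"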

Listing 14.18

# KDC replication
# runs every 20 minutes, i.e. a password change on the master can take up
# to 20 minutes to become effective on the replicas
0,20,40 * * * * root /usr/local/sbin/kdc_repl

Listing 14.19

root@kdc01.h5l:~# curl -sS -O \
https://raw.githubusercontent.com/heimdal/heimdal/master/lib/hdb/hdb.schema
root@kdc01.h5l:~# echo 'include hdb.schema' > slapd.conf
root@kdc01.h5l:~# mkdir slapd.conf.d
root@kdc01.h5l:~# slaptest -f slapd.conf -F slapd.conf.d
config file testing succeeded
root@kdc01.h5l:~# cp 'slapd.conf.d/cn=config/cn=schema/cn={0}hdb.ldif' hdb.ldif

Listing 14.20

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krb5PrincipalName eq
olcDbIndex: cn eq
olcDbIndex: uid eq

Listing 14.21

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited

Listing 14.22

dn: ou=heimdal,dc=h5l,dc=example,dc=com
objectClass: organizationalUnit
ou: heimdal

Listing 14.23

database = {
    [...]
    # the local file backend is replaced by the LDAP backend: the
    # principals now live in the directory below this base DN
    #dbname = /var/lib/heimdal-kdc/heimdal
    dbname = ldap:dc=h5l,dc=example,dc=com
    [...]
}
# presumably the container in which the HDB creates entries for principals
# that have no existing LDAP object (the ou from 14.22) -- confirm
hdb-ldap-create-base = ou=heimdal,dc=h5l,dc=example,dc=com

Listing 15.1

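# Promote this server to the first domain controller of a new forest.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# The DSRM (Directory Services Restore Mode) password is the local recovery
# credential of the DC. Prompt for it instead of embedding it in the script:
# a clear-text literal ends up in version control, backups and the
# PowerShell history, where it outlives the installation.
$safemodepasswd = Read-Host -Prompt "DSRM password" -AsSecureString

Install-ADDSForest                                 `
 -DomainName "ads.example.com"                     `
 -DomainNetbiosName "ADS"                          `
 -ForestMode "WinThreshold"                        `
 -DomainMode "WinThreshold"                        `
 -DatabasePath "C:\Windows\NTDS"                   `
 -LogPath "C:\Windows\NTDS"                        `
 -SysvolPath "C:\Windows\SYSVOL"                   `
 -InstallDns:$true                                 `
 -NoRebootOnCompletion:$false                      `
 -SafeModeAdministratorPassword $safemodepasswd    `
 -Force:$true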

Listing 15.2

[libdefaults]
    # default realm: the Active Directory domain in upper case
    default_realm = ADS.EXAMPLE.COM
    # domain controllers are located via the SRV records AD publishes; the
    # realm itself is not taken from unauthenticated DNS TXT records
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10hours
    renew_lifetime = 7days
    # TGTs are requested forwardable; NOTE(review): delegate only to trusted
    # hosts, a forwarded TGT carries the user's full identity
    forwardable = true

[realms]
    ADS.EXAMPLE.COM = {
        # password changes are sent explicitly to this DC
        kpasswd_server = kdc01.ads.example.com
    }

[domain_realm]
    # host names in ads.example.com belong to the AD realm
    .ads.example.com = ADS.EXAMPLE.COM
    ads.example.com = ADS.EXAMPLE.COM

[logging]
    default = SYSLOG:INFO:AUTH

Listing 15.3

root@lx01.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# kvno host/kdc01.ads.example.com
host/kdc01.ads.example.com@ADS.EXAMPLE.COM: kvno = 3
root@lx01.ads:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@ADS.EXAMPLE.COM

Valid starting      Expires             Service principal
08/03/2021 14:15:30 08/04/2021 00:15:27 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
       renew until 08/10/2021 14:15:27
08/03/2021 14:16:48 08/04/2021 00:15:27 host/kdc01.ads.example.com@ADS.EXAMPLE.COM
       renew until 08/10/2021 14:15:27
root@lx01.ads:~#

Listing 15.4

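# Add this server as an additional domain controller to the existing domain.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Neither the DSRM password nor the domain administrator password belongs
# in the script file (it persists in version control, backups and the
# PowerShell history long after the promotion). Prompt for both.
$safemodepasswd = Read-Host -Prompt "DSRM password" -AsSecureString

# Domain admin credential used to authorise the promotion
$admincred = Get-Credential -UserName "ADS\Administrator" -Message "Domain administrator credential"

Install-ADDSDomainController                           `
 -DomainName "ads.example.com"                         `
 -DatabasePath "C:\Windows\NTDS"                       `
 -LogPath "C:\Windows\NTDS"                            `
 -SysvolPath "C:\Windows\SYSVOL"                       `
 -InstallDns:$false                                    `
 -NoRebootOnCompletion:$false                          `
 -SafeModeAdministratorPassword $safemodepasswd        `
 -Credential $admincred                                `
 -Force:$true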

Listing 15.5

C:\Users\Administrator>setspn.exe -R LX01
Dienstprinzipalnamen (SPN) für CN=lx01,CN=Computers,DC=ads,DC=example,DC=com werden registriert.
   HOST/lx01.ADS.EXAMPLE.COM
   HOST/lx01
Aktualisiertes Objekt

C:\Users\Administrator>

Listing 15.6

dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ads,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,
 dhcp,dnscache,replicator,eventlog,eventsystem,
 policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,
 messenger,netlogon,netman,netdde,netddedsm,nmagent,
 plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,
 remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,
 dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr, trkwks,
 ups,time,wins,www,http,w3svc,iisadmin,msdtc

Listing 15.7

root@lx01.ads:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@ADS.EXAMPLE.COM

Valid starting      Expires             Service principal
12/04/2021 14:45:26 12/05/2021 00:45:24 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
       renew until 12/11/2021 14:45:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/04/2021 14:45:34 12/05/2021 00:45:24 host/lx01.ads.example.com@ADS.EXAMPLE.COM
       renew until 12/11/2021 14:45:24, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
root@lx01.ads:~#

Listing 15.8

C:\Users\Administrator>ktpass.exe /out lx01.keytab /mapuser LX01$@ADS.EXAMPLE.COM /princ host/lx01.ads.example.com@ADS.EXAMPLE.COM /rndPass /crypto AES256-SHA1 /ptype KRB5NTSRVHST
Targeting domain controller: kdc01.ads.example.com
Using legacy password setting method
Successfully mapped host/lx01.ads.example.com to LX01$.
WARNING: Account LX01$ is not a user account (uacflags=0x1021).
WARNING: Resetting LX01$'s password may cause authentication problems if LX01$ is being used as a server.

Reset LX01$'s password [y/n]? y
Key created.
Output keytab to lx01.keytab:
Keytab version: 0x502
keysize 92 host/lx01.ads.example.com@ADS.EXAMPLE.COM ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x01839277d939fc874c3d96a882371e990536f4637823a83415c16834fc14e8a6)

C:\Users\Administrator>

Listing 15.9

root@lx01.ads:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
 4 host/lx01.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
root@lx01.ads:~# kinit -k host/lx01.ads.example.com
root@lx01.ads:~# kvno -k /etc/krb5.keytab host/lx01.ads.example.com
host/lx01.ads.example.com@ADS.EXAMPLE.COM: kvno = 4, keytab entry valid
root@lx01.ads:~#

Listing 15.10

root@lx02.ads:~# adcli join
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
 2 LX02$@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
 2 LX02$@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
 2 LX02$@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 host/LX02@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
 2 host/LX02@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
 2 host/LX02@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
 2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
 2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 RestrictedKrbHost/LX02@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
 2 RestrictedKrbHost/LX02@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
 2 RestrictedKrbHost/LX02@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 RestrictedKrbHost/lx02.ads.example.com@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
 2 RestrictedKrbHost/lx02.ads.example.com@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
 2 RestrictedKrbHost/lx02.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
root@lx02.ads:~#

Listing 15.11

root@lx02.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# msktutil create --enctypes 0x10
No computer account for lx02 found, creating a new one.
root@lx02.ads:~#

Listing 15.12

root@lx02.ads:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
 2 lx02$@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 LX02$@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 host/lx02@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
 2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
root@lx02.ads:~# kinit -k host/lx02.ads.example.com
kinit: Client 'host/lx02.ads.example.com@ADS.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
root@lx02.ads:~# kinit -k 'LX02$@ADS.EXAMPLE.COM'
root@lx02.ads:~# kvno -k /etc/krb5.keytab host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~# kdestroy
root@lx02.ads:~#

Listing 15.13

root@lx02.ads:~# msktutil update --use-service-account --account-name techuser01 --old-account-password Start123 --keytab /etc/krb5.keytab.techuser01
root@lx02.ads:~#

Listing 15.14

root@lx02.ads:~# kinit Administrator
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# msktutil update --use-service-account --account-name techuser01 --user-creds-only --keytab /etc/krb5.keytab.techuser01
root@lx02.ads:~#

Listing 15.15

root@lx01.ads:~# ldapsearch -LLL -h kdc01.ads.example.com -b dc=ads,dc=example,dc=com cn="Max Mustermann" objectClass cn sn givenName displayName samaccountname userPrincipalName unicodePwd msDS-KeyVersionNumber
SASL/GSS-SPNEGO authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn: CN=Max Mustermann,CN=Users,DC=ads,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Max Mustermann
sn: Mustermann
givenName: Max
displayName: Max Mustermann
sAMAccountName: maxm
userPrincipalName: maxm@ads.example.com

# refldap://DomainDnsZones.ads.example.com/
 DC=DomainDnsZones,DC=ads,DC=example,DC=com

# refldap://ForestDnsZones.ads.example.com/
 DC=ForestDnsZones,DC=ads,DC=example,DC=com

# refldap://ads.example.com/CN=Configuration,
 DC=ads,DC=example,DC=com

root@lx01.ads:~#

Listing 15.16

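#!/usr/bin/env python3
"""Encode a password the way Active Directory expects it in the LDAP
``unicodePwd`` attribute: the cleartext wrapped in ASCII double quotes,
encoded as UTF-16LE, and (for LDIF) base64-encoded behind a ``::``
separator.

Usage: adunicodepwd <password>

NOTE(review): the password is taken from argv, so it is visible to every
local user via the process list and usually ends up in the shell history.
Outside a lab, prefer reading it from stdin or an environment variable.
The printed value is only base64, not encrypted -- treat the output (and
any LDIF file it is pasted into) like a cleartext secret.
"""
import base64
import sys


def ad_unicode_pwd(password: str) -> str:
    """Return the LDIF line ``unicodePwd:: <base64>`` for *password*.

    The value is ``"<password>"`` (literal double quotes included) encoded as
    UTF-16LE; the base64 form is what LDIF's ``::`` syntax requires.
    """
    quoted = '"' + password + '"'
    raw = quoted.encode('utf_16_le')
    return 'unicodePwd:: ' + base64.b64encode(raw).decode('ascii')


def main(argv: list[str]) -> int:
    """CLI entry point.

    Prints the encoded line to stdout and returns 0. On a usage error the
    message goes to stderr and the exit status is 2 (the original printed the
    usage text to stdout and exited 0, so a calling script could not tell a
    usage error from a successful run).
    """
    if len(argv) != 2:
        print('usage: ' + argv[0] + ' <password>', file=sys.stderr)
        return 2
    print(ad_unicode_pwd(argv[1]))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))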

Listing 15.17

root@lx01.ads:~# ./adunicodepwd P@ssw0rd
unicodePwd:: IgBQAEAAcwBzAHcAMAByAGQAIgA=
root@lx01.ads:~#

Listing 15.18

# Create an AD user with ldapadd. The unicodePwd value is only base64 of the
# UTF-16LE string "P@ssw0rd" (see listing 15.17), so this file is a cleartext
# secret and must be protected/deleted accordingly. AD normally only accepts
# a unicodePwd write over an encrypted session (LDAPS, or SASL with a
# security layer -- cf. the "SASL SSF: 256" line in listing 15.15).
dn: CN=Erika Musterfrau,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Erika Musterfrau
sn: Musterfrau
givenName: Erika
instanceType: 4
displayName: Erika Musterfrau
name: Erika Musterfrau
# 512 = NORMAL_ACCOUNT, i.e. enabled regular user (per MS-ADTS; confirm).
userAccountControl: 512
sAMAccountName: erim
userPrincipalName: erim@ADS.EXAMPLE.COM
unicodePwd:: IgBQAEAAcwBzAHcAMAByAGQAIgA=
# 0 is the conventional way to force a password change at next logon, so the
# well-known start password above is not kept in use.
pwdLastSet: 0

Listing 15.19

root@lx01.ads:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 25; echo
hNJvEb2V50YZ7PAstqQQwJah5
root@lx01.ads:~# ./adunicodepwd hNJvEb2V50YZ7PAstqQQwJah5
unicodePwd:: IgBoAE4ASgB2AEUAYgAyAFYANQAwAFkAWgA3AFAAQQBzAHQAcQBRAFEAdwBKAGEAaAA1ACIA
root@lx01.ads:~#

Listing 15.20

# Create a computer object for lx02 by hand. The unicodePwd value is the
# base64/UTF-16LE form of the random password generated in listing 15.19;
# the same password is typed into ktutil in listing 15.22, so the LDIF and
# the keytab must be created from one and the same value.
dn: CN=lx02,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: lx02
instanceType: 4
displayName: lx02$
name: lx02
# 4096 = WORKSTATION_TRUST_ACCOUNT (per MS-ADTS; confirm).
userAccountControl: 4096
sAMAccountName: lx02$
unicodePwd:: IgBoAE4ASgB2AEUAYgAyAFYANQAwAFkAWgA3AFAAQQBzAHQAcQBRAFEAdwBKAGEAaAA1ACIA
# Presumably this UPN is what lets "kinit -k host/lx02.ads.example.com"
# succeed in listing 15.22, whereas the msktutil-created account without it
# fails with "Client not found" in listing 15.12 -- verify.
userPrincipalName: host/lx02.ads.example.com@ADS.EXAMPLE.COM
# 24 = 0x18 = AES128-SHA1 (0x08) | AES256-SHA1 (0x10), no RC4 bit, so the
# KDC will not issue RC4-encrypted tickets for this account.
msDS-SupportedEncryptionTypes: 24

Listing 15.21

# Register the host SPNs on the computer object; without them the KDC has no
# account to issue "host/lx02..." service tickets from (cf. the successful
# kvno in listing 15.22). Keep both the short and the FQDN form.
dn: CN=lx02,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM
changetype: modify
add: servicePrincipalName
servicePrincipalName: host/lx02.ads.example.com
servicePrincipalName: host/lx02

Listing 15.22

root@lx02.ads:~# kinit Administrator
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# kvno host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 1
root@lx02.ads:~# ktutil
ktutil: addent -password -p host/lx02.ads.example.com -k 1 -e aes256-cts
Password for host/lx02.ads.example.com@ADS.EXAMPLE.COM: hNJvEb2V50YZ7PAstqQQwJah5
ktutil: wkt /etc/krb5.keytab
ktutil: quit
root@lx02.ads:~# kinit -kt /etc/krb5.keytab host/lx02.ads.example.com
root@lx02.ads:~# kvno -k /etc/krb5.keytab host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 1, keytab entry valid
root@lx02.ads:~#

Listing 16.1

root@kdc01.smb:~# samba-tool domain provision --use-rfc2307 --realm SMB.EXAMPLE.COM --domain SMB --server-role dc --adminpass P@ssw0rd
[...]
root@kdc01.smb:~#

Listing 16.2

root@kdc01.smb:~# systemctl start samba.service
root@kdc01.smb:~# firewall-cmd --add-service=samba-dc --permanent
root@kdc01.smb:~# firewall-cmd --add-service=dns --permanent
root@kdc01.smb:~# firewall-cmd --reload
root@kdc01.smb:~#

Listing 16.3

# Client-side krb5.conf for members of the Samba AD realm SMB.EXAMPLE.COM.
[libdefaults]
    default_realm = SMB.EXAMPLE.COM
    # KDCs are discovered via DNS SRV records, but the host-to-realm mapping
    # stays static (dns_lookup_realm off), so a DNS answer alone cannot
    # steer a host name into a different realm.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 10hours
    renew_lifetime = 7days
    # Asks for forwardable tickets by default (the "F" in klist -f). A
    # service that receives a forwarded TGT can act with the user's full
    # identity -- review whether every client in the realm needs this.
    forwardable = true

[domain_realm]
    # The leading-dot entry covers every host below the domain, the second
    # one the bare domain name itself.
    .smb.example.com = SMB.EXAMPLE.COM
    smb.example.com = SMB.EXAMPLE.COM

Listing 16.4

root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com smb.example.com kdc02 A 10.1.2.151 -U Administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com smb.example.com lx01 A 10.1.2.152 -U Administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com smb.example.com win01 A 10.1.2.154 -U Administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~#

Listing 16.5

root@kdc01.smb:~# samba-tool dns zonecreate kdc01.smb.example.com 2.1.10.in-addr.arpa -U administrator%P@ssw0rd
Zone 2.1.10.in-addr.arpa created successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 150 PTR kdc01.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 151 PTR kdc02.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 152 PTR lx01.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 153 PTR lx02.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 154 PTR win01.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~#

Listing 16.6

root@lx01.smb:~# kinit Administrator@SMB.EXAMPLE.COM
Password for Administrator@SMB.EXAMPLE.COM: P@ssw0rd
Warning: Your password will expire in 41 days on Mi 06 Okt 2021 13:55:53 CEST
root@lx01.smb:~# kvno host/kdc01.smb.example.com
host/kdc01.smb.example.com@SMB.EXAMPLE.COM: kvno = 1
root@lx01.smb:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SMB.EXAMPLE.COM

Valid starting      Expires             Service principal
08/25/2021 13:56:12 08/25/2021 23:56:12 krbtgt/SMB.EXAMPLE.COM@SMB.EXAMPLE.COM
       renew until 09/01/2021 13:56:12
08/25/2021 18:05:06 08/25/2021 23:56:12 host/kdc01.smb.example.com@SMB.EXAMPLE.COM
       renew until 09/01/2021 13:56:12
root@lx01.smb:~#

Listing 16.7

root@kdc02.smb:~# kinit Administrator@SMB.EXAMPLE.COM
Password for Administrator@SMB.EXAMPLE.COM: P@ssw0rd
Warning: Your password will expire in 41 days on Wed Oct 6 13:55:53 2021
root@kdc02.smb:~# samba-tool domain join smb.example.com DC -k yes --option='idmapldb:use rfc2307=yes'
[...]
root@kdc02.smb:~#
root@kdc02.smb:~# systemctl enable samba
root@kdc02.smb:~# systemctl start samba
root@kdc02.smb:~# firewall-cmd --add-service=samba-dc --permanent
root@kdc02.smb:~# firewall-cmd --add-service=dns --permanent
root@kdc02.smb:~# firewall-cmd --reload

Listing 16.8

root@kdc01.smb:~# samba-tool ou listobjects ""
CN=Users
CN=System
CN=Builtin
CN=Computers
CN=NTDS Quotas
CN=TPM Devices
CN=LostAndFound
CN=Program Data
CN=Infrastructure
CN=Managed Service Accounts
CN=ForeignSecurityPrincipals
OU=Domain Controllers
root@kdc01.smb:~# samba-tool user list
Guest
krbtgt
Administrator
root@kdc01.smb:~# samba-tool group list
Cryptographic Operators
Domain Guests
Domain Admins
Read-only Domain Controllers
Certificate Service DCOM Access
Administrators
Users
Domain Controllers
Group Policy Creator Owners
DnsUpdateProxy
Cert Publishers
Account Operators
Denied RODC Password Replication Group
Windows Authorization Access Group
RAS and IAS Servers
Domain Computers
Domain Users
Distributed COM Users
Schema Admins
Enterprise Admins
Performance Log Users
Replicator
Pre-Windows 2000 Compatible Access
Backup Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Enterprise Read-only Domain Controllers
Performance Monitor Users
Server Operators
Print Operators

Allowed RODC Password Replication Group
Guests
Network Configuration Operators
Event Log Readers
Remote Desktop Users
DnsAdmins
IIS_IUSRS
root@kdc01.smb:~# samba-tool user show Administrator
dn: CN=Administrator,CN=Users,DC=smb,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20210825115552.0Z
uSNCreated: 3853
name: Administrator
objectGUID: 7dba1aee-aeb1-48e5-9747-dcfadd36c5a5
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 132743661529237270
primaryGroupID: 513
objectSid: S-1-5-21-99585262-3371220738-2221323519-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=smb,DC=example,DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Domain Admins,CN=Users,DC=smb,DC=example,DC=com
memberOf: CN=Schema Admins,CN=Users,DC=smb,DC=example,DC=com
memberOf: CN=Enterprise Admins,CN=Users,DC=smb,DC=example,DC=com
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=smb,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=smb,DC=example,DC=com
lastLogonTimestamp: 132743661721734680
whenChanged: 20210825115612.0Z
uSNChanged: 4102
lastLogon: 132743824236789480
logonCount: 10
distinguishedName: CN=Administrator,CN=Users,DC=smb,DC=example,DC=com

root@kdc01.smb:~#

Listing 16.9

root@kdc01.smb:~# samba-tool user create maxm --surname=Mustermann --given-name=Max --must-change-at-next-login
New Password: Start123
Retype Password: Start123
User 'maxm' created successfully
root@kdc01.smb:~#

Listing 16.10

root@kdc01.smb:~# samba-tool computer create lx01
Computer 'lx01' added successfully
root@kdc01.smb:~#

Listing 16.11

root@kdc01.smb:~# samba-tool spn add host/lx01 lx01$
root@kdc01.smb:~# samba-tool spn add host/lx01.smb.example.com lx01$
root@kdc01.smb:~#

Listing 17.1

[...]
$ORIGIN example.com.
; Addresses of the two IPA DNS servers; listing 17.2 forwards the IPA
; sub-domain to exactly these two IPs.
ipadns1                 A    10.1.2.140
ipadns2                 A    10.1.2.141
[...]
$ORIGIN ipa.example.com.
; Delegate ipa.example.com to the IPA server.
; NOTE(review): no glue A record for kdc01.ipa.example.com is shown here; a
; resolver that follows this delegation (instead of the forward-only stanza
; in listing 17.2) needs that glue in the parent zone.
@             IN      NS    kdc01.ipa.example.com.

Listing 17.2

[...]
// Send every query for the IPA sub-domain to the two IPA DNS servers
// (ipadns1/ipadns2 in listing 17.1). "forward only" means this server
// never falls back to its own recursion for that zone, so the answers come
// from IPA or not at all.
zone "ipa.example.com" {
    type forward;
    forward only;
    forwarders { 10.1.2.140; 10.1.2.141; };
};
[...]

Listing 17.3

root@kdc01.ipa:~# dnf module list idm
Last metadata expiration check: 0:02:25 ago on Sun Sep 5 12:56:13 2021.
Rocky Linux 8 - AppStream

Name Stream    Profiles              [...]
idm  DL1     adtrust, client, common [d], dns, [...]
idm  client [d]  common [d]             [...]

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
root@kdc01.ipa:~# dnf module install idm:DL1
[...]
root@kdc01.ipa:~# dnf install ipa-server ipa-server-dns
[...]

Listing 17.4

root@kdc01.ipa:~# ipa-server-install --unattended --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --setup-dns --no-ntp --no-forwarders --ds-password=P@ssw0rd --admin-password=P@ssw0rd --mkhomedir --external-ca --external-ca-type=generic

The log file for this installation can be found in /var/log/ipaserver-install.log
==========================================================

This program will set up the IPA Server.
Version 4.9.2

This includes:
 * Configure a stand-alone CA (dogtag) for certificate management
 * Create and configure an instance of Directory Server
 * Create and configure a Kerberos Key Distribution Center (KDC)
 * Configure Apache (httpd)
 * Configure DNS (bind)
 * Configure the KDC to enable PKINIT

Excluded by options:
 * Configure the NTP client (chronyd)

[...]


The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-server-install command was successful
root@kdc01.ipa:~#

Listing 17.5

root@kdc01.ipa:~# scp /root/ipa.csr kdc01.example.com:/etc/pki/CA/

root@kdc01:~# cd /etc/pki/CA
root@kdc01:/etc/pki/CA# openssl ca -config subca.cnf -in ipa.csr -out ipa.pem -keyfile CAprivkey.pem -cert CAcert.pem
Using configuration from subca.cnf
[...]
root@kdc01:/etc/pki/CA# scp CAcert.pem ipa.pem kdc01.ipa.example.com:

Listing 17.6

root@kdc01.ipa:~# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/CAcert.pem --ds-password=P@ssw0rd
[...]
Setup complete

Next steps:
    1. You must make sure these network ports are open:
         TCP Ports:
           * 80, 443: HTTP/HTTPS
           * 389, 636: LDAP/LDAPS
           * 88, 464: kerberos
           * 53: bind
         UDP Ports:
           * 88, 464: kerberos
           * 53: bind

    2. You can now obtain a kerberos ticket using the
       command: 'kinit admin'
       This ticket will allow you to use the IPA tools
       (e.g., ipa user-add) and the web user interface.
[...]
The ipa-server-install command was successful
root@kdc01.ipa:~#

Listing 17.7

root@kdc01.ipa:~# ipa user-add maxm --first=Max --last=Mustermann
-----------------
Added user "maxm"
-----------------
  User login: maxm
  First name: Max
  Last name: Mustermann
  Full name: Max Mustermann
  Display name: Max Mustermann
  Initials: MM
  Home directory: /home/maxm
  GECOS: Max Mustermann
  Login shell: /bin/sh
  Principal name: maxm@IPA.EXAMPLE.COM
  Principal alias: maxm@IPA.EXAMPLE.COM
  Email address: maxm@ipa.example.com
  UID: 779400001
  GID: 779400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa passwd maxm
New Password: Start123
Enter New Password again to verify: Start123
-------------------------------------------
Changed password for "maxm@IPA.EXAMPLE.COM"
-------------------------------------------
root@kdc01.ipa:~#

Listing 17.8

root@kdc01.ipa:~# ipa group-add lxusers --desc='Alle Linux-Benutzer:innen'
---------------------
Added group "lxusers"
---------------------
  Group name: lxusers
  Description: Alle Linux-Benutzer:innen
  GID: 779400006
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa group-add-member lxusers --users maxm
  Group name: lxusers
  Description: Alle Linux-Benutzer:innen
  GID: 779400006
  Member users: maxm
  Member of HBAC rule: lxaccess
-------------------------
Number of members added 1
-------------------------

root@kdc01.ipa:~# ipa group-add-member lxusers --users admin
 Group name: lxusers
 Description: Alle Linux-Benutzer:innen
 GID: 779400006
 Member users: maxm, admin
 Member of HBAC rule: lxaccess
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~#

Listing 17.9

root@lx01.ipa:~# ipa-client-install --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --mkhomedir --no-ntp
This program will set up IPA client.
Version 4.9.2

[...]

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@IPA.EXAMPLE.COM: P@ssw0rd

[...]

Client configuration complete.
The ipa-client-install command was successful

Listing 17.10

root@kdc01.ipa:~# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
root@kdc01.ipa:~#

Listing 17.11

root@kdc01.ipa:~# ipa hostgroup-add lxhosts --desc='Alle Linux-Systeme'
-------------------------
Added hostgroup "lxhosts"
-------------------------
  Host-group: lxhosts
  Description: Alle Linux-Systeme
root@kdc01.ipa:~#

root@kdc01.ipa:~# ipa hostgroup-add-member lxhosts --hosts=lx01.ipa.example.com
  Host-group: lxhosts
  Description: Alle Linux-Systeme
  Member hosts: lx01.ipa.example.com
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~# ipa hostgroup-add-member lxhosts --hosts=lx02.ipa.example.com
  Host-group: lxhosts
  Description: Alle Linux-Systeme
  Member hosts: lx01.ipa.example.com, lx02.ipa.example.com
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~#

Listing 17.12

root@kdc01.ipa:~# ipa hbacrule-add lxaccess --desc='lxuser dürfen auf lxhosts' --servicecat=all
--------------------------
Added HBAC rule "lxaccess"
--------------------------
  Rule name: lxaccess
  Service category: all
  Description: lxuser dürfen auf lxhosts
  Enabled: TRUE
root@kdc01.ipa:~# ipa hbacrule-add-host lxaccess --hostgroups lxhosts
  Rule name: lxaccess
  Enabled: TRUE
  Host Groups: lxhosts
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~# ipa hbacrule-add-user lxaccess --groups=lxusers
  Rule name: lxaccess
  Enabled: TRUE
  User Groups: lxusers
  Host Groups: lxhosts
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~#

Listing 17.13

root@kdc01.ipa:~# ipa hbactest --user maxm --host lx01.ipa.example.com --service sshd
--------------------
Access granted: True
--------------------
  Matched rules: lxaccess
  Not matched rules: allow_systemd-user
root@kdc01.ipa:~# ssh maxm@lx02
Password: Start123
Password expired. Change your password now.
Current Password: Start123
New password: P@ssw0rd
Retype new password: P@ssw0rd
maxm@lx02.ipa:~$

Listing 17.14

root@kdc02.ipa:~# ipa-replica-install --unattended --principal=admin@IPA.EXAMPLE.COM --admin-password=P@ssw0rd --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --setup-dns --no-ntp --mkhomedir --no-forwarders

[...]

WARNING: The CA service is only installed on one server
(kdc01.ipa.example.com). It is strongly recommended to
install it on another server. Run ipa-ca-install(1) on
another master to accomplish this.

The ipa-replica-install command was successful
root@kdc02.ipa:~#

Listing 18.1

# Explicit cross-realm routing for the MIT hierarchy. A value names the
# intermediate realm to obtain a cross-realm TGT from; "." means the two
# realms trust each other directly (no intermediate hop).
[capaths]

  MYDOM.MIT.EXAMPLE.COM = {
    # MYDOM reaches OTHERDOM only via the parent realm; direct trust to
    # the parent itself.
    OTHERDOM.MIT.EXAMPLE.COM = MIT.EXAMPLE.COM
    MIT.EXAMPLE.COM = .
  }

  OTHERDOM.MIT.EXAMPLE.COM = {
    # Mirror image of the block above.
    MYDOM.MIT.EXAMPLE.COM = MIT.EXAMPLE.COM
    MIT.EXAMPLE.COM = .
  }

  MIT.EXAMPLE.COM = {
    # The parent realm trusts both children directly.
    OTHERDOM.MIT.EXAMPLE.COM = .
    MYDOM.MIT.EXAMPLE.COM = .
  }

Listing 18.2

# Direct (one-hop) cross-realm path between an MIT child realm and a
# Heimdal child realm; "." means no intermediate realm is used, so each
# side must hold the other's cross-realm krbtgt principal directly.
[capaths]
  MYDOM.MIT.EXAMPLE.COM = {
    OTHERDOM.H5L.EXAMPLE.COM = .
 }
  OTHERDOM.H5L.EXAMPLE.COM = {
    MYDOM.MIT.EXAMPLE.COM = .
 }

Listing 18.3

root@kdc01:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 40; echo
Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
root@kdc01:~#

Listing 18.4

kadmin: addprinc -clearpolicy krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
Enter password for principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM": Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
Re-enter password for principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM": Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
Principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM" created.

Listing 18.5

root@kdc01.mit:~# kinit user@MIT.EXAMPLE.COM
Password for user@MIT.EXAMPLE.COM: P@ssw0rd
root@kdc01.mit:~# kvno \
host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM: kvno = 1
root@kdc01.mit:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MIT.EXAMPLE.COM

Valid starting      Expires             Service principal
09/15/2021 18:53:20 09/16/2021 04:53:17 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 09/22/2021 18:53:17
09/15/2021 18:54:21 09/16/2021 04:53:17 krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 09/22/2021 18:53:17
09/15/2021 18:54:21 09/16/2021 04:53:17 host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
       renew until 09/22/2021 18:53:17
root@kdc01.mit:~#

Listing 18.6

root@kdc01.h5l:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 40; echo
SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
root@kdc01.h5l:~#

Listing 18.7

kadmin> add krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM's Password: SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
Verifying - krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM's Password: SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg

Listing 18.8

root@kdc01.h5l:~# kinit user@H5L.EXAMPLE.COM
user@H5L.EXAMPLE.COM's Password: P@ssw0rd
root@kdc01.h5l:~# kgetcred host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
root@kdc01.h5l:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user@H5L.EXAMPLE.COM

 Issued        Expires        Principal
Sep 15 19:33:46 2021 Sep 16 05:33:43 2021 krbtgt/H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Sep 15 19:34:11 2021 Sep 16 05:33:43 2021 krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Sep 15 19:34:11 2021 Sep 16 05:33:43 2021 host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
root@kdc01.h5l:~#

Listing 18.9

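# Promote this server to the first DC of the child domain mydom.ads.example.com,
# authenticating against the parent domain ads.example.com.
#
# NOTE(review): both secrets are literal strings in a script file. Outside a
# throw-away lab obtain them interactively (Get-Credential, or
# Read-Host -AsSecureString) or from a vault so they never sit in a file, a
# transcript or the PowerShell history.
$adminuser = "Administrator@ADS.EXAMPLE.COM"
# Fixed: the original had a stray backtick right after the string literal,
# which glued " -asplaintext" onto the argument instead of passing the switch.
$adminpass = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$creds = New-Object -TypeName PSCredential -ArgumentList $adminuser, $adminpass
# DSRM (Directory Services Restore Mode) password for the new DC. It must not
# be the domain administrator's password: DSRM is an offline local logon that
# survives domain-side password changes.
$safemodepasswd = ConvertTo-SecureString "cZi8NsK6PuptzA2DIMPF" -AsPlainText -Force

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Install-ADDSDomain                               `
  -NewDomainName "mydom"                         `
  -NewDomainNetbiosName "MYDOM"                  `
  -SiteName "Default-First-Site-Name"            `
  -ParentDomainName "ads.example.com"            `
  -DomainMode "WinThreshold"                     `
  -DomainType "ChildDomain"                      `
  -DatabasePath "C:\Windows\NTDS"                `
  -LogPath "C:\Windows\NTDS"                     `
  -SysvolPath "C:\Windows\SYSVOL"                `
  -InstallDns:$false                             `
  -NoGlobalCatalog:$false                        `
  -NoRebootOnCompletion:$false                   `
  -Credential $creds                             `
  -SafeModeAdministratorPassword $safemodepasswd `
  -Force:$true
# Fixed: the original passed $adminpass as the DSRM password and never used
# $safemodepasswd, unlike the Install-ADDSDomainController listing above.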

Listing 18.10

root@lx01.mydom.ads:~# kinit myuser@MYDOM.ADS.EXAMPLE.COM
Password for myuser@MYDOM.ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.mydom.ads:~# kvno host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM
host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM: kvno = 1
root@lx01.mydom.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myuser@MYDOM.ADS.EXAMPLE.COM

Valid starting      Expires             Service principal
09/16/2021 17:31:45 09/17/2021 03:31:43 krbtgt/MYDOM.ADS.EXAMPLE.COM@MYDOM.ADS.EXAMPLE.COM
       renew until 09/23/2021 17:31:43
09/16/2021 17:32:05 09/17/2021 03:31:43 host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM
       renew until 09/23/2021 17:31:43
root@lx01.mydom.ads:~#

Listing 18.11

root@kdc01:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 40; echo
IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
root@kdc01:~#

Listing 18.12

kadmin: addprinc -clearpolicy -pw IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs -e aes256-cts-hmac-sha1-96:normal krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM
Principal "krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM" created.
kadmin: addprinc -clearpolicy -pw IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs -e aes256-cts-hmac-sha1-96:normal krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM
Principal "krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM" created.

Listing 18.13

C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /add /realm /twoway /passwordt IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
Der Befehl wurde ausgeführt.
C:\Users\Administrator>

Listing 18.14

C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /transitive:ja
Vertrauenstellung wird als transitiv festgelegt.

[...]

C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /foresttransitive:ja
Diese Vertrauensstellung wird als transitiv auf Gesamtstrukturebene gekennzeichnet.

[...]
C:\Users\Administrator>

Listing 18.15

C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /addtln EXAMPLE.COM
Der Name der obersten Ebene oder die Ausnahme wurde den Gesamtstrukturvertrauensstellungs-Informationen erfolgreich hinzugefügt.

[...]

C:\Users\Administrator>

Listing 18.16

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    mit.example.com = MIT.EXAMPLE.COM
    .mit.example.com = MIT.EXAMPLE.COM
    mydom.mit.example.com = MYDOM.MIT.EXAMPLE.COM
    .mydom.mit.example.com = MYDOM.MIT.EXAMPLE.COM
    otherdom.mit.example.com = OTHERDOM.MIT.EXAMPLE.COM
    .otherdom.mit.example.com = OTHERDOM.MIT.EXAMPLE.COM
    h5l.example.com = H5L.EXAMPLE.COM
    .h5l.example.com = H5L.EXAMPLE.COM
    mydom.h5l.example.com = MYDOM.H5L.EXAMPLE.COM
    .mydom.h5l.example.com = MYDOM.H5L.EXAMPLE.COM
    otherdom.h5l.example.com = OTHERDOM.H5L.EXAMPLE.COM
    .otherdom.h5l.example.com = OTHERDOM.H5L.EXAMPLE.COM
    ads.example.com = ADS.EXAMPLE.COM
    .ads.example.com = ADS.EXAMPLE.COM
    mydom.ads.example.com = MYDOM.ADS.EXAMPLE.COM
    .mydom.ads.example.com = MYDOM.ADS.EXAMPLE.COM
    otherdom.ads.example.com = OTHERDOM.ADS.EXAMPLE.COM
    .otherdom.ads.example.com = OTHERDOM.ADS.EXAMPLE.COM

Listing 18.17

C:\Users\Administrator>ktpass.exe /out frontend.keytab /mapuser frontend@ADS.EXAMPLE.COM /princ frontend/lx02.ads.example.com@ADS.EXAMPLE.COM /pass P@ssw0rd /crypto AES256-SHA1 /ptype KRB5NTSRVINST

[...]

C:\Users\Administrator>ktpass.exe /out backend.keytab /mapuser backend@ADS.EXAMPLE.COM /princ backend/lx02.ads.example.com@ADS.EXAMPLE.COM /pass P@ssw0rd /crypto AES256-SHA1 /ptype KRB5NTSRVINST
[...]

Listing 18.18

root@lx01.ads:~# kinit user
Password for user@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# kvno frontend/lx02.ads.example.com
frontend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2
root@lx01.ads:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@ADS.EXAMPLE.COM

Valid starting      Expires             Service principal
09/16/2021 22:12:20 09/17/2021 08:12:18 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
       renew until 09/23/2021 22:12:18, Flags: FRIA
09/16/2021 22:12:22 09/17/2021 08:12:18 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
       renew until 09/23/2021 22:12:18, Flags: FRAO
root@lx01.ads:~#

Listing 18.19

root@lx02.ads:~# /usr/libexec/kimpersonate --ccache=/tmp/krb5ccfrontend --keytab=/etc/backend.keytab --client=user@ADS.EXAMPLE.COM --server=backend/lx02.ads.example.com@ADS.EXAMPLE.COM --krb5 --enc-type=aes256-cts-hmac-sha1-96
root@lx02.ads:~# klist /tmp/krb5ccfrontend
Ticket cache: FILE:/tmp/krb5ccfrontend
Default principal: user@ADS.EXAMPLE.COM

Valid starting       Expires            Service principal
09/16/2021 22:18:59 09/16/2021 23:18:59 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
root@lx02.ads:~#

Listing 18.20

root@lx02.ads:~# export KRB5CCNAME=/tmp/krb5ccfrontend
root@lx02.ads:~# kinit -k -t /etc/frontend.keytab frontend/lx02.ads.example.com
root@lx02.ads:~# kvno -k /etc/frontend.keytab -U user -P backend/lx02.ads.example.com
backend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~# kvno -k /etc/frontend.keytab -U Administrator -P backend/lx02.ads.example.com
backend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~#

Listing 18.21

root@lx02.ads:~# klist
Ticket cache: FILE:/tmp/krb5ccfrontend
Default principal: frontend/lx02.ads.example.com@ADS.EXAMPLE.COM

Valid starting      Expires             Service principal
09/16/2021 22:57:35 09/17/2021 08:57:35 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
       renew until 09/23/2021 22:57:35
09/16/2021 22:57:49 09/17/2021 08:57:35 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
       for client user@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
09/16/2021 22:57:49 09/17/2021 08:57:35 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
       for client user@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
09/16/2021 22:58:29 09/17/2021 08:57:35 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
       for client Administrator@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
09/16/2021 22:58:29 09/17/2021 08:57:35 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
       for client Administrator@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
root@lx02.ads:~#

Listing 18.22

# OpenSSL extension profiles for PKINIT (RFC 4556) certificates, selected with
# "openssl ca ... -extfile pkinit.cnf -extensions <section>". REALM (both
# sections) and CLIENT (client section) are taken from the environment.
# NOTE(review): OpenSSL apparently expands ${ENV::...} for the whole file when
# it loads it, so CLIENT must be set even when only the KDC section is used --
# listing 18.23 exports a dummy value for that reason.

[ kdc_cert ]
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
# id-pkinit-KPKdc: identifies the holder as a KDC.
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
# id-pkinit-san: the KDC's principal name krbtgt/REALM, which a client can
# check against the realm it is requesting tickets for.
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

# KRB5PrincipalName: realm [0] + principal name [1]
[kdc_princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

# PrincipalName: name-type [0] (1 = NT-PRINCIPAL) + name-string [1]
[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

# Name components of krbtgt/REALM.
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}

[ client_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
# id-pkinit-KPClientAuth: the certificate may be used for PKINIT client
# authentication.
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# id-pkinit-san with the user's principal; this is what the KDC maps the
# certificate to, so the CA must only issue it for the CLIENT value that
# was actually verified.
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

# Single-component principal: CLIENT@REALM.
[principals]
princ1 = GeneralString:${ENV::CLIENT}

Listing 18.23

root@kdc01:/etc/ssl/CA# export REALM=MIT.EXAMPLE.COM
root@kdc01:/etc/ssl/CA# export CLIENT=dummy
root@kdc01:/etc/ssl/CA# openssl ca -in mitkdc01-req.pem -keyfile CAprivkey.pem -cert CAcert.pem -out mitkdc01.pem -extfile /etc/pki/CA/pkinit.cnf -extensions kdc_cert

[...]

Listing 18.24

root@kdc01:/etc/ssl/CA# export REALM=MIT.EXAMPLE.COM
root@kdc01:/etc/ssl/CA# export CLIENT=pkuser 
root@kdc01:/etc/ssl/CA# openssl ca -in pkuser-req.pem -keyfile CAprivkey.pem -cert CAcert.pem -out pkuser.pem -extfile pkinit.cnf -extensions client_cert

[...]

Listing 18.25

[...]
[realms]
 MIT.EXAMPLE.COM = {
    [...]
    pkinit_anchors = FILE:/var/kerberos/krb5kdc/CAcert.pem
    pkinit_identity = FILE:/var/kerberos/krb5kdc/cert.pem,/var/kerberos/krb5kdc/privkey.pem
[...]

Listing 18.26

root@lx01.mit:~# kinit -X X509useridentity=FILE:/root/.ssl/pkuser.pem,/root/.ssl/pkuser-privkey.pem pkuser
Enter PEM pass phrase: Sichere Passphrase!
root@lx01.mit:~#

Listing 18.27

# Client-side krb5.conf for the MIT realm with PKINIT enabled.
[libdefaults]
  default_realm = MIT.EXAMPLE.COM
  # KDCs via DNS SRV records; host-to-realm mapping stays static so DNS
  # cannot redirect a host name into another realm.
  dns_lookup_kdc = true
  dns_lookup_realm = false
  ticket_lifetime = 10hours
  renew_lifetime = 7days
  # Forwardable tickets by default (the "F" in klist -f); review whether every
  # client needs to hand its TGT to services.
  forwardable = true

  # CA certificate(s) the client trusts to have signed the KDC's PKINIT
  # certificate -- this is what protects the client from a rogue KDC.
  pkinit_anchors = FILE:/etc/openldap/CAcert.pem
  # Direct form: certificate and private key of one fixed user.
  #pkinit_identities = FILE:/root/.ssl/pkuser.pem,/root/.ssl/pkuser-privkey.pem
  # Indirect form: each user supplies its own identity through the PKINIT_ID
  # environment variable (set in the profile snippet of listing 18.28).
  pkinit_identities = ENV:PKINIT_ID

Listing 18.28

# Profile snippet: tell kinit (via "pkinit_identities = ENV:PKINIT_ID" in
# krb5.conf) where this user's PKINIT certificate and private key live.
# Assign and export in one step; the value is quoted purely for readability,
# an assignment is never word-split anyway.
export PKINIT_ID="FILE:${HOME}/.ssl/pkinit-cert.pem,${HOME}/.ssl/pkinit-privkey.pem"

Listing 18.29

root@lx01.mit:~# opensc-tool --serial
Using reader with a card: Feitian Technologies FT SCR310 00 00
29 53 42 41 13 18 12 10 )SBA....
root@lx01.mit:~#

Listing 18.30

root@lx01.mit:~# pkcs15-init --create-pkcs15 --profile pkcs15+onepin --pin 1234 --puk 12345678
Using reader with a card: Feitian Technologies FT SCR310 00 00
root@lx01.mit:~#

Listing 18.31

root@lx01.mit:~# pkcs15-init --generate-key rsa/2048 --auth-id 01 --pin 1234
Using reader with a card: Feitian Technologies FT SCR310 00 00
root@lx01.mit:~# pkcs15-tool --list-keys
Using reader with a card: Feitian Technologies FT SCR310 00 00
Private RSA Key [Private Key]
  Object Flags : [0x03], private, modifiable
  Usage    : [0x04], sign
  Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
  Algo_refs  : 0
  ModLength  : 2048
  Key ref   : 1 (0x01)
  Native    : yes
  Path     : 3f005015
  Auth ID   : 01
  ID      : 2a3c7450be18bdd68f750c697290cd8ada956bd8
  MD:guid   : 682da292-29ce-c0b1-0915-88d321666748

root@lx01.mit:~#

Listing 18.32

root@lx01:~# openssl
OpenSSL> engine dynamic -pre SOPATH:/usr/lib64/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LISTADD:1 -pre LOAD -pre MODULEPATH:/usr/lib64/pkcs11/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib64/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
OpenSSL>  req -engine pkcs11 -new -key slot0-id2a3c7450be18bdd68f750c697290cd8ada956bd8 -keyform engine -out pkuser-req.pem
engine "pkcs11" set.
PKCS#11 token PIN: 1234
You are about to be asked to enter information that will be incorporated
into your certificate request.

[...]

OpenSSL> quit
root@lx01:~#

Listing 18.33

root@lx01.mit:~# pkcs15-init --store-certificate pkuser.pem --auth-id 01 --id 2a3c7450be18bdd68f750c697290cd8ada956bd8
Using reader with a card: Feitian Technologies FT SCR310 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]: 1234
root@lx01.mit:~#

Listing 18.34

root@lx01:~# kinit -X X509anchors=FILE:/etc/openldap/CAcert.pem -X X509useridentity=PKCS11:modulename=/usr/lib64/pkcs11/opensc-pkcs11.so pkuser
OpenSC Card (User PIN)      PIN: 1234
root@lx01.mit:~#
root@lx01.mit:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pkuser@MIT.EXAMPLE.COM

Valid starting      Expires             Service principal
09/17/2021 13:37:29 09/17/2021 23:37:20 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 09/24/2021 13:37:20
root@lx01.mit:~#

Listing 18.35

root@lx01.mit:~# kinit -n -c /tmp/krb5ccanon
root@lx01.mit:~# klist /tmp/krb5ccanon
Ticket cache: FILE:/tmp/krb5cc_anon
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting      Expires             Service principal
09/17/2021 17:41:02 09/18/2021 03:41:02 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 09/24/2021 17:41:02
root@lx01.mit:~#

Listing 18.36

maxm@lx01.ipa:~$ ipa otptoken-add
------------------
Added OTP token ""
------------------
  Unique ID: 05c73f97-f84e-4679-9c95-6964c5c45939
  Type: TOTP
  Owner: maxm
  Manager: maxm
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/maxm@IPA.EXAMPLE.COM:05c73f97-f84e-4679-9c95-6964c5c45939?issuer=maxm%40IPA.EXAMPLE.COM&secret=NGZMZGBHLSUN6QQABKHOO6EEJQ7VTIHCHJVB7WQQ36P5R4OZ7OIU6T4X&digits=6&algorithm=SHA1&period=30

[...]

maxm@lx01.ipa:~$

Listing 18.37

root@lx01.kdc01.ipa:~# ssh -l maxm lx01.ipa.example.com
First Factor: P@ssw0rd
Second Factor: 757761
maxm@lx01.ipa:~$

Listing 18.38

maxm@lx01.ipa:~$ kinit maxm
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
maxm@lx01.ipa:~$ kinit -n -c /tmp/armorcache
maxm@lx01.ipa:~$ kinit -T /tmp/armorcache maxm
Enter OTP Token Value: P@ssw0rd205789
maxm@lx01.ipa:~$

Listing 20.1

root@lx01.ads:~# ldapsearch -LLL -x -h kdc01.ads.example.com -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

root@lx01.ads:~#

Listing 20.2

root@lx01.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@kdc01:~# ldapwhoami -Y GSSAPI -h kdc01.ads.example.com
SASL/GSSAPI authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
u:ADS\Administrator
root@lx01.ads:~#

Listing 20.3

root@kdc01:~# ldapsearch -LLL -x -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN

root@kdc01:~#

Listing 20.4

mech_list: GSSAPI EXTERNAL

Listing 20.5

[Service]
Environment="KRB5_KTNAME=/etc/openldap/krb5.keytab"

Listing 20.6

root@kdc01:~# ldapsearch -LLL -H ldaps://kdc01.example.com -b dc=example,dc=com "cn=Max Mustermann" objectClass cn sn krbPrincipalName
SASL/GSSAPI authentication started
SASL username: maxm@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: Max Mustermann
sn: Mustermann
krbPrincipalName: maxm@EXAMPLE.COM

root@kdc01:~#

Listing 20.7

root@kdc01:~# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: maxm@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=maxm,cn=gssapi,cn=auth
root@kdc01:~#

Listing 20.8

dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "uid=maxm,cn=gssapi,cn=auth" "cn=Max Mustermann,ou=people,dc=example,dc=com"

Listing 20.9

dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "uid=(.*),cn=gssapi,cn=auth" ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@EXAMPLE.COM)

Listing 20.10

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
  by anonymous auth
  by self write
  by * none
olcAccess: to attrs=krbPrincipalName,entry
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by users read
  by anonymous auth
  by * none
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,member,memberUid,objectClass,ou,sn,uid,uidNumber,uniqueMember
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by users read
  by * none
olcAccess: to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,
cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
  by * none

Listing 20.11

root@kdc01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: P@ssw0rd
root@kdc01:~# ldapwhoami -Q -Y GSSAPI
dn:krbPrincipalName=erim@EXAMPLE.COM,cn=example.com,cn=realms,ou=mit-kerberos,dc=example,dc=com
root@kdc01:~# kinit maxm@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: P@ssw0rd
root@kdc01:~# ldapwhoami -Q -Y GSSAPI
dn:cn=max mustermann,ou=people,dc=example,dc=com
root@kdc01:~#

Listing 21.1

root@lx01.ads:~# realm join -U Administrator ADS.EXAMPLE.COM
Password for Administrator: P@ssw0rd
root@lx01.ads:~#

Listing 21.2

root@lx01.ads:~# ssh -l administrator@ads.example.com lx01.ads.example.com
administrator@ads.example.com@lx01.ads's password: P@ssw0rd
[administrator@ads.example.com@lx01 ~]$ ldapwhoami -Y GSSAPI -H ldap://kdc01.ads.example.com
SASL/GSSAPI authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
u:ADS\Administrator
[administrator@ads.example.com@lx01 ~]$

Listing 21.3

root@lx01.ads:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
 2 LX01$@ADS.EXAMPLE.COM
 2 LX01$@ADS.EXAMPLE.COM
 2 host/LX01@ADS.EXAMPLE.COM
 2 host/LX01@ADS.EXAMPLE.COM
 2 host/lx01.ads.example.com@ADS.EXAMPLE.COM
 2 host/lx01.ads.example.com@ADS.EXAMPLE.COM
 2 RestrictedKrbHost/LX01@ADS.EXAMPLE.COM
 2 RestrictedKrbHost/LX01@ADS.EXAMPLE.COM
 2 RestrictedKrbHost/lx01.ads.example.com@ADS.EXAMPLE.COM
 2 RestrictedKrbHost/lx01.ads.example.com@ADS.EXAMPLE.COM

Listing 21.4

[sssd]
domains = ads.example.com
config_file_version = 2
services = nss, pam

[domain/ads.example.com]
ad_domain = ads.example.com
krb5_realm = ADS.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Listing 21.5

[...]
passwd:    sss files systemd
group:     sss files systemd
[...]

Listing 21.6

auth required  pam_env.so
auth required  pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required  pam_deny.so

account required  pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required  pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

Listing 21.7

[sssd]
domains = ads.example.com
config_file_version = 2
services = nss, pam
domain_resolution_order = ads.example.com, mydom.ads.example.com, otherdom.ads.example.com
full_name_format = %1$s

[domain/ads.example.com]
ad_domain = ads.example.com
krb5_realm = ADS.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

Listing 21.8

[sssd]
domains = ads.example.com
[...]
[domain/ads.example.com/mydom.ads.example.com]
use_fully_qualified_names = True

[domain/ads.example.com/otherdom.ads.example.com]
use_fully_qualified_names = True

Listing 21.9

[sssd]
domains = ipa.example.com
services = nss, pam, ssh, sudo

[domain/ipa.example.com]
id_provider = ipa
ipa_server = _srv_, kdc01.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = lx02.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[...]

Listing 21.10

[sssd]
domains = mit.example.com, h5l.example.com
services = nss, pam
config_file_version = 2

[domain/mit.example.com]
id_provider = ldap
ldap_uri = ldap://kdc01.mit.example.com
ldap_search_base = dc=mit,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
auth_provider = krb5
krb5_server = kdc01.mit.example.com
krb5_realm = MIT.EXAMPLE.COM
krb5_validate = true

[domain/h5l.example.com]
id_provider = ldap
ldap_uri = ldap://kdc01.h5l.example.com
ldap_search_base = dc=h5l,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
auth_provider = krb5
krb5_server = kdc01.h5l.example.com
krb5_realm = H5L.EXAMPLE.COM
krb5_validate = true

Listing 21.11

dn: dc=mit,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: mit
ref: ldap://kdc01.mit.example.com/dc=mit,dc=example,dc=com

Listing 21.12

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
testuser1:x:998:998:Testnutzer Nr. 1:/home/testuser1:/bin/bash
testuser2:x:999:999:Testnutzer Nr. 2:/home/testuser1:/bin/bash
[...]
Benutzername:PW-Hash:UID:GID:Gecos:Heimatverzeichnis:Shell

Listing 21.13

root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:testuser1,testuser2
tty:x:5:
disk:x:6:
[...]
Gruppenname:PW-Hash:GID:Mitgliederliste

Listing 21.14

dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Max Mustermann
sn: Mustermann
uid: maxm
uidNumber: 10000
gidNumber: 123
gecos: Herr Mustermann
homeDirectory: /home/maxm
loginShell: /bin/bash

dn: cn=Musterleute,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Musterleute
gidNumber: 123
memberUid: maxm
memberUid: erim

Listing 21.15

dn: CN=Erika Musterfrau,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Erika Musterfrau
sn: Musterfrau
givenName: Erika
instanceType: 4
displayName: Erika Musterfrau
name: Erika Musterfrau
userAccountControl: 512
sAMAccountName: erim
userPrincipalName: erim@ADS.EXAMPLE.COM
unicodePwd:: IgBTAHQAYQByAHQAMQAyADMAIgA=
pwdLastSet: 0
uid: erim
uidNumber: 10001
gidNumber: 123
gecos: Frau Musterfrau
unixHomeDirectory: /home/erim
loginShell: /bin/bash

dn: CN=Musterleute,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: group
cn: Musterleute
sAMAccountName: Musterleute
gidNumber: 123
memberUid: maxm
memberUid: erim

Listing 21.16

root@lx01.ads:~# touch /tmp/testfile
root@lx01.ads:~# chown user7495:group7001 /tmp/testfile
root@lx01.ads:~# ls -l /tmp/testfile
-rw-r--r--. 1 user7495 group7001 0 Sep 18 18:15 /tmp/testfile
root@lx01.ads:~# id user7495
uid=7495(user7495) gid=7495(group7495) groups=7495(group7495)
root@lx01.ads:~# getent passwd user7495
user7495:*:7495:7495:ADS Testuser 495:/home/user7495:/bin/bash
root@lx01.ads:~# su - user7495
Creating home directory for user7495.
[user7495@lx01.ads ~]$ whoami
user7495

Listing 21.17

root@lx01.ads:~# id user7495
uid=518602595(user7495) gid=518600513(domain users) groups=518600513(domain users)

Listing 21.18

root@lx01.ads:~# ssh -l user7495 lx01.ads.example.com
user7495@lx01.ads's password: P@ssw0rd
[user7495@lx01.ads ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_7495_DfK3feZYlZ
Default principal: user7495@ADS.EXAMPLE.COM

Valid starting    Expires           Service principal
09/18/21 18:58:18 09/19/21 04:58:18 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
    renew until 09/25/21 18:58:18
[user7495@lx01.ads ~]$

Listing 21.19

[sssd]
domains = mit.example.com, ads.example.com
services = nss, pam
config_file_version = 2
domain_resolution_order = ads.example.com, mydom.ads.example.com, otherdom.ads.example.com
full_name_format = %1$s

[domain/mit.example.com]
id_provider = ldap
ldap_uri = ldap://kdc01.mit.example.com
ldap_search_base = dc=mit,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = lx02$@ADS.EXAMPLE.COM
auth_provider = krb5
chpass_provider = krb5
access_provider = krb5
krb5_server = kdc01.mit.example.com
krb5_realm = MIT.EXAMPLE.COM
krb5_validate = true
min_id = 1001
max_id = 1999

[domain/ads.example.com]
id_provider = ad
ldap_id_mapping = False
min_id = 7001
max_id = 9999

Listing 21.20

dn: CN=nonad,CN=Computers,DC=ads,DC=example,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: nonad
userAccountControl: 4128
sAMAccountName: nonad$
unicodePwd:: IgBhAGUAUQB2AEcAagBpAEoAegBwAFYANgBoADMAQgBhAEIATQBFAFIANwBWAHEAbABDADUAeABTAEIAcQB2AEIAdwB4AEUAMQAzAEgAaABEACIA
altSecurityIdentities: Kerberos:host/lx01.mit.example.com@MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.mit.example.com@MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.otherdom.mit.example.com@OTHERDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.otherdom.mit.example.com@OTHERDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.h5l.example.com@H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.h5l.example.com@H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM

Listing 22.1

user1001@lx01.mit:~$ ssh lx02
The authenticity of host 'lx02 (10.1.2.173)' can't be established.
ECDSA key fingerprint is SHA256:B0xylUorv65Weh5OzjSej37BHK0gRNXzdfdSvFoSF+0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'lx02,10.1.2.173' (ECDSA) to the list of known hosts.

Last login: Sun Sep 19 13:21:07 2021 from 10.1.2.172
user1001@lx02.mit:~$

Listing 22.2

user1001@lx01.mit:~$ kdestroy
user1001@lx01.mit:~$ ssh lx02
Password: P@ssw0rd
Password expired. You must change it now.
Current Password: P@ssw0rd
New password: N3xtP@ss
Retype new password: N3xtP@ss

Last login: Sun Sep 19 14:34:08 2021 from 10.1.2.172
user1001@lx02.mit:~$

Listing 22.3

user7001@lx01.ads:~$ ssh lx02.mit.example.com
Last login: Fri Aug 28 14:32:43 2020 from lx02.ads.example.com
user7001@lx02.mit:~$

Listing 22.4

auth_to_local = RULE:[String-Def](Prüfung)Transformation
auth_to_local = RULE:[String-Def](Prüfung)Transformation
auth_to_local = RULE:[String-Def](Prüfung)Transformation
[...]
auth_to_local = DEFAULT

Listing 22.5

[realms]
  MIT.EXAMPLE.COM = {
    [...]
    auth_to_local = RULE:[1:$1@$0](^.*@.*EXAMPLE.COM$)s/@.*//
    auth_to_local = DEFAULT
    [...]
  }

Listing 22.6

[plugins]
  localauth = {
    module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  }

Listing 23.1

user7001@lx01.ads:~$ smbclient -m SMB3 -k //kdc01.ads.example.com/home
Try "help" to get a list of possible commands.
smb: \> dir
  .                     D   0 Sun Sep 19 16:07:01 2021
  ..                    D   0 Sun Sep 19 16:07:01 2021
  user7001              D   0 Sun Sep 19 16:07:01 2021

        25024767 blocks of size 4096. 19899859 blocks available
smb: \> quit
user7001@lx01.ads:~$

Listing 23.2

root@lx01.ads:~# mkdir /mnt/cifs
root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# mount -t cifs //kdc01.ads.example.com/home /mnt/cifs/ -o sec=krb5i
root@lx01.ads:~# df -T /mnt/cifs
Filesystem          Type 1K-blocks   Used Available Use% Mounted on
//kdc01.ads.example.com/home cifs 100099068 20499344 79599724 21% /mnt/cifs
root@lx01.ads:~#
root@lx01.ads:~# ls -l /mnt/cifs/
drwxr-xr-x. 2 root root 0 Sep 19 16:07 user7001
root@lx01.ads:~#

Listing 23.3

root@lx02.ads:~# mkdir -p /home/user7001
root@lx02.ads:~# chown user7001:group7001 /home/user7001/
root@lx02.ads:~# chmod 700 /home/user7001/

Listing 23.4

[global]
    security = ads
    workgroup = ADS
    realm = ADS.EXAMPLE.COM
    kerberos method = system keytab

[home]
    path = /home/
    read only = No

Listing 23.5

root@lx02.ads:~# net ads join -U Administrator
Enter Administrator's password: P@ssw0rd
Using short domain name -- ADS
Joined 'LX02' to dns domain 'ads.example.com'
root@lx02.ads:~#

Listing 23.6

[global]
    security = ADS
    workgroup = ADS
    realm = ADS.EXAMPLE.COM
    kerberos method = system keytab

    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999
    idmap config ADS : backend = sss
    idmap config ADS : range = 7001 - 7999
    idmap config MYDOM : backend = sss
    idmap config MYDOM : range = 8001 - 8999
    idmap config OTHERDOM : backend = sss
    idmap config OTHERDOM : range = 9001 - 9999
[home]
    path = /home
    read only = No

Listing 23.7

root@lx02.ads:~# wbinfo --name-to-sid 'ADS\user7001'
S-1-5-21-3034790193-1933111306-388740863-2600 SID_USER (1)
root@lx02.ads:~# wbinfo --sid-to-name S-1-5-21-3034790193-1933111306-388740863-2600
ADS\user7001 1
root@lx02.ads:~# wbinfo --sid-to-uid S-1-5-21-3034790193-1933111306-388740863-2600
7001
root@lx02.ads:~# wbinfo --uid-to-sid 7001
S-1-5-21-3034790193-1933111306-388740863-2600
root@lx02.ads:~#

Listing 23.8

user7001@lx02.ads:~$ touch acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user7002:rwx acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user8003:rw acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user9004:r acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group7003:rwx acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group8004:rw acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group9005:r acl-test.txt
user7001@lx02.ads:~$ getfacl acl-test.txt
# file: acl-test.txt
# owner: user7001
# group: group7001
user::rw-
user:user7002:rwx
user:user8003:rw-
user:user9004:r--
group::r--
group:group7003:rwx
group:group8004:rw-
group:group9005:r--
mask::rwx
other::r--
user7001@lx02.ads:~$

Listing 23.9

root@lx02.mit:~# echo '/home lx01.mit.example.com(rw,subtree_check)' > /etc/exports
root@lx02.mit:~# mkdir -p /home/user1001
root@lx02.mit:~# chown user1001: /home/user1001
root@lx02.mit:~# chmod 0700 /home/user1001
root@lx02.mit:~# systemctl start nfs-server

Listing 23.10

root@lx01.mit:~# mount -t nfs -o vers=3,rw lx02.mit.example.com:/home /home
root@lx01.mit:~# df /home
Filesystem    1K-blocks  Used Available Use% Mounted on
lx02.example.com:/home
          7852768 3600288  3853600  49% /home
root@lx01.mit:~#

Listing 23.11

root@lx01.mit:~# cd /home/user1001/
-bash: cd: /home/user1001/: Permission denied
root@lx01.mit:~# su user1001
user1001@lx01.mit:/root$ cd /home/user1001
user1001@lx01.mit:~$

Listing 23.12

[General]
Verbosity = 0
Domain = example.com
Local-Realms = EXAMPLE.COM,MIT.EXAMPLE.COM,H5L.EXAMPLE.COM,ADS.EXAMPLE.COM,MYDOM.MIT.EXAMPLE.COM,OTHERDOM.MIT.EXAMPLE.COM,MYDOM.H5L.EXAMPLE.COM,OTHERDOM.H5L.EXAMPLE.COM,MYDOM.ADS.EXAMPLE.COM,OTHERDOM.ADS.EXAMPLE.COM

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

Listing 23.13

#Kommentarzeile
Server-Pfad Client-Liste(Export-Option,Export-Option,...) Client-Liste(Export-Option,Export-Option,...)
[...] [...]

Listing 23.14

# Ein Export für /home
/home *(rw,subtree_check,sec=krb5)

Listing 23.15

root@lx01.mit:~# mount -t nfs4 -o sec=krb5 lx02.mit.example.com:/ /home
root@lx01.mit:~# klist /tmp/krb5ccmachineMIT.EXAMPLE.COM 
root@lx01.mit:~# klist /tmp/krb5ccmachine_MIT.EXAMPLE.COM
Ticket cache: FILE:/tmp/krb5ccmachine_MIT.EXAMPLE.COM
Default principal: host/lx01.mit.example.com@MIT.EXAMPLE.COM

Valid starting      Expires             Service principal
08/31/2021 02:07:53 08/31/2021 12:07:53 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 09/02/2021 02:07:53
08/31/20 02:07:53  08/31/2021 12:07:53 nfs/lx02.mit.example.com@MIT.EXAMPLE.COM
       renew until 09/02/2021 02:07:53
root@lx01.mit:~#

Listing 23.16

root@lx01.mit:~# cd /home/user1001
-bash: cd: /home/user1001: Permission denied
root@lx01.mit:~# su user1001
bash: /home/user1001/.bashrc: Permission denied
user1001@lx01.mit:/root$ cd /home/user1001
bash: cd: /home/user1001: Permission denied

Listing 23.17

lx01 login: user1001
Password: P@ssw0rd
Last login: Mon Aug 31 02:22:10 2020 from 10.1.2.111
user1001@lx01.mit:~$ df .
Filesystem       1K-blocks  Used Available Use% Mounted on
lx02.mit.example.com:/home 95017472 2895360 87252352  4% /home
user1001@lx01.mit:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_Z5QziMAGK7
Default principal: user1001@MIT.EXAMPLE.COM

Valid starting      Expires             Service principal
08/31/2021 02:24:11 08/31/2021 12:21:16 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
       renew until 09/02/2021 02:21:19
08/31/2021 02:24:11 08/31/2021 12:21:16 nfs/lx02.mit.example.com@MIT.EXAMPLE.COM
       renew until 09/02/2021 02:21:19
user1001@lx01.mit:~$

Listing 24.1

[...]
SSLCertificateFile /etc/pki/tls/certs/lx02.ads-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/lx02.ads.key
[...]

Listing 24.2

C:\Users\Administrator>setspn.exe -A HTTP/www.ads.example.com lx02-http
Registering ServicePrincipalNames for CN=HTTP/lx02.ads.example.com,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
    HTTP/www.ads.example.com
Updated object

C:\Users\Administrator>

Listing 24.3

root@lx02.ads:~# ktutil
ktutil: rkt /etc/http.keytab
ktutil: list -e -k
slot KVNO Principal
---- ---- ----------------------------
1  2  HTTP/lx02.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)  (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
ktutil: addent -key -p HTTP/www.ads.example.com@ADS.EXAMPLE.COM -k 2 -e aes256-cts
Key for HTTP/www.ads.example.com@ADS.EXAMPLE.COM (hex): da05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47
ktutil: list -e -k
slot KVNO Principal
---- ---- ---------------------------
1  2  HTTP/lx02.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)  (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
2  2  HTTP/www.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)  (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
ktutil: wkt /etc/http.keytab.new
ktutil: quit
root@lx02.ads:~# mv /etc/http.keytab.new /etc/http.keytab
root@lx02.ads:~# chown apache:apache /etc/http.keytab

Listing 24.4

<Directory /var/www/html>
   AuthType GSSAPI
   AuthName "GSSAPI SSO Login"
   GssapiAllowedMech krb5
   GssapiBasicAuth Off
   GssapiCredStore keytab:/etc/http.keytab
   GssapiSSLonly On
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
   require valid-user
</Directory>

Listing 24.5

root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl --negotiate -u : https://www.ads.example.com
It works!

Listing 24.6

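#!/bin/sh
# CGI script for the SSO demo: returns a plain-text page naming the
# Kerberos principal the web server authenticated for this request.
#
# Input:  REMOTE_USER - the authenticated principal (user@REALM), set by the
#         web server before the script runs.
# Output: an HTTP plain-text response on stdout (header, blank line, body).
printf '%s\n' "Content-type: text/plain"
printf '\n'
printf '%s\n' "Anmeldeinformationen:"
printf '\n'
printf '%s\n' "Sie sind angemeldet unter dem Kerberos-Principal"
# printf instead of echo: REMOTE_USER is data supplied by the server, and
# echo in some /bin/sh implementations interprets a leading "-n" or
# backslash sequences in its argument.
printf '%s\n' "${REMOTE_USER:-}"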

Listing 24.7

<Directory /var/www/cgi-bin>
   AuthType GSSAPI
   AuthName "GSSAPI SSO Login"
   GssapiAllowedMech krb5
   GssapiBasicAuth Off
   GssapiCredStore keytab:/etc/http.keytab
   GssapiDelegCcacheDir /tmp
   GssapiSSLonly On
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
   require valid-user
</Directory>

Listing 24.8

root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl --negotiate -u : https://www.ads.example.com/cgi-bin/login-info

Anmeldeinformationen:

Sie sind angemeldet unter dem Kerberos-Principal
user7001@ADS.EXAMPLE.COM

Listing 24.9

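#!/bin/sh
# CGI script for the credential-delegation demo (served from /var/www/cgi-bin
# with GssapiDelegCcacheDir set): shows the credential cache delegated by the
# client, then uses those credentials for an SSH session and an LDAP search
# under the authenticated user's identity, and finally shows the cache again
# so the service tickets acquired on the way are visible.
#
# Input:  REMOTE_USER - the authenticated Kerberos principal (user@REALM),
#         set by the web server. The delegated cache itself is found by
#         klist/ssh/ldapsearch through the environment the server sets up
#         (presumably KRB5CCNAME; not visible from this script).
# Output: an HTTP plain-text response on stdout. stderr of the invoked tools
#         is merged into the body so failures show up in the browser.
printf '%s\n' "Content-type: text/plain"
printf '\n'

printf '%s\n' "Delegationsinformationen:"
printf '\n'
/usr/bin/klist -f 2>&1
printf '\n'

printf '%s\n' "Zugriff auf Netzwerkdienste:"
printf '\n'
printf '%s\n' "Mit den delegierten Credentials wird Apache nun"
printf '%s\n' "unter Ihrer Identitaet eine SSH-Sitzung und"
printf '%s\n' "eine LDAP-Suche durchfuehren ..."
printf '\n'

# Strip the realm (user@REALM -> user) with a parameter expansion instead of
# an unquoted echo piped through sed; an unset REMOTE_USER yields "" as before.
USERNAME=${REMOTE_USER%%@*}

printf '%s\n' "Hier der Output einer SSH-Sitzung: "
printf '\n'
# Host-key checking is switched off for the demo because the web server's
# account has no known_hosts file. In a real deployment, provision a
# known_hosts entry for the target (or use GSSAPIKeyExchange where the
# distribution's OpenSSH supports it) instead of accepting any host key.
/usr/bin/ssh -l "$USERNAME" \
             -o StrictHostKeyChecking=no \
             -o UserKnownHostsFile=/dev/null \
                lx02.ads.example.com id 2>&1

printf '\n'
printf '%s\n' "Hier der Output einer LDAP-Suche"
printf '\n'
# The principal is inserted verbatim into the search filter. It has been
# authenticated by the KDC, but it is quoted so whitespace cannot split the
# argument; -H (URI form) matches the ldapsearch invocations used elsewhere
# in this setup.
/usr/bin/ldapsearch -QLLL \
                    -b dc=ads,dc=example,dc=com \
                    -H ldap://kdc01.ads.example.com \
                       "userPrincipalName=${REMOTE_USER:-}" \
                       uidNumber gidNumber 2>&1

printf '\n'

printf '%s\n' "Delegationsinformationen:"
printf '\n'
/usr/bin/klist -f 2>&1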

Listing 24.10

root@lx01.ads:~# kinit -f user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl --delegation always --negotiate -u : https://www.ads.example.com/cgi-bin/delegation-info
Delegationsinformationen:

Ticket cache: FILE:/tmp/user7001@ADS.EXAMPLE.COM
Default principal: user7001@ADS.EXAMPLE.COM

Valid starting    Expires           Service principal
09/19/21 22:17:54 09/20/21 08:17:45 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
    renew until 09/26/21 22:17:45, Flags: FfRA

Zugriff auf Netzwerkdienste:

Mit den delegierten Credentials wird Apache nun
unter Ihrer Identitaet eine SSH-Sitzung und
eine LDAP-Suche durchfuehren ...

Hier der Output einer SSH-Sitzung:

uid=7001(user7001) gid=7001(group7001) groups=7001(group7001) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Hier der Output einer LDAP-Suche

dn: CN=user7001,CN=Users,DC=ads,DC=example,DC=com
uidNumber: 7001
gidNumber: 7001

[...]

Delegationsinformationen:

Ticket cache: FILE:/tmp/user7001@ADS.EXAMPLE.COM
Default principal: user7001@ADS.EXAMPLE.COM

Valid starting      Expires             Service principal
09/19/2021 22:17:54 09/20/2021 08:17:45 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
       renew until 09/26/2021 22:17:45, Flags: FfRA
09/19/2021 22:18:00 09/20/2021 08:17:45 host/lx02.ads.example.com@ADS.EXAMPLE.COM
       renew until 09/26/2021 22:17:45, Flags: FfRA
09/19/2021 22:18:01 09/20/2021 08:17:45 ldap/kdc01.ads.example.com@ADS.EXAMPLE.COM
       renew until 09/26/2021 22:17:45, Flags: FfRAO
root@lx01.ads:~#

Listing 24.11

<Directory /var/www/html>
   AuthType GSSAPI
   AuthName "GSSAPI SSO Login"
   GssapiAllowedMech krb5
   GssapiBasicAuth Off
   GssapiCredStore keytab:/etc/http.keytab
   GssapiSSLonly On
   AuthLDAPURL "ldap://kdc01.ads.example.com/dc=ads,dc=example,dc=com?userPrincipalName?sub"
   AuthLDAPBindDN CN=HTTP/lx02.ads.example.com,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
   AuthLDAPBindPassword "P@ssw0rd"
   AuthLDAPRemoteUserAttribute "userPrincipalName"
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
   require ldap-group CN=WWW-Users,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
</Directory>

Listing 24.12

# OpenLDAP client defaults (ldapsearch etc.) for the AD-backed realm.
BASE dc=ads,dc=example,dc=com
# NOTE(review): plain ldap:// URI; TLS_CACERT below is only used once a TLS
# session is negotiated (ldaps:// or STARTTLS) - confirm which one the tools use.
URI ldap://kdc01.ads.example.com
TLS_CACERT /etc/openldap/CAcert.pem
# Do not chase referrals returned by the directory.
REFERRALS off
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

Listing 24.13

root@lx02.ads:~# adduser --system --user-group --create-home --home-dir /opt/keycloak keycloak
root@lx02.ads:~# su - keycloak
keycloak@lx02.ads:~$ curl -sL -O https://github.com/keycloak/keycloak/releases/download/15.0.2/keycloak-15.0.2.tar.gz
keycloak@lx02.ads:~$ tar xfz keycloak-15.0.2.tar.gz --strip-components=1
keycloak@lx02.ads:~$ ./bin/add-user-keycloak.sh -r master -u admin -p P@ssw0rd
Added 'admin' to '/opt/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user

Listing 24.14

root@lx02.ads:~# openssl pkcs12 -export -in /etc/pki/tls/certs/lx02.ads-cert.pem -inkey /etc/pki/tls/private/lx02.ads.key -name server -out /opt/keycloak/standalone/configuration/application.keystore -chain -CAfile /etc/openldap/CAcert.pem
Enter Export Password: password
Verifying - Enter Export Password: password
root@lx02.ads:~# chown keycloak /opt/keycloak/standalone/configuration/application.keystore
root@lx02.ads:~# chmod 0400 /opt/keycloak/standalone/configuration/application.keystore

Listing 24.15

keycloak@lx02.ads:~$ cp docs/contrib/scripts/systemd/wildfly.conf keycloak.conf
keycloak@lx02.ads:~$ sed -e 's/wildfly/keycloak/g' docs/contrib/scripts/systemd/launch.sh > bin/launch.sh
keycloak@lx02.ads:~$ chmod +x bin/launch.sh
keycloak@lx02.ads:~$ sed -e 's/wildfly/keycloak/g' -e 's,/etc,/opt,' docs/contrib/scripts/systemd/wildfly.service > keycloak.service
keycloak@lx02.ads:~$ exit
root@lx02.ads:~# systemctl link /opt/keycloak/keycloak.service
root@lx02.ads:~# systemctl enable --now keycloak.service

Listing 24.16

root@lx02.ads:~# setfacl -m u:keycloak:r /etc/http.keytab

Listing 24.17

root@lx02.ads:~# dnf install squid
root@lx02.ads:~# systemctl enable squid
root@lx02.ads:~# firewall-cmd --permanent --add-service=squid
root@lx02.ads:~# firewall-cmd --reload

Listing 24.18

root@lx02.ads:~# setfacl -m u:squid:r /etc/http.keytab
root@lx02.ads:~# systemctl restart squid

Listing 24.19

[...]
# Kerberos/Negotiate authentication helper, reading the shared HTTP service keytab
# (the same /etc/http.keytab Apache uses; see Listing 24.18 for the ACL granting squid access).
# -s GSS_C_NO_NAME: no service principal is pinned; any principal in the keytab is accepted.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/http.keytab -s GSS_C_NO_NAME
# ACL that matches only requests carrying valid proxy credentials.
acl auth proxy_auth REQUIRED
[...]

Listing 24.20

[...]
# Remove all existing http_access rules and replace them with the lines below.
# Order matters (first match wins): the first line challenges unauthenticated
# clients (the 407 seen in Listing 24.21), the second admits authenticated users,
# and the last keeps the proxy closed to everything else.
http_access deny !auth
http_access allow auth
http_access deny all
[...]

Listing 24.21

root@lx01.ads:~# curl -L https://www.kerberos-buch.de/ -x lx02.ads.example.com:3128
curl: (56) Received HTTP code 407 from proxy after CONNECT
root@lx01.ads:~# kinit user7001@ADS.EXAMPLE.COM
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl -sL https://www.kerberos-buch.de/ --proxy-negotiate -U : -x lx02.ads.example.com:3128
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
       "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
[...]

Listing A.1

# Two person entries under ou=people, in LDIF content format.
version: 1

# Max Mustermann
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Max Mustermann
sn: Mustermann

# Erika Musterfrau
# "::" marks a base64-encoded value (the text contains an umlaut); the
# continuation line starts with a single space. Listing A.2 shows how to decode it.
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Erika Musterfrau
sn: Musterfrau
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0
 ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo=

Listing A.2

root@kdc01:~# echo RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo= | base64 -d
Ein Beispiel eines Benutzerobjektes für das Kerberos-Buch
root@kdc01:~#

Listing A.3

# create a new object
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: add
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person

# add an attribute to the object just created (records are separated by a blank line)
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: modify
add: seeAlso
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com

Listing A.4

# Three changes to one entry in a single modify record, separated by "-" lines:
# drop seeAlso entirely, replace all description values with one, and add a
# userPassword. NOTE(review): the password is in cleartext in this file - protect
# it and remove it after loading; whether the server stores the value hashed
# depends on the server's configuration, not on this LDIF.
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: modify
delete: seeAlso
-
replace: description
description: Eine Beispielanwenderin
-
add: userPassword
userPassword: P@ssw0rd

Listing A.5

# delete the object
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: delete

Listing A.6

root@kdc01:~# ldapsearch -x -h kdc01.example.com -b dc=example,dc=com '(cn=Erika*)'
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0
 ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com

root@kdc01:~#

Listing A.7

root@kdc01:~# ldapsearch -x -h kdc01.example.com -b dc=example,dc=com '(&(objectClass=person)(seeAlso=*))' cn
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau

Listing A.8

root@kdc01:~# ldapsearch -x -h kdc01.example.com -D 'cn=Erika Musterfrau,ou=people,dc=example,dc=com' -w 'P@ssw0rd' -b dc=example,dc=com '(cn=Erika*)'
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0
 ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
userPassword:: Z2VoZWltMTIz

root@kdc01:~#

Listing A.9

root@kdc01:~# ldapmodify -x -D cn=admin,dc=example,dc=com -w 'P@ssw0rd' -f erim.ldif
adding new entry "cn=Erika Musterfrau,ou=people,dc=example,dc=com"

modifying entry "cn=Erika Musterfrau,ou=people,dc=example,dc=com"

root@kdc01:~#

Listing B.1

# Kickstart for the test VMs: unattended text-mode installation from CD/DVD.
install
cdrom
# NOTE(review): root password in cleartext; anyone who can read this file (or a
# copy of it on the install media / kickstart server) has it. A pre-hashed value
# via "rootpw --iscrypted" avoids storing the cleartext.
rootpw --plaintext P@ssw0rd
auth --useshadow --passalgo=sha512
text
keyboard de
lang en_US
selinux --enforcing
logging --level=info
timezone Europe/Berlin

# Adjust IP address, netmask and device name to the network of the test environment!
# NOTE(review): --bootproto=static appears twice on this line; one is redundant.
network --device=enp0s3 --bootproto=static --activate --bootproto=static --ip=10.1.2.XXX --gateway=10.1.2.254 --netmask=255.255.255.0 --nameserver=8.8.8.8 --onboot=true

bootloader --location=mbr --append="nomodeset crashkernel=auto"
# Destructive: the whole disk is wiped and relabeled before partitioning.
zerombr
clearpart --all --initlabel
part / --fstype ext4 --size 6000 --grow --asprimary
part /boot --fstype ext4 --size 200 --grow --asprimary
part swap --size 2048
reboot --eject

# Base system plus build tooling (gcc, dkms, kernel headers); missing packages are skipped.
%packages --ignoremissing
@base
@core
kernel-headers
kernel-devel
glibc-devel
glibc-headers
gcc
dkms
make
bzip2
perl
python36
%end

# Runs outside the installed chroot; its output is kept under /root of the new system.
%post --nochroot --log=/mnt/sysimage/root/ks-post.log
df -h
%end