(Hier gibt es die Listings der ersten Auflage)
Komponente-1[/Komponente-2/.../Komponente-N]@REALM
CentOS Linux 8 (Core)
Kernel 4.18.0-193.14.2.el8_2.x86_64 on an x86_64
lx01 login: maxm
Password: P@ssw0rd
maxm@lx01:~$
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/23/2021 17:32:57
maxm@lx01:~$
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FRIA
maxm@lx01:~$ ldapsearch -h kdc01 -QLLL uid=maxm uidNumber gidNumber
dn: uid=maxm,ou=people,dc=example,dc=com
uidNumber: 10000
gidNumber: 10000
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FRIA
06/22/2021 17:34:07 06/23/2021 03:32:59 ldap/kdc01.example.com@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FRAT
maxm@lx01:~$
maxm@lx01:~$ ssh lx02.example.com
Last login: Fri Aug 21 14:28:07 2020 from 10.1.2.111
maxm@lx02:~$ klist -f
klist: No credentials cache found (filename: /tmp/krb5cc_10000)
maxm@lx02:~$ logout
Connection to lx02.example.com closed.
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FRIA
06/22/2021 17:34:07 06/23/2021 03:32:59 ldap/kdc01.example.com@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FRAT
06/22/2021 17:35:53 06/23/2021 03:32:59 host/lx02.example.com@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FRAT
maxm@lx01:~$
maxm@lx01:~$ ssh -o GSSAPIDelegateCredentials=yes lx02.example.com
Last login: Fri Aug 21 14:33:29 2020 from lx01.example.com
maxm@lx02:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_tYAs5NLrnP
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
06/22/2021 17:37:28 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/23/2021 17:32:57, Flags: FfRAT
maxm@lx02:~$ logout
Connection to lx02.example.com closed.
maxm@lx01:~$
# Forward (delegate) the Kerberos TGT to lx02 on every connection.
# Convenient - klist on lx02 then shows a forwardable krbtgt (flag "f") and
# the user can reach further Kerberized services from there - but it hands
# the user's whole identity to lx02: anyone with root on that host can read
# the forwarded cache and act as the user anywhere in the realm until the
# ticket expires. Enable this only for hosts that genuinely must act on
# the user's behalf, never as a blanket "Host *" default.
Host lx02.example.com
GSSAPIDelegateCredentials yes
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
06/22/2021 17:32:59 06/23/2021 03:32:59 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/23/2021 17:32:57
06/22/2021 17:34:07 06/23/2021 03:32:59 ldap/kdc01.example.com@EXAMPLE.COM
renew until 06/23/2021 17:32:57
06/22/2021 17:35:53 06/23/2021 03:32:59 host/lx02.example.com@EXAMPLE.COM
renew until 06/23/2021 17:32:57
06/22/2021 22:29:20 06/23/2021 03:32:59 HTTP/lx02.example.com@EXAMPLE.COM
renew until 06/23/2021 17:32:57
maxm@lx01:~$ kdestroy
maxm@lx01:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10000_zGOviZ)
maxm@lx01:~$
maxm@lx01:~$ kinit maxm@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/21/2021 14:42:14 08/22/2021 00:42:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 14:42:11
maxm@lx01:~$
maxm@lx01:~$ kvno host/lx02.example.com@EXAMPLE.COM
host/lx02.example.com@EXAMPLE.COM: kvno = 2
maxm@lx01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/21/2021 14:42:14 08/22/2021 00:42:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 14:42:11
08/21/2021 14:43:44 08/22/2021 00:42:14 host/lx02.example.com@EXAMPLE.COM
renew until 08/22/2021 14:42:11
maxm@lx01:~$
$ string2key -5 -k des-cbc-md5
Kerberos v5 principal: maxm@EXAMPLE.COM
Password: P@ssw0rd
Kerberos 5 (des-cbc-md5): cdaed543802f79d0
$ string2key -5 -k AES256-CTS-HMAC-SHA384-192
Kerberos v5 principal: maxm@EXAMPLE.COM
Password: P@ssw0rd
Kerberos 5 (aes256-cts-hmac-sha384-192): 52b9d0d220c487b1d8b7d34f2a8b7e23f03179762b24612f920ce56752c3b2cb
$
$ ktutil
ktutil: addent -password -p maxm@EXAMPLE.COM -k 1 -e CAMELLIA256-CTS-CMAC
Password for maxm@EXAMPLE.COM: P@ssw0rd
ktutil: l -k
slot KVNO Principal
---- ---- ------------------------------------------------
1 1 maxm@EXAMPLE.COM (0xabb9c235054143aad37797d1504431114c2c662515d0b69cc9c0bcbfd855dd16)
ktutil: quit
$
maxm@lx01:~$ kinit -S HTTP/lx02.example.com@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_zGOviZ
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/21/2021 17:31:17 08/22/2021 03:31:17 HTTP/lx02.example.com@EXAMPLE.COM
renew until 08/22/2021 17:31:14, Flags: FRIA
maxm@lx01:~$
maxm@lx01:~$ kinit -l 10min -r 20min
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 00:44:08 08/22/2021 00:54:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 01:04:04, Flags: FRIA
[...9 Minuten warten...]
maxm@lx01:~$ kinit -R
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 00:53:53 08/22/2021 01:03:49 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 01:04:04, Flags: FRIAT
[...9 Minuten warten...]
maxm@lx01:~$ kinit -R
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 01:03:38 08/22/2021 01:04:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 01:04:04, Flags: FRIAT
[...9 Minuten warten...]
maxm@lx01:~$ kinit -R
kinit: Ticket expired while renewing credentials
maxm@lx01:~$
maxm@lx01:~$ kinit -s 20min -l 10min -r 20min
Password for maxm@EXAMPLE.COM: P@ssw0rd
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 01:37:09 08/22/2021 01:47:09 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 01:57:09, Flags: FDdiRIA
maxm@lx01:~$
[...9 Minuten warten...]
maxm@lx01:~$ kinit -v
kinit: Ticket not yet valid while validating credentials
[...9 Minuten warten...]
maxm@lx01:~$ kinit -v
kinit: Ticket not yet valid while validating credentials
[...9 Minuten warten...]
maxm@lx01:~$ kinit -v
maxm@lx01:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_10000_nBdClX
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 01:46:24 08/22/2021 01:47:09 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/22/2021 01:57:09, Flags: FDdRIAT
maxm@lx01:~$
root@lx01.mydom.mit:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@MYDOM.MIT.EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 11:47:43 08/22/2021 21:47:41 krbtgt/MYDOM.MIT.EXAMPLE.COM@MYDOM.MIT.EXAMPLE.COM
renew until 08/29/2021 11:47:41, Flags: FRIA
08/22/2021 11:47:47 08/22/2021 21:47:41 krbtgt/MIT.EXAMPLE.COM@MYDOM.MIT.EXAMPLE.COM
renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:40 08/22/2021 21:47:41 krbtgt/EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:44 08/22/2021 21:47:41 krbtgt/H5L.EXAMPLE.COM@EXAMPLE.COM
renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:47 08/22/2021 21:47:41 krbtgt/OTHERDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
renew until 08/29/2021 11:47:41, Flags: FRAT
08/22/2021 11:47:47 08/22/2021 21:47:41 host/kdc01.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM
renew until 08/29/2021 11:47:41, Flags: FRAT
root@lx01.mydom.mit:~#
root@kdc01:~# dnf install bind bind-utils
root@kdc01:~# systemctl stop named
root@kdc01:~# systemctl start named
root@kdc01:~# systemctl enable named
root@kdc01:~# systemctl enable named --now
root@kdc01:~# firewall-cmd --add-service=dns --permanent
root@kdc01:~# firewall-cmd --add-port=53/udp --permanent
root@kdc01:~# firewall-cmd --add-port=53/tcp --permanent
root@kdc01:~# firewall-cmd --reload
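options {
	// Listen on loopback and the lab address only; IPv6 loopback for v6.
	listen-on port 53 { 127.0.0.1; 10.1.2.110; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file "/var/named/data/named.secroots";
	recursing-file "/var/named/data/named.recursing";

	// The authoritative zones (example.com, 2.1.10.in-addr.arpa) may be
	// queried by anyone; recursion and cache access are restricted below.
	allow-query { any; };

	// Recursive resolution is only for the lab hosts themselves. With
	// "allow-query { any; }" and the LAN listener on 10.1.2.110, an
	// unrestricted "recursion yes" would turn this host into an open
	// resolver that any network able to reach it could use for DNS
	// amplification or as a target for cache-poisoning attempts.
	recursion yes;
	allow-recursion { localhost; localnets; };
	allow-query-cache { localhost; localnets; };

	// Non-local names are forwarded to Google DNS. DNSSEC validation
	// (below) protects the integrity of those answers, not their privacy:
	// every lookup leaves the lab in clear text.
	forwarders { 8.8.8.8; };

	// "dnssec-validation yes" is what actually enables validation of the
	// forwarded answers; newer BIND releases deprecate "dnssec-enable"
	// (the BIND shipped with CentOS 8 still accepts it).
	dnssec-enable yes;
	dnssec-validation yes;

	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	// System-wide crypto policy (restricts the algorithms BIND may use).
	include "/etc/crypto-policies/back-ends/bind.config";
};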
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Authoritative forward zone for the lab domain.
zone "example.com" in {
type master;
// Dynamic updates stay disabled (the line is commented out). If they are
// ever enabled, do not authorize a whole subnet by source address as the
// line below would: UDP source addresses are trivially spoofed, and any
// host in 10.1.2.0/24 could then rewrite the A records the Kerberos
// clients use to pick a service principal. Use a TSIG key
// ("allow-update { key ...; };") or a scoped "update-policy" instead.
#allow-update {10.1.2.0/24;};
file "/var/named/example.com.zone";
};
// Reverse zone for 10.1.2.0/24 (the PTR records checked with "host"
// further down in the listing).
zone "2.1.10.in-addr.arpa" in {
type master;
file "/var/named/2.1.10.zone";
};
$ORIGIN .
$TTL 172800 ; 2 days
example.com IN SOA kdc01.example.com root.kdc01.example.com. (
2020000000 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS kdc01.example.com.
A 10.1.2.254
MX 10 kdc01.example.com.
kdc01.example.com. A 10.1.2.110
lx01.example.com. A 10.1.2.111
lx02.example.com. A 10.1.2.112
$ORIGIN .
$TTL 86400 ; 1 day
2.1.10.in-addr.arpa IN SOA kdc01.example.com. root.kdc01.example.com. (
2020000000 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS kdc01.example.com.
110.2.1.10.in-addr.arpa. PTR kdc01.example.com.
111.2.1.10.in-addr.arpa. PTR lx01.example.com.
112.2.1.10.in-addr.arpa. PTR lx02.example.com.
root@kdc01:~# nmcli connection modify 'System enp0s3' ipv4.dns 10.1.2.110
root@kdc01:~# nmcli connection down 'System enp0s3'
root@kdc01:~# nmcli connection up 'System enp0s3'
root@kdc01:~# cat /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 10.1.2.110
root@kdc01:~#
root@kdc01:~# host kdc01.example.com
kdc01.example.com has address 10.1.2.110
root@kdc01:~# host 10.1.2.110
110.2.1.10.in-addr.arpa domain name pointer kdc01.example.com.
root@kdc01:~#
[...]
$ORIGIN ads.example.com.
@ IN NS kdc01.ads.example.com.
[...]
[...]
zone "ads.example.com" {
type forward;
forward only;
forwarders { 10.1.2.120; 10.1.2.121; };
};
[...]
root@kdc01:~# mkdir /etc/pki/CA
root@kdc01:~# mkdir -p /etc/pki/CA/newcerts
root@kdc01:~# touch /etc/pki/CA/index.txt
root@kdc01:~# echo 04 > /etc/pki/CA/serial
root@kdc01:~# cd /etc/pki/CA
root@kdc01:/etc/pki/CA# openssl req \
-x509 \
-newkey rsa:4096 \
-days 9999 \
-out /etc/pki/CA/CAcert.pem \
-keyout /etc/pki/CA/CAprivkey.pem \
-nodes
Generating a RSA private key
.........+++
..+++
writing new private key to '/etc/pki/CA/CAprivkey.pem'
-----
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:EXAMPLE
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:EXAMPLE
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:EXAMPLE.COM Root CA
Email Address []:maxm@example.com
root@kdc01:/etc/pki/CA#
root@kdc01:~# mkdir -p /etc/openldap/certs
root@kdc01:~# openssl req -new -newkey rsa:4096 -out /etc/openldap/certs/req.pem -keyout /etc/openldap/certs/privkey.pem -nodes
Generating a RSA private key
...........................+++
..+++
writing new private key to '/etc/openldap/certs/privkey.pem'
-----
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:EXAMPLE
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:EXAMPLE
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:kdc01.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@kdc01:~# chmod 400 /etc/openldap/certs/privkey.pem
root@kdc01:~# cp /etc/openldap/certs/req.pem /etc/pki/CA/kdc01-req.pem
root@kdc01:~# cd /etc/pki/CA
root@kdc01:/etc/pki/CA# openssl ca \
-in kdc01-req.pem \
-out kdc01-cert.pem \
-keyfile /etc/pki/CA/CAprivkey.pem \
-cert /etc/pki/CA/CAcert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Aug 22 03:54:07 2020 GMT
Not After : Aug 22 03:54:07 2021 GMT
Subject:
countryName = DE
stateOrProvinceName = EXAMPLE
organizationName = EXAMPLE
commonName = kdc01.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
86:2B:E3:2F:E2:FB:AB:D0:98:D4:B1:B7:20:F1:E3:33:62:33:A2:1C
X509v3 Authority Key Identifier:
keyid:E7:91:43:4E:DB:AB:14:DB:55:13:4A:DA:3C:FF:9B:1E:4D:6C:05:31
Certificate is to be certified until Aug 22 03:54:07 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
root@kdc01:/etc/pki/CA#
root@kdc01:/etc/pki/CA# cp kdc01-cert.pem /etc/openldap/certs/cert.pem
[sofl]
# Symas OpenLDAP repository. Packages are signature-checked (gpgcheck=1)
# and the signing key is fetched over HTTPS; still verify the key's
# fingerprint out of band before the first install, since whoever controls
# that URL also controls what "gpgcheck" trusts.
name=Symas OpenLDAP for Linux RPM repository
baseurl=https://repo.symas.com/repo/rpm/SOFL/rhel8
gpgkey=https://repo.symas.com/repo/gpg/RPM-GPG-KEY-symas-com-signing-key
gpgcheck=1
enabled=1
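# Minimal cn=config bootstrap, loaded with "slapadd -n 0".
# LDIF records are separated by blank lines; without them slapadd would read
# the three entries below as one malformed record.
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /var/run/openldap/slapd.pid
olcArgsFile: /var/run/openldap/slapd.args

# Frontend rules apply to every database: anonymous read of the root DSE and
# of the schema only; anything else is denied unless a database grants it.
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=subschema" by * read
olcAccess: to * by * none

# The configuration database is managed exclusively by root over the local
# ldapi:/// socket (SASL EXTERNAL with peer credentials uid 0 / gid 0).
# No olcRootPW is set here, so there is no config password that could leak.
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none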
root@kdc01:~# rm -rf /etc/openldap/slapd.d/*
root@kdc01:~# slapadd -n 0 -F /etc/openldap/slapd.d -l listing-7.13.ldif
_############### 100.00% eta none elapsed none fast!
Closing DB...
root@kdc01:~# slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/core.ldif
_############### 100.00% eta none elapsed none fast!
Closing DB...
root@kdc01:~# chown -R ldap: /etc/openldap/slapd.d
root@kdc01:~# restorecon -R /etc/openldap/slapd.d
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
adding new entry "cn=cosine,cn=schema,cn=config"
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
adding new entry "cn=nis,cn=schema,cn=config"
root@kdc01:~# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root@kdc01:~#
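# Data backend (mdb) for dc=example,dc=com.
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
# Equality indexes for the attributes that account lookups filter on
# ("uid=maxm", uidNumber/gidNumber, group membership). Without them every
# such search scans the whole database and slapd warns "... not indexed".
olcDbIndex: objectClass eq
olcDbIndex: uid,uidNumber,gidNumber eq
olcDbIndex: cn,memberUid eq
# Password attributes: writable by root over ldapi (peercred), by the
# "LDAP Read Write" group and by the entry itself; "anonymous auth" lets a
# simple bind compare the password without ever returning it.
# NOTE(review): "LDAP Read Only" is granted *read* on userPassword, i.e. its
# members can export every password hash for offline cracking. Unless that
# group is meant for a replication consumer, "auth" is the safer level.
# Clauses match in order, so a user who is also in that group gets "read"
# here and never reaches the later "self write".
olcAccess: to attrs=userPassword,shadowLastChange
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
  by anonymous auth
  by self write
  by * none
# POSIX account and group attributes: readable by every authenticated user
# (needed for getpwnam/getgrnam on the clients); anonymous may only bind.
# The continuation lines of the attribute list start with a single space so
# that the joined value contains no blanks.
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,
 loginShell,member,memberUid,objectClass,ou,sn,uid,
 uidNumber,uniqueMember,entry
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by users read
  by anonymous auth
  by * none
# Everything else is visible only to root (ldapi) and the two groups.
olcAccess: to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
  by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
  by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
  by * none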
root@kdc01:~# slappasswd
New password: P@ssw0rd
Re-enter new password: P@ssw0rd
{SSHA}juTKEw47N6WSbPD+JhIL8mFUomomb+2l
root@kdc01:~#
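# Base tree for the lab directory: suffix entry, an administrative identity
# and the two groups that the olcAccess rules of the mdb database name.
# Records are separated by blank lines as LDIF requires.
dn: dc=example,dc=com
objectClass: domain
dc: example

# Administrative bind DN. The value is the slappasswd output from the
# previous listing ({SSHA} = salted SHA-1, the OpenLDAP default scheme).
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword: {SSHA}juTKEw47N6WSbPD+JhIL8mFUomomb+2l

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

# groupOfNames MUST carry "cn", and slapd rejects an entry whose RDN
# attribute value is missing (namingViolation), so the naming attribute is
# given explicitly - as it already is for every other entry in this file.
dn: cn=LDAP Read Write,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: LDAP Read Write
member: cn=admin,dc=example,dc=com

# cn=admin is a member of both groups; the ACLs already grant it write
# access through "LDAP Read Write", so this second membership is redundant
# but harmless.
dn: cn=LDAP Read Only,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: LDAP Read Only
member: cn=admin,dc=example,dc=com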
root@kdc01:~# ldapsearch -H ldap://kdc01.example.com -b dc=example,dc=com -D cn=admin,dc=example,dc=com -W -x -LLL '(cn=admin)'
Enter LDAP Password: P@ssw0rd
dn: cn=admin,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: admin
userPassword:: e1NTSEF9anVUS0V3NDdONldTYlBEK0poSUw4bUZVb21
vbWIrMmw=
root@kdc01:~#
URI ldap://kdc01.example.com
BASE dc=example,dc=com
# Enable TLS on the running slapd (applied with ldapmodify against cn=config).
dn: cn=config
changetype: modify
# CA that issued the server certificate. NOTE(review): this path differs
# from where the CA certificate was created (/etc/pki/CA/CAcert.pem); the
# file presumably has to be copied here first - verify it exists.
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/CAcert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
# Private key. It was chmod 400 as root earlier; NOTE(review): confirm that
# the account slapd runs as (ldap, cf. the chown of slapd.d) can still read
# it, otherwise TLS initialisation fails.
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/privkey.pem
-
replace: olcTLSDHParamFile
olcTLSDHParamFile: /etc/openldap/dhparam
-
# 3.4 = TLS 1.3; anything older, including TLS 1.2, is refused.
replace: olcTLSProtocolMin
olcTLSProtocolMin: 3.4
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH
-
# Treat the local ldapi:/// socket as 128-bit protected, so root's
# peercred (SASL EXTERNAL) binds satisfy the ssf=128 requirement below.
replace: olcLocalSSF
olcLocalSSF: 128
-
# Refuse every operation that is not protected by at least 128-bit TLS (or
# ldapi). Plain ldap:// sessions that do not StartTLS are thereby rejected,
# so the earlier clear-text URI in ldap.conf stops working on purpose.
replace: olcSecurity
olcSecurity: ssf=128
-
# Request, but do not require, a client certificate.
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
# Client defaults (presumably /etc/openldap/ldap.conf): LDAPS only, server
# certificate verified against the lab CA.
URI ldaps://kdc01.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/CAcert.pem
# "demand": abort the connection if the server presents no certificate or
# one that does not validate. Never relax this to "allow"/"never" outside
# a throw-away lab - it silently disables authentication of the server.
TLS_REQCERT demand
TLS_CIPHER_SUITE HIGH
# 3.4 = TLS 1.3, matching olcTLSProtocolMin on the server.
TLS_PROTOCOL_MIN 3.4
kdc01:~# dnf install krb5-server krb5-workstation
[...]
kdc01:~# systemctl stop krb5kdc
kdc01:~# systemctl stop kadmin
kdc01:~# mv /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.BACKUP
kdc01:~# mv /etc/krb5.conf /etc/krb5.conf.BACKUP
root@kdc01:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 25; echo
KEnfGfVU1LKQoZrKSBF65yfVN
root@kdc01:~#
[kdcdefaults]
Parameter-1 = Wert-1
...
[realms]
RealmA = {
RealmA-Parameter-1 = Wert-1
RealmA-Parameter-2 = Wert-2
...
}
RealmB = {
RealmB-Parameter-1 = Wert-1
RealmB-Parameter-2 = Wert-2
databasemodule = DBSectionX
...
}
...
[dbdefaults]
Parameter-1 = Wert-1
...
[dbmodules]
RealmA = {
RealmA-Parameter-1 = Wert-1
RealmA-Parameter-2 = Wert-2
...
}
DBSectionX = {
DBSectionX-Parameter-1 = Wert-1
DBSectionX-Parameter-2 = Wert-2
...
}
[logging]
kdc = Log-Datei
admin_server = Log-Datei
# /var/kerberos/krb5kdc/kdc.conf for the EXAMPLE.COM realm.
[kdcdefaults]
# Port 88 over UDP and TCP, on all addresses of the host.
kdc_listen = 88
kdc_tcp_listen = 88
[realms]
EXAMPLE.COM = {
# Who may administer the realm through kadmind (see the kadm5.acl listing).
acl_file = /var/kerberos/krb5kdc/kadm5.acl
# Without a stash file the KDC asks for the master key at start-up; the
# default stash is created later with "kdb5_util stash".
#key_stash_file = /var/kerberos/krb5kdc/stash
# Tickets are valid for 10 hours and renewable for up to 7 days.
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
# "aes256-cts" is the alias of aes256-cts-hmac-sha1-96 (cf. the "Key:"
# lines in the getprinc output); the SHA-2 variant
# aes256-cts-hmac-sha384-192 shown with string2key is not used here.
master_key_type = aes256-cts
# Only AES-256 and Camellia-256 keys are generated: no DES, no RC4.
supported_enctypes = aes256-cts:normal camellia256-cts:normal
# Every new principal requires pre-authentication, so an attacker cannot
# request password-encrypted AS-REP material for offline cracking.
default_principal_flags = +preauth
}
[dbmodules]
EXAMPLE.COM = {
db_library = db2
database_name = /var/kerberos/krb5kdc/principal
}
[logging]
# KDC and kadmind log to syslog, facility AUTH.
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
kdc01:~# kdb5_util -r EXAMPLE.COM create
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Re-enter KDC database master key to verify: KEnfGfVU1LKQoZrKSBF65yfVN
kdc01:~#
kdc01:~# kadmin.local -m -r EXAMPLE.COM
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kadmin.local: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
kiprop/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin.local: quit
kdc01:~#
kdc01:~# kadmin.local -m -r EXAMPLE.COM
Authenticating as principal root/admin@EXAMPLE.COM with password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kadmin.local: addprinc user
WARNING: no policy specified for user@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user@EXAMPLE.COM": P@ssw0rd
Re-enter password for principal "user@EXAMPLE.COM": P@ssw0rd
Principal "user@EXAMPLE.COM" created.
kadmin.local: addprinc user/admin
WARNING: no policy specified for user/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "user/admin@EXAMPLE.COM": P@ssw0rd
Re-enter password for principal "user/admin@EXAMPLE.COM": P@ssw0rd
Principal "user/admin@EXAMPLE.COM" created.
kadmin.local: quit
kdc01:~#
kdc01:~# kdb5_util -r EXAMPLE.COM stash
kdb5_util: Can not fetch master key (error: No such file or directory). while reading master key
kdb5_util: Warning: proceeding without master key
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
kdc01:~#
# /etc/krb5.conf on the clients: default realm, KDC and name-to-realm map.
# NOTE(review): MIT krb5 canonicalises a service host name through reverse
# DNS before building the host/... principal unless "rdns = false" is set
# here; whoever can influence the PTR answer can then steer a client to a
# different service key. Consider adding "rdns = false" to [libdefaults].
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
admin_server = kdc01.example.com
}
# Static mapping of every host below example.com (and the bare domain) to
# the realm, so no DNS-based realm lookup is needed.
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
root@lx01:~# kinit user@EXAMPLE.COM
Password for user@EXAMPLE.COM: P@ssw0rd
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM
Valid starting Expires Service principal
08/22/2021 13:46:23 08/22/2021 23:46:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/23/2021 13:46:21
root@lx01:~#
# Kommentarzeile
Principal Zugriffsmaske [Zugriffsziel [Restriktionen]]
Principal Zugriffsmaske [Zugriffsziel [Restriktionen]]
[...]
# Full access for every */admin principal from EXAMPLE.COM.
# NOTE(review): "*" grants every privilege - adding principals, changing any
# key, modifying policies - to anything whose name matches */admin, including
# principals created later by any of those admins. Narrow it with a target
# principal and restrictions (third and fourth column) once the set of
# administrators is known.
*/admin@EXAMPLE.COM *
KADMIND_ARGS="-r EXAMPLE.COM"
lx01:~# kadmin -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: listprincs
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
kiprop/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
user/admin@EXAMPLE.COM
user@EXAMPLE.COM
kadmin: quit
lx01:~#
lx01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: addpolicy -maxlife 30days -minlife 1day -minlength 10 -minclasses 3 -history 10 admin
kadmin: addpolicy -maxlife 180days -minlife 1day -minlength 8 -minclasses 2 -history 10 default
kadmin: listpolicies
admin
default
kadmin: getpolicy admin
Policy: admin
Maximum password life: 30 days 00:00:00
Minimum password life: 1 day 00:00:00
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 10
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin: getpolicy default
Policy: default
Maximum password life: 180 days 00:00:00
Minimum password life: 1 day 00:00:00
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 10
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin: quit
lx01:~#
root@kdc01:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: P@ssw0rd
kadmin: modpol -maxfailure 3 -lockoutduration 600 -failurecountinterval 60 default
kadmin: quit
root@kdc01:~#
root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: modpol -maxfailure 3 -lockoutduration 600 -failurecountinterval 60 default
kadmin: quit
root@kdc01:~#
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: secret
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: geheim
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: password
kinit: Password incorrect while getting initial credentials
root@kdc01:~# kinit maxm
kinit: Clients credentials have been revoked while getting initial credentials
root@kdc01:~#
root@kdc01:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: P@ssw0rd
kadmin: getprinc maxm
Principal: maxm@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Aug 26 19:37:26 CEST 2020
Password expiration date: Mon Feb 22 18:37:26 CET 2021
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Aug 26 19:37:26 CEST 2020 (kadmind@EXAMPLE.COM)
Last successful authentication: Wed Aug 26 19:51:06 CEST 2020
Last failed authentication: Wed Aug 26 21:24:29 CEST 2020
Failed password attempts: 3
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default
kadmin: quit
root@kdc01:~#
root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: getprinc maxm
Principal: maxm@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Aug 26 19:37:26 CEST 2020
Password expiration date: Mon Feb 22 18:37:26 CET 2021
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Aug 26 19:37:26 CEST 2020 (kadmind@EXAMPLE.COM)
Last successful authentication: Wed Aug 26 19:51:06 CEST 2020
Last failed authentication: Wed Aug 26 21:24:29 CEST 2020
Failed password attempts: 3
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, camellia256-cts-cmac
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default
kadmin: quit
root@kdc01:~#
lx01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: modifyprincipal -policy default user
Principal "user@EXAMPLE.COM" modified.
kadmin: modifyprincipal -policy admin user/admin
Principal "user/admin@EXAMPLE.COM" modified.
kadmin: modifyprincipal -allowsvr user
Principal "user@EXAMPLE.COM" modified.
kadmin: modifyprincipal -allowsvr user/admin
Principal "user/admin@EXAMPLE.COM" modified.
[...]
[...]
kadmin.local: addprincipal -policy default -pw Start123 maxm
Principal "maxm@EXAMPLE.COM" created.
kadmin.local: addprincipal -policy default -pw Start123 erim
Principal "erim@EXAMPLE.COM" created.
kadmin.local: addprincipal -policy admin -pw Start12345 maxm/admin
Principal "maxm/admin@EXAMPLE.COM" created.
kadmin.local: modifyprincipal -allowsvr +needchange maxm
Principal "maxm@EXAMPLE.COM" modified.
kadmin.local: modifyprincipal -allowsvr +needchange erim
Principal "erim@EXAMPLE.COM" modified.
kadmin.local: modifyprincipal -allowsvr +needchange maxm/admin
Principal "maxm/admin@EXAMPLE.COM" modified.
[...]
lx01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: Start123
Password expired. You must change it now.
Enter new password: P@ssw0rd
Enter it again: P@ssw0rd
lx01:~#
[...]
kadmin: addprincipal -clearpolicy -randkey host/lx01.example.com
Principal "host/lx01.example.com@EXAMPLE.COM" created.
[...]
[...]
kadmin: ktadd -k /etc/krb5.keytab host/lx01.example.com
Entry for principal host/lx01.example.com with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
kadmin:
kadmin: quit
lx01:~#
root@lx01:~# ktutil
ktutil: readkt /etc/krb5.keytab
ktutil: list -e -k
slot KVNO Principal
---- ---- ------------------------------------------------
1 2 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807)
2 2 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac) (0x5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90)
ktutil: addentry -key -k 2 -e aes256-cts-hmac-sha1-96 -p dummy/lx01.example.com@EXAMPLE.COM
Key for dummy/lx01.example.com@EXAMPLE.COM (hex): 3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807
ktutil: addentry -key -k 2 -e camellia256-cts-cmac -p dummy/lx01.example.com@EXAMPLE.COM
Key for dummy/lx01.example.com@EXAMPLE.COM (hex): 5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90
ktutil: list -e -k
slot KVNO Principal
---- ---- ------------------------------------------------
1 2 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807)
2 2 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac) (0x5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90)
3 2 dummy/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x3e9e415516a0573daef999d03e982b686946a7c44d04fb2ceb3717c587c56807)
4 2 dummy/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac) (0x5def981c963abcf36cd7fedaf56b1e760a0989d538401f058fcc5638ab3f1d90)
ktutil: writekt /etc/krb5.keytab.new
ktutil: quit
root@lx01:~# mv /etc/krb5.keytab.new /etc/krb5.keytab
mv: overwrite '/etc/krb5.keytab'? y
root@lx01:~#
root@lx01:~# ktutil
ktutil: addentry -password -p erim@EXAMPLE.COM -k 2 -e aes256-cts-hmac-sha1-96
Password for erim@EXAMPLE.COM: P@ssw0rd
ktutil: list -k -e
slot KVNO Principal
---- ---- ------------------------------------------------
1 2 erim@EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x479bb8dd2f99cee4cca5e1c27943109c254a9b59646bf13db58296521ff695d4)
ktutil: writekt erim.keytab
ktutil: quit
root@lx01:~#
lx01:~# kadmin -k -t /etc/krb5.keytab -q 'ktadd -k /etc/krb5.keytab host/lx01.example.com@EXAMPLE.COM'
Authenticating as principal host/lx01.example.com@EXAMPLE.COM with keytab /etc/krb5.keytab.
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/lx01.example.com@EXAMPLE.COM with kvno 3, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
lx01:~#
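#!/bin/sh
# Rotate the host keytab: drop the keys of the previous kvno, then obtain a
# new key from the KDC (k5srvutil authenticates with the keytab's own
# current key, as the kadmin -k -t run in the previous listing shows).
#
# "delold" runs *before* "change" on purpose: after the run the keytab holds
# the current kvno plus the new one, so tickets issued against the current
# key keep working until the next rotation; the kvno before that is gone.
#
# The keytab is the host's long-term secret. Every file written here is
# created with mode 0600 regardless of the caller's umask or a pre-existing
# backup, and the script stops at the first failing step so a half-rotated
# keytab is never left behind silently.
set -eu
umask 077

# Override with KEYTAB=/path ./rotate-keytab.sh; default is the system keytab.
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
BACKUP="$KEYTAB.BAK"

# Print a message to stderr and abort.
die() {
  printf '%s: %s\n' "$0" "$*" >&2
  exit 1
}

[ -r "$KEYTAB" ] || die "cannot read $KEYTAB"

# Backup with the original's ownership/permissions (-p), then make sure the
# copy is not readable by anyone else even if an older backup existed.
/bin/cp -pf "$KEYTAB" "$BACKUP" || die "backup to $BACKUP failed"
chmod 600 "$BACKUP" || die "cannot restrict permissions on $BACKUP"

# delete old keys:
/usr/bin/k5srvutil -f "$KEYTAB" delold || die "k5srvutil delold failed"
# change keys:
/usr/bin/k5srvutil -f "$KEYTAB" change || die "k5srvutil change failed"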
root@lx01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kinit
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~#
root@lx01:~# klist -f -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
08/25/2021 20:03:17 08/26/2021 06:03:17 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/26/2021 20:03:15, Flags: RIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
root@lx01:~#
root@lx01:~# export KRB5CCNAME=DIR:/tmp/mycache
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kinit maxm
Password for maxm@EXAMPLE.COM: P@ssw0rd
root@lx01:~# klist -l
Principal name Cache name
-------------- ----------
erim@EXAMPLE.COM DIR::/tmp/mycache/tkt0Hw7kC
maxm@EXAMPLE.COM DIR::/tmp/mycache/tktFbyiQ7
root@lx01:~# kswitch -p erim
root@lx01:~# klist
Ticket cache: DIR::/tmp/mycache/tkt0Hw7kC
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
07/19/2021 14:58:21 07/20/2021 00:58:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/20/2021 14:58:19
root@lx01:~# kswitch -p maxm
root@lx01:~# klist
Ticket cache: DIR::/tmp/mycache/tktFbyiQ7
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
07/19/2021 14:58:27 07/20/2021 00:58:27 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/20/2021 14:58:24
root@lx01:~# klist -A
Ticket cache: DIR::/tmp/mycache/tktFbyiQ7
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
07/19/2021 14:58:27 07/20/2021 00:58:27 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/20/2021 14:58:24
Ticket cache: DIR::/tmp/mycache/tkt0Hw7kC
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
07/19/2021 14:58:21 07/20/2021 00:58:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/20/2021 14:58:19
root@lx01:~#
root@lx01:~# klist -k -t -e -K
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- -----------------------------------
4 08/25/20 19:10:31 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x010348c6ce0d1a2e2f36b8e3768353f94f65dce6ecb90678fef874fe07586a8c)
4 08/25/20 19:10:31 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac) (0x5aa971b82c7295f866b5b215946119bdcb2f8ebe4fe1a88d27908d31e5787779)
3 08/25/20 19:07:32 host/lx01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) (0x3796fceb82be47b4ae13d443bef369b3d84c8d709a07501e92b7200fc7707767)
3 08/25/20 19:07:32 host/lx01.example.com@EXAMPLE.COM (camellia256-cts-cmac) (0x4aa25d9134373903717b11a59b9e041927d53951c5f0acc357cf74bf51cfac7e)
root@lx01:~# kinit -k host/lx01.example.com@EXAMPLE.COM
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/lx01.example.com@EXAMPLE.COM
Valid starting Expires Service principal
08/25/2021 20:28:50 08/26/2021 06:28:50 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/26/2021 20:28:50
root@lx01:~#
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kvno host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
08/25/2021 20:32:22 08/26/2021 06:32:22 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/26/2021 20:32:19
08/25/2021 20:32:34 08/26/2021 06:32:22 host/lx01.example.com@EXAMPLE.COM
renew until 08/26/2021 20:32:19
root@lx01:~#
root@lx01:~# kinit erim
Password for erim@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kvno -e aes256-cts host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4
root@lx01:~# kvno -e camellia256-cts host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4
root@lx01:~# kvno -e arcfour-hmac host/lx01.example.com
kvno: KDC has no support for encryption type while getting credentials for host/lx01.example.com@EXAMPLE.COM
root@lx01:~# kvno -k /etc/krb5.keytab host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 4, keytab entry valid
root@lx01:~#
root@lx01:~# kpasswd maxm
Password for maxm@EXAMPLE.COM: P@ssw0rd
Enter new password: Geheim123
Enter it again: Geheim123
Password changed.
root@lx01:~#
root@lx01:~# kdestroy
root@lx01:~#
root@lx01:~# k5start -b -u host/lx01.example.com \
-k /var/cache/krb5cc/krb5ccmyapp \
-f /etc/krb5.keytab \
-g myapp -o myapp -K 1
root@lx01:~#
root@lx01:~# k5start -u host/lx01.example.com \
-k /var/cache/krb5cc/krb5ccmyapp \
-f /etc/krb5.keytab \
-g myapp -o myapp -H 240
root@lx01:~#
[Abschnitt-1]
Parameter-1 = Wert-1
Parameter-2 = Wert-2
...
[Abschnitt-2]
Parameter-3 = Wert-3
Parameter-4 = Wert-4
Unterabschnitt-A = {
Parameter-5 = Wert-5
Parameter-6 = Wert-6
...
}
Unterabschnitt-B = {
Parameter-7 = Wert-7
Parameter-8 = Wert-8
...
}
...
[Abschnitt-3]
...
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
EXAMPLE.COM = {
Parameter-1 = Wert-1
Parameter-2 = Wert-2
...
}
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com:88
kdc = kdc02.example.com:88
master_kdc = kdc01.example.com:88
admin_server = kdc01.example.com:749
kpasswd_server = kdc01.example.com:464
}
[realms]
EXAMPLE.COM = {
admin_server = kdc01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
server.test.example.com = EXAMPLE.COM
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: erim@EXAMPLE.COM
Valid starting Expires Service principal
08/26/2021 01:47:55 08/26/2021 11:47:51 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/28/2021 01:47:55
08/26/2021 01:48:09 08/26/2021 11:47:51 host/lx01.example.com@
renew until 08/28/2021 01:47:55
08/26/2021 01:48:09 08/26/2021 11:47:51 host/lx01.example.com@EXAMPLE.COM
renew until 08/28/2021 01:47:55
root@lx01:~#
[appdefaults]
Anwendung-1 = {
Realm-A = {
Parameter-1 = Wert-1
Parameter-2 = Wert-2
...
}
Realm-B = {
Parameter-1 = Wert-3
Parameter-2 = Wert-4
...
}
}
Anwendung-2 = {
Parameter-1 = Wert-5
Parameter-2 = Wert-6
...
}
Realm-A = {
Parameter-1 = Wert-7
Parameter-2 = Wert-8
...
}
Realm-B = {
Parameter-1 = Wert-9
Parameter-2 = Wert-10
...
}
Parameter-1 = Wert-11
Parameter-2 = Wert-12
...
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
EXAMPLE.COM = {
admin_server = kdc01.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[...]
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos-master._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos-master._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc01.example.com.
[...]
_kerberos.example.com TXT "EXAMPLE.COM"
root@kdc01:~# mkdir /var/kerberos/krb5kdc-backup
root@kdc01:~# chmod 700 /var/kerberos/krb5kdc-backup
0 3 * * * root /usr/sbin/kdb5_util dump "/var/kerberos/krb5kdc-backup/kdb-backup-$(date +\%Y-\%m-\%d)"
root@kdc02:~# kadmin -p maxm/admin
Authenticating as principal maxm/admin with password.
Password for maxm/admin@EXAMPLE.COM: P@ssw0rd
kadmin: addprincipal -clearpolicy -randkey host/kdc02.example.com
Principal "host/kdc02.example.com@EXAMPLE.COM" created.
kadmin: ktadd -k /etc/krb5.keytab host/kdc02.example.com@EXAMPLE.COM
Entry for principal host/kdc02.example.com@EXAMPLE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/kdc02.example.com@EXAMPLE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/krb5.keytab.
kadmin: quit
root@kdc02:~#
root@kdc01:~# /usr/sbin/kprop -f /var/kerberos/krb5kdc/kdbrepldata kdc02.example.com
Database propagation to kdc02.example.com: SUCCEEDED
[...]
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
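#!/bin/sh
# Dump the KDC database and push the dump to every replica KDC with kprop.
# REPLICA_KDCS is a whitespace-separated host list and is therefore expanded
# unquoted in the loop on purpose.
set -u
# The dump contains the principal keys; keep the file private.
umask 077

REPLICA_KDCS="kdc02.example.com"
REPLDATA="/var/kerberos/krb5kdc/kdb_repldata"

# A failed or partial dump must not be propagated: stop here instead.
/usr/sbin/kdb5_util dump "$REPLDATA" || {
  printf 'kdb5_util dump to %s failed, skipping propagation\n' "$REPLDATA" >&2
  exit 1
}

# Try every replica even if one fails, and report the failure through the
# exit status so that cron mails it.
rv=0
for kdc in $REPLICA_KDCS; do
  /usr/sbin/kprop -f "$REPLDATA" "$kdc" || {
    printf 'kprop to %s failed\n' "$kdc" >&2
    rv=1
  }
done
exit "$rv"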
root@kdc01:~# echo 'include /usr/share/doc/krb5-server-ldap/kerberos.schema' > slapd.conf
root@kdc01:~#
root@kdc01:~# mkdir slapd.d
root@kdc01:~# slaptest -f slapd.conf -F slapd.d
config file testing succeeded
root@kdc01:~#
root@kdc01:~# cp 'slapd.d/cn=config/cn=schema/cn={0}kerberos.ldif' kerberos.ldif
dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1
NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1
NAME 'krbCanonicalName'
EQUALITY caseExactIA5Match
SUBSTR caseExactSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
[...]
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1
NAME 'krbTicketPolicyAux'
SUP top
AUXILIARY
MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) )
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1
NAME 'krbTicketPolicy'
SUP top STRUCTURAL MUST cn )
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krbPrincipalName eq
olcDbIndex: krbPwdPolicyReference eq
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size=unlimited
[kdcdefaults]
kdc_listen = 88
kdc_tcp_listen = 88
[realms]
EXAMPLE.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
key_stash_file = /var/kerberos/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal camellia256-cts:normal
default_principal_flags = +preauth
database_module = openldap_ldapconf
}
[dbmodules]
#EXAMPLE.COM = {
# db_library = db2
# database_name = /var/lib/krb5kdc/principal
#}
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "cn=mit-kerberos,dc=example,dc=com"
ldap_kdc_sasl_mech = EXTERNAL
ldap_kadmind_sasl_mech = EXTERNAL
ldap_servers = "ldapi:///"
ldap_conns_per_server = 5
}
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
root@kdc01:~# kdb5_ldap_util create -r EXAMPLE.COM -s -sscope sub
Initializing database for realm 'EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: KEnfGfVU1LKQoZrKSBF65yfVN
Re-enter KDC database master key to verify: KEnfGfVU1LKQoZrKSBF65yfVN
root@kdc01:~#
root@kdc01:~# kdb5_util load -update example.com.dump
root@kdc01:~# kadmin.local listprincs
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
erim@EXAMPLE.COM
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
host/lx01.example.com@EXAMPLE.COM
maxm/admin@EXAMPLE.COM
maxm@EXAMPLE.COM
user/admin@EXAMPLE.COM
user@EXAMPLE.COM
root@kdc01:~# kadmin.local listpolicies
admin
default
root@kdc01:~# systemctl start krb5kdc
root@kdc01:~# systemctl start kadmin
root@kdc01:~# kinit maxm
Password for maxm@EXAMPLE.COM: P@ssw0rd
root@kdc01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
08/26/2021 19:26:03 08/27/2021 05:26:01 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/28/2021 19:26:03
root@kdc01:~#
[Unit]
After=syslog.target network.target network-online.target slapd.service
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Max Mustermann
sn: Mustermann
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: Erika Musterfrau
sn: Musterfrau
root@kdc01:~# kdb5_ldap_util modify -r EXAMPLE.COM -subtrees ou=people,dc=example,dc=com
root@kdc01:~# systemctl restart krb5kdc
root@kdc01:~# systemctl restart kadmin
root@kdc01:~#
root@kdc01:~# kadmin -p user/admin
Authenticating as principal user/admin with password.
Password for user/admin@EXAMPLE.COM: P@ssw0rd
kadmin: deleteprincipal -force maxm@EXAMPLE.COM
Principal "maxm@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: addprincipal -x dn="cn=Max Mustermann,ou=people,dc=example,dc=com" -policy default -pw Start123 maxm
Principal "maxm@EXAMPLE.COM" created.
kadmin: modifyprincipal -allowsvr +needchange maxm
Principal "maxm@EXAMPLE.COM" modified.
kadmin: quit
root@kdc01:~#
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: Max Mustermann
sn: Mustermann
krbLoginFailedCount: 0
krbPrincipalName: maxm@EXAMPLE.COM
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,
cn=mit-kerberos,dc=example,dc=com
krbPrincipalKey:: MIHGoAMCAQGhAwIBAaIDAgEBowMCAQGkga8wgaww
VKAHMAWgAwIBAKFJMEegAwIBEqFABD4gAAelpEL3IIfN66uhW3Nah7wy8
mghXeDQRNwIXX4zBxt/BDP7XrH+sWteJJxOtw25giEN80ll/2JwBfzlzj
BUoAcwBaADAgEAoUkwR6ADAgEaoUAEPiAAbwLIWte4SjDPJQap+c8LSvO
plZbLCKXnJ7CK4rSVMY6UmjE5BlOTNSygIcSMAzCfwDcHbJaROu4uyHta
krbLastPwdChange: 20200826173131Z
krbTicketFlags: 4736
krbExtraData:: AAKLnEZfdXNlci9hZG1pbkBFWEFNUExFLkNPTQA=
krbExtraData:: AAgBAA==
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: mmuster@EXAMPLE.COM
krbPrincipalName: max@EXAMPLE.COM
krbPrincipalName: mustermann@EXAMPLE.COM
-
add: krbCanonicalName
krbCanonicalName: maxm@EXAMPLE.COM
dn: krbPrincipalName=host/lx01.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=mit-kerberos,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: host/lx01@EXAMPLE.COM
-
add: krbCanonicalName
krbCanonicalName: host/lx01.example.com@EXAMPLE.COM
root@lx01:~# kinit -C mmuster
Password for mmuster@EXAMPLE.COM: P@ssw0rd
root@lx01:~# kvno host/lx01.example.com
host/lx01.example.com@EXAMPLE.COM: kvno = 2
root@lx01:~# kvno host/lx01
host/lx01@EXAMPLE.COM: kvno = 2
root@lx01:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@EXAMPLE.COM
Valid starting Expires Service principal
07/25/2021 11:49:47 07/25/2021 21:49:44 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 08/01/2021 11:49:44
07/25/2021 11:49:58 07/25/2021 21:49:44 host/lx01.example.com@EXAMPLE.COM
renew until 08/01/2021 11:49:44
07/25/2021 11:49:59 07/25/2021 21:49:44 host/lx01@EXAMPLE.COM
renew until 08/01/2021 11:49:44
root@lx01:~#
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModuleLoad: syncprov.la
dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 0x001 ldaps://kdc01.example.com
olcServerID: 0x002 ldaps://kdc02.example.com
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=dbroot,cn=config
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=dbroot,dc=example,dc=com
dn: cn=LDAP Read Only,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: CN=kdc01.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE
member: CN=kdc02.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0, cn=peercred,cn=external,cn=auth" manage
by dn.base="CN=kdc01.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE" read
by dn.base="CN=kdc02.example.com,O=EXAMPLE,ST=EXAMPLE,C=DE" read
by * none
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl:
rid=001
provider=ldaps://kdc01.example.com
bindmethod=sasl
saslmech=EXTERNAL
tls_cacert=/etc/openldap/CAcert.pem
tls_reqcert=demand
tls_protocol_min=3.4
tls_cert=/etc/openldap/certs/cert.pem
tls_key=/etc/openldap/certs/privkey.pem
tls_cipher_suite=HIGH
searchbase="cn=config"
type=refreshAndPersist
interval=00:00:00:10
retry="10 +"
olcSyncRepl:
rid=002
provider=ldaps://kdc02.example.com
bindmethod=sasl
saslmech=EXTERNAL
tls_cacert=/etc/openldap/CAcert.pem
tls_reqcert=demand
tls_protocol_min=3.4
tls_cert=/etc/openldap/certs/cert.pem
tls_key=/etc/openldap/certs/privkey.pem
tls_cipher_suite=HIGH
searchbase="cn=config"
type=refreshAndPersist
interval=00:00:00:10
retry="10 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl:
rid=003
provider=ldaps://kdc01.example.com
bindmethod=sasl
saslmech=EXTERNAL
tls_cacert=/etc/openldap/CAcert.pem
tls_reqcert=demand
tls_protocol_min=3.4
tls_cert=/etc/openldap/certs/cert.pem
tls_key=/etc/openldap/certs/privkey.pem
tls_cipher_suite=HIGH
searchbase="dc=example,dc=com"
type=refreshAndPersist
interval=00:00:00:10
retry="10 +"
olcSyncRepl:
rid=004
provider=ldaps://kdc02.example.com
bindmethod=sasl
saslmech=EXTERNAL
tls_cacert=/etc/openldap/CAcert.pem
tls_reqcert=demand
tls_protocol_min=3.4
tls_cert=/etc/openldap/certs/cert.pem
tls_key=/etc/openldap/certs/privkey.pem
tls_cipher_suite=HIGH
searchbase="dc=example,dc=com"
type=refreshAndPersist
interval=00:00:00:10
retry="10 +"
-
replace: olcMirrorMode
olcMirrorMode: TRUE
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
root@kdc02:~# systemctl stop slapd
root@kdc02:~# mv /etc/openldap/slapd.d /etc/openldap/slapd.d.OLD
root@kdc02:~# mkdir /etc/openldap/slapd.d
root@kdc02:~# slapadd -F /etc/openldap/slapd.d/ -n 0 -l config.ldif
root@kdc02:~# chown -R ldap:ldap /etc/openldap/slapd.d/
root@kdc02:~# restorecon -r /etc/openldap/slapd.d
root@kdc02:~# systemctl start slapd
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kerberos._udp.EXAMPLE.COM. SRV 0 0 88 kdc02.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. SRV 0 0 464 kdc02.example.com.
root@kdc01.h5l:~# systemctl stop heimdal-kdc
root@kdc01.h5l:~# systemctl stop heimdal-kadmind
root@kdc01.h5l:~# systemctl stop heimdal-kpasswdd
root@kdc01.h5l:~# mkdir /etc/BACKUP-heimdal
root@kdc01.h5l:~# mv /etc/krb5.conf /etc/heimdal-* /etc/BACKUP-heimdal/
[libdefaults]
default_realm = H5L.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
H5L.EXAMPLE.COM = {
admin_server = kdc01.h5l.example.com
}
[domain_realm]
.h5l.example.com = H5L.EXAMPLE.COM
h5l.example.com = H5L.EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
[kdc]
database = {
realm = H5L.EXAMPLE.COM
dbname = /var/heimdal/heimdal
acl_file = /etc/heimdal-kadmind.acl
mkey_file = /var/heimdal/m-key
}
ports = 88
require-preauth = true
[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
root@kdc01.h5l:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 25; echo
T6MBognnJGT6c37bL6dIeqqJW
root@kdc01.h5l:~#
root@kdc01.h5l:~# kstash --key-file=/var/heimdal/m-key --enctype=aes256-cts-hmac-sha1-96
Master key: T6MBognnJGT6c37bL6dIeqqJW
Verifying - Master key: T6MBognnJGT6c37bL6dIeqqJW
kstash: writing key to `/var/heimdal/m-key'
root@kdc01.h5l:~#
root@kdc01.h5l:~# kadmin -l
kadmin> init H5L.EXAMPLE.COM
Realm max ticket life [unlimited]:10hours
Realm max renewable ticket life [unlimited]:7days
kadmin> quit
root@kdc01.h5l:~#
root@kdc01.h5l:~# kadmin -l
kadmin> list *
default
kadmin/admin
kadmin/hprop
kadmin/changepw
changepw/kerberos
WELLKNOWN/ANONYMOUS
krbtgt/H5L.EXAMPLE.COM
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L
kadmin> add user
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user@H5L.EXAMPLE.COM's Password: P@ssw0rd
Verifying - user@H5L.EXAMPLE.COM's Password: P@ssw0rd
kadmin> add user/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
Verifying - user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
kadmin> quit
root@kdc01.h5l:~#
# Kommentarzeile
Principal Zugriffsmaske [Zugriffsziel]
Principal Zugriffsmaske [Zugriffsziel]
[...]
# Vollzugriff fuer user/admin aus der H5L.EXAMPLE.COM:
user/admin@H5L.EXAMPLE.COM all
root@lx01.h5l:~# kadmin -p user/admin
kadmin> add --attributes=disallow-svr,requires-pw-change maxm
user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Policy [default]:
maxm@H5L.EXAMPLE.COM's Password: Start123
Verifying - maxm@H5L.EXAMPLE.COM's Password: Start123
kadmin> quit
root@lx01.h5l:~#
root@lx01.h5l:~# kadmin -p user/admin
kadmin> add --random-key host/lx01.h5l.example.com
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin>
kadmin> extkeytab --random-key --keytab=/etc/krb5.keytab host/lx01.h5l.example.com
kadmin> quit
root@lx01.h5l:~#
[...]
[kadmin]
...
password_lifetime = 30 days
[password_quality]
policies = builtin:minimum-length builtin:character-class
min_length = 8
min_classes = 3
root@kdc02.h5l:~# kadmin -p user/admin
kadmin> add --random-key hprop/kdc02.h5l.example.com
user/admin@H5L.EXAMPLE.COM's Password: P@ssw0rd
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin> extkeytab --random-key --keytab=/etc/krb5.keytab hprop/kdc02.h5l.example.com
kadmin> quit
root@kdc02.h5l:~#
service krb5_prop
{
id = hpropd
socket_type = stream
wait = no
user = root
server = /usr/libexec/hpropd
}
root@kdc01.h5l:~# /usr/libexec/hprop kdc02.h5l.example.com
hprop: krb5_get_init_creds: Failed to find kadmin/hprop@H5L.EXAMPLE.COM in keytab HDBGET: (unknown enctype)
root@kdc01.h5l:~# kadmin -l
kadmin> extkeytab --keytab=/etc/krb5.keytab kadmin/hprop
kadmin> quit
root@kdc01.h5l:~# /usr/libexec/hprop -k FILE:/etc/krb5.keytab kdc02.h5l.example.com
root@kdc01.h5l:~#
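#!/bin/sh
# Propagate the Heimdal KDC database to every replica listed in REPLICA_KDCS.
# REPLICA_KDCS and HPROP_ARGS are whitespace-separated word lists and are
# expanded unquoted on purpose.
set -u

REPLICA_KDCS="kdc02.h5l.example.com"
HPROP_ARGS="-k FILE:/etc/krb5.keytab"

# Keep going after a failed replica; report the failure via the exit status
# at the end so that cron notices it.
rv=0
for KDC in ${REPLICA_KDCS}; do
  /usr/libexec/hprop ${HPROP_ARGS} ${KDC} || {
    printf 'hprop to %s failed\n' "${KDC}" >&2
    rv=1
  }
done
exit "$rv"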
# KDC replication
0,20,40 * * * * root /usr/local/sbin/kdc_repl
root@kdc01.h5l:~# curl -sS -O \
https://raw.githubusercontent.com/ \
heimdal/heimdal/master/lib/hdb/hdb.schema
root@kdc01.h5l:~# echo 'include hdb.schema' > slapd.conf
root@kdc01.h5l:~# mkdir slapd.conf.d
root@kdc01.h5l:~# slaptest -f slapd.conf -F slapd.conf.d
config file testing succeeded
root@kdc01.h5l:~# cp 'slapd.conf.d/cn=config/cn=schema/cn={0}hdb.ldif' hdb.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: krb5PrincipalName eq
olcDbIndex: cn eq
olcDbIndex: uid eq
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" size.soft=unlimited size.hard=unlimited
dn: ou=heimdal,dc=h5l,dc=example,dc=com
objectClass: organizationalUnit
ou: heimdal
database = {
[...]
#dbname = /var/lib/heimdal-kdc/heimdal
dbname = ldap:dc=h5l,dc=example,dc=com
[...]
}
hdb-ldap-create-base = ou=heimdal,dc=h5l,dc=example,dc=com
# Install the AD DS role and promote this host to the first domain controller
# of a new forest. Unattended: the host reboots when Install-ADDSForest is done
# (NoRebootOnCompletion is $false).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# The DSRM (safe mode) password is embedded in clear text, so this file is
# itself a secret: restrict its ACL and keep it out of version control.
$safemodepasswd = ConvertTo-SecureString -String "cZi8NsK6PuptzA2DIMPF" -AsPlainText -Force

$forestParams = @{
    DomainName                    = "ads.example.com"
    DomainNetbiosName             = "ADS"
    ForestMode                    = "WinThreshold"
    DomainMode                    = "WinThreshold"
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    InstallDns                    = $true
    NoRebootOnCompletion          = $false
    SafeModeAdministratorPassword = $safemodepasswd
    Force                         = $true
}
Install-ADDSForest @forestParams
[libdefaults]
default_realm = ADS.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[realms]
ADS.EXAMPLE.COM = {
kpasswd_server = kdc01.ads.example.com
}
[domain_realm]
.ads.example.com = ADS.EXAMPLE.COM
ads.example.com = ADS.EXAMPLE.COM
[logging]
default = SYSLOG:INFO:AUTH
root@lx01.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# kvno host/kdc01.ads.example.com
host/kdc01.ads.example.com@ADS.EXAMPLE.COM: kvno = 3
root@lx01.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@ADS.EXAMPLE.COM
Valid starting Expires Service principal
08/03/2021 14:15:30 08/04/2021 00:15:27 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 08/10/2021 14:15:27
08/03/2021 14:16:48 08/04/2021 00:15:27 host/kdc01.ads.example.com@ADS.EXAMPLE.COM
renew until 08/10/2021 14:15:27
root@lx01.ads:~#
# Install the AD DS role and add this host as a further domain controller of
# the existing domain. Unattended: the host reboots when
# Install-ADDSDomainController is done (NoRebootOnCompletion is $false).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Both the DSRM password and the domain admin password are embedded in clear
# text, so this file is itself a secret: restrict its ACL and keep it out of
# version control.
$safemodepasswd = ConvertTo-SecureString -String "cZi8NsK6PuptzA2DIMPF" -AsPlainText -Force
$adminpasswd = ConvertTo-SecureString -String "P@ssw0rd" -AsPlainText -Force
$admincred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "ADS\Administrator", $adminpasswd

$dcParams = @{
    DomainName                    = "ads.example.com"
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    InstallDns                    = $false
    NoRebootOnCompletion          = $false
    SafeModeAdministratorPassword = $safemodepasswd
    Credential                    = $admincred
    Force                         = $true
}
Install-ADDSDomainController @dcParams
C:\Users\Administrator>setspn.exe -R LX01
Dienstprinzipalnamen (SPN) für CN=lx01,CN=Computers,DC=ads,DC=example,DC=com werden registriert.
HOST/lx01.ADS.EXAMPLE.COM
HOST/lx01
Aktualisiertes Objekt
C:\Users\Administrator>
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ads,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,
dhcp,dnscache,replicator,eventlog,eventsystem,
policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,
messenger,netlogon,netman,netdde,netddedsm,nmagent,
plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,
remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,
dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr, trkwks,
ups,time,wins,www,http,w3svc,iisadmin,msdtc
root@lx01.ads:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maxm@ADS.EXAMPLE.COM
Valid starting Expires Service principal
12/04/2021 14:45:26 12/05/2021 00:45:24 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 12/11/2021 14:45:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/04/2021 14:45:34 12/05/2021 00:45:24 host/lx01.ads.example.com@ADS.EXAMPLE.COM
renew until 12/11/2021 14:45:24, Etype (skey, tkt): DEPRECATED:arcfour-hmac, DEPRECATED:arcfour-hmac
root@lx01.ads:~#
C:\Users\Administrator>ktpass.exe /out lx01.keytab /mapuser LX01$@ADS.EXAMPLE.COM /princ host/lx01.ads.example.com@ADS.EXAMPLE.COM /rndPass /crypto AES256-SHA1 /ptype KRB5NTSRVHST
Targeting domain controller: kdc01.ads.example.com
Using legacy password setting method
Successfully mapped host/lx01.ads.example.com to LX01$.
WARNING: Account LX01$ is not a user account (uacflags=0x1021).
WARNING: Resetting LX01$'s password may cause authentication problems if LX01$ is being used as a server.
Reset LX01$'s password [y/n]? y
Key created.
Output keytab to lx01.keytab:
Keytab version: 0x502
keysize 92 host/lx01.ads.example.com@ADS.EXAMPLE.COM ptype 3 (KRB5_NT_SRV_HST) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x01839277d939fc874c3d96a882371e990536f4637823a83415c16834fc14e8a6)
C:\Users\Administrator>
root@lx01.ads:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
4 host/lx01.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
root@lx01.ads:~# kinit -k host/lx01.ads.example.com
root@lx01.ads:~# kvno -k /etc/krb5.keytab host/lx01.ads.example.com
host/lx01.ads.example.com@ADS.EXAMPLE.COM: kvno = 4, keytab entry valid
root@lx01.ads:~#
root@lx02.ads:~# adcli join
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
2 LX02$@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
2 LX02$@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 LX02$@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/LX02@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
2 host/LX02@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 host/LX02@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/LX02@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
2 RestrictedKrbHost/LX02@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/LX02@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 RestrictedKrbHost/lx02.ads.example.com@ADS.EXAMPLE.COM (DEPRECATED:arcfour-hmac)
2 RestrictedKrbHost/lx02.ads.example.com@ADS.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
2 RestrictedKrbHost/lx02.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
root@lx02.ads:~#
root@lx02.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# msktutil create --enctypes 0x10
No computer account for lx02 found, creating a new one.
root@lx02.ads:~#
root@lx02.ads:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
2 lx02$@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 LX02$@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/lx02@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 host/lx02.ads.example.com@ADS.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
root@lx02.ads:~# kinit -k host/lx02.ads.example.com
kinit: Client 'host/lx02.ads.example.com@ADS.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
root@lx02.ads:~# kinit -k 'LX02$@ADS.EXAMPLE.COM'
root@lx02.ads:~# kvno -k /etc/krb5.keytab host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~# kdestroy
root@lx02.ads:~#
root@lx02.ads:~# msktutil update --use-service-account --account-name techuser01 --old-account-password Start123 --keytab /etc/krb5.keytab.techuser01
root@lx02.ads:~#
root@lx02.ads:~# kinit Administrator
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# msktutil update --use-service-account --account-name techuser01 --user-creds-only --keytab /etc/krb5.keytab.techuser01
root@lx02.ads:~#
root@lx01.ads:~# ldapsearch -LLL -h kdc01.ads.example.com -b dc=ads,dc=example,dc=com cn="Max Mustermann" objectClass cn sn givenName displayName samaccountname userPrincipalName unicodePwd msDS-KeyVersionNumber
SASL/GSS-SPNEGO authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn: CN=Max Mustermann,CN=Users,DC=ads,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Max Mustermann
sn: Mustermann
givenName: Max
displayName: Max Mustermann
sAMAccountName: maxm
userPrincipalName: maxm@ads.example.com
# refldap://DomainDnsZones.ads.example.com/
DC=DomainDnsZones,DC=ads,DC=example,DC=com
# refldap://ForestDnsZones.ads.example.com/
DC=ForestDnsZones,DC=ads,DC=example,DC=com
# refldap://ads.example.com/CN=Configuration,
DC=ads,DC=example,DC=com
root@lx01.ads:~#
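#!/usr/bin/env python3
"""Print an Active Directory ``unicodePwd`` attribute value for a password.

AD expects the password wrapped in double quotes, encoded as UTF-16LE and,
in LDIF, base64-encoded after ``unicodePwd::``. With one argument the
password is taken from the command line as before; with no argument it is
read from a prompt, so the secret does not end up in the shell history or
in process listings.
"""
import base64
import getpass
import sys


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 text of ``"<password>"`` encoded as UTF-16LE.

    Args:
        password: the clear-text password.

    Returns:
        The base64 string AD expects as the ``unicodePwd::`` LDIF value.
    """
    # AD requires the literal double quotes around the password.
    quoted_password = '"' + password + '"'
    return base64.b64encode(quoted_password.encode('utf_16_le')).decode('utf8')


def main(argv: list[str]) -> None:
    """Command-line entry point: ``adunicodepwd [<password>]``.

    Exits with status 2 (usage error) when more than one argument is given.
    """
    if len(argv) > 2:
        print('usage: ' + argv[0] + ' [<password>]', file=sys.stderr)
        sys.exit(2)
    if len(argv) == 2:
        password = argv[1]
    else:
        # No echo; avoids leaking the password via argv.
        password = getpass.getpass('Password: ')
    print('unicodePwd:: ' + encode_unicode_pwd(password))


if __name__ == '__main__':
    main(sys.argv)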
root@lx01.ads:~# ./adunicodepwd P@ssw0rd
unicodePwd:: IgBQAEAAcwBzAHcAMAByAGQAIgA=
root@lx01.ads:~#
dn: CN=Erika Musterfrau,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Erika Musterfrau
sn: Musterfrau
givenName: Erika
instanceType: 4
displayName: Erika Musterfrau
name: Erika Musterfrau
userAccountControl: 512
sAMAccountName: erim
userPrincipalName: erim@ADS.EXAMPLE.COM
unicodePwd:: IgBQAEAAcwBzAHcAMAByAGQAIgA=
pwdLastSet: 0
root@lx01.ads:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 25; echo
hNJvEb2V50YZ7PAstqQQwJah5
root@lx01.ads:~# ./adunicodepwd hNJvEb2V50YZ7PAstqQQwJah5
unicodePwd:: IgBoAE4ASgB2AEUAYgAyAFYANQAwAFkAWgA3AFAAQQBzAHQAcQBRAFEAdwBKAGEAaAA1ACIA
root@lx01.ads:~#
dn: CN=lx02,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: lx02
instanceType: 4
displayName: lx02$
name: lx02
userAccountControl: 4096
sAMAccountName: lx02$
unicodePwd:: IgBoAE4ASgB2AEUAYgAyAFYANQAwAFkAWgA3AFAAQQBzAHQAcQBRAFEAdwBKAGEAaAA1ACIA
userPrincipalName: host/lx02.ads.example.com@ADS.EXAMPLE.COM
msDS-SupportedEncryptionTypes: 24
dn: CN=lx02,CN=Computers,DC=ADS,DC=EXAMPLE,DC=COM
changetype: modify
add: servicePrincipalName
servicePrincipalName: host/lx02.ads.example.com
servicePrincipalName: host/lx02
root@lx02.ads:~# kinit Administrator
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@lx02.ads:~# kvno host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 1
root@lx02.ads:~# ktutil
ktutil: addent -password -p host/lx02.ads.example.com -k 1 -e aes256-cts
Password for host/lx02.ads.example.com@ADS.EXAMPLE.COM: hNJvEb2V50YZ7PAstqQQwJah5
ktutil: wkt /etc/krb5.keytab
ktutil: quit
root@lx02.ads:~# kinit -kt /etc/krb5.keytab host/lx02.ads.example.com
root@lx02.ads:~# kvno -k /etc/krb5.keytab host/lx02.ads.example.com
host/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 1, keytab entry valid
root@lx02.ads:~#
root@kdc01.smb:~# samba-tool domain provision --use-rfc2307 --realm SMB.EXAMPLE.COM --domain SMB --server-role dc --adminpass P@ssw0rd
[...]
root@kdc01.smb:~#
root@kdc01.smb:~# systemctl start samba.service
root@kdc01.smb:~# firewall-cmd --add-service=samba-dc --permanent
root@kdc01.smb:~# firewall-cmd --add-service=dns --permanent
root@kdc01.smb:~# firewall-cmd --reload
root@kdc01.smb:~#
[libdefaults]
default_realm = SMB.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
[domain_realm]
.smb.example.com = SMB.EXAMPLE.COM
smb.example.com = SMB.EXAMPLE.COM
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com smb.example.com kdc02 A 10.1.2.151 -U Administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com smb.example.com lx01 A 10.1.2.152 -U Administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com smb.example.com win01 A 10.1.2.154 -U Administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~#
root@kdc01.smb:~# samba-tool dns zonecreate kdc01.smb.example.com 2.1.10.in-addr.arpa -U administrator%P@ssw0rd
Zone 2.1.10.in-addr.arpa created successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 150 PTR kdc01.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 151 PTR kdc02.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 152 PTR lx01.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 153 PTR lx02.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~# samba-tool dns add kdc01.smb.example.com 2.1.10.in-addr.arpa 154 PTR win01.smb.example.com -U administrator%P@ssw0rd
Record added successfully
root@kdc01.smb:~#
root@lx01.smb:~# kinit Administrator@SMB.EXAMPLE.COM
Password for Administrator@SMB.EXAMPLE.COM: P@ssw0rd
Warning: Your password will expire in 41 days on Mi 06 Okt 2021 13:55:53 CEST
root@lx01.smb:~# kvno host/kdc01.smb.example.com
host/kdc01.smb.example.com@SMB.EXAMPLE.COM: kvno = 1
root@lx01.smb:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SMB.EXAMPLE.COM
Valid starting Expires Service principal
08/25/2021 13:56:12 08/25/2021 23:56:12 krbtgt/SMB.EXAMPLE.COM@SMB.EXAMPLE.COM
renew until 09/01/2021 13:56:12
08/25/2021 18:05:06 08/25/2021 23:56:12 host/kdc01.smb.example.com@SMB.EXAMPLE.COM
renew until 09/01/2021 13:56:12
root@kdc01.smb:/opt#
root@kdc02.smb:~# kinit Administrator@SMB.EXAMPLE.COM
Password for Administrator@SMB.EXAMPLE.COM: P@ssw0rd
Warning: Your password will expire in 41 days on Wed Oct 6 13:55:53 2021
root@kdc02.smb:~# samba-tool domain join smb.example.com DC -k yes --option='idmap_ldb:use rfc2307=yes'
[...]
root@kdc02.smb:~#
root@kdc02.smb:~# systemctl enable samba
root@kdc02.smb:~# systemctl start samba
root@kdc02.smb:~# firewall-cmd --add-service=samba-dc --permanent
root@kdc02.smb:~# firewall-cmd --add-service=dns --permanent
root@kdc02.smb:~# firewall-cmd --reload
root@kdc01.smb:~# samba-tool ou listobjects ""
CN=Users
CN=System
CN=Builtin
CN=Computers
CN=NTDS Quotas
CN=TPM Devices
CN=LostAndFound
CN=Program Data
CN=Infrastructure
CN=Managed Service Accounts
CN=ForeignSecurityPrincipals
OU=Domain Controllers
root@kdc01.smb:~# samba-tool user list
Guest
krbtgt
Administrator
root@kdc01.smb:~# samba-tool group list
Cryptographic Operators
Domain Guests
Domain Admins
Read-only Domain Controllers
Certificate Service DCOM Access
Administrators
Users
Domain Controllers
Group Policy Creator Owners
DnsUpdateProxy
Cert Publishers
Account Operators
Denied RODC Password Replication Group
Windows Authorization Access Group
RAS and IAS Servers
Domain Computers
Domain Users
Distributed COM Users
Schema Admins
Enterprise Admins
Performance Log Users
Replicator
Pre-Windows 2000 Compatible Access
Backup Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Enterprise Read-only Domain Controllers
Performance Monitor Users
Server Operators
Print Operators
Allowed RODC Password Replication Group Guests Network Configuration Operators Event Log Readers Remote Desktop Users DnsAdmins IIS_IUSRS root@kdc01.smb:~# samba-tool user show Administrator dn: CN=Administrator,CN=Users,DC=smb,DC=example,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Administrator description: Built-in account for administering the computer/domain instanceType: 4 whenCreated: 20210825115552.0Z uSNCreated: 3853 name: Administrator objectGUID: 7dba1aee-aeb1-48e5-9747-dcfadd36c5a5 userAccountControl: 512 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 pwdLastSet: 132743661529237270 primaryGroupID: 513 objectSid: S-1-5-21-99585262-3371220738-2221323519-500 adminCount: 1 accountExpires: 9223372036854775807 sAMAccountName: Administrator sAMAccountType: 805306368 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=smb,DC=example,DC=com isCriticalSystemObject: TRUE memberOf: CN=Domain Admins,CN=Users,DC=smb,DC=example,DC=com memberOf: CN=Schema Admins,CN=Users,DC=smb,DC=example,DC=com memberOf: CN=Enterprise Admins,CN=Users,DC=smb,DC=example,DC=com memberOf: CN=Group Policy Creator Owners,CN=Users,DC=smb,DC=example,DC=com memberOf: CN=Administrators,CN=Builtin,DC=smb,DC=example,DC=com lastLogonTimestamp: 132743661721734680 whenChanged: 20210825115612.0Z uSNChanged: 4102 lastLogon: 132743824236789480 logonCount: 10 distinguishedName: CN=Administrator,CN=Users,DC=smb,DC=example,DC=com
root@kdc01.smb:~#
root@kdc01.smb:~# samba-tool user create maxm --surname=Mustermann --given-name=Max --must-change-at-next-login
New Password: Start123
Retype Password: Start123
User 'maxm' created successfully
root@kdc01.smb:~#
root@kdc01.smb:~# samba-tool computer create lx01
Computer 'lx01' added successfully
root@kdc01.smb:~#
root@kdc01.smb:~# samba-tool spn add host/lx01 lx01$
root@kdc01.smb:~# samba-tool spn add host/lx01.smb.example.com lx01$
root@kdc01.smb:~#
[...]
$ORIGIN example.com.
ipadns1 A 10.1.2.140
ipadns2 A 10.1.2.141
[...]
$ORIGIN ipa.example.com.
@ IN NS kdc01.ipa.example.com.
[...]
zone "ipa.example.com" {
type forward;
forward only;
forwarders { 10.1.2.140; 10.1.2.141; };
};
[...]
root@kdc01.ipa:~# dnf module list idm
Last metadata expiration check: 0:02:25 ago on Sun Sep 5 12:56:13 2021.
Rocky Linux 8 - AppStream
Name Stream Profiles [...]
idm DL1 adtrust, client, common [d], dns, [...]
idm client [d] common [d] [...]
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
root@kdc01.ipa:~# dnf module install idm:DL1
[...]
root@kdc01.ipa:~# dnf install ipa-server ipa-server-dns
[...]
root@kdc01.ipa:~# ipa-server-install --unattended --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --setup-dns --no-ntp --no-forwarders --ds-password=P@ssw0rd --admin-password=P@ssw0rd --mkhomedir --external-ca --external-ca-type=generic
The log file for this installation can be found in /var/log/ipaserver-install.log
==========================================================
This program will set up the IPA Server.
Version 4.9.2
This includes:
* Configure a stand-alone CA (dogtag) for certificate management
* Create and configure an instance of Directory Server
* Create and configure a Kerberos Key Distribution Center (KDC)
* Configure Apache (httpd)
* Configure DNS (bind)
* Configure the KDC to enable PKINIT
Excluded by options:
* Configure the NTP client (chronyd)
[...]
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-server-install command was successful
root@kdc01.ipa:~#
root@kdc01.ipa:~# scp /root/ipa.csr kdc01.example.com:/etc/pki/CA/
root@kdc01:~# cd /etc/pki/CA
root@kdc01:/etc/pki/CA# openssl ca -config subca.cnf -in ipa.csr -out ipa.pem -keyfile CAprivkey.pem -cert CAcert.pem
Using configuration from subca.cnf
[...]
root@kdc01:/etc/pki/CA# scp CAcert.pem ipa.pem kdc01.ipa.example.com:
root@kdc01.ipa:~# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/CAcert.pem --ds-password=P@ssw0rd
[...]
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
2. You can now obtain a kerberos ticket using the
command: 'kinit admin'
This ticket will allow you to use the IPA tools
(e.g., ipa user-add) and the web user interface.
[...]
The ipa-server-install command was successful
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa user-add maxm --first=Max --last=Mustermann
-----------------
Added user "maxm"
-----------------
User login: maxm
First name: Max
Last name: Mustermann
Full name: Max Mustermann
Display name: Max Mustermann
Initials: MM
Home directory: /home/maxm
GECOS: Max Mustermann
Login shell: /bin/sh
Principal name: maxm@IPA.EXAMPLE.COM
Principal alias: maxm@IPA.EXAMPLE.COM
Email address: maxm@ipa.example.com
UID: 779400001
GID: 779400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa passwd maxm
New Password: Start123
Enter New Password again to verify: Start123
-------------------------------------------
Changed password for "maxm@IPA.EXAMPLE.COM"
-------------------------------------------
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa group-add lxusers --desc='Alle Linux-Benutzer:innen'
---------------------
Added group "lxusers"
---------------------
Group name: lxusers
Description: Alle Linux-Benutzer:innen
GID: 779400006
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa group-add-member lxusers --users maxm
Group name: lxusers
Description: Alle Linux-Benutzer:innen
GID: 779400006
Member users: maxm
Member of HBAC rule: lxaccess
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~# ipa group-add-member lxusers --users admin
Group name: lxusers
Description: Alle Linux-Benutzer:innen
GID: 779400006
Member users: maxm, admin
Member of HBAC rule: lxaccess
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~#
root@lx01.ipa:~# ipa-client-install --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --mkhomedir --no-ntp
This program will set up IPA client.
Version 4.9.2
[...]
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@IPA.EXAMPLE.COM: P@ssw0rd
[...]
Client configuration complete.
The ipa-client-install command was successful
root@kdc01.ipa:~# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa hostgroup-add lxhosts --desc='Alle Linux-Systeme'
-------------------------
Added hostgroup "lxhosts"
-------------------------
Host-group: lxhosts
Description: Alle Linux-Systeme
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa hostgroup-add-member lxhosts --hosts=lx01.ipa.example.com
Host-group: lxhosts
Description: Alle Linux-Systeme
Member hosts: lx01.ipa.example.com
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~# ipa hostgroup-add-member lxhosts --hosts=lx02.ipa.example.com
Host-group: lxhosts
Description: Alle Linux-Systeme
Member hosts: lx01.ipa.example.com, lx02.ipa.example.com
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa hbacrule-add lxaccess --desc='lxuser dürfen auf lxhosts' --servicecat=all
--------------------------
Added HBAC rule "lxaccess"
--------------------------
Rule name: lxaccess
Service category: all
Description: lxuser dürfen auf lxhosts
Enabled: TRUE
root@kdc01.ipa:~# ipa hbacrule-add-host lxaccess --hostgroups lxhosts
Rule name: lxaccess
Enabled: TRUE
Host Groups: lxhosts
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~# ipa hbacrule-add-user lxaccess --groups=lxusers
Rule name: lxaccess
Enabled: TRUE
User Groups: lxusers
Host Groups: lxhosts
-------------------------
Number of members added 1
-------------------------
root@kdc01.ipa:~#
root@kdc01.ipa:~# ipa hbactest --user maxm --host lx01.ipa.example.com --service sshd
--------------------
Access granted: True
--------------------
Matched rules: lxaccess
Not matched rules: allow_systemd-user
root@kdc01.ipa:~# ssh maxm@lx02
Password: Start123
Password expired. Change your password now.
Current Password: Start123
New password: P@ssw0rd
Retype new password: P@ssw0rd
maxm@lx02.ipa:~$
root@kdc02.ipa:~# ipa-replica-install --unattended --principal=admin@IPA.EXAMPLE.COM --admin-password=P@ssw0rd --domain=ipa.example.com --realm=IPA.EXAMPLE.COM --setup-dns --no-ntp --mkhomedir --no-forwarders
[...]
WARNING: The CA service is only installed on one server
(kdc01.ipa.example.com). It is strongly recommended to
install it on another server. Run ipa-ca-install(1) on
another master to accomplish this.
The ipa-replica-install command was successful
root@kdc02.ipa:~#
[capaths]
MYDOM.MIT.EXAMPLE.COM = {
OTHERDOM.MIT.EXAMPLE.COM = MIT.EXAMPLE.COM
MIT.EXAMPLE.COM = .
}
OTHERDOM.MIT.EXAMPLE.COM = {
MYDOM.MIT.EXAMPLE.COM = MIT.EXAMPLE.COM
MIT.EXAMPLE.COM = .
}
MIT.EXAMPLE.COM = {
OTHERDOM.MIT.EXAMPLE.COM = .
MYDOM.MIT.EXAMPLE.COM = .
}
[capaths]
MYDOM.MIT.EXAMPLE.COM = {
OTHERDOM.H5L.EXAMPLE.COM = .
}
OTHERDOM.H5L.EXAMPLE.COM = {
MYDOM.MIT.EXAMPLE.COM = .
}
root@kdc01:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 40; echo
Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
root@kdc01:~#
kadmin: addprinc -clearpolicy krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
Enter password for principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM": Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
Re-enter password for principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM": Pvg3aM5IPR08l2aTcQQGlE0aQqYoA5Sp3SYS95bM
Principal "krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM" created.
root@kdc01.mit:~# kinit user@MIT.EXAMPLE.COM
Password for user@MIT.EXAMPLE.COM: P@ssw0rd
root@kdc01.mit:~# kvno \
host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM: kvno = 1
root@kdc01.mit:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MIT.EXAMPLE.COM
Valid starting Expires Service principal
09/15/2021 18:53:20 09/16/2021 04:53:17 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 09/22/2021 18:53:17
09/15/2021 18:54:21 09/16/2021 04:53:17 krbtgt/MYDOM.MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 09/22/2021 18:53:17
09/15/2021 18:54:21 09/16/2021 04:53:17 host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
renew until 09/22/2021 18:53:17
root@kdc01.mit:~#
root@kdc01.h5l:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 40; echo
SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
root@kdc01.h5l:~#
kadmin> add krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM's Password: SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
Verifying - krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM's Password: SQEkW8mXXZiFI01jVyjOsY7pMkQdrny0UAyTW4cg
root@kdc01.h5l:~# kinit user@H5L.EXAMPLE.COM
user@H5L.EXAMPLE.COM's Password: P@ssw0rd
root@kdc01.h5l:~# kgetcred host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
root@kdc01.h5l:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user@H5L.EXAMPLE.COM
Issued Expires Principal
Sep 15 19:33:46 2021 Sep 16 05:33:43 2021 krbtgt/H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Sep 15 19:34:11 2021 Sep 16 05:33:43 2021 krbtgt/MYDOM.H5L.EXAMPLE.COM@H5L.EXAMPLE.COM
Sep 15 19:34:11 2021 Sep 16 05:33:43 2021 host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
root@kdc01.h5l:~#
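# Promote this host to the first domain controller of the child domain
# "mydom" below ads.example.com. Creating a child domain needs the
# credentials of an administrator of the parent domain.
#
# NOTE: the secrets are literals here (lab setup as in the book). In a real
# deployment obtain them with Read-Host -AsSecureString / Get-Credential so
# they end up neither in the script file nor in the PowerShell history.
$adminuser = "Administrator@ADS.EXAMPLE.COM"
$adminpass = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$creds = New-Object -TypeName PSCredential -ArgumentList $adminuser, $adminpass
# DSRM (Directory Services Restore Mode) password: a separate secret,
# deliberately not the parent-domain admin password.
$safemodepasswd = ConvertTo-SecureString "cZi8NsK6PuptzA2DIMPF" -AsPlainText -Force
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomain `
  -NewDomainName "mydom" `
  -NewDomainNetbiosName "MYDOM" `
  -SiteName "Default-First-Site-Name" `
  -ParentDomainName "ads.example.com" `
  -DomainMode "WinThreshold" `
  -DomainType "ChildDomain" `
  -DatabasePath "C:\Windows\NTDS" `
  -LogPath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -InstallDns:$false `
  -NoGlobalCatalog:$false `
  -NoRebootOnCompletion:$false `
  -Credential $creds `
  -SafeModeAdministratorPassword $safemodepasswd `
  -Force:$true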
root@lx01.mydom.ads:~# kinit myuser@MYDOM.ADS.EXAMPLE.COM
Password for myuser@MYDOM.ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.mydom.ads:~# kvno host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM
host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM: kvno = 1
root@lx01.mydom.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: myuser@MYDOM.ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/16/2021 17:31:45 09/17/2021 03:31:43 krbtgt/MYDOM.ADS.EXAMPLE.COM@MYDOM.ADS.EXAMPLE.COM
renew until 09/23/2021 17:31:43
09/16/2021 17:32:05 09/17/2021 03:31:43 host/lx02.otherdom.ads.example.com@OTHERDOM.ADS.EXAMPLE.COM
renew until 09/23/2021 17:31:43
root@lx01.mydom.ads:~#
root@kdc01:~# tr -cd '[:alnum:]' < /dev/urandom | head -c 40; echo
IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
root@kdc01:~#
kadmin: addprinc -clearpolicy -pw IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs -e aes256-cts-hmac-sha1-96:normal krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM
Principal "krbtgt/EXAMPLE.COM@ADS.EXAMPLE.COM" created.
kadmin: addprinc -clearpolicy -pw IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs -e aes256-cts-hmac-sha1-96:normal krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM
Principal "krbtgt/ADS.EXAMPLE.COM@EXAMPLE.COM" created.
C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /add /realm /twoway /passwordt IJdvFZnLJ5z8FU67aWgi71EYGnQb3gl41vaKAXOs
Der Befehl wurde ausgeführt.
C:\Users\Administrator>
C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /transitive:ja
Vertrauenstellung wird als transitiv festgelegt.
[...]
C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /foresttransitive:ja
Diese Vertrauensstellung wird als transitiv auf Gesamtstrukturebene gekennzeichnet.
[...]
C:\Users\Administrator>
C:\Users\Administrator>netdom.exe trust ADS.EXAMPLE.COM /Domain EXAMPLE.COM /addtln EXAMPLE.COM
Der Name der obersten Ebene oder die Ausnahme wurde den Gesamtstrukturvertrauensstellungs-Informationen erfolgreich hinzugefügt.
[...]
C:\Users\Administrator>
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
mit.example.com = MIT.EXAMPLE.COM
.mit.example.com = MIT.EXAMPLE.COM
mydom.mit.example.com = MYDOM.MIT.EXAMPLE.COM
.mydom.mit.example.com = MYDOM.MIT.EXAMPLE.COM
otherdom.mit.example.com = OTHERDOM.MIT.EXAMPLE.COM
.otherdom.mit.example.com = OTHERDOM.MIT.EXAMPLE.COM
h5l.example.com = H5L.EXAMPLE.COM
.h5l.example.com = H5L.EXAMPLE.COM
mydom.h5l.example.com = MYDOM.H5L.EXAMPLE.COM
.mydom.h5l.example.com = MYDOM.H5L.EXAMPLE.COM
otherdom.h5l.example.com = OTHERDOM.H5L.EXAMPLE.COM
.otherdom.h5l.example.com = OTHERDOM.H5L.EXAMPLE.COM
ads.example.com = ADS.EXAMPLE.COM
.ads.example.com = ADS.EXAMPLE.COM
mydom.ads.example.com = MYDOM.ADS.EXAMPLE.COM
.mydom.ads.example.com = MYDOM.ADS.EXAMPLE.COM
otherdom.ads.example.com = OTHERDOM.ADS.EXAMPLE.COM
.otherdom.ads.example.com = OTHERDOM.ADS.EXAMPLE.COM
C:\Users\Administrator>ktpass.exe /out frontend.keytab /mapuser frontend@ADS.EXAMPLE.COM /princ frontend/lx02.ads.example.com@ADS.EXAMPLE.COM /pass P@ssw0rd /crypto AES256-SHA1 /ptype KRB5_NT_SRV_INST
[...]
C:\Users\Administrator>ktpass.exe /out backend.keytab /mapuser backend@ADS.EXAMPLE.COM /princ backend/lx02.ads.example.com@ADS.EXAMPLE.COM /pass P@ssw0rd /crypto AES256-SHA1 /ptype KRB5_NT_SRV_INST
[...]
root@lx01.ads:~# kinit user
Password for user@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# kvno frontend/lx02.ads.example.com
frontend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2
root@lx01.ads:~# klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/16/2021 22:12:20 09/17/2021 08:12:18 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 09/23/2021 22:12:18, Flags: FRIA
09/16/2021 22:12:22 09/17/2021 08:12:18 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
renew until 09/23/2021 22:12:18, Flags: FRAO
root@lx01.ads:~#
root@lx02.ads:~# /usr/libexec/kimpersonate --ccache=/tmp/krb5cc_frontend --keytab=/etc/backend.keytab --client=user@ADS.EXAMPLE.COM --server=backend/lx02.ads.example.com@ADS.EXAMPLE.COM --krb5 --enc-type=aes256-cts-hmac-sha1-96
root@lx02.ads:~# klist /tmp/krb5cc_frontend
Ticket cache: FILE:/tmp/krb5cc_frontend
Default principal: user@ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/16/2021 22:18:59 09/16/2021 23:18:59 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
root@lx02.ads:~#
root@lx02.ads:~# export KRB5CCNAME=/tmp/krb5cc_frontend
root@lx02.ads:~# kinit -k -t /etc/frontend.keytab frontend/lx02.ads.example.com
root@lx02.ads:~# kvno -k /etc/frontend.keytab -U user -P backend/lx02.ads.example.com
backend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~# kvno -k /etc/frontend.keytab -U Administrator -P backend/lx02.ads.example.com
backend/lx02.ads.example.com@ADS.EXAMPLE.COM: kvno = 2, keytab entry valid
root@lx02.ads:~#
root@lx02.ads:~# klist
Ticket cache: FILE:/tmp/krb5cc_frontend
Default principal: frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/16/2021 22:57:35 09/17/2021 08:57:35 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 09/23/2021 22:57:35
09/16/2021 22:57:49 09/17/2021 08:57:35 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client user@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
09/16/2021 22:57:49 09/17/2021 08:57:35 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client user@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
09/16/2021 22:58:29 09/17/2021 08:57:35 frontend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client Administrator@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
09/16/2021 22:58:29 09/17/2021 08:57:35 backend/lx02.ads.example.com@ADS.EXAMPLE.COM
for client Administrator@ADS.EXAMPLE.COM, renew until 09/23/2021 22:57:35
root@lx02.ads:~#
[ kdc_cert ]
# X.509 extensions for a KDC certificate used with PKINIT (RFC 4556).
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
# 1.3.6.1.5.2.3.5 = id-pkinit-KPKdc: marks the certificate as a KDC
# certificate, so a client can distinguish the real KDC from any other
# certificate the same CA has issued.
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
# 1.3.6.1.5.2.2 = id-pkinit-san: the KDC's principal (krbtgt/REALM) as a
# KRB5PrincipalName otherName in the subjectAltName.
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
# KRB5PrincipalName ::= SEQUENCE { realm [0], principalName [1] }
# REALM is read from the environment (export REALM=... before openssl ca).
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
# PrincipalName ::= SEQUENCE { name-type [0], name-string [1] };
# name-type 1 = KRB5_NT_PRINCIPAL
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals
[kdc_principals]
# name-string components "krbtgt" and REALM, i.e. krbtgt/REALM
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM}
[ client_cert ]
# X.509 extensions for a PKINIT client (user) certificate.
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment, keyAgreement
# 1.3.6.1.5.2.3.4 = id-pkinit-KPClientAuth
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# Same id-pkinit-san otherName as above, here carrying the user principal
# the KDC maps this certificate to.
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
issuerAltName=issuer:copy
[princ_name]
realm = EXP:0, GeneralString:${ENV::REALM}
principal_name = EXP:1, SEQUENCE:principal_seq
[principal_seq]
# name-type 1 = KRB5_NT_PRINCIPAL
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals
[principals]
# single component: the client principal, read from the CLIENT env var
# (export CLIENT=... before openssl ca).
princ1 = GeneralString:${ENV::CLIENT}
root@kdc01:/etc/ssl/CA# export REALM=MIT.EXAMPLE.COM
root@kdc01:/etc/ssl/CA# export CLIENT=dummy
root@kdc01:/etc/ssl/CA# openssl ca -in mitkdc01-req.pem -keyfile CAprivkey.pem -cert CAcert.pem -out mitkdc01.pem -extfile /etc/pki/CA/pkinit.cnf -extensions kdc_cert
[...]
root@kdc01:/etc/ssl/CA# export REALM=MIT.EXAMPLE.COM
root@kdc01:/etc/ssl/CA# export CLIENT=pkuser
root@kdc01:/etc/ssl/CA# openssl ca -in pkuser-req.pem -keyfile CAprivkey.pem -cert CAcert.pem -out pkuser.pem -extfile pkinit.cnf -extensions client_cert
[...]
[...]
[realms]
MIT.EXAMPLE.COM = {
[...]
pkinit_anchors = FILE:/var/kerberos/krb5kdc/CAcert.pem
pkinit_identity = FILE:/var/kerberos/krb5kdc/cert.pem,/var/kerberos/krb5kdc/privkey.pem
[...]
root@lx01.mit:~# kinit -X X509_user_identity=FILE:/root/.ssl/pkuser.pem,/root/.ssl/pkuser-privkey.pem pkuser
Enter PEM pass phrase: Sichere Passphrase!
root@lx01.mit:~#
[libdefaults]
default_realm = MIT.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 10hours
renew_lifetime = 7days
forwardable = true
pkinit_anchors = FILE:/etc/openldap/CAcert.pem
#pkinit_identities = FILE:/root/.ssl/pkuser.pem,/root/.ssl/pkuser-privkey.pem
pkinit_identities = ENV:PKINIT_ID
PKINIT_ID=FILE:$HOME/.ssl/pkinit-cert.pem,$HOME/.ssl/pkinit-privkey.pem
export PKINIT_ID
root@lx01.mit:~# opensc-tool --serial
Using reader with a card: Feitian Technologies FT SCR310 00 00
29 53 42 41 13 18 12 10 )SBA....
root@lx01.mit:~#
root@lx01.mit:~# pkcs15-init --create-pkcs15 --profile pkcs15+onepin --pin 1234 --puk 12345678
Using reader with a card: Feitian Technologies FT SCR310 00 00
root@lx01.mit:~#
root@lx01.mit:~# pkcs15-init --generate-key rsa/2048 --auth-id 01 --pin 1234
Using reader with a card: Feitian Technologies FT SCR310 00 00
root@lx01.mit:~# pkcs15-tool --list-keys
Using reader with a card: Feitian Technologies FT SCR310 00 00
Private RSA Key [Private Key]
Object Flags : [0x03], private, modifiable
Usage : [0x04], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
ModLength : 2048
Key ref : 1 (0x01)
Native : yes
Path : 3f005015
Auth ID : 01
ID : 2a3c7450be18bdd68f750c697290cd8ada956bd8
MD:guid : 682da292-29ce-c0b1-0915-88d321666748
root@lx01.mit:~#
root@lx01:~# openssl
OpenSSL> engine dynamic -pre SOPATH:/usr/lib64/engines-1.1/pkcs11.so -pre ID:pkcs11 -pre LISTADD:1 -pre LOAD -pre MODULEPATH:/usr/lib64/pkcs11/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib64/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
OpenSSL> req -engine pkcs11 -new -key slot0-id2a3c7450be18bdd68f750c697290cd8ada956bd8 -keyform engine -out pkuser-req.pem
engine "pkcs11" set.
PKCS#11 token PIN: 1234
You are about to be asked to enter information that will be incorporated
into your certificate request.
[...]
OpenSSL> quit
root@lx01:~#
root@lx01.mit:~# pkcs15-init --store-certificate pkuser.pem --auth-id 01 --id 2a3c7450be18bdd68f750c697290cd8ada956bd8
Using reader with a card: Feitian Technologies FT SCR310 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]: 1234
root@lx01.mit:~#
root@lx01:~# kinit -X X509anchors=FILE:/etc/openldap/CAcert.pem -X X509useridentity=PKCS11:modulename=/usr/lib64/pkcs11/opensc-pkcs11.so pkuser
OpenSC Card (User PIN) PIN: 1234
root@lx01.mit:~#
root@lx01.mit:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: pkuser@MIT.EXAMPLE.COM
Valid starting Expires Service principal
09/17/2021 13:37:29 09/17/2021 23:37:20 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 09/24/2021 13:37:20
root@lx01.mit:~#
root@lx01.mit:~# kinit -n -c /tmp/krb5ccanon
root@lx01.mit:~# klist /tmp/krb5ccanon
Ticket cache: FILE:/tmp/krb5cc_anon
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
09/17/2021 17:41:02 09/18/2021 03:41:02 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 09/24/2021 17:41:02
root@lx01.mit:~#
maxm@lx01.ipa:~$ ipa otptoken-add
------------------
Added OTP token ""
------------------
Unique ID: 05c73f97-f84e-4679-9c95-6964c5c45939
Type: TOTP
Owner: maxm
Manager: maxm
Algorithm: sha1
Digits: 6
Clock interval: 30
URI: otpauth://totp/maxm@IPA.EXAMPLE.COM:05c73f97-f84e-4679-9c95-6964c5c45939?issuer=maxm%40IPA.EXAMPLE.COM&secret=NGZMZGBHLSUN6QQABKHOO6EEJQ7VTIHCHJVB7WQQ36P5R4OZ7OIU6T4X&digits=6&algorithm=SHA1&period=30
[...]
maxm@lx01.ipa:~$
root@lx01.kdc01.ipa:~# ssh -l maxm lx01.ipa.example.com
First Factor: P@ssw0rd
Second Factor: 757761
maxm@lx01.ipa:~$
maxm@lx01.ipa:~$ kinit maxm
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
maxm@lx01.ipa:~$ kinit -n -c /tmp/armorcache
maxm@lx01.ipa:~$ kinit -T /tmp/armorcache maxm
Enter OTP Token Value: P@ssw0rd205789
maxm@lx01.ipa:~$
root@lx01.ads:~# ldapsearch -LLL -x -h kdc01.ads.example.com -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
root@lx01.ads:~#
root@lx01.ads:~# kinit Administrator@ADS.EXAMPLE.COM
Password for Administrator@ADS.EXAMPLE.COM: P@ssw0rd
root@kdc01:~# ldapwhoami -Y GSSAPI -h kdc01.ads.example.com
SASL/GSSAPI authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
u:ADS\Administrator
root@lx01.ads:~#
root@kdc01:~# ldapsearch -LLL -x -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
root@kdc01:~#
mech_list: GSSAPI EXTERNAL
[Service]
Environment="KRB5_KTNAME=/etc/openldap/krb5.keytab"
root@kdc01:~# ldapsearch -LLL -H ldaps://kdc01.example.com -b dc=example,dc=com "cn=Max Mustermann" objectClass cn sn krbPrincipalName
SASL/GSSAPI authentication started
SASL username: maxm@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: Max Mustermann
sn: Mustermann
krbPrincipalName: maxm@EXAMPLE.COM
root@kdc01:~#
root@kdc01:~# ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: maxm@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=maxm,cn=gssapi,cn=auth
root@kdc01:~#
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "uid=maxm,cn=gssapi,cn=auth" "cn=Max Mustermann,ou=people,dc=example,dc=com"
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "uid=(.*),cn=gssapi,cn=auth" ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@EXAMPLE.COM)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
by anonymous auth
by self write
by * none
olcAccess: to attrs=krbPrincipalName,entry
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by users read
by anonymous auth
by * none
olcAccess: to attrs=cn,dc,gecos,gidNumber,homeDirectory,loginShell,member,memberUid,objectClass,ou,sn,uid,uidNumber,uniqueMember
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by users read
by * none
olcAccess: to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
by group="cn=LDAP Read Write,ou=groups,dc=example,dc=com" write
by group="cn=LDAP Read Only,ou=groups,dc=example,dc=com" read
by * none
root@kdc01:~# kinit erim@EXAMPLE.COM
Password for erim@EXAMPLE.COM: P@ssw0rd
root@kdc01:~# ldapwhoami -Q -Y GSSAPI
dn:krbPrincipalName=erim@EXAMPLE.COM,cn=example.com,cn=realms,ou=mit-kerberos,dc=example,dc=com
root@kdc01:~# kinit maxm@EXAMPLE.COM
Password for maxm@EXAMPLE.COM: P@ssw0rd
root@kdc01:~# ldapwhoami -Q -Y GSSAPI
dn:cn=max mustermann,ou=people,dc=example,dc=com
root@kdc01:~#
root@lx01.ads:~# realm join -U Administrator ADS.EXAMPLE.COM
Password for Administrator: P@ssw0rd
root@lx01.ads:~#
root@lx01.ads:~# ssh -l administrator@ads.example.com lx01.ads.example.com
administrator@ads.example.com@lx01.ads's password: P@ssw0rd
[administrator@ads.example.com@lx01 ~]$ ldapwhoami -Y GSSAPI -H ldap://kdc01.ads.example.com
SASL/GSSAPI authentication started
SASL username: Administrator@ADS.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
u:ADS\Administrator
[administrator@ads.example.com@lx01 ~]$
root@lx01.ads:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------
2 LX01$@ADS.EXAMPLE.COM
2 LX01$@ADS.EXAMPLE.COM
2 host/LX01@ADS.EXAMPLE.COM
2 host/LX01@ADS.EXAMPLE.COM
2 host/lx01.ads.example.com@ADS.EXAMPLE.COM
2 host/lx01.ads.example.com@ADS.EXAMPLE.COM
2 RestrictedKrbHost/LX01@ADS.EXAMPLE.COM
2 RestrictedKrbHost/LX01@ADS.EXAMPLE.COM
2 RestrictedKrbHost/lx01.ads.example.com@ADS.EXAMPLE.COM
2 RestrictedKrbHost/lx01.ads.example.com@ADS.EXAMPLE.COM
[sssd]
domains = ads.example.com
config_file_version = 2
services = nss, pam
[domain/ads.example.com]
ad_domain = ads.example.com
krb5_realm = ADS.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
[...]
passwd: sss files systemd
group: sss files systemd
[...]
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[sssd]
domains = ads.example.com
config_file_version = 2
services = nss, pam
domain_resolution_order = ads.example.com, mydom.ads.example.com, otherdom.ads.example.com
full_name_format = %1$s
[domain/ads.example.com]
ad_domain = ads.example.com
krb5_realm = ADS.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
[sssd]
domains = ads.example.com
[...]
[domain/ads.example.com/mydom.ads.example.com]
use_fully_qualified_names = True
[domain/ads.example.com/otherdom.ads.example.com]
use_fully_qualified_names = True
[sssd]
domains = ipa.example.com
services = nss, pam, ssh, sudo
[domain/ipa.example.com]
id_provider = ipa
ipa_server = _srv_, kdc01.ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = lx02.ipa.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_store_password_if_offline = True
[...]
[sssd]
domains = mit.example.com, h5l.example.com
services = nss, pam
config_file_version = 2
[domain/mit.example.com]
id_provider = ldap
ldap_uri = ldap://kdc01.mit.example.com
ldap_search_base = dc=mit,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
auth_provider = krb5
krb5_server = kdc01.mit.example.com
krb5_realm = MIT.EXAMPLE.COM
krb5_validate = true
[domain/h5l.example.com]
id_provider = ldap
ldap_uri = ldap://kdc01.h5l.example.com
ldap_search_base = dc=h5l,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
auth_provider = krb5
krb5_server = kdc01.h5l.example.com
krb5_realm = h5l.EXAMPLE.COM
krb5_validate = true
dn: dc=mit,dc=example,dc=com
objectClass: referral
objectClass: extensibleObject
dc: mit
ref: ldap://kdc01.mit.example.com/dc=mit,dc=example,dc=com
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
man:x:6:12:man:/var/cache/man:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
testuser1:x:998:998:Testnutzer Nr. 1:/home/testuser1:/bin/bash
testuser2:x:999:999:Testnutzer Nr. 2:/home/testuser1:/bin/bash
[...]
Benutzername:PW-Hash:UID:GID:Gecos:Heimatverzeichnis:Shell
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:testuser1,testuser2
tty:x:5:
disk:x:6:
[...]
Gruppenname:PW-Hash:GID:Mitgliederliste
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Max Mustermann
sn: Mustermann
uid: maxm
uidNumber: 10000
gidNumber: 123
gecos: Herr Mustermann
homeDirectory: /home/maxm
loginShell: /bin/bash
dn: cn=Musterleute,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Musterleute
gidNumber: 123
memberUid: maxm
memberUid: erim
dn: CN=Erika Musterfrau,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Erika Musterfrau
sn: Musterfrau
givenName: Erika
instanceType: 4
displayName: Erika Musterfrau
name: Erika Musterfrau
userAccountControl: 512
sAMAccountName: erim
userPrincipalName: erim@ADS.EXAMPLE.COM
unicodePwd:: IgBTAHQAYQByAHQAMQAyADMAIgA=
pwdLastSet: 0
uid: erim
uidNumber: 10001
gidNumber: 123
gecos: Frau Musterfrau
unixHomeDirectory: /home/erim
loginShell: /bin/bash
dn: CN=Musterleute,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
objectClass: top
objectClass: group
cn: Musterleute
sAMAccountName: Musterleute
gidNumber: 123
memberUid: maxm
memberUid: erim
root@lx01.ads:~# touch /tmp/testfile
root@lx01.ads:~# chown user7495:group7001 /tmp/testfile
root@lx01.ads:~# ls -l /tmp/testfile
-rw-r--r--. 1 user7495 group7001 0 Sep 18 18:15 /tmp/testfile
root@lx01.ads:~# id user7495
uid=7495(user7495) gid=7495(group7495) groups=7495(group7495)
root@lx01.ads:~# getent passwd user7495
user7495:*:7495:7495:ADS Testuser 495:/home/user7495:/bin/bash
root@lx01.ads:~# su - user7495
Creating home directory for user7495.
[user7495@lx01.ads ~]$ whoami
user7495
root@lx01.ads:~# id user7495
uid=518602595(user7495) gid=518600513(domain users) groups=518600513(domain users)
root@lx01.ads:~# ssh -l user7495 lx01.ads.example.com
user7495@lx01.ads's password: P@ssw0rd
[user7495@lx01.ads ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_7495_DfK3feZYlZ
Default principal: user7495@ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/18/21 18:58:18 09/19/21 04:58:18 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 09/25/21 18:58:18
[user7495@lx01.ads ~]$
[sssd]
domains = mit.example.com, ads.example.com
services = nss, pam
config_file_version = 2
domain_resolution_order = ads.example.com, mydom.ads.example.com, otherdom.ads.example.com
full_name_format = %1$s
[domain/mit.example.com]
id_provider = ldap
ldap_uri = ldap://kdc01.mit.example.com
ldap_search_base = dc=mit,dc=example,dc=com
ldap_schema = rfc2307
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = lx02$@ADS.EXAMPLE.COM
auth_provider = krb5
chpass_provider = krb5
access_provider = krb5
krb5_server = kdc01.mit.example.com
krb5_realm = MIT.EXAMPLE.COM
krb5_validate = true
min_id = 1001
max_id = 1999
[domain/ads.example.com]
id_provider = ad
ldap_id_mapping = False
min_id = 7001
max_id = 9999
dn: CN=nonad,CN=Computers,DC=ads,DC=example,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: nonad
userAccountControl: 4128
sAMAccountName: nonad$
unicodePwd:: IgBhAGUAUQB2AEcAagBpAEoAegBwAFYANgBoADMAQgBhAEIATQBFAFIANwBWAHEAbABDADUAeABTAEIAcQB2AEIAdwB4AEUAMQAzAEgAaABEACIA
altSecurityIdentities: Kerberos:host/lx01.mit.example.com@MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.mit.example.com@MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.mydom.mit.example.com@MYDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.otherdom.mit.example.com@OTHERDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.otherdom.mit.example.com@OTHERDOM.MIT.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.h5l.example.com@H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.h5l.example.com@H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.mydom.h5l.example.com@MYDOM.H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx01.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM
altSecurityIdentities: Kerberos:host/lx02.otherdom.h5l.example.com@OTHERDOM.H5L.EXAMPLE.COM
user1001@lx01.mit:~$ ssh lx02
The authenticity of host 'lx02 (10.1.2.173)' can't be established.
ECDSA key fingerprint is SHA256:B0xylUorv65Weh5OzjSej37BHK0gRNXzdfdSvFoSF+0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'lx02,10.1.2.173' (ECDSA) to the list of known hosts.
Last login: Sun Sep 19 13:21:07 2021 from 10.1.2.172
user1001@lx02.mit:~$
user1001@lx01.mit:~$ kdestroy
user1001@lx01.mit:~$ ssh lx02
Password: P@ssw0rd
Password expired. You must change it now.
Current Password: P@ssw0rd
New password: N3xtP@ss
Retype new password: N3xtP@ss
Last login: Sun Sep 19 14:34:08 2021 from 10.1.2.172
user1001@lx02.mit:~$
user7001@lx01.ads:~$ ssh lx02.mit.example.com
Last login: Fri Aug 28 14:32:43 2020 from lx02.ads.example.com
user7001@lx02.mit:~$
auth_to_local = RULE:[String-Def](Prüfung)Transformation
auth_to_local = RULE:[String-Def](Prüfung)Transformation
auth_to_local = RULE:[String-Def](Prüfung)Transformation
[...]
auth_to_local = DEFAULT
[realms]
MIT.EXAMPLE.COM = {
[...]
auth_to_local = RULE:[1:$1@$0](^.*@.*EXAMPLE.COM$)s/@.*//
auth_to_local = DEFAULT
[...]
}
[plugins]
localauth = {
module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
}
user7001@lx01.ads:~$ smbclient -m SMB3 -k //kdc01.ads.example.com/home
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Sep 19 16:07:01 2021
.. D 0 Sun Sep 19 16:07:01 2021
user7001 D 0 Sun Sep 19 16:07:01 2021
25024767 blocks of size 4096. 19899859 blocks available
smb: \> quit
user7001@lx01.ads:~$
root@lx01.ads:~# mkdir /mnt/cifs
root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# mount -t cifs //kdc01.ads.example.com/home /mnt/cifs/ -o sec=krb5i
root@lx01.ads:~# df -T /mnt/cifs
Filesystem Type 1K-blocks Used Available Use% Mounted on
//kdc01.ads.example.com/home cifs 100099068 20499344 79599724 21% /mnt/cifs
root@lx01.ads:~#
root@lx01.ads:~# ls -l /mnt/cifs/
drwxr-xr-x. 2 root root 0 Sep 19 16:07 user7001
root@lx01.ads:~#
root@lx02.ads:~# mkdir -p /home/user7001
root@lx02.ads:~# chown user7001:group7001 /home/user7001/
root@lx02.ads:~# chmod 700 /home/user7001/
[global]
security = ads
workgroup = ADS
realm = ADS.EXAMPLE.COM
kerberos method = system keytab
[home]
path = /home/
read only = No
root@lx02.ads:~# net ads join -U Administrator
Enter Administrator's password: P@ssw0rd
Using short domain name -- ADS
Joined 'LX02' to dns domain 'ads.example.com'
root@lx02.ads:~#
[global]
security = ADS
workgroup = ADS
realm = ADS.EXAMPLE.COM
kerberos method = system keytab
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config ADS : backend = sss
idmap config ADS : range = 7001 - 7999
idmap config MYDOM : backend = sss
idmap config MYDOM : range = 8001 - 8999
idmap config OTHERDOM : backend = sss
idmap config OTHERDOM : range = 9001 - 9999
[home]
path = /home
read only = No
root@lx02.ads:~# wbinfo --name-to-sid 'ADS\user7001'
S-1-5-21-3034790193-1933111306-388740863-2600 SID_USER (1)
root@lx02.ads:~# wbinfo --sid-to-name S-1-5-21-3034790193-1933111306-388740863-2600
ADS\user7001 1
root@lx02.ads:~# wbinfo --sid-to-uid S-1-5-21-3034790193-1933111306-388740863-2600
7001
root@lx02.ads:~# wbinfo --uid-to-sid 7001
S-1-5-21-3034790193-1933111306-388740863-2600
root@lx02.ads:~#
user7001@lx02.ads:~$ touch acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user7002:rwx acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user8003:rw acl-test.txt
user7001@lx02.ads:~$ setfacl -m u:user9004:r acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group7003:rwx acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group8004:rw acl-test.txt
user7001@lx02.ads:~$ setfacl -m g:group9005:r acl-test.txt
user7001@lx02.ads:~$ getfacl acl-test.txt
# file: acl-test.txt
# owner: user7001
# group: group7001
user::rw-
user:user7002:rwx
user:user8003:rw-
user:user9004:r--
group::r--
group:group7003:rwx
group:group8004:rw-
group:group9005:r--
mask::rwx
other::r--
user7001@lx02.ads:~$
root@lx02.mit:~# echo '/home lx01.mit.example.com(rw,subtreecheck)' > /etc/exports
root@lx02.mit:~# mkdir -p /home/user1001
root@lx02.mit:~# chown user1001: /home/user1001
root@lx02.mit:~# chmod 0700 /home/user1001
root@lx02.mit:~# systemctl start nfs-server
root@lx01.mit:~# mount -t nfs -o vers=3,rw lx02.mit.example.com:/home /home
root@lx01.mit:~# df /home
Filesystem 1K-blocks Used Available Use% Mounted on
lx02.example.com:/home
7852768 3600288 3853600 49% /home
root@lx01.mit:~#
root@lx01.mit:~# cd /home/user1001/
-bash: cd: /home/user1001/: Permission denied
root@lx01.mit:~# su user1001
user1001@lx01.mit:/root$ cd /home/user1001
user1001@lx01.mit:~$
[General]
Verbosity = 0
Domain = example.com
Local-Realms = EXAMPLE.COM,MIT.EXAMPLE.COM,H5L.EXAMPLE.COM,ADS.EXAMPLE.COM,MYDOM.MIT.EXAMPLE.COM,OTHERDOM.MIT.EXAMPLE.COM,MYDOM.H5L.EXAMPLE.COM,OTHERDOM.H5L.EXAMPLE.COM,MYDOM.ADS.EXAMPLE.COM,OTHERDOM.ADS.EXAMPLE.COM
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
#Kommentarzeile
Server-Pfad Client-Liste(Export-Option,Export-Option,...) Client-Liste(Export-Option,Export-Option,...)
[...] [...]
# Ein Export für /home
/home *(rw,subtree_check,sec=krb5)
root@lx01.mit:~# mount -t nfs4 -o sec=krb5 lx02.mit.example.com:/ /home
root@lx01.mit:~# klist /tmp/krb5ccmachineMIT.EXAMPLE.COM
root@lx01.mit:~# klist /tmp/krb5ccmachine_MIT.EXAMPLE.COM
Ticket cache: FILE:/tmp/krb5ccmachine_MIT.EXAMPLE.COM
Default principal: host/lx01.mit.example.com@MIT.EXAMPLE.COM
Valid starting Expires Service principal
08/31/2021 02:07:53 08/31/2021 12:07:53 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 09/02/2021 02:07:53
08/31/20 02:07:53 08/31/2021 12:07:53 nfs/lx02.mit.example.com@MIT.EXAMPLE.COM
renew until 09/02/2021 02:07:53
root@lx01.mit:~#
root@lx01.mit:~# cd /home/user1001
-bash: cd: /home/user1001: Permission denied
root@lx01.mit:~# su user1001
bash: /home/user1001/.bashrc: Permission denied
user1001@lx01.mit:/root$ cd /home/user1001
bash: cd: /home/user1001: Permission denied
lx01 login: user1001
Password: P@ssw0rd
Last login: Mon Aug 31 02:22:10 2020 from 10.1.2.111
user1001@lx01.mit:~$ df .
Filesystem 1K-blocks Used Available Use% Mounted on
lx02.mit.example.com:/home 95017472 2895360 87252352 4% /home
user1001@lx01.mit:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_Z5QziMAGK7
Default principal: user1001@MIT.EXAMPLE.COM
Valid starting Expires Service principal
08/31/2021 02:24:11 08/31/2021 12:21:16 krbtgt/MIT.EXAMPLE.COM@MIT.EXAMPLE.COM
renew until 09/02/2021 02:21:19
08/31/2021 02:24:11 08/31/2021 12:21:16 nfs/lx02.mit.example.com@MIT.EXAMPLE.COM
renew until 09/02/2021 02:21:19
user1001@lx01.mit:~$
[...]
SSLCertificateFile /etc/pki/tls/certs/lx02.ads-cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/lx02.ads.key
[...]
C:\Users\Administrator>setspn.exe -A HTTP/www.ads.example.com lx02-http
Registering ServicePrincipalNames for CN=HTTP/lx02.ads.example.com,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
HTTP/www.ads.example.com
Updated object
C:\Users\Administrator>
root@lx02.ads:~# ktutil
ktutil: rkt /etc/http.keytab
ktutil: list -e -k
slot KVNO Principal ---- ---- ----------------------------
1 2 HTTP/lx02.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
ktutil: addent -key -p HTTP/www.ads.example.com@ADS.EXAMPLE.COM -k 2 -e aes256-cts
Key for HTTP/www.ads.example.com@ADS.EXAMPLE.COM (hex): da05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47
ktutil: list -e -k
slot KVNO Principal ---- ---- ---------------------------
1 2 HTTP/lx02.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
2 2 HTTP/www.ads.example.com@ADS.EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) (0xda05d7e7c3aabd4097b2bba63c0f3eb3afd303669f009d67a09011f9a4fafa47)
ktutil: wkt /etc/http.keytab.new
ktutil: quit
root@lx02.ads:~# mv /etc/http.keytab.new /etc/http.keytab
root@lx02.ads:~# chown apache:apache /etc/http.keytab
<Directory /var/www/html>
AuthType GSSAPI
AuthName "GSSAPI SSO Login"
GssapiAllowedMech krb5
GssapiBasicAuth Off
GssapiCredStore keytab:/etc/http.keytab
GssapiSSLonly On
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
require valid-user
</Directory>
root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl --negotiate -u : https://www.ads.example.com
It works!
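#!/bin/sh
# CGI script: reports the Kerberos principal under which the client was
# authenticated. The web server's GSSAPI auth module exports the
# authenticated principal in REMOTE_USER; this script only prints it.
#
# Output: a text/plain CGI response (header, blank line, body) on stdout.

# CGI response header; the empty line terminates the header section.
printf 'Content-type: text/plain\n'
printf '\n'
printf 'Anmeldeinformationen:\n'
printf '\n'
printf 'Sie sind angemeldet unter dem Kerberos-Principal\n'
# printf '%s' prints the value verbatim. With echo, a value starting with
# '-' or containing backslashes could be interpreted as options/escapes
# (behaviour differs between /bin/sh implementations).
printf '%s\n' "$REMOTE_USER"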
<Directory /var/www/cgi-bin>
AuthType GSSAPI
AuthName "GSSAPI SSO Login"
GssapiAllowedMech krb5
GssapiBasicAuth Off
GssapiCredStore keytab:/etc/http.keytab
GssapiDelegCcacheDir /tmp
GssapiSSLonly On
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
require valid-user
</Directory>
root@lx01.ads:~# kinit user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl --negotiate -u : https://www.ads.example.com/cgi-bin/login-info
Anmeldeinformationen:
Sie sind angemeldet unter dem Kerberos-Principal
user7001@ADS.EXAMPLE.COM
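#!/bin/sh
# CGI script demonstrating the use of delegated Kerberos credentials:
# it shows the credential cache the web server received for this request,
# then runs an SSH session and an LDAP search as the authenticated user,
# and finally shows the cache again (now holding the acquired service
# tickets).
#
# Environment:
#   REMOTE_USER - authenticated principal (user@REALM) set by the GSSAPI
#                 auth module.
#   KRB5CCNAME  - presumably points at the delegated ccache (set up by the
#                 web server's delegation support) -- TODO confirm; klist
#                 and the network clients below rely on it.
# Output: a text/plain CGI response on stdout; diagnostics of the called
#         tools are folded into the response (2>&1) for demonstration.

printf 'Content-type: text/plain\n'
printf '\n'
printf 'Delegationsinformationen:\n'
printf '\n'
/usr/bin/klist -f 2>&1
printf '\n'
printf 'Zugriff auf Netzwerkdienste:\n'
printf '\n'
printf 'Mit den delegierten Credentials wird Apache nun\n'
printf 'unter Ihrer Identitaet eine SSH-Sitzung und\n'
printf 'eine LDAP-Suche durchfuehren ...\n'
printf '\n'

# Local user name = principal without the realm (everything from the first
# '@' on). A parameter expansion replaces the former `echo | sed` pipeline:
# no word-splitting or globbing of the unquoted value, and no extra process.
USERNAME=${REMOTE_USER%%@*}

printf 'Hier der Output einer SSH-Sitzung: \n'
printf '\n'
# NOTE(review): with host-key checking disabled and no known_hosts file the
# SSH server is not authenticated by the client; this is acceptable for the
# demo only. Authentication of the user itself is done via the delegated
# Kerberos ticket.
/usr/bin/ssh -l "$USERNAME" \
  -o StrictHostKeyChecking=no \
  -o UserKnownHostsFile=/dev/null \
  lx02.ads.example.com id 2>&1

printf '\n'
printf 'Hier der Output einer LDAP-Suche\n'
printf '\n'
# The filter is quoted so it reaches ldapsearch as one argument even if the
# principal contains spaces or glob characters. Note that the value is still
# placed into an LDAP filter without LDAP escaping.
/usr/bin/ldapsearch -QLLL \
  -b dc=ads,dc=example,dc=com \
  -h kdc01.ads.example.com \
  "userPrincipalName=$REMOTE_USER" \
  uidNumber gidNumber 2>&1

printf '\n'
printf 'Delegationsinformationen:\n'
printf '\n'
/usr/bin/klist -f 2>&1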
root@lx01.ads:~# kinit -f user7001
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl --delegation always --negotiate -u : https://www.ads.example.com/cgi-bin/delegation-info
Delegationsinformationen:
Ticket cache: FILE:/tmp/user7001@ADS.EXAMPLE.COM
Default principal: user7001@ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/19/21 22:17:54 09/20/21 08:17:45 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 09/26/21 22:17:45, Flags: FfRA
Zugriff auf Netzwerkdienste:
Mit den delegierten Credentials wird Apache nun
unter Ihrer Identitaet eine SSH-Sitzung und
eine LDAP-Suche durchfuehren ...
Hier der Output einer SSH-Sitzung:
uid=7001(user7001) gid=7001(group7001) groups=7001(group7001) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Hier der Output einer LDAP-Suche
dn: CN=user7001,CN=Users,DC=ads,DC=example,DC=com
uidNumber: 7001
gidNumber: 7001
[...]
Delegationsinformationen:
Ticket cache: FILE:/tmp/user7001@ADS.EXAMPLE.COM
Default principal: user7001@ADS.EXAMPLE.COM
Valid starting Expires Service principal
09/19/2021 22:17:54 09/20/2021 08:17:45 krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
renew until 09/26/2021 22:17:45, Flags: FfRA
09/19/2021 22:18:00 09/20/2021 08:17:45 host/lx02.ads.example.com@ADS.EXAMPLE.COM
renew until 09/26/2021 22:17:45, Flags: FfRA
09/19/2021 22:18:01 09/20/2021 08:17:45 ldap/kdc01.ads.example.com@ADS.EXAMPLE.COM
renew until 09/26/2021 22:17:45, Flags: FfRAO
root@lx01.ads:~#
<Directory /var/www/html>
AuthType GSSAPI
AuthName "GSSAPI SSO Login"
GssapiAllowedMech krb5
GssapiBasicAuth Off
GssapiCredStore keytab:/etc/http.keytab
GssapiSSLonly On
AuthLDAPURL "ldap://kdc01.ads.example.com/dc=ads,dc=example,dc=com?userPrincipalName?sub"
AuthLDAPBindDN CN=HTTP/lx02.ads.example.com,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
AuthLDAPBindPassword "P@ssw0rd"
AuthLDAPRemoteUserAttribute "userPrincipalName"
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
require ldap-group CN=WWW-Users,CN=Users,DC=ADS,DC=EXAMPLE,DC=COM
</Directory>
BASE dc=ads,dc=example,dc=com
URI ldap://kdc01.ads.example.com
TLS_CACERT /etc/openldap/CAcert.pem
REFERRALS off
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
root@lx02.ads:~# adduser --system --user-group --create-home --home-dir /opt/keycloak keycloak
root@lx02.ads:~# su - keycloak
keycloak@lx02.ads:~$ curl -sL -O https://github.com/keycloak/keycloak/releases/download/15.0.2/keycloak-15.0.2.tar.gz
keycloak@lx02.ads:~$ tar xfz keycloak-15.0.2.tar.gz --strip-components=1
keycloak@lx02.ads:~$ ./bin/add-user-keycloak.sh -r master -u admin -p P@ssw0rd
Added 'admin' to '/opt/keycloak/standalone/configuration/keycloak-add-user.json', restart server to load user
root@lx02.ads:~# openssl pkcs12 -export -in /etc/pki/tls/certs/lx02.ads-cert.pem -inkey /etc/pki/tls/private/lx02.ads.key -name server -out /opt/keycloak/standalone/configuration/application.keystore -chain -CAfile /etc/openldap/CAcert.pem
Enter Export Password: password
Verifying - Enter Export Password: password
root@lx02.ads:~# chown keycloak /opt/keycloak/standalone/configuration/application.keystore
root@lx02.ads:~# chmod 0400 /opt/keycloak/standalone/configuration/application.keystore
keycloak@lx02.ads:~$ cp docs/contrib/scripts/systemd/wildfly.conf keycloak.conf
keycloak@lx02.ads:~$ sed -e 's/wildfly/keycloak/g' docs/contrib/scripts/systemd/launch.sh > bin/launch.sh
keycloak@lx02.ads:~$ chmod +x bin/launch.sh
keycloak@lx02.ads:~$ sed -e 's/wildfly/keycloak/g' -e 's,/etc,/opt,' docs/contrib/scripts/systemd/wildfly.service > keycloak.service
keycloak@lx02.ads:~$ exit
root@lx02.ads:~# systemctl link /opt/keycloak/keycloak.service
root@lx02.ads:~# systemctl enable --now keycloak.service
root@lx02.ads:~# setfacl -m u:keycloak:r /etc/http.keytab
root@lx02.ads:~# dnf install squid
root@lx02.ads:~# systemctl enable squid
root@lx02.ads:~# firewall-cmd --permanent --add-service=squid
root@lx02.ads:~# firewall-cmd --reload
root@lx02.ads:~# setfacl -m u:squid:r /etc/http.keytab
root@lx02.ads:~# systemctl restart squid
[...]
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/http.keytab -s GSS_C_NO_NAME
acl auth proxy_auth REQUIRED
[...]
[...]
# alle existierenden http_access-Anweisungen entfernen und
# durch folgende Zeilen ersetzen:
http_access deny !auth
http_access allow auth
http_access deny all
[...]
root@lx01.ads:~# curl -L https://www.kerberos-buch.de/ -x lx02.ads.example.com:3128
curl: (56) Received HTTP code 407 from proxy after CONNECT
root@lx01.ads:~# kinit user7001@EXAMPLE.COM
Password for user7001@ADS.EXAMPLE.COM: P@ssw0rd
root@lx01.ads:~# curl -sL https://www.kerberos-buch.de/ --proxy-negotiate -U : -x lx02.ads.example.com:3128
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
[...]
version: 1
# Max Mustermann
dn: cn=Max Mustermann,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Max Mustermann
sn: Mustermann
# Erika Musterfrau
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
cn: Erika Musterfrau
sn: Musterfrau
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0
ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
root@kdc01:~# echo RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo= | base64 -d
Ein Beispiel eines Benutzerobjektes für das Kerberos-Buch
root@kdc01:~#
# neues Objekt anlegen
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: add
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
# ein Attribut hinzufügen
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: modify
add: seeAlso
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: modify
delete: seeAlso
-
replace: description
description: Eine Beispielanwenderin
-
add: userPassword
userPassword: P@ssw0rd
# Objekt löschen
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
changetype: delete
root@kdc01:~# ldapsearch -x -h kdc01.example.com -b dc=example,dc=com '(cn=Erika*)'
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0
ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
root@kdc01:~#
root@kdc01:~# ldapsearch -x -h kdc01.example.com -b dc=example,dc=com '(&(objectClass=person)(seeAlso=*))' cn
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
root@kdc01:~# ldapsearch -x -h kdc01.example.com -D 'cn=Erika Musterfrau,ou=people,dc=example,dc=com' -w 'P@ssw0rd' -b dc=example,dc=com '(cn=Erika*)'
dn: cn=Erika Musterfrau,ou=people,dc=example,dc=com
cn: Erika Musterfrau
sn: Musterfrau
objectClass: top
objectClass: person
description:: RWluIEJlaXNwaWVsIGVpbmVzIEJlbnV0emVyb2JqZWt0
ZXMgZsO8ciBkYXMgS2VyYmVyb3MtQnVjaAo=
seeAlso: cn=Max Mustermann,ou=people,dc=example,dc=com
userPassword:: Z2VoZWltMTIz
root@kdc01:~#
root@kdc01:~# ldapmodify -x -D cn=admin,dc=example,dc=com -w 'P@ssw0rd' -f erim.ldif
adding new entry "cn=Erika Musterfrau,ou=people,dc=example,dc=com"
modifying entry "cn=Erika Musterfrau,ou=people,dc=example,dc=com"
root@kdc01:~#
install
cdrom
rootpw --plaintext P@ssw0rd
auth --useshadow --passalgo=sha512
text
keyboard de
lang en_US
selinux --enforcing
logging --level=info
timezone Europe/Berlin
# IP-Adressen, Netzmaske und Device-Name anpassen an Netzwerk der Testumgebung!
network --device=enp0s3 --bootproto=static --activate --bootproto=static --ip=10.1.2.XXX --gateway=10.1.2.254 --netmask=255.255.255.0 --nameserver=8.8.8.8 --onboot=true
bootloader --location=mbr --append="nomodeset crashkernel=auto"
zerombr
clearpart --all --initlabel
part / --fstype ext4 --size 6000 --grow --asprimary
part /boot --fstype ext4 --size 200 --grow --asprimary
part swap --size 2048
reboot --eject
%packages --ignoremissing
@base
@core
kernel-headers
kernel-devel
glibc-devel
glibc-headers
gcc
dkms
make
bzip2
perl
python36
%end
%post --nochroot --log=/mnt/sysimage/root/ks-post.log
df -h
%end