
NFS + LDAP + Kerberos: I must be close but...

« on: March 04, 2009, 02:07:41 AM »
Hi all,

After two days I've finally successfully set up a Kerberos service on my 7.4...
The objective is to make secure NFS exports and I'm quite close to it, I can mount the NFS4 share from a workstation using the -o sec=krb5 option and can access the mount point if I am root (at least the first level, since I'm exporting user homes the local root obviously doesn't have the necessary rights to enter them).
The only problem I have left is that... My normal users can't access the mount point! I must be missing something... Probably just a detail... Does anybody have an idea what it could be?

I've been following these instructions:
http://www-theorie.physik.unizh.ch/~dpotter/howto/kerberos
and got a few hints from here (for the ktadd part): https://help.ubuntu.com/community/NFSv4Howto

The mount operation is successful, the only thing I can see that may be wrong is an error shown when running rpc.gssd -vvvf from the client:

CC file '/tmp/krb5cc_machine_DOMAIN' owned by 0, not 5000
WARNING: Failed to create krb5 context for user with uid 5000 [...]


5000 being the UID of the user I'm logged in as. But I have no idea where it comes from and how to solve the problem. I'm not even sure this is the reason why my normal user can't access the share.

Thanks.

Seb.
"How high does the sycamore grows? If you cut it down, you'll never know!" - Vanessa Williams, Pocahontas.

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #1 on: March 04, 2009, 02:45:20 AM »
Never mind, my user's ticket had simply expired... I probably just need to raise the limits.

Seb.

Offline Stefano

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #2 on: March 04, 2009, 08:06:24 AM »
Seb, I suggest you join the dev ML and ask there...
And, naturally, I hope you will share your code via bugzilla ;-)

thank you
ciao
Stefano

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #3 on: March 04, 2009, 10:14:59 AM »
Hi,

It's working now... My user's ticket was gone. Either it had expired, or I had removed it one way or another while searching how that thing works...
The only problem I have left now is that the tickets are not required directly from my clients (OpenSUSE 11.1) upon login, I have to manually issue a kinit request once logged in, but that's a client configuration problem, I don't think it has anything to do with the server.

So if you're interested in doing something similar then the two links I have posted above should be enough for you to do it. It takes some time and requires some learning of the basics of Kerberos, but that's how I did it.

Seb.
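The cause Seb found (a missing or expired user ticket, which rpc.gssd reports as a failure to create a krb5 context) can be checked on the client before blaming the export. This is an added example, not code from the thread: it parses a constructed MIT `klist` listing (realm, host and times are invented, and the two-digit-year date layout is assumed) and reports what rpc.gssd would find for that user.

```python
import re
from datetime import datetime

# Constructed sample of MIT `klist` output (realm, host and times invented),
# in the two-digit-year layout of the krb5 1.3 era; this date format is assumed.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_5000
Default principal: seb@EXAMPLE.COM

Valid starting     Expires            Service principal
03/04/09 01:00:00  03/04/09 11:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/04/09 01:05:12  03/04/09 11:00:00  nfs/sme-server-7.example.com@EXAMPLE.COM
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (STAMP, STAMP))


def parse_klist(text):
    """Return (default principal or None, {service principal: (start, expires)})."""
    principal, tickets = None, {}
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = (datetime.strptime(m.group(1), TIME_FMT),
                                   datetime.strptime(m.group(2), TIME_FMT))
    return principal, tickets


def ticket_status(klist_text, now, realm):
    """Classify what rpc.gssd will find for this user at time `now`
    (same format as klist): 'no-cache', 'tgt-expired' or 'ok'."""
    principal, tickets = parse_klist(klist_text)
    tgt = tickets.get("krbtgt/%s@%s" % (realm, realm))
    if principal is None or tgt is None:
        return "no-cache"        # never ran kinit, or the cache file was removed
    if datetime.strptime(now, TIME_FMT) >= tgt[1]:
        return "tgt-expired"     # the failure in this thread; kinit again fixes it
    return "ok"
```

Only the TGT is checked because rpc.gssd obtains the nfs/ service ticket itself from a valid TGT; a longer ticket lifetime is set on the KDC side, as Seb notes, not in this check.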

Offline steever

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #4 on: March 04, 2009, 01:49:34 PM »
Seb ... Please please join the dev team and devote your efforts into developing this into a howto/contrib for inclusion in SME 8.

A lot of SME Server users live and hope for the day when we'll be able to join a Mac or Linux workstation to a SME domain for Single Sign On goodness.

Please Seb!
Saving the world ... one server at a time.

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #5 on: March 04, 2009, 01:56:45 PM »
Well... I can but there's not much to share, really. I've just followed the tutorials I have posted above, it was quite straightforward. Still, I'll see if I can help someone make a contrib to have it done more easily as it took me a lot of time to do it all manually.

Seb.

Offline steever

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #6 on: March 04, 2009, 02:07:38 PM »
For the common good, Seb!

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #7 on: March 04, 2009, 03:38:54 PM »
Done. Here is a copy. That's all I can do as I do not have a second server to go through the whole procedure again.

Quote
Hi all,

Someone at the forum suggested that I should send this to the list so
here it goes. I'm not able to make a contrib out of my experience on my
own but maybe someone else can.

I have only Linux workstations here (all running OpenSUSE 11.1) with an
SME 7.4 server. Since I've re-built that server recently with new
hardware I have plenty of room on it and I wanted to make some serious
file sharing, which led me to look into NFS but I was not satisfied at
all with the "security" of NFS alone... So I ended up working on NFS +
LDAP (with the LDAP contrib) + Kerberos.

I can't go through it all again now that my server is fully configured,
so if you try this it may require some tweaking.
The first step would be to install the required Kerberos server
packages, a simple yum install here is enough. I don't know in which
repo they are so here is the complete list of repos and packages I am using:

[root@sme-server-7 ~]# yum list krb5*
==============================================================
WARNING: Additional commands may be required after running yum
==============================================================
Loading "smeserver" plugin
Loading "installonlyn" plugin
Loading "fastestmirror" plugin
Setting up repositories
smeaddons                 100% |=========================|  951 B    00:00
smeextras                 100% |=========================| 1.9 kB    00:00
base                      100% |=========================| 1.1 kB    00:00
updates                   100% |=========================|  951 B    00:00
smeos                     100% |=========================| 1.9 kB    00:00
smeupdates                100% |=========================| 1.9 kB    00:00
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Excluding Packages from CentOS - os
Finished
Excluding Packages from CentOS - updates
Finished
Installed Packages
krb5-libs.i386                           1.3.4-60.el4           installed
krb5-server.i386                         1.3.4-60.el4           installed
krb5-workstation.i386                    1.3.4-60.el4           installed
Available Packages
krb5-auth-dialog.i386                    0.2-1                  base
krb5-devel.i386                          1.3.4-60.el4           base
================================================================
No new rpms were installed. No additional commands are required.
================================================================

Then I followed this tutorial:
http://www-theorie.physik.unizh.ch/~dpotter/howto/kerberos
It is quite straightforward, only you obviously have to edit and expand
a couple of templates where this tutorial says to edit some of the
config files... The main difficulties have been not to make mistakes in
the realm, domain, and hosts (make sure both your server and workstation
resolve each other or you'll end up getting trouble). I just didn't
do the slave KDC part. I also haven't done the LDAP crash recovery part
yet but I intend to do it soon.
I also got some help from this page:
https://help.ubuntu.com/community/NFSv4Howto - the ktadd part wouldn't
work on the server in the way it was done in the tutorial, doing it like
it is shown on this page did it.

I am now to the point where I can mount the distant share (as long as
the client has been properly configured), and my users can request a
ticket and then have access to their files in the mount point. A user
who doesn't have a ticket can't access the mount point at all, users who
have their ticket can only access their own files and directories. This
is exactly what I was looking for. The only (small) difficulty I have
left is that the ticket has to be requested manually by the user by
running kinit and giving the right password, but it's more likely to be
a workstation configuration issue than a server one.

I hope someone can synthesize all this in a contrib as it's taken me a
lot of time to set it all up - probably because I hadn't heard of
Kerberos until a few days ago, though...

Seb.

« Last Edit: March 04, 2009, 03:40:28 PM by Old Lodge Skins »

Offline steever

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #8 on: March 04, 2009, 03:44:07 PM »
Thanks Seb.

I wonder why you chose to use Kerberos where LDAP and NFS should be sufficient ...?

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #9 on: March 04, 2009, 03:54:54 PM »
I've tried LDAP + NFS but it is NOT sufficient, at all!
All it does is that by identifying your users through LDAP you make sure they have the right UID, since NFS bases its "security" on that you are then sure the user can access his files on the shared folder. Not bad... As long as everybody follows the rules!
But what if someone comes in with, let's say his laptop, or even boots one of the workstations on a Knoppix (and therefore has full root rights on the workstation), sets up a user who has the right login and the right UID (which, as I understand, can be found... After all it's just a plain simple number!)? Well that person will have full access to the shared files of the user whose UID he's using! Without being authenticated by the server! Would you call that "secure"? I don't. The only way I've found to forbid access to users who are not fully identified by the server, is through Kerberos.

Seb.
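The weakness Seb describes is the AUTH_SYS (sec=sys) model, where the server trusts whatever UID the client sends. As an added example that is not from the thread, this Python checker reads an exports(5) file and flags every client spec that still accepts sec=sys, either explicitly or because no sec= option was given (the exportfs default); the sample exports file, paths and network are constructed.

```python
import re

# Constructed sample /etc/exports (paths and networks invented). Only the
# first and last entries require Kerberos; the others still accept sec=sys.
SAMPLE_EXPORTS = """\
# NFSv4 pseudo-root and user homes
/exports            192.168.1.0/24(rw,fsid=0,sec=krb5p,no_subtree_check)
/exports/home       192.168.1.0/24(rw,sec=krb5:sys,no_subtree_check)
/exports/scratch    *(rw,no_subtree_check)
/exports/pub        192.168.1.0/24(ro,sec=krb5i)
"""

CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Yield (path, client, [options]) for every client spec in exports(5) text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for token in rest.split():
            m = CLIENT_RE.match(token)
            opts = m.group(2).split(",") if m.group(2) else []
            yield path, m.group(1) or "*", opts


def uid_trusting_exports(text):
    """Return [(path, client, flavours)] for specs that accept AUTH_SYS.
    exportfs defaults to sec=sys when no sec= option is given, so a bare
    entry is flagged too; a sec= list is the allowed flavours in order."""
    flagged = []
    for path, client, opts in parse_exports(text):
        flavours = ["sys"]
        for opt in opts:
            if opt.startswith("sec="):
                flavours = opt[len("sec="):].split(":")
        if "sys" in flavours:
            flagged.append((path, client, flavours))
    return flagged
```

An entry like `sec=krb5:sys` is still flagged because a client may simply pick sys; only entries listing krb5, krb5i or krb5p alone force the server-side authentication Seb wants.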

Offline steever

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #10 on: March 04, 2009, 04:03:52 PM »
Did you set up the linux workstations to authenticate against the SME server?  It seems to me that if you do this, the user needs to give the username and correct password to log in and have access to their files.

Maybe you're doing it some other way?

Steve

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #11 on: March 04, 2009, 04:07:03 PM »
If I do this, yes.
But read my previous post again. Imagine I'm a dirty little bad guy and I want to get control over files that are not mine. I don't care how the workstations are set up, I can simply bypass them! So the setup of the workstations is simply irrelevant; if you want to have something secure you have to make sure NOBODY can access the shares without proper authentication, regardless of the method / hardware / software they use.

Seb.

Re: NFS + LDAP + Kerberos: I must be close but...
« Reply #12 on: March 05, 2009, 01:46:22 PM »
Just FYI, in case anyone else wants to set up the same thing, one RPM was missing and was preventing slapd from starting: cyrus-sasl-gssapi
Once installed, /etc/init.d/ldap start doesn't throw an error anymore (I've just noticed it wouldn't start otherwise).

Seb.