Auth krb — различия между версиями
Материал из pNp Wiki
Andy (обсуждение | вклад) (→Настройка аутентикации LDAP/Kerberos) |
Andy (обсуждение | вклад) (→Проверка) |
||
| (не показано 5 промежуточных версий этого же участника) | |||
| Строка 3: | Строка 3: | ||
==== Предварительные требования ==== | ==== Предварительные требования ==== | ||
* Две виртуальная машины с двумя сетевыми интерфейсами в каждой | * Две виртуальная машины с двумя сетевыми интерфейсами в каждой | ||
| − | * Установленные пакеты: <code>bash-completion</code>, <code>pam_krb5</code>, <code>nss-pam-ldapd</code>, <code>sssd-ldap</code>, <code>sssd</code>, <code>sssd-krb5</code>, <code>sssd-krb5-common</code>, <code>sssd-client</code>, <code>oddjob</code>, <code>oddjob-mkhomedir</code>, <code>openldap-clients</code> | + | * Установленные пакеты: <code>bash-completion</code>, <code>pam_krb5</code>, <code>nss-pam-ldapd</code>, <code>sssd-ldap</code>, <code>sssd</code>, <code>sssd-krb5</code>, <code>sssd-krb5-common</code>, <code>sssd-client</code>, <code>oddjob</code>, <code>oddjob-mkhomedir</code>, <code>openldap-clients</code>, <code>krb5-workstation</code> |
* Установленный и настроенный сервис точного времени | * Установленный и настроенный сервис точного времени | ||
* Наличие прямой и обратной записи клиента и kerberos сервера в DNS. | * Наличие прямой и обратной записи клиента и kerberos сервера в DNS. | ||
| Строка 69: | Строка 69: | ||
== Настройка аутентикации LDAP/Kerberos == | == Настройка аутентикации LDAP/Kerberos == | ||
| − | Аутентикации будет происходит посредством демона <code>SSSD</code>, однако, почему-то, после установки пакета <code>sssd-common</code>, конфигурационный файл <code>/etc/sssd/sssd.conf<code> сервиса <code>sssd</code> отсутствует, поэтому | + | Аутентикации будет происходит посредством демона <code>SSSD</code>, однако, почему-то, после установки пакета <code>sssd-common</code>, конфигурационный файл <code>/etc/sssd/sssd.conf</code> сервиса <code>sssd</code> отсутствует, поэтому |
его надо сделать самостоятельно, по примерам из манов <code>sssd</code>, <code>sssd-ldap</code>: | его надо сделать самостоятельно, по примерам из манов <code>sssd</code>, <code>sssd-ldap</code>: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
| Строка 176: | Строка 176: | ||
Authenticate system accounts against network services is disabled | Authenticate system accounts against network services is disabled | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| − | Если введенная информация верна, то можно заменить ключ <code>--test</code> на ключ <code>--update</code>: | + | Если введенная информация верна, то можно заменить ключ <code>--test</code> на ключ <code>--update</code>, после чего проверить файл <code>/etc/nsswitch.conf</code>, который будет иметь следующий вид: |
| − | + | <syntaxhighlight lang="bash"> | |
| + | [root@vm-01 ~]# cat /etc/nsswitch.conf | ||
| + | # | ||
| + | # /etc/nsswitch.conf | ||
| + | # | ||
| + | # An example Name Service Switch config file. This file should be | ||
| + | # sorted with the most-used services at the beginning. | ||
| + | # | ||
| + | # The entry '[NOTFOUND=return]' means that the search for an | ||
| + | # entry should stop if the search in the previous entry turned | ||
| + | # up nothing. Note that if the search failed due to some other reason | ||
| + | # (like no NIS server responding) then the search continues with the | ||
| + | # next entry. | ||
| + | # | ||
| + | # Valid entries include: | ||
| + | # | ||
| + | # nisplus Use NIS+ (NIS version 3) | ||
| + | # nis Use NIS (NIS version 2), also called YP | ||
| + | # dns Use DNS (Domain Name Service) | ||
| + | # files Use the local files | ||
| + | # db Use the local database (.db) files | ||
| + | # compat Use NIS on compat mode | ||
| + | # hesiod Use Hesiod for user lookups | ||
| + | # [NOTFOUND=return] Stop searching if not found so far | ||
| + | # | ||
| + | |||
| + | # To use db, put the "db" in front of "files" for entries you want to be | ||
| + | # looked up first in the databases | ||
| + | # | ||
| + | # Example: | ||
| + | #passwd: db files nisplus nis | ||
| + | #shadow: db files nisplus nis | ||
| + | #group: db files nisplus nis | ||
| + | |||
| + | passwd: files sss ldap | ||
| + | shadow: files sss ldap | ||
| + | group: files sss ldap | ||
| + | #initgroups: files | ||
| + | |||
| + | #hosts: db files nisplus nis dns | ||
| + | hosts: files dns | ||
| + | |||
| + | # Example - obey only what nisplus tells us... | ||
| + | #services: nisplus [NOTFOUND=return] files | ||
| + | #networks: nisplus [NOTFOUND=return] files | ||
| + | #protocols: nisplus [NOTFOUND=return] files | ||
| + | #rpc: nisplus [NOTFOUND=return] files | ||
| + | #ethers: nisplus [NOTFOUND=return] files | ||
| + | #netmasks: nisplus [NOTFOUND=return] files | ||
| + | |||
| + | bootparams: nisplus [NOTFOUND=return] files | ||
| + | |||
| + | ethers: files | ||
| + | netmasks: files | ||
| + | networks: files | ||
| + | protocols: files | ||
| + | rpc: files | ||
| + | services: files sss | ||
| + | |||
| + | netgroup: files sss ldap | ||
| + | |||
| + | publickey: nisplus | ||
| + | |||
| + | automount: files sss ldap | ||
| + | aliases: files nisplus | ||
| + | |||
| + | [root@vm-01 ~]# | ||
| + | </syntaxhighlight> | ||
| + | А файл <code>/etc/krb5.conf</code>, будет следующим: | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | [root@vm-01 ~]# cat /etc/krb5.conf | ||
| + | [logging] | ||
| + | default = FILE:/var/log/krb5libs.log | ||
| + | kdc = FILE:/var/log/krb5kdc.log | ||
| + | admin_server = FILE:/var/log/kadmind.log | ||
| + | |||
| + | [libdefaults] | ||
| + | dns_lookup_realm = false | ||
| + | ticket_lifetime = 24h | ||
| + | renew_lifetime = 7d | ||
| + | forwardable = true | ||
| + | rdns = false | ||
| + | # default_realm = EXAMPLE.COM | ||
| + | default_ccache_name = KEYRING:persistent:%{uid} | ||
| + | |||
| + | default_realm = VIRTUAL.LAB | ||
| + | [realms] | ||
| + | # EXAMPLE.COM = { | ||
| + | # kdc = kerberos.example.com | ||
| + | # admin_server = kerberos.example.com | ||
| + | # } | ||
| + | |||
| + | VIRTUAL.LAB = { | ||
| + | admin_server = kdc1.virtual.lab | ||
| + | } | ||
| + | |||
| + | VIRTUAL.LAB = { | ||
| + | admin_server = kdc1.virtual.lab | ||
| + | } | ||
| + | |||
| + | [domain_realm] | ||
| + | # .example.com = EXAMPLE.COM | ||
| + | # example.com = EXAMPLE.COM | ||
| + | virtual.lab = VIRTUAL.LAB | ||
| + | .virtual.lab = VIRTUAL.LAB | ||
| + | [root@vm-01 ~]# | ||
| + | </syntaxhighlight> | ||
| + | Далее, необходимо включить сервис <code>sssd</code>: | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | [root@vm-01 ~]# systemctl enable sssd | ||
| + | ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service' | ||
| + | [root@vm-01 ~]# systemctl start sssd | ||
| + | [root@vm-01 ~]# systemctl status -l sssd | ||
| + | sssd.service - System Security Services Daemon | ||
| + | Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled) | ||
| + | Active: active (running) since Mon 2018-11-26 17:23:10 MSK; 5s ago | ||
| + | Process: 1016 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS) | ||
| + | Main PID: 1017 (sssd) | ||
| + | CGroup: /system.slice/sssd.service | ||
| + | ├─1017 /usr/sbin/sssd -D -f | ||
| + | ├─1018 /usr/libexec/sssd/sssd_be --domain LDAP --debug-to-files | ||
| + | ├─1019 /usr/libexec/sssd/sssd_nss --debug-to-files | ||
| + | └─1020 /usr/libexec/sssd/sssd_pam --debug-to-files | ||
| + | |||
| + | Nov 26 17:23:10 vm-01.virtual.lab sssd[1017]: Starting up | ||
| + | Nov 26 17:23:10 vm-01.virtual.lab sssd[be[1018]: Starting up | ||
| + | Nov 26 17:23:10 vm-01.virtual.lab sssd[1019]: Starting up | ||
| + | Nov 26 17:23:10 vm-01.virtual.lab sssd[1020]: Starting up | ||
| + | Nov 26 17:23:10 vm-01.virtual.lab systemd[1]: Started System Security Services Daemon. | ||
| + | [root@vm-01 ~]# | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==== Проверка ==== | ||
| + | С виртуальной машины <code>vm-01</code> проверяем пользователей LDAP/Kerberos: | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | [root@vm-01 ~]# id | ||
| + | uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
| + | [root@vm-01 ~]# id lisa | ||
| + | uid=10000(lisa) gid=10000(virtuallab) groups=10000(virtuallab),10001(account) | ||
| + | [root@vm-01 ~]# su - lisa | ||
| + | Creating home directory for lisa. | ||
| + | [lisa@vm-01 ~]$ id | ||
| + | uid=10000(lisa) gid=10000(virtuallab) groups=10000(virtuallab),10001(account) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | ||
| + | [lisa@vm-01 ~]$ kinit lisa | ||
| + | Password for lisa@VIRTUAL.LAB: | ||
| + | [lisa@vm-01 ~]$ klist | ||
| + | Ticket cache: KEYRING:persistent:10000:10000 | ||
| + | Default principal: lisa@VIRTUAL.LAB | ||
| + | |||
| + | Valid starting Expires Service principal | ||
| + | 11/26/2018 18:10:50 11/27/2018 18:10:50 krbtgt/VIRTUAL.LAB@VIRTUAL.LAB | ||
| + | renew until 11/26/2018 18:10:50 | ||
| + | [lisa@vm-01 ~]$ | ||
| + | </syntaxhighlight> | ||
== Ссылки == | == Ссылки == | ||
| − | [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/ | + | [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide Документация по системной аутентикации] |
Текущая версия на 17:12, 26 ноября 2018
Содержание
Настройка аутентикации Kerberos
Предварительные требования
- Две виртуальная машины с двумя сетевыми интерфейсами в каждой
- Установленные пакеты:
bash-completion,pam_krb5,nss-pam-ldapd,sssd-ldap,sssd,sssd-krb5,sssd-krb5-common,sssd-client,oddjob,oddjob-mkhomedir,openldap-clients,krb5-workstation - Установленный и настроенный сервис точного времени
- Наличие прямой и обратной записи клиента и kerberos сервера в DNS.
Предварительная проверка настроек на виртуальных машинах
Сначала стоит проверить прямую и обратную записи нашего клиента:
[root@vm-01 ~]# hostnamectl
Static hostname: vm-01.virtual.lab
Icon name: computer
Chassis: n/a
Machine ID: dae7e96c98de7f40aeb335bcaf3e35c2
Boot ID: 36ea0ee3d744490e897c7f595bb98978
Virtualization: kvm
Operating System: Red Hat Enterprise Linux Server 7.0 (Maipo)
CPE OS Name: cpe:/o:redhat:enterprise_linux:7.0:GA:server
Kernel: Linux 3.10.0-123.el7.x86_64
Architecture: x86_64
[root@vm-01 ~]# dig vm-01.virtual.lab @192.168.10.10 +noall +answer
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> vm-01.virtual.lab @192.168.10.10 +noall +answer
;; global options: +cmd
vm-01.virtual.lab. 3600 IN A 192.168.10.8
[root@vm-01 ~]# dig -x 192.168.10.8 @192.168.10.10 +noall +answer
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 192.168.10.8 @192.168.10.10 +noall +answer
;; global options: +cmd
8.10.168.192.in-addr.arpa. 3600 IN PTR vm-01.virtual.lab.
[root@vm-01 ~]#
Заодно проверим записи о нашем LDAP/Kerberos сервере:
[root@vm-01 ~]# dig vm-03.virtual.lab +noall +answer
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> vm-03.virtual.lab +noall +answer
;; global options: +cmd
vm-03.virtual.lab. 3600 IN CNAME kdc1.virtual.lab.
kdc1.virtual.lab. 3600 IN A 192.168.10.10
[root@vm-01 ~]#
Далее, следует убедиться, что LDAP сервер настроен и отдает пользователей/группы:
[root@vm-01 ~]# ldapsearch -LLL -H ldap://vm-03.virtual.lab -D "cn=admin,dc=virtual,dc=lab" -b "dc=virtual,dc=lab" -W "(uid=randy)"
Enter LDAP Password:
dn: uid=randy,ou=users,dc=virtual,dc=lab
displayName: Randall Clark
uid: randy
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
userPassword:: e1NTSEF9aGdmWlNsUTlUb3g1NHVpM3lrV3FVMEo1S1hUd0s4amg=
uidNumber: 10002
gidNumber: 10000
sn: Clark
homeDirectory: /home/randy
mail: rclark@virtual.lab
givenName: Randall
cn: randy
[root@vm-01 ~]
Настройка аутентикации LDAP/Kerberos
Аутентикации будет происходит посредством демона SSSD, однако, почему-то, после установки пакета sssd-common, конфигурационный файл /etc/sssd/sssd.conf сервиса sssd отсутствует, поэтому
его надо сделать самостоятельно, по примерам из манов sssd, sssd-ldap:
[root@vm-01 ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://kdc1.virtual.lab
ldap_search_base = dc=virtual,dc=lab
ldap_tls_reqcert = allow
auth_provider = krb5
krb5_server = kdc1.virtual.lab
krb5_realm = VIRTUAL.LAB
cache_credentials = false
[root@vm-01 ~]#
После создания файла /etc/sssd/sssd.conf, ему необходимо присвоить права:
[root@vm-01 ~]# chmod 600 /etc/sssd/sssd.conf
[root@vm-01 ~]# ls -lahi /etc/sssd/sssd.conf
780266 -rw-------. 1 root root 379 Nov 26 17:04 /etc/sssd/sssd.conf
[root@vm-01 ~]#
Для конфигурации аутентикации в LDAP будем использовать утилиту authconfig. Вывод утилиты с ключом --help обширный, поэтому ключи будем вводить сверху вниз:
[root@vm-01 ~]# authconfig --enableldap --enableldapauth --ldapserver=kdc1.virtual.lab --ldapbasedn="dc=virtual,dc=lab" --enableldaptls --enablekrb5 --krb5adminserver=kdc1.virtual.lab --krb5realm=VIRTUAL.LAB --enablesssd --enablesssdauth --disablecachecreds --enablemkhomedir --test
[root@vm-01 ~]#
Вводим команду и получаем следующий вывод:
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "kdc1.virtual.lab"
LDAP base DN = "dc=virtual,dc=lab"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is enabled
krb5 realm = "VIRTUAL.LAB"
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = "kdc1.virtual.lab"
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "kdc1.virtual.lab"
LDAP base DN = "dc=virtual,dc=lab"
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is enabled by default
credential caching in SSSD is disabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Если введенная информация верна, то можно заменить ключ --test на ключ --update, после чего проверить файл /etc/nsswitch.conf, который будет иметь следующий вид:
[root@vm-01 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss ldap
shadow: files sss ldap
group: files sss ldap
#initgroups: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss ldap
publickey: nisplus
automount: files sss ldap
aliases: files nisplus
[root@vm-01 ~]#
А файл /etc/krb5.conf, будет следующим:
[root@vm-01 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = VIRTUAL.LAB
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
VIRTUAL.LAB = {
admin_server = kdc1.virtual.lab
}
VIRTUAL.LAB = {
admin_server = kdc1.virtual.lab
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
virtual.lab = VIRTUAL.LAB
.virtual.lab = VIRTUAL.LAB
[root@vm-01 ~]#
Далее, необходимо включить сервис sssd:
[root@vm-01 ~]# systemctl enable sssd
ln -s '/usr/lib/systemd/system/sssd.service' '/etc/systemd/system/multi-user.target.wants/sssd.service'
[root@vm-01 ~]# systemctl start sssd
[root@vm-01 ~]# systemctl status -l sssd
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled)
Active: active (running) since Mon 2018-11-26 17:23:10 MSK; 5s ago
Process: 1016 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
Main PID: 1017 (sssd)
CGroup: /system.slice/sssd.service
├─1017 /usr/sbin/sssd -D -f
├─1018 /usr/libexec/sssd/sssd_be --domain LDAP --debug-to-files
├─1019 /usr/libexec/sssd/sssd_nss --debug-to-files
└─1020 /usr/libexec/sssd/sssd_pam --debug-to-files
Nov 26 17:23:10 vm-01.virtual.lab sssd[1017]: Starting up
Nov 26 17:23:10 vm-01.virtual.lab sssd[be[1018]: Starting up
Nov 26 17:23:10 vm-01.virtual.lab sssd[1019]: Starting up
Nov 26 17:23:10 vm-01.virtual.lab sssd[1020]: Starting up
Nov 26 17:23:10 vm-01.virtual.lab systemd[1]: Started System Security Services Daemon.
[root@vm-01 ~]#
Проверка
С виртуальной машины vm-01 проверяем пользователей LDAP/Kerberos:
[root@vm-01 ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@vm-01 ~]# id lisa
uid=10000(lisa) gid=10000(virtuallab) groups=10000(virtuallab),10001(account)
[root@vm-01 ~]# su - lisa
Creating home directory for lisa.
[lisa@vm-01 ~]$ id
uid=10000(lisa) gid=10000(virtuallab) groups=10000(virtuallab),10001(account) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[lisa@vm-01 ~]$ kinit lisa
Password for lisa@VIRTUAL.LAB:
[lisa@vm-01 ~]$ klist
Ticket cache: KEYRING:persistent:10000:10000
Default principal: lisa@VIRTUAL.LAB
Valid starting Expires Service principal
11/26/2018 18:10:50 11/27/2018 18:10:50 krbtgt/VIRTUAL.LAB@VIRTUAL.LAB
renew until 11/26/2018 18:10:50
[lisa@vm-01 ~]$
