Build Kerberos Docker Image from Ubuntu: Difference between revisions
No edit summary |
|||
(17 intermediate revisions by the same user not shown) | |||
Line 28: | Line 28: | ||
# apt-get in not interactive mode | # apt-get in not interactive mode | ||
export DEBIAN_FRONTEND=noninteractive && | export DEBIAN_FRONTEND=noninteractive && | ||
# debconf tzdata settings | |||
cat > /root/.docker/debconf_tzdata_settings.conf << EOF | |||
tzdata tzdata/Areas select Asia | |||
tzdata tzdata/Zones/Asia select Dhaka | |||
EOF | |||
Line 54: | Line 61: | ||
krb5-config krb5-config/default_realm string $KRB5_REALM | krb5-config krb5-config/default_realm string $KRB5_REALM | ||
krb5-config krb5-config/add_servers_realm string $KRB5_REALM | krb5-config krb5-config/add_servers_realm string $KRB5_REALM | ||
krb5-config krb5-config/kerberos_servers string | krb5-config krb5-config/kerberos_servers string chorke.org | ||
krb5-config krb5-config/admin_server string | krb5-config krb5-config/admin_server string kad.chorke.org | ||
krb5-config krb5-config/dns_for_default boolean true | krb5-config krb5-config/dns_for_default boolean true | ||
krb5-config krb5-config/add_servers boolean true | krb5-config krb5-config/add_servers boolean true | ||
krb5-config krb5-config/read_conf boolean true | |||
heimdal-kdc heimdal/realm string $KRB5_REALM | heimdal-kdc heimdal/realm string $KRB5_REALM | ||
EOF | EOF | ||
# cat /root/.docker/debconf_tzdata_settings.conf|debconf-set-selections && | |||
# cat /root/.docker/debconf_slapd_settings.conf|debconf-set-selections && | # cat /root/.docker/debconf_slapd_settings.conf|debconf-set-selections && | ||
# cat /root/.docker/debconf_krb5_settings.conf|debconf-set-selections && | # cat /root/.docker/debconf_krb5_settings.conf|debconf-set-selections && | ||
Line 69: | Line 78: | ||
apt-get update && | apt-get update && | ||
# apt-get -y install ldap-utils slapd && | # apt-get -y install ldap-utils slapd && | ||
apt-get -y install | apt-get -y install inetutils-ping && | ||
apt-get -y install openssh-client && | apt-get -y install openssh-{server,client} && | ||
# apt-get -y install phpldapadmin && | # apt-get -y install phpldapadmin && | ||
apt-get clean && | apt-get clean && | ||
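Review bot: `apt-get -y install openssh-{server,client}` brings in the ssh daemon, which is what makes the root password login configured further down in setup.sh (the `PermitRootLogin yes` edit and `root:$ADMN_PASS` via chpasswd, outside this hunk) reachable on port 22 with a password that is a literal in the script. Prefer key-based access — ship an authorized_keys file under assets and leave PermitRootLogin at its `prohibit-password` default — or at least take the password from a build argument instead of the literal. `--no-install-recommends` would also keep the image smaller.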
Line 132: | Line 141: | ||
fi | fi | ||
# failure safe start kerberos | # failure safe start kerberos admin server and kdc | ||
if [ -f '/etc/krb5kdc/stash' ]&&[ -f '/etc/krb5kdc/kadm5.acl' ]&&[ -f '/var/lib/krb5kdc/principal' ];then | if [ -f '/etc/krb5kdc/stash' ]&&[ -f '/etc/krb5kdc/kadm5.acl' ]&&[ -f '/var/lib/krb5kdc/principal' ];then | ||
if [ -f '/etc/init.d/krb5- | if [ -f '/etc/init.d/krb5-admin-server' ]&&[ -f '/etc/init.d/krb5-kdc' ];then | ||
service krb5- | service krb5-admin-server start && service krb5-kdc start | ||
fi | fi | ||
fi | fi | ||
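Review bot: The new line starts the daemons admin-server first, `service krb5-admin-server start && service krb5-kdc start`, which is the reverse of the usual order — MIT's install procedure starts krb5kdc before kadmind, since kadmind serves the same principal database — and the `&&` means a kadmind failure also prevents the kdc from starting. Suggest `service krb5-kdc start && service krb5-admin-server start`. Note also that this `if` is the last command before `exit $?` (outside the hunk), so a failed start makes startup.sh exit non-zero and the Dockerfile's `CMD /usr/sbin/startup.sh && /usr/sbin/sshd -D` then never starts sshd.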
Line 155: | Line 164: | ||
@since 1.0.00.GA | @since 1.0.00.GA | ||
' | ' | ||
# host name change for kerberos admin server and kdc | |||
echo '127.0.0.1 chorke.org' >> /etc/hosts && | |||
echo '127.0.0.1 kdc.chorke.org' >> /etc/hosts && | |||
echo '127.0.0.1 kad.chorke.org' >> /etc/hosts && | |||
# apt-get in not interactive mode | # apt-get in not interactive mode | ||
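Review bot: The three `echo '127.0.0.1 ...' >> /etc/hosts` appends are not idempotent — every re-run of init.sh adds another copy of each entry. Guard each one, e.g. `grep -qF 'kdc.chorke.org' /etc/hosts || echo '127.0.0.1 kdc.chorke.org' >> /etc/hosts &&`, which keeps the `&&` chain intact because `a || b && c` groups as `(a || b) && c`.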
Line 161: | Line 176: | ||
# debconfig set selections | # debconfig set selections | ||
cat /root/.docker/debconf_tzdata_settings.conf|debconf-set-selections && | |||
cat /root/.docker/debconf_slapd_settings.conf|debconf-set-selections && | cat /root/.docker/debconf_slapd_settings.conf|debconf-set-selections && | ||
cat /root/.docker/debconf_krb5_settings.conf|debconf-set-selections && | cat /root/.docker/debconf_krb5_settings.conf|debconf-set-selections && | ||
Line 167: | Line 183: | ||
# install slapd, openssh & phpldapadmin | # install slapd, openssh & phpldapadmin | ||
apt-get update && | apt-get update && | ||
apt-get -y install vim ssh && | |||
apt-get -y install ntp ntpdate nmap && | |||
apt-get -y install ldap-utils slapd && | apt-get -y install ldap-utils slapd && | ||
apt-get -y install krb5-{admin-server,kdc-ldap,user} && | |||
apt-get -y install phpldapadmin && | apt-get -y install phpldapadmin && | ||
apt-get clean && | apt-get clean && | ||
Line 177: | Line 194: | ||
chmod 777 /etc/ldap/ldap.conf && | chmod 777 /etc/ldap/ldap.conf && | ||
cat > /etc/ldap/ldap.conf <<'EOF' | cat > /etc/ldap/ldap.conf <<'EOF' | ||
# See ldap.conf(5) for details | # See ldap.conf(5) for details | ||
# This file should be world readable but not world writable. | # This file should be world readable but not world writable. | ||
BASE dc=chorke,dc=org | BASE dc=chorke,dc=org | ||
URI ldap://localhost ldap:// | URI ldap://localhost ldap://chorke.org ldap://kdc.chorke.org ldap://kad.chorke.org | ||
#SIZELIMIT 12 | #SIZELIMIT 12 | ||
Line 195: | Line 208: | ||
EOF | EOF | ||
chmod 744 /etc/ldap/ldap.conf && | chmod 744 /etc/ldap/ldap.conf && | ||
# update /etc/init.d/krb5-{kdc,admin-server} start | |||
SERVICE_INIT_FIND='# Required-Start: $local_fs $remote_fs $network $syslog' && | |||
SERVICE_INIT_FILL='# Required-Start: $local_fs $remote_fs $network $syslog slapd' && | |||
sed -i "s@$SERVICE_INIT_FIND.*@$SERVICE_INIT_FILL@" /etc/init.d/krb5-admin-server && | |||
sed -i "s@$SERVICE_INIT_FIND.*@$SERVICE_INIT_FILL@" /etc/init.d/krb5-kdc && | |||
# update /etc/init.d/krb5-{kdc,admin-server} stop | |||
SERVICE_STOP_FIND='# Required-Stop: $local_fs $remote_fs $network $syslog' && | |||
SERVICE_STOP_FILL='# Required-Stop: $local_fs $remote_fs $network $syslog slapd' && | |||
sed -i "s@$SERVICE_STOP_FIND.*@$SERVICE_STOP_FILL@" /etc/init.d/krb5-admin-server && | |||
sed -i "s@$SERVICE_STOP_FIND.*@$SERVICE_STOP_FILL@" /etc/init.d/krb5-kdc && | |||
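Review bot: The `sed -i "s@$SERVICE_INIT_FIND.*@..."` and `$SERVICE_STOP_FIND` replacements are whitespace-exact: the patterns have a single space after `# Required-Start:` / `# Required-Stop:`, while Debian LSB headers are typically column-aligned with several spaces, in which case sed matches nothing, returns 0, and the `&&` chain continues as if slapd had been added as a dependency. Make the key tolerant, `SERVICE_INIT_FIND='# Required-Start:[[:space:]]*$local_fs $remote_fs $network $syslog'` (same for Required-Stop), and check the result with `grep -n 'Required-St' /etc/init.d/krb5-kdc` after the edit. On the ldap.conf side, the `chmod 777` before the heredoc (previous hunk) is unnecessary when running as root and `chmod 744` leaves an execute bit on a config file; `chmod 644` matches the "world readable but not world writable" comment inside the file.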
Line 208: | Line 234: | ||
# ldap server name change (line 286) | # ldap server name change (line 286) | ||
LDAP_NAME_FIND="$servers->setValue('server','name','My LDAP Server');" && | LDAP_NAME_FIND="$servers->setValue('server','name','My LDAP Server');" && | ||
LDAP_NAME_FILL="$servers->setValue('server','name',' | LDAP_NAME_FILL="$servers->setValue('server','name','CKi LDAP Server');" && | ||
sed -i "s@$LDAP_NAME_FIND.*@$LDAP_NAME_FILL@" "$PHPC_FILE" && | sed -i "s@$LDAP_NAME_FIND.*@$LDAP_NAME_FILL@" "$PHPC_FILE" && | ||
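Review bot: `LDAP_NAME_FIND="$servers->setValue(...)"` and `LDAP_NAME_FILL` are double-quoted, so the shell expands `$servers` to the empty string before sed ever runs; the edit only works because sed substitutes the matched tail `->setValue(...)` and leaves the untouched `$servers` prefix in the file. The same expansion turns the later `LDAP_HASH_FIND="$default = $this->getServer()->getValue('appearance','password_hash');"` (outside this hunk) into ` = ->getServer()...`, which cannot match the real line `$default = $this->getServer()...`, so that replacement silently changes nothing. Either drop the PHP variable names from the patterns, `LDAP_HASH_FIND="getValue('appearance','password_hash');"`, or escape them as `\$servers` / `\$this` so they stay literal.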
Line 232: | Line 258: | ||
# kdc master key | # time zone & kdc master key | ||
krb5_newrealm && | ln -fs /usr/share/zoneinfo/Asia/Dhaka /etc/localtime && | ||
dpkg-reconfigure -f noninteractive tzdata && | |||
# krb5_newrealm && | |||
# KADM_ACL_FILL='\*\/admin \*' && | |||
# KADM_ACL_FIND='# \*\/admin \*' && | |||
# sed -i "s@$KADM_ACL_FIND.*@$KADM_ACL_FILL@g" /etc/krb5kdc/kadm5.acl && | |||
# echo 'admin *' >> /etc/krb5kdc/kadm5.acl && | |||
cp -rf ~/.docker/kadm5.acl /etc/krb5kdc/kadm5.acl && | |||
Line 241: | Line 275: | ||
# failure safe start kerberos | # import Kerberos schema for kerberos kdc | ||
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema && | |||
echo "include /etc/ldap/schema/kerberos.schema" > ~/.docker/schema_convert.conf && | |||
mkdir ~/.docker/ldif_result && | |||
slapcat -f ~/.docker/schema_convert.conf -F ~/.docker/ldif_result -s "cn=kerberos,cn=schema,cn=config" && | |||
cp ~/.docker/ldif_result/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif ~/.docker/kerberos.ldif && | |||
sed -i "s@dn: cn={0}kerberos.*@dn: cn=kerberos,cn=schema,cn=config@g" ~/.docker/kerberos.ldif && | |||
sed -i "s@cn: {0}kerberos.*@cn: kerberos@g" ~/.docker/kerberos.ldif && | |||
sed -i '/structuralObjectClass: /d' ~/.docker/kerberos.ldif && | |||
sed -i '/creatorsName: cn=config/d' ~/.docker/kerberos.ldif && | |||
sed -i '/modifiersName: cn=config/d' ~/.docker/kerberos.ldif && | |||
sed -i '/createTimestamp: /d' ~/.docker/kerberos.ldif && | |||
sed -i '/modifyTimestamp: /d' ~/.docker/kerberos.ldif && | |||
sed -i '/entryUUID: /d' ~/.docker/kerberos.ldif && | |||
sed -i '/entryCSN: /d' ~/.docker/kerberos.ldif && | |||
ldapadd -QY EXTERNAL -H ldapi:/// -f ~/.docker/kerberos.ldif && | |||
# No such attribute (16). additional info: modify/delete: olcAccess: no such value | |||
# (ldapmodify -QY EXTERNAL -H ldapi:/// -f ~/.docker/olc-mod1.ldif 2>/dev/null 2>&1) && | |||
# ldapdelete -xh chorke.org -D cn=admin,dc=chorke,dc=org -w chorkeinc cn=admin,dc=chorke,dc=org && | |||
# cp -rf ~/.docker/krb5.conf /etc/krb5.conf && | |||
# mkdir /var/log/krb5 && | |||
# cp -rf ~/.docker/krb5-kdc /etc/logrotate.d/krb5-kdc && | |||
# cp -rf ~/.docker/krb5-kadmin /etc/logrotate.d/krb5-kadmin && | |||
# ldapadd -xWD cn=admin,dc=chorke,dc=org -f ~/.docker/krb5.ldif && | |||
# kdb5_ldap_util -D cn=admin,dc=chorke,dc=org -H ldap://chorke.org create -r CHORKE.ORG -s && | |||
# failure safe start kerberos admin server & kdc | |||
if [ -f '/etc/krb5kdc/stash' ]&&[ -f '/etc/krb5kdc/kadm5.acl' ]&&[ -f '/var/lib/krb5kdc/principal' ];then | if [ -f '/etc/krb5kdc/stash' ]&&[ -f '/etc/krb5kdc/kadm5.acl' ]&&[ -f '/var/lib/krb5kdc/principal' ];then | ||
if [ -f '/etc/init.d/krb5- | if [ -f '/etc/init.d/krb5-admin-server' ]&&[ -f '/etc/init.d/krb5-kdc' ];then | ||
service krb5- | #service krb5-admin-server start && service krb5-kdc start | ||
echo 'kerberos admin server & kdc not running!' | |||
fi | fi | ||
fi | fi | ||
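Review bot: `echo 'kerberos admin server & kdc not running!'` is a diagnostic and belongs on stderr (`>&2`); as written it also only fires when all three guard files and both init scripts exist, so a run where the stash or principal database is missing ends silently. Separately, the commented-out `ldapdelete ... -w chorkeinc` line passes the directory password on argv; if it is re-enabled use `-W` or `-y <passfile>` so it does not show in process listings. The `&&` list these lines belong to starts before this hunk.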
Line 251: | Line 316: | ||
# safe exit | # safe exit | ||
exit $? | exit $? | ||
</syntaxhighlight> | |||
== Kerberos Config == | |||
<code>./assets/kadm5.acl</code> | |||
<syntaxhighlight lang="ini"> | |||
# This file Is the access control list for krb5 administration. | |||
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate | |||
# One common way to set up Kerberos administration is to allow any principal | |||
# ending in /admin is given full administrative rights. | |||
# To enable this, uncomment the following line: | |||
*/admin * | |||
admin * | |||
</syntaxhighlight> | |||
<code>./assets/olc-mod1.ldif</code> | |||
<syntaxhighlight lang="ini"> | |||
dn: cn=config | |||
changetype: modify | |||
replace: olcLogLevel | |||
olcLogLevel: stats | |||
dn: olcDatabase={1}mdb,cn=config | |||
changetype: modify | |||
delete: olcAccess | |||
olcAccess: {2}to * | |||
by self write | |||
by dn="cn=admin,dc=chorke,dc=org" write | |||
by * read | |||
- | |||
delete: olcAccess | |||
olcAccess: {1}to dn.base="" | |||
by * read | |||
- | |||
delete: olcAccess | |||
olcAccess: {0}to attrs=userPassword,shadowLastChange | |||
by self write | |||
by anonymous auth | |||
by dn="cn=admin,dc=chorke,dc=org" write | |||
by * none | |||
- | |||
add: olcAccess | |||
olcAccess: to attrs=userPassword,shadowLastChange | |||
by anonymous auth | |||
by * none | |||
- | |||
add: olcAccess | |||
olcAccess: to dn.subtree="ou=krb5,dc=chorke,dc=org" | |||
by dn="cn=adm-srv,ou=krb5,dc=chorke,dc=org" write | |||
by dn="cn=kdc-srv,ou=krb5,dc=chorke,dc=org" read | |||
by * none | |||
- | |||
add: olcAccess | |||
olcAccess: to attrs=loginShell | |||
by self write | |||
by users read | |||
by * none | |||
- | |||
add: olcAccess | |||
olcAccess: to dn.base="" | |||
by * read | |||
- | |||
add: olcAccess | |||
olcAccess: to * | |||
by users read | |||
by * none | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: uid eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: cn eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: ou eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: dc eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: uidNumber eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: gidNumber eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: memberUid eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: uniqueMember eq | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: krbPrincipalName eq,pres,sub | |||
- | |||
add: olcDbIndex | |||
olcDbIndex: krbPwdPolicyReference eq | |||
</syntaxhighlight> | |||
<code>./assets/krb5.conf</code> | |||
<syntaxhighlight lang="ini"> | |||
[libdefaults] | |||
default_realm = CHORKE.ORG | |||
# The following krb5.conf variables are only for MIT Kerberos. | |||
krb4_config = /etc/krb.conf | |||
krb4_realms = /etc/krb.realms | |||
kdc_timesync = 1 | |||
ccache_type = 4 | |||
forwardable = true | |||
proxiable = true | |||
# The following libdefaults parameters are only for Heimdal Kerberos. | |||
v4_instance_resolve = false | |||
v4_name_convert = { | |||
host = { | |||
rcmd = host | |||
ftp = ftp | |||
} | |||
plain = { | |||
something = something-else | |||
} | |||
} | |||
fcc-mit-ticketflags = true | |||
[realms] | |||
CHORKE.ORG = { | |||
kdc = chorke.org | |||
admin_server = kad.chorke.org | |||
database_module = openldap_ldapconf | |||
} | |||
[domain_realm] | |||
.chorke.org = CHORKE.ORG | |||
chorke.org = CHORKE.ORG | |||
[dbdefaults] | |||
ldap_kerberos_container_dn = ou=krb5,dc=chorke,dc=org | |||
[dbmodules] | |||
openldap_ldapconf = { | |||
db_library = kldap | |||
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=chorke,dc=org | |||
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=chorke,dc=org | |||
ldap_service_password_file = /etc/krb5kdc/service.keyfile | |||
ldap_conns_per_server = 5 | |||
} | |||
[logging] | |||
kdc = FILE:/var/log/krb5/kdc.log | |||
admin_server = FILE:/var/log/krb5/kadmin.log | |||
default = FILE:/var/log/krb5/kadmin.log | |||
[login] | |||
krb4_convert = true | |||
krb4_get_tickets = false | |||
</syntaxhighlight> | |||
<code>./assets/krb5-kdc</code> | |||
<syntaxhighlight lang="ini"> | |||
/var/log/krb5/kdc.log { | |||
daily | |||
missingok | |||
rotate 7 | |||
compress | |||
delaycompress | |||
notifempty | |||
postrotate | |||
/etc/init.d/krb5-kdc restart > /dev/null | |||
endscript | |||
} | |||
</syntaxhighlight> | |||
<code>./assets/krb5-kadmin</code> | |||
<syntaxhighlight lang="ini"> | |||
/var/log/krb5/kadmin.log { | |||
daily | |||
missingok | |||
rotate 7 | |||
compress | |||
delaycompress | |||
notifempty | |||
postrotate | |||
/etc/init.d/krb5-admin-server restart > /dev/null | |||
endscript | |||
} | |||
</syntaxhighlight> | |||
<code>./assets/krb5.ldif</code> | |||
<syntaxhighlight lang="ini"> | |||
dn: ou=krb5,dc=chorke,dc=org | |||
ou: krb5 | |||
objectClass: organizationalUnit | |||
dn: cn=kdc-srv,ou=krb5,dc=chorke,dc=org | |||
cn: kdc-srv | |||
objectClass: simpleSecurityObject | |||
objectClass: organizationalRole | |||
description: Default bind DN for the Kerberos KDC server | |||
userPassword: chorkeinc | |||
dn: cn=adm-srv,ou=krb5,dc=chorke,dc=org | |||
cn: adm-srv | |||
objectClass: simpleSecurityObject | |||
objectClass: organizationalRole | |||
description: Default bind DN for the Kerberos Administration server | |||
userPassword: chorkeinc | |||
</syntaxhighlight> | </syntaxhighlight> | ||
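Review bot: `./assets/krb5.ldif` stores `userPassword: chorkeinc` in clear text for both service bind DNs (cn=kdc-srv and cn=adm-srv), and it is the same value as the slapd admin and container root password set in setup.sh. Use distinct values and load them hashed — generate with `slappasswd -s` and put the `{SSHA}...` string in the LDIF — and keep the real kdc-srv/adm-srv secrets off the page (`ldap_service_password_file` in krb5.conf is the stash the KDC reads them from). In `olc-mod1.ldif` the new `userPassword,shadowLastChange` rule drops `by self write`, which stops users changing their own LDAP password; presumably intended because passwords move to Kerberos, but worth a comment in the file.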
Line 278: | Line 548: | ||
docker start kerber | docker start kerber | ||
docker stop kerber | docker stop kerber | ||
</syntaxhighlight> | |||
== Kerberos Admin == | |||
<syntaxhighlight lang="bash"> | |||
kadmin.local: addprinc root/admin | |||
# WARNING: no policy specified for root/[email protected]; defaulting to no policy | |||
# Enter password for principal "root/[email protected]": | |||
# Re-enter password for principal "root/[email protected]": | |||
# Principal "root/[email protected]" created. | |||
kadmin.local: addprinc shohel | |||
# WARNING: no policy specified for [email protected]; defaulting to no policy | |||
# Enter password for principal "[email protected]": | |||
# Re-enter password for principal "[email protected]": | |||
# Principal "[email protected]" created. | |||
kadmin.local: getprinc root/admin | |||
# Principal: root/[email protected] | |||
# Expiration date: [never] | |||
# Last password change: Mon May 28 04:05:46 UTC 2018 | |||
# Password expiration date: [none] | |||
# Maximum ticket life: 0 days 10:00:00 | |||
# Maximum renewable life: 7 days 00:00:00 | |||
# ... more ... and ... more ... | |||
# Attributes: REQUIRES_PRE_AUTH | |||
# Policy: [none] | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 304: | Line 600: | ||
ldapwhoami -H ldap:// -x | ldapwhoami -H ldap:// -x | ||
cat /etc/ldap/ldap.conf | cat /etc/ldap/ldap.conf | ||
dpkg-reconfigure tzdata | |||
dpkg-reconfigure slapd | dpkg-reconfigure slapd | ||
nmap -p 389 localhost | nmap -p 389 localhost | ||
slaptest | |||
slapcat | slapcat | ||
# kerberos installation check | # kerberos installation check | ||
nmap -sU -sT -p U:88,464,T:464,749 localhost | |||
ls -la /var/lib/krb5kdc/principal | ls -la /var/lib/krb5kdc/principal | ||
ls -la /etc/krb5kdc/kadm5.acl | ls -la /etc/krb5kdc/kadm5.acl | ||
Line 320: | Line 619: | ||
* [https://github.com/NottingHack/hms/blob/master/vagrant_config/bootstrap.sh NottingHack/hms] | * [https://github.com/NottingHack/hms/blob/master/vagrant_config/bootstrap.sh NottingHack/hms] | ||
* [http://thejavamonkey.blogspot.my/2008/04/clientserver-hello-world-in-kerberos.html Kerberos Hello World] | * [http://thejavamonkey.blogspot.my/2008/04/clientserver-hello-world-in-kerberos.html Kerberos Hello World] | ||
* [http://www.rjsystems.nl/en/2100-d6-kerberos-master.php MIT Kerberos 5 master] | |||
* [https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ Administration programs] | |||
* [https://gist.github.com/ashrithr/4767927948eca70845db Installing Kerberos on Redhat 7] | |||
* [https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjrve/index.html How to Configure a Master KDC] | * [https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjrve/index.html How to Configure a Master KDC] | ||
* [https://www.certdepot.net/rhel7-configure-kerberos-kdc/ RHEL7: Configure a Kerberos KDC] | |||
* [http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php Integrated Kerberos-OpenLDAP provider] | * [http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php Integrated Kerberos-OpenLDAP provider] | ||
* [http://jurjenbokma.com/ApprenticesNotes/ad_kinit.xhtml Debian/Ubuntu Linux with AD Kerberos Server] | * [http://jurjenbokma.com/ApprenticesNotes/ad_kinit.xhtml Debian/Ubuntu Linux with AD Kerberos Server] | ||
* [https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/1404351 krb5-config missing debconf-set-selections variable] | * [https://bugs.launchpad.net/ubuntu/+source/kerberos-configs/+bug/1404351 krb5-config missing debconf-set-selections variable] | ||
* [https://www.rootusers.com/how-to-configure-linux-to-authenticate-using-kerberos/ How To Configure Linux To Authenticate Using Kerberos] | |||
* [https://docs.oracle.com/cd/E36784_01/html/E37126/st-mkey-1.html How to Create, Use, and Store a New Master Key for the Kerberos Database] | * [https://docs.oracle.com/cd/E36784_01/html/E37126/st-mkey-1.html How to Create, Use, and Store a New Master Key for the Kerberos Database] |
Latest revision as of 00:33, 4 June 2018
Dockerfile
./Dockerfile
# Ubuntu 16.04 lab image for slapd + MIT Kerberos (kdc, kadmind) + phpldapadmin.
# setup.sh runs at build time; init.sh is run by hand inside the container.
FROM ubuntu:16.04
# NOTE(review): MAINTAINER is deprecated; LABEL maintainer="..." is the current form
MAINTAINER Chorke, Inc.<[email protected]>
ENV container=docker
# Everything under ./assets (scripts, ldif/acl templates) is baked into the
# image; setup.sh also writes the generated debconf answer files — including
# the admin password — into this directory, so they persist in the image layers.
ADD assets /root/.docker
RUN /root/.docker/setup.sh
# 22 ssh, 80 http (apache/phpldapadmin), 88 kerberos kdc, 389/636 ldap/ldaps,
# 750 kerberos-iv (legacy), 749 kadmin
EXPOSE 22 80 88 389 636 750 749
# startup.sh brings up the installed services, then sshd runs in the
# foreground as the main process; a non-zero exit from startup.sh skips
# sshd and ends the container
CMD /usr/sbin/startup.sh && /usr/sbin/sshd -D
Setup Script
./assets/setup.sh
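#!/bin/bash
: '
@author "Chorke, Inc."<[email protected]>
@web http://chorke.org
@vendor Chorke, Inc.
@version 1.0.00.GA
@since 1.0.00.GA
'
# Image build script, run as root by the Dockerfile's RUN step.
# It writes the debconf answer files that init.sh applies later, installs
# ping and openssh, turns on root password login over ssh and installs the
# container startup script. Every step (heredocs included) is part of one
# &&-list, so the first failure ends the script with a non-zero status and
# fails the docker build.
#
# Tunables, read from the environment when set (defaults otherwise):
#   ADMN_PASS  - slapd admin password; also becomes the container root password
#   KRB5_REALM - Kerberos realm written into the krb5-config answers
#
# apt-get in non-interactive mode
export DEBIAN_FRONTEND=noninteractive &&
# debconf tzdata settings
cat > /root/.docker/debconf_tzdata_settings.conf << EOF &&
tzdata tzdata/Areas select Asia
tzdata tzdata/Zones/Asia select Dhaka
EOF
# debconf slapd settings
# NOTE: the password lands in clear text in this answer file, which stays in
# the image layer under /root/.docker; override ADMN_PASS for any image that
# is not a throw-away lab box.
ADMN_PASS=${ADMN_PASS:-chorkeinc} &&
cat > /root/.docker/debconf_slapd_settings.conf << EOF &&
slapd slapd/root_password password $ADMN_PASS
slapd slapd/root_password_again password $ADMN_PASS
slapd slapd/internal/adminpw password $ADMN_PASS
slapd slapd/internal/generated_adminpw password $ADMN_PASS
slapd slapd/password2 password $ADMN_PASS
slapd slapd/password1 password $ADMN_PASS
slapd slapd/domain string chorke.org
slapd shared/organization string Chorke, Inc.
slapd slapd/backend string MDB
slapd slapd/purge_database boolean false
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
slapd slapd/no_configuration boolean false
EOF
# debconf kerberos settings
KRB5_REALM=${KRB5_REALM:-CHORKE.ORG} &&
cat > /root/.docker/debconf_krb5_settings.conf << EOF &&
krb5-config krb5-config/default_realm string $KRB5_REALM
krb5-config krb5-config/add_servers_realm string $KRB5_REALM
krb5-config krb5-config/kerberos_servers string chorke.org
krb5-config krb5-config/admin_server string kad.chorke.org
krb5-config krb5-config/dns_for_default boolean true
krb5-config krb5-config/add_servers boolean true
krb5-config krb5-config/read_conf boolean true
heimdal-kdc heimdal/realm string $KRB5_REALM
EOF
# the answer files are applied by init.sh at first run, not at build time
# cat /root/.docker/debconf_tzdata_settings.conf|debconf-set-selections &&
# cat /root/.docker/debconf_slapd_settings.conf|debconf-set-selections &&
# cat /root/.docker/debconf_krb5_settings.conf|debconf-set-selections &&
# install ping & openssh (slapd and phpldapadmin are installed by init.sh)
apt-get update &&
# apt-get -y install ldap-utils slapd &&
apt-get -y install inetutils-ping &&
apt-get -y install openssh-{server,client} &&
# apt-get -y install phpldapadmin &&
apt-get clean &&
# config openssh: root may log in with ADMN_PASS over port 22.
# -p so an already existing privilege-separation directory does not fail the build
mkdir -p /var/run/sshd &&
echo "root:$ADMN_PASS" | chpasswd &&
sed -i 's/^PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config &&
# pam_loginuid made optional — the usual sshd-in-docker recipe; presumably
# because the audit loginuid cannot be set inside a container
sed -i 's/session\s*required\s*pam_loginuid.so/session optional pam_loginuid.so/g' /etc/pam.d/sshd &&
echo 'export VISIBLE=now' >> /etc/profile &&
# apache server name config
# echo 'ServerName localhost' >> /etc/apache2/conf-enabled/fqdn.conf &&
# echo 'ServerName localhost' >> /etc/apache2/conf-available/fqdn.conf &&
# env settings for chorke: two blank lines, the block, two blank lines
# (same bytes as the former six echo calls)
printf '\n\n# env settings for chorke\nexport TMPDIR=/tmp\n\n\n' >> /etc/bash.bashrc &&
# install startup script for container
mv /root/.docker/startup.sh /usr/sbin/startup.sh &&
chmod +x /usr/sbin/startup.sh &&
# safe exit: status of the &&-list above
exit $?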
Startup Script
./assets/startup.sh
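#!/bin/bash
: '
@author "Chorke, Inc."<[email protected]>
@web http://chorke.org
@vendor Chorke, Inc.
@version 1.0.00.GA
@since 1.0.00.GA
'
# Container start script, run first by the Dockerfile's CMD
# (`/usr/sbin/startup.sh && /usr/sbin/sshd -D`). It starts whichever of
# slapd, apache2 and the Kerberos daemons are installed; the image is built
# without them and init.sh adds them later, hence the existence checks.
# Exit status is that of the last `if`: 0 when a guard is false, otherwise
# the status of the service start inside it — and a non-zero status here
# means the CMD never reaches sshd.
# env settings for chorke
export TMPDIR=/tmp &&
# failure safe start slapd
if [ -f '/etc/init.d/slapd' ]; then
  service slapd start
fi
# failure safe start apache2
if [ -f '/etc/init.d/apache2' ]; then
  service apache2 start
fi
# failure safe start kerberos kdc and admin server.
# The realm counts as initialised only when the master-key stash, the kadmin
# ACL and the principal database all exist.
# NOTE(review): /var/lib/krb5kdc/principal looks like the file (db2) database;
# with the kldap backend configured in assets/krb5.conf that file may never
# exist — confirm before relying on this guard.
if [ -f '/etc/krb5kdc/stash' ] && [ -f '/etc/krb5kdc/kadm5.acl' ] && [ -f '/var/lib/krb5kdc/principal' ]; then
  if [ -f '/etc/init.d/krb5-kdc' ] && [ -f '/etc/init.d/krb5-admin-server' ]; then
    # kdc first, then kadmind (the order MIT's install procedure uses):
    # kadmind serves the same principal database and is useless without a
    # running kdc, so the admin server is skipped if the kdc failed to start.
    service krb5-kdc start && service krb5-admin-server start
  fi
fi
# safe exit
exit $?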
Init Script
./assets/init.sh
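#!/bin/bash
: '
@author "Chorke, Inc."<[email protected]>
@web http://chorke.org
@vendor Chorke, Inc.
@version 1.0.00.GA
@since 1.0.00.GA
'
# First-run provisioning script, executed by hand as root inside the
# container (see "How to Create"). It applies the debconf answers written by
# setup.sh, installs slapd, phpldapadmin and the krb5 LDAP backend, tailors
# their configuration and loads the kerberos schema into slapd. The steps
# form one &&-list (heredocs included), so the script stops at the first
# failure and exits with that status.
# host name change for kerberos admin server and kdc
echo '127.0.0.1 chorke.org' >> /etc/hosts &&
echo '127.0.0.1 kdc.chorke.org' >> /etc/hosts &&
echo '127.0.0.1 kad.chorke.org' >> /etc/hosts &&
# apt-get in non-interactive mode
export DEBIAN_FRONTEND=noninteractive &&
# debconf set selections (answer files generated by setup.sh at build time)
debconf-set-selections < /root/.docker/debconf_tzdata_settings.conf &&
debconf-set-selections < /root/.docker/debconf_slapd_settings.conf &&
debconf-set-selections < /root/.docker/debconf_krb5_settings.conf &&
# install slapd, openssh & phpldapadmin
apt-get update &&
apt-get -y install vim ssh &&
apt-get -y install ntp ntpdate nmap &&
apt-get -y install ldap-utils slapd &&
apt-get -y install krb5-{admin-server,kdc-ldap,user} &&
apt-get -y install phpldapadmin &&
apt-get clean &&
# openldap(slap) client configuration.
# No chmod 777 beforehand: we run as root and rewrite the file in place;
# 644 afterwards is the Debian default and matches the "world readable but
# not world writable" comment in the file (744 only added an execute bit).
cat > /etc/ldap/ldap.conf <<'EOF' &&
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=chorke,dc=org
URI ldap://localhost ldap://chorke.org ldap://kdc.chorke.org ldap://kad.chorke.org
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
EOF
chmod 644 /etc/ldap/ldap.conf &&
# update /etc/init.d/krb5-{kdc,admin-server} start/stop dependencies so
# both daemons are ordered after slapd. Debian LSB headers are typically
# column-aligned ("# Required-Start:    $local_fs ..."), so the key is
# matched with any run of whitespace after it rather than exactly one
# space; a pattern that does not match makes sed a silent no-op.
SERVICE_INIT_FIND='# Required-Start:[[:space:]]*$local_fs $remote_fs $network $syslog' &&
SERVICE_INIT_FILL='# Required-Start: $local_fs $remote_fs $network $syslog slapd' &&
sed -i "s@$SERVICE_INIT_FIND.*@$SERVICE_INIT_FILL@" /etc/init.d/krb5-admin-server &&
sed -i "s@$SERVICE_INIT_FIND.*@$SERVICE_INIT_FILL@" /etc/init.d/krb5-kdc &&
SERVICE_STOP_FIND='# Required-Stop:[[:space:]]*$local_fs $remote_fs $network $syslog' &&
SERVICE_STOP_FILL='# Required-Stop: $local_fs $remote_fs $network $syslog slapd' &&
sed -i "s@$SERVICE_STOP_FIND.*@$SERVICE_STOP_FILL@" /etc/init.d/krb5-admin-server &&
sed -i "s@$SERVICE_STOP_FIND.*@$SERVICE_STOP_FILL@" /etc/init.d/krb5-kdc &&
# apache server name config
echo 'ServerName localhost' >> /etc/apache2/conf-enabled/fqdn.conf &&
echo 'ServerName localhost' >> /etc/apache2/conf-available/fqdn.conf &&
# phpldapadmin config update for localhost.
# The PHP lines being edited start with shell-looking names ($servers, $this,
# $default). Inside double quotes the shell would expand those to empty
# strings, so the patterns deliberately start after them; sed replaces only
# the matched part and leaves the PHP variable prefix in the file untouched.
PHPC_FILE='/etc/phpldapadmin/config.php' &&
TMPL_FILE='/usr/share/phpldapadmin/lib/TemplateRender.php' &&
# ldap server name change (line 286)
LDAP_NAME_FIND="->setValue('server','name','My LDAP Server');" &&
LDAP_NAME_FILL="->setValue('server','name','CKi LDAP Server');" &&
sed -i "s@$LDAP_NAME_FIND.*@$LDAP_NAME_FILL@" "$PHPC_FILE" &&
# ldap server host change (line 293) — find and fill are the same today;
# kept so the host can be changed in one place
LDAP_HOST_FIND="->setValue('server','host','127.0.0.1');" &&
LDAP_HOST_FILL="->setValue('server','host','127.0.0.1');" &&
sed -i "s@$LDAP_HOST_FIND.*@$LDAP_HOST_FILL@" "$PHPC_FILE" &&
# ldap server base change (line 300)
LDAP_BASE_FIND="->setValue('server','base',array('dc=example,dc=com'));" &&
LDAP_BASE_FILL="->setValue('server','base',array('dc=chorke,dc=org'));" &&
sed -i "s@$LDAP_BASE_FIND.*@$LDAP_BASE_FILL@" "$PHPC_FILE" &&
# ldap login bind dn change (line 326)
LDAP_BIND_FIND="->setValue('login','bind_id','cn=admin,dc=example,dc=com');" &&
LDAP_BIND_FILL="->setValue('login','bind_id','cn=admin,dc=chorke,dc=org');" &&
sed -i "s@$LDAP_BIND_FIND.*@$LDAP_BIND_FILL@" "$PHPC_FILE" &&
# ldap password hash change (line 2469).
# Previously the pattern was "$default = $this->getServer()...": $default
# and $this expanded to nothing, the pattern could not match the real line
# and sed silently changed nothing. Matching the getValue() call alone fixes
# that.
LDAP_HASH_FIND="getValue('appearance','password_hash');" &&
LDAP_HASH_FILL="getValue('appearance','password_hash_custom');" &&
sed -i "s@$LDAP_HASH_FIND@$LDAP_HASH_FILL@g" "$TMPL_FILE" &&
# time zone & kdc master key
ln -fs /usr/share/zoneinfo/Asia/Dhaka /etc/localtime &&
dpkg-reconfigure -f noninteractive tzdata &&
# krb5_newrealm &&
# KADM_ACL_FILL='\*\/admin \*' &&
# KADM_ACL_FIND='# \*\/admin \*' &&
# sed -i "s@$KADM_ACL_FIND.*@$KADM_ACL_FILL@g" /etc/krb5kdc/kadm5.acl &&
# echo 'admin *' >> /etc/krb5kdc/kadm5.acl &&
# kadmin ACL from assets: grants every */admin principal and "admin" full rights
cp -rf ~/.docker/kadm5.acl /etc/krb5kdc/kadm5.acl &&
# start slapd & apache2
service slapd start &&
service apache2 start &&
# import Kerberos schema for kerberos kdc: convert the schema shipped with
# krb5-kdc-ldap to an olc entry and load it over the local ldapi socket.
gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz > /etc/ldap/schema/kerberos.schema &&
echo "include /etc/ldap/schema/kerberos.schema" > ~/.docker/schema_convert.conf &&
# plain mkdir on purpose: a left-over ldif_result from an earlier run stops
# the script here instead of being reused — remove it before re-running
mkdir ~/.docker/ldif_result &&
slapcat -f ~/.docker/schema_convert.conf -F ~/.docker/ldif_result -s "cn=kerberos,cn=schema,cn=config" &&
cp ~/.docker/ldif_result/cn\=config/cn\=schema/cn\=\{0\}kerberos.ldif ~/.docker/kerberos.ldif &&
# make the dump loadable: drop the {0} ordering index from dn/cn and remove
# the operational attributes slapcat writes
sed -i "s@dn: cn={0}kerberos.*@dn: cn=kerberos,cn=schema,cn=config@g" ~/.docker/kerberos.ldif &&
sed -i "s@cn: {0}kerberos.*@cn: kerberos@g" ~/.docker/kerberos.ldif &&
sed -i '/structuralObjectClass: /d' ~/.docker/kerberos.ldif &&
sed -i '/creatorsName: cn=config/d' ~/.docker/kerberos.ldif &&
sed -i '/modifiersName: cn=config/d' ~/.docker/kerberos.ldif &&
sed -i '/createTimestamp: /d' ~/.docker/kerberos.ldif &&
sed -i '/modifyTimestamp: /d' ~/.docker/kerberos.ldif &&
sed -i '/entryUUID: /d' ~/.docker/kerberos.ldif &&
sed -i '/entryCSN: /d' ~/.docker/kerberos.ldif &&
ldapadd -QY EXTERNAL -H ldapi:/// -f ~/.docker/kerberos.ldif &&
# remaining LDAP-backend steps, still disabled:
# No such attribute (16). additional info: modify/delete: olcAccess: no such value
# (ldapmodify -QY EXTERNAL -H ldapi:/// -f ~/.docker/olc-mod1.ldif 2>/dev/null 2>&1) &&
# ldapdelete -xh chorke.org -D cn=admin,dc=chorke,dc=org -w chorkeinc cn=admin,dc=chorke,dc=org &&
# cp -rf ~/.docker/krb5.conf /etc/krb5.conf &&
# mkdir /var/log/krb5 &&
# cp -rf ~/.docker/krb5-kdc /etc/logrotate.d/krb5-kdc &&
# cp -rf ~/.docker/krb5-kadmin /etc/logrotate.d/krb5-kadmin &&
# ldapadd -xWD cn=admin,dc=chorke,dc=org -f ~/.docker/krb5.ldif &&
# kdb5_ldap_util -D cn=admin,dc=chorke,dc=org -H ldap://chorke.org create -r CHORKE.ORG -s &&
# failure safe start kerberos admin server & kdc (same guard as startup.sh;
# the start itself stays commented out until the steps above are enabled)
if [ -f '/etc/krb5kdc/stash' ] && [ -f '/etc/krb5kdc/kadm5.acl' ] && [ -f '/var/lib/krb5kdc/principal' ]; then
  if [ -f '/etc/init.d/krb5-admin-server' ] && [ -f '/etc/init.d/krb5-kdc' ]; then
    #service krb5-admin-server start && service krb5-kdc start
    # diagnostic, so it goes to stderr
    echo 'kerberos admin server & kdc not running!' >&2
  fi
fi
# safe exit
exit $?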
Kerberos Config
./assets/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin *
admin *
./assets/olc-mod1.ldif
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}to *
by self write
by dn="cn=admin,dc=chorke,dc=org" write
by * read
-
delete: olcAccess
olcAccess: {1}to dn.base=""
by * read
-
delete: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=chorke,dc=org" write
by * none
-
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange
by anonymous auth
by * none
-
add: olcAccess
olcAccess: to dn.subtree="ou=krb5,dc=chorke,dc=org"
by dn="cn=adm-srv,ou=krb5,dc=chorke,dc=org" write
by dn="cn=kdc-srv,ou=krb5,dc=chorke,dc=org" read
by * none
-
add: olcAccess
olcAccess: to attrs=loginShell
by self write
by users read
by * none
-
add: olcAccess
olcAccess: to dn.base=""
by * read
-
add: olcAccess
olcAccess: to *
by users read
by * none
-
add: olcDbIndex
olcDbIndex: uid eq
-
add: olcDbIndex
olcDbIndex: cn eq
-
add: olcDbIndex
olcDbIndex: ou eq
-
add: olcDbIndex
olcDbIndex: dc eq
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: memberUid eq
-
add: olcDbIndex
olcDbIndex: uniqueMember eq
-
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
-
add: olcDbIndex
olcDbIndex: krbPwdPolicyReference eq
./assets/krb5.conf
[libdefaults]
default_realm = CHORKE.ORG
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
CHORKE.ORG = {
kdc = chorke.org
admin_server = kad.chorke.org
database_module = openldap_ldapconf
}
[domain_realm]
.chorke.org = CHORKE.ORG
chorke.org = CHORKE.ORG
[dbdefaults]
ldap_kerberos_container_dn = ou=krb5,dc=chorke,dc=org
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = cn=kdc-srv,ou=krb5,dc=chorke,dc=org
ldap_kadmind_dn = cn=adm-srv,ou=krb5,dc=chorke,dc=org
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_conns_per_server = 5
}
[logging]
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log
default = FILE:/var/log/krb5/kadmin.log
[login]
krb4_convert = true
krb4_get_tickets = false
./assets/krb5-kdc
/var/log/krb5/kdc.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
postrotate
/etc/init.d/krb5-kdc restart > /dev/null
endscript
}
./assets/krb5-kadmin
/var/log/krb5/kadmin.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
postrotate
/etc/init.d/krb5-admin-server restart > /dev/null
endscript
}
./assets/krb5.ldif
dn: ou=krb5,dc=chorke,dc=org
ou: krb5
objectClass: organizationalUnit
dn: cn=kdc-srv,ou=krb5,dc=chorke,dc=org
cn: kdc-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos KDC server
userPassword: chorkeinc
dn: cn=adm-srv,ou=krb5,dc=chorke,dc=org
cn: adm-srv
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: Default bind DN for the Kerberos Administration server
userPassword: chorkeinc
How to Build
# continuous integration and deployment
# Rebuild the image from scratch and replace the running container. The
# steps are joined with ';' on purpose: a missing container ('stop'/'rm' on
# the first run) or an empty dangling-image list ('rmi' without arguments)
# must not abort the sequence.
# -p 389:389 publishes LDAP on every host interface while the slapd admin
# password is still the build-time default; bind it as 127.0.0.1:389:389
# unless the host is a private lab box.
docker stop kerber;docker rm kerber;\
docker build --rm -t 'chorke/krb5:16.04' ./;\
docker rmi $(docker images -qa -f 'dangling=true');\
docker run --name='kerber' -d -p 9030:80 -p 389:389 chorke/krb5:16.04;\
docker exec -it kerber bash
How to Create
# for first time to create container from docker image and shell access
# init.sh is not run by the Dockerfile: it is executed by hand, once, from a
# shell inside the new container (installs slapd, krb5 and phpldapadmin).
docker run --name='kerber' -d -p 9030:80 -p 389:389 chorke/krb5:16.04
docker exec -it kerber bash
/root/.docker/init.sh
How to Control
# access, start, stop & restart
# (start/restart run startup.sh again through the image CMD; init.sh is not re-run)
docker exec -it kerber bash
docker restart kerber
docker start kerber
docker stop kerber
Kerberos Admin
kadmin.local: addprinc root/admin
# WARNING: no policy specified for root/admin@CHORKE.ORG; defaulting to no policy
# Enter password for principal "root/admin@CHORKE.ORG":
# Re-enter password for principal "root/admin@CHORKE.ORG":
# Principal "root/admin@CHORKE.ORG" created.
kadmin.local: addprinc shohel
# WARNING: no policy specified for shohel@CHORKE.ORG; defaulting to no policy
# Enter password for principal "shohel@CHORKE.ORG":
# Re-enter password for principal "shohel@CHORKE.ORG":
# Principal "shohel@CHORKE.ORG" created.
kadmin.local: getprinc root/admin
# Principal: root/admin@CHORKE.ORG
# Expiration date: [never]
# Last password change: Mon May 28 04:05:46 UTC 2018
# Password expiration date: [none]
# Maximum ticket life: 0 days 10:00:00
# Maximum renewable life: 7 days 00:00:00
# ... more ... and ... more ...
# Attributes: REQUIRES_PRE_AUTH
# Policy: [none]
Good to Know
# filter and remove docker images, containers
# (the $(...) lists expand to nothing when there is nothing to remove, and
# docker then only complains about a missing argument)
docker rm $(docker ps --all -q -f status=dead)
docker rmi $(docker images -qa -f 'dangling=true')
docker rm kerber && docker rmi chorke/krb5:16.04
# docker container debug, checking history & service
docker run --name='kerber' -it chorke/krb5:16.04 bash
docker history chorke/krb5:16.04
docker exec -it kerber bash
service --status-all
apachectl -t
# openldap(slapd) configuration check
ls -la /etc/ldap/slapd.d/cn\=config
ls -la /etc/ldap/slapd.d/
ls -la /usr/share/slapd/
ls -la /var/lib/ldap/
ls -la /var/backups/*
# openldap(slapd) check
ldapwhoami -H ldap:// -x
cat /etc/ldap/ldap.conf
dpkg-reconfigure tzdata
dpkg-reconfigure slapd
nmap -p 389 localhost
slaptest
slapcat
# kerberos installation check
# udp 88 = kdc, udp/tcp 464 = kpasswd, tcp 749 = kadmin
nmap -sU -sT -p U:88,464,T:464,749 localhost
# the three files startup.sh checks before starting the kerberos daemons
ls -la /var/lib/krb5kdc/principal
ls -la /etc/krb5kdc/kadm5.acl
ls -la /etc/krb5kdc/stash
kdb5_util list_mkeys
# interactive: creates the realm database and prompts for its master
# password — run once, not against an existing realm
krb5_newrealm
References
- Kadmin Local
- NottingHack/hms
- Kerberos Hello World
- MIT Kerberos 5 master
- Administration programs
- Installing Kerberos on Redhat 7
- How to Configure a Master KDC
- RHEL7: Configure a Kerberos KDC
- Integrated Kerberos-OpenLDAP provider
- Debian/Ubuntu Linux with AD Kerberos Server
- krb5-config missing debconf-set-selections variable
- How To Configure Linux To Authenticate Using Kerberos
- How to Create, Use, and Store a New Master Key for the Kerberos Database