Build Kerberos Docker Image from Ubuntu: Difference between revisions
Line 314: | Line 314: | ||
kdb5_util list_mkeys | kdb5_util list_mkeys | ||
krb5_newrealm | krb5_newrealm | ||
</syntaxhighlight> | |||
== Kerberos Admin == | |||
<syntaxhighlight lang="bash"> | |||
kadmin.local: addprinc root/admin | |||
# WARNING: no policy specified for root/[email protected]; defaulting to no policy | |||
# Enter password for principal "root/[email protected]": | |||
# Re-enter password for principal "root/[email protected]": | |||
# Principal "root/[email protected]" created. | |||
kadmin.local: addprinc shahed | |||
# WARNING: no policy specified for [email protected]; defaulting to no policy | |||
# Enter password for principal "[email protected]": | |||
# Re-enter password for principal "[email protected]": | |||
# Principal "[email protected]" created. | |||
kadmin.local: getprinc root/admin | |||
# Principal: root/[email protected] | |||
# Expiration date: [never] | |||
# Last password change: Mon May 28 04:05:46 UTC 2018 | |||
# Password expiration date: [none] | |||
# Maximum ticket life: 0 days 10:00:00 | |||
# Maximum renewable life: 7 days 00:00:00 | |||
# Last modified: Mon May 28 04:05:46 UTC 2018 (root/[email protected]) | |||
# Last successful authentication: [never] | |||
# Last failed authentication: [never] | |||
# Failed password attempts: 0 | |||
# Number of keys: 8 | |||
# Key: vno 1, aes256-cts-hmac-sha1-96 | |||
# Key: vno 1, arcfour-hmac | |||
# Key: vno 1, des3-cbc-sha1 | |||
# Key: vno 1, des-cbc-crc | |||
# Key: vno 1, des-cbc-md5:v4 | |||
# Key: vno 1, des-cbc-md5:norealm | |||
# Key: vno 1, des-cbc-md5:onlyrealm | |||
# Key: vno 1, des-cbc-md5:afs3 | |||
# MKey: vno 1 | |||
# Attributes: REQUIRES_PRE_AUTH | |||
# Policy: [none] | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 23:14, 27 May 2018
Dockerfile
./Dockerfile
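# NOTE(review): ubuntu 16.04 left standard support in April 2021; the tag is kept as the page pins it
FROM ubuntu:16.04
# MAINTAINER is deprecated; the same information goes into a label
LABEL maintainer="Chorke, Inc.<[email protected]>"
ENV container=docker
# COPY rather than ADD for a local directory: same result, without ADD's
# implicit archive extraction / URL fetching
COPY assets /root/.docker
# build-time setup: debconf seed files, openssh, startup script (see setup.sh)
RUN /root/.docker/setup.sh
# 22 ssh, 80 http (phpldapadmin), 88 kerberos, 389 ldap, 636 ldaps, 749 kadmin, 750 kerberos-iv
# NOTE(review): EXPOSE is tcp by default; the KDC also answers on 88/udp, so an
# extra `EXPOSE 88/udp` may be wanted
EXPOSE 22 80 88 389 636 750 749
# exec so sshd replaces the /bin/sh -c wrapper and receives docker stop's SIGTERM
# itself instead of being killed after the grace period
CMD /usr/sbin/startup.sh && exec /usr/sbin/sshd -D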
Setup Script
./assets/setup.sh
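#!/bin/bash
: '
@author "Chorke, Inc."<[email protected]>
@web http://chorke.org
@vendor Chorke, Inc.
@version 1.0.00.GA
@since 1.0.00.GA
'
# Image build-time setup, run by the Dockerfile (RUN /root/.docker/setup.sh):
# writes the debconf answers that init.sh later feeds to debconf-set-selections,
# installs and configures openssh, and installs the container startup script.
# Globals (read, both optional):
#   ADMN_PASS  - root and slapd admin password, default chorkeinc; overridable
#                from the environment so the secret is not fixed in the script
#   KRB5_REALM - kerberos realm seeded into the krb5-config answers, default CHORKE.ORG
# Outputs:  /root/.docker/debconf_slapd_settings.conf, /root/.docker/debconf_krb5_settings.conf
# Returns:  0 on success; the first failing step aborts the image build (set -e)
set -euo pipefail

readonly DOCKER_HOME=/root/.docker
ADMN_PASS=${ADMN_PASS:-chorkeinc}
KRB5_REALM=${KRB5_REALM:-CHORKE.ORG}

#######################################
# Write the debconf answer files consumed by init.sh (not used here).
# Globals:   ADMN_PASS, KRB5_REALM, DOCKER_HOME (read)
# Outputs:   the two settings files, mode 0600 because they hold the password in clear
#######################################
write_debconf_seeds() {
  # debconf slap settings
  cat > "$DOCKER_HOME/debconf_slapd_settings.conf" << EOF
slapd slapd/root_password password $ADMN_PASS
slapd slapd/root_password_again password $ADMN_PASS
slapd slapd/internal/adminpw password $ADMN_PASS
slapd slapd/internal/generated_adminpw password $ADMN_PASS
slapd slapd/password2 password $ADMN_PASS
slapd slapd/password1 password $ADMN_PASS
slapd slapd/domain string chorke.org
slapd shared/organization string Chorke, Inc.
slapd slapd/backend string MDB
slapd slapd/purge_database boolean false
slapd slapd/move_old_database boolean true
slapd slapd/allow_ldap_v2 boolean false
slapd slapd/no_configuration boolean false
EOF
  # debconf kerberos settings
  cat > "$DOCKER_HOME/debconf_krb5_settings.conf" << EOF
krb5-config krb5-config/default_realm string $KRB5_REALM
krb5-config krb5-config/add_servers_realm string $KRB5_REALM
krb5-config krb5-config/kerberos_servers string localhost
krb5-config krb5-config/admin_server string localhost
krb5-config krb5-config/dns_for_default boolean true
krb5-config krb5-config/add_servers boolean true
heimdal-kdc heimdal/realm string $KRB5_REALM
EOF
  chmod 600 "$DOCKER_HOME/debconf_slapd_settings.conf" "$DOCKER_HOME/debconf_krb5_settings.conf"
}

#######################################
# Install openssh. slapd, phpldapadmin and krb5 are installed later by init.sh,
# after the debconf answers have been loaded.
#######################################
install_packages() {
  apt-get update
  apt-get -y install openssh-server openssh-client
  apt-get clean
}

#######################################
# Configure sshd, which the image runs as its foreground process: set the root
# password, allow root password login, and make pam_loginuid optional (it
# cannot set the audit loginuid inside a container).
# Globals:   ADMN_PASS (read)
#######################################
configure_sshd() {
  mkdir -p /var/run/sshd
  printf 'root:%s\n' "$ADMN_PASS" | chpasswd
  # NOTE(review): password login as root is deliberate for this lab image; for
  # anything reachable beyond the host prefer key-based auth and
  # PermitRootLogin prohibit-password
  sed -i 's/^PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
  sed -i 's/session\s*required\s*pam_loginuid.so/session optional pam_loginuid.so/g' /etc/pam.d/sshd
  echo 'export VISIBLE=now' >> /etc/profile
}

#######################################
# env settings for chorke, appended to the system-wide bashrc (two blank lines
# on each side, as the original wrote them)
#######################################
configure_env() {
  cat >> /etc/bash.bashrc <<'EOF'


# env settings for chorke
export TMPDIR=/tmp


EOF
}

#######################################
# Install the startup script the Dockerfile CMD runs before sshd.
#######################################
install_startup() {
  mv "$DOCKER_HOME/startup.sh" /usr/sbin/startup.sh
  chmod +x /usr/sbin/startup.sh
}

main() {
  # apt-get in not interactive mode
  export DEBIAN_FRONTEND=noninteractive
  write_debconf_seeds
  install_packages
  configure_sshd
  configure_env
  install_startup
}

main "$@"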
Startup Script
./assets/startup.sh
#!/bin/bash
: '
@author "Chorke, Inc."<[email protected]>
@web http://chorke.org
@vendor Chorke, Inc.
@version 1.0.00.GA
@since 1.0.00.GA
'
# Container start helper, run by the Dockerfile CMD before sshd: best-effort
# start of whichever services are present. Every start is skipped when the
# service's init script (or, for kerberos, the realm files) is missing, so the
# script also succeeds on a freshly built image where init.sh has not run yet.

# env settings for chorke
export TMPDIR=/tmp

#######################################
# Start an init.d service if its script exists; absence is not an error.
# Arguments: $1 - service name
#######################################
start_if_present() {
  local svc=$1
  if [[ -f "/etc/init.d/$svc" ]]; then
    service "$svc" start
  fi
}

# failure safe start slapd and apache2
start_if_present slapd
start_if_present apache2

# failure safe start kerberos kdc and admin server: only once the stash, the
# admin ACL and the principal database exist, i.e. after krb5_newrealm
if [[ -f /etc/krb5kdc/stash && -f /etc/krb5kdc/kadm5.acl && -f /var/lib/krb5kdc/principal ]]; then
  if [[ -f /etc/init.d/krb5-kdc && -f /etc/init.d/krb5-admin-server ]]; then
    service krb5-kdc start && service krb5-admin-server start
  fi
fi

# safe exit
exit $?
Init Script
./assets/init.sh
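#!/bin/bash
: '
@author "Chorke, Inc."<[email protected]>
@web http://chorke.org
@vendor Chorke, Inc.
@version 1.0.00.GA
@since 1.0.00.GA
'
# One-time container initialisation, run by hand as root after the first
# `docker run` (see "How to Create"). It is interactive: krb5_newrealm prompts
# for the KDC master password. Steps: load the debconf answers written by
# setup.sh, install slapd/phpldapadmin/ntp/krb5, point the ldap client and
# phpldapadmin at dc=chorke,dc=org, create the realm and start the services.
# Returns: 0 on success; the first failing step aborts (set -e)
set -euo pipefail

readonly DOCKER_HOME=/root/.docker
readonly PHPC_FILE='/etc/phpldapadmin/config.php'
readonly TMPL_FILE='/usr/share/phpldapadmin/lib/TemplateRender.php'

#######################################
# Replace, in place, the rest of every line that contains a literal text.
# Both texts are fixed strings: sed BRE metacharacters (including the '$' that
# starts PHP variables) are escaped here, so callers pass the PHP source
# verbatim, with '$' written as '\$' inside double quotes.
# Arguments: $1 - literal text to find; it and the rest of its line are replaced
#            $2 - replacement text
#            $3 - file to edit
#######################################
replace_line() {
  local find=$1 fill=$2 file=$3
  local find_esc fill_esc
  # backslashes first, so the escapes added afterwards are not doubled
  find_esc=$(printf '%s' "$find" | sed -e 's/\\/\\\\/g' -e 's/[][.*^$@]/\\&/g')
  fill_esc=$(printf '%s' "$fill" | sed -e 's/\\/\\\\/g' -e 's/[&@]/\\&/g')
  sed -i "s@${find_esc}.*@${fill_esc}@" -- "$file"
}

#######################################
# Load the debconf answers from setup.sh, then install the packages that read
# them (slapd, phpldapadmin, ntp, MIT kerberos).
# Globals:   DOCKER_HOME (read), DEBIAN_FRONTEND (must be noninteractive)
#######################################
install_packages() {
  # debconfig set selections
  debconf-set-selections < "$DOCKER_HOME/debconf_slapd_settings.conf"
  debconf-set-selections < "$DOCKER_HOME/debconf_krb5_settings.conf"
  apt-get update
  apt-get -y install ldap-utils slapd
  apt-get -y install phpldapadmin
  apt-get -y install ntp ntpdate
  apt-get -y install krb5-{admin-server,kdc-ldap,user}
  apt-get clean
}

#######################################
# openldap(slap) client configuration. The file is rewritten as root, so the
# original's temporary chmod 777 is unnecessary (and briefly made the file
# world-writable); the final mode is 0644, matching the file's own comment.
#######################################
configure_ldap_client() {
  # NOTE(review): the second URI uses port 666 while the Dockerfile exposes 636
  # (ldaps); kept as on the page — confirm which port was intended
  cat > /etc/ldap/ldap.conf <<'EOF'
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=chorke,dc=org
URI ldap://localhost ldap://localhost:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
EOF
  chmod 644 /etc/ldap/ldap.conf
}

#######################################
# apache server name config, and phpldapadmin's config.php pointed at the local
# dc=chorke,dc=org directory.
# Globals:   PHPC_FILE, TMPL_FILE (read)
#######################################
configure_phpldapadmin() {
  echo 'ServerName localhost' >> /etc/apache2/conf-enabled/fqdn.conf
  echo 'ServerName localhost' >> /etc/apache2/conf-available/fqdn.conf
  # ldap server name change (line 286)
  replace_line "\$servers->setValue('server','name','My LDAP Server');" \
               "\$servers->setValue('server','name','IHE LDAP Server');" "$PHPC_FILE"
  # ldap server host (line 293): find and fill are identical, kept for parity with the original
  replace_line "\$servers->setValue('server','host','127.0.0.1');" \
               "\$servers->setValue('server','host','127.0.0.1');" "$PHPC_FILE"
  # ldap server base change (line 300)
  replace_line "\$servers->setValue('server','base',array('dc=example,dc=com'));" \
               "\$servers->setValue('server','base',array('dc=chorke,dc=org'));" "$PHPC_FILE"
  # ldap login bind_id change (line 326)
  replace_line "\$servers->setValue('login','bind_id','cn=admin,dc=example,dc=com');" \
               "\$servers->setValue('login','bind_id','cn=admin,dc=chorke,dc=org');" "$PHPC_FILE"
  # ldap password hash change (line 2469). The original wrote "$default = $this"
  # unquoted-in-double-quotes, so the shell expanded both to empty text, the sed
  # pattern never matched and this edit was silently skipped.
  replace_line "\$default = \$this->getServer()->getValue('appearance','password_hash');" \
               "\$default = \$this->getServer()->getValue('appearance','password_hash_custom');" "$TMPL_FILE"
}

#######################################
# Create the kerberos realm (interactive master key prompt), then start slapd,
# apache2 and, once the realm files exist, the KDC and admin server.
#######################################
create_realm_and_start() {
  # kdc master key prompt
  krb5_newrealm
  # start slapd & apache2
  service slapd start
  service apache2 start
  # failure safe start kerberos kdc and admin server
  if [[ -f /etc/krb5kdc/stash && -f /etc/krb5kdc/kadm5.acl && -f /var/lib/krb5kdc/principal ]]; then
    if [[ -f /etc/init.d/krb5-kdc && -f /etc/init.d/krb5-admin-server ]]; then
      service krb5-kdc start && service krb5-admin-server start
    fi
  fi
}

main() {
  # apt-get in not interactive mode
  export DEBIAN_FRONTEND=noninteractive
  install_packages
  configure_ldap_client
  configure_phpldapadmin
  create_realm_and_start
}

main "$@"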
How to Build
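# continuous integration and deployment: rebuild the image and replace the
# running container. stop/rm may fail (no container yet on a first run), so
# they are not chained; everything after the build is joined with && so a
# failed build does not start a container from the stale image, and dangling
# layers are only pruned when there are some (docker rmi needs an argument).
docker stop kerber; docker rm kerber
# shellcheck disable=SC2086 -- one image id per word is intended for docker rmi
docker build --rm -t 'chorke/krb5:16.04' ./ \
  && dangling=$(docker images -qa -f 'dangling=true') \
  && { [ -z "$dangling" ] || docker rmi $dangling; } \
  && docker run --name='kerber' -d -p 9030:80 -p 389:389 chorke/krb5:16.04 \
  && docker exec -it kerber bash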
How to Create
# for first time to create container from docker image and shell access:
# start detached, publish phpldapadmin (9030->80) and ldap (389), then attach
docker run --detach --name kerber --publish 9030:80 --publish 389:389 chorke/krb5:16.04
docker exec --interactive --tty kerber bash
# inside the container: one-time, interactive realm/ldap initialisation
/root/.docker/init.sh
How to Control
# access, start, stop & restart the container created above
docker exec --interactive --tty kerber bash
docker container restart kerber
docker container start kerber
docker container stop kerber
Good to Know
# filter and remove docker images, containers
# shellcheck disable=SC2046 -- splitting the id list into words is intended
docker rm $(docker ps --all --quiet --filter status=dead)
docker rmi $(docker images --all --quiet --filter 'dangling=true')
docker rm kerber && docker rmi chorke/krb5:16.04
# docker container debug, checking history & service
docker run --interactive --tty --name kerber chorke/krb5:16.04 bash
docker history chorke/krb5:16.04
docker exec --interactive --tty kerber bash
service --status-all
apachectl -t
# openldap(slapd) configuration check: cn=config tree, package templates, database, backups
ls -la '/etc/ldap/slapd.d/cn=config'
ls -la '/etc/ldap/slapd.d/'
ls -la '/usr/share/slapd/'
ls -la '/var/lib/ldap/'
ls -la /var/backups/*
# openldap(slapd) check: anonymous bind, client defaults, reconfigure, port, dump
ldapwhoami -H ldap:// -x
cat /etc/ldap/ldap.conf
dpkg-reconfigure slapd
nmap -p 389 localhost
slapcat
# kerberos installation check: the three files startup.sh requires before starting the KDC
ls -la /var/lib/krb5kdc/principal
ls -la /etc/krb5kdc/kadm5.acl
ls -la /etc/krb5kdc/stash
kdb5_util list_mkeys
krb5_newrealm
Kerberos Admin
# kadmin.local session, run as root on the KDC host (it works on the local
# database directly rather than through kadmind): create the admin principal
# and a user principal, then inspect the admin principal.
kadmin.local: addprinc root/admin
# WARNING: no policy specified for root/[email protected]; defaulting to no policy
# Enter password for principal "root/[email protected]":
# Re-enter password for principal "root/[email protected]":
# Principal "root/[email protected]" created.
kadmin.local: addprinc shahed
# WARNING: no policy specified for [email protected]; defaulting to no policy
# Enter password for principal "[email protected]":
# Re-enter password for principal "[email protected]":
# Principal "[email protected]" created.
kadmin.local: getprinc root/admin
# Principal: root/[email protected]
# Expiration date: [never]
# Last password change: Mon May 28 04:05:46 UTC 2018
# Password expiration date: [none]
# Maximum ticket life: 0 days 10:00:00
# Maximum renewable life: 7 days 00:00:00
# Last modified: Mon May 28 04:05:46 UTC 2018 (root/[email protected])
# Last successful authentication: [never]
# Last failed authentication: [never]
# Failed password attempts: 0
# Number of keys: 8
# Key: vno 1, aes256-cts-hmac-sha1-96
# Key: vno 1, arcfour-hmac
# Key: vno 1, des3-cbc-sha1
# Key: vno 1, des-cbc-crc
# Key: vno 1, des-cbc-md5:v4
# Key: vno 1, des-cbc-md5:norealm
# Key: vno 1, des-cbc-md5:onlyrealm
# Key: vno 1, des-cbc-md5:afs3
# MKey: vno 1
# Attributes: REQUIRES_PRE_AUTH
# Policy: [none]
# NOTE(review): "Policy: [none]" together with "Password expiration date: [none]"
# means no password quality, lifetime or lockout rules apply to root/admin;
# a policy can be created with add_policy and attached with modify_principal.
# NOTE(review): the key list above carries single-DES (des-cbc-*) and arcfour
# (RC4) enctypes, both deprecated (RFC 6649, RFC 8429) — presumably the
# release's default supported_enctypes in kdc.conf; trimming that list before
# principals are created is worth confirming.
References
- Kadmin Local
- NottingHack/hms
- Kerberos Hello World
- Administration programs
- How to Configure a Master KDC
- RHEL7: Configure a Kerberos KDC
- Integrated Kerberos-OpenLDAP provider
- Debian/Ubuntu Linux with AD Kerberos Server
- krb5-config missing debconf-set-selections variable
- How to Create, Use, and Store a New Master Key for the Kerberos Database