Installing heimdal-kdc

Installing heimdal-kdc

Lothar Schilling
Hi,

being a newbie to kerberos I am trying to set up heimdal-kdc 7.1.0 on a
Debian 9.8 VM. Heimdal because we need Kerberos to be compliant with
Samba 4 acting as an ADDC. So here's what I did:

apt-get install heimdal-kdc. It's up and running: ps ax =>
/usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
systemctl stop heimdal-kdc

/etc/heimdal-kdc/kdc.conf
[libdefaults]
        default_realm = MYDOMAIN.DE
[domain_realm]
        .MYDOMAIN.DE = MYDOMAIN.DE
[logging]
kdc = FILE:/var/log/heimdal-kdc.log
[kdc]
database = {
  dbname = /var/lib/heimdal-kdc/heimdal
  kdc = KDC.MYDOMAIN.DE:88
  realm = MYDOMAIN.DE
  mkey_file = /var/lib/heimdal-kdc/m-key
  acl_file = /etc/heimdal-kdc/kadmind.acl
  log_file = /var/lib/heimdal-kdc/log
}

systemctl start heimdal-kdc

kadmin -l is working, list * is giving me this:
admin
default
kadmin/admin
kadmin/hprop
kadmin/changepw
krbtgt/MYDOMAIN.DE
changepw/kerberos
WELLKNOWN/ANONYMOUS
WELLKNOWN/org.h5l.fast-cookie@WELLKNOWN:ORG.H5L

But /kadmin/ (not-local) is not: kadm5_init_with_password: No KDC found
for realm MYDOMAIN.DE.

I thought it might be DNS-related, so I made sure nsswitch.conf fits the
bill, added the server's name to /etc/hosts. I even set up bind9 on that
very machine:
KDC.MYDOMAIN.DE.     43200   IN      A       192.168.27.3
Also made sure Kerberos is listening on port 88. I even tried localhost
and IP address instead of KDC.MYDOMAIN.DE in kdc.conf - didn't help either.

I've been trying now for 2 days, it's driving me nuts. Would anybody
please enlighten me what kind of mistake I make?

Thank you

Lothar Schilling
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Installing heimdal-kdc

Jeffrey Hutzelman
You need to tell the Kerberos library where to find your kdc. You have basically two options:

1) Add the following to /etc/krb5.conf on every client:

[realms]
MYDOMAIN.DE = {
  kdc = kdc.mydomain.de:88
}

2) Publish SRV records in DNS:

_kerberos._udp.mydomain.de IN SRV kdc.mydomain.de 88 1 1
_kerberos._tcp.mydomain.de IN SRV kdc.mydomain.de 88 1 1

I strongly recommend the SRV approach, particularly if you have a lot of clients, or expect any that you don't directly control.

________________________________
From: Lothar Schilling <[hidden email]>
Sent: Wednesday, March 6, 2019 08:30
To: [hidden email]
Subject: Installing heimdal-kdc

[...]
Re: Installing heimdal-kdc

Lothar Schilling
Thank you for putting me on the right track though I had to modify your
instructions:

_kerberos._udp          IN      SRV     0       0       88      kdc.mydomain.de.
_kerberos._tcp          IN      SRV     0       0       88      kdc.mydomain.de.
_kerberos-adm._tcp      IN      SRV     0       0       749     kdc.mydomain.de.

A record for _kerberos-adm._tcp is required, too.

On 06.03.2019 at 14:47, Jeffrey Hutzelman wrote:

> [...]
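The two discovery options above (a static [realms] stanza in krb5.conf, or SRV records in DNS) and the corrected record set in the reply, as an added example that is not code from this thread or from Heimdal or MIT. It generates both forms for one KDC and lints zone-file SRV lines for the slips that cost time here: rdata fields in the wrong order (RFC 2782 order is priority weight port target), a relative target without a trailing dot, an IP address as target, and a service label with no clean record. Realm and host names are the thread's placeholders; the _kpasswd._udp label and the kpasswd_server key go beyond the thread (both Heimdal and MIT clients use them for password changes) and the sample zone fragment is constructed.

```python
"""Added example: build and lint Kerberos KDC discovery data (SRV records and
krb5.conf [realms]).  Not code from the thread, Heimdal or MIT."""
import re

# service label -> port clients expect; the first three are the records the thread ends with
SRV_PORTS = {
    "_kerberos._udp": 88,
    "_kerberos._tcp": 88,
    "_kerberos-adm._tcp": 749,
    "_kpasswd._udp": 464,      # assumption beyond the thread: password-change service
}

def srv_records(zone, kdc_host):
    """Zone-file lines in RFC 2782 order: owner IN SRV priority weight port target."""
    target = kdc_host.rstrip(".") + "."          # absolute target, so no origin is appended
    return [f"{svc}.{zone.rstrip('.')}. IN SRV 0 0 {port} {target}"
            for svc, port in SRV_PORTS.items()]

def krb5_realms_stanza(realm, kdc_host):
    """The static alternative: what every client's krb5.conf needs without SRV."""
    return (f"[realms]\n    {realm} = {{\n"
            f"        kdc = {kdc_host}:88\n"
            f"        admin_server = {kdc_host}:749\n"
            f"        kpasswd_server = {kdc_host}:464\n"
            f"    }}\n")

# owner [ttl] [IN] SRV rdata  (TTL and class are optional in a zone file)
_SRV_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(?P<rdata>.+)$", re.I)

def check_srv_line(line):
    """Problems with one SRV line; an empty list means it looks right."""
    m = _SRV_RE.match(line.strip())
    if not m:
        return ["not an SRV record"]
    owner = m.group("owner").lower()
    svc = next((s for s in SRV_PORTS if owner == s or owner.startswith(s + ".")), None)
    if svc is None:
        return [f"owner {owner} is not a Kerberos service label"]
    fields = m.group("rdata").split()
    if len(fields) != 4:
        return [f"SRV rdata needs 4 fields (priority weight port target), got {len(fields)}"]
    prio, weight, port, target = fields
    if not (prio.isdigit() and weight.isdigit() and port.isdigit()):
        if fields[0][0].isalpha() and all(f.isdigit() for f in fields[1:]):
            return ["target written first; RFC 2782 order is priority weight port target"]
        return ["priority, weight and port must be integers"]
    problems = []
    if int(port) != SRV_PORTS[svc]:
        problems.append(f"{svc} is normally served on port {SRV_PORTS[svc]}, not {port}")
    if re.fullmatch(r"\d+(\.\d+){3}\.?", target):
        problems.append("target must be a hostname with an A/AAAA record, not an IP address")
    elif not target.endswith("."):
        problems.append("target is relative (no trailing dot); the zone origin gets appended")
    return problems

def lint_zone(zone_text):
    """Check every SRV line and report which Kerberos services have no clean record."""
    problems, seen = [], set()
    for n, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";")[0].strip()          # drop zone-file comments
        if not line or not re.search(r"\bSRV\b", line, re.I):
            continue                               # $ORIGIN, A records, blanks ...
        found = check_srv_line(line)
        if found:
            problems.append((n, line, found))
        else:
            owner = line.split()[0].lower()
            seen.update(s for s in SRV_PORTS if owner == s or owner.startswith(s + "."))
    missing = [s for s in SRV_PORTS if s not in seen]
    return {"problems": problems, "missing": missing}

# constructed zone fragment: the two record styles seen in the thread plus one more slip
SAMPLE_ZONE = """\
$ORIGIN mydomain.de.
kdc                     43200   IN  A   192.168.27.3
_kerberos._udp.mydomain.de. IN SRV kdc.mydomain.de 88 1 1      ; fields in the wrong order
_kerberos._udp          IN      SRV     0       0       88      kdc.mydomain.de.
_kerberos._tcp          IN      SRV     0       0       88      kdc.mydomain.de.
_kerberos-adm._tcp      IN      SRV     0       0       749     kdc.mydomain.de
"""

if __name__ == "__main__":
    print("\n".join(srv_records("mydomain.de", "kdc.mydomain.de")))
    print(krb5_realms_stanza("MYDOMAIN.DE", "kdc.mydomain.de"))
    report = lint_zone(SAMPLE_ZONE)
    for n, line, found in report["problems"]:
        print(f"line {n}: {line}\n    " + "\n    ".join(found))
    print("no clean record for:", ", ".join(report["missing"]))
```

Run it as a script and feed it your own zone text through lint_zone(). One caveat on the SRV approach: DNS then decides which host every client sends its AS-REQ and kadmin/kpasswd traffic to, so an attacker who can spoof answers for your zone can point clients at a host of their choosing; sign the zone (DNSSEC) or keep a static [realms] entry on hosts you care most about.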
Re: Installing heimdal-kdc

Lothar Schilling
Hi,

I got stuck again with putting heimdal-kdc to work.

/etc/heimdal-kdc/kdc.conf
[kdcdefaults]
[realms]
    MYDOMAIN.DE = {
        database_name = /var/lib/heimdal-kdc/heimdal.db
        #admin_keytab = FILE:/etc/heimdal-kdc/kadm5.keytab
        acl_file = /etc/heimdal-kdc/kadmind.acl
        #key_stash_file = /etc/heimdal-kdc/stash
        kdc = kdc.mydomain.de
        admin_server = kdc.mydomain.de
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
[logging]
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmind.log

/etc/kdc.conf
[realms]
    MYDOMAIN.DE = {
        kdc = kdc.mydomain.de
        admin_server = kdc.mydomain.de
        default_domain = mydomain.de
    }
[domain_realm]
    .mydomain.de = MYDOMAIN.DE
    mydomain.de = MYDOMAIN.DE

/etc/heimdal-kdc/kadmind.acl
*/[hidden email]    *
*@MYDOMAIN.DE        il

KCM and KDC are up and running, ps ax:

/usr/lib/heimdal-servers/kdc --config-file=/etc/heimdal-kdc/kdc.conf
/usr/sbin/kcm --detach

netstat -tulpen
tcp        0      0 192.168.27.3:88         0.0.0.0:*               LISTEN      0          1059909    16596/kdc
tcp        0      0 127.0.0.1:88            0.0.0.0:*               LISTEN      0          1059908    16596/kdc
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      0          1060381    16715/inetd
udp        0      0 192.168.27.3:464        0.0.0.0:*                           0          1060878    16599/kpasswdd
udp        0      0 127.0.0.1:464           0.0.0.0:*                           0          1060877    16599/kpasswdd
udp        0      0 192.168.27.3:88         0.0.0.0:*                           0          1059907    16596/kdc
udp        0      0 127.0.0.1:88            0.0.0.0:*                           0          1059906    16596/kdc

Having initiated the database I logged in locally (kadmin -l). There is
no such command as "add_principals" or "addprinc". Available are:
stash, kstash / dump / init / load / merge / add, ank, add_new_key /
passwd, cpw, change_password / delete, del, del_entry / del_enctype /
add_enctype / ext_keytab / get, get_entry / rename / modify /
privileges, privs / list / verify-password-quality, pwq / check / lock/
unlock / help, ? /  exit, quit /

So I used "add root/admin". Then I logged in again via "kadmin -p
root/admin" or simply "kadmin" and issued a command, let's say "add
[user]". I was asked for root/[hidden email]'s password. After having
entered the password what I got is:
kadmin: kadm5_create_principal: Operation requires `add' privilege
kadmin: adding fh: Operation requires `add' privilege

Also nothing gets logged in /var/log/kadmind.log.

Appreciating help very much, thank you!

Lothar Schilling

On 07.03.2019 at 12:35, Lothar Schilling wrote:

> [...]
Re: Installing heimdal-kdc

Robbie Harwood
Lothar Schilling <[hidden email]> writes:

> I got stuck again with putting heimdal-kdc to work.
>
> Having initiated the database I logged in locally (kadmin -l). There is
> no such command as "add_principals" or "addprinc". Available are:
> stash, kstash / dump / init / load / merge / add, ank, add_new_key /
> passwd, cpw, change_password / delete, del, del_entry / del_enctype /
> add_enctype / ext_keytab / get, get_entry / rename / modify /
> privileges, privs / list / verify-password-quality, pwq / check / lock/
> unlock / help, ? /  exit, quit /

add_principals and addprinc are commands for MIT krb5's kadmin, not
Heimdal.  Heimdal uses different commands; I think "ank" is the right
one here, but it's been a while so I'll defer to those folk if they're
around.

Thanks,
--Robbie

Re: Installing heimdal-kdc

Jeffrey Hutzelman
add, add_new_key, and ank are synonyms. The last dates back to krb4

________________________________
From: Robbie Harwood <[hidden email]>
Sent: Monday, March 11, 2019 13:49
To: Lothar Schilling; [hidden email]
Subject: Re: Installing heimdal-kdc

[...]
Re: Installing heimdal-kdc

Lothar Schilling
On 11.03.2019 at 20:14, Jeffrey Hutzelman wrote:

> [...]

Finally solved the problem (which certainly was a newbie one...): In
MIT-kadmind.acl the placeholder for global permissions is *.
Heimdal-kadmind.acl uses "all".
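The kadmind.acl posted earlier in the thread and the fix that closed it (Heimdal wants the word "all" where MIT's kadm5.acl takes "*"), as an added example that is not code from this thread or from Heimdal. It is a small linter for Heimdal's ACL file, whose line format per kadmind(8) is "principal  priv[,priv...]  [pattern]" with rights spelled out as words, and it translates the MIT letter flags and wildcard that crept into the thread's file ("*", "il") into their Heimdal spelling. The sample ACLs are constructed (the thread's hidden address is replaced by root/admin@MYDOMAIN.DE, which the thread itself created); the "get-keys" right is assumed to be accepted by Heimdal 7.x, and the helpdesk principal and its pattern are illustrative only.

```python
"""Added example: lint a Heimdal kadmind.acl and translate MIT kadm5.acl habits
into Heimdal's word-based privileges.  Not code from the thread or from Heimdal."""

# Heimdal privilege words (kadmind(8)); get-keys assumed available on 7.x
HEIMDAL_PRIVS = {"all", "add", "delete", "modify", "list", "get",
                 "get-keys", "change-password", "cpw"}

# MIT kadm5.acl letters that have a Heimdal equivalent; 's', 'p' and 'e' have none
MIT_TO_HEIMDAL = {"a": "add", "d": "delete", "m": "modify", "c": "cpw",
                  "i": "get", "l": "list", "x": "all", "*": "all"}

def translate_mit_privs(token):
    """Map an MIT flag string ('il', '*', 'admcil') to Heimdal words, else None."""
    if token in HEIMDAL_PRIVS or "," in token:
        return None                               # already Heimdal syntax
    words = []
    for ch in token.lower():
        if ch not in MIT_TO_HEIMDAL:
            return None                           # no 1:1 translation
        if MIT_TO_HEIMDAL[ch] not in words:
            words.append(MIT_TO_HEIMDAL[ch])
    return "all" if "all" in words else ",".join(words)

def parse_acl(text):
    """Yield (lineno, principal, privs, pattern) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#")[0].strip()
        if not line:
            continue
        cols = line.split()
        yield (n, cols[0],
               cols[1] if len(cols) > 1 else "",
               cols[2] if len(cols) > 2 else None)

def lint_acl(text):
    """(lineno, message) for every line Heimdal would reject or misread."""
    out = []
    for n, principal, privs, _pattern in parse_acl(text):
        if "@" not in principal:
            out.append((n, f"{principal}: principal has no @REALM"))
        if not privs:
            out.append((n, f"{principal}: no privilege column"))
            continue
        bad = [p for p in privs.split(",") if p not in HEIMDAL_PRIVS]
        if not bad:
            continue
        fix = translate_mit_privs(privs)
        if fix:
            out.append((n, f"{principal}: '{privs}' is MIT kadm5.acl syntax; "
                           f"Heimdal spells it '{fix}'"))
        else:
            out.append((n, f"{principal}: unknown privilege(s) {','.join(bad)}"))
    return out

def fix_acl(text):
    """Rewrite translatable MIT-style privilege columns into Heimdal words."""
    fixed = []
    for raw in text.splitlines():
        cols = raw.split()
        if len(cols) >= 2 and not raw.lstrip().startswith("#"):
            repl = translate_mit_privs(cols[1])
            if repl:
                cols[1] = repl
                raw = "  ".join(cols)
        fixed.append(raw)
    return "\n".join(fixed) + "\n"

# constructed: the thread's ACL with MIT-style columns, placeholder principal filled in
THREAD_STYLE_ACL = """\
root/admin@MYDOMAIN.DE    *
*@MYDOMAIN.DE             il
"""

# constructed: a least-privilege layout; helpdesk principal and pattern are illustrative
LEAST_PRIV_ACL = """\
root/admin@MYDOMAIN.DE      all
helpdesk/admin@MYDOMAIN.DE  cpw,get     *@MYDOMAIN.DE
"""

if __name__ == "__main__":
    for n, msg in lint_acl(THREAD_STYLE_ACL):
        print(f"line {n}: {msg}")
    print(fix_acl(THREAD_STYLE_ACL))
    print("least-privilege ACL problems:", lint_acl(LEAST_PRIV_ACL))
```

Point it at /etc/heimdal-kdc/kadmind.acl before restarting kadmind; an unknown privilege word does not fail open, it just leaves the principal with nothing, which is exactly the "Operation requires `add' privilege" symptom. When you do spell it right, hand "all" only to the principal that really administers the realm and give password-reset or lookup roles "cpw,get" plus a pattern, so a compromised helpdesk key cannot add or delete principals.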