Linux system account ticket lifetime


Linux system account ticket lifetime

Carter, Joel
Hi there.

I have a RHEL5 machine that I want to use Kerberos tickets to access
cifs shares on my AD domain. I want this ticket to be valid all the time
(and thus able to mount using it any time) so that I don't have to go
back to the old way of passing usernames and passwords on the command
line or in a file. Here's what I do:
 
# kinit linuxserviceaccount
# mount.cifs //shares.domain.com/siv 1 -o fstype=cifs,sec=krb5

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount@DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/[hidden email]
        renew until 01/29/11 01:46:44
01/28/11 15:46:56  01/29/11 01:46:52  cifs/[hidden email]
        renew until 01/29/11 01:46:44

This works great, however, eventually (24 hours) the ticket expires:

mount error(126): Required key not available

I've tried a crontab like the following attempting to renew it every 6
hours, but that doesn't seem to do much:

0 */6 * * * /usr/kerberos/bin/kinit -R

There are other options that look promising for kinit, like lifetime and
renewable_life. Finally, I dug into the Group Policy for the domain, and
discovered the following:

Account Policies/Kerberos Policy
        Enforce user logon restrictions Enabled
        Maximum lifetime for service ticket 600 minutes
        Maximum lifetime for user ticket 10 hours
        Maximum lifetime for user ticket renewal 7 days
        Maximum tolerance for computer clock synchronization 5 minutes

Do I need to change any of these in order to do what I want to do? Lastly,
can I do that for just my service account, or do I have to change the
entire domain policy?

Thanks for the use of your eyeballs!
Joel.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Linux system account ticket lifetime

Brian Candler
On Fri, Jan 28, 2011 at 03:48:50PM -0800, Carter, Joel wrote:
> I have a RHEL5 machine that I want to use Kerberos tickets to access
> cifs shares on my AD domain. I want this ticket to be valid all the time
> (and thus able to mount using it any time) so that I don't have to go
> back to the old way of passing usernames and passwords on the command
> line or in a file.

I effectively do this for LDAP - i.e. nss_ldap uses kerberos to authenticate
and encrypt the system LDAP queries.

What I do is use the key in the system keytab, and in a cronjob get a ticket
for host/foo.example.com.  Then the ldap client is configured to use this
ticket cache.

    --- /etc/cron.hourly/kerberos ---
    #!/bin/sh
    /usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host

    --- to test from command line ---
    # KRB5CCNAME=/tmp/krb5cc_host ldapsearch

    --- /etc/ldap.conf ---
    krb5_ccname /tmp/krb5cc_host
    use_sasl on
    rootuse_sasl on
    base dc=foo,dc=example,dc=com
    uri ldap://ldap.foo.example.com
    ldap_version 3
    sasl_secprops minssf=56
    nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,nslcd,ntp,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data

The LDAP server is configured to require kerberos, and permit read-only
access to any authenticated user (which includes host/xxx principals):

    ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
    dn: cn=config
    replace: olcSaslSecProps
    olcSaslSecProps: noanonymous,noplain,minssf=56

    dn: olcDatabase={1}hdb,cn=config
    replace: olcAccess
    olcAccess: {0}to * by dn.regex="^uid=([^@,]+)/admin,cn=gssapi,cn=auth$" manage by users read
    -
    replace: olcRequires
    olcRequires: SASL
    EOS

Note that both the system keytab and /tmp/krb5cc_host are only readable by
root.  As it happens, nscd also runs as root, so that's not a problem.  If I
wanted to run nscd as a different user, then in the cronjob I'd copy the
ticket cache to another file and change its ownership.

    umask 077
    cp /tmp/krb5cc_host /tmp/krb5cc_nscd
    chown nscd /tmp/krb5cc_nscd

The advantage of this approach is that it leverages the kerberos
infrastructure to protect LDAP, eliminating the need for TLS and
certificates.

I'm not a Windows user, but I imagine you could adapt it for CIFS access
too.  If necessary, you could have a separate keytab with a "real" user
principal's credentials in it, if you can't persuade your CIFS server to
accept a host/xxx principal as an authorized user.  The point is you can
convert the keytab into a ticket cache using a cronjob.

HTH,

Brian.
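As an added example (not Brian's or Joel's script), here is a cron-driven refresh in the spirit of Brian's /etc/cron.hourly/kerberos, extended with a validity check, an atomic replace and the ownership hand-off he describes for nscd. The principal and cache paths are placeholders, and the KINIT/KLIST variables exist only so the logic can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not from the thread): keep a service ticket cache fresh
# from the system keytab, cron-driven like Brian's /etc/cron.hourly/kerberos.
#  - kinit -k re-authenticates with the keytab key. kinit -R only renews, and
#    can never push past the "renew until" time; in Joel's klist output that
#    time coincides with "Expires", so his 6-hourly kinit -R had nothing to
#    extend into.
#  - the cache is created under umask 077 as a temp file and moved into place
#    atomically, so a concurrent mount.cifs never reads a half-written cache.
# Principal and cache paths are placeholders; KINIT/KLIST are overridable so
# the logic can be exercised without a KDC.
KINIT=${KINIT:-/usr/bin/kinit}
KLIST=${KLIST:-/usr/bin/klist}

# ticket_ok CACHE: 0 if CACHE holds an unexpired TGT. klist -s is silent and
# exits non-zero for a missing, unreadable or expired cache.
ticket_ok() {
    "$KLIST" -s -c "$1" 2>/dev/null
}

# refresh_cc PRINCIPAL CACHE [OWNER]: rebuild CACHE from the keytab as
# PRINCIPAL and optionally hand the private copy to OWNER (Brian's nscd case).
# On failure the previous cache is left untouched and 1 is returned.
refresh_cc() {
    princ=$1; cache=$2; owner=$3
    tmp="$cache.new.$$"
    ( umask 077; "$KINIT" -k -c "$tmp" "$princ" ) ||
        { rm -f "$tmp"; echo "kinit -k $princ failed" >&2; return 1; }
    ticket_ok "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -n "$owner" ]; then chown "$owner" "$tmp"; fi
    mv -f "$tmp" "$cache"
}

# ensure_ticket PRINCIPAL CACHE [OWNER] [MAX_MIN]: refresh only when the cache
# is invalid or older than MAX_MIN minutes (default 240, well inside the
# 10-hour user ticket lifetime from Joel's policy). Prints "kept"/"refreshed".
ensure_ticket() {
    max_min=${4:-240}
    if ticket_ok "$2" && [ -z "$(find "$2" -mmin +"$max_min" 2>/dev/null)" ]; then
        echo kept
        return 0
    fi
    refresh_cc "$1" "$2" "$3" || return 1
    echo refreshed
}

# An hourly cron entry would call, for example:
# ensure_ticket "host/$(hostname)" /tmp/krb5cc_host "" 240
```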

RE: Linux system account ticket lifetime

Carter, Joel
Thanks for the detailed info, I'll give it a shot!

Joel.
