I hope I have not completely picked the wrong forum. It's just that I can find only very sparse sources of information on the subject of Kerberos; so I hope there is someone here who knows a bit about Kerberos on Debian.
I am setting up a Kerberos system for the first time and am following this book: http://www.kerberos-buch.de/
For my first steps I installed 2 virtual machines with Debian GNU/Linux 7.7 (wheezy); this ships with Kerberos 1.10.1(+dfsg-5+deb7u2).
The VM I use as the Kerberos server (KDC) has the IP 10.0.2.50. In the /etc/hosts file of both VMs I assigned it the DNS name deb-krb.example.com.
The client VM has the IP 10.0.2.51 and the DNS name deb-cl1.example.com.
No firewall rules were defined; a port scan with nmap from the client to the KDC also shows that it is reachable:
Code:
root@deb-cl1:~# nmap deb-krb
Starting Nmap 6.00 ( http://nmap.org ) at 2014-12-16 09:26 CET
Nmap scan report for deb-krb (10.0.2.50)
Host is up (0.00014s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
88/tcp open kerberos-sec
111/tcp open rpcbind
389/tcp open ldap
464/tcp open kpasswd5
636/tcp open ldapssl
749/tcp open kerberos-adm
MAC Address: 08:00:27:84:40:71 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
root@deb-cl1:~#
Code:
root@deb-cl1:~# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
root@deb-cl1:~# kinit
user/admin@EXAMPLE.COM
Password for user/admin@EXAMPLE.COM:
root@deb-cl1:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user/admin@EXAMPLE.COM
Valid starting Expires Service principal
16/12/2014 09:31 16/12/2014 19:31 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 17/12/2014 09:31
root@deb-cl1:~#
Code:
root@deb-krb:/etc# kadmin.local -m -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin@EXAMPLE.COM with password.
Enter KDC database master key:
kadmin.local: get_policy admin
Policy: admin
Maximum password life: 3153600000
Minimum password life: 864000
Minimum password length: 12
Minimum number of password character classes: 3
Number of old keys kept: 10
Reference count: 0
Maximum password failures before lockout: 0
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
kadmin.local: quit
root@deb-krb:/etc#
When I try to use the network-based kadmin instead of kadmin.local, I get strange errors, even when I stay on the KDC itself. For example, when I try the same thing as before with kadmin.local, the following happens:
Code:
root@deb-krb:/etc# kadmin -m -p user/admin@EXAMPLE.COM
Authenticating as principal user/admin@EXAMPLE.COM with password.
Password for user/admin@EXAMPLE.COM:
kadmin: get_policy admin
get_policy: Communication failure with server while retrieving policy "admin".
kadmin: addpol -maxlife 36500days -minlife 10days -minlength 8 -minclasses 3 -history 10 default
add_policy: Communication failure with server while creating policy "default".
kadmin: quit
root@deb-krb:/etc#
In the kadmind log it looks like this:
Code:
Dec 16 10:14:06 deb-krb kadmind[3058](Notice): Request: kadm5_init, user/admin@EXAMPLE.COM, success, client=user/admin@EXAMPLE.COM, service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.50, vers=3, flavor=6
Dec 16 10:14:12 deb-krb kadmind[3058](Notice): Request: kadm5_get_policy, admin, success, client=user/admin@EXAMPLE.COM, service=kadmin/deb-krb@EXAMPLE.COM, addr=10.0.2.50
Dec 16 10:14:12 deb-krb kadmind[3058](Error): WARNING! Unable to send function results, continuing.
Code:
*/admin *
krbadm@EXAMPLE.COM *
*/admin@EXAMPLE.COM *
*/*@EXAMPLE.COM i
*@EXAMPLE.COM i
My configuration files look like this:
/etc/krb5.conf:
Code:
[libdefaults]
default_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
EXAMPLE.COM = {
kdc = deb-krb.example.com
admin_server = deb-krb.example.com
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
Code:
[kdcdefaults]
#kdc_ports = 750,88
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
#key_stash_file = /etc/krb5kdc/stash
#kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
#master_key_type = des3-hmac-sha1
master_key_type = aes256-cts
#supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
default_principal_flags = +preauth
}
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/krb_admin_server.log
Many thanks in advance for your help!
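To audit who the ACL quoted above actually grants admin rights to, here is an added Python example (not from the post or from MIT Kerberos) that evaluates a principal against kadm5.acl entries. It assumes the five-line ACL shown is /etc/krb5kdc/kadm5.acl, applies the default realm EXAMPLE.COM to entries without a realm, uses first-match semantics with * and ? wildcards per component, and ignores the optional target-principal and restriction fields.

```python
import fnmatch
# Constructed copy of the ACL quoted in the post (assumed to be
# /etc/krb5kdc/kadm5.acl, the acl_file named in kdc.conf).
ACL_TEXT = """\
*/admin *
krbadm@EXAMPLE.COM *
*/admin@EXAMPLE.COM *
*/*@EXAMPLE.COM i
*@EXAMPLE.COM i
"""
DEFAULT_REALM = "EXAMPLE.COM"
ALL_PERMS = frozenset("admcilps")  # MIT letters; "x" or "*" means all, upper-case denies

def split_principal(princ, default_realm=DEFAULT_REALM):
    """Return (components, realm); an entry without @realm gets the default realm."""
    name, _, realm = princ.partition("@")
    return name.split("/"), (realm or default_realm)

def matches(pattern, princ):
    """Same number of components, each component and the realm matched with * and ?."""
    pcomps, prealm = split_principal(pattern)
    ccomps, crealm = split_principal(princ)
    if len(pcomps) != len(ccomps):
        return False
    return fnmatch.fnmatchcase(crealm, prealm) and all(
        fnmatch.fnmatchcase(c, p) for p, c in zip(pcomps, ccomps))

def parse_acl(text):
    """Yield (principal_pattern, permissions); comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed kadm5.acl line: %r" % line)
        yield fields[0], fields[1]

def effective_permissions(acl_text, princ):
    """Permissions the first matching entry grants (empty set: no admin access)."""
    for pattern, perms in parse_acl(acl_text):
        if matches(pattern, princ):
            if "*" in perms or "x" in perms:
                return set(ALL_PERMS)
            return {p for p in perms if p in ALL_PERMS}
    return set()

def full_admins(acl_text, principals):
    """Which of the given principals hold every permission (the ones to keep an eye on)."""
    return [p for p in principals if effective_permissions(acl_text, p) == ALL_PERMS]
```

With this ACL, any principal whose instance is "admin" (first line, default realm) and krbadm get full rights, while every other principal of the realm only gets inquire.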