Re: Kerberos on diskless clients
Thu, 2010-07-08 at 11:45 +0200, John S. Skogtvedt wrote:
> On 7 July 2010 00:43, Veli-Matti Lintu wrote:
> >
> > I've been dealing with these same issues recently and after testing it
> > looks like machine credentials are not needed to get diskless clients
> > working with kerberos.
> >
> > What I have understood is that with NFSv4 the machine credentials are
> > used for the initial mount + root access. For the initial mount
> > credentials any credentials are actually ok and if rpc.gssd is run with
> > -n option, it uses existing credentials for the mount. When using
> > sec=krb5 access to users' home directories on the mounted directory then
> > requires valid credentials for the user.
> >
> > I haven't really tested the root access part here as I have always used
> > root_squash on all the exports.
>
> Thanks, this is very helpful. Which DM/desktop did you test with? gdm
> for instance used to (or still does) check as root if the user's
> home directory existed, which might cause problems.
>
> I will try to test with debian-edu within the next two weeks.

We got it to work with both ldm (LTSP 5) and gdm with Gnome on Ubuntu 10.04. I do not know the current differences between the Debian and Ubuntu versions of ldm, but I'd guess they are pretty close and scripting should be possible. Using ldm does require custom scripts to get the kerberos ticket on the client, as normally the ticket is acquired on the server when the ssh login is made.

Using gdm should be possible on all platforms (netboot or local install) as it really doesn't depend on any ltsp specific stuff. Some creative PAM stack hacking is required to get the user's kerberos ticket in the correct places right after authentication so that rpc.gssd can be (re)started. Now this is done with a script that is run by the pam_exec module.

There are still untested pieces in the puzzle, so something else might still come up, but I hope this helps.
Veli-Matti

--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1278669412.3993.66.ca...@punajuuri.liitu.vm.opinsys.fi
Re: Kerberos on diskless clients
Tue, 2010-06-15 at 13:44 +0200, John S. Skogtvedt wrote:
> On 15 June 2010 12:51, Jonas Smedegaard wrote:
> > On Tue, Jun 15, 2010 at 12:02:57PM +0200, John S. Skogtvedt wrote:
> >>
> >> With /skole/tjener/home0, the problem is that the machine itself needs a
> >> "$hostname/nfs" principal with corresponding secret key. It's not enough
> >> that the user can authenticate to Kerberos.
> >
> > Oh. I was unaware that the machine needed a separate key for NFS.
> > Problem, yes!
> >
> > What exactly does a $host/nfs key grant access to? The whole partition,
> > encrypted by user keys, or the whole partition, unencrypted?
> >
>
> I'm not a Kerberos/NFSv4 expert, but AFAIK it's a ticket-granting ticket
> (TGT) which firstly gives the machine read-only access to the entire
> exported filesystem, and secondly allows the machine to grant a RW
> ticket to the user. Kerberos is used to authenticate writes, and
> optionally for encryption as well.
>
> > Would AFS perhaps provide a key structure better suited for this? My
> > question here is _only_ about the key structure - AFS might have other
> > limitations making it unsuitable, but the act of comparing key handling
> > might help understand possible/sane approaches.
> >
> > Ideally we would use a filesystem requiring only a user key to
> > authenticate. Hmm - would it perhaps be possible (while still secure)
> > to create and permit a $user/nfs keypair acting as host key for
> > .../home* mount points?

Hi,

I've been dealing with these same issues recently and after testing it looks like machine credentials are not needed to get diskless clients working with kerberos.

What I have understood is that with NFSv4 the machine credentials are used for the initial mount + root access. For the initial mount credentials any credentials are actually ok and if rpc.gssd is run with the -n option, it uses existing credentials for the mount. When using sec=krb5, access to users' home directories on the mounted directory then requires valid credentials for the user.

I haven't really tested the root access part here as I have always used root_squash on all the exports.

Using the user's credentials instead of a keytab means of course that the mount works only as long as the credentials are valid.

man rpc.gssd:

       -n     By default, rpc.gssd treats accesses by the user with UID 0
              specially, and uses "machine credentials" for all accesses by
              that user which require Kerberos authentication. With the -n
              option, "machine credentials" will not be used for accesses by
              UID 0. Instead, credentials must be obtained manually like all
              other users. Use of this option means that "root" must manually
              obtain Kerberos credentials before attempting to mount an nfs
              filesystem requiring Kerberos authentication.

Veli-Matti

Archive: http://lists.debian.org/1278456218.3993.30.ca...@punajuuri.liitu.vm.opinsys.fi
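The following is an added example, written for this page and not code from the Opinsys setup or from Debian Edu. It ties together the two messages above: the earlier one (rpc.gssd started with -n so that any existing credentials, here the user's own ticket, serve the sec=krb5 mount instead of a machine keytab) and the later reply (a pam_exec script that puts the ticket where rpc.gssd looks for it right after authentication). Everything below that is not in the posts is an assumption: the script path, the PAM fragment, RPCGSSDOPTS="-n" in /etc/default/nfs-common, that pam_krb5 runs earlier in the stack and leaves KRB5CCNAME in the PAM environment, that rpc.gssd scans its default cache directory /tmp for krb5cc_<uid>* files, and that rpc.gssd on Ubuntu 10.04 is restarted through the nfs-common init script.

```shell
#!/bin/sh
# Added example: stage a just-obtained Kerberos ticket so rpc.gssd can use
# it for a sec=krb5 home directory on a diskless client (no machine keytab).
#
# Assumed surrounding configuration (not from the original posts):
#   /etc/default/nfs-common:   NEED_GSSD=yes  RPCGSSDOPTS="-n"
#   server /etc/exports:       /home  client.example.edu(rw,sec=krb5,root_squash)
#   /etc/pam.d/gdm (after pam_krb5's session line):
#       session  optional  pam_exec.so  /usr/local/sbin/stage-krb5cc.sh
# pam_exec exports PAM_USER and PAM_TYPE and passes on the PAM environment,
# so KRB5CCNAME set by pam_krb5 is visible here.

CCACHE_DIR=${CCACHE_DIR:-/tmp}

# Path rpc.gssd expects for a given numeric uid in its cache directory.
ccache_target() {
    uid=$1; dir=$2
    printf '%s/krb5cc_%s\n' "$dir" "$uid"
}

# Copy the ccache named by SRC (optionally prefixed with FILE:) into DIR
# under the name rpc.gssd scans for, mode 0600, owned by UID when root.
# Prints the target path; returns 1 without touching anything when SRC is
# not a regular file or UID is not numeric.
stage_ccache() {
    src=$1; uid=$2; dir=$3
    src=${src#FILE:}
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    [ -f "$src" ] || return 1
    target=$(ccache_target "$uid" "$dir")
    tmp=$(mktemp "$dir/.krb5cc_$uid.XXXXXX") || return 1      # created 0600
    cp "$src" "$tmp" && chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ]; then                                # only root can chown
        chown "$uid" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }       # atomic replace
    printf '%s\n' "$target"
}

# Remove the staged copy at logout so the next user of a shared diskless
# client does not inherit a still-valid ticket (kdestroy for the copy).
unstage_ccache() {
    uid=$1; dir=$2
    rm -f "$(ccache_target "$uid" "$dir")"
}

# PAM entry point; only runs when pam_exec invoked us (PAM_TYPE is set).
if [ -n "${PAM_TYPE:-}" ]; then
    pam_uid=$(id -u "$PAM_USER" 2>/dev/null) || exit 0
    case "$PAM_TYPE" in
        open_session)
            # Never fail the login over the cache: without a valid ticket the
            # user simply gets no access to the sec=krb5 export.
            stage_ccache "${KRB5CCNAME:-}" "$pam_uid" "$CCACHE_DIR" >/dev/null || exit 0
            # The thread (re)starts rpc.gssd once the ticket is in place;
            # the init script name is an assumption for Ubuntu 10.04.
            /etc/init.d/nfs-common restart >/dev/null 2>&1 || true
            ;;
        close_session)
            unstage_ccache "$pam_uid" "$CCACHE_DIR"
            ;;
    esac
fi
```

Because the mount is authenticated with the user's ticket, it lives exactly as long as that ticket does, which is the caveat the earlier message makes; the close_session branch is the other half of the same point, since a staged cache left in /tmp on a shared client would otherwise outlive the login.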
Re: password synchronization
Wed, 2010-05-12 at 16:22 +0200, Andreas B. Mundt wrote:
> On Wed, May 05, 2010 at 04:41:41PM +0300, Veli-Matti Lintu wrote:
> > Mon, 2010-05-03 at 21:47 +0200, Andreas B. Mundt wrote:
> >
> > > The critical point in using kerberos is the synchronization
> > > i.e. integration of all passwords: posix, samba and kerberos.
> [...]
> > We've been figuring out for a while what to do with this syncing problem
> > and we just finished smbkrb5pwd for MIT kerberos. Its implementation
> Many thanks for these links. I am currently investigating pros and
> cons of the various methods used to achieve synchronized passwords.
> Do you know of any activities to get this package into mainline
> Ubuntu/Debian?

We haven't looked into getting it in mainline or in OpenLDAP yet as we are still testing it. There have been some issues in multi-realm kdc/kadmin setups, but those should be fixed now in the Launchpad version. We should get our tools for setting up ldap+kerberos and managing users with the overlay out really soon now. I hope to be able to think about packaging after that.

Do you see any problems with the approach used in smbkrb5pwd?

Veli-Matti

Archive: http://lists.debian.org/1273674798.3388.18.ca...@punajuuri.liitu.vm.opinsys.fi
Re: MIT-kerberos versus Heimdal
Mon, 2010-05-03 at 21:47 +0200, Andreas B. Mundt wrote:
> The critical point in using kerberos is the synchronization
> i.e. integration of all passwords: posix, samba and kerberos. Again,
> [1] gives an idea how it can be done with Heimdal and smbk5pwd, an
> (ldap-) overlay which will soon be in testing [2].
> In general, I got the impression that MIT-Kerberos is kind of more
> "mainstream", there is more info on the web. Heimdal's documentation
> can be rather short sometimes.
>
> To sum up: The only advantage I see for Heimdal currently might be the
> use of smbk5pwd. However, if we need scripts anyway, I think it's
> better to add the few lines of code necessary for synchronization and
> use MIT.
> [1] http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
> [2] http://packages.qa.debian.org/o/openldap.html

Hi,

We've been figuring out for a while what to do with this syncing problem and we just finished smbkrb5pwd for MIT kerberos. Its implementation differs from smbk5pwd for Heimdal, but the idea is to sync all the passwords at once when the ldap password is changed. This is the first version and it still needs work, but if you are interested in testing it, here are instructions on how to use it:

http://www.opinsys.fi/en/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba

smbkrb5pwd does not alter the kerberos ldap entries directly, but connects to kadmind to do the work. This has pros and cons, but for us it seems to work nicely in test environments. The testing has been done on Ubuntu 10.04, but I cannot see why it wouldn't work in Debian also.

Veli-Matti

Archive: http://lists.debian.org/1273066901.2643.13397.ca...@vm-lucid
Re: Thoughts on roaming laptop setup for Debian Edu
Wed, 2010-04-28 at 20:43 +0200, Petter Reinholdtsen wrote:
> For some years now, I have wondered how we should handle laptops in
> Debian Edu. The Debian Edu infrastructure is mostly designed to handle
> stationary computers, and less suited for computers that come and go.
>
> Now I finally believe I have a sensible idea on how to adjust Debian
> Edu for laptops, by introducing a new profile for them, for example
> called Roaming Workstations. Here are my thoughts on this. The setup
> would consist of the following:

Hi,

I'm not using Debian Edu myself, but I've been dealing with the same issues on Ubuntu/Edubuntu in schools where laptops are shared between pupils and wlan is used for the network connection. We have ldap/kerberos infrastructure in place and we wanted to use either ldap or kerberos authentication for laptops too.

At first we tried using pam-ccreds and libnss-db/updatedb, but for some reason we never got it stable. It could be that a missing network connection would sometimes break authentication even if the user had authenticated before, and sometimes it would work perfectly. Debugging the modules didn't reveal the problem, so we tried something else.

Next we did https based authentication where a script run from pam would contact an https server with the user's credentials and transfer user and group information if authentication succeeded. This worked nicely and as a bonus no firewall seemed to stop it.

Next we discovered sssd, which was written as part of the FreeIPA project by Fedora. sssd is packaged in Ubuntu, but seems to be missing from Debian. It loads user information from ldap and authenticates the user against ldap or kerberos. Once the information is on the laptop, it works in offline mode also. So far it's been working really nicely, so I can recommend this solution.

For file synchronisation we've been using Unison and besides localisation and UI issues it's been working nicely.

CUPS printer information broadcasting to the local network also works with little configuration. Users see the available printers automatically and they disappear if the network goes down.

There's more information about sssd on shared laptops in our blog:

http://www.opinsys.fi/en/user-management-with-sssd-on-shared-laptops

sssd homepage: https://fedorahosted.org/sssd/

I'm just a happy user and not involved in sssd's development or Ubuntu packaging.

I hope this helps!

Veli-Matti

Archive: http://lists.debian.org/1272484997.2643.6344.ca...@vm-lucid
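An added example for the sssd setup the message above describes (ldap for user information, kerberos for authentication, cached credentials so that a pupil who has logged in before can log in without the school network). It is not code from the Opinsys blog post or from the sssd project. The realm, server names and search base are placeholders; the hardening choices (STARTTLS with certificate verification for the identity lookups, krb5_validate against a host keytab, a bounded offline credential lifetime) are this editor's, and krb5_validate assumes each laptop has its own host principal in /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example: render an sssd.conf for a shared, roaming laptop and check an
# existing file for the settings that matter once the laptop leaves the network.
# Option names are real sssd.conf options; values and hostnames are placeholders.

# Print a hardened sssd.conf for REALM LDAP_URI SEARCH_BASE KDC.
render_sssd_conf() {
    realm=$1; ldap_uri=$2; base=$3; kdc=$4
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = school

[pam]
# days a cached password may still log the user in while offline
offline_credentials_expiration = 14
offline_failed_login_attempts = 5
offline_failed_login_delay = 5

[domain/school]
id_provider = ldap
auth_provider = krb5
ldap_uri = $ldap_uri
ldap_search_base = $base
# identity lookups go over STARTTLS and the server certificate must verify
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
krb5_server = $kdc
krb5_realm = $realm
# verify the TGT against the host keytab so a rogue KDC cannot fake a login
# (assumes the laptop has a host principal in /etc/krb5.keytab)
krb5_validate = True
krb5_keytab = /etc/krb5.keytab
# keep hashed credentials so earlier users can log in offline
cache_credentials = True
enumerate = False
EOF
}

# Value of KEY in FILE (first "key = value" match, split on the first '=',
# whitespace trimmed); prints nothing when the key is absent.
conf_get() {
    awk -v k="$2" '
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) { print val; exit } }
    ' "$1"
}

# Check FILE for a roaming laptop: one line per problem on stdout,
# returns 1 if anything was flagged, 0 if the file is acceptable.
check_sssd_conf() {
    f=$1; rc=0
    [ "$(conf_get "$f" cache_credentials)" = "True" ] \
        || { echo "cache_credentials is not True: offline logins will fail"; rc=1; }
    [ "$(conf_get "$f" ldap_tls_reqcert)" = "demand" ] \
        || { echo "ldap_tls_reqcert is not demand: LDAP server certificate is not verified"; rc=1; }
    case "$(conf_get "$f" ldap_uri)" in
        ldaps://*) ;;                       # TLS from the first byte, STARTTLS not needed
        *) [ "$(conf_get "$f" ldap_id_use_start_tls)" = "True" ] \
             || { echo "ldap_id_use_start_tls is not True: identity lookups go in clear text"; rc=1; } ;;
    esac
    [ "$(conf_get "$f" krb5_validate)" = "True" ] \
        || { echo "krb5_validate is not True: a spoofed KDC could log a user in"; rc=1; }
    # sssd refuses to start unless the file is root-owned with mode 0600
    [ -n "$(find "$f" -perm 600)" ] \
        || { echo "$f must be mode 0600"; rc=1; }
    return $rc
}
```

Run the checker against /etc/sssd/sssd.conf after editing; the two settings most often relaxed to "make it work" on a laptop, ldap_tls_reqcert = allow and cache_credentials = False, are exactly the ones it flags, the first because it lets any host answer the LDAP queries, the second because it silently removes the offline login the whole setup exists for.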