add tasks for Kerberos

auth1/kerberos/kadm5.acl

@@ -0,0 +1,6 @@
+# This file Is the access control list for krb5 administration.
+# When this file is edited run service krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal 
+# ending in /admin  is given full administrative rights.
+# To enable this, uncomment the following line:
+*/admin *

auth1/kerberos/kdc.conf.j2

@@ -0,0 +1,19 @@
+[kdcdefaults]
+    kdc_ports = 88
+
+[realms]
+    CSCLUB.INTERNAL = {
+        database_name = /var/lib/krb5kdc/principal
+        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+        acl_file = /etc/krb5kdc/kadm5.acl
+        key_stash_file = /etc/krb5kdc/stash
+        kdc_ports = 88
+        max_life = 10h 0m 0s
+        max_renewable_life = 7d 0h 0m 0s
+        master_key_type = des3-hmac-sha1
+        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+        default_principal_flags = +preauth    
+        iprop_enable = true        
+        iprop_slave_poll = 2m    
+        iprop_port = 750
+    }

auth1/kerberos/krb5.conf.j2

@@ -0,0 +1,46 @@
+[libdefaults]
+	default_realm = {{ krb_realm }}
+
+# The following krb5.conf variables are only for MIT Kerberos.
+	kdc_timesync = 1
+	ccache_type = 4
+	forwardable = true
+	proxiable = true
+
+        dns_lookup_kdc = false
+        dns_lookup_realm = false
+
+        # For NFS, apparently
+        allow_weak_crypto = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented.  In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# The only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+#	default_tgs_enctypes = des3-hmac-sha1
+#	default_tkt_enctypes = des3-hmac-sha1
+#	permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+	fcc-mit-ticketflags = true
+
+[realms]
+        {{ krb_realm }} = {
+		kdc = kdc1.{{ base_domain }}
+		admin_server = kadmin.{{ base_domain }}
+	}
+
+[domain_realm]
+        .csclub.internal = {{ krb_realm }}
+        csclub.internal = {{ krb_realm }}
+
+[logging]
+      kdc = SYSLOG:INFO:AUTH    
+      admin_server = SYSLOG:INFO:AUTH    
+      default = SYSLOG:INFO:AUTH

auth1/ldap/data.ldif.j2

@@ -45,17 +45,14 @@ sudoHost: ALL
 sudoCommand: ALL
 sudoRunAsUser: ALL
 
-# The password for each user is slapd.
-# The hashes were generated with slappasswd.
-
 dn: uid=ctdalek,ou=People,{{ ldap_base }}
 cn: Calum Dalek
-userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK
+userPassword: {SASL}ctdalek@{{ krb_realm }}
 loginShell: /bin/bash
-homeDirectory: /home/ctdalek
-uidNumber: 10101
+homeDirectory: /users/ctdalek
 uid: ctdalek
-gidNumber: 10101
+uidNumber: 20001
+gidNumber: 20001
 objectClass: top
 objectClass: account
 objectClass: posixAccount
@@ -69,4 +66,27 @@ objectClass: top
 objectClass: group
 objectClass: posixGroup
 cn: ctdalek
-gidNumber: 10101
+gidNumber: 20001
+
+dn: uid=regular1,ou=People,{{ ldap_base }}
+cn: Regular One
+userPassword: {SASL}regular1@{{ krb_realm }}
+loginShell: /bin/bash
+homeDirectory: /users/regular1
+uid: regular1
+uidNumber: 20002
+gidNumber: 20002
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: member
+program: MAT/Mathematics Computer Science
+term: s2021
+
+dn: cn=regular1,ou=Group,{{ ldap_base }}
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: regular1
+gidNumber: 20002

auth1/ldap/slapd.conf.j2

@@ -45,15 +45,15 @@ timelimit unlimited
 localssf        128
 
 # map kerberos users to ldap users
-# sasl-realm      CSCLUB.UWATERLOO.CA
-# authz-regexp    "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-#                 "uid=$1,ou=people,{{ ldap_base }}"
-# authz-regexp    "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-#                 "cn=ceod,{{ ldap_base }}"
-# authz-regexp    "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-#                 "cn=ldap-slave,{{ ldap_base }}"
-# authz-regexp    "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-#                 "cn=renewal,{{ ldap_base }}"
+sasl-realm      CSCLUB.INTERNAL
+authz-regexp    "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+                "uid=$1,ou=people,dc=csclub,dc=internal"
+authz-regexp    "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+                "cn=ceod,dc=csclub,dc=internal"
+authz-regexp    "uid=ldap/auth2.csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+                "cn=ldap-slave,dc=csclub,dc=internal"
+authz-regexp    "uid=renewal/([^/=]*).csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+                "cn=renewal,dc=csclub,dc=internal"
 
 # map sasl external users to ldap users
 #authz-regexp    "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"

auth1/main.yml

@@ -2,6 +2,7 @@
 - hosts: auth1
   vars:
     ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
+    krb_realm: "{{ base_domain.upper() }}"
   tasks:
     - name: setup networking
       import_role:
@@ -9,6 +10,7 @@
       vars:
         ipv4_addr: "{{ auth1_ipv4_addr }}"
     - meta: flush_handlers
+    # LDAP
     - name: install LDAP packages
       apt:
         name: "{{ item }}"
@@ -17,7 +19,6 @@
         - ldap-utils
         - ldapvi
         - libnss-ldapd
-        - libpam-ldapd
         - nscd
         - sudo-ldap
     - name: copy slapd.conf
@@ -50,14 +51,6 @@
         - rfc2307bis.schema
         - csc.schema
       notify: restart slapd
-    - name: copy DB_CONFIG
-      copy:
-        remote_src: yes
-        src: /usr/share/slapd/DB_CONFIG
-        dest: /var/lib/ldap/DB_CONFIG
-        owner: openldap
-        group: openldap
-      notify: restart slapd
     - name: make sure slapd is running
       systemd:
         name: slapd
@@ -75,6 +68,14 @@
       shell: rm /var/lib/ldap/*
       when: cn_config_cmd.rc == 0
       notify: restart slapd
+    - name: copy DB_CONFIG
+      copy:
+        remote_src: yes
+        src: /usr/share/slapd/DB_CONFIG
+        dest: /var/lib/ldap/DB_CONFIG
+        owner: openldap
+        group: openldap
+      notify: restart slapd
     - name: copy ldap.conf
       template:
         src: ldap/ldap.conf.j2
@@ -103,8 +104,116 @@
         src: ldap/data.ldif.j2
         dest: /etc/ldap/data.ldif
     - name: load LDIF data
-      command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
-      ignore_errors: yes
+      shell: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:/// || true
+    # Kerberos
+    - name: install Kerberos packages
+      apt:
+        name: "{{ item }}"
+      loop:
+        - krb5-admin-server
+        - krb5-user
+        - libpam-krb5
+        - libsasl2-modules-gssapi-mit
+        - sasl2-bin
+    - name: override systemd services for Kerberos
+      import_role:
+        name: ../roles/systemd_workarounds
+      vars:
+        services: [ "krb5-admin-server", "krb5-kdc" ]
+    - name: copy krb5.conf
+      template:
+        src: kerberos/krb5.conf.j2
+        dest: /etc/krb5.conf
+      notify:
+        - restart kadmin
+    - name: copy kdc.conf
+      template:
+        src: kerberos/kdc.conf.j2
+        dest: /etc/krb5kdc/kdc.conf
+      notify:
+        - restart kdc
+    - name: copy kadm5.acl
+      copy:
+        src: kerberos/kadm5.acl
+        dest: /etc/krb5kdc/kadm5.acl
+      notify:
+        - restart kdc
+    - name: create new realm
+      command:
+        cmd: krb5_newrealm
+        # This is the KDC database master key
+        stdin: |
+          krb5
+          krb5
+        creates: /var/lib/krb5kdc/principal
+    - meta: flush_handlers
+    - name: add sysadmin principal
+      command:
+        cmd: kadmin.local
+        stdin: |
+          addprinc sysadmin/admin
+          krb5
+          krb5
+    - name: add user principals
+      command:
+        cmd: kadmin.local
+        stdin: |
+          addprinc {{ item }}
+          krb5
+          krb5
+      loop:
+        - ctdalek
+        - regular1
+    # TODO: add more hosts
+    - name: add host principals
+      command:
+        cmd: kadmin.local
+        stdin: |
+          addprinc -randkey host/auth1.{{ base_domain }}
+          addprinc -randkey ldap/auth1.{{ base_domain }}
+    # TODO: create an Ansible role for this
+    - name: copy keytab to host
+      command:
+        cmd: kadmin.local
+        stdin: |
+          ktadd host/auth1.{{ base_domain }}
+          ktadd ldap/auth1.{{ base_domain }}
+    - name: create keytab group
+      group:
+        name: keytab
+    - name: allow users in keytab group to read keytab
+      file:
+        path: /etc/krb5.keytab
+        group: keytab
+        mode: 0640
+    - name: add openldap user to necessary groups
+      user:
+        name: openldap
+        groups:
+          - keytab
+          - sasl
+      notify:
+        - restart slapd
+    - name: create /usr/lib/sasl2/slapd.conf
+      copy:
+        content: |
+          mech_list: plain login gssapi external
+          pwcheck_method: saslauthd
+        dest: /usr/lib/sasl2/slapd.conf
+      notify:
+        - restart slapd
+    - name: add config for saslauthd
+      replace:
+        path: /etc/default/saslauthd
+        regexp: "^{{ item.key }}=.*$"
+        replace: "{{ item.key }}={{ item.value }}"
+      loop:
+        - key: START
+          value: 'yes'
+        - key: MECHANISMS
+          value: '"kerberos5"'
+      notify:
+        - restart saslauthd
   handlers:
     - name: restart slapd
       systemd:
@@ -118,3 +227,15 @@
       systemd:
         name: nscd
         state: restarted
+    - name: restart kadmin
+      systemd:
+        name: krb5-admin-server
+        state: restarted
+    - name: restart kdc
+      systemd:
+        name: krb5-kdc
+        state: restarted
+    - name: restart saslauthd
+      systemd:
+        name: saslauthd
+        state: restarted

dns/main.yml

@@ -16,6 +16,7 @@
       copy:
         content: |
           {{ mail_ipv4_addr }} mail.{{ base_domain }}
+          {{ auth1_ipv4_addr }} auth1.{{ base_domain }}
         dest: /etc/dnsmasq_hosts
       notify: restart dnsmasq
     - name: add dnsmasq config

dns/templates/dnsmasq.conf.j2

@@ -9,3 +9,6 @@ cname=mailman.{{ base_domain }},mail.{{ base_domain }}
 mx-host={{ base_domain }},mail.{{ base_domain }},50
 address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
 address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
+cname=ldap1.{{ base_domain }},auth1.{{ base_domain }}
+cname=kdc1.{{ base_domain }},auth1.{{ base_domain }}
+cname=kadmin.{{ base_domain }},auth1.{{ base_domain }}

roles/systemd_workarounds/tasks/main.yml

@@ -14,6 +14,9 @@
       ProtectHome=false
       ProtectControlGroups=false
       ProtectKernelModules=false
+      InaccessibleDirectories=
+      ReadOnlyDirectories=
+      ReadWriteDirectories=
     dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
   loop: "{{ services }}"
   register: service_overrides