add tasks for Kerberos
This commit is contained in:
parent
3e6247e181
commit
3f977516cd
|
@ -0,0 +1,6 @@
|
|||
# This file Is the access control list for krb5 administration.
|
||||
# When this file is edited run service krb5-admin-server restart to activate
|
||||
# One common way to set up Kerberos administration is to allow any principal
|
||||
# ending in /admin is given full administrative rights.
|
||||
# To enable this, uncomment the following line:
|
||||
*/admin *
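Review bot: The header says `# To enable this, uncomment the following line:` but `*/admin *` is already active, so the file grants every principal ending in `/admin` the full kadmin privilege set while its own comment claims the rule is disabled. Either reword the comment to match (`# Any principal ending in /admin has full administrative rights:`) or narrow the rule to the admin this playbook actually creates, e.g. `sysadmin/admin@CSCLUB.INTERNAL *` using the realm from kdc.conf. `# This file Is` should read `# This file is`.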
|
|
@ -0,0 +1,19 @@
|
|||
[kdcdefaults]
|
||||
kdc_ports = 88
|
||||
|
||||
[realms]
|
||||
CSCLUB.INTERNAL = {
|
||||
database_name = /var/lib/krb5kdc/principal
|
||||
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
|
||||
acl_file = /etc/krb5kdc/kadm5.acl
|
||||
key_stash_file = /etc/krb5kdc/stash
|
||||
kdc_ports = 88
|
||||
max_life = 10h 0m 0s
|
||||
max_renewable_life = 7d 0h 0m 0s
|
||||
master_key_type = des3-hmac-sha1
|
||||
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
|
||||
default_principal_flags = +preauth
|
||||
iprop_enable = true
|
||||
iprop_slave_poll = 2m
|
||||
iprop_port = 750
|
||||
}
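Review bot: `master_key_type = des3-hmac-sha1` together with a `supported_enctypes` list that still carries `des-cbc-crc:normal` and the `des:*` salt variants puts the realm's master key on 3DES and lets single-DES keys be generated for new principals; single DES is broken and MIT Kerberos dropped it in 1.18, so a fresh realm should be `master_key_type = aes256-cts` and `supported_enctypes = aes256-cts:normal aes128-cts:normal`. The realm block is hard-coded as `CSCLUB.INTERNAL` although the sibling krb5.conf.j2 in this commit derives it as `{{ krb_realm }}`, so the two templates diverge as soon as `base_domain` changes. `kdc_ports = 88` is set both under `[kdcdefaults]` and inside the realm block; one is enough.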
|
|
@ -0,0 +1,46 @@
|
|||
[libdefaults]
|
||||
default_realm = {{ krb_realm }}
|
||||
|
||||
# The following krb5.conf variables are only for MIT Kerberos.
|
||||
kdc_timesync = 1
|
||||
ccache_type = 4
|
||||
forwardable = true
|
||||
proxiable = true
|
||||
|
||||
dns_lookup_kdc = false
|
||||
dns_lookup_realm = false
|
||||
|
||||
# For NFS, apparently
|
||||
allow_weak_crypto = true
|
||||
|
||||
# The following encryption type specification will be used by MIT Kerberos
|
||||
# if uncommented. In general, the defaults in the MIT Kerberos code are
|
||||
# correct and overriding these specifications only serves to disable new
|
||||
# encryption types as they are added, creating interoperability problems.
|
||||
#
|
||||
# The only time when you might need to uncomment these lines and change
|
||||
# the enctypes is if you have local software that will break on ticket
|
||||
# caches containing ticket encryption types it doesn't know about (such as
|
||||
# old versions of Sun Java).
|
||||
|
||||
# default_tgs_enctypes = des3-hmac-sha1
|
||||
# default_tkt_enctypes = des3-hmac-sha1
|
||||
# permitted_enctypes = des3-hmac-sha1
|
||||
|
||||
# The following libdefaults parameters are only for Heimdal Kerberos.
|
||||
fcc-mit-ticketflags = true
|
||||
|
||||
[realms]
|
||||
{{ krb_realm }} = {
|
||||
kdc = kdc1.{{ base_domain }}
|
||||
admin_server = kadmin.{{ base_domain }}
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.csclub.internal = {{ krb_realm }}
|
||||
csclub.internal = {{ krb_realm }}
|
||||
|
||||
[logging]
|
||||
kdc = SYSLOG:INFO:AUTH
|
||||
admin_server = SYSLOG:INFO:AUTH
|
||||
default = SYSLOG:INFO:AUTH
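Review bot: `[domain_realm]` hard-codes `.csclub.internal` and `csclub.internal` while every other realm reference in this template comes from `base_domain`/`krb_realm`; write them as `.{{ base_domain }} = {{ krb_realm }}` and `{{ base_domain }} = {{ krb_realm }}` so the host-to-realm mapping follows the variables. `allow_weak_crypto = true` re-enables the DES enctypes that kdc.conf in this commit still offers, and it does so for every client reading this file, not only NFS; the comment `# For NFS, apparently` should name the NFS component that actually needs DES so the setting can be removed once that is gone, and if nothing does, the line should be dropped now.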
|
|
@ -45,17 +45,14 @@ sudoHost: ALL
|
|||
sudoCommand: ALL
|
||||
sudoRunAsUser: ALL
|
||||
|
||||
# The password for each user is slapd.
|
||||
# The hashes were generated with slappasswd.
|
||||
|
||||
dn: uid=ctdalek,ou=People,{{ ldap_base }}
|
||||
cn: Calum Dalek
|
||||
userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK
|
||||
userPassword: {SASL}ctdalek@{{ krb_realm }}
|
||||
loginShell: /bin/bash
|
||||
homeDirectory: /home/ctdalek
|
||||
uidNumber: 10101
|
||||
homeDirectory: /users/ctdalek
|
||||
uid: ctdalek
|
||||
gidNumber: 10101
|
||||
uidNumber: 20001
|
||||
gidNumber: 20001
|
||||
objectClass: top
|
||||
objectClass: account
|
||||
objectClass: posixAccount
|
||||
|
@ -69,4 +66,27 @@ objectClass: top
|
|||
objectClass: group
|
||||
objectClass: posixGroup
|
||||
cn: ctdalek
|
||||
gidNumber: 10101
|
||||
gidNumber: 20001
|
||||
|
||||
dn: uid=regular1,ou=People,{{ ldap_base }}
|
||||
cn: Regular One
|
||||
userPassword: {SASL}regular1@{{ krb_realm }}
|
||||
loginShell: /bin/bash
|
||||
homeDirectory: /users/regular1
|
||||
uid: regular1
|
||||
uidNumber: 20002
|
||||
gidNumber: 20002
|
||||
objectClass: top
|
||||
objectClass: account
|
||||
objectClass: posixAccount
|
||||
objectClass: shadowAccount
|
||||
objectClass: member
|
||||
program: MAT/Mathematics Computer Science
|
||||
term: s2021
|
||||
|
||||
dn: cn=regular1,ou=Group,{{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: group
|
||||
objectClass: posixGroup
|
||||
cn: regular1
|
||||
gidNumber: 20002
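Review bot: `userPassword: {SASL}regular1@{{ krb_realm }}` (and the same form for ctdalek in the first hunk) moves simple-bind verification to slapd's SASL pass-through, so the password now exists only in the KDC and a bind fails whenever saslauthd or the KDC is unavailable; a comment above the first such entry, e.g. `# {SASL} passwords are verified against the KDC via saslauthd; no hash is stored here`, would save the next reader from looking for the hash. `ou=People` in the `dn:` lines and `ou=people` in the slapd.conf authz-regexp differ in case — `ou` matches case-insensitively so this works, but one spelling across both files avoids the question.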
|
||||
|
|
|
@ -45,15 +45,15 @@ timelimit unlimited
|
|||
localssf 128
|
||||
|
||||
# map kerberos users to ldap users
|
||||
# sasl-realm CSCLUB.UWATERLOO.CA
|
||||
# authz-regexp "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "uid=$1,ou=people,{{ ldap_base }}"
|
||||
# authz-regexp "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "cn=ceod,{{ ldap_base }}"
|
||||
# authz-regexp "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "cn=ldap-slave,{{ ldap_base }}"
|
||||
# authz-regexp "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "cn=renewal,{{ ldap_base }}"
|
||||
sasl-realm CSCLUB.INTERNAL
|
||||
authz-regexp "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
|
||||
"uid=$1,ou=people,dc=csclub,dc=internal"
|
||||
authz-regexp "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
|
||||
"cn=ceod,dc=csclub,dc=internal"
|
||||
authz-regexp "uid=ldap/auth2.csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
|
||||
"cn=ldap-slave,dc=csclub,dc=internal"
|
||||
authz-regexp "uid=renewal/([^/=]*).csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
|
||||
"cn=renewal,dc=csclub,dc=internal"
|
||||
|
||||
# map sasl external users to ldap users
|
||||
#authz-regexp "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
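Review bot: The active `sasl-realm` and `authz-regexp` lines hard-code `CSCLUB.INTERNAL` and `dc=csclub,dc=internal`, although this file is templated (the commented-out block just above already uses `{{ ldap_base }}`) and the play defines `krb_realm` alongside `ldap_base`; writing `sasl-realm {{ krb_realm }}` and `"uid=$1,ou=people,{{ ldap_base }}"` (likewise for the ceod, ldap-slave and renewal mappings) keeps them in step with `base_domain`. The dots in `auth2.csclub.internal` and `([^/=]*).csclub.internal` are unescaped regex metacharacters, inherited from the old lines but worth escaping while they are being rewritten. The commented-out CSCLUB.UWATERLOO.CA block is now dead history next to its replacement and can be deleted.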
|
||||
|
|
143
auth1/main.yml
143
auth1/main.yml
|
@ -2,6 +2,7 @@
|
|||
- hosts: auth1
|
||||
vars:
|
||||
ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
|
||||
krb_realm: "{{ base_domain.upper() }}"
|
||||
tasks:
|
||||
- name: setup networking
|
||||
import_role:
|
||||
|
@ -9,6 +10,7 @@
|
|||
vars:
|
||||
ipv4_addr: "{{ auth1_ipv4_addr }}"
|
||||
- meta: flush_handlers
|
||||
# LDAP
|
||||
- name: install LDAP packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
|
@ -17,7 +19,6 @@
|
|||
- ldap-utils
|
||||
- ldapvi
|
||||
- libnss-ldapd
|
||||
- libpam-ldapd
|
||||
- nscd
|
||||
- sudo-ldap
|
||||
- name: copy slapd.conf
|
||||
|
@ -50,14 +51,6 @@
|
|||
- rfc2307bis.schema
|
||||
- csc.schema
|
||||
notify: restart slapd
|
||||
- name: copy DB_CONFIG
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: /usr/share/slapd/DB_CONFIG
|
||||
dest: /var/lib/ldap/DB_CONFIG
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify: restart slapd
|
||||
- name: make sure slapd is running
|
||||
systemd:
|
||||
name: slapd
|
||||
|
@ -75,6 +68,14 @@
|
|||
shell: rm /var/lib/ldap/*
|
||||
when: cn_config_cmd.rc == 0
|
||||
notify: restart slapd
|
||||
- name: copy DB_CONFIG
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: /usr/share/slapd/DB_CONFIG
|
||||
dest: /var/lib/ldap/DB_CONFIG
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify: restart slapd
|
||||
- name: copy ldap.conf
|
||||
template:
|
||||
src: ldap/ldap.conf.j2
|
||||
|
@ -103,8 +104,116 @@
|
|||
src: ldap/data.ldif.j2
|
||||
dest: /etc/ldap/data.ldif
|
||||
- name: load LDIF data
|
||||
command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
|
||||
ignore_errors: yes
|
||||
shell: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:/// || true
|
||||
# Kerberos
|
||||
- name: install Kerberos packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
loop:
|
||||
- krb5-admin-server
|
||||
- krb5-user
|
||||
- libpam-krb5
|
||||
- libsasl2-modules-gssapi-mit
|
||||
- sasl2-bin
|
||||
- name: override systemd services for Kerberos
|
||||
import_role:
|
||||
name: ../roles/systemd_workarounds
|
||||
vars:
|
||||
services: [ "krb5-admin-server", "krb5-kdc" ]
|
||||
- name: copy krb5.conf
|
||||
template:
|
||||
src: kerberos/krb5.conf.j2
|
||||
dest: /etc/krb5.conf
|
||||
notify:
|
||||
- restart kadmin
|
||||
- name: copy kdc.conf
|
||||
template:
|
||||
src: kerberos/kdc.conf.j2
|
||||
dest: /etc/krb5kdc/kdc.conf
|
||||
notify:
|
||||
- restart kdc
|
||||
- name: copy kadm5.acl
|
||||
copy:
|
||||
src: kerberos/kadm5.acl
|
||||
dest: /etc/krb5kdc/kadm5.acl
|
||||
notify:
|
||||
- restart kdc
|
||||
- name: create new realm
|
||||
command:
|
||||
cmd: krb5_newrealm
|
||||
# This is the KDC database master key
|
||||
stdin: |
|
||||
krb5
|
||||
krb5
|
||||
creates: /var/lib/krb5kdc/principal
|
||||
- meta: flush_handlers
|
||||
- name: add sysadmin principal
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
stdin: |
|
||||
addprinc sysadmin/admin
|
||||
krb5
|
||||
krb5
|
||||
- name: add user principals
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
stdin: |
|
||||
addprinc {{ item }}
|
||||
krb5
|
||||
krb5
|
||||
loop:
|
||||
- ctdalek
|
||||
- regular1
|
||||
# TODO: add more hosts
|
||||
- name: add host principals
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
stdin: |
|
||||
addprinc -randkey host/auth1.{{ base_domain }}
|
||||
addprinc -randkey ldap/auth1.{{ base_domain }}
|
||||
# TODO: create an Ansible role for this
|
||||
- name: copy keytab to host
|
||||
command:
|
||||
cmd: kadmin.local
|
||||
stdin: |
|
||||
ktadd host/auth1.{{ base_domain }}
|
||||
ktadd ldap/auth1.{{ base_domain }}
|
||||
- name: create keytab group
|
||||
group:
|
||||
name: keytab
|
||||
- name: allow users in keytab group to read keytab
|
||||
file:
|
||||
path: /etc/krb5.keytab
|
||||
group: keytab
|
||||
mode: 0640
|
||||
- name: add openldap user to necessary groups
|
||||
user:
|
||||
name: openldap
|
||||
groups:
|
||||
- keytab
|
||||
- sasl
|
||||
notify:
|
||||
- restart slapd
|
||||
- name: create /usr/lib/sasl2/slapd.conf
|
||||
copy:
|
||||
content: |
|
||||
mech_list: plain login gssapi external
|
||||
pwcheck_method: saslauthd
|
||||
dest: /usr/lib/sasl2/slapd.conf
|
||||
notify:
|
||||
- restart slapd
|
||||
- name: add config for saslauthd
|
||||
replace:
|
||||
path: /etc/default/saslauthd
|
||||
regexp: "^{{ item.key }}=.*$"
|
||||
replace: "{{ item.key }}={{ item.value }}"
|
||||
loop:
|
||||
- key: START
|
||||
value: 'yes'
|
||||
- key: MECHANISMS
|
||||
value: '"kerberos5"'
|
||||
notify:
|
||||
- restart saslauthd
|
||||
handlers:
|
||||
- name: restart slapd
|
||||
systemd:
|
||||
|
@ -118,3 +227,15 @@
|
|||
systemd:
|
||||
name: nscd
|
||||
state: restarted
|
||||
- name: restart kadmin
|
||||
systemd:
|
||||
name: krb5-admin-server
|
||||
state: restarted
|
||||
- name: restart kdc
|
||||
systemd:
|
||||
name: krb5-kdc
|
||||
state: restarted
|
||||
- name: restart saslauthd
|
||||
systemd:
|
||||
name: saslauthd
|
||||
state: restarted
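Review bot: The `copy kadm5.acl` task notifies `restart kdc`, but kadm5.acl is read by kadmind — the ACL file's own header in this commit says to restart krb5-admin-server — so the notify should be `- restart kadmin`; `copy krb5.conf` notifies only kadmin although the KDC reads it too, so it should list both handlers. The master key and every principal password are the literal `krb5` written into the playbook and fed on stdin of `krb5_newrealm` and `kadmin.local`; even for a lab realm they belong in a vaulted variable, and the kadmin tasks should carry `no_log: true` so the stdin block is not echoed in run output. `add sysadmin principal`, `add user principals` and `copy keytab to host` have no `creates`/`changed_when` guard, so every run re-issues addprinc (always reported as changed, and kadmin.local's exit status on a duplicate principal is not checked here) and re-runs ktadd, which bumps the key version of the host and ldap keys each time; `creates: /etc/krb5.keytab` on the ktadd task would make it run once. The tasks list this hunk sits in starts before the hunk.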
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
copy:
|
||||
content: |
|
||||
{{ mail_ipv4_addr }} mail.{{ base_domain }}
|
||||
{{ auth1_ipv4_addr }} auth1.{{ base_domain }}
|
||||
dest: /etc/dnsmasq_hosts
|
||||
notify: restart dnsmasq
|
||||
- name: add dnsmasq config
|
||||
|
|
|
@ -9,3 +9,6 @@ cname=mailman.{{ base_domain }},mail.{{ base_domain }}
|
|||
mx-host={{ base_domain }},mail.{{ base_domain }},50
|
||||
address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
|
||||
address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
|
||||
cname=ldap1.{{ base_domain }},auth1.{{ base_domain }}
|
||||
cname=kdc1.{{ base_domain }},auth1.{{ base_domain }}
|
||||
cname=kadmin.{{ base_domain }},auth1.{{ base_domain }}
|
||||
|
|
|
@ -14,6 +14,9 @@
|
|||
ProtectHome=false
|
||||
ProtectControlGroups=false
|
||||
ProtectKernelModules=false
|
||||
InaccessibleDirectories=
|
||||
ReadOnlyDirectories=
|
||||
ReadWriteDirectories=
|
||||
dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
|
||||
loop: "{{ services }}"
|
||||
register: service_overrides
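Review bot: `InaccessibleDirectories=`, `ReadOnlyDirectories=` and `ReadWriteDirectories=` are the pre-v231 spellings of `InaccessiblePaths=`, `ReadOnlyPaths=` and `ReadWritePaths=`; systemd still accepts them as aliases, but the override should use the current names so it does not read as stale. Clearing them next to `ProtectHome=false`, `ProtectControlGroups=false` and `ProtectKernelModules=false` strips all filesystem sandboxing from whatever unit is passed in `services` — now including krb5-kdc and krb5-admin-server — so a comment in the `content:` block recording which stock hardening directive breaks these units would let a later reader re-enable the rest. The `content:` block this hunk extends begins before the hunk.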
|
||||
|
|