diff --git a/auth1/kerberos/kadm5.acl b/auth1/kerberos/kadm5.acl
new file mode 100644
index 0000000..76df603
--- /dev/null
+++ b/auth1/kerberos/kadm5.acl
@@ -0,0 +1,6 @@
+# This file Is the access control list for krb5 administration.
+# When this file is edited run service krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal
+# ending in /admin is given full administrative rights.
+# To enable this, uncomment the following line:
+*/admin *
diff --git a/auth1/kerberos/kdc.conf.j2 b/auth1/kerberos/kdc.conf.j2
new file mode 100644
index 0000000..0c4a444
--- /dev/null
+++ b/auth1/kerberos/kdc.conf.j2
@@ -0,0 +1,19 @@
+[kdcdefaults]
+ kdc_ports = 88
+
+[realms]
+ CSCLUB.INTERNAL = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+ default_principal_flags = +preauth
+ iprop_enable = true
+ iprop_slave_poll = 2m
+ iprop_port = 750
+ }
diff --git a/auth1/kerberos/krb5.conf.j2 b/auth1/kerberos/krb5.conf.j2
new file mode 100644
index 0000000..4a07911
--- /dev/null
+++ b/auth1/kerberos/krb5.conf.j2
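Review bot: The comment block in kadm5.acl ends with "To enable this, uncomment the following line:" but the line that follows, `*/admin *`, is already active, so the file grants every principal with an `/admin` instance full kadmin rights while its own text says the rule is off. Either keep the wildcard and make the comment match, e.g. `# Any principal ending in /admin has full administrative rights:`, or narrow it to the one administrator this playbook actually creates, `sysadmin/admin *`. The distinction matters because the wildcard would also cover `ceod/admin`, which slapd.conf.j2 maps to `cn=ceod`, should that principal ever be created. The "Is" typo on the first comment line can be fixed in the same pass.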
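Review bot: kdc.conf.j2 sets `master_key_type = des3-hmac-sha1` and a `supported_enctypes` list that still carries single-DES (`des-cbc-crc:normal` and the `des:*` salt variants) and `arcfour-hmac`, so a realm created from this template starts life on deprecated ciphers, and on MIT krb5 1.18 or later, which dropped single DES, those entries will be rejected or ignored depending on the installed version — worth checking against the target release. For a brand-new realm there is no compatibility reason to keep them; `master_key_type = aes256-cts` with `supported_enctypes = aes256-cts:normal aes128-cts:normal` is the usual starting point. The realm name is hard-coded as `CSCLUB.INTERNAL` even though this is a .j2 template and main.yml in this same commit defines `krb_realm` for exactly that purpose; the same hard-coding appears in krb5.conf.j2's `[domain_realm]` block (`.csclub.internal` instead of `.{{ base_domain }}`) and in slapd.conf.j2's `sasl-realm`/`authz-regexp` lines. `iprop_enable = true` advertises incremental propagation on port 750, yet nothing in this commit creates a replica or the principals that iprop needs, so a comment stating whether that is planned or the setting should be dropped would help.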
@@ -0,0 +1,46 @@
+[libdefaults]
+ default_realm = {{ krb_realm }}
+
+# The following krb5.conf variables are only for MIT Kerberos.
+ kdc_timesync = 1
+ ccache_type = 4
+ forwardable = true
+ proxiable = true
+
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+ # For NFS, apparently
+ allow_weak_crypto = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented. In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# The only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+# default_tgs_enctypes = des3-hmac-sha1
+# default_tkt_enctypes = des3-hmac-sha1
+# permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+ fcc-mit-ticketflags = true
+
+[realms]
+ {{ krb_realm }} = {
+ kdc = kdc1.{{ base_domain }}
+ admin_server = kadmin.{{ base_domain }}
+ }
+
+[domain_realm]
+ .csclub.internal = {{ krb_realm }}
+ csclub.internal = {{ krb_realm }}
+
+[logging]
+ kdc = SYSLOG:INFO:AUTH
+ admin_server = SYSLOG:INFO:AUTH
+ default = SYSLOG:INFO:AUTH
diff --git a/auth1/ldap/data.ldif.j2 b/auth1/ldap/data.ldif.j2
index f4ce33c..34be863 100644
--- a/auth1/ldap/data.ldif.j2
+++ b/auth1/ldap/data.ldif.j2
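Review bot: `allow_weak_crypto = true` under `[libdefaults]` re-enables single-DES and the other weak enctypes for every client that reads this krb5.conf, and its only justification is the comment `# For NFS, apparently`, which admits that nobody confirmed the need. Current Linux NFS clients and servers negotiate AES enctypes, so the flag can most likely be dropped together with the DES entries in kdc.conf.j2; if it has to stay, the comment should name the specific client or server that requires it, e.g. `# Required by <host — TODO confirm> which only negotiates DES; remove once it is upgraded`, so the next person can retire it deliberately rather than guess. Note too that the surrounding comment block about `default_tgs_enctypes` says the MIT defaults are correct and should not be overridden, which is exactly the advice this setting ignores.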
@@ -45,17 +45,14 @@ sudoHost: ALL sudoCommand: ALL sudoRunAsUser: ALL -# The password for each user is slapd. -# The hashes were generated with slappasswd. - dn: uid=ctdalek,ou=People,{{ ldap_base }} cn: Calum Dalek -userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK +userPassword: {SASL}ctdalek@{{ krb_realm }} loginShell: /bin/bash -homeDirectory: /home/ctdalek -uidNumber: 10101 +homeDirectory: /users/ctdalek uid: ctdalek -gidNumber: 10101 +uidNumber: 20001 +gidNumber: 20001 objectClass: top objectClass: account objectClass: posixAccount
@@ -69,4 +66,27 @@ objectClass: top objectClass: group objectClass: posixGroup cn: ctdalek -gidNumber: 10101 +gidNumber: 20001 + +dn: uid=regular1,ou=People,{{ ldap_base }} +cn: Regular One +userPassword: {SASL}regular1@{{ krb_realm }} +loginShell: /bin/bash +homeDirectory: /users/regular1 +uid: regular1 +uidNumber: 20002 +gidNumber: 20002 +objectClass: top +objectClass: account +objectClass: posixAccount +objectClass: shadowAccount +objectClass: member +program: MAT/Mathematics Computer Science +term: s2021 + +dn: cn=regular1,ou=Group,{{ ldap_base }} +objectClass: top +objectClass: group +objectClass: posixGroup +cn: regular1 +gidNumber: 20002
diff --git a/auth1/ldap/slapd.conf.j2 b/auth1/ldap/slapd.conf.j2
index 360f354..52cc2c1 100644
--- a/auth1/ldap/slapd.conf.j2
+++ b/auth1/ldap/slapd.conf.j2
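Review bot: The first hunk deletes the two comment lines that explained how `userPassword` was verified and puts nothing in their place, so a reader now meets `userPassword: {SASL}ctdalek@{{ krb_realm }}` with no hint that slapd no longer compares a hash but hands the simple bind to SASL, which main.yml in this commit wires to saslauthd with the kerberos5 mechanism. I would restore a short comment above the first People entry, e.g. `# {SASL} values hold no secret: simple binds are passed to saslauthd (kerberos5), so every uid below needs a matching Kerberos principal.` The renumbering of `uidNumber`/`gidNumber` from 10101 to the 20001+ range and the move of home directories from /home to /users are also unexplained; one line on why the old ids were abandoned would tell the next maintainer whether files already on disk need re-owning.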
@@ -45,15 +45,15 @@ timelimit unlimited localssf 128 # map kerberos users to ldap users -# sasl-realm CSCLUB.UWATERLOO.CA -# authz-regexp "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth" -# "uid=$1,ou=people,{{ ldap_base }}" -# authz-regexp "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth" -# "cn=ceod,{{ ldap_base }}" -# authz-regexp "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth" -# "cn=ldap-slave,{{ ldap_base }}" -# authz-regexp "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth" -# "cn=renewal,{{ ldap_base }}" +sasl-realm CSCLUB.INTERNAL +authz-regexp "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth" + "uid=$1,ou=people,dc=csclub,dc=internal" +authz-regexp "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth" + "cn=ceod,dc=csclub,dc=internal" +authz-regexp "uid=ldap/auth2.csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth" + "cn=ldap-slave,dc=csclub,dc=internal" +authz-regexp "uid=renewal/([^/=]*).csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth" + "cn=renewal,dc=csclub,dc=internal" # map sasl external users to ldap users #authz-regexp "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
diff --git a/auth1/main.yml b/auth1/main.yml
index 1447270..c2bf563 100644
--- a/auth1/main.yml
+++ b/auth1/main.yml
@@ -2,6 +2,7 @@ - hosts: auth1 vars: ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}" + krb_realm: "{{ base_domain.upper() }}" tasks: - name: setup networking import_role:
@@ -9,6 +10,7 @@ vars: ipv4_addr: "{{ auth1_ipv4_addr }}" - meta: flush_handlers + # LDAP - name: install LDAP packages apt: name: "{{ item }}"
@@ -17,7 +19,6 @@ - ldap-utils - ldapvi - libnss-ldapd - - libpam-ldapd - nscd - sudo-ldap - name: copy slapd.conf 
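Review bot: The newly active `authz-regexp` rules hard-code `dc=csclub,dc=internal` where the commented-out versions they replace used `{{ ldap_base }}`, so this template now diverges from the `ldap_base` variable that every other DN in the playbook, data.ldif.j2 included, is built from. Restoring the variable, e.g. `"uid=$1,ou=people,{{ ldap_base }}"` and `"cn=ceod,{{ ldap_base }}"` for the others, keeps one source of truth; the same applies to `auth2.csclub.internal`, which should be `auth2.{{ base_domain }}`. In the renewal rule the `.` in `([^/=]*).csclub.internal` is an unescaped regex metacharacter and matches any character, so `\.` is what is meant there and in the `ldap/auth2` rule. The leading rule's `[^/=]*` group maps every instance-less principal in the realm straight to `uid=<name>,ou=people`; that is presumably intended for user principals, but a one-line comment saying so would make the scope of the mapping explicit.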
@@ -50,14 +51,6 @@ - rfc2307bis.schema - csc.schema notify: restart slapd - - name: copy DB_CONFIG - copy: - remote_src: yes - src: /usr/share/slapd/DB_CONFIG - dest: /var/lib/ldap/DB_CONFIG - owner: openldap - group: openldap - notify: restart slapd - name: make sure slapd is running systemd: name: slapd
@@ -75,6 +68,14 @@ shell: rm /var/lib/ldap/* when: cn_config_cmd.rc == 0 notify: restart slapd + - name: copy DB_CONFIG + copy: + remote_src: yes + src: /usr/share/slapd/DB_CONFIG + dest: /var/lib/ldap/DB_CONFIG + owner: openldap + group: openldap + notify: restart slapd - name: copy ldap.conf template: src: ldap/ldap.conf.j2 
@@ -103,8 +104,116 @@ src: ldap/data.ldif.j2 dest: /etc/ldap/data.ldif - name: load LDIF data - command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:/// - ignore_errors: yes + shell: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:/// || true + # Kerberos + - name: install Kerberos packages + apt: + name: "{{ item }}" + loop: + - krb5-admin-server + - krb5-user + - libpam-krb5 + - libsasl2-modules-gssapi-mit + - sasl2-bin + - name: override systemd services for Kerberos + import_role: + name: ../roles/systemd_workarounds + vars: + services: [ "krb5-admin-server", "krb5-kdc" ] + - name: copy krb5.conf + template: + src: kerberos/krb5.conf.j2 + dest: /etc/krb5.conf + notify: + - restart kadmin + - name: copy kdc.conf + template: + src: kerberos/kdc.conf.j2 + dest: /etc/krb5kdc/kdc.conf + notify: + - restart kdc + - name: copy kadm5.acl + copy: + src: kerberos/kadm5.acl + dest: /etc/krb5kdc/kadm5.acl + notify: + - restart kdc + - name: create new realm + command: + cmd: krb5_newrealm + # This is the KDC database master key + stdin: | + krb5 + krb5 + creates: /var/lib/krb5kdc/principal + - meta: flush_handlers + - name: add sysadmin principal + command: + cmd: kadmin.local + stdin: | + addprinc sysadmin/admin + krb5 + krb5 + - name: add user principals + command: + cmd: kadmin.local + stdin: | + addprinc {{ item }} + krb5 + krb5 + loop: + - ctdalek + - regular1 + # TODO: add more hosts + - name: add host principals + command: + cmd: kadmin.local + stdin: | + addprinc -randkey host/auth1.{{ base_domain }} + addprinc -randkey ldap/auth1.{{ base_domain }} + # TODO: create an Ansible role for this + - name: copy keytab to host + command: + cmd: kadmin.local + stdin: | + ktadd host/auth1.{{ base_domain }} + ktadd ldap/auth1.{{ base_domain }} + - name: create keytab group + group: + name: keytab + - name: allow users in keytab group to read keytab + file: + path: /etc/krb5.keytab + group: keytab + mode: 0640 + - name: add openldap user to necessary groups + 
user: + name: openldap + groups: + - keytab + - sasl + notify: + - restart slapd + - name: create /usr/lib/sasl2/slapd.conf + copy: + content: | + mech_list: plain login gssapi external + pwcheck_method: saslauthd + dest: /usr/lib/sasl2/slapd.conf + notify: + - restart slapd + - name: add config for saslauthd + replace: + path: /etc/default/saslauthd + regexp: "^{{ item.key }}=.*$" + replace: "{{ item.key }}={{ item.value }}" + loop: + - key: START + value: 'yes' + - key: MECHANISMS + value: '"kerberos5"' + notify: + - restart saslauthd handlers: - name: restart slapd systemd:
@@ -118,3 +227,15 @@ systemd: name: nscd state: restarted + - name: restart kadmin + systemd: + name: krb5-admin-server + state: restarted + - name: restart kdc + systemd: + name: krb5-kdc + state: restarted + - name: restart saslauthd + systemd: + name: saslauthd + state: restarted
diff --git a/dns/main.yml b/dns/main.yml
index 225f7ce..34da500 100644
--- a/dns/main.yml
+++ b/dns/main.yml
@@ -16,6 +16,7 @@ copy: content: | {{ mail_ipv4_addr }} mail.{{ base_domain }} + {{ auth1_ipv4_addr }} auth1.{{ base_domain }} dest: /etc/dnsmasq_hosts notify: restart dnsmasq - name: add dnsmasq config
diff --git a/dns/templates/dnsmasq.conf.j2 b/dns/templates/dnsmasq.conf.j2
index fac609d..fb6031a 100644
--- a/dns/templates/dnsmasq.conf.j2
+++ b/dns/templates/dnsmasq.conf.j2
@@ -9,3 +9,6 @@ cname=mailman.{{ base_domain }},mail.{{ base_domain }} mx-host={{ base_domain }},mail.{{ base_domain }},50 address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }} address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }} +cname=ldap1.{{ base_domain }},auth1.{{ base_domain }} +cname=kdc1.{{ base_domain }},auth1.{{ base_domain }} +cname=kadmin.{{ base_domain }},auth1.{{ base_domain }}
diff --git a/roles/systemd_workarounds/tasks/main.yml b/roles/systemd_workarounds/tasks/main.yml
index 59c88d9..cd780bc 100644
--- a/roles/systemd_workarounds/tasks/main.yml
+++ b/roles/systemd_workarounds/tasks/main.yml
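Review bot: The `create new realm`, `add sysadmin principal` and `add user principals` tasks in the `@@ -103,8 +104,116 @@` hunk feed the literal `krb5` to krb5_newrealm and kadmin.local through `stdin`, so the KDC master key (also persisted via `key_stash_file`), the `sysadmin/admin` password that kadm5.acl grants full rights to, and every user password are one well-known string committed to the repository. Even for a lab realm these belong in variables, ideally Ansible Vault, e.g. `stdin: "{{ krb_master_password }}\n{{ krb_master_password }}\n"` (placeholder name) with `no_log: true` on each task so the values do not land in the play output. The `copy keytab to host` task runs `ktadd` on every play, and ktadd re-randomizes the key and bumps the kvno each time, invalidating any service ticket issued against the previous key, so it needs either `creates: /etc/krb5.keytab` or `ktadd -norandkey ...`. Because both `host/` and `ldap/` keys are written to the same `/etc/krb5.keytab` that the `keytab` group can read, slapd (added to that group in this hunk) can read the host key as well; writing the ldap key to its own file with `ktadd -k /etc/ldap/ldap.keytab ldap/auth1.{{ base_domain }}` and pointing slapd at that file would keep it to least privilege. The two addprinc tasks are likewise unguarded and re-run `addprinc` against existing principals on every play, so a `creates:` marker or a preceding `getprinc` check is needed for idempotence.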
@@ -14,6 +14,9 @@ ProtectHome=false ProtectControlGroups=false ProtectKernelModules=false + InaccessibleDirectories= + ReadOnlyDirectories= + ReadWriteDirectories= dest: "/etc/systemd/system/{{ item }}.service.d/override.conf" loop: "{{ services }}" register: service_overrides
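Review bot: `InaccessibleDirectories=`, `ReadOnlyDirectories=` and `ReadWriteDirectories=` are the pre-v231 spellings; systemd renamed them to `InaccessiblePaths=`, `ReadOnlyPaths=` and `ReadWritePaths=` and, as far as I know, keeps the old names only as compatibility aliases, so the override should use the current names to match what the stock units declare and to survive a future removal of the aliases. More importantly, these three empty assignments, together with the `ProtectHome=false` and `ProtectControlGroups=false` context lines, strip the filesystem sandboxing from every unit passed in `services` (krb5-kdc and krb5-admin-server from auth1/main.yml), and nothing in the override records why; a first line such as `# Drops the upstream unit's filesystem sandboxing; needed because <reason — TODO confirm>` would stop a later cleanup from either re-tightening it blindly or leaving it loosened forever. The `copy:`/`content: |` task that this block belongs to starts before the hunk.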