SSO: Kerberos server on Lenny, Ubuntu 8.10 client

3 replies

cheis (Monster)
Joined: 07/11/2004
Posts: 349

Hi everyone,
I am trying to set up SSO with a Lenny server for Ubuntu 8.10 clients. I followed the guide http://www.spinlocksolutions.com/info/kerberos.html to build the server, while for the clients I followed section "5.1.3. Configuring PAM and NSS" of the guide https://help.ubuntu.com/community/SingleSignOn.
Using kinit from the clients, the users I created in Kerberos for logging in are authenticated correctly and are given a ticket. If instead I log in to the clients through gdm, the server log /var/log/kerberos/krb5kdc.log shows:

krb5kdc...192.168.100.103: NEEDED_PREAUTH: user@EXAMPLE ... Additional pre-authentication required.
kb5kdc... 192.168.100.103: ISSUE: authtime 1228479358, etypes {rep=16 tkt=16 ses=16},...

This happens even after changing default_principal_flags = +preauth to default_principal_flags = -preauth in the [realms] section of /etc/krb5kdc/kdc.conf.

Where am I going wrong?

Thanks in advance.

Knowledge is power: SHARE IT BABY!!!
_____________________________________________

cheis (Monster)

Instead of using Ubuntu 8.10 as the client I switched to Lenny. The problems I had with Ubuntu no longer occur and I can log in with users present in the Kerberos database, with their additional information stored on the LDAP server.
I would like the users' home directories to be shared from the server, so I configured NFS4; /etc/exports on the server is:

/home gss/krb5(fsid=0,rw,sync,no_root_squash,no_subtree_check)

The files in the pam.d directory on the server are:

common-account:
    account sufficient pam_krb5.so minimum_uid=1001
    account required pam_unix.so

common-auth:
    auth required pam_nologin.so
    auth sufficient pam_unix.so nullok_secure
    auth sufficient pam_krb5.so minimum_uid=1001 use_first_pass
    auth required pam_deny.so

common-password:
    password sufficient pam_krb5.so minimum_uid=1001
    password required pam_unix.so nullok obscure min=4 max=8 md5

common-session:
    session optional pam_krb5.so minimum_uid=1001
    session required pam_unix.so
    session required pam_mkhomedir.so skel=/etc/skel/
    session optional pam_foreground.so

In /etc/fstab on the client I have the line:
server:/user  /home nfs4 rw,sec=krb5 0 0

I would like a user who does not yet have a /home on the server to get one created automatically after login and accessed over NFS4. From what I understand the line session required pam_mkhomedir.so skel=/etc/skel/ should create the home of a user who does not have one. But then how do I give it a mount point in fstab that has yet to be created??
Right now, if I try to log in as a user without a home, I get in but receive the message:
No directory, logging in with HOME=/

Thanks in advance.

_____________________________________________
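As an added illustration (not code from the thread), this Python model applies Linux-PAM's control-flag rules to the common-auth stack quoted above against constructed accounts; the module functions are simplified stand-ins for pam_unix, pam_krb5, pam_nologin and pam_deny, not the real modules. It shows why a Kerberos user whose uid is below minimum_uid=1001 is denied by the final pam_deny line even with the right password, and why a local pam_unix user never reaches pam_krb5.

```python
from typing import Dict, List, Tuple

COMMON_AUTH = """
auth required pam_nologin.so
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so minimum_uid=1001 use_first_pass
auth required pam_deny.so
"""
# Constructed accounts: name -> (uid, local password or None, Kerberos password or None).
ACCOUNTS = {
    "local":  (1000, "l0cal", None),     # /etc/passwd user without a principal
    "kuser":  (1001, None, "kerb3ros"),  # Kerberos/LDAP user with uid >= minimum_uid
    "lowuid": (1000, None, "kerb3ros"),  # Kerberos user whose uid is below minimum_uid
}

def parse_stack(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """pam.d lines -> (control, module, args); blank and comment lines are skipped."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        _type, control, module, *raw = parts
        args = dict(a.split("=", 1) if "=" in a else (a, "") for a in raw)
        stack.append((control, module, args))
    return stack

# Simplified stand-ins for the real modules. Each returns "success", "failure"
# or "ignore" (PAM_IGNORE, which never influences the stack's result).
def pam_unix(acct, pw, args, env):
    return "success" if acct[1] is not None and pw == acct[1] else "failure"

def pam_krb5(acct, pw, args, env):
    if acct[0] < int(args.get("minimum_uid", "0")):
        return "ignore"  # below minimum_uid the module does not even contact the KDC
    return "success" if acct[2] is not None and pw == acct[2] else "failure"

MODULES = {
    "pam_nologin.so": lambda acct, pw, args, env: "failure" if env.get("nologin") else "success",
    "pam_unix.so": pam_unix,
    "pam_krb5.so": pam_krb5,
    "pam_deny.so": lambda acct, pw, args, env: "failure",
}

def run_stack(stack, acct, password, env=None) -> str:
    """Apply Linux-PAM's simple control flags and return "success" or "failure".
    required: a failure is remembered but the rest of the stack still runs;
    requisite: a failure ends the stack at once; sufficient: a success ends the
    stack with success unless a required module already failed, a failure is
    ignored; optional: counts only if nothing else has decided."""
    env = env or {}
    impression = None  # None = undecided, otherwise "pass" or "fail"
    for control, module, args in stack:
        result = MODULES[module](acct, password, args, env)
        if result == "ignore":
            continue
        if control in ("required", "requisite"):
            if result == "failure":
                impression = "fail"
                if control == "requisite":
                    break
            elif impression is None:
                impression = "pass"
        elif control == "sufficient" and result == "success" and impression != "fail":
            return "success"
        elif control == "optional" and result == "success" and impression is None:
            impression = "pass"
    return "success" if impression == "pass" else "failure"
```

Passing {"nologin": True} as env models an existing /etc/nologin: the required pam_nologin failure is remembered, so the later sufficient pam_unix success can no longer rescue the login.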

cheis (Monster)

Answering myself:

I obtained independence from the mount point using autofs5 (version 5 supports NFS4), in two ways.

1) Simply by configuring the following files:
auto.master:

host# cat /etc/auto.master
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc      /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#      "nosuid" and "nodev" options unless the "suid" and "dev"
#        options are explicitly given.
#
#/net       -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
/home    /etc/auto.home
+auto.master

And the auto.home file:
host# cat /etc/auto.home
#
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# Details may be found in the autofs(5) manpage

#cd            -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom

# the following entries are samples to pique your imagination
*           -fstype=nfs4,rw,sec=krb5          server.etch:/&
#linux               -ro,soft,intr           ftp.example.org:/pub/linux
#boot          -fstype=ext2            :/dev/hda1
#floppy                -fstype=auto            :/dev/fd0
#floppy         -fstype=ext2            :/dev/fd0
#e2floppy       -fstype=ext2            :/dev/fd0
#jaz            -fstype=ext2            :/dev/sdc1
#removable     -fstype=ext2            :/dev/hdd

This way I obtained independence of access from the host machine, i.e. any user configured on the server could log in from any host (even if for now there is only one).

To make it all a bit more independent I decided to enable autofs's LDAP support. Given how I had set things up, I had to enable SASL2 support for LDAP, kerberizing it by following http://www.lilik.it/wiki/doku.php?id=kerberosldap. At that point I kerberized autofs5 as well; the auto.master and auto.home files were no longer needed. I used:

host# cat /etc/default/autofs
#
# Define default options for autofs.
#
# MASTER_MAP_NAME - default map name for the master map.
#
#MASTER_MAP_NAME="/etc/auto.master"
#
# TIMEOUT - set the default mount timeout (default 600).
#
TIMEOUT=300
#
# NEGATIVE_TIMEOUT - set the default negative timeout for
#                 failed mount attempts (default 60).
#
#NEGATIVE_TIMEOUT=60
#
# BROWSE_MODE - maps are browsable by default.
#
BROWSE_MODE="no"
#
# APPEND_OPTIONS - append to global options instead of replace.
#
#APPEND_OPTIONS="yes"
#
# LOGGING - set default log level "none", "verbose" or "debug"
#
LOGGING="debug"
#
# Define server URIs
#
# LDAP_URI - space seperated list of server uris of the form
#       <proto>://<server>[/] where <proto> can be ldap
#       or ldaps. The option can be given multiple times.
#       Map entries that include a server name override
#         this option.
#
LDAP_URI="ldaps://server.etch/"
#
# LDAP__TIMEOUT - timeout value for the synchronous API  calls
#            (default is LDAP library default).
#
LDAP_TIMEOUT=-1
#
# LDAP_NETWORK_TIMEOUT - set the network response timeout (default 8).
#
LDAP_NETWORK_TIMEOUT=8
#
# Define base dn for map dn lookup.
#
# SEARCH_BASE - base dn to use for searching for map search dn.
#            Multiple entries can be given and they are checked
#              in the order they occur here.
#
SEARCH_BASE="dc=server,dc=etch"
#
# Define the LDAP schema to used for lookups
#
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basdn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
#MAP_OBJECT_CLASS="nisMap"
#ENTRY_OBJECT_CLASS="nisObject"
#MAP_ATTRIBUTE="nisMapName"
#ENTRY_ATTRIBUTE="cn"
#VALUE_ATTRIBUTE="nisMapEntry"
#
# Other common LDAP nameing
#
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="ou"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="automountInformation"
#
#MAP_OBJECT_CLASS="automountMap"
#ENTRY_OBJECT_CLASS="automount"
#MAP_ATTRIBUTE="automountMapName"
#ENTRY_ATTRIBUTE="automountKey"
#VALUE_ATTRIBUTE="automountInformation"
#
# AUTH_CONF_FILE - set the default location for the SASL
#                     authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
#
# General global options
#
OPTIONS="-v"
#

And the file:
host# cat /etc/autofs_ldap_auth.conf
<?xml version="1.0" ?>
<!--
This files contains a single entry with multiple attributes tied to it.
The attributes are:

usetls  -  Determines whether an encrypted connection to the ldap server
           should be attempted.  Legal values for the entry are:
           "yes"
           "no"

tlsrequired  -  This flag tells whether the ldap connection must be
           encrypted.  If set to "yes", the automounter will fail to start
           if an encrypted connection cannot be established.  Legal values
           for this option include:
           "yes"
           "no"

authrequired  -  This option tells whether an authenticated connection to
           the ldap server is required in order to perform ldap queries.
           If this flag is set to yes, then only authenticated connections
           will be allowed. If it is set to no then authentication is not
           needed for ldap server connections. Finally, if it is set to
           autodetect then the ldap server will be queried to establish
           a suitable authentication mechanism. If no suitable mechanism
           can be found, connections to the ldap server are made without
           authentication.
           Legal values for this option include:
           "yes"
           "no"
           "autodetect"

authtype  -  This attribute can be used to specify a preferred
           authentication mechanism.  In normal operations, the
           automounter will attempt to authenticate to the ldap server
           using the list of supportedSASLmechanisms obtained from the
           directory server.  Explicitly setting the authtype will bypass
           this selection and only try the mechanism specified.  Legal
           values for this attribute include:
           "GSSAPI"
           "LOGIN"
           "PLAIN"
           "ANONYMOUS"
           "DIGEST-MD5"

user  -  This attribute holds the authentication identity used by
           authentication mechanisms that require it.  Legal values for
           this attribute include any printable characters that can be
           used by the selected authentication mechanism.

secret  -  This attribute holds the secret used by authentication
           mechanisms that require it.  Legal values for this attribute
           include any printable characters that can be used by the
           selected authentication mechanism.

clientprinc  -  When using GSSAPI authentication, this attribute is
           consulted to determine the principal name to use when
           authenticating to the directory server.  By default, this will
           be set to "autofsclient/<fqdn>@<REALM>.

credentialcache - When using GSSAPI authentication, this attribute
           can be used to specify an externally configured credential
           cache that is used during authentication. By default, autofs
           will setup a memory based credential cache.
-->

<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="no"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="autofs/host.server.etch"
/>

To get the equivalent of the auto.master and auto.home files I read http://www.openldap.org/lists/openldap-software/200106/msg00355.html and exported everything to LDAP.
This way the login lands on the correct home directory, independently of the host.

Now I have the problem of quotas on the home directories: skimming the man page I read that mount ignores usrquota and grpquota. Then there is the problem of users accessing other users' homes: from their own home a user can cd .. and see everyone else's. I think the solution is chroot, but I still need to read up on it. If anyone has tips while I look into it, they are welcome.

Bye for now.

_____________________________________________
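As an added example (not the poster's own code), this Python function emulates the indirect-map lookup autofs performs for the maps above: the master map hands /home to auto.home, the `*` key matches any user name, `&` in the location is replaced by that name, and `-fstype=` picks the mount type. It also honours explicit keys over the wildcard, which goes beyond the single live line in the post; the map contents are constructed copies of the quoted lines.

```python
from typing import Dict, List, Optional, Tuple

# Constructed copies of the live lines of the two maps quoted in the post
# (comments dropped): /etc/auto.master hands /home to /etc/auto.home.
MAPS: Dict[str, str] = {
    "/etc/auto.master": "/home    /etc/auto.home\n+auto.master\n",
    "/etc/auto.home": "*           -fstype=nfs4,rw,sec=krb5          server.etch:/&\n",
}

Entry = Tuple[str, str, str]  # (key, options without the leading '-', location)

def parse_map(text: str) -> List[Entry]:
    """Parse 'key [-opts] location' lines; comments and '+' includes are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+":
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1].startswith("-"):
            entries.append((parts[0], parts[1][1:], parts[2]))
        elif len(parts) == 2:
            entries.append((parts[0], "", parts[1]))
        else:
            raise ValueError(f"cannot parse map line: {line!r}")
    return entries

def lookup(indirect_map: str, key: str) -> Optional[Entry]:
    """An explicit key wins; otherwise the '*' wildcard matches and '&' becomes the key."""
    entries = parse_map(indirect_map)
    for k, opts, loc in entries:
        if k == key:
            return (key, opts, loc.replace("&", key))
    for k, opts, loc in entries:
        if k == "*":
            return (key, opts, loc.replace("&", key))
    return None

def mount_argv(maps: Dict[str, str], path: str) -> Optional[List[str]]:
    """Resolve /<mountpoint>/<key> through the master map into a mount(8) argv.

    '-fstype=X' selects 'mount -t X' (autofs defaults to nfs); the remaining
    comma-separated options are passed with -o.
    """
    mountpoint, _, key = path.rpartition("/")
    for mp, _opts, map_path in parse_map(maps["/etc/auto.master"]):
        if mp != mountpoint or map_path not in maps:
            continue
        entry = lookup(maps[map_path], key)
        if entry is None:
            return None  # neither an explicit key nor a wildcard: the lookup fails
        fstype, rest = "nfs", []
        for opt in entry[1].split(","):
            if opt.startswith("fstype="):
                fstype = opt[len("fstype="):]
            elif opt:
                rest.append(opt)
        argv = ["mount", "-t", fstype]
        if rest:
            argv += ["-o", ",".join(rest)]
        return argv + [entry[2], path]
    return None
```

For /home/alice the result is the mount autofs would issue on first access, mount -t nfs4 -o rw,sec=krb5 server.etch:/alice /home/alice, which is why no per-user fstab line is needed.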