NFSv4: is KRB needed???
Aleksandar Milivojevic
amilivojevic at pbl.ca
Thu Jan 6 14:52:09 UTC 2005
Damir Dezeljin wrote:
> I guess that the problem is related to KRB (Kerberos-5). My authentication
> backend is OpenLDAP. I don't want to change.
> Do I really need KRB to use NFSv4? If yes ... is it possible to use data
> from OpenLDAP for KRB?
I can't answer your first question.
As for your second question, getting Kerberos and OpenLDAP to work
together is simple.
There are apparently two ways of doing it.
The first approach is to let Kerberos handle authentication, and use LDAP
for everything else. Using this approach, you can use either Kerberos
or LDAP to check passwords (in the latter case, the LDAP server will check
the password against Kerberos for you). Check this page for some hints:
http://www.ofb.net/~jheiss/krbldap/howto.html
In short (plus some hints not present on that page), you set up Kerberos
as usual, define users (now called principals) and so on. I will assume
that you have set up /etc/krb5.conf and placed the key for
host/hostname.yourdomain.com at YOUR.KRB.REALM.COM into /etc/krb5.keytab
file as part of this setup on your LDAP server.
On your OpenLDAP server, create the file /usr/lib/sasl2/slapd.conf, and
place a single line in it:
pwcheck_method: saslauthd
(or you can simply copy existing Sendmail.conf file).
Edit the /etc/sysconfig/saslauthd file and make sure these two are defined as
follows:
MECH=kerberos5
FLAGS=-r
Enable saslauthd and start it:
# chkconfig saslauthd on
# /etc/init.d/saslauthd start
Then in your LDAP database, instead of placing passwords in the userPassword
attribute, you place something like this (note that by convention, realm
names should always be uppercase, and remember that Kerberos names are
case sensitive):
userPassword: {SASL}username at YOUR.KRB.REALM.COM
When slapd encounters this in userPassword attribute, it will connect to
saslauthd, and saslauthd will check the password against your Kerberos
realm (based on the config from /etc/krb5.conf). If using MIT
implementation, you must have key for
host/hostname.yourdomain.com at YOUR.KRB.REALM.COM principal in
/etc/krb5.keytab file (this file should be readable only by root).
You can also define ldap principal
(ldap/hostname.yourdomain.com at YOUR.KRB.REALM.COM), place key for it in
/etc/openldap/ldap.key on your LDAP server (make the file readable only
by ldap user), and place "KRB5_KTNAME=/etc/openldap/ldap.keytab" in
/etc/sysconfig/ldap.
It is also possible to go the other way around, and use OpenLDAP as
store for Kerberos (you'll need krb5-kdc.schema included in your
slapd.conf file). I've never done that, but a bit searching on the web
should help you.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
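The following is an added example, not part of the post above: a small POSIX shell audit of the slapd -> saslauthd -> Kerberos pass-through it describes. It checks the three pieces the post configures (pwcheck_method in the SASL slapd.conf, MECH/FLAGS in /etc/sysconfig/saslauthd, root-only keytab mode) and validates a userPassword value of the {SASL}user@REALM form, where the realm must be uppercase. The optional prefix argument, the function names and the GNU `stat -c` call are assumptions so the checks can be run against a staging copy of the tree.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the configuration
# described above. $1 is an optional path prefix (assumption: empty means
# the live system; a staging copy of /etc and /usr can be passed instead).
check_sasl_ldap_setup() {
    root="${1:-}"
    rc=0
    slapd_conf="$root/usr/lib/sasl2/slapd.conf"
    sasl_sysconfig="$root/etc/sysconfig/saslauthd"
    keytab="$root/etc/krb5.keytab"

    # 1. slapd must hand password checks to saslauthd.
    if ! grep -qs '^pwcheck_method:[[:space:]]*saslauthd' "$slapd_conf"; then
        echo "FAIL: $slapd_conf lacks 'pwcheck_method: saslauthd'"; rc=1
    fi
    # 2. saslauthd must use the kerberos5 mechanism with -r (realm appended).
    if ! grep -qs '^MECH=kerberos5' "$sasl_sysconfig"; then
        echo "FAIL: $sasl_sysconfig: MECH is not kerberos5"; rc=1
    fi
    if ! grep -qs '^FLAGS=.*-r' "$sasl_sysconfig"; then
        echo "FAIL: $sasl_sysconfig: FLAGS does not contain -r"; rc=1
    fi
    # 3. The keytab should be readable only by root (mode 0600 or 0400).
    #    Uses GNU stat -c (assumption: Linux/coreutils).
    if [ -e "$keytab" ]; then
        perm=$(stat -c '%a' "$keytab" 2>/dev/null)
        case "$perm" in
            600|400) ;;
            *) echo "FAIL: $keytab mode $perm is not 0600/0400"; rc=1 ;;
        esac
    else
        echo "FAIL: $keytab missing"; rc=1
    fi
    return $rc
}

# Validate one userPassword value: must be {SASL}user@REALM and the realm
# must be uppercase (Kerberos names are case sensitive).
check_sasl_userpassword() {
    case "$1" in
        '{SASL}'*@*)
            realm="${1##*@}"
            [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ;;
        *) return 1 ;;
    esac
}
```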