Recently I took a project to setup a SSO (Single Sign On) System for a small lab. We had a set of 25 computers, each with the following configuration:
The Incremental Model:
1st architecture:
1 Server, the master server, who shall be thus referred to as cnl.cnl.net. (cnl stands for computer networks lab, for the more inquisitive readers). cnl.net is the realm/ring that we label all the computers in the lab with.
Setting up the Kerberos Server.
I followed this to setup the Kerberos Server. Its pretty much self explanatory. Few changes :
[realms]
CNL.NET = {
kdc = cnl.cnl.net:88
admin_server = cnl.cnl.net:749
default_domain = cnl.net
}
[domain_realm]
.cnl.net = CNL.NET
[libdefaults]
default_realm = CNL.NET
dns_lookup_realm = false
dns_lookup_kdc = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
Troubleshooting and Testing The server:
principal : any identity that asks for a ticket is called a principal [READ THIS]. For our usage, we setup the following principals.
primary/instance@REALM
Note that for shehbaz, the default non-admin instance is taken.
some useful krb server commands:
server# kadmin -p krbadmin/admin
kadmin: listprincs
kadmin: addprinc root/admin
kadmin: addprinc shehbaz
Setting up LDAP
Running into a lot of issues right now. Messed up slapd configuration files. restoration took a lot of effort.
[TODO] Read up on ldap before trying to configure it.
LDAP terminologies given here
After a lot of reading, understood a bit of LDAP structure. Refer this this and this for a more detailed understanding.
Heres are some interesting things that one should know:
- i3 processors (two cores)
- 500 GB HDD
- 4GB RAM
The Incremental Model:
1st architecture:
1 Server, the master server, who shall be thus referred to as cnl.cnl.net. (cnl stands for computer networks lab, for the more inquisitive readers). cnl.net is the realm/ring that we label all the computers in the lab with.
Day 1:
Setting up Server, DHCP Hostname.- We setup a single server, a Debian OS. (We do that because of an innate bias towards Debian OS, also due to over familiarity with using Ubuntu. :P)
- We configure the servers dhcp client name (Note that all the machines in the lab are dhcp clients, including our Kerberos server, LDAP Server). for this we need to make changes in /etc/hosts file.
- We decide to name the realm cnl.net . (A better extension would have been cnl.lab, but that is something we are going to ignore).
- Hence the name assigned to the server ends with cnl.net. The hostname is now cnl.cnl.net. (This can be checked using the command hostname -f )
Setting up the Kerberos Server.
I followed this to setup the Kerberos Server. Its pretty much self explanatory. Few changes :
- During installation of krb5-admin-server , there are a few default realm names, passwords, and principal users that are asked for. They are also self explanatory, just keep in mind to end the hostname with cnl.net.
- My /etc/krb5.conf file looks like this:
[realms]
CNL.NET = {
kdc = cnl.cnl.net:88
admin_server = cnl.cnl.net:749
default_domain = cnl.net
}
[domain_realm]
.cnl.net = CNL.NET
[libdefaults]
default_realm = CNL.NET
dns_lookup_realm = false
dns_lookup_kdc = false
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
Troubleshooting and Testing The server:
principal : any identity that asks for a ticket is called a principal [READ THIS]. For our usage, we setup the following principals.
- harshal/admin@cnl.net
- shehbaz@cnl.net.
primary/instance@REALM
Note that for shehbaz, the default non-admin instance is taken.
some useful krb server commands:
server# kadmin -p krbadmin/admin
kadmin: listprincs
kadmin: addprinc root/admin
kadmin: addprinc shehbaz
Kerberos testing
Create ticket
server# kinit shehbaz Password for shehbaz@CNL.NET:
Create ticket
server# kinit shehbaz Password for shehbaz@CNL.NET:
Verify ticket
server# klist
# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: shehbaz@CNL.NET
Valid starting Expires Service principal 09/01/11 00:56:58 09/01/11 10:56:58 krbtgt/CNL.NET@CNL.NET renew until 09/02/11 00:56:53
2. copy the /etc/krb.conf file from the server to the client machine.
Installing Kerberos clients for Debian and Fedora.
server# klist
# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: shehbaz@CNL.NET
Valid starting Expires Service principal 09/01/11 00:56:58 09/01/11 10:56:58 krbtgt/CNL.NET@CNL.NET renew until 09/02/11 00:56:53
Day 2
1. Options to install Fedora on the Client Machine are here.2. copy the /etc/krb.conf file from the server to the client machine.
Installing Kerberos clients for Debian and Fedora.
Setting up LDAP
Running into a lot of issues right now. Messed up slapd configuration files. restoration took a lot of effort.
[TODO] Read up on ldap before trying to configure it.
Day 3
Continuing with LDAP. Reading this and this to configure LDAP.LDAP terminologies given here
Day 4
Sweet Success!! :DAfter a lot of reading, understood a bit of LDAP structure. Refer this this and this for a more detailed understanding.
Heres are some interesting things that one should know:
- LDAP is basically a database in the form of a tree, just like a phonebook or yellow-pages.
- It is a database structure optimized for reads rather than writes, so you basically make lots of searches and less number of additions/deletions/modifications.
- Three things: schema , objectclass , attributes :
schema is the template on which the entries (actual physical elements of the database are configured). these are located in /etc/ldap/schema folder. these are of three types : structural, abstract, and auxillary.
objectclass is a label on the schema. first node in the tree is top. other objectclasses inherit top and have other child objectclasses.
attributes are properties of the objectclass, some are mandatory, while others are optional. - Main operations performed on an ldap database ldapadd, ldapsearch, ldapmodify.
NOTE :
ldapadd -H ldap://cnl.cnl.net -x -D "cn=admin,dc=cnl,dc=net" -f demo.ldif -w <password>
My sample demo.ldif file:
dn: ou=admin,dc=cnl,dc=net
objectclass:top
objectclass: organizationalUnit
ou: admin
dn: ou=student,dc=cnl,dc=net
objectclass: top
objectclass: organizationalUnit
ou: student
dn: cn=harshal,ou=admin,dc=cnl,dc=net
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Muknak
cn: Harshal Muknak
ou: admin
dn: cn=shehbaz,ou=student,dc=cnl,dc=net
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Jaffer
cn: Shehbaz Jaffer
ou: student
NOTE that I did not have to add any schema definitions for creating the ldap directory structure (i.e. adding objectclass). I have used inbuilt schemas like person and organizationalUnit.
For LDAP Clients, on Fedora use this.
/media/student *(rw,nohide,no_root_squash,no_subtree_check,sync,fsid=0)
alternatively, for mounting on boot, add this to the end of /etc/fstab of the client:
192.168.10.150:/ /home/students nfs4 defaults 0 0
Note that the ip mentioned is the server IP. We mounted the whole '/' directory, however, only /media/student (the mountable directory on the server) gets mounted.
Follow the above statements as-is, or you will get lots of issues (No route to host etc).
- There are a lot of objectclasses already available (defined in ldap), like person, organization etc.
- slapd.conf is outdated, now they use OLC (Online control) (cn=config) file for ldap support. Though support for slapd.conf is still supported.
ldapadd -H ldap://cnl.cnl.net -x -D "cn=admin,dc=cnl,dc=net" -f demo.ldif -w <password>
My sample demo.ldif file:
dn: ou=admin,dc=cnl,dc=net
objectclass:top
objectclass: organizationalUnit
ou: admin
dn: ou=student,dc=cnl,dc=net
objectclass: top
objectclass: organizationalUnit
ou: student
dn: cn=harshal,ou=admin,dc=cnl,dc=net
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Muknak
cn: Harshal Muknak
ou: admin
dn: cn=shehbaz,ou=student,dc=cnl,dc=net
objectclass: top
objectclass: person
objectclass: organizationalPerson
sn: Jaffer
cn: Shehbaz Jaffer
ou: student
NOTE that I did not have to add any schema definitions for creating the ldap directory structure (i.e. adding objectclass). I have used inbuilt schemas like person and organizationalUnit.
For LDAP Clients, on Fedora use this.
Day 6
Setting up NFSv4.
/etc/exports file:
/media/student *(rw,nohide,no_root_squash,no_subtree_check,sync,fsid=0)
mount command:
sudo mount -v -t nfs4 192.168.10.150:/ /home/student
alternatively, for mounting on boot, add this to the end of /etc/fstab of the client:
192.168.10.150:/ /home/students nfs4 defaults 0 0
Note that the ip mentioned is the server IP. We mounted the whole '/' directory, however, only /media/student (the mountable directory on the server) gets mounted.
Follow the above statements as-is, or you will get lots of issues (No route to host etc).
