Documentation about the ncm-krb5clt component

[Params]

cern_admin_server = 'cerndc.cern.ch'
cern_kpasswd_server = 'cerndc.cern.ch'
default_realm = 'CERN.CH'
forwardable = true
pam_ticket_lifetime = '25h'
proxiable = true
allow_weak_crypto = false
renew_lifetime = '120h'
ticket_lifetime = '25h'
#I dont know if needed anymore..

$krb5pam = {'external' => 'true',
'krb4_convert' => 'false',
'krb4_convert_524' => 'false',
'krb4_use_as_req' => 'false'
}


pkinit_anchors = 'DIR:/etc/pki/tls/certs/'
pkinit_pool = 'DIR:/etc/pki/tls/certs/'


We have to configure 2 files

1) /etc/krb5.conf

2) ~/.k5login


1)

$ cat /etc/krb5.conf

[libdefaults]
default_realm = CERN.CH
ticket_lifetime = 25h
renew_lifetime = 120h
forwardable = true
proxiable = true

[realms]
CERN.CH = {
default_domain = cern.ch
kpasswd_server = cerndc.cern.ch
admin_server = cerndc.cern.ch
kdc = cerndc.cern.ch

v4_name_convert = {
host = {
rcmd = host
}
}
}
; the external institutes info is completely static for now and comes
; straight from the NCM template
FNAL.GOV = {
default_domain = fnal.gov
admin_server = krb-fnal-admin.fnal.gov
kdc = krb-fnal-1.fnal.gov:88
kdc = krb-fnal-2.fnal.gov:88
kdc = krb-fnal-3.fnal.gov:88
}
KFKI.HU = {
kdc = kerberos.kfki.hu
admin_server = kerberos.kfki.hu
}
HEP.MAN.AC.UK = {
kdc = afs4.hep.man.ac.uk
kdc = afs1.hep.man.ac.uk
kdc = afs2.hep.man.ac.uk
kdc = afs3.hep.man.ac.uk
admin_server = afs4.hep.man.ac.uk
kpasswd_server = afs4.hep.man.ac.uk
default_domain = hep.man.ac.uk
}
[domain_realm]
.cern.ch = CERN.CH
.fnal.gov = FNAL.GOV
.kfki.hu = KFKI.HU
.hep.man.ac.uk = HEP.MAN.AC.UK
[appdefaults]
pkinit_pool = DIR:/etc/pki/tls/certs/
pkinit_anchors = DIR:/etc/pki/tls/certs/
; options for Red Hat pam_krb5-2
pam = {
external = true
krb4_convert = false
krb4_convert_524 = false
krb4_use_as_req = false
ticket_lifetime = 25h
}

2) cat ~/.k5login

( We put there the user/owner and the egroup of the user if it exists)

toulevey@CERNNOSPAMPLEASE.CH <-- owner
aboutsel@CERN.CH <-- user

We can extract these values from landb or maybe directly from ldap.


#Allow AD change expired password on machine with sssd.
In the /etc/sshd_config --> ChallengeResponseAuthentication yes


We must create a keytab file (/etc/krb5.keytab) if only the /etc/krb5.conf exists and cern-get-keytab package is installed

PS: This component needs further investigation.. (not the best documentation)

Edit | Attach | Watch | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r3 - 2015-11-05 - AristeidisBoutselis
 
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    Sandbox All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2020 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback