From 051dd82f57a2c65c9470f999437bc774802fc06a Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen <felixalb@pvv.ntnu.no>
Date: Sun, 7 Jul 2024 00:07:59 +0200
Subject: [PATCH] WIP: Move krb5 realm to pvv.local, make sane ldap structure

---
 hosts/dagali/TODO.md               | 21 ++++++++++--
 hosts/dagali/configuration.nix     | 10 ++++--
 hosts/dagali/services/heimdal.nix  | 52 +++++++++++++++++++++---------
 hosts/dagali/services/openldap.nix | 10 +++---
 4 files changed, 66 insertions(+), 27 deletions(-)

diff --git a/hosts/dagali/TODO.md b/hosts/dagali/TODO.md
index f134ca6..865f863 100644
--- a/hosts/dagali/TODO.md
+++ b/hosts/dagali/TODO.md
@@ -16,11 +16,26 @@
     - [x] `kadmin -l init PVV.NTNU.NO`
     - [x] add oysteikt/admin@PVV.NTNU.NO principal
     - [x] add oysteikt@PVV.NTNU.NO principal
-    - [ ] add krbtgt@PVV.NTNU.NO principal?
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
       - why is this needed, and where is it documented?
       - `kadmin check` seems to work under sudo?
-    - Fix FQDN: https://github.com/NixOS/nixpkgs/issues/94011
-                https://github.com/NixOS/nixpkgs/issues/261269
+      - (it is included by default, just included as error message
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
 
 - [ ] setup cyrus sasl
   - [x] ensure running with systemd 
diff --git a/hosts/dagali/configuration.nix b/hosts/dagali/configuration.nix
index 5c64273..9902e69 100644
--- a/hosts/dagali/configuration.nix
+++ b/hosts/dagali/configuration.nix
@@ -1,5 +1,5 @@
 
-{ config, pkgs, values, ... }:
+{ config, pkgs, values, lib, ... }:
 {
   imports = [
     ./hardware-configuration.nix
@@ -7,7 +7,7 @@
     ../../misc/metrics-exporters.nix
 
     ./services/heimdal.nix
-    ./services/openldap.nix
+    #./services/openldap.nix
     ./services/cyrus-sasl.nix
   ];
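Review bot: The openldap import is commented out rather than removed, and nothing records why, even though `services/openldap.nix` is still edited further down in this same patch; the LDAP changes therefore no longer take part in the build and cannot be validated by it. A one-line reason would help the next reader, e.g. `# openldap disabled until the PVV.LOCAL realm migration is finished; see TODO.md`. If the disablement is meant to be temporary, that comment is also the place to say what re-enabling depends on.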
 
@@ -21,7 +21,11 @@
   services.resolved.enable = false;
 
   networking.hostName = "dagali";
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
   networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
   networking.tempAddresses = "disabled";
   networking.networkmanager.enable = true;
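Review bot: `pvv.local` sits under the `.local` top-level domain that RFC 6762 reserves for Multicast DNS, so clients that run an mDNS resolver (avahi/nss-mdns, the Apple and Windows stacks) may resolve `dagali.pvv.local` over multicast rather than via `/etc/hosts` or unicast DNS; for a Kerberos realm whose KDC name must resolve reliably and to the intended host that is both a reliability and a spoofing concern, and a name under a DNS zone the project controls would avoid it. If `.local` is a deliberate choice, a comment next to `networking.domain` recording the reason (and the mDNS caveat) would stop it being "fixed" later. The static `networking.hosts` entry only makes dagali itself able to resolve the KDC; with `dns_lookup_kdc = false` in heimdal.nix every client (the TODO mentions darbu) needs the same entry or a `pvv.local` zone, which is worth stating in a comment beside the hard-coded `129.241.210.185`. The `lib.mkForce` on `networking.domain` suggests another module already sets it; naming that module in the comment would explain the override.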
diff --git a/hosts/dagali/services/heimdal.nix b/hosts/dagali/services/heimdal.nix
index 0b07e2e..17ae4c6 100644
--- a/hosts/dagali/services/heimdal.nix
+++ b/hosts/dagali/services/heimdal.nix
@@ -1,22 +1,15 @@
 { config, pkgs, lib, ... }:
 let
-
-  realm = "PVV.NTNU.NO";
-
+  realm = "PVV.LOCAL";
   cfg = config.security.krb5;
 in
 {
   security.krb5 = {
     enable = true;
 
-    # NOTE: This has a small edit that moves an include header to $dev/include.
-    #       It is required in order to build smbk5pwd, because of some nested includes.
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
     #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
     #       will do for now.
-    # package = pkgs.callPackage ./package.nix {
-    #   inherit (pkgs.apple_sdk.frameworks)
-    #     CoreFoundation Security SystemConfiguration;
-    # };
     package = pkgs.heimdal.overrideAttrs (prev: {
       postInstall = prev.postInstall + ''
         cp include/heim_threads.h $dev/include
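Review bot: After the edit the NOTE reads "This is required in order to build smbk5pwd" without saying what "this" refers to; the removed wording did (the header moved into `$dev/include`), and the `postInstall` below is the only clue left. Suggest `# NOTE: smbk5pwd's nested includes need heim_threads.h exported, so copy it into $dev/include.` so the comment stands on its own. The realm is now also hard-coded as `"PVV.LOCAL"` here while `networking.domain` is set to `"pvv.local"` independently in configuration.nix; a comment pointing out that the two must stay in sync would be prudent, unless one is meant to be derived from the other.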
@@ -24,10 +17,12 @@ in
     });
 
     settings = {
-      # logging.kdc = "CONSOLE";
       realms.${realm} = {
-        admin_server = "dagali.pvv.ntnu.no";
-        kdc = [ "localhost" ];
+        kdc = [ "dagali.${lib.toLower realm}" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
       };
 
       kadmin.default_keys = lib.concatStringsSep " " [
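Review bot: `lib.toLower realm` is evaluated five times in the `realms.${realm}` block and the `"dagali.${lib.toLower realm}"` hostname is spelled out three times; binding them once in the module's `let` (which starts outside this hunk), e.g. `domain = lib.toLower realm;` and `kdcHost = "dagali.${domain}";`, would make the block read as `kdc = [ kdcHost ]; admin_server = kdcHost; kpasswd_server = kdcHost;` and remove the chance of the strings drifting apart. `primary_kdc` is a key I know from MIT's krb5.conf; please confirm Heimdal's krb5.conf (the `package` here is `pkgs.heimdal`) reads it, otherwise it is silently ignored and a comment should say it is there for MIT clients. The `settings` attribute set continues past the end of the hunk.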
@@ -42,14 +37,17 @@ in
 
       libdefaults = {
         default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
       };
 
       domain_realm = {
-        "pvv.ntnu.no" = realm;
-        ".pvv.ntnu.no" = realm;
+        "${lib.toLower realm}" = realm;
+        ".${lib.toLower realm}" = realm;
       };
 
       logging = {
+        # kdc = "CONSOLE";
         kdc = "SYSLOG:DEBUG:AUTH";
         admin_server = "SYSLOG:DEBUG:AUTH";
         default = "SYSLOG:DEBUG:AUTH";
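Review bot: The commented-out `# kdc = "CONSOLE";` has been moved into the `logging` block rather than deleted, so it now reads as a leftover toggle with no explanation next to three `SYSLOG:DEBUG:AUTH` destinations; either drop it or turn it into a comment that states its purpose, e.g. `# for interactive debugging replace the kdc entry with "CONSOLE"`. DEBUG-level KDC and kadmind logging records every request (principal names included) in the auth facility, which is fine while this is WIP but worth a `# TODO: lower to INFO once the realm migration is done` so it does not survive into production. Setting `dns_lookup_kdc`/`dns_lookup_realm` to `false` is consistent with the static hosts entry added in configuration.nix and removes DNS as a way to redirect clients to a rogue KDC; a short comment saying that is the intent would document the dependency.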
@@ -61,8 +59,22 @@ in
     enable = true;
     settings = {
       realms.${realm} = {
-        dbname = "/var/heimdal/heimdal";
-        mkey = "/var/heimdal/mkey";
+        dbname = "/var/lib/heimdal/heimdal";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
       };
       # kadmin.default_keys = lib.concatStringsSep " " [
       #   "aes256-cts-hmac-sha1-96:pw-salt"
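Review bot: The database and master key move to `/var/lib/heimdal/` (`dbname` and `mkey`), but nothing in the hunk shows who creates that directory or with which mode; the master key decrypts every principal key, so confirm the kerberos_server module or a `systemd.tmpfiles` rule creates it root-owned and `0700` before the first `kadmin -l init`. The realm name also differs from the one the TODO shows the existing database was initialised with, so the old `/var/heimdal` data will not be reused; a comment such as `# fresh database; the PVV.NTNU.NO db in /var/heimdal is not migrated` would record that. Granting `kadmin/admin` itself `all` looks unusual, since that is the service principal kadmind authenticates as rather than an administrator identity; if it is a workaround for the still-unchecked "kadmin get" item in the TODO, say so inline so it can be revisited. The `realms.${realm}` set continues outside the hunk.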
@@ -77,4 +89,12 @@ in
       # password_quality.min_length = 8;
     };
   };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
 }
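Review bot: `"::1" = lib.mkForce [ ]` removes the IPv6 loopback entry that NixOS seeds in `networking.hosts` (`localhost`, as far as I recall), so anything on this host resolving `localhost` to `::1` loses it, and the reason is not recorded; the intent is presumably to stop the FQDN being mapped to `127.0.0.2` so that `dagali.pvv.local` resolves to the public address, which deserves a comment such as `# drop the loopback aliases NixOS adds so dagali.pvv.local resolves only via the static hosts entry`, and if only the `127.0.0.2` alias is the problem the `"::1"` line could be dropped. Port 749 is kadmin, which is a TCP protocol in both MIT and Heimdal to my knowledge, so `749` in `allowedUDPPorts` is probably unnecessary and can be confirmed against `ss -ulnp` on the host. Opening 749 (kadmin) and 464 (kpasswd) on every interface exposes the administrative interface to the whole network; if the admin clients are known (the TODO names darbu), restricting 749 with `networking.firewall.interfaces` or an `extraCommands` rule would shrink that surface.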
diff --git a/hosts/dagali/services/openldap.nix b/hosts/dagali/services/openldap.nix
index 5d8fca1..bb0c804 100644
--- a/hosts/dagali/services/openldap.nix
+++ b/hosts/dagali/services/openldap.nix
@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 {
   services.openldap = let
-    dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
+    dn = "dc=pvv,dc=ntnu,dc=no";
     cfg = config.services.openldap;
 
     heimdal = config.security.krb5.package;
@@ -80,7 +80,7 @@
           objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
           olcOverlay = "{0}smbk5pwd";
           olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
         };
 
         "olcDatabase={1}mdb".attrs = {
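Review bot: `olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000)` (about 27 years) is a magic number that effectively disables the Samba password-expiry the previous 30-day value enforced, yet reads like a tuned period; if the intent is "never expire", say so in a comment, and check the slapo-smbk5pwd man page, which as I recall documents `0` as "passwords never expire", since an explicit `0` is clearer than 10000 days. A `sambaPwdMustChange` of now plus 10000 days also lands past 2038, which matters if any consumer reads it as a 32-bit `time_t`. The `olcOverlay={0}smbk5pwd` attrs set starts before the hunk.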
@@ -91,7 +91,7 @@
           olcSuffix = dn;
 
           # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=admin,${dn}";
+          olcRootDN = "cn=users,${dn}";
 
           # TODO: replace with proper secret
           olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
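Review bot: Renaming the rootDN to `cn=users,${dn}` makes the directory's unrestricted administrator look like a plain container or group entry (`cn=users` is the conventional name for the user subtree), which will be misleading in the `olcAccess` rules at lines 219 and 228 that now grant it `write`; `olcRootDN` bypasses all access controls, so if `cn=users` is meant to become a bind identity for a sync or service account it belongs in a normal entry with its own ACL, not in the rootDN slot. Suggest keeping a name that signals privilege, e.g. `olcRootDN = "cn=admin,${dn}";` or `"cn=root,${dn}"`, and using `cn=users` (or `ou=users`) for the subtree. The `# TODO: PW is supposed to be a secret` comment still applies after the rename: `pkgs.writeText` places the root password in the world-readable Nix store, so the exposure is unchanged. The `olcDatabase={1}mdb` attrs set starts and ends outside the hunk.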
@@ -101,7 +101,7 @@
 
           olcAccess = [
             ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=admin,${dn} write
+                by dn.exact=cn=users,${dn} write
                 by self write
                 by anonymous auth
                 by * none''
@@ -111,7 +111,7 @@
 
             /* allow read on anything else */
             # ''{2}to *
-            #     by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
             #     by * read''
           ];
         };