WIP: Move krb5 realm to pvv.local, make sane ldap structure

This commit is contained in:
Felix Albrigtsen 2024-07-07 00:07:59 +02:00 committed by Øystein Tveit
parent 8f30c323bc
commit a215a3c0a5
4 changed files with 54 additions and 27 deletions

View File

@ -16,11 +16,26 @@
- [x] `kadmin -l init PVV.NTNU.NO` - [x] `kadmin -l init PVV.NTNU.NO`
- [x] add oysteikt/admin@PVV.NTNU.NO principal - [x] add oysteikt/admin@PVV.NTNU.NO principal
- [x] add oysteikt@PVV.NTNU.NO principal - [x] add oysteikt@PVV.NTNU.NO principal
- [ ] add krbtgt@PVV.NTNU.NO principal? - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
- why is this needed, and where is it documented? - why is this needed, and where is it documented?
- `kadmin check` seems to work under sudo? - `kadmin check` seems to work under sudo?
- Fix FQDN: https://github.com/NixOS/nixpkgs/issues/94011 - (it is included by default, just included as error message
https://github.com/NixOS/nixpkgs/issues/261269 in a weird state)
- [x] Ensure client is working correctly
- [x] Ensure kinit works on darbu
- [x] Ensure kpasswd works on darbu
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
- [ ] Ensure kdc is working correctly
- [x] Ensure kinit works on dagali
- [x] Ensure kpasswd works on dagali
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
- [x] Fix FQDN
- https://github.com/NixOS/nixpkgs/issues/94011
- https://github.com/NixOS/nixpkgs/issues/261269
- Possibly fixed by disabling systemd-resolved
- [ ] setup cyrus sasl - [ ] setup cyrus sasl
- [x] ensure running with systemd - [x] ensure running with systemd

View File

@ -1,5 +1,5 @@
{ config, pkgs, values, ... }: { config, pkgs, values, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@ -7,7 +7,7 @@
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
./services/heimdal.nix ./services/heimdal.nix
./services/openldap.nix #./services/openldap.nix
./services/cyrus-sasl.nix ./services/cyrus-sasl.nix
]; ];
@ -21,7 +21,11 @@
services.resolved.enable = false; services.resolved.enable = false;
networking.hostName = "dagali"; networking.hostName = "dagali";
networking.search = [ "pvv.ntnu.no" "pvv.org" ]; networking.domain = lib.mkForce "pvv.local";
networking.hosts = {
"129.241.210.185" = [ "dagali.pvv.local" ];
};
#networking.search = [ "pvv.ntnu.no" "pvv.org" ];
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ]; networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
networking.tempAddresses = "disabled"; networking.tempAddresses = "disabled";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;

View File

@ -1,22 +1,15 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
realm = "PVV.LOCAL";
realm = "PVV.NTNU.NO";
cfg = config.security.krb5; cfg = config.security.krb5;
in in
{ {
security.krb5 = { security.krb5 = {
enable = true; enable = true;
# NOTE: This has a small edit that moves an include header to $dev/include. # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
# It is required in order to build smbk5pwd, because of some nested includes.
# We should open an issue upstream (heimdal, not nixpkgs), but this patch # We should open an issue upstream (heimdal, not nixpkgs), but this patch
# will do for now. # will do for now.
# package = pkgs.callPackage ./package.nix {
# inherit (pkgs.apple_sdk.frameworks)
# CoreFoundation Security SystemConfiguration;
# };
package = pkgs.heimdal.overrideAttrs (prev: { package = pkgs.heimdal.overrideAttrs (prev: {
postInstall = prev.postInstall + '' postInstall = prev.postInstall + ''
cp include/heim_threads.h $dev/include cp include/heim_threads.h $dev/include
@ -24,10 +17,11 @@ in
}); });
settings = { settings = {
# logging.kdc = "CONSOLE";
realms.${realm} = { realms.${realm} = {
admin_server = "dagali.pvv.ntnu.no"; kdc = [ "dagali.${lib.toLower realm}" ];
kdc = [ "localhost" ]; admin_server = "dagali.${lib.toLower realm}";
kpasswd_server = "dagali.${lib.toLower realm}";
default_domain = lib.toLower realm;
}; };
kadmin.default_keys = lib.concatStringsSep " " [ kadmin.default_keys = lib.concatStringsSep " " [
@ -45,11 +39,12 @@ in
}; };
domain_realm = { domain_realm = {
"pvv.ntnu.no" = realm; "${lib.toLower realm}" = realm;
".pvv.ntnu.no" = realm; ".${lib.toLower realm}" = realm;
}; };
logging = { logging = {
# kdc = "CONSOLE";
kdc = "SYSLOG:DEBUG:AUTH"; kdc = "SYSLOG:DEBUG:AUTH";
admin_server = "SYSLOG:DEBUG:AUTH"; admin_server = "SYSLOG:DEBUG:AUTH";
default = "SYSLOG:DEBUG:AUTH"; default = "SYSLOG:DEBUG:AUTH";
@ -61,8 +56,18 @@ in
enable = true; enable = true;
settings = { settings = {
realms.${realm} = { realms.${realm} = {
dbname = "/var/heimdal/heimdal"; dbname = "/var/lib/heimdal/heimdal";
mkey = "/var/heimdal/mkey"; mkey = "/var/lib/heimdal/m-key";
acl = [
{
principal = "felixalb/admin";
access = "all";
}
{
principal = "oysteikt/admin";
access = "all";
}
];
}; };
# kadmin.default_keys = lib.concatStringsSep " " [ # kadmin.default_keys = lib.concatStringsSep " " [
# "aes256-cts-hmac-sha1-96:pw-salt" # "aes256-cts-hmac-sha1-96:pw-salt"
@ -77,4 +82,7 @@ in
# password_quality.min_length = 8; # password_quality.min_length = 8;
}; };
}; };
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
} }

View File

@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
services.openldap = let services.openldap = let
dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no"; dn = "dc=pvv,dc=ntnu,dc=no";
cfg = config.services.openldap; cfg = config.services.openldap;
heimdal = config.security.krb5.package; heimdal = config.security.krb5.package;
@ -80,7 +80,7 @@
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ]; objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
olcOverlay = "{0}smbk5pwd"; olcOverlay = "{0}smbk5pwd";
olcSmbK5PwdEnable = [ "krb5" "samba" ]; olcSmbK5PwdEnable = [ "krb5" "samba" ];
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30); olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
}; };
"olcDatabase={1}mdb".attrs = { "olcDatabase={1}mdb".attrs = {
@ -91,7 +91,7 @@
olcSuffix = dn; olcSuffix = dn;
# TODO: PW is supposed to be a secret, but it's probably fine for testing # TODO: PW is supposed to be a secret, but it's probably fine for testing
olcRootDN = "cn=admin,${dn}"; olcRootDN = "cn=users,${dn}";
# TODO: replace with proper secret # TODO: replace with proper secret
olcRootPW.path = pkgs.writeText "olcRootPW" "pass"; olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
@ -101,7 +101,7 @@
olcAccess = [ olcAccess = [
''{0}to attrs=userPassword,shadowLastChange ''{0}to attrs=userPassword,shadowLastChange
by dn.exact=cn=admin,${dn} write by dn.exact=cn=users,${dn} write
by self write by self write
by anonymous auth by anonymous auth
by * none'' by * none''
@ -111,7 +111,7 @@
/* allow read on anything else */ /* allow read on anything else */
# ''{2}to * # ''{2}to *
# by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write # by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
# by * read'' # by * read''
]; ];
}; };