WIP: Move krb5 realm to pvv.local, make sane ldap structure
This commit is contained in:
parent
8f30c323bc
commit
a215a3c0a5
|
@ -16,11 +16,26 @@
|
||||||
- [x] `kadmin -l init PVV.NTNU.NO`
|
- [x] `kadmin -l init PVV.NTNU.NO`
|
||||||
- [x] add oysteikt/admin@PVV.NTNU.NO principal
|
- [x] add oysteikt/admin@PVV.NTNU.NO principal
|
||||||
- [x] add oysteikt@PVV.NTNU.NO principal
|
- [x] add oysteikt@PVV.NTNU.NO principal
|
||||||
- [ ] add krbtgt@PVV.NTNU.NO principal?
|
- [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
|
||||||
- why is this needed, and where is it documented?
|
- why is this needed, and where is it documented?
|
||||||
- `kadmin check` seems to work under sudo?
|
- `kadmin check` seems to work under sudo?
|
||||||
- Fix FQDN: https://github.com/NixOS/nixpkgs/issues/94011
|
- (it is included by default, just included as error message
|
||||||
https://github.com/NixOS/nixpkgs/issues/261269
|
in a weird state)
|
||||||
|
|
||||||
|
- [x] Ensure client is working correctly
|
||||||
|
- [x] Ensure kinit works on darbu
|
||||||
|
- [x] Ensure kpasswd works on darbu
|
||||||
|
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
|
||||||
|
|
||||||
|
- [ ] Ensure kdc is working correctly
|
||||||
|
- [x] Ensure kinit works on dagali
|
||||||
|
- [x] Ensure kpasswd works on dagali
|
||||||
|
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
|
||||||
|
|
||||||
|
- [x] Fix FQDN
|
||||||
|
- https://github.com/NixOS/nixpkgs/issues/94011
|
||||||
|
- https://github.com/NixOS/nixpkgs/issues/261269
|
||||||
|
- Possibly fixed by disabling systemd-resolved
|
||||||
|
|
||||||
- [ ] setup cyrus sasl
|
- [ ] setup cyrus sasl
|
||||||
- [x] ensure running with systemd
|
- [x] ensure running with systemd
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
{ config, pkgs, values, ... }:
|
{ config, pkgs, values, lib, ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
|
@ -7,7 +7,7 @@
|
||||||
../../misc/metrics-exporters.nix
|
../../misc/metrics-exporters.nix
|
||||||
|
|
||||||
./services/heimdal.nix
|
./services/heimdal.nix
|
||||||
./services/openldap.nix
|
#./services/openldap.nix
|
||||||
./services/cyrus-sasl.nix
|
./services/cyrus-sasl.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -21,7 +21,11 @@
|
||||||
services.resolved.enable = false;
|
services.resolved.enable = false;
|
||||||
|
|
||||||
networking.hostName = "dagali";
|
networking.hostName = "dagali";
|
||||||
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
|
networking.domain = lib.mkForce "pvv.local";
|
||||||
|
networking.hosts = {
|
||||||
|
"129.241.210.185" = [ "dagali.pvv.local" ];
|
||||||
|
};
|
||||||
|
#networking.search = [ "pvv.ntnu.no" "pvv.org" ];
|
||||||
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
|
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
|
||||||
networking.tempAddresses = "disabled";
|
networking.tempAddresses = "disabled";
|
||||||
networking.networkmanager.enable = true;
|
networking.networkmanager.enable = true;
|
||||||
|
|
|
@ -1,22 +1,15 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
|
realm = "PVV.LOCAL";
|
||||||
realm = "PVV.NTNU.NO";
|
|
||||||
|
|
||||||
cfg = config.security.krb5;
|
cfg = config.security.krb5;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
security.krb5 = {
|
security.krb5 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
# NOTE: This has a small edit that moves an include header to $dev/include.
|
# NOTE: This is required in order to build smbk5pwd, because of some nested includes.
|
||||||
# It is required in order to build smbk5pwd, because of some nested includes.
|
|
||||||
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
|
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
|
||||||
# will do for now.
|
# will do for now.
|
||||||
# package = pkgs.callPackage ./package.nix {
|
|
||||||
# inherit (pkgs.apple_sdk.frameworks)
|
|
||||||
# CoreFoundation Security SystemConfiguration;
|
|
||||||
# };
|
|
||||||
package = pkgs.heimdal.overrideAttrs (prev: {
|
package = pkgs.heimdal.overrideAttrs (prev: {
|
||||||
postInstall = prev.postInstall + ''
|
postInstall = prev.postInstall + ''
|
||||||
cp include/heim_threads.h $dev/include
|
cp include/heim_threads.h $dev/include
|
||||||
|
@ -24,10 +17,11 @@ in
|
||||||
});
|
});
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
# logging.kdc = "CONSOLE";
|
|
||||||
realms.${realm} = {
|
realms.${realm} = {
|
||||||
admin_server = "dagali.pvv.ntnu.no";
|
kdc = [ "dagali.${lib.toLower realm}" ];
|
||||||
kdc = [ "localhost" ];
|
admin_server = "dagali.${lib.toLower realm}";
|
||||||
|
kpasswd_server = "dagali.${lib.toLower realm}";
|
||||||
|
default_domain = lib.toLower realm;
|
||||||
};
|
};
|
||||||
|
|
||||||
kadmin.default_keys = lib.concatStringsSep " " [
|
kadmin.default_keys = lib.concatStringsSep " " [
|
||||||
|
@ -45,11 +39,12 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
domain_realm = {
|
domain_realm = {
|
||||||
"pvv.ntnu.no" = realm;
|
"${lib.toLower realm}" = realm;
|
||||||
".pvv.ntnu.no" = realm;
|
".${lib.toLower realm}" = realm;
|
||||||
};
|
};
|
||||||
|
|
||||||
logging = {
|
logging = {
|
||||||
|
# kdc = "CONSOLE";
|
||||||
kdc = "SYSLOG:DEBUG:AUTH";
|
kdc = "SYSLOG:DEBUG:AUTH";
|
||||||
admin_server = "SYSLOG:DEBUG:AUTH";
|
admin_server = "SYSLOG:DEBUG:AUTH";
|
||||||
default = "SYSLOG:DEBUG:AUTH";
|
default = "SYSLOG:DEBUG:AUTH";
|
||||||
|
@ -61,8 +56,18 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
realms.${realm} = {
|
realms.${realm} = {
|
||||||
dbname = "/var/heimdal/heimdal";
|
dbname = "/var/lib/heimdal/heimdal";
|
||||||
mkey = "/var/heimdal/mkey";
|
mkey = "/var/lib/heimdal/m-key";
|
||||||
|
acl = [
|
||||||
|
{
|
||||||
|
principal = "felixalb/admin";
|
||||||
|
access = "all";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
principal = "oysteikt/admin";
|
||||||
|
access = "all";
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
# kadmin.default_keys = lib.concatStringsSep " " [
|
# kadmin.default_keys = lib.concatStringsSep " " [
|
||||||
# "aes256-cts-hmac-sha1-96:pw-salt"
|
# "aes256-cts-hmac-sha1-96:pw-salt"
|
||||||
|
@ -77,4 +82,7 @@ in
|
||||||
# password_quality.min_length = 8;
|
# password_quality.min_length = 8;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
{
|
{
|
||||||
services.openldap = let
|
services.openldap = let
|
||||||
dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
|
dn = "dc=pvv,dc=ntnu,dc=no";
|
||||||
cfg = config.services.openldap;
|
cfg = config.services.openldap;
|
||||||
|
|
||||||
heimdal = config.security.krb5.package;
|
heimdal = config.security.krb5.package;
|
||||||
|
@ -80,7 +80,7 @@
|
||||||
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
|
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
|
||||||
olcOverlay = "{0}smbk5pwd";
|
olcOverlay = "{0}smbk5pwd";
|
||||||
olcSmbK5PwdEnable = [ "krb5" "samba" ];
|
olcSmbK5PwdEnable = [ "krb5" "samba" ];
|
||||||
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
|
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
|
||||||
};
|
};
|
||||||
|
|
||||||
"olcDatabase={1}mdb".attrs = {
|
"olcDatabase={1}mdb".attrs = {
|
||||||
|
@ -91,7 +91,7 @@
|
||||||
olcSuffix = dn;
|
olcSuffix = dn;
|
||||||
|
|
||||||
# TODO: PW is supposed to be a secret, but it's probably fine for testing
|
# TODO: PW is supposed to be a secret, but it's probably fine for testing
|
||||||
olcRootDN = "cn=admin,${dn}";
|
olcRootDN = "cn=users,${dn}";
|
||||||
|
|
||||||
# TODO: replace with proper secret
|
# TODO: replace with proper secret
|
||||||
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
|
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
|
||||||
|
@ -101,7 +101,7 @@
|
||||||
|
|
||||||
olcAccess = [
|
olcAccess = [
|
||||||
''{0}to attrs=userPassword,shadowLastChange
|
''{0}to attrs=userPassword,shadowLastChange
|
||||||
by dn.exact=cn=admin,${dn} write
|
by dn.exact=cn=users,${dn} write
|
||||||
by self write
|
by self write
|
||||||
by anonymous auth
|
by anonymous auth
|
||||||
by * none''
|
by * none''
|
||||||
|
@ -111,7 +111,7 @@
|
||||||
|
|
||||||
/* allow read on anything else */
|
/* allow read on anything else */
|
||||||
# ''{2}to *
|
# ''{2}to *
|
||||||
# by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
|
# by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
|
||||||
# by * read''
|
# by * read''
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in New Issue