From eaeb8994a17922dea0c58d29a184e2cb22a00714 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sun, 7 Jul 2024 00:07:59 +0200
Subject: [PATCH] WIP: Move krb5 realm to pvv.local, make sane ldap structure
---
 hosts/dagali/TODO.md | 21 ++++++++++--
 hosts/dagali/configuration.nix | 10 ++++--
 hosts/dagali/services/heimdal.nix | 52 +++++++++++++++++++++---------
 hosts/dagali/services/openldap.nix | 10 +++---
 4 files changed, 66 insertions(+), 27 deletions(-)
diff --git a/hosts/dagali/TODO.md b/hosts/dagali/TODO.md
index f134ca6..865f863 100644
--- a/hosts/dagali/TODO.md
+++ b/hosts/dagali/TODO.md
@@ -16,11 +16,26 @@
- [x] `kadmin -l init PVV.NTNU.NO` - [x] add oysteikt/admin@PVV.NTNU.NO principal - [x] add oysteikt@PVV.NTNU.NO principal - - [ ] add krbtgt@PVV.NTNU.NO principal? + - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal? - why is this needed, and where is it documented? - `kadmin check` seems to work under sudo? - - Fix FQDN: https://github.com/NixOS/nixpkgs/issues/94011 - https://github.com/NixOS/nixpkgs/issues/261269 + - (it is included by default, just included as error message + in a weird state) + + - [x] Ensure client is working correctly + - [x] Ensure kinit works on darbu + - [x] Ensure kpasswd works on darbu + - [x] Ensure kadmin get (and other restricted commands) works on darbu + + - [ ] Ensure kdc is working correctly + - [x] Ensure kinit works on dagali + - [x] Ensure kpasswd works on dagali + - [ ] Ensure kadmin get (and other restricte commands) works on dagali + + - [x] Fix FQDN + - https://github.com/NixOS/nixpkgs/issues/94011 + - https://github.com/NixOS/nixpkgs/issues/261269 + - Possibly fixed by disabling systemd-resolved - [ ] setup cyrus sasl - [x] ensure running with systemd
diff --git a/hosts/dagali/configuration.nix b/hosts/dagali/configuration.nix
index 5c64273..9902e69 100644
--- a/hosts/dagali/configuration.nix
+++ b/hosts/dagali/configuration.nix
@@ -1,5 +1,5 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, values, lib, ... }:
 {
 imports = [
 ./hardware-configuration.nix
@@ -7,7 +7,7 @@
 ../../misc/metrics-exporters.nix
 ./services/heimdal.nix
- ./services/openldap.nix
+ #./services/openldap.nix
 ./services/cyrus-sasl.nix
 ];
@@ -21,7 +21,11 @@
 services.resolved.enable = false;
 networking.hostName = "dagali";
- networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+ networking.domain = lib.mkForce "pvv.local";
+ networking.hosts = {
+ "129.241.210.185" = [ "dagali.pvv.local" ];
+ };
+ #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
 networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
 networking.tempAddresses = "disabled";
 networking.networkmanager.enable = true;
diff --git a/hosts/dagali/services/heimdal.nix b/hosts/dagali/services/heimdal.nix
index 0b07e2e..17ae4c6 100644
--- a/hosts/dagali/services/heimdal.nix
+++ b/hosts/dagali/services/heimdal.nix
@@ -1,22 +1,15 @@
 { config, pkgs, lib, ... }:
 let
-
- realm = "PVV.NTNU.NO";
-
+ realm = "PVV.LOCAL";
 cfg = config.security.krb5;
 in {
 security.krb5 = {
 enable = true;
- # NOTE: This has a small edit that moves an include header to $dev/include.
- # It is required in order to build smbk5pwd, because of some nested includes.
+ # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
 # We should open an issue upstream (heimdal, not nixpkgs), but this patch
 # will do for now.
- # package = pkgs.callPackage ./package.nix {
- # inherit (pkgs.apple_sdk.frameworks)
- # CoreFoundation Security SystemConfiguration;
- # };
 package = pkgs.heimdal.overrideAttrs (prev: {
 postInstall = prev.postInstall + ''
 cp include/heim_threads.h $dev/include
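Review bot: `networking.domain = lib.mkForce "pvv.local"` and the `dagali.pvv.local` entry in `networking.hosts` put the realm's hostnames under `.local`, the TLD that RFC 6762 reserves for mDNS; the same choice drives `realm = "PVV.LOCAL"` in the heimdal.nix hunk below and the `dagali.${lib.toLower realm}` KDC entries in its next hunk. Resolvers that implement mDNS (systemd-resolved, Avahi/nss-mdns) typically treat `.local` as mDNS-only and never send it to unicast DNS, so the name works only where it is pinned in /etc/hosts — this commit disables resolved on dagali, but every client (darbu, per the TODO) needs the same treatment, and `dns_lookup_kdc = false` in heimdal.nix makes that static mapping the only way to find the KDC. If an internal-only name is wanted, a sub-domain of a zone already under control avoids the collision; otherwise record the constraint next to the setting, e.g. `# .local is the mDNS TLD (RFC 6762): every krb5 client must carry the same static networking.hosts entry`. `#./services/openldap.nix` and `#networking.search = …` are left as commented-out lines; a `# TODO:` naming why they are parked would read better than dead code, even for a WIP commit.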
@@ -24,10 +17,12 @@ in
 });
 settings = {
- # logging.kdc = "CONSOLE";
 realms.${realm} = {
- admin_server = "dagali.pvv.ntnu.no";
- kdc = [ "localhost" ];
+ kdc = [ "dagali.${lib.toLower realm}" ];
+ admin_server = "dagali.${lib.toLower realm}";
+ kpasswd_server = "dagali.${lib.toLower realm}";
+ default_domain = lib.toLower realm;
+ primary_kdc = "dagali.${lib.toLower realm}";
 };
 kadmin.default_keys = lib.concatStringsSep " " [
@@ -42,14 +37,17 @@ in
 libdefaults = {
 default_realm = realm;
+ dns_lookup_kdc = false;
+ dns_lookup_realm = false;
 };
 domain_realm = {
- "pvv.ntnu.no" = realm;
- ".pvv.ntnu.no" = realm;
+ "${lib.toLower realm}" = realm;
+ ".${lib.toLower realm}" = realm;
 };
 logging = {
+ # kdc = "CONSOLE";
 kdc = "SYSLOG:DEBUG:AUTH";
 admin_server = "SYSLOG:DEBUG:AUTH";
 default = "SYSLOG:DEBUG:AUTH";
@@ -61,8 +59,22 @@ in
 enable = true;
 settings = {
 realms.${realm} = {
- dbname = "/var/heimdal/heimdal";
- mkey = "/var/heimdal/mkey";
+ dbname = "/var/lib/heimdal/heimdal";
+ mkey = "/var/lib/heimdal/m-key";
+ acl = [
+ {
+ principal = "kadmin/admin";
+ access = "all";
+ }
+ {
+ principal = "felixalb/admin";
+ access = "all";
+ }
+ {
+ principal = "oysteikt/admin";
+ access = "all";
+ }
+ ];
 };
 # kadmin.default_keys = lib.concatStringsSep " " [
 # "aes256-cts-hmac-sha1-96:pw-salt"
@@ -77,4 +89,12 @@ in
 # password_quality.min_length = 8;
 };
 };
+
+ networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+ networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+ networking.hosts = {
+ "127.0.0.2" = lib.mkForce [ ];
+ "::1" = lib.mkForce [ ];
+ };
 }
diff --git a/hosts/dagali/services/openldap.nix b/hosts/dagali/services/openldap.nix
index 5d8fca1..bb0c804 100644
--- a/hosts/dagali/services/openldap.nix
+++ b/hosts/dagali/services/openldap.nix
@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 {
 services.openldap = let
- dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
+ dn = "dc=pvv,dc=ntnu,dc=no";
 cfg = config.services.openldap;
 heimdal = config.security.krb5.package;
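Review bot: The new `acl` entries give `kadmin/admin`, `felixalb/admin` and `oysteikt/admin` `access = "all"` with no target restriction, so each of them can add, delete and re-key any principal in the realm, including `krbtgt/PVV.LOCAL` and each other — an unbounded grant for what are personal admin principals. If the NixOS kerberos_server acl entries expose a `target` pattern (I believe they do, defaulting to `*`), scoping the human entries to the principals they actually manage would limit the blast radius of a stolen admin credential; at minimum document why `kadmin/admin`, the service principal that kadmin clients authenticate to, needs an ACL entry of its own, e.g. `# kadmin/admin: <reason> — TODO confirm this entry is needed`. The `mkey` file moves to `/var/lib/heimdal/m-key`; whoever creates that path has to keep it root-only, which nothing in this hunk shows.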
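Review bot: `networking.firewall.allowedTCPPorts = [ 88 464 749 ]` and its UDP twin open kadmind (749) and kpasswdd (464) to every peer on every interface, although only the KDC port 88 has to be reachable from all clients; kadmin is the realm's administrative surface and is usually reachable from admin hosts only (e.g. a source-restricted rule via `networking.firewall.extraCommands`), so either restrict it or note that it is deliberately exposed during testing. Heimdal's kadmind is a TCP service, so `749` in `allowedUDPPorts` looks unneeded — verify against the daemon's listening sockets before dropping it. `"::1" = lib.mkForce [ ]` and `"127.0.0.2" = lib.mkForce [ ]` strip the hostname from the loopback entries so `dagali` resolves to the real address; that is only safe if the module still emits `::1 localhost` independently of `networking.hosts`, which I believe it does but is worth a comment, e.g. `# clear the default loopback hostname entries so dagali.pvv.local resolves to 129.241.210.185 (see configuration.nix)`.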
@@ -80,7 +80,7 @@
 objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
 olcOverlay = "{0}smbk5pwd";
 olcSmbK5PwdEnable = [ "krb5" "samba" ];
- olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
+ olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
 };
 "olcDatabase={1}mdb".attrs = {
@@ -91,7 +91,7 @@
 olcSuffix = dn;
 # TODO: PW is supposed to be a secret, but it's probably fine for testing
- olcRootDN = "cn=admin,${dn}";
+ olcRootDN = "cn=users,${dn}";
 # TODO: replace with proper secret
 olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
@@ -101,7 +101,7 @@
 olcAccess = [
 ''{0}to attrs=userPassword,shadowLastChange
- by dn.exact=cn=admin,${dn} write
+ by dn.exact=cn=users,${dn} write
 by self write
 by anonymous auth
 by * none''
@@ -111,7 +111,7 @@
 /* allow read on anything else */
 # ''{2}to *
- # by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+ # by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
 # by * read''
 ];
 };
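Review bot: `olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000)` stretches the Samba must-change interval from 30 days to roughly 27 years, which in practice disables password expiry for smbk5pwd-managed accounts while reading like a tuning tweak; if that is intended for the WIP phase, name it, e.g. `# ~27 years: effectively disables Samba-side expiry while the realm is rebuilt — revisit before production`. The root DN is renamed to `cn=users,${dn}` here and in the `{0}` and commented `{2}` ACLs; as I read slapd's rootdn semantics the rootdn may coincide with a real entry, in which case that entry's `userPassword` becomes a second full-admin credential, and `cn=users` is exactly the kind of container a "sane ldap structure" is likely to create under the suffix. A manager name that will never be an entry of the tree (`cn=admin` as before, or `cn=manager`) keeps the two apart; and the `olcRootPW.path = pkgs.writeText "olcRootPW" "pass"` line kept as context still places the password in the world-readable Nix store, as the existing TODO already notes.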