WIP: Move krb5 realm to pvv.local, make sane ldap structure

hosts/dagali/TODO.md

@@ -16,11 +16,26 @@
     - [x] `kadmin -l init PVV.NTNU.NO`
     - [x] add oysteikt/admin@PVV.NTNU.NO principal
     - [x] add oysteikt@PVV.NTNU.NO principal
-    - [ ] add krbtgt@PVV.NTNU.NO principal?
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
       - why is this needed, and where is it documented?
       - `kadmin check` seems to work under sudo?
-    - Fix FQDN: https://github.com/NixOS/nixpkgs/issues/94011
+      - (it is included by default, just included as error message
-                https://github.com/NixOS/nixpkgs/issues/261269
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
 
 - [ ] setup cyrus sasl
   - [x] ensure running with systemd 

hosts/dagali/configuration.nix

@@ -1,5 +1,5 @@
 
-{ config, pkgs, values, ... }:
+{ config, pkgs, values, lib, ... }:
 {
   imports = [
     ./hardware-configuration.nix
@@ -7,7 +7,7 @@
     ../../misc/metrics-exporters.nix
 
     ./services/heimdal.nix
-    ./services/openldap.nix
+    #./services/openldap.nix
     ./services/cyrus-sasl.nix
   ];
 
@@ -21,7 +21,11 @@
   services.resolved.enable = false;
 
   networking.hostName = "dagali";
-  networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
   networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
   networking.tempAddresses = "disabled";
   networking.networkmanager.enable = true;

hosts/dagali/services/heimdal.nix

@@ -1,22 +1,15 @@
 { config, pkgs, lib, ... }:
 let
-
+  realm = "PVV.LOCAL";
-  realm = "PVV.NTNU.NO";
-
   cfg = config.security.krb5;
 in
 {
   security.krb5 = {
     enable = true;
 
-    # NOTE: This has a small edit that moves an include header to $dev/include.
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
-    #       It is required in order to build smbk5pwd, because of some nested includes.
     #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
     #       will do for now.
-    # package = pkgs.callPackage ./package.nix {
-    #   inherit (pkgs.apple_sdk.frameworks)
-    #     CoreFoundation Security SystemConfiguration;
-    # };
     package = pkgs.heimdal.overrideAttrs (prev: {
       postInstall = prev.postInstall + ''
         cp include/heim_threads.h $dev/include
@@ -24,10 +17,12 @@ in
     });
 
     settings = {
-      # logging.kdc = "CONSOLE";
       realms.${realm} = {
-        admin_server = "dagali.pvv.ntnu.no";
+        kdc = [ "dagali.${lib.toLower realm}" ];
-        kdc = [ "localhost" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
       };
 
       kadmin.default_keys = lib.concatStringsSep " " [
@@ -42,14 +37,17 @@ in
 
       libdefaults = {
         default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
       };
 
       domain_realm = {
-        "pvv.ntnu.no" = realm;
+        "${lib.toLower realm}" = realm;
-        ".pvv.ntnu.no" = realm;
+        ".${lib.toLower realm}" = realm;
       };
 
       logging = {
+        # kdc = "CONSOLE";
         kdc = "SYSLOG:DEBUG:AUTH";
         admin_server = "SYSLOG:DEBUG:AUTH";
         default = "SYSLOG:DEBUG:AUTH";
@@ -61,8 +59,22 @@ in
     enable = true;
     settings = {
       realms.${realm} = {
-        dbname = "/var/heimdal/heimdal";
+        dbname = "/var/lib/heimdal/heimdal";
-        mkey = "/var/heimdal/mkey";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
       };
       # kadmin.default_keys = lib.concatStringsSep " " [
       #   "aes256-cts-hmac-sha1-96:pw-salt"
@@ -77,4 +89,12 @@ in
       # password_quality.min_length = 8;
     };
   };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
 }

hosts/dagali/services/openldap.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 {
   services.openldap = let
-    dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
+    dn = "dc=pvv,dc=ntnu,dc=no";
     cfg = config.services.openldap;
 
     heimdal = config.security.krb5.package;
@@ -80,7 +80,7 @@
           objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
           olcOverlay = "{0}smbk5pwd";
           olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
         };
 
         "olcDatabase={1}mdb".attrs = {
@@ -91,7 +91,7 @@
           olcSuffix = dn;
 
           # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=admin,${dn}";
+          olcRootDN = "cn=users,${dn}";
 
           # TODO: replace with proper secret
           olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
@@ -101,7 +101,7 @@
 
           olcAccess = [
             ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=admin,${dn} write
+                by dn.exact=cn=users,${dn} write
                 by self write
                 by anonymous auth
                 by * none''
@@ -111,7 +111,7 @@
 
             /* allow read on anything else */
             # ''{2}to *
-            #     by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
             #     by * read''
           ];
         };