pvv-nixos-config/hosts/dagali/TODO.md


# Gas station at Heimdal

Tracking document for the new PVV Kerberos auth stack.

## TODO

- set up Heimdal
  - ensure it runs as a systemd service
  - build smbk5pwd (an OpenLDAP contrib overlay, `contrib/slapd-modules/smbk5pwd`)
  - set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively (clears `disallow-all-tix` and sets `requires-pre-auth` on the `default` principal, whose attributes Heimdal copies to newly created principals)
  - fully initialise the PVV.NTNU.NO realm
- set up Cyrus SASL
  - ensure it runs as a systemd service
  - verify the GSSAPI plugin is installed
    - `nix-shell -p cyrus_sasl --command pluginviewer`
  - create `host/localhost@PVV.NTNU.NO` and export it to a keytab (saslauthd's kerberos5 backend verifies the TGT it obtains against this host key; without that check a spoofed KDC could answer for the real one)
  - verify Cyrus SASL is able to talk to Heimdal
    - `sudo testsaslauthd -u oysteikt -p <password>`
  - provide the ldap service principal to Cyrus SASL through a keytab
- set up OpenLDAP
  - ensure it runs as a systemd service
  - verify OpenLDAP is able to talk to Cyrus SASL
  - create a user for oysteikt in OpenLDAP
  - authenticate OpenLDAP logins through SASL
    - does this require creating an LDAP user?
- fix the smbk5pwd integration
  - add the smbk5pwd schemas to OpenLDAP (Heimdal's `hdb.schema`, plus the Samba schema if Samba password sync is wanted)
  - create the OpenLDAP database that smbk5pwd manages and enable the overlay on it
  - test that user sync between Kerberos and LDAP is working
  - test as user source (replacing `passwd`)
  - test as PAM auth source
  - test as auth source for a third-party application
- set up an LDAP administration panel
  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
- set up Kerberos SRV DNS records (`_kerberos._udp`, `_kerberos._tcp`, `_kerberos-adm._tcp` and `_kpasswd._udp` under PVV.NTNU.NO)
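The two "verify ... is able to talk to Cyrus SASL" items above both come down to the same thing: something connects to saslauthd's mux socket, sends user, password, service and realm, and gets back `OK` or `NO`. `testsaslauthd` does exactly that, and so does slapd when it is configured to check passwords through saslauthd. The script below is an added example, not code from this repo or from cyrus-sasl; it speaks that wire protocol directly so the check can be run with the service name slapd will actually send (`ldap`) and the PVV realm. The mux path is an assumption for NixOS (other distributions use `/var/run/saslauthd/mux`), and the account, password and `FakeSaslauthd` stand-in are constructed so the example runs offline.

```python
"""Talk to saslauthd over its mux socket the way slapd and testsaslauthd do.

Wire format (cyrus-sasl saslauthd): the client sends four counted strings,
each a 16-bit big-endian length followed by the bytes (user, password,
service, realm), and reads one counted string back that starts with "OK"
or "NO". Added example, not from pvv-nixos-config; paths and accounts
below are assumptions / constructed test data.
"""
import os
import socket
import struct
import tempfile
import threading

DEFAULT_MUX = "/run/saslauthd/mux"  # assumed NixOS location


def _pack(*fields):
    """Encode strings as saslauthd counted strings: uint16 length + bytes."""
    out = b""
    for field in fields:
        data = field.encode()
        out += struct.pack("!H", len(data)) + data
    return out


def _recv_exact(sock, n):
    """Read exactly n bytes; saslauthd replies are never padded."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the socket early")
        buf += chunk
    return buf


def saslauthd_check(user, password, service="ldap", realm="", mux=DEFAULT_MUX):
    """Ask saslauthd to verify user/password for service and realm.

    Returns (accepted, reply). accepted is True only for a reply starting
    with "OK"; the rest of the reply carries the backend's reason on "NO".
    Test with the service name the real client sends (slapd sends "ldap"),
    since backends such as PAM decide per service.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5.0)
        sock.connect(mux)
        sock.sendall(_pack(user, password, service, realm))
        (count,) = struct.unpack("!H", _recv_exact(sock, 2))
        reply = _recv_exact(sock, count).decode(errors="replace")
    return reply.startswith("OK"), reply


class FakeSaslauthd:
    """Constructed stand-in for saslauthd so the client can run offline.

    Speaks the same protocol; a password table replaces the kerberos5
    backend and a realm mismatch is refused like an unknown realm would be.
    """

    def __init__(self, accounts, realm):
        self.accounts, self.realm = accounts, realm
        self.path = os.path.join(tempfile.mkdtemp(), "mux")
        self._stop = False
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.path)
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # lets _serve notice _stop
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(5.0)
                fields = []
                for _ in range(4):
                    (n,) = struct.unpack("!H", _recv_exact(conn, 2))
                    fields.append(_recv_exact(conn, n).decode())
                user, password, _service, realm = fields
                if realm and realm != self.realm:
                    reply = "NO unknown realm"
                elif self.accounts.get(user) == password:
                    reply = "OK"
                else:
                    reply = "NO authentication failed"
                conn.sendall(_pack(reply))

    def close(self):
        self._stop = True
        self._thread.join()
        self._srv.close()
        os.unlink(self.path)
        os.rmdir(os.path.dirname(self.path))


def selftest():
    """Run the client against the fake daemon with a constructed account.

    Returns (right password accepted, wrong password accepted, wrong realm
    accepted); the expected result is (True, False, False).
    """
    pw = "correct horse battery staple"  # constructed sample password
    fake = FakeSaslauthd({"oysteikt": pw}, "PVV.NTNU.NO")
    try:
        good, _ = saslauthd_check("oysteikt", pw, "ldap", "PVV.NTNU.NO", mux=fake.path)
        bad, _ = saslauthd_check("oysteikt", "wrong", "ldap", "PVV.NTNU.NO", mux=fake.path)
        realm, _ = saslauthd_check("oysteikt", pw, "ldap", "EXAMPLE.COM", mux=fake.path)
    finally:
        fake.close()
    return good, bad, realm


if __name__ == "__main__":
    print(selftest())
```

Against the real daemon, `saslauthd_check("oysteikt", password, "ldap", "PVV.NTNU.NO")` needs read/write access to the mux socket (hence the `sudo` in the `testsaslauthd` item), and a `NO` reply from the kerberos5 backend is usually a keytab problem rather than a wrong password, so read the reply text, and run `saslauthd -d` in the foreground if it is not informative enough.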

## Information and URLs