LinuxQuestions.org > Linux - Server
Adding Kerberos authentication to existing network with LDAP already deployed (https://www.linuxquestions.org/questions/linux-server-73/adding-kerberos-authentication-to-existing-network-with-ldap-already-deployed-4175447929/)

btmiller 01-30-2013 10:41 PM

Adding Kerberos authentication to existing network with LDAP already deployed
 
Hi All,

I have a bit of a dilemma. We have a fairly large network (several hundred machines) with several file servers that are accessed via NFS. We're considering moving from NFSv3 to NFSv4, mostly to gain improved security (some users have root on their local workstations, and although all filesystems are exported root_squash, it's easy for a malicious user to su to some other account and access files their own account does not have privileges on). Local root access is only given out to trusted end users, but I'd still like to tighten this down (if for no other reason than to allow me to sleep a bit better at night). My understanding is that NFSv4 can use GSSAPI with Kerberos to verify which user is actually making a request on a file rather than taking the client's word on the UID and GID of the request. Therefore, I'm considering deploying Kerberos, but there are a few constraints/issues:

1. Currently, we have an LDAP directory set up and functioning that handles all user authentication and authorization.

2. Some critical pieces of network/software infrastructure (proprietary kit) only support LDAP authentication and can't authenticate against Kerberos.

3. I'd like to have a consistent user password, so I'd like the hypothetical new Kerberos password and the LDAP password to be kept in sync.

4. It looks like there's a way to do #3 (as per this thread); however, it only seems to work if the Heimdal implementation of Kerberos is used.

5. A number of the Red Hat and Ubuntu boxes authenticate against LDAP using Red Hat's sssd (pam_sssd, so sssd does the talking to LDAP, rather than using pam_ldap). I've found this to work better than using pam_ldap (which seemed to fail randomly in strange ways). However, sssd only seems to be able to talk to MIT krb5 and not Heimdal.

At this point, I'm a bit stuck, and I'm not sure if there's a good way to do what I want. So, my questions are as follows:

- Is it possible to have users authenticate against both LDAP and get a Kerberos TGT from the MIT krb5 KDC using the same password that is kept in sync somehow?

- Assuming this is possible, how do I make sure that users are given the right Kerberos tickets upon login so that they can access their NFS home directories (all systems that have NFS mounted home directories can use Kerberos for authentication -- the ones that can only use LDAP are specialized systems with local home directories).

- Am I totally barking up the wrong tree with this? I'd rather not limit users' ability to gain root via sudo on their workstations, but I could probably lock this down if I absolutely had to. It seems like NFSv4 will do what I want it to do, if only I can get the Kerberos bits & pieces set up the way I want them.
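
The configuration the post is asking about, as an added example (not the poster's setup and not taken from the thread): an sssd domain that keeps taking identity (uid, gid, home, shell) from the existing LDAP directory but checks passwords against an MIT krb5 KDC, so pam_sss obtains the TGT at login that an NFSv4 sec=krb5* home directory needs, plus a small audit that reads a mount table and flags NFS mounts still relying on the client-asserted UID (sec=sys). The hostnames, realm, base DN and the sample mount-table lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders: example.com,
# EXAMPLE.COM, ldap.example.com, kdc.example.com, fileserver.example.com.

# Print an /etc/sssd/sssd.conf with LDAP identity + Kerberos authentication.
# Usage: sssd_conf DOMAIN LDAP_URI BASE_DN REALM KDC > /etc/sssd/sssd.conf
# (the file must be root-owned and mode 0600 or sssd refuses to start)
sssd_conf() {
  domain=$1; ldap_uri=$2; base_dn=$3; realm=$4; kdc=$5
  cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
# identity still comes from LDAP, so nothing changes for the LDAP-only kit
id_provider = ldap
ldap_uri = $ldap_uri
ldap_search_base = $base_dn
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

# passwords are verified by the KDC; on success pam_sss stores the TGT in a
# credential cache under krb5_ccachedir and exports KRB5CCNAME into the
# session, which is what rpc.gssd looks for when a user touches a sec=krb5*
# NFSv4 mount
auth_provider = krb5
chpass_provider = krb5
krb5_realm = $realm
krb5_server = $kdc
krb5_ccachedir = /tmp
cache_credentials = true
EOF
}

# Server side (/etc/exports): with sec=krb5p every request carries the
# caller's Kerberos identity and the traffic is encrypted; a workstation root
# that does "su victim" has no ticket for victim and gets nothing.
#   /export/home  10.0.0.0/24(rw,sec=krb5p,root_squash)
# Client side (needs rpc.gssd running and a host keytab in /etc/krb5.keytab):
#   mount -t nfs4 -o sec=krb5p fileserver.example.com:/home /home

# Read /proc/mounts-style lines on stdin; print one line per NFS mount,
# "OK" if it uses sec=krb5/krb5i/krb5p, "WEAK" if it trusts the client UID.
audit_nfs_sec() {
  while read -r src mnt fstype opts _; do
    case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
    case ",$opts," in
      *,sec=krb5p,*|*,sec=krb5i,*|*,sec=krb5,*)
        printf 'OK   %s (%s)\n' "$mnt" "$fstype" ;;
      *)
        printf 'WEAK %s (%s): %s\n' "$mnt" "$fstype" "$opts" ;;
    esac
  done
}

# Constructed sample mount table: one Kerberised v4 mount, one v3 sec=sys
# mount, one local filesystem that must be ignored.
SAMPLE_MOUNTS=$(cat <<'EOF'
fileserver.example.com:/export/home /home nfs4 rw,relatime,vers=4.0,sec=krb5p,addr=10.0.0.2 0 0
fileserver.example.com:/export/scratch /scratch nfs rw,relatime,vers=3,sec=sys,addr=10.0.0.2 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
)

# Run the audit on the sample (on a real host: audit_nfs_sec < /proc/mounts)
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_sec
```

On a real host the audit is simply `audit_nfs_sec < /proc/mounts`; the sample above yields one OK line for /home and one WEAK line for the v3 /scratch mount, which is exactly the export that still lets a local root impersonate another UID.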

custangro 01-31-2013 02:50 PM

I had a (similar...though not exact) situation.

Have you looked at IPA? http://freeipa.org

It has a built in LDAP migrating tool that was REALLY simple and easy to use - https://docs.fedoraproject.org/en-US...igrate-ds.html

FreeIPA worked well for us because

1) Those applications that can use Kerberos were configured to do so
2) Those applications still ONLY using LDAP can continue doing so

Take a quick glance at the documentation - https://docs.fedoraproject.org/en-US...ide/index.html - it answers most of your questions (regarding NFS and such)

If you don't want to use Fedora (we didn't) - FreeIPA is included in the CentOS repos for EL 6.x

HTH

--C
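
The FreeIPA route custangro describes, as an added example that is not part of the thread and not the poster's own setup: the directory migration, the client enrolment that writes krb5.conf and sssd.conf and drops a host keytab, and the nfs/ service principal the file server needs for sec=krb5* exports. The commands are wrapped in a `run` helper that only prints them unless DRY_RUN=0, so the script can be read and tested on a machine without IPA installed; ipa.example.com, oldldap.example.com, fileserver.example.com and the realm are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Every hostname and realm is a placeholder.

# Print each command; execute it only when DRY_RUN=0 on a real host.
run() {
  printf '+ %s\n' "$*"
  if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; fi
}

# 1. Copy users and groups from the existing directory into IPA's LDAP.
#    Kerberos keys cannot be derived from the stored LDAP password hashes,
#    so migration mode is turned on: a user's keys are created the first
#    time they authenticate via https://<ipaserver>/ipa/migration, after
#    which LDAP simple bind and kinit use the same password.
migrate_ldap() {   # migrate_ldap OLD_LDAP_URI BIND_DN
  run ipa config-mod --enable-migration=TRUE
  run ipa migrate-ds --bind-dn="$2" \
      --user-container=ou=People --group-container=ou=Groups "$1"
}

# 2. Enrol a workstation or NFS client: generates /etc/krb5.conf and
#    /etc/sssd/sssd.conf (identity and auth via IPA) and a host/FQDN keytab
#    in /etc/krb5.keytab, which rpc.gssd uses as the machine credential.
enroll_client() {   # enroll_client DOMAIN REALM IPASERVER
  run ipa-client-install --mkhomedir --domain="$1" --realm="$2" --server="$3"
}

# 3. On an enrolled NFS server: create the nfs/FQDN principal and fetch its
#    key into the keytab so the exports can be served with sec=krb5p.
add_nfs_service() {   # add_nfs_service NFS_FQDN IPASERVER
  run kinit admin
  run ipa service-add "nfs/$1"
  run ipa-getkeytab -s "$2" -p "nfs/$1" -k /etc/krb5.keytab
}

# Dry-run walkthrough with placeholder names (set DRY_RUN=0 to execute).
migrate_ldap ldap://oldldap.example.com:389 "cn=Directory Manager"
enroll_client example.com EXAMPLE.COM ipa.example.com
add_nfs_service fileserver.example.com ipa.example.com
```

The LDAP-only appliances keep binding to the IPA directory exactly as they did before, while every host enrolled with ipa-client-install gets the Kerberos side for free; the part that needs planning is the one-time migration login, since users have no Kerberos keys until they have authenticated once.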

btmiller 01-31-2013 08:39 PM

I will check out the IPA links you provided, thank you very much!

