5.4.5. HOWTO Enable Kerberos
For the latest documentation, see the README of the SIMP KRB5 Puppet Module.
The simp-krb5 Puppet module helps administrators get a working KDC in place and configure clients to use that KDC.
The module, by default, sets up a fully functional KDC in your environment and generates keytabs for one admin user, and all of your hosts that it can discover via keydist.
Important
If you want SIMP to handle all of your hosts automatically, follow the README included with the simp-krb5 Puppet module and do NOT proceed with this guide.
Note
The keydist discovery only works if the KDC is on the same system as your Puppet Server!
Warning
For distribution of keys to work properly, you must add /var/simp/environments/<environment>/site_files to your environment's environment.conf file and restart the puppetserver process. The default in a production SIMP Omni-Environment is:
modulepath = modules:/var/simp/environments/production/site_files:$basemodulepath
(Replace production with the name of your environment.)
5.4.5.1. Beginning with krb5
The following sections give a brief guide to manual Kerberos configuration and distribution of keytabs. For more information, please see the MIT Kerberos documentation.
5.4.5.1.1. Creating Admin Principals
5.4.5.1.1.1. ACL Configuration
The following Puppet code snippet creates an ACL for your admin user that is a reasonable starting point for most organizations: it grants every principal in the admin instance (anything matching */admin) full administrative rights on the KDC. The realm in the principal must match the realm your KDC serves (written as YOUR.DOMAIN in the commands below).
krb5_acl { "${facts['domain']}_admin":
  principal      => "*/admin@${facts['domain']}",
  operation_mask => '*'
}
5.4.5.1.1.2. Create Your Admin Principal
Your first principal is an admin principal; because its name matches the */admin ACL above, it is allowed to manage the realm. It must be created on the KDC system.
Run the following command, as root, to create your principal (you will be prompted to set its password):
# /usr/sbin/kadmin.local -r YOUR.DOMAIN -q "addprinc <username>/admin"
You can now do everything remotely (for example through kadmin) using this principal. Obtain a ticket for it with:
# /usr/bin/kinit <username>/admin
5.4.5.1.2. Creating Host Principals
Before a host can use Kerberos, the host itself needs a keytab. SIMP distributes keytabs securely to each client from the per-host directory /var/simp/environments/<client_environment>/site_files/krb5_files/files/keytabs/<client_fqdn> on the Puppet Server.
On the KDC, generate a principal for each host in your environment using the following command:
# /usr/sbin/kadmin.local -r YOUR.DOMAIN -q 'addprinc -randkey host/<fqdn>'
5.4.5.1.2.1. Create Your Keytabs
Then, create a separate keytab file for each of the hosts you created, using the following command:
# /usr/sbin/kadmin.local -r YOUR.DOMAIN -q 'ktadd -k <fqdn>.keytab host/<fqdn>'
Run ktadd once per host: each run generates a new random key and increments the key version number, so re-running it invalidates any keytab already exported for that host.
5.4.5.1.3. Propagate the Keytabs
Move each resulting <fqdn>.keytab file SECURELY into its host's directory, /var/simp/environments/<client_environment>/site_files/krb5_files/files/keytabs/<fqdn>, on the Puppet Server.
Note
Make sure that all of your keytab directories are readable by the group puppet and not by the entire world (for example, directories owned by root:puppet with mode 0750 and keytab files with mode 0640).
Then, update your node declarations to include krb5::keytab.
Once the Puppet Agent runs on the clients, the keytabs are copied to /etc/krb5_keytabs, and the keytab matching the system fqdn is put in place as the default system keytab.
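The host-principal procedure above (generate principals and keytabs on the KDC, then stage them on the Puppet Server with safe permissions and verify the tree) as one added shell example. This is not code from the SIMP documentation or the simp-krb5 module. It assumes MIT Kerberos tools (kadmin.local, klist), a hosts file with one FQDN per line, and the site_files layout shown on this page (<root>/<fqdn>/<fqdn>.keytab); the function names, the hosts file, and the keytab group argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the SIMP docs or the simp-krb5 module.
# Assumes: MIT Kerberos (kadmin.local, klist), a hosts file with one FQDN
# per line, and the site_files layout from this page, i.e.
#   <root>/<fqdn>/<fqdn>.keytab   where <root> is
#   /var/simp/environments/<env>/site_files/krb5_files/files/keytabs
# Function and variable names are this example's own.
set -eu

# Print (do not run) the kadmin.local commands for every FQDN on stdin.
# Reviewing the list first matters because ktadd re-keys the principal:
# running it twice for a host invalidates the keytab already shipped to it.
kadmin_commands() {
    realm="$1"
    while IFS= read -r fqdn; do
        [ -n "$fqdn" ] || continue
        printf "/usr/sbin/kadmin.local -r %s -q 'addprinc -randkey host/%s'\n" "$realm" "$fqdn"
        printf "/usr/sbin/kadmin.local -r %s -q 'ktadd -k %s.keytab host/%s'\n" "$realm" "$fqdn" "$fqdn"
    done
}

# Stage one <fqdn>.keytab (already copied securely from the KDC) into
# <root>/<fqdn>/, readable by the given group (puppet in production) and
# never by the world.
stage_keytab() {
    keytab="$1"; root="$2"; group="$3"
    fqdn=$(basename "$keytab" .keytab)
    dest="$root/$fqdn"
    mkdir -p "$dest"
    cp "$keytab" "$dest/$fqdn.keytab"
    chgrp "$group" "$dest" "$dest/$fqdn.keytab"
    chmod 0750 "$dest"
    chmod 0640 "$dest/$fqdn.keytab"
}

# Sanity-check a staging tree before the next Puppet run: no keytab may be
# world-readable, and every host directory must contain <fqdn>.keytab,
# otherwise krb5::keytab has nothing to install as that host's default keytab.
check_staging() {
    root="$1"; bad=0
    if [ -n "$(find "$root" -type f -perm -004 -print)" ]; then
        echo "world-readable keytab(s) under $root" >&2; bad=1
    fi
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        fqdn=$(basename "$d")
        if [ ! -f "$d$fqdn.keytab" ]; then
            echo "missing $fqdn.keytab in $d" >&2; bad=1
        fi
    done
    return "$bad"
}

# Show what a keytab actually holds (principal names and key version numbers);
# skipped where the Kerberos client tools are not installed.
show_keytab() {
    if command -v klist >/dev/null 2>&1; then
        klist -kt "$1"
    else
        echo "klist not found; cannot inspect $1" >&2
    fi
}

# Usage on the Puppet Server, as root:
#   sh stage_keytabs.sh <root> puppet host1.keytab host2.keytab ...
# (generate the kadmin commands on the KDC first with:
#   kadmin_commands YOUR.DOMAIN < hosts.txt)
main() {
    root="$1"; group="$2"; shift 2
    for k in "$@"; do
        stage_keytab "$k" "$root" "$group"
        show_keytab "$root/$(basename "$k" .keytab)/$(basename "$k")"
    done
    check_staging "$root"
}
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The commands are printed rather than executed so that the list can be reviewed on the KDC before any principal is touched; check_staging is what you run on the Puppet Server after copying, and it fails the run if a keytab is world-readable or a host directory lacks the <fqdn>.keytab that becomes that client's default keytab.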