WIP: Move krb5 realm to pvv.local, make sane ldap structure
This commit is contained in:
parent
8f30c323bc
commit
eaeb8994a1
@ -16,11 +16,26 @@
|
||||
- [x] `kadmin -l init PVV.NTNU.NO`
|
||||
- [x] add oysteikt/admin@PVV.NTNU.NO principal
|
||||
- [x] add oysteikt@PVV.NTNU.NO principal
|
||||
- [ ] add krbtgt@PVV.NTNU.NO principal?
|
||||
- [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
|
||||
- why is this needed, and where is it documented?
|
||||
- `kadmin check` seems to work under sudo?
|
||||
- Fix FQDN: https://github.com/NixOS/nixpkgs/issues/94011
|
||||
https://github.com/NixOS/nixpkgs/issues/261269
|
||||
- (it is included by default, just included as error message
|
||||
in a weird state)
|
||||
|
||||
- [x] Ensure client is working correctly
|
||||
- [x] Ensure kinit works on darbu
|
||||
- [x] Ensure kpasswd works on darbu
|
||||
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
|
||||
|
||||
- [ ] Ensure kdc is working correctly
|
||||
- [x] Ensure kinit works on dagali
|
||||
- [x] Ensure kpasswd works on dagali
|
||||
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
|
||||
|
||||
- [x] Fix FQDN
|
||||
- https://github.com/NixOS/nixpkgs/issues/94011
|
||||
- https://github.com/NixOS/nixpkgs/issues/261269
|
||||
- Possibly fixed by disabling systemd-resolved
|
||||
|
||||
- [ ] setup cyrus sasl
|
||||
- [x] ensure running with systemd
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
{ config, pkgs, values, ... }:
|
||||
{ config, pkgs, values, lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
@ -7,7 +7,7 @@
|
||||
../../misc/metrics-exporters.nix
|
||||
|
||||
./services/heimdal.nix
|
||||
./services/openldap.nix
|
||||
#./services/openldap.nix
|
||||
./services/cyrus-sasl.nix
|
||||
];
|
||||
|
||||
@ -21,7 +21,11 @@
|
||||
services.resolved.enable = false;
|
||||
|
||||
networking.hostName = "dagali";
|
||||
networking.search = [ "pvv.ntnu.no" "pvv.org" ];
|
||||
networking.domain = lib.mkForce "pvv.local";
|
||||
networking.hosts = {
|
||||
"129.241.210.185" = [ "dagali.pvv.local" ];
|
||||
};
|
||||
#networking.search = [ "pvv.ntnu.no" "pvv.org" ];
|
||||
networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
|
||||
networking.tempAddresses = "disabled";
|
||||
networking.networkmanager.enable = true;
|
||||
|
@ -1,22 +1,15 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
|
||||
realm = "PVV.NTNU.NO";
|
||||
|
||||
realm = "PVV.LOCAL";
|
||||
cfg = config.security.krb5;
|
||||
in
|
||||
{
|
||||
security.krb5 = {
|
||||
enable = true;
|
||||
|
||||
# NOTE: This has a small edit that moves an include header to $dev/include.
|
||||
# It is required in order to build smbk5pwd, because of some nested includes.
|
||||
# NOTE: This is required in order to build smbk5pwd, because of some nested includes.
|
||||
# We should open an issue upstream (heimdal, not nixpkgs), but this patch
|
||||
# will do for now.
|
||||
# package = pkgs.callPackage ./package.nix {
|
||||
# inherit (pkgs.apple_sdk.frameworks)
|
||||
# CoreFoundation Security SystemConfiguration;
|
||||
# };
|
||||
package = pkgs.heimdal.overrideAttrs (prev: {
|
||||
postInstall = prev.postInstall + ''
|
||||
cp include/heim_threads.h $dev/include
|
||||
@ -24,10 +17,12 @@ in
|
||||
});
|
||||
|
||||
settings = {
|
||||
# logging.kdc = "CONSOLE";
|
||||
realms.${realm} = {
|
||||
admin_server = "dagali.pvv.ntnu.no";
|
||||
kdc = [ "localhost" ];
|
||||
kdc = [ "dagali.${lib.toLower realm}" ];
|
||||
admin_server = "dagali.${lib.toLower realm}";
|
||||
kpasswd_server = "dagali.${lib.toLower realm}";
|
||||
default_domain = lib.toLower realm;
|
||||
primary_kdc = "dagali.${lib.toLower realm}";
|
||||
};
|
||||
|
||||
kadmin.default_keys = lib.concatStringsSep " " [
|
||||
@ -42,14 +37,17 @@ in
|
||||
|
||||
libdefaults = {
|
||||
default_realm = realm;
|
||||
dns_lookup_kdc = false;
|
||||
dns_lookup_realm = false;
|
||||
};
|
||||
|
||||
domain_realm = {
|
||||
"pvv.ntnu.no" = realm;
|
||||
".pvv.ntnu.no" = realm;
|
||||
"${lib.toLower realm}" = realm;
|
||||
".${lib.toLower realm}" = realm;
|
||||
};
|
||||
|
||||
logging = {
|
||||
# kdc = "CONSOLE";
|
||||
kdc = "SYSLOG:DEBUG:AUTH";
|
||||
admin_server = "SYSLOG:DEBUG:AUTH";
|
||||
default = "SYSLOG:DEBUG:AUTH";
|
||||
@ -61,8 +59,22 @@ in
|
||||
enable = true;
|
||||
settings = {
|
||||
realms.${realm} = {
|
||||
dbname = "/var/heimdal/heimdal";
|
||||
mkey = "/var/heimdal/mkey";
|
||||
dbname = "/var/lib/heimdal/heimdal";
|
||||
mkey = "/var/lib/heimdal/m-key";
|
||||
acl = [
|
||||
{
|
||||
principal = "kadmin/admin";
|
||||
access = "all";
|
||||
}
|
||||
{
|
||||
principal = "felixalb/admin";
|
||||
access = "all";
|
||||
}
|
||||
{
|
||||
principal = "oysteikt/admin";
|
||||
access = "all";
|
||||
}
|
||||
];
|
||||
};
|
||||
# kadmin.default_keys = lib.concatStringsSep " " [
|
||||
# "aes256-cts-hmac-sha1-96:pw-salt"
|
||||
@ -77,4 +89,12 @@ in
|
||||
# password_quality.min_length = 8;
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 88 464 749 ];
|
||||
networking.firewall.allowedUDPPorts = [ 88 464 749 ];
|
||||
|
||||
networking.hosts = {
|
||||
"127.0.0.2" = lib.mkForce [ ];
|
||||
"::1" = lib.mkForce [ ];
|
||||
};
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
services.openldap = let
|
||||
dn = "dc=kerberos,dc=pvv,dc=ntnu,dc=no";
|
||||
dn = "dc=pvv,dc=ntnu,dc=no";
|
||||
cfg = config.services.openldap;
|
||||
|
||||
heimdal = config.security.krb5.package;
|
||||
@ -80,7 +80,7 @@
|
||||
objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
|
||||
olcOverlay = "{0}smbk5pwd";
|
||||
olcSmbK5PwdEnable = [ "krb5" "samba" ];
|
||||
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 30);
|
||||
olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
|
||||
};
|
||||
|
||||
"olcDatabase={1}mdb".attrs = {
|
||||
@ -91,7 +91,7 @@
|
||||
olcSuffix = dn;
|
||||
|
||||
# TODO: PW is supposed to be a secret, but it's probably fine for testing
|
||||
olcRootDN = "cn=admin,${dn}";
|
||||
olcRootDN = "cn=users,${dn}";
|
||||
|
||||
# TODO: replace with proper secret
|
||||
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
|
||||
@ -101,7 +101,7 @@
|
||||
|
||||
olcAccess = [
|
||||
''{0}to attrs=userPassword,shadowLastChange
|
||||
by dn.exact=cn=admin,${dn} write
|
||||
by dn.exact=cn=users,${dn} write
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none''
|
||||
@ -111,7 +111,7 @@
|
||||
|
||||
/* allow read on anything else */
|
||||
# ''{2}to *
|
||||
# by cn=admin,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
|
||||
# by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
|
||||
# by * read''
|
||||
];
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user