WIP: Move krb5 realm to pvv.local, make sane ldap structure

base/networking.nix

@@ -3,6 +3,10 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

flake.nix

@@ -145,6 +145,8 @@
           inputs.gergle.overlays.default
         ];
       };
+
+      dagali = unstableNixosConfig "dagali" { };
     };
 
     nixosModules = {

hosts/dagali/TODO.md

@@ -0,0 +1,78 @@
+# Tracking document for new PVV kerberos auth stack
+
+![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
+
+<div align="center">
+  Bensinstasjon på heimdal
+</div>
+
+### TODO:
+
+- [ ] setup heimdal
+  - [x] ensure running with systemd
+  - [x] compile smbk5pwd (part of openldap)
+  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
+  - [ ] fully initialize PVV.NTNU.NO
+    - [x] `kadmin -l init PVV.NTNU.NO`
+    - [x] add oysteikt/admin@PVV.NTNU.NO principal
+    - [x] add oysteikt@PVV.NTNU.NO principal
+    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
+      - why is this needed, and where is it documented?
+      - `kadmin check` seems to work under sudo?
+      - (it is included by default, just included as error message
+         in a weird state)
+
+    - [x] Ensure client is working correctly
+      - [x] Ensure kinit works on darbu
+      - [x] Ensure kpasswd works on darbu
+      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
+
+    - [ ] Ensure kdc is working correctly
+      - [x] Ensure kinit works on dagali
+      - [x] Ensure kpasswd works on dagali
+      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
+
+    - [x] Fix FQDN
+      - https://github.com/NixOS/nixpkgs/issues/94011
+      - https://github.com/NixOS/nixpkgs/issues/261269
+      - Possibly fixed by disabling systemd-resolved
+
+- [ ] setup cyrus sasl
+  - [x] ensure running with systemd 
+  - [x] verify GSSAPI support plugin is installed
+    - `nix-shell -p cyrus_sasl --command pluginviewer`
+  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
+  - [x] verify cyrus sasl is able to talk to heimdal
+    - `sudo testsaslauthd -u oysteikt -p <password>`
+  - [ ] provide ldap principal to cyrus sasl through keytab
+
+- [ ] setup openldap
+  - [x] ensure running with systemd
+  - [ ] verify openldap is able to talk to cyrus sasl
+  - [ ] create user for oysteikt in openldap
+  - [ ] authenticate openldap login through sasl
+    - does this require creating an ldap user?
+
+- [ ] fix smbk5pwd integration
+  - [x] add smbk5pwd schemas to openldap
+  - [x] create openldap db for smbk5pwd with overlays
+  - [ ] test to ensure that user sync is working
+  - [ ] test as user source (replace passwd)
+  - [ ] test as PAM auth source
+  - [ ] test as auth source for 3rd party appliation
+
+- [ ] Set up ldap administration panel
+  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
+
+- [ ] Set up kerberos SRV DNS entry
+
+### Information and URLS
+
+- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
+- Use a keytab: https://kb.iu.edu/d/aumh
+- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
+- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
+- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
+- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
+- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -0,0 +1,51 @@
+
+{ config, pkgs, values, lib, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../base.nix
+    ../../misc/metrics-exporters.nix
+
+    ./services/heimdal.nix
+    #./services/openldap.nix
+    ./services/cyrus-sasl.nix
+  ];
+
+  # buskerud does not support efi?
+  # boot.loader.systemd-boot.enable = true;
+  # boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  # resolved messes up FQDN coming from nscd
+  services.resolved.enable = false;
+
+  networking.hostName = "dagali";
+  networking.domain = lib.mkForce "pvv.local";
+  networking.hosts = {
+    "129.241.210.185" = [ "dagali.pvv.local" ];
+  };
+  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
+  networking.tempAddresses = "disabled";
+  networking.networkmanager.enable = true;
+
+  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
+  };
+
+  # List packages installed in system profile
+  environment.systemPackages = with pkgs; [
+    # TODO: consider adding to base.nix
+    nix-output-monitor
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

hosts/dagali/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/dagali/services/cyrus-sasl.nix

@@ -0,0 +1,21 @@
+{ config, ... }:
+let
+  cfg = config.services.saslauthd;
+in
+{
+  # TODO: This is seemingly required for openldap to authenticate
+  #       against kerberos, but I have no idea how to configure it as
+  #       such. Does it need a keytab? There's a binary "testsaslauthd"
+  #       that follows with `pkgs.cyrus_sasl` that might be useful.
+  services.saslauthd = {
+    enable = true;
+    mechanism = "kerberos5";
+    config = ''
+      mech_list: gs2-krb5 gssapi
+      keytab: /etc/krb5.keytab
+    '';
+  };
+
+  # TODO: maybe the upstream module should consider doing this?
+  environment.systemPackages = [ cfg.package ];
+}

hosts/dagali/services/heimdal.nix

@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+let
+  realm = "PVV.LOCAL";
+  cfg = config.security.krb5;
+in
+{
+  security.krb5 = {
+    enable = true;
+
+    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
+    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
+    #       will do for now.
+    package = pkgs.heimdal.overrideAttrs (prev: {
+      postInstall = prev.postInstall + ''
+        cp include/heim_threads.h $dev/include
+      '';
+    });
+
+    settings = {
+      realms.${realm} = {
+        kdc = [ "dagali.${lib.toLower realm}" ];
+        admin_server = "dagali.${lib.toLower realm}";
+        kpasswd_server = "dagali.${lib.toLower realm}";
+        default_domain = lib.toLower realm;
+        primary_kdc = "dagali.${lib.toLower realm}";
+      };
+
+      kadmin.default_keys = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96:pw-salt"
+        "aes128-cts-hmac-sha1-96:pw-salt"
+      ];
+
+      libdefaults.default_etypes = lib.concatStringsSep " " [
+        "aes256-cts-hmac-sha1-96"
+        "aes128-cts-hmac-sha1-96"
+      ];
+
+      libdefaults = {
+        default_realm = realm;
+        dns_lookup_kdc = false;
+        dns_lookup_realm = false;
+      };
+
+      domain_realm = {
+        "${lib.toLower realm}" = realm;
+        ".${lib.toLower realm}" = realm;
+      };
+
+      logging = {
+        # kdc = "CONSOLE";
+        kdc = "SYSLOG:DEBUG:AUTH";
+        admin_server = "SYSLOG:DEBUG:AUTH";
+        default = "SYSLOG:DEBUG:AUTH";
+      };
+    };
+  };
+
+  services.kerberos_server = {
+    enable = true;
+    settings = {
+      realms.${realm} = {
+        dbname = "/var/lib/heimdal/heimdal";
+        mkey = "/var/lib/heimdal/m-key";
+        acl = [
+          {
+            principal = "kadmin/admin";
+            access = "all";
+          }
+          {
+            principal = "felixalb/admin";
+            access = "all";
+          }
+          {
+            principal = "oysteikt/admin";
+            access = "all";
+          }
+        ];
+      };
+      # kadmin.default_keys = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96:pw-salt"
+      #   "aes128-cts-hmac-sha1-96:pw-salt"
+      # ];
+
+      # libdefaults.default_etypes = lib.concatStringsSep " " [
+      #   "aes256-cts-hmac-sha1-96"
+      #   "aes128-cts-hmac-sha1-96"
+      # ];
+
+      # password_quality.min_length = 8;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
+  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
+
+  networking.hosts = {
+    "127.0.0.2" = lib.mkForce [ ];
+    "::1" = lib.mkForce [ ];
+  };
+}

hosts/dagali/services/openldap.nix

@@ -0,0 +1,121 @@
+{ config, pkgs, lib, ... }:
+{
+  services.openldap = let
+    dn = "dc=pvv,dc=ntnu,dc=no";
+    cfg = config.services.openldap;
+
+    heimdal = config.security.krb5.package;
+  in {
+    enable = true;
+
+    # NOTE: this is a custom build of openldap with support for
+    #       perl and kerberos.
+    package = pkgs.openldap.overrideAttrs (prev: {
+      # https://github.com/openldap/openldap/blob/master/configure
+      configureFlags = prev.configureFlags ++ [
+        # Connect to slapd via UNIX socket
+        "--enable-local"
+        # Cyrus SASL
+        "--enable-spasswd"
+        # Reverse hostname lookups
+        "--enable-rlookups"
+        # perl
+        "--enable-perl"
+      ];
+
+      buildInputs = prev.buildInputs ++ [
+        pkgs.perl
+	# NOTE: do not upstream this, it might not work with
+	#       MIT in the same way
+        heimdal
+      ];
+
+      extraContribModules = prev.extraContribModules ++ [
+        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
+        "smbk5pwd"
+      ];
+    });
+
+    settings = {
+      attrs = {
+        olcLogLevel = [ "stats" "config" "args" ];
+
+        # olcAuthzRegexp = ''
+        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
+        #         "uid=heimdal,${dn2}"
+        # '';
+
+        # olcSaslSecProps = "minssf=0";
+      };
+
+      children = {
+        "cn=schema".includes = let
+          # NOTE: needed for smbk5pwd.so module
+          schemaToLdif = name: path: pkgs.runCommandNoCC name {
+            buildInputs = with pkgs; [ schema2ldif ];
+          } ''
+            schema2ldif "${path}" > $out
+          '';
+
+          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
+          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
+        in [
+           "${cfg.package}/etc/schema/core.ldif"
+           "${cfg.package}/etc/schema/cosine.ldif"
+           "${cfg.package}/etc/schema/nis.ldif"
+           "${cfg.package}/etc/schema/inetorgperson.ldif"
+           "${hdb-ldif}"
+           "${samba-ldif}"
+        ];
+
+        # NOTE: installation of smbk5pwd.so module
+        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
+        "cn=module{0}".attrs = {
+          objectClass = [ "olcModuleList" ];
+          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
+        };
+
+        # NOTE: activation of smbk5pwd.so module for {1}mdb
+        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
+          olcOverlay = "{0}smbk5pwd";
+          olcSmbK5PwdEnable = [ "krb5" "samba" ];
+          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
+        };
+
+        "olcDatabase={1}mdb".attrs = {
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+          olcDatabase = "{1}mdb";
+
+          olcSuffix = dn;
+
+          # TODO: PW is supposed to be a secret, but it's probably fine for testing
+          olcRootDN = "cn=users,${dn}";
+
+          # TODO: replace with proper secret
+          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
+
+          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
+          olcDbIndex = "objectClass eq";
+
+          olcAccess = [
+            ''{0}to attrs=userPassword,shadowLastChange
+                by dn.exact=cn=users,${dn} write
+                by self write
+                by anonymous auth
+                by * none''
+
+            ''{1}to dn.base=""
+                by * read''
+
+            /* allow read on anything else */
+            # ''{2}to *
+            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
+            #     by * read''
+          ];
+        };
+      };
+    };
+  };
+}

values.nix

@@ -31,6 +31,10 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
+    dagali = {
+      ipv4 = pvv-ipv4 185;
+      ipv6 = pvv-ipv6 185;
+    };
     ildkule = {
       ipv4 = "129.241.153.213";
       ipv4_internal = "192.168.12.209";