From 2b05e1d33eff84aec21202d09821a54c95446a24 Mon Sep 17 00:00:00 2001 From: Bill MacAllister Date: Sun, 3 Apr 2016 18:40:00 +0000 Subject: Add ad-keytab, update Wallet::Config * This ad-keytab is useful in the initial setup of AD as a keytab store for wallet. * Change configuration variables to correctly reflect that some values are relative distinguished names. * Add a configuration variable for the base distinguished name for ActiveDirectory. --- perl/lib/Wallet/Config.pm | 78 +++++++++++++++++++++++++++++++------------- perl/lib/Wallet/Kadmin/AD.pm | 51 +++++++++++++++-------------- 2 files changed, 81 insertions(+), 48 deletions(-) (limited to 'perl') diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm index 6515756..2222aba 100644 --- a/perl/lib/Wallet/Config.pm +++ b/perl/lib/Wallet/Config.pm 
@@ -415,40 +415,39 @@ our $KEYTAB_TMP; =back -The following parameters are specific to generating keytabs from Active -Directory (KEYTAB_KRBTYPE is set to C). +The following parameters are specific to generating keytabs from +Active Directory (KEYTAB_KRBTYPE is set to C). =over 4 -=item AD_CACHE - -Specifies the ticket cache to use when manipulating Active Directory objects. -The ticket cache must be for a principal able to bind to Active Directory and -run B. +=item AD_BASE_DN -AD_CACHE must be set to use Active Directory support. +The base distinguished name of the ActiveDirectory instance. This is +use when Wallet uses LDAP directly to examine objects in Active +Directory. =cut -our $AD_CACHE; +our $AD_BASE_DN; -=item AD_COMPUTER_DN +=item AD_COMPUTER_RDN -The LDAP base DN for computer objects inside Active Directory. All keytabs of -the form host/ will be mapped to objects with a C of -the portion under this DN. +The LDAP base DN for computer objects inside Active Directory. All +keytabs of the form host/ will be mapped to objects with a +C of the portion under this DN. -AD_COMPUTER_DN must be set if using Active Directory as the keytab backend. +AD_COMPUTER_RDN must be set if using Active Directory as the keytab +backend. =cut -our $AD_COMPUTER_DN; +our $AD_COMPUTER_RDN; =item AD_DEBUG -If set to true, asks for some additional debugging information, such as the -B command, to be logged to syslog. These debugging messages will be -logged to the C facility. +If set to true, asks for some additional debugging information, such +as the B command, to be logged to syslog. These debugging +messages will be logged to the C facility. =cut 
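Review bot: The renamed AD_COMPUTER_RDN entry still opens with `The LDAP base DN for computer objects inside Active Directory`, but this same commit has ldap_base_filter and ad_delete in Wallet/Kadmin/AD.pm append `,` and AD_BASE_DN to it, so the value is a relative DN and the description now misleads a reader configuring it. Suggest `The relative distinguished name of the container holding computer objects, without the AD_BASE_DN suffix; the full search base is AD_COMPUTER_RDN followed by a comma and AD_BASE_DN.` The AD_USER_RDN entry in the next hunk keeps the same stale `LDAP base DN` wording and needs the parallel sentence. The new AD_BASE_DN text also reads `This is use when`, which should be `This is used when`.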
@@ -464,17 +463,25 @@ default PATH. our $AD_MSKTUTIL = 'msktutil'; -=item AD_USER_DN +=item AD_SERVER + +The hostname of the Active Directory Domain Controller. + +=cut + +our $AD_SERVER; + +=item AD_USER_RDN The LDAP base DN for user objects inside Active Directory. All keytabs of the form service/ will be mapped to objects with a C matching the wallet object name under this DN. -AD_USER_DN must be set if using Active Directory as the keytab backend. +AD_USER_RDN must be set if using Active Directory as the keytab backend. =cut -our $AD_USER_DN; +our $AD_USER_RDN; =back @@ -482,8 +489,9 @@ our $AD_USER_DN; Heimdal provides the choice, over the network protocol, of either downloading the existing keys for a principal or generating new random -keys. MIT Kerberos does not; downloading a keytab over the kadmin -protocol always rekeys the principal. +keys. Neither MIT Kerberos or ActiveDirectory support retrieving an +existing keytab; downloading a keytab over the kadmin protocol or +using msktutil always rekeys the principal. For MIT Kerberos, the keytab object backend therefore optionally supports retrieving existing keys, and hence keytabs, for Kerberos principals by @@ -491,6 +499,11 @@ contacting the KDC via remctl and talking to B. This is enabled by setting the C flag on keytab objects. To configure that support, set the following variables. +For ActiveDirectory Kerberos, the keytab object backend supports +storing the keytabs on the wallet server. This functionality is +enabled by setting the configuration variable AD_KEYTAB_BUCKET. (This +had not been implemented yet.) + This is not required for Heimdal; for Heimdal, setting the C flag is all that's needed. 
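Review bot: The new AD_SERVER entry says only `The hostname of the Active Directory Domain Controller` and does not state whether it is required or which code path reads it, and the rewritten configuration check in msktutil() in Wallet/Kadmin/AD.pm (later in this diff) does not test it, so an unset value would presumably surface only when the LDAP path is exercised. Suggest adding `AD_SERVER must be set when Wallet examines Active Directory objects over LDAP (see AD_BASE_DN); it is not used by the msktutil path.` if that matches the intended consumer, or naming the consumer that does use it. The added paragraph about the keytab bucket says the backend `supports storing the keytabs on the wallet server` and in the same breath `(This had not been implemented yet.)`; state one or the other, e.g. `Support for storing keytabs on the wallet server is planned but not yet implemented; see AD_KEYTAB_BUCKET.` In the same hunk `Neither MIT Kerberos or ActiveDirectory` should read `Neither MIT Kerberos nor Active Directory`.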
@@ -542,6 +555,25 @@ will be used. our $KEYTAB_REMCTL_PORT; +=item AD_CACHE + +The ticket cache that hold credentials used to access the +ActiveDirectory KDC. This must be created and maintained externally. + +=cut + +our $AD_CACHE; + +=item AD_KEYTAB_BUCKET + +The path to store a copy of keytabs created. This is required for the +support of unchanging keytabs with an ActiveDirectory KDC. (This has +not been implemented yet.) + +=cut + +our $AD_KEYTAB_BUCKET = '/var/lib/wallet/keytabs'; + =back =head1 WEBAUTH KEYRING OBJECT CONFIGURATION diff --git a/perl/lib/Wallet/Kadmin/AD.pm b/perl/lib/Wallet/Kadmin/AD.pm index ec60af9..1c13ab6 100644 --- a/perl/lib/Wallet/Kadmin/AD.pm +++ b/perl/lib/Wallet/Kadmin/AD.pm @@ -1,8 +1,8 @@ # Wallet::Kadmin::AD -- Wallet Kerberos administration API for AD # -# Written by Bill MacAllister +# Written by Bill MacAllister # Copyright 2016 Russ Allbery -# Copyright 2015 Dropbox, Inc. +# Copyright 2015,2016 Dropbox, Inc. # Copyright 2007, 2008, 2009, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # @@ -100,17 +100,19 @@ sub ldap_base_filter { my $fqdn = $1; my $host = $fqdn; $host =~ s/[.].*//xms; - $base = $Wallet::Config::AD_COMPUTER_DN; $filter = "(samAccountName=${host}\$)"; + $base = $Wallet::Config::AD_COMPUTER_RDN . ',' + . $Wallet::Config::AD_BASE_DN; } elsif ($principal =~ m,^service/(\S+),xms) { my $id = $1; - $base = $Wallet::Config::AD_USER_DN; $filter = "(servicePrincipalName=service/${id})"; + $base + = $Wallet::Config::AD_USER_RDN . ',' . $Wallet::Config::AD_BASE_DN; } return ($base, $filter); } -# TODO: Get a keytab from the keytab cache. +# TODO: Get a keytab from the keytab bucket. sub get_ad_keytab { my ($self, $principal) = @_; return; 
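Review bot: AD_KEYTAB_BUCKET gets a live default of `/var/lib/wallet/keytabs` even though the entry says the feature is not implemented, and the entry says nothing about the sensitivity of what will land there; a directory holding copies of every issued keytab needs the same protection as the wallet database. Suggest adding `Any keytab written here is a long-lived credential: the directory must be owned by the wallet server user and not readable by other accounts.` to the POD, and either dropping the default until the code exists or documenting that the path is currently unused. The relocated AD_CACHE entry no longer says that the ticket cache is what authenticates Wallet to Active Directory, while msktutil() in Wallet/Kadmin/AD.pm stops requiring it and now requires KEYTAB_PRINCIPAL and KEYTAB_FILE instead, which suggests the msktutil path obtains its own credentials; the entry should say which path (LDAP or msktutil) actually consumes AD_CACHE so an operator knows whether it is still mandatory.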
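Review bot: The new `$base` assignments in ldap_base_filter concatenate AD_COMPUTER_RDN (or AD_USER_RDN) with AD_BASE_DN without checking that either is defined, so an unset variable produces a search base such as `,dc=example` with nothing more than an uninitialized-value warning. The only configuration guard in this module is inside msktutil(), so if ldap_base_filter is reachable on the LDAP path before msktutil has run, the guard belongs here as well, e.g. `die "Active Directory support not configured\n" unless defined $Wallet::Config::AD_BASE_DN and defined $Wallet::Config::AD_COMPUTER_RDN and defined $Wallet::Config::AD_USER_RDN;` at the top of the sub. The rewritten `$dn` lines in ad_delete later in this diff build DNs the same way and have the same gap. ldap_base_filter begins outside this hunk.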
@@ -125,13 +127,16 @@ sub get_ad_keytab { sub msktutil { my ($self, $args_ref) = @_; unless (defined($Wallet::Config::KEYTAB_HOST) + and defined($Wallet::Config::KEYTAB_PRINCIPAL) + and defined($Wallet::Config::KEYTAB_FILE) and defined($Wallet::Config::KEYTAB_REALM)) { die "keytab object implementation not configured\n"; } - unless (defined($Wallet::Config::AD_CACHE) - and defined($Wallet::Config::AD_COMPUTER_DN) - and defined($Wallet::Config::AD_USER_DN)) + unless (-e $Wallet::Config::AD_MSKTUTIL + and defined($Wallet::Config::AD_BASE_DN) + and defined($Wallet::Config::AD_COMPUTER_RDN) + and defined($Wallet::Config::AD_USER_RDN)) { die "Active Directory support not configured\n"; } @@ -192,14 +197,16 @@ sub ad_create_update { my $fqdn = $1; my $host = $fqdn; $host =~ s/[.].*//xms; + push @cmd, '--base', $Wallet::Config::COMPUTER_RDN; push @cmd, '--dont-expire-password'; push @cmd, '--computer-name', $host; - push @cmd, '--upn', "host/$fqdn"; - push @cmd, '--hostname', $fqdn; + push @cmd, '--upn', "host/$fqdn"; + push @cmd, '--hostname', $fqdn; } elsif ($principal =~ m,^service/(\S+),xms) { my $service_id = $1; + push @cmd, '--base', $Wallet::Config::USER_RDN; push @cmd, '--use-service-account'; - push @cmd, '--service', "service/$service_id"; + push @cmd, '--service', "service/$service_id"; push @cmd, '--account-name', "srv-${service_id}"; push @cmd, '--no-pac'; } @@ -365,9 +372,15 @@ sub ad_delete { if ($k_type eq 'host') { my $host = $k_id; $host =~ s/[.].*//; - $dn = "cn=${host}," . $Wallet::Config::AD_COMPUTER_DN; + $dn + = "cn=${host}," + . $Wallet::Config::AD_COMPUTER_RDN . ',' + . $Wallet::Config::AD_BASE_DN; } elsif ($k_type eq 'service') { - $dn = "cn=srv-${k_id}," . $Wallet::Config::AD_USER_DN; + $dn + = "cn=srv-${k_id}," + . $Wallet::Config::AD_USER_RDN . ',' + . $Wallet::Config::AD_BASE_DN; } } 
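Review bot: The new `-e $Wallet::Config::AD_MSKTUTIL` test does not do what the surrounding message implies: AD_MSKTUTIL defaults to the bare name `msktutil` (the earlier Config.pm hunk says it is found via PATH), and `-e` on a bare name looks in the current working directory, so the default configuration dies with `Active Directory support not configured` unless a file named msktutil happens to be in the working directory, which is also the only case the check would accept. Either drop the file test or apply it only to explicit paths: `my $msktutil = $Wallet::Config::AD_MSKTUTIL;` / `die "Active Directory support not configured\n" if $msktutil =~ m{/}xms and not -x $msktutil;`, leaving bare names to PATH resolution. The AD_CACHE requirement is removed from this check at the same time; if AD_CACHE is still what the LDAP path authenticates with, that requirement should move to the LDAP code rather than disappear. msktutil's body continues past the end of the hunk.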
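Review bot: The two added `--base` lines in ad_create_update read `$Wallet::Config::COMPUTER_RDN` and `$Wallet::Config::USER_RDN`, but Config.pm in this same commit declares `$AD_COMPUTER_RDN` and `$AD_USER_RDN`; because the names are fully qualified, `use strict` does not catch this, so the code compiles and pushes undef after `--base`. The fix is `push @cmd, '--base', $Wallet::Config::AD_COMPUTER_RDN;` in the host branch and `push @cmd, '--base', $Wallet::Config::AD_USER_RDN;` in the service branch. A test that asserts the assembled `@cmd` contains the configured RDN after `--base` would have caught this, since `perl -c` cannot. ad_create_update begins before and continues after this hunk.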
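Review bot: The rewritten `$dn` lines in ad_delete interpolate `$host` and `$k_id` directly into the `cn=` component, so if a wallet object name can reach here containing a DN-special character (`,`, `+`, `=`, `"`, `\`, `<`, `>`, `;`), the delete is issued against a different entry than the one named; whether names are validated upstream is not visible in this diff. If the module already loads Net::LDAP, `Net::LDAP::Util::escape_dn_value` is the idiomatic guard: `= 'cn=' . escape_dn_value($host) . ','` and `= 'cn=srv-' . escape_dn_value($k_id) . ','`. The context line `$host =~ s/[.].*//;` in this hunk is the one place in the file that strips the host without the `/xms` flags the sibling code uses; harmless, but worth aligning. ad_delete begins outside this hunk.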
@@ -435,18 +448,6 @@ using a local keytab cache. To use this class, several configuration parameters must be set. See L for details. -=head1 FILES - -=over 4 - -=item KEYTAB_TMP/keytab. - -The keytab is created in this file and then read into memory. KEYTAB_TMP -is set in the wallet configuration, and is the process ID of the -current process. The file is unlinked after being read. - -=back - =head1 LIMITATIONS Currently, this implementation calls an external B program rather -- cgit v1.2.3