Bug#1002018: debian-edu-config: provide means to deploy a proper krb5.keytab to diskless workstations

To: 1002018@bugs.debian.org
Subject: Bug#1002018: debian-edu-config: provide means to deploy a proper krb5.keytab to diskless workstations
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Tue, 21 Dec 2021 14:15:29 +0000
Message-id: <[🔎] 20211221141529.Horde.icsxNoEGI6cWzq0lLwAdHyA@mail.das-netzwerkteam.de>
Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 1002018@bugs.debian.org
In-reply-to: <[🔎] 20211220142226.Horde.kQAcV8vFKG85dg8vTe8hmSI@mail.das-netzwerkteam.de>
References: <[🔎] 20211220142226.Horde.kQAcV8vFKG85dg8vTe8hmSI@mail.das-netzwerkteam.de>

Hi all, hi esp. Wolfgang,

On  Mo 20 Dez 2021 15:22:26 CET, Mike Gabriel wrote:

Package: debian-edu-config
Severity: wishlist
Version: 2.12.14
On a Debian Edu 11 network, NFS home mounts are only allowed viaNFSv4 + sec=krb5i. For this, the user and the host need to acquirevalid Kerberos ticket.
While the user can acquire their ticket via login (pam_krb5.so), thehost needs to obtain two tickets (a host and a service ticket)elsewhere. This is normally done via two key entries in/etc/krb5.keytab.
Those host / service key entries are tied to the hostname of themachine, which is problematic on diskless machines (because the samesystem (chroot / squashfs image) can be used on several hosts on thenetwork, with different hostnames.
The idea here is to deploy a specific (optional) hack on the DebianEdu network that will allow us to boot diskless workstations withsupport for NFSv4 and krb5i.
The idea outline for this is this:

  * add a "diskless-workstation-hosts" NIS netgroup to LDAP
  * let the admins put all their DLW hosts into that NIS netgroup
  * on host modification, gosa-modify-host will update a file e.g.
    /var/lib/debian/krb5.keytab_dlw; this file contains all
    host/<client> and nfs/<client> principal keys for all known
    diskless workstations
  * on DLW boot, root@DLW will be able to SSH into tjener (as
    unprivileged user with access to /var/lib/debian/krb5.keytab_dlw
    and copy that file onto the DLW as /etc/krb5.keytab at runtime).
  * on the DLW some more permission adjustments are required root:root:0600
    for /etc/krb5.keytab)
  * with this, NFS krb5i should work on DLWs just fine and we don't
    expose any information to non-root users on the network

light+love
Mike


I have the above approach up and running and it works like charme.

Finally, we (Debian Edu, my customers) have krb5i based NFS homes for DLWs!!!

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpVcL2PB1DhH.pgp
Description: Digitale PGP-Signatur

Reply to:

References:
- Bug#1002018: debian-edu-config: provide means to deploy a proper krb5.keytab to diskless workstations
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Prev by Date: Bug#1002019: debian-edu-config: /etc/debian-edu/host-keytabs/ contain non-config data
Next by Date: Bug#1002299: debian-edu-config: hosts installed via the minimal profile lack libpam-krb5 and fail to mount NFS krb5i shares on TJENER
Previous by thread: Bug#1002018: debian-edu-config: provide means to deploy a proper krb5.keytab to diskless workstations
Next by thread: Bug#1002019: debian-edu-config: /etc/debian-edu/host-keytabs/ contain non-config data
Index(es):
- Date
- Thread