May 14

One day I found that one of our Kerberos servers had run out of disk space. The cause was simple: Kerberos does not rotate its own logs, and nothing else on the box rotated them either, so /var/log/krb5kdc.log and /var/log/kadmind.log had grown until they filled the disk. Here is how to make the Kerberos logs rotate.

Edit the /etc/logrotate.d/krb5kdc file:

# vi /etc/logrotate.d/krb5kdc
/var/log/krb5kdc.log {
    missingok
    notifempty
    create 0640 root root
    postrotate
        /etc/init.d/krb5kdc condrestart >/dev/null 2>&1 || true
    endscript
}

And edit the /etc/logrotate.d/kadmin file:

/var/log/kadmind.log {
    missingok
    notifempty
    create 0640 root root
    postrotate
        /etc/init.d/kadmin condrestart >/dev/null 2>&1 || true
    endscript
}

With these two files in place, logrotate rotates both logs on its own. The schedule and retention are not set in the stanzas above, so they are inherited from /etc/logrotate.conf (weekly, four rotations on a stock Red Hat style configuration); add "weekly" and "rotate N" to the stanzas if you want something different. The postrotate step restarts the daemons so they reopen the new log file; condrestart only restarts a daemon that is already running, but a KDC restart does briefly refuse requests, so keep that in mind when the rotation runs. To test the rotation, use the following command (the -f forces rotation of every configured log, not just these two; use -d first for a dry run):

# logrotate -f -v /etc/logrotate.conf
May 09

When I used freeradius-1.1.3-1.2.el5 on SL5 (RHEL5) to authenticate against Kerberos, it always died with "Segmentation fault". The error messages looked like this:

modcall: group authorize returns ok for request 1
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
Segmentation fault

I searched Google for a while and found nothing useful, so I gave up on the packaged version and went to the FreeRADIUS web site instead. I downloaded FreeRADIUS 2.1.4, built it on SL5 (RHEL5), and it works! Here is how to build FreeRADIUS 2.1.4 on SL5 (RHEL5).

Step 1: Download freeradius-server-2.1.4.tar.gz. Visit http://freeradius.org/download.html to get the latest version. I normally put the file in the /usr/local/src directory.

Step 2: Extract the freeradius-server-2.1.4.tar.gz file:

# tar zxvf freeradius-server-2.1.4.tar.gz

Step 3: Build the freeradius-server RPM. Copy the freeradius-server-2.1.4.tar.gz file into the /usr/src/redhat/SOURCES/ directory:

# cp freeradius-server-2.1.4.tar.gz /usr/src/redhat/SOURCES/

Change into the "freeradius-server-2.1.4/redhat/" directory:

# cd freeradius-server-2.1.4/redhat/

Start building the FreeRADIUS RPM:

# rpmbuild -bb freeradius.spec

If you see a message like the one below, install the libtool-ltdl-devel package:

error: Failed build dependencies:
libtool-ltdl-devel is needed by freeradius-server-2.1.4-0.x86_64

Install libtool-ltdl-devel with:

# yum install libtool-ltdl-devel

After installing libtool-ltdl-devel, rebuild the FreeRADIUS RPM. It takes a couple of minutes.

Step 4: Install freeradius-server-2.1.4-0.x86_64.rpm. Change into the "/usr/src/redhat/RPMS/x86_64" directory and install the RPM with:

# rpm -ivh freeradius-server-2.1.4-0.x86_64.rpm

Step 5: Configure FreeRADIUS to authenticate against Kerberos. You need a radius/hostname.domain key in your keytab: the krb5 module obtains a ticket with the user's password and then verifies that ticket against this service key, which is what stops a spoofed KDC from "accepting" any password. Note that the module needs the clear-text password, so this only works for PAP requests, not CHAP or MS-CHAP. In my case, the radius/host1.liho.tw key is in /etc/krb5.keytab, so my configuration is as follows.

# vi /etc/raddb/modules/krb5

krb5 {
keytab = /etc/krb5.keytab
service_principal = radius/host1.liho.tw
}

# vi /etc/raddb/users

DEFAULT Auth-Type = Kerberos

# vi /etc/raddb/proxy.conf

realm LOCAL {
# If we do not specify a server pool, the realm is LOCAL, and
# requests are not proxied to it.
}

realm LIHO.TW {
authhost = host1.liho.tw:1812
accthost = host1.liho.tw:1813
secret = testing123
}

Step 6: Start the FreeRADIUS service:

# service radiusd start

To start the FreeRADIUS service at boot:

# chkconfig radiusd on

Step 7: Test FreeRADIUS authenticating against Kerberos. Replace "USERNAME" with your user name and "PASSWORD" with your password. The last argument to radtest is the shared secret between the RADIUS client and the server; for a test from localhost that is the secret defined for the localhost client in /etc/raddb/clients.conf, which the stock file sets to "testing123" (the realm secret in /etc/raddb/proxy.conf is a separate value used when proxying to the home server). That is why the command below uses "testing123"; you should replace the default with your own secret before putting the server into service.

# radtest USERNAME PASSWORD localhost 0 testing123

Sending Access-Request of id 170 to 127.0.0.1 port 1812
User-Name = "USERNAME"
User-Password = "PASSWORD"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=170, length=20

If you see an "Access-Accept packet" message, congratulations: FreeRADIUS is authenticating against Kerberos without any problem. If you see "(Shared secret is incorrect.)", the secret you gave radtest does not match the one configured for that client in /etc/raddb/clients.conf. If you see "Access-Reject", either the password was wrong or the configuration is incorrect. To dig further, stop the FreeRADIUS service and run "radiusd -X" to see the full debug output.
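The exchange radtest performs above, as an added example that is not part of the original post or of FreeRADIUS: a client that builds the same Access-Request (PAP password hiding per RFC 2865 section 5.2), a toy in-process server with a constructed user table, and the client-side Response Authenticator check that FreeRADIUS reports as "(Shared secret is incorrect.)" when the two sides disagree on the secret. The user name, password and secret are constructed for the demo; nothing touches the network.

```python
"""RADIUS (RFC 2865) PAP exchange with the shared-secret checks behind radtest.
Added example, not part of the original post or of FreeRADIUS. Standard library
only; the "server" is a function in this file and the user table is constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct(">BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

def attr(atype, value):
    """Encode one attribute: Type(1) Length(1, header included) Value (RFC 2865 s.5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes((atype, len(value) + 2)) + value

def parse_attrs(packet):
    """Yield (type, value) for every attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def hide_password(password, secret, authenticator):
    """RFC 2865 s.5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    ciphertext block); the first block is chained on the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password. With the wrong secret you get garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, keystream))
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", nas_port=0):
    """Client side: the same four attributes radtest sends in the transcript above."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack(">I", nas_port)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response, request, secret):
    """Client side. Failing here is what radtest reports as '(Shared secret is incorrect.)'."""
    if len(response) < 20 or HEADER.unpack(response[:4])[2] != len(response):
        return False
    if response[1] != request[1]:  # the reply must carry the outstanding request's Identifier
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def server_handle(request, secret, users):
    """Toy PAP server: un-hide the password and compare it with the constructed user table."""
    code, _ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(parse_attrs(request))
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)

def demo(secret=b"testing123"):
    users = {"alice": "Passw0rd"}  # constructed credentials for the demo
    req = build_access_request(170, "alice", "Passw0rd", secret)
    resp = server_handle(req, secret, users)
    return {
        "accept_code": resp[0],      # 2 = Access-Accept
        "accept_length": len(resp),  # 20: no attributes, like the transcript above
        "accept_verified": verify_response(resp, req, secret),
        # client and server disagree on the secret: the client rejects the reply...
        "wrong_client_secret_verified": verify_response(resp, req, b"wrong"),
        # ...and a server with the wrong secret un-hides garbage, so it sends Access-Reject
        "wrong_server_secret_code": server_handle(req, b"wrong", users)[0],
    }
```

Two things worth noticing: the secret never travels on the wire, it only keys the MD5 stream that hides the password and the authenticator that binds the reply to the request, so a wrong secret shows up either as an unverifiable reply (client side) or as an Access-Reject for a correct password (server side), exactly the two failure messages described above. And because MD5 keyed this way is all that protects the PAP password, the RADIUS path between NAS and server should itself be on a trusted network or inside IPsec or RadSec.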

Jan 23

Because we use OpenAFS, the Macs had to be set up for Kerberos authentication. But a Kerberos password alone is not enough: you also need an AFS token. Normally you get one by typing aklog in Terminal, but asking users to run an extra command every time they log in to the Mac makes them complain. So I asked Google, and luckily there was a breakthrough: users can now get their AFS token without typing aklog.

First, download the script at http://www.ibiblio.org/macsupport/kerberos/10.4/afs-login.sh. It runs aklog for the user right after login. On the Mac, register it as the login hook:

sudo defaults write com.apple.loginwindow LoginHook /Library/Management/afs-login.sh

Then edit the /etc/ttys file:

vi /etc/ttys

# Look for a line that reads:
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

# Edit this line so that it reads as follows (there are no breaks in this line):
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Management/afs-login.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

That's it :P This took a long time to figure out, but it's finally done :D

HOWTO: Get an AFS token (aklog) on Mac OS X after Kerberos login

Getting an AFS token on Linux is quite easy, but on Mac OS X it is painful. After you log in with Kerberos on Mac OS X, you still have to run the "aklog" command to get your AFS token before you can use OpenAFS; otherwise you have no permission to access OpenAFS files. This problem had me stuck for a while, but I finally found the solution. I assume you already have Kerberos servers ready and your Mac can talk to them.

Download the script at http://www.ibiblio.org/macsupport/kerberos/10.4/afs-login.sh. In my case, I modified the script as follows:

########## Begin Script ##########

#!/bin/tcsh -f
############################ afs-login.sh ##########################
# Mike Bydalek | mbydalek at contentconnections com
# Use 'defaults write com.apple.loginwindow LoginHook' to make this
# script run upon user login.
####################################################################
# very minor mods by bil hays (bil_hays at unc edu)
############

### Description ###
#
# This script runs aklog for the particular user upon logging in
# to grab AFS tokens. loginwindow runs the hook as root and passes
# the short name of the user who just logged in as the first argument.

### Debug/testing sanity check ###
if ( $#argv < 1 ) then
    echo "No user specified!"
    exit 1
endif

### Script action ###
# We just need to run aklog: once in the hook's own (root) context and
# once as the user, so the token is obtained from the user's own
# Kerberos tickets. The user name is quoted so an odd name cannot be
# split into extra arguments.
/usr/bin/aklog
su "$1" -c /usr/bin/aklog

### Always exit with 0 status
exit 0
########## End Script ##########

Once you have the script, you can put it wherever you like; I prefer the /Library/Management directory. Because loginwindow runs the hook as root, make sure the script and its directory are owned by root and not writable by anyone else, otherwise whoever can edit the file gets root at the next login. You also need to tell Mac OS X to use it as the login hook:

sudo defaults write com.apple.loginwindow LoginHook /Library/Management/afs-login.sh

You also need to edit the /etc/ttys file to make the login hook functional.

vi /etc/ttys

# Look for a line that reads:
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

# Edit this line so that it reads as follows (there are no breaks in this line):
#console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -LoginHook /Library/Management/afs-login.sh" vt100 on secure window=/System/Library/CoreServices/WindowServer onoption="/usr/libexec/getty std.9600"

You can use the "klist" command to check your tickets; the afs@REALM entry is the service ticket aklog obtained, and the OpenAFS "tokens" command shows the resulting AFS token itself:
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: USERNAME@XXXXX.EDU.TW

Valid Starting     Expires            Service Principal
01/23/09 16:11:42  02/22/09 16:11:42  krbtgt/XXXXX.EDU.TW@XXXXX.EDU.TW
	renew until 01/23/09 16:11:42
01/23/09 16:11:43  02/22/09 16:11:42  afs@XXXXX.EDU.TW
	renew until 01/23/09 16:11:42


Apr 01

This article assumes you already have a Kerberos server and have already created the Kerberos user accounts.

Before setting up SSO (Single Sign On), the machines must be time-synchronized with NTP; otherwise automatic login fails, because Kerberos rejects tickets whose timestamps differ from the local clock by more than the allowed skew (5 minutes by default).

First, create the host key for the target machine on the Kerberos server:

[root@kerberos ~]# kadmin
Authenticating as principal root/admin@EXAMPLE.COM with password.
Password for root/admin@EXAMPLE.COM:
kadmin: addprinc -randkey host/test.example.com
NOTICE: no policy specified for host/test.example.com@EXAMPLE.COM; assigning "default"
Principal "host/test.example.com@EXAMPLE.COM" created.
kadmin: ktadd -k /tmp/test.keytab host/test.example.com
Entry for principal host/test.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/tmp/test.keytab.
Entry for principal host/test.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/tmp/test.keytab.
kadmin: quit
[root@kerberos ~]# ktutil
ktutil: rkt /tmp/test.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 host/test.example.com@EXAMPLE.COM
2 3 host/test.example.com@EXAMPLE.COM
3 3 host/test.example.com@EXAMPLE.COM
4 3 host/test.example.com@EXAMPLE.COM
ktutil: wkt /etc/krb5.keytab
ktutil: quit

Copy the generated keytab to the machine that will be set up for SSO. (The ktutil session above is only needed for the "list"; its "wkt /etc/krb5.keytab" writes the entries into the KDC's own keytab, which the target host does not use.) The keytab is the host's long-term key, so keep it mode 0600 and owned by root on the target, and delete /tmp/test.keytab on the KDC once the copy is done:

[root@kerberos ~]# scp /tmp/test.keytab test:/etc/krb5.keytab
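The "ktutil list" above shows the principal and kvno of each entry but not the encryption type, which is the thing worth checking before a keytab goes into service. The following is an added example, not part of the original post or of MIT Kerberos: a reader and writer for the MIT keytab file format (version 0x0502) and an audit that flags entries whose enctype is deprecated (single DES by RFC 6649, RC4 and 3DES by RFC 8429). The demo keytab is constructed in memory to mirror the four entries ktadd wrote in the transcript (des3-cbc-sha1, arcfour-hmac, des-hmac-sha1, des-cbc-md5, all kvno 3) plus one AES entry at kvno 4; the keys and timestamp are dummy values. At the time of the original post those four were the KDC's defaults; today all four would be flagged.

```python
"""Read, write and audit MIT keytab files (format 0x0502). Added example, not
part of the original post or of MIT Kerberos; the demo keytab is constructed."""
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key timestamp")
NT_PRINCIPAL = 1

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
# Single DES is deprecated by RFC 6649; RC4 and 3DES by RFC 8429.
WEAK_ENCTYPES = {1, 2, 3, 8, 16, 23, 24}

def _cstr(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def write_keytab(entries):
    """Serialize entries in the v2 layout MIT krb5 uses (big-endian throughout)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # 32-bit kvno trailer, optional in the format
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def _parse_entry(body):
    pos = 0

    def take(n):
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab entry")
        pos += n
        return chunk

    def cstr():
        return take(struct.unpack(">H", take(2))[0])

    ncomp = struct.unpack(">H", take(2))[0]
    realm = cstr().decode()
    comps = [cstr().decode() for _ in range(ncomp)]
    _name_type, timestamp, vno8 = struct.unpack(">IIB", take(9))
    enctype, klen = struct.unpack(">HH", take(4))
    key = take(klen)
    # Newer MIT versions append a 32-bit kvno after the key; fall back to the 8-bit one.
    kvno = struct.unpack(">I", take(4))[0] if len(body) - pos >= 4 else vno8
    return KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, timestamp)

def parse_keytab(data):
    """Return the live entries of a keytab; deleted entries (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format (expected 0x0502)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:  # a negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        if size == 0:
            break
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def weak_entries(entries):
    """Entries whose enctype should no longer be in a keytab."""
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]

def describe(entry):
    name = ENCTYPE_NAMES.get(entry.enctype, "enctype %d" % entry.enctype)
    return "%s kvno=%d %s" % (entry.principal, entry.kvno, name)

def demo():
    host = "host/test.example.com@EXAMPLE.COM"
    ts = 1207015200  # constructed timestamp
    original = [     # the four enctypes ktadd wrote in the transcript, with dummy key bytes
        KeytabEntry(host, 3, 16, b"\x11" * 24, ts),
        KeytabEntry(host, 3, 23, b"\x22" * 16, ts),
        KeytabEntry(host, 3, 8, b"\x33" * 8, ts),
        KeytabEntry(host, 3, 3, b"\x44" * 8, ts),
        KeytabEntry(host, 4, 18, b"\x55" * 32, ts),  # what a re-keyed AES-only keytab would hold
    ]
    entries = parse_keytab(write_keytab(original))
    return entries, [describe(e) for e in weak_entries(entries)]
```

Point parse_keytab at the bytes of a real /etc/krb5.keytab to audit it; the fix for flagged entries is to restrict the principal's enctypes on the KDC and re-run ktadd, which bumps the kvno (as the kvno 4 AES entry in the demo illustrates). Because ktadd generates a fresh random key, the old keytab on the host stops working the moment you re-key, so copy the new one into place right away.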

Next, configure sshd on that machine so it accepts Kerberos ticket authentication. Edit /etc/ssh/sshd_config and enable the Kerberos and GSSAPI options. (KerberosAuthentication only lets sshd check a typed password against the KDC; GSSAPIAuthentication is the ticket-based method that gives you the actual single sign-on.)

# Kerberos options
KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

Then edit /etc/ssh/ssh_config on the client side. Be aware that GSSAPIDelegateCredentials forwards a copy of your TGT to every host you log in to, where root can use it as you; set it globally only if you trust all of those hosts, otherwise limit it to a "Host" block for the ones that need it.

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

Then restart sshd:

service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

With this configuration, logins are authenticated with Kerberos tickets, which achieves SSO.

Use ssh -v to verify that the Kerberos ticket was really what authenticated you:

[username@kerberos ~]$ ssh test -v
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to test [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test' is known and matches the RSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:108
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Apr 1 10:55:39 2008 from where
Welcome to Linux!
[username@test ~]$
