NTP in Win2k
Check out this article on Windows 2000 authentication under “Basic SNTP operation.”
Started to move OpenLDAP and my LDAP DB to OpenBSD today… and I think I may have basically finished. The directions in this OpenBSD/Cyrus IMAP HOWTO for installing OpenLDAP were pretty much what I was interested in. The slapcat and slapadd commands in particular worked wonders. A lot of tests in the LDAPv3 HOWTO don’t work since they assume SASL madness, and I’m not sure the OpenLDAP distributed in the 3.3 packages includes this functionality.
I don’t particularly care. SSL seems to work. I can bind to it with GQ. I need to test to make sure my Red Hat clients can use it for name services like they have been. After that, we’re good.
BTW, if you’re looking for the list of symbolic names for ICMP types in pfctl, you apparently need to go to the sources: sbin/pfctl/pfctl_parser.c.
I’ve decided to move a few of my security-conscious services over to an OpenBSD box. Today I moved my Kerberos domain.
A quick note. OpenBSD is fun. It’s kind of nice to get back to not feeling like your system might be laden with cruft you won’t use. Of course, I got annoyed that I didn’t have a simple ntp.conf, for example, to start with. I also hate the way init is laid out; give me SysV-style init any day.
So Red Hat 8.0 ships with MIT Kerberos V 1.2.5. OpenBSD 3.3 ships with Heimdal. I followed the instructions for setting up a Kerberos V server in the Red Hat 8.0 manual when I did this originally. All the paths I give pretty much depend on you configuring things like they’re described there.
First, run kdb5_util dump -b7 -verbose krb5-dump as root on the Linux box. This gives you a krb5-dump file. This, combined with /var/kerberos/krb5kdc/.k5.YOUR.REALM (where YOUR.REALM is really your Kerberos realm name), will need to be copied to the OpenBSD box. krb5-dump is a dump of all your principals, and the .k5… file is your “master key stash.” I think. If you don’t use -b7 to dump in what appears to be a slightly older format, the Heimdal tools won’t understand the dump.
Now hop on over to your OpenBSD box and create /var/heimdal, root:wheel, 0640. Next, run /usr/libexec/hprop -m the-stash-file -d krb5-dump --source=mit-dump -n | /usr/libexec/hpropd -n on the OpenBSD box. Note that hpropd needs to be run as root as it’s going to write out your database, so if you’re a fan of running as a regular user and using sudo, tack sudo in front of hpropd. Now move the stash file to /var/heimdal/m-key and make sure that file is 0640 root:wheel. By now you hopefully have /var/heimdal/heimdal.db from hpropd.
You’re pretty much done at this point. You need to configure /etc/kerberosV/krb5.conf; there’s a sample file in that directory as well. Don’t forget to create a host principal for your KDC if you need one. Instructions for doing that are in info heimdal and krb5.conf(5). You can run verify_krb5_conf and get a little help making sure your krb5.conf is at least possibly OK. You probably want a /var/heimdal/kadmind.acl file, also described in the Heimdal info pages. You also probably want krb5_master_kdc=YES in /etc/rc.conf.local.
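The migration steps above gathered into one script with preflight and permission checks, as an added example that is not from the original post. It assumes the MIT dump and stash have already been copied to the paths in DUMP and STASH, and that it runs as root on the OpenBSD box.

```shell
#!/bin/sh
# Added example: MIT -> Heimdal KDC migration as described in the post, with
# sanity checks around each step. Paths and variable names are assumptions.
set -eu

HEIMDAL_DIR=${HEIMDAL_DIR:-/var/heimdal}
DUMP=${DUMP:-krb5-dump}          # produced by: kdb5_util dump -b7 -verbose krb5-dump
STASH=${STASH:-.k5.YOUR.REALM}   # MIT master key stash copied from the Linux KDC

# Permission string of a path, e.g. -rw-r----- (portable: avoids stat(1) flags).
perm_of() { ls -ld "$1" | cut -c1-10; }

# True when a regular file is mode 0640, which the post requires for m-key.
is_0640() { [ "$(perm_of "$1")" = "-rw-r-----" ]; }

# Refuse to touch the KDC unless both inputs are present and non-empty.
preflight() {
    [ -s "$DUMP" ]  || { echo "missing MIT dump: $DUMP" >&2; return 1; }
    [ -s "$STASH" ] || { echo "missing master key stash: $STASH" >&2; return 1; }
}

migrate() {
    preflight
    mkdir -p "$HEIMDAL_DIR"
    chown root:wheel "$HEIMDAL_DIR"
    chmod 0640 "$HEIMDAL_DIR"   # as the post specifies; root ignores the missing search bit
    # hprop reads the MIT dump using the stash; hpropd (as root) writes heimdal.db
    /usr/libexec/hprop -m "$STASH" -d "$DUMP" --source=mit-dump -n \
        | /usr/libexec/hpropd -n
    mv "$STASH" "$HEIMDAL_DIR/m-key"
    chown root:wheel "$HEIMDAL_DIR/m-key"
    chmod 0640 "$HEIMDAL_DIR/m-key"
    is_0640 "$HEIMDAL_DIR/m-key" || { echo "m-key is not 0640" >&2; return 1; }
    [ -s "$HEIMDAL_DIR/heimdal.db" ] || { echo "hpropd wrote no heimdal.db" >&2; return 1; }
    # Optional: let Heimdal check the config the post says to edit next
    if command -v verify_krb5_conf >/dev/null 2>&1; then
        verify_krb5_conf /etc/kerberosV/krb5.conf
    fi
}

# Run the migration only when explicitly requested, so the checks can be sourced alone.
if [ "${MIGRATE_NOW:-no}" = "yes" ]; then
    migrate
fi
```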
One more note about OpenBSD, unrelated to Kerberos. Here’s information on the stable branch of OpenBSD, packages fixed in 3.3-stable, OpenBSD anonymous CVS instructions, and if you want to know what’s changed in -stable you need (I think) the OpenBSD errata. (Honestly, this is more for my future benefit than yours. Sorry you had to sit through it.)