HOTFIX: start krb service with service manager, in kadm5.acl set every permisiion to default admin user from LDAP, bind admin Kerberos principal to LDAP admin at creation, ADDED: readme

2025-10-26 15:54:16 -04:00 · 2020-07-29 22:14:55 +02:00
parent e68a512974
commit 3b2b193a33
2 changed files with 31 additions and 25 deletions
--- a/README.md
+++ b/README.md
@@ -3,10 +3,9 @@ This image is for testing purposes for Kerberos/LDAP environments.
 With this Kerberos image you can initialize an Ubuntu based Kerberos server with LDAP connections.
 The whole project based on `mrenouf/docker-images` repository, but this codebase is not compatible with that.

-#### Quick start
-```
-docker run -d -v /dev/urandom:/dev/random --name kerberos nugaon/kerberos-with-ldap
-```
+# Quick start
+> docker run -d --net docker_overlay -v /dev/urandom:/dev/random --name kerberos nugaon/kerberos-with-ldap
+
 The containers have a pretty bad entropy level so the KDC won't start because of this. We can overcome this by using `/dev/urandom` which is less secure but does not care about entropy. 
 Obviously, this Kerberos container has to be run on the same network as the ldap container or make it possible to reach the outsider LDAP server. For the former case,
 I suggest for you to use my compatible LDAP docker with Kerberos image `nugaon/openldap-with-kerberos`, 
@@ -14,20 +13,27 @@ that you can find on [GitHub](https://github.com/nugaon/docker-openldap-with-ker

 Useful environment variables:

-| Environment variables | Description                   |
-| --------------------- | ----------------------------- |
-| `REALM`               | the Kerberos realm            |
-| `DOMAIN_REALM`        | the DNS domain for the realm  |
-| `KERB_MASTER_KEY`     | master key for the KDC        |
-| `KERB_ADMIN_USER`     | administrator account name    |
-| `KERB_ADMIN_PASS`     | administrator's password      |
-| `SEARCH_DOMAINS`      | domain suffix search list     |
-| `LDAP_DC`             | domain suffix search list     |
-| `LDAP_USER`           | ldap user                     |
-| `LDAP_PASS`           | ldap pass                     |
-| `LDAP_URL`            | ldap url                      |
+| Environment variables | Description                   | Default value            |
+| --------------------- | ----------------------------- | ------------------------ |
+| `REALM`               | the Kerberos realm            | EXAMPLE.COM              |
+| `DOMAIN_REALM`        | the DNS domain for the realm  | example.com              |
+| `KERB_MASTER_KEY`     | master key for the KDC        | masterkey                |
+| `KERB_ADMIN_USER`     | administrator account name    | admin                    |
+| `KERB_ADMIN_PASS`     | administrator's password      | admin                    |
+| `SEARCH_DOMAINS`      | domain suffix search list     | example.com              |
+| `LDAP_DC`             | domain suffix search list     | dc=example,dc=com        |
+| `LDAP_USER`           | ldap service user             | admin                    |
+| `LDAP_PASS`           | ldap service pass             | admin                    |
+| `LDAP_URL`            | ldap url                      | ldap://ldap              |

-### Test
+# Bind LDAP user to Kerberos DB
+If you add new users in LDAP you have to register them in Kerberos as well in order to utilize Kerberos authentication. It is possible by the following command:
+> docker exec -ti $KERBEROS_CONTAINER kadmin.local -q 'addprinc -x dn=$USER_DN $USER_KERB_NAME'
+
+example
+> docker exec -ti kerberos kadmin.local -q 'addprinc -x dn=cn=Teszt" "Elek,cn=users,dc=ldap,dc=hiflylabs,dc=hu telek'
+
+# Test
 Once kerberos is enabled you need a `ticket` to execute any job on the cluster. Here's an example to get a ticket:
 > docker exec -ti kerberos sh -c "kinit admin && klist"

--- a/config.sh
+++ b/config.sh
@@ -4,12 +4,12 @@ sleep 10

 [[ "TRACE" ]] && set -x

-: ${REALM:=AMAZON}
-: ${DOMAIN_REALM:=amazon}
+: ${REALM:=EXAMPLE.COM}
+: ${DOMAIN_REALM:=example.com}
 : ${KERB_MASTER_KEY:=masterkey}
 : ${KERB_ADMIN_USER:=admin}
 : ${KERB_ADMIN_PASS:=admin}
-: ${SEARCH_DOMAINS:=krb.amazon}
+: ${SEARCH_DOMAINS:=example.com}
 : ${LDAP_DC:=dc=example,dc=com}
 : ${LDAP_USER:=admin}
 : ${LDAP_PASS:=admin}
@@ -91,13 +91,13 @@ EOF
 }

 start_kdc() {
-  krb5kdc start
-  kadmind
+  service krb5-kdc start
+  service krb5-admin-server start
 }

 restart_kdc() {
-  krb5kdc restart
-  kadmind restart
+  service krb5-kdc restart
+  service krb5-admin-server restart
 }

 create_admin_user() {
@@ -105,7 +105,7 @@ create_admin_user() {
 $LDAP_PASS
 $LDAP_PASS
 EOF
-  echo "*/admin@$REALM *" > /etc/krb5kdc/kadm5.acl
+  echo "admin@$REALM *" > /etc/krb5kdc/kadm5.acl
 }

 mkdir -p /var/log/kerberos