Ubuntu server version of krb5kdc with augmented configuration

2025-10-26 15:54:16 -04:00 · 2020-07-23 16:59:22 +02:00
commit 48d6d53cc4
3 changed files with 172 additions and 0 deletions
--- a/13
+++ b/13
@@ -0,0 +1,13 @@
+FROM ubuntu
+
+LABEL MAINTAINER nugaon <toth.viktor.levente@gmail.com>
+
+# kerberos
+RUN apt-get update -y && apt-get install -y krb5-kdc-ldap krb5-admin-server \
+ldap-utils
+
+EXPOSE 88 464 749
+
+ADD ./config.sh /config.sh
+
+ENTRYPOINT ["/config.sh"]
--- a/README.md
+++ b/README.md
@@ -0,0 +1,34 @@
+## Docker kerberos
+This image is for testing purposes for Kerberos/LDAP environments. 
+With this Kerberos image you can initialize an Ubuntu based Kerberos server with LDAP connections.
+The whole project based on `mrenouf/docker-images` repository, but this codebase not compatible with that.
+
+#### Quick start
+```
+docker run -d -v /dev/urandom:/dev/random --name kerberos nugaon/kerberos-with-ldap
+```
+The containers have a pretty bad entropy level so the KDC won't start because of this. We can overcome this by using `/dev/urandom` which is less secure but does not care about entropy. 
+Obviously, this Kerberos container has to be run on the same network as the ldap container or make it possible to reach the outsider LDAP server. For the former case,
+I suggest for you to use my compatible LDAP docker with Kerberos image `nugaon/openldap-with-kerberos`, 
+that you can find on [GitHub](https://github.com/nugaon/docker-openldap-with-kerberos) as well.
+
+Useful environment variables:
+
+| Environment variables | Description                   |
+| --------------------- | ----------------------------- |
+| `REALM`               | the Kerberos realm            |
+| `DOMAIN_REALM`        | the DNS domain for the realm  |
+| `KERB_MASTER_KEY`     | master key for the KDC        |
+| `KERB_ADMIN_USER`     | administrator account name    |
+| `KERB_ADMIN_PASS`     | administrator's password      |
+| `SEARCH_DOMAINS`      | domain suffix search list     |
+| `LDAP_DC`             | domain suffix search list     |
+| `LDAP_USER`           | ldap user                     |
+| `LDAP_PASS`           | ldap pass                     |
+| `LDAP_URL`            | ldap url                      |
+
+### Test
+Once kerberos is enabled you need a `ticket` to execute any job on the cluster. Here's an example to get a ticket:
+> docker exec -ti kerberos sh -c "kinit admin && klist"
+
+It authenticates the LDAP associated admin user by the Kerberos server.
--- a/config.sh
+++ b/config.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+
+sleep 10
+
+[[ "TRACE" ]] && set -x
+
+: ${REALM:=AMAZON}
+: ${DOMAIN_REALM:=amazon}
+: ${KERB_MASTER_KEY:=masterkey}
+: ${KERB_ADMIN_USER:=admin}
+: ${KERB_ADMIN_PASS:=admin}
+: ${SEARCH_DOMAINS:=krb.amazon}
+: ${LDAP_DC:=dc=example,dc=com}
+: ${LDAP_USER:=admin}
+: ${LDAP_PASS:=admin}
+: ${LDAP_URL:=ldap://ldap}
+
+fix_nameserver() {
+  cat>/etc/resolv.conf<<EOF
+nameserver $NAMESERVER_IP
+search $SEARCH_DOMAINS
+EOF
+}
+
+create_config() {
+  KDC_ADDRESS=$(hostname -f)
+
+  cat>/etc/krb5.conf<<EOF
+[logging]
+ default = FILE:/var/log/kerberos/krb5libs.log
+ kdc = FILE:/var/log/kerberos/krb5kdc.log
+ admin_server = FILE:/var/log/kerberos/kadmind.log
+
+[libdefaults]
+ default_realm = $REALM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ $REALM = {
+  kdc = $KDC_ADDRESS
+  admin_server = $KDC_ADDRESS
+  default_domain = $DOMAIN_REALM
+  database_module = openldap_ldapconf
+ }
+
+[domain_realm]
+ .$DOMAIN_REALM = $REALM
+ $DOMAIN_REALM = $REALM
+
+[dbdefaults]
+  ldap_kerberos_container_dn = cn=krbContainer,$LDAP_DC
+
+[dbmodules]
+  openldap_ldapconf = {
+          db_library = kldap
+          ldap_kdc_dn = "cn=$LDAP_USER,$LDAP_DC"
+
+          # this object needs to have read rights on
+          # the realm container, principal container and realm sub-trees
+          ldap_kadmind_dn = "cn=$LDAP_USER,$LDAP_DC"
+
+          # this object needs to have read and write rights on
+          # the realm container, principal container and realm sub-trees
+          ldap_service_password_file = /etc/krb5kdc/service.keyfile
+          ldap_servers = $LDAP_URL
+          ldap_conns_per_server = 5
+  }
+EOF
+}
+
+create_db() {
+  kdb5_util -P $KERB_MASTER_KEY -r $REALM create -s
+}
+
+init_ldap() {
+  kdb5_ldap_util -D cn=$LDAP_USER,$LDAP_DC create -subtrees $LDAP_DC -r $REALM -s -H $LDAP_URL <<EOF
+$LDAP_PASS
+$KERB_ADMIN_PASS
+$KERB_ADMIN_PASS
+EOF
+
+  kdb5_ldap_util -D cn=$LDAP_USER.,$LDAP_DC stashsrvpw -f /etc/krb5kdc/service.keyfile cn=$LDAP_USER,$LDAP_DC <<EOF
+$LDAP_PASS
+$LDAP_PASS
+$LDAP_PASS
+EOF
+}
+
+start_kdc() {
+  krb5kdc start
+  kadmind
+}
+
+restart_kdc() {
+  krb5kdc restart
+  kadmind restart
+}
+
+create_admin_user() {
+  kadmin.local -q "addprinc -x dn=cn=$KERB_ADMIN_USER,$LDAP_DC admin" <<EOF
+$LDAP_PASS
+$LDAP_PASS
+EOF
+  echo "*/admin@$REALM *" > /etc/krb5kdc/kadm5.acl
+}
+
+mkdir -p /var/log/kerberos
+
+if [ ! -f /kerberos_initialized ]; then
+  create_config
+  init_ldap
+  create_admin_user
+  create_db
+  start_kdc
+
+  touch /kerberos_initialized
+else
+  start_kdc
+fi
+
+tail -F /var/log/kerberos/krb5kdc.log