Importing data? - Kerberos



Thread: Importing data?

  1. Importing data?


    Hi,

    University of Bergen is setting up a unix/linux Kerberos realm to handle
    logons on our unix/linux clients and servers (about 1500). Our problem
    is that all 30.000 users need principals on the KDC, and we'd rather
    not have to run all of them through having to type their password
    somewhere.

    They're all in AD (and in NIS); can anyone advise as to a good path to
    duplicate data over, including passwords? LDAP export and import and
    then using Heimdal's support for having an LDAP backend is the next
    thing I'll try - any better ideas out there? Google gives me nothing
    which doesn't involve having to reenter all user passwords, but we
    can't be the first large setup to have this issue?

    Bjørn
    --
    Bjørn Tore Sund, System administrator, Math. Department, University of Bergen
    Phone: (+47) 555-84894   Fax: (+47) 555-89672   Mobile: (+47) 918 68075   VIP: 81724
    Support: http://bs.uib.no   Contact: teknisk@mi.uib.no   Direct: bjornts@mi.uib.no
    "Stupidity is like a fractal; universal and infinitely repetitive."
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Importing data?



    On Thursday, January 12, 2006 01:42:54 PM +0100 Bjorn Tore Sund wrote:

    > University of Bergen is setting up a unix/linux Kerberos realm to handle
    > logons on our unix/linux clients and servers (about 1500). Our problem
    > is that all 30.000 users needs principals on the KDC, and we'd rather
    > not have to run all of them through having to type their password
    > somewhere.
    >
    > They're all in AD (and in NIS), can anyone advice as to a good path to
    > duplicate data over, including passwords? LDAP export and import and
    > then using Heimdal's support for having an LDAP backend is the next
    > thing I'll try - any better ideas out there? Google gives me nothing
    > which doesn't involve having to reenter all user passwords, but we
    > can't be the first large setup to have this issue?


    Well, the problem is that entries in NIS or in UNIX password files don't
    contain the password; they contain a one-way hash of the password. Without
    some fairly time-expensive cryptographic attacks, you can't recover the
    actual password, which is needed to add keys to the Kerberos database.

    When we first started using Kerberos many many years ago, we modified the
    login program so that when a user logged in who had no Kerberos principal,
    he would be automatically registered. Of course, this also required a
    special registration service and giving login some way to authenticate to
    it.

    Since your users are in AD, you may have another option. The Active
    Directory does know the users' actual passwords (except for any users who
    were imported from an NT4 domain and haven't changed their passwords
    since). If you can extract the passwords from AD, you can build a tool
    which adds them to the Kerberos database. However, I seem to recall that
    it is difficult-to-impossible to get AD to export password information.
    Perhaps someone who knows more on that topic will comment...

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA



  3. Re: Importing data?




    >
    > On Thursday, January 12, 2006 01:42:54 PM +0100 Bjorn Tore Sund wrote:
    >
    >
    >>University of Bergen is setting up a unix/linux Kerberos realm to handle
    >>logons on our unix/linux clients and servers (about 1500). Our problem
    >>is that all 30.000 users needs principals on the KDC,


    Why duplicate the user?

    You could do cross-realm between the AD realm and the Kerberos realm,
    so you only need the host principals registered in the MIT-based Kerberos
    realm. Let the users stay in AD. This is what we have done for years.

    Another approach is to add the unix host principals to AD, so you
    don't have to set up any new realms. We are starting to migrate the
    host principals to AD.



    >>and we'd rather
    >>not have to run all of them through having to type their password
    >>somewhere.




    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  4. Re: Importing data?

    >>>>> "JH" == Jeffrey Hutzelman writes:

    JH> Well, the problem is that entries in NIS or in UNIX password files
    JH> don't contain the password; they contain a one-way hash of the
    JH> password. Without some fairly time-expensive cryptographic
    JH> attacks, you can't recover the actual password, which is needed to
    JH> add keys to the Kerberos database.

    If you use PAM, there is the pam_krb5_migrate module which is supposed
    to stuff the password into the Kerberos database when a user
    authenticates against whatever system you are currently using.
    Unfortunately I never figured out quite how to make it work, but then
    I'm far from an expert in either PAM or Kerberos.

    - J<


  5. Re: Importing data?

    Bjorn Tore Sund wrote:
    > They're all in AD (and in NIS), can anyone advice as to a good path to
    > duplicate data over, including passwords? LDAP export and import and
    > then using Heimdal's support for having an LDAP backend is the next
    > thing I'll try - any better ideas out there? Google gives me nothing
    > which doesn't involve having to reenter all user passwords, but we
    > can't be the first large setup to have this issue?


    As others suggested, you need to do this through PAM, and you might
    need to write your own PAM module.

    To migrate users from NIS to Kerberos, you should be able to use
    pam_krb5_migrate: every time a user successfully logs in and gets
    their password authenticated in NIS, a Kerberos account is created
    for the user.

    The same would also work for AD accounts, but you really should
    consider setting up a cross-realm trust instead.

    Both approaches require that the existing infrastructures continue
    to run until all existing users have logged in at least once.

    Regards,
    Martin
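The migrate-on-login pattern that Martin and the earlier reply describe, as an added example that is not part of this thread and not the code of pam_krb5_migrate or any other project. It also shows Jeffrey's point from the second reply: the legacy store holds only a one-way hash, so a bulk import has nothing to feed into the Kerberos string-to-key function, whereas at login time the cleartext password is briefly available. The realm name `UNIX.EXAMPLE.NO`, the user `alice` and the salted SHA-256 legacy store are all constructed for the example; the Kerberos side uses the default salt (realm name followed by the principal name) and the PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key, with the final AES-based DK() step omitted because it needs an AES library.

```python
import hashlib
import hmac

REALM = "UNIX.EXAMPLE.NO"      # hypothetical realm name, not from the thread
PBKDF2_ITERATIONS = 4096       # RFC 3962 default iteration count
KEY_LEN = 32                   # aes256-cts-hmac-sha1-96 key size in bytes


def legacy_hash(password: str, salt: bytes) -> bytes:
    """One-way hash as a NIS/passwd-style store keeps it (constructed: salted SHA-256)."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed legacy (NIS-like) store: only salted one-way hashes, never the password.
_alice_salt = b"s1"
LEGACY_STORE = {
    "alice": (_alice_salt, legacy_hash("correct horse", _alice_salt)),
}

# The Kerberos database the migration step populates: principal name -> long-term key.
KDC_DB = {}


def legacy_authenticate(user: str, password: str) -> bool:
    """Check the offered password against the legacy store (constant-time compare)."""
    entry = LEGACY_STORE.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def kerberos_salt(principal: str, realm: str = REALM) -> bytes:
    """Default Kerberos 5 salt: realm name followed by the principal's name components."""
    return (realm + principal.replace("/", "")).encode()


def string_to_key(password: str, principal: str, realm: str = REALM) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key. The real enctype then applies an
    AES-based DK() step, which is omitted here (it needs an AES library)."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode(), kerberos_salt(principal, realm), PBKDF2_ITERATIONS, KEY_LEN
    )


def migrate_on_login(user: str, password: str) -> bool:
    """What a pam_krb5_migrate-style module does: only when the legacy check passes is the
    cleartext password available, and only then can a Kerberos key be derived and stored."""
    if not legacy_authenticate(user, password):
        return False
    if user not in KDC_DB:
        KDC_DB[user] = string_to_key(password, user)
    return True


if __name__ == "__main__":
    print("wrong password:", migrate_on_login("alice", "guess"))
    print("right password:", migrate_on_login("alice", "correct horse"))
    print("principals now in KDC:", sorted(KDC_DB))
```

Note that `string_to_key` is called with the password, never with the stored hash: the stored SHA-256 digest cannot be turned into `hashlib.pbkdf2_hmac` input for the Kerberos salt, which is the whole reason the migration has to ride on a successful login and why the legacy infrastructure must keep running until every user has logged in once.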

  6. Re: Importing data?


    On Thu, 12 Jan 2006, Douglas E. Engert wrote:

    > > > University of Bergen is setting up a unix/linux Kerberos realm to handle
    > > > logons on our unix/linux clients and servers (about 1500). Our problem
    > > > is that all 30.000 users needs principals on the KDC,

    >
    > Why duplicate the user?
    >
    > You could do cross realm between the AD realm and the Kerberos realm.
    > so you only need the hosts principals registered in the MIT based kerberos
    > realm. Let the users stay in AD. This is what we have done for years.
    >
    > Another approach is to add the unix host principals to AD, so you
    > don't have to setup any new realms. We are starting to migrate the
    > host principlas to AD.


    Several reasons why we're keeping things separate. One is that we
    have separate student and staff AD realms. This is fine in a world
    of single-user OSes, but we want both students and staff to be able
    to log in to the same unix/linux machine and be active at the same
    time.

    Second is that all our users will be accessing their home directories
    with Kerberos authentication - Samba for now, AFS or NFSv4 at some
    later time. That means our unix/linux infrastructure will be very
    dependent on Kerberos functioning, and we don't trust Microsoft to
    not break standards in new and interesting ways at some later time.
    Cross-realm trust should continue working, but I expect that at some
    point in time unix client binding to AD Kerberos will break in some
    non-intuitive way.

    Thanks to all who responded, I'll see what I can drag out of AD.

    -BT
    --
    Bjørn Tore Sund, System administrator, Math. Department, University of Bergen
    Phone: (+47) 555-84894   Fax: (+47) 555-89672   Mobile: (+47) 918 68075   VIP: 81724
    Support: http://bs.uib.no   Contact: teknisk@mi.uib.no   Direct: bjornts@mi.uib.no
    "Stupidity is like a fractal; universal and infinitely repetitive."
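The cross-realm arrangement proposed by Douglas and Martin, and the two-AD-realms situation Bjørn describes in the last message, as an added example that is not part of this thread and not code from MIT Kerberos, Heimdal or Active Directory. The realm names `UNIX.EXAMPLE.NO`, `STAFF.AD.EXAMPLE.NO` and `STUDENT.AD.EXAMPLE.NO` are hypothetical. The example works out which `krbtgt` principals must exist with matching keys on both sides for a one-way trust (AD users obtaining tickets for unix services), what hops a client would take under the default hierarchical path if `[capaths]` is left unset, and what a `[capaths]` block with explicit direct hops looks like; it assumes a direct hop when two realm names share no suffix at all.

```python
from typing import Dict, List

# Hypothetical realm names, not from the thread.
UNIX_REALM = "UNIX.EXAMPLE.NO"
AD_REALMS = ["STAFF.AD.EXAMPLE.NO", "STUDENT.AD.EXAMPLE.NO"]


def krbtgt_for_trust(client_realm: str, service_realm: str) -> str:
    """Principal that must exist, with the same key, in both KDCs so that principals of
    client_realm can obtain tickets for services in service_realm (one-way trust)."""
    return "krbtgt/%s@%s" % (service_realm, client_realm)


def required_principals(unix_realm: str, ad_realms: List[str]) -> List[str]:
    """One cross-realm krbtgt per AD realm whose users should reach the unix realm."""
    return [krbtgt_for_trust(ad, unix_realm) for ad in ad_realms]


def hierarchical_path(client_realm: str, service_realm: str) -> List[str]:
    """Realms walked when [capaths] has no entry: up the realm-name hierarchy to the
    longest common suffix, then down to the service realm. With no common suffix this
    example assumes a direct hop."""
    c, s = client_realm.split("."), service_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common].lower() == s[-1 - common].lower():
        common += 1
    if common == 0:
        return [client_realm, service_realm]
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]      # drop leading labels
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # add them back
    return [client_realm] + up + down


def capaths_path(client_realm: str, service_realm: str,
                 capaths: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Apply a [capaths] entry: capaths[client][service] lists the intermediate realms,
    "." meaning a direct hop; fall back to the hierarchical default when absent."""
    hops = capaths.get(client_realm, {}).get(service_realm)
    if hops is None:
        return hierarchical_path(client_realm, service_realm)
    return [client_realm] + [h for h in hops if h != "."] + [service_realm]


def tgts_needed(path: List[str]) -> List[str]:
    """Cross-realm TGTs a client obtains along the path, each from the previous realm's KDC."""
    return [krbtgt_for_trust(path[i], path[i + 1]) for i in range(len(path) - 1)]


def render_capaths(unix_realm: str, ad_realms: List[str]) -> str:
    """krb5.conf [capaths] block declaring a direct hop from each AD realm to the unix realm,
    so clients do not try the non-existent intermediate realms of the hierarchical walk."""
    lines = ["[capaths]"]
    for ad in ad_realms:
        lines += ["    %s = {" % ad, "        %s = ." % unix_realm, "    }"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("principals needed on both sides:", required_principals(UNIX_REALM, AD_REALMS))
    print("default path:", hierarchical_path(AD_REALMS[0], UNIX_REALM))
    print(render_capaths(UNIX_REALM, AD_REALMS))
```

The hierarchical default matters here: a staff user whose realm is `STAFF.AD.EXAMPLE.NO` would, without a `[capaths]` entry, be routed through `AD.EXAMPLE.NO` and `EXAMPLE.NO`, neither of which exists as a realm, so the explicit direct entries are what make the two AD realms reach the single unix realm. The same `[capaths]` content has to be present on the clients and on the unix KDC, and the `krbtgt` principals it implies have to be created on both sides with identical keys.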

