Research and Development

Setting Up OpenLDAP+Kerberos on Ubuntu 10.04 Alpha 2 (Lucid), Part 5 - DNS Settings

Kerberos requires every client to know where the server is located. This can be done either by using /etc/krb5.conf file or using DNS to distribute the information. Using DNS makes it easier to do changes in the network settings as not every client needs to be updated. Next we aim to minimize the amount of configuration needed for every client so configuring DNS properly is a logical first step.

This blog posting is a part of a series of blog postings:

The following documents were used to get the configuration working: The goal of the setup is to have a single file server that shares the following directories to clients over NFSv4 with kerberos authentication:
  • /home/school1
  • /home/school2
  • /home/school3
The server will not allow root to access other users' files which makes it possible to export the shares in potentially hostile environments as the compromise of a single client host does not expose all contents of the file server. The domain name used is edu.example.org and the NFS server will be the same machine as the kerberos server. The names used in this example map to following IPs:
  • server.edu.example.org - 10.0.0.1
  • ldap.edu.example.org - 10.0.0.1
  • kerberos.edu.example.org - 10.0.0.1
  • client1.edu.example.org - 10.0.0.10
  • client2.edu.example.org - 10.0.0.11

DNS settings

Before we start with the NFS setup, we need to make sure that name resolution for the server and clients works with fully qualified domain names (fqdn). Also reverse mappings need to be working for NFSv4+krb5 to work properly. There are many DNS servers that can be used. Here we use dnsmasq:
sudo apt-get install dnsmasq
/etc/dnsmasq.conf
domain-needed
domain=edu.example.org

ptr-record=1.0.0.10.in-addr.arpa.,"server.edu.example.org"
address=/server.edu.example.org/10.0.0.1

ptr-record=10.0.0.10.in-addr.arpa.,"client1.edu.example.org"
address=/client1.edu.example.org/10.0.0.10

ptr-record=11.0.0.10.in-addr.arpa.,"client2.edu.example.org"
address=/client2.edu.example.org/10.0.0.11
After restarting dnsmasq and configuring it to be used in /etc/resolv.conf, it should resolve names properly both ways:
$ nslookup server.edu.example.org

Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	server.edu.example.org
Address: 10.0.0.1

$ nslookup 10.0.0.1

Server:		127.0.0.1
Address:	127.0.0.1#53

1.0.0.10.in-addr.arpa	name = server.edu.example.org.
Make sure that also the client machine names resolve correctly. In addition to having DNS server configured properly, if the /etc/hosts file has names configured, make sure that the FQDN is before the shortname, e.g.:
10.0.0.1 server.edu.example.org server
10.0.0.10 client1.edu.example.org client1
10.0.0.11 client2.edu.example.org client2
This makes sure that host mappings are not done from /etc/hosts using the shortname of the server. While we are at it, let's also add the SRV records for kerberos so that we don't need to configure kerberos realms for every client separately: /etc/dnsmasq.conf
address=/kerberos.edu.example.org/10.0.0.1
address=/ldap.edu.example.org/10.0.0.1

txt-record=_kerberos.edu.example.org,"EDU.EXAMPLE.ORG"
srv-host=_kerberos._udp.edu.example.org,"kerberos.edu.example.org",88
srv-host=_kerberos._tcp.edu.example.org,"kerberos.edu.example.org",88
srv-host=_kerberos-master._udp.edu.example.org,kerberos."edu.example.org",88
srv-host=_kerberos-adm._tcp.edu.example.org,"kerberos.edu.example.org",749
srv-host=_kpasswd._udp.edu.example.org,"kerberos.edu.example.org",464
Clients can now find the kerberos server automatically when the realm is given (e.g. kinit testuser@EDU.EXAMPLE.ORG). To set default realm, /etc/krb5.conf can be used:
[libdefaults]
default_realm = EDU.EXAMPLE.ORG
dns_lookup_kdc = true
dns_lookup_realm = true
Now the name server should be ready for the actual setup. The actual NFSv4+kerberos setup is described in the next part.

Comments