Experimenting with Coda

Coda is looking like a promising piece of infrastructure. However, blogging about its awesomeness (which I personally haven't experienced yet) is pointless. People usually look for solutions to problems, so here is my share. The environment that more or less worked out of the box was the following:

  • All users are in Windows Active Directory
  • Clients are Linux (Fedora) workstations joined to the AD domain using Samba and winbind
  • Server is also Linux (CentOS 5.4) and joined to the same domain with Samba
  • Coda is using Kerberos for single sign-on

Now, let's try to change a few elements in this picture.

Try 1: Leave the server on the Windows domain, but do not use Samba to do the joining.

The procedure to do that deserves an article of its own, but the main issue here was with the case sensitivity of MIT Kerberos (or should I say, the case insensitivity of Windows AD). You will never be able to get clog to authenticate, because the server does not have a keytab entry with an all-uppercase host name while Coda requests a ticket for the uppercase name of the host. Unless, that is, you actually did create a keytab with an uppercase principal, in which case lots of other things will break (ssh-ing into the server with Kerberos would not work, for example). This is not an issue when joining the domain with Samba (net ads join), because in that case the server gets a keytab with both spellings of the host principal, all uppercase and all lowercase. This is not possible when doing things manually, because Windows will just tell you that the principal already exists when you try to create the other one. The only way I found to work around this problem is to duplicate the principal on the Linux side and make one of the copies uppercase.

ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 9 host/server.local@REALM.LOCAL
ktutil: wkt /etc/krb5.keytab
ktutil: exit

Since wkt appends to the existing file, the keytab now contains the same entry twice. After that, just use some binary editor (vim -b /etc/krb5.keytab, for example) and carefully change one of the server.local occurrences to uppercase.

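The same keytab surgery done programmatically instead of with a binary editor, as an added example that is not from the original post: it parses the MIT keytab v2 format and appends a copy of each host/ service entry under the all-uppercase host name, keeping the key and kvno. The sample keytab and its all-zero key are constructed for illustration; on a real system feed it a copy of /etc/krb5.keytab and check the result with klist -kt.

```python
import struct
KEYTAB_V2 = b"\x05\x02"  # MIT keytab format version 2: all fields big-endian

def _counted(buf, pos):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])  # uint16 length prefix
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return the raw bytes of every live entry in a v2 keytab."""
    assert data[:2] == KEYTAB_V2, "only keytab format version 2 is handled"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size > 0:  # negative size = deleted slot, skipped; zero = stop
            entries.append(data[pos:pos + size])
        pos += abs(size) or len(data)
    return entries

def split_entry(raw):
    """Entry -> (realm, name components, opaque tail: name type, time, kvno, key)."""
    (ncomp,) = struct.unpack(">H", raw[:2])
    realm, pos = _counted(raw, 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(raw, pos)
        comps.append(comp)
    return realm, comps, raw[pos:]

def build_entry(realm, comps, tail):
    out = struct.pack(">HH", len(comps), len(realm)) + realm
    for comp in comps:
        out += struct.pack(">H", len(comp)) + comp
    return out + tail

def add_uppercase_host_principals(data):
    """Append host/<FQDN>@REALM copies (same key, same kvno) of host/<fqdn> entries."""
    entries = parse_keytab(data)
    parsed = [split_entry(e) for e in entries]
    present = {(r, tuple(c)) for r, c, _ in parsed}  # spellings already in the file
    extra = [build_entry(r, [b"host", c[1].upper()], t) for r, c, t in parsed
             if len(c) == 2 and c[0] == b"host"
             and (r, (b"host", c[1].upper())) not in present]
    return KEYTAB_V2 + b"".join(struct.pack(">i", len(e)) + e for e in entries + extra)

def sample_keytab():
    # Constructed input mirroring the ktutil listing above: host/server.local@REALM.LOCAL, kvno 9, enctype 18, all-zero dummy key
    tail = struct.pack(">IIBHH", 1, 1262304000, 9, 18, 32) + bytes(32)
    raw = build_entry(b"REALM.LOCAL", [b"host", b"server.local"], tail)
    return KEYTAB_V2 + struct.pack(">i", len(raw)) + raw
```

Running it twice is a no-op the second time, because the uppercase spelling is then already present.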
Try 2: Put the server on a separate Linux realm
To accomplish this you have to set up a cross-realm trust between the Linux realm and the Windows AD. However, in my case this was the easier thing to do, since the servers can automatically join the Linux realm and the reverse DNS already maps them to that realm. The only problem is that the lowercase/UPPERCASE principal is still an issue. With a Linux realm it is easy to create both service principals (lowercase and uppercase) and add them to the server keytab. I personally was getting tired of this nonsense and decided to patch Coda instead.

The other change that is needed is to make sure that Coda knows which realm the users belong to. The default realm in /etc/krb5.conf is the one used for system accounts, so we had to specify the Coda users' realm with kerberos5realm = WINDOWS.REALM in /etc/coda/server.conf.
