<h1>Adding FreeBSD 10-R to OS X Server 3.0's Kerberos</h1>
<p>Published 2014-01-21 at <a href="https://borg4.vdomains.jp/~goro/diary/2014/2559">https://borg4.vdomains.jp/~goro/diary/2014/2559</a>. Categories: FreeBSD, Mac. Tags: kerberos, mac, netatalk, open-directory, os-x-server, software.</p>
<p>A great predecessor already left an article, <a href="http://moimoitei.blogspot.jp/2007/11/opendirectory-freebsd-netbsd-auth.html">Authenticating FreeBSD/NetBSD with OpenDirectory</a>, but since then OS X's Kerberos implementation has changed from <a href="http://web.mit.edu/~kerberos/">MIT Kerberos</a> to <a href="http://www.h5l.org/">Heimdal</a>, so I'm deliberately writing this up anyway. Though I have a feeling the only difference is that what is <code>ktadd</code> in MIT Kerberos's kadmin becomes <code>ext_keytab</code> in Heimdal's kadmin.</p>
<p>Oh, strictly speaking it's 10.0-RC5 rather than 10-R, but that's within the margin of error, right? (lol</p>
<p>As usual, my home Kerberos environment is as follows:</p>
<blockquote><p>Kerberos Realm: HYRULE.JP<br />
KDC: flora.hyrule.jp<br />
FreeBSD: kyoka.hyrule.jp</p></blockquote>
<p>First, the OS X side, which is the KDC:</p>
<pre>goro@flora:~$ sudo kadmin -l
kadmin&gt; add --random-key host/kyoka.hyrule.jp
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin&gt; ext_keytab -k /tmp/freebsd.keytab host/kyoka.hyrule.jp
kadmin&gt; exit
goro@flora:~$ sudo chown goro /tmp/freebsd.keytab
goro@flora:~$ scp /tmp/freebsd.keytab kyoka:~</pre>
<p>I had been dreaming that once you write krb5.conf, just the needed part of krb5.keytab would get copied over automatically, but apparently a manual copy is required... Fine if you manage a single-digit number of servers, but beyond that it looks painful. I wonder whether the tricks for this are written up somewhere...</p>
<p>Next, the FreeBSD side. Oh, as <a href="https://borg4.vdomains.jp/~goro/diary/2014/2524">I wrote before</a>, this assumes nss_ldap and so on are already set up on the FreeBSD side (though the only thing that's really related is /etc/pam.d, perhaps?)</p>
<pre>goro@kyoka:~$ sudo mv freebsd.keytab /etc/krb5.keytab
goro@kyoka:~$ sudo chown root /etc/krb5.keytab
goro@kyoka:~$ ls -l /etc/krb5.keytab
-rw-------  1 root  staff  257  1月 19 13:33 /etc/krb5.keytab
goro@kyoka:~$ cat /etc/krb5.conf
[libdefaults]
        default_realm = HYRULE.JP
[domain_realm]
        .hyrule.jp = HYRULE.JP
        hyrule.jp = HYRULE.JP
[realms]
        HYRULE.JP = {
                kdc = flora.hyrule.jp
                default_domain = hyrule.jp
        }</pre>
<p>Then enable the commented-out pam_krb5.so lines in /etc/pam.d/system and /etc/pam.d/sshd, and add <code>GSSAPIAuthentication yes</code> to /etc/ssh/sshd_config (the default is <code>no</code>).</p>
<p>With that, getting a ticket and running ssh gives:</p>
<pre>goro@sara:~$ klist
klist: krb5_cc_get_principal: No credentials cache file found
goro@sara:~$ kinit
goro@HYRULE.JP's Password:
goro@sara:~$ klist
Credentials cache: API:A5ED05A0-2020-4272-AAEE-BF7B5679D777
        Principal: goro@HYRULE.JP

  Issued                Expires               Principal
Jan 19 14:25:08 2014  Jan 20 00:25:05 2014  krbtgt/HYRULE.JP@HYRULE.JP
goro@sara:~$ ssh -v -K kyoka.hyrule.jp
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/goro/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to kyoka.hyrule.jp [192.168.0.4] port 22.
debug1: Connection established.
debug1: identity file /Users/goro/.ssh/id_rsa type -1
debug1: identity file /Users/goro/.ssh/id_rsa-cert type -1
debug1: identity file /Users/goro/.ssh/id_dsa type 2
debug1: identity file /Users/goro/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4_hpn13v11 FreeBSD-20131111
debug1: match: OpenSSH_6.4_hpn13v11 FreeBSD-20131111 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server-&gt;client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client-&gt;server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024&lt;1024&lt;8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
debug1: Host 'kyoka.hyrule.jp' is known and matches the RSA host key.
debug1: Found key in /Users/goro/.ssh/known_hosts:20
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: <span style="background-color: #ffff00;">gssapi-with-mic</span>
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (<span style="background-color: #ffff00;">gssapi-with-mic</span>).
<span style="background-color: #ffff00;">Authenticated</span> to kyoka.hyrule.jp ([192.168.0.4]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = ja_JP.UTF-8
Last login: Fri Jan 19 13:40:31 2014 from flora.hyrule.jp
FreeBSD 10.0-RC5 (GENERIC) #0 r260430: Wed Jan  8 05:10:04 UTC 2014

Welcome to FreeBSD!
goro@kyoka:~$</pre>
<p>Happily, authentication goes through via gssapi.</p>
<p>Incidentally, for netatalk the same principal as OS X Server seems to work, so it goes like this:</p>
<pre>goro@flora:~$ sudo kadmin -l
kadmin&gt; add --random-key afpserver/kyoka.hyrule.jp
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
kadmin&gt; ext_keytab -k /tmp/freebsd2.keytab host/kyoka.hyrule.jp afpserver/kyoka.hyrule.jp
kadmin&gt; exit
goro@flora:~$ sudo chown goro /tmp/freebsd2.keytab
goro@flora:~$ scp /tmp/freebsd2.keytab kyoka:~</pre>
<pre>goro@kyoka:~$ sudo mv freebsd2.keytab /etc/krb5.keytab
goro@kyoka:~$ sudo chown root /etc/krb5.keytab
goro@kyoka:~$ grep uam /usr/local/etc/afp.conf
        uam list = uams_dhx2.so <span style="background-color: #ffff00;">uams_gss.so</span></pre>
<p>Since I've also enabled pam_krb5.so in /etc/pam.d/netatalk, I honestly don't know whether uams_gss.so needs to be written into afp.conf at all. But setting <code>log level = default:maxdebug</code> shows:</p>
<pre>Jan 19 21:10:59.876239 afpd[68076] {auth.c:1043} (D5:AFPDaemon): uam: loading (/usr/local/libexec/netatalk-uams//uams_gss.so)
Jan 19 21:10:59.877414 afpd[68076] {uams_gss.c:567} (D5:AFPDaemon): gss_create_principal: using first entry from keytab as service principal
Jan 19 21:10:59.877569 afpd[68076] {uams_gss.c:506} (I:AFPDaemon): Using AFP Kerberos service principal name: host/kyoka.hyrule.jp@HYRULE.JP
Jan 19 21:10:59.877616 afpd[68076] {auth.c:1050} (D5:AFPDaemon): uam: uams_gss.so loaded
Jan 19 21:10:59.877678 afpd[68076] {status.c:644} (I:AFPDaemon): signature is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Jan 19 21:10:59.877697 afpd[68076] {afp_config.c:106} (D5:AFPDaemon): DSIConfigInit: hostname: kyoka, listen: -, interfaces: -, port: 548
Jan 19 21:10:59.879796 afpd[68076] {auth.c:110} (I:AFPDaemon): uam: "Client Krbv2" available</pre>
<p>and:</p>
<pre>Jan 19 21:13:44.277424 afpd[68092] {afp_dsi.c:610} (D5:AFPDaemon): &lt;== Start AFP command: AFP_LOGINCONT
Jan 19 21:13:44.277680 afpd[68092] {uams_gss.c:438} (D5:UAMS): FPLoginCont: client thinks user is goro
Jan 19 21:13:44.277949 afpd[68092] {uams_gss.c:251} (D5:UAMS): FPLoginCont: accepting context (ticketlen: 639)
Jan 19 21:13:44.300978 afpd[68092] {uams_gss.c:85} (D5:UAMS): FPLoginCont: context flag: GSS_C_MUTUAL_FLAG
Jan 19 21:13:44.301237 afpd[68092] {uams_gss.c:87} (D5:UAMS): FPLoginCont: context flag: GSS_C_REPLAY_FLAG
Jan 19 21:13:44.301272 afpd[68092] {uams_gss.c:91} (D5:UAMS): FPLoginCont: context flag: GSS_C_CONF_FLAG
Jan 19 21:13:44.301513 afpd[68092] {uams_gss.c:93} (D5:UAMS): FPLoginCont: context flag: GSS_C_INTEG_FLAG
Jan 19 21:13:44.302270 afpd[68092] {uams_gss.c:123} (D5:UAMS): FPLoginCont: service principal is `afpserver/kyoka.hyrule.jp@HYRULE.JP'
Jan 19 21:13:44.302727 afpd[68092] {uams_gss.c:160} (D5:UAMS): FPLoginCont: user principal is `goro@HYRULE.JP'
Jan 19 21:13:44.411188 afpd[68092] {auth.c:232} (N:AFPDaemon): AFP3.3 Login by goro</pre>
<p>So at least uams_gss appears to be doing its job.</p>
<p>Incidentally, if the keytab made earlier is still around, it seems <code>ext_keytab</code> merges into it automatically if you specify only afpserver. Or rather, not knowing that, I specified both and ended up with a broken-looking keytab containing two host entries...</p>