localkdc: update demo to follow recent changes

Update the localkdc demo configuration to improve Kerberos and Samba
integration, with changes to realm generation, user management, and
authentication workflows

New Features:

 - Dynamically generate unique Kerberos realm with UUID
 - Implement new user addition tool localkdc-useradd
 - Enhance Kerberos cross-realm authentication mechanism

Enhancements:

 - Simplify Kerberos configuration generation
 - Improve Samba Kerberos integration
 - Update authentication workflow for remote Samba access

Documentation:

 - Update README with new user addition and KDC configuration instructions

Chores:

 - Update Samba and demo configuration templates
 - Modify Ansible playbook to support dynamic realm generation

Signed-off-by: Alexander Bokovoy <[email protected]>

Author: abbra

ipalab-config/localkdc/README.md

@@ -15,14 +15,14 @@ Build the container images and containers:
 ```
 ipalab-config ipalab-localkdc.yaml
 cd localkdc
-podman build -t fedora-localkdc containerfiles/Containerfile.localkdc .
+ansible-galaxy install -r requirements.yml
+podman build -t fedora-localkdc -f containerfiles/Containerfile.localkdc .
 podman-compose up -d
 ```
 
 Deploy the local KDC demo nodes:
 
 ```
-cd localkdc
 ansible-playbook -i inventory.yml playbooks/configure-localkdc.yaml
 ```
 
@@ -73,6 +73,20 @@ profile with following features enabled:
   - `with-gssapi`, to enable use of `pam_sss_gss` PAM module for GSSAPI
     authentication 
 
+### Configuring the local KDC
+
+The playbook `playbooks/configure-localkdc.yaml` calls a tool named
+`localkdc-setup` to provision the local KDC configuration. It generates a
+Kerberos realm named `LOCALKDC.<SOME UUID>` and provisions well-known Kerberos
+principals in it. There are two individual service principals and a number of
+aliases for them:
+
+ - `host/...` principal is used by the SSH and SSSD services
+ - `cifs/...` principal is used by the Samba services
+
+Each service principal is added together with own aliases that correspond to
+the various versions of the machine hostname.
+
 ### Add a new user
 
 Since authentication of the user accounts is handled with the help of local
@@ -81,14 +95,21 @@ the system-wide user store in `/etc/passwd`.
 
 A new user account can be added with `useradd` tool. However, in order to set a
 password for this new account, a Kerberos principal needs to be added with
-`localkdc-kadmin` tool. `localkdc-kadmin` is a wrapper around `kadmin.local`
+`localkdc-useradd` tool. `localkdc-useradd` is a wrapper around `kadmin.local`
 tool to work on the local KDC database.
 
 ```
 # useradd newuser
-# localkdc-kadmin addprinc newuser
+# localkdc-useradd newuser
 ```
 
+It is important to use the wrapper tools for local KDC administration. In
+particular, in order to avoid dependency on the local KDC realm, all user
+principals created with a special, randomized, salt type for their Kerberos
+keys. The keys also stored in a special aliased entry (`userdb:...`) to allow
+local KDC database driver first to validate that a Kerberos principal does
+indeed exist on the system as a user and then return this entry.
+
 ### Use of Kerberos tools
 
 MIT Kerberos library used in the local KDC demo is modified to support UNIX
@@ -108,22 +129,21 @@ module and produces an initial ticket granting ticket (TGT) in the Kerberos
 credentials cache which can be seen with the help of `klist` command:
 
 ```
-$ podman run -ti --network ipanet-localkdc registry.fedoraproject.org/fedora-toolbox:latest \
-         ssh -l testuser ab.localkdc.test
+$ podman run -ti --network ipanet-localkdc fedora-toolbox:latest ssh -l testuser ab.localkdc.test
 The authenticity of host 'ab.localkdc.test (192.168.221.2)' can't be established.
-ED25519 key fingerprint is SHA256:DJEnxvJgd50csPmB3+bgHH2+Qfgr0y3Bnfrr7lEo1nA.
+ED25519 key fingerprint is SHA256:xDUKVLHsHC7T66Q6LERBL1PSzatKFZUuI56xvpOWyw8.
 This key is not known by any other names.
 Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 Warning: Permanently added 'ab.localkdc.test' (ED25519) to the list of known hosts.
 [email protected]'s password:
-Last login: Sat Jan 25 12:00:39 2025 from 192.168.221.8
+Last login: Sat May  3 10:12:21 2025 from 192.168.221.4
 [testuser@ab ~]$ klist
-Ticket cache: KCM:1000:81791
-Default principal: testuser@AB.LOCALKDC.SITE
+Ticket cache: KCM:1000:55628
+Default principal: testuser@LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9
 
 Valid starting     Expires            Service principal
-01/25/25 12:01:21  01/26/25 12:01:21  krbtgt/AB.LOCALKDC.SITE@AB.LOCALKDC.SITE
-	renew until 02/01/25 12:01:21
+05/03/25 10:18:11  05/04/25 10:18:11  krbtgt/LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9@LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9
+	renew until 05/10/25 10:18:11
 ```
 
 In a separate console obtained with the help of `podman exec -ti ab.localkdc.test`,
@@ -132,13 +152,13 @@ issued the Kerberos ticket, as recorded in the `/var/log/localkdc.log` (the
 output excerpt has been reformatted for convenience):
 
 ```
-Jan 25 12:01:21 ab.localkdc.test krb5kdc[781](info): AS_REQ
+May 03 10:18:11 ab.localkdc.test krb5kdc[1113](info): AS_REQ
    (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
               aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
               camellia256-cts-cmac(26), camellia128-cts-cmac(25)})
-   /run/localkdc/kdc.sock: ISSUE: authtime 1737806481, 
+   /run/localkdc/kdc.sock: ISSUE: authtime 1746267491,
    etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)},
-   testuser@AB.LOCALKDC.SITE for krbtgt/AB.LOCALKDC.SITE@AB.LOCALKDC.SITE
+   testuser@LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9 for krbtgt/LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9@LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9
 ```
 
 After that, we can ask for a service ticket to a different service, in this
@@ -182,14 +202,14 @@ we can see that this connection has indeed been established:
 ```
 $ podman exec -ti ab.localkdc.test smbstatus
 
-Samba version 4.21.3
+Samba version 4.22.1
 PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
 ----------------------------------------------------------------------------------------------------------------------------------------
-1091    testuser     testuser     192.168.221.2 (ipv4:192.168.221.2:43092)  SMB3_11           AES-128-GCM          AES-128-GMAC
+1943    testuser     testuser     192.168.221.2 (ipv4:192.168.221.2:43620)  SMB3_11           partial(AES-128-GCM) AES-128-GMAC
 
 Service      pid     Machine       Connected at                     Encryption   Signing
 ---------------------------------------------------------------------------------------------
-testuser     1091    192.168.221.2 Sat Jan 25 12:17:22 PM 2025 UTC  -            -
+testuser     1943    192.168.221.2 Sat May  3 10:38:31 AM 2025 UTC  AES-128-GCM  AES-128-GMAC
 
 No locked files
 ```
@@ -199,18 +219,48 @@ No locked files
 We can connect to Samba also from the remote machine. In this case, the client
 system will not have access to the local KDC on the machine where Samba is
 running. However, `smbclient` will be able to use IAKerb protocol extension to
-proxy Kerberos requests to the local KDC.
+proxy Kerberos requests to the local KDC on the Samba server side.
 
 ```
-$ podman exec -ti asn.localkdc.test smbclient -U [email protected] //ab.localkdc.test/homes
-Password for [[email protected]]:
-....
+$ podman exec -ti asn.localkdc.test runuser -l testuser
+[testuser@asn ~]$ klist
+klist: Credentials cache 'KCM:1000' not found
+[testuser@asn ~]$ smbclient -U testuser --use-kerberos=required --use-krb5-ccache=KCM: --client-protection=encrypt //ab.localkdc.test/homes
+Password for [ASN\testuser]:
+Try "help" to get a list of possible commands.
+smb: \> dir
+  .                                   D        0  Sat May  3 09:50:07 2025
+  ..                                  D        0  Sat May  3 09:50:07 2025
+  .bash_logout                        H       18  Fri Nov  8 00:00:00 2024
+  .bash_profile                       H      144  Fri Nov  8 00:00:00 2024
+  .bashrc                             H      522  Fri Nov  8 00:00:00 2024
+  localkdc-demo.tape                  N     2604  Fri May  2 10:39:04 2025
+  .cache                             DH        0  Sat May  3 09:48:53 2025
+  .config                            DH        0  Sat May  3 09:47:28 2025
+  .pki                               DH        0  Sat May  3 09:47:29 2025
+  .local                             DH        0  Sat May  3 09:47:29 2025
+  .ssh                               DH        0  Sat May  3 09:49:52 2025
+  .bash_history                       H     1217  Sat May  3 10:18:23 2025
+  localkdc-demo.webm                  N  2702801  Sat May  3 09:51:39 2025
+
+		998540288 blocks of size 1024. 805004744 blocks available
 smb: \>
+[testuser@asn ~]$ klist
+Ticket cache: KCM:1000:33341
+Default principal: [email protected]
+
+Valid starting     Expires            Service principal
+05/03/25 10:46:41  05/04/25 10:46:41  krbtgt/LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9@LOCALKDC.2A1A0335-BF33-4B96-AC68-F98DCBF154A9
+	renew until 05/10/25 10:46:41
+05/03/25 10:46:41  05/04/25 10:46:41  cifs/ab.localkdc.test@
+	renew until 05/10/25 10:46:41
+	Ticket server: cifs/[email protected]
 ```
 
-An authentication in this case will use Kerberos mechanism but will require
-password to proxy the request to the local KDC on Samba server side over the
-SMB3 connection.
+An authentication in this case will use Kerberos mechanism. However, Samba client will require
+a password because there are no valid credentials (yet) to authenticate. On its
+side, Samba server will then proxy the request to the local KDC on Samba server
+side. This Kerberos exchange will happen completely over SMB3 connection.
 
 ## Recording video of the demo operations
 
@@ -220,9 +270,7 @@ The lab also includes a tape to record a video. Ansible playbook
 Video recording is built upon excellent
 [VHS](https://github.com/charmbracelet/vhs) tool. A pre-built version for
 Fedora is provided in [COPR
-abbra/vhs](https://copr.fedorainfracloud.org/coprs/abbra/vhs/). This build also
-includes a fix from the upstream
-[PR#551](https://github.com/charmbracelet/vhs/pull/551).
+abbra/vhs](https://copr.fedorainfracloud.org/coprs/abbra/vhs/).
 
 ```
 [in the generated localkdc directory]

ipalab-config/localkdc/configs/00-krb5.conf.d-defaults.conf

@@ -1,15 +1,9 @@
 [libdefaults]
 default_ccache_name = KCM:
+canonicalize = true
 default_realm = %REALM%
 
 [domain_realm]
-    ab.localkdc.test = AB.LOCALKDC.SITE
-    asn.localkdc.test = ASN.LOCALKDC.SITE
+    ab.localkdc.test = %REALM_AB%
+    asn.localkdc.test = %REALM_ASN%
 
-[capaths]
-    AB.LOCALKDC.SITE = {
-        ASN.LOCALKDC.SITE = .
-    }
-    ASN.LOCALKDC.SITE = {
-        AB.LOCALKDC.SITE = .
-    }

ipalab-config/localkdc/configs/00-samba-smb.conf

@@ -3,10 +3,8 @@
  # Limit number of forked processes to avoid SMBLoris attack
  max smbd processes = 1000
 
- # Use dedicated Samba keytab. The key there must be synchronized
- # with Samba tdb databases or nothing will work
- dedicated keytab file = FILE:/etc/samba/localkdc.keytab
- kerberos method = dedicated keytab
+ # Include localkdc configuration generated by localkdc-setup
+ include = /etc/samba/localkdc.conf
 
  # Set up logging per machine and Samba process
  log file = /var/log/samba/log.%m
@@ -15,8 +13,6 @@
  server role = standalone
  obey pam restrictions = yes
 
-realm = %REALM%
-
 netbios name = %WORKGROUP%
 workgroup = %WORKGROUP%
 

ipalab-config/localkdc/playbooks/configure-localkdc.yaml

@@ -5,18 +5,31 @@
   gather_facts: true
 
   vars:
-    ab_realm: AB.LOCALKDC.SITE
-    asn_realm: ASN.LOCALKDC.SITE
+    host_ab: ab.localkdc.test
+    host_asn: asn.localkdc.test
+    test_user: testuser
+    test_pass: Secret123
 
   tasks:
+    - name: Configure Local KDC
+      ansible.builtin.shell: |
+        /usr/sbin/localkdc-setup
+
+    - name: Collect local KDC information
+      shell: |
+        grep default_realm /etc/krb5.conf.d/localkdc | cut -d= -f2
+      register: localkdc_info
+
     - name: Generate realm name based on the host name
       ansible.builtin.set_fact:
         workgroup_name: "{{ ansible_facts.fqdn.split('.')[0] | upper }}"
-        realm_name: "{{ ansible_facts.fqdn.split('.')[0] | upper }}.LOCALKDC.SITE"
+        realm_name: "{{ localkdc_info.stdout | trim }}"
 
     - name: Modify configuration templates to apply realm name
       ansible.builtin.shell: |
         sed -i "s@%REALM%@{{ realm_name }}@g" /root/configs/00-*
+        sed -i "s@%REALM_AB%@{{ hostvars[host_ab]['realm_name'] }}@g" /root/configs/00-*
+        sed -i "s@%REALM_ASN%@{{ hostvars[host_asn]['realm_name'] }}@g" /root/configs/00-*
         sed -i "s@%WORKGROUP%@{{ workgroup_name }}@g" /root/configs/00-*
 
     - name: Set local KDC configuration defaults
@@ -61,10 +74,6 @@
         enabled: true
         state: started
 
-    - name: Configure Local KDC
-      ansible.builtin.shell: |
-        /usr/sbin/localkdc-setup
-
     - name: Enable LocalKDC socket
       ansible.builtin.systemd_service:
         name: localkdc.socket
@@ -89,19 +98,19 @@
         enabled: true
         state: started
 
-    - name: Create a user 'testuser' with a home directory
+    - name: Create a user '{{ test_user }}' with a home directory
       ansible.builtin.user:
-        name: testuser
+        name: {{ test_user }}
         create_home: yes
         groups: wheel
         append: true
 
     - name: Add local KDC credentials for user 'testuser'
       ansible.builtin.shell: |
-        /usr/sbin/localkdc-kadmin addprinc -pw Secret123 testuser
+        echo -e "{{ test_pass }}\n{{ test_pass }}\n" | /usr/sbin/localkdc-useradd "{{ test_user }}"
 
     - name: Add local KDC cross-realm trust between machines
       ansible.builtin.shell: |
-        /usr/sbin/localkdc-kadmin addprinc -pw Secret123 krbtgt/{{ ab_realm }}@{{ asn_realm }}
-        /usr/sbin/localkdc-kadmin addprinc -pw Secret123 krbtgt/{{ asn_realm }}@{{ ab_realm }}
+        /usr/sbin/localkdc-kadmin addprinc -pw Secret123 "krbtgt/{{ hostvars[host_ab]['realm_name'] }}@{{  hostvars[host_asn]['realm_name'] }}"
+        /usr/sbin/localkdc-kadmin addprinc -pw Secret123 "krbtgt/{{ hostvars[host_asn]['realm_name'] }}@{{ hostvars[host_ab]['realm_name'] }}"