lenosi/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Sources (Good to know)

https://web.mit.edu/kerberos/krb5-devel/doc/mitK5defaults.html#mitk5defaults
Absolutly the best summary of knowledge which you can find about (cyrus-sasl):
https://www.arschkrebs.de/slides/surviving_cyrus_sasl-handout.pdf
Required


Installed qpid-dispatch (qdrouterd)
Installed cyrus-sasl cyrus-sasl-gssapi
Configured Kerberos enviroment (TODO readme)
Prepared keytabs for qdrouterd, clients (It depends on your Kerberos enviroment)

Qdrouterd side


/etc/qpid-dispatch/qdrouterd.conf


configure router { saslConfigPath: /etc/sasl2; saslConfigName: qdrouterd}
set listener {authenticatePeer:yes; saslMechanisms: GSSAPI}


/etc/sasl2/kerberos_qdrouterd.conf


set keytab: /etc/keytabs/qdrouterd.keytab
set mech_list: GSSAPI

Kerberos enviroment


/etc/examplecom_krb5.conf (Example with Kerberos FreeIPA enviroment)

Run qdrouterd

KRB5_CONFIG=/etc/examplecom_krb5.conf qdrouterd

Try to use some client

Python

https://github.com/pematous/cli-proton-python
Sender

KRB5_CONFIG=/etc/examplecom_krb5.conf KRB5_KTNAME=/etc/keytabs/client1.keytab cli-proton-python-sender -b server.example.com:5672/example --conn-allowed-mechs=GSSAPI --log-msgs=dict --timeout=10 -c 10

Receiver

KRB5_CONFIG=/etc/examplecom_krb5.conf KRB5_KTNAME=/etc/keytabs/client2.keytab cli-proton-python-receiver -b server.example.com:5672/example  --conn-allowed-mechs=GSSAPI --log-msgs=dict --timeout=10 -c 10


## examplecom_krb5.conf
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = ipa-server.mexample.com:88
  master_kdc = ipa-server.example.com:88
  admin_server = ipa-server.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}

[domain_realm]
 .example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
 ipa-server.example.com = EXAMPLE.COM

[dbmodules]
  EXAMPLE.COM = {
    db_library = ipadb.so
}

## kerberos_qdrouterd.conf
keytab: /etc/keytabs/qdrouterd.keytab
mech_list: GSSAPI

## qdrouterd.conf
router {
    mode: standalone
    id: Kerberos
    saslConfigPath: /etc/sasl2
    saslConfigName: kerberos_qdrouterd
}

listener {
    host: 0.0.0.0
    port: amqp
    authenticatePeer: yes
    saslMechanisms: GSSAPI
}

log {
     enable: trace+
     module: DEFAULT
}
	includedir /etc/krb5.conf.d/
	includedir /var/lib/sss/pubconf/krb5.include.d/

	[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmind.log

	[libdefaults]
	default_realm = EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true
	rdns = false
	ticket_lifetime = 24h
	forwardable = true
	udp_preference_limit = 0
	default_ccache_name = KEYRING:persistent:%{uid}

	[realms]
	EXAMPLE.COM = {
	kdc = ipa-server.mexample.com:88
	master_kdc = ipa-server.example.com:88
	admin_server = ipa-server.example.com:749
	default_domain = example.com
	pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
	pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
	}

	[domain_realm]
	.example.com = EXAMPLE.COM
	example.com = EXAMPLE.COM
	ipa-server.example.com = EXAMPLE.COM

	[dbmodules]
	EXAMPLE.COM = {
	db_library = ipadb.so
	}
	router {
	mode: standalone
	id: Kerberos
	saslConfigPath: /etc/sasl2
	saslConfigName: kerberos_qdrouterd
	}

	listener {
	host: 0.0.0.0
	port: amqp
	authenticatePeer: yes
	saslMechanisms: GSSAPI
	}

	log {
	enable: trace+
	module: DEFAULT
	}