Kerberos-Anaconda Repository setup example
==========================================

Kerberos authentication adds a layer of security to Anaconda Repository. The
following example shows how to set up a minimal working installation with three
machines: one running Anaconda Repository, one running the MIT Kerberos Key
Distribution Center (KDC), and a client from which we connect to both
services.

For this example we assume that both the KDC and Anaconda Repository are
already configured and the 3 systems have the Network Time Protocol (NTP)
service working.


Initial Setup
~~~~~~~~~~~~~

All 3 machines are running CentOS 7, but the configuration described here applies
to many other Linux distributions. We are going to use the following domain
names:

* Anaconda Repository: ``anaconda.kerberos.local``
* Kerberos KDC: ``kdc.kerberos.local``
* Client: ``client.kerberos.local``

Make sure that the host names in the configuration files ``/etc/hostname`` and
``/etc/hosts`` are correct so that reverse-DNS lookups succeed.

The name of the Kerberos realm is ``KERBEROS.LOCAL``. The 3 machines have the
same configuration file ``/etc/krb5.conf``:

.. code-block:: ini

   [logging]
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log
       default = SYSLOG:NOTICE:DAEMON

   [libdefaults]
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
       rdns = false
       default_realm = KERBEROS.LOCAL
       default_ccache_name = KEYRING:persistent:%{uid}

   [realms]
       KERBEROS.LOCAL = {
           kdc = kdc.kerberos.local
           admin_server = kdc.kerberos.local
       }

   [domain_realm]
       .kerberos.local = KERBEROS.LOCAL
       kerberos.local = KERBEROS.LOCAL

On ``kdc.kerberos.local`` the files ``/var/kerberos/krb5kdc/kdc.conf`` and
``/var/kerberos/krb5kdc/kadm5.acl`` should be configured accordingly.


Configure Anaconda Repository
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At this point Anaconda Repository is up and running, installed in
``/home/anaconda-server/repo``; the administrator account in this example is
``superuser``. To allow Kerberos authentication we first create a service
principal and a keytab containing that principal. This is done by running the
following commands as root from a terminal on ``anaconda.kerberos.local``.

.. code-block:: bash

   kadmin -q "addprinc HTTP/anaconda.kerberos.local"
   kadmin -q "ktadd -k /home/anaconda-server/repo/etc/anaconda-server/http.keytab HTTP/anaconda.kerberos.local"
   chown anaconda-server:anaconda-server \
      /home/anaconda-server/repo/etc/anaconda-server/http.keytab
   chmod 600 /home/anaconda-server/repo/etc/anaconda-server/http.keytab
   
Now edit the configuration file
``/home/anaconda-server/repo/etc/anaconda-server/config.yaml`` and add the
following lines:

.. code-block:: yaml

   AUTH_TYPE: KERBEROS
   KRB5_KTNAME: /home/anaconda-server/repo/etc/anaconda-server/http.keytab

Finally, add a principal for the admin account to the Kerberos realm:

.. code-block:: bash

   kadmin -q "addprinc superuser@KERBEROS.LOCAL"

Reboot the server for the changes to take effect.
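Before restarting, it is worth checking that the keytab created above really holds the ``HTTP/anaconda.kerberos.local`` principal and is not readable by other users. The following script is an added example, not part of this page or of Anaconda Repository: it parses the MIT keytab file format (version 0x0502) directly. ``build_keytab`` only constructs sample input for offline testing; the real ``http.keytab`` comes from ``kadmin ktadd``.

```python
import struct
EXPECTED_PRINCIPAL = "HTTP/anaconda.kerberos.local@KERBEROS.LOCAL"  # stored by the ktadd step above

def _cos(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data  # counted octet string: 16-bit BE length + bytes

def _read_cos(buf: bytes, pos: int):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n  # (bytes, position after the string)

def build_keytab(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """One-entry MIT keytab (format 0x0502), constructed here only as sample input;
    the real http.keytab is written by 'kadmin ktadd' on the server."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    body += b"".join(_cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _cos(key)  # enctype 18 = aes256-cts-hmac-sha1-96
    body += struct.pack(">I", kvno)                 # optional 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, enctype, kvno)] for each live entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:  # negative size marks a deleted entry (hole); skip its bytes
            pos -= size; continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack(">H", data[p:p + 2]); p += 2
        realm, p = _read_cos(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(data, p); comps.append(c.decode())
        _ntype, _stamp, vno8, enctype = struct.unpack(">IIBH", data[p:p + 11]); p += 11
        _key, p = _read_cos(data, p)  # key material: read past it, never returned or logged
        vno32 = struct.unpack(">I", data[p:p + 4])[0] if end - p >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype, vno32 or vno8))
        pos = end
    return entries

def check_keytab(data: bytes, mode: int, expected: str = EXPECTED_PRINCIPAL):
    """Return a list of problems; an empty list means the keytab passes both checks."""
    problems = ["mode %04o, expected 0600" % mode] if mode & 0o077 else []  # no group/other access
    if expected not in [p for p, _, _ in parse_keytab(data)]:
        problems.append("no entry for %s" % expected)
    return problems
```

On the server, pass the bytes of ``http.keytab`` together with ``stat.S_IMODE(os.stat(path).st_mode)`` to ``check_keytab``; an empty list means the principal is present and the file is mode 0600.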

Client Configuration
~~~~~~~~~~~~~~~~~~~~

To log in to Anaconda Repository with Kerberos authentication, a browser that
supports this authentication protocol is required. In this example we are
using Firefox, which needs some extra configuration.

* Open Firefox and type **about:config** in the navigation bar, click the
  confirmation button if necessary to proceed to the configuration page.

* Type **negotiate** in the search field to filter the options, double-click
  **network.negotiate-auth.trusted-uris** and enter ``.kerberos.local`` in the
  text box.

* Do the same for **network.negotiate-auth.delegation-uris**.

Finally, a ticket for ``superuser`` must be stored on the local machine. The
following command requests it:

.. code-block:: bash

   kinit superuser@KERBEROS.LOCAL

Now open Anaconda Repository in Firefox; in this example the URL is
``anaconda.kerberos.local:8080``. After clicking **Sign In**, the user should be
logged in immediately without having to enter any credentials.
