This is a rough guide to setting up Samba-3 with Kerberos authentication against a Windows 200x KDC. A familiarity with Kerberos is assumed.

6.4.1 Configure smb.conf

You must use at least the following three options in smb.conf:

    realm = your.kerberos.REALM
    security = ADS
    encrypt passwords = yes

In case Samba cannot correctly identify the appropriate ADS server using the realm name, use the password server option in smb.conf:

    password server = your.kerberos.server
6.4.2 Configure /etc/krb5.conf

With both MIT and Heimdal Kerberos, this is unnecessary, and may be detrimental. All ADS domains automatically create SRV records in the DNS zone _kerberos.REALM.NAME for each KDC in the realm. MIT's, as well as Heimdal's, KRB5 libraries default to checking for these records, so they will automatically find the KDCs. In addition, krb5.conf only allows specifying a single KDC, even if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available.

When manually configuring krb5.conf, the minimal configuration is:

    [libdefaults]
        default_realm = YOUR.KERBEROS.REALM

    [realms]
        YOUR.KERBEROS.REALM = {
            kdc = your.kerberos.server
        }

    [domain_realm]
        .kerberos.server = YOUR.KERBEROS.REALM

When using Heimdal versions before 0.6, use the following configuration settings:

    [libdefaults]
        default_realm = YOUR.KERBEROS.REALM
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5

    [realms]
        YOUR.KERBEROS.REALM = {
            kdc = your.kerberos.server
        }

    [domain_realm]
        .kerberos.server = YOUR.KERBEROS.REALM

Test your configuration by running kinit USERNAME@REALM and making sure that your password is accepted by the Win2000 KDC. With Heimdal versions earlier than 0.6.x you can only use newly created accounts in ADS, or accounts that have had the password changed once after migration (or, in the case of Administrator, after installation). At the moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6 (and no default etypes in krb5.conf). Unfortunately this whole area is still in a state of flux.
You must also ensure that you can do a reverse DNS lookup on the IP address of your KDC. The name that this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain attached) or, alternatively, the NetBIOS name followed by the realm. The easiest way to ensure you get this right is to add an /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If you do not get this correct, you will get a local error when you try to join the realm.

If all you want is Kerberos support in smbclient, you can skip directly to Section 6.4.5 now. Section 6.4.3 and Section 6.4.4 are needed only if you want Kerberos support for smbd and winbindd.

6.4.3 Create the Computer Account

As a user who has write permission on the Samba private directory (usually root), run:

    root# net ads join -U Administrator%password

When making a Windows client a member of an ADS domain within a complex organization, you may want to create the machine account within a particular organizational unit. Samba-3 permits this to be done using the following syntax:

    root# kinit Administrator@your.kerberos.REALM
    root# net ads join organizational_unit

For example, you may want to create the machine account in a container called "Servers" under the organizational directory "Computer\BusinessUnit\Department", like this:

    root# net ads join "Computer\BusinessUnit\Department\Servers"

6.4.3.1 Possible Errors

ADS support not compiled in
    Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the Kerberos libraries and header files are installed.

net ads join prompts for user name
    You need to log in to the domain using kinit USERNAME@REALM. USERNAME must be a user who has rights to add a machine to the domain.

Unsupported encryption/or checksum types
    Make sure that /etc/krb5.conf is correctly configured for the type and version of Kerberos installed on the system.
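As an added example (not part of the Samba HOWTO), a small POSIX shell script that checks two of the prerequisites above offline: that an smb.conf carries the three mandatory options from Section 6.4.1, and that the name a KDC's reverse lookup returns follows the NetBIOS-name rule described above. The sample configurations, host names and realm are constructed; on a live system you would point check_smbconf at your real smb.conf and feed check_kdc_name the result of the actual reverse lookup.

```shell
#!/bin/sh
# Added pre-join checks (not part of the Samba HOWTO). Pure text processing,
# so they run offline; the sample files below are constructed.

# check_smbconf FILE: verify the three mandatory smb.conf options.
# Assumes the spelling used in this guide ("encrypt passwords"); Samba itself
# ignores case and spaces in option names, which this simple check does not.
check_smbconf() {
    f="$1"; rc=0
    # strip comments and surrounding blanks, normalise "key = value" to "key=value"
    norm=$(sed -e 's/[;#].*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' "$f")
    realm=$(printf '%s\n' "$norm" | awk -F= 'tolower($1)=="realm"{print $2}')
    sec=$(printf '%s\n' "$norm" | awk -F= 'tolower($1)=="security"{print tolower($2)}')
    enc=$(printf '%s\n' "$norm" | awk -F= 'tolower($1)=="encrypt passwords"{print tolower($2)}')
    [ -n "$realm" ] || { echo "missing: realm"; rc=1; }
    [ "$sec" = "ads" ] || { echo "security must be ADS (got '$sec')"; rc=1; }
    [ "$enc" = "yes" ] || { echo "encrypt passwords must be yes (got '$enc')"; rc=1; }
    return $rc
}

# check_kdc_name REVERSE_NAME NETBIOS_NAME REALM: the name the KDC's reverse
# lookup returns must be the bare NetBIOS name or NetBIOS name + realm.
# DNS names are case-insensitive and may carry a trailing dot.
check_kdc_name() {
    rev=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    nb=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$rev" = "$nb" ] || [ "$rev" = "$nb.$realm" ]
}

# Constructed sample configurations: one correct, one with a misspelt "realm".
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
[global]
   realm = EXAMPLE.COM
   security = ADS
   encrypt passwords = yes
   password server = kdc1.example.com
EOF
cat >"$BAD_CONF" <<'EOF'
[global]
   relam = EXAMPLE.COM   ; misspelt: not a Samba parameter, so no realm is set
   security = ADS
EOF
check_smbconf "$GOOD_CONF" && echo "good smb.conf: ok"
check_smbconf "$BAD_CONF" || echo "bad smb.conf: rejected"
check_kdc_name "kdc1.example.com." KDC1 EXAMPLE.COM && echo "KDC reverse name: ok"
```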
6.4.4 Testing Server Setup

If the join was successful, you will see a new computer account with the NetBIOS name of your Samba server in Active Directory (in the "Computers" folder under Users and Computers). On a Windows 2000 client, try net use * \\server\share. You should be logged in with Kerberos without needing to know a password. If this fails, run klist tickets. Did you get a ticket for the server? Does it have an encryption type of DES-CBC-MD5?
6.4.5 Testing with smbclient

On your Samba server, try to log in to a Win2000 server or your Samba server using smbclient and Kerberos. Use smbclient as usual, but specify the -k option to choose Kerberos authentication.

6.4.6 Notes

You must change the administrator password at least once after the DC install, to create the right encryption types. Windows 200x does not seem to create the _kerberos._udp and _ldap._tcp records in the default DNS setup. Perhaps this will be fixed in later service packs.