6.4 Samba ADS Domain Membership


This is a rough guide to setting up Samba-3 with Kerberos authentication against a Windows 200x KDC. A familiarity with Kerberos is assumed.

6.4.1 Configure smb.conf

You must set at least the following three options in smb.conf:

   realm = YOUR.KERBEROS.REALM
   security = ADS
   encrypt passwords = yes

If Samba cannot locate the appropriate ADS server from the realm name alone, set the password server option in smb.conf:

   password server = your.kerberos.server

NOTE

You do not need an smbpasswd file, and older clients will be authenticated as if security = domain. An smbpasswd file does no harm, though, and allows you to have local users who are not in the domain.


6.4.2 Configure /etc/krb5.conf

With both MIT and Heimdal Kerberos, this step is unnecessary and may even be detrimental. Every ADS domain automatically creates SRV records in DNS under _kerberos._udp.REALM.NAME (and _kerberos._tcp.REALM.NAME) for each KDC in the realm. Both the MIT and the Heimdal KRB5 libraries default to looking up these records, so they find the KDCs automatically. A hand-written krb5.conf, by contrast, only knows about the KDCs you list in it and goes stale when domain controllers are added or removed; relying on the DNS lookup lets the KRB5 libraries use whichever KDCs are currently available.

When configuring krb5.conf manually, the minimal configuration is:

   [libdefaults]
       default_realm = YOUR.KERBEROS.REALM

   [realms]
       YOUR.KERBEROS.REALM = {
           kdc = your.kerberos.server
       }

   [domain_realm]
       .kerberos.server = YOUR.KERBEROS.REALM

When using Heimdal versions before 0.6, use the following configuration settings:

   [libdefaults]
       default_realm = YOUR.KERBEROS.REALM
       default_etypes = des-cbc-crc des-cbc-md5
       default_etypes_des = des-cbc-crc des-cbc-md5

   [realms]
       YOUR.KERBEROS.REALM = {
           kdc = your.kerberos.server
       }

   [domain_realm]
       .kerberos.server = YOUR.KERBEROS.REALM

Test your configuration by running kinit USERNAME@REALM and making sure that your password is accepted by the Windows 2000 KDC.

With Heimdal versions earlier than 0.6.x you can only use accounts that were newly created in ADS, accounts whose password has been changed at least once after migration, or, in the case of Administrator, after installation. At the moment, a Windows 2003 KDC can only be used with Heimdal releases later than 0.6 (and without default etypes in krb5.conf). Unfortunately, this whole area is still in a state of flux.

NOTE

The realm must be in uppercase or you will get a "Cannot find KDC for requested realm while getting initial credentials" error (Kerberos realm names are case-sensitive!).


NOTE

The clocks of the two servers must be synchronized. You will get "kinit(v5): Clock skew too great while getting initial credentials" if the time difference is more than five minutes. The clock skew limit is configurable in the Kerberos implementations; the default is five minutes.


You must also ensure that a reverse DNS lookup on the IP address of your KDC succeeds. The name that this reverse lookup returns must be either the NetBIOS name of the KDC (i.e., the hostname with no domain attached) or the NetBIOS name followed by the realm.

The easiest way to get this right is to add an /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If this is not correct, you will get a local error when you try to join the realm.
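The three notes above (uppercase realm, clock skew, reverse DNS of the KDC) and the smb.conf settings from Section 6.4.1 are all things that fail late and cryptically during the join, so it pays to check them up front. The following preflight script is an added example written for this edition of the page, not a script from the Samba HOWTO or from the Samba project. It assumes dig(1), getent(1) and ntpdate(1) are installed, that smb.conf lives at /etc/samba/smb.conf (override with the SMBCONF environment variable), and that the KDCs are published in the _kerberos._udp SRV records described in Section 6.4.2. The realm is passed as the first argument.

```shell
#!/bin/sh
# Preflight checks before "net ads join": lowercase realm, missing smb.conf
# settings, clock skew beyond the Kerberos default, and a KDC whose reverse
# DNS name does not match its NetBIOS name.
# Added example, not part of the Samba HOWTO. Assumes dig(1), getent(1) and,
# for the skew test, ntpdate(1). MAX_SKEW mirrors the five-minute default.

MAX_SKEW=300
SMBCONF="${SMBCONF:-/etc/samba/smb.conf}"   # assumed path; override via env

# realm_is_upper REALM -> success if REALM contains no lowercase letters
realm_is_upper() {
    case "$1" in
        *[[:lower:]]*) return 1 ;;
        *)             return 0 ;;
    esac
}

# skew_ok LOCAL_EPOCH KDC_EPOCH -> success if the clocks differ by <= MAX_SKEW seconds
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# rdns_name_ok PTR_NAME NETBIOS_NAME REALM -> success if the reverse-lookup name
# is the bare NetBIOS name or NETBIOS.REALM (DNS names are case-insensitive)
rdns_name_ok() {
    ptr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    nb=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    rl=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ "$ptr" = "$nb" ] || [ "$ptr" = "$nb.$rl" ]
}

# smbconf_ok FILE -> success if FILE sets realm, security = ADS and
# encrypt passwords = yes (Samba parameter names and values are case-insensitive)
smbconf_ok() {
    grep -Eiq '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" &&
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$1" &&
    grep -Eiq '^[[:space:]]*encrypt[[:space:]]+passwords[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# discover_kdcs REALM -> KDC hostnames from the _kerberos._udp SRV records
discover_kdcs() {
    dig +short SRV "_kerberos._udp.$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# kdc_epoch KDC -> the KDC's clock as Unix time, derived from the NTP offset
# reported by "ntpdate -q" (offset = correction to apply to the local clock)
kdc_epoch() {
    off=$(ntpdate -q "$1" 2>/dev/null |
          awk '{ for (i = 1; i < NF; i++) if ($i == "offset") { sub(/,/, "", $(i+1)); print $(i+1); exit } }')
    [ -n "$off" ] || return 1
    awk -v now="$(date +%s)" -v off="$off" 'BEGIN { printf "%d\n", now + off }'
}

main() {
    realm="$1"
    realm_is_upper "$realm" || echo "WARN: realm '$realm' is not uppercase; kinit will not find the KDC"
    smbconf_ok "$SMBCONF" || echo "WARN: $SMBCONF lacks realm / security = ADS / encrypt passwords = yes"
    for kdc in $(discover_kdcs "$realm"); do
        ip=$(getent hosts "$kdc" | awk 'NR == 1 { print $1 }')
        ptr=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
        nb=${kdc%%.*}
        rdns_name_ok "$ptr" "$nb" "$realm" ||
            echo "WARN: $ip reverses to '$ptr'; expected '$nb' or '$nb.$realm' (fix via /etc/hosts)"
        if kt=$(kdc_epoch "$kdc"); then
            skew_ok "$(date +%s)" "$kt" || echo "WARN: clock skew to $kdc exceeds ${MAX_SKEW}s"
        else
            echo "INFO: could not query the clock on $kdc (ntpdate missing or blocked)"
        fi
        echo "checked KDC $kdc ($ip)"
    done
}

# Run the checks only when a realm is given: sh preflight.sh YOUR.KERBEROS.REALM
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The checks are deliberately split into small functions that take their inputs as arguments, so the comparisons (realm case, skew arithmetic, acceptable reverse names, required smb.conf keys) can be exercised without a KDC on the network; only main touches DNS and NTP.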

If all you want is Kerberos support in smbclient then you can skip directly to Section 6.4.5 now. Section 6.4.3 and Section 6.4.4 are needed only if you want Kerberos support for smbd and winbindd .

6.4.3 Create the Computer Account

As a user who has write permission on the Samba private directory (usually root), run:

 
 root# net ads join -U Administrator%password 

When making a Windows client a member of an ADS domain within a complex organization, you may want to create the machine account within a particular organizational unit. Samba-3 permits this using the following syntax:

   root# kinit Administrator@YOUR.KERBEROS.REALM
   root# net ads join organizational_unit

For example, to create the machine account in a container called "Servers" under the organizational unit path "Computer\BusinessUnit\Department", run:

   root# net ads join "Computer\BusinessUnit\Department\Servers"

6.4.3.1 Possible Errors

ADS support not compiled in: Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the Kerberos libraries and header files are installed.

net ads join prompts for a user name: You need to log in to the domain using kinit USERNAME@REALM. USERNAME must be a user who has rights to add a machine to the domain.

Unsupported encryption or checksum types: Make sure that /etc/krb5.conf is correctly configured for the type and version of Kerberos installed on the system.

6.4.4 Testing Server Setup

If the join was successful, you will see a new computer account with the NetBIOS name of your Samba server in Active Directory (in the "Computers" folder under Active Directory Users and Computers).

On a Windows 2000 client, try net use * \\server\share . You should be logged in with Kerberos without needing to know a password. If this fails then run klist tickets . Did you get a ticket for the server? Does it have an encryption type of DES-CBC-MD5?

NOTE

Samba can use both the DES-CBC-MD5 and the ARCFOUR-HMAC-MD5 encryption types. DES is a weak cipher; prefer ARCFOUR-HMAC-MD5 where the KDC and the Kerberos library support it.


6.4.5 Testing with smbclient

On your Samba server, try to log in to a Windows 2000 server or to your Samba server using smbclient with Kerberos. Use smbclient as usual, but specify the -k option to select Kerberos authentication.

6.4.6 Notes

You must change the Administrator password at least once after the DC install to create the right encryption types.

Windows 200x does not seem to create the _kerberos._udp and _ldap._tcp records in the default DNS setup. Perhaps this will be fixed in later service packs.



The Official Samba-3 HOWTO and Reference Guide, 2nd Edition
ISBN: 0131882228
Year: 2005
Pages: 297