samba and kerberos

Gémes Géza geza at
Sat Jul 13 01:20:26 MDT 2013

On 2013-07-11 15:45, Manuel Sabban wrote:
> Hi,
> I searched for quite some time now, and I am quite clueless about how to achieve our final configuration. I am not even sure that it is possible.
> Here's the thing.
> We have a network with around 1000 computers I would say. It is mixed between windows and linux stations. Until now we had LDAP servers to authenticate against. The windows box authentications were managed by a samba3 with ldapsam backend.
> Now, we would like to deploy windows 7, with an active directory support with samba4. But we also would like to change the authentication to a kerberos realm for the linux boxes.
> So I set up a samba4 domain controller and a MIT kerberos server. For the sake of details, the samba4 version is 4.0.3 from debian experimental (as the beta3 version in wheezy didn't do well with external cifs server) on a wheezy.
> Now I want to set up cross-realm trust between kerberos and the internal kerberos of samba4 (I would like the ticket being useable on both realms).
> I created principals for the two realms.
> Let's say REALM1 = Kerberos MIT
> and REALM2 = samba4
> I created krbtgt/REALM1 at REALM2 and krbtgt/REALM2 at REALM1 on both realms using kadmin for the kerberos part, samba-tool (create a user, create principals for this user, and exportkeytab for these principals). I used the same password. I tried to create the keytab first on samba4 and after on kerberos but neither worked.
> It seems that I am able to get a TGT from the foreign realm (REALM1 if I kinit-ed to REALM2 for example), but the TGS failed to be delivered (TGS_REQ failing with "Decrypt integrity check failed"). I am quite sure that ciphers are the same on both sides.
> So now here's the question:
> 1. Is this possible?
> 2. Is there something I missed?
> 3. Maybe there's a better option to achieve what I want, or nearly achieve what I want.
> Thank you for your work on samba, and for your help.
> Best regards,
> Manuel Sabban
If you don't want additional headaches forget about the MIT KDC and 
trust, simply joining the linux boxes to the samba4 AD does the trick. 
You have to install winbind (preferably 3.6.x for now), nss-winbind, 
pam-winbind and pam-krb5 (exact names depend on the distribution) on the 
linux boxes, create a krb5.conf like:

    [libdefaults]
        default_realm = REALM
        dns_lookup_kdc = true

and a smb.conf like:

    [global]
        workgroup = WORKGROUP
        realm = REALM
        kerberos method = system keytab
        security = ads
        winbind enum groups = yes
        winbind enum users = yes
        idmap config *:backend = tdb
        idmap config *:range = 2000001-3000000
        idmap config WORKGROUP:default = yes
        idmap config WORKGROUP:backend = ad
        idmap config WORKGROUP:range = 0-1000000
        idmap config WORKGROUP:schema_mode = rfc2307
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes

If you do a net ads join on them they will get the same uid/gids as 
before, assuming that you successfully classicupgraded your samba3 
domain, which should pull those attributes as well.


Geza Gemes
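As an added example (not code from the post or from the Samba project), a small sh script that checks an smb.conf for the settings the reply above relies on before running net ads join, and then runs the usual post-join sanity commands; the file paths, the WORKGROUP argument and the admin account name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list post. Validates an smb.conf for the
# AD-member setup described above before "net ads join", then runs the usual
# post-join sanity commands. File paths and the WORKGROUP name are assumptions.

# normalize_conf FILE: drop comments/blank lines and the whitespace around
# "=" and ":" so that "idmap config * : backend = tdb" and the compact form
# "idmap config *:backend=tdb" compare equal.
normalize_conf() {
    sed -e 's/[;#].*//' -e '/^[[:space:]]*$/d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*:[[:space:]]*/:/' "$1"
}

# check_smb_conf FILE WORKGROUP: print every required setting that is
# missing; exit status 0 only when all of them are present.
check_smb_conf() {
    norm=$(normalize_conf "$1"); rc=0
    wanted="security=ads
kerberos method=system keytab
winbind nss info=rfc2307
idmap config *:backend=tdb
idmap config $2:backend=ad
idmap config $2:schema_mode=rfc2307"
    set -f; old_ifs=$IFS; IFS='
'
    for want in $wanted; do
        if ! printf '%s\n' "$norm" | grep -qxF -- "$want"; then
            echo "missing: $want"; rc=1
        fi
    done
    IFS=$old_ifs; set +f
    return $rc
}

# join_and_verify ADMIN WORKGROUP: refuse to join with an incomplete config;
# after joining, confirm the machine trust, the system keytab that pam-krb5
# verifies tickets against, and that an AD account resolves through winbind.
join_and_verify() {
    check_smb_conf /etc/samba/smb.conf "$2" || return 1
    net ads join -U "$1" || return 1
    net ads testjoin && wbinfo -t && klist -k /etc/krb5.keytab && getent passwd "$1"
}
```

Run check_smb_conf against the configuration before the join; a box that passes it but still cannot resolve users afterwards usually has an rfc2307 attribute problem on the DC rather than a client-side one.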

More information about the samba-technical mailing list