samba and kerberos
geza at kzsdabas.hu
Sat Jul 13 01:20:26 MDT 2013
2013-07-11 15:45 keltezéssel, Manuel Sabban írta:
> I searched for quite some time now, and I am quite clueless of how to achieve our final configuration. I am not even sure that it is possible.
> Here's the thing.
> We have a a network with around 1000 computers I would say. It is mixed between windows and linux stations. Until now we had LDAP servers to authenticate against. The windows box autentications were managed by a samba3 with ldapsam backend.
> Now, we would like to deploy windows 7, with an active directory support with samba4. But we also would like to change the authentication to a kerberos realm for the linux boxes.
> So I set up a samba4 domain controller and a MIT kerberos server. For the sake of details, the samba4 version is 4.0.3 from debian experimental (as the beta3 version in wheezy didnt'do well with external cifs server) on a wheezy.
> Now I want to set up cross-realm trust between kerberos and the internal kerberos of samba4 (I would like the ticket being useable on both realms).
> I created principals for the two realms.
> Let's say REALM1 = Kerberos MIT
> and REALM2 = samba4
> I created krbtgt/REALM1 at REALM2 and krbtgt/REALM2 at REALM1 on both realms using kadmin for the kerberos part, samba-tool (create a user, create principals for this user, and exportkeytab for these principals). I used same password. I tried to create the keytab first on samba4 and after on kerberos but none work.
> It seems that I am able to get a TGT from the foreign realm (REALM1 if I kinit-ed to REALM2 for example), but the TGS failed to be delivered, (TGS_REQ failing with Decrypt integrity check failed). I am quite sure that ciphers are the same on both sides.
> So now here's the question :
> 1. Is this possible ?
> 2. Is there something I missed
> 3. Maybe there's a better option to achieve what I want, or nearly achieve what I want.
> Thank your for your work on samba, and for your help.
> Best regards,
> Manuel Sabban
If you don't want additional headaches forget about the MIT KDC and
trust, simply joining the linux boxes to the samba4 AD does the trick.
You have to install winbind (preferably 3.6.x for now), nss-winbind,
pam-winbind and pam-krb5 (exact names depends on distribution) on the
linux boxes, create a krb5.conf like:
default_realm = REALM
dns_lookup_kdc = true
and a smb.conf like:
workgroup = WORKGROUP
realm = REALM
kerberos method = system keytab
security = ads
winbind enum groups = yes
winbind enum users = yes
idmap config *:backend = tdb
idmap config *:range = 2000001-3000000
idmap config WORKGROUP:default = yes
idmap config WORKGROUP:backend = ad
idmap config WORKGROUP:range = 0-1000000
idmap config WORKGROUP:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
If you do a net ads join on them they will get the same uid/gids as
before, assuming, that you successfully classicupgraded your samb3
domain, which should pull those attributes as well.
More information about the samba-technical