samba and kerberos

Andrew Bartlett abartlet at samba.org
Sat Jul 13 01:39:44 MDT 2013


On Sat, 2013-07-13 at 09:20 +0200, Gémes Géza wrote:
> On 2013-07-11 15:45, Manuel Sabban wrote:
> > Hi,
> >
> > I have been searching for quite some time now, and I am quite clueless as to how to achieve our final configuration. I am not even sure that it is possible.
> >
> > Here's the thing.
> >
> > We have a network with around 1000 computers, I would say. It is mixed between Windows and Linux stations. Until now we had LDAP servers to authenticate against. The Windows box authentications were managed by a samba3 with ldapsam backend.
> >
> > Now, we would like to deploy Windows 7, with Active Directory support from samba4. But we also would like to change the authentication to a Kerberos realm for the Linux boxes.
> >
> > So I set up a samba4 domain controller and an MIT Kerberos server. For the sake of details, the samba4 version is 4.0.3 from Debian experimental (as the beta3 version in wheezy didn't do well with an external CIFS server) on a wheezy.
> >
> > Now I want to set up a cross-realm trust between Kerberos and the internal Kerberos of samba4 (I would like the ticket to be usable on both realms).
> > I created principals for the two realms.
> >
> > Let's say REALM1 = Kerberos MIT
> > and REALM2 = samba4
> >
> > I created krbtgt/REALM1@REALM2 and krbtgt/REALM2@REALM1 on both realms, using kadmin for the Kerberos part and samba-tool (create a user, create principals for this user, and exportkeytab for these principals). I used the same password. I tried to create the keytab first on samba4 and then on Kerberos, but neither worked.
> >
> > It seems that I am able to get a TGT from the foreign realm (REALM1 if I kinit-ed to REALM2, for example), but the TGS fails to be delivered (TGS_REQ failing with "Decrypt integrity check failed"). I am quite sure that the ciphers are the same on both sides.
> >
> > So now here's the question:
> >
> > 1. Is this possible?
> > 2. Is there something I missed?
> > 3. Maybe there's a better option to achieve what I want, or nearly achieve what I want.
> >
> > Thank you for your work on samba, and for your help.
> >
> > Best regards,
> > Manuel Sabban
> If you don't want additional headaches, forget about the MIT KDC and
> trust; simply joining the Linux boxes to the samba4 AD does the trick.

Thanks, that says exactly what I was going to say.

> You have to install winbind (preferably 3.6.x for now), nss-winbind,
> pam-winbind and pam-krb5 (exact names depend on the distribution) on the
> Linux boxes, and create a krb5.conf like:

My only question is why 3.6 winbind? The only issues we have had that
I know of are in the winbind internal to the AD DC; the Samba 4.0
winbindd should be fine, if packaged for your distribution.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
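
As an added illustration of the approach recommended in this thread (join the Linux boxes directly to the Samba AD domain with winbind and pam-krb5, no second KDC and no cross-realm trust), here is a minimal pair of configuration fragments for a Linux member host. This is example configuration written for this page, not the krb5.conf from Géza's message and not configuration shipped by the Samba project. The realm EXAMPLE.COM, the NetBIOS domain name EXAMPLE, the DC hostname dc1.example.com, the idmap ranges and the ticket lifetimes are assumptions to be replaced with your own values.

```ini
# /etc/krb5.conf on the Linux member host.
# Example configuration; realm, KDC name and lifetimes are assumptions.
[libdefaults]
    default_realm = EXAMPLE.COM
# Locate KDCs through the AD DNS SRV records rather than a hard-coded
# list, so adding or moving a DC does not break logins; the [realms]
# entry below is only a fallback.
    dns_lookup_kdc = true
    dns_lookup_realm = false
# Short lifetimes limit the window in which a stolen credential cache
# is useful; the DC's own policy still caps what it will issue.
    ticket_lifetime = 10h
    renew_lifetime = 7d
    forwardable = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

# /etc/samba/smb.conf on the same host: an AD domain member, not a DC.
# Example configuration; domain, realm and idmap ranges are assumptions.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # Keep the machine account password in secrets.tdb and the host
    # keys in /etc/krb5.keytab in sync, so sshd and pam-krb5 can
    # validate user tickets against the host principal and an attacker
    # cannot substitute a fake KDC.
    kerberos method = secrets and keytab
    # Derive UIDs/GIDs from the SID's RID so a given AD user gets the
    # same UID on every member host (important for NFS and audit logs).
    # The domain range must not overlap local accounts or the '*' range
    # used for BUILTIN and other well-known SIDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    # Let users log in as "alice" rather than "EXAMPLE\alice".
    winbind use default domain = yes
    # Renew the user's TGT while logged in and cache credentials for
    # laptops that lose sight of the DC.
    winbind refresh tickets = yes
    winbind offline logon = yes
    template shell = /bin/bash
    template homedir = /home/%U
```

With both files in place, `net ads join -U Administrator` creates the machine account and populates the keytab; `net ads testjoin`, `wbinfo -t` (machine trust secret) and `wbinfo -u` confirm the join, and `getent passwd <aduser>` confirms that `/etc/nsswitch.conf` has `winbind` on its `passwd` and `group` lines. A `kinit <aduser>@EXAMPLE.COM` from the member host then exercises the same path pam-krb5 uses at login. Two things break this silently in practice: clock skew beyond the Kerberos default of five minutes, so run ntpd against the DC, and a member host whose resolver does not point at the AD DNS, so `dns_lookup_kdc` finds nothing.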
