samba and kerberos
geza at kzsdabas.hu
Sat Jul 13 02:48:22 MDT 2013
On 2013-07-13 09:39, Andrew Bartlett wrote:
> On Sat, 2013-07-13 at 09:20 +0200, Gémes Géza wrote:
>> On 2013-07-11 15:45, Manuel Sabban wrote:
>>> I have searched for quite some time now, and I am quite clueless about how to achieve our final configuration. I am not even sure that it is possible.
>>> Here's the thing.
>>> We have a network with around 1000 computers, I would say. It is mixed between Windows and Linux stations. Until now we had LDAP servers to authenticate against. The Windows box authentications were managed by a samba3 with an ldapsam backend.
>>> Now, we would like to deploy windows 7, with an active directory support with samba4. But we also would like to change the authentication to a kerberos realm for the linux boxes.
>>> So I set up a samba4 domain controller and a MIT Kerberos server. For the sake of details, the samba4 version is 4.0.3 from debian experimental (as the beta3 version in wheezy didn't do well with an external CIFS server) on a wheezy.
>>> Now I want to set up cross-realm trust between kerberos and the internal kerberos of samba4 (I would like the ticket being useable on both realms).
>>> I created principals for the two realms.
>>> Let's say REALM1 = Kerberos MIT
>>> and REALM2 = samba4
>>> I created krbtgt/REALM1 at REALM2 and krbtgt/REALM2 at REALM1 on both realms, using kadmin for the Kerberos part and samba-tool (create a user, create principals for this user, and exportkeytab for these principals) for the samba4 part. I used the same password. I tried to create the keytab first on samba4 and afterwards on Kerberos, but neither worked.
>>> It seems that I am able to get a TGT from the foreign realm (REALM1 if I kinit-ed to REALM2, for example), but the TGS fails to be delivered (the TGS_REQ fails with "Decrypt integrity check failed"). I am quite sure that the ciphers are the same on both sides.
>>> So now here's the question:
>>> 1. Is this possible?
>>> 2. Is there something I missed?
>>> 3. Maybe there's a better option to achieve what I want, or nearly achieve what I want.
>>> Thank you for your work on samba, and for your help.
>>> Best regards,
>>> Manuel Sabban
>> If you don't want additional headaches forget about the MIT KDC and
>> trust, simply joining the linux boxes to the samba4 AD does the trick.
> Thanks, that says exactly what I was going to say.
>> You have to install winbind (preferably 3.6.x for now), nss-winbind,
>> pam-winbind and pam-krb5 (exact names depends on distribution) on the
>> linux boxes, create a krb5.conf like:
> My only question is why 3.6 winbind? The only issues we have had that
> I know of are in the winbind internal to the AD DC, the Samba 4.0
> winbindd should be fine, if packaged for your distribution.
> Andrew Bartlett
Mostly because of the packaging; on the other hand, IMHO winbind-wise
Samba 4.0 (the winbind binary) and Samba 3.6 are on par.
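The krb5.conf that Gémes's reply refers to is not reproduced on this page. What follows is an added example of the setup the reply recommends (joining a Linux box directly to the Samba 4 AD with winbind instead of building a cross-realm trust to a separate MIT KDC); it is not Gémes's, Manuel's or the Samba project's own code. The realm SAMDOM.EXAMPLE.COM, the NetBIOS workgroup SAMDOM, the DC name dc1.samdom.example.com and the idmap ranges are assumed placeholders; everything else uses only options and commands that exist in Samba 3.6 and 4.0 (net, wbinfo, getent).

```shell
#!/bin/sh
# Added example (not from the thread): generate krb5.conf and smb.conf for a
# Linux host that is joined to a Samba 4 AD domain via winbind, then join and
# verify. Realm, workgroup and DC name are assumed placeholders.

# write_krb5_conf DIR REALM DC_FQDN
write_krb5_conf() {
    dir=$1; realm=$2; dc=$3
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    # The Samba AD DC registers _kerberos._tcp SRV records in its own DNS,
    # so libkrb5 can locate the KDC without a static list.
    dns_lookup_kdc = true
    ticket_lifetime = 10h
    forwardable = true

[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }

[domain_realm]
    .$lower = $realm
    $lower = $realm
EOF
}

# write_smb_conf DIR REALM WORKGROUP
write_smb_conf() {
    dir=$1; realm=$2; wg=$3
    cat > "$dir/smb.conf" <<EOF
[global]
    security = ads
    realm = $realm
    workgroup = $wg
    # Let winbind/net use the host keytab created at join time.
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = no
    # Default (tdb) backend for BUILTIN and unknown domains; the domain itself
    # uses the rid backend so every joined host derives the same UID/GID from
    # the SID RID. The two ranges must not overlap.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $wg : backend = rid
    idmap config $wg : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
EOF
}

# join_and_verify ADMIN_USER
# Joins the domain (prompts for the password), then checks the machine
# account secret and that winbind/NSS can enumerate domain users.
join_and_verify() {
    net ads join -U "$1" || return 1
    net ads testjoin || return 1
    wbinfo -t || return 1            # machine account trust secret is valid
    wbinfo -u | head -n 3 || return 1
    getent passwd | grep -c -v '^root' >/dev/null || return 1
}

# Usage: sh this.sh REALM WORKGROUP DC_FQDN ADMIN_USER
if [ "$#" -eq 4 ]; then
    write_krb5_conf /etc "$1" "$3"
    mkdir -p /etc/samba
    write_smb_conf /etc/samba "$1" "$2"
    join_and_verify "$4"
fi
```

After the join, add `winbind` to the `passwd:` and `group:` lines of /etc/nsswitch.conf and enable pam-winbind (or pam-krb5 against the same realm) so that logins get a TGT from the Samba DC directly; with this setup there is no second KDC and therefore no krbtgt/REALM1 at REALM2 key pair to keep in sync, which is the part that produced the "Decrypt integrity check failed" error in the original question.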