Samba + Kerberos backend - AD backend
Neil Hoggarth
neil.hoggarth at physiol.ox.ac.uk
Tue Dec 16 12:01:59 GMT 2008
On Tue, 16 Dec 2008, kronda wrote:
> What I have:
> I have a Kerberos server for authentication. I have an OpenLDAP server with
> account information. They're running on the same (Gentoo) Linux machine.
>
> What I don't (want to) have:
> Active Directory.
>
> What I want to do:
> Set up Samba (on the same server as Kerberos and LDAP but I guess that
> should not make any difference) to use my Kerberos and OpenLDAP as backends
> for authentication and account information.
I am just in the process of exploring the same sort of thing, so the
instructions that follow are very preliminary, based on my own testing,
using Samba 3.2.6 built from source:
Suppose that your KDC is kdc.example.org and your Samba server will be
running at samba.example.org.
Create "host" and "cifs" Kerberos principals for your Samba server:
host/samba.example.org@YOUR.REALM
cifs/samba.example.org@YOUR.REALM
Extract the keys so created to an /etc/krb5.keytab file on the Samba
server using kadmin.
Teach your Windows workstations about the Kerberos realm and how to
reach the KDC. This is normally done using a utility called ksetup.exe
(which you can find amongst the support tools on a Windows Server CD in
the \support\tools directory):
ksetup /addkdc YOUR.REALM kdc.example.org
Reputedly this just sets a registry entry, so you can probably just hack
it with regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa\Kerberos\Domains\YOUR.REALM
create a multi-string (REG_MULTI_SZ) value called "KdcNames" which
contains the name of your KDC (or a list of KDCs if you have more than
one).
Reboot the Windows client.
Set up your smb.conf file for a Samba server in User security mode, with
the following settings:
[global]
use kerberos keytab = yes
realm = YOUR.REALM
From the Windows workstation, it should now be possible for you to map a
network share such as "\\samba.example.org\homes" using the username
"YOUR.REALM\username".
The authentication all works via Kerberos (the workstation fetches a TGT
and a CIFS service ticket from the KDC on behalf of the user, then uses
it to authenticate the SMB connection to the Samba server rather than
passing usernames and passwords over the wire).
Regards,
--
Neil Hoggarth -------------- Department of Physiology, Anatomy and Genetics
Head of IT --------------------------------------- University of Oxford, UK
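The following is an added example and not part of Neil's post or of Samba itself. It is a small POSIX shell script for the Samba server side of the procedure above: it checks that the keytab holds both the host/ and cifs/ principals for the server, and that smb.conf carries the two [global] settings the post relies on. The hostname samba.example.org and realm YOUR.REALM are taken from the post; the klist output and smb.conf text are constructed samples so the script runs offline, and in real use you would pipe `klist -k /etc/krb5.keytab` and the real smb.conf into the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Samba server that
# authenticates via a standalone Kerberos KDC, as described in the post.

# check_keytab_principals FQDN REALM
# Reads `klist -k` output on stdin and returns 0 only when both the host/ and
# cifs/ principals for FQDN@REALM are present (the two the post says to create).
check_keytab_principals() {
    fqdn="$1"; realm="$2"; missing=0
    input=$(cat)
    for svc in host cifs; do
        if ! printf '%s\n' "$input" | grep -q "${svc}/${fqdn}@${realm}"; then
            echo "missing principal ${svc}/${fqdn}@${realm} in keytab" >&2
            missing=1
        fi
    done
    return $missing
}

# check_smbconf REALM
# Reads smb.conf text on stdin and returns 0 only when it sets
# "use kerberos keytab = yes" and "realm = REALM" as in the post.
check_smbconf() {
    realm="$1"
    input=$(cat)
    printf '%s\n' "$input" \
        | grep -Eiq '^[[:space:]]*use kerberos keytab[[:space:]]*=[[:space:]]*yes' \
        || { echo "smb.conf: 'use kerberos keytab = yes' not set" >&2; return 1; }
    printf '%s\n' "$input" \
        | grep -Eiq "^[[:space:]]*realm[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" \
        || { echo "smb.conf: 'realm = ${realm}' not set" >&2; return 1; }
    return 0
}

# Constructed sample `klist -k /etc/krb5.keytab` output (complete keytab).
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/samba.example.org@YOUR.REALM
   2 cifs/samba.example.org@YOUR.REALM'

# Constructed sample with the cifs/ principal missing (a common mistake:
# only the host/ key was extracted with kadmin).
SAMPLE_KEYTAB_BAD='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/samba.example.org@YOUR.REALM'

# Constructed sample [global] section matching the post.
SAMPLE_SMBCONF='[global]
   security = user
   use kerberos keytab = yes
   realm = YOUR.REALM'

# Usage against the constructed samples (on a real server pipe in
# `klist -k /etc/krb5.keytab` and `cat /etc/samba/smb.conf` instead):
printf '%s\n' "$SAMPLE_KEYTAB_OK"  | check_keytab_principals samba.example.org YOUR.REALM && echo "keytab ok"
printf '%s\n' "$SAMPLE_KEYTAB_BAD" | check_keytab_principals samba.example.org YOUR.REALM || echo "keytab incomplete"
printf '%s\n' "$SAMPLE_SMBCONF"    | check_smbconf YOUR.REALM && echo "smb.conf ok"
```

The keytab check matters because a missing cifs/ principal is exactly the case where the Windows client obtains a ticket but the Samba server cannot decrypt it, which shows up as a generic logon failure rather than a clear error.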