mirror of
https://github.com/samba-team/samba.git
synced 2025-01-22 22:04:08 +03:00
Samba 3.0 prealpha guide to Kerberos authentication
---------------------------------------------------

Andrew Tridgell
tridge@samba.org

This is a VERY ROUGH guide to setting up the current (November 2001)
pre-alpha version of Samba 3.0 with kerberos authentication against a
Windows2000 KDC. The procedures listed here are likely to change as
the code develops.

Pieces you need before you begin:

- a Windows 2000 server running at least service pack 2
- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to
  fetch this.
- the MIT kerberos development libraries (either install from the
  above sources or use a package). Under debian you need "libkrb5-dev"
  and "krb5-user". The heimdal libraries will not work.
- Cyrus SASL, including the gssapi mechanism.
- the OpenLDAP development libraries. These must be compiled
  with Cyrus SASL enabled.

On RedHat this means you should have at least:

  krb5-workstation (for kinit)
  krb5-libs (for linking with)
  krb5-devel (because you are compiling from source)
  cyrus
  cyrus-sasl
  cyrus-sasl-devel
  cyrus-sasl-gssapi

in addition to the standard development environment.

Note that these are not standard on a RedHat install, and you may need
to get them off CD2.

Also check that you have the latest copy of this HOWTO. It is
available from http://samba.org/ftp/tridge/kerberos/HOWTO

Step 1: Compile Samba

If your kerberos libraries are in a non-standard location then
remember to add the configure option --with-krb5=DIR. For example,
on RedHat you will need --with-krb5=/usr/kerberos

After you run configure make sure that include/config.h contains a
line like this:

  #define HAVE_KRB5 1

If it doesn't then configure did not find your krb5 libraries. Look
in config.log to figure out why and fix it.

Then compile and install Samba as usual. You must use at least the
following 3 options in smb.conf:

  realm = YOUR.KERBEROS.REALM
  ads server = your.kerberos.server
  security = ADS
  encrypt passwords = yes

You do *not* need a smbpasswd file, although it won't do any harm
and if you have one then Samba will be able to fall back to normal
password security for older clients. I expect that the above
required options will change soon when we get better active
directory integration.

Step 2: Set up your /etc/krb5.conf

The minimal configuration for krb5.conf is:

  [libdefaults]
    default_realm = YOUR.KERBEROS.REALM

  [realms]
    YOUR.KERBEROS.REALM = {
      kdc = your.kerberos.server
    }

Test your config by doing a "kinit USERNAME" and making sure that
your password is accepted by the Win2000 KDC.

NOTE: The realm must be uppercase.

You also must ensure that you can do a reverse DNS lookup on the IP
address of your KDC. Also, the name that this reverse lookup maps to
must either be the netbios name of the KDC (i.e. the hostname with no
domain attached) or it can alternatively be the netbios name
followed by the realm.

The easiest way to ensure you get this right is to add a /etc/hosts
entry mapping the IP address of your KDC to its netbios name. If you
don't get this right then you will get a "local error" when you try
to join the realm.
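
As an added example (not part of this HOWTO or of Samba itself), the POSIX
shell functions below check the settings Steps 1 and 2 require before you try
to join: the required smb.conf options, an uppercase realm that matches the
default_realm in krb5.conf, and a KDC reverse-lookup name of one of the two
forms described above. The file paths, the getent-based lookup and the
constructed sample configuration used in testing are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Samba HOWTO or of Samba: sanity-check the
# smb.conf and krb5.conf settings Steps 1 and 2 require before "net ads join".

# Print the value of "KEY = value" from an smb.conf/krb5.conf style file:
# first match wins, leading blanks are ignored, trailing blanks are trimmed.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Step 1: all four options must be present, security must be ADS and
# encrypt passwords must be yes. Returns 0 when everything is in place.
check_smb_conf() {  # check_smb_conf SMB_CONF
    _rc=0
    for _key in realm "ads server" security "encrypt passwords"; do
        [ -n "$(conf_value "$1" "$_key")" ] || { echo "smb.conf: missing '$_key'"; _rc=1; }
    done
    [ "$(conf_value "$1" security | tr 'a-z' 'A-Z')" = ADS ] ||
        { echo "smb.conf: security must be ADS"; _rc=1; }
    [ "$(conf_value "$1" "encrypt passwords" | tr 'A-Z' 'a-z')" = yes ] ||
        { echo "smb.conf: encrypt passwords must be yes"; _rc=1; }
    return $_rc
}

# Step 2: the realm must be uppercase and krb5.conf's default_realm must match it.
check_realm() {  # check_realm SMB_CONF KRB5_CONF
    _realm=$(conf_value "$1" realm)
    _default=$(conf_value "$2" default_realm)
    [ -n "$_realm" ] && [ "$_realm" = "$(printf %s "$_realm" | tr 'a-z' 'A-Z')" ] ||
        { echo "realm '$_realm' must be uppercase"; return 1; }
    [ "$_realm" = "$_default" ] ||
        { echo "krb5.conf default_realm '$_default' differs from realm '$_realm'"; return 1; }
}

# Step 2: the KDC's reverse-lookup name must be its netbios name, or the
# netbios name followed by the realm (compared case-insensitively).
check_kdc_name() {  # check_kdc_name REVERSE_NAME NETBIOS_NAME REALM
    _got=$(printf %s "$1" | tr 'A-Z' 'a-z')
    _nb=$(printf %s "$2" | tr 'A-Z' 'a-z')
    _rl=$(printf %s "$3" | tr 'A-Z' 'a-z')
    [ "$_got" = "$_nb" ] || [ "$_got" = "$_nb.$_rl" ]
}

# Reverse lookup through the resolver, so an /etc/hosts entry (the HOWTO's
# suggested fix) is honoured. Assumes getent(1) is available, as on glibc.
kdc_reverse_name() {  # kdc_reverse_name KDC_IP
    getent hosts "$1" | awk 'NR == 1 { print $2 }'
}
```

Run the three checks with your real files and `check_kdc_name "$(kdc_reverse_name KDC_IP)" NETBIOS REALM`; a non-zero exit from any of them points at the setting that would otherwise surface as a "local error" at join time.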

* If all you want is kerberos support in smbclient then you can skip
* straight to step 5 now. Step 3 is only needed if you want kerberos
* support in smbd.


Step 3: Create the computer account

Do a "kinit" as a user that has authority to change arbitrary
passwords on the KDC ("Administrator" is a good choice). Then as a
user that has write permission on the Samba private directory
(usually root) run:

  net ads join

Possible errors:

 - "bash: kinit: command not found":
   - kinit is in the krb5-workstation RPM on RedHat systems, and is
     in /usr/kerberos/bin, so it won't be in the path until
     you log in again (or open a new terminal)

 - "ADS support not compiled in"
   - Samba must be reconfigured (remove config.cache) and
     recompiled (make clean all install) after the kerberos libs
     and headers are installed.

 - "Unknown authentication method"
   - the cyrus-sasl-gssapi package is not installed.
     The RPM (assuming RedHat 7.2) is on CD2

 - "ads_add_machine_acct: Invalid DN syntax"
   - The 'realm' parameter has not been added to your smb.conf


Step 4: Test your server setup

On a Windows 2000 client try "net use * \\server\share". You should
be logged in with kerberos without needing to know a password. If
this fails then run "klist tickets". Did you get a ticket for the
server? Does it have an encoding type of DES-CBC-MD5?

Step 5: Testing with smbclient

On your Samba server try to log in to a Win2000 server or your Samba
server using smbclient and kerberos. Use smbclient as usual, but
specify the -k option to choose kerberos authentication.


--------

NOTES:

- must change administrator password at least once after DC install,
  to create the right encoding types

- w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
  their default DNS setup. Maybe fixed in service packs?