Michael Schurter
2006-Nov-22 19:05 UTC
[Samba] Confused about Active Directory, Winbind, and Kerberos
I'm trying to learn how to integrate Linux workstations and servers into a Windows 2000 Active Directory network. I've read and followed the Samba HOWTO, especially the parts about Winbind, and I got my Linux workstation authenticating using pam_krb5 and pam_winbind. klist would show I got a TGT after logging in. Domain users could log in and pam_mkhomedir would properly set up a new home directory for them. wbinfo -u/-g even worked... at least at first. I want to use Kerberos authentication with other services (like in Apache and for e-mail), so I began tinkering to try to get Active Directory authentication working just using Kerberos instead of relying on PAM + Winbind. I tried setting up my /etc/krb5.keytab file, and now I'm afraid my system is a mess. I told Samba to use the system keytab, and now Samba/Winbind related commands fail (net ads commands, wbinfo commands, even pam_winbind). Any suggestions would be appreciated. I just want the tightest integration between Linux & Active Directory that extends to Linux services like ssh, apache, postfix/sasl, etc.
I've also been documenting my efforts: http://michael.susens-schurter.com/interop/ and on my blog: http://michael.susens-schurter.com/blog/

Thanks in advance,
Michael Schurter

Relevant system info: Debian Etch, 2.6.17 kernel, Samba 3.023c-4, MIT Kerberos 1.4.4-4

### relevant smb.conf lines ###
workgroup = TREMONT
realm = TREMONT.LOCAL
security = ADS
auth methods = winbind
obey pam restrictions = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind offline logon = true
winbind refresh tickets = Yes
use kerberos keytab = true

### relevant krb5.conf lines ###
[libdefaults]
default_realm = TREMONT.LOCAL
clock_skew = 300
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_kdc = false
dns_lookup_realm = false
default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
permitted_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
TREMONT.LOCAL = {
kdc = thsdc1
kdc = thsdc2
admin_server = thsdc1
}

[domain_realm]
.tremont.local = TREMONT.LOCAL
.tremont.com = TREMONT.LOCAL

### sample valid user kerberos ticket (klist) ###
11/22/06 12:55:07 11/22/06 22:55:12 krbtgt/TREMONT.LOCAL@TREMONT.LOCAL

### /etc/krb5.keytab (sudo ktutil; rkt /etc/krb5.keytab; list) ###
1 1 host/schurter3-linux.tremont.local@TREMONT.LOCAL
2 0 host/schurter3-linux.tremont@TREMONT.LOCAL
3 0 host/schurter3-linux.tremont@TREMONT.LOCAL
4 0 host/schurter3-linux.tremont@TREMONT.LOCAL
5 0 host/schurter3-linux@TREMONT.LOCAL
6 0 host/schurter3-linux@TREMONT.LOCAL
7 0 host/schurter3-linux@TREMONT.LOCAL
8 0 schurter3-linux$@TREMONT.LOCAL
9 0 schurter3-linux$@TREMONT.LOCAL
10 0 schurter3-linux$@TREMONT.LOCAL

### Note Slot 1 was generated by "ktpass" on the Windows 2000 Server
Rashid N. Achilov
2006-Nov-23 03:41 UTC
[Samba] Confused about Active Directory, Winbind, and Kerberos
On Thursday 23 November 2006 01:05, Michael Schurter wrote:
> Any suggestions would be appreciated. I just want the tightest
> integration between Linux & Active Directory that extends to Linux
> services like ssh, apache, postfix/sasl, etc.

You need a krb5.conf. At least, it should be:

--- from here ---
[libdefaults]
default_realm = YOUR.REALM

[realms]
YOUR.REALM = {
kdc = your_windows_dc
kpasswd_server = your_windows_dc
admin_server = your_windows_dc
}

[logging]
default = SYSLOG:INFO:LOCAL1

[domain_realm]
.yourdomain.ru = YOUR.REALM
yourdomain.ru = YOUR.REALM
--- krb5.conf ---

Next, you should init Kerberos:

kinit administrator@YOUR.REALM

Next, you can join a domain (supposed security=ads in smb.conf, workgroup=<your_pre_Windows_2000_realm_name>, realm = your.realm):

net ads join -U administrator -w your.realm

After that, you can add winbind into nsswitch.conf (supposed pam_winbind.so lies at LDCONFIG_PATH).

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton
OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A
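An added check, written for this thread and not code from either poster, that covers the keytab listing in the first message (a ktpass-generated entry at KVNO 1 beside net-generated entries at KVNO 0) and the join procedure in the reply: it parses ktutil-style "slot kvno principal" output, flags a keytab whose entries carry more than one key version number, and reports whether the host/<fqdn> and <host>$ principals the machine account needs are present. The listing is a constructed sample modelled on the one above; hostname and realm are the thread's, and the function names are this example's own.

```shell
#!/bin/sh
# Sanity-check a keytab listing for the machine-account entries that
# 'use kerberos keytab = true' relies on. Added example, not from the
# thread; input is ktutil-style "slot kvno principal" lines.

# Constructed sample modelled on the listing in the first message.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------------------
   1    1 host/schurter3-linux.tremont.local@TREMONT.LOCAL
   2    0 host/schurter3-linux.tremont@TREMONT.LOCAL
   3    0 host/schurter3-linux.tremont@TREMONT.LOCAL
   5    0 host/schurter3-linux@TREMONT.LOCAL
   8    0 schurter3-linux$@TREMONT.LOCAL'

# Emit "principal kvno" pairs: header lines dropped, duplicate entries
# (one per enctype) collapsed so each principal/kvno pair appears once.
keytab_entries() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { print $3, $2 }' | sort -u
}

# Distinct key version numbers present, one per line.
keytab_kvnos() {
    keytab_entries "$1" | awk '{ print $2 }' | sort -un
}

# All of these entries derive from the one machine-account password, so a
# consistent keytab carries a single KVNO. Mixed KVNOs mean entries were
# written from different password generations (here: a ktpass run and a
# net run) and the stale ones cannot decrypt tickets the DC issues.
kvno_consistent() {
    keytab_kvnos "$1" | awk 'END { exit NR != 1 }'
}

# Print the principals winbind/net need for this host that are absent:
# host/<fqdn>@REALM and <shortname>$@REALM. No output means all present.
missing_principals() {
    listing=$1 fqdn=$2 realm=$3
    short=${fqdn%%.*}
    for p in "host/$fqdn@$realm" "$short\$@$realm"; do
        keytab_entries "$listing" |
            awk -v p="$p" '$1 == p { f = 1 } END { exit !f }' || printf '%s\n' "$p"
    done
}

# Stand-alone run over the sample; on a real host feed it "$(ktutil ...)".
if kvno_consistent "$SAMPLE_LISTING"; then echo "kvno: consistent"; else
    echo "kvno: MIXED ($(keytab_kvnos "$SAMPLE_LISTING" | tr '\n' ' '))"; fi
missing_principals "$SAMPLE_LISTING" schurter3-linux.tremont.local TREMONT.LOCAL |
    sed 's/^/missing: /'
```

Real `klist -k` output has no slot column, so the awk field numbers shift by one if you feed it that instead of the ktutil listing.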