Doug Sampson
2010-Oct-28 23:34 UTC
[Samba] Kerberos5 ticket renewal & 'net ads join' w/o authentication
Hello,

I have two issues with Kerberos administration using Samba and this results from my lack of familiarity with it. I am hoping someone can point me in the right direction.

The first issue is with automatically renewing the Kerberos tickets. The second issue deals with my having to authenticate each time I attempt to join an AD domain. The Samba documentation indicates that I should *not* have to authenticate when holding a valid Kerberos ticket. When I join an AD domain using administrator credentials, I can basically administer a Samba server well. 'getent passwd' and 'getent group' work as expected.

I'm running FreeBSD 8.1 using Samba 3.4.9 and using the base Heimdal. The AD domain is a W2K3 domain in mixed mode.

I basically used the information from this link listed below to build the configuration files listed below:

http://wiki.samba.org/index.php/Samba_%26_Active_Directory

I also looked at several other sources such as:

http://www.freebsd.org/doc/handbook/kerberos5.html

The bottom line is that I'd like to receive a Kerberos ticket using proper authentication and use it to execute the 'net ads join' command without authentication and then continue to renew the ticket automatically.

Now, what changes do I need to do in order to 1) automatically renew Kerberos tickets and 2) be able to execute the 'net ads join' command without supplying a password?

Any pointers/assistance would be greatly appreciated! If I've left out relevant information, please don't hesitate to let me know.
~Doug

Here are the configuration files for the various components:

=============== /etc/krb5.conf ===============

[libdefaults]
    default_realm = DOMAIN.LOCAL
    forwardable = true

[appdefaults]
    default_realm = DOMAIN.LOCAL
    pam = {
        forwardable = true
        krb4_convert = false
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
    }

[realms]
    DOMAIN.LOCAL = {
        kdc = aquila.domain.local:88
        kdc = amd90001.domain.local:88
        admin_server = aquila.domain.local:749
        kpasswd_server = aquila.domain.local:464
        kpasswd_protocol = SET_CHANGE
        default_domain = domain.local
    }

[domain_realm]
    domain.local = DOMAIN.LOCAL
    .domain.local = DOMAIN.LOCAL
    .DOMAIN.LOCAL = DOMAIN.LOCAL

[logging]
    default = FILE:/var/log/krb5lib.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

=============== /usr/local/etc/smb.conf ===============

#======================= Global Settings =====================================
[global]
    security = ads
    realm = DOMAIN.LOCAL
    ;workgroup = DOMAIN
    workgroup = DOMAIN
    ;password server = aquila.domain.local
    password server = *
    server string = TEST
    netbios name = test
    encrypt passwords = yes
    ldap ssl = no
    client use spnego = yes
    unix extensions = no
    name resolve order = hosts dns wins lmhosts bcast
    wins server = 192.168.xxx.xxx
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
    load printers = no
    disable spoolss = yes

    # Log settings
    log level = 1
    log file = /var/log/samba/log.%m
    max log size = 50
    syslog = 1

    # Browser settings
    local master = no
    domain master = no
    preferred master = no

    # ACL settings
    inherit acls = yes
    acl compatibility = auto
    acl check permissions = true
    acl map full control = true
    dos filemode = yes

    # Config domain security
    ;idmap backend = ad
    ;idmap alloc config: range = 50001 - 60000
    idmap uid = 50001 - 60000
    idmap gid = 50001 - 60000
    ;idmap config MYDOMAIN:default = yes
    ;idmap config MYDOMAIN:backend = ad
    ;idmap config MYDOMAIN:range = 10000 - 50000
    ;idmap config MYDOMAIN:schema-mode = sfu
    hosts allow = 192.168.101., 192.168.102., 127., 10.8.

    # Winbind settings
    # Enable offline logon support
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind separator = -
    winbind use default domain = no
    allow trusted domains = no
    ;client schannel = no
    winbind refresh tickets = yes

    # client settings
    ;template homedir = /usr/home/%D/%U
    admin users = @"DOMAIN-domain admins"

#============================ Share Definitions =============================
[install-public]
    comment = /home/install
    browseable = yes
    path = /home/install
    writable = yes
    create mask = 0774
    directory mask = 0774
    valid users = @"DOMAIN-domain admins"

Samba was installed using the following options:

OPTIONS=    LDAP "With LDAP support" off \
            ADS "With Active Directory support" on \
            CUPS "With CUPS printing support" on \
            WINBIND "With WinBIND support" on \
            SWAT "With SWAT WebGUI" off \
            ACL_SUPPORT "With ACL support" on \
            AIO_SUPPORT "With Asyncronous IO support" on \
            FAM_SUPPORT "With File Alteration Monitor" off \
            SYSLOG "With Syslog support" off \
            QUOTAS "With Disk quota support" off \
            UTMP "With UTMP accounting support" off \
            PAM_SMBPASS "With PAM authentication vs passdb backends" off \
            DNSUPDATE "With dynamic DNS update(require ADS)" off \
            AVAHI "With Bonjour service discovery support" off \
            EXP_MODULES "With experimental modules" off \
            POPT "With system-wide POPT library" on \
            MAX_DEBUG "With maximum debugging" off \
            SMBTORTURE "With smbtorture" off

=============== /etc/nsswitch.conf ===============

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1 2009/08/03 08:13:06 kensmith Exp $
#
#group: compat
group: files winbind
group_compat: nis
#hosts: files dns wins
hosts: files dns
networks: files
#passwd: compat
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Philipoff, Andrew
2010-Oct-28 23:58 UTC
[Samba] Kerberos5 ticket renewal & 'net ads join' w/o authentication
> Hello,
>
> I have two issues with Kerberos administration using Samba and this results
> from my lack of familiarity with it. I am hoping someone can point me in the
> right direction.
>
> The first issue is with automatically renewing the Kerberos tickets. The
> second issue deals with my having to authenticate each time I attempt to join
> an AD domain. The Samba documentation indicates that I should *not* have
> to authenticate when holding a valid Kerberos ticket. When I join an AD
> domain using administrator credentials, I can basically administer a Samba
> server well. 'getent passwd' and 'getent group' work as expected.
>
> I'm running FreeBSD 8.1 using Samba 3.4.9 and using the base Heimdal.
> The AD domain is a W2K3 domain in mixed mode.
>
> I basically used the information from this link listed below to build the
> configuration files listed below:
>
> http://wiki.samba.org/index.php/Samba_%26_Active_Directory
>
> I also looked at several other sources such as:
>
> http://www.freebsd.org/doc/handbook/kerberos5.html
>
> The bottom line is that I'd like to receive a Kerberos ticket using proper
> authentication and use it to execute the 'net ads join' command without
> authentication and then continue to renew the ticket automatically.
>
> Now, what changes do I need to do in order to 1) automatically renew
> Kerberos tickets and 2) be able to execute the 'net ads join' command
> without supplying a password?
>
> Any pointers/assistance would be greatly appreciated! If I've left out
> relevant information, please don't hesitate to let me know.
>
> ~Doug

Doug,

To address the Kerberos ticket issue, on my RHEL 5.5 servers, I enabled "use Kerberos keytab" in my smb.conf:

1. Edit your smb.conf, add "use kerberos keytab = YES"
   Run testparm
   Restart Samba

2. Create a kerberos keytab in the location that is defined in your krb5.conf file. Mine has "default_keytab_name = FILE:/etc/krb5.keytab" in the [libdefaults] section:

   net ads keytab create

3. Verify the contents of the Kerberos keytab file:

   klist -ke
   Keytab name: FILE:/etc/krb5.keytab
   KVNO Principal
   ---- --------------------------------------------------------------------------
      3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
      3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      3 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      3 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
      3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      3 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      3 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
      4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
      4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      4 host/SERVER1@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      4 host/SERVER1@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
      4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
      4 SERVER1$@DOMAIN.FOREST.ORG (DES cbc mode with RSA-MD5)
      4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)

However, I do not know how to enable execution of the 'net ads join' command without supplying a password.

Regards,

Andrew Philipoff
Infrastructure Coordinator
UCSF Department of Medicine - IT Services
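As an added example (not code from either post), a small POSIX sh audit of the 'klist -ke' listing from step 3: it reports the current key version, counts entries left over from an older KVNO, and flags single-DES keys. The listing is constructed sample text modelled on the one above, and awk is assumed to be available.

```shell
# Added example: audit a 'klist -ke' listing for stale key versions and
# single-DES keys. SAMPLE_KLIST is constructed sample input modelled on the
# reply above; POSIX sh with awk is assumed.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   3 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (DES cbc mode with CRC-32)
   4 host/server1.domain.forest.org@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)
   4 SERVER1$@DOMAIN.FOREST.ORG (ArcFour with HMAC/md5)'

# Highest KVNO present: the key version the domain controller currently expects.
current_kvno() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $1+0 > m { m = $1+0 } END { print m+0 }'
}

# Entries older than the current KVNO. They are left behind when the machine
# password rotates and do no harm, but the current version must be present or
# tickets issued by the DC cannot be decrypted (re-run 'net ads keytab create').
stale_entries() {
    cur=$(current_kvno "$1")
    printf '%s\n' "$1" | awk -v cur="$cur" \
        '$1 ~ /^[0-9]+$/ && $1+0 < cur { n++ } END { print n+0 }'
}

# Entries keyed with single DES, which should not be relied on for host keys.
des_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && /DES cbc mode/ { n++ } END { print n+0 }'
}

# One-line summary; exit status is non-zero when DES keys are present.
keytab_audit() {
    des=$(des_entries "$1")
    printf 'current KVNO %s, stale entries %s, DES entries %s\n' \
        "$(current_kvno "$1")" "$(stale_entries "$1")" "$des"
    [ "$des" -eq 0 ]
}

keytab_audit "$SAMPLE_KLIST" || echo 'single-DES keys present in keytab'
```

On a real host, replace the constructed listing with the output of 'klist -ke' (for example, keytab_audit "$(klist -ke)").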