With Kerberos, not only human users have principals (roughly, accounts); hosts have them as well. In order to use NFS4 or CIFS with Kerberos authentication, both the file server and the client must “join the domain”, i.e. there must be an object in the LDAP tree that represents them, and they must have Kerberos principals for which they can accept tickets.
There are multiple methods to join an AD domain. To keep this article short: one can manually add the machine from within AD, or use an account with appropriate rights from the Linux host, combined with either Likewise, Centrify or Winbind, which are Samba-oriented, or msktutil. (Strictly speaking there is yet another: by hand with ldapsearch.)
Of the Samba-oriented methods, I like Winbind best. But I like msktutil better still, so much so that I decided to try and package it. (Until it gets into Debian, it is available for Ubuntu Precise from one of my repositories.)
ToDo: explain how to use msktutil.
For RuG usage, I created a package 'adjoin' that uses msktutil and can be preseeded like this. Other readers will have to figure msktutil out themselves, or use WinBind, which I explain further down.
Procedure 19. Joining the domain using msktutil (RuG only)
Preseeding adjoin
Note: It is assumed you've already added the appropriate repositories to the sources.list.
Create a file, say debconf-adjoin-settings, containing one debconf selection per line (package, question, type, value):
adjoin adjoin/realm string WSPACE.MYDOMAIN.NL
adjoin adjoin/admin-uname string unixJOINer
adjoin adjoin/admin-pwd password JOINpwd
adjoin adjoin/preferred-encryption string AES256-CTS-HMAC-SHA1-96
adjoin adjoin/ldap-computer-base string CN=unixJOINer,OU=Service Accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC
adjoin adjoin/services string
... and preseed the package with it:
apprentice@clnt-3-53:~$ cat debconf-adjoin-settings | sudo debconf-set-selections -
Install the package
apprentice@clnt-3-53:~$ sudo apt-get install adjoin
Configure adjoin
In /etc/default/adjoin, put:
SERVICES="root nfs"
Restart the service
apprentice@clnt-3-53:~$ sudo service adjoin start
Procedure 20. Joining the AD domain using WinBind
Install samba-common-bin
apprentice@nfsserv-pc:~$ sudo apt-get install -qy samba-common-bin
Configure samba
My /etc/samba/smb.conf is the default, except that the following settings are merged into the [global] section[2]:
workgroup = WSPACE
realm = WSPACE.MYDOMAIN.NL
kerberos method = system keytab
security = ADS
This leads to Samba conveniently using
With comments removed, that leads to this /etc/samba/smb.conf:
[global]
workgroup = WSPACE
realm = WSPACE.MYDOMAIN.NL
kerberos method = system keytab
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
The actual join
apprentice@nfsserv-pc:~$ sudo net ADS JOIN -U 'unixJOINer%JOINpwd' createupn=host/$(hostname -f)@WSPACE.MYDOMAIN.NL createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'
Using short domain name -- WSPACE
Joined 'NFSSERV-PC' to realm 'wspace.mydomain.com'
DNS Update for nfsserv-pc.ict.mydomain.com failed: ERROR_DNS_GSS_ERROR
DNS update failed!
apprentice@nfsserv-pc:~$ sudo net ads testjoin
Join is OK
Let's verify that:
apprentice@nfsserv-pc:~$ ldapsearch -LLL -H ldap://wspace.mydomain.com -x -D 'WSPACE\ENUMuser' -w 'ENUMpass' -b 'OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com' cn=nfsserv-pc dn servicePrincipalName
dn: CN=NFSSERV-PC,OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=worksp
ace,DC=mydomain,DC=com
servicePrincipalName: HOST/nfsserv-pc.ict.mydomain.com
servicePrincipalName: HOST/NFSSERV-PC
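The ldapsearch above confirms the computer object and its SPNs exist. What it does not show is whether the keytab the join wrote on the host still matches that object: when the machine account password is rotated (the situation the note about keys expiring further down is about), the key version number (KVNO) in AD moves on and the keytab's entries stop accepting tickets. The following script is an added example, not code from the article or from Samba/msktutil: it parses MIT `klist -k` output and the `msDS-KeyVersionNumber` attribute from an ldapsearch LDIF result, and reports principals that are missing or whose KVNO lags behind AD. The sample listings embedded in it are constructed for the demonstration; the host and realm names are taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): post-join keytab checks.
# Compares the principals and KVNOs in a keytab listing against the KVNO
# recorded on the AD computer object (msDS-KeyVersionNumber).

# keytab_principals: read MIT `klist -k` output on stdin and print
# "KVNO principal" pairs, skipping the header and separator lines
# (only lines whose first field is numeric are keytab entries).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# keytab_has LISTING PRINCIPAL: succeed if the listing contains PRINCIPAL.
keytab_has() {
    printf '%s\n' "$1" | keytab_principals |
        awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# keytab_stale LISTING AD_KVNO: print principals whose KVNO differs from
# the value AD holds, i.e. entries that will no longer decrypt tickets.
keytab_stale() {
    printf '%s\n' "$1" | keytab_principals | awk -v k="$2" '$1 != k { print $2 }'
}

# ad_kvno LDIF: extract msDS-KeyVersionNumber from an ldapsearch result.
ad_kvno() {
    printf '%s\n' "$1" | sed -n 's/^msDS-KeyVersionNumber: //p'
}

# Constructed sample `klist -k` output: the host keys are at KVNO 2 but the
# nfs key was written at KVNO 1, as happens when a keytab is updated only
# partially after a password rotation.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL
   2 HOST/NFSSERV-PC@WSPACE.MYDOMAIN.NL
   1 nfs/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL'

# Constructed sample ldapsearch (LDIF) output for the computer object.
SAMPLE_LDIF='dn: CN=NFSSERV-PC,OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com
msDS-KeyVersionNumber: 2'

# Demonstration against the constructed samples (runs offline).
kvno=$(ad_kvno "$SAMPLE_LDIF")
echo "AD KVNO: $kvno"
for p in host/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL \
         nfs/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL \
         cifs/nfsserv-pc.ict.mydomain.com@WSPACE.MYDOMAIN.NL; do
    if keytab_has "$SAMPLE_KLIST" "$p"; then
        echo "present: $p"
    else
        echo "MISSING: $p"
    fi
done
echo "stale entries (KVNO != $kvno):"
keytab_stale "$SAMPLE_KLIST" "$kvno"
```

On a real host you would feed it live data instead of the samples, e.g. `keytab_stale "$(sudo klist -k)" "$(ad_kvno "$(ldapsearch -LLL ... cn=nfsserv-pc msDS-KeyVersionNumber)")"` with the same bind options as the ldapsearch above; a non-empty result means the keytab needs to be regenerated (msktutil --auto-update or a fresh join) before NFS or CIFS clients can authenticate again.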
If you wish (or are forced) to use Kerberos binding instead of plain text passwords with WinBind joining, that is also possible.
In /etc/samba/smb.conf, add:
client ldap sasl wrapping = sign
Then do
apprentice@nfsserv-pc:~$ kinit unixJOINer
apprentice@nfsserv-pc:~$ net ADS JOIN -k -w TSPACE.MYDOMAIN.NL -U 'unixJOINer%Pr13pwd' createupn=host/$(hostname -f)@TSPACE.MYDOMAIN.NL
apprentice@nfsserv-pc:~$ net ads testjoin -k
Note: On Windows 2008R2 Server, the keys stored in a keytab are by default expired server side after 30 days.
In this case, setting
But if keys are never expired, e.g. because