Prepare for Kerberos installation
Create a file with any name, say debconf-kerberos-settings, with the following content
(see the package documentation for an explanation of each key):
# Kerberos servers for your realm:
krb5-config krb5-config/kerberos_servers string wspace.mydomain.com adsvr01.wspace.mydomain.com adsvr02.wspace.mydomain.com adsvr03.wspace.mydomain.com adsvr04.wspace.mydomain.com
# Default Kerberos version 5 realm:
krb5-config krb5-config/default_realm string WSPACE.MYDOMAIN.NL
# Local realm name:
heimdal-kdc heimdal/realm string WSPACE.MYDOMAIN.NL
# Administrative server for your Kerberos realm:
krb5-config krb5-config/admin_server string wspace.mydomain.com
# Does DNS contain pointers to your realm's Kerberos Servers?
krb5-config krb5-config/dns_for_default boolean true
# Add locations of default Kerberos servers to /etc/krb5.conf?
krb5-config krb5-config/add_servers boolean false
... and feed these settings into debconf:
apprentice@srv25:~$ cat debconf-kerberos-settings |sudo debconf-set-selections
Install packages
apprentice@srv25:~$ sudo apt-get install samba sssd heimdal-clients libnss-sss libpam-sss
<snip>
Configure sssd
/etc/default/sssd:
DAEMON_OPTS="-d3 -f /var/log/sssd.log"
/etc/sssd/sssd.conf
(be sure to chmod it to 600: it contains the LDAP bind password in clear text in ldap_default_authtok):
[sssd]
config_file_version = 2
domains = wspace.mydomain.com
services = nss, pam

[nss]

[pam]

[domain/wspace.mydomain.com]
description = LDAP domain with AD server
debug_level = 9
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
#access_provider = ldap
access_provider = permit
# Uncomment if service discovery is not working
ldap_uri = ldap://wspace.mydomain.com/
# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = CLIENT$@REALM
# Define these only if anonymous binds are not allowed and no keytab is available
ldap_default_bind_dn = CN=ListAccount,OU=Maintenance accounts,OU=Users,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com?sub?uid=*
ldap_default_authtok_type = password
ldap_default_authtok = ENUMpass
ldap_schema = rfc2307bis
ldap_search_base = dc=wspace,dc=mydomain,dc=com
# It looks like the ?sub?search notation is also accepted: (albeit not needed)
#ldap_user_search_base = ou=users,ou=mydomain,dc=wspace,dc=mydomain,dc=com?sub?uid=*
ldap_user_search_base = ou=users,ou=mydomain,dc=wspace,dc=mydomain,dc=com
ldap_user_object_class = person
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=workgroups,ou=mydomain,dc=wspace,dc=mydomain,dc=com
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_pwd_policy = none
#krb5_server = wspace.mydomain.com
krb5_realm = WSPACE.MYDOMAIN.NL
# Don't forget the trailing newline
... then (re)start the daemon:
apprentice@srv25:~$ sudo service sssd restart
Configure libnss
/etc/nsswitch.conf:
passwd: compat sss
group: compat sss
shadow: compat sss
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
Configure Kerberos
/etc/krb5.conf
needs the following in the libdefaults section (note that the DES and RC4 encryption types listed here are weak and deprecated; keep them only as long as the domain controllers still require them):
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
permitted_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
Configuring Samba
/etc/samba/smb.conf
(diff from distributed file):
realm = WSPACE.MYDOMAIN.NL
kerberos method = system keytab
log level = 1 ; tdb:1 ; printdrivers:0 ; lanman:0 ; smb:1 ; rpc_parse:1 ; rpc_srv:1 ; rpc_cli:1 ; passdb:1 ; sam:0 ; auth:3 ; winbind:3 ; vfs:1 ; idmap:1 ; quota:0 ; acls:1 ; locking:0 ; msdfs:0 ; dmapi:0 ; registry:0
security = ADS

# Something to mount
[exported]
comment = Exported dir
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = U1234567
path = /srv/exported
guest ok = no
apprentice@srv25:~$ /etc/init.d/samba restart
Joining the Domain (note: passing the password as -U 'user%password' exposes it in the process list and in the shell history; with a plain -U unixJOINer the net command prompts for it instead)
apprentice@srv25:~$ sudo net ADS JOIN -U 'unixJOINer%JOINpwd' createupn=host/$(hostname -f)@WSPACE.MYDOMAIN.NL createcomputer='OU=Extra Workstations,OU=Computers,OU=MYDOMAIN,DC=wspace,DC=mydomain,DC=com'
Adding a principal for CIFS
This may be unnecessary...
apprentice@srv25:~$ sudo net ADS keytab add cifs/$(hostname -f)@WSPACE.MYDOMAIN.NL -U 'unixJOINer%JOINpwd'
Testing
(On the client (Ubuntu, configured as described above):
root@clnt-3-53:~# smbclient -k -L //srv25.srvlan.mydomain.com/exported
<snip>
root@clnt-3-53:~# mount.cifs //srv25.srvlan.mydomain.com/exported /mnt/srv25/ -o sec=krb5 -v
mount.cifs kernel mount options: ip=192.168.63.120,unc=\\srv25.srvlan.mydomain.com\exported,sec=krb5,ver=1,user=root,pass=********