Linux Samba using Kerberos to Auth from Active Directory
asked by asantia
We are in the process of upgrading our Active Directory from 2003 to 2012R2.
During this upgrade we'd also like to move our Linux Samba file shares from using old NTLMv1 authentication to modern/native Kerberos.
We currently have our usernames in AD the same as in our Linux passwd file, and we'd like to keep account management that way.
It seems fairly easy to get Samba to use Kerberos, based on my research online.
I was hoping for feedback on my config files and the steps I believe I need to take to get this working.
Thanks.
--------------------
krb5.conf
[libdefaults]
    default_realm = AMER.EXAMPLE.ORG
    dns_lookup_kdc = true

[realms]
    AMER.EXAMPLE.ORG = {
        kdc = ad51.amer.example.org
        kdc = ad52.amer.example.org
        admin_server = ad51.amer.example.org
        master_kdc = ad51.amer.example.org
        default_domain = amer.example.org
    }

[domain_realm]
    .ad51.amer.example.org = AMER.EXAMPLE.ORG
    ad51.amer.example.org = AMER.EXAMPLE.ORG

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
smb.conf
[global]
    workgroup = AMER
    interfaces = eth0
    security = ads
    show add printer wizard = No
    preferred master = No
    local master = No
    domain master = No
    wins support = No
    encrypt passwords = yes
    ldap ssl = no
    ldap ssl ads = no
    client max protocol = SMB2
    client min protocol = SMB2
    client plaintext auth = No
    client lanman auth = No
    client NTLMv2 auth = Yes
    client schannel = auto
    client signing = mandatory
    client use spnego = Yes
    kerberos method = secrets only
    ntlm auth = No
    lanman auth = No
    realm = AMER.EXAMPLE.ORG
    server max protocol = SMB2
    server min protocol = SMB2
    server role = MEMBER SERVER
    server schannel = auto
    server signing = mandatory
    allow trusted domains = Yes
    hide dot files = No
    case sensitive = No
    preserve case = Yes
    log level = 1
    log file = /var/log/samba/log.smbd.%a
1. Install Samba & Kerberos-client packages (Kerberos-Client packages go by different names per distribution, I've found them listed as "krb5-user", "krb5-workstation", etc.)
2. Configure the NTP-client on the Linux server to sync with the AD domain controller.
3. Create FQDN entries in the Linux "hosts" file to resolve the AD domain controllers.
4. Configure Kerberos with config file from above.
5. Test Kerberos using "kinit".
6. Configure Samba with config file from above.
7. Join the Linux server to the AD domain using: net ads join -U administrator
8. Restart Samba daemons.
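An added example (my own code, not from the question or from the Samba project) that parses the posted smb.conf and reports which of the settings the migration depends on (NTLMv1/LANMAN off, SMB2 with mandatory signing) are missing or wrong. The sample input is the question's [global] section trimmed to the authentication-related parameters; the REQUIRED table is my own choice of what to check.

```python
import re

# The [global] section from the question's smb.conf, embedded as sample input
# (trimmed to the authentication-related settings).
SAMPLE_SMB_CONF = """
[global]
security = ads
client lanman auth = No
client NTLMv2 auth = Yes
ntlm auth = No
lanman auth = No
realm = AMER.EXAMPLE.ORG
server min protocol = SMB2
server signing = mandatory
"""

# What must hold for NTLMv1/LANMAN to be off and SMB2 with signing enforced
# (my own checklist; values spelled as Samba accepts them, normalized to lowercase).
REQUIRED = {"security": "ads", "ntlm auth": "no", "lanman auth": "no",
            "client lanman auth": "no", "client ntlmv2 auth": "yes",
            "server min protocol": "smb2", "server signing": "mandatory"}

BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}. Samba treats parameter names
    as case- and whitespace-insensitive, so keys are lowercased and space-normalized;
    boolean values are normalized to yes/no; '#' and ';' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().lower()
        sections[current][" ".join(key.lower().split())] = BOOL.get(value, value)
    return sections

def audit_global(sections):
    """Return (parameter, found, expected) for each REQUIRED setting that is absent
    or wrong in [global]. Absent settings are reported with found=None rather than
    assumed secure, because the defaults differ between Samba versions."""
    g = sections.get("global", {})
    return [(k, g.get(k), v) for k, v in REQUIRED.items() if g.get(k) != v]
```

Run `audit_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file; an empty list means every checked parameter is set explicitly to the hardened value.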
ASKER
Gheist,
Sorry but I don't understand your reply.
Thanks.
ASKER
Gheist,
One last question...
Do I need to enter any "idmap config" parameters in my smb.conf or is the default just to match usernames to the local passwd file?
Thanks.
ASKER
Great. Thanks for your help.
Samba seems to be working great on our Linux servers.
Now on to the Solaris servers. Hopefully it will go as smoothly.
It's been a long time.... Samba 3.6 = W2008, Samba 4.0 = W2012; basically, go with the latest Samba you can get.
ASKER
Thanks for the input.
Yes, I know there are a lot of [now] defaults in there... I listed them specifically just so it was clearly visible which options we wanted/had a preference on. I plan on making a proper file for implementation (using comments to still illustrate our setting choices).
For #4, can I still use our manual krb5.conf (ignoring the fact that Samba creates its own temporary one)? That way I know it will be set if we choose to use it for other solutions later.