This is a rough guide to setting up Samba 3.0 with kerberos authentication against a Windows2000 KDC.
Pieces you need before you begin:
a Windows 2000 server. |
samba 3.0 or higher. |
the MIT kerberos development libraries (either install from the above sources or use a package). The heimdal libraries will not work. |
the OpenLDAP development libraries. |
On Debian you need to install the following packages:
libkrb5-dev |
krb5-user |
On RedHat this means you should have at least:
krb5-workstation (for kinit) |
krb5-libs (for linking with) |
krb5-devel (because you are compiling from source) |
in addition to the standard development environment.
Note that these are not standard on a RedHat install, and you may need to get them off CD2.
If your kerberos libraries are in a non-standard location then remember to add the configure option --with-krb5=DIR.
After you run configure make sure that include/config.h contains lines like this:
#define HAVE_KRB5 1 #define HAVE_LDAP 1
If it doesn't then configure did not find your krb5 libraries or your ldap libraries. Look in config.log to figure out why and fix it.
Then compile and install Samba as usual. You must use at least the following 3 options in smb.conf:
realm = YOUR.KERBEROS.REALM security = ADS encrypt passwords = yes
In case samba can't figure out your ads server using your realm name, use the ads server option in smb.conf:
ads server = your.kerberos.server
You do *not* need a smbpasswd file, although it won't do any harm and if you have one then Samba will be able to fall back to normal password security for older clients. I expect that the above required options will change soon when we get better active directory integration.
The minimal configuration for krb5.conf is:
[realms] YOUR.KERBEROS.REALM = { kdc = your.kerberos.server }
Test your config by doing a "kinit USERNAME@REALM" and making sure that your password is accepted by the Win2000 KDC.
NOTE: The realm must be uppercase.
You also must ensure that you can do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to must either be the netbios name of the KDC (ie. the hostname with no domain attached) or it can alternatively be the netbios name followed by the realm.
The easiest way to ensure you get this right is to add a /etc/hosts entry mapping the IP address of your KDC to its netbios name. If you don't get this right then you will get a "local error" when you try to join the realm.
If all you want is kerberos support in smbclient then you can skip straight to step 5 now. Step 3 is only needed if you want kerberos support in smbd.
Do a "kinit" as a user that has authority to change arbitrary passwords on the KDC ("Administrator" is a good choice). Then as a user that has write permission on the Samba private directory (usually root) run: net ads join
kinit is in the krb5-workstation RPM on RedHat systems, and is in /usr/kerberos/bin, so it won't be in the path until you log in again (or open a new terminal)
Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.
On a Windows 2000 client try net use * \\server\share. You should be logged in with kerberos without needing to know a password. If this fails then run klist tickets. Did you get a ticket for the server? Does it have an encoding type of DES-CBC-MD5 ?
On your Samba server try to login to a Win2000 server or your Samba server using smbclient and kerberos. Use smbclient as usual, but specify the -k option to choose kerberos authentication.
You must change administrator password at least once after DC install, to create the right encoding types
w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in their defaults DNS setup. Maybe fixed in service packs?