Samba 3.0 prealpha guide to Kerberos authentication
---------------------------------------------------

Andrew Tridgell
tridge@samba.org

This is a VERY ROUGH guide to setting up the current (October 2001)
pre-alpha version of Samba 3.0 with kerberos authentication against a
Windows2000 KDC. The procedures listed here are likely to change as
the code develops.

Pieces you need before you begin:

- a Windows 2000 server running at least service pack 2
- the latest CVS source code for Samba. See http://cvs.samba.org/ for how to
  fetch this.
- the MIT kerberos development libraries (either install from the
  above sources or use a package). Under debian you need "libkrb5-dev"
  and "krb5-user". The heimdal libraries will not work.
- Cyrys SASL, including the gssapi mechanism.
- the OpenLDAP development libraries. These must be compiled
  with Cyrus SASL enabled.

On RedHat this means you should have at least: 

krb5-workstation (for kinit)
krb5-libs (for linking with)
krb5-devel (because you are compiling from source)
cyrus
cyrus-sasl
cyrus-sasl-devel
cyrus-sasl-gssapi

in addition to the standard development environment.

Note that these are not standard on a RedHat install, and you may need 
to get them off CD2.

Also check that you have the latest copy of this HOWTO. It is
available from http://samba.org/ftp/tridge/kerberos/HOWTO


Step 1: Compile Samba
  
  If your kerberos libraries are in a non-standard location then
  remember to add the configure option --with-krb5=DIR. For example,
  on RedHat you will need --with-krb5=/usr/kerberos

  After you run configure make sure that include/config.h contains a
  line like this:

  #define HAVE_KRB5 1

  If it doesn't then configure did not find your krb5 libraries. Look
  in config.log to figure out why and fix it.

  Then compile and install Samba as usual. You must use at least the
  following 3 options in smb.conf:

  realm = YOUR.KERBEROS.REALM
  ads server = your.kerberos.server
  security = ADS
  encrypt passwords = yes

  You do *not* need a smbpasswd file, although it won't do any harm
  and if you have one then Samba will be able to fall back to normal
  password security for older clients. I expect that the above
  required options will change soon when we get better active
  directory integration.


Step 2: Setup your /etc/krb5.conf

  The minimal configuration for krb5.conf is:

    [libdefaults]
	    default_realm = YOUR.KERBEROS.REALM

    [realms]
    YOUR.KERBEROS.REALM = {
	kdc = your.kerberos.server
    }


  Test your config by doing a "kinit USERNAME" and making sure that
  your password is accepted by the Win2000 KDC. 

  NOTE: The realm must be uppercase. 

  You also must ensure that you can do a reverse DNS lookup on the IP
  address of your KDC. This usually either involves setting up a PTR
  record in your DNS server or adding your KDC to /etc/hosts.


* If all you want is kerberos support in smbclient then you can skip
* straight to step 5 now. Step 3 is only needed if you want kerberos
* support in smbd.


Step 3: Create the computer account

  Do a "kinit" as a user that has authority to change arbitrary
  passwords on the KDC ("Administrator" is a good choice). Then as a
  user that has write permission on the Samba private directory
  (usually root) run:

     net ads join

  Possible errors:
    - "bash: kinit: command not found":
       - kinit is in the krb5-workstation RPM on RedHat systems, and is
         in /usr/kerberos/bin, so it won't be in the path until 
         you log in again (or open a new terminal)
    - "ADS support not compiled in"
       - Samba must be reconfigured (remove config.cache) and
         recompiled (make clean all install) after the kerberos libs
         and headers are installed.
    - "Unknown authentication method"
       - the cyrus-sasl-gssapi package is not installed.  
         The RPM (assuming RedHat 7.2) is on CD2

    - "ads_add_machine_acct: Invalid DN syntax"
       - The 'realm' paramater has not been added to your smb.conf
    

Step 4: Test your server setup

  On a Windows 2000 client try "net use * \\server\share". You should
  be logged in with kerberos without needing to know a password. If
  this fails then run "klist tickets". Did you get a ticket for the
  server? Does it have an encoding type of DES-CBC-MD5 ? 

Step 5: Testing with smbclient

  On your Samba server try to login to a Win2000 server or your Samba
  server using smbclient and kerberos. Use smbclient as usual, but
  specify the -k option to choose kerberos authentication.


--------

NOTES: 
 - must change administrator password at least once after DC install,
 to create the right encoding types

 - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
   their defaults DNS setup. Maybe fixed in service packs?