Introduction

Kerberos is an authentication protocol using secret-key cryptography. There are several implementations of the Kerberos protocol used in both commercial and open-source software. This guide covers configuring the Samba server and clients to utilize Kerberos authentication services.

Active Directory

Detailed instructions for integrating Samba with Active Directory are available on the Samba wiki.

The linked page gives the location of the PAM configuration files for Red Hat. In Ubuntu, the PAM configuration files are located in /etc/pam.d/ directory. The auth, account, and passwd stanzas are split into three files in Ubuntu: /etc/pam.d/common-auth for auth stanzas; /etc-pam.d/common-account for account stanzas; and /etc/pam.d/common-passwd for passwd stanzas.

Ubuntu versions 9.04 (Jaunty Jackalope) and newer automatically update the PAM configuration files using the pam-auth-update utility. In previous versions, the configuration files must be edited manually.

MIT Kerberos

Instructions for installing and configuring MIT Kerberos are available on its wiki page. Samba is just another service to Kerberos, so to allow Samba to authenticate users via Kerberos, simply generate a principal for the Samba server, place the service key in a keytab, and configure Samba to use it.

The name of this principal must take the form cifs/server.example.com@EXAMPLE.REALM, and the encryption type must be rc4-hmac:normal.

Here is a step-by-step guide:

1. Launch the kadmin utility as the realm administrator or as a user authorized to add principals:

$ kadmin -p admin/admin

2. In the kadmin interface, issue the following command:

kadmin: addprinc -randkey cifs/server.example.com

A message indicating the principal cifs/server.example.com@EXAMPLE.REALM should be displayed.

3. Generate a keytab for the new principal:

kadmin: ktadd -k /path/to/keytab -e rc4-hmac:normal cifs/server.example.com

Make sure to include the encryption type. The default encryption type is not compatible with the Samba client utilities.

4. Securely copy the keytab to /etc/krb5.keytab on the server that will be running Samba.

5. Make sure only the root user can access the keytab:

$ chown root:root /etc/krb5.keytab
$ chmod 0600 /etc/krb5.keytab

6. Edit the smb.conf file (located in /etc/samba/ by default) as indicated below:

...
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
#Samba 3.0 requires "kerberos keytab = yes" instead of the next line.
#Samba < 3.5 might require "kerberos method = system keytab" instead of the next line.
kerberos method = secrets and keytab
#optional
password server = kdc.fdqn
...

The password server option is only required if you intend to use a password server other than the one configured in /etc/krb5.conf.

7. Restart Samba:

$ sudo /etc/init.d/samba restart

User Administration

Add users to the Kerberos database using the kadmin interface:

kadmin: addprinc <username>[@REALM.NAME]

The realm name is optional in properly configured Kerberos environments.

You will be prompted to enter a password for the user. Once a user is added you should be able to acquire Ticket-Granting Tickets with kinit from any system that is configured to authenticate using your Kerberos domain. See the Kerberos page for more details.

Note that Samba maps authenticated users to a system users. This means that if you add a user to the Kerberos database that does not exist as a system user, you will not be able to authenticate using your Kerberos credentials until a user of the same name is added as a system user. See AddUsersHowto for details on adding users. Other options such as pulling user information from LDAP are possible, but outside the scope of this guide.

The existence of a user can be checked with this command:

$ id <username>

Testing

$ kinit <Kerberos username>
$ smbclient -k -L //server/

If all is well, a listing of active shares will be displayed.

Samba/Kerberos (last edited 2012-12-09 13:09:02 by n18-29)