= Introduction =

Kerberos is an authentication protocol using secret-key cryptography. There are several implementations of the Kerberos protocol used in both commercial and open-source software. This guide covers configuring the Samba server and clients to use Kerberos authentication services.

= Active Directory =

[[http://wiki.samba.org/index.php/Samba_%26_Active_Directory|Detailed instructions]] for integrating Samba with Active Directory are available on the [[http://wiki.samba.org/|Samba wiki]]. The linked page gives the location of the PAM configuration files for Red Hat. In Ubuntu, the PAM configuration files are located in the `/etc/pam.d/` directory. The auth, account, and password stanzas are split into three files in Ubuntu:

 * `/etc/pam.d/common-auth` for auth stanzas
 * `/etc/pam.d/common-account` for account stanzas
 * `/etc/pam.d/common-password` for password stanzas

Ubuntu versions 9.04 (Jaunty Jackalope) and newer automatically update the PAM configuration files using the `pam-auth-update` utility. In previous versions, the configuration files must be edited manually.

= MIT Kerberos =

Instructions for installing and configuring MIT Kerberos are available on [[Kerberos|its wiki page]].

Samba is just another service to Kerberos, so to allow Samba to authenticate users via Kerberos, simply generate a principal for the Samba server, place the service key in a keytab, and configure Samba to use it. The name of this principal must take the form `cifs/server.example.com@EXAMPLE.REALM`, and '''the encryption type must be rc4-hmac:normal.'''

Here is a step-by-step guide:

 1. Launch the `kadmin` utility as the realm administrator or as a user authorized to add principals:
 {{{
$ kadmin -p admin/admin
}}}
 2. In the `kadmin` interface, issue the following command:
 {{{
kadmin: addprinc -randkey cifs/server.example.com
}}}
 A message indicating that the principal `cifs/server.example.com@EXAMPLE.REALM` was created should be displayed.
 3. Generate a keytab for the new principal:
 {{{
kadmin: ktadd -k /path/to/keytab -e rc4-hmac:normal cifs/server.example.com
}}}
 '''Make sure to include the encryption type.''' The default encryption type is not compatible with the Samba client utilities.
 4. Securely copy the keytab to `/etc/krb5.keytab` on the server that will be running Samba.
 5. Make sure only the root user can access the keytab:
 {{{
$ chown root:root /etc/krb5.keytab
$ chmod 0600 /etc/krb5.keytab
}}}
 6. Edit the `smb.conf` file (located in `/etc/samba/` by default) as indicated below:
 {{{
...
security = ADS
realm = KERBEROS_REALM
encrypt passwords = yes
#Samba 3.0 requires "kerberos keytab = yes" instead of the next line.
#Samba < 3.5 might require "kerberos method = system keytab" instead of the next line.
kerberos method = secrets and keytab
#optional
password server = kdc.fqdn
...
}}}
 The `password server` option is only required if you intend to use a password server other than the one configured in `/etc/krb5.conf`.
 7. Restart Samba:
 {{{
$ sudo /etc/init.d/samba restart
}}}

== User Administration ==

Add users to the Kerberos database using the `kadmin` interface:

{{{
kadmin: addprinc username[@REALM.NAME]
}}}

The realm name is optional in properly configured Kerberos environments. You will be prompted to enter a password for the user. Once a user is added you should be able to acquire Ticket-Granting Tickets with `kinit` from any system that is configured to authenticate using your Kerberos domain. See the [[Kerberos]] page for more details.

Note that '''Samba maps authenticated users to system users'''. This means that if you add a user to the Kerberos database that does not exist as a system user, you will not be able to authenticate using your Kerberos credentials until a user of the same name is added as a system user. See AddUsersHowto for details on adding users. Other options such as pulling user information from LDAP are possible, but outside the scope of this guide.

The existence of a system user can be checked with this command:

{{{
$ id username
}}}

= Testing =

{{{
$ kinit
$ smbclient -k -L //server/
}}}

If all is well, a listing of active shares will be displayed.
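The steps above leave three things that commonly go wrong before the test in the last section works: the keytab permissions (steps 4 and 5), the encryption type of the `cifs/` key (step 3), and the `smb.conf` options (step 6), plus the principal-to-system-user mapping described under User Administration. The script below is an added example written for this page; it is not code from the Ubuntu wiki or from the Samba or MIT Kerberos projects. It assumes GNU coreutils `stat`, `getent`, and that the keytab listing was saved from MIT `klist -kte` (which prints the rc4-hmac enctype as `arcfour-hmac`, or `ArcFour with HMAC/md5` in older releases). The sample configuration and listing files at the bottom are constructed so the checks can be run offline.

```shell
#!/bin/sh
# Pre-flight audit for the Samba/Kerberos setup described above (added example,
# not code from the wiki or the Samba project). Checks:
#   1. keytab owned by root:root with mode 0600          (steps 4 and 5)
#   2. keytab holds a cifs/ principal with an RC4 enctype  (step 3)
#   3. smb.conf sets security = ADS, a realm, and a keytab-backed method (step 6)
#   4. a user principal has a matching system user       (User Administration)
# Assumptions: GNU stat(1), getent(1), listing produced by MIT "klist -kte".
# Paths are parameters so the checks run against a live system or the
# constructed sample files created at the bottom.

# Check 1a: keytab mode must be exactly 0600.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Check 1b: keytab owner (default root:root; second argument overrides for testing).
keytab_owner_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U:%G' "$1")" = "${2:-root:root}" ]
}

# Check 2: does a saved "klist -kte" listing contain a cifs/ key with an RC4 enctype?
keytab_has_cifs_rc4() {
    grep -iE 'cifs/[^[:space:]]+@[^[:space:]]+[[:space:]]+\((rc4-hmac|arcfour-hmac|ArcFour with HMAC/md5)\)' \
        "$1" >/dev/null 2>&1
}

# Helper for check 3: print the value of an smb.conf option, ignoring
# "#" and ";" comments, option-name case and surrounding whitespace.
smb_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    awk -v k="$key" '
        { sub(/[#;].*/, "") }
        index($0, "=") > 0 {
            i = index($0, "=")
            name = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", name)
            if (name == k) {
                val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Check 3: the smb.conf settings step 6 requires (accepting the Samba 3.0 spelling).
smb_conf_ok() {
    sec=$(smb_get "$1" security | tr 'A-Z' 'a-z')
    realm=$(smb_get "$1" realm)
    method=$(smb_get "$1" "kerberos method" | tr 'A-Z' 'a-z')
    legacy=$(smb_get "$1" "kerberos keytab" | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security must be ADS (found '$sec')"; return 1; }
    [ -n "$realm" ] || { echo "realm is not set"; return 1; }
    case "$method" in
        "secrets and keytab"|"system keytab"|"dedicated keytab") return 0 ;;
    esac
    if [ "$legacy" = "yes" ]; then return 0; fi
    echo "no keytab-backed kerberos method configured (found '$method')"
    return 1
}

# Check 4: Samba maps a principal such as alice@EXAMPLE.REALM to local user alice.
principal_has_system_user() {
    getent passwd "${1%%@*}" >/dev/null 2>&1
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
[global]
   security = ADS
   realm = EXAMPLE.REALM
   encrypt passwords = yes
   #Samba 3.0 requires "kerberos keytab = yes" instead of the next line.
   kerberos method = secrets and keytab
EOF
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
[global]
   security = user
   realm = EXAMPLE.REALM
EOF
cat > "$SAMPLE_DIR/klist-good.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/2024 12:00:00 cifs/server.example.com@EXAMPLE.REALM (arcfour-hmac)
EOF
cat > "$SAMPLE_DIR/klist-bad.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/2024 12:00:00 cifs/server.example.com@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
EOF
: > "$SAMPLE_DIR/keytab"; chmod 0600 "$SAMPLE_DIR/keytab"

# Demonstration on the sample files. On a live server pass /etc/samba/smb.conf,
# /etc/krb5.keytab and the output of "klist -kte /etc/krb5.keytab" instead.
for f in good bad; do
    if smb_conf_ok "$SAMPLE_DIR/$f.conf"; then echo "$f.conf: OK"; fi
    if keytab_has_cifs_rc4 "$SAMPLE_DIR/klist-$f.txt"; then echo "klist-$f: OK"
    else echo "klist-$f: no rc4-hmac cifs/ key"; fi
done
if keytab_mode_ok "$SAMPLE_DIR/keytab"; then echo "sample keytab mode: OK"; fi
```

Run it before the `smbclient -k -L` test: every failing check prints the reason, and each function returns non-zero so the script can gate a deployment step. The option parser is deliberately case- and whitespace-insensitive, because `smb.conf` treats `Security = ads` and `security=ADS` as the same setting.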