SSSD/Kerberos/LDAP Authentication: Difference between revisions
Revision as of 16:43, 21 July 2016
Install Required Packages
- RHEL6: Install the following packages.
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
- RHEL7: Install the following packages.
- # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
- Ubuntu: Install the following packages.
- $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules
Configure Kerberos
- Gather the list of KDCs for the realm from the _kerberos._tcp SRV record of the AD DNS domain. The fields after "service =" are priority, weight, port and target; the targets in the last column (dc1 through dc4 below) are the KDCs.
- # nslookup -type=SRV _kerberos._tcp.<domain in lowercase>
- Output of the previous command:
      Server:   <ip address>
      Address:  <ip address>#53

      _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc1.<domain in lowercase>.
      _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc2.<domain in lowercase>.
      _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc3.<domain in lowercase>.
      _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc4.<domain in lowercase>.
- Create a backup of the /etc/krb5.conf file.
- # cp -p /etc/krb5.conf{,.bak}
- Modify the /etc/krb5.conf file so that it contains the following (on the wiki page the changed lines are shown in bold italic). <AD DOMAIN> is the Kerberos realm, which for AD is the DNS domain in upper case; <ad domain> is the same DNS domain in lower case.
      [logging]
       default = FILE:/var/log/krb5libs.log
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log

      [libdefaults]
       default_realm = <AD DOMAIN>
       dns_lookup_realm = false
       dns_lookup_kdc = false
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true

      [realms]
       <AD DOMAIN> = {
        kdc = dc1.<AD DOMAIN>
        kdc = dc2.<AD DOMAIN>
        kdc = dc3.<AD DOMAIN>
        kdc = dc4.<AD DOMAIN>
        admin_server = <AD DOMAIN>
       }

      [domain_realm]
       .<ad domain> = <AD DOMAIN>
       <ad domain> = <AD DOMAIN>
- Two points to keep in mind. With dns_lookup_kdc = false the KDC list is pinned to the kdc lines above, so the file must be updated by hand when domain controllers are added or retired. forwardable = true makes the TGT forwardable, which is what lets a login (for example ssh with GSSAPI credential delegation) hand your Kerberos credentials to the remote host; set it to false if that delegation is not needed, since a forwarded TGT on a compromised host can be used as you.
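The [realms] stanza above is built by hand from the SRV answer. The following shell script is an added example, not part of the wiki page: it parses nslookup SRV output of the form shown above, orders the targets the way a Kerberos client would (lowest priority first, higher weight first within a priority) and prints the [realms] stanza. The sample answer, the realm EXAMPLE.COM and the function names parse_kerberos_srv, render_realm_stanza and kdcs_for_domain are all assumptions for the example; the admin_server value follows the page and is the realm name itself. Note that the generated kdc lines carry the lower-case DNS host names exactly as DNS returns them, whereas the page writes dc1.<AD DOMAIN>; both resolve, since DNS names are case-insensitive.

```shell
#!/bin/sh
# Added example (not from the wiki): build the krb5.conf [realms] stanza
# from nslookup SRV output. Names below are assumptions for this example.

# Constructed sample of "nslookup -type=SRV _kerberos._tcp.example.com".
# Each record line reads: <name> service = <priority> <weight> <port> <target>.
SAMPLE_SRV='Server:         10.0.0.53
Address:        10.0.0.53#53

_kerberos._tcp.example.com service = 0 100 88 dc1.example.com.
_kerberos._tcp.example.com service = 0 100 88 dc2.example.com.
_kerberos._tcp.example.com service = 10 50 88 dc3.example.com.
_kerberos._tcp.example.com service = 0 200 88 dc4.example.com.'

# Read nslookup output on stdin; print "host port" per KDC, lowest
# priority first and, within a priority, highest weight first.
# The trailing dot of the DNS target is stripped.
parse_kerberos_srv() {
    awk '$2 == "service" && $3 == "=" && $7 != "" {
            sub(/\.$/, "", $7)
            print $4, $5, $6, $7
         }' | sort -k1,1n -k2,2nr | awk '{ print $4, $3 }'
}

# Render the [realms] stanza. $1 = realm (upper case), $2 = admin_server;
# the KDC list is read from stdin in the "host port" form above.
# Port 88 is the Kerberos default and is left implicit, as on the page.
render_realm_stanza() {
    realm=$1
    admin=$2
    printf '[realms]\n%s = {\n' "$realm"
    while read -r host port; do
        [ -z "$host" ] && continue
        if [ "$port" = "88" ]; then
            printf '    kdc = %s\n' "$host"
        else
            printf '    kdc = %s:%s\n' "$host" "$port"
        fi
    done
    printf '    admin_server = %s\n}\n' "$admin"
}

# Live variant for a real domain; needs DNS access and nslookup on the host.
kdcs_for_domain() {
    nslookup -type=SRV "_kerberos._tcp.$1" | parse_kerberos_srv
}

# Demo on the constructed sample: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SRV" | parse_kerberos_srv \
        | render_realm_stanza EXAMPLE.COM EXAMPLE.COM
fi
```

For a real host, replace the sample with `kdcs_for_domain <domain in lowercase> | render_realm_stanza <AD DOMAIN> <AD DOMAIN>`, paste the result into /etc/krb5.conf, then confirm with `kinit <user>@<AD DOMAIN>` followed by `klist` that a TGT is issued by one of the listed KDCs.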
Configure Samba
1. Create a backup of the /etc/samba/smb.conf file.
   # cp -p /etc/samba/smb.conf{,.bak}
2. Modify the /etc/samba/smb.conf file as follows. Lines beginning with ';' are the stock entries commented out; the block from client signing through realm is added (the wiki page shows the changes in bold italic). The workgroup is the NetBIOS domain name, normally the AD domain without its top-level part.
      [global]
       workgroup = <AD DOMAIN minus top level domain>
       ; server string = Samba Server Version %v
       .
       .
       .
       ; security = user
       ; passdb backend = tdbsam
       .
       .
       .
       client signing = yes
       client use spnego = yes
       kerberos method = secrets and keytab
       security = ads
       passdb backend = tdbsam
       realm = <AD DOMAIN>
       .
       .
       ; load printers = yes
       ; cups options = raw
       .
       .
       .
       ;[printers]
       ;comment = All Printers
       ;path = /var/spool/samba
       ; browseable = no
       ; guest ok = no
       ; writable = no
       ; printable = yes
3. Verify the Samba configuration.
   # testparm
4. The output should be similar to
      [global]
       workgroup = <AD DOMAIN minus top level domain>
       realm = <AD DOMAIN>
       security = ADS
       kerberos method = secrets and keytab
       log file = /var/log/samba/log.%m
       max log size = 50
       client signing = required
       idmap config * : backend = tdb

      [homes]
       comment = Home Directories
       read only = No
       browseable = No
   testparm prints effective values rather than what was typed: client signing = yes is a synonym of required, so the output confirms that SMB signing is mandatory on Samba's outgoing client connections. Check that security shows ADS, that realm is the upper-case AD domain and that kerberos method is secrets and keytab (so the system keytab is populated on join and usable by SSSD) before joining the host to the domain.
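testparm only reports syntax and effective values; it does not tell you whether the values are the ones this page requires. The shell script below is an added example, not from the wiki: it reads the [global] section of an smb.conf (or of testparm -s output saved to a file), skips ';' and '#' comment lines, takes the last definition of a key as Samba does, and flags the settings that the page replaces (security = user, no realm, signing not required, no keytab method). The two embedded configurations, the function names smb_global_value and audit_smb_conf, and the domain EXAMPLE / EXAMPLE.COM are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki): audit smb.conf [global] for the AD
# member settings this page expects. Function names are assumptions.

# Print the effective value of key $2 in [global] of file $1, or nothing
# if it is unset. Comment lines (';' or '#') are ignored and, as in Samba,
# the last definition of a key wins.
smb_global_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one line per finding; return 0 when the file passes, 1 otherwise.
audit_smb_conf() {
    conf=$1
    n=0
    sec=$(lc "$(smb_global_value "$conf" security)")
    if [ "$sec" != "ads" ]; then
        echo "security = ${sec:-<unset>}: expected ads (domain member, Kerberos auth)"
        n=$((n + 1))
    fi
    realm=$(smb_global_value "$conf" realm)
    if [ -z "$realm" ]; then
        echo "realm is unset: expected the AD domain in upper case"
        n=$((n + 1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm = $realm: Kerberos realm names are upper case"
        n=$((n + 1))
    fi
    case "$(lc "$(smb_global_value "$conf" "client signing")")" in
        yes|true|on|mandatory|required) ;;
        *) echo "client signing is not required: unsigned SMB sessions to the DCs are open to tampering"
           n=$((n + 1)) ;;
    esac
    km=$(lc "$(smb_global_value "$conf" "kerberos method")")
    if [ "$km" != "secrets and keytab" ]; then
        echo "kerberos method = ${km:-<unset>}: expected 'secrets and keytab' so the join populates the system keytab for SSSD"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: the stock (weak) file and the page's hardened one.
make_sample_confs() {
    WEAK_CONF=$(mktemp)
    HARDENED_CONF=$(mktemp)
    cat >"$WEAK_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    server string = Samba Server Version %v
    security = user
    passdb backend = tdbsam
    client signing = no
[homes]
    comment = Home Directories
EOF
    cat >"$HARDENED_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    ; security = user
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    security = ads
    passdb backend = tdbsam
    realm = EXAMPLE.COM
[homes]
    comment = Home Directories
    read only = No
EOF
}
cleanup_sample_confs() { rm -f "$WEAK_CONF" "$HARDENED_CONF"; }

# Demo: sh audit.sh --demo   (or: audit_smb_conf /etc/samba/smb.conf)
if [ "${1:-}" = "--demo" ]; then
    make_sample_confs
    echo "weak:";     audit_smb_conf "$WEAK_CONF" || true
    echo "hardened:"; audit_smb_conf "$HARDENED_CONF" && echo "ok"
    cleanup_sample_confs
fi
```

On a real host run `testparm -s /etc/samba/smb.conf > /tmp/smb.effective` and audit that file, so that defaults and synonyms (yes versus required) are already resolved by Samba before the check.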