SSSD/Kerberos/LDAP Authentication: Difference between revisions

From UNIX Systems Administration

Revision as of 16:44, 21 July 2016

Install Required Packages

  1. RHEL6: Install the following packages.
    1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients ipa-client sssd-common krb5-devel
  2. RHEL7: Install the following packages.
    1. # yum install sssd krb5-workstation samba-common authconfig oddjob oddjob-mkhomedir openldap-clients sssd-libwbclient sssd-tools ipa-client sssd-common krb5-devel
  3. UBUNTU: Install the following packages.
    1. $ sudo apt-get install krb5-user krb5-config samba sssd ntp nscd libpam-sss libnss-sss sssd-tools sssd-ad libpam-modules

Configure Kerberos

  1. Gather the list of KDCs for the realm; the KDC host names (bold italic in the original) are the last field of each SRV record.
    1. # nslookup -type=SRV _kerberos._tcp.<domain in lowercase>
      1. Output of previous command:
        Server: <ip address>
        Address: <ip address>#53

        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc1.<domain in lowercase>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc2.<domain in lowercase>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc3.<domain in lowercase>.
        _kerberos._tcp.<domain in lowercase> service = 0 100 88 dc4.<domain in lowercase>.
  2. Create a backup of the /etc/krb5.conf file.
    1. # cp -p /etc/krb5.conf{,.bak}
    2. Modify the /etc/krb5.conf file as follows; changes are in bold italic.
      1. [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

        [libdefaults]
        default_realm = <AD DOMAIN>
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

        [realms]
        <AD DOMAIN> = {
          kdc = dc1.<AD DOMAIN>
          kdc = dc2.<AD DOMAIN>
          kdc = dc3.<AD DOMAIN>
          kdc = dc4.<AD DOMAIN>
          admin_server = <AD DOMAIN>
        }

        [domain_realm]
        .<ad domain> = <AD DOMAIN>
        <ad domain> = <AD DOMAIN>
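Because dns_lookup_kdc = false turns off KDC discovery at runtime, the [realms] stanza above has to list every KDC the SRV lookup returned. The following POSIX shell snippet is an added example, not part of this wiki page: it parses nslookup SRV output in the format shown above into that stanza and refuses to emit one when no KDC was found. The resolver address 192.0.2.53, the realm EXAMPLE.TEST and the dcN.example.test hosts are constructed sample values.

```shell
# Added example, not from the wiki page: turn the SRV answer that
# "nslookup -type=SRV _kerberos._tcp.<domain>" prints into the static
# [realms] stanza krb5.conf needs once dns_lookup_kdc = false.
# Resolver address, realm and dcN hosts are constructed sample values.
SAMPLE_SRV='Server:   192.0.2.53
Address:  192.0.2.53#53

_kerberos._tcp.example.test service = 0 100 88 dc1.example.test.
_kerberos._tcp.example.test service = 0 100 88 dc2.example.test.
_kerberos._tcp.example.test service = 0 100 88 dc3.example.test.
_kerberos._tcp.example.test service = 0 100 88 dc4.example.test.'

# kdc_hosts: read nslookup SRV output on stdin and print one KDC host per
# line (last field, trailing dot stripped).  Only "service =" records on
# port 88 are taken, so the Server:/Address: resolver lines are ignored.
kdc_hosts() {
    awk '$2 == "service" && $6 == 88 { sub(/\.$/, "", $7); print $7 }'
}

# realm_stanza REALM HOST...: print the [realms] block with one "kdc ="
# line per discovered KDC.  REALM is the upper-case AD domain name.
realm_stanza() {
    realm=$1; shift
    printf '[realms]\n%s = {\n' "$realm"
    for h in "$@"; do printf '  kdc = %s\n' "$h"; done
    printf '  admin_server = %s\n}\n' "$realm"
}

# build_realms REALM: read KDC hosts on stdin and combine the two; refuse
# to emit a stanza when the lookup returned no KDCs, since an empty
# [realms] would silently break every kinit once DNS discovery is off.
build_realms() {
    set -- "$1"
    while IFS= read -r host; do set -- "$@" "$host"; done
    [ $# -gt 1 ] || { echo "no KDC SRV records found" >&2; return 1; }
    realm_stanza "$@"
}

# Usage with the constructed sample; with a real domain pipe the nslookup
# output in instead.
printf '%s\n' "$SAMPLE_SRV" | kdc_hosts | build_realms EXAMPLE.TEST
```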

Configure Samba

  1. Create a backup of the /etc/samba/smb.conf file.
    1. # cp -p /etc/samba/smb.conf{,.bak}
  2. Modify the /etc/samba/smb.conf file as follows; changes are in bold italic.
      1. [global]
        workgroup = <AD DOMAIN minus top level domain>
        ; server string = Samba Server Version %v
        .
        .
        .
        ; security = user
        ; passdb backend = tdbsam
        .
        .
        .
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        security = ads
        passdb backend = tdbsam
        realm = <AD DOMAIN>
        .
        .
        ; load printers = yes
        ; cups options = raw
        .
        .
        .
        ;[printers]
        ;comment = All Printers
        ;path = /var/spool/samba
        ; browseable = no
        ; guest ok = no
        ; writable = no
        ; printable = yes

  3. Verify the Samba configuration.
    1. # testparm
  4. The output should be similar to:
      1. [global]
        workgroup = <AD DOMAIN minus top level domain>
        realm = <AD DOMAIN>
        security = ADS
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 50
        client signing = required
        idmap config * : backend = tdb

        [homes]
        comment = Home Directories
        read only = No
        browseable = No
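testparm validates syntax, but it will happily accept a file in which the stock "security = user" line was left uncommented below the new "security = ads" line. The POSIX shell check below is an added example, not part of this wiki page: it reads an smb.conf, resolves each [global] key the way Samba does (comments ignored, last occurrence wins) and confirms that the settings this procedure adds are actually in effect. The workgroup EXAMPLE, realm EXAMPLE.TEST and both sample configs are constructed; "required" and "mandatory" are accepted alongside "yes" for client signing because testparm reports "yes" as "required".

```shell
# Added example, not from the wiki page: confirm an smb.conf carries the
# [global] settings this page sets before running testparm, and catch the
# slip of leaving "security = user" uncommented.  Constructed samples:
GOOD_SMB='[global]
        workgroup = EXAMPLE
        ; security = user
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        security = ads
        passdb backend = tdbsam
        realm = EXAMPLE.TEST'
BAD_SMB='[global]
        workgroup = EXAMPLE
        security = user
        passdb backend = tdbsam'

# smb_setting KEY: read smb.conf on stdin, print the effective value of KEY
# in [global].  ; and # lines are comments; the last occurrence of a key wins.
smb_setting() {
    awk -F= -v key="$1" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /\[global\]/); next }
        insec && NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        }
        END { print v }'
}

# check_ads_config: read smb.conf on stdin, print one line per unmet
# requirement; returns 0 only when every AD-related setting is in place.
check_ads_config() {
    conf=$(cat); rc=0
    for want in "security=ads" "kerberos method=secrets and keytab" \
                "client use spnego=yes"; do
        key=${want%%=*}; val=${want#*=}
        got=$(printf '%s\n' "$conf" | smb_setting "$key")
        [ "$got" = "$val" ] || { echo "FAIL: $key = '$got' (want $val)"; rc=1; }
    done
    case "$(printf '%s\n' "$conf" | smb_setting "client signing")" in
        yes|required|mandatory) ;;
        *) echo "FAIL: client signing must be yes/required"; rc=1 ;;
    esac
    [ -n "$(printf '%s\n' "$conf" | smb_setting realm)" ] \
        || { echo "FAIL: realm is not set"; rc=1; }
    return $rc
}
if printf '%s\n' "$GOOD_SMB" | check_ads_config; then echo "good config: OK"; fi
if ! printf '%s\n' "$BAD_SMB" | check_ads_config; then echo "bad config: rejected"; fi
```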