Wednesday, 28 May 2014

Configure Fedora 19 to authenticate with Samba4 AD using kerberos

Introduction
The data used in this tutorial:
  • Samba4 Active Directory Domain: example.com
  • Samba4 Active Directory host: host.example.com
  • Realm/workgroup: EXAMPLE.COM
  • Samba4 Active Directory, DNS & NTP IP Address: 192.168.1.2
  • Fedora19 Client machine hostname : FEDCLIENT1

Overview
A summary of the steps we are going to do:
  • Install Packages
  • Configure NTP & DNS
  • Configure Kerberos
  • Configure nsswitch
  • Configure Samba
  • Join the Domain
  • Test the setup
You need a privileged domain account to join the Active Directory Domain.

Install Packages
Install the following packages on a freshly installed Fedora 19 machine:
#yum install krb5-workstation krb5-libs samba-winbind samba-winbind-clients samba samba-client samba-libs samba-winbind-krb5-locator samba-common ntp

Configure NTP & DNS
In order to synchronize the client's clock with Active Directory, which Kerberos requires, point NTP at the domain controller:
#/etc/ntp.conf
server 192.168.1.2

For DNS:
#/etc/resolv.conf
domain example.com
search example.com
nameserver 192.168.1.6


Configure Kerberos
What is Kerberos?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:
  • It is secure: it never sends a password unless it is encrypted.  
  • Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.
  • The concept depends on a trusted party – a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.
  • It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.
Edit the /etc/krb5.conf file, remove everything and place the following in it, changing the EXAMPLE.COM domain to your own Active Directory Domain:

[libdefaults]
  ticket_lifetime = 24h
  default_realm = EXAMPLE.COM
  forwardable = true

[realms]
  EXAMPLE.COM = {
  kdc = EXAMPLE.COM
  default_domain = EXAMPLE.COM
  admin_server = 192.168.1.2
  kdc = host.example.com
  }

[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM

[appdefaults]
  pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
  }

[logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

Test Kerberos by getting a ticket for the Active Directory Administrator User.
#kinit Administrator
Password for Administrator@EXAMPLE.COM:

The following command should list the ticket obtained by kinit.
#klist
Ticket cache: DIR::/run/user/0/krb5cc/tktgdYTR
Default principal: administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
05/28/2014 16:43:40  05/29/2014 02:43:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 05/29/2014 16:43:35

If you get an error, check your Kerberos, DNS and NTP (time) settings and try again.

Configure nsswitch
nsswitch is used to tell the system that the Active Directory users are also valid users. We are going to configure it to also accept winbind users, which is what Samba uses after it has bound to the domain.

Edit the /etc/nsswitch.conf
passwd:     files ldap winbind
group:      files ldap winbind
shadow:     files ldap winbind

Configure Samba
Now we need to set up Samba to also support the domain.
Edit /etc/samba/smb.conf

[global]
      workgroup = EXAMPLE
      realm = EXAMPLE.COM
      password server = host.example.com
      security = ads
      domain master = no
      local master = no
      preferred master = no
      idmap config * : backend = rid
      idmap config * : range = 2000-50000000
      template homedir = /home/%U
      template shell = /bin/bash
      winbind use default domain = yes
      winbind offline logon = yes
      winbind enum users = yes
      winbind enum groups = yes
      winbind nested groups = yes
      winbind refresh tickets = yes
      wins support = yes
      dns proxy = yes
      wins proxy = yes

Save the file and restart all the daemons:
#service smb restart
#service nmb restart
#service ntp restart
#service winbind restart
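Before joining, it is worth cross-checking that the realm and workgroup values in /etc/krb5.conf and /etc/samba/smb.conf agree: a lower-case realm, or a workgroup that is not the short name of the realm, is a common reason the join fails. The script below is an added example, not part of the original post. It assumes the two files use the layout shown in this tutorial and runs against constructed copies in a temporary directory; the helper names ini_get and check_realm_consistency are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the realm and
# workgroup settings in krb5.conf and smb.conf, which must agree before
# "net ads join" can succeed. Paths are passed as arguments so the check
# can run against copies rather than the live /etc files.

# Print the value of KEY inside [SECTION] of an ini-style file
# (krb5.conf and smb.conf both use this layout).
ini_get() {
    # $1=file $2=section $3=key
    awk -v sec="[$2]" -v key="$3" '
        # remember which section we are in
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); cur = $0; next }
        cur == sec {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, kv, "=")
            k = kv[1]; gsub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when the Kerberos and Samba settings agree, 1 otherwise.
# Rules (taken from the tutorial's own values):
#   - krb5 default_realm == smb realm, and the realm is upper-case
#   - smb workgroup == first label of the realm (EXAMPLE for EXAMPLE.COM)
#   - [domain_realm] maps the lower-case domain to the realm
check_realm_consistency() {
    krb5=$1; smb=$2; rc=0
    krb_realm=$(ini_get "$krb5" libdefaults default_realm)
    smb_realm=$(ini_get "$smb" global realm)
    workgroup=$(ini_get "$smb" global workgroup)
    domain=$(printf '%s' "$krb_realm" | tr 'A-Z' 'a-z')
    mapped=$(ini_get "$krb5" domain_realm "$domain")

    if [ "$krb_realm" != "$smb_realm" ]; then
        echo "MISMATCH: krb5 default_realm '$krb_realm' != smb realm '$smb_realm'"; rc=1
    fi
    if [ "$krb_realm" != "$(printf '%s' "$krb_realm" | tr 'a-z' 'A-Z')" ]; then
        echo "ERROR: realm '$krb_realm' must be upper-case"; rc=1
    fi
    if [ "$workgroup" != "${krb_realm%%.*}" ]; then
        echo "MISMATCH: workgroup '$workgroup' != realm short name '${krb_realm%%.*}'"; rc=1
    fi
    if [ "$mapped" != "$krb_realm" ]; then
        echo "MISSING: [domain_realm] has no '$domain = $krb_realm' mapping"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $krb_realm / $workgroup are consistent"
    return "$rc"
}

# Constructed copies of the tutorial's two files (sample data, not the
# live /etc files), written to a temp dir so the check runs anywhere.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
  kdc = host.example.com
  }
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
EOF
cat > "$TMP/smb.conf" <<'EOF'
[global]
      workgroup = EXAMPLE
      realm = EXAMPLE.COM
      security = ads
EOF
# A deliberately broken smb.conf: lower-case realm and a default workgroup,
# two frequent causes of a failed join.
cat > "$TMP/smb-bad.conf" <<'EOF'
[global]
      workgroup = WORKGROUP
      realm = example.com
      security = ads
EOF

check_realm_consistency "$TMP/krb5.conf" "$TMP/smb.conf"
check_realm_consistency "$TMP/krb5.conf" "$TMP/smb-bad.conf" || true
```

To check a real machine, call check_realm_consistency /etc/krb5.conf /etc/samba/smb.conf; a non-zero exit with the printed MISMATCH/MISSING lines tells you which file to correct before running net ads join.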

Join the domain

Make sure you still have a valid Kerberos ticket. If not, do a new kinit Administrator. Then execute the following command:

#net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined FEDCLIENT1 to realm 'example.org'
DNS Update for fedclient1.example.org failed: ERROR_DNS_GSS_ERROR
DNS update failed!

The DNS error can be ignored, but make sure you create an A record and a PTR record for the client manually.

Restart all the daemons:
#service smb restart
#service nmb restart
#service winbind restart

Update pam:
#authconfig --enableshadow --enablewinbind --update

Check that winbind and nsswitch are working correctly; the following commands should list all Active Directory users and groups:
#getent passwd
#getent group


