Datasäkerhet och Informationssäkerhet

Robert Malmgren AB

“Trust is good, control is better.”

2009/09/21

Samba and kerberos

To use samba with kerberos is not so hard. First you need a KDC, in this example we will use Windows 2003 Server. Fix kerberos on the machine where samba will be installed.
krb5.conf
[libdefaults]
        default_realm = DOMAIN.TLD

[realms]
        DOMAIN.TLD = {
                kdc = x.x.x.x
                admin_server = x.x.x.x
                default_domain = domain.tld
        }
Simply install samba on a server, and configure it. Some other parameters can be good to, but we skip this for now.
smb.conf
[global]
   # This option specifies the kerberos realm to use.
   realm = DOMAIN.TLD

   # In this mode, Samba will act as a domain member in an ADS realm.
   security = ADS

   # Specifies whether Samba should attempt to maintain service principals
   # in the systems keytab file for host/FQDN and cifs/FQDN.
   use kerberos keytab = yes

   # This variable controls whether Samba clients will try to use Simple and
   # Protected NEGOciation (as specified by rfc2478) with supporting servers
   # (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an
   # authentication mechanism. This enables Kerberos authentication in particular.
   client use spnego = yes

   # By specifying the name of another SMB server or Active Directory domain
   # controller with this option, and using security = [ads|domain|server]
   # it is possible to get Samba to do all its username/password validation
   # using a specific remote server.
   password server = x.x.x.x

   # This sets the NetBIOS name by which a Samba server is known.
   netbios name = server_name

   # This controls what workgroup your server will appear to be in when queried
   # by clients. Note that this parameter also controls the Domain name used
   # with the security = domain  setting.
   workgroup = DOMAIN.TLD

   # This boolean controls whether encrypted passwords will be negotiated
   # with the client.
   encrypt passwords = true

   # If set to yes, Samba treats the share as a Dfs root and allows clients
   # to browse the distributed file system tree rooted at the share directory.
   # This one is for windows clients
   msdfs root = yes

[theshare]
   # This parameter specifies a directory to which the user of the service is to be given access.
   path = /tmp

   # If this parameter is yes, then users of a service may not create or modify files in the service's directory.
   read only = no

   # This controls whether this share is seen in the list of available shares in a net view and in the browse list.
   browseable = yes

   # If this parameter is yes for a service, then no password is required to connect to the service.
   guest ok = no

   # This is a list of users that should not be allowed to login to this service.
   valid users = user1 user2 user3

Add the samba users you need, set any password, it will not be used anyway.
smbpasswd -a user1
Samba used the default krb5.keytab, so you can't specify where the keytab will be located.
In this case we have a AD-server where the users are stored, add a user as a service ex. svc-computer_name-cifs. Map the user with ktpass
ktpass -princ cifs/server.domain.tld@DOMAIN.TLD mapuser svc-computer-cifs -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL +rndPass -out krb5.keytab

RC4-HMAC-NT is the strongest encryption offer on 2003 server, on 2008 server you can have up to AES-256.


Move the keytab in a safe way to the samba server(/etc/krb5.keytab).
Test if it works
smbclient //server_name/theshare -d3 -k -L server_name -U user1
Now it should be possible to mount the Sambashare on Linux and Mac after you autheticate whith kinit. A Windows computer in the domain can connect to the Sambasshare directly after you have logged on with a valid user.


----
Written by Tobbe @ 2009-09-21