Samba and kerberos
To use Samba with Kerberos is not so hard. First you need a KDC; in this example we will use Windows 2003 Server. Configure Kerberos on the machine where Samba will be installed.
krb5.conf
[libdefaults]
default_realm = DOMAIN.TLD

[realms]
DOMAIN.TLD = {
    kdc = x.x.x.x
    admin_server = x.x.x.x
    default_domain = domain.tld
}
Simply install Samba on a server and configure it. Some other parameters can be good too, but we skip those for now.
smb.conf
[global]
# This option specifies the kerberos realm to use.
realm = DOMAIN.TLD
# In this mode, Samba will act as a domain member in an ADS realm.
security = ADS
# Specifies whether Samba should attempt to maintain service principals
# in the systems keytab file for host/FQDN and cifs/FQDN.
use kerberos keytab = yes
# This variable controls whether Samba clients will try to use Simple and
# Protected NEGOciation (as specified by rfc2478) with supporting servers
# (including WindowsXP, Windows2000 and Samba 3.0) to agree upon an
# authentication mechanism. This enables Kerberos authentication in particular.
client use spnego = yes
# By specifying the name of another SMB server or Active Directory domain
# controller with this option, and using security = [ads|domain|server]
# it is possible to get Samba to do all its username/password validation
# using a specific remote server.
password server = x.x.x.x
# This sets the NetBIOS name by which a Samba server is known.
netbios name = server_name
# This controls what workgroup your server will appear to be in when queried
# by clients. Note that this parameter also controls the Domain name used
# with the security = domain setting.
workgroup = DOMAIN.TLD
# This boolean controls whether encrypted passwords will be negotiated
# with the client.
encrypt passwords = true
# If set to yes, Samba treats the share as a Dfs root and allows clients
# to browse the distributed file system tree rooted at the share directory.
# This one is for windows clients
msdfs root = yes

[theshare]
# This parameter specifies a directory to which the user of the service is to be given access.
path = /tmp
# If this parameter is yes, then users of a service may not create or modify files in the service's directory.
read only = no
# This controls whether this share is seen in the list of available shares in a net view and in the browse list.
browseable = yes
# If this parameter is yes for a service, then no password is required to connect to the service.
guest ok = no
# This is a list of users that are allowed to login to this service.
valid users = user1 user2 user3
Add the Samba users you need and set any password; it will not be used anyway.
smbpasswd -a user1
Samba uses the default krb5.keytab, so you can't specify where the keytab will be located.
In this case we have an AD server where the users are stored. Add a user for the service, e.g. svc-computer_name-cifs, and map it to the service principal with ktpass:
ktpass -princ cifs/server.domain.tld@DOMAIN.TLD -mapuser svc-computer-cifs -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL +rndPass -out krb5.keytab
RC4-HMAC-NT is the strongest encryption offered on Server 2003; on Server 2008 you can go up to AES-256.
Move the keytab to the Samba server in a safe way (to /etc/krb5.keytab).
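A check for the keytab step, added here as an example and not part of the original post: once the file is in place, the two things that most often go wrong are that the keytab is readable by more than root, and that it does not actually contain the cifs/FQDN principal Samba will look for. The script below checks both. It assumes the principal and realm names used above (cifs/server.domain.tld@DOMAIN.TLD), and the listing format printed by MIT Kerberos `klist -kte`; the sample listing embedded in it is constructed, so it runs without a real keytab.

```shell
#!/bin/sh
# Added example (not from the original post). Checks a copied-in keytab for
# the two usual mistakes: file mode too open, and the expected cifs/FQDN
# principal missing. Names follow the post; the listing sample is constructed.

# keytab_mode_ok FILE -> prints "ok" when group and other have no permission
# bits at all (mode 0600 or stricter), otherwise "too-open".
keytab_mode_ok() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)   # group+other part of "-rw-------"
    if [ "$bits" = "------" ]; then
        echo ok
    else
        echo too-open
    fi
}

# keytab_has_principal LISTING PRINCIPAL -> "ok" if PRINCIPAL appears as a
# whole field in LISTING (the text printed by `klist -kte FILE`), else "missing".
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit (found ? 0 : 1) }' && echo ok || echo missing
}

# keytab_enctypes LISTING PRINCIPAL -> the enctype names recorded for that
# principal (shown in parentheses by `klist -kte`), one per line.
keytab_enctypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++)
              if ($i == p && i < NF) { e = $(i + 1); gsub(/[()]/, "", e); print e } }'
}

# Constructed sample of `klist -kte /etc/krb5.keytab` output for the keytab
# created with ktpass above (RC4-HMAC-NT is reported as arcfour-hmac).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 09/21/09 10:00:00 cifs/server.domain.tld@DOMAIN.TLD (arcfour-hmac)'

# Stand-alone run on the sample; on a real server feed it
# "$(klist -kte /etc/krb5.keytab)" instead of SAMPLE_LISTING.
if [ "${1:-}" = "--demo" ]; then
    p=cifs/server.domain.tld@DOMAIN.TLD
    echo "principal: $(keytab_has_principal "$SAMPLE_LISTING" "$p")"
    echo "enctypes:  $(keytab_enctypes "$SAMPLE_LISTING" "$p")"
    echo "mode:      $(keytab_mode_ok /etc/krb5.keytab)"
fi
```

Run it as `sh check-keytab.sh --demo`. The principal is matched as a whole field rather than with a substring search so that host/server.domain.tld or a principal from another realm cannot satisfy the check by accident.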
Test that it works:
smbclient //server_name/theshare -d3 -k -L server_name -U user1
Now it should be possible to mount the Samba share on Linux and Mac after you authenticate with kinit. A Windows computer in the domain can connect to the Samba share directly after you have logged on with a valid user.
----
Written by Tobbe @ 2009-09-21