Samba Shares with Active Directory Login on Ubuntu Server 13.04 – Part 2

November 13, 2013

Configure Kerberos

What is Kerberos?

Kerberos is a computer network authentication protocol which works on the basis of “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

We need Kerberos so that the server can authenticate to Active Directory (and later join the domain) and so that AD users can authenticate to the Samba share. Replace the contents of /etc/krb5.conf with the following, changing TEST.NET to your own Active Directory domain. The realm name must be written in upper case:

sudo vi /etc/krb5.conf

[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.NET
forwardable = true
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_fallback = yes

[realms]
TEST.NET = {
kdc = 192.168.1.100
default_domain = test.net
}

[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Two things to know about the enctype lines. The original post had the keys misspelled (default_tgs_entypes and default_tkt__enctypes); libkrb5 ignores keys it does not recognise, so the typos silently left the library defaults in force. The spelling above is the correct one. More importantly, the algorithms listed are weak: single DES (des-cbc-md5) has been disabled by default in MIT Kerberos since 1.8 and only works with allow_weak_crypto = true, and the rc4-hmac key is derived directly from the user's NT hash. Against a Windows Server 2008 or newer domain controller use aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 instead, or simply delete the three lines and let the library negotiate its own AES-first defaults. The [appdefaults] and [logging] sections are harmless but do nothing useful on a client: [logging] is read by the KDC and kadmind, not by the client library, and krb4_convert refers to Kerberos 4.
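As an added example (not code from the original post), the following shell script audits a krb5.conf for the two problems just described, misspelled enctype keys and weak enctypes, and places the post's [libdefaults] next to an AES-only rewrite. Both sample files are constructed inside the script; TEST.NET and 192.168.1.100 are the post's placeholders, and the temporary directory is an assumption of the example.

```shell
#!/bin/sh
# Added example: audit a krb5.conf for misspelled enctype keys (which libkrb5
# silently ignores) and for weak enctypes (single DES, RC4) or
# allow_weak_crypto = true. The sample configs are constructed below.

# krb5_audit FILE: print one finding per line, return 1 if there were any.
krb5_audit() {
    conf=$1
    rc=0
    # (a) any "key = value" whose key looks like an enctype setting but is not
    #     one of the three keys libkrb5 actually recognises
    for key in $(sed -n 's/^[[:space:]]*\([A-Za-z_]*\)[[:space:]]*=.*/\1/p' "$conf"); do
        case "$key" in
            default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes) ;;
            *enctype*|*entype*) echo "misspelled key (ignored by libkrb5): $key"; rc=1 ;;
        esac
    done
    # (b) weak algorithms on any enctype line, correctly spelled or not
    #     (single DES and RC4; des3-* is deprecated but not flagged here)
    weak=$(sed -n 's/^[[:space:]]*[A-Za-z_]*typ[a-z]*[[:space:]]*=[[:space:]]*//p' "$conf" \
        | tr ' \t' '\n\n' | grep -E '^(des-|rc4-hmac|arcfour-hmac)' | sort -u)
    for e in $weak; do
        echo "weak enctype: $e"; rc=1
    done
    if grep -Eq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "allow_weak_crypto = true re-enables single DES"; rc=1
    fi
    return $rc
}

# write_sample_confs DIR: the post's [libdefaults] as posted (weak.conf) and
# an AES-only rewrite (hardened.conf). Both are constructed for this example.
write_sample_confs() {
    cat >"$1/weak.conf" <<'EOF'
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.NET
forwardable = true
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt__enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
dns_fallback = yes
[realms]
TEST.NET = {
kdc = 192.168.1.100
}
EOF
    cat >"$1/hardened.conf" <<'EOF'
[libdefaults]
ticket_lifetime = 24000
default_realm = TEST.NET
forwardable = true
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
dns_fallback = yes
[realms]
TEST.NET = {
kdc = 192.168.1.100
}
[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET
EOF
}

# Run the audit over both samples.
dir=$(mktemp -d)
write_sample_confs "$dir"
for f in weak hardened; do
    echo "== $f.conf"
    if krb5_audit "$dir/$f.conf"; then echo "no findings"; fi
done
rm -r "$dir"
```

Run it against the real file with `krb5_audit /etc/krb5.conf` after sourcing the script. The AES-only sample assumes the domain controller is Windows Server 2008 or newer; older DCs only support RC4 and DES, in which case the better fix is to upgrade the DC rather than keep the weak enctypes.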

We can now test Kerberos by requesting a ticket-granting ticket (TGT) for an Active Directory user. The post uses Administrator; any domain account works, and an unprivileged one is the better choice for a test. kinit itself does not need root, but because it is run through sudo here the ticket lands in root's credential cache (/tmp/krb5cc_0), so klist must be run the same way to see it:

sudo kinit Administrator
Password for Administrator@TEST.NET: ********

Now check that a valid ticket was issued:

sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TEST.NET

Valid starting       Expires              Service principal
3/11/2013 08:20      21/11/2013 15:11     krbtgt/TEST.NET@TEST.NET
        renew until 28/11/2013 06:11

The line to look for is the krbtgt/TEST.NET@TEST.NET entry. If kinit fails with "Clock skew too great", synchronise the server's clock with the domain controller (NTP); Kerberos rejects requests when the clocks differ by more than five minutes. "Cannot find KDC for realm" means the kdc line in [realms] is wrong or the DNS SRV records for the domain cannot be resolved.


Configure nsswitch

The Name Service Switch (/etc/nsswitch.conf) tells glibc which sources to consult when resolving users, groups and hosts. Adding winbind as a source for passwd and group lets the system resolve AD users and groups as if they were local accounts, which is what allows them to own files and log in to the share.

Edit the file /etc/nsswitch.conf in order to have the following contents:

sudo vi /etc/nsswitch.conf
passwd:        winbind compat
group:        winbind compat
shadow:        winbind compat
hosts:             files dns wins
networks:           files dns
protocols:          db files
services:           db files
ethers:             db files
rpc:                db files
netgroup:           nis

Note that putting winbind first, as above, sends every lookup, including those for root and other local accounts, to winbindd before the local files are consulted; when winbindd is down or the domain controller is unreachable, local logins can be delayed or fail. If you see that, or AD users fail to resolve later on, list the local sources first:

passwd:      files winbind
shadow:      files winbind
group:       files winbind

winbind does not provide the shadow database at all (AD never exposes password hashes to the client), so "shadow: files" or "shadow: compat" alone is enough there; the winbind entry on that line is harmless but unused.
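As an added example (not code from the original post), the following shell script checks an nsswitch.conf for the three points that matter here: passwd and group must list winbind, a local source (files or compat) should be consulted before winbind, and shadow should not rely on winbind. The three sample files are constructed inside the script: the post's first version, the fallback with local sources first (with winbind dropped from shadow), and a file that forgot winbind altogether.

```shell
#!/bin/sh
# Added example: sanity-check an nsswitch.conf before relying on it for
# logins. Verifies that passwd and group include winbind, that a local
# source (files or compat) comes before winbind, and that shadow does not
# list winbind, which never serves it. Sample files are constructed below.

# nss_check FILE: print one finding per line, return 1 if there were any.
nss_check() {
    conf=$1
    rc=0
    for db in passwd group; do
        # word-split the source list so tabs and trailing blanks do not matter
        set -- $(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$conf")
        if [ $# -eq 0 ]; then
            echo "$db: no entry in $conf"; rc=1; continue
        fi
        case " $* " in
            *" winbind "*) ;;
            *) echo "$db: winbind missing, AD users will not resolve"; rc=1; continue ;;
        esac
        case "$1" in
            files|compat) ;;
            *) echo "$db: '$1' is consulted before files/compat, so local accounts depend on winbindd"; rc=1 ;;
        esac
    done
    set -- $(sed -n 's/^[[:space:]]*shadow:[[:space:]]*//p' "$conf")
    case " $* " in
        *" winbind "*) echo "shadow: winbind listed, but winbind never provides shadow entries"; rc=1 ;;
    esac
    return $rc
}

# write_nss_samples DIR: the post's first version (as-posted.conf), the
# fallback with local sources first and shadow left local (corrected.conf),
# and a file that forgot winbind (no-winbind.conf). Constructed for this example.
write_nss_samples() {
    cat >"$1/as-posted.conf" <<'EOF'
passwd:        winbind compat
group:        winbind compat
shadow:        winbind compat
hosts:             files dns wins
EOF
    cat >"$1/corrected.conf" <<'EOF'
passwd:      files winbind
group:       files winbind
shadow:      files
hosts:       files dns wins
EOF
    cat >"$1/no-winbind.conf" <<'EOF'
passwd:      compat
group:       compat
shadow:      compat
EOF
}

# Run the check over all three samples.
dir=$(mktemp -d)
write_nss_samples "$dir"
for f in as-posted corrected no-winbind; do
    echo "== $f.conf"
    if nss_check "$dir/$f.conf"; then echo "no findings"; fi
done
rm -r "$dir"
```

Once winbindd is running and the machine has joined the domain, the live check is `getent passwd` for a domain user next to `wbinfo -u`: if wbinfo lists the user but getent returns nothing, the problem is in nsswitch.conf (or the libnss_winbind library is not installed), not in winbind itself.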