1 Samba 3.0 prealpha guide to Kerberos authentication
2 ---------------------------------------------------
7 This is a VERY ROUGH guide to setting up the current (October 2001)
8 pre-alpha version of Samba 3.0 with kerberos authentication against a
9 Windows2000 KDC. The procedures listed here are likely to change as
12 Pieces you need before you begin:
14 - a Windows 2000 server running at least service pack 2
15 - the latest CVS source code for Samba. See http://cvs.samba.org/ for how to
17 - the MIT kerberos development libraries (either install from the
18 above sources or use a package). Under debian you need "libkrb5-dev"
19 and "krb5-user". The heimdal libraries will not work.
20 - the OpenLDAP development libraries. These must be compiled
21 with Cyrus SASL enabled.
23 Also check that you have the latest copy of this HOWTO. It is
24 available from http://samba.org/ftp/tridge/kerberos/HOWTO
29 If your kerberos libraries are in a non-standard location then
30 remember to add the configure option --with-krb5=DIR. For example,
31 on RedHat you will need --with-krb5=/usr/kerberos
33 After you run configure make sure that include/config.h contains a
38 If it doesn't then configure did not find your krb5 libraries. Look
39 in config.log to figure out why and fix it.
41 Then compile and install Samba as usual. You must use at least the
42 following 3 options in smb.conf:
44 realm = YOUR.KERBEROS.REALM
45 ads server = your.kerberos.server
47 encrypt passwords = yes
49 You do *not* need a smbpasswd file, although it won't do any harm
50 and if you have one then Samba will be able to fall back to normal
51 password security for older clients. I expect that the above
52 required options will change soon when we get better active
53 directory integration.
56 Step 2: Setup your /etc/krb5.conf
58 The minimal configuration for krb5.conf is:
61 default_realm = YOUR.KERBEROS.REALM
64 YOUR.KERBEROS.REALM = {
65 kdc = your.kerberos.server
69 Test your config by doing a "kinit USERNAME" and making sure that
70 your password is accepted by the Win2000 KDC.
72 NOTE: The realm must be uppercase.
74 You also must ensure that you can do a reverse DNS lookup on the IP
75 address of your KDC. This usually either involves setting up a PTR
76 record in your DNS server or adding your KDC to /etc/hosts.
79 * If all you want is kerberos support in smbclient then you can skip
80 * straight to step 5 now. Step 3 is only needed if you want kerberos
84 Step 3: Create the computer account
86 Do a "kinit" as a user that has authority to change arbitrary
87 passwords on the KDC ("Administrator" is a good choice). Then as a
88 user that has write permission on the Samba private directory
93 Step 4: Test your server setup
95 On a Windows 2000 client try "net use * \\server\share". You should
96 be logged in with kerberos without needing to know a password. If
97 this fails then run "klist tickets". Did you get a ticket for the
98 server? Does it have an encoding type of DES-CBC-MD5 ?
100 Step 5: Testing with smbclient
102 On your Samba server try to login to a Win2000 server or your Samba
103 server using smbclient and kerberos. Use smbclient as usual, but
104 specify the -k option to choose kerberos authentication.
110 - must change administrator password at least once after DC install,
111 to create the right encoding types
113 - w2k doesn't seem to create the _kerberos._udp and _ldap._tcp in
114 their defaults DNS setup. Maybe fixed in service packs?