Windows systems can authenticate to MIT Kerberos servers. With other software providing configuration management, Active Directory can be eliminated. These notes are based on configuration work done by Alex Dioso at the department of Genome Sciences.
Kerberos Server Configuration
These notes are for MIT Kerberos 1.3 or higher.
- /etc/krb5.conf
- kdc.conf
The /etc/krb5.conf configuration file should include rc4-hmac support under the [libdefaults] section, because Windows XP uses rc4-hmac. However, do not include rc4-hmac in the default_* encryption type lists, as older Unix clients may not support rc4-hmac; list it only under permitted_enctypes.
[libdefaults]
default_realm = EXAMPLE.ORG
default_etypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
dns_lookup_realm = false
dns_lookup_kdc = true
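As an added check (not part of the original notes), the following Python script parses the top-level keys of the [libdefaults] section of a krb5.conf and verifies the rule above: rc4-hmac must appear in permitted_enctypes but in none of the default_* lists. The embedded configuration is a constructed sample built from the values shown above; the parser only reads flat key = value lines and skips brace blocks such as those under [realms].

```python
# Constructed sample krb5.conf, taken from the [libdefaults] values above.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.ORG
    default_etypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    EXAMPLE.ORG = {
        kdc = kerberos-1.example.org
    }
"""

def parse_libdefaults(text):
    """Return the top-level 'key = value' pairs of [libdefaults] as a dict
    of token lists. Brace blocks (as used under [realms]) are skipped."""
    values, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, depth = line[1:-1].lower(), 0
            continue
        depth += line.count('{') - line.count('}')
        if section != 'libdefaults' or depth > 0:
            continue
        key, sep, value = line.partition('=')
        if sep:
            values[key.strip().lower()] = value.split()
    return values

def check_enctypes(text, windows_etype='rc4-hmac'):
    """Apply the rule from the notes: the enctype Windows XP needs must be
    permitted, but must not appear in any default_* list, so older Unix
    clients never negotiate it. Returns a list of problems (empty = ok)."""
    libdefaults = parse_libdefaults(text)
    problems = []
    if windows_etype not in libdefaults.get('permitted_enctypes', []):
        problems.append(f'{windows_etype} missing from permitted_enctypes')
    for key in ('default_etypes', 'default_tkt_enctypes', 'default_tgs_enctypes'):
        if windows_etype in libdefaults.get(key, []):
            problems.append(f'{windows_etype} listed in {key}')
    return problems

if __name__ == '__main__':
    print(check_enctypes(SAMPLE_KRB5_CONF) or 'krb5.conf follows the rule')
```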
The kdc.conf configuration file on the Kerberos servers must support rc4-hmac as an encryption type.
[realms]
EXAMPLE.ORG = {
database_name = /var/kerberos/krb5kdc/principal
key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.ORG
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal rc4-hmac:normal
}
Windows Client Setup
- Kerberos Configuration
- Host principals
- User Mapping
Use the ksetup.exe command to add the site Kerberos servers.
$ ksetup.exe /addkdc EXAMPLE.ORG kerberos-1.example.org
$ ksetup.exe /addkdc EXAMPLE.ORG kerberos-2.example.org
$ ksetup.exe /addkdc EXAMPLE.ORG kerberos.example.org
$ ksetup.exe /addkpasswd EXAMPLE.ORG kerberos.example.org
$ ksetup.exe /setrealm EXAMPLE.ORG
Create a host principal on each Windows client, then use the same password to create an equivalent principal in the MIT Kerberos database. If using an installation system such as Unattended, use a script to generate the random password and set up the host principal.
#!/usr/bin/perl
use strict;
use warnings;
my $domain = 'example.org';
# candidate characters: printable, non-whitespace ASCII
my @chars = grep { /[[:print:]]/ and /\S/ } map { chr } 1..128;
# random password of 8 to 14 characters
my $length = 8 + int(rand 7);
my $password = join '', map { $chars[rand @chars] } 1..$length;
# set the machine's Kerberos password; the list form avoids a shell
system(qw{ksetup.exe /setcomputerpassword}, $password) == 0
    or die "ksetup.exe failed: $?\n";
# print the principal name and password to create on the KDC with kadmin
print "Principal: host/", lc( $ENV{COMPUTERNAME} ), ".$domain\n";
print "Password: $password\n";
Then, use kadmin to add an equivalent principal to the Kerberos database, using the same password as above. Use the -e rc4-hmac:normal encryption option if adding a principal for a Windows XP system.
kadmin: ank -e rc4-hmac:normal host/client.example.org
User mapping translates local accounts to the Kerberos domain. See module:users for user account management under CFEngine.
$ ksetup.exe /mapuser * *
Samba
Windows clients can authenticate to Samba using Kerberos. Use Samba version 3.0.14a or higher on the server, and enable Kerberos support in the smb.conf configuration file.
[global]
use kerberos keytab = yes
realm = EXAMPLE.ORG
security = ads
Multiple host and cifs principals must be created for each Samba server, as principals are case sensitive, and Windows systems may randomly start using Server.example.org or SERVER.EXAMPLE.ORG when connecting. Extract these principals to the /etc/krb5.keytab file on each Samba server.
kadmin: ank -randkey host/server.example.org
kadmin: ank -randkey host/Server.example.org
kadmin: ank -randkey host/SERVER.EXAMPLE.ORG
kadmin: ank -randkey cifs/server.example.org
kadmin: ank -randkey cifs/Server.example.org
kadmin: ank -randkey cifs/SERVER.EXAMPLE.ORG
kadmin: ktadd -k /etc/krb5.keytab host/server.example.org
kadmin: ktadd -k /etc/krb5.keytab host/Server.example.org
kadmin: ktadd -k /etc/krb5.keytab host/SERVER.EXAMPLE.ORG
kadmin: ktadd -k /etc/krb5.keytab cifs/server.example.org
kadmin: ktadd -k /etc/krb5.keytab cifs/Server.example.org
kadmin: ktadd -k /etc/krb5.keytab cifs/SERVER.EXAMPLE.ORG