2015-10-11

Created the page and started translating it from English into Russian.

New page

[[Category:Networking]]

{{Related articles start}}

{{Related|Samba}}

{{Related|Samba/Tips and tricks}}

{{Related|Samba 4 Active Directory domain controller}}

{{Related|OpenChange server}}

{{Related articles end}}

{{Warning|Because Arch Linux is a rolling release distribution, some information on this page may be out of date due to changes in packages or configuration made by the developers. Never follow this or any other guide blindly. When a guide tells you to modify a file, make a backup first. Check the date the article was last verified.}}

One of the main tasks of system administrators is making heterogeneous environments work together, that is, mixing different server operating systems (usually Microsoft Windows and Unix/Linux). Managing users and authentication is currently the most difficult part of this task. The most popular way to solve it is a directory server. Many open source and commercial solutions exist for the various *NIX flavours; however, only a few address interoperability with Windows. Active Directory (AD) is a directory service created by Microsoft for Windows domain networks. It is included in most Windows Server operating systems. Servers running AD are called domain controllers.

[[Wikipedia:Active Directory|Active Directory]] serves as the central means of network administration and security. It is responsible for authenticating and authorizing all users and computers in a Windows domain network, assigning and enforcing security policies for all computers in the network, and installing and updating software on those computers. For example, when a user logs into a computer that is part of a domain, AD checks the submitted password and determines whether the user is a regular user or a system administrator.

Active Directory uses [[Wikipedia:Ldap|Lightweight Directory Access Protocol (LDAP)]] versions 2 and 3, [[Wikipedia:Kerberos_(protocol)|Kerberos]] and DNS.

The same standards are available on Linux, but combining them is not a simple task. This article will help you configure an Arch Linux host to authenticate against an AD domain.

This article explains how to integrate an Arch Linux host into an existing AD domain.

Before proceeding, you must have an existing AD domain and a user with the rights to add users and computer accounts.

This article is not intended as a complete description of AD, nor as a complete description of working with Samba. Refer to the resources section for further information.

== Terminology ==

If you are not familiar with AD, here are some key terms that are useful to know.

* '''Domain''': The name used for a group of computers and accounts.

* '''SID''': Every computer joining the network must have a unique SID / System Identifier.

* '''SMB''': Server Message Block.

* '''NETBIOS''': Network naming protocol used as an alternative to DNS. Mostly legacy, but still used in Windows networking.

* '''WINS''': Windows Information Naming Service. Used for resolving NetBIOS names to Windows hosts.

* '''Winbind''': Protocol for Windows authentication.

== Configuration ==

=== Active Directory Configuration ===

{{Warning|This section has not been validated. Proceed with caution.}}

==== Updating the GPO ====

It may be necessary to disable ''Digital Sign Communication (Always)'' in the AD group policies. Dive into:

{{ic|Local policies}} -> {{ic|Security policies}} -> {{ic|Microsoft Network Server}} -> {{ic|Digital sign communication (Always)}} -> activate {{ic|define this policy}} and use the {{ic|disable}} radio button.

If you use Windows Server 2008 R2, you need to modify that in GPO for Default Domain Controller Policy -> Computer Setting -> Policies -> Windows Setting -> Security Setting -> Local Policies -> Security Option -> ''Microsoft network client: Digitally sign communications (always)''

=== Linux Host Configuration ===

The next few steps begin the configuration of the host. You will need root or sudo access to complete them.

=== Installation ===

[[Pacman|Install]] the following packages:

* {{Pkg|samba}}, see also [[Samba]]

* {{AUR|pam-krb5}} from the [[AUR]]

* {{Pkg|ntp}} or {{Pkg|openntpd}}, see also [[NTPd]] or [[OpenNTPD]]

=== Updating DNS ===

Active Directory is heavily dependent upon DNS. You will need to update {{ic|/etc/resolv.conf}} to use one or more of the Active Directory domain controllers:

{{hc|/etc/resolv.conf|

nameserver <IP1>

nameserver <IP2>

}}

Replace <IP1> and <IP2> with valid IP addresses of the AD servers. If your AD domain does not permit DNS forwarding or recursion, you may need to add additional resolvers.

{{Note|If your machine dual boots Windows and Linux, use a different DNS hostname and NetBIOS name for the Linux configuration if both operating systems will be members of the same domain.}}

=== Configuring NTP ===

Read [[NTPd]] or [[OpenNTPD]] to configure a NTP service. Note that OpenNTPD is no longer maintained.

In the configuration, use the IP addresses of the AD servers. Alternatively, you can use other known NTP servers, provided the Active Directory servers sync to the same stratum; AD servers typically run NTP as a service anyway.

Ensure the daemon is configured to '''sync automatically on startup'''.

=== Kerberos ===

Let us assume that your AD is named example.com. Let us further assume your AD is ruled by two domain controllers, the primary and the secondary one, named PDC and BDC, i.e. pdc.example.com and bdc.example.com respectively. Their IP addresses will be 192.168.1.2 and 192.168.1.3 in this example. Take care to watch your syntax; upper-case is very important here.

{{hc|/etc/krb5.conf|<nowiki>

[libdefaults]

default_realm = EXAMPLE.COM

clockskew = 300

ticket_lifetime = 1d

forwardable = true

proxiable = true

dns_lookup_realm = true

dns_lookup_kdc = true

[realms]

EXAMPLE.COM = {

kdc = PDC.EXAMPLE.COM

admin_server = PDC.EXAMPLE.COM

default_domain = EXAMPLE.COM

}

[domain_realm]

.kerberos.server = EXAMPLE.COM

.example.com = EXAMPLE.COM

example.com = EXAMPLE.COM

example = EXAMPLE.COM

[appdefaults]

pam = {

ticket_lifetime = 1d

renew_lifetime = 1d

forwardable = true

proxiable = false

retain_after_close = false

minimum_uid = 0

debug = false

}

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/kdc.log

admin_server = FILE:/var/log/kadmind.log

</nowiki>}}

{{Note|Heimdal 1.3.1 deprecated DES encryption which is required for AD authentication before Windows Server 2008. You will probably have to add {{bc|1=allow_weak_crypto = true}} to the {{Ic|[libdefaults]}} section.}}

==== Creating a Kerberos Ticket ====

Now you can query the AD domain controllers and request a Kerberos ticket ('''uppercase is necessary'''):

{{bc|kinit administrator@EXAMPLE.COM}}

You can use any username that has rights as a Domain Administrator.

==== Validating the Ticket ====

Run {{ic|klist}} to verify that you did receive the ticket. You should see something similar to:

{{hc|# klist|

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: administrator@EXAMPLE.COM

Valid starting Expires Service principal

02/04/12 21:27:47 02/05/12 07:27:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM

renew until 02/05/12 21:27:47

}}

=== pam_winbind.conf ===

If you get errors stating that {{ic|/etc/security/pam_winbind.conf}} was not found, create the file with the following content:

{{hc|/etc/security/pam_winbind.conf|<nowiki>

debug=no

debug_state=no

try_first_pass=yes

krb5_auth=yes

krb5_cache_type=FILE

cached_login=yes

silent=no

mkhomedir=yes

</nowiki>}}

=== Samba ===

Samba is a free software re-implementation of the SMB/CIFS networking protocol. It also includes tools for Linux machines to act as Windows networking servers and clients.

{{Note|The configuration can vary greatly depending on how the Windows environment is deployed. Be prepared to troubleshoot and research.}}

In this section, we will focus on getting authentication to work first, by editing the {{ic|[Global]}} section only. Later, we will go back and add shares.

{{hc|/etc/samba/smb.conf|<nowiki>

[Global]

netbios name = MYARCHLINUX

workgroup = EXAMPLE

realm = EXAMPLE.COM

server string = %h ArchLinux Host

security = ads

encrypt passwords = yes

password server = pdc.example.com

idmap config * : backend = rid

idmap config * : range = 10000-20000

winbind use default domain = Yes

winbind enum users = Yes

winbind enum groups = Yes

winbind nested groups = Yes

winbind separator = +

winbind refresh tickets = yes

template shell = /bin/bash

template homedir = /home/%D/%U

preferred master = no

dns proxy = no

wins server = pdc.example.com

wins proxy = no

inherit acls = Yes

map acl inherit = Yes

acl group control = yes

load printers = no

debug level = 3

use sendfile = no

</nowiki>}}

Now we tell Samba to use the PDC's database for authentication queries. Again, we use winbindd, which is part of the samba package. Winbind maps the UIDs and GIDs of the AD onto our Linux machine. Winbind uses a Unix implementation of RPC calls, Pluggable Authentication Modules (PAM) and the Name Service Switch (NSS) to let Windows AD users access the Linux machine and to grant them permissions there. The best part of winbindd is that you do not have to define the mapping yourself; you only define a range of UIDs and GIDs. That is what we defined in smb.conf.

Update the Samba configuration file to enable the winbind daemon:

{{hc|/etc/conf.d/samba|<nowiki>

##### /etc/conf.d/samba #####

#SAMBA_DAEMONS=(smbd nmbd)

SAMBA_DAEMONS=(smbd nmbd winbindd)

</nowiki>}}

Next, configure {{ic|samba}} to startup at boot. Read [[Daemons]] for more details.

== Starting and testing services ==

=== Starting Samba ===

Hopefully, you have not rebooted yet! Fine. If you are in an X session, quit it so that you can test logging in from another console while you are still logged in.

[[Daemons|Start]] Samba (including smbd, nmbd and winbindd).

If you check the processes, you will see that winbind did not actually start. A quick review of the logs shows that the SID for this host could not be obtained from the domain:

{{hc|# tail /var/log/samba/log.winbindd|

[2012/02/05 21:51:30.085574, 0] winbindd/winbindd_cache.c:3147(initialize_winbindd_cache)

initialize_winbindd_cache: clearing cache and re-creating with version number 2

[2012/02/05 21:51:30.086137, 2] winbindd/winbindd_util.c:233(add_trusted_domain)

Added domain BUILTIN S-1-5-32

[2012/02/05 21:51:30.086223, 2] winbindd/winbindd_util.c:233(add_trusted_domain)

Added domain MYARCHLINUX S-1-5-21-3777857242-3272519233-2385508432

[2012/02/05 21:51:30.086254, 0] winbindd/winbindd_util.c:635(init_domain_list)

Could not fetch our SID - did we join?

[2012/02/05 21:51:30.086408, 0] winbindd/winbindd.c:1105(winbindd_register_handlers)

unable to initialize domain list

}}

=== Join the Domain ===

You need an AD Administrator account to do this. Let us assume it is named Administrator. The command is {{ic|net ads join}}:

{{hc|# net ads join -U Administrator|

Administrator's password: xxx

Using short domain name -- EXAMPLE

Joined 'MYARCHLINUX' to realm 'EXAMPLE.COM'

}}

See the screenshot of Active Directory Users and Computers:

[[wikipedia:File:Ads myarchlinux computer account.png]]

=== Restart Samba ===

'''winbindd''' failed to start on the first try because we were not yet a domain member.

[[Daemons|Restart]] the Samba service and winbind should fire up as well.

The Name Service Switch ({{ic|/etc/nsswitch.conf}}) tells the Linux host how to retrieve information from various sources and in which order to do so. In this case, we are appending Active Directory as an additional source for users, groups and hosts.

{{hc|/etc/nsswitch.conf|

passwd: files winbind

shadow: files winbind

group: files winbind

hosts: files dns wins

}}

=== Testing Winbind ===

Let us check if winbind is able to query the AD. The following command should return a list of AD users:

{{hc|# wbinfo -u|

administrator

guest

krbtgt

test.user

}}

* Note that we created an Active Directory user called {{ic|test.user}} on the domain controller.

We can do the same for AD groups:

{{hc|# wbinfo -g|

domain computers

domain controllers

schema admins

enterprise admins

cert publishers

domain admins

domain users

domain guests

group policy creator owners

ras and ias servers

allowed rodc password replication group

denied rodc password replication group

read-only domain controllers

enterprise read-only domain controllers

dnsadmins

dnsupdateproxy

}}

=== Testing nsswitch ===

To ensure that our host is able to query the domain for users and groups, we test the nsswitch settings by issuing the {{ic|getent}} command. The following output shows a stock Arch Linux install with the AD accounts appended:

{{hc|# getent passwd|

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/false

daemon:x:2:2:daemon:/sbin:/bin/false

mail:x:8:12:mail:/var/spool/mail:/bin/false

ftp:x:14:11:ftp:/srv/ftp:/bin/false

http:x:33:33:http:/srv/http:/bin/false

nobody:x:99:99:nobody:/:/bin/false

dbus:x:81:81:System message bus:/:/bin/false

ntp:x:87:87:Network Time Protocol:/var/empty:/bin/false

avahi:x:84:84:avahi:/:/bin/false

administrator:*:10001:10006:Administrator:/home/EXAMPLE/administrator:/bin/bash

guest:*:10002:10007:Guest:/home/EXAMPLE/guest:/bin/bash

krbtgt:*:10003:10006:krbtgt:/home/EXAMPLE/krbtgt:/bin/bash

test.user:*:10000:10006:Test User:/home/EXAMPLE/test.user:/bin/bash

}}

And for groups:

{{hc|# getent group|

root:x:0:root

bin:x:1:root,bin,daemon

daemon:x:2:root,bin,daemon

sys:x:3:root,bin

adm:x:4:root,daemon

tty:x:5:

disk:x:6:root

lp:x:7:daemon

mem:x:8:

kmem:x:9:

wheel:x:10:root

ftp:x:11:

mail:x:12:

uucp:x:14:

log:x:19:root

utmp:x:20:

locate:x:21:

rfkill:x:24:

smmsp:x:25:

http:x:33:

games:x:50:

network:x:90:

video:x:91:

audio:x:92:

optical:x:93:

floppy:x:94:

storage:x:95:

scanner:x:96:

power:x:98:

nobody:x:99:

users:x:100:

dbus:x:81:

ntp:x:87:

avahi:x:84:

domain computers:x:10008:

domain controllers:x:10009:

schema admins:x:10010:administrator

enterprise admins:x:10011:administrator

cert publishers:x:10012:

domain admins:x:10013:test.user,administrator

domain users:x:10006:

domain guests:x:10007:

group policy creator owners:x:10014:administrator

ras and ias servers:x:10015:

allowed rodc password replication group:x:10016:

denied rodc password replication group:x:10017:krbtgt

read-only domain controllers:x:10018:

enterprise read-only domain controllers:x:10019:

dnsadmins:x:10020:

dnsupdateproxy:x:10021:

}}
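Once the domain accounts show up in {{ic|getent passwd}}, it is worth checking that the mapping stays inside the range configured with {{ic|idmap config * : range}} and that no local account collides with it, since a local and a domain account sharing a UID would share file ownership and permissions. The script below is an added example, not part of the original article; it assumes the 10000-20000 range from the smb.conf above and that winbind reports {{ic|*}} in the password field (as in the listing above), and the listings it audits are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the ArchWiki article: audit the UID mapping that
# winbind produced against the idmap range configured in smb.conf.
# Assumptions: idmap range 10000-20000 (from the page's smb.conf); winbind
# returns "*" in the password field (as in the page's getent output), local
# accounts from /etc/passwd return "x".  All sample listings are constructed.

IDMAP_LOW=10000
IDMAP_HIGH=20000

# check_idmap <getent-passwd-listing>
# Prints one line per finding and returns the number of findings (0 = clean):
#  - a domain account whose UID lies outside the idmap range
#  - a local account whose UID lies inside the idmap range (collision risk)
#  - any UID assigned to more than one account
check_idmap() {
    printf '%s\n' "$1" | awk -F: -v low="$IDMAP_LOW" -v high="$IDMAP_HIGH" '
    NF < 7 { next }                          # skip blank or malformed lines
    {
        name = $1; uid = $3 + 0
        domain = ($2 == "*")                 # winbind-supplied entry
        if (domain && (uid < low || uid > high)) {
            printf "domain account %s: UID %d outside idmap range %d-%d\n", name, uid, low, high
            bad++
        }
        if (!domain && uid >= low && uid <= high) {
            printf "local account %s: UID %d inside idmap range (collision risk)\n", name, uid
            bad++
        }
        if (uid in owner) {
            printf "UID %d shared by %s and %s\n", uid, owner[uid], name
            bad++
        } else {
            owner[uid] = name
        }
    }
    END { exit bad }'
}

# Constructed listing in the shape of the page's "getent passwd" output: clean.
CLEAN_LISTING='root:x:0:0:root:/root:/bin/bash
ntp:x:87:87:Network Time Protocol:/var/empty:/bin/false
administrator:*:10001:10006:Administrator:/home/EXAMPLE/administrator:/bin/bash
test.user:*:10000:10006:Test User:/home/EXAMPLE/test.user:/bin/bash'

# Constructed listing with three problems: a local service account created
# inside the idmap range, the resulting UID clash with "administrator", and a
# domain account mapped outside the range (e.g. after the range was changed).
BROKEN_LISTING='root:x:0:0:root:/root:/bin/bash
svc-backup:x:10001:10001:Backup service:/srv/backup:/bin/false
administrator:*:10001:10006:Administrator:/home/EXAMPLE/administrator:/bin/bash
contractor:*:25000:10006:Contractor:/home/EXAMPLE/contractor:/bin/bash'

# Stand-alone run over both listings; on a joined host use: check_idmap "$(getent passwd)"
for listing in "$CLEAN_LISTING" "$BROKEN_LISTING"; do
    rc=0
    check_idmap "$listing" || rc=$?
    echo "idmap audit: $rc finding(s)"
done
```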

=== Testing Samba commands ===

Try out some {{ic|net}} commands to see if Samba can communicate with AD:

{{hc|# net ads info|<nowiki>

[2012/02/05 20:21:36.473559, 0] param/loadparm.c:7599(lp_do_parameter)

Ignoring unknown parameter "idmapd backend"

LDAP server: 192.168.1.2

LDAP server name: PDC.example.com

Realm: EXAMPLE.COM

Bind Path: dc=EXAMPLE,dc=COM

LDAP port: 389

Server time: Sun, 05 Feb 2012 20:21:33 CST

KDC server: 192.168.1.2

Server time offset: -3

</nowiki>}}

{{hc|# net ads lookup|

[2012/02/05 20:22:39.298823, 0] param/loadparm.c:7599(lp_do_parameter)

Ignoring unknown parameter "idmapd backend"

Information for Domain Controller: 192.168.1.2

Response Type: LOGON_SAM_LOGON_RESPONSE_EX

GUID: 2a098512-4c9f-4fe4-ac22-8f9231fabbad

Flags:

Is a PDC: yes

Is a GC of the forest: yes

Is an LDAP server: yes

Supports DS: yes

Is running a KDC: yes

Is running time services: yes

Is the closest DC: yes

Is writable: yes

Has a hardware clock: yes

Is a non-domain NC serviced by LDAP server: no

Is NT6 DC that has some secrets: no

Is NT6 DC that has all secrets: yes

Forest: example.com

Domain: example.com

Domain Controller: PDC.example.com

Pre-Win2k Domain: EXAMPLE

Pre-Win2k Hostname: PDC

Server Site Name : Office

Client Site Name : Office

NT Version: 5

LMNT Token: ffff

LM20 Token: ffff

}}

{{hc|<nowiki># net ads status -U administrator | less</nowiki>|<nowiki>

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: user

objectClass: computer

cn: myarchlinux

distinguishedName: CN=myarchlinux,CN=Computers,DC=leafscale,DC=inc

instanceType: 4

whenCreated: 20120206043413.0Z

whenChanged: 20120206043414.0Z

uSNCreated: 16556

uSNChanged: 16563

name: myarchlinux

objectGUID: 2c24029c-8422-42b2-83b3-a255b9cb41b3

userAccountControl: 69632

badPwdCount: 0

codePage: 0

countryCode: 0

badPasswordTime: 0

lastLogoff: 0

lastLogon: 129729780312632000

localPolicyFlags: 0

pwdLastSet: 129729764538848000

primaryGroupID: 515

objectSid: S-1-5-21-719106045-3766251393-3909931865-1105

...<snip>...

</nowiki>}}

== Configuring PAM ==

Now we will change various rules in PAM to allow Active Directory users to use the system for things like login and sudo access. When changing the rules, note that the order of these items, and whether they are marked as '''required''' or '''sufficient''', is critical to things working as expected. You should not deviate from these rules unless you know how to write PAM rules.

In the case of logins, PAM should first ask for AD accounts, and fall back to local accounts if no matching AD account was found. Therefore, we add entries that include {{ic|pam_winbind.so}} in the authentication process.

The Arch Linux PAM configuration keeps the central auth process in {{ic|/etc/pam.d/system-auth}}. Starting with the stock configuration from {{ic|pambase}}, change it like this:

=== system-auth ===

==== "auth" section ====

Find the line:

{{bc|auth required pam_unix.so ...}}

Delete it, and replace with:

{{bc|<nowiki>
auth [success=1 default=ignore] pam_localuser.so
auth [success=2 default=die] pam_winbind.so
auth [success=1 default=die] pam_unix.so nullok
auth requisite pam_deny.so
</nowiki>}}

==== "account" section ====

Find the line:

{{bc|account required pam_unix.so}}

Keep it, and add this below:

{{bc|<nowiki>
account [success=1 default=ignore] pam_localuser.so
account required pam_winbind.so
</nowiki>}}

==== "session" section ====

Find the line:

{{bc|session required pam_unix.so}}

Keep it, and add this below:

{{bc|<nowiki>
session [success=1 default=ignore] pam_localuser.so
session required pam_winbind.so
</nowiki>}}

==== "password" section ====

Find the line:

{{bc|password required pam_unix.so ...}}

Delete it, and replace with:

{{bc|<nowiki>
password [success=1 default=ignore] pam_localuser.so
password [success=2 default=die] pam_winbind.so
password [success=1 default=die] pam_unix.so sha512 shadow
password requisite pam_deny.so
</nowiki>}}
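The {{ic|[success=N default=...]}} controls above are jumps: on success the next N modules are skipped, otherwise the default action applies, which is why a local user never reaches {{ic|pam_winbind.so}} and a failed domain login dies instead of falling through to {{ic|pam_unix.so}}. To see this without touching {{ic|/etc/pam.d}}, the following added example (not part of the original article) interprets a simplified model of these Linux-PAM controls over the "auth" stack above and over a common mistake, keeping the original {{ic|auth required pam_unix.so}} line instead of replacing it; the stacks and module results are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the ArchWiki article: a small interpreter for the
# control flags used in the PAM stacks above, so the effect of the order of the
# entries and of the [success=N default=...] actions can be checked before the
# stack is installed.  It models a subset of Linux-PAM semantics: success=N
# (count as success, skip N modules), ok/done/ignore/bad/die, and the keywords
# required/requisite/sufficient.  pam_deny.so always fails; the result of every
# other module is supplied by the caller.  Stacks and results are constructed.

# pam_sim <stack text> "<module>=success|fail ..."
# Prints SUCCESS/FAIL plus the modules consulted in order; returns 0 or 1.
pam_sim() {
    printf '%s\n' "$1" | awk -v results="$2" '
    BEGIN {
        split(results, pairs, " ")
        for (k in pairs) { split(pairs[k], kv, "="); res[kv[1]] = kv[2] }
    }
    NF == 0 || $1 ~ /^#/ { next }
    {
        n++
        if ($2 ~ /^\[/) {                 # bracketed control, e.g. "[success=1 default=ignore]"
            c = $2; f = 3
            while (c !~ /\]$/ && f <= NF) { c = c " " $f; f++ }
            ctl[n] = c; mod[n] = $f
        } else { ctl[n] = $2; mod[n] = $3 }
    }
    END {
        i = 1; contributed = 0; failed = 0; consulted = ""
        while (i <= n) {
            m = mod[i]
            r = (m == "pam_deny.so") ? "fail" : ((m in res) ? res[m] : "fail")
            consulted = consulted (consulted == "" ? "" : " ") m "(" r ")"
            jump = 0; stop = 0; c = ctl[i]
            if (c ~ /^\[/) {
                gsub(/\[|\]/, "", c)
                spec = ""; def = ""
                np = split(c, parts, " ")
                for (p = 1; p <= np; p++) {
                    split(parts[p], kv, "=")
                    if (kv[1] == "default") { def = kv[2] } else if (kv[1] == r) { spec = kv[2] }
                }
                act = (spec != "") ? spec : def
                if (act ~ /^[0-9]+$/)   { contributed = 1; jump = act + 0 }
                else if (act == "ok")   { contributed = 1 }
                else if (act == "done") { contributed = 1; stop = 1 }
                else if (act == "bad")  { failed = 1 }
                else if (act == "die")  { failed = 1; stop = 1 }
                # "ignore": the module does not contribute to the result
            } else if (c == "required") {
                if (r == "success") { contributed = 1 } else { failed = 1 }
            } else if (c == "requisite") {
                if (r == "success") { contributed = 1 } else { failed = 1; stop = 1 }
            } else if (c == "sufficient") {
                if (r == "success" && !failed) { contributed = 1; stop = 1 }
            }
            if (stop) break
            i += 1 + jump
        }
        ok = (contributed && !failed)
        printf "%s consulted: %s\n", (ok ? "SUCCESS" : "FAIL"), consulted
        exit !ok
    }'
}

# The "auth" stack from the page.
AUTH_STACK='auth [success=1 default=ignore] pam_localuser.so
auth [success=2 default=die] pam_winbind.so
auth [success=1 default=die] pam_unix.so nullok
auth requisite pam_deny.so'

# Common mistake: the stock "auth required pam_unix.so" line was kept instead
# of replaced, so every domain login also has to satisfy pam_unix (and fails).
LEFTOVER_STACK="auth required pam_unix.so
$AUTH_STACK"

# Stand-alone run: local user, domain user, domain user with a wrong password,
# and a domain user against the broken stack (exit code 1 means FAIL).
pam_sim "$AUTH_STACK" "pam_localuser.so=success pam_unix.so=success" || :
pam_sim "$AUTH_STACK" "pam_localuser.so=fail pam_winbind.so=success" || :
pam_sim "$AUTH_STACK" "pam_localuser.so=fail pam_winbind.so=fail" || :
pam_sim "$LEFTOVER_STACK" "pam_localuser.so=fail pam_winbind.so=success pam_unix.so=fail" || :
```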

=== Testing login ===

Now start a new console session (or ssh) and try to log in using the AD credentials. The domain name is optional, as this was set in the Winbind configuration ({{ic|winbind use default domain}}). Please note that in the case of ssh, you will need to modify {{ic|/etc/ssh/sshd_config}} to allow Kerberos authentication ({{ic|KerberosAuthentication yes}}).

{{bc|

test.user

EXAMPLE+test.user

}}

Both should work. You should notice that {{ic|/home/example/test.user}} is created automatically.

'''Log into another session using a Linux account. Check that you are still able to log in as root, but keep in mind to stay logged in as root in at least one session!'''

== Configuring Shares ==

Earlier we skipped the configuration of the shares. Now that things are working, go back to {{ic|/etc/samba/smb.conf}} and add the exports of the host that you want available on the Windows network.

{{hc|/etc/samba/smb.conf|<nowiki>

[MyShare]

comment = Example Share

path = /srv/exports/myshare

read only = no

browseable = yes

valid users = @NETWORK+"Domain Admins" NETWORK+test.user

</nowiki>}}

In the above example, the keyword '''NETWORK''' is to be used. Do not mistakenly substitute it with your domain name. To add groups, prepend the {{ic|@}} symbol to the group name. Note that {{ic|Domain Admins}} is enclosed in quotes so that Samba parses it correctly when reading the configuration file.

== Adding a machine keytab file and activating password-free kerberized ssh to the machine ==

This section explains how to generate a machine keytab file, which you will need, for example, to enable password-free kerberized ssh to your machine from other machines in the domain. The scenario in mind: you have a number of systems in your domain and have just added a server or workstation to it using the description above, onto which many users need to ssh in order to work (for example a GPU workstation or an OpenMP compute node). In this case you might not want to type your password every time you log in. On the other hand, the key authentication many users would use in this case cannot give you the credentials needed to, for example, mount kerberized NFSv4 shares. So this will help you enable password-free logins from your clients to the machine in question using Kerberos ticket forwarding.

=== Creating a machine key tab file ===

Run {{ic|net ads keytab create -U administrator}} as root to create a machine keytab file in {{ic|/etc/krb5.keytab}}. It will prompt you with a warning that we need to enable keytab authentication in our configuration file, so we will do that in the next step. In my case it had problems when a keytab file was already in place: the command just did not come back, it hung. In that case you should rename the existing {{ic|/etc/krb5.keytab}} and run the command again; it should work now.

{{bc|# net ads keytab create -U administrator}}

Verify the content of your keytab by running:

{{hc|# klist -k /etc/krb5.keytab|<nowiki>

Keytab name: FILE:/etc/krb5.keytab

KVNO Principal

---- --------------------------------------------------------------------------

4 host/myarchlinux.example.com@EXAMPLE.COM

4 host/myarchlinux.example.com@EXAMPLE.COM

4 host/myarchlinux.example.com@EXAMPLE.COM

4 host/myarchlinux.example.com@EXAMPLE.COM

4 host/myarchlinux.example.com@EXAMPLE.COM

4 host/MYARCHLINUX@EXAMPLE.COM

4 host/MYARCHLINUX@EXAMPLE.COM

4 host/MYARCHLINUX@EXAMPLE.COM

4 host/MYARCHLINUX@EXAMPLE.COM

4 host/MYARCHLINUX@EXAMPLE.COM

4 MYARCHLINUX$@EXAMPLE.COM

4 MYARCHLINUX$@EXAMPLE.COM

4 MYARCHLINUX$@EXAMPLE.COM

4 MYARCHLINUX$@EXAMPLE.COM

4 MYARCHLINUX$@EXAMPLE.COM

</nowiki>}}

=== Enabling keytab authentication ===

Now you need to tell winbind to use the file by adding these lines to {{ic|/etc/samba/smb.conf}}:

{{bc|<nowiki>
kerberos method = system keytab
dedicated keytab file = /etc/krb5.keytab
</nowiki>}}

It should look something like this:

{{hc|/etc/samba/smb.conf|<nowiki>

[Global]

netbios name = MYARCHLINUX

workgroup = EXAMPLE

realm = EXAMPLE.COM

server string = %h ArchLinux Host

security = ads

encrypt passwords = yes

password server = pdc.example.com

kerberos method = system keytab

dedicated keytab file = /etc/krb5.keytab

idmap config * : backend = tdb

idmap config * : range = 10000-20000

winbind use default domain = Yes

winbind enum users = Yes

winbind enum groups = Yes

winbind nested groups = Yes

winbind separator = +

winbind refresh tickets = yes

template shell = /bin/bash

template homedir = /home/%D/%U

preferred master = no

dns proxy = no

wins server = pdc.example.com

wins proxy = no

inherit acls = Yes

map acl inherit = Yes

acl group control = yes

load printers = no

debug level = 3

use sendfile = no

</nowiki>}}

Restart {{ic|winbind.service}} with root privileges:

{{bc|# systemctl restart winbind.service}}

Check that everything works by getting a machine ticket for your system:

{{bc|# kinit MYARCHLINUX$ -kt /etc/krb5.keytab}}

This should not give you any feedback, but running {{ic|klist}} should show you something like:

{{hc|# klist|

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: MYARCHLINUX$@EXAMPLE.COM

Valid starting Expires Service principal

02/04/12 21:27:47 02/05/12 07:27:42 krbtgt/EXAMPLE.COM@EXAMPLE.COM

renew until 02/05/12 21:27:47

}}

Some common mistakes here are a) forgetting the trailing {{ic|$}} or b) ignoring case sensitivity; the principal needs to look exactly like the entry in the keytab (usually you cannot do much wrong with all capitals).
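When {{ic|kinit -kt}} fails, the two mistakes just named are hard to tell apart from a genuinely missing key. The helper below is an added example, not part of the original article: it compares the principal you intend to use against the principals listed by {{ic|klist -k}} and says which of the two slips it looks like. The {{ic|klist -k}} output it parses is constructed to match the MYARCHLINUX example above.

```bash
#!/usr/bin/env bash
# Added example, not part of the ArchWiki article: diagnose the two kinit
# mistakes named in the text (missing trailing "$", wrong case) by checking the
# requested principal against the principals in "klist -k" output.
# The output below is constructed to match the page's MYARCHLINUX keytab.

KLIST_K_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/myarchlinux.example.com@EXAMPLE.COM
   4 host/MYARCHLINUX@EXAMPLE.COM
   4 MYARCHLINUX$@EXAMPLE.COM
   4 MYARCHLINUX$@EXAMPLE.COM'

# keytab_principals <klist -k output>: the distinct principals, one per line
# (skips the three header lines; the principal is the second column).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# check_principal <klist -k output> <principal>
# Returns 0 when the principal is in the keytab exactly as typed; otherwise
# prints a hint naming the most likely mistake and returns 1.
check_principal() {
    principals=$(keytab_principals "$1")
    want=$2
    if printf '%s\n' "$principals" | grep -qxF -- "$want"; then
        echo "ok: $want is in the keytab"; return 0
    fi
    # Mistake a): machine account typed without its trailing "$" before the "@".
    with_dollar=$(printf '%s' "$want" | sed 's/@/$@/')
    if printf '%s\n' "$principals" | grep -qxF -- "$with_dollar"; then
        echo "missing trailing \$: did you mean $with_dollar ?"; return 1
    fi
    # Mistake b): right name, wrong case (Kerberos principals are case-sensitive).
    ci=$(printf '%s\n' "$principals" | grep -ixF -- "$want" | head -n 1)
    if [ -n "$ci" ]; then
        echo "case mismatch: keytab has $ci, not $want"; return 1
    fi
    echo "not found: $want is not in the keytab"; return 1
}

# Stand-alone run; on a real host feed it "$(klist -k /etc/krb5.keytab)" instead.
for p in 'MYARCHLINUX$@EXAMPLE.COM' 'MYARCHLINUX@EXAMPLE.COM' 'myarchlinux$@EXAMPLE.COM' 'BDC$@EXAMPLE.COM'; do
    check_principal "$KLIST_K_OUTPUT" "$p" || :
done
```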

=== Preparing sshd on server ===

All we need to do is add some options to {{ic|sshd_config}} and restart {{ic|sshd.service}}.

Edit {{ic|/etc/ssh/sshd_config}} so that the relevant parts look like this:

{{hc|# /etc/ssh/sshd_config|

...

# Change to no to disable s/key passwords

ChallengeResponseAuthentication no

# Kerberos options

KerberosAuthentication yes

#KerberosOrLocalPasswd yes

KerberosTicketCleanup yes

KerberosGetAFSToken yes

# GSSAPI options

GSSAPIAuthentication yes

GSSAPICleanupCredentials yes

...

}}

Restart {{ic|sshd.service}}:

{{bc|# systemctl restart sshd.service}}

=== Adding necessary options on client ===

First we need to make sure that the tickets on our client are forwardable. This is usually the default, but it is better to check anyway. Look for the {{ic|forwardable}} option in the client's {{ic|/etc/krb5.conf}} and set it to {{ic|true}}:

{{bc|<nowiki>forwardable = true</nowiki>}}

Secondly, we need to add the options

{{bc|<nowiki>
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
</nowiki>}}

to our {{ic|~/.ssh/config}} file to tell ssh to use these options; alternatively, they can be passed with the {{ic|-o}} option directly on the ssh command line (see {{ic|man ssh}} for help).

=== Testing the setup ===

On the client:

Make sure you have a valid ticket; if in doubt, run {{ic|kinit}}.

Then use ssh to connect to your machine:

{{bc|ssh myarchlinux.example.com }}

You should be connected without having to enter your password.

If you additionally have key authentication enabled, run

{{bc|ssh -v myarchlinux.example.com }}

to see which authentication method is actually used.

For debugging, you can enable {{ic|DEBUG3}} logging on the server and inspect the journal with {{ic|journalctl}}.

=== Nifty fine-tuning for complete password-free Kerberos handling ===

In case your clients are not using domain accounts on their local machines (for whatever reason), it can be hard to actually teach them to kinit before ssh-ing to the workstation. Therefore I came up with a nice workaround:

==== Generating user keytabs which are accepted by AD ====

On a system, let the user run:

{{bc|<nowiki>

ktutil

addent -password -p username@EXAMPLE.COM -k 1 -e RC4-HMAC

- enter password for username -

wkt username.keytab

q

</nowiki>}}

Now test the file by invoking:

{{bc|kinit -kt username.keytab}}

It should not prompt you for your password, nor give any other feedback. If it worked you are basically done: just put the line above into your {{ic|~/.bashrc}}; you can now get Kerberos tickets without typing a password, and with that you can connect to your workstation without typing a password while being completely kerberized and able to authenticate against NFSv4 and CIFS via tickets. Pretty neat. Since the keytab holds a key derived from your password, keep it readable by your own account only.

==== Nice to know ====

The file {{ic|username.keytab}} is not machine-specific and can therefore be copied around. E.g. we created the files on a Linux machine and copied them to our Mac clients, as the commands on Macs are different ...

== See also ==

* [[wikipedia:Active_Directory|Wikipedia: Active Directory]]

* [[wikipedia:Samba_(software)|Wikipedia: Samba]]

* [[wikipedia:Kerberos_(protocol)|Wikipedia: Kerberos]]

* [http://www.samba.org/samba/docs Samba: Documentation]

* [http://wiki.samba.org/index.php/Samba_&_Active_Directory Samba Wiki: Samba & Active Directory]

* [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html Samba Man Page: smb.conf]

=== Commercial Solutions ===

* Centrify

* Likewise
