Kerberos on Solaris

This page explains the Kerberos and NIS configuration for Solaris 10 08/07 that makes Samba and ssh servers authenticate against MS Active Directory (AD): NIS, served by the AD controller, supplies user and group information, and Kerberos handles authentication.

Authorization with NIS

This chapter assumes that a NIS server from Services for Unix (SFU), which is part of Windows Server 2003 R2, is running on the AD domain controller. It is important that the NIS passwd and shadow maps have the user passwords replaced with “x”: NIS maps can be read by any host that can reach the server (ypcat needs no credentials), so a map that carries password hashes publishes them to the whole network. With “x” in place the maps provide only identity data and authentication is left to Kerberos.

Here is the setup of a NIS client.

In /etc/defaultdomain:

nisdomain
# domainname nisdomain

In /etc/hosts, so that the NIS servers resolve before DNS is configured:

192.168.0.1 adc-1.domain.com adc-1
192.168.1.1 adc-2.domain.com adc-2
# ypinit -c

Make sure you use the FQDNs of the NIS servers in the ypinit dialogs; otherwise NIS will fail to bind.

In /etc/nsswitch.conf:

passwd:     files nis
group:      files nis
automount:  files nis
# svcadm enable nis/client
# ypwhich
# ypcat passwd
# ypcat group
# ypcat auto.mount
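As an added example (not from the original page), the following script runs the “x” check from the beginning of this chapter offline: it scans passwd- or shadow-format lines and reports every entry whose password field is a real hash or is empty. The sample map, its users and the hash in it are constructed; on a client the same function is fed from ypcat.

```shell
#!/bin/sh
# Added example, not code from the original page: check a NIS passwd or shadow
# map for entries that publish a password hash (or no password at all) instead
# of the "x" placeholder. ypcat needs no credentials, so anything in these maps
# is readable by every host on the network.
AWK=${AWK:-awk}   # on Solaris 10 use AWK=nawk; /usr/bin/awk lacks sub()

# check_passwd_map: read passwd(4)/shadow(4)-format lines on stdin and print
# "user:hash-exposed" or "user:empty-password" for every entry whose second
# field is not "x". Exit 1 if anything was reported, 0 if the map is clean.
check_passwd_map() {
    $AWK -F: '
        NF == 0 || /^#/ { next }                       # blank lines, comments
        NF < 2          { next }                       # not a passwd record
        $2 == "x"       { next }                       # placeholder: nothing leaks
        $2 == ""        { print $1 ":empty-password"; bad++; next }
                        { print $1 ":hash-exposed";   bad++ }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample map (not real data): a clean entry, one carrying an
# MD5-crypt hash and one with an empty password field.
SAMPLE_PASSWD_MAP='alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$u7Fj2kLm$3dFg9Hj8kLmN0pQrStUvW/:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh'

# Against the live map on a client:  ypcat passwd | check_passwd_map
printf '%s\n' "$SAMPLE_PASSWD_MAP" | check_passwd_map \
    || echo "NIS map publishes credentials; fix the SFU export before relying on Kerberos"
```

The shadow map is checked the same way, since both formats carry the password in the second field. On Solaris 10 run it with AWK=nawk, because the default /usr/bin/awk lacks the functions used here.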

NFS client and automounts

The +auto_home include is commented out and the NIS auto.mount map is included instead; then restart the automounter, enable the NFS client and log in as an NIS user to confirm that the home directory is mounted:

#+auto_home
+auto.mount
# automount
# svcadm enable nfs/client
# su - <username>

Authentication with Kerberos V

Kerberos V relies heavily on two other services, the NTP and DNS clients. The KDC rejects requests whose timestamp is off by more than the allowed clock skew (5 minutes by default), and the KDC and host principal names are taken from DNS, so get both right before debugging anything else.

NTP client config

This might have already been set up by the ops setup script. In /etc/inet/ntp.conf, take time from the domain controller and refuse NTP packets from everyone else:

server 192.168.0.1  prefer

driftfile /etc/inet/ntp.drift
restrict default ignore
restrict 127.0.0.1

restrict 192.168.0.1 noquery nomodify
# svcadm enable ntp

DNS client config

This might have already been set up by the ops setup script. In /etc/resolv.conf:

domain domain.com
nameserver 192.168.0.2
nameserver 192.168.1.2
search domain.com subdomain.domain.com

(domain and search are mutually exclusive; when both appear the last one wins, so the search line above is what takes effect.) In /etc/nsswitch.conf:

hosts:     files dns
ipnodes:   files dns
# svcadm enable dns/client

krb5.conf

The file is /etc/krb5/krb5.conf:

[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = /etc/krb5/krb5.keytab
        # verify_ap_req_nofail = false   # leave commented out; see the Samba section and man pam_krb5 for when this line is needed

[realms]
        DOMAIN.COM = {
        kdc = adc-1.domain.com
        kdc = adc-2.domain.com
        admin_server = adc-1.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
        .subdomain.domain.com = DOMAIN.COM
        subdomain.domain.com = DOMAIN.COM

[appdefaults]
        kinit = {
        renewable = true
        forwardable = true
        }

Samba configuration

The host's own FQDN and short name must resolve to its address, so add it to /etc/hosts:

192.168.0.10 machine.domain.com machine

Otherwise joining the domain will fail.

In /etc/sfw/smb.conf:

[global]
	workgroup = DOMAIN
	realm = DOMAIN.COM
	security = ADS
	#use kerberos keytab = yes
	ldap ssl = no

[homes]
	path = /export/home
	read only = No

“use kerberos keytab” is set to “no” by default. If “yes” worked it would simplify the keytab setup, because Samba would maintain /etc/krb5/krb5.keytab itself. That file is what sshd's PAM stack needs: pam_krb5 uses the host key in the keytab to request a host service ticket with the user's freshly obtained TGT and checks that the ticket decrypts with the host key. That proves the TGT came from a KDC that knows the host key, i.e. the real one. Samba does not use the keytab for its own membership; it keeps the machine password in /etc/sfw/private/secrets.tdb. Without a valid keytab the [libdefaults] section of krb5.conf would have to contain

verify_ap_req_nofail = false

which tells pam_krb5 to accept the TGT even when the host-ticket check cannot be done. That opens sshd's Kerberos authentication to KDC spoofing: an attacker who can redirect the client's KDC traffic (for example by DNS spoofing) answers the AS exchange with a forged TGT for a password of their own choosing and logs in as any user. See man pam_krb5 for more details.

# /usr/sfw/sbin/net ads join -U Administrator%password

This will make the Samba server a member server in Active Directory. Administrator is a domain admin account. Note that attempting to avoid entering a clear-text password on the command line by typing it at the password prompt instead does not work! A password passed on the command line is visible to every local user in the process list while the command runs and is recorded in the shell history, so remove it from the history afterwards.

# net ads testjoin
# svcadm enable samba
# svcadm enable wins

There seems to be no reason to enable winbind: NIS already supplies the Unix identities of the AD users, which is what winbind would otherwise do.

Configure ssh server to use kerberos

Now we need a keytab for sshd to work. Samba apparently has a bug handling the keytab file: for some reason it fails to write to it, so a command like “net ads keytab create” fails.

Solaris ktutil does not support the rc4-hmac-nt encryption type, which is the default for an MS AD controller, even though the MIT implementation of Kerberos that Solaris is based on does support it. Therefore we generate the keytab file on Windows with ktpass. ktpass sets the password of the account it maps the principal to, and Samba's membership relies on the machine password it saved in secrets.tdb when joining, so first extract that password and give ktpass the same value; otherwise the new keytab would break the join.

# tdbdump /etc/sfw/private/secrets.tdb

Look for the key whose name begins with SECRETS/MACHINE_PASSWORD/ followed by the NetBIOS name (the number in parentheses is the length of the key or value, so it varies with the name); for example,

key(33) = "SECRETS/MACHINE_PASSWORD/NJINVIDI"
data(15) = "v_sxRMSdfr48-q\00"

data(15) holds the machine password, which we need at the next step, excluding the terminating \00. This password is the host's domain credential: secrets.tdb must stay readable by root only, and the dump should not be left in a file or in the shell history.

# ktpass -princ host/<fqdn>@<realm> -mapuser <samba-netbios-name>$@<NT domain> -pass * -ptype KRB5_NT_SRV_HST -mapop set -out krb5.keytab

For example,

# ktpass -princ host/machine.domain.com@DOMAIN.COM -mapuser machine$@DOMAIN -pass * -ptype KRB5_NT_SRV_HST -mapop set -out krb5.keytab

At the password prompt, type the machine password extracted with the tdbdump command above. Because we used “-mapop set”, we also need to add the NetBIOS-name SPN to the mapping with

# setspn -A host/<NetBIOS-name> <computer-name>

For example,

# setspn -A host/MACHINE machine

Remember that NetBIOS names are limited to 15 characters; the computer account name (sAMAccountName) is that name with “$” appended, so a longer hostname is truncated to 15 characters and the -mapuser and setspn arguments must use the truncated name, which is the one that appears after SECRETS/MACHINE_PASSWORD/ in the tdbdump output.
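The extraction and the Windows commands above, as an added example that is not part of the original page or of Samba: it parses a tdbdump listing for the SECRETS/MACHINE_PASSWORD record, strips the \00 terminator, refuses values it cannot decode, checks the NetBIOS-name length and prints the ktpass and setspn lines. The host name machine.domain.com, realm DOMAIN.COM, NT domain DOMAIN and NetBIOS name NJINVIDI are the page's example values; the dump text is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page or from Samba: pull the
# machine password and NetBIOS name out of a `tdbdump secrets.tdb` listing
# and build the matching ktpass/setspn commands. The host machine.domain.com,
# realm DOMAIN.COM, NT domain DOMAIN and the SAMPLE_TDBDUMP text below are
# example values / constructed data.
AWK=${AWK:-awk}   # on Solaris 10 use AWK=nawk; /usr/bin/awk lacks sub()

# secrets_machine_password: read tdbdump output on stdin and print the value of
# the SECRETS/MACHINE_PASSWORD/<NETBIOS> record without its trailing \00.
# Exit 0 on success, 1 if the record is missing, 2 if the value still contains
# a backslash escape (tdbdump prints non-printable bytes as \XX; this does not
# decode them, so such a password has to be handled by hand).
secrets_machine_password() {
    $AWK '
        BEGIN { rc = 1 }
        /^key\([0-9]+\) = "/ { want = ($0 ~ /"SECRETS\/MACHINE_PASSWORD\//); next }
        want && /^data\([0-9]+\) = "/ {
            val = $0
            sub(/^data\([0-9]+\) = "/, "", val)   # strip the data(N) = " prefix
            sub(/"[ \t]*$/, "", val)              # and the closing quote
            sub(/\\00$/, "", val)                 # drop the NUL terminator
            if (val ~ /\\/) { rc = 2; exit }      # undecoded escape: refuse
            print val
            rc = 0
            exit
        }
        END { exit rc }
    '
}

# secrets_netbios_name: print the NetBIOS name that follows
# SECRETS/MACHINE_PASSWORD/ in the key; exit 1 if the record is missing.
secrets_netbios_name() {
    $AWK '
        /^key\([0-9]+\) = "SECRETS\/MACHINE_PASSWORD\// {
            name = $0
            sub(/^.*SECRETS\/MACHINE_PASSWORD\//, "", name)
            sub(/"[ \t]*$/, "", name)
            print name
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# ktpass_command FQDN REALM NETBIOS NTDOMAIN: print the ktpass invocation for
# the Windows side. "-pass *" makes ktpass prompt, so the machine password
# never appears on a command line. Fails if NETBIOS exceeds 15 characters,
# because NETBIOS$ would then not be the account name that exists in AD.
ktpass_command() {
    if [ ${#3} -gt 15 ]; then
        echo "NetBIOS name '$3' is longer than 15 characters" >&2
        return 1
    fi
    printf 'ktpass -princ host/%s@%s -mapuser %s$@%s -pass * -ptype KRB5_NT_SRV_HST -mapop set -out krb5.keytab\n' \
        "$1" "$2" "$3" "$4"
}

# setspn_command NETBIOS: register the short-name SPN after a "-mapop set".
setspn_command() {
    printf 'setspn -A host/%s %s\n' "$1" "$1"
}

# Constructed tdbdump listing (not a real dump): the machine-password record
# plus an unrelated record that the parser must skip.
SAMPLE_TDBDUMP='{
key(33) = "SECRETS/MACHINE_PASSWORD/NJINVIDI"
data(15) = "v_sxRMSdfr48-q\00"
}
{
key(25) = "SECRETS/DOMAIN_SID/DOMAIN"
data(24) = "\01\04\00\00\00\00\00\05\15\00\00\00\A1\B2\C3\D4\E5\F6\07\08\09\0A\0B\0C"
}'

# On the real host:  tdbdump /etc/sfw/private/secrets.tdb | secrets_machine_password
NETBIOS=$(printf '%s\n' "$SAMPLE_TDBDUMP" | secrets_netbios_name)
ktpass_command machine.domain.com DOMAIN.COM "$NETBIOS" DOMAIN
setspn_command "$NETBIOS"
```

The password itself is only printed by secrets_machine_password, so pipe it straight to wherever it is needed rather than into a file; the ktpass line deliberately uses "-pass *" so it can be typed at the prompt on the Windows side.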

Verify the SPNs registered on the account:

# setspn -L <computer-name>

For example,

# setspn -L machine

Copy the generated krb5.keytab to /etc/krb5/krb5.keytab, owned by root and readable by nobody else: it holds the host key, and anyone who can read it can impersonate the host and defeat the pam_krb5 check. Then confirm that the host principal can obtain a ticket with it:

# ls -l /etc/krb5/krb5.keytab
 -rw-------   1 root     root          79 Nov 28 11:34 /etc/krb5/krb5.keytab
# kinit -k
# klist
# kdestroy
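An added example (not from the original page) that audits the two conditions on which the pam_krb5 check depends: that verify_ap_req_nofail is not set to false in an active line of krb5.conf, and that the keytab is present, non-empty, owned by root and closed to group and others. The krb5.conf text is constructed; the keytab path and owner are parameters so that the demo can run in a scratch directory as an ordinary user.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the two things this
# page says sshd's Kerberos login depends on. An active
# "verify_ap_req_nofail = false" makes pam_krb5 accept a TGT it could not
# verify against the host key (the KDC spoofing case), and a keytab readable
# by anyone else leaks that host key. SAMPLE_KRB5_CONF below is constructed.
AWK=${AWK:-awk}   # on Solaris 10 use AWK=nawk; /usr/bin/awk lacks sub()

# unverified_ap_req FILE: print "<section>=<value>" for each uncommented
# verify_ap_req_nofail line in FILE. Exit 0 if any of them is "false", else 1.
unverified_ap_req() {
    $AWK '
        { line = $0; sub(/^[ \t]+/, "", line) }                 # trim leading blanks
        line == "" || line ~ /^#/ { next }                      # blanks and comments
        line ~ /^\[/ { section = substr(line, 2, index(line, "]") - 2); next }
        line ~ /^verify_ap_req_nofail[ \t]*=/ {
            val = line
            sub(/^[^=]*=[ \t]*/, "", val)                       # keep the value
            sub(/[ \t#].*$/, "", val)                           # drop a trailing comment
            print section "=" val
            if (tolower(val) == "false") bad = 1
        }
        END { exit (bad ? 0 : 1) }
    ' "$1"
}

# keytab_perms_ok FILE [OWNER]: exit 0 when FILE is non-empty, owned by OWNER
# (default root) and has no permission bits for group or others. ls -ld is
# parsed because stat(1) flags differ between Solaris and Linux.
keytab_perms_ok() {
    [ -s "$1" ] || return 1
    ls -ld "$1" | $AWK -v owner="${2:-root}" '
        { exit ((substr($1, 5, 6) == "------" && $3 == owner) ? 0 : 1) }
    '
}

# audit_krb5 CONF KEYTAB [OWNER]: report both checks; the return value is the
# number of warnings (0, 1 or 2).
audit_krb5() {
    warnings=0
    if findings=$(unverified_ap_req "$1"); then
        echo "WARN: $1 disables AP-REQ verification ($findings): pam_krb5 will trust any KDC that answers"
        warnings=$((warnings + 1))
    else
        echo "OK: $1 leaves verify_ap_req_nofail enabled"
    fi
    if keytab_perms_ok "$2" "$3"; then
        echo "OK: $2 is present and readable only by its owner"
    else
        echo "WARN: $2 is missing, empty, wrongly owned or readable by others"
        warnings=$((warnings + 1))
    fi
    return $warnings
}

# Constructed krb5.conf with the dangerous line left active:
SAMPLE_KRB5_CONF='[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = /etc/krb5/krb5.keytab
        verify_ap_req_nofail = false   # should be commented out once the keytab exists

[realms]
        DOMAIN.COM = {
        kdc = adc-1.domain.com
        }'

# Demo in a scratch directory: the config above and an empty keytab, both of
# which must be flagged. On the real host run
#   audit_krb5 /etc/krb5/krb5.conf /etc/krb5/krb5.keytab
scratch=$(mktemp -d)
printf '%s\n' "$SAMPLE_KRB5_CONF" > "$scratch/krb5.conf"
: > "$scratch/krb5.keytab"
audit_krb5 "$scratch/krb5.conf" "$scratch/krb5.keytab" "$(id -un)" || echo "warnings: $?"
rm -rf "$scratch"
```

The owner argument exists only so the demo can run unprivileged; on the server leave it out so that root is required, and treat either warning as a reason not to trust sshd's Kerberos logins until it is fixed.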
In /etc/ssh/sshd_config, so that sshd passes the password to PAM (and through it to pam_krb5):

PAMAuthenticationViaKBDInt yes

In /etc/pam.conf. With pam_krb5 marked sufficient for auth, a user whose Kerberos authentication succeeds is not checked against the local password, and a user with no principal falls through to pam_unix_auth:

# it is necessary to comment out the line below so that a password can be changed with passwd instead of kpasswd
#passwd auth required           pam_passwd_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_krb5.so.1
other   account required        pam_unix_account.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

This might have already been done by the ops setup script.

# svcadm enable ssh

Web interface for samba configuration - swat

# svcadm enable swat

http://machine:901/

Note that the connection is unencrypted, so the root password used to log in to SWAT is transmitted in clear text. Use with caution: only from the local machine or a trusted network, and disable the service when it is not needed. SWAT also rewrites smb.conf when it saves, dropping any comments.