This page explains kerberos and NIS configuration for Solaris 10 08/07 to make samba and ssh servers authenticate against MS Active Directory (AD).
This chapter assumes that a NIS server from Services for Unix (SFU), which is part of Windows Server 2003 R2, is running on the AD controller. It is important that the NIS passwd and shadow maps have user passwords replaced with “x”.
Here is the setup of a NIS client.
/etc/defaultdomain:
nisdomain
# domainname nisdomain
/etc/hosts:
192.168.0.1 adc-1.domain.com adc-1
192.168.1.1 adc-2.domain.com adc-2
# ypinit -c
Make sure you use FQDN for NIS servers in the ypinit dialogs. Otherwise, NIS will fail to bind.
/etc/nsswitch.conf:
passwd: files nis
group: files nis
automount: files nis
# svcadm enable nis/client
# ypwhich # ypcat passwd # ypcat groups # ypcat auto.mount
/etc/auto_master:
#+auto_home
+auto.mount
# automount
# svcadm enable nfs/client
# su - <username>
Kerberos V relies heavily on two other services: the NTP and DNS clients.
This might have already been set up by the ops setup script.
/etc/inet/ntp.conf:
server 192.168.0.1 prefer
driftfile /etc/inet/ntp.drift
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.1 noquery nomodify
# svcadm enable ntp
This might have already been set up by the ops setup script.
/etc/resolv.conf:
domain domain.com
nameserver 192.168.0.2
nameserver 192.168.1.2
search domain.com subdomain.domain.com
/etc/nsswitch.conf:
hosts: files dns
ipnodes: files dns
# svcadm enable dns/client
/etc/krb5/krb5.conf:
[libdefaults]
        default_realm = DOMAIN.COM
        default_keytab_name = /etc/krb5/krb5.keytab
        # verify_ap_req_nofail = false    # See man pam_krb5 for an example when this line is needed

[realms]
        DOMAIN.COM = {
                kdc = adc-1.domain.com
                kdc = adc-2.domain.com
                admin_server = adc-1.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
        .subdomain.domain.com = DOMAIN.COM
        subdomain.domain.com = DOMAIN.COM

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
/etc/hosts must contain the machine's own entry:
192.168.0.10 machine.domain.com machine
Otherwise joining the domain will fail.
/etc/sfw/smb.conf:
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        #use kerberos keytab = yes
        ldap ssl = no

[homes]
        path = /export/home
        read only = No
“use kerberos keytab” is set to “no” by default. If “yes” worked, it would have simplified the setup of a keytab file. /etc/krb5/krb5.keytab is used by sshd through the pam_krb5 module: pam_krb5 uses it to verify that a user ticket comes from a valid KDC by trying to obtain a host service ticket. Samba does not use it; it relies on /etc/sfw/private/secrets.tdb instead. Without a valid keytab file, the libdefaults section of krb5.conf would have to contain
verify_ap_req_nofail = false
which would make sshd Kerberos authentication vulnerable to DNS spoofing. See man pam_krb5 for more details.
# /usr/sfw/sbin/net ads join -U Administrator%password
This makes the Samba server a member server in Active Directory. Administrator is a domain admin account. Note that attempting to avoid entering a clear-text password on the command line by typing it at the password prompt does not work!
# net ads testjoin
# svcadm enable samba
# svcadm enable wins
There seems to be no reason to enable winbind.
Now we need a keytab for sshd to work. Samba apparently has a bug handling the keytab file: for some reason it fails to write to it, so a command like “net ads keytab create” will fail.
Solaris ktutil does not support the rc4-hmac-nt encryption type, which is the default for an MS AD controller, even though the MIT implementation of Kerberos, which Solaris uses, does support it. Therefore, we generate the keytab file on Windows.
# tdbdump /etc/sfw/private/secrets.tdb
Look for the key(33); for example,
key(33) = "SECRETS/MACHINE_PASSWORD/NJINVIDI"
data(15) = "v_sxRMSdfr48-q\00"
data(15) has the machine password, which we need at the next step, excluding the terminating \00.
# ktpass -princ host/<fqdn>@<realm> -mapuser <samba-netbios-name>$@<NT domain> -pass * -ptype KRB5_NT_SRV_HST -mapop set -out krb5.keytab
For example,
# ktpass -princ host/machine.domain.com@DOMAIN.COM -mapuser machine$@DOMAIN -pass * -ptype KRB5_NT_SRV_HST -mapop set -out krb5.keytab
At the password prompt, type the machine password extracted with the tdbdump command above. Because we used “-mapop set”, we need to add the NetBIOS-name SPN to the mapping with
# setspn -A host/<NetBIOS-name> <computer-name>
For example,
# setspn -A host/MACHINE machine
Remember that NetBIOS names are limited to 15 characters including the trailing “$”.
# setspn -L <computer-name>
For example,
# setspn -L machine
# ls -l /etc/krb5/krb5.keytab
-rw------- 1 root root 79 Nov 28 11:34 /etc/krb5/krb5.keytab
# kinit -k
# klist
# kdestroy
/etc/ssh/sshd_config:
PAMAuthenticationViaKBDInt yes
/etc/pam.conf:
# it is necessary to comment out the line below for changing a password with passwd instead of kpasswd
#passwd auth required pam_passwd_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_krb5.so.1
other account required pam_unix_account.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
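As an added example (not part of the original page), here are POSIX sh checks for the three sshd-side Kerberos settings discussed above: that krb5.conf carries no uncommented verify_ap_req_nofail = false, that the keytab is root-owned and mode 0600, and that the pam.conf “other auth” stack lists pam_krb5 as sufficient ahead of pam_unix_auth. The file paths and the expected keytab owner are parameters I chose; the defaults are the Solaris 10 locations this page uses.

```shell
# Added example, not from the original page: sanity checks for the sshd-side
# Kerberos pieces above (krb5.conf, the keytab, the pam.conf "other auth" stack).
# Paths and the expected keytab owner are parameters; the defaults are the
# Solaris 10 locations used on this page.

# 0 when krb5.conf has no uncommented "verify_ap_req_nofail = false" line,
# i.e. pam_krb5 will still verify the user's ticket against the host keytab.
krb5_conf_ok() {
    conf=${1:-/etc/krb5/krb5.conf}
    [ -r "$conf" ] || { echo "WARN: $conf missing or unreadable"; return 1; }
    if sed 's/#.*//' "$conf" |
       grep -Eiq '^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*false'; then
        echo "WARN: $conf disables KDC verification (DNS spoofing risk for sshd)"
        return 1
    fi
    return 0
}

# 0 when the keytab exists, is mode 0600 and is owned by the expected user
# (root by default); uses find(1) because Solaris 10 has no stat(1).
keytab_ok() {
    kt=${1:-/etc/krb5/krb5.keytab}
    owner=${2:-root}
    [ -f "$kt" ] || { echo "WARN: keytab $kt missing"; return 1; }
    [ -n "$(find "$kt" -perm 0600 -user "$owner" -print)" ] && return 0
    echo "WARN: $kt must be mode 0600 and owned by $owner"
    return 1
}

# 0 when, in the "other auth" stack, pam_krb5 is "sufficient" and listed
# before the "required" pam_unix_auth line, matching the stack above.
pam_order_ok() {
    pam=${1:-/etc/pam.conf}
    [ -r "$pam" ] || { echo "WARN: $pam missing or unreadable"; return 1; }
    krb=$(sed 's/#.*//' "$pam" | awk '$1=="other" && $2=="auth" && $3=="sufficient" && $4 ~ /pam_krb5/ {print NR; exit}')
    unx=$(sed 's/#.*//' "$pam" | awk '$1=="other" && $2=="auth" && $3=="required" && $4 ~ /pam_unix_auth/ {print NR; exit}')
    if [ -n "$krb" ] && [ -n "$unx" ] && [ "$krb" -lt "$unx" ]; then
        return 0
    fi
    echo "WARN: $pam: 'other auth sufficient pam_krb5' must precede 'other auth required pam_unix_auth'"
    return 1
}
```

Source the file on the Solaris host and call each function with no arguments to check the live configuration; a non-zero return together with a WARN line marks a problem.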
This might have already been done by osp setup
# svcadm enable ssh
# svcadm enable swat
Note that the connection is unencrypted, so the passwords transmitted for authentication will be in clear text. Use with caution!