ivaneeo's blog

          The power of freedom, a life of freedom.


          Kerberos Server Configuration

          These notes are for MIT Kerberos 1.3 or higher.

          • /etc/krb5.conf
            The /etc/krb5.conf configuration file should include rc4-hmac support under the [libdefaults] section. Windows XP uses rc4-hmac. However, do not include rc4-hmac in the default* encryption types, as older Unix clients may not support rc4-hmac.

            [libdefaults]
            default_realm = EXAMPLE.ORG
            default_etypes = des3-hmac-sha1 des-cbc-crc
            default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
            default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
            permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
            dns_lookup_realm = false
            dns_lookup_kdc = true

          • kdc.conf
            The kdc.conf configuration file on the Kerberos servers must support rc4-hmac as an encryption type.

            [realms]
            EXAMPLE.ORG = {
            database_name = /var/kerberos/krb5kdc/principal
            key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.ORG
            supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal rc4-hmac:normal
            }
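The two rules stated above (rc4-hmac permitted but kept out of the default_*_enctypes lists in krb5.conf, and listed in the realm's supported_enctypes in kdc.conf) are easy to get wrong by hand. The following Python script is an added example, not part of the original notes and not MIT's own profile parser: it reads the subset of the krb5.conf syntax used on this page ([section] headers, key = value lines and one level of NAME = { ... } blocks) and reports each rule that is not met. The sample configurations are constructed to mirror the page's. Note that by today's standards both des-cbc-crc and rc4-hmac are weak; modern MIT releases have dropped single-DES entirely and treat rc4-hmac as deprecated, so the check below encodes the page's 2013-era policy, not a current recommendation.

```python
"""Check the enctype policy from the notes above against krb5.conf and kdc.conf.

Added example, not part of the original notes. It parses the subset of MIT's
krb5.conf syntax used on this page and reports where the text's rules are not
met: rc4-hmac must be permitted but absent from the default_*_enctypes lists
in krb5.conf, and present in the realm's supported_enctypes in kdc.conf.
"""
import re

SECTION = re.compile(r'^\[(\w+)\]$')


def parse_krb5_conf(text):
    """Return {section: {key: value}} with NAME = { ... } blocks as nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError('setting outside any [section]: %r' % line)
        if line == '}':                          # end of a realm block
            block = None
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                         # start of a realm block
            block = key
            conf[section][block] = {}
            continue
        target = conf[section][block] if block else conf[section]
        target[key] = value
    return conf


def check_enctype_policy(krb5_text, kdc_text, realm):
    """Return a list of findings; an empty list means the notes' policy holds."""
    findings = []
    libdefaults = parse_krb5_conf(krb5_text).get('libdefaults', {})
    if 'rc4-hmac' not in libdefaults.get('permitted_enctypes', '').split():
        findings.append('krb5.conf: permitted_enctypes lacks rc4-hmac; '
                        'Windows XP clients cannot authenticate')
    for key in ('default_tkt_enctypes', 'default_tgs_enctypes'):
        if 'rc4-hmac' in libdefaults.get(key, '').split():
            findings.append('krb5.conf: %s lists rc4-hmac; older Unix '
                            'clients may not support it' % key)
    realms = parse_krb5_conf(kdc_text).get('realms', {})
    supported = realms.get(realm, {}).get('supported_enctypes', '')
    # entries look like "rc4-hmac:normal"; compare on the enctype name only
    if 'rc4-hmac' not in [e.split(':', 1)[0] for e in supported.split()]:
        findings.append('kdc.conf: supported_enctypes for %s lacks '
                        'rc4-hmac:normal' % realm)
    return findings


# Constructed samples mirroring the page's configuration (not real hosts).
GOOD_KRB5 = """\
[libdefaults]
default_realm = EXAMPLE.ORG
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc rc4-hmac
dns_lookup_kdc = true
"""

# Wrong in two ways: rc4-hmac is a default ticket enctype and is not permitted.
BAD_KRB5 = """\
[libdefaults]
default_realm = EXAMPLE.ORG
default_tkt_enctypes = des3-hmac-sha1 rc4-hmac
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
"""

KDC_CONF = """\
[realms]
EXAMPLE.ORG = {
database_name = /var/kerberos/krb5kdc/principal
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal rc4-hmac:normal
}
"""

if __name__ == '__main__':
    for name, text in (('good', GOOD_KRB5), ('bad', BAD_KRB5)):
        print(name, check_enctype_policy(text, KDC_CONF, 'EXAMPLE.ORG'))
```

Run it against the real files with `check_enctype_policy(open('/etc/krb5.conf').read(), open('/var/kerberos/krb5kdc/kdc.conf').read(), 'EXAMPLE.ORG')`; the good sample produces no findings and the bad sample produces two.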

          Windows Client Setup

          • Kerberos Configuration
            Use the ksetup.exe command to add the site Kerberos servers.

            $ ksetup.exe /addkdc EXAMPLE.ORG kerberos-1.example.org
            $ ksetup.exe /addkdc EXAMPLE.ORG kerberos-2.example.org
            $ ksetup.exe /addkdc EXAMPLE.ORG kerberos.example.org
            $ ksetup.exe /addkpasswd EXAMPLE.ORG kerberos.example.org
            $ ksetup.exe /setrealm EXAMPLE.ORG

          • Host principals
            Create host principals on each Windows client, then use the same password to create an equivalent principal in the MIT Kerberos database. If using an installation system such as Unattended, use a script to generate the random password and set up the host principal.

            #!/usr/bin/perl
            use strict;
            use warnings;

            my $domain = 'example.org';

            # Build the password from printable, non-whitespace ASCII characters.
            # Note: Perl's rand() is not a cryptographic generator; on a real
            # deployment system draw the password from the OS cryptographic
            # random source instead.
            my $password = '';
            my @chars = grep { /[[:print:]]/ and /\S/ } map { chr } 1..128;
            $password .= $chars[rand @chars] for 1..(int (rand 7)) + 8;   # 8 to 14 characters

            # List form of system(): the password is passed as one argument, not through a shell.
            system qw{ksetup.exe /setcomputerpassword}, $password;

            # Printed so the same values can be entered into kadmin on the KDC; be aware
            # that this also leaves the password in any captured installer output.
            print "Principal: host/", lc( $ENV{COMPUTERNAME} ), ".$domain\n";
            print "Password: $password\n";

            Then, use kadmin to add an equivalent principal to the Kerberos database, using the same password as above. Use the -e rc4-hmac:normal encryption option if adding a principal for a Windows XP system.

            kadmin: ank -e rc4-hmac:normal host/client.example.org
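The host-principal procedure above has one weak spot: the Perl script draws the computer password from rand(), which is not a cryptographic generator. The following Python script is an added example, not the page's script and not part of the Unattended project: it performs the same steps (password of 8 to 14 printable non-whitespace ASCII characters, ksetup.exe invocation without a shell, the lowercased host/ principal name, and the matching kadmin line) but takes the password from the secrets module. The function and file names are the example's own.

```python
"""Host-principal password generation for a Windows client (added example).

This is not the page's Perl script: it does the same job in Python but draws
the password from the secrets module, a CSPRNG, where the Perl version relies
on rand(), which is not suitable for generating secrets.
"""
import secrets
import string

# Same character class as the Perl script: printable, non-whitespace ASCII (94 chars).
ALPHABET = ''.join(c for c in string.printable if not c.isspace())


def host_password():
    """Return 8 to 14 characters, the same length range as the page's script."""
    length = 8 + secrets.randbelow(7)
    return ''.join(secrets.choice(ALPHABET) for _ in range(length))


def host_principal(computername, domain):
    """Principal name as the script prints it: host/<lowercased name>.<domain>."""
    return 'host/%s.%s' % (computername.lower(), domain)


def ksetup_argv(password):
    """Argument vector for ksetup.exe; a list, so no shell ever sees the password."""
    return ['ksetup.exe', '/setcomputerpassword', password]


def kadmin_command(principal, windows_xp=True):
    """kadmin line for the matching MIT principal; -e rc4-hmac:normal for XP clients."""
    enctype = ['-e', 'rc4-hmac:normal'] if windows_xp else []
    return ' '.join(['ank'] + enctype + [principal])


if __name__ == '__main__':
    import os
    import subprocess
    pw = host_password()
    principal = host_principal(os.environ.get('COMPUTERNAME', 'client'), 'example.org')
    # Like Perl's list-form system(); ksetup.exe only exists on Windows.
    if os.name == 'nt':
        subprocess.run(ksetup_argv(pw), check=True)
    # The page prints the password; be aware it then lands in any captured installer log.
    print('Principal:', principal)
    print('Password:', pw)
    print('kadmin:', kadmin_command(principal))
```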

          • User Mapping
            User mapping translates Kerberos principals to local accounts; the wildcard mapping below maps every principal in the realm to the local account of the same name. See module:users for user account management under CFEngine.

            $ ksetup.exe /mapuser * *

          Samba

          Windows clients can authenticate to Samba using Kerberos. Use Samba version 3.0.14a or higher on the server, and enable Kerberos support in the smb.conf configuration file.

          [global]
          use kerberos keytab = yes
          realm = EXAMPLE.ORG
          security = ads

          Multiple host and cifs principals must be created for each Samba server, as principals are case sensitive, and Windows systems may randomly start using Server.example.org or SERVER.EXAMPLE.ORG when connecting. Extract these principals to the /etc/krb5.keytab file on each Samba server.

          kadmin: ank -randkey host/server.example.org
          kadmin: ank -randkey host/Server.example.org
          kadmin: ank -randkey host/SERVER.EXAMPLE.ORG
          kadmin: ank -randkey cifs/server.example.org
          kadmin: ank -randkey cifs/Server.example.org
          kadmin: ank -randkey cifs/SERVER.EXAMPLE.ORG
          kadmin: ktadd -k /etc/krb5.keytab host/server.example.org
          kadmin: ktadd -k /etc/krb5.keytab host/Server.example.org
          kadmin: ktadd -k /etc/krb5.keytab host/SERVER.EXAMPLE.ORG
          kadmin: ktadd -k /etc/krb5.keytab cifs/server.example.org
          kadmin: ktadd -k /etc/krb5.keytab cifs/Server.example.org
          kadmin: ktadd -k /etc/krb5.keytab cifs/SERVER.EXAMPLE.ORG
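Because the six case variants above are easy to miss on one of several Samba servers, it helps to derive the list from the hostname and verify the keytab against it. The following Python script is an added example, not part of the original notes or of Samba: it reproduces the page's host/ and cifs/ principal names for a server, emits the equivalent kadmin command batch, and compares the required set against the output of `klist -k` on that server. The `klist -k` sample is constructed and deliberately lacks one principal so the check has something to report.

```python
"""Derive the case-variant principals a Samba server needs and check a keytab.

Added example, not part of the original notes. It reproduces the page's six
host/ and cifs/ principal names for a server and compares them against the
output of "klist -k" on that server (a constructed sample is embedded below).
"""
import re

SERVICES = ('host', 'cifs')


def samba_principals(fqdn):
    """host/ and cifs/ principals in the three spellings Windows may use."""
    host, _, domain = fqdn.lower().partition('.')
    if not domain:
        raise ValueError('expected a fully qualified name, got %r' % fqdn)
    variants = (fqdn.lower(), host.capitalize() + '.' + domain, fqdn.upper())
    return ['%s/%s' % (svc, name) for svc in SERVICES for name in variants]


def kadmin_batch(fqdn, keytab='/etc/krb5.keytab'):
    """kadmin commands equivalent to the page's list: create, then extract."""
    principals = samba_principals(fqdn)
    return (['ank -randkey %s' % p for p in principals] +
            ['ktadd -k %s %s' % (keytab, p) for p in principals])


# One keytab entry line of "klist -k": KVNO, principal@REALM
KLIST_LINE = re.compile(r'^\s*(\d+)\s+(\S+)@(\S+)\s*$')


def keytab_principals(klist_output):
    """Parse "klist -k" text into the set of principal names without the realm."""
    found = set()
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found.add(m.group(2))
    return found


def missing_principals(fqdn, klist_output):
    """Principals the page requires that are absent from the keytab listing."""
    required = set(samba_principals(fqdn))
    return sorted(required - keytab_principals(klist_output))


# Constructed sample of "klist -k" output; one cifs/ variant was never extracted.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.org@EXAMPLE.ORG
   2 host/Server.example.org@EXAMPLE.ORG
   2 host/SERVER.EXAMPLE.ORG@EXAMPLE.ORG
   2 cifs/server.example.org@EXAMPLE.ORG
   2 cifs/Server.example.org@EXAMPLE.ORG
"""

if __name__ == '__main__':
    for cmd in kadmin_batch('server.example.org'):
        print('kadmin:', cmd)
    print('missing:', missing_principals('server.example.org', SAMPLE_KLIST))
```

On a real Samba server, feed the output of `klist -k /etc/krb5.keytab` to `missing_principals` instead of the sample; an empty result means all six entries are present.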

          posted on 2013-05-18 15:04 by ivaneeo, category: debian-企鵝中最像牛GNU牛力