LinuxQuestions.org


mostlyharmless 04-12-2014 08:30 PM

Kerberos Slackware
 
Anyone here have Kerberos setup in Slackware 14.1 ?

Ser Olmy 04-12-2014 08:35 PM

I have Heimdal installed on most of my Slackware boxes as part of a Samba/AD integration setup. I don't have a "pure" Kerberos-based environment.

mostlyharmless 04-13-2014 09:21 AM

Could you give me some tips on setup?

Per https://wiki.samba.org/index.php/Sam...ur_Samba_AD_DC

I ran
Code:

samba-tool domain provision --use-rfc2307 --interactive
and then samba
and then smbclient -L localhost -U%

and now get
Quote:

Domain=[KINGDOM] OS=[Unix] Server=[Samba 4.1.6]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.6)
Domain=[KINGDOM] OS=[Unix] Server=[Samba 4.1.6]

Server Comment
--------- -------

Workgroup Master
--------- -------
DOGPACK ANIMALS
I also tried
Code:

smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[KINGDOM] OS=[Unix] Server=[Samba 4.1.6]
  .                                  D        0  Sat Apr 12 17:11:21 2014
  ..                                  D        0  Sat Apr 12 17:13:40 2014

                64251 blocks of size 524288. 60017 blocks available

So far so good, right? Now for the kerberos part:

I tried downloading the krb5 SlackBuild from SlackBuilds, but building it failed with
Code:

sh krb5.SlackBuild
.....
making all in kadmin/testing/util...
make[3]: Entering directory `/tmp/SBo/krb5-1.7.1/src/kadmin/testing/util'
gcc  -DHAS_STDARG -I../../../include -I./../../../include  -I../../../lib/kdb/ -DKRB5_DEPRECATED=1  -O2 -fPIC -Wall -Wcast-qual -Wcast-align -Wshadow -Wmissing-prototypes -Wno-format-zero-length -Woverflow -Wstrict-overflow -Wmissing-format-attribute -Wmissing-prototypes -Wreturn-type -Wmissing-braces -Wparentheses -Wswitch -Wunused-function -Wunused-label -Wunused-variable -Wunused-value -Wunknown-pragmas -Wsign-compare -Werror=declaration-after-statement -Werror=variadic-macros -pthread -c tcl_ovsec_kadm.c
tcl_ovsec_kadm.c: In function 'parse_str':
tcl_ovsec_kadm.c:241:14: warning: cast discards '__attribute__((const))' qualifier from pointer target type [-Wcast-qual]
  *out_str = (char *) in_str;
              ^
tcl_ovsec_kadm.c: In function 'parse_principal_ent':
tcl_ovsec_kadm.c:676:18: error: 'Tcl_Interp' has no member named 'result'
    sprintf(interp->result, "wrong # args in principal structure (%d should be 12)",
                  ^
tcl_ovsec_kadm.c: In function 'parse_policy_ent':
tcl_ovsec_kadm.c:860:18: error: 'Tcl_Interp' has no member named 'result'
    sprintf(interp->result, "wrong # args in policy structure (%d should be 7)",
                  ^
tcl_ovsec_kadm.c: In function 'unparse_keyblock':
tcl_ovsec_kadm.c:1001:18: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    for (i = 0; i < keyblock->length; i++) {
                  ^
make[3]: *** [tcl_ovsec_kadm.o] Error 1
make[3]: Leaving directory `/tmp/SBo/krb5-1.7.1/src/kadmin/testing/util'
make[2]: *** [all-recurse] Error 1
make[2]: Leaving directory `/tmp/SBo/krb5-1.7.1/src/kadmin/testing'
make[1]: *** [all-recurse] Error 1
make[1]: Leaving directory `/tmp/SBo/krb5-1.7.1/src/kadmin'
make: *** [all-recurse] Error 1

So I downloaded a binary from slacky.eu krb5-1.12, which seems to have installed OK.
However "klist" gets "command not found", as does "kinit".

Frankly, heimdall would suit me fine also, as I just want the Samba AD DC part working. I looked at http://canich.net/slackware/krb5.html#krb5-pkg, but it is from 2011, so before I try to follow that guide, I was wondering if you had any suggestions or could let me know how you set up your samba.

Alien Bob 04-13-2014 09:55 AM

Quote:

Originally Posted by mostlyharmless (Post 5151700)
Could you give me some tips on setup?

Do you realize that you already have Heimdall installed on your server? It comes with Samba 4. It is private to Samba so there is no way to use it system-wide. Samba uses this internal Heimdall implementation for its Active Directory Domain Controller role.
If you want to test communication with the Samba server, with a kerberos client on another computer or even on the server itself, then you will need a separate Heimdall package, like the one in my repository: http://www.slackware.com/~alien/slackbuilds/heimdall/

Eric

mostlyharmless 04-13-2014 11:44 AM

Quote:

Do you realize that you already have Heimdall installed on your server?
Hmm, obviously not, I'm equally obviously over my head. I'm just trying to get AD DC working right now, and was running through the testing steps. It doesn't appear that what I have done so far is sufficient to allow any Windows machines to see an AD domain, which doesn't surprise me. I've really only used the old samba workgroups in the past.

Ser Olmy 04-13-2014 12:31 PM

Quote:

Originally Posted by Alien Bob (Post 5151715)
If you want to test communication with the Samba server, with a kerberos client on another computer or even on the server itself, then you will need a separate Heimdall package, like the one in my repository: http://www.slackware.com/~alien/slackbuilds/heimdall/

It seems that's not the "Heimdal" (one l) included with Samba, but something else entirely.

The home page for Heimdal is http://www.h5l.org. The latest stable version (1.5.3) compiles without issues on Slackware.

Ser Olmy 04-13-2014 12:37 PM

Quote:

Originally Posted by mostlyharmless (Post 5151765)
Hmm, obviously not, I'm equally obviously over my head. I'm just trying to get AD DC working right now, and was running through the testing steps.

As AlienBob said, a version of Heimdal Kerberos is included with Samba 4. You don't need to install anything else.

Quote:

Originally Posted by mostlyharmless (Post 5151765)
It doesn't appear that what I have done so far is sufficient to allow any Windows machines to see an AD domain, which doesn't surprise me. I've really only used the old samba workgroups in the past.

If samba-tool domain provision completed successfully, you have a working AD DC.

Clients will need to use the Samba or BIND DNS server you specified during provisioning, and you should join Samba/Windows clients to the domain. Logging on from a client without a domain account will work if your smb.conf allows NTLM fallback, but you'll miss out on all the useful AD features (Kerberos, ID mapping, RFC 2307 Unix attributes etc).

mostlyharmless 04-13-2014 02:47 PM

Ok, so it's probably working; I'll fiddle with the windows clients to see why they're not seeing it.

Alien Bob 04-13-2014 02:47 PM

Quote:

Originally Posted by Ser Olmy (Post 5151795)
It seems that's not the "Heimdal" (one l) included with Samba, but something else entirely.

The home page for Heimdal is http://www.h5l.org. The latest stable version (1.5.3) compiles without issues on Slackware.

Ah, shoot :-) I never published my heimdal (kerberos) package.
And you are right, the Heimdall I point to by mistake is a program which is used to flash Samsung phones... my apologies for causing confusion.

Eric

mostlyharmless 04-13-2014 07:20 PM

Well, I built heimdal (the correct one), and it installed its binaries into /usr/heimdal. Tried adding /usr/bin/heimdal/bin and sbin to the PATH in /etc/profile, but that didn't quite seem to work right. Is there a better way?

In the meantime, I can go to that directory and run ./kinit. Still have my hands full trying to figure out how to set it all up though.

Ser Olmy 04-13-2014 09:21 PM

Quote:

Originally Posted by mostlyharmless (Post 5151994)
Well, I built heimdal (the correct one), and it installed its binaries into /usr/heimdal. Tried adding /usr/bin/heimdal/bin and sbin to the PATH in /etc/profile, but that didn't quite seem to work right. Is there a better way?

I consider Heimdal to be a system component in a Kerberized environment, so I usually install directly to /usr/bin. If you want to keep it separate from "native" Slackware packages, /opt/heimdal would be the natural choice in my opinion.

Quote:

Originally Posted by mostlyharmless (Post 5151994)
In the meantime, I can go to that directory and run ./kinit. Still have my hands full trying to figure out how to set it all up though.

Set up what exactly? Once you've provisioned the domain, there's literally nothing more you need to do. The provisioning scripts will have created the Kerberos realm, populated the AD database and created the necessary DNS records.

In order to locate the domain controllers in the AD domain, client computers will need to use whichever DNS server holds the AD-specific records.

Mark Pettit 04-14-2014 12:39 AM

I think getting Samba to work with A/D is non-trivial. I've battled in the past. I now have a recipe which involves rebuilding Samba from scratch using kerberos. I had no idea Slack was supposedly able to work with A/D out-of-the-box. Would someone (perhaps @Ser Olmy) be able to give us a for-dummies rundown please?

Ser Olmy 04-14-2014 12:52 AM

Samba 4.x is the first major version to support being an Active Directory Domain Controller. Setting up a Samba AD domain from scratch is pretty straightforward:
  1. Decide on an Active Directory domain name
  2. Decide whether you want to use a BIND dlz zone or the built-in Samba DNS server
  3. Configure the BIND dlz zone if necessary
  4. Run samba-tool domain provision with the correct parameters or in interactive mode
That's all there is to it, really. I did this only a few days ago, and it worked like a charm. I then configured a Windows 7 workstation to use the proper DNS server and had it join the domain.

You'll still have to configure winbind, NSS and PAM if you want to log on to a Linux system with AD credentials and be able to map Windows SIDs to Unix UIDs and GIDs, just like before.
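
The four provisioning steps above end with DNS records that clients must be able to resolve, and the earlier point was that clients have to use the DNS server holding those records. The following shell script is an added example, not from the thread or from Samba: it resolves the SRV records provisioning publishes for a domain so a missing or wrong DNS server shows up immediately. The domain name kingdom.example is a constructed placeholder; RESOLVER defaults to dig and can be set to "host -t" instead.

```shell
#!/bin/sh
# Added example, not from the thread: check the DNS SRV records that AD
# clients use to locate a domain controller. Run it from a client that uses
# the Samba (or BIND dlz) DNS server; "kingdom.example" is a placeholder.

# Resolver command; override with RESOLVER="host -t" or a stub for testing.
: "${RESOLVER:=dig +short}"

# ad_srv_names DOMAIN : print the SRV names provisioning publishes for DOMAIN.
ad_srv_names() {
    d=$1
    printf '%s\n' \
        "_ldap._tcp.$d" "_ldap._tcp.dc._msdcs.$d" \
        "_kerberos._tcp.$d" "_kerberos._udp.$d" \
        "_kpasswd._tcp.$d" "_kpasswd._udp.$d" \
        "_gc._tcp.$d"
}

# check_srv NAME : resolve one SRV record; print a verdict, return 0 if found.
# (dig +short exits 0 on NXDOMAIN but prints nothing, hence the -n test.)
check_srv() {
    if out=$($RESOLVER SRV "$1" 2>/dev/null) && [ -n "$out" ]; then
        printf 'ok       %s -> %s\n' "$1" "$out"
        return 0
    fi
    printf 'MISSING  %s\n' "$1"
    return 1
}

# check_ad_dns DOMAIN : check every record; return the number of missing ones.
check_ad_dns() {
    missing=0
    for n in $(ad_srv_names "$1"); do
        check_srv "$n" || missing=$((missing + 1))
    done
    return $missing
}

# Usage: sh adcheck.sh kingdom.example
if [ -n "$1" ]; then check_ad_dns "$1"; fi
```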

Mark Pettit 04-14-2014 01:29 AM

Thanks ... And what if you were working in a pre-existing A/D environment and just wanted to hook up your Slack box so that it could create shares? (The A/D environment would be 100% genuine Microsoft - not Samba acting as A/D domain controller). Again - I have this working via a convoluted method which involves adding kerberos and recompiling from scratch. I'd love to use Samba 4 from Slack as-is!

Ser Olmy 04-14-2014 02:42 AM

Quote:

Originally Posted by Mark Pettit (Post 5152110)
Thanks ... And what if you were working in a pre-existing A/D environment and just wanted to hook up your Slack box so that it could create shares ?

You can skip the Kerberos installation steps, as a version of Heimdal is bundled with Samba 4. Just go straight to the step where you put the IP addresses of the AD DCs (and ONLY the AD DCs) as name servers in /etc/resolv.conf and configure smb.conf with "security = ads", but make sure you read up on the current syntax for the settings related to ID mapping. Then run net ads join as before.
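
As an added example (not from the thread or from Samba), the shell script below lints an smb.conf intended for the member-server setup just described: "security = ads", realm and workgroup set, and ID mapping written in the "idmap config ... : range" form rather than the deprecated "idmap uid"/"idmap gid" lines. The two sample configs it builds are constructed, with EXAMPLE and AD.EXAMPLE.TEST as placeholder names.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: lint an smb.conf for a
# Samba 4 member server in an existing AD domain (security = ads, realm and
# workgroup set, idmap written as "idmap config ... : range").

# has_setting FILE ERE : true if an uncommented line of FILE matches ERE.
has_setting() {
    grep -v -E '^[[:space:]]*[#;]' "$1" | grep -q -i -E "$2"
}

# lint_member_smbconf FILE : print one line per problem; return problem count.
lint_member_smbconf() {
    f=$1; problems=0
    has_setting "$f" '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' \
        || { echo "missing: security = ads"; problems=$((problems + 1)); }
    has_setting "$f" '^[[:space:]]*realm[[:space:]]*=[[:space:]]*[^[:space:]]' \
        || { echo "missing: realm = <AD DNS domain>"; problems=$((problems + 1)); }
    has_setting "$f" '^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*[^[:space:]]' \
        || { echo "missing: workgroup = <NetBIOS domain>"; problems=$((problems + 1)); }
    has_setting "$f" '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=' \
        && { echo "deprecated: idmap uid/gid; use idmap config * : range"; problems=$((problems + 1)); }
    has_setting "$f" '^[[:space:]]*idmap[[:space:]]+config[[:space:]]*\*[[:space:]]*:[[:space:]]*range[[:space:]]*=' \
        || { echo "missing: idmap config * : range = LOW-HIGH"; problems=$((problems + 1)); }
    return $problems
}

# Two constructed sample configs (EXAMPLE / AD.EXAMPLE.TEST are placeholders).
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp)
trap 'rm -f "$OLD_CONF" "$NEW_CONF"' EXIT
cat >"$OLD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.TEST
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
EOF
cat >"$NEW_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.TEST
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
EOF
lint_member_smbconf "$OLD_CONF" || echo "old-style config: $? problem(s)"
lint_member_smbconf "$NEW_CONF" && echo "new-style config: OK"
```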

Mark Pettit 04-14-2014 02:54 AM

Cool - I shall try this over the next few days. I'm a lonely slacker in a company of over 500 microsofities ... :-(

mostlyharmless 04-14-2014 10:11 AM

Quote:

Set up what exactly? Once you've provisioned the domain, there's literally nothing more you need to do. The provisioning scripts will have created the Kerberos realm, populated the AD database and created the necessary DNS records.

In order to locate the domain controllers in the AD domain, client computers will need to use whichever DNS server holds the AD-specific records.
I guess I mean set up DNS properly. Undoubtedly that's why I can't see my DC from the Windows computers.
Quote:

Configure the BIND dlz zone if necessary....You'll still have to configure winbind, NSS and PAM
I believe that's what I've got to get a better grasp of.
Quote:

I think getting Samba to work with A/D is non-trivial
Well, I couldn't agree more. The thing is, setting up Samba 3 was pretty trivial; start it up and there are the shares. I used to have domain logons for Win 98 and XP several years ago, but can't remember how I set up DNS.

mfoley 10-07-2015 11:56 PM

Quote:

Originally Posted by Ser Olmy (Post 5152098)
You'll still have to configure winbind, NSS and PAM if you want to log on to a Linux system with AD credentials and be able to map Windows SIDs to Unix UIDs and GIDs, just like before.

Hopefully, there is still activity on this thread ...

Your last statement caught my attention. I too have easily and simply provisioned Samba4 AD/DC as a replacement for SBS 2008 and have 10+ Windows workstations authenticating with no problem.

Now, I want to implement Single-Sign-On for Linux workstations. All documentation on the web shows how to do this with OpenLDAP, but as we know, the Samba4 server uses its own Heimdal LDAP, so the web instructions are apparently useless.

Since you say, "You'll still have to configure winbind, NSS and PAM if you want to log on to a Linux system ...", it appears you have some knowledge in this area. What is my first step in getting a Linux workstation to log on using the Samba4 server for authentication?

Need a push in the right direction. I'm lost!

ivandi 10-08-2015 09:14 AM

http://www.linuxquestions.org/questi...ml#post5395994

