To understand how Samba is configured to integrate with Windows ADS, we first need the
following fundamental concepts:
Kerberos Authentication:
Kerberos is a trusted third-party authentication service. It keeps a database of its clients and
their secret keys; each secret key is a large number known only to Kerberos and the client it
belongs to, and it is never sent over the network. In Kerberos both users and servers are named,
and as far as the authentication server is concerned they are equivalent. A name (a principal)
consists of a primary name, an instance and a realm, written name.instance@realm in the original
Kerberos 4 notation and name/instance@REALM in Kerberos 5, which is what Active Directory
speaks; for the domain used here the realm is GURKULINDIA.COM.
Linux winbind Service:
Winbind unifies UNIX and Windows account management by allowing a UNIX box to
become a full member of a Windows domain. The service, provided by the winbindd daemon, is
called winbind and is used to resolve user and group information from a Windows
Domain Controller, mapping Windows SIDs onto UNIX uids and gids so that the accounts are
understood by the UNIX platform. It can also provide authentication via an associated PAM
module: pam_winbind supports the auth, account and password module types. On the Red Hat
family of the time winbind shipped in the samba-common package as a component of Samba;
newer releases package it separately as samba-winbind.
In this first part of the Samba configuration series I give a quick overview of
Kerberos authentication and of configuring Linux as a Kerberos client. The procedure for
adding the Linux Samba server to the Windows domain using winbind follows in the
continuation post.
Step 2: Client requests a ticket for the Samba server from the Ticket Granting Server
Using the session key (SK-1) and the ticket-granting ticket (TKT-1) it received from the
Authentication Server in the first step, the client creates an authenticator (AUTH-1): its own
name and a fresh timestamp, encrypted with SK-1. The client sends AUTH-1 together with TKT-1
to the Ticket Granting Server (TGS), naming the Samba server's service principal it wants to
reach.
The TGS decrypts TKT-1 with its own key, recovers SK-1 from it and uses SK-1 to validate
AUTH-1 (the name must match the ticket and the timestamp must be recent). It then generates a
new session key (SK-2) and a service ticket (TKT-2) that carries SK-2 and the client's name,
encrypted with the Samba server's secret key. The TGS returns TKT-2 together with a copy of
SK-2 encrypted under SK-1, so that only the client can read it.
Step 3: Client access to the Samba server
The client decrypts SK-2 and uses it to create a new authenticator (AUTH-2). It then sends
AUTH-2 together with the service ticket TKT-2 to the Samba server; the session key itself is
never transmitted in the clear, it reaches the server only inside TKT-2. The Samba server
decrypts TKT-2 with its own secret key (the one stored in its keytab after the domain join),
extracts SK-2, decrypts AUTH-2 with it and checks that the client name matches the ticket and
that the timestamp is within the permitted clock skew. If everything matches, the client
connection is authenticated.
When mutual authentication is requested, the Samba server also replies with the timestamp from
AUTH-2 encrypted with SK-2 (optionally carrying a new sub-session key, SK-3, for protecting
the session). Because only a server holding the right secret key could have read SK-2 out of
TKT-2, the client decrypts this reply, confirms that the timestamp matches and so knows it is
communicating with the right server. The connection is then established between the client
and the Samba server.
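The three steps above leave visible traces in the client's ticket cache, and checking that cache is the practical way to confirm that the TGS exchange actually happened. The following is an added example, not code from the original post: a small POSIX shell helper that lists the service principals in klist output and checks for a given one, exercised here on a constructed klist listing. The Samba host name samba01.gurkulindia.com and the user testuser are assumptions; the realm GURKULINDIA.COM is the upper-case form of the domain used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the client's Kerberos
# ticket cache to see the steps above reflected on the Linux side.
# After step 1 (kinit) the cache holds only the TGT, krbtgt/REALM@REALM.
# After steps 2 and 3 (first Kerberos access to the share) it also holds
# the service ticket the TGS issued for the Samba server's cifs/ principal.
# The host samba01.gurkulindia.com and the user testuser are assumed names.

# Print the service principal of every ticket in MIT klist(1) output.
# Reads the listing on stdin so it works on saved output as well as on
# a live `klist`. Only the ticket rows under the column header are used;
# the "renew until" continuation rows have fewer fields and are skipped.
ticket_principals() {
    awk '
        /^Valid starting/ { in_tickets = 1; next }
        in_tickets && NF >= 5 { print $5 }
    '
}

# Succeed (exit 0) if the listing on stdin holds a ticket for principal $1.
has_ticket() {
    ticket_principals | grep -q -x -F "$1"
}

# Constructed sample of klist output, as seen after one smbclient -k access.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testuser@GURKULINDIA.COM

Valid starting     Expires            Service principal
03/10/11 10:00:00  03/10/11 20:00:00  krbtgt/GURKULINDIA.COM@GURKULINDIA.COM
        renew until 03/17/11 10:00:00
03/10/11 10:01:12  03/10/11 20:00:00  cifs/samba01.gurkulindia.com@GURKULINDIA.COM'

# Live use on a joined client (needs the domain; not exercised offline):
#   kinit testuser@GURKULINDIA.COM                       # step 1: TGT only
#   smbclient -k //samba01.gurkulindia.com/share -c ls   # steps 2 and 3
#   klist | has_ticket cifs/samba01.gurkulindia.com@GURKULINDIA.COM \
#       && echo "service ticket for the Samba server is cached"
printf '%s\n' "$SAMPLE_KLIST" | ticket_principals
```

Run stand-alone the script prints the two principals from the sample: the TGT and the cifs/ service ticket. On a live client, a cache that still shows only the krbtgt entry after a share access means the client fell back to NTLM, which is worth catching before the winbind part.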
Note 1 : The Linux server must resolve the domain through the Active Directory DNS, so
/etc/resolv.conf points at the domain controller (Kerberos and winbind locate the KDC and the
domain controllers through the SRV records served there):
nameserver 10.200.202.84
search gurkulindia.com
Note 2 : Kerberos rejects an authenticator whose timestamp differs from the server's clock by
more than the permitted skew (five minutes by default), so the clocks must be kept in sync. I
have configured the WINDOWS 2003 SERVER to use its local system clock and configured Linux to
use the Windows server as its NTP server.
>> Comment out the current NTP server entries in /etc/ntp.conf and add a server entry referring
to the Windows server, as in the example below.
Modify /etc/krb5.conf so that the Windows ADS server is the Kerberos authentication server
(KDC). In that file [libdefaults] sets the default realm, [realms] lists the KDC and admin
server for each realm, and [domain_realm] maps DNS domain names onto Kerberos realms. Here the
Active Directory domain is gurkulindia.com and its Kerberos realm is GURKULINDIA.COM (realm
names are case sensitive, and an Active Directory realm is the domain name in upper case). The
file is shown below before and after the change.
To make sure we have no stale or expired tickets, destroy any existing ticket cache and obtain
a fresh ticket with the Kerberos commands below; a successful kinit for a domain user is the
proof that the client can reach the KDC and that DNS and time are right.
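Putting the DNS, NTP and krb5.conf changes above together, the following added example (not the original post's own files, which are not reproduced here) renders the three client-side files from a few variables, comments out the existing NTP servers the way the note above describes, checks the clock skew Kerberos tolerates, and wraps the kdestroy/kinit/klist verification. It assumes that the domain controller at 10.200.202.84 is also the NTP source and is reachable as dc01.gurkulindia.com; that host name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: render the client-side files the
# post edits (resolv.conf, ntp.conf, krb5.conf), check the clock skew that
# Kerberos tolerates, and verify with the standard Kerberos tools.
# Assumptions (placeholders, not from the post): the domain controller at
# 10.200.202.84 also serves NTP and is known as dc01.gurkulindia.com.
DC_IP=10.200.202.84
DC_HOST=dc01.gurkulindia.com
DOMAIN=gurkulindia.com
REALM=GURKULINDIA.COM   # AD realm is the DNS domain in upper case; case matters
ROOT=${ROOT:-/}         # set ROOT=/tmp/stage to render without touching /etc

# /etc/resolv.conf: the AD DNS must answer, or the KDC SRV lookups fail.
render_resolv_conf() {
    printf 'nameserver %s\nsearch %s\n' "$DC_IP" "$DOMAIN"
}

# /etc/ntp.conf filter: comment out every existing "server" line read on
# stdin and append the Windows server as the only time source.
fix_ntp_conf() {
    sed 's/^[[:space:]]*server[[:space:]]/#&/'
    printf 'server %s\n' "$DC_IP"
}

# /etc/krb5.conf for the AD realm. [realms] names the KDC; [domain_realm]
# maps host names (leading dot) and the bare domain onto the realm.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
 default_realm = $REALM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 $REALM = {
  kdc = $DC_HOST
  admin_server = $DC_HOST
  default_domain = $DOMAIN
 }

[domain_realm]
 .$DOMAIN = $REALM
 $DOMAIN = $REALM
EOF
}

# Kerberos refuses an authenticator whose timestamp is more than clockskew
# (300 s by default) away from the server clock. Arguments are epoch seconds
# for the client and the server, e.g. from `date +%s` and `ntpdate -q`.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# Write all three files under $ROOT.
install_configs() {
    mkdir -p "$ROOT/etc"
    render_resolv_conf > "$ROOT/etc/resolv.conf"
    if [ -f "$ROOT/etc/ntp.conf" ]; then
        fix_ntp_conf < "$ROOT/etc/ntp.conf" > "$ROOT/etc/ntp.conf.new"
        mv "$ROOT/etc/ntp.conf.new" "$ROOT/etc/ntp.conf"
    fi
    render_krb5_conf > "$ROOT/etc/krb5.conf"
}

# On the real client, once the files are installed (needs the DC):
#   kdestroy            drop any stale or expired tickets
#   kinit user@REALM    step 1 of the exchange; prompts for the AD password
#   klist               must list krbtgt/REALM@REALM
verify_kerberos() {
    kdestroy 2>/dev/null || true
    kinit "$1@$REALM" && klist
}

# Render into a staging tree with:  ROOT=/tmp/stage sh this_script.sh
if [ "$ROOT" != / ]; then install_configs; fi
```

Run it with ROOT=/tmp/stage to inspect the rendered files before copying them into /etc; with the default ROOT=/ nothing is written until install_configs is called explicitly. Keep the realm upper case: a lower-case realm in krb5.conf is a classic cause of kinit failures against Active Directory, as is a clock that clock_skew_ok would reject.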
That concludes the Kerberos authentication part. A continuation post will cover the Samba
configuration procedure, joining the Linux server to the Windows domain using winbind, and
testing the Samba setup.