Koozali.org: home of the SME Server

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos

DarkMirage

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« on: March 04, 2005, 04:22:11 PM »
How to add SME to an Active Directory as a member server using Kerberos

First of all, no credit to me, I just pieced this together from various posts/sites.

Notes:
  This configuration assumes DNS runs on the Active Directory server.
  If you have DNS running as it should, there is no need to edit the hosts and resolv.conf files.
  You should however double-check hostname lookup and reverse lookup.

  I have tested this on a clean SME 6.5rc1 and 6.0.1 install; 6.0.1 requires you to update
  to Samba 3 (look here: http://lists.contribs.org/mailman/public/devinfo/msg07291.html ).
  I posted the entire contents of the files I changed; you may find differences if you
  have already made changes to these files.

  I am unfamiliar with the whole naming concept of templates; you might want to
  append items in other templates.

  You should not change the case of the realm/hosts in krb5.conf,
  Kerberos is supposed to be sensitive about that.

  The next step for me is to look at the mail authentication,
  but I can't seem to figure out how to configure this.
  Anybody know how this is done?
  I've read about Dovecot's authentication being done by mailfront,
  but I'm not sure where to look for mailfront and its config.
  (Attempts at changing Dovecot's config failed: no effect :-( )

ISSUE:
  Currently home directories in Samba are not automatically created,
  and to gain access I use the following:
  root#   mkdir -p /home/e-smith/files/users/username/home
  root#   chown -R 'delirium\username' /home/e-smith/files/users/username

  Anybody know how/where to script this?
  (Probably something not that hard to find, still need to look into that)

The sample configuration uses:
  delirium.com   As the Domain Name
  addc      As the Active Directory Server (Domain Controller)
  172.16.1.2   As the addc's ip address

-------------------------------------------------

Domain Controller should have this configured:
   DNS:
   "A"   Record for SME server
   "PTR" Record for SME server

server-manager:
   (Configuration) Workgroup -->
   Windows workgroup name: DELIRIUM
Code:

#If this is a clean install we will have to create the templates-custom/etc dir as well
mkdir -p /etc/e-smith/templates-custom/etc

cd /etc/e-smith/templates-custom/etc/

#If they're not already there, copy the templates to their custom location
#(mkdir -p is harmless when the directory already exists)

mkdir -p hosts
cp /etc/e-smith/templates/etc/hosts/20hostname hosts/

mkdir -p resolv.conf
cp /etc/e-smith/templates/etc/resolv.conf/10domain resolv.conf/
cp /etc/e-smith/templates/etc/resolv.conf/25nameserver resolv.conf/

mkdir -p nsswitch.conf
cp /etc/e-smith/templates/etc/nsswitch.conf/10files nsswitch.conf/

mkdir -p pam.d/login
cp /etc/e-smith/templates/etc/pam.d/login/20auth pam.d/login/
cp /etc/e-smith/templates/etc/pam.d/login/30account pam.d/login/

mkdir -p smb.conf
cp /etc/e-smith/templates/etc/smb.conf/10globals smb.conf/
cp /etc/e-smith/templates/etc/smb.conf/11nameResolveOrder smb.conf/
cp /etc/e-smith/templates/etc/smb.conf/11security smb.conf/

#Backup /etc/krb5.conf
cp /etc/krb5.conf /etc/krb5.conf.orig

Edit the following files (still in the /etc/e-smith/templates-custom/etc/ dir)
Example: pico hosts/20hostname

-----------------hosts/20hostname----------------
Code:

{
    $OUT .= "$LocalIP\t";
    $OUT .= " ${SystemName}.${DomainName}";
    $OUT .= " ${SystemName}\n";
    # static entry for the domain controller (replace the IP and name with your DC's)
    $OUT .= "172.16.1.2\t";
    $OUT .= " addc.${DomainName}";
    $OUT .= " addc\n";
}


---------------resolv.conf/10domain--------------
Code:

{
    $OUT .= "domain $DomainName\n";
    $OUT .= "search $DomainName";
}


-------------resolv.conf/25nameserver------------
Code:

nameserver   172.16.1.2


--------------nsswitch.conf/10files--------------
Code:

passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      { ($AccessType eq "off") ? "files" : "files dns" }
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
automount:  files
aliases:    files


----------------pam.d/login/20auth----------------
Code:

{
    use esmith::db;
    use esmith::config;

    local $conf{'telnet'} = $telnet;

    my $rootLogin = db_get_prop(\%conf, "telnet", "PermitRootLogin")
        || "no";
    if (defined $rootLogin && $rootLogin eq 'no')
    {
        $OUT .= "auth       required        /lib/security/pam_securetty.so\n";
    }
    $OUT .= "auth       sufficient      /lib/security/pam_winbind.so\n";
    $OUT .= "auth       sufficient      /lib/security/pam_unix.so use_first_pass\n";
    $OUT .= "auth       required        /lib/security/pam_stack.so service=system-auth\n";
    $OUT .= "auth       required        /lib/security/pam_nologin.so\n";
}


--------------pam.d/login/30account---------------
Code:

account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth


----------------smb.conf/10globals----------------
Code:

[global]
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = addc.delirium.com
realm = delirium.com
template homedir = /home/e-smith/files/users/%U/home
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes


-----------smb.conf/11nameResolveOrder------------
Code:

name resolve order = host wins lmhosts bcast


---------------smb.conf/11security----------------
Code:

security = ads


-------------------/etc/krb5.conf-----------------
Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DELIRIUM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DELIRIUM.COM = {
  kdc = addc.delirium.com:88
  admin_server = addc.delirium.com:749
  default_domain = delirium.com
 }

[domain_realm]
 .delirium.com = DELIRIUM.COM
 delirium.com = DELIRIUM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


Execute the following commands as root:
Code:

root#   /sbin/e-smith/expand-template /etc/hosts
root#   /sbin/e-smith/expand-template /etc/resolv.conf
root#   /sbin/e-smith/expand-template /etc/smb.conf
root#   /sbin/e-smith/expand-template /etc/nsswitch.conf
root#   /sbin/e-smith/expand-template /etc/pam.d/login
root#   service winbind start
root#   net ads join -U Administrator
#The above user must be authorised to add the server to the Active Directory
#Not sure how I should set winbind to enabled, so this starts winbind (in runlevel 7?) on boot
root#   ln -s /etc/rc.d/init.d/winbind /etc/rc.d/rc7.d/S92Winbind

#Use these for testing
#The last entries should be your ADS users:
root#   /usr/bin/getent passwd
#The last entries should be your ADS groups:
root#   /usr/bin/getent group


If I made any mistakes, be gentle, I'm pretty new at this   :-)
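A check script for the procedure above, written as an added example (it is not part of DarkMirage's post or of SME Server). It verifies the things the notes say to watch: that default_realm in krb5.conf is upper case and matches the realm, that nsswitch.conf actually hands passwd and group lookups to winbind, and that getent passwd returns accounts with uids in the idmap range, which is what "the last entries should be your ADS users" means in practice. It also prints the path that the smb.conf "template homedir" line expands to, so the manual mkdir/chown from the ISSUE note lands where winbind will look. The realm, idmap range and paths are the sample values from the post; the getent, krb5.conf and nsswitch.conf text embedded in the script is constructed, not captured from a real box. Without arguments it runs against those samples; with --live it reads /etc/krb5.conf, /etc/nsswitch.conf and the real getent output.

```shell
#!/bin/sh
# Post-join sanity checks for an SME Server joined to AD with winbind.
# Added example, not part of the original post. Assumes the values from
# the sample configuration (realm DELIRIUM.COM, idmap range 10000-20000,
# homes under /home/e-smith/files/users) and that winbind's uids are the
# only ones in that range. The getent, krb5.conf and nsswitch.conf text
# below is constructed, not captured. "--live" checks the real files.

REALM=DELIRIUM.COM
IDMAP_LOW=10000
IDMAP_HIGH=20000

# check_realm_case: read krb5.conf on stdin; succeed only if default_realm
# is present, all upper case and equal to $REALM. Realm names are
# case-sensitive, so "delirium.com" is not the realm the DC serves.
check_realm_case() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
            | head -n 1 | tr -d ' \t\r')
    [ -n "$realm" ] || return 1
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] && [ "$realm" = "$REALM" ]
}

# nss_has_winbind: read nsswitch.conf on stdin; succeed only if both the
# passwd and group lines list winbind, otherwise getent never asks it.
nss_has_winbind() {
    awk '$1 == "passwd:" || $1 == "group:" {
             for (i = 2; i <= NF; i++) if ($i == "winbind") n++
         }
         END { exit (n == 2 ? 0 : 1) }'
}

# count_winbind_users: read passwd(5) lines on stdin and print how many
# have a uid inside the idmap range, i.e. came from AD through winbind.
# Zero right after "net ads join" means winbind is not answering NSS.
count_winbind_users() {
    awk -F: -v lo="$IDMAP_LOW" -v hi="$IDMAP_HIGH" \
        '$3 >= lo && $3 <= hi { n++ } END { print n + 0 }'
}

# homedir_for USER: what "template homedir" in smb.conf expands to, so the
# manual mkdir/chown from the ISSUE note creates the directory winbind
# will hand out for that user.
homedir_for() {
    printf '/home/e-smith/files/users/%s/home\n' "$1"
}

# Constructed samples: getent output after a working join (local accounts
# first, AD accounts with idmap uids last), a krb5.conf fragment and the
# nsswitch.conf lines from the how-to.
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
admin:x:101:101::/home/e-smith:/sbin/e-smith/console
alice:x:10000:10000:Alice:/home/e-smith/files/users/alice/home:/bin/bash
bob:x:10001:10000:Bob:/home/e-smith/files/users/bob/home:/bin/bash'
SAMPLE_KRB5='[libdefaults]
 default_realm = DELIRIUM.COM'
SAMPLE_NSS='passwd:     files winbind
shadow:     files
group:      files winbind'

# report NAME STATUS: one line per check
report() {
    [ "$2" -eq 0 ] && echo "ok   $1" || echo "FAIL $1"
}

case "${1:-}" in
    --live)
        check_realm_case < /etc/krb5.conf;     report "krb5.conf default_realm upper case and = $REALM" $?
        nss_has_winbind  < /etc/nsswitch.conf; report "nsswitch.conf passwd/group use winbind" $?
        echo "AD users visible through winbind: $(getent passwd | count_winbind_users)"
        ;;
    *)
        printf '%s\n' "$SAMPLE_KRB5" | check_realm_case; report "sample krb5.conf realm" $?
        printf '%s\n' "$SAMPLE_NSS"  | nss_has_winbind;  report "sample nsswitch.conf" $?
        echo "AD users in sample getent output: $(printf '%s\n' "$SAMPLE_GETENT" | count_winbind_users)"
        echo "home directory for alice: $(homedir_for alice)"
        ;;
esac
```

The uid-range test is only meaningful because winbind allocates from the idmap range and nothing else on the box does; if you widen the range or give local users ids above 10000, adjust IDMAP_LOW and IDMAP_HIGH to match smb.conf.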

phil93

AD and Kerberos
« Reply #1 on: March 11, 2005, 06:15:20 PM »
Your how-to is very interesting but I think I forgot something (excuse me for my English).

When you edit hosts/20hostname:

When you write {SystemName}, is it my system name that I must write?
Same for DomainName: is it the DomainName of the SME server or of AD?

Thanks, I think I am burning.

DarkMirage

which domain
« Reply #2 on: March 14, 2005, 10:13:17 AM »
Since this how-to is for adding an SME server to a domain, its goal is to set the domain for the SME server the same as the rest of the computers already in the domain.
It seems the two options you are unsure of choosing from should be identical.

Still, try entering the domain you are trying to add the SME server to (the file is used by Kerberos to find the Kerberos server = AD server for validation).

Good luck

thomastegl

Help please!
« Reply #3 on: March 03, 2006, 05:18:22 PM »
Hi, and thanks for making the HOWTOs to help out us dummies. However I am having some problems getting it to work. I can't work out where I'm supposed to replace System Name, Domain Name etc. Is it only where you have done it, or everywhere? Hope someone can help me out, 'cause I really need it to work!

DarkMirage

Re: Help please!
« Reply #4 on: April 27, 2006, 09:02:02 PM »
Quote from: "thomastegl"
where I'm supposed to replace System Name, Domain Name


Only replace the following:
delirium.com with yourdomain.com
DELIRIUM.COM with YOURDOMAIN.COM
addc with yourdomaincontroller
172.16.1.2 with the ip of yourdomaincontroller

Things like
Code:
${SystemName}.${DomainName}
are scripts, leave them alone, SME will take care of those.

HTH

thomastegl

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« Reply #5 on: May 01, 2006, 05:31:41 PM »
When executing command:

/sbin/e-smith/expand-template /etc/nssswitch.conf

I get the following

ERROR: No templates were found for /etc/nssswitch.conf.
 at /sbin/e-smith/expand-template line 49 :-?

What is that???

Is it a problem??

thomastegl

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« Reply #6 on: May 01, 2006, 05:43:41 PM »
When executing:

net ads join -U Administrator

I get:

[2006/05/01 17:42:48, 0] libads/kerberos.c:ads_kinit_password(135)
  kerberos_kinit_password Administrator@VITTRUP.LOCAL failed: Cannot resolve network address for KDC in requested realm
[2006/05/01 17:42:48, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Cannot resolve network address for KDC in requested realm

Is this because of the previously posted problem??? :oops:

DarkMirage

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« Reply #7 on: May 21, 2006, 02:59:07 PM »
kerberos_kinit_password Administrator@VITTRUP.LOCAL failed: Cannot resolve network address for KDC in requested realm
In /etc/krb5.conf you specify the KDC:
Code:

kdc = addc.delirium.com:88


The message tells you the server is unable to locate the above-mentioned server. Try doing a lookup on whatever KDC you specified. In the example the following command would show you if DNS is failing:
Code:

nslookup addc.delirium.com


Next problem:
ERROR: No templates were found for /etc/nssswitch.conf.
at /sbin/e-smith/expand-template line 49

is not a problem. It's a typo.

There are only two s's in nsswitch.conf:
Code:

/sbin/e-smith/expand-template /etc/nsswitch.conf

thomastegl

Still not working
« Reply #8 on: May 22, 2006, 07:34:47 PM »
Thank you so much for helping. Pls dont give up on me yet !!!

[root@server02 root]# net ads join -U Administrator
Administrator's password:
[2006/05/22 19:31:02, 0] libads/kerberos.c:ads_kinit_password(135)
  kerberos_kinit_password Administrator@VITTRUP.LOCAL failed: KDC has no support for encryption type
[2006/05/22 19:31:02, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: KDC has no support for encryption type


Look to me, like it finds the kdc but cannot communicate with it...
Any ideas? :roll:

tuxtux

NT4.0 style PDC-BDC
« Reply #9 on: May 23, 2006, 04:40:13 AM »
Hi all, a very interesting discussion and very helpful.

However, my requirement is the other way around and I need help from you guys.

I have 2 sites that need an authentication servers, so I thought of using SME Server as a PDC-BDC style, where the BDC is going to be deployed at the remote location and will replicate with the PDC at the central office.

I also understand that Samba has to use an LDAP database at the backend. This might as well do, since the LDAP can also be the address book for Outlook?

Any help is much appreciated.

Cheers.

DarkMirage

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« Reply #10 on: May 23, 2006, 09:23:56 PM »
@thomastegl:
I have no idea why an Active Directory controller would give an error like that. Is the Active Directory modified, firewalled, or does it contain any non-standard settings which might apply to authentication encryption types?

You could try kinit, which is a program to acquire a 'ticket' for authentication, which is also the part of the join which seems to fail.

See the manual page for details:
Code:
man kinit

@tuxtux:
Although related, your target is beyond the above howto. The first problem which you will run into, is that the SME LDAP directory does not include any passwords, and for that reason is useless, without modification, for authentication. I have had a go at those modifications during my work with OpenXchange, which uses an LDAP backend. You might find some interesting possibilities there.

You mention an LDAP backend for samba, which might be required for your setup,  but is really one of many possible backends for samba. The above does use it, since Active Directory is really just a complex form of an LDAP directory.

Directory replication is beyond me, although I believe to have seen some documentation in the past. You should be able to find a howto for either LDAP or samba.

I am familiar with an LDAP addressbook for Thunderbird, not for Outlook. But I suppose it's possible.
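The lookup DarkMirage asks for in Reply #7 and the kinit test suggested in Reply #10, tied together as one script. This is an added example, not code from the thread or from SME Server: it reads the kdc entry for a realm out of a krb5.conf laid out like the one posted in the how-to, and with --live resolves that host, probes TCP port 88 and asks the KDC for a ticket. The krb5.conf text embedded below is constructed from the posted file. It assumes host (bind-utils), nc and kinit are installed; on Red Hat-derived systems kinit comes from the krb5-workstation package, which is worth checking when "man kinit" finds nothing.

```shell
#!/bin/sh
# Kerberos reachability checks for a "net ads join" that fails before the
# join itself (added example, not code from the thread or from SME).
# Assumes /etc/krb5.conf uses the [realms] layout posted above and that
# host, nc and kinit are installed. SAMPLE_KRB5 below is constructed.

# kdc_for_realm REALM: read a krb5.conf on stdin and print the host of
# each "kdc =" line inside REALM's block in [realms], port suffix stripped.
# With dns_lookup_kdc = false this line is the only place the library
# looks, so a typo here is exactly what produces "Cannot resolve network
# address for KDC in requested realm".
kdc_for_realm() {
    awk -v realm="$1" '
        /^[ \t]*\[/                          { insec = ($1 == "[realms]"); inrealm = 0; next }
        insec && $1 == realm && $2 == "="    { inrealm = 1; next }
        inrealm && $1 == "}"                 { inrealm = 0; next }
        inrealm && $1 == "kdc" && $2 == "=" {
            host = $3; sub(/:[0-9]+$/, "", host); print host
        }
    '
}

# live_probe REALM [USER]: walk the failure chain seen in the thread.
#   host  fails -> DNS: the "Cannot resolve network address for KDC" case
#   nc    fails -> KDC resolves, but port 88 is blocked or the DC is down
#   kinit fails -> DNS and network are fine; the KDC answered and rejected
#                  the request, and its error text says why
live_probe() {
    realm=$1
    user=${2:-Administrator}
    kdcs=$(kdc_for_realm "$realm" < /etc/krb5.conf)
    if [ -z "$kdcs" ]; then
        echo "no kdc line for realm $realm in /etc/krb5.conf" >&2
        return 1
    fi
    for kdc in $kdcs; do
        host "$kdc" >/dev/null 2>&1 || {
            echo "DNS cannot resolve $kdc (check nameserver and the A record)" >&2
            return 1
        }
        nc -z -w 3 "$kdc" 88 || {
            echo "$kdc resolves but TCP port 88 is unreachable (firewall?)" >&2
            return 1
        }
    done
    # Ask for a TGT; a ticket in the klist output proves the Kerberos path.
    kinit "$user@$realm" && klist
}

# Constructed from the krb5.conf posted in the how-to.
SAMPLE_KRB5='[libdefaults]
 default_realm = DELIRIUM.COM
 dns_lookup_kdc = false

[realms]
 DELIRIUM.COM = {
  kdc = addc.delirium.com:88
  admin_server = addc.delirium.com:749
  default_domain = delirium.com
 }

[domain_realm]
 .delirium.com = DELIRIUM.COM'

case "${1:-}" in
    --live) live_probe "${2:-DELIRIUM.COM}" "${3:-}" ;;
    *)      printf '%s\n' "$SAMPLE_KRB5" | kdc_for_realm DELIRIUM.COM ;;
esac
```

Run it as "sh probe.sh --live DELIRIUM.COM Administrator" on the SME box; without arguments it only parses the embedded sample and prints addc.delirium.com. Because kinit talks to the KDC directly, a ticket from kinit followed by a failing net ads join narrows the problem to the join step itself rather than to DNS or Kerberos.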

thomastegl

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« Reply #11 on: June 06, 2006, 07:01:06 PM »
man kinit

"No manual entry for kinit"


Have ISA-server in system. Don't know if that could be the reason???

Can't find anything else that looks suspicious.

redtechnet

Adding SME 6.0.1/6.5rc1 to Active Directory using Kerberos
« Reply #12 on: June 15, 2006, 08:19:35 AM »
The only problem I'm experiencing thus far with doing this on 7.0rc1:

Code:
root# chown -R 'delirium\username' /home/e-smith/files/users/username

It appears to not even look up a user.

chown: mydomain/myuser': invalid user

/usr/bin/getent passwd doesn't return any users in AD.

Anyone else successful using a newer version of SME?