UbuntuHelp:Samba/Kerberos

From Ubuntu中文

Revision as of 00:07, 20 May 2010 (Thu) by Wikibot (talk | contribs)


Introduction

Kerberos is an authentication protocol using secret-key cryptography. There are several implementations of the Kerberos protocol used in both commercial and Open Source software. This guide will cover setting up Kerberos on a Ubuntu system with the intent of joining an Active Directory Domain.

Installation

There are several packages that provide Kerberos services and utilities:

  • krb5-user: Basic programs to authenticate using MIT Kerberos.
  • libpam-krb5: PAM module for MIT Kerberos.
  • krb5-config: Configuration files for Kerberos Version 5.
  • libkadm55: MIT Kerberos administration runtime libraries. (No longer available in Karmic)

All these packages are available from the Main repository. See InstallingSoftware for details on using repositories and package managers. Note: if you do not intend to acquire a Kerberos ticket at login, you need not install the libpam-krb5 package.

Configuration

The following examples use example.com as the Active Directory Domain, and win2k3.example.com as the name of the Domain Controller. Change example.com and win2k3.example.com to reflect your AD Domain name and Domain Controller. NOTE: This appears to work to the point of passing the login test and ticket-retrieval described below with Windows 2008 Server with AD running in Native Mode.

Pre-Kerberos Configuration

Confirm Connectivity

The first step to configuring an Ubuntu client for participation in an Active Directory (AD) network is to confirm network connectivity and name resolution for the Active Directory domain controller. An easy way to verify both of these is to ping the Fully Qualified Domain Name (FQDN) of the AD DC on your network.

ping win2k3.example.com

PING win2k3.example.com (10.0.0.1) 56(84) bytes of data.
64 bytes from win2k3.lab.example.com (10.0.0.1): icmp_seq=1 ttl=128 time=0.176ms

The output of the ping response shows successful resolution of the FQDN to an IP Address, and the confirmation of connectivity between your Ubuntu workstation and the AD DC. Connectivity failures when pinging the FQDN usually point to DNS server or client configuration errors. Make sure that your /etc/resolv.conf contains a pointer to your DNS server. See the Network Configuration for information on getting all your network settings correct.

Time settings

Time is essential for Kerberos, which is used for authentication in Active Directory networks: the KDC rejects requests from clients whose clocks differ from its own by more than the permitted skew (five minutes by default), so an unsynchronized clock shows up as a failed kinit. The easiest way to ensure correct time synchronization is to use an NTP server. Every Active Directory Domain Controller is also an NTP server, so for best results, use the FQDN of an AD DC in Ubuntu's default ntpdate application, which syncs time at startup or on demand.

NB: On Ubuntu 8.04 Desktop Edition, the time server program appears to be ntp and may be installed using apt-get install ntp. The configuration file may be edited as described below. On Kubuntu 7.10 (and likely other versions as well) ntpdate does not pull the server name from any config files; instead it expects the NTP server as an argument on the command line. In that case it is simplest to use the "adjust date and time" options of the GUI clock: choose "set date and time automatically" and enter your AD DC as the NTP server. If ntpdate does read its config file, set things up in /etc/default/ntpdate as below.

file: /etc/default/ntpdate

# servers to check
NTPSERVERS="win2k3.example.com"
# additional options for ntpdate
NTPOPTIONS="-u"

sudo /etc/init.d/ntpdate restart

(On systems that use the ntp package this may be "sudo /etc/init.d/ntp restart".)

* Synchronizing clock to win2k3.example.com...    [ ok ]

FQDN

A valid FQDN is essential for Kerberos and Active Directory. Active Directory is heavily dependent upon DNS, and it is likely that your Active Directory Domain Controllers are also running the Microsoft DNS server package. Here, we will edit the local hosts file on your Ubuntu workstation to make sure that your FQDN is resolvable.

file: /etc/hosts

127.0.0.1 linuxwork.example.com localhost linuxwork

You can test your configuration by pinging your own FQDN. The output should be similar to the ping output above, from the Network Connectivity test (of course, the FQDN will be your own, and the IP address will be 127.0.0.1).

krb5-config

If you choose to install the krb5-config package, the installation will present a prompt:

What are the Kerberos servers for your realm?
win2k3.example.com

What is the administrative server for your Kerberos realm?
win2k3.example.com

These prompts should be answered according to the Active Directory Domain Controller in charge of your domain. The krb5-config process customizes the /etc/krb5.conf file for your installation.

/etc/krb5.conf

Another way to configure Kerberos is to simply edit the /etc/krb5.conf file by hand. This approach allows greater customization of the file, but lacks the automation of the krb5-config package. Both paths take you to the same destination.

[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = EXAMPLE.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    EXAMPLE.COM = {
        kdc = win2k3.example.com
        admin_server = win2k3.example.com
        default_domain = EXAMPLE.COM
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
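As an added example (not from the original page), a small Python checker that parses a krb5.conf in the layout shown above and flags the mistakes this guide warns about: a realm that is not upper case, a default_realm with no [realms] entry, a realm without a kdc, and domain_realm mappings that mix case. SAMPLE_CONF is constructed for the example and deliberately contains a lower-case default_realm.

```python
import re
# Constructed sample of the guide's krb5.conf, with default_realm deliberately lower-cased.
SAMPLE_CONF = """
[libdefaults]
    default_realm = example.com
[realms]
    EXAMPLE.COM = {
        kdc = win2k3.example.com
        admin_server = win2k3.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    # Handles [section] headers, key = value lines and name = { ... } realm blocks.
    conf, section, sub = {}, None, None
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, sub = conf.setdefault(header.group(1), {}), None
        elif section is None:
            raise ValueError("key before any [section]: %s" % line)
        elif line == "}":                       # end of a realm block
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                    # start of a realm block
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section)[key] = value
    return conf

def validate(conf):
    # Returns the problems that would make kinit against AD fail.
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm or realm != realm.upper():
        problems.append("default_realm %r is missing or not upper case" % realm)
    realms = conf.get("realms", {})
    if realm and realm not in realms:
        problems.append("[realms] has no entry for %s" % realm)
    for name, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            problems.append("[realms] %s: no kdc defined" % name)
    for dom, r in conf.get("domain_realm", {}).items():
        if dom != dom.lower() or r != r.upper():
            problems.append("domain_realm %s = %s: domain lower, realm upper" % (dom, r))
    return problems
```

Run validate(parse_krb5_conf(open("/etc/krb5.conf").read())) on a real file; an empty list means the layout matches what kinit expects.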

Testing

The krb5-user package contains utilities to help test and authenticate to a Kerberos server. Request a Ticket-Granting Ticket (TGT) by issuing the kinit command, as shown (you can use any valid domain account; it doesn't have to be Administrator). Note that the realm name, i.e. the domain name, must be given in upper case. You can also omit the realm from the command if the default_realm directive is properly set in the /etc/krb5.conf file.

kinit Administrator@EXAMPLE.COM
Password for Administrator@EXAMPLE.COM: ****

Check if ticket request was valid using the klist command.

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
01/21/05 10:28:51  01/21/05 20:27:43    krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 01/21/05 20:28:51

At this point, your Kerberos installation and configuration is operating correctly. You can release your test ticket by issuing the kdestroy command. Note: this guide has been tested on Ubuntu 8.04 (Hardy Heron) and Ubuntu 9.10 (Karmic)