IPA server with Samba


This document describes how to connect samba to IPA-server and will use Kerberos SSO for shares. It describes how to install samba on a secondary server, but will also apply for the local ipa-server server.

[edit]IPA Client Installation

One of the greatest features of IPA is that when you install the IPA client, all “Kerberised” services on that client can directly use it. The only thing you need to do is tell the service that it should use Kerberos. This is the reason why we will install the IPA client onto both the client, and the Samba server. The Samba server may be a “server”, but to the IPA server, it's a client. Simply run the following commands, which will install and configure the IPA and Samba client software:

[client]# yum -y install ipa-client samba-client
[client]# ipa-install-client

Remember, the IPA client software should be installed on both your IPA client and the Samba server.

[edit]Using the IPA Web Interface

You can administer the IPA server from both server and clients, the latter being the preferred one. Before you fire up your web browser and navigate to the IPA server's web interface, you will need to follow the instructions given by the IPA server installer. This means that you will need to obtain a Kerberos ticket for the Administrative User first. To obtain the credentials for the Administrative User, admin, run the following command on the IPA client:

[client]# kinit admin@EXAMPLE.COM
Password for admin@EXAMPLE.COM:

Your web browser should be able to use your Kerberos credentials for authenticating against the IPA server. Simply start for example Firefox, and navigate to the provided address, in our examplehttp://ipaserver.example.com. Using Firefox version 3, you will have to add an exception to connect to the IPA web server. With he instructions and links on the web page will providecarefully, and follow

[edit]Adding a user to the IPA domain

To create users within your IPA domain, you can use the IPA web interface and the IPA command line tools. From the IPA web interface, select Add User from the Tasks menu. Fill in the required fields, and press the Add User button. Please note that If you haven't configured automatic creation of home directories on your IPA clients, then you will have to create these home directories by hand. The first time the user logs on to an IPA client, he or she will have to change the initial password.

[edit]Samba Server Software Installation and Configuration

Since the IPA client software already has been installed, the only software you will need is the Samba server, which can be installed by running the following command:

[samba]# yum -y install samba

[edit]Service Principals

Using Kerberos Service Principals with IPA will allow your clients to obtain Kerberised access to all sorts of services, providing managed single-signon (SSO) connectivity from the clients to these services, and in this case, to Samba shares. It is also possible to add Service Principals for services such as NFS, SSH, and more.

To create the Service Principal for your Samba service from the IPA web interface, select Add Service Principals from the Tasks menu on the right-hand side of the screen. Enter the full Host Name of your new Samba Server, including the domain name, and select CIFS for the Service Type. Simply press the Add Principal button to add the Service Principal to the IPA server

[edit]Creating the keytab file on the Samba server

What the Samba server needs to perform Kerberos authentication for it's CIFS service, is a so called Kerberos keytab. A keytab file is an encrypted, local copy of the Samba server's key from the IPA Kerberos database. Our keytab will hold the key for the CIFS service principal on samba.example.com, which we just generated in the IPA server's web interface. The default location for the keytab file on Linux systems is /etc/krb5.keytab. From the command-line prompt of your Samba server execute the following IPA command, which will store the CIFS Service key for your Samba server in the local file /etc/krb5.keytab:

[samba]# ipa-getkeytab --server ipaserver.example.com –principal cifs/samba.example.com --keytab /etc/krb5.keytab

[edit]Creating the Samba configuration file

The only thing that needs to be done from this point on, is that Samba needs to be told to make use of this Kerberos keytab. There are two parameters within the Samba configuration file, /etc/samba/smb.conf, that are of special importance; “realm” and “use kerberos keytab”. Please note that in this example, the Samba server is a Domain Master, and not an ADS domain member.

         workgroup           = EXAMPLE.COM
         server string       = Samba Server Version %v
         security            = user
         passdb backend      = smbpasswd
         socket options      = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         os level            = 33
         domain logons       = yes
         domain master       = yes
         local master        = yes
         preferred master    = yes
         wins support        = yes
         template shell      = /bin/false
         realm               = EXAMPLE.COM
         use kerberos keytab = yes
         load printers       = yes
         cups options = raw
         log level    = 3 passdb:5 auth:10
        comment      = Home Directories
        browseable   = no
        writable     = yes
        comment      = All Printers
        path         = /var/spool/samba
        browseable   = no
        guest ok     = no
        writable     = no
        printable    = yes
        comment      = Share
        path         = /share
        browseable   = yes
        guest ok     = no
        writable     = yes
        valid users  = jeroen

After the modification of /etc/samba/smb.conf you may start, or need to restart, the Samba service

[samba]# service smb start
Starting SMB services:                                                       [     OK  ]

[edit]Testing your Kerberised Samba Server

Log into your IPA client using the account you have created earlier, in this example pkrul. You can now use the smbclient command, and examine the services that are available on your Samba server. Note the “-k” parameter, which is needed to authenticate against the IPA server.

[ipaclient]$ smbclient -k -L samba.example.com
OS=[Unix] Server=[Samba 3.0.28-0.el5.8]
        Sharename       Type     Comment
        ---------       ----     -------
        share           Disk     Share
        IPC$            IPC      IPC Service (Samba Server Version 3.0.28-0.el5.8)
        testprinter     Printer  Xerox Workcenter
        pkrul           Disk     Home Directories
OS=[Unix] Server=[Samba 3.0.28-0.el5.8]
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
        EXAMPLE.COM          SAMBA

You can also build an FTP-like remote connection to the Samba server with smbclient from the IPA client, and while connected, you can examine the status on the Samba server with the smbstatus command.

[ipaclient]$ smbclient -k //samba.example.com/share
OS=[Unix] Server=[Samba 3.0.28-0.el5.8]
smb: \>
[samba]# smbstatus
Processing section "[homes]"
Processing section "[printers]"
Processing section "[share]"
Samba version 3.0.28-0.el5.8
PID     Username      Group         Machine
22056   pkrul         ipausers (
Service       pid    machine       Connected at
share         22056 Thu Jul 10 10:08:57 2008
No locked files

The Samba log file should also display entries of your attempts to connect to the Samba services:

[samba]# view /var/log/samba/smbd.log

[2008/07/10 10:07:55, 3] libads/kerberos_verify.c:ads_keytab_verify_ticket(144)
  ads_keytab_verify_ticket: krb5_rd_req_return_keyblock_from_keytab succeeded for
principal cifs/samba.example.com@EXAMPLE.COM
[2008/07/10 10:07:55, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [jeroen@EXAMPLE.COM]