Know How
Page tree

Versions Compared

Old Version 2

changes.mady.by.user Klaus Keipke

Saved on

compared with

New Version 3

changes.mady.by.user Klaus Keipke

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Danach muss noch die Kerberos-Konfigurationsdatei kontrolliert / angepasst werden.
Wie bereits erwähnt: Nur wenn man ADS verwenden möchte....

Code Block
[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
	default_realm = LEMAKER.FRITZ.BOX

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	ticket_lifetime = 24000
	clock_skew = 300

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	LEMAKER.FRITZ.BOX = {
		kdc = lemaker.fritz.box:88
		admin_server = lemaker.fritz.box:464
		default_domain = LEMAKER.FRITZ.BOX
	}

[domain_realm]
	.lemaker.fritz.box = LEMAKER.FRITZ.BOX
	lemaker.fritz.box = LEMAKER.FRITZ.BOX

[login]
	krb4_convert = true
	krb4_get_tickets = false

Kerberos-Installation testen

(Im Normalfall muss Samba auf dem lokalen System nicht gestartet sein und winbind auch noch nicht)
Selbstverständlich muss aber Samba auf dem Domaincontroller gestartet sein ... 

Code Block
root@ubu:~# kinit Administrator@LEMAKER.FRITZ.BOX
Password for Administrator@LEMAKER.FRITZ.BOX: 
Warning: Your password will expire in 36 days on So 06 Mär 2016 12:37:47 CET
root@ubu:~#
Code Block
root@ubu:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@LEMAKER.FRITZ.BOX

Valid starting       Expires              Service principal
29.01.2016 22:43:29  30.01.2016 05:23:23  krbtgt/LEMAKER.FRITZ.BOX@LEMAKER.FRITZ.BOX
root@ubu:~#

Samba konfigurieren

Code Block
[global]
   security = ads
   realm = LEMAKER.FRITZ.BOX
   #Der folgende Eintrag wird nicht benötigt
   #password server = IPADRESSE     #IP des Domain Controllers

   workgroup = MB
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 10
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   restrict anonymous = 2
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = member server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no