Hello list,
I'd like to share with you my experience with Samba4 AD-DC and Mac OSX
Mountain Lion 10.8.4: joining it to the domain and using the Kerberos
implementation on OSX to authenticate users against the AD.
Maybe it's useful to someone here.
My scenario:
My domain controller is in a remote location and I've got my router
(Mikrotik) set up to create a PPTP tunnel to the w2k8 server as a domain
user, with NAT and routes set up accordingly (not covered here).
Desktop computer running OSX ML 10.8.4 (mine is a custom build)
Domain: example.local
PDC: samba.example.local (10.10.10.5) Samba4
BDC1: bdc.example.local (10.10.10.20) Samba4
BDC2: w2k8.example.local (10.10.10.15) W2K8 R2
Now for the exciting part
1) Configure OSX for Kerberos authentication
Copy krb5.conf from your Samba4 domain controller to your Mac, then
from a Terminal:
$ sudo mv /Path/To/krb5.conf /etc/
$ sudo chown root:wheel /etc/krb5.conf
$ sudo chmod 644 /etc/krb5.conf
Confirm that you can successfully obtain a Kerberos Ticket Granting
Ticket (TGT):
Use "kinit" with your username to obtain a ticket. Use "klist" to show
that your user ID has a "krbtgt" ticket, then use "kdestroy" to
destroy/invalidate the ticket.
Last login: Sat Jun 22 20:59:53 on console
localhost:~ dave$ kinit david [PRESS ENTER]
david@EXAMPLE.LOCAL's Password: [ENTER USER'S PASSWORD]
localhost:~ dave$ klist [PRESS ENTER]
Credentials cache: API:501:5
Principal: david@EXAMPLE.LOCAL
Issued Expires Principal
Jun 23 15:02:28 2013 Jun 24 01:02:20 2013
krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
localhost:~ dave$ kdestroy [PRESS ENTER]
localhost:~ dave$
If everything goes as expected you've got Kerberos working on your OSX ML.
2) Configure Active Directory for Authorization
Enable Directory Services with Active Directory for Authorization
From a Finder window
- open /System/Library/CoreServices/Directory\ Utility.app
- Unlock, authenticate as the local admin.
- Select Active Directory
- Leave "Active Directory Forest" empty; it'll automatically be filled in
- In "Active Directory Domain" enter your domain name, in our case
example.local
- On computerID input your computer's name
- Optional: check create mobile account at login (roaming profile-like
account I guess)
- Hit Bind button
- You'll be prompted for the administrator credentials, so input them
- Computer OU leave as default CN=Computers,DC=example,DC=local
- Check Use for authentication
- Check Use for Contacts (optional)
You'll see the little thing spinning and if you've got your samba running
on another terminal you'll see how the computer account is created and
the workstation is joined to the domain and the Bind button will change
to Unbind, so if no errors showed you've just joined your Mac OSX 10.8.4
to your Samba 4 domain.
Enable logins for Network Users at OSX's Login Window:
- Apple Menu -> System Preferences
- Users & Groups Pref Pane
- Unlock the Pad Lock and Authenticate as local admin
- Click "Login Options"
- Turn OFF Automatic Login
- Set "Display login window as" to "Name and password"
- This setting can also be configured with a command. Run the following
line in the Terminal to set the login window to show username and
password fields:
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool "TRUE"
- Enable "Allow network users to log in at login window",
- Click "Options..." and set "All Network users", Click DONE.
- Network Account Server: EXAMPLE server should be listed and showing a
green "gum drop" icon.
Confirm that you can identify Active Directory users:
localhost:~ dave$ id david
uid=2002409141(david) gid=2125881087(EXAPLE\Domain Users)
groups=2125881087(EXAPLE\Domain Users),704058724(EXAPLE\Group Policy
Creator Owners),1845177527(EXAPLE\Denied RODC Password Replication
Group),2097499953(EXAPLE\RAS and IAS Servers),316274987(EXAPLE\VPN
Users),620839770(EXAPLE\EXAPLE),12(everyone),62(netaccounts),863062263(EXAPLE\Enterprise
Admins)
localhost:~ dave$
3) Enable Kerberos tickets at login
Applying the below configuration changes will enable OSX to
automatically obtain a Kerberos TGT for the logged in user. This is
quite handy when you want the user to be able to mount servers that are
"kerberized".
First make a backup copy of /etc/pam.d/authorization, then edit the file
so that the pam_krb5.so lines at the top read as follows (the stock
"auth optional pam_krb5.so use_first_pass use_kcminit" line gets
default_principal appended, and the "sufficient" line is added right
after it):
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
auth sufficient pam_krb5.so use_first_pass default_principal
Use a Terminal.app text editor like 'vi' or 'nano', use a GUI editor
like TextWrangler, BBEdit, or TextMate, or use this terminal command
(one line; the \s+ lets it match the stock file's tab/space alignment,
and sudo is needed because /etc/pam.d is owned by root):
sudo /usr/bin/perl -pi -e 's/^auth\s+optional\s+pam_krb5\.so\s+use_first_pass\s+use_kcminit[ \t]*$/auth optional pam_krb5.so use_first_pass use_kcminit default_principal\nauth sufficient pam_krb5.so use_first_pass default_principal/' "/etc/pam.d/authorization"
Check that /etc/pam.d/authorization looks like the following example:
$ cat /etc/pam.d/authorization
# authorization: auth account
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
auth sufficient pam_krb5.so use_first_pass default_principal
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
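The same step-3 change as a small script, added here as an example (not code from the original post or from the PSU guide): it tolerates the stock file's tab/space column alignment, keeps a .bak copy, and is safe to run twice. The file path is a parameter so you can try it on a copy first; the real file on OS X is /etc/pam.d/authorization, and the demo at the bottom runs on a constructed copy only.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies the step-3 PAM change
# to an "authorization" file idempotently and with a backup.

# pam_has_krb5_login FILE -> 0 when both required pam_krb5.so auth lines are present
pam_has_krb5_login() {
    f="$1"
    grep -Eq '^auth[[:space:]]+optional[[:space:]]+pam_krb5\.so[[:space:]]+use_first_pass[[:space:]]+use_kcminit[[:space:]]+default_principal[[:space:]]*$' "$f" &&
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so[[:space:]]+use_first_pass[[:space:]]+default_principal[[:space:]]*$' "$f"
}

# pam_enable_krb5_login FILE -> rewrites FILE (backup kept in FILE.bak); 0 on success
pam_enable_krb5_login() {
    f="$1"
    pam_has_krb5_login "$f" && return 0            # already done: nothing to change
    cp "$f" "$f.bak" || return 1
    # only add the "sufficient" line if no pam_krb5.so sufficient line exists yet
    if grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_krb5\.so' "$f"; then ns=0; else ns=1; fi
    awk -v need_suff="$ns" '
      # stock line: "auth optional pam_krb5.so use_first_pass use_kcminit"
      $1=="auth" && $2=="optional" && $3=="pam_krb5.so" && !done {
          line=$0
          if (line !~ /default_principal/) line=line " default_principal"
          print line
          if (need_suff == 1) print "auth       sufficient     pam_krb5.so use_first_pass default_principal"
          done=1; next
      }
      # an existing sufficient line that lacks default_principal gets it appended
      $1=="auth" && $2=="sufficient" && $3=="pam_krb5.so" && $0 !~ /default_principal/ {
          print $0 " default_principal"; next
      }
      { print }
    ' "$f.bak" > "$f" || return 1
    pam_has_krb5_login "$f"
}

# demo on a constructed copy of the stock 10.8 layout (not the live system file)
demo=$(mktemp)
printf 'auth\toptional\tpam_krb5.so use_first_pass use_kcminit\nauth\toptional\tpam_ntlm.so use_first_pass\n' > "$demo"
pam_enable_krb5_login "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
```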
4) Test Logins
Restart, log in with a domain user (the original PSU guide says "your
Penn State Access ID" here), open Terminal and verify that you have a
ticket with "klist". Open System Preferences and "Accounts" to verify
you are a network user.
If some users can log in and others can't, it's possible that they are
not yet listed in LDAP, or their LDAP attributes might be missing or
have the wrong case. To check for a user ID, do the following from the
command line (Terminal.app):
$ ldapsearch -h example.local -x -b "dc=example,dc=local" "uid=david" >
/tmp/ldap-data.txt
$ grep "uid:" /tmp/ldap-data.txt ; grep "psDirIDN:" /tmp/ldap-data.txt ;
grep "cn:" /tmp/ldap-data.txt ; grep "psUidNumber:" /tmp/ldap-data.txt
uid: david
psDirIDN: 367777
cn: JUSTIN DAVID GONZALEZ
psUidNumber: 493417
If any of the attributes do NOT appear, there might be an issue with the
user's Active Directory record: either missing attributes or attributes
whose letter case does not match.
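To make the check above mechanical, here is an added example (not from the original post) that reads an ldapsearch LDIF dump and reports, per attribute, whether it is present, present only under a different letter case, or missing, which are the two failure modes just described. The attribute names and the sample record are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks an LDIF file (e.g. the
# /tmp/ldap-data.txt produced by ldapsearch) for required attributes.

# ldif_attr_status LDIF_FILE ATTR -> prints "ok", "case:<name-as-found>" or "missing"
# exit status: 0 ok, 2 wrong case, 1 missing
ldif_attr_status() {
    f="$1"; want="$2"
    if grep -q "^$want:" "$f"; then          # exact name; also matches "::" (base64)
        echo ok; return 0
    fi
    found=$(awk -F: -v w="$want" 'tolower($1)==tolower(w){print $1; exit}' "$f")
    if [ -n "$found" ]; then
        echo "case:$found"; return 2
    fi
    echo missing; return 1
}

# ldif_check LDIF_FILE ATTR... -> one "attr status" line per attribute;
# returns 0 only when every attribute is present with the expected case
ldif_check() {
    f="$1"; shift; rc=0
    for a in "$@"; do
        s=$(ldif_attr_status "$f" "$a") || rc=1
        echo "$a $s"
    done
    return $rc
}

# constructed sample of what "ldapsearch ... uid=david" might return:
# "psuidnumber" deliberately has the wrong case and "psDirIDN" is absent
demo_ldif=$(mktemp)
cat > "$demo_ldif" <<'EOF'
dn: CN=David,CN=Users,DC=example,DC=local
uid: david
cn: JUSTIN DAVID GONZALEZ
psuidnumber: 493417
EOF
ldif_check "$demo_ldif" uid psDirIDN cn psUidNumber
rm -f "$demo_ldif"
```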
5) Additional System Changes
LoginWindow StartupDelay
To help keep the loginwindow from showing the status of the EXAMPLE
server as red, you can use this command to tell it to wait until DNS is
ready before starting. Doing this helps keep the "red dot of despair"
from appearing after boot.
sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow StartupDelay -int 60
Voila, you can now have your Mac joined to your shiny samba4 DC and you
can login with any domain user and use your mac as usual with the added
benefit of the network shares and the thrill and pride that you made it
yourself.
I changed some of the steps to work on Samba / Active Directory as these
steps were all for LDAP.
Source:
https://wikispaces.psu.edu/display/clcmaclinuxwikipublic/Mountain+Lion+Authentication+Configuration#MountainLionAuthenticationConfiguration-2)ConfigureLDAPforAuthorization
Note: This was also on the PSU site but I haven't tried it yet as I
don't use the screen saver and I also hate it when I have to type a password
to get out of it.
I hope this comes in handy for someone out there.
Note 2: This is on a production environment for the company I do IT for
and it's been working like a charm.
Cheers.
SAY IT LOUD: SAMBA 4 RULES!!!
so k$ that won't go to Micro$oft's pockets but neither to mine :-(
--
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh