...
Edit /etc/samba/smb.conf as follows:
```ini
[global]
    use kerberos keytab = yes
    kerberos method = system keytab
    realm = UNIV-RENNES1.FR
    security = ADS
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 3
    hosts allow = 148.60.10. 127.

[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    public = yes
```
...
Both the client (host) and the SMB service (cifs) must be declared in the Kerberos realm:
```
[root@server ~]# kadmin
Authenticating as principal root/admin@UNIV-RENNES1.FR with password.
Password for root/admin@UNIV-RENNES1.FR:
kadmin: addprinc -randkey host/server.ifsic.univ-rennes1.fr
WARNING: no policy specified for host/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR; defaulting to no policy
Principal "host/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR" created.
kadmin: ktadd host/server.ifsic.univ-rennes1.fr
Entry for principal host/server.ifsic.univ-rennes1.fr with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server.ifsic.univ-rennes1.fr with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server.ifsic.univ-rennes1.fr with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/server.ifsic.univ-rennes1.fr with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: addprinc -randkey cifs/server.ifsic.univ-rennes1.fr
WARNING: no policy specified for cifs/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR; defaulting to no policy
Principal "cifs/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR" created.
kadmin: ktadd cifs/server.ifsic.univ-rennes1.fr
Entry for principal cifs/server.ifsic.univ-rennes1.fr with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal cifs/server.ifsic.univ-rennes1.fr with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal cifs/server.ifsic.univ-rennes1.fr with kvno 3, encryption type DES with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal cifs/server.ifsic.univ-rennes1.fr with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: exit
[root@server ~]#
```
...
The /etc/krb5.conf file on the Samba server must not allow the use of 3DES encryption. The /etc/krb5.conf file of the Kerberos server must be replicated to every host that holds a service principal (HTTP, cifs, ...).
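As an added check that is not part of the original page, the script below parses the output of `klist -k -e` and verifies that the host/ and cifs/ principals created with kadmin above are present in the keytab, while flagging keys that still use single DES, 3DES or RC4. The klist sample is constructed, and the function names are my own.

```bash
#!/bin/bash
# Verify the Samba host's keytab: the host/ and cifs/ principals created
# with kadmin must be present and no legacy enctype should remain.
# Constructed sample of `klist -k -e /etc/krb5.keytab` output (not from the page).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR (aes256-cts-hmac-sha1-96)
   3 host/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR (des3-cbc-sha1)
   3 host/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR (arcfour-hmac)
   3 cifs/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR (aes256-cts-hmac-sha1-96)
   3 cifs/server.ifsic.univ-rennes1.fr@UNIV-RENNES1.FR (des-cbc-md5)'

# has_principal KLIST_OUTPUT SERVICE FQDN REALM: succeeds if the keytab holds
# at least one key for SERVICE/FQDN@REALM.
has_principal() {
    printf '%s\n' "$1" | grep -q "^ *[0-9][0-9]* $2/$3@$4 "
}

# weak_enctypes KLIST_OUTPUT: prints "principal enctype" for every key that
# uses single DES, 3DES or RC4 (arcfour); modern KDCs reject or deprecate these.
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ {
            enc = $3; gsub(/[()]/, "", enc)
            if (enc ~ /^(des-|des3-|arcfour)/) print $2, enc
        }'
}

# check_keytab KLIST_OUTPUT FQDN REALM: returns 0 only when both principals
# exist and no legacy enctype is present; problems are reported on stderr.
check_keytab() {
    out=$1; fqdn=$2; realm=$3; rc=0
    for svc in host cifs; do
        has_principal "$out" "$svc" "$fqdn" "$realm" ||
            { echo "missing principal: $svc/$fqdn@$realm" >&2; rc=1; }
    done
    weak=$(weak_enctypes "$out")
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | sed 's/^/legacy enctype: /' >&2
        rc=1
    fi
    return $rc
}

# Usage: check_keytab.sh FQDN REALM [KEYTAB]; reads the real keytab via klist.
if [ $# -ge 2 ]; then
    check_keytab "$(klist -k -e "${3:-/etc/krb5.keytab}")" "$1" "$2" || exit 1
fi
```

Run against the constructed sample, the check reports the three legacy keys and exits non-zero; a keytab holding only AES keys for both principals passes.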
Tests
Windows clients
Map a network drive to \\casserver.ifsic.univ-rennes1.fr\tmp.
...
```
[paubry@clinux ~]$ smbclient //casserver.ifsic.univ-rennes1.fr/tmp -k
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.4.2-47.fc12]
smb: \> ls
  .                                   D        0  Fri Jan 22 15:25:32 2010
  ..                                 DR        0  Fri Jan 15 15:15:44 2010
  [...]

		36048 blocks of size 2097152. 32054 blocks available
smb: \> exit
[paubry@clinux ~]$
```