HowTos/Active Directory/Kerberos
From Scalix Wiki
Here is an easier way to set up Scalix to authenticate against AD. This is an alternative to what is documented in the Scalix Setup and Configuration Guide.
These instructions assume you are not using Samba for anything on your Scalix server. If you are, please adjust accordingly.
Active Directory domains are closely tied to DNS domain names and Kerberos realms. For example:
AD Domain Name = mydomain.local
Pre-Windows 2000 Domain Name = MYDOMAIN
DNS Domain = mydomain.local
Kerberos Realm = MYDOMAIN.LOCAL
Step 1 /etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.LOCAL = {
  kdc = mydc1.mydomain.local:88
  admin_server = mydc1.mydomain.local:749
  default_domain = mydomain.local
 }

[domain_realm]
 .mydomain.local = MYDOMAIN.LOCAL
 mydomain.local = MYDOMAIN.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Note: I don't know if it's possible to either have the Kerberos library lookup kdc/admin_server in DNS, or specify multiple servers for redundancy.
Step 2 Test Kerberos:
[root@mail ~]# kinit administrator@MYDOMAIN.LOCAL
Password for administrator@MYDOMAIN.LOCAL:
[root@mail ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@MYDOMAIN.LOCAL
Valid starting Expires Service principal
10/20/08 16:21:43 10/21/08 02:21:46 krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 10/21/08 16:21:43
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Note: If this step does not succeed, nothing will work.
Step 3 /etc/samba/smb.conf (path may vary by distro):
[global]
 workgroup = MYDOMAIN
 security = ads
 realm = mydomain.local
 use kerberos keytab = true
 password server = *
Note: The realm does not need to be upper-case here, but it does elsewhere. A '*' for the password server causes Samba to look up your domain controllers in DNS. If you have issues you may want to try listing them here explicitly (space delimited).
Step 4 Join AD Domain:
net -UAdministrator ads join
This should prompt for your AD Administrator account's password, then report success.
Step 5 Add keytab entry for Scalix:
net -UAdministrator ads keytab add scalix-ual
You can confirm this worked with:
klist -k /etc/krb5.keytab
It should list six principal entries for scalix-ual.
Step 6 Follow the instructions in the Scalix Setup and Configuration Guide to adjust the PAM configuration for the various services.
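The two things that most often go wrong in the procedure above are a realm name that does not match the domain (Step 1) and a keytab that did not receive the expected scalix-ual entries (Step 5). The following POSIX shell script is an added example written for this page; it is not Scalix's, Samba's or MIT Kerberos's own code. It checks both points offline against a constructed krb5.conf fragment and constructed `klist -k` output that mirror what the page shows; on a live host the same functions take the real files and command output (see the comments).

```shell
#!/bin/sh
# Added example for the Scalix AD/Kerberos how-to (not project code):
# offline checks for the realm naming of Step 1 and the keytab result of
# Step 5. SAMPLE_KRB5_CONF and SAMPLE_KLIST below are constructed inputs.

# The Kerberos realm for an AD DNS domain is the same name in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Print default_realm from the [libdefaults] section of a krb5.conf read
# from stdin (on a real host: krb5_default_realm < /etc/krb5.conf).
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    '
}

# Count keytab entries whose principal starts with "<service>/" in
# `klist -k` output read from stdin; klist prints one line per key, so
# the page expects six lines for scalix-ual after Step 5.
# On a real host: klist -k /etc/krb5.keytab | keytab_entry_count scalix-ual
keytab_entry_count() {
    awk -v svc="$1" '
        $1 ~ /^[0-9]+$/ && index($2, svc "/") == 1 { n++ }
        END { print n + 0 }
    '
}

# Succeed (exit 0) only when stdin holds exactly $2 entries for service $1.
keytab_has_entries() {
    svc=$1
    expected=$2
    n=$(keytab_entry_count "$svc")
    [ "$n" -eq "$expected" ]
}

# Constructed krb5.conf fragment, matching Step 1 of the page.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = MYDOMAIN.LOCAL
 dns_lookup_realm = false
[realms]
 MYDOMAIN.LOCAL = {
  kdc = mydc1.mydomain.local:88
 }'

# Constructed `klist -k /etc/krb5.keytab` output after Steps 4 and 5:
# host/ entries from the join, six scalix-ual entries from keytab add.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 host/mail.mydomain.local@MYDOMAIN.LOCAL
   3 host/MAIL@MYDOMAIN.LOCAL
   3 scalix-ual/mail.mydomain.local@MYDOMAIN.LOCAL
   3 scalix-ual/mail.mydomain.local@MYDOMAIN.LOCAL
   3 scalix-ual/mail.mydomain.local@MYDOMAIN.LOCAL
   3 scalix-ual/mail@MYDOMAIN.LOCAL
   3 scalix-ual/mail@MYDOMAIN.LOCAL
   3 scalix-ual/mail@MYDOMAIN.LOCAL'

# Stand-alone run against the constructed samples.
expected_realm=$(realm_for_domain mydomain.local)
configured_realm=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | krb5_default_realm)
if [ "$configured_realm" = "$expected_realm" ]; then
    echo "default_realm OK: $configured_realm"
else
    echo "default_realm mismatch: got '$configured_realm', expected '$expected_realm'"
fi

if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_entries scalix-ual 6; then
    echo "keytab OK: six scalix-ual entries present"
else
    echo "keytab check failed: rerun 'net -UAdministrator ads keytab add scalix-ual'"
fi
```

The realm check only reads the `[libdefaults]` section, so a stray `default_realm` in another section is not mistaken for the effective one; the keytab check keys on the numeric KVNO column, so the header and separator lines of `klist -k` are never counted.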
