Difference between revisions of "HowTos/Active Directory/Kerberos"
Latest revision as of 14:58, 30 June 2010
Here is an easier way to set up Scalix to authenticate against AD. This is an alternative to what is documented in the Scalix Setup and Configuration Guide.
These instructions assume you are not using Samba for anything on your Scalix server. If you are, please adjust accordingly.
Active Directory domains are closely tied to DNS domain names and Kerberos realms. For example:

    AD Domain Name               = mydomain.local
    Pre-Windows 2000 Domain Name = MYDOMAIN
    DNS Domain                   = mydomain.local
    Kerberos Realm               = MYDOMAIN.LOCAL
Step 1 /etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = MYDOMAIN.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     MYDOMAIN.LOCAL = {
      kdc = mydc1.mydomain.local:88
      admin_server = mydc1.mydomain.local:749
      default_domain = mydomain.local
     }

    [domain_realm]
     .mydomain.local = MYDOMAIN.LOCAL
     mydomain.local = MYDOMAIN.LOCAL

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Note: I don't know if it's possible to either have the Kerberos library look up kdc/admin_server in DNS, or specify multiple servers for redundancy.
Step 2 Test Kerberos:

    [root@mail ~]# kinit administrator@MYDOMAIN.LOCAL
    Password for administrator@MYDOMAIN.LOCAL:
    [root@mail ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@MYDOMAIN.LOCAL

    Valid starting     Expires            Service principal
    10/20/08 16:21:43  10/21/08 02:21:46  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
            renew until 10/21/08 16:21:43

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

Note: If this step does not succeed, nothing will work.
Step 3 /etc/samba/smb.conf (path may vary by distro):

    workgroup = MYDOMAIN
    security = ads
    realm = mydomain.local
    use kerberos keytab = true
    password server = *

Note: The realm does not need to be upper-case here, but it does elsewhere. A '*' for the password server causes Samba to look up your domain controllers in DNS. If you have issues you may want to try listing them here explicitly (space delimited).
Step 4 Join AD Domain:

    net -UAdministrator ads join

This should prompt for your AD Administrator account's password, then report success.
Step 5 Add keytab entry for Scalix:

    net -UAdministrator ads keytab add scalix-ual

You can confirm this worked with:

    klist -k /etc/krb5.keytab

It should list six principal entries for scalix-ual.
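As an added example (not part of the original wiki page or of Scalix), here is a small POSIX shell script that sanity-checks two of the artifacts the procedure above produces: the /etc/krb5.conf from Step 1 (balanced braces, upper-case default_realm, both [domain_realm] mappings present) and the `klist -k` listing from Step 5 (exactly six scalix-ual entries). The realm, domain and principal names are the page's own; the sample krb5.conf and klist output are constructed here so the script runs offline, and the "missing closing brace" case is an assumed failure mode, not something the page reports.

```shell
#!/bin/sh
# Added example (not from the Scalix wiki page): offline checks for the Step 1
# krb5.conf and the Step 5 keytab listing. Sample inputs below are constructed.

# count_char FILE CHAR: number of times CHAR occurs in FILE.
count_char() {
    tr -cd "$2" < "$1" | wc -c | tr -d ' '
}

# krb5_conf_ok FILE REALM: succeed only if braces balance (an unclosed "{" in
# [realms] or [appdefaults] makes the whole file unusable), default_realm is
# REALM in upper case, and both ".domain" and "domain" map to REALM.
krb5_conf_ok() {
    f=$1; realm=$2
    esc=$(printf '%s' "$realm" | sed 's/\./\\./g')                      # MYDOMAIN\.LOCAL
    lower=$(printf '%s' "$realm" | tr 'A-Z' 'a-z' | sed 's/\./\\./g')   # mydomain\.local
    if [ "$(count_char "$f" '{')" != "$(count_char "$f" '}')" ]; then
        echo "$f: unbalanced braces"; return 1
    fi
    if ! grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$esc[[:space:]]*$" "$f"; then
        echo "$f: default_realm is not $realm"; return 1
    fi
    if ! grep -Eq "^[[:space:]]*\\.$lower[[:space:]]*=[[:space:]]*$esc[[:space:]]*$" "$f"; then
        echo "$f: missing .domain -> $realm mapping"; return 1
    fi
    if ! grep -Eq "^[[:space:]]*$lower[[:space:]]*=[[:space:]]*$esc[[:space:]]*$" "$f"; then
        echo "$f: missing domain -> $realm mapping"; return 1
    fi
    return 0
}

# keytab_count KLIST_OUTPUT PRINCIPAL: count key entries in saved "klist -k"
# output whose principal is PRINCIPAL, bare or in PRINCIPAL/host form.
# Header lines are skipped by requiring a numeric KVNO in column 1.
keytab_count() {
    awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 ~ ("^" p "[/@]") { n++ } END { print n + 0 }' "$1"
}

tmpd=$(mktemp -d)

# Constructed krb5.conf with the Step 1 layout (only the sections the checks read).
cat > "$tmpd/krb5.good" <<'EOF'
[libdefaults]
 default_realm = MYDOMAIN.LOCAL
[realms]
 MYDOMAIN.LOCAL = {
  kdc = mydc1.mydomain.local:88
 }
[domain_realm]
 .mydomain.local = MYDOMAIN.LOCAL
 mydomain.local = MYDOMAIN.LOCAL
EOF

# Same file with the closing brace of [realms] dropped (assumed copy/paste error).
sed '/^ }$/d' "$tmpd/krb5.good" > "$tmpd/krb5.bad"

# Constructed "klist -k /etc/krb5.keytab" output after Steps 4 and 5: the host
# principals from the join plus two scalix-ual name forms, one line per key.
cat > "$tmpd/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/mail.mydomain.local@MYDOMAIN.LOCAL
   2 host/MAIL@MYDOMAIN.LOCAL
   2 scalix-ual/mail.mydomain.local@MYDOMAIN.LOCAL
   2 scalix-ual/mail.mydomain.local@MYDOMAIN.LOCAL
   2 scalix-ual/mail.mydomain.local@MYDOMAIN.LOCAL
   2 scalix-ual/MAIL@MYDOMAIN.LOCAL
   2 scalix-ual/MAIL@MYDOMAIN.LOCAL
   2 scalix-ual/MAIL@MYDOMAIN.LOCAL
EOF

krb5_conf_ok "$tmpd/krb5.good" MYDOMAIN.LOCAL && echo "krb5.good: ok"
krb5_conf_ok "$tmpd/krb5.bad" MYDOMAIN.LOCAL || echo "krb5.bad: rejected as expected"
echo "scalix-ual keytab entries: $(keytab_count "$tmpd/klist.out" scalix-ual)"
```

On a real server, point `krb5_conf_ok` at /etc/krb5.conf and feed `keytab_count` the saved output of `klist -k /etc/krb5.keytab`; a count other than six for scalix-ual means Step 5 did not complete as the page expects.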
Step 6 Follow the instructions in the Scalix Setup and Configuration Guide to adjust the PAM configuration for the various services.