Running a Samba AD DC with MIT Kerberos KDC

From SambaWiki

Introduction

On an Active Directory (AD) domain controller (DC), Samba relies on an external Kerberos implementation to provide the Key Distribution Center (KDC). In version 4.6 and earlier, Samba only supported the Heimdal Kerberos implementation for the KDC. For this reason, vendors of operating systems that only ship MIT Kerberos could not provide packages with AD DC capabilities. On these operating systems you can build Samba yourself or use third-party packages with AD DC support to set up a DC, but Samba cannot be fully integrated into operating systems that use MIT Kerberos.

Samba 4.7 and later can be built with MIT Kerberos. Distributions that previously did not provide AD DC-aware Samba packages because they use MIT Kerberos are now able to provide such packages. For details about migrating a Samba DC, for example from a self-compiled installation to packages, see Migrating a Samba Installation.

Use this documentation if you want to:

  • Build Samba with the MIT Kerberos back end and set up a new AD DC.
  • Migrate a Heimdal Kerberos-based Samba DC installation to the MIT Kerberos back end.

Experimental Feature

Samba 4.7 and later versions ship with code to support building the Samba AD DC using MIT Kerberos. Since that release, real-world use has uncovered a number of issues, including security issues. Unfortunately, the Samba Team has not been able to allocate the resources to resolve these issues to a standard we are happy with, so the Samba 4.9.3, 4.8.7 and 4.7.12 releases mark this mode more clearly as experimental.

As an experimental feature, we will not be issuing security patches for this feature, including for:

(which is fixed in 4.7, 4.8 and 4.9 in 2018)

Known Limitations of MIT Kerberos Support in Samba

As of version 4.17, Samba DCs with the MIT Kerberos KDC have the following limitations:

  • Running as a read-only domain controller (RODC) is not supported.
  • Authentication audit logging is not supported.

Building Samba with MIT Kerberos Support

To enable MIT Kerberos support when you build Samba:

  • Pass the --with-system-mitkrb5 --with-experimental-mit-ad-dc options to the configure script when you build Samba. For further details on building Samba, see Build Samba from Source.

Verifying if Samba Has Been Built with MIT Kerberos Support

To verify if Samba has been built with MIT Kerberos support, enter:

# smbd -b | grep HAVE_LIBKADM5SRV_MIT
   HAVE_LIBKADM5SRV_MIT

If no output is displayed, Samba was compiled without MIT Kerberos support and uses Heimdal Kerberos.

Configuring the MIT KDC on a new DC

When you provision a new DC or join a DC to an existing AD, samba-tool automatically creates the /usr/local/samba/private/kdc.conf file. No further action is required.

The kdc.conf file is stored in Samba's private directory. To locate this directory:

# smbd -b | grep "PRIVATE_DIR"
  PRIVATE_DIR: /usr/local/samba/private/

Migrating a DC That Previously Used the Heimdal KDC

If you previously ran a DC that used the Heimdal KDC and want to migrate the DC to use MIT Kerberos:

  • Be aware that, until this note is removed, using MIT Kerberos on a Samba AD DC is classed as experimental and is not recommended for production use.
  • Build Samba with MIT Kerberos support using the same installation directories. For details, see Building Samba with MIT Kerberos Support.
  • Install the MIT Kerberos-aware Samba over your existing installation.
  • Manually create the kdc.conf file:
      • Locate the path to the Samba private directory:
        # smbd -b | grep "PRIVATE_DIR"
          PRIVATE_DIR: /usr/local/samba/private/
        In a later step you will create the kdc.conf in this directory.
      • Locate the path to the Samba modules directory:
        # smbd -b | grep "MODULESDIR"
          MODULESDIR: /usr/local/samba/lib/
        The samba.so Kerberos database module is stored in the krb5/plugins/kdb/ subdirectory of the modules directory. In the previous example, the file is located in the /usr/local/samba/lib/krb5/plugins/kdb/ directory. In the next step, set the db_module_dir parameter in the kdc.conf file to this directory.
      • Create the kdc.conf in the Samba private directory, for example /usr/local/samba/private/kdc.conf:
[kdcdefaults]
       kdc_ports = 88
       kdc_tcp_ports = 88
       kadmind_port = 464

[realms]
       SAMDOM.EXAMPLE.COM = {
               master_key_type = aes256-cts
               default_principal_flags = +preauth
       }

       samdom.example.com = {
               master_key_type = aes256-cts
               default_principal_flags = +preauth
       }

       SAMDOM = {
               master_key_type = aes256-cts
               default_principal_flags = +preauth
       }

[dbmodules]
       # Set the following parameter to the directory
       # that contains the samba.so database module:
       db_module_dir = /usr/local/samba/lib/krb5/plugins/kdb/

       SAMDOM.EXAMPLE.COM = {
               db_library = samba
       }

       samdom.example.com = {
               db_library = samba
       }

       SAMDOM = {
               db_library = samba
       }

[logging]
       kdc = FILE:/var/log/samba/mit_kdc.log
       admin_server = FILE:/var/log/samba/mit_kadmin.log

(It would be nice if Samba were able to generate this file, either automatically on demand or at least by running a samba-tool command. See python/samba/provision/kerberos.py in the Samba sources.)
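The manual steps above (read PRIVATE_DIR and MODULESDIR from smbd -b, then write a kdc.conf with the three realm spellings) can be scripted. This is an added example, not Samba's own tooling: it assumes the NetBIOS domain name is the first DNS label of the realm unless you pass it explicitly, and it refuses to overwrite a kdc.conf that already exists.

```shell
#!/bin/sh
# Added example (not Samba's own tooling): build a kdc.conf like the one above
# from the realm name and the directories that "smbd -b" reports.

# Print the value of one "smbd -b" key (PRIVATE_DIR, MODULESDIR, ...) read
# from stdin; lines look like "   PRIVATE_DIR: /usr/local/samba/private/".
build_option() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Write a kdc.conf to stdout for realm $1 using the Samba modules directory
# $2, with $3 as the NetBIOS domain name (assumed to be the first DNS label
# when omitted). Each realm spelling gets a [realms] and a [dbmodules] entry.
gen_kdc_conf() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    short=${3:-${upper%%.*}}
    printf '[kdcdefaults]\n       kdc_ports = 88\n       kdc_tcp_ports = 88\n'
    printf '       kadmind_port = 464\n\n[realms]\n'
    for r in "$upper" "$lower" "$short"; do
        printf '       %s = {\n               master_key_type = aes256-cts\n' "$r"
        printf '               default_principal_flags = +preauth\n       }\n\n'
    done
    # samba.so lives in krb5/plugins/kdb/ below the modules directory
    printf '[dbmodules]\n       db_module_dir = %s/krb5/plugins/kdb/\n\n' "${2%/}"
    for r in "$upper" "$lower" "$short"; do
        printf '       %s = {\n               db_library = samba\n       }\n\n' "$r"
    done
    printf '[logging]\n       kdc = FILE:/var/log/samba/mit_kdc.log\n'
    printf '       admin_server = FILE:/var/log/samba/mit_kadmin.log\n'
}

# Usage on the DC (as root): sh gen-kdc-conf.sh SAMDOM.EXAMPLE.COM [SAMDOM]
# Refuses to overwrite an existing kdc.conf, e.g. one samba-tool created.
if [ -n "$1" ] && command -v smbd >/dev/null 2>&1; then
    build=$(smbd -b)
    private_dir=$(printf '%s\n' "$build" | build_option PRIVATE_DIR)
    modules_dir=$(printf '%s\n' "$build" | build_option MODULESDIR)
    target="${private_dir%/}/kdc.conf"
    if [ -e "$target" ]; then
        echo "$target already exists, not overwriting" >&2
        exit 1
    fi
    gen_kdc_conf "$1" "$modules_dir" "$2" > "$target"
    echo "wrote $target"
fi
```

Review the generated file against the kdc.conf shown above before starting samba; if your NetBIOS name differs from the first DNS label, pass it as the second argument.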

Verifying that Samba uses the MIT Kerberos KDC

When you start the samba service, it automatically starts the krb5kdc MIT Kerberos KDC as a child process.

To verify that krb5kdc is running as a subprocess of the samba process, list the process tree with the ps utility:

 1306 ?        Ss     0:00 samba -D
 1307 ?        S      0:00  \_ samba -D
 1315 ?        S      0:00  |   \_ samba -D
 1319 ?        Ss     0:00  |       \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 ...                        |
 1313 ?        S      0:00  \_ samba -D
 1316 ?        S      0:00  |   \_ samba -D
 1322 ?        S      0:00  |       \_ /usr/sbin/krb5kdc -n
 ...

Debugging Samba With MIT Kerberos Support

To debug Kerberos-related problems, see the following log files:

  • Samba logs to the file set in the log file parameter in your smb.conf file. For further details about logging in Samba and how to increase the log level, see Configuring Logging on a Samba Server.
  • The MIT KDC logs to the files set in the kdc and admin_server parameters in the kdc.conf file. To increase the log output, see the kdc.conf(5) man page.