• krb5-user (Kerberos client, for receiving a TGT and user authentication)
• samba (Samba for joining the Linux box to the AD domain)
• smbclient (mounting the home directory)
• winbind (second way of user authentication, if Kerberos fails for any reason)
• libpam-winbind (PAM module for winbind)
• libpam-mount (Not sure about this one)
• libpam-ccreds (Storing credentials, if the DC is not reachable)
• libpam-krb5 (PAM module for Kerberos)
• cifs-utils (Mounting CIFS shares)

  11. net ads join member -k -S DC1.DOMAIN.LOCAL -U {User_with_admin_rights} createcomputer=IT/BLA osName=Debian osVer=`cat /etc/debian_version` -d 1
  12.  
  13. kinit -V user@DOMAIN.LOCAL
  14.  
root@testbox / % klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@DOMAIN.LOCAL

Valid starting Expires Service principal
14.12.2015 09:47:01 14.12.2015 19:47:01 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
renew until 15.12.2015 09:46:57

Dec 14 13:19:58 testbox login[2875]: pam_krb5(login:auth): user username@DOMAIN.LOCAL authenticated as username@DOMAIN.LOCAL
Dec 14 13:20:01 testbox login[2875]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'UNKNOWN', User not known to the underlying authentication module

[*] Kerberos authentication
[*] Ccreds credential caching - password saving
[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Mount volumes for user
[*] Ccreds credential caching - password checking

  33. [libdefaults]
  34. default_realm = DOMAIN
  35.  
  36. krb4_config = /etc/krb.conf
  37. krb4_realms = /etc/krb.realms
  38. kdc_timesync = 1
  39. ccache_type = 4
  40. forwardable = true
  41. proxiable = true
  42.  
  43. v4_instance_resolve = false
  44. v4_name_convert = {
  45. host = {
  46. rcmd = host
  47. ftp = ftp
  48. }
  49. plain = {
  50. something = something-else
  51. }
  52. }
  53. fcc-mit-ticketflags = true
  54.  
[realms]
# Realm names are case-sensitive; this one must match the kinit principal (DOMAIN.LOCAL).
# NOTE(review): default_realm in [libdefaults] above says "DOMAIN", which does not match.
DOMAIN.LOCAL = {
# KDCs are tried in the order listed; with AD every writable DC is a KDC.
kdc = DC1.domain.local
kdc = DC2.domain.local
# NOTE(review): "DC" breaks the DC1..DC5 naming — possibly a typo for DC3; verify the host exists.
kdc = DC.domain.local
kdc = DC4.domain.local
kdc = DC5.domain.local
admin_server = DC1.domain.local
# NOTE(review): "domain" is only the short name; the second krb5.conf further down uses
# "DOMAIN.local" here — confirm which value is intended.
default_domain = domain
}

  66. [domain_realm]
  67. kerberos.server = DOMAIN.LOCAL
  68.  
[login]
# Kerberos 4 compatibility settings from the Debian example file; unused by krb5-only clients.
krb4_convert = true
krb4_get_tickets = false

[logging]
# kdc/admin_server entries only apply to the krb5kdc/kadmind daemons, which an AD client does not run.
kdc = FILE:/var/log/krb5.log
admin_server = FILE:/var/log/krb5/kadmind.log
# Client-library messages go to syslog at NOTICE. The second krb5.conf further down uses DEBUG,
# which is considerably noisier — return to NOTICE once the login problem is solved.
default = SYSLOG:NOTICE:DAEMON

  78. #======================= Global Settings =======================
  79. [global]
  80. security = ADS
  81. encrypt passwords = yes
  82. realm = DOMAIN.LOCAL
  83. winbind enum users = yes
  84. winbind enum groups = yes
  85. winbind use default domain = yes
  86. winbind refresh tickets = yes
  87. template homedir = /home/%D/%U
  88. template shell = /bin/bash
  89. client use spnego = yes
  90. client ntlmv2 auth = yes
  91. encrypt passwords = yes
  92. restrict anonymous = 2
  93. domain master = no
  94. local master = no
  95. preferred master = no
  96. os level = 0
  97.  
  98. workgroup = DOMAIN
  99.  
  100. ; wins server = w.x.y.z
  101. dns proxy = no
  102. ; interfaces = 127.0.0.0/8 eth0
  103. ; bind interfaces only = yes
  104. log file = /var/log/samba/log.%m
  105. max log size = 1000
  106. syslog = 0
  107. panic action = /usr/share/samba/panic-action %d
  108. #####
  109. server role = standalone server
  110. passdb backend = tdbsam
  111. obey pam restrictions = yes
  112. unix password sync = yes
  113. passwd program = /usr/bin/passwd %u
  114. passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
  115. pam password change = yes
  116. map to guest = bad user
  117. ########
  118. ; logon path = \%Nprofiles%U
  119. ; logon drive = H:
  120. ; logon script = logon.cmd
  121. ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  122. ; add machine script = /usr/sbin/useradd -g machines -c "%u machineaccount" -d /var/lib/samba -s /bin/false %u
  123. ; add group script = /usr/sbin/addgroup --force-badname %g
  124. ##########
  125. ; include = /home/samba/etc/smb.conf.%m
  126. ; idmap uid = 10000-20000
  127. ; idmap gid = 10000-20000
  128. ; template shell = /bin/bash
  129. ; usershare max shares = 100
  130. usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
# Not shown in browse lists; a user only reaches their own home share.
browseable = no
# Exported read-only (Debian default) — set to "no" if users must write to their home over SMB.
read only = yes
# New files and directories are private to their owner.
create mask = 0700
directory mask = 0700
# %S = name of the requested service, i.e. only the owner may connect to their home share.
valid users = %S

;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes

;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700

# /etc/nsswitch.conf excerpt — only these databases appear in the notes.
# NOTE(review): the passwd, group and shadow lines are missing from this excerpt. The
# "User not known to the underlying authentication module" failure in the log above, logged
# right after pam_krb5 had authenticated the user, is consistent with those lines lacking
# "winbind" — confirm they read e.g. "passwd: compat winbind" / "group: compat winbind".
hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

  164. [global]
  165.  
  166. workgroup = DOMAIN
  167. security = ADS
  168. realm = DOMAIN.LOCAL
  169. netbios name = HOSTNAME
  170. dedicated keytab file = /etc/krb5.keytab
  171. kerberos method = secrets and keytab
  172.  
  173. idmap config DOMAIN : default = yes
  174. idmap config DOMAIN : backend = ad
  175. idmap config DOMAIN : schema_mode = rfc2307
  176. idmap config DOMAIN : readonly = yes
  177. idmap config DOMAIN : range = 10000-1999999
  178. idmap cache time = 604800
  179.  
  180. template homedir = /home/%D/%U
  181. template shell = /bin/bash
  182.  
  183. winbind trusted domains only = no
  184. winbind use default domain = yes
  185. winbind enum users = no
  186. winbind enum groups = no
  187. winbind refresh tickets = yes
  188. winbind expand groups = 4
  189. winbind offline logon = true
  190. winbind nss info = rfc2307
  191.  
  192. domain master = no
  193. local master = no
  194. vfs objects = acl_xattr
  195. map acl inherit = yes
  196. store dos attributes = yes
  197. client ldap sasl wrapping = sign
  198. encrypt passwords = yes
  199.  
  200. client use spnego = yes
  201. client ntlmv2 auth = yes
  202. restrict anonymous = 2
  203. dns proxy = no
  204. log file = /var/log/samba/log.%m
  205. max log size = 1000
  206. syslog = 0
  207. panic action = /usr/share/samba/panic-action %d
  208. server role = member server
  209. passdb backend = tdbsam
  210. obey pam restrictions = yes
  211. unix password sync = yes
  212. passwd program = /usr/bin/passwd %u
  213. passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
  214. pam password change = yes
  215. map to guest = bad user
  216.  
# /etc/krb5.conf — second version from the notes. This fragment apparently is the tail of
# [libdefaults] (compare the first version above); the section header and default_realm are not shown.
# Kerberos 4 compatibility settings from the Debian example file; unused by krb5-only clients.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
# Heimdal option (MIT-compatible ticket-flag layout in the file cache); ignored by MIT krb5.
fcc-mit-ticketflags = true

[realms]
DOMAIN.LOCAL = {
# A single KDC means no failover when DC1 is down; the first version above lists DC1..DC5.
kdc = DC1.DOMAIN.local
admin_server = DC1.DOMAIN.local
default_domain = DOMAIN.local
}

[domain_realm]
# Hosts under the DNS domain (leading dot) and the domain name itself map to the realm.
.DOMAIN.local = DOMAIN.LOCAL
DOMAIN.local = DOMAIN.LOCAL

[login]
# Kerberos 4 compatibility settings from the Debian example file; unused by krb5-only clients.
krb4_convert = true
krb4_get_tickets = false

[logging]
# DEBUG is very verbose — fine while the login failure above is being chased, but return to
# NOTICE (as in the first version) afterwards.
default = SYSLOG:DEBUG:DAEMON

# PAM session-stack line: pam_mount mounts/unmounts the volumes from pam_mount.conf.xml
# (below) at session open/close. "optional": a failed mount does not block the login.
# NOTE(review): pam_mount also needs an "auth optional pam_mount.so" entry in the auth stack to
# receive the password it hands to the cifs mounts; that line does not appear in the notes.
session optional pam_mount.so

  249. <?xml version="1.0" encoding="utf-8" ?>
  250. <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
  251.  
  252. <pam_mount>
  253.  
  254. <debug enable="0" />
  255.  
  256. <mntoptions deny="suid,dev" />
  257. <mntoptions allow="*" />
  258. <mntoptions deny="*" />
  259. -->
  260. <mntoptions require="nosuid,nodev" />
  261.  
  262. <logout wait="100000" hup="yes" term="yes" kill="no" />
  263.  
  264. <volume options="username=%(USER)" fstype="cifs" server="server.domain.local" path="User/%(USER)" mountpoint="/home/domain/%(USER)/Shares/%(DOMAIN_USER)" />
  265.  
  266. <volume options="username=%(USER)" fstype="cifs" server="server.domain.local" path="Data" mountpoint="/home/domain/%(USER)/Shares/Data" />
  267.  
  268. <umount>umount %(MNTPT)</umount>
  269.  
  270. <mkmountpoint enable="1" remove="false" />
  271.  
  272. </pam_mount>