ActiveDirectory KDC

Initial

  • Install MS Server 2008
  • Do not install the DNS Server unless you really need to.

Alternatives

Creating instances

Separation of privileges in Kerberos needs multiple accounts. These are created as "instances", each of which controls a subset of the privileges. Replace the instance name with the one you want. In this example, the user is "foley" and the instance is "root".

  1. Open Active Directory Users and Groups
  2. Make the username: foley
    1. Set the password to not need changing and not expire
  3. Make the username: foley/root
  4. Make sure that the Name information reflects this being different from the primary account
  5. Give this account the administrator privileges

Allowing logins and administration on the server

  1. Open ActiveDirectory Users and Groups
  2. Right-click on the user in question and choose "Properties"
  3. Click on the "Member Of" tab
  4. Add the user to the "Administrators" group.
  5. Note that you log in with "foley.root" instead of "foley/root"

Config

Starting with Windows 7 and Windows Server 2008 R2, Microsoft has disabled the single DES encryption types (see "Changes in Kerberos Authentication"). DES must be enabled via Group Policy in order for Active Directory to be used as a KDC for OpenAFS. Weak encryption is enabled only because AFS requires it.
We will also set the password requirements to be closer to those of an MIT KDC.

  1. Start > Administrative Tools > Group Policy Management
  2. Expand Forest > Domains > (domain name)
  3. Right-click and choose "Create a GPO in this domain, and Link it here..."
  4. Make a new policy "AFS"
  5. Click "Edit", then expand "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options"
  6. Double-click "Network security: Configure encryption types allowed for Kerberos"
  7. Select "Define this policy setting", then select "DES_CBC_CRC" and all the others, and press "OK" (from the openafs.org guide)
  8. Expand "Computer configuration", "Windows Settings", "Security Settings", "Account Policies", "Password Policy"
    1. Enforce password history: 2
    2. Minimum password length: 6
    3. Password must meet complexity requirements: Disabled
  9. Now move it to the top of the policy list so that it takes precedence

AFS user/key

  • Create an "afs" user.
    • Long password
    • Unchangeable and never expires
  • Make the srvtab (keytab):
    ktpass -princ afs/afs.ru.is@RU.IS -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs-ru.is-keytab

Securely transferring the keytab

  1. Install Cygwin
    1. Make sure you install openssh in addition to the normal packages
  2. Copy the keytab somewhere useful (the keytab is a file, so this is scp, not ssh):
    scp afs-ru.is-keytab root@ruafs1.dev.ru.is:/usr/afs/etc/.

Setting the time

For Kerberos and AD to work properly, you need a good clock. We have one on time.dev.ru.is; use it.

Instructions on how to set up an external sync are at http://defaultreasoning.com/2009/11/16/synchronize-time-with-external-ntp-server-on-windows-server-2008-r2/

  1. Open a PowerShell
  2. Figure out which server is the PDC and log in to it as an Administrator
    netdom query fsmo
  3. Stop the W32Time service
    net stop w32time
  4. Configure new time sources. You can list more than one, comma-separated, inside the quotes.
    w32tm /config /syncfromflags:manual /manualpeerlist:"time.dev.ru.is"
  5. Make the PDC a reliable time source
    w32tm /config /reliable:yes
  6. Start it up
    net start w32time
  7. Check that the config was applied and everything is OK
    w32tm /query /configuration

Keytabs

On the AD KDC

  • Use ktpass:
    ktpass -out tmp -pass somepassword -princ host/njord.dev.ru.is@RU.IS -mapuser host_njord -ptype KRB5_NT_SRV_HST -crypto All
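The keytabs written by ktpass above (the afs/ service key and the host/ key) are in MIT version-2 keytab format. The parser below is an added example, not part of this wiki page, OpenAFS or Microsoft tooling; it lists each entry's principal, kvno and enctype and flags the DES types that the GPO above has to re-enable, so a keytab can be inspected before it is copied to the AFS server. The sample keytab, its key bytes and the enctype name table are constructed inline for the demo.

```python
import struct

# RFC 3961 enctype numbers; the two DES types are the ones the GPO above re-enables
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}
ENCTYPE_NAMES = {**WEAK_ENCTYPES, 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)   # counted string: uint16 length + bytes
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype name, is_weak)] for a version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                       # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen                      # skip the key material itself
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno,
                        ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"), enctype in WEAK_ENCTYPES))
        pos = end
    return entries

def build_entry(realm, comps, kvno, enctype, key):
    """Constructed sample entry in the same layout (demo data, not a real key)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab holding the two principals this page creates with ktpass
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("RU.IS", ["afs", "afs.ru.is"], 3, 3, b"\x01" * 8)
                 + build_entry("RU.IS", ["host", "njord.dev.ru.is"], 2, 18, b"\x02" * 32))
```

On a real keytab, `klist -k -e` reports the same principal, kvno and enctype information.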

Samba

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Refer to the Windows guide for UNIX mentioned at the beginning.

  • To interface with AD more effectively, use Samba
    sudo yum install samba samba-winbind
  • Edit /etc/samba/smb.conf
    • TODO
  • And restart
    service winbind stop
    service smb restart
    service winbind start
  • Get Kerberos tickets as a user in the Administrators group on the KDC
    kinit foley/root@DEV.RU.IS
  • Join the domain. Ignore the DNS error. You can use Kerberos tickets to avoid typing passwords
    net ads join -S stufur.dev.ru.is
    1. Set up a keytab
      net ads keytab create

Updated by Joseph Foley over 9 years ago · 1 revision