Research and Development Network

h1. ActiveDirectory KDC

* Kerberos Explained http://technet.microsoft.com/en-us/library/bb742516.aspx

* Notes about using AD KDC with Openafs http://docs.openafs.org/ReleaseNotesWindows/ch03s02.html

* Derrick's Presentation on AD KDC for AFS http://workshop.openafs.org/afsbpw06/talks/shadow-AD.pdf

* Ktpass information: http://technet.microsoft.com/en-us/library/cc753771(ws.10).aspx

* How SPNs and instances work http://thejavamonkey.blogspot.com/2008/03/active-directory-and-kerberos-service.html

* Linux, openssh, Kerberos, AD http://blogs.technet.com/cfs-file.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-86-46-PDFs/3716.OpenSSH-on-Linux-using-Windows.pdf

* MS Kerberos debuggin http://technet.microsoft.com/en-us/library/bb463167.aspx

* Windows Security and Directory Services for UNIX guide http://www.microsoft.com/en-us/download/details.aspx?id=6899

** Of interest, Chapter 4, page 205

* Iowa State guide (thanks to gendalia@iastate.edu) http://tech.its.iastate.edu/win2000/admin/Rhel6-AD-samba-winbind-keytab.pdf

* Backup AD http://technet.microsoft.com/library/cc771290(WS.10).aspx

* DNS records needed for AD  http://technet.microsoft.com/en-us/library/bb727055.aspx

h2. Initial

* Install MS Server 2008

* *Do not install the DNS Server unless you really need to.*

h2. Alternatives

* Apache Directory project http://directory.apache.org/

h2. Creating instances

Separation of privileges in Kerberos needs multiple accounts.  These are done by creating "instances" which

each control a subset.  Replace _instance_ with the one you want.  In this example, the user will be "foley", instance "root".

# Open Active Directory Users and Groups

# make the username: foley

## Set the password to not need changing and not expire

# make the username:  foley/root

# Make sure that the Name information reflects this being different than the primary account

# Give this account the administrator priviledges

h2. Allowing logins and administration on the server

# Open ActiveDirectory Users and Groups

# Right click on the user in question, and choose "Properties"

# Click on the "members-of" tab

# Add the user to the "Administrators" group.

# Note that you login with "foley.root" instead of "foley/root"

h2. Config

Starting with Windows 7 and Windows Server 2008 R2, Microsoft has disabled the single DES encryption type.  Changes in Kerberos Authentication. DES must be enabled via Group Policy in order for Active Directory to be used as a KDC for OpenAFS. Enable weak encryption becuase of AFS... 

We will also set the password requirements to be closer to an MIT KDC.

# Start > Administrative Tools > Group Policy Management 

# Expand Forest > Domains > (domain name)

# Right-click "Create a GPO in this domain, and Link it here.."

# Make a new policy "AFS"

# "Edit" Expand "Computer Configuration" > "Policies" > "Windows Settings” > "Security Settings” > "Local Policies” > "Security Options” 

# Double click "Network security: Configure encryption types allowed for Kerberos” 

# Select "Define this policy setting", then select "DES_CBC_CRC" and all the others... Press "OK"  (from the openafs.org guide)

# Expand "Computer configuration", "Windows Settings", "Security Settings", "Account Policies", "Password Policy"

## Enforce password history: 2

## Minimum password length: 6

## Password must meet complexity requirements: Disabled

# Now put it at the top of the policy list so that it takes precedence

h3. AFS user/key

* Create an "afs" user.

** Long password

** Unchangable and never expires

* make the srvtab

<pre>ktpass -princ afs/afs.ru.is@RU.IS -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs-ru.is-keytab</pre>

h2. Securely transferring the keytab

# Install cygwin

## Make sure you install openssh in addition to the normal packages

# Copy the keytab somewhere useful

<pre>ssh afs-ru.is-keytab root@ruafs1.dev.ru.is:/usr/afs/etc/.</pre>

h2. Setting the time

For kerberos and AD to work properly, you need a good clock.  We have one on @time.dev.ru.is@, use it.

Instructions on how to set an external sync at http://defaultreasoning.com/2009/11/16/synchronize-time-with-external-ntp-server-on-windows-server-2008-r2/

# Open a powershell

# Figure out which is the PDC server and login to it as an Administrator

<pre>netdom /query fsmo</pre>

# Stop the W32Time service

<pre>net stop w32time</pre>

# Configure new time sources.  You can put more, comma separated in quotes.

<pre>w32tm /config /syncfromflags:manual /manualpeerlist:"time.dev.ru.is"</pre>

# Make the PDC a reliable time source

<pre>w32tm /config /reliable:yes</pre>

# start it up

<pre>net start w32 time</pre>

# check to make sure that the config made it in and everything is ok

<pre>w32tm /query /configuration</pre>

h1. Keytabs

h2. On the AD KDC

* use ktpass

<pre>ktpass -out tmp -pass somepassword -princ host/njord.dev.ru.is@RU.IS -mapuser host_njord -ptype KRB5_NT_SRV_HST -crypto All</pre>

h2. Samba

https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Refer to the windows guide for UNIX mentioned a the beginning

* To interface with AD more effectively, use Samba

<pre>sudo yum install samba samba-winbind</pre>

* Edit the /etc/samba/smb.conf

** TODO

* And restart

<pre>service winbind stop

service smb restart

service winbind start</pre>

* Get kerberos tickets with Administrator group on the kdc

<pre>kinit foley/root@DEV.RU.IS</pre>

* Join the domain.  Ignore the DNS error.  You can use kerberos tickets to avoid typing passwords

<pre>net ads join -S stufur.dev.ru.is </pre> 

# Setup a keytab

<pre>net ads keytab create</pre>