Kerberos with Samba

Overview

Samba acts as an Active Directory domain controller, so setting up Kerberos authentication with Samba is very similar to setting up authentication with MS Active Directory.

CentOS 7 specifics

On CentOS 7, the bundle does not generate keytab files automatically, because the standard Samba package for CentOS 7 does not support creating principals on a remote domain controller. For this reason, you need to prepare the keytab files manually before enabling Kerberos Samba in ADS: adjust the variables in the script below and run it. On other systems, the keytabs are generated automatically.

Start Kerberos Samba on an ADS cluster in the ADCM interface

  1. Initiate the Kerberos Samba enablement for the selected cluster. To do this, apply the Manage Kerberos cluster action by clicking the actions icon in the Actions column.

  2. Turn on the Existing Samba switch in the window that opens.

    Enable Existing Samba

    NOTE
    Enabling Existing Samba can be combined with the Custom kerberization settings option.

  3. Set the Show advanced switch to active.

  4. Set the Samba Kerberos parameters of the ADS cluster and click Run.

    Configuring an ADS cluster for Kerberos Samba

  5. Confirm the action in the window that opens.

    Verify the action

  6. Wait until Kerberos Samba is enabled. Analyze and correct errors if they occur.

    Kerberos startup process

Implementation specifics

In the script presented below, principals are created in a special way (the same way the bundle does it) for a number of reasons:

  • For authentication with keytab files to work, the SPN (Service Principal Name) must also be passed as the UPN (User Principal Name). This is necessary because Samba does not allow searching for principals by UPN when running kinit.

  • Since a UPN can hold only one entry, a separate SPN (and therefore a separate account) has to be created for each service on each host.

  • By default, when working with principals and keytab files, Samba accesses the local database rather than the remote domain controller. For Samba to access the controller, the -H ldap://$SAMBA_SERVER argument must be passed when running the commands.

This approach has its advantages: there is no need to join a computer to the domain and configure local replicas of the Samba databases in order to create service users and principals. Also, each principal authenticates with its own keytab file rather than with one keytab file per computer.

Keytab generation script
#!/bin/bash
# Adds service accounts, principals and keytabs for the ADS cluster hosts.
# Edit HOSTS to match your cluster and fill in your Samba parameters below.
# Keep SERVICES in line with the services installed from the bundle.

# Samba connection parameters and credentials
SAMBA_USER='Administrator'
SAMBA_PASSWORD='adminPassword'
SAMBA_SERVER='<samba_server>'
REALM='<samba_realm>'
SAMBA_HOST='<samba_host>'
USER_PASSWORD='userPassword'   # password set on every service account
OU_NAME='CN=Users,DC=samba,DC=test'

declare -a HOSTS

SSH_OPTS='-o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

# Cluster hosts; use fully qualified names, they become the hostname and the principal instance
HOSTS=(
    "List your hosts here"
)

# unicodePwd takes the password in double quotes, UTF-16LE encoded and base64 wrapped for the LDIF
encoded_password=$(echo -n "\"$USER_PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64)

# ADS services that get a principal on every host
SERVICES=(HTTP nifi zookeeper kafka ksql-server kafka-rest schema-registry kafka-manager)

mkdir -p /tmp/keytabs

for HOST in "${HOSTS[@]}"; do
    echo "Set hostname"
    ssh $SSH_OPTS $HOST "sudo hostnamectl --static set-hostname $HOST"
    echo "Create keytab dir"
    ssh $SSH_OPTS $HOST "sudo mkdir -p /etc/security/keytabs"

    for SERVICE in "${SERVICES[@]}"; do
        # Local account on the Samba host; it already exists after the first host, the error is harmless
        echo "Create service user"
        ssh $SSH_OPTS $SAMBA_HOST "sudo useradd $SERVICE"

        # One account per service and host, with the SPN also stored as the UPN
        # (see "Implementation specifics"). The account is created disabled (514),
        # gets its password, and is then enabled with DONT_EXPIRE_PASSWORD (66048).
        echo "Create service principal"
        echo "Create add.ldif"
        ssh $SSH_OPTS $SAMBA_HOST "cat <<EOF > /tmp/add.ldif
DN: CN=${SERVICE}/${HOST},${OU_NAME}
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
accountExpires: 0
sAMAccountName: ${SERVICE}-${HOST}
userPrincipalName: ${SERVICE}/${HOST}@${REALM}
servicePrincipalName: ${SERVICE}/${HOST}
distinguishedName: CN=${SERVICE}/${HOST},${OU_NAME}
userAccountControl: 514

DN: CN=${SERVICE}/${HOST},${OU_NAME}
changetype: modify
replace: unicodePwd
unicodePwd:: $encoded_password

DN: CN=${SERVICE}/${HOST},${OU_NAME}
changetype: modify
replace: userAccountControl
userAccountControl: 66048

EOF"

        # -H ldap://... makes ldbmodify write to the domain controller instead of the local database
        echo "sudo ldbmodify -H ldap://$SAMBA_SERVER /tmp/add.ldif -U $SAMBA_USER --password=$SAMBA_PASSWORD"
        ssh $SSH_OPTS $SAMBA_HOST "sudo ldbmodify -H ldap://$SAMBA_SERVER /tmp/add.ldif -U $SAMBA_USER --password=$SAMBA_PASSWORD"

        echo "Delete old keytab"
        ssh $SSH_OPTS $SAMBA_HOST "sudo rm -f /tmp/$SERVICE.service.keytab"

        # Derive the keys from the account password with ktutil (kvno 1; AES-256, AES-128 and RC4)
        echo "Extract keytab"
        TMP_SCRIPT="/tmp/extract_keytab_${SERVICE}_${HOST}.sh"
        KTUTIL_SCRIPT="/tmp/ktutil_commands_${SERVICE}_${HOST}.txt"
        cat <<EOT > $TMP_SCRIPT
#!/bin/bash
cd /tmp
sudo ktutil < $KTUTIL_SCRIPT
EOT

        cat <<EOT > $KTUTIL_SCRIPT
add_entry -password -p ${SERVICE}/${HOST}@${REALM} -k 1 -e aes256-cts-hmac-sha1-96
${USER_PASSWORD}
add_entry -password -p ${SERVICE}/${HOST}@${REALM} -k 1 -e aes128-cts-hmac-sha1-96
${USER_PASSWORD}
add_entry -password -p ${SERVICE}/${HOST}@${REALM} -k 1 -e arcfour-hmac
${USER_PASSWORD}
wkt ${SERVICE}.service.keytab
quit
EOT
        scp $SSH_OPTS $TMP_SCRIPT $SAMBA_HOST:$TMP_SCRIPT
        scp $SSH_OPTS $KTUTIL_SCRIPT $SAMBA_HOST:$KTUTIL_SCRIPT
        ssh $SSH_OPTS $SAMBA_HOST "chmod +x $TMP_SCRIPT && $TMP_SCRIPT && rm $TMP_SCRIPT && rm $KTUTIL_SCRIPT"
        rm $TMP_SCRIPT
        rm $KTUTIL_SCRIPT

        echo "List keytab entries"
        ssh $SSH_OPTS $SAMBA_HOST "sudo klist -k /tmp/$SERVICE.service.keytab"
        # The keytab is written by root; open it up so the SSH user can copy it out
        echo "Change permission"
        ssh $SSH_OPTS $SAMBA_HOST "sudo chmod 777 /tmp/${SERVICE}.service.keytab"
        echo "Export keytab to local"
        scp $SSH_OPTS $SAMBA_HOST:/tmp/${SERVICE}.service.keytab /tmp/keytabs/${SERVICE}.service.keytab
        echo "Export keytab to host"
        scp $SSH_OPTS /tmp/keytabs/${SERVICE}.service.keytab $HOST:/tmp/${SERVICE}.service.keytab
        ssh $SSH_OPTS $HOST "sudo mv /tmp/${SERVICE}.service.keytab /etc/security/keytabs/${SERVICE}.service.keytab"
        echo "Clean up temporary keytabs"
        rm /tmp/keytabs/$SERVICE.service.keytab
        ssh $SSH_OPTS $SAMBA_HOST "sudo rm -f /tmp/$SERVICE.service.keytab"
    done

    # Each keytab belongs to the unix user of its service (created by the ADS installation)
    echo "Change owner and group"
    ssh $SSH_OPTS $HOST "sudo chown zookeeper:zookeeper /etc/security/keytabs/zookeeper*"
    ssh $SSH_OPTS $HOST "sudo chown nifi:nifi /etc/security/keytabs/HTTP*"
    ssh $SSH_OPTS $HOST "sudo chown nifi:nifi /etc/security/keytabs/nifi*"
    ssh $SSH_OPTS $HOST "sudo chown kafka:kafka /etc/security/keytabs/kafka*"
    ssh $SSH_OPTS $HOST "sudo chown ksql:kafka /etc/security/keytabs/ksql-server*"
    ssh $SSH_OPTS $HOST "sudo chown kafka-rest:kafka /etc/security/keytabs/kafka-rest*"
    ssh $SSH_OPTS $HOST "sudo chown schema-registry:kafka /etc/security/keytabs/schema-registry*"
    ssh $SSH_OPTS $HOST "sudo chown kafka-manager:kafka-manager /etc/security/keytabs/kafka-manager*"

    # Permissive mode so every service can read its keytab; with the per-service owners set
    # above, mode 600 on each file is sufficient and is the safer choice for a credential file
    echo "Change permissions"
    ssh $SSH_OPTS $HOST "sudo chmod -R 777 /etc/security/keytabs/"

done

To enable Kerberos Samba on hosts running CentOS 7, where weak encryption types are used by default and the Kerberos environment has not been configured before, enable authentication in several steps:

  1. Before running the script, make sure that DNS on the local computer (host) from which the script is launched, as well as on the ADS cluster hosts, is configured so that they can connect to the Samba server via SSH.

  2. The first time you enable Manage Kerberos, enable the Custom kerberization settings option and set only the Set up Kerberos utils and Configure Kerberos on hosts parameters to true. This installs all utilities and creates all Kerberos configuration files.

  3. On the Primary configuration tab of the cluster, in the Kerberos parameter group, set the Custom krb5.conf parameter to true. Next, open the custom krb5.conf template (located under Custom krb5.conf), edit the [libdefaults] section as in the krb5.conf example below, and save the configuration.

  4. The second time you enable Manage Kerberos, set the Custom kerberization settings option to true for all parameters except the Set up principals and keytabs parameter.

Example of custom krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  # renew_lifetime = 7d
  forwardable = true
  rdns = false
  pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
  default_realm = SAMBA.TEST
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac rc4-hmac arcfour-hmac-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  allow_weak_crypto = true

[realms]
  SAMBA.TEST = {
    admin_server = dc1.samba.test
    kdc = dc1.samba.test
  }
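As an added check (not part of the bundle or of the script above), the functions below verify on a cluster host that each service keytab holds the expected <service>/<host>@<realm> principal with an AES key, that every enctype in it is listed in permitted_enctypes of krb5.conf, that the file is owned by the service user from the script's chown lines, and that group and others cannot read it (the script above sets 777, so this is reported until the mode is tightened). The function names and the use of klist -kte and stat -c are this example's assumptions.

```shell
#!/bin/bash
# Added example, not part of the page's script: checks a service keytab on a cluster host.
# Layout follows the page (/etc/security/keytabs/<service>.service.keytab holding
# <service>/<host>@<realm>); the function names and use of klist -kte/stat -c are assumptions.
# True if `klist -kte` output lists the principal with an AES key.
keytab_has_principal() {
  local klist_out="$1" principal="$2"
  printf '%s\n' "$klist_out" | grep -F -- "$principal" \
    | grep -qiE 'aes(256|128)-cts-hmac-sha1-96'
}

# True if every enctype in `klist -kte` output appears on the permitted_enctypes line
# of a krb5.conf passed as text (newer MIT klist prefixes RC4 with "DEPRECATED:").
enctypes_permitted() {
  local klist_out="$1" krb5_conf="$2" et permitted
  permitted=$(printf '%s\n' "$krb5_conf" | sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=//p')
  for et in $(printf '%s\n' "$klist_out" | sed -n 's/.*(\(.*\))$/\1/p' | sed 's/^DEPRECATED://' | sort -u); do
    case " $permitted " in *" $et "*) ;; *) echo "enctype $et not in permitted_enctypes"; return 1 ;; esac
  done
}

# True if an octal mode such as 600 or 0600 grants nothing to group and others.
mode_is_private() {
  case "$(printf '%s' "$1" | tail -c 3)" in ?00) return 0 ;; *) return 1 ;; esac
}

# Owner each keytab should have, following the chown lines of the page's script.
expected_owner() {
  case "$1" in
    zookeeper) echo zookeeper ;;        HTTP|nifi) echo nifi ;;
    kafka) echo kafka ;;                ksql-server) echo ksql ;;
    kafka-rest) echo kafka-rest ;;      schema-registry) echo schema-registry ;;
    kafka-manager) echo kafka-manager ;;
    *) return 1 ;;
  esac
}

# Check one keytab on this host: prints each finding, returns 1 if there was any.
check_keytab() {
  local dir="$1" service="$2" host="$3" realm="$4" rc=0
  local f="$dir/$service.service.keytab" out
  [ -r "$f" ] || { echo "missing $f"; return 1; }
  mode_is_private "$(stat -c %a "$f")" || { echo "$f is readable by group/others"; rc=1; }
  [ "$(stat -c %U "$f")" = "$(expected_owner "$service")" ] || { echo "$f has wrong owner"; rc=1; }
  out=$(klist -kte "$f" 2>/dev/null)
  keytab_has_principal "$out" "$service/$host@$realm" || { echo "$f lacks AES key for $service/$host@$realm"; rc=1; }
  enctypes_permitted "$out" "$(cat /etc/krb5.conf)" || rc=1
  return $rc
}
```

Run it as root on a cluster host, for example check_keytab /etc/security/keytabs kafka <host_fqdn> <realm>; a non-zero return means at least one finding was printed.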

Samba Kerberos parameters

Parameter                         Description
Authentication on WEB UIs         Enables Kerberos authentication on Web UIs
KDC hosts                         One or more domain controller hosts
Realm                             A Kerberos realm
Domains                           Domains associated with hosts
Kadmin server                     A host where kadmin is running
Kadmin principal                  A principal name used to connect via kadmin, for example admin@RU-CENTRAL1.INTERNAL
Kadmin password                   A principal password used to connect via kadmin
Keytabs directory                 Directory of the keytab file that contains one or several principals along with their keys
Additional realms                 Additional Kerberos realms
LDAP URL                          LDAP URL consisting of ldap:// or ldaps://, the hostname or IP address, and the port of the LDAP server
Container DN                      Container distinguished name
Trusted Active Directory server   A trusted DC server
Trusted Active Directory realm    A realm for cross-realm trust

NOTE
Samba-based Kerberos authentication after running Manage Kerberos in the Kafka service is done according to Use Kerberos with MS Active Directory in Kafka.