All machines participating in domain security should be members of the domain. This applies also to the PDC and all BDCs.
Joining a domain is done with the net rpc join command. It communicates with the domain controller it registers with (usually the PDC) over MS DCE RPC, which means the smbd process must already be running on that domain controller. It is therefore necessary to start Samba temporarily on a PDC so that it can join its own domain.
Enter the following command to make the Samba server join the domain, where PDC is the name of your PDC and Administrator is a domain user who has administrative privileges in the domain.
Note: Before attempting to join a machine to the domain, verify that Samba is running on the target domain controller (usually the PDC) and that it can be reached on ports 137/udp, 135/tcp, 139/tcp, and 445/tcp (445/tcp applies to Samba and to Windows 2000 or later domain controllers).
The following syntax shows the use of the Net RPC join facility:
root# /usr/local/samba/bin/net rpc join -S PDC -U Administrator
The proper response to the command is:
Joined the domain DOMAIN
where DOMAIN is your domain name.
Setting Environment Variables at Global Scope
The following shows how to set the Kerberos environment variables at global scope (for example in /etc/profile, so that interactive shells and cron jobs alike inherit them):
export KRB5_CONFIG=/etc/krb5.conf
export KRB5_TRACE=/dev/stdout
KRB5_CONFIG tells the MIT Kerberos tools (ktutil, kinit, klist) which configuration file to read, and KRB5_TRACE makes them write a protocol trace to the named file, which is the quickest way to see which KDC was contacted and why a request failed. The Java Kerberos implementation used by the JDBC driver ignores both variables; it is configured through the java.security.krb5.conf and sun.security.krb5.debug system properties described in the debugging section below.
Creating a Keytab on Linux
To create a keytab, run ktutil and enter the following at its prompt (the principal, key version number, encryption type and output path are examples):
ktutil
ktutil:  addent -password -p myuser@REALM1.REALM2.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for myuser@REALM1.REALM2.COM:
ktutil:  wkt /apps/kerberos/myuser.keytab
ktutil:  quit
addent -password derives the key from the password you type (add entry); -k gives the key version number (kvno), which must match the version the KDC holds for the principal (on Active Directory the msDS-KeyVersionNumber attribute, which increments on every password reset); -e selects the encryption type, which must be one the account is permitted to use. wkt writes the entries to the keytab file (write keytab). ktutil derives the AES key with the default salt (the realm followed by the principal name), so the principal must be typed exactly as the KDC knows it; a wrong case or a stale kvno produces a keytab that looks fine but that kinit rejects. The keytab is equivalent to the account's password, so restrict it to the account that runs the application (chmod 600) and keep it out of backups and source control.
Before running kinit against the keytab, make sure you are using the Java Kerberos tools: MIT Kerberos, Microsoft Kerberos and Heimdal Kerberos each ship their own kinit and may also be installed on the machine. Ensure none of the others is found on the PATH ahead of the Java one (which kinit on Linux, where kinit on Windows, shows which copy will run). The driver's Java Kerberos implementation looks for the credential cache where the Java kinit writes it, so a ticket obtained with a different kinit may not be found.
The Java kinit program is in the bin folder of the Java installation (jre/bin in Java 8).
On Windows and Linux, the command line is the same (the -V flag of MIT kinit is not an option the Java kinit accepts; see the usage below):
kinit exampleuser@INNERREALM.OUTERREALM.COM -k -t exampleuser.keytab
Usage: kinit [-A] [-f] [-p] [-c cachename] [[-k [-t keytab_file_name]] [principal] [password]
  available options to Kerberos 5 ticket request:
  -A   do not include addresses
  -f   forwardable
  -p   proxiable
  -c   cache name (i.e., FILE:\d:\myProfiles\mykrb5cache)
  -k   use keytab
  -t   keytab file name
  principal   the principal name (i.e., qweadf@ATHENA.MIT.EDU qweadf)
  password    the principal's Kerberos password
Because the keytab entry written by ktutil (or by ktpass on Windows) already holds the principal's key, no password is entered; the principal is still named so that kinit selects the matching keytab entry.
Depending on the domain's Kerberos policy, the ticket-granting ticket that kinit stores in the credential cache expires after a short period (Active Directory's default ticket lifetime is 10 hours, with renewal allowed for up to 7 days). The keys in the keytab itself do not expire, but they stop working as soon as the account's password changes, because the key and key version number on the KDC no longer match the keytab entry.
To keep a valid ticket available, run the kinit command from a cron job on Linux or a scheduled task on Windows at an interval shorter than the ticket lifetime.
When the ticket has expired there is no clear error; instead, misleading messages such as Logging Exception or User Principal Invalid may appear. Check the cache with the klist program from the same Java installation before looking elsewhere.
Modifying the JAAS Configuration File
Modify the JAAS configuration file and enter the path of the current keytab as the keyTab option of the login module entry, together with the principal the keytab was created for.
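An added example of such a JAAS configuration file (not from the page or from the driver's documentation), using a keytab path, principal and realm assumed for illustration; the entry name SQLJDBCDriver is the name the Microsoft JDBC driver looks up by default when authenticationScheme=JavaKerberos is set:

```conf
/* logon.conf: JAAS login configuration for the SQL Server JDBC driver.
   Assumed values: the keytab path and the principal. */
SQLJDBCDriver {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/apps/kerberos/exampleuser.keytab"   /* use forward slashes on Windows too */
        principal="exampleuser@INNERREALM.OUTERREALM.COM"
        useTicketCache=true     /* take the TGT kinit cached if it is still valid ... */
        doNotPrompt=true        /* ... but never fall back to an interactive password prompt */
        debug=true;
};
```

With useTicketCache=true the module first uses the ticket that kinit placed in the cache; when the cache is empty or the ticket has expired it obtains a fresh TGT from the keytab, so an application configured this way keeps working even if the scheduled kinit job is late. Setting useTicketCache=false makes the keytab the only source and removes the dependency on kinit entirely. If the entry is given another name, pass it to the driver with the jaasConfigurationName connection property.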
Modifying the KRB5 Configuration File
Modify the krb5.conf file so it appears similar to the krb5.conf file found in Kerberos Configuration File (krb5.conf).
On Windows, it is good practice to place the file as krb5.ini in the \Windows folder; on Linux it should be /etc/krb5.conf. These are the locations the Java Kerberos implementation falls back to when the java.security.krb5.conf property is not set (after checking conf/security/krb5.conf, or lib/security/krb5.conf in Java 8, inside the Java installation).
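An added example krb5.conf (not the one from the referenced Kerberos Configuration File section), for an Active Directory realm assumed to be INNERREALM.OUTERREALM.COM with domain controllers dc1 and dc2 (hypothetical host names); the enctype lines pin the same aes256-cts-hmac-sha1-96 type the keytab was written with, so that neither RC4 nor DES is ever negotiated:

```ini
[libdefaults]
    default_realm = INNERREALM.OUTERREALM.COM
    dns_lookup_kdc = true
    forwardable = true
    # Offer only AES; the keytab above holds an AES-256 key and nothing else.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    INNERREALM.OUTERREALM.COM = {
        kdc = dc1.innerrealm.outerrealm.com
        kdc = dc2.innerrealm.outerrealm.com
        admin_server = dc1.innerrealm.outerrealm.com
    }

[domain_realm]
    # Maps the SQL Server host's DNS domain to the realm, so the driver asks the
    # right KDC for the MSSQLSvc/<host>:<port> service ticket.
    .innerrealm.outerrealm.com = INNERREALM.OUTERREALM.COM
    innerrealm.outerrealm.com = INNERREALM.OUTERREALM.COM
```

The same file can be saved as krb5.ini on Windows. If the service account does not have AES keys enabled on the domain controller ("This account supports Kerberos AES 256 bit encryption" in Active Directory), the KDC rejects the request with KDC_ERR_ETYPE_NOSUPP; enable AES on the account rather than adding rc4-hmac to these lists.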
Debugging Setup (optional)
For initial debugging, modify the logging.properties file in the SQL Server driver installation directory and add the following line:
com.microsoft.sqlserver.jdbc.level = ALL
The JVM only reads the logging.properties file named by the java.util.logging.config.file system property (or the default one in the Java installation's conf directory, lib in Java 8), so point that property at the file you edited.
Then set the following JVM system properties, for example as -D options on the java command line (the paths are examples):
java.security.krb5.conf=c:\krb\krb5.conf
java.security.auth.login.config=C:\logon\logon.conf
sun.security.krb5.debug=true
Adding sun.security.jgss.debug=true as well traces the GSS-API side of the handshake.
The connection URL selects Kerberos with integratedSecurity=true and authenticationScheme=JavaKerberos (the property name is integratedSecurity, written as one word):
jdbc:sqlserver://myserver/mydb.INNER.OUTER.COM:1433;databaseName=Fido;integratedSecurity=true;authenticationScheme=JavaKerberos
The server part of the URL must be the fully qualified host name (and optional \instance) that the MSSQLSvc/<host>:<port> SPN was registered for, because the driver builds the SPN from it; if the SPN is registered under a different name, set it explicitly with the serverSpn connection property.
The Kerberos debug output prints in the iWay console window. The domain (realm) name, the KDC contacted and the SPN requested can be read from it, which is usually enough to spot a wrong realm mapping or an unregistered SPN; the ticket and authenticator contents and the rest of the exchange are encrypted and do not appear.
If the connection succeeds, a Success message prints in the driver window.
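As an added example (not the driver's, iWay's or the page's own code), the following Java program sets the same three system properties in code, logs in through the JAAS entry the driver looks for, prints the expiry time of the ticket it obtained so that the ticket-lifetime problem described above becomes visible before the driver produces its misleading messages, and then connects. The host name, file paths, database name and principal are assumptions; SQLJDBCDriver is the driver's default JAAS entry name, and the mssql-jdbc jar must be on the class path.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

public class KerberosJdbcCheck {

    // Hypothetical locations; the same three properties the text passes as -D options.
    static void configureKerberos() {
        System.setProperty("java.security.krb5.conf", "C:\\krb\\krb5.conf");
        System.setProperty("java.security.auth.login.config", "C:\\logon\\logon.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("sun.security.jgss.debug", "true"); // GSS-API side of the handshake
    }

    // Authenticate through the JAAS entry and print when each ticket expires.
    // A missing keytab, wrong kvno or expired cache fails here with a LoginException,
    // which is far easier to read than the messages the driver produces later.
    static Subject loginWithKeytab(String jaasEntry) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        Subject subject = lc.getSubject();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.printf("%s -> %s valid until %s%n",
                    t.getClient(), t.getServer(), t.getEndTime());
        }
        return subject;
    }

    public static void main(String[] args) throws Exception {
        configureKerberos();
        // "SQLJDBCDriver" is the entry the driver itself looks up; assumed to exist in logon.conf.
        Subject subject = loginWithKeytab("SQLJDBCDriver");

        // Hypothetical server. The host must be the fully qualified name registered in the
        // MSSQLSvc/<host>:<port> SPN, because the driver derives the SPN from the URL.
        String url = "jdbc:sqlserver://myserver.innerrealm.outerrealm.com:1433;"
                + "databaseName=Fido;integratedSecurity=true;authenticationScheme=JavaKerberos";

        // Running inside Subject.doAs lets the driver reuse the tickets obtained above
        // instead of performing a second JAAS login of its own.
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            try (Connection conn = DriverManager.getConnection(url);
                 Statement stmt = conn.createStatement();
                 ResultSet rs = stmt.executeQuery("SELECT SUSER_SNAME()")) {
                if (rs.next()) {
                    System.out.println("Connected; SQL Server sees login " + rs.getString(1));
                }
            }
            return null;
        });
    }
}
```

If the login name printed is the Kerberos principal's account, the service ticket was accepted. Where the account holds VIEW SERVER STATE, querying auth_scheme from sys.dm_exec_connections for the current session confirms that the scheme was KERBEROS rather than a silent fallback to NTLM.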