HP CIFS Server and Kerberos
Chapter 5 HP-UX Application Co-Existence
The typical HP-UX server is a multi-user and multi-application system. If Kerberos is the preferred
authentication protocol for a customer, then it will probably be preferred for Windows domain users as
well as for HP-UX users and applications. However, Samba and HP CIFS Server, by default, create a
CIFS-specific Kerberos configuration that can only be used by CIFS/Samba users. After a “net ads join”,
the system Kerberos configuration is no longer valid for other users and applications on the HP-UX
system. If Kerberos access is restored for those users, then the CIFS/Samba users are denied domain
access instead.
When a service (such as a server) is joined to a Kerberos realm (for Windows, the domain and the realm
usually coincide: domain=realm), it stores a copy of its secret key locally on the server. This secret
key is used to encrypt and decrypt all Kerberos messages that are exchanged with the KDC and the other
entities in the realm. UNIX convention is to store the secret in a file called /etc/krb5.keytab. Thus,
HP-UX Kerberos applications look in /etc/krb5.keytab to find the secret key.
Samba 3.0 was developed to store the secret key in the /var/opt/samba/private/secrets.tdb file, the
traditional Samba place for domain passwords. When a CIFS/Samba server is added to the Windows
domain, a new shared secret key is created. The KDC has a copy, and the CIFS/Samba server has a
copy in the secrets.tdb file. Any existing /etc/krb5.keytab file that other HP-UX applications use to
decrypt messages is now out of sync with the KDC’s secret key, and therefore invalid. If a new
/etc/krb5.keytab file is then generated from the KDC, the secrets.tdb file is out of sync instead.
NOTE: An HP-UX server using Kerberos and a Windows KDC would normally utilize a krb5.keytab file
that was generated on the Windows KDC using the ktpass.exe tool.
With HP CIFS Server A.02.01 and above, an /etc/krb5.keytab file can be generated from Samba, and
CIFS/Samba can be configured to read its secret key from the keytab file instead of the secrets.tdb
file. In addition, HP-UX Kerberos applications can also use the CIFS/Samba-generated krb5.keytab file.
This feature provides Kerberos interoperability between HP CIFS Server users and HP-UX
Internet Services (telnet, ftp, etc.) and pam-kerberos users (for local HP-UX logins).
WARNING: All subsequent krb5.keytab discussions assume that the krb5.keytab file is created with
HP CIFS Server and either the “net ads keytab” command or the “net ads join” command. Using the
Windows ktpass.exe utility for keytab file generation will cause confusion – do not use it.
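The failure mode above (one of the two secret stores silently falling out of sync with the KDC) is easiest to catch with a check that exercises both stores against the domain. The following script is an added example, not part of the HP document; it assumes MIT-style klist/kinit/kdestroy on the PATH, the Samba net command at /opt/samba/bin/net, and the host principal host/FQDN@REALM in the keytab. The klist output it parses offline is constructed.

```sh
#!/bin/sh
# Added example: verify that the CIFS/Samba secret (secrets.tdb) and the
# HP-UX Kerberos secret (/etc/krb5.keytab) BOTH still match the KDC.
# Assumed paths: MIT-style klist/kinit/kdestroy on PATH, Samba 'net' at
# /opt/samba/bin/net. The sample klist output further down is constructed.
NET=${NET:-/opt/samba/bin/net}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# keytab_kvno TEXT PRINCIPAL: print the KVNO recorded for PRINCIPAL in
# "klist -k -t" output TEXT; exit status 1 if the principal is absent.
# Matching on the last field works with or without the -t timestamp columns.
keytab_kvno() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$NF == p { print $1; found = 1 } END { exit found ? 0 : 1 }'
}

# check_coexistence REALM FQDN: keytab presence, then two live checks.
# Any failure returns 1 so the script can be used from cron or a health check.
check_coexistence() {
    princ="host/$2@$1"
    out=$(klist -k -t "$KEYTAB" 2>/dev/null) || { echo "cannot read $KEYTAB"; return 1; }
    kvno=$(keytab_kvno "$out" "$princ") || { echo "$princ missing from $KEYTAB"; return 1; }
    echo "$KEYTAB holds $princ, kvno $kvno"
    # 1. The keytab key must obtain a TGT from the KDC (scratch ccache, not the user's).
    KRB5CCNAME="FILE:/tmp/coexist.$$"; export KRB5CCNAME
    if kinit -k -t "$KEYTAB" "$princ"; then
        echo "keytab OK: kinit -k succeeded"; kdestroy 2>/dev/null
    else
        echo "keytab STALE: kinit -k failed (kvno $kvno no longer matches the KDC)"; return 1
    fi
    # 2. The secrets.tdb machine password must still be accepted by the domain.
    if "$NET" ads testjoin >/dev/null 2>&1; then
        echo "secrets.tdb OK: net ads testjoin succeeded"
    else
        echo "secrets.tdb STALE: net ads testjoin failed"; return 1
    fi
}

# Constructed sample of MIT "klist -k -t" output, used for the offline self-check.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   3 01/15/10 09:12:30 host/hpux1.example.com@EXAMPLE.COM
   3 01/15/10 09:12:30 HPUX1$@EXAMPLE.COM'

# Run the live check only when a realm and FQDN are given on the command line.
if [ $# -eq 2 ]; then
    check_coexistence "$1" "$2"
fi
```

Run it as `sh coexist.sh EXAMPLE.COM hpux1.example.com` after a “net ads join” or “net ads keytab create”; if only one of the two live checks fails, that store is the one that has drifted from the KDC.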
5.1 Configuring for krb5.keytab
Here are the required components to configure HP-UX Kerberos co-existence:
HP-UX Kerberos version 1.3.5 or newer
/etc/krb5.conf file
/etc/opt/samba/smb.conf file
/etc/krb5.keytab file
Samba “net ads keytab create” command
The first task is to configure CIFS/Samba for Kerberos authentication and join it to a Windows
domain. We know that this configuration will disable HP-UX INET Services access to the HP-UX